Practices

 

 

Determining Internal Audit's ROIhttps://iaonline.theiia.org/2021/Pages/Determining-Internal-Audits-ROI.aspxDetermining Internal Audit's ROI<p>​Like all departments in an organization, internal audit is an investment expected to yield a meaningful return. But unlike departments where return on investment (ROI) is easily calculated and traceable to the bottom line, internal audit is challenged to assess the inherently qualitative benefits of its work — such as compliance with laws, risk mitigation, process improvements, or providing management with peace of mind via assurance — against the quantitative costs it incurs, such as payroll, travel, software, and training expenses. </p><p>While each internal audit function faces different perceptions and unique expectations of value, internal audit teams can use a cost-benefit analysis to measure, drive, and communicate their value, and, ultimately, their ROI.</p><h2>COST-BENEFIT ANALYSIS</h2><p>Completing a departmental cost-benefit analysis is a way to address stakeholder misconceptions and skepticism over internal audit’s value, and in some instances, help make the case against cosourcing or outsourcing the function altogether. Similar to the divisional profit and loss statements seen throughout an organization, a cost-benefit analysis can provide tangible, quantitative evidence of internal audit’s value and overall ROI. </p><p>While each internal audit function’s cost structures, value streams, goals, and key performance indicators (KPIs) will vary, the cost-benefit analysis should incorporate current and planned monetary and nonmonetary benefits and controllable costs.<br></p><p><strong>Monetary Benefits</strong> These benefits can take various forms — including cost savings and revenue recoveries — and are most likely to garner stakeholder interest and promote further usage of, and investment in, the internal audit function. </p><p>Cost savings can be divided into two categories: savings realized directly by internal audit and savings realized by the business as the result of internal audit’s work. The first category can include external audit fee reductions achieved through reliance on internal audit’s work. Cost reductions implemented within the internal audit department, itself, such as for travel or audit cosourcing fees, will be reflected as reductions to the controllable costs section of the analysis as opposed to increased monetary benefits. The second category may include data analyses and subsequent recommendations. For example, an internal audit team at a global manufacturing firm performed analytics on the company’s accounts payable data, which resulted in the discovery of $500,000 in various duplicate payments and unclaimed vendor credits. Through internal audit’s research and communications with the accounts payable team, the company subsequently realized $400,000 of those credits, which internal audit would then factor into its monetary benefit calculation. </p><p>Internal audit also can perform engagements that lead to funds recovery, most commonly through contract compliance audits. For example, if a company has licensing agreements with various international partners to distribute and sell its branded product, the licensor may receive royalties, which are typically based on a percentage of sales. Additionally, the licensing agreement may have minimum payment or performance requirements that stipulate additional compensation to the licensor if not met. In this instance, if the agreement contains an appropriate right-to-audit clause, internal audit can review the licensing agreement, compare it to historical schedules and payments received, request additional detail from the licensee to validate reported numbers, and, in the event of discrepancies, work with the business to ensure the collection of additional amounts owed. <br></p><p><strong>Nonmonetary Benefits</strong> The inability to measure a benefit’s monetary impact should not preclude it from being tracked and reported to interested stakeholders, especially if it can be quantified in other ways. For instance, if internal audit conducts training on data gathering and analytical techniques that results in future time savings for the participants, then the cost-benefit analysis should include the training hours and resulting time savings as nonmonetary benefits. </p><p>While nonmonetary benefits will not alter the net monetary surplus or deficit, they should be included in a companion schedule. Tracking and reporting nonmonetary benefits will not only raise stakeholder awareness of internal audit’s many value streams, but it will also provide important context that the department’s value is not limited to the list of monetary benefits reported. <br></p><p><strong><img src="/2021/PublishingImages/Pelikan-Cost-Benefit-and-ROI-of-a-Global-Manufacturing-Firms-Internal-Audit-Department-2020–2022.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:464px;" />Planned Benefits</strong> As is common in investing, an ROI goal may not be achievable in the short term. Similarly, an internal audit function, particularly a new and growing one, should not limit its cost-benefit analysis or ROI goals to a single year. Rather, a growing team may expect to incur additional costs and further invest in personnel and tools over multiple years and use them to deliver greater value in the long run.</p><p>In these cases, a cost-benefit analysis with only a one-year view may reveal a far bleaker picture than reality. While conventional budgetary reporting uses quarterly and annual views, a longer term cost-benefit analysis may paint a more accurate picture of the internal audit function and its trajectory. In “Cost-Benefit and ROI of a Global Manufacturing Firm’s Internal Audit Department: 2020–2022” (at right), the internal audit function appears to be operating at a deficit, or at least from a monetary cost-benefit perspective. However, due to investments in personnel and technology that continue to expand the department’s value-added service offerings and improve the depth and quality of work, a positive and sustainable ROI is expected to begin the following year.</p><p>While it may not be possible to fully anticipate and quantify the future benefits an internal audit team will provide, the cost-benefit analysis provides an opportunity to outline its planned benefits, which can be estimated based on a combination of goals, extrapolation of current or forecasted benefit run rates, and opportunities identified during pre-engagement risk assessments. As in any forecast, the cost-benefit analysis should document the rationale for key assumptions that support future estimates.</p><p>Not only can a long-term outlook on internal audit’s value positively impact stakeholder perceptions and increase use of the function, it also can lead to further investment in internal audit to ensure realization or an increase of anticipated returns. <br></p><p><strong>Controllable Costs</strong> Every internal audit function incurs costs. Some are direct and under its control, such as payroll, travel, professional memberships, training, software, and consulting, while others are indirect and outside its control, such as the department’s allocation of rent, utilities, insurance, and shared services. To avoid unnecessary dilution of the department’s true net benefit and ROI, the analysis should focus on direct and controllable costs. The rationale is that the chief audit executive (CAE) can budget and manage controllable costs, whereas indirect, fixed-cost allocations are likely to be incurred by the company, regardless of internal audit. As a caveat, the analysis should not disregard shared costs that are variably tied to internal audit’s resource consumption. For instance, if the company uses a cloud-based enterprise resource planning system, and pays per license (vs. fixed fee), then those costs would be considered direct and controllable and should be a part of internal audit’s costs in the analysis. </p><h2>EVALUATE RESULTS </h2><p>First and foremost, the cost-benefit analysis should be used as an internal benchmarking and planning tool. After the initial analysis, an internal audit team may discover that its costs currently exceed its benefits. The results, either surprising or expected, present a valuable opportunity for root-cause analysis and subsequent goal setting. </p><p>The deficit may be caused by cost management, limitations on the extent of value-added projects the team can perform, quality of execution, or the inability to adequately quantify the monetary impact of its value. Regardless of the cause, CAEs can refocus their team’s efforts on addressing these shortfalls and taking steps to improve them. The CAE can use the initial 2020 cost-benefit analysis results in the chart above to further manage costs and establish goals and KPIs on the benefits side. Additionally, if the department determines that its total benefits are falling short, it can revisit its current project plan and ascertain whether different, higher value projects are necessary, provided they continue to align with key risks and board expectations, or consider expanding the scopes of current projects with higher value potential. </p><p>The cost-benefit should be an ongoing measurement of internal audit’s progress. If the team notes a deficit in its initial analysis, subsequent analyses may reveal encouraging signs of improvement. However, in the event of stalled progress, ongoing analysis can provide opportunities for further change and improvement. </p><p>As a caveat, internal audit’s cost-benefit and ROI analysis should not be tied to team member compensation or incentives, which could lead to conflicts of interest, impaired independence, and failure to objectively measure and report benefits. Additionally, to avoid inflation of internal audit’s reported benefits, the quantitative benefit values reported should be fully validated with the appropriate business stakeholders before finalizing.</p><p>Nonetheless, if the team remains committed to improvement and continues to measure progress and adjust as needed, the assessment results will continue to improve. Ultimately, these results can be shared with stakeholders as evidence of the department’s progress and increasing value to the organization. </p><h2>COMMUNICATE VALUE</h2><p>While every internal audit function faces unique perceptions and expectations of value, each one has a customized strategy for communicating value to stakeholders. Nonetheless, each strategy should consider three elements.<br></p><p><strong>Target Audience</strong> Once internal audit has completed its cost-benefit analysis and has collectively agreed to share it with stakeholders, the target audience should be considered. The audience should include stakeholders that internal audit reports to directly, such as the CEO, chief financial officer, and audit committee. However, a broader audience, including various business unit leads, may be necessary, especially if those individuals are skeptical about internal audit’s value. That may include departments where internal audit would like to establish or expand its value-added services. Sharing these analyses with internal stakeholders and clients first can further validate results and assumptions, and lead to further revisions before sharing it with executive leadership, the audit committee, and the board. <br></p><p><strong>Degree of Detail</strong> The degree of detail in a cost-benefit analysis will vary based on the stakeholder. For instance, executive leadership and the audit committee may be interested in just the total costs and monetary benefits along with a summary of key items and trends. Conversely, business unit leads may be more interested in the item-level detail of the projects impacting their areas along with past and planned benefits.</p><p><strong>Basis for Assumptions</strong> Like other data models, a cost-benefit analysis of internal audit is both art and science. Some inputs are clear and easily measurable — such as payroll and travel expenses on the cost side or realized savings confirmed by the business on the benefits side — while others are more subjective and require assumptions. </p><p>Limiting the analysis to easily measurable elements may represent only a subset of internal audit’s actual value. Instead, the analysis should consider other nonmonetary, quantitative benefits, such as engagements completed, recommendations implemented, and time savings, or qualitative benefits, such as prevention of noncompliance with specific laws. In situations where it is possible to reasonably estimate the monetary impact of a benefit using consistent, logical, and documented assumptions, such items should be reflected in the analysis. For instance, if during an operational audit, internal audit identifies and provides training on automated reporting that saves the accounts receivable manager five hours a week, then those weekly time savings should be considered as reportable nonmonetary benefits. However, if the time savings achieved were applicable to part-time, hourly associates whose total workload was reduced as the result of the efficiencies realized, then the potential payroll savings could be classified as a monetary benefit. </p><h2>A MEANINGFUL RETURN</h2><p>Internal auditors are well aware of their function’s capabilities and potential to further drive organizational value, but many stakeholders remain skeptical due to a general lack of understanding about the function’s overall impact, particularly on the organization’s bottom line. While each audit function faces different stakeholder perceptions and challenges, each is an organizational investment expected to yield a meaningful return. Internal auditors can measure their controllable costs and benefits, set goals, and revisit their project mix to provide more value and, ultimately, report on these items to stakeholders to ensure common awareness of internal audit’s value and potential. Like any other investment, an internal audit function with a clear, meaningful, and sustainable ROI will garner widespread appreciation and merit continued investment.  <br></p>Jack Pelikan1
Are You Emotionally Intelligent?https://iaonline.theiia.org/2021/Pages/Are-You-Emotionally-Intelligent.aspxAre You Emotionally Intelligent?<p>​Knowledge and traditional skills are essential to success, but they can only take an auditor so far. Even for the most adept practitioners, objectives cannot be achieved merely with intelligence, technical proficiency, and expertise. To work effectively with clients, internal auditors need strong soft skills — many of which fall under emotional intelligence, or emotional quotient (EQ). Emotionally intelligent people understand, accept, and manage their own emotions, and they can read the emotions of others. Internal auditors with high EQ treat people with empathy and can manage feelings and relationships just as well as objective, quantifiable engagement goals. Emotional intelligence is vital to fulfilling our professional responsibilities.</p><p>Perhaps most importantly, having a high EQ enables practitioners to communicate effectively. Assessing the organization’s risk management framework, developing a risk-based audit plan, obtaining management agreement in response to audit results, and reporting to the audit committee all require extensive, careful interaction with stakeholders. Internal auditors need to communicate well across all levels of the organization, ensuring a robust understanding of their value proposition. </p><p>To ensure communications are well-received and acted upon, internal auditors also must be able to build relationships — another area requiring high EQ. Audit engagements are a team effort between auditor and client, requiring practitioners to balance professional skepticism with the need for rapport. They must ask probing questions related to risk and controls but avoid putting clients on the defensive. Taking the right approach requires empathy and social skills — key elements of EQ. </p><p>Delivering quality work, and maintaining engagement schedules, also requires auditor EQ. Multiple deadlines, heavy workloads, and other pressures can take a toll on audit performance — and even lead to burnout if not managed correctly. But according to The Impact of Emotional Intelligence on Auditor Judgment, published by Virginia Commonwealth University, auditors with a high degree of EQ manage pressures and timelines better, exercise superior judgment, and maintain professional skepticism. The result is a better experience for both auditor and client, and a superior outcome for the organization. </p><p>The World Economic Forum’s 2020 Future of Jobs report ranked EQ among the top 10 high-demand skills for organizations; just five years ago, it was absent from the ranking. High-EQ professionals are sought more than ever for the value they can deliver to stakeholders. And in an era of increasingly sophisticated technologies such as artificial intelligence, the ability to manage and respond to emotion is a key trait separating the work of people from that of machines and automation. EQ-related competencies need to be an integral part of every role in an organization, and they must certainly be a top priority for internal auditors. <br></p>Bhavin Raithatha1
Excuses for Mediocrityhttps://iaonline.theiia.org/2021/Pages/Excuses-for-Mediocrity.aspxExcuses for Mediocrity<p>​I have a few regrets from my 30-year history with Farmers Insurance internal audit. Don’t get me wrong, it was a great ride. And I wouldn’t be where I am today (wherever that is) if it weren’t for the opportunities and serendipities that occurred throughout my career. But there were moments where, when I look back, I did a little less than shine.</p><p>We’ve all been there — the poor decision, the incorrect conclusion, the act that may have, in retrospect, been beneath our standards. We try for the best, but we know we occasionally fall short.</p><p>One regret in particular dawned on me recently. During the last few years of my career, the audit department seemed to lose focus on the importance of meeting assigned due dates. We wanted to meet the dates, but we started believing our own excuses for why things could not be done on time. I vividly remember rushing audits to conclusion because we were preparing the quarterly report for the audit committee and had to have something — anything — to say. And every time we reached the end of a mad dash, we recommitted to doing better. Then the<br>next quarter would arrive, and the same pandemonium reigned. </p><p>We often talked about the importance of timeliness, but we never took effective steps to change our processes and start getting the work done on time. And while our work quality had remained adequate, things were beginning to slip. By accepting mediocrity in one area, we were starting to see the impact on others.</p><p>We allowed the dates to slip, causing downtimes in the audit schedule. Downtimes negatively impacted the original schedule, and disruption of the schedule meant less time for scheduled audits. Then, because the schedule was impacted, we tried to compensate through better planning. And because of that effort, audit planning became a cottage industry unto itself. Our problem was execution, yet we tried to solve planning issues.</p><p>What are you letting slip? Are your reports issued when they were originally planned, or are you buying the excuse that it is just too hard to coordinate the parties involved? Are you identifying true root causes, or are you buying the excuse that there isn’t enough time to develop a broader solution? Are you holding the department to the highest possible standards, or are you buying the excuse that any group of people can only accomplish so much?</p><p>And finally, are you fulfilling the promises of the audit profession, or are you buying the excuses that cause you to be second best, constantly promising to do better next time?</p><p>There are always excuses. But there are seldom good reasons. And if you are starting to fail — or even starting to accept the most minute of failures — take a look and find the reasons, not the excuses. <br></p>Mike Jacka1
Breaking Down the Audit Reporthttps://iaonline.theiia.org/2021/Pages/Breaking-Down-the-Audit-Report.aspxBreaking Down the Audit Report<p>​The International Professional Practices Framework does not require internal auditors to issue a written report. So auditors can, in theory, communicate engagement results through any medium that suits the function and the client. For most departments, though, this is done via a written report that documents the engagement and prompts senior managers to action.</p><p>A well-written internal audit report, which some may argue is a rare thing, should be easy to read and review and even easier to act on. Whether new or experienced, internal auditors can always benefit from a refresher on the basics of audit report writing.</p><h3>WHAT GOES INTO A REPORT?<br></h3><p>Implementation Standard 2410.A1: Criteria for Communicating, states: “Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided.” What should internal auditors include to make sure their reports meet these criteria? <br></p><p><strong>Findings</strong> Also called issues or observations, audit findings are the results of observation and testing during an engagement. They may be nonexistent or failed controls, but also can include instances of good practice that the auditor wants to share with the client. It’s crucial to communicate any issues clearly, so the client understands the problem and why he or she needs to act.</p><p>Many internal audit departments follow the five Cs model to structure their audit findings discussion for clients: criterion, condition, consequence, cause, and corrective action. However, the nonnegotiable elements are condition, cause, and consequence. </p><p>Another way to articulate condition, cause, and consequence is to ask three important questions:</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"></blockquote><ol><li><span style="font-size:inherit;"><em>Who is not doing what, or what is not in place?</em> The report should indicate what observation and testing produced — evidence of inadequate or ineffective controls. For examp</span><span style="font-size:inherit;">le: “Senior managers in the facilities security team do not check applicants’ backgrounds for criminal or other relevant records.”</span></li><li><span style="font-size:inherit;"><em>So what?</em> The answer to this question should be a real risk statement. In other words, auditors should state the real-world harm that has occurred, or could result from, the control weakness, rather than just another failed control. For example: “As a result, the organization may risk reputational damage and financial loss if it hires people who have a history of theft or other crimes.”  </span></li><li><span style="font-size:inherit;"><em>Why?</em> Internal auditors should not settle for a superficial reason or a repetition of condition as the answer to this question. Instead, they should channel their inner four-year-old and keep asking, “Why?” For example: “This has arisen because senior managers in the facilities security team have not updated hiring processes in line with group policy, which requires background checks.”</span><span style="font-size:inherit;"> </span></li></ol><p><strong>Executive Summary</strong> Once internal auditors have articulated the key findings, it’s time to write the executive summary. The IIA Practice Guide, “Audit Reports: Communicating Assurance Engagement Results,” says the executive summary should “provide a clear and concise overview of the engagement results and efficiently deliver critical information with a persuasive, well-substantiated key message to stakeholders.” However, the summary should not be a condensed recitation of the findings. </p><p>Many clients will only take the time to read the executive summary, so it needs to provide high-level headlines. Broader themes such as underlying cultural or behavioral problems, a lack of governance, or other big items must feature in the executive summary.</p><p>Internal auditors should try to limit the executive summary to a short paragraph. It’s harder than people think, but readers appreciate such concise communication. </p><h3>HOW TO WRITE IT<br></h3><p>Standard 2420: Quality of Communications says, “Communications must be accurate, objective, clear, concise, constructive, complete, and timely.” To communicate in this way, internal auditors should follow the ABCs to keep writing active, brief, and concrete.<br></p><p><strong>Active</strong> The audit report should be written in the active rather than passive voice. Instead of saying, “The report was reviewed by the manager,” the report should say, “The manager reviewed the report.” The active version is shorter and clearer. </p><p>Often, report writers leave out the performer of the action altogether. For example, “The report was reviewed” is short, but it omits what could be useful information. A sentence such as, “The findings were discussed, rewritten, approved, and issued” contains four actions and no hint as to who performed any of them. One person? One team? Different people on different teams? The active voice helps avoid such confusion.</p><p>Because the active voice puts the responsible parties or area first, it may come across as blaming. However, overusing the passive voice produces writing full of vague, possibly misleading sentences. A good rule of thumb is to keep the use of passive voice in the report below 20%, which Microsoft Word readability statistics can calculate.<br></p><p><strong>Brief</strong> Report readers are busy, so internal auditors should use simple words and keep sentence length to 20 words at most (in English). Why would anyone want to wade through 20 pages when they could grasp the message in fewer than 10 pages of plain language? Again, Microsoft Word’s readability statistics function will help, as it provides the average number of words per sentence in a document.<br></p><p><strong>Concrete</strong> One way internal auditors can make their writing less abstract is to avoid nominalizations (also called verbal nouns). This happens when the writer takes a verb — analyze — and turns it into a noun — analysis. The result is a longer sentence. Instead of saying, “We performed an analysis of the data,” the writer should say, “We analyzed the data.” </p><p>Nominalizations make writing even harder to follow when people disappear completely from the sentence: “Analysis and further investigation led to discussions and decision-making.” The reader cannot determine who is analyzing, investigating, discussing, and deciding. </p><p>Some auditors may shy away from communicating so directly, especially in cultures that may see this as rude. However, if internal auditors have performed the engagement thoroughly and have material findings to report, the reader needs to know. Whether in reports, emails, or briefings, the ABCs will make it easier for readers to understand the message and act on it.</p><h3>TRUSTED ADVISORS, TRUSTED REPORTS<br></h3><p>When internal auditors understand their audience, keep communication factual, and focus on solutions, they create a professional and positive impression. They also avoid sending mixed messages and then wondering why no one has acted on the report recommendations.</p><p>Report writing — like all working practices — has changed greatly since the pandemic and will continue to evolve. Many internal audit departments are communicating more by phone and video, and producing more concise, targeted reports. With that goal in mind, internal auditors who can convey more with fewer words are of greater value to the organization.  <br></p>Sara I. James1
The 4 Pillars of Remote Work for Audit Teamshttps://iaonline.theiia.org/2021/Pages/The-4-Pillars-of-Remote-Work-for-Audit-Teams.aspxThe 4 Pillars of Remote Work for Audit Teams<p>Flexible work options are common in the internal audit profession, but the COVID-19 pandemic has ushered in a new time when more and more auditors are working from home. Some audit departments were ready and adapted easily, while others scrambled to install appropriate infrastructure, security, and processes to support remote work. As the threat of the pandemic begins to ebb, some teams will return to traditional work environments while others may consider permanent changes to their office-centric arrangements. </p><p>This unique episode in business has demonstrated the viability of flexible, distributed work arrangements, as well as their pitfalls. Allowing internal audit teams to work from home can have significant benefits, but any distributed work strategy must carefully consider all potential security, managerial, and behavioral issues. </p><h3>BEYOND THE OFFICE<br></h3><p>Today’s office environment was born during the Industrial Revolution when workers needed access to paper documents and to be close to other employees to execute most processes. This traditional office spawned management techniques in which employees reported to work at a designated time, had controlled environments, and could be seen conducting their work. </p><p>The digital revolution has overturned the need for a central workplace by creating new opportunities for data to be accessible virtually anywhere. For example, internal auditors now can conduct routine reviews without being in the same location as the audit client. Many audit team leaders have embraced such efficiencies, including remote work, but others have been reluctant to let go of an office-centric culture. This reluctance may be due to audit leadership’s management philosophy, but it also may reflect an organizational philosophy over which audit has little control.</p><p>While remote work and other flexible arrangements have novel challenges and can have negative results, audit leaders should take an objective view of the trade-offs involved with them. A well-executed telecommuting strategy can yield tremendous benefits for internal auditors.<br></p><p> <strong>Enhanced Employee Morale and Retention</strong> Employees often cite “lack of respect for their time” as a leading contributor to work dissatisfaction and a primary reason for leaving a job. They desire, and increasingly expect, a flexible work environment. Job flexibility directly improves employee morale and reduces turnover because employees receive tangible benefits such as: </p><ul><li> <em>Trust.</em> Allowing employees this type of flexibility sends the message they are trusted to manage their time. </li><li> <em>Respect.</em> Flexible work arrangements demonstrate respect for the various pressures and demands employees face from all facets of their lives. This is key for employee retention.</li><li> <em>Reduced commutes.</em> Long commutes to and from work can be a primary contributor to unhappiness with one’s job. Eliminating commutes, even for a few days a week, can reduce frustration, give team members a greater sense of control, and provide them extra time on those days when their only commute is to another room in their home. </li><li> <em>Belonging.</em> Although it may seem counterintuitive, when employees have flexibility, they tend to be more loyal to the organization. Providing a work-from-home option decreases employee turnover by 50%, according to a Stanford University study published in <em>The Quarterly Journal of Economics</em>.  <br></li></ul><p> <br> <strong>Increased Productivity</strong> Employees who are more satisfied with their jobs tend to be more productive. The Stanford study finds that employees who work at home experience a 13% boost in productivity versus those who work in a traditional office. Employees who telecommute work the equivalent of 1.4 more days per month than do their office-based counterparts, according to a 2020 study by online employment company Airtasker. <br></p><p> <strong>Cost Savings</strong> When executed as part of a larger infrastructure strategy, allowing team members to work from home can result in significant savings. The increase in employee retention and improved performance can directly influence the bottom line. For many audit groups, though, the greatest savings can be from dramatically reducing the office space required. Even in hybrid operations where team members work at home and at the office, a carefully executed strategy that staggers office-based days can create tremendous savings. </p><p>To realize the full benefits of flexible work arrangements, internal audit functions need a carefully executed strategy. This strategy should be built upon four pillars: 1) infrastructure and security, 2) expectations management, 3) communication requirements, and 4) management adaptation.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h3>​Pillar 1: Infrastructure and Security</h3><p>The need to adjust work structures arose quickly with the pandemic. Audit teams were sent home to work and, in many cases, discovered team members had inadequate computers, slow internet connections, and lacked the means to maintain data and access security. </p><p>To have an effective long-term strategy, the internal audit function must anticipate these needs and be willing to make the necessary investment. Leaders cannot view such expenses as additive, and instead should see them as substitutions for other investments that would come in the long run. </p><p>Ideally, the audit team should prepare a budget that identifies additional expenses for a remote work strategy. This budget should start with a full inventory of all software, hardware, and infrastructure required. For example, audit teams may need to invest in cloud-based software rather than machine dependent software, virtual private network lines for audit team members to protect the data in transmission, encryption software for data storage, reliable high-speed internet service, standardized laptop computers, and mobile phones. </p><p>These expenses can appear daunting, but management should be aggressive in identifying cost savings to offset them. Internal audit could easily reduce the hardware and software licenses required in the office. Reducing the amount of office space could provide the greatest cost savings. <br></p></td></tr></tbody></table><h3>Pillar 2: Expectations Management</h3><p>With a change in workplace structure comes a related change in expectations. For example, an audit manager may expect a team member to be available during certain hours, yet the team member may have different views of the specific hours in which work is to be done. Also, there could be expectations about response time to team members or clients, availability for meetings, and possibly even dress codes for virtual meetings. </p><p>Audit teams face a unique challenge because they often have large projects involving multiple team members where each step depends on the completion of a task by someone else. This problem is especially exacerbated when work-from-home arrangements can result in some audit team members working from different time zones. </p><p>Too often, the greatest friction arises because there are different expectations that have simply not been articulated. Accordingly, audit teams must develop formal policies that delineate expectations. These policies should be developed collaboratively so team members fully understand the reasoning and necessity for such policies. Because the policies may not anticipate all issues that may arise, managers must revisit and revise them regularly. </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h3>​Pillar 3: Communications Requirements</h3><p>Managers should articulate their expectations for team member communication, but they should be accountable for enhanced communication, themselves. Remote work cultures generate a much greater need for communication, because team members no longer have the interpersonal cues available in an office environment. </p><p>For example, team members may have difficulty getting information from clients, face roadblocks on projects, get pulled into other projects, or even face personal struggles. Such difficulties need to be communicated to managers so they can adapt accordingly. However, while such communication might come naturally during meetings in an office setting, in remote settings, managers and team members must initiate the necessary communication proactively. </p><p>Managers should be deliberate about communicating frequently and, at times, they should even place check-in calls that don’t have a specific work agenda. These connections are critical; otherwise, employees can feel disconnected and not part of a cohesive team. Managers cannot communicate enough.<br></p></td></tr></tbody></table><h3>Pillar 4: Management Adaptation</h3><p>Changing management’s attitude is the most important and most difficult part of implementing a work-from-home strategy. Audit leaders often cite concerns about a “looser” work environment that would remove elements of accountability and result in reduced productivity, higher costs, poorer client service, and lower quality. They imagine scenarios where team members are easily distracted by their home environment and don’t prioritize work. </p><p>At the center of this discomfort is a feeling of loss of control and a major break from traditional methods when remote work becomes the norm. One reason for this feeling is many managers are accustomed to measuring input rather than output. If they can see a team member, then they assume that individual is working. </p><p>Simply stated, internal audit managers must adapt and start measuring results. For example, rather than measuring time in the office or hours billed to a job, managers could assess audit project effectiveness by measuring project throughput, trends in audit hours, hour variance from budget, or significance of analysis. Even in office environments, moving to a results-based focus that extends trust to team members can be effective and result in a better workplace culture. </p><h3>REALIZING THE BENEFITS<br></h3><p>The pandemic has provided an evolutionary break from the traditional office-centric paradigm. The work environment was already drifting toward more flexible arrangements that included remote work, but the pandemic hastened this trend and provided a realistic peek inside the new reality. The evidence is clear that flexible work environments enhance productivity, boost employee morale, and reduce expenses.</p><p>However, such benefits cannot be realized unless there is a careful approach that delineates expectations and provides clear parameters for audit leaders and their staffs. Each strategy could vary based on the size and nature of the audit department and organization, but any remote work strategy should include the four pillars to provide clarity to the team and generate optimal results. <br></p>W. Ken Harmon1
An Eye Toward the Futurehttps://iaonline.theiia.org/2021/Pages/An-Eye-Toward-the-Future.aspxAn Eye Toward the Future<p>​I discovered internal auditing through an operational auditing course at the University of Arkansas. At the time, I was an accounting major, but I had come to realize I didn’t like tax work or working solely with debits and credits. This introduction to internal auditing wasn’t like my other classes — instead, it offered case studies that allowed students to evaluate risks, find ways to increase effectiveness, and identify root causes.</p><p>Like many other internal auditors, I love analyzing processes. Drop any good internal auditor into a driver’s license bureau or other typically slow-moving system, and we’re likely to start thinking: “How can I serve customers faster?” “Where are the risks?” “How can I redesign this for a better outcome?” The operational audit course got me excited about this kind of systems thinking. It was the reason I decided to pursue a master’s degree at Louisiana State University and specialize in internal auditing. I have never looked back.<br></p><p>The future of the internal audit profession is dependent upon the next generation being aware of all it has to offer and seeing themselves as practitioners. As the 2021–2022 chair of The IIA’s North American Board, much of my focus will be on investing in the next generation of internal auditors. I’ll be working with The IIA’s new President and CEO Anthony Pugliese to enhance and expand our student engagement strategy and be more proactive about getting in front of universities and students. This will all be part of a larger effort to grow a diverse and engaged IIA membership that includes expanding opportunities for volunteerism and helping peers connect.</p><h3>ELEVATING INTERNAL AUDIT'S PROFILE AT THE COLLEGE LEVEL <br></h3><p>I was lucky enough to stumble on that operational audit course, but many young people in business, accounting, or data science programs are not aware of internal auditing as a profession. We need more university courses like the one I encountered initially and more programs like the one at Louisiana State University, which is an IIA Internal Auditing Education Partnership Center of Excellence program. We also need to continue fostering opportunities to connect with students. </p><p>Some of The IIA’s chapters have connected with universities to promote internal auditing, like the mentorship program that 2020 Emerging Leader Bonnie Tse of IIA–Seattle launched with local university students. The IIA also supports chapters in presenting an annual chapter challenge to help engage students and grow them into members. We should double down on these efforts, connecting with professors and university programs, to make it clear there are jobs for future practitioners. </p><p>To help chapters and global affiliates with outreach, The Institute has posted an Academic Relations Toolkit on <a href="https://na.theiia.org/Pages/IIAHome.aspx" data-feathr-click-track="true">TheIIA.org</a>. In it, members can find resources for starting an academic relations plan in their area, along with best practices from other chapters. The IIA also offers grants, scholarships, awards, and events for prospective auditors, such as the Internal Audit Student Exchange. This event, hosted annually in September, is aimed at college students with experience or interest in the field.</p><h3>ENCOURAGING DIVERSITY IN THE PROFESSION <br></h3><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Stepping Stones to Leadership</strong><p>It was at Louisiana State University (LSU), where I earned a master’s degree in accounting with a specialization in internal auditing, that I first got involved in The IIA as a student member. I enjoyed the opportunity to network and participate in chapter events. </p><p>While at LSU, I passed the CIA exam, receiving the Student Highest Achievement Award for my performance. Passing the exam while I was still a student allowed me to start my career a step ahead. On my first day on the job, I already understood the fundamentals.</p><p>During my time at LSU, I interned at Avery Dennison, a Fortune 500 manufacturing company based in Pasadena, Calif. Following my graduation in 2001, I continued with the company, starting first as an internal auditor and moving up to senior internal auditor in 2003. The internal audit team traveled up to 80% of the time, including internationally, which gave me an opportunity to see the world. </p><p>In 2004, the company transitioned me to a financial analyst role, which was based in Cleveland, Ohio. I quickly realized that I missed internal auditing, so after a year, I took a job with International Paper, a Fortune 100 manufacturing company based in Memphis, Tenn. This job taught me the importance of relationship-building with internal audit stakeholders and allowed me to hone my leadership skills. </p><p>Finally, a little more than 10 years ago, my husband and I relocated to Baton Rouge, and I joined my current organization, Postlethwaite & Netterville. I started as a manager and was promoted to associate director and now director, which is a partner equivalent. I love my current job and I couldn’t imagine doing anything else. </p><p>Throughout my internal audit career, The IIA has enabled me to network and learn from peers outside my organization, contribute to and stay on top of developments in the profession, and further grow my leadership skills. I’ve participated at the chapter level, serving as the IIA–Memphis Chapter president and on the IIA–Baton Rouge Chapter Board of Governors, and at the North American committee level through the Publications Advisory Committee, where I served as a member for six years. Through this affiliation, I authored and co-authored multiple articles for <em>Internal Auditor</em> magazine, as well as served as a contributing editor to the magazine and on its Editorial Advisory Board. In 2017, I joined The IIA’s North American and Global boards. </p><p>On a personal level, I spend my weekends watching my eight-year-old son play sports, and you’ll find us at many of the LSU sporting events in Baton Rouge. I also enjoy running, and my family is looking forward to the day we can resume traveling. <br></p></td></tr></tbody></table><p>To engage the next generation, we must work to change the perception of the internal audit profession as boring and the belief that internal auditors are “just accountants.” Instead, we must encourage more nontraditional paths to the profession. We need to work with universities beyond their accounting programs to help people from different disciplines and backgrounds — such as liberal arts, computer science, data analytics, and management — understand that internal auditing benefits from a diverse and inclusive pool of professionals and is a viable, fun, and exciting career. </p><p>We know that as more teams embrace technology solutions in internal auditing, students with backgrounds in IT and data analytics will be needed. And of course, not all new auditors are straight out of college. Some move over from other departments within a company because of the skills they can bring to the audit function.</p><p>Our internal audit teams need to be diverse beyond skills and backgrounds. If one looks at the organizations internal auditors serve, they will see they are made up of diverse people. The more the internal audit department reflects the organization as a whole, the more we’re going to be able to relate to our internal audit customers and stakeholders. </p><p>Diversity, equity, and inclusion (DEI) is a strategic area of focus for the North American Board, so I’m also looking forward to continuing work in this important area. Later this year, the Internal Audit Foundation, in collaboration with Deloitte, will embark on a study to explore both the importance of DEI in the audit function and how the audit function can play a pivotal role in advancing DEI enterprisewide. Ultimately, diversity can only improve our audit departments. Diversity of thought helps us communicate better, understand different points of view, and assess risk from many different angles.</p><h3>UNDERSTANDING THE NEXT GENERATION OF AUDITORS <br></h3><p>As we welcome the next generation of internal auditors, we also have to be open to generational differences. Granted, the last year has given us all an opportunity to practice our technology skills while working remotely. But for students coming out of college now, Zoom, Teams, and other collaborative technologies are second nature.</p><p>When I need to chat, I am one of those people who will pick up the phone and call or — when we were still in an office — pop by for a quick face-to-face exchange. For some of the younger generation that I work with, they’re more likely to send me an instant message. It’s sometimes been hard for me to remember to keep our chat client on and respond, but part of being open and inclusive is not necessarily expecting everybody to adapt to my approach. We have to be willing to meet people where they are.<br></p><p>The next generation also could be an asset to internal audit functions as chief audit executives look to add technology competencies within their teams. There may even be opportunities for reverse mentoring, where less experienced auditors are able to teach some technical skills to more experienced teammates. Research shows that when a company encourages the exchange of ideas across generations, it improves productivity, profitability, and worker morale for all. </p><p>Organizations are going to have to be more flexible and innovative in how they engage the younger generation — and really all of us, as that’s just good talent management. It’s going to be important to periodically get a sense from the audit team about what’s important to them — whether it’s community involvement, mentoring opportunities, or initiatives related to well-being or social interaction — and try to incorporate some of that into the team or the organization. As the pandemic has taught us, communication is critical. </p><p>We also need to help new or prospective auditors understand what a career could look like within the organization, the different paths they could take, and how this could ultimately set them up to achieve their career goals. The more we can adapt our approach to meet their needs, the better off we’re going to be.</p><h3>BUILDING RELATIONSHIPS IN THE NEW NORMAL <br></h3><p>Most auditors new to the profession have a passion for learning and an eagerness for understanding how organizations work. But they’re coming out of school into a completely different environment than the one I walked into at my first internal audit job. The pandemic has made relationship building that much more challenging by removing those chances for small chats when riding in the elevator or running into someone in the break room. Even on the other side of the pandemic, the workplace is going to look different; there’s going to be a big emphasis on how to build relationships in this environment. For me, it’s about how I sustain and maintain my relationships, but for the new generation, they’re walking in without these relationships already in place.</p><p>New auditors are going to have to be intentional about connecting with people, whether it’s  team members, people within the organization, or people who are part of their management group. If they show that drive and exercise their soft skills, then other things, such as opportunities for further contribution, will naturally fall into place.<br></p><h3>GROWING THROUGH THE IIA<br></h3><p>For auditors new to the profession or looking to advance their careers, The IIA has many helpful initiatives. Take the Emerging Leaders Task Force (ELTF), for example. Made up of IIA volunteers, the task force encourages emerging internal audit leaders to engage, connect, and contribute to the profession. </p><p>The task force recently launched the Emerging Leaders Mentoring Program. I served as a mentor through the inaugural program, and I am very enthusiastic to participate again this year. Being a mentor has allowed me to develop new relationships and given me a better understanding of the challenges internal auditors are facing today at different stages in their careers. </p><p>The ELTF also recently launched The IIA’s Emerging Leaders LinkedIn Group, a place for the next generation of internal auditors to network. Young professionals can share their knowledge on the Group page, learn about IIA opportunities, and find curated IIA resources most relevant to them.</p><p>In addition, the ELTF supports Internal Auditor magazine’s annual Emerging Leaders program, which since 2013 has been recognizing up-and-coming internal auditors who have the potential to be future leaders. I was honored to be chosen as an Emerging Leader in 2014 and will be the first alumni to serve as the chair of the North American Board. </p><p>On the volunteer side, The IIA is making it easier for internal auditors to get involved with the association by transitioning certain committees to advisory committees and promoting volunteer opportunities on a more ad hoc basis. This allows auditors who are busy at work or who have family obligations — which includes some of our younger auditors — to pop in and contribute to a working group and then pop back out, as necessary. For me, volunteering has played a key role in my professional development and has opened the door to new opportunities. It has given me the chance to meet many talented and passionate internal auditors from my community and around the world (see “Stepping Stones to Leadership” above).</p><h3>ADVANCING CAREERS</h3><p>Many of the things that make people successful as professionals are still going to be there no matter the landscape — things like being accountable for one’s career, learning as much as possible about one’s organization and industry, and connecting with peers in the internal audit profession. Showing a commitment to internal audit advocacy and the <em>International Standards for the Professional Practice of Internal Auditing</em>, continuous learning, and engaging with other practitioners can help internal auditors get there.</p><p>New auditors need to go after the Certified Internal Auditor (CIA) certification because it will help them develop their understanding of the <em>Standards</em>, which are the foundation of the profession. Having the CIA demonstrates the auditor’s commitment to, and ultimately proficiency in, internal auditing.</p><p>It’s important for the next generation of auditors to embrace as many opportunities as possible. One of the things that made a difference for me in my career was being open to experiences, and that included sometimes taking assignments that nobody else wanted and ones that stretched me, resulting in greater learning and growth. Those different opportunities and experiences can help open doors in internal auditors’ careers. It’s that growth potential that will attract the next generation and help us collectively advance the profession. I hope you will join me on the journey. <br></p>Laura Soileau0
Pushing Back Against Remote Workhttps://iaonline.theiia.org/2021/Pages/Pushing-Back-Against-Remote-Work.aspxPushing Back Against Remote Work<p>If internal audit leaders want to remain relevant within their organizations, they need to stand up and speak out against 100% remote working environments. We have fought hard to be seen as a trusted partner and not just another cost center. Rolling our chairs away from the table and hiding behind our computer screens puts us out of sight, out of mind. In fact, physical absence from the workplace presents several risks to internal audit, and to the organization it serves.<br></p><p>The most critical risk is a complete loss of organizational cohesion. Operating remotely, departments may break into silos that not only work independently of each other but also become fragmented internally. Whereas previously chief audit executives (CAEs) could walk by their team members’ desks at any time, they now must purposefully reach out to each individual separately. Moreover, group Zoom calls have turned even some of the hardest workers into unengaged, glassy-eyed drones. How well can tone at the top, inspiration, and a common sense of purpose be conveyed solely via a computer screen? </p><p>Another risk is diminished audit visibility and the collapse of relationship building. Before the proliferation of remote working, vice presidents or directors might have dropped by the CAE’s office and asked a question in the break room; or the chief financial officer might have seen the CAE in the hall and suddenly remembered to include him or her on a meeting invitation. Now they limit the number of Zoom attendees and, if they haven’t already, may start excluding internal audit from critical meetings. Instead of being part of key planning committees, auditors may not learn about important initiatives until they are announced to the entire organization.</p><p>Perhaps even more harmful to practitioners, maintaining an all-remote work environment risks invalidating the internal audit function. When budgets are analyzed, executive leadership may ask, “Where has internal audit been? We haven’t seen or heard from them; they must not have as much to do anymore.” Leadership may then look to slash the audit budget, followed by layoffs and a reduction of the audit plan to check-the-box engagements. Internal audit’s ability to add value becomes diminished, increasing its perception as a cost center.</p><p>Not only for the sake of internal audit, but also for the entire organization, audit leaders have no choice but to speak loudly and frequently against 100% remote working environments. As an alternative, the CAE could work with other senior leaders to create a hybrid in-office/work-from-home model and structure the audit function to overlap strategically with each department. This way, internal audit would remain “at the table” and better positioned to provide valuable insight and support. Then again, auditors can enjoy working in shorts and a T-shirt until a catastrophic event happens and once again executive leadership asks, “Where was internal audit?”<br></p>Thomas Mullinnix1
The Farley Filehttps://iaonline.theiia.org/2021/Pages/The-Farley-File.aspxThe Farley File<p>​One of the most important questions for any internal auditor is, “Do you know who your clients are?” It’s so fundamental that most internal auditors can probably answer in the affirmative. However, there is a related question that, while just as important, is often overlooked: “Do you know them?”</p><p>Successful internal auditing requires not only knowing who our clients are, but also building rapport and a mutual understanding with them. It means knowing more than just a name and a title; it requires knowing the person behind that title.</p><p>For some people, getting to know clients is easy — especially those with a knack for remembering personal details, which can facilitate relationship building. But not all of us are blessed with that innate talent. The good news is that a simple tool can help.</p><p>James Farley was a U.S. postmaster general and chairman of the Democratic National Committee. His fame, however, comes from the role he played as President Franklin Roosevelt’s campaign manager. Farley kept a file on everyone he or Roosevelt met. It included information on their spouses, their children, and anything else he learned from earlier encounters. Whenever people were scheduled to meet again with Roosevelt, Farley would review the files with him. Roosevelt could then enter the meeting with knowledge that would help him build connection and rapport. Farley files are now commonly kept by politicians and businesspeople.</p><p>At a former job, without knowing we were doing it, my internal audit staff started building Farley files. When an auditor would meet with a client, we would create a file with information about him or her — name, hobbies, passions, etc. We noted advice for working with these individuals, such as effective conversation starters and how to present information to them, as well as how they felt about internal audit — fan, raving fan, lukewarm, actively hostile, etc.</p><p>Sadly, I don’t know if it worked. Not long after we started, I was talking with the human resources (HR) manager and explained our approach. He asked us to stop — and I understand his concerns. After all, HR is responsible for ensuring a lot of regulatory requirements are met when maintaining employee information, particularly when it comes to the security of that information and ensuring it’s not used to support discriminatory practices. But I also think he went overboard. In the world of do-overs, it is something for which I would fight. Even in the short time we started building the files, we found it was a valuable way to record and share the insights we gained about our clients.</p><p>Every internal audit department should consider keeping a Farley file. Work with HR to ensure there are no issues. But push to get it done. The better we know the people we work with, the better our work will be.<br></p>Mike Jacka1
An Assessment of Internal Audithttps://iaonline.theiia.org/2021/Pages/An-Assessment-of-Internal-Audit.aspxAn Assessment of Internal Audit<p>​Internal audit is supposed to be an invaluable ally for the audit committee. That doesn’t mean the audit committee shouldn’t try to evaluate the contributions of the function, anyway.</p><p>If internal audit doesn’t deliver value, nobody benefits. Risks can go undetected or unaddressed. Operations executives can grow exasperated with what they perceive as nit-picky auditors intruding into their domains. Above all, corporate boards could have an incomplete picture of the organization’s risks.</p><p>So when I saw The IIA’s new Internal Audit Assessment Tool for Audit Committees, I was intrigued. How have audit committees been faring at assessing the effectiveness of internal audit? </p><p>“How it’s done can vary,” says Ginger Jones, audit committee chair at global chemical company Tronox Corp. “It can be more informal than formal.” At Tronox, for example, the audit committee’s charter requires it to review internal audit annually, but doesn’t require it to use any specific tool for the task. So Jones has her own set of questions to consider, such as: How does internal audit handle tasks related to compliance with the U.S. Sarbanes-Oxley Act of 2002? How do business units view internal audit? How does internal audit develop its talent pipeline?</p><p>That’s a sensible approach. The question is whether the rest of the corporate governance world can implement an evaluation process with sufficient scope and rigor for the challenges organizations face. </p><h2>Understand Your Needs</h2><p>Internal audit exists to help the audit committee ensure risk management is effective. Thus, the audit committee first needs to ask: What do we want internal audit to do for us? Where is our assurance ability a bit weak? </p><p>COVID-19 reminded boards they need a lot of help with risk management, especially with understanding how emergent risks  can turn traditional risks, such as security, fraud, and supply chain, upside down.</p><p>“The lack of a structured work environment can increase the risk of fraud and corruption among staff and suppliers,” says Nocwaka Oliphant, audit committee chair at the South African Council for the Architectural Profession. “A sharp internal audit function would be expected to increase its fraud identification processes in conducting its work.”</p><p>Fraud isn’t the only ground shifting underneath the board’s feet. Oliphant can rattle off a list: public health and safety, business continuity, climate change, and more. Auditors should be able to assist with those assurance challenges. But how does the audit committee know internal audit is ready? </p><p>That brings us back to The IIA’s assessment tool. The document is split into six sections, with topics such as evaluating the quality of internal audit services, assessing communication with the audit team, and gauging its independence and objectivity. Within each topic are several questions an audit committee could ask.</p><p>“A lot of audit committees don’t truly understand what the full role of internal audit can be,” says Anne Mercer, IIA director of professional practices. “Chief audit executives can use the tool to have these conversations. It’s a way to open the door.” </p><h2>Assessment in Practice</h2><p>The assessment tool is meant to help audit committees forge closer ties with internal audit. Indeed, this tool is modeled after another one the Center for Audit Quality developed in the 2010s to help audit committees evaluate their external auditor. “We look at our tool as a companion to that,” Mercer says. </p><p>That said, an assessment doesn’t need to follow a fixed, formal approach. “Pick the parts that are important to you,” Mercer says. “You don’t need to assess all aspects every time.” </p><p>For example, consider how your organization embraces technology. If your business is a fast-growing startup that experiments with a lot of new technologies, you’ll need an audit function comfortable with analyzing new technology, and also embracing it for its own operations. An established multinational, on the other hand, might need auditors skilled at assessing regulatory compliance, assisting with large projects like a merger, or studying megatrends like climate change. </p><p>The assessment, itself, can involve asking senior executives how they view internal audit, as well as chats with managers in first-line roles. Do they ever invite internal audit to help them with projects? (A good sign.) </p><p>The audit committee also should consult with the rest of the board. What risks do they see as the organization’s foremost challenges? Does internal audit have the leadership, expertise, and resources to help with those matters?</p><p>“When I see high-functioning internal audit teams, they’re hiring great people, developing them, and then moving them into the business,” Jones says. That’s also a sign that internal audit has won over the business units. It’s the sort of cooperation that can put an audit committee’s mind at ease.</p><p>And there’s a lot of value in that. <br></p>Matt Kelly1
The Efficient Audit Functionhttps://iaonline.theiia.org/2021/Pages/The-Efficient-Audit-Function.aspxThe Efficient Audit Function<p>​The term <em>efficiency </em>refers to the volume of input needed to produce a certain output. Fewer inputs used for the same output, or the same inputs used to get larger output, result in increased efficiency. When it comes to internal audit work, efficiency can be measured in various ways and for different audit activities. Efficiency should be of particular interest when it comes to completing audit activities with scarce resources.</p><p>Many internal audit departments struggle to complete the audit plan within a certain time and improve efficiency. From this point of view, one could measure audit efficiency by the number of hours spent on executing audit procedures and other activities relevant for audit completion. Focusing on inputs of audit work, there are specific aspects that should be addressed to measure and improve audit efficiency.</p><h2>Announcing Audits</h2><p>Practitioners should strive for a transparent approach to the audit plan, rather than keeping it a secret. While an element of surprise is important for certain audit engagements, it is not the case for most engagements. Additionally, announcing an audit early can help manage audits during challenging periods, such as during the holidays or vacation season. This could potentially avoid possible bottlenecks of having to wait for the documentation to be delivered or client availability for interviews. After all, if auditors strive to be trusted advisors to their organizations and there is trust on both sides, there should be transparency.</p><h2>Assessing Resources </h2><p>When developing audit plans, internal audit should assess the working hours needed separately for each engagement. Setting up the same, or average, resources as a uniform standard does not help measure and improve audit efficiency. When done that way, some engagements will be under time constraints, while others will have more time than needed. Other important aspects that require realistic consideration and planning include vacations, sick leave, and administrative and other audit activities, as well as any resources needed for fraud investigations and consulting activities, which may occur during the same time as the audit engagement.</p><h2>Scheduling</h2><p>Scheduling the engagements allows all employees — not just internal auditors — to be aware of what is expected from them and to schedule their activities accordingly. Waiting to schedule engagements until after the completion of the previous audit can lead to huge workloads and pressure for the audit team, as well as discourage efficiency improvements. Worse, it can lead the department to stagnate or lose efficiency.</p><h2>Deadlines and Exceptions</h2><p>Clearly defined audit engagement completion deadlines are necessary for efficiency. They should be treated as time management guidelines that help auditors stay in line with relevant plans and targets, rather than strict, rigid limitations. The absence of deadlines could create chaos within the audit department and result in engagements that never end. While prolonged deadlines are sometimes needed, they should be the exception and not the rule. If they occur frequently, it may indicate that the audit planning or execution is not working correctly. </p><h2>Empowering Audit Teams</h2><p>Trusting audit team members to organize and execute engagements, stay in line with audit methodologies, and keep to deadlines without constantly checking on them allows them to find their own flexible solutions to accomplish their goals. In a trustful, open, and honest relationship, leaders step in when asked to help solve any problems encountered by auditors that they're not able to work through on their own. This trust should also exist among audit team members. </p><h2>Automating Audit Procedures</h2><p>Automating audit procedures can improve work efficiency by providing quicker analytical insights on data, trend analysis, graphical representations, and outlier identification. However, overreliance on automation could have an adverse effect if its use is not thought through. It may result in more manual work after the automated procedures have been completed in comparison to the manual execution of relevant audit procedures.</p><h2>Consider Stop-and-go Auditing</h2><p>A stop-and-go audit approach may help some departments find efficiency and add value. When planning an audit project, the lead auditor develops:</p><ul><li>A more up-to-date and in-depth understanding of the risks in the subject area than the audit management team could have when they added it to the periodic audit plan.</li><li><p>A sense of the control environment and culture of the area. </p></li></ul><p>After the planning phase, the lead auditor and audit manager make a "stop or go" decision. If an assessed risk is lower in comparison to other areas not in the plan, they write a memo explaining why to all concerned parties.<br></p><p>If the decision is made to proceed with the audit, the next step is to assess the design of the controls over the key risks. If it is concluded that the controls are well-designed and auditors are satisfied with the culture, they might stop the audit without performing any testing. An audit report is issued, but it states very clearly that the opinion is only on the design, and this is understood by all parties. Or, they proceed to full testing.</p><p>This technique runs the risk of missing deficiencies, but that is always a possibility. Stopping audits when there is a sufficient comfort with the risk saves time to audit other areas that seemed less risky during the periodic planning process, but are now perceived to have greater risk. </p><h2>Efficiency KPIs</h2><p>There is no unique set of efficiency-related key performance indicators (KPIs) that fit all audit activities. When designing KPIs, auditors can apply the usual risk assessment approach to identify which aspects require action. Good starting points are assessing current efficiency; observing the strengths, weaknesses, and motivational aspects for auditors; and identifying risks. With this approach, the audit function can identify the aspects it should focus on to improve efficiency, and create and verify relevant KPIs in line with the assessment.</p><h2>Continuous Monitoring</h2><p>Monitoring progress also is important for measuring and improving audit efficiency. Designing a dedicated dashboard for this purpose, with the aim of having continuous, real-time results readily available, would give an overview of the whole audit department. In this way, all audit team members could constantly monitor their progress, note when and where corrective actions are needed, and implement them timely.</p><h2>Maintaining Quality</h2><p>Considering that internal auditors are trusted advisors who are expected to provide valuable and useful insights, actions to measure and improve audit efficiency are meaningless if they result in poor quality audits. Thus, maintaining the holy union of efficiency and quality should never be questioned or compromised.<br></p>Maja Milosavljevic1

  • AuditBoard-July-2021-Premium-1
  • SCCE-July-2021-Premium-2
  • CIALS-July-2021-Premium-3