Practices

 

 

Use Your Headhttps://iaonline.theiia.org/2019/Pages/Use-Your-Head.aspxUse Your Head<p>The need for internal auditors to understand and apply critical thinking seems self-evident, especially with research showing the importance chief audit executives (CAEs) place on this skill. It’s also made an outstanding showing in The IIA’s annual Pulse of Internal Audit survey over the years. In 2018, 95% considered critical-thinking skills essential to their function’s ability to perform its responsibilities.<br></p><p>Unfortunately, while everyone agrees that critical thinking is important, they find it hard to define exactly what it is. If you ask 10 CAEs, you are likely to get 10 different answers. And at the core, those answers boil down to nothing more than internal auditors using their brains.</p><p>Fortunately, The Foundation for Critical Thinking provides a more practical definition: “The intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning, or communication, as a guide to belief and action.”</p><p>Using this definition, the Foundation for Critical Thinking developed an outline for critical thinking based on eight elements, described in the book, <em>The Thinker’s Guide to Analytic Thinking</em>, by Linda Elder and Richard Paul. Following is a framework for internal auditors’ use of critical thinking based on these elements.</p><h2>Thinking Critically </h2><p>Critical thinking requires understanding the purpose of the individual task toward determining the question to be answered. It also involves recognizing the various points of view brought to the task, as well as the assumptions, concepts, and theories upon which the work will be based. Information is gathered, leading to inferences or preliminary conclusions, which come together to provide final conclusions and consequences.</p><p>Thinking critically about the audit process means thinking critically about audit engagement tasks. This requires evaluating the tasks, such as interviews, functional tests, and risk assessments to better understand not only how they are completed, but also how critical thinking was used and how it can be used more effectively in the future. Some people consider critical thinking to be “thinking about how you think.” <br></p><p><strong>Understand the Purpose</strong> Identifying the objective of an audit engagement is fundamental. But the first step in critical thinking applies this concept to each activity conducted within the audit, providing guidance for the critical thinking that follows. The objective of an interview might be to learn the interviewee’s understanding of the process, the purpose of a test might be to ensure the organization is compliant with a specific regulation, and the goal of a meeting might be to confirm all parties understand the audit process. These objectives are often assumed, but critical thinking requires the auditor to be able to articulate them.<br></p><p><strong>Determine the Question</strong> The point of critical thinking is to come to a conclusion regarding a question or problem. Therefore, to think critically, internal auditors need to determine, based on the previously defined purpose, what question the individual task (test, interview, process documentation, etc.) will answer. Does this person understand his or her role in the accounts payable process? Is there a more efficient way to ensure new hires are appropriately vetted? Does the data support the effectiveness of controls? The question can be specific or broad, based on the detail of the work being done and the individuals involved. But it should align with the task’s purpose, as well as the overall purpose of the engagement.<br></p><p><strong>Understand Your Points of View</strong> Everyone approaches a situation with points of view, both positive and negative. Effective critical thinking requires understanding how they impact the ensuing analysis. Internal audit’s point of view might be that the department helps the organization achieve its objectives. However, because of internal audit’s focus on risks and controls, it also may approach engagements with a point of view that is skewed toward risk aversion or ignores missed opportunities as part of an assessment. For this reason, it is important to also consider other points of view and, as appropriate, include them in the analysis. <br></p><p><strong>Determine Assumptions</strong> Effective critical thinkers step back to determine the assumptions — beliefs we take for granted at subconscious or unconscious levels — being made to adjust for them. These can be positive (everyone in the organization is working toward success, or the client sees internal audit as a partner) or negative (the department being reviewed has never run well and will continue to run poorly, or no one in the organization sees the value of internal audit). Any of these could be true, but they should be evaluated to determine if they are accurate and what impact they will have on the analysis. <br></p><p><strong>Identify Concepts and Theories</strong> Concepts, theories, and principles help make sense of things. They are different than assumptions, which are ideas and beliefs brought to a project. Concepts and theories are the additional information and ideas that may be needed to conduct the analysis. Some of this information may already be known, such as control frameworks or standards for internal auditing. Others may require additional research, such as applicable laws and regulations or best practices in the industry. Ultimately, the internal auditor should confirm that, in every audit task, he or she understands the concepts and theories needed to answer the question being asked.<br></p><p><strong>Gather Information</strong> At the core of critical thinking is information, which is the lifeblood of internal audit work. Without it — data, evidence, and facts — there is nothing on which to base inferences and conclusions. Information should be applicable to the purpose and the question being asked, and the points of view, assumptions, concepts, and theories can result in the need for additional information. Many audit processes — interviewing, testing, process analysis, etc. — also are methods for gathering information.<br></p><p><strong>Recognize Inferences</strong> Analysis should begin when the audit engagement starts, with the auditor immediately drawing inferences and preliminary conclusions. This involves constructing hypotheses regarding what is occurring, then subjecting them to further analysis. For example, an initial interview may infer that a process is well-understood and controls are effective. Subsequent testing proves that controls are not working as designed and significant delays and errors are occurring. It is not that the initial inference was incorrect. Rather, the initial inference provided a base to identify the need for additional information. <br></p><p><strong>Provide Final Conclusions and Consequences</strong> This is the final step in the critical-thinking process. The testing, interviewing, reviewing, and analyzing lead to conclusions that answer the question and satisfy the purpose of the audit task. The conclusions also should provide direction on how to proceed — more testing, more interviews, additional data gathering, or completing the audit engagement. </p><h2>The Audit Process</h2><p>The preceding descriptions show how every stage of an audit engagement can be evaluated with an eye toward using effective critical thinking. However, specific issues related to the elements of critical thinking should be considered within every audit task. <br></p><p><strong>Risk Assessment</strong> One cause of the Great Recession was the subprime mortgage crisis. Analysts believe the complicated nature of these securities resulted in few people understanding how they actually worked or the impact of the associated risks. The lesson is that sufficient information should be gathered in the risk assessment process to ensure the intricacies of the process, as well as the associated risks, are understood. If the auditor does not feel comfortable with his or her understanding of how things work and how they might go wrong, then the audit task should not proceed until more information is obtained.</p><p>The subprime mortgage crisis also points to another important part of critical thinking in the risk assessment process: One reason the crisis was allowed to escalate was that everyone was benefiting. And people seldom question success. When a process or product is succeeding, the unconscious assumption is that risks are well-controlled. This leads to the inference that risks are mitigated and no further reviews are needed. Stated this way, we can see the fallacy. But it only becomes obvious when viewed through the lens of the critical-thinking framework.<br></p><p><strong>Interviewing</strong> A good interviewer confirms the answers given answer the questions asked and support the overall purpose of the interview. In addition, because people, even internal auditors, have personal agendas, the interviewer should safeguard that no assumptions about the validity of answers intrude on inferences being drawn. <br></p><p>Inferences will be made during the interview regarding how new information may have changed the structure of the interview, the subsequent information gathering, the purpose of the interview, and, in rare cases, the purpose of the engagement. Navigational change can come from any task within the audit process.<br></p><p><strong>Process Documentation</strong> As with interviewing, information gathered during process documentation may result in navigational changes. And it is important that the internal auditor not look only at what is presented. Taking off the blinders — watching what else is occurring — may result in inferences and preliminary conclusions that change the focus of the audit. For example, if the auditor is working in a warehouse and notices an unmarked van occasionally picking up a box or two, it may represent a significant issue requiring follow-up. Even something as simple as a large pile of papers on a desk may indicate an issue that needs to be addressed. <br></p><p><strong>Testing</strong> Entrepreneur and author Seth Godin notes, “Connecting the dots … is more essential than ever before. Why, then, do we spend so much time collecting dots instead? [A] big bag of dots isn’t worth nearly as much as [a] handful of insight.” The volume and accessibility of data has resulted in including as much data as possible in every test. Critical thinking requires understanding why specific data is needed — how it supports the purpose of the test, itself, and of the audit engagement. A 100% sample may not be required, no matter how easy it is to retrieve. Being awash in data can actually inhibit the critical-thinking process. Never gather data just because you can; gather data because it supports what you are trying to achieve.</p><h2>Report Writing</h2><p>Much of internal audit’s focus on critical thinking centers on report writing, when all the inferences and conclusions come together for presentation to the client. But everything that goes into the report — the data gathering, the process descriptions, the conclusions — should have occurred long before the report is drafted. If critical thinking is applied throughout the internal audit process, one of the biggest struggles in report writing can be eliminated.</p><p>The overall purpose of report writing needs to be understood and some additional questions need to be addressed, such as what is the purpose of the report, who is the report for, what does the reader care about, and what is internal audit trying to say? Answering these questions — reviewing the assumptions that are being made about reports — will give the internal auditor a better grasp of the content to include.</p><h2>Thinking About How You Think</h2><p>Thinking about how you think is the first step every internal auditor should take. A good exercise is to take a specific task — an upcoming interview, functional test, or walk-through — and work through the critical-thinking framework. This will help auditors see the good and bad habits they use in the thinking process and allow them to build on their strengths and work on their weaknesses. Continue this exercise and, eventually, an increased awareness of how critical thinking is used in all situations will develop. And it will make auditors, audit departments, and the profession better. <br></p>Mike Jacka1
The Lines of Independencehttps://iaonline.theiia.org/2019/Pages/The-Lines-of-Independence.aspxThe Lines of Independence<p>A lead auditor comes to work one day and is instructed to do an audit engagement with another auditor. However, the lead auditor is aware that the indicated team member is not independent with regard to the underlying audit subject. The prudent and diligent lead auditor presents this information to the relevant superior and asks that the team member be replaced. Yet, not only is the compromised auditor left on the engagement, but the lead auditor is then instructed not to share this information with anyone and to conduct the audit engagement as initially planned. What should the lead auditor do?</p><p>Standard 1100: Independence and Objectivity says internal auditors are expected to be objective and independent in performing their professional duties. However, there isn’t always specific guidance on how they should behave in situations that put ethical pressure on them. The first question is whether the auditor is even able to recognize such a situation. Once that is determined, the next relevant question is who can the auditor escalate the issue to. In such instances, the auditor may be afraid of losing his or her job by speaking up about these kinds of issues.</p><p>Several suggestions may help internal auditors deal with challenging ethical situations while protecting their own independence.</p><h2>Start From the Beginning</h2><p>Internal auditors are obligated to adhere to The IIA’s Code of Ethics, the principles and expectations that govern the behavior of auditors in conducting their work. The Code of Ethics comprises integrity, objectivity, confidentiality, and competency. Although these principles are general in their nature, each has minimum requirements for conduct and behavioral expectations. Ultimately, they set the tone for the ethical practice of internal auditing. Thus, understanding and keeping in mind the requirements outlined in the Code of Ethics is an excellent starting point for every internal auditor in preserving his or her independence and conducting ethical audit engagements (see The IIA’s implementation guidance on the Code of Ethics released in early 2019).</p><h2>Speak Up<br></h2><p>Presenting the situation realistically, based on facts, and with all the relevant details, can help auditors protect themselves. Internal auditors derive objective conclusions based on facts in their everyday work. By not speaking up, auditors can inadvertently become collaborators and supporters of ethical violations, which can impair their own independence. Regardless of the specific circumstances, auditors should be aware that working on an engagement with another auditor whose independence is impaired weakens the independence of all involved auditors and the entire audit engagement.</p><h2>Ask for Advice</h2><p>Some ethical problems may not have an obvious solution. One good option may be to ask colleagues with more experience for advice. Without necessarily presenting the underlying situation with complete details, auditors can get valuable advice on how to protect themselves and create a win-win situation for everyone involved. Additionally, auditors might find it useful for their own professional development to listen to the experiences of their colleagues. Hearing about ethical challenges that others have faced can help auditors recognize the indicators of independence impairment.</p><h2>Create Ethical Safeguards</h2><p>There are no rules that can help auditors preserve their independence in every situation they may encounter while doing their jobs. Being unaware of their impaired independence does not excuse auditors from responsibility. On the contrary, it is up to all auditors to recognize the situation they are in and to adequately protect themselves. With the right approach to engagements, auditors can eliminate the possibility of compromising their independence. </p><p>Some examples of situations that may adversely affect auditor independence include:</p><ul><li>Intimidation by management that makes the auditor concerned about his or her job.</li><li>Personal relationships outside of the office with the CEO, chief financial officer, senior managers, chief audit executive (CAE), other auditors, or employees in the area being audited. <br></li><li>Accepting gifts or favors from co-workers who may expect something in return.</li><li>Assigning auditors to assurance engagements in their previous employment area less than one year after transitioning into internal audit.</li><li>Expecting auditors to make business decisions and perform nonaudit-related operational tasks.</li><li>Basing auditor compensation on the number of audit findings during engagements.</li></ul><h2>Escalate the Issue</h2><p>One effective way to deal with an ethical dilemma in which there is a threat to an auditor’s independence is to escalate the issue. In the case of the lead auditor letting the audit supervisor know of a compromised team member and the supervisor keeping that auditor on the engagement, the lead auditor should ask the supervisor why he or she wants to move forward with that auditor. If there is good reason, the lead auditor should remind the supervisor that the <em>International Standards for the Professional Practice of Internal Auditing</em> requires that the impairment be disclosed to relevant parties. If escalating the issue to the direct supervisor does not help, the next step should be to escalate it within the audit department. If the CAE then does not address the issue, the lead auditor should consider the harm lack of independence might cause. If it is significant, other escalation possibilities should be considered. Whistleblowing systems and ethics hotlines, which are generally present in organizations today, can help auditors report any questionable situations they are dealing with without direct confrontation.</p><h2>Long-term Implications</h2><p>If an internal auditor is confronted with a situation that impairs his or her independence or that of a team member, and none of the actions taken has resolved the issue, then he or she should consider the long-term implications. As a last resort, an auditor can resign from the job. If an auditor’s independence were found to be compromised and he or she was working unethically, the auditor could not only be fired, but he or she could also lose all professional credibility, which can be difficult to regain.</p><h2>The Basis of Board Trust</h2><p>The IIA defines <em>internal auditing</em> as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Boards of directors rely on internal audit to provide them with reliable information for effective decision-making. This information is most trusted when it comes from an internal audit function that demonstrates its independence.   <br></p>Maja Milosavljevic1
Internal Auditors Should Be Bravehttps://iaonline.theiia.org/2019/Pages/Internal-Auditors-Should-Be-Brave.aspxInternal Auditors Should Be Brave<p>"You can’t say that!”<br></p><p>My boss, the chief audit executive (CAE), was telling me to change the audit report. For the second year in a row, my team found that accounting was not performing important reconciliations on time. As a result, financial reporting could be materially misstated and significant fraud might go undetected.</p><p>Rather than simply advising on-time completion of reconciliations, the audit team had performed a root cause analysis. They found that, due to cost-cutting, staffing in the unit responsible for the reconciliations had not only been reduced but also tasked with numerous special projects. The unit lacked sufficient people to meet its responsibilities without significant overtime, which management would not approve. Even if it did, the level of overtime would inevitably lead to burnout and the loss of valuable employees. Although we had found deficiencies relating to reconciliations, the staffing issue might affect the performance of other important controls.</p><p>The draft audit report explained that insufficient resources had elevated the unit’s risk level and recommended adding permanent staff or contractors at month-end. The CAE, however, was reluctant to include that information. He said that his name was on the audit report, and he refused to recommend an action he was sure management would ignore. In fact, management would be angry that we had questioned its cost-cutting strategy. We delivered the report without identifying the root cause and merely recommended completion of the reconciliations.</p><p>The original report was correct, explained the business risk, and recommended appropriate corrective actions. But perhaps because he feared how management would react, the CAE kept part of the story — part of the risk — to himself. The CAE, in other words, was not brave.</p><p>It can be hard for internal auditors to tell their stakeholders, whether at the board level or in top management, what is putting the organization at greatest risk. It can be hard to say that control failures stem from insufficient staffing, inadequate pay, or imperfect leadership. It can be hard to say that the organization’s structure, processes, people, and methods are not agile enough to succeed in today’s dynamic world. But these are all truths that need to be told. If no one tells the emperor he has no clothes, he will carry on without them.</p><p>Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out. Yet if they are to be effective, they must be able to do so — even at great personal risk.</p><h2>The Ineffective Manager<br></h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​What is Bravery?</strong><br> </p> <p>Under ideal circumstances, the audit committee would help create an environment that enables the chief audit executive to be brave. But few board members will oppose an angry CEO or CFO in favor of a respected but more junior and expendable executive.</p><p>Internal auditors need to be brave, but not reckless. Several practices can help auditors take bold action when needed, including:</p><ul><li>Building trusted relationships with the top executives and each individual on the audit committee.</li><li>Planning the communication carefully, laying the groundwork for each discussion. Make sure your words are clear and unlikely to be misunderstood.</li><li>Communicating in person, one-on-one, and not relying on others to communicate for you.</li><li>Moving progressively up the organizational hierarchy, approaching each individual with an open mind and listening to his or her views — obtaining agreement and support before moving to the next level. Respect each individual’s needs and the implications of the situation for him or her personally as well as for the organization. Consider asking each of them to attend your meetings with more senior management, all the way to the board, as appropriate.</li><li>Listening and being prepared to modify your assessment if you’re wrong, even if it’s just moderating the language.</li><li>Talking with and listening to allies and others who can help you.</li><li>Ensuring no one is surprised, especially in front of others.</li><li>Building a reputation for maintaining professional integrity. Honesty, ethics, and professional responsibility should always be top of mind.<br></li></ul></td></tr></tbody></table><p>A few years later, when I served as CAE at another organization, I tasked my team with an audit of the Commercial Accounting function. Significant billing errors had been made, and our priority was to find out why.</p><p>When we interviewed the department head, a rising star at the company, he explained that errors had been made because his employees were incompetent. Not a single accountant had passed the CPA exam. As a result, he had to do all the challenging tasks himself, requiring him to work many hours each day and most weekends. Mistakes were inevitable. He asked that we recommend human resources change the job requirements to include a CPA or equivalent. </p><p>The audit lead asked me if we could make such a recommendation. His team confirmed that the department head was Commercial Accounting’s only CPA and that the function often needed to perform complex accounting tasks. I told him to speak with each of the Commercial Accounting staff members and form his own opinion on whether they were competent to perform the work. </p><p>The interviews went well. I was surprised to learn that the staff had many years’ experience in commercial accounting, including the more complex tasks the department head said they were not competent to perform. The employees were proficient, but their manager did not allow them to make decisions. In fact, he gave them simple assignments and never explained what he was trying to accomplish. Many of the employees were frustrated and considering leaving the company. </p><p>The department head was the root cause of the control failures. The audit team asked if we should indicate that in the audit report. I said there were better ways to communicate the results of the audit and our assessment — as well as our advice and insight — than the formal, written audit report. </p><p>I sat down with the division CEO, one of the top three executives in the company, and shared the facts. He told me he had suspected a management problem but hesitated to act because the corporate chief financial officer (CFO) favored the department head. He asked what I thought should be done — I refrained from recommending specific actions, in the interest of maintaining my independence.</p><p>We issued the audit report after discussing the situation with all senior parties. In the report, audit committee members saw an assessment that, while errors had been made, appropriate actions had been taken. I shared the rest of the story with them at the next audit committee meeting, with additional comments from the division CEO and the corporate CFO.</p><p>Was this an act of bravery? Looking back, I can say that while it was difficult to tell senior management that a rising star was not only underperforming but unlikely to be effective in the future, the risk to me was minimal. I explained the facts objectively and dispassionately, allowing senior management to make an informed and intelligent decision. They respected that ability and our willingness to go beyond traditional auditing to provide them with our insights on the management of Commercial Accounting. By the time I had to report to the audit committee, I had the support of each member of management. The division CEO, who attended the meeting, told the directors he agreed with our assessment and that we had taken the appropriate action.</p><h2>The Fearful CAE <br></h2><p>At my next company, the audit team uncovered financial statement frauds in several U.S. locations within the organization’s largest business unit. The company had more than 100 locations around the world, most of which were underperforming. Senior management was thinking about consolidating operations to cut costs, placing the locations’ general and financial managers under great pressure.</p><p>I wanted to know why so many local U.S. controllers were manipulating their financial results to show profits when, in fact, they were breaking even at best. Our inquiries revealed they were not doing so to put money in their pockets; their motive was to save their unit from closure. But we also uncovered a more significant problem: When the local controllers reported a projected loss to the business unit controller at headquarters (HQ) during their quarterly updates, he consistently asked them to “find a way to make the number.” After discussing the instruction with their local general manager and finding no legitimate means of achieving their financial targets, the unit controllers fabricated profits. </p><p>Once we started auditing, the frauds were easy to find — management subsequently terminated both the local controllers and general managers. But my concern was not limited to whether the business unit controller had acted inappropriately; I also considered the possibility of a pervasive control environment or culture issue.</p><p>The HQ business unit controller did not direct the unit controllers to act inappropriately, but he failed to impress on them the need to act with integrity despite the pressure. When I explained the situation to the corporate CFO, to whom I reported, he expressed confidence in financial management of the business unit at HQ. I had no persuasive evidence that either the CFO or the HQ controller intended the units to manipulate their financial results. I asked the CFO to reinforce the need for integrity by sending a memo to that effect to the company’s entire financial staff, but he said the code of ethics already covered this principle. I suggested a conference call with global finance leadership, but he said that was also unnecessary. I also suggested it might be prudent to have the local controllers report directly to HQ and then to him; he told me that was not how the organization operated.<br></p><p>After completing our investigations, we concluded the frauds were not material to the financial statements. Still, the underlying conditions had not changed, and the possibility remained that additional fraud might be committed. I felt an obligation to share the facts with our audit committee, as well as my belief that the organization’s overall control environment could be improved to help the local controllers do the right thing regardless of pressure.</p><p>When I met with the committee chair, a retired CFO, he listened carefully and agreed that I had an obligation to share the facts, as well as my perspective on the control environment, with the full committee. He also agreed to talk to each of the audit committee members before the meeting to prepare them for the discussion.</p><p>Next, I informed the CFO that this would be on the audit committee’s upcoming meeting agenda and outlined what I would say. I told him I would not imply he or his team was involved in the frauds. And while I offered to forewarn the company’s CEO, the CFO insisted that I leave that conversation to him. The CFO also committed to share his perspective on the issue and what actions should be taken, after I had spoken.</p><p>Unfortunately, the committee meeting did not go well. The chair had not provided sufficient details about my report to all the committee members in advance, and one overreacted. He was afraid the CFO and corporate controller had been involved in the fraud, despite my assurance that I had no reason to believe they were. Although the committee member calmed down, the CFO did not speak up either to comment on the environment that led to the frauds or to suggest corrective actions. The CEO and the audit committee chair remained silent. </p><p>After the meeting, I spoke with the audit committee chair again. He apologized for the way the meeting had gone but said the committee would not support me in a dispute with the CFO. He knew that the CFO had at one point asked me to stop the audits that were identifying the frauds, which I declined to do, and that our relationship was strained. Moreover, he was as surprised as I was that the CFO didn’t comment during the meeting and suspected that was deliberate.</p><p>The audit committee believed in me, but the CFO was also highly respected and “had a bigger business card.” Both the CFO and the CEO wanted this issue to “go away” without having to take action themselves.</p><p>Shortly afterward, the HQ controller reached out to me; he said I had acted with integrity, agreed with my perspectives, and gave me his support. Nonetheless, the CFO and I agreed a few months later that we should part ways, and I left the company some time afterward.</p><p>Was I brave? I knew the CFO did not want this “dirty laundry” aired before the audit committee, and I knew he would likely find a way to remove me at some point. But I was professionally obliged to share the facts and what they meant with the audit committee. In hindsight, I should have spoken to each of the audit committee members myself, despite the chair saying he wanted to do it. Nobody attending the audit committee meeting should have been taken by surprise, as one director clearly was.</p><p>Perhaps others, such as the CAE I mentioned earlier, would have been more prudent. But even with hindsight, I believe I did what I had to do.</p><h2>Take a Stand<br></h2><p>Internal auditors must be determined to tell the harsh truth and do so in a way that clearly explains the facts and any recommended actions. They need to be prepared to sacrifice their job, and even their career, if necessary. Auditors must be brave, acting in the best interests of the organization and consistent with their principles. Anything less is a disservice to the profession and the stakeholders we serve. <br></p>Norman Marks1
Internal Auditing in 2020https://iaonline.theiia.org/2019/Pages/Internal-Auditing-in-2020.aspxInternal Auditing in 2020<h2>What are the biggest risks organizations will face next year?<br></h2><p><strong>Joyce</strong> For many, cybersecurity, data management, and third-party vendor compliance will remain the biggest immediate concerns. Recruitment and retention of skilled employees will be an ongoing challenge. However, we are living in an unusually high period of general uncertainty. The economic and political environments, extreme weather, trade relations, regional military action, etc., all create the potential for “black swan” type risk events that auditors should be thinking about. This may require revising traditional risk assessment approaches to reflect the potential impact of these uncontrollable events.  </p><p><strong>Ybarra</strong> The continual rise of automation, robotics, and the less-than-predictable geopolitical climate will impact how organizations do business and will challenge their resilience. There will be more pressure to ensure operating strategies and staff are agile and flexible enough to withstand a potential recession, impacts to supply chains, and a changing workforce. The talent and platforms that are creating value today may need to quickly shift and adapt as things change more rapidly.<br></p><h2>What risks do digital transformation initiatives present organizations?</h2><p><strong><img src="/2019/PublishingImages/benito-ybarra.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Ybarra</strong> Organizations must ensure that digital transformation initiatives are prioritized and measured based on the criticality of their data assets. Undisciplined approaches that do not consider classification, access, and data security could incur more costs than the transformation is projected to save. Ensuring key players are involved in the development and execution of initiatives is critical to achieving higher success rates.</p><p><strong>Joyce</strong> The first risk would be failing to recognize the need to transform one’s business model quickly enough, and to establish a clear vision of the desired end state. The second risk would be failing to effectively manage these projects. These transformative projects tend to exceed expectations regarding complexity, budget, resource demands on personnel, scope creep, etc. Equally vital is ensuring a flawed process is not digitized in the hope that greater use of technology alone will create value. Like most large projects, a digital transformation initiative requires clearly established objectives that support the stated strategy, adequate resources and support from senior management, continuous supervision, measurable metrics to gauge progress, and contingency and parallel operational capabilities to mitigate delays.<br></p><h2>What opportunities does the recent change to the Statement on the Purpose of a Corporation offer internal audit?</h2><p><strong><img src="/2019/PublishingImages/Mike-Joyce.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Joyce</strong> You are referring to the Business Roundtable’s announcement in August 2019, when more than 180 CEOs committed to lead their companies for the benefit of all stakeholders. This represents a significant conceptual shift from their prior corporate governance statements, which have historically emphasized shareholder primacy as the dominant stakeholder. While it remains to be seen how effective this emphasis will eventually be, the idea that putting customers first, investing in employees and their local communities, engaging fairly and ethically with suppliers, and long-term value creation are directly connected to ultimately positive shareholder returns is certainly one that can be supported through internal audit assurance of the specific goals established to achieve measurable results. </p><p><strong>Ybarra</strong> The potential here is huge, as it calls for the focus of the organization and its leaders to be broader than providing shareholder value. Auditors will need to consider how organizations generate value, in addition to their focus on revenue and expense drivers. For instance, concluding on the organization’s ability to “support the communities in which we work” could be a monumental challenge for some internal auditors; however, focus on areas like this could help further differentiate and elevate an internal auditor’s role and highlight those with dynamic abilities. It will be increasingly important for auditors to communicate with boards and leadership to ensure focus in assessing progress in these areas is supported and aligned with expectations.<br></p><h2>What role should internal audit play in providing assurance over the information going to the board?</h2><p><strong>Ybarra</strong> The mission criticality and necessity of information going to the board should be assessed by internal audit and included, to some extent, in its engagement plan. Boards provide oversight and key approvals based on the information they are provided, and they must be assured that the information can be relied on. Deeper discussions with the executive team and audit committee regarding this level of assurance must occur to ensure their engagement and support.</p><p><strong>Joyce</strong> Clearly, recent survey results have demonstrated an inconsistent confidence level that boards receive the information they need to effectively manage strategic risks. To that end, chief audit executives (CAEs) might start by validating their audit committee’s comfort with the level, depth, and timeliness of information they currently receive to satisfy their oversight responsibilities. Are the internal processes that compile this information designed to promote accuracy and transparency? What information provided is highly valued, and what information is ignored, or found not to be relevant? Obviously, time and effort should be devoted to facilitating those information streams that most directly relate to the board’s strategic and governance accountabilities.</p><h2>How can internal audit help address toxic cultures in an age when corporate behavior is under the microscope?</h2><p><strong>Joyce</strong> There should be no tolerance in today’s world for toxic corporate behavior. It drives away good employees, and will ultimately damage or destroy organizations that fail to identify and correct it. Internal audit is in an ideal position to continually assess the ethical and compliance environment within their organizations, and report opportunities for resolving gaps. They can partner with their compliance, legal, and human resource functions to ensure that employees are encouraged to report potential wrongdoing, and are supported and protected when they do so. They can ensure that any appropriate corrective or disciplinary action is applied timely, fairly, and consistently at all levels. They can measure the actions and examples set by senior management, and reinforce their critical responsibility to serve as behavioral role models. They can ensure that dialogue at the audit committee level includes frank discussions on these subjects when applicable. </p><p><strong>Ybarra</strong> No. 1 is to take a position on identifying and rooting out issues with the culture. Auditors can get stymied by seeking undeniable criteria on which to base their conclusions. It will take: 1) creativity and communication to formulate and agree on the elements of culture that will be evaluated; 2) conducting engagements or including evaluation of these elements in every audit engagement; and 3) having the courage to report results, offer potential solutions, and follow up to ensure effectiveness and sustainability.<br></p><h2>What skills should CAEs be looking for in new internal audit hires going forward?</h2><p><strong>Ybarra</strong> In evaluating potential hires, CAEs should be looking for an ability to listen, process, and demonstrate understanding before offering solutions. I’ve run across too many internal auditors who have answers before the problems are even identified. The mark — and genesis — of internal auditors is in their ability to listen. It’s a basic skill that we need to continue to practice and teach.</p><p><strong>Joyce</strong> In many respects, the attributes of an effective new auditor haven’t changed much in my 36 years in the profession. Basic technical skills will always be required, and the emphasis on adopting and maximizing emerging technology will continue to grow. Having a problem-solving and inquisitive nature also are important. However, soft skills are ultimately what sets a great auditor apart from an average one. The ability to effectively communicate, both verbally and in writing, is more difficult to teach a new auditor than how to sample accounts payable invoices, for example. Much of our job should be engaging with operational staff in a manner that makes them comfortable enough to share information and explain processes in a way that we may not have identified on our own.  <br></p>Staff1
Mastering the Organizationhttps://iaonline.theiia.org/2020/Pages/Mastering-the-Organization.aspxMastering the Organization<p>How many times have you been asked by your stakeholders:</p><ul><li>What is the best practice in this process?</li><li>Why should I care about that control?</li><li>How have we addressed risk within our organization?</li><li><p>What about the smaller, less material areas? Are we adequately covered?</p></li></ul><p>Internal auditors, by nature of our position and the work we do, should have some level of expertise in all of the processes we touch. If internal audit's main goals are to 1) protect the organization and 2) add value, then we should always strive to learn and work toward understanding the areas we are assessing. But how does internal audit accomplish this? The internal audit team at US Silica in Katy, Texas, focuses on continually gaining trust, understanding its stakeholders, and stepping in to help. <br></p><h2>Gain Trust</h2><p>The audit function's expertise would be virtually meaningless without stakeholder confidence and trust in our ability to provide value. Our goal is to create a culture where individuals feel comfortable bringing issues to our team and trust that we will help address them, rather than simply writing up a report of the issue, placing blame, and walking away.</p><p>We gain trust by devoting time to educating departments, management, and employees on corporate governance, compliance with the U.S. Sarbanes-Oxley Act of 2002, revenue recognition principles, fraud, and all of the areas with which internal audit is involved. When we acquire a company or bring on new team members in any department, our first step is always to educate. Educating allows us to introduce the role of internal audit and foster a strong governance culture before issues arise or we perform audits. </p><p>Another part of gaining trust is to provide useful insights. To do that, internal audit first must ask the right questions, do our homework, and involve the correct people in our audits to ensure we have all of the puzzle pieces. Our expertise comes from being able to figure out which pieces are important and how they best fit together. For example, we are currently helping one of our locations streamline and automate several of its approval processes to reduce the amount of emails and manual touch points.  </p><h2>Understand Your Stakeholders</h2><p>Some people associate networking with simply learning about someone's personal interests or asking about his or her family. That is one part of getting to know one's colleagues. But for internal auditors to be successful, they must be able to turn the conversation to what is important to the organization's goals and use internal audit's experience to help improve upon the process. We listen to the frustrations that teams may have and think about how we can incorporate automation or systems, or how other departments are handling similar processes that might provide useful solutions.</p><p>When internal audit schedules planning meetings with teams within the company, we spend more time listening than talking. We may come prepared with a few questions based on our research of their role and department, and then we actively listen to what the client has to say. In creating a risk-based audit plan, the most useful audits come from understanding the goals of the organization, teams, and individuals and then shaping the plan around the risks the organization may face in achieving those goals.</p><h2>Walk the Talk</h2><p>This is where the hard work comes in. Internal audit partners with the organization. If there is an emergency or a broken process, we act as part of the team to help fix the problem. In other words, we demonstrate the expertise we've gained by applying it when needed. We do not use internal audit's independence as a scapegoat for not helping.</p><p>There are a multitude of ways internal audit can be a team player and maintain its independence. For instance, internal audit may not be able to post journal entries and put together reconciliations, but we can help find ways to automate processes, research issues, and propose better solutions. Internal audit can even go so far as helping create templates and determine the requirements for the proposed automation and then step aside and let the experts take it from there.</p><p>Not every audit needs to be a major overhaul — the quick wins matter too. Any support internal audit provides to making the company stronger and faster is going to have an impact. For example, our internal audit team helped achieve a quick win by researching and proposing higher materiality thresholds in lower risk processes to ensure the company is focusing on material transactions and reducing time spent in lower risk areas. We've also helped find long-term solutions such as implementing automation with third-party service providers to reduce manual workload and increase data accuracy.</p><p>And walking the talk goes beyond mastering the audits we are performing or processes we help fix to measuring and marketing internal audit's progress. There are countless articles that explain how to build one's brand, and it is just as important to build the internal audit team's brand. Advocating for internal audit will lead to others advocating for the positive change internal audit brings. </p><h2>Repeat and Evolve</h2><p>At US Silica, internal auditors strive to constantly improve. We stay current on industry technologies, tools, and techniques. We stay relevant by actively participating in project teams, reviewing our accomplishments and goals with management, and continually refining our internal audit processes to improve our team's approach. And if we can continue to focus on internal audit's core values, then our success will speak for itself in the work we do. <br></p>Robin Meister0
Audit Wellnesshttps://iaonline.theiia.org/2019/Pages/Audit-Wellness.aspxAudit Wellness<p style="text-align:justify;">Auditing is a knowledge-based profession, which means its practitioners have to think for a living. We work extensively with data, requiring significant concentration and focus. We evaluate the effectiveness of business operations, necessitating an ability to analyze and problem-solve. Our capacity to perform these activities effectively hinges not only on our expertise, but on how we take care of ourselves.</p><p style="text-align:justify;">The way we treat our bodies affects the chemicals in our brain, which in turn affects the performance of our minds. Without a strong and healthy mind, everything becomes more difficult — working with spreadsheets, performing analytics, communicating with clients, and so on. Even with extensive knowledge of audit standards and robust technical skills, a weak mind inevitably will affect audit effectiveness. For this reason, internal auditors may want to consider several wellness habits that could help fortify the mind and enhance work performance.<br></p><h2>Improve Focus and Concentration </h2><p style="text-align:justify;">Today's world presents a host of distractions — social media, emails, text messages, reminder notifications — that compromise our ability to focus. We have a "need to know now" tendency, where every notification chime or pop-up banner prompts an immediate screen check. But if we don't check Facebook, Twitter, or Instagram during the day — are we really missing anything important? Would the world come to an end if we didn't respond to emails right away? If someone had a truly urgent request or need, wouldn't a phone call likely accompany the emails or texts?</p><p style="text-align:justify;">According to a 2017 OfficeTeam survey of U.S. organizations, office employees spend about five hours each week on their cellphone focused on nonwork activities such as answering personal emails and checking social media accounts. Succumbing to distractions breaks one's concentration. Plus, valuable time and energy can be lost trying to get back into the flow of the previous task. These little distractions add up and over time negatively affect our budgets, project delivery, and work quality. An auditor's attention is already divided — working on different engagements, across multiple audit sections, with different directors and staff members — and the pressure to deliver can be intense. Introducing unnecessary distractions only makes it harder. Turning off the smartphone, or at least minimizing screen time, can go a long way toward maintaining one's attention on tasks at hand. </p><p style="text-align:justify;">Still, no one is born knowing how to focus. And the workplace is full of interruptions beyond our mobile devices. Co-worker drop-bys, impromptu meetings, Slack messages, and last-minute requests are part of most auditors' daily reality. Over time, these constant demands and interruptions take a toll on our attention span.</p><p style="text-align:justify;">Sustained focus is achieved through practice and deliberate actions. One form of focus training that has gained significant attention in recent years is daily meditation. <br></p><p style="text-align:justify;">According to a 2018 article in the <em>Journal of Cognitive Enhancement</em>, "Regular and intensive meditation sessions over the course of a lifetime could help a person remain attentive and focused well into old age." Researchers came to this conclusion based on results of one of the most extensive longitudinal studies examining a group of meditation practitioners. Beyond enhanced focus and concentration, studies also point to stress and anxiety reduction, improved emotional health, enhanced self-awareness, better sleep, and decreased blood pressure as benefits of regular meditation practice. Taking a daily, restorative mental break could help enhance overall well-being and improve readiness for whatever lies ahead. <br></p><h2>Enhance Learning</h2><p style="text-align:justify;">To keep up with the demands of their work, internal auditors must be able to learn quickly. Auditors do not have the luxury of spending years learning and understanding all the various facets of an organization or department. Practitioners need every advantage they can muster to help tackle what is often a steep learning curve. That requires agility and critical thinking, including the ability to apply past experience to new assignments and to find connections across different parts of the business. Without these skills, problems such as budget overruns and failure to provide timely deliverables are more likely to occur.</p><p style="text-align:justify;">One way of increasing mental agility and learning capacity is through physical exercise. According to a 2014 study conducted by the University of British Columbia, regular aerobic exercise boosts the size of the hippocampus — the area of the brain connected to verbal memory and learning. Other research has shown benefits of exercise to include better alertness, attention, and motivation. While exercise may sometimes feel like a drain on one's already busy schedule, the benefits of adding it to a daily or weekly routine can easily outweigh the cost of time it takes to perform.  <br></p><h2>Fight Fatigue</h2><p style="text-align:justify;">According to the book <em>Fatigue Science of Human Health,</em> co-edited by fatigue science expert Yasuyoshi Watanabe, "Mental fatigue caused by prolonged mental work not only [results in] an increase in sensation of fatigue, but also a decrease in work efficiency." Auditors can easily suffer from mental fatigue during busy season, or while working on a large project with several moving parts and a hard deadline. Fatigue can present itself in the form of drowsiness, decreased motivation, irritability, and distraction. The symptoms not only slow down our work, but could lead to errors in judgement, inaccurate interpretation of information, and loss of valuable time and money.</p><p style="text-align:justify;">One way to battle brain fatigue is by maintaining a healthy diet. According to an article by neurosurgery professor Fernando Gomez-Pinilla on Brainfacts.org, "Because the brain demands such high amounts of energy, the foods we consume greatly affect brain function." Food provides fuel for performance, but not all food is good for the body and mind. In fact, some foods actually reduce energy and can damage mental health and functioning. A 2018 <em>Healthline</em> article, "7 Foods That Drain Your Energy," lists the following culprits: bread and pasta; cereal and yogurts; alcohol; coffee; energy drinks; fried and fast foods; and low-calorie snacks, which can reduce energy levels.</p><p style="text-align:justify;">By contrast, many foods can serve to boost brain health and improve cognitive functioning. In its article, "Foods Linked to Better Brain Power," Harvard Medical School includes green, leafy vegetables, fatty fish, berries, and walnuts among a list of "best brain foods." So when mid-afternoon fatigue sets in during a critical audit engagement, practitioners may want to put down the sugary sweets in favor of these healthier, brain-friendly alternatives.</p><p style="text-align:justify;">Of course, what really sets the stage for mental alertness each day is what happens the night before — the amount of sleep a person gets. In a 2015 <em>Scientific American</em> article, John Peever, director of the Systems Neurobiology Laboratory at the University of Toronto, and Brian J. Murray, director the sleep laboratory of Sunny Health Center, described the function of sleep in this way: "Sleep serves to reenergize the body cells, clear waste from the brain, and support memory and learning." Research from the National Sleep Foundation indicates that adults need between seven and nine hours of uninterrupted sleep.</p><p style="text-align:justify;">Staying up late to binge-watch online content or catch up on social media has consequences. After working a long day, auditors should consider what their brain needs for the following days' work. <br></p><h2>Stay Well</h2><p style="text-align:justify;">Effective audit performance starts from within. Making healthy lifestyle choices can provide a solid foundation for any practitioner's well-being and ability to succeed. As research shows, maintaining a healthy body and mind is key to optimal performance. <br></p>Michelle Swaby1
Don't Just Measure It, Do Something!https://iaonline.theiia.org/2019/Pages/Dont-Just-Measure-It-Do-Something.aspxDon't Just Measure It, Do Something!<p>​How do you measure the success of your internal audit department? The subject comes up repeatedly in conferences, articles, research, and chapter meetings. It is obviously an issue that plagues and perplexes audit departments everywhere, and finding the answer seems to be a holy grail quest for the profession.</p><p>The challenge certainly doesn’t come from a lack of possibilities. Everything from audits completed to use of available audit hours to requests for audits to customer satisfaction to corrective actions completed to efficiency improvements identified to certifications achieved to the number of auditors who can dance on the head of a pin have been suggested, adopted, and rejected. But we all continue to search for internal audit’s success-measurement El Dorado. </p><p>The reason our search continues to fail, even with this unending supply of possibilities, is that audit departments forget two important rules pertaining to the development of success measures. Rule No. 1: The measures should be developed in support of the audit department’s mission. If the department cannot demonstrate how the measures support that mission, then they become vanity measures serving no purpose other than saying, “Look at us!” Note also the assumptions built into this rule — internal audit has a mission statement, that mission is in alignment with the organization’s mission, and every auditor knows and can recite the mission statement. Missing any of these elements results in ineffective measures.</p><p>However, most important is rule No. 2: At the end of the day, have a plan for how all those measures will be used. Author and marketing guru Seth Godin once stated, “Don’t measure anything unless the data helps you make a better decision or change your actions.” And unless an audit department uses its measures to improve internal audit’s choices, do better work, or make the department more effective, then collecting the associated data is just a waste of resources, time, and effort. </p><p>Many audit functions measure, but I have seen very few that use those measures to get better. At most, if they are not meeting the criteria promised to the audit committee, there will be much wailing and gnashing of teeth as the chief audit executive promises improvements. Then the failures are merely used as a blunt instrument to bludgeon members of the audit department into doing better. </p><p>Internal audit functions rarely analyze their shortfalls against success measures to determine the root cause. Too often their response is a simple, “We didn’t meet the measures of success this year so, honest, we’ll work harder next time.” This is a response we wouldn’t accept from a client, and one we cannot accept from ourselves.</p><p>Make sure you are measuring the right things. Make sure you are meticulously ensuring the credibility of the resulting data. And then make sure you are using the results to effect positive change. </p><style> p.p1 { line-height:12.0px; } p.p2 { line-height:12.0px; } p.p3 { text-indent:18.0px; line-height:12.0px; } p.p4 { text-indent:9.0px; line-height:12.0px; min-height:11.0px; } p.p5 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { letter-spacing:0.1px; } span.s3 { font:8.0px Interstate; } </style>Mike Jacka1
The Auditor's Mindsethttps://iaonline.theiia.org/2019/Pages/The-Auditors-Mindset.aspxThe Auditor's Mindset<p>Cognitive biases can threaten any individual’s capacity to make good decisions. For internal auditors, audit interviews pose unique settings in which cognitive biases can threaten their professional skepticism. Interviews are conducted to obtain important information in a variety of contexts, including operational audits, compliance testing, and IT audits. Although interviews rarely, if ever, constitute sufficient audit evidence on which to base a conclusion, it is still important that internal auditors maintain their professional skepticism while conducting them. If an internal auditor allows a cognitive bias to impede his or her sense of professional skepticism in an interview, the quality of planning and of subsequent audit procedures is reduced. As a result, extra time is spent following up on unreliable information or, worse, important information is missed. Three biases, in particular, may affect internal auditors’ professional skepticism: truth bias, confirmation bias, and the halo effect.<br></p><h2>Truth Bias </h2><p>The assumption that others are telling the truth is necessary on a day-to-day basis to facilitate routine social interaction. If one tried to verify the truthfulness of every statement made by others, routine communication would grind to a halt. However, the tendency to believe others are providing truthful information may prevent internal auditors from employing appropriate levels of professional skepticism, which entails, at a minimum, a belief that sources of information are neither truthful nor untruthful. Truth bias has been documented repeatedly in deception detection research and seems to be a major factor limiting people’s ability to detect false statements in a variety of settings. The assumption of truthfulness is a common bias that may impede effective decision-making and, by extension, professional skepticism.</p><p>To combat truth bias, internal auditors should remain aware that the profession requires a questioning mind. By definition, truth bias involves a deficient use of questions and additional procedures just when they are needed most. When relying on information obtained in an interview, it is imperative that internal auditors ask themselves whether they employed a critical mindset in assessing the information they received, in posing follow-up questions, and in obtaining corroborating information. If not, then truth bias may have impeded professional skepticism (see “Description as Truth” below). The findings in Norah Dunbar’s, Artemio Ramirez Jr.’s, and Judee Burgoon’s Winter 2003 <em>Communication Reports</em> article, “The Effects of Participation on the Ability to Judge Deceit,” suggest that interviewers should work in pairs, with one interviewer performing the questioning, while the other member of the team observes. Dunbar and her co-authors find that the observer in such scenarios is better able to judge deceit on the part of the interviewee. </p><table cellspacing="0" class="ms-rteTable-4" style="width:100%;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p> <strong>​Description as Truth</strong><br> </p><p>During an internal audit team’s first day on site at a parts distribution center, it requests a walk-through of the facility to gain an understanding of the intake, storage, inventory, and shipment of parts. A floor manager walks the team members through the facility explaining and answering their questions about each process. Based on the floor manager’s explanations and answers, the team identifies the high-risk processes and develops testing procedures for those processes. On the third day of the visit, the auditors begin testing the inventory process and note that each test is failing. During the results validation meeting with the general manager, the team learns the inventory processes described by the floor manager were incorrect. Because the auditors accepted the floor manager’s description as the truth, they had to recreate and reperform the inventory testing. In hindsight, professional skepticism would dictate that the internal audit team had no basis on which to trust the floor manager’s explanations as credible. Before identifying high-risk processes and designing and carrying out tests, the team should have taken additional steps, such as corroborating the explanations with documented evidence of transactions. Asking themselves if they were comfortable basing several days of work solely on the explanations of one person who they had just met could have saved the team significant time and effort.<br></p></td></tr></tbody></table> <h2>Confirmation Bias</h2><p>When one seeks out or gives too much weight to information consistent with a specific belief, that is confirmation bias at work. It may influence questions asked and how the answers received during an interview are processed. Internal auditors conducting interviews can certainly fall victim to confirmation bias by seeking out information consistent with a specific belief during those interviews. Often, this involves seeking out information that processes are operating as they should. Confirmation bias has the potential to compromise an internal auditor’s professional skepticism by steering the auditor toward a particular conclusion, regardless of the facts. </p><p>In their June 2011 <em>Harvard Business Review</em> article, “The Big Idea: Before You Make That Big Decision…” Daniel Kahneman, Dan Lovallo, and Olivier Sibony suggest managers combat confirmation bias by asking teams that are making recommendations whether credible alternatives to their recommendations have been considered. Interviewers should engage in a similar process. </p><p>To combat confirmation bias in an interview setting, internal auditors should enter with a conscious openness to learning about or uncovering information that is inconsistent with their prior beliefs. After the interview, they should ask themselves whether they learned anything that was contrary to their prior beliefs and whether they missed any opportunities to ask follow-up questions that would have uncovered such information. In other words, as Kahneman and his co-authors recommend, consider credible alternatives. Such an approach is consistent with professional skepticism. If the auditor in the “Seeking Information as Confirmation” example on this page had entered, conducted, and reflected upon her interview with such an attitude, she would have been more likely to focus on the exception that was apparent in the business finance manager’s response.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>Seeking Information as Confirmation</strong></p><p>An inexperienced internal auditor meets with a business finance manager to understand how payments are received from clients and processed. In preparation for the interview, the auditor creates an agenda containing a list of questions. During the interview the auditor asks, “What do you do with checks you receive from clients?” The business finance manager replies, “I deposit most of the checks into the company account.” Without hesitation, the auditor asks the next question on the agenda. She likely has a bias toward finding that the checks are all deposited in the correct bank account. By ignoring the phrase “most of the checks,” the auditor fails to detect that the business finance manager is depositing some checks in inappropriate accounts. In fact, during the course of the audit, it becomes apparent that the finance manager and other persons are depositing some of the checks in their manager’s personal account for department parties and outings. The account owner and the persons making the deposits are ultimately terminated. By seeking out information consistent with what she knew should happen, the internal auditor who conducted the interview initially missed the fact that some checks were processed inappropriately, increasing the possibility that the audit could have missed this fact entirely.<br></p></td></tr></tbody></table><h2>The Halo Effect</h2><p>In the book <em>Thinking Fast and Slow,</em> author Daniel Kahneman describes the <em>halo effect</em> as the “tendency to like (or dislike) everything about a person — including things you have not observed.” Internal auditors should be aware of the biases created by the halo effect. If they like someone or view him or her favorably, they might tend to weigh their opinions and estimates on all topics more heavily than they should. On the other hand, if they do not like a person, they may have a bias in the opposite direction. Either way, they are checking their professional skepticism at the door.</p><p>Kahneman suggests fighting the biases created by the halo effect by verifying information using independent sources. In “The Weight of Credentials” example below, had the halo effect not compromised the auditors’ professional skepticism, they might have been able to corroborate the information provided by the gemologist with independent sources. Such sources should have included additional interviews, as well as documentation. By taking such steps, they could have identified the error instead of relying on the statements from someone perceived as having a halo. There were likely others involved in the processes described by the gemologist who could have discredited his statements. Although there is no guarantee the auditors would have detected the gemologist’s scheme if they had sought out independent sources, they certainly would have increased their chances of detecting information that would have prompted them to take additional steps to further investigate the processes.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>The Weight of Credentials </strong></p><p>An internal audit team was auditing the jewelry return process at a merchandise return center. When the team inquired about the smelting and gemstone procedures, it was referred to the director of jewelry, who also was a licensed gemologist. During the interview, the gemologist was knowledgeable, friendly, and eager to share everything that was working well and everything needing to be improved. As a result, the team viewed him quite favorably. Although some of his process descriptions did not make sense, the team members took the gemologist’s descriptions as accurate because he appeared happy they were there to help him fix all of his processes and, after all, he was a licensed gemologist. Nine months after the audit, the gemologist was arrested for selling gemstones to overseas buyers and depositing the money into his personal account. The auditors should have gathered additional evidence to corroborate the gemologist’s explanations about the jewelry return process, but they were blinded by his credentials and knowledge of jewels. They fell prey to the halo effect.<br></p></td></tr></tbody></table><h2>Knowledge Is Power</h2><p>There are several concrete steps auditors can take to fight the negative effects cognitive biases have on audit interviews. In addition to conducting interviews in pairs, auditors should ask follow-up questions. This can help auditors gain valuable information during interviews. Next, they should obtain corroborating interview evidence by speaking to multiple individuals separately, rather than relying on the sole verbal representations of one person. Finally, and most importantly, auditors should not rely only on evidence gained from interviews during audit planning or testing. They should obtain corroborating evidence by walking through transaction processes or by testing transactions using documented evidence. </p><p>Professional skepticism is vital to an internal auditor’s mindset, whether he or she is gathering initial information to plan an audit or concluding on audit findings. Cognitive biases — such as truth bias, confirmation bias, and the halo effect — can compromise an internal auditor’s professional skepticism. When this happens, it can lead to an overreliance on oral evidence, misinterpretation of answers received during audit interviews, and failed audits. Being aware of cognitive biases and the importance of professional skepticism can help internal auditors guard against these outcomes. <br></p> <style> p.p1 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { font:8.0px Interstate; } </style> <p> <strong>Cliff Nuxoll, CIA, CFE, ACDA,</strong><em> internal audit manager at Arthur J. Gallagher and Co. in Rolling Meadow, Ill., contributed to this article. </em><br></p>Chih-Chen Lee1
From Emerging to Leaderhttps://iaonline.theiia.org/2019/Pages/From-Emerging-to-Leader.aspxFrom Emerging to Leader<h2>How has your career advanced since becoming an Emerging Leader?<br></h2><p><strong>Bordelon</strong> Since being recognized as an Emerging Leader in 2014, I have received multiple promotions. I’m now an associate director at my firm. I’m still at the same great firm 14 years after starting as an intern in 2005. I also have expanded my family and have a four-year-old son and a two-year-old daughter. Trying to set a good example for them and show them that I have a job that I love and can excel at while also being present and visible for them is a daily goal.<br></p><p><strong>Rusate</strong> Since 2017, I have further developed myself professionally by obtaining my Certified Internal Auditor, Certification in Risk Management Assurance, and Certified Information Systems Auditor designations. Working for my current employer has given me the opportunity to advance my skills, while working alongside industry experts, in an environment that openly promotes and rewards individuals for professional development. <br></p><h2>What is your advice for new internal auditors? </h2><p><strong><img src="/2019/PublishingImages/Alex-Rusate.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Rusate</strong> Never stop learning. You can always obtain more knowledge through certifications, internal business processes, industry level knowledge, etc. I have pursued a variety of internal audit skill sets because I expect that the internal auditor of the future will need to have a strong background in financial, operational, IT, and regulatory matters to keep relevant in the evolving business landscape. New technology, such as intelligent automation, will help scale down the tedious tasks that consume auditors’ time and allow them to work on more sophisticated matters that require a higher skill set. </p><p><strong>Bordelon</strong> Don’t overlook the soft skills of listening, being friendly and respectful, asking questions, having a strong work ethic, etc. You can learn the hard skills through research and on-the-job training, but you often cannot teach soft skills. These are usually the distinguishing characteristics between leaders and the status quo.<br></p><h2>What skills have helped you most in your career?</h2><p><strong><img src="/2019/PublishingImages/Leslie-Bordelon.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Bordelon</strong> Maintaining a positive outlook/disposition regardless of the project, client temperament, location — travel or not — or circumstance has been an essential skill that has helped me in my career. I try to look at all situations in a positive light and see all projects as an opportunity to add one more arrow to my quiver of skills. Having this outlook has helped me when deadlines are tough or I’m traveling away from my family. Another skill that has helped me is flexibility. I’m a planner by nature and love to know what I’m working on for the next week, year, or even five years. Being a consultant in internal audit has challenged me in that area as my schedule/work commitments change almost daily. Trying to go with the flow and be flexible has been a skill that I’ve had to develop over time, but one that has served me well in my career. </p><p><strong>Rusate</strong> Thinking critically and taking on new challenges with enthusiasm are two traits that have helped me most in my career. Thinking critically has helped me when I have identified opportunities for improvement for unaddressed risks during walkthroughs and testing, and not simply taking management’s explanation at face value. Typically, management will know significantly more about a process than you; however, when you combine critical thinking with your holistic knowledge of the company, you can identify risks and opportunities for improvement. Taking on new challenges, such as auditing areas not traditionally reviewed or subject matter that I do not have experience with, has helped to enhance my career. When encountering these situations, I make sure that I have or develop the skills needed to conduct the engagement before accepting it in accordance with IIA Standard 1210: Proficiency. When you have the ability to identify risks, discover process improvements, and step up to address engagements that are important to the chief audit executive, management, or the board, it helps make you a trusted advisor.<br></p><h2>What has been your most satisfying moment as an internal auditor?</h2><p><strong>Rusate</strong> My most satisfying moment was when the global controller reached out to the internal audit team to ask that we help at an advisory level to investigate a potential accounting issue at a manufacturing plant. The figures were not consistent with management’s expectation or the fiscal performance of the other manufacturing plants, and management did not have resources available to look into the irregularity. I was assigned to the engagement and was able to determine the root cause of the issue — the implementation of a new ERP system the previous year. Identifying the root cause enabled management to implement corrective actions that led to the company having increased profitability from that plant on a consistent basis. </p><p><strong>Bordelon</strong> I worked on a project last year with a very tight deadline, a mountain of work, and a good bit of travel. I had a team of all stars, and we worked together to accomplish more than anyone thought possible in such a short period. In fact, we not only completed the project on time, but delivered extra value in many ways and built some great friendships and bonds along the way. It’s a project that I won’t soon forget.</p><h2>What frustrates you most in your work?</h2><p><strong>Bordelon</strong> I get frustrated with the negative connotation some people have regarding Sarbanes-Oxley work. I think that work is a fantastic way to learn all aspects of a company, build relationships with clients, and expand your knowledge of an industry. Sarbanes-Oxley work has been invaluable in my career and has afforded me the ability to work on both my hard and soft skills.</p><p><strong>Rusate</strong> A challenge in the profession is working with engagement contacts to make sure you maintain a good balance between achieving audit deliverable dates while still being cognizant of their day-to-day responsibilities. Maintaining a mutually respectful relationship with the engagement contacts will help ensure the audit is received in a positive manner and ensure the sustainability of effective audits going forward. <br></p><h2>Why do you stay in the profession? </h2><p><strong>Rusate</strong> I stay in the profession because of the diversity of the subject matter, growth opportunities, and the ability to add value across the entire organization. This profession allows me to gain exposure to functions across businesses, which then enables me to more accurately identify key risks within processes. Furthermore, internal auditing is growing faster than most other professions, according to the U.S. Bureau of Labor Statistics. As reported in the last issuance of the bureau’s Occupational Outlook Handbook, employment for internal audit professionals will grow 10% from 2016 to 2026, faster than the 7% national projected average for all occupations. The main reason I stay in the profession is to add value to the organization. Whether it be through identifying risk and working with management to mitigate it down to an acceptable level or identifying process improvement opportunities that drive revenue or cut costs, those are some of the most rewarding aspects of the profession. </p><p><strong>Bordelon</strong> I stay in the profession because I enjoy the mentoring that my job enables me to participate in and being able to help my clients solve problems and achieve their goals. My colleagues, teams, and mentors are an extension of my family, and I truly feel valued and appreciated in my company and by my clients. </p><p>I’m also excited about the future of internal auditing. As companies start to embrace new technologies such as machine learning and robotic process automation, internal audit teams have to really rethink how they approach their work. Adopting more agile practices and understanding both the opportunities and the risks presented by these technologies will put next-generation auditing in a great position to help companies transform their businesses. I’m really looking forward to being a part of that process.  <br></p>Staff1
Communication Skills for Successhttps://iaonline.theiia.org/2019/Pages/Communication-Skills-for-Success.aspxCommunication Skills for Success<p>After gaining years of internal audit experience, associate internal auditors may be promoted to senior internal auditor. Internal audit management may recognize the auditor’s professional growth and want to encourage continued development. </p><p>Senior internal auditors are responsible for leading audits across the organization while working with associate internal auditors on various audit projects. Through many years’ experience, senior auditors have had extensive opportunities to hone internal audit-specific skills, such as testing, workpaper execution, and audit report writing. <br></p><p>New senior auditors may not have experience in the area of developing and coaching  the individuals on their audit project team. And while senior auditors may have strategies for teaching internal audit practices and processes, they might not possess the skills that help develop a well-rounded associate auditor. Therefore, it is the senior auditor’s responsibility to not only understand what promotes the professional growth of associate auditors, but also the strategies for effectively teaching the skills that ensure success. How the skills are taught often impacts the ability to grasp new internal audit concepts and processes. </p><p>Three key communication skills for new senior auditors to master are language selection and usage that encourages learning and growth, demonstrating strong communication skills to strengthen the skills of the team, and facilitating strategic communications through business partnerships. These skills cover the various interactions internal auditors experience daily.</p><h2>1. Language Selection</h2><p>A senior auditor’s word selection, tone, and inflection can make a tremendous difference in the effectiveness of communication. One area in particular is providing constructive feedback. Such feedback, while both well-intentioned and important, may not be well-received because of the inflection and tone of voice. Some associates may be able to hear the message through the inflection and tone, but others may focus solely on it, and completely miss the objective of the message. </p><p>To assess the associate auditor’s understanding when explaining an internal audit concept, the senior auditor might ask, “Does that make sense?” versus “Are we okay?” or “Are we good?” This makes a difference in determining progress and encouraging discussion. While it may be well-meaning, “Does that make sense?” is phrased in such a way that might not permit feedback (and if it does, is focused on the topic being taught). “Are we okay?” can open dialogue for the associate auditor to ask questions, as well as voice concerns. Using “we” indicates that the learning process involves both the internal audit senior and associate. This phrasing can sometimes encourage a broader conversation, rather than solely confirming a successful transfer of knowledge. </p><p>Simple changes in wording can have a huge impact on the team’s morale and skill development, especially because associate auditors may have varying professional backgrounds and different learning styles. Word choice, tone, and inflection can help reinforce the meaning of one’s message and encourages professional and productive discussions.</p><h2>2. Demonstrating Communication Skills</h2><p>When a senior auditor thoughtfully considers language, and makes necessary changes in phrasing and tone to best support the team, it is appropriate to then demonstrate his or her communication skills. As senior auditors work with a variety of stakeholders, they should consider their written and oral communications.  </p><p><strong>Written Communication</strong> New associate auditors who are learning the internal audit department culture will undoubtedly copy the communication style of their leaders; therefore, it is critical to reflect upon one’s own written communication and replace bad communication habits with a strong communication style. After all, one cannot hold associate auditors to a high communication standard if senior auditors are not modeling appropriate communication skills, themselves. From time to time, jargon is used in memorandums and emails are sent lacking punctuation, grammar, or spelling. Associate auditors are included in correspondence, so professional language and communication should be used in all interactions. Even if it takes a few extra minutes, senior auditors should proofread written communication. <br></p><p><strong>Oral Communication</strong> Exposing associates to various learning experiences is important; however, careful planning by the senior auditor is necessary to set up the individual and team for success. For example, if an associate auditor has never presented in front of audit client management, why have him or her present for the first time at the closing meeting, which may be more sensitive than the opening meeting? The associate may be successful, but chances are, without experience, he or she will flounder. Such unplanned approaches to training decrease team morale, and send a message to the audit client that internal audit is not a supportive and growth-focused department. A planned and intentional approach to communication training sends a message that the senior auditor cares not only about the success of the audit, but the associates, too. <br></p><h2>3. Strategic Communication </h2><p>Strong business partnering relationships are often built in informal ways, whether that be a walk around the office during lunch, a short coffee break, or by dropping by someone’s office. Chances are that at one time or another, a leader within the internal audit department has included the recently promoted senior auditor in such opportunities. By including associates in such interactions, it helps them build their own network and demonstrates the way in which to build their own relationships with leaders throughout the enterprise. This can help improve the image and reputation of the internal audit department within the organization.</p><p>Senior auditors also can help facilitate opportunities for communication skill improvement among associate auditors through the presentation of technical skills. Associate auditors may have professional and educational backgrounds in areas outside of the department under review, but possess specialized skills in subjects such as predictive modeling and project management. These skills are not only valuable in their application within the internal audit role, but they are also useful across the enterprise. When appropriate, senior auditors can initiate the conversation among business management about the possibility of a workshop or webinar, for example, and encourage the associate auditor to share his or her expertise with audit clients. </p><h2>Fostering Success </h2><p>Being promoted from associate internal auditor to senior internal auditor is reason to celebrate one’s professional accomplishments. However, with such promotion comes increased responsibility. And to foster further success, it is necessary to implement the communication skills that will progress one’s own professional development, as well as help improve the skills of emerging talent within the internal audit department. <br></p>Christine Hogan Hayes1

  • AuditBoard_Jan 2020_Premium 1
  • IIA Integrated BOY_Jan 2020_Premium 2
  • IIA GAM_Jan 2020_Premium 3