COSO Appoints New Chairman Appoints New Chairman<p><span style="font-size:12px;">The Committee of Sponsoring Organizations of the Treadway Commission (COSO) </span><span style="font-size:12px;">named Paul Sobel, vice president and chief audit executive at Georgia-Pacific LLC, as its new chairman. His appointment to a three-year term is effective Feb. 1.</span></p><p>Sobel is recognized as an expert on governance, enterprise risk management, compliance, and internal control. He was selected for the​ position because of his extensive background along with his experience in corporate environments and professional service firms, according to COSO. He succeeds Robert Hirth, who​ served as COSO chairman since 2013. </p><p>In addition to leading audit functions at four large companies, Sobel has held leadership roles as chairman of the Global Board for The IIA and as chairman of an audit committee for a privately held company. He also served as editor of <em>Internal Auditor</em> magazine's "Risk Watch" column from 2008 to 2017.</p><p>"It is an honor and privilege to be ​selected as COSO's new chairman," Sobel says. "I have been actively involved in the latest developments with the committee to help organizations across the globe improve their risk management, governance, and controls in our collective effort to deter corporate fraud."</p><p>Sobel was chosen from a group of more than a dozen applicants after a rigorous selection process.</p><p>"Paul is an exemplary leader with a strong vision," said COSO Lead Director and IIA President and CEO Richard F. Chambers. "I, along with the Board, strongly believe that he is well-qualified to further COSO's important mission." </p><p>Sobel also is a longtime volunteer with The IIA. In addition to serving as global chairman in 2013–2014, he was president of the Internal Audit Foundation, program chair for The IIA's International Conference in 2010 and 2013, and The IIA's representative on the Pathways Commission, which developed recommendations to enhance the future of accounting education in the United States.​</p>Staff0
Getting the Word Out the Word Out<p><span style="font-size:12px;">​As new risks and compliance requirements emerge, management and the board have never needed more assurance about the way they're managing risk than they do now. And while internal audit has a vital role to play in providing that assurance, management and key stakeholders are often unaware of the breadth of knowledge, skills, and experience audit practitioners have, placing the function at risk of underutilization. If internal audit is to thrive, it needs to step up and improve its profile and sell itself to the board and management. In part that means chief audit executives (CAEs) need to develop their marketing skills, but it also entails developing a reputation for solid performance and reliability.​</span><br></p><h2>Laying the Groundwork</h2><p>The first step, says Seth Peterson, internal audit manager at The First National Bank in Sioux Falls, is to make sure that internal audit can deliver what it says it is going to deliver. This, he says, is the groundwork needed to market the function. "If you are trying to build up trust within the organization, don't make promises you can't keep about work you can't do with resources, skills, expertise, or experience that you don't have — you set yourself up for failure and damage your credibility," he says.</p><p>Peterson, a past <em>Internal Auditor</em> Emerging Leaders honoree, notes that if the function wants to raise its profile, it is important that internal audit understands the needs of the organization, and aligns its focus to ensure that it is providing assurance on the key risks underpinning the business strategy and objectives. "If you can't align your audit coverage with the key risks facing the strategic objectives of the business, you will have a difficult time showcasing your value to management," he says.</p><p>He adds that demonstrating internal audit's proven track record is also useful when building relationships with management. "It's great if you can show that internal audit has been successful not only in providing objective assurance, but in providing efficiency recommendations, saving the business unit time or money, and aligning with strategic objectives."</p><p>Liz Sandwith, chief professional practices adviser at the U.K.'s Chartered Institute of Internal Auditors and a former head of audit, says that chief audit executives need to ensure internal audit delivers the level of assurance it is meant to on the audit plan before it tries to get involved in other areas. "Pitching for or responding to requests for additional work is only going to be successful if internal audit is already recognized as a function that is a center of excellence that produces quality work," she says. "If it isn't, then chief audit executives are going to have an uphill struggle trying to convince key stakeholders like the CFO that they should be involved in other projects."</p><p>Sandwith also says that before asking to be involved in other projects, internal audit needs to do its research. "Turning up and asking the CFO 'Is there anything we can help with?' is pointless, disrespectful, frustrating, and time wasting for a key internal audit stakeholder," she explains. "You need to do your homework and assess what the key risks might be for the organization if it pursues particular strategies or courses of action. You need to present key stakeholders with details about what role internal audit could play in the life cycle of existing or planned projects, and what the potential impact could be of its involvement — increased assurance, more robust control, improved efficiencies and procedures, better value for money, improved flow of management information, and so on. If you don't know fully what the organization is trying to achieve, how can you help?"</p><p>One of the mistakes that CAEs make when trying to raise the profile of the function (and themselves) is that they can become arrogant, Sandwith says. "Don't ever think that you know the business better than management simply because internal audit reviews the organization's key risks," she advises. "Internal audit's job is to help management make better-informed decisions — not to tell them what to do. You won't get very far trying to influence management if you think you are better than them."​</p><h2>Networking a​nd Offering Solutions</h2><p>Marbelio Villatoro, internal audit manager at aerospace and defense contractor Raytheon Co., says that soft skills are essential when trying to market internal audit. "Chief audit executives need to network within the organization if they want to raise the profile of the function and tell people about the contribution that internal audit can make," he says. "They need to make themselves visible and amenable, and it means spending time visiting and talking to other departmental heads about what they are doing and suggesting ways — however minor — that internal audit could help out."</p><p>Villatoro, also ​​recognized as an <em>Internal Auditor</em> Emerging Leader, says that internal audit needs to understand its limits, realizing the scope of activities it can perform and expertise it possesses. Nonetheless, he points out, internal auditors can still be part of the solution. "If internal audit can't help, for example, perhaps we can recommend people that can — either within or outside the business," he says. "If the organization needs to use a third-party consultant, perhaps we can make recommendations about the scope of the engagement and its budget, or how to get the most out of their expertise. Being proactive and always offering solutions is a key way for internal audit to make a great impression within the business."​</p><h2>Communication</h2><p>Good communication skills are also important. Dominique Vincenti, vice president of Internal Audit at Nordstrom in Seattle, says that CAEs need to effectively communicate what internal audit's role and skills are throughout the organization. </p><p>"People need to understand what internal audit does and the skills it has to offer, so it is the job of chief audit executives to communicate with them to make sure they understand the breadth of skills, experience, and expertise that the internal audit department has, as well as the success rate it has achieved," Vincenti says. "It is also very important that internal audit quantifies its success, and that it spells out the value that its involvement has resulted in."</p><p>Vincenti says that a simple way of improving marketing skills is to go and ask the organization's head of marketing for tips. "Talk to the marketing department — they are the professionals," she advises. "People are often more willing than not to share advice and their expertise if they think you are genuinely interested in getting their help, so go and pay the head of marketing a visit."</p>Neil Hodge1
The Dollar Value of Error-seeking Audits Dollar Value of Error-seeking Audits<p>​A​ttention to the risk of significant errors and fraud is a recurring theme throughout The IIA’s International Professional Practices Framework. For example, under mandatory Attribute Standard 1220.A1, internal auditors must exercise due professional care by considering the “probability of significant errors, fraud, or noncompliance.” </p><p>In the public and private sectors, errors that slip through normal business cycles are likely unintentional. Fraud is defined in the <em>Standards</em> Glossary as, “Any illegal act characterized by deceit, concealment, or violation of trust” and therefore entails intentionality on the part of the wrongdoer. The dichotomy between what is an unintentional error and what is an intentional fraud may not always be clear cut. </p><p>Some audit methods seem better suited to finding errors and fraud than others. Audit methods that rely on representations by management, and by which auditors gain confirmation that controls have operated as intended — such as interviews, control self-assessment checklists, walk-through tests, transaction sampling, and analytical review of reasonableness — can be vulnerable to confirmation bias. Such conclusions could be uncontroversial, but risk internal audit’s reputation if significant errors or fraud come to light at a later date. </p><p>Error and fraud can be further obscured by insufficiently negotiated remedial actions at closing meetings with audit clients (see <a href="/2017/Pages/When-Recommendations-Go-Unaddressed.aspx">“When Recommendations Go Unaddressed”</a>). Experience over many years suggests the timely completion of agreed-on actions sometimes linger unfinished, or are implemented less diligently than what internal audit intended. It follows that confirmation bias in fieldwork, combined with under-negotiated and then poorly implemented remedial actions, can conspire to hide the possible existence of significant errors and fraud, which occur more frequently than might be expected. One way to minimize the risk of providing false assurance and boost internal audit’s value to the board is to search for the very errors internal controls are intended to prevent.</p><h2>Looking for Errors</h2><p>Pursuing significant error and fraud requires hypothesizing about what potentially could occur. Ideally, this is done by harnessing multi-industry experience and creative thinking — starting with the worst conceivable scenarios — and then planning audit fieldwork with the foreknowledge that actual findings may differ from what was hypothesized.</p><p>Error detection methods include:</p><ul><li>Cross-matching data that is not normally matched, such as cell phone metadata and building access data. <br></li><li>Using data mining. <br></li><li>Using Benford’s Law to highlight unusual transaction deviations.<br></li><li>Interrogating email content.<br></li><li>Listening to personnel who may be willing to divulge information about how controls have been bypassed.<br></li></ul><p><br></p><p>Internal audit has an edge in that it normally has data mining tools at its fingertips; a network of trusted contacts across the organization who can be valuable sources of information; and a wide view of end-to-end processes; whereas, many employees are limited to the restricted perspective of their own department. By leveraging these advantages, internal audit can see what may be invisible to others.</p><p>It is easier to persuade management of the impact of a weak control if an actual error with a quantifiable impact is found as compared to surmising about an unproven control failure with the potential to cause a negative financial impact. Internal audit has a strong argument for process improvement and management has a weakened defense if an actual error or multiple errors are tabled for discussion at the closing meeting. </p><p>Through hypothesizing error and fraud scenarios in our audit planning across various organizations, my internal audit team has been able to boost its reputation for findings that translated into fast management responses, material dollar recoveries, and, in more than a few cases, personnel changes that were long overdue.</p><p><strong>Case No. 1.</strong> By seeking deposit limit exceedances, internal audit found £75 million (US$99 million) in treasury deposits at a British infrastructure services company intended to maximize bank interest, but that significantly exceeded board-approved deposit limits with those financial institutions. Management had elevated its own self-interest in maximizing revenue-based personal bonuses while circumventing the board’s risk appetite. Management self-interest has been a frequently observed bias that has come to light in error-seeking audits. <br></p><p><strong>Case No. 2.</strong> Internal auditors found AU$60 million (US$47 million) in a single bank account at an Australian transport company earning zero interest, owing to management’s inattention to value-for-money. The board agreed the money should have been invested at low risk across several institutions for interest earnings of at least AU$900,000 (US$705,000) per year. In both Case No. 1 and Case No. 2, the lack of a treasury report concealed from the board how funds in treasury were stewarded, resulting in the discovery of material cash held in the wrong places. <br></p><p><strong>Case No. 3.</strong> By constructing numerous error hypotheses before and during fieldwork, internal audit found £8 million (US$10.5 million) in erroneous overcharges by maintenance subcontractors of a British engineering company. There were approximately 50 separate error and fraud findings hidden in aggregated lump-sum claims for payment that client management had signed off with inadequate due diligence checks before payment approval. Although multiple management sign-offs had occurred up to the CEO, each had assumed the manager below had performed detailed checks on the subcontractor charges. Once internal audit quantified the overcharges, nearly all were recoverable without any need for lawyers. A surprise dividend arising from this audit was that when the engineering company’s CEO was subsequently promoted to a more senior CEO position at a larger firm, he took the chief audit executive (CAE) with him. <br></p><p><strong>Case No. 4.</strong> When reviewing the general ledger for unmanaged assets, £4 million (US$5.3 million) in overdue, uncollected debt was found at the British subsidiary of a U.S. parent company. The debt had escaped credit control’s attention as it was from nonroutine customers that fell outside normal business, therefore bypassing routine debtors reporting. Yet 50 percent remained collectible, resulting in a £2 million (US$2.6 million) windfall cash inflow and a cleaner balance sheet. <br></p><p><strong>Case No. 5.</strong> Accounts payable had failed to detect AU$2 million (US$1.6 million) in duplicate payments to suppliers across different clients in retail, transportation, government, and engineering. Although the accounts payable systems were capable of detecting the duplicates before payment, unbeknownst to senior management, those system warnings had been switched off or were ignored by local supervisors. Internal audit used its knowledge of the controls that should have been in place to independently perform data mining checks specifically targeting undetected duplicates. To our surprise, dozens were found. Management recovered the overpaid amounts from the suppliers and switched back on the inbuilt accounts payable system controls. <br></p><p><strong>Case No. 6.</strong> Internal auditors uncovered AU$1 million (US$788,000) in fraudulent sick leave and unrecorded annual leave by employees of an Australian transport company by hypothesizing that vacation fraud was possible and seeking errors through cross-matching payroll data to cell phone usage, vehicle usage, and building entry data. At first, management tried to argue that internal audit had breached privacy regulations by analyzing the whereabouts of employees. But the CAE proved that use of the organization’s own telecommunications metadata to investigate employee whereabouts during work hours was allowable under local privacy regulations. The audit concluded not only that employee culture was in need of repair, but also that the supervisory culture was abysmal, resulting in several management changes. This impacted favorably on workforce productivity, balance sheet leave liabilities, and overtime costs, which had been incurred as a direct result of employees taking false leave over many years. <br></p><p><strong>Case No. 7.</strong> In a case reflecting significant error and fraud, internal audit found motor vehicle usage policies that were poorly written and weakly applied at two separate companies. Moreover, the outside leasing companies had stacked risks and rewards of lease charges in their own favor. As a result, motor vehicles were being used fraudulently for nonbusiness purposes, the parent organizations were unaware of driver license cancellations because of nonexistent driver declarations, vehicle accident rates were worsening with consequent increases in insurance premiums because of unchecked driving records, and the leasing companies were charging unwarranted end-of-lease penalties. Although the companies could not recover past costs, they each avoided AU$1 million (US$780,000) in annual future costs through policy and control improvements resulting from the audit. </p><p><strong>Case No. 8.</strong> Sometimes error and fraud come to light through internal audit’s network of contacts. A vague but critical tip-off from a concerned staff member disclosed that the chief financial officer (CFO) shared proprietary board information with an IT firm bidding on multimillion-dollar contracts, and that the CFO was a director and shareholder of that IT firm. Audit confirmed the related-party connection with the securities regulator, and then used its charter access rights to study the CFO’s emails and cell phone records to verify the passing of proprietary information. In doing so, new, unexpected wrongdoings also came to light. The company terminated the CFO, fixed its conflict of interest procedure, recovered some historic costs, and stopped multimillion-dollar future overspend. <br></p><p>These cases illustrate the diversity of policy, risk management, system, procedural, and contractual failings that are discoverable through seeking significant errors and fraud when planning and executing audits. <br></p><h2>Compelling Evidence</h2><p>Appreciation of internal audit’s role and reputation as the board’s champion improved noticeably across the organizations when hard-to-dispute evidence of material error was tabled for discussion. Remedial actions followed quickly. Often, before the audit report was issued, controls were improved, costs were recovered, future costs were avoided, and — in the worst cases — offenders moved on.</p><p>Boards prefer it when errors are discovered early through internal audit’s error-seeking vigilance rather than after the event by public whistleblowing, external audit, regulators, or the media. Even if an error-seeking methodology finds no wrongdoing, that in itself is a strong, albeit not absolute, form of assurance on the effectiveness of controls. ​</p>Christopher Kelly1
Are You Auditing by Email? You Auditing by Email?<p>​Technology has expanded internal audit's reach considerably in recent years. With the advent of sophisticated analysis and communication tools, practitioners can now gather and examine data without ever leaving the comfort of their office — a process sometimes referred to as "auditing by email." But internal audit needs to be careful with technology,​ despite its convenience and capabilities, ensuring the tools do not lead to a cessation of fieldwork. Auditors who hide away in their offices and perform work from afar risk missing potentially key insights and communication opportunities.</p><p>In the past, nearly all operational engagements required physical visits to examine source documentation. Site walkthroughs and client face time were assumed — in fact, on-site activity often comprised a large proportion of engagement schedules. Today, many auditors can extract transactional data directly from enterprise resource planning systems and get all the information they need remotely. The transition to electronic data has made retrieval of original documents a less time-consuming and arduous process. </p><p>Nonetheless, internal auditors need to ensure the technology does not, in some ways, work against them. Communication is key, and it is more likely to occur regularly with internal audit staff available on-site. Ongoing communication helps the audit team understand the client's business, build relationships, and improve the design of audit procedures. Plus, it reduces the possibility of blindsiding clients with unexpected news. </p><p>Removing client interaction and physical presence on engagements can deprive internal audit of potentially valuable information. Without the auditors' eyes and ears on site, it can be much more difficult to obtain sufficient understanding of the internal control environment or help identify key risks that may threaten organizational success. The lack of presence also presents a challenge to consulting work, making the role of trusted advisor difficult to achieve.</p><p>Spending time on-site allows the audit team to better tailor its work to individual circumstances. When practitioners move through the organization and physically observe the client's environment, they can adjust the audit program more easily as new information becomes known. These adjustments, in turn, provide greater value to the client, and to the organization as a whole. </p><p>High-performing businesses need to stay focused on customers and their needs. By the same token, high-performing audit functions must be attuned to the needs of stakeholders — a task often best accomplished in person. Practitioners should avoid relinquishing their client interactions to technology and remember that the audit process is as much about building relationships as it is about individual effort. Great auditors not only excel at analysis and assessments — they also know when to close their laptops and step out into the real world.</p>Mark Ledman1
When Recommendations Go Unaddressed Recommendations Go Unaddressed<p>​The situation: An internal auditor makes a series of recommendations to an internal audit client, who refuses to implement one of the recommendations or address the finding.</p><p>The internal auditor’s view: The recommendation covers an important point. Her supervisor agrees that the risk of not implementing the corrective action or addressing it would be significant for the organization.</p><p>The client’s perspective: He con​curs with the finding, but believes the corrective action would take too much time and use too many resources.</p><p>The outcome: After several unsuccessful attempts to persuade the client of the validity of the recommendation, the issue is elevated to the CEO. Lacking resolution with that step, the recommendation is sent to the audit committee. The internal auditor and her chief audit executive (CAE) attend the audit committee meeting to discuss the recommendation, gaining support from the committee and the chief financial officer. The issue is resolved (ideally, the client attends the audit committee meeting and hears the committee’s decision directly, but if that is not possible, the audit committee minutes can be used to inform the client) and a cordial working relationship continues.</p><p>Although the details of this scenario may vary, it likely describes a situation that is all too familiar to most internal auditors. The recommendations the internal auditor presents may not always be welcomed or feasible, but making those recommendations is integral to internal audit’s role. That role, as Michael Levy, director of internal audit at Student Transportation Inc. in Wall, N.J., describes it, is “to spotlight issues and ensure that the appropriate people are aware and informed.” </p><p>But raising awareness and sharing information do not always produce the needed results. An audit client may decline to implement even the most well-researched and clearly explained recommendation, leaving risks that may affect the organization’s ability to achieve objectives unmitigated. When this happens, Standard 2600: Communicating the Acceptance of the Risk directs the CAE to discuss the matter with senior management or elevate the issue to the board, if necessary. </p><h2>What’s Behind the “No”?</h2><p>As with many instances, when two parties fail to see eye to eye, inadequate or flawed communication may be to blame. In the case of unaddressed recommendations, perhaps the internal auditors did not fully explain the value of a recommendation, or they did not adequately define what “recommendation” means within the organization’s culture, or they did not describe the potential consequences of failure to implement the recommendation.</p><p>Or, perhaps it is not a case of inadequate communication, but too much of it. “Many times, auditors tend to include every detail of the audit in the report,” Levy says. “I find that executive management and the board are no longer looking for the ‘novel’ version of reports that has become common over the years.” Internal auditors must focus on creating well-organized reports that stick to the point, covering what the reader needs to know, not everything the auditor knows. Each recommendation should be supported by a full description of the related risk, which will help establish the importance of the recommendation and the potential implications if it is left unaddressed. </p><p>Kevin Alvero, senior vice president of internal audit at Nielsen in Tampa, Fla., recommends using a categorization approach to clarify communication with the client. “If you clearly categorize recommendations based on risk (high, medium, low), you greatly reduce the chances that the most important ones will go unaddressed,” he explains. “I think that is very intuitive to people: They understand that if they don’t address the high-priority recommendations, there is a risk of that issue going forward.” In an annual audit process, recommendations that appear multiple times may move to a higher risk category — a signal to management about their importance relevant to risk.</p><p>At Principal Financial Group in Des Moines, Iowa, Cindy Bolton, audit director, reports that implementation of an enterprise risk management framework has encouraged communication around risk and risk metrics by the chief risk officer (CRO) and all the risk officers throughout the business. “We have a lot of discussion about risk and controls from the second and third lines of defense, as well,” she adds, “and a lot of time working in partnership with the second line, so the message to the first line is one continuous stream.”</p><p>Besides communication, another possible reason for nonimplementation relates to resources. The benefits to be derived from the recommendation may not justify its cost, in the eyes of the client. Or the drain on other, nonfinancial resources may be prohibitive (although, if the recommendations are focused on issues that exceed the organization’s established risk tolerance, this should justify adding resources). Auditors have a responsibility to understand the business well enough to be aware of the financial impact of the recommendations they are making. “Otherwise,” Alvero says, “they are not fully serving the needs of the client.”</p><p>When building an understanding of an issue that will be included in the audit report, internal auditors need to consider the cost, impact, and significance related to the issue. This enables the auditor to balance the high cost to remedy and the possible low impact and likelihood of misstatement the issue may potentially have. Although the internal auditor should definitely take the lead in these considerations, it should not be a solitary exercise. The client should play an active role.</p><p>Avoiding the cost-benefit objection can be as simple as discussing with the client the feasibility of various approaches and devising a management action plan in conjunction with management. When those discussions are held, the result “is not ‘internal audit recommends and management responds,’” Bolton says. “Management is already involved.” </p><p>If the cost of a recommendation is unknown, an approach might be to divide it into two parts: management researching the cost of possible solutions and internal audit determining whether these solutions adequately address the recommendation. This enables progress to be made, rather than hitting a brick wall of “no” the minute the cost is considered. Another workaround for expensive recommendations is for internal audit to make additional recommendations (such as extra reviews and quality reviews) to satisfy them. </p><p>“Developing recommendations is one of the areas where we, as a profession, have an opportunity to act as consultants and not only add value directly to the organization, but also to our stakeholders,” Levy notes. “Many times, when recommendations are developed in a vacuum, without management’s input, the desired outcome is not reached.”</p><p>Communication and resources are not the only roadblocks to implementing recommendations. Kevin Patton, director of internal audit at The Ohio State University in Columbus, points out that a client’s adoption of a recommendation may be affected by changes to existing information systems or implementation of new information systems, which often take longer than estimated. “System issues seem to take more time to resolve than other comments, such as financial and operational,” Patton explains. “In those cases, we ask the unit how they are mitigating the risk and get an understanding of their processes.” In some companies, moving to a new platform could make a recommendation obsolete, causing management to decide a short-term fix is not worth the cost. As with costly recommendations, the auditor should understand the business well enough to be aware of systems plans before making a related recommendation.</p><p>Other possible situations that may affect the client’s willingness or ability to implement a recommendation include a change in business strategy, loss of staff or changes in staffing, or competing priorities in the client’s area. Ongoing communication with clients is critical to internal audit’s effectiveness in such circumstances. It will help ensure that the internal auditor is informed on the client’s issues and can function as a partner in addressing them. </p><h2>The Fine Art of Follow-up </h2><table class="ms-rteTable-default" cellspacing="0" width="100%"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​To read the Practice Guide, Audit Reports: Communicating Assurance Engagement Results, visit <a class="vglnk" href="" rel="nofollow" target="_blank"></a></td></tr></tbody></table><p>IIA Standard 2500: Monitoring Progress states that the CAE “must establish and maintain a system to monitor the disposition of results communicated to management.” Item 2500.A1 speaks of the CAE’s responsibility to establish a follow-up process to monitor and ensure that management actions have been implemented or senior management has accepted the risk of not doing so. Item 2500.C1 specifies that it is internal audit’s responsibility to monitor (to​ the extent agreed with the client) the disposition of results of consulting engagements.</p><p>Whatever the reason for failure to implement internal audit recommendations, that failure has the potential to expose the organization to risk. Therefore, internal audit has a distinct role in monitoring whether management implements the controls it agreed to. While the size and nature of the risk will influence the type and amount of follow-up activity, Following Up Recommendations/Management Actions, a 2016 paper from the U.K.’s Chartered Institute of Internal Auditors, outlines general post-recommendation activities that need to be made clear to the client before the audit:</p><ul><li>How outstanding recommendations/management actions will be tracked. <br></li><li>How resolutions will be reported and validated. <br></li><li>What follow-up action might be needed. <br></li><li>How this will be carried out to provide assurance that identified risks are being addressed appropriately.<br></li></ul><p> <br> </p><p>Warren Hersh, auditor general at New Jersey Transit in Newark, says a robust follow-up process must begin with the establishment of the department’s verification philosophy, which generally will follow one of two approaches: 1) actually performing a follow-up audit, testing to verify that corrective actions have been implemented; or 2) accepting the representation of management on the status of corrective actions. In Hersh’s experience, following the first approach takes significant resources and focus. His current department uses the second approach, with one variation. “If we have an audit that has significant findings that impact the key risks faced by the department, in addition to reporting to the audit committee, we automatically schedule a follow-up audit either later in the audit plan year or in the next audit plan year.”</p><p>Hersh’s team uses audit management software to monitor the status of corrective actions, and that status is reported at every audit committee meeting because it gets the attention of senior management.</p><p>At Ohio State, Patton’s team uses a formal follow-up review process for all recommendations that are included in the final report. The first phase is to follow up with clients every 90 to 120 days until the recommendations are resolved. A follow-up review report is issued to the same distribution list that received the final report. After the second follow-up, any remaining unresolved findings are escalated to senior university leadership for consideration and prioritizing with the unit. In fact, according to Patton, during the second follow-up review, the senior leader is responsible for obtaining an updated management response and resolution time frame to set the priority for the unit. If, after a third follow-up review, any unresolved comments remain, Patton discusses those in detail with the audit and compliance committee. </p><p>But there is another possibility as well. Management may decide to accept the risk and not resolve the comments. These situations also are elevated to the audit and compliance committee for discussion. Patton notes, “Of course we hope it doesn’t get to that point. And it rarely does for us.” </p><p>Principal Financial Group’s process for follow-up is similar to that of Ohio State, with progress checks quarterly. Bolton explains that recommendations are rated critical, high, moderate, and low. Anything moderate or higher receives additional testing to make sure it is implemented to internal audit’s satisfaction. Low items are not tested as vigorously: “We accept their word it’s done.” A quarterly report on the percentage completed and the status of follow-up items is issued to senior management and the audit committee. </p><h2>Understand the Reason</h2><p>Alvero points out the need to determine the reason for nonimplementation. Did management make a business decision, choosing not to take the recommended action based on the risk to business objectives balanced against other factors, such as cost and resources? Or did management simply ignore the recommendation? </p><p>“Making a business decision not to implement a recommendation is not necessarily a red flag,” he says. “It is not the same as ignoring a recommendation, which obviously would be a concern.” Investigation may be needed into the extent of the refusal to implement, because that is generally not a one-unit decision. In many companies, the business office, the CRO, the audit committee, and other individuals or groups, depending on organizational structure, would have to support the decision.</p><p>In some cases, limited resources within the internal audit department may affect follow-up efforts. In these cases, Hersh advises internal audit to prioritize the key risks and then focus on implementation of corrective actions for the more significant risks. He considers this necessary when assessing whether management has inappropriately accepted a risk, in internal audit’s opinion, by not implementing corrective actions.</p><h2>Working Toward One Goal</h2><p>Ultimately, as with so many business transactions, what is being done is often secondary to how it is being done. For its recommendations to carry weight and earn full consideration, internal audit must act as a trusted advisor to the business, establishing and demonstrating a mindset of cooperation and collaboration, not an adversarial relationship. As Bolton puts it, “We have different units, different priorities, different purposes, but ultimately we are one company. We are all working together, trying to do the right thing.” ​​</p>Jane Seago1
A Circle of Advocates Circle of Advocates<p>​Internal auditors spend a lot of time trying to convert people. In some cases, the conversions are small: "Here are the findings — let's come to agreement on what is wrong and how to make it better." In other ca​ses, the conversions are much larger: "In spite of what you think, internal audit is not here to bayonet your wounded; we're here to help the organization achieve its objectives." When we do that job well, we build a circle of advocates who become our best promoters.</p><p>We talk a lot about how to make those conversions — how to sell internal audit to the naysayers who see us as the enemy. And honing that sales pitch<br> is important, as many clients will respond well to our efforts. But we seldom discuss when we should stop selling and just simply walk away.</p><p>The nasty truth is that some people will never buy what internal audit sells. They have been burned, they have their own agendas, or they just refuse to see internal audit as an ally. And as the old saying goes, never try to teach a pig to sing; it wastes your time and it annoys the pig. Internal auditors must recognize that some clients, no matter how much we try to convince them, will never sing the praises of internal audit. And once we have identified them, we must be willing to walk away.</p><p>Of course, ours is a risk-based approach, and if the risks lie within the purview of someone who just doesn't like us, we can't abandon the person, department, or organization. No, even in the face of dislike and even pure hatred, we must still do our work, maintain our standards, and continue to move forward. But that doesn't mean we should waste additional effort trying to convince the client of our added value.</p><p>Keep in mind that, even when we "give up" on such clients, we are still selling ourselves to them. First, by continually providing value, we keep chipping away at the wall they have erected between their department and ours.</p><p>But a more important sales job — and the more convincing one — comes from that circle of advocates. Redirecting our efforts away from those advocates as we try to sell to the naysayers can begin eroding our fan base. But if we maintain our focus on those fans, they become stronger advocates. And the word will start to get around. And soon enough the naysayers will hear their co-workers praise internal audit as a group that provides value, is a trusted advisor, and represents a real partner to the business.</p><p>Tom Peters (as he so often does) put it best: "Greatest waste of time? Trying to 'convert' non-believers. Instead, surround 'em. That is, you don't 'convert.' 'They' 'discover' — come to appreciate what you're doing because a couple of <em>their</em> pals have joined up." When it comes to selling internal audit, sometimes the client's voice speaks the loudest.</p>Mike Jacka1
Agile Performer Performer<p>​Ralph Daals, group chief auditor of London-based RSA Insurance, is passionate about the journey he and his team have been on over the past two years. “The seeds for the transformation were sown in October 2013 when internal audit uncovered significant irregularities during a routine review in our Irish business,” he explains. “That event was publicly reported and brought home the message that, in the end, internal audit will be judged by the things it misses.”</p><p>This clarity about internal audit’s accountability led to new, forward-looking expectations of the function. Daals recalls: “Our chairman put it nicely — ‘I would like you to be able to tell me that the building is about to catch fire, as opposed to pointing me to it after the event.’”</p><p>Meanwhile, RSA was transforming with an agenda of significant strategic rationalization, cost reduction, and operational turnaround. The company was changing rapidly with innovations around big data, robotics, and more digital and agile developments; and with these changes a new profile of risks emerged. “Typically, internal audit follows the company,” Daals says, “but we were driven to make a huge leap to get ahead and stay ahead.”</p><p>The challenges were tough. “We not only had to become more dynam​ic and forward-looking, and get on top of the new risks RSA was facing, but we also had to play our part from a cost and efficiency point of view. We had to do more with less — we’re talking about a double-digit percentage cost reduction here,” he says. “Doing this right meant reinventing ourselves and fundamentally changing our mindset, skills, and ways of working.”</p><h2>Transforming Internal Audit</h2><p>The ambitious changes Daals sought required the function to be inventive — particularly because, he emphasizes, it did not have deep pockets and could not hire expensive consultants. “Constraint was a key driver of innovation and, ultimately, became a real friend,” he says. </p><p>The team started to assess the world around it, identifying and learning from cutting-edge companies regardless of industry and function. “We ended up casting the net pretty wide and then adopting and tailoring what we thought could work well for us,” Daals says. “Jim Collins’ book <em>Good to Great</em> provided a lot of early inspiration. It was all about starting with purpose and people — attracting and retaining the right talent, giving them freedom within a framework, and playing to their strengths.”</p><p>He was wary that, in too many cases, change programs introduced new processes that existed on paper, but didn’t lead to new ways of working in the long term. Theirs was not, he argues, a traditional transformation program — it had no project plans, no champions, and no reams of documentation. </p><p>“We looked to make change easy and infectious, with small iterative improvements driven by obsessing over the right things: sharing successes, challenging each other, and ultimately deeply embedding practices and improvements in our behavior and culture,” he says. “At any time we have about five functionwide ‘obsessions,’ both behavioral and technical. These create a ripple-effect-based transformation — contagion can be very powerful.”</p><p>This approach allowed people to see and feel the build-up of momentum and meant that evolution could happen at an increasing — and often surprisingly rapid — pace. Daals explains that he borrowed from computer animation firm Pixar’s innovation culture and started to experiment, test, and refine ideas.</p><h2>Building Blocks</h2><p>The transformation rested on four main interconnected “building blocks.” The first of these was to simplify and standardize what the team did and when it did it. This was intended to minimize complexity and distractions to allow internal audit to focus all its time and efforts on what mattered most. A vital part of this process was that internal audit had to be comfortable about not doing some of the things it had taken on in the past. Daals says it started with “bonkers lists,” which evolved into a functionwide learning exercise aimed at making the function more efficient and focused.</p><p>“We also wanted to keep it simple to ensure the real value comes from our core activities,” he says. “We shouldn’t have to resort to ‘add-on’ activities, such as advisory reviews, before value is created or recognized. It would imply something is fundamentally wrong.”</p><p>The second building block involved increasing the relevance and timeliness of insights and interventions. The traditional annual planning process became a flexible six-plus-six rolling plan with a strategic three-year outlook. This allowed audits to run in parallel with changes in the business and emerging risks and to anticipate better the skills the team needed now if it was to be ready for the future.</p><p>At the same time, the team brought plan delivery in line with reporting to executives and nonexecutives, cutting the time between identifying findings and committee reporting to a minimum. “Our team now delivers 100 percent of our plan every quarter, which was unheard of in the past,” Daals says.</p><p>The third building block involved implementing an “AsOne” operating model, inspired by Daals’ past work with Deloitte. “We broke down the silos that typically exist in an international function and eliminated the traditional reporting structures and hierarchies,” he explains.</p><p>RSA internal audit consists of more than 60 people based in key cities across three regions: the U.K., Ireland, and the Middle East; Canada; and Scandinavia. Daals says that the AsOne model “facilitates a high level of connectivity and collaboration between the teams” so they can work together as if they were all in the same room. This necessitated a new digital way of working and using communication channels such as Yammer.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​To learn about RSA internal audit's recent awards for outstanding performance and innovation from the U.K.'s Chartered IIA, visit <a class="vglnk" href="" rel="nofollow" target="_blank"></a><strong>.</strong>​</td></tr></tbody></table><p>“Building on AsOne, we advanced our way of working based on music streaming service Spotify’s agile culture. We even adopted some of their naming conventions,” Daals says. “We now structure ourselves around ‘squads’ — fluid teams that bring together the right people for an audit or other initiative, regardless of hierarchical position or location.”</p><p>For the audit function’s stakeholders, Daals says that AsOne increased the quality and consistency of output and coverage, improved the way internal audit shared best practice, and boosted efficiency by reducing duplication and, ultimately, cost.</p><p>The fourth building block was all about striving to build a high-performance culture. “This may sound clichéd — and many talk about it — but in the end we are a people business, and so building a high-performance culture was crucial,” Daals explains. “For us, this is about striving to create an environment where we can attract and retain the best.” He was inspired by Google’s approach to investing in talent and its view that hiring remarkable people is its single most important activity.</p><p>“We tailored this — only people with the passion and aptitude for it are involved in recruitment,” he says. “Our recruiters, typically our most senior people, dedicate significant time to finding the right talent. Every candidate is recruited with an international interview as standard.”</p><p>Daals and his team also looked to elite sports for ideas. “We work closely with performance company PlanetK2, which uses the same kind of performance psychology ideas with us as it uses with Olympic teams. Everybody is challenged about how to get the best out of themselves and each other.”</p><p>All these changes helped to create what Daals characterizes as an agile function. “Agility for us is about being dynamic and flexible. It is about our ability to anticipate, respond, and continuously improve.” He adds that agility needs to be embedded in the mindset, culture, and values of the team; processes and methodologies then follow naturally. “It’s about having a team that gets better and better with every challenge thrown at it,” he says.</p><p>He says that this agility has many advantages: Internal audit is now better at using the team’s full capabilities and experience, it can rapidly gather and deploy the right resources via the squads, and the rapid feedback between stakeholders and the function facilitates quick and constant improvements in what the function does and how it does it.</p><p>Accountability remained a focal point throughout the changes. “Our accountability is always front of mind,” Daals says. “We regularly ask ourselves our killer question: ‘Have we missed anything significant?’”</p><p>“To answer this,” he continues, “we perform a half yearly exercise where we look back across our business through the lenses of issues raised by others, risk incidents, and material external events. We ask, ‘Where were we?’ ‘Did we pick it up?’ and if so, ‘Did we report it appropriately?’” The lessons identified are widely discussed and fed into the continuous improvement of the function, and Daals says the results are getting better every time. He sees it as crucial to delivering against internal audit’s purpose of keeping RSA safe and improving.</p><p>Daals also takes quality assurance seriously. He employs Deloitte to review and challenge audits done in the previous quarter. The reviewers assess whether the audits focused on the right areas and identified the correct risks and issues.</p><h2>Skills for the Future</h2><p>The new-style internal audit team needs to attract a new type of internal auditor, with skills that will be important to the organization of the future. This means it needs to offer an exciting proposition in terms of both working environment and opportunities, Daals says. New recruits may come from other sectors or have a nonaudit background. The team currently includes nontypical members such as a web and app developer and a criminologist. “It’s important to get the balance right between maintaining their unique skills and perspectives and learning internal audit essentials,” Daals adds.</p><p>His search for innovative people who are willing to be shaken out of their comfort zone and are eager to improve constantly is making the team more distinct and adept. “We are always asking how we can break through the typical talent barriers,” he says. “We are well aware that what we are creating doesn’t suit everybody, it requires tenacity and resilience. At times we have had to make some difficult decisions, but that’s OK.”</p><p>To help team members grow to their full potential, Daals has introduced innovations such as a dedicated “Learning Friday” every other month on which everybody can choose what they learn. No work is allowed.</p><p>“We took a lot of inspiration on how to create the best workplace from an [online education] company called Mindvalley,” Daals explains. “It is important we not only bring in new skills, but make sure all our people are set up for the future. So we are investing in upskilling people in ‘new world risks’ such as cyber risks and risks arising from big data and use of robotics and artificial intelligence.” This includes teaching them the basics of coding, how to audit agile developments, and simulating mock crises such as a cyberattack. Daals expects everyone to become highly proficient with data analytics tools.</p><p>He also wanted to move away from a system where people couldn’t progress until the person above them left. The new structure has no fixed number of people per level, so if someone is ready to be promoted, they can be.</p><h2>Hindsight and Innovation</h2><p>So what’s next? “It has been good so far,” Daals says. “Our feedback scores have consistently gone up and our people are in high demand by the business. We have a more agile and forward-looking model that we hope will help us to deal with whatever comes our way. But it doesn’t stop here. We have identified, for example, seven ways of injecting innovation into auditing, including stress-testing the control environment and risk-event and scenario-based auditing. As long as it supports our purpose and we keep an appropriate eye on what we call ‘audit risk,’ we won’t hesitate to give it a go.”</p><p>He is keen, however, to stress that agile is not the same as chaos and needs careful management. He advises others looking at creating an agile culture to establish first a stable “backbone.” You also need to find a way to combine opposites. “Looking forward is great, but not if you don’t look backward at the same time,” he warns. “Sustainability of controls and remediation activity is as, if not more, important.” Chasing emerging risks or organizational change can be catastrophic if you don’t focus on the areas that everybody takes for granted, but can still hurt the company.</p><p>Daals concludes: “We may get it wrong sometimes; you can’t win without ever failing. But in the end, it’s fun putting yourself out there. If you fail, fail and learn fast, but never compromise on outcome.” </p><p><strong><em>A version of this article first appeared in issue 36 of </em>Audit & Risk<em>, the magazine of the Chartered Institute of Internal Auditors. Reproduced with permission. </em></strong></p>Ruth Prickett1
Success Factors Factors<h3>​How can internal audit better align with the organization's strategic priorities?</h3><p> <strong>PEPPERS</strong> All of The IIA's recent stakeholder surveys tell us we must maintain or enhance organizational alignment to stay relevant. A practical test to ensure internal audit has the right balance is to consider how much of its risk assessment efforts are spent looking backward at past events versus looking forward at what is to come. Confirm that assurance and advisory engagements are selected to address the current objectives of the organization. Of course, that assumes you are knowledgeable about those strategic activities. <br> <strong>URBAN</strong> We are in a transformative age — business today is anything but usual. Strategic priorities are driving organizations more than ever to continue to protect and grow. This is where we can add tremendous value by tying our audit plans back to the organization's strategy. If our assurance and consulting work is not aligned with what's most important to the organization, we should challenge why we are doing it. If it's a regulatory or management requirement, then we should identify ways to cover those areas more efficiently so we can focus more on the risks aligned to strategic priorities.​</p><h3>How should internal audit adapt to meet changing expectations?</h3><p> <strong><strong><img src="/2017/PublishingImages/shannon-urban.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />URBAN</strong></strong> It is critical that internal audit practices and processes are flexible and able to adapt to the disruptive changes happening around us. Many internal audit functions follow prescribed practices that are carved in stone in the audit manual. This helps with consistency and quality, but it sometimes keeps auditors from exploring alternate approaches that may be more impactful or efficient for a particular risk area. Internal auditors should allocate time during the planning phase of an audit project to challenge themselves on the approach and techniques they deploy, and make innovation or continuous improvement part of the planning process. <br> <strong><strong>PEPPERS</strong></strong> We have to be in touch with those expectations. Our audit team members are the best resources to help with that. They should be encouraged to listen to our customers and come back and tell us what they hear. As a group, we can then be responsive. While adaptation and evolution are imperative, there are also fundamental principles and practices that shouldn't fluctuate wildly. So thoughtfully consider where and when to invest time and resources into change.​</p><h3>What will be the impact of disruptors like data analytics, artificial intelligence (AI), and blockchain?</h3><p> <strong><strong><img src="/2017/PublishingImages/Michael-Peppers.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />PEPPERS</strong></strong> I find it telling that some internal auditors still consider data analytics to be a new or recent disruptor. We've had that technology available to us for more than 20 years, and some still don't even touch it. When we think of how AI will impact our organizations in the next few years, auditors who take a similar hands-off approach will do so at their own peril. We want to be in a future position to audit these emerging technologies, so we need to be around the table as the related governance, architecture, and infrastructure decisions are being made.<br> <strong><strong>URBAN</strong></strong> These emerging technologies are disrupting long-held business norms, processes, and models. They hold the key for many organizations to drive more cost effective and reliable operations, but may be introducing risks no one has yet thought about. They also promise incredible new capabilities for auditors who understand and adopt what these new enablers can bring to the audit process. I like to think about these technologies as multipliers of audit capacity and capability — if we are brave enough to take the leap.​</p><h3>How can CAEs improve their relationships with the board and audit committee?</h3><p> <strong><strong>URBAN</strong></strong> A lot of it comes down to better communication and building trust. It's easy to assume we know what our stakeholders want, or need, from internal audit — but very few of us ask directly. In our organization, we touch base with key stakeholders at least once a quarter, and not just about the status of the plan or other administrative matters. We talk about what's important to them as stakeholders, and what defines a high-quality and high-value audit service. How are we doing, and where are we missing the mark? We try to understand their personal and social style, their communication preferences, etc. <br> <strong><strong>PEPPERS</strong></strong> I think a CAE has to start by candidly acknowledging the current state of those relationships. Don't just assume all is well. A great indicator is the frequency of communication and who initiates it. Solicit sincere feedback about style and then either maintain or modify accordingly. It also is imperative that CAEs take full advantage of every opportunity they have in front of their audit committees and boards. We must creatively and effectively represent to them the full spectrum of our work and the impact we are making. ​</p><h3>How can internal audit add value to the organization's sustainability strategy?</h3><p> <strong><strong>PEPPERS</strong></strong> Auditors need to have a holistic, long-term view of the organization, its objectives, and its risks. This includes issues around its long-term sustainability and the resources it uses to deliver products and services to its consumers. For example, many audits focus on the process, and while many auditors may use a process mapping effort known as SIPOC [Suppliers, Inputs, Process, Outputs, and Consumers], typically not much time is spent understanding the risks associated with the supplies and inputs into the process. Who is providing the inputs? Where do they get their supply? Is there limited capacity of the supplies, or does demand outstrip supply? What would happen if that supplier could no longer deliver? This is just one path of questioning that opens up by simply looking beyond what is normally audited. There are many other possible pathways when operations are considered from a longer-term, sustainability perspective.<br> <strong><strong>URBAN</strong></strong> According to the Center for Board Matters' 2017 Proxy Season Review, fully 49 percent of all shareholder proposals are related to environmental or social issues. With such diverse topics as greenhouse gas emissions, board diversity, and environmental health and safety, many internal audit teams are finding a place for these topics in the audit plan. Internal audit can address sustainability and environmental, social, and governance issues in many ways. One way is to look at the overall governance structure of sustainability. Is it a stand-alone function that issues a report once a year, or is it integrated into the business? Does it measure and report on key metrics and have reduction targets in place? Is it led by a senio​r executive? Some organizations also are examining whether and how to integrate nonfinancial risk into their overall enterprise risk management process, especially in light of recent U.S. Securities and Exchange Commission and shareholder interest in these areas.   ​</p><h3>How does internal audit attract and retain the right type of talent considering these issues?</h3><p> <strong>URBAN</strong>​​​ Talk about disruption! The entire business model for how candidates are sourced and from where they are sourced is changing across business. Internal audit is no exception. Organizations like ours are diving deeper into the universities to identify high-performing talent as early as freshman year to join our staff ranks. Traditional backgrounds and majors are still needed, but we are recruiting more data scientists, engineers, IT majors, and other non-accountants. Organizations are continuing to develop rotational leadership development programs that involve time in internal audit, but with the goal of building future business leaders — not future auditors. <br><strong>​​PEPPERS</strong> Selection of the right team resources starts with a clear understanding by all of what the job entails. That clarity will increase the likelihood of the right match for the position, and job satisfaction will follow and improve retention. But that is increasingly more challenging given the dynamic nature of the environment we've been discussing. A CAE colleague recently told me she has totally revamped her recruiting to heavily weight critical thinking skills. When those are present, she finds the individuals are better able to perform, contribute, and grow over time. When that happens throughout the internal audit activity, everyone benefits.​</p>Staff1
The Value of Mentorship Value of Mentorship<p>Mentorship is one of the most powerful tools for aspiring internal audit professionals and also provides valuable experiences to mentors. Early in my career, several professionals informally provided me with advice, suggestions, and guidance that helped bring me to where I am today. At the time, I did not realize these individuals were acting as "mentors" but the knowledge, experience, and insights they provided shaped the decisions I made, and I am grateful for the impact they have had on my professional development. Now that I am further in my career and understand the value of mentorship, I thoroughly work to cultivate the relationships with my mentors and mentees so we both get the most out of the experience and grow together.</p><p>At a recent internal audit forum, IIA Executive Vice President and Chief Operations Officer Bill Michalisin co-facilitated a panel on mentoring and career management. The panelists were young internal audit professionals who were part of <em>Internal Auditor </em>magazine's 2016 Emerging Leaders. As a fellow Emerging Leader, I reached out to Michalisin and some of the panelists and asked them to share their perspectives on mentorship with <em>Internal Auditor's</em> readers.<em> </em>  </p><h2>What should I look for in a mentor?</h2><p>"It is important that you spend time thinking about where you are in your professional development, what needs you have, and how a mentoring relationship can aid you in growing to address those needs," Michalisin advises. "Are you interested in learning more about a particular industry? A skill or profession? Or do you want to work on yourself and your own path to growth?" Michalisin recommends potential mentees look for individuals they respect and are ahead in their careers, whether that is in the mentee's field or in an area in which the mentee is interested. "Whatever your goals may be, what you look for in a mentor depends on you individually, which is why I suggest you select a mentor that you know in some way versus selecting a total stranger," he says.  ​</p><p>Jenny Wei, manager, risk advisory, at Deloitte, says she looks for a mentor "that has the qualities and attributes that I admire and want to learn from." Wei says the relationship must be mutually beneficial, with both sides seeing value in it. "I think it is important that your mentor is willing to invest time in the relationship, and that as a mentee you've been able to grow from the results of their advice, which further encourages your mentor to invest in you," she adds. </p><p>Kristine Tkachenko, senior auditor at the University of Toronto, says she looks for "experience I do not have, knowledge in areas that I am interested, and compatibility." And Jesus Valdez, senior internal auditor at Southwest Gas, says it's important to know that internal auditors do not need to have just one mentor. "Having multiple mentors has been an extremely rewarding opportunity," he explains. "I have learned so much more about business acumen, and the industry, in general, from my mentors."</p><h2>Where Can I Fi​​​nd Mentors?</h2><p>There's no magic formula for finding a mentor, but it is important for mentees to do their homework, think about what they want in a mentor, and explore current networks — personal, professional, social — to identify candidates.  Mentors can be found in the workplace, in professional associations like The IIA, and any place where networking opportunities are plentiful. </p><p>Wei points out, "Sometimes people don't realize that they have mentors in their career and personal life because it isn't formalized." She says she would challenge those people to think about the people around them that have supported them in one way or another and reevaluate that assumption. "Often, our mentors are already with us, and what we need is to recognize and practice ways to enhance that relationship even further," she explains.</p><p>Michalisin adds, "Many great mentors that I have had the privilege to work with include those that I was already interacting with regularly whether in the workplace or in personal circles." He suggests looking for opportunities to engage these individuals at events, through social media, and through peers.</p><p>Tkachenko agrees. "Get out there and network, go for it even if you are not comfortable, and you will quickly feel at ease," she says. When you find someone who you want to be your mentor, "don't be afraid to approach that person directly," Valdez adds. "The worst that can happen is that they say 'no,' and that is fine."   </p><h2>What Is My Responsibility as a Mentee?</h2><p>All three past Emerging Leaders state that making time for the relationship is critical to its success. Therefore, the mentee should actively seek connection with the mentor. "Remember that having a mentor is a two-way street, so make sure you also offer your time," Valdez says.</p><p>Wei offers two additional suggestions: "Regardless if you agree with the advice your mentor provides, try it anyway and report back on the results," and "demonstrate progress or actions from each meeting." Wei says these suggestions are important because they give the mentee an opportunity to learn through trying and naturally encourage the mentor and mentee relationship to develop by showing the mentor a return on his or her investment. "Nothing makes mentors happier than seeing the impact of their contributions in helping someone else," she explains.</p><p>"Work with your mentor to develop and set clear goals and discuss the expectations both of you have for the relationship," Michalisin adds. "Such clarity provides the basis for a strong relationship and one that meets the needs of both participants." He advises mentees to be present, respectful, and professional and proactively follow up with their mentors to ensure they get what they need. ​</p><h2>What's in It for the Mentor?</h2><p>The value of being a mentor is "giving back to the community," Tkachenko says. She says she has a passion for helping young professionals make introductions and for providing advice as needed. </p><p>"Being a mentor to others is an amazing experience and is a great way to thank your mentors and pass on knowledge to others," Wei adds. "What I enjoy the most is seeing the impact of helping others and seeing them grow into top performers in their career as well as their personal life." </p><p>"The benefits for a mentor are just as plentiful as those that are derived by the mentee," Michalisin adds. "In many ways, mentoring provides an opportunity for mentors to learn, grow, and evolve to be better leaders given the skills that mentoring helps to develop." He says he encourages members of his team, who may not have a team to lead, to consider mentoring as he believes it helps develop critical leadership skills, including listening, empathy, goal setting, providing feedback, and coaching. "Regardless of the stage of your career, learning is a constant thread and we need to ensure we look for it at all levels and in a variety of relationships." ​</p><h2>A Mutually Beneficial Relationship</h2><p>Mentoring, both as a mentor and mentee, is hard work. It requires a significant commitment and, like in business, the return on investment matters. Mentees must be sure to listen and be open to the guidance and counsel being shared even if, at the time, they may not want to hear it. And mentors must be willing to listen, show empathy, share perspective and feedback, and invest the time necessary to coach and guide. Mentoring can be a rewarding experience, and in a profession like internal auditing it is critical to passing the torch to the next generation of practitioners.​</p>Bill Stahl1
Top Articles of 2017 Articles of 2017<div>2017 has been a dynamic year for the profession — one marked by calls for innovation, increased focus on strategic alignment, and an ongoing need to examine organizational culture. We look back at the stories that have been most popular with <em>Internal Auditor’</em>s readers, reflecting the areas that helped define internal au​diting over the past year. <br></div><div><br></div><div>1. <a href="/2017/Pages/How-to-Audit-Culture.aspx">How to Audit Culture</a></div><div>Culture audits can help practitioners gain insight into the causes of poor organizational behavior.</div><div><br></div><div>2. <a href="/2017/Pages/Auditing-What-Matters.aspx">Auditing What Matters</a></div><div>Internal auditors can add value by selecting audits that contribute to achievement of strategic objectives.</div><div><br></div><div>3. <a href="/2017/Pages/On-the-Rise-2017.aspx">On the Rise: 2017</a></div><div>This year’s up-and-coming practitioners are making a difference in their organizations and helping move the profession forward.</div><div><br></div><div>4. <a href="/2017/Pages/Internal-Audit-Needs-Risk-Management,-Too.aspx">Internal Audit Needs Risk Management, Too</a></div><div>Managing its own risks can improve the audit function’s performance and demonstrate that it practices what it preaches.</div><div><br></div><div>5. <a href="/2017/Pages/Breaking-Down-The-Standards.aspx">Breaking Down the Standards​</a></div><div>With the right strategy, practitioners can divide conformance into bite-size, easily digested portions.</div><div><br></div><div>6. <a href="/2017/Pages/The-Innovative-Internal-Auditor.aspx">The Innovative Internal Auditor</a></div><div>As businesses strive to find opportunities in a world driven by technological transformation, internal auditors need to continually innovate to stay ahead of the game, says Shannon Urban, 2017–2018 chairman of The IIA’s North American Board.</div><div><br></div><div>7. <a href="/2017/Pages/Building-a-Data-Analytics-Program.aspx">Building a Data Analytics Program</a></div><div>Six strategies can facilitate progress when starting or furthering an analytics program.</div><div><br></div><div>8. <a href="/2017/Pages/Under-Siege.aspx">Under Siege</a></div><div>Public sector auditors can face intimidation, isolation, retaliation, suspension — even termination — just for doing their job.</div><div><br></div><div>9. <a href="/2017/Pages/COSO-ERM-Getting-Risk-Management-Right.aspx">COSO ERM: Getting Risk Management Right</a></div><div>Strategy and organizational performance are the heart of the updated framework.</div><div><br></div><div>10. <a href="/2017/Pages/Auditing-Organizational-Governance.aspx">Auditing Organizational Governance</a>​</div><div>Internal audit has an integral role to play in improving the organization’s strategic performance.​​</div><br>Staff0

  • MNP_Feb2018 IAO_Premium 1
  • IIA Training_Feb2018_Premium 2
  • IIA CIA_Feb2018_Premium 3