Practices

 

 

From Ratings to Recommendations
https://iaonline.theiia.org/2017/Pages/From-Ratings-to-Recommendations.aspx
<p>Audit ratings may be the most misused tool in the auditor’s tool belt. Instead of motivating management to fix problems, ratings more often serve as a demotivator, answering the question, “How bad is it?” This is the wrong question, and it erroneously imposes a “stick” mentality. While ratings may get the attention auditors are looking for, they undermine any attempt to build strong, professional relationships and fail to encourage constructive behavior. If we believe in our mission as stated in The IIA’s International Professional Practices Framework — “to enhance and protect organizational value” — then the goal of any audit is not to demonstrate just how bad things are, but to encourage positive action in support of the organization’s goals. </p><p>Many internal auditors report long lists of open audit recommendations and management’s resistance to implementing them, ranging from passive-aggressiveness (ignoring the recommendations) to outright denial that any problems exist. Auditors will say that it’s not personal, that they are just doing their job. They often think the client should be mature enough to not take being audited personally. But when you are the subject of an audit that could potentially expose your weaknesses all the way up through the C-suite to the board, it’s unavoidably personal. Add to that the audit ratings — essentially bright flashing arrows pointing out problems — and you have the makings of a difficult relationship with management. How can auditors transform this stick into a carrot? To begin, it helps to understand a few basics on motivation.</p><p>What truly motivates people has been studied for years by University of Rochester researchers Edward Deci and Richard Ryan. 
Their research has culminated in what they call the self-determination theory (SDT), which posits that human motivation is optimized when three basic needs are met: developing one’s skills (competency), exercising free will (autonomy), and feeling connected with others (relatedness). According to SDT, motivation through common meaningful goals will trump negative reinforcement every time. The researchers also found that while negative reinforcement can be effective, the impact is often temporary and can incentivize undesirable behavior. </p><p>Instead of rating audit findings, internal auditors should prioritize recommendations. In other words, don’t focus on what is wrong — bring attention to the most important actions required to manage risks. The chief audit executive for the County of Los Angeles, Peter Hughes, explained at the recent IIA Western Regional Conference that he uses this strategy to great effect. Brilliant in its simplicity, the approach focuses on future solutions rather than looking backward at past mistakes. Most importantly, as SDT points out, by focusing on developing common goals via prioritized recommendations, management will be far more motivated to take ownership. Instead of grading their level of incompetence, give them the opportunity to implement solutions and demonstrate their competence, autonomy, and relatedness.</p>
Jim Pelletier
It’s Only One Word
https://iaonline.theiia.org/2017/Pages/It’s-Only-One-Word.aspx
<p>It’s so easy to change a single word … and so easy for that simple change to impact a sentence, a paragraph, or an idea. Rock musician Warren Zevon wrote an amazing song titled “Carmelita,” which includes the line, “I pawned my Smith Corona. …” For those who don’t know, a Smith Corona is a typewriter: a tool that, before the proliferation of computing power, was widely used by writers everywhere — even internal auditors. In that simple phrase, Zevon describes a man who has reached the end of his rope, pawning a valuable tool of his trade.</p><p>American pop singer Linda Ronstadt, in a typically incredible performance, covered the song. However, she made a small but significant change — “I pawned my Smith & Wesson. …” Again, for those who don’t know, Smith & Wesson is a brand of firearms. Ronstadt’s alteration seems minor, yet it changes everything about the lyric, its impact, and the story told by the song. It significantly modifies what was originally written.</p><p>And it is with no less impact that some reviewers make changes to audit reports, far too often altering those reports without ensuring that the change is necessary or appropriate. Words are precise, and when audit management assigns auditors to write those reports, management should expect the auditors to use the precise words that mean precisely what they mean to say.</p><p>Yet many audit report review processes seem designed to take away the auditor’s responsibility for that precision. Far too often, the lead, manager, chief audit executive, etc. doesn’t like what is written (“I can’t say why; I just don’t like it”) and starts editing. 
The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.</p><p>Report reviewers everywhere, here are three lessons you should take to heart:</p><ul><li>Do not change anything without ensuring those who actually did the work have a say in those changes. That is the only way to ensure the report is still accurate.</li><li>Never make a change unless you can explain why that change is necessary. Otherwise, you are just changing for personal preference.</li><li>Always explain the reasons for any change to the person who wrote the original drafts. Only by understanding the reason for the changes will that individual ever learn how to do a better job.</li></ul><p>However, there is a fourth, equally important lesson that seems counterintuitive in a discussion about the preciseness of words. Don’t dither. Internal auditors work hard to find the exact wording when something close will do. And our focus on that unnecessary precision results in a deluge of rewrites, delays, and frustrations. Get it right, but don’t worry about being perfect. And when all is said and done, make sure you haven’t turned a typewriter into a gun.</p>
Mike Jacka
Auditing From a Distance
https://iaonline.theiia.org/2017/Pages/Auditing-From-a-Distance.aspx
<p style="text-align:justify;">Remote auditing, also known as online auditing or virtual auditing, has been in use by organizations worldwide for many years. Engagements conducted remotely use technology to carry out audit work without requiring the practitioner to be physically present at the audit location. The approach can yield significant benefits, particularly for organizations with geographically dispersed operations. </p><p style="text-align:justify;">Among the most significant benefits are cost-reduction opportunities related to travel. An auditor from Pakistan at a multinational company, for example, worked remotely on a four-week assignment in South Africa, resulting in savings of approximately US$7,000 in air travel and other expenses. Beyond cost savings, however, remote techniques can enable practitioners to more easily review locations that are difficult to access because of travel restrictions, safety concerns, or lengthy visa processes. They can also contribute to more efficient resource utilization in scenarios where information can be requested instantly via phone call or email, without the need for an auditor on site.</p><p style="text-align:justify;">Given that business disruption requires internal audit functions to manage costs more efficiently and effectively, this is an opportune time for internal auditors to take a closer look at remote auditing. Auditors can follow several steps to help optimize its use on engagements and ensure positive results. But first, they should familiarize themselves with potential hurdles that could impede successful practice.</p><h2>Knowing the Limitations</h2><p style="text-align:justify;">Like most other technology-dependent approaches, remote auditing has its share of implementation challenges. 
Areas that merit particular attention include communication, practical knowledge, client impact, and technology.</p><p style="text-align:justify;"><strong>Communication </strong>Auditor–client rapport established through face-to-face interaction represents a key facet of traditional auditing. And while effective working relationships can be fostered to a degree through technologies such as telephone and videoconferencing, they are not as easy to initiate as when both parties are in the same location — where a simple knock on the door or impromptu meeting in the hallway can elicit a conversation. </p><p style="text-align:justify;"><strong>Familiarity With Remote Auditing </strong>Clients and audit staff may not be familiar with the mechanics of a remote audit, leading to some confusion. Traditional audits involve regular face-to-face interaction in settings where there are often no time zone, language, or cultural differences. Remote audits, depending on scope, may lack these elements, potentially resulting in miscommunication or unreasonable expectations.</p><p style="text-align:justify;"><strong>Client Burden </strong>Remote audits can increase the client's workload. In a traditional audit, for example, verifying the physical existence of an asset would involve visiting the asset location. Performing this same procedure via a remote audit would require a client representative to visit the asset and email a photograph to the auditors. </p><p style="text-align:justify;"><strong>Technological Limitations </strong>Isolated locations or operations based in a different country may not have the infrastructure in place to fully support a remote audit. Issues can vary, ranging from basic challenges such as insufficient network bandwidth to more complex issues such as the size and format of data and local regulations affecting data transfer. 
</p><h2>Strategies for Success</h2><p style="text-align:justify;">Depending on an organization's size and scope of operations, effective remote auditing with significant cost savings can be achieved by following several key guidelines.</p><p style="text-align:justify;"><strong>Know When to Audit Remotely </strong>Remote audits are not suitable for all clients and all engagement types. Practitioners must determine whether the proposed audit has an appropriate scope of work and a client willing to participate in the process. Client participation, in fact, is crucial, as reluctance can result in communication delays, lack of understanding, and miscommunication.</p><p style="text-align:justify;">Technology also plays a pivotal part in determining remote auditing feasibility. It is easier, for example, to extract and transfer data from systems such as SAP compared to data held in physical documents.</p><p style="text-align:justify;"><strong>Communicate Up Front </strong>All stakeholders should understand what a remote audit is, its mechanics, and any expectations associated with the process. To address these issues, internal audit may want to establish an agreement with the client that specifies how communication between the two parties will occur, and at what frequency. This agreement can help reduce the potential for misunderstanding and enable all stakeholders to understand the resource and time commitment required. </p><p style="text-align:justify;">If the audit team is split between on-site and remote auditors, the remote practitioner needs to provide periodic updates on audit progress to the on-site team, and vice versa. This process removes duplication, allows for brainstorming, and ensures that the remote auditor still feels connected to the team. </p><p style="text-align:justify;"><strong>Select the Right Tasks </strong>Remote auditing can be more useful for quantitative tasks than qualitative tasks. 
For example, carrying out a review of an organization's invoice processing — when the data and support material are readily available online — requires less interaction with the client compared to reviewing the adequacy of its compliance with international trade requirements. The degree of communication involved is the main differentiator. Data analytics, as well, would require less interaction in comparison to a review of the procurement process for new vendors. </p><p style="text-align:justify;"><strong>Do Your Homework </strong>Given remote auditing's divergence from traditional auditing, client and practitioner preparation is key to carrying out engagements successfully. Both parties should, for example, become familiar with the necessary communication methodologies (teleconferencing, desktop sharing, etc.) in advance. Moreover, internal audit should dedicate a certain amount of time for the duration of the audit to the remote auditor and respond promptly to any requests. Appointing an on-site liaison or coordinator to assist the remote auditor on a short-term basis can also be beneficial. </p><h2>Digital Engagements</h2><p style="text-align:justify;">We live in a global and increasingly digital world — remote auditing is ideally suited to helping provide assurance in it. With the right strategy, remote auditing has the potential to be an efficient alternative or supplement to traditional audit approaches. It provides global and local organizations with the agility to respond to disruption and other challenges in today's dynamic business environment. </p>
Aiman Khan
The Root of the Matter
https://iaonline.theiia.org/2017/Pages/The-Root-of-the-Matter.aspx
<p>Most internal auditors would likely agree that audit findings can best be resolved by addressing, correcting, or eliminating the root cause as opposed to merely addressing symptoms, and that directing corrective measures at the root cause reduces the probability of recurrence. In fact, auditors whose reporting only recommends that management fix the issue — and not the underlying reason that caused the issue — could be failing to add insights that improve the longer-term effectiveness and efficiency of business processes, and thus the overall governance, risk, and control environment.</p><p>Root cause analysis enables auditors to produce deeper, more thorough reporting by providing an objective, structured approach to identifying and determining the most probable underlying causes of a problem or undesired event within an organization. It considers factors that result in the nature, magnitude, location, or timing of harmful outcomes (consequences) stemming from past risk events, or factors that may lie behind future risk events. The auditor uses this information to identify what behaviors, actions, inactions, or conditions need to be addressed to prevent recurrence of similar harmful outcomes. </p><p>Complex, serious, or pervasive problems are rarely the result of a singular event or failure. Frequently, a "perfect storm" of several causes forms to create an ideal environment for the failure to occur. Moreover, simply getting to the root cause to prevent it from happening again may not be enough — the consequences have to be addressed. </p><p>To better understand root cause analysis, two general myths need to be dispelled — the myth of the single root cause, and the myth that fixing the root cause alone fixes the problem. 
Upon recognizing these false notions, internal auditors can use several methods to perform root cause analysis more effectively on their engagements. </p><h2>Multiple Root Causes</h2><p>Many organizations mistakenly use the term <em>root cause</em> to identify one main cause. However, focusing on a single cause can limit the solutions set, resulting in the exclusion of viable solutions.</p><p>Internal auditors commonly use the Five Whys technique to explore the cause–effect relationships underlying audit issues, with the goal of determining the root cause of a defect or problem. By asking successive "why" questions, the nature of the problem as well as its solution usually become clearer. Asking "why" helps identify the causes associated with each sequential step of the defined problem or event. An example from The IIA's Implementation Guide 2320: Analysis and Evaluation illustrates this technique: "The worker fell. Why? Because oil was on the floor. Why? Because a part was leaking. Why? Because the part keeps failing. Why? Because the quality standards for suppliers are insufficient." By the fifth "why," the internal auditor should have identified or be close to identifying the root cause. (For another example, see the <a href="/2017/Documents/Parker-online%20exclusive%20material-5%20whys%20table.pdf" target="_blank">Five Whys Table</a>.)</p><p><img src="/2017/PublishingImages/Parker_ERM%20vs%20Root%20Cause.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:227px;" />Although this technique can be useful, some experts contend that using the Five Whys leads auditors to mistakenly believe that only one true root cause to an issue exists — and that if they are successful in finding that root cause they will permanently solve the problem. In reality, several related or unrelated root causes are frequently responsible for the findings that auditors identify. 
(See <a href="/2017/Documents/Parker-online%20exclusive-fault%20tree.pdf" target="_blank">Fault-tree Analysis</a> for a variant of the Five Whys technique that better accommodates multiple root causes.)</p><p>Rather than assuming the presence of just one root cause, internal auditors should brainstorm with a team to identify all the potential causes that contribute to a problem. The process can result in multiple opportunities to mitigate risk and prevent problems from occurring. It is also helpful for auditors to think about root cause analysis in terms of three stages: identification, measurement, and prioritization. Using this approach, the structure of root cause analysis is analogous to the structure of a risk assessment (see "ERM vs. Root Cause" at right). </p><p><strong>Identification</strong> The cause-and-effect diagram represents a preferred tool for identifying multiple root causes. Also called a fishbone diagram — because its shape is similar to the side view of a fish skeleton — this method enables users to visually display the many potential causes of a problem or an effect, helping reveal key relationships among causes and provide additional insight into process behavior. It uses a graphical description of the process elements to analyze potential sources of process variation (see "Fishbone Diagram" below right).</p><p>When using a team approach to problem solving, differing opinions often arise as to the problem's root cause. The fishbone diagram helps capture these ideas and stimulate team brainstorming. It also can be used to structure the brainstorming session, as the diagram not only helps identify the many possible causes for an effect or problem, but also enables users to sort these ideas into useful categories: </p><ul><li>Man (people) — anyone involved with the process.</li><li>Machine (equipment/technology) — any equipment, software, hardware, tools, supplies, etc. 
required to accomplish the job.</li><li>Measurements (management) — data generated from the process and metrics used to evaluate its quality, efficiency, and effectiveness.</li><li>Method (process) — how the process is performed and the specific requirements for doing it, such as policies, procedures, and rules.</li><li>Materials (inputs) — raw materials, parts, documents, data, etc. used to produce the final product or output of the process.</li><li>Mother Nature (environment) — the conditions, such as location, time, and temperature, in which the process operates, as well as external factors that are not associated with the natural environment, including laws, regulations, and culture. </li></ul><p><img src="/2017/PublishingImages/Parker_Fishbone%20Diagram.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:333px;" />Causes derived from the brainstorming effort are grouped into these categories and then traced back to the root causes, which can be performed using the Five Whys technique in conjunction with the fishbone diagram. Because people by nature often like to start working on a problem as quickly as possible, this approach can help yield a more efficient and thorough exploration of the issues behind the problem, which in turn will lead to a more robust solution. (See <a href="/2017/Documents/Parker-online%20exclusive%20material-Root%20cause%20summary%20table.pdf" target="_blank">Root Cause Summary Table</a> for a tool that can be used to capture results from fishbone diagramming.)</p><p><strong>Measurement and Prioritization</strong> For the measurement and prioritization phases, the team can numerically confirm the proportion of each root cause's impact on the problem and rank them accordingly. 
Two root cause analysis tools can be especially useful in this process — the Pareto chart and the scatter diagram.</p><p>The Pareto chart illustrates the Pareto principle, frequently referred to as the 80/20 rule, which states that 20 percent of the population accounts for 80 percent of the phenomenon. The chart's purpose is to highlight the set of factors or activities that most contribute to a problem or opportunity (see "Pareto Chart — Types of Errors" below right). </p><p>By categorizing and displaying the supporting data for multiple causes, the Pareto chart can focus attention on the causes most important to resolving, reducing, or eliminating a problem. This approach can be particularly helpful when the team is:</p><ul><li>Analyzing data about potential root causes or the frequency of problems.</li><li>Dealing with many different problems and causes but looking to focus on the most significant ones.</li><li>Analyzing wide-reaching causes by zeroing in on their individual components.</li></ul><p>Scatter diagrams pair causes and effects, with one variable on each axis, to look for a relationship between them. A scatter diagram could depict the relationship between a cause and an effect, between one cause and another, or even between one cause and two others. If the diagram reveals a relationship, then the possibility arises that one variable may be controlled by varying the other variable, or that two effects that appear related share the same cause. During root cause analysis, scatter diagrams can be useful for displaying and analyzing the relationship or correlation between cause and effect variables, which can help point to the true root causes of problems as well as facilitate ranking those causes in order of importance by strength of relationship (see "Scatter Diagram — Revenue vs. Sales" below right). 
</p><h2>Fixing the Problem</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Data Analytics</strong></p><p>The use of data analytics helps drive improved effectiveness in the way audit departments assess risk and execute audits. Pareto charts and statistical correlation tools such as scatter diagrams leverage data analytics for root cause measurement and prioritization to quantitatively determine the significance of the root cause(s) identified. Root cause analysis can be supported by data analytics during the measurement/prioritization phase by statistically measuring the potential impact of root causes observed and prioritizing them according to risk. </p></td></tr></tbody></table><p>Once internal auditors have identified a root cause, or multiple root causes, they must be able to offer meaningful recommendations or management action plans to address the issue. But contrary to a common misconception, fixing the root cause alone does not necessarily fix the problem — auditors must also help address the damage or difficulties that emerged as a result. To better understand this idea, practitioners can benefit from reviewing a key foundational concept in audit report writing, informally referred to as the Five C's: </p><ul><li>Condition (<em>what is</em>).</li><li>Criteria (<em>what should be</em>).</li><li>Cause (<em>why</em>).</li><li>Consequence [Effect] (<em>so what</em>).</li><li>Corrective action plans and recommendations (<em>what's to be done</em>).</li></ul><p>Well-written audit reports provide recommendations that address the underlying root causes of a problem, thus helping to ensure the condition will not recur. Because recommendations must resolve both the condition and the cause, the terminology used in the recommendation often mirrors or matches the terminology in the condition and the cause. 
Moreover, the recommendation must identify the action necessary to bring the condition in line with the criteria.</p><p>Irrespective of the reporting format an audit function uses, these elements should generally be included in some form in each finding to address and report audit issues effectively. For root cause analysis, auditors need to drill down a little further on the last two components — consequence and corrective action plans/recommendations — to ensure they add value.</p><p>When noting a condition's business impact in an audit finding, one of four levels may apply: </p><ul><li>Direct, one-time effect on the process.</li><li>Cumulative effect on the process.</li><li>Cumulative effect on the organization.</li><li>High-level, systemic effect.</li></ul><p><img src="/2017/PublishingImages/Parker_Pareto%20Chart%20Types%20of%20Errors.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:525px;height:317px;" />In response to these levels, three important types of recommendations/action plans can be considered. The first two are described in the IIA Practice Guide, Audit Reports: Communicating Assurance Engagement Results: </p><ul><li>Condition-based recommendations — provide an interim solution for correcting the current condition (e.g., removing inappropriate access).</li><li>Cause-based recommendations — actions needed to prevent the condition/observation from occurring again. Root cause-based recommendations are typically longer term solutions and may involve more time (e.g., creating and implementing an access review policy). 
</li></ul><p><br></p><p>A third type of recommendation/action plan must be considered when the root cause has created a consequence whose damaging effects must be remediated before business continues: </p><ul><li>Recovery-focused — address the consequences of the condition and describe what will be done to correct errors caused by it.</li></ul><p><br></p><p>As illustrated by disasters such as the Deepwater Horizon oil drilling accident, which resulted in 11 deaths and caused the largest oil spill in U.S. history, identifying the root cause to prevent such a catastrophe from recurring is only one part of the solution — someone also has to clean up the oil. So, in addition to a recovery-focused root cause analysis effort to get to the root cause of the spill's consequences, a recovery-focused recommendation and action plan would be needed to address the environmental damage. </p><p>Internal auditors should consider that the level of the effect will drive the nature of the root cause analysis and the type of recommendation and action plan: </p><ul><li>Direct, one-time effect on the process (condition-based recommendation and action plan).</li><li>Cumulative effect on the process (cause-based recommendation and action plan).</li><li>Cumulative effect on the organization (recovery-focused recommendation and action plan).</li><li>High-level, systemic effect (recovery-focused recommendation and action plan).</li></ul><p><br></p><p><img src="/2017/PublishingImages/Parker_Scatter%20Diagram%20Revenue%20vs%20Sales.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:250px;" />As noted in Audit Reports: Communicating Assurance Engagement Results, "Action plans are effective when designed and executed in a way that addresses the root cause." 
In that regard, root cause analysis has the aim of generating and formulating agreed-upon corrective actions to eliminate, or at least mitigate, those causes to produce significant long-term performance improvement in addition to promoting the achievement of better consequences.</p><h2>Reap the Benefits</h2><p>The resources spent on root cause analysis should be commensurate with the impact of the issue or potential future issues and risks. Before starting root cause analysis for more complex issues, internal auditors should bear in mind that additional time may be required to analyze the processes, personnel, technology, and data necessary to generate agreed-upon corrective action plans that eliminate, or at least significantly mitigate, the root causes. An effective action plan brings the condition in line with the criteria and addresses the potential or existing harmful outcomes stated in the effect. In the end, this approach will allow the auditor, audit client, and organization to reap the full benefits that a well-executed root cause analysis effort can provide.</p>
Jimmy Parker
More Than Compliance with “A”
https://iaonline.theiia.org/2017/Pages/more-than-Compliance-with-“A”.aspx
<p>It is difficult to argue that compliance audits are not an important internal audit product. Noncompliance with, for example, anti-money laundering legislation can have serious consequences. In one recent example, Deutsche Bank was fined $425 million by the New York State Department of Financial Services and $204 million by the U.K. Financial Conduct Authority for failing to conduct basic money laundering due diligence. </p><p>Despite the seriousness of noncompliance, many managers do not see compliance audits as valuable, possibly because they often look like this:</p><ul><li>Objective: Verify compliance with “A.”</li><li>Criterion: Client should do “A.”</li><li>Condition: Client is not doing “A.”</li><li>Recommendation: Do “A.”</li></ul><p>Auditors need to ensure that compliance audits provide real assurance to senior management and add value.</p><h2>Do the Right Thing</h2><p>Internal auditors can add value to compliance audits by doing the right audit and doing it correctly. Doing the right audit means examining why there is a compliance requirement in the first place. Typically, it’s for legal, regulatory, operational, or ethical reasons. But behind “you must do ‘A,’” there is a serious enough risk for management or regulatory/legal authorities to put in a compliance requirement. However, risk shifts quickly, and speed of change is a critical success factor of business. Risk morphs rapidly in a world where globalization and automation affect strategic and operational initiatives of global enterprises. Changing risks can affect not only the need for compliance controls but also their adequacy. In addition, while the compliance function monitors noncompliance, internal audit provides the independent assessment over risk as the third line of defense. 
</p><p>Internal audit provides assurance on the effectiveness of governance, risk management, and compliance, including the way in which the first and second lines of defense achieve risk management and control objectives. This assurance covers a broad range of objectives, including compliance with laws, regulations, policies, procedures, and contracts. But it should not be compliance simply for compliance’s sake. Internal audit should consider the overarching business objective and the controls that help mitigate risk to the achievement of the objective — even when examining compliance-related controls. </p><p>Deconstructing the top-level strategy into key objectives will identify the enterprise-level risks that threaten achieving those goals, the process-level control objectives that mitigate enterprise risks, and process-level risks and controls. The compliance activities will likely be closely related to these process-level risks and controls, which should be assessed. </p><h2>Start With the Objective </h2><p>Virtually every company will have a set of policies and procedures that must be followed to protect it from lawsuits, prosecution, and reputational and other risks. These are the areas with compliance requirements and where audit performs compliance audits. For example, companies with manufacturing plants must comply with environmental regulations, and U.S. publicly traded companies have to comply with the U.S. Sarbanes-Oxley Act of 2002 and other financial and legal rules and regulations. </p><p>Transforming a compliance audit into a value-adding activity starts with the audit objective. This defines what the audit seeks to accomplish and drives the scope, criteria, work plan, and final results. 
If the objective is simply to verify compliance with “A,” then one will fall into the trap of concluding “You are not doing ‘A’” and recommending “Do ‘A.’” However, if the objective is “To verify the need for, existence of, and adequacy of compliance with ‘A,’” it will be better positioned to address governance and risk management issues and compliance. <br></p><p>In this type of audit objective, one of the first steps would be to determine if the original risks and compliance requirements still exist. They may have been eliminated by a change in operations (e.g., the company is no longer making that product) or transferred to someone else (e.g., subcontracted out); the company is no longer using that manufacturing process; or business process re-engineering, changes in location, or retooling may have eliminated, transferred, or lessened the risk. In these cases, the value add might be the elimination of the requirement. No risk = no compliance requirement.<br></p><p>With a good understanding of the current level and sources of risk, the next step is to look at the requirement for, and the adequacy and effectiveness of, the mitigating control. This requires an understanding of the cause and source of the risk and the operation of the control. Is the control still required? Does it address the root cause? Are there better ways to mitigate the risk? By answering these questions, the audit may identify unnecessary, ineffective, or better controls, which may reduce the cost of compliance while improving risk mitigation. The next step would be to verify that the control activities are being performed (i.e., compliance). </p><p>However, if one finds noncompliance, it is not sufficient to recommend “Do ‘A.’” Audit recommendations should address the root cause, including determining why management is not complying. Was management aware of the requirement? Is management capable of complying? Are there compensating controls that have been implemented? 
Asking why (usually several times) is often sufficient to determine the cause of noncompliance. <br></p><p>Internal auditors also should determine the impact of noncompliance. Then instead of saying, “Do ‘A,’” audit can provide a rationale and make a recommendation that assists management in complying.<br></p><p>Next, the audit should be done right. This means maximizing use of resources and analytics. Data analytics includes the application of analysis techniques to understand business processes; identify and assess risks; test controls; assess efficiency and effectiveness; and prevent, detect, and investigate fraud. Data analytics techniques can assist organizations in focusing their risk responses in the areas in which there is a higher risk — including compliance risk.<br></p><p>Existing levels of risk can be assessed and trends identified to determine whether the risk is increasing or decreasing. For example, environmental compliance could examine spills (number and quantity), clean-up costs, and lawsuits (quantity and value); while production compliance could examine material, personnel, maintenance, and operational costs. By examining measures over several months or years, trends can be produced to assess the effectiveness of mitigation efforts and identify emerging risks.<br></p><p>The effectiveness of controls also can be tested with analytics. For example, environmental compliance can examine the control over the purchasing of hazardous materials — ensuring that the purchase quantities match requirements — thereby avoiding environmental compliance issues around disposal. Compliance with hiring practices could review staffing methods and staffing rates (by gender, race, etc.) to ensure procedures are being followed and address employment equity requirements before they become noncompliance issues. 
<br></p><h2>Remove the Stigma</h2><p>Sometimes compliance with a poor control can increase risk and dysfunctional behavior, and cultural issues can make enterprisewide compliance difficult for global companies and increase risk. Doing the right compliance audit — not simply “did we do ‘A?’” — and doing it effectively can result in significant value to the organization and remove the “gotcha” stigma of compliance audits. However, it requires auditors to re-examine the compliance-related risk and controls and use analytics. By doing so, internal audit will add value and provide assurance to senior management about compliance-related risks. </p>Brian Aiken1
#PurposeServiceImpacthttps://iaonline.theiia.org/2017/Pages/PurposeServiceImpact.aspx#PurposeServiceImpact<p>​As ubiquitous as social media is today, it is hard to recall a time when we were not glued to our Facebook, Twitter, or Instagram accounts. Indeed, it is rare to read about a cause or event without running into at least one hashtag. This article is no exception. <br></p><p>As the 2017-2018 global chairman of The IIA Board of Directors — a privilege I am humbled and honored to experience — one of my first assignments was to develop a theme for my term. Coming up with the basics was easy: Purpose, service, and impact are three concepts that are very important to me. But when I looked at those words on their own, they seemed somehow incomplete. Then, as I was bouncing ideas off my team, the hashtag treatment was suggested. Thus, my theme became #PurposeServiceImpact.<br></p><p>We have become so accustomed to the hashtag, we often forget what it is intended to convey. It’s a useful, shorthand way to say, “pay attention,” “join the discussion,” and “pass it along” — reactions I hope IIA members have to the concepts of <em>purpose</em>, <em>service</em>, and <em>impact</em> as we go through the year, because I believe they have a very real place in our personal and professional lives.<br></p><h2>#Purpose</h2><p>Purpose is fairly straightforward. We all have a sense of purpose about our careers and our lives. It is the “why” of what we are doing, our mission, the reason we want to make a difference. 
As individuals, we need to know that all of the effort, focus, and sacrifice we have invested over time will pay off in achieving a goal.<br>As internal auditors, our mission is clearly laid out for us in The IIA’s International Professional Practices Framework: “Enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” How we enhance and protect organizational value is different for each of us based on our organization’s business. Is it market share? New products? Students educated? Patients served? Perception of reputation? Earnings per share? Whatever it is, internal auditors, at the very least, help management maintain that value, but, ideally, we enhance and increase it through the work we do.<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>#BoardPriorities </strong><br>During the coming year, I anticipate deploying the #PurposeServiceImpact philosophy as I lead The IIA’s Global Board of Directors in several initiatives:<br><ul><li>Addressing the recommendations of a special Governance Task Force that has studied The IIA’s governance structure and processes. Significant changes are being proposed to the board and membership.</li><li>Completing the triennial refresh of The IIA’s global strategic plan. A new approach to gather input from multiple regional sessions is underway.</li><li>Advancing the recent Guiding Principles of Effective Affiliate Governance, which is intended to help affiliates serve their stakeholders and more than 190,000 members worldwide.</li><li>Studying laws, regulations, and questions related to licensing the internal audit profession. 
A global steering committee is working on this project.</li><li>Considering ways to increase the level of conformance with the International Standards for the Professional Practice of Internal Auditing.</li><li>Assessing The IIA’s portfolio of certifications to ensure it meets stakeholder expectations and is positioned for sustained success.</li></ul></td></tr></tbody></table><p>As individuals and as internal auditors, we do not operate in a vacuum. We function within some sort of larger construct. As individuals, that may be a family, a community, a club — even an organization such as The IIA. As internal auditors, it is where we work. We must clearly understand the purpose of our organization and be certain that our personal sense of purpose aligns with it. Generally, every organization has a mission statement, but studying other indicators such as culture, strategy, and reputation can provide useful information, as well. Then we must determine how we can help the organization realize its mission.<br></p><p>A practical application can be found in the way some auditors are evolving the traditional risk-based audit approach — which is still very valuable — with more strategic elements. Start with the big-picture objectives of the organization and take the risk assessment from there. This helps ensure that what internal auditors do is more strategic and supports the goals of the organization — its purpose. For example, I once audited an area that had wonderful ideas, plans, and goals, but lacked good project management to address those plans in a systematic and metrics-driven way. I provided recommendations about managing projects. This was not a typical risk audit, but it provided value: The department recognized that adding this element would help in achieving departmental goals. <br></p><p>For almost 10 years, I worked on a university campus, and nearly every day I would walk on the sidewalks with the students we were educating. 
For another 15 years, I worked at two of our academic medical centers where I would walk the halls and see the patients we were serving. I came face to face with real stakeholders — the people who are counting on the organization — and that connection has always given me the drive to do all I can as an internal auditor to help my institutions succeed in their missions.<br></p><h2>#Service</h2><p>Service is purpose put into action. It is doing things to meet the goals expressed in mission statements, transitioning purpose from concept to reality. Consequently, it can be the hardest part of the #PurposeServiceImpact trilogy. Purpose identifies noble goals and impact represents the outcomes of actions completed to achieve those goals. Service is the link between the two; it is “walking the walk.” <br></p><p>It is often said that internal auditors should “know the business” to be as effective as possible, and there is no question it is important to establish credibility with clients. At one point in my work at a health institution, I became aware that a health-care administrator certification was valued by many of the hospital leaders, so I decided to prepare for and take the certification exam. It demonstrated to my colleagues that I knew and cared about our business, and was willing to “walk the walk” to make us successful.<br></p><p>Internal auditors certainly do not lack opportunities to serve. Almost daily, we encounter areas where unsurpassed service is required or expected. According to the stakeholders represented in The IIA’s 2017 North American Pulse of Internal Audit, we must embrace our role as educator and change agent; be brave enough, even in the face of professional or personal danger, to do the right thing; avoid viewing the world in black and white; develop strong relationships with stakeholders; build interpersonal skills; and continue to develop competencies. This list goes well beyond <em>what</em> we are expected to do. 
It outlines expectations for <em>how</em> we do it, as well. <br>It’s no wonder we sometimes feel like we are on a tightrope stretched across a gaping canyon. We know we must perfect our balancing act to face the risks and service expectations ahead — not only at work, but also at home, with friends, and in our outside activities.<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>#HigherEdFocus   </strong><br>In my position as chief audit executive (CAE), I support the Board of Regents and executive management at the expansive University of Texas System. The System has more than 120 internal auditors at its 14 academic and health science institutions, consisting of more than 220,000 students, 100,000 faculty and staff, and an operating budget of almost $18 billion. <br><br>My career-long focus in higher education started in graduate school at the University of South Florida where I was the student internal audit intern. After earning a Master of Accountancy, I spent time in public accounting before returning to the university to lead that same internal audit department for almost 10 years. In 1999, I moved to Texas and was the CAE at UT Medical Branch in Galveston and UT MD Anderson Cancer Center in Houston before arriving at UT System Administration in 2013. <br><br>I proudly admit to being a “career internal auditor.” I can probably count on one hand the times I’ve done what would be considered a “repeat” audit. Because our organizations continually change, so do our audits. There’s nothing routine, cyclical, or boring about what we do. </td></tr></tbody></table><p>It is in those optional activities where many of us find another way to serve: volunteering. I believe volunteering is one of the most powerful manifestations of service because there is nothing that makes us do it. We do it freely and willingly. <br></p><p>There are many reasons to volunteer. 
We want to get to know a community, gain leadership skills, feel needed, do our civic duty, learn something new, be challenged, do something different from what we do at work, make new friends, be part of a team, test ourselves, build our resume, give back, or feel good. <br></p><p>Volunteering helps us in our profession, as well. Well-rounded internal auditors recognize the benefits of understanding the enterprise end to end. To gain that understanding, we have to raise our heads up from our desks and see what is happening on a broader basis. We need to get out of our offices — and our comfort zones. Volunteering provides that opportunity.<br></p><p>Those who are new to volunteering can start small. My long history of volunteering with The IIA began with being a greeter at meetings. I did it to help my local chapter, but that was only part of the reason. I also wanted to help myself advance both personally and professionally. That position made it easy for me to expand my network. Small steps can lead to big destinations; I am a case in point.<br></p><p>Of course, sometimes our services are needed in positions that may not be our first choice. When that happens, we can take a longer-term view. Fortunately, we can usually learn from any situation and gain the satisfaction of contributing to the greater good. Hopefully, those less-than-perfect volunteer roles are the exception rather than the rule. Life is short. When you have the choice, choose to make a difference in things that matter to you.<br></p><h2>#Impact</h2><p>And now we arrive at impact — the destination of the journey, the reason we provided service, and the realization of our purpose. The best and most successful internal auditors I know understand that internal auditing is more than just a job; it is a sincere effort to improve the lot of others, whether organizations or individuals. But it is not an activity that provides immediate, easily seen impacts. 
We often have to examine the ripple effects our efforts leave behind. Take for example two statistics from The IIA’s​ Pulse report: In 2016, 29 percent of respondents reported an increase in internal audit staff, and 30 percent expected to add staff in 2017. This is a ripple effect of the impact of internal audit. Today’s cost-conscious boards and executives would not spend substantially more on risk, control, and governance processes unless they were realizing value. We are making an impact.<br></p><p>We have to choose where we will make an impact. Given our time, energies, and resources, we need to focus on areas that enable us to influence things that are important to us and that we will look back on with pride. <br></p><p>For me, it is always education. Being in the higher education system, a financial supporter of The IIA’s Internal Auditing Education Partnership program, and a regular speaker in professional and college programs, I am a believer in the value and importance of education. Several years ago, in the early days of data analytics, I had an audit manager who was particularly good at analytics, which we used to achieve real wins in audit engagements. But we had a vision for even greater impact. Because we worked in a university setting, we were regular guest speakers in the audit classes and we knew that students were not getting exposure to data analytics tools. So, we convinced audit faculty that the curriculum needed to include this important aspect of practical auditing, and we engaged a software provider to make its tool available for this academic purpose. Since then, other auditors, faculty, and vendors have done the same, truly impacting the preparation of students for the audit workplace.<br></p><h2>Putting It All Together  </h2><p>Our lives have a lot of distractions, but I have an easy way to keep our eyes on the goal of creating appropriate impact. 
Think of the process as an equation — a simple set of steps:</p><ol><li>   <em> If we understand the purpose of the organization or profession…</em></li><li><em>    And our own purpose within that group…</em></li><li><em>    And those purposes are aligned…</em></li><li><em>    And if we commit to providing excellent, competent, ethical service…</em></li><li><em>    We will have an impact. We will make a difference.</em></li></ol><p></p><p>The #PurposeServiceImpact hashtag has a specific use, one I hope will resonate with IIA members. It says I would like you to think about these three concepts, identify with them, unify around them, and connect them with your own thoughts or activities. Twitter has shown the world how powerful the hashtag can be as a means to rally people around specific goals. I would like to think we can do the same within The IIA.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>#FaithFamilyFlowers </strong> <br>Outside my professional life, I have three priorities that keep me grounded and rounded: faith, family, and flowers. Faith is the most important aspect of my life, providing the foundation for actions and decisions both personal and professional. It is also a constant footing for me as I assess my own purpose, service, and impact. Next comes family: I have two adult daughters and two granddaughters who are never far from my thoughts, even if a bit too far away physically for my liking. I rely on video technology to “see” them as much as possible.  <br><br>My family may, however, quip that they compete for my attention with another of my loves: my daylilies. As an internal auditor, I have not been afraid to dig deep and get my hands dirty, and the same goes for my garden. When I moved to Texas in 1999, a co-worker introduced me to daylilies. I started with 10 plants and grew to as many as 500 varieties in my yard at one time. 
In my new Austin garden, I’m down to only about 200 varieties. My passion goes beyond weekend gardening; I have won competitive flower shows, and my garden recently was designated by the American Hemerocallis Society as an official display garden. In addition, the garden was recently a stop on three different garden and pond tours. <br><br>I have a shirt that states, “Gardening… it’s cheaper than therapy.” While I admit that outdoor work is a source of therapy for me, I do not concede that it’s less expensive!</td></tr></tbody></table>J. Michael Peppers0
No More Excuseshttps://iaonline.theiia.org/2017/Pages/No-More-Excuses.aspxNo More Excuses<p>Recent surveys show a continuing gap between what executive management and board members expect, and what internal audit delivers. Audit professionals insist they want to close that gap. So, why isn't it happening?</p><p>People are not comfortable with change, often hiding their resistance under a veneer of excuses. If it weren't for one reason or another, they say, they could change. Internal audit is no different. Several excuses, from specific to more general, are evidence of a department that may not be willing to accept the risk of — and need for — change.</p><p>It takes too long to issue audit reports with corrective action. Sorry, no matter what you think, the audit is not complete until the client agrees on corrective action. You can say you issued the report, you can say you hit your milestones, and you can say the department is successful because departmental metrics are being met — but until agreement is reached with the client, nothing has happened. Find out why you have trouble establishing that agreement, find the root cause of the problem, and then solve it. Be an auditor.</p><p>We report to the audit committee; we don't need to report administratively to the CEO. Reasons for this one abound. For example, the CEO doesn't have time, internal audit has a better relationship with a different member of the C-suite, or the current relationship has no impact on the department's effectiveness. Unfortunately, without direct communication with the CEO, internal audit does not have access to the strategic information necessary to accomplish its objectives, is not considered an equal with others in executive management, and is fooling itself if it thinks it can become a trusted advisor. </p><p>We don't have time for [blank]. Fill in the blank with just about anything. 
We don't have time for training, for nonfinancial audits, for special requests, for anything out of the ordinary. To prove there is always time for something important, try reducing your audit schedule by one audit — just one audit. First, you may notice no one really misses it. More importantly, notice you now have time to accomplish that project you didn't have time for.</p><p>You don't understand, we just can't do that. Try explaining what it is we don't understand. In the process, you will realize that you are just making excuses. You can, indeed, do it. You just have to get past the fears — fear of your superiors, fear of lost security, and the fear of trying something new.</p><p>The primary impediment to progress is resistance to change. And internal auditors must recognize that their excuses are nothing more than a subterfuge that allows change avoidance. Just as internal audit refuses to accept clients' excuses, it must recognize and eliminate the excuses that keep the department from moving forward.</p><p>What excuses are you making that keep you from effecting real change? </p>Mike Jacka1
Many Ways to Learnhttps://iaonline.theiia.org/2017/Pages/Many-Ways-to-Learn.aspxMany Ways to Learn<p>A standard 40 hours of training annually was once considered sufficient for maintaining internal auditors' professional skills and knowledge. Today, 40 hours is not nearly enough to keep pace with ever-increasing stakeholder expectations and the host of emerging risks organizations confront. For these reasons, internal auditors face continual pressure to supplement their training with continuous learning and development. But with budget cuts and time constraints, it can be difficult to make the case for an increase in training resources when, historically, 40 hours per year was the norm.</p><p>So what is a dynamic and enthusiastic internal auditor to do with minimal or nonexistent resources and a significant desire to learn? Three no-cost options, while not a substitute for professional, more robust training, can help practitioners hone their skills and supplement formal instruction. </p><h3>Individual Learning and Development </h3><p><strong>What? </strong>Canvas Network — an assemblage of courses from universities and colleges worldwide. <br><strong>For Whom? </strong>The professional seeking coursework in a wide variety of subjects, ranging from Business Ethics for the Real World (from Santa Clara University) to Foundations of Evidence-based Practice in Healthcare (from The Ohio State University).<br><strong>Commitment? </strong>Canvas suggests two to three hours per week, per course. A course can last approximately 10 weeks. <br><strong>Format? </strong>Online; some courses are self-paced, while others are offered in a specified semester.<br><strong>Benefits? </strong>With a multitude of offerings, Canvas provides opportunities to explore new industries (e.g., pharmaceuticals, aviation) and gain technical expertise (e.g., collaborative knowledge services).  
</p><p>Having personally completed a Canvas course (Exploring the Student Affairs in Higher Education Profession, from Colorado State University), I can attest to the course's interesting and high-quality instruction, which consisted of weekly modules comprising lectures, reading, and videos. </p><h3>Collaborative Study</h3><p><strong>What? </strong>Discussion Group<br><strong>For Whom? </strong>The professional seeking thoughtful conversation about instructional media — such as TED Talks, podcasts, and books — with internal audit colleagues who seek a more informal learning environment.<br><strong>Commitment? </strong>Preferably, meetings should be held once per month — more often if participants are interested and available. A few hours of preparation would be required before meeting for participants to read, watch, or listen to materials.<br><strong>Format? </strong>Preferably in person, although discussions could occur online if participants are interested and available.<br><strong>Benefits? </strong>A discussion group can be designed exactly to participants' needs and interests. For those interested in a book club, internal audit (think the IIA Bookstore), career development, or business books could be the topic of discussion. For those who enjoy learning via speeches, a selection of TED Talks could spark conversation; or industry podcasts may be a better option — especially for participants with lengthy commutes.</p><h3>Rotating Technology Instruction</h3><p><strong>What? </strong>Training Team — a collaborative team consisting of participants who train each other on topics of interest, particularly well-suited for technology training. Teaching and learning technology can be more effective when it is both hands-on and interactive; a training team accomplishes both as it encompasses live instruction and encourages ongoing dialogue about technology. 
Unlike other topics, technology is constantly evolving — training teams are designed to help keep pace with these changes and promote strengths among those teaching and learning.<br><strong> </strong><strong>For Whom? </strong>The professional seeking brief yet personalized instruction with internal audit colleagues about emerging and current technologies.<br><strong> Commitment? </strong>Preferably, meetings should be held once per month — more often if participants are interested and available. For those offering instruction during the meetings, preparation could take upward of eight to 10 hours.<br> <strong>Format? </strong>Preferably in-person, although demonstrations could occur online if participants are interested and available.<br><strong> </strong><strong>Benefits? </strong>A training team can be designed exactly to participants' needs and interests. Group members can compile a list of technologies, programs, and systems that they would like to learn about or teach (e.g., Instagram, Google Analytics tools, and programming in R). They would then agree on who will teach each topic and set up a learning schedule. For those who enjoy technology, or recognize that their skill level could be improved,<strong> </strong>this format offers a flexible and unique way to share an interest or passion, as well as gain new ideas and information. </p><h3>Lifelong Learning</h3><p>These three learning platforms offer a variety of ways to keep pace with the speed of internal audit and the risks organizations face, supplementing more traditional, equally important internal audit learning methods such as conferences and seminars. Many more such resources are available online and via in-person collaboration with peers. The IIA, for example, offers free webinars to IIA members on a regular basis and opportunities to collaborate face-to-face through local chapters and institutes. 
</p><p>How a practitioner chooses to proceed depends on his or her goals (e.g., focusing on technical skills, improving public speaking) and schedule. By prioritizing continuous learning; setting a realistic, individualized, and intentional plan; and executing that plan, every internal audit professional can grow, develop, and even have fun along the lifelong learning journey.</p>Christine Hogan Hayes0
Key Stakeholder Surveyshttps://iaonline.theiia.org/2017/Pages/Key-Stakeholder-Surveys.aspxKey Stakeholder Surveys<p>​Requirements for a quality assurance and improvement program (QAIP) are outlined in IIA Standard 1300. An integral part of any QAIP should be to help ensure an internal audit department is addressing expectations through the use of surveys. However, audit departments often limit the use of surveys to management in the area in which assurance or advisory activities are performed and miss an opportunity to obtain feedback from other key stakeholders, including the audit committee and executive management.</p><h2>Management Surveys</h2><p>Audit departments should have a process to survey management at the conclusion of assurance or advisory activities to help identify opportunities for improvement. Questions should be objective and geared toward adherence to the <em>International Standards for the Professional Practice of Internal Auditing</em> to help minimize subjective responses. In addition, rather than asking "yes" or "no" questions, respondents should be provided a scale ranging from "strongly agree" to "strongly disagree" or a number range such as 1 through 4. Including space to write comments to further elaborate on each of the ratings will provide greater insight into management's perspective.  </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>Assurance & Advisory Survey </strong></p><ul><li>The objective, scope, and timing of the assurance or advisory activity was clearly communicated. </li><li>The team clearly communicated ongoing status as well as evolving issues throughout the assurance or advisory work. 
</li><li>Appropriate areas of risk, including your specific concerns, were considered.</li><li>At the conclusion of planning, the audit team demonstrated an appropriate level of industry and technical knowledge.</li><li>The team demonstrated independence and objectivity in performing the assurance or advisory work.</li><li>The team demonstrated courtesy, professionalism, and a constructive and positive approach and was able to establish effective working relationships.</li><li>The disruption of activities was minimized as much as possible by the team.</li><li>The assurance or advisory work consumed the amount of your and your team's time that you anticipated at the beginning of the review or less.</li><li>Issues identified were constructive, accurate, mutually agreed upon, and communicated timely.</li><li>Recommendations were creative, reasonable, actionable, and addressed the root causes of problems.</li><li>The report was clear, accurate, and issued timely.</li><li>The assurance or advisory work resulted in an enhanced awareness of business risks and controls in my department. </li></ul></td></tr></tbody></table> <p>Just as action is expected by audit clients when control concerns are noted from audits, the chief audit executive (CAE) should take action if the response from a survey question falls below established expectations. For example, any score that is less than 3 on a 4-point scale should result in a follow-up. The process may include contacting the respondent or head of the area to obtain further information and reiterate the department's commitment to quality. Action may involve updating a department manual as well as communicating existing or enhanced procedures to all auditors to help avoid shortcomings in the future.</p><p>In addition, survey results should be shared with the audit committee and executive management as part of a balanced scorecard to measure the department on the basis of cost, quality, and timeliness. 
Survey results can be an effective measurement of quality for the department and should be paired with other quality metrics. </p><p>Despite efforts to create objective questions, it is often difficult to avoid correlation between the audit opinion rating and the survey results. It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the <em>Standards</em>. Management is human and may use the survey as an opportunity to praise or criticize the audit team, regardless of how the team actually performed. </p><h2>Key Stakeholder Surveys </h2><p>Managers over the areas where assurance or advisory activities are being provided are not the most important customer of the audit. First and foremost, internal audit serves the needs of the audit committee, followed closely by executive management. To ensure it's meeting key stakeholder needs, the department should have a mechanism in place such as a "Key Stakeholder Survey" (see below). </p><p>By surveying key stakeholders, the audit department can assess whether it is addressing Standards 2010: Planning, 2110: Governance, 2120: Risk Management, and 2420: Quality of Communications. The audit committee and executive management are in the best position to provide insight into the effectiveness of the department in addressing these standards as they consider the overall audit plan and results communicated throughout the year. While survey questions related to these standards can be asked of management over each audit area, key stakeholders see the broader value audits bring to the organization as a whole.</p><p>Using another department such as Communications or a third party and making the survey anonymous will improve the chances that key stakeholders will be more candid. Survey results should be shared with the audit committee, executive management, and external audit. 
Scores that are less than desirable, or comments that may indicate improvement opportunities, should be discussed along with action plans. These plans should be tracked with progress reported periodically to the audit committee and executive management.</p><h2>Create a Repeatable Process</h2><p>Performing key stakeholder surveys regularly, ideally annually, helps the CAE more quickly identify areas of concern rather than waiting for them to surface as part of an external quality assessment review or, worse yet, from complaints that may go to the audit committee regarding the department. </p><p>While many management surveys are performed at the conclusion of each assurance or advisory activity, these surveys may not provide feedback from the most important group of customers. Departments should create a repeatable process to survey the audit committee, executive management, and external audit and incorporate this into their QAIP. </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong><br>Key Stakeholder Survey<br><br></strong>Statements should be ranked and opportunity for comment provided.<br> <ul><li>Internal audit is independent and objective in performing its work. </li><li>Internal audit possesses the knowledge and skills, such as insurance industry knowledge and technology skills, needed to perform its responsibilities.</li><li>Internal audit understands company business operations and strategy.</li><li>The audit plan is risk-based.</li><li>I receive adequate updates on the progress of achieving the audit plan.</li><li>Internal audit evaluates risk exposures and the adequacy and effectiveness of related controls regarding: </li><ul><li>Achievement of strategic objectives. </li><li>Reliability and integrity of financial and operational information. 
</li><li>Effectiveness and efficiency of operations and programs.</li><li>Compliance with laws, regulations, policies, procedures, and contracts.</li><li>Safeguarding of assets.</li></ul></ul><ul><li>Internal audit adequately assesses and provides appropriate recommendations for helping improve the governance process at the organization, including: </li><ul><li>Promoting appropriate ethics and values within the organization. </li><li>Ensuring effective organizational performance management and accountability. </li><li>Communicating risk and control information to appropriate areas of the organization.</li><li>Coordinating the activities of and communicating information among the board, external auditors, and management.</li></ul></ul><ul><li>Internal audit reports and communications are clear, accurate, and issued timely.</li><li>The conclusions reached in audit reports and the opinions rendered are appropriate.</li><li>Internal audit shares information and coordinates activities with other internal and external providers of assurance and advisory activities to ensure adequate coverage and minimize any duplication of efforts.</li></ul></td></tr></tbody></table>Seth Davis1
The Dynamics of Interpersonal Behaviorhttps://iaonline.theiia.org/2017/Pages/The-Dynamics-of-Interpersonal-Behavior.aspxThe Dynamics of Interpersonal Behavior<p>​Often described as a soft skill, building strong interpersonal relationships between internal auditors and their wide variety of stakeholders is vital for a function’s success. Audit work entails listening, understanding, questioning, explaining, and, sometimes, dealing with sensitive information or challenging people’s cherished beliefs. Yet, internal auditors seem to focus their training and continuing education on developing and improving an array of formidable technical skills, seldom paying the same level of attention to sharpening their relationship skills. </p><p>Many auditors seem to expect verbal and written communication techniques, active listening and body language traits, and conflict-resolution skills to develop of their own accord — an approach they would never take in building their technical auditing abilities. This occurs even though effectively gathering information from a wide array of sources is germane to the role, and communicating audit findings forms part of the function’s requirements under The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>. An audit department that fails to listen and communicate is unlikely to best serve the needs of its stakeholders. </p><p>One symptom of a lack of rapport can be seen where audit functions fail to deliver their findings in ways that stakeholders find useful. That suggests and entrenches a lack of understanding about the role of audit and what it can deliver. Agile departments tend to be more in tune with management and the board. They adopt a range of communication formats that better suit the needs of stakeholders, especially in areas such as strategy and emerging risk, where full-blown audit reports may not be as timely or relevant. 
</p><h2>Soft Is Hard </h2><p>When it comes to understanding the full range of people skills that need to be developed, part of the challenge for anyone in business — not just auditors — is that the terminology is not widely agreed to, says Manny Rosenfeld, senior vice president of internal audit at MoneyGram International in Dallas. Soft skills can be hard to define precisely, but are usually taken to include verbal and written communications, presentation skills, conflict-management skills, leadership, team building, and an ability to assess corporate culture. </p><p>In addition to being critical business skills, the ability to form and maintain effective interpersonal relationships is a life skill that some people seem naturally better at than others, says Rosenfeld, who co-authored <em>People-Centric Skills: Interpersonal and Communication Skills for Auditors and Business Professionals</em> (Wiley). “Technical skills are easy to teach, but if you are really interested in developing good people-centric skills, it can take a lifetime to master,” he says. </p><p>That is no reason for complacency. While Rosenfeld is skeptical that everyone can be taught full proficiency in certain areas of interpersonal relationships — such as effectively managing teams — all auditors should seek to make progress in the basics. He says there is tremendous potential for developing these skills over time, especially for somebody motivated to succeed. He prefers to talk about interpersonal relationships, because auditors can too often focus on higher-level soft skills — such as report writing and making presentations — while overlooking some of the more fundamental aspects of dealing effectively with people.</p><p>“Building trust is absolutely essential in creating successful interpersonal relationships,” Rosenfeld says. 
“Most people can cultivate trust over time, but auditors need to do it in a few days if they are to conduct a suitable audit.” </p><p>This lack of time makes it imperative that auditors become consciously aware that they are trying to build trust. Keeping promises on deadlines, actively listening to feedback, and delivering on audit’s stated goals all help. Trust can be further augmented by showing respect for the opinions of others, he says. That can be difficult because the culture of the audit team or the business may not always be one of openness and mutual respect. He says auditors need to have an open mind and assume that management is trying to do a good job and that differences of opinion between auditor and client can arise simply because they are approaching the same facts from different perspectives. </p><p>The most junior auditors need to start learning these techniques from day one. “These skills often receive little attention until auditors become managers,” Rosenfeld says. “But chief audit executives [CAEs] should turbocharge learning for the team in this area because it’s not something people can learn overnight and it is crucial to success.”</p><h2>It's All About Strategy</h2><p>Jim Pelletier, The IIA’s vice president of Professional and Stakeholder Relations, agrees that building effective relationships with audit clients in the business should not be left to chance. “While auditors will have a strategy that will look at how we will use our expertise to deliver an effective audit, we don’t often plan our communications in the same way,” he says. “Why not?”</p><p>The group dynamics at work during an audit make this type of planning crucial. Management often views the audit team as a group of outsiders coming to find fault and criticize its work. That can make them overly defensive. 
In dealing with the arrival of this “outside group” of auditors, the inside group in the business will tend to exaggerate the differences between themselves and the auditors.</p><p>“It’s like the situation among sports fans,” Pelletier explains. “In our minds, we ‘dehumanize’ the other team, the players, and their fans, which allows us to rationalize using negative stereotypes, name calling, and insults.” While this is often playful among competing fans, Pelletier says, it can manifest in uglier ways in the office. By negatively labeling auditors as snitches or worse, individuals can then more easily rationalize treating auditors differently. “Many auditors have been lied to or purposefully given misleading or incomplete information,” he says. “This is not acceptable human behavior, but the rationalization brought out by the dynamics between in-groups and out-groups makes it feel okay.”</p><p>By labeling auditors as police, for example, the inside group is creating a distance that protects them from personal harm. Pelletier cites psychologist Thomas Szasz, who said: “Every act of conscious learning requires the willingness to suffer an injury to one’s self-esteem. That is why young children, before they are aware of their self-importance, learn so quickly.”</p><p>If this is correct, then auditors represent a threat to a client’s self-esteem. Pelletier argues that to overcome this obstacle, auditors need to put empathy at the center of their communications strategy. “We have to acknowledge that whatever people may say to the contrary, being audited feels personal to the client,” he says. “Instead of being in denial about this, we must recognize that is a natural, negative psychological reaction that derives from the very nature of our role.”</p><p>Displaying empathy entails making sure you can see things from the perspective of those on the receiving end of the audit — and demonstrate that you care and are truly there to help. 
“Making the audit feel more like a partnership will help defuse negative situations,” Pelletier says. “Those will still arise, but instead of reaching for the hammer every time, we should try the handshake.”</p><h2>Team Interaction Is Key</h2><p>Wendy Bedwell, assistant professor of psychology at the University of South Florida in Tampa, says good interpersonal skills are at the heart of creating effective audit teams. How well a team cooperates, handles conflict, and solves problems are all predicated on how well team members interact with one another, she says.</p><p>Bedwell says people who perform well generally actively listen to others, have good nonverbal skills — such as using the right body language in different situations — and develop an ability to be assertive without coming across as pushy or aggressive. While she says that how a person tends to interact with others is partially a character trait, she also says it is a skill that any auditor can develop. </p><p>It is an area in which CAEs can play a key role. The first step is to measure the interpersonal skills of each auditor. “There are several ways CAEs can measure interpersonal skills,” Bedwell says. “Just asking people how they see themselves and observing them when they are in everyday work situations is a great place to start.”</p><p>She says it is relatively easy to see who is not as competent a listener or talker on the team, and who has assertiveness issues or exhibits poor body language. With more senior staff members, she advises, observe how they handle conflict and solve problems that arise within the team. </p><p>“When observing staff members interacting, leaders absolutely cannot interrupt what is going on,” she says. “It’s natural to want to jump in, give advice, or sort out problems. But it will be much more useful in the long term to diagnose the issues and create a training program to address shortcomings.”</p><p>The CAE must create the right environment for positive change. 
“You are setting up expectations and creating a discussion on how to improve skills, so it is important to present it as a new initiative and as something vital to the success of the team,” Bedwell says. “You need to be clear that you do not expect everyone to be perfect, but like with any skill, practice can lead to improvements.”</p><p>While coaching can be effective, she says, people can also learn from their peers. Putting a good and poor communicator together can be useful. If there are people with excellent interpersonal skills, Bedwell says it may be worth making them champions and providing them with opportunities to demonstrate their skills. Role playing, practice, and feedback on areas of weakness can result in rapid improvement if the environment is supportive. “For this to really work, the CAE must create alignment between the development of interpersonal skills and the evaluation and reward systems in place,” she says. If those are correctly aligned, behaviors will continue to improve. If not, “that’s where most initiatives fail.”</p><h2>Learn to Listen</h2><p>“When CAEs are working to improve the communication skills of their team, they must remember that we don’t all communicate in the same way,” says Sarah Blackburn, vice chair and chair of the risk and assurance committee at NHS Digital in London, and past-president of the Chartered Institute of Internal Auditors. “We have to build something that is receptive and understanding of the way people prefer to contribute.” For example, she says, some people prefer to listen and digest information during a meeting, so the CAE needs to find different mechanisms — email or social media platforms — where team members can make their contributions in a way that suits them best.</p><p>She also says the CAE must set the tone and provide a model for the behavior he or she wants to promote by becoming as good at listening and communicating as possible. 
That involves reaching out to the business to ask for feedback on both his or her personal performance and on how well the team is doing.</p><p>“As an audit committee chair, I get a lot of feedback from management on audit work,” she says. Common complaints include auditors not listening, acting like the police, not taking the time to understand the business’ challenges, and writing reports about the audit process rather than focusing on what is valuable to management.</p><p>“A good CAE will take the opportunity to listen to the audit committee chair, management, and the external auditors,” she says. That kind of listening will pay massive dividends to the audit team’s ability to serve stakeholders well and communicate valuable insight to the top team, she adds.</p><h2>Welcome Feedback</h2><p>“A good indicator of the effectiveness of an audit function and its leadership is how good they are at getting feedback on their performance and having mechanisms in place to act on the results,” says Richard Gossage, managing director at the coaching and communications consultancy Copper Bottom Enterprises in Amersham, U.K. “CAEs should have networks of people such as the audit committee chair, the lead partner of the external audit firm, and others, who they recognize as giving accurate and objective feedback and be rotating around that group regularly.”</p><p>In accordance with the <em>Standards</em>, an external quality survey would provide good information on how internal audit’s communication is perceived.</p><p>Because the audit report is the function’s judgment on a particular issue communicated to management or the board, feedback on how well the information was gathered and the results communicated should be standard, he says. 
Quite often, good audit work and analysis can be ruined at the last moment by poorly written reports that fail to convey the relevance of audit findings to the intended audience.</p><p>“The fundamental cause of a lot of poor audit reporting is that the audit team can no longer see the forest for the trees,” Gossage says. “The report becomes a justification of the work that’s been done and the knowledge of the auditors, which is the symptom of a failure to understand your audience. Auditors fail to realize that the report is part of the ongoing dialogue with their audience.”</p><p>Gossage advises auditors to learn to see their reports as enabling tools for the business — not ends in themselves. That can require a shift in mindset and a willingness to try different types of communication. Being clear about the purpose of each communication and having a firm grasp of stakeholder expectations will make planning and delivering it much more effective, he says. </p><h2>An Empowering Exercise<br></h2><p>Developing sound interpersonal relationships is a difficult but crucial task for internal auditors. It can make the difference between effective and ineffective audits and audit teams. That is not something that should be left to chance — even though it often is. Building trust, demonstrating empathy, listening, seeking feedback within the team and among stakeholders, and acting to improve shortcomings are all important steps along the way. It may not be easy, but, as Gossage says, “it is a surprisingly empowering process.” </p><p> <br> </p>Arthur Piper1


 

 
