Professionalism Above All Else Above All Else<p>​Recently, I’ve been talking to anyone who will listen about the role of internal audit policies, procedures, and standards, and how they impact the success of both the profession and individual departments. Although I believe all such guidance is fundamental to audit effectiveness, I contend that the foundation for our success is really composed of three basic rules — by focusing on them, all other policies, procedures, and standards become even more effective.<br></p><p>The first rule comes from the Hippocratic oath: “Do no harm.” The second is taken from the Nordstrom Employee Handbook’s single instruction: “Use your good judgment in all situations.” And the third is one that I just felt needed to be added: “Do all of this with your brain somewhere nearby.” Together, these rules cover the areas of ethics, critical thinking, and common sense. I think they embody much of what internal audit strives to achieve in its strategies, in its planning, and in its day-to-day activities.<br></p><p>Recently, while I was discussing these concepts with a colleague, he argued that they would only work if our stakeholders followed the same principles. He seemed to be inferring that we should only treat others with the fullest of respect when we are similarly respected. I cannot disagree more.<br></p><p>I have a recurring conversation with my kids where I ask why he or she (I have one of each) is behaving a certain way toward the other. Generally, each one tells me that the other treats him or her in a similar fashion. I try to explain that, if either were willing to behave differently, the other might respond in kind. I am trying my best to send a message: Model the positive action that is desired, not the negative action of others.<br></p><p>In response, I get a look that every dad in the world knows — the “don’t be so stupid” look. (At this point I am loathe to point out that my kids are 28 and 30 years old. Sigh.)<br></p><p>It is not internal audit’s responsibility to model the specific behaviors of its stakeholders; it is internal audit’s responsibility to exemplify professionalism in all it does. We have to approach our work with the intent of doing no harm. We have to use good judgment, rather than follow meaningless rules and procedures, in all we do. And we have to use common sense at all times. <br></p><p>Internal auditors must set higher standards of behavior, rather than fall into the trap of lowering ourselves by practicing the poor behaviors of others. We have to act as professionals, no matter how unprofessionally we may be treated. <br> </p><p>I have yet to see a situation where being a professional, even in the face of the most unprofessional behavior by the highest levels in the organization, did not work to the benefit of the department and of the organization as a whole. <br></p>Mike Jacka1
Materiality Defined Defined<p>​Because the term <em>materiality</em> arose within the context of financial reporting and statement assurance, internal auditors have been challenged in adapting or creating a definition that is relevant for themselves and their stakeholders. In the context of financial reporting, materiality is relevant to three stakeholder groups: 1) preparers of financial statements, 2) auditors, and 3) users of financial statements. Although materiality decisions are made by only two of these three groups — preparers and auditors — most internal auditors’ conception of materiality likely has a user orientation. The auditor might ask, “How would a reasonably prudent investor react to the magnitude of misstatement (under- or over-reported amounts) or omission of a specific financial statement item in terms of its presentation and disclosure?”<br></p><p>Given this backdrop, the term <em>materiality</em>  can be a significant cause of confusion in determining what to audit, how much to audit, what to correspondingly report, and for what matters it is necessary to gain consensus regarding management action. In many situations, stakeholders come to the table with their own concept of materiality — sometimes vaguely defined — that can be at odds with internal audit’s definition. Sometimes managers attempt to mitigate or downplay an issue and internal audit’s proposed recommendation because it reflects poorly on their performance in their respective areas of responsibility. In such instances, supposed lack of materiality can be used as the basis for an argument to convince internal audit that the issue under discussion has no real merit.<br></p><p>If internal auditors are not well-prepared to articulate and defend what they believe to be the relevant concept of materiality, the discussion of audit issues can easily become contentious or seriously impaired. It is therefore imperative that internal auditors fully understand the meaning and contexts of the term <em>materiality</em> so they are prepared to use it authoritatively and appropriately.<br></p><h2>The Old Rule of Thumb</h2><p>Historically, many stakeholders, and even many internal auditors who began their careers as certified public accountants or chartered accountants, were introduced to the materiality concept from a financial reporting and external audit standpoint. Here, the term referred to the significance of an item to the users of a set of financial statements, and the probability that its omission or misstatement would influence or change a decision by them. Although professional standards never defined the threshold for materiality as a fixed percentage of revenue, equity, or other financial statement value, and it is clear that qualitative factors play an equally important role as quantitative considerations, a widely used rule of thumb was that materiality was reached when a misstatement or omission was at least 5 percent of a given factor — such as net income or net assets. Accordingly, anything less than 5 percent often was considered immaterial for audit scoping or adjustment proposal purposes.<br></p><p>In 1999, the U.S. Securities and Exchange Commission’s (SEC’s) Staff Accounting Bulletin 99 (SAB 99)rejected the blanket concept that a misstatement or omission of less that 5 percent of a given factor is immaterial. The SEC had no objection to the rule of thumb as a starting point in assessing materiality, but quantifying in percentage terms the magnitude of a financial reporting misstatement was only the beginning of an analysis of materiality. <br>SAB 99 requires that a determination of materiality for financial reporting consider the quantitative and qualitative aspects of the matter under analysis as part of a full examination of all relevant considerations. Qualitative factors to consider in the materiality evaluation for financial reporting may include reaching budget or other projections, triggering or increasing executive compensation, masking a change in financial results or other trends, and achieving compliance with debt and other covenants. Combining quantitative and qualitative factors can make the materiality determination much more complex. The result of the SEC’s pronouncement was to make the old rule of thumb outdated even for financial reporting.<br></p><p>Before the U.S. Sarbanes-Oxley Act of 2002, materiality also was used in identifying serious weakness in internal control over the financial reporting <br>process. The American Institute of Certified Public Accountants defined material weakness as a condition where the internal control components do not reduce to a relatively low level the risk that:<br></p><ul><li>Misstatements caused by errors or fraud in amounts that could be material in relation to the financial statements may occur. </li><li>Misstatements are not detected timely by employees in the normal course of performing their assigned functions. </li></ul><p></p><p><span id="DeltaPlaceHolderMain"><span><img src="/2017/PublishingImages/Fabrizius%20Categories%20of%20Financial%20Reporting%20Control%20Weakness.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:306px;" /></span></span>In an attempt to establish more consistent and clearer guidance for Section 404 of Sarbanes-Oxley, the U.S. Public Company Accounting Oversight Board (PCAOB) defined a material weakness differently, and effectively developed three categories of financial reporting controls weaknesses (see “Categories of Financial Reporting Controls Weakness” at right). Under PCAOB Auditing Standard (AS) 5 (now codified as AS 2201), “The severity of a deficiency depends on: <br></p><ul><li>Whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement of an account balance or disclosure. </li><li>The magnitude of the potential misstatement resulting from the deficiency or deficiencies.”</li></ul><p>Consistent with the SEC’s approach, the PCAOB in its standards avoids suggesting quantitative guidelines. The PCAOB says that materiality should not be based on a numerical formula because the facts and circumstances need to be professionally evaluated and considered for each situation.<br>Not surprisingly, when performing their Sarbanes-Oxley Section 404 assessments, many organizations find it difficult to differentiate between significant control deficiencies and material weaknesses. The organizations and their external auditors often still resort to quantifiable measures of specific impact to the financial statement to help establish a distinction. <br></p><h2>Internal Auditing and Materiality</h2><p>Unfortunately, quantifiable rules for materiality continue to be applied even to situations other than the fairness of the financial statements. However, for internal auditors the argument against using any materiality rule of thumb is amplified by the inherent and substantial differences between the roles of internal auditors and external auditors. In summary, very different assurances are provided by these different services. Internal auditors review and test controls at a significantly lower level of materiality than do external auditors, and routinely review a much broader range of risks than those for financial reporting. External audits are designed to report on historical data, whereas internal audits are generally focused on the efficiency, effectiveness, and compliance of current and future operations (see “Internal Audit Compared to External Audit” below right).<span id="DeltaPlaceHolderMain"><span></span></span></p><h2>Dealing With the Issue</h2><p><span id="DeltaPlaceHolderMain"><span><span id="DeltaPlaceHolderMain"><span><img src="/2017/PublishingImages/Fabrizius%20Internal%20Audit%20Compared%20to%20External%20Audit.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:289px;" /></span></span></span></span>Internal auditors need means of measuring, assessing, or judging the performance of a broad swath of matters that are subject to audit. In the most general sense, the standards used for this purpose are referred to as audit criteria. Audit criteria are reasonable and attainable standards of performance and control against which compliance, the adequacy of systems and practices, and the efficiency and cost-effectiveness of staffing activities can be evaluated and assessed. To be realistic and useful, these criteria must be relevant, reliable, neutral, understandable, and complete. The aggregate of the internal auditor’s findings measured against the criteria, along with the exercise of professional judgment, permits the audit team to form a justifiable and defensible conclusion about each audit objective. An important threshold factor is the concept of materiality. <br></p><p>At times, internal auditors may be inclined to avoid dealing with complex concepts of materiality and significance. They may be tempted to throw up their hands and let someone else — senior management or the audit committee — make the call on the importance of identified issues and the need for corrective action. In this scenario, all issues would be delivered in an unfiltered and unprioritized fashion, with internal audit merely performing the role of information gatherer and reporter. <br></p><p>Many reasons exist as to why this approach would represent a sort of professional malpractice, and would likely lead to dissatisfaction with internal audit’s performance by its key stakeholders.<br></p><p>While internal auditors may frequently be confronted with issues that defy simple categorization and prioritization, they need to recognize their responsibility to provide an assessment of significance. Internal auditors are the experts on internal controls and that, by necessity, includes determining the impact that the quality of controls has on their organization’s activities. <br></p><p>The <em>International Standards for the Professional Practice of Internal Auditing</em> require internal auditors to add value and help improve the organization’s operations. They shortchange the value proposition if they do not demonstrate how their work product can directly meet these requirements. By sorting through the information they have gathered in their internal audit assignments, which necessitates the explication of internal auditors’ materiality judgments, they can move forward with the important and leave behind the unimportant. <br></p><p>Granted, this is not always an easy task. There is no mechanical application of a framework that will provide simple, indisputable answers. Because of the need to apply professional judgment and to consider and weigh many factors, different individuals evaluating similar facts and circumstances may reach different conclusions in certain situations. When this happens, internal auditors have to deal with the gray areas of the issue.<br></p><p>The <em>Standards</em> allow internal auditors to permit senior management to accept a level of residual risk, if they do not believe it is unacceptable to the organization. However, as stated in Standard 2600: Communicating the Acceptance of Risks, if internal auditors believe it is “unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.” <br></p><p>Any other difficult issues may also require further attention to move them to consensus. This could involve the engagement of specialists, internally or externally, who provide subject matter expertise. Also, these very limited, infrequent, and contentious issues could be just the ones that are significant enough that involvement by senior management or the audit committee may be needed to reach resolution.<br></p><p>Issues that advance to this level should meet criteria that are established and understood in advance by internal audit, senior management, and the audit committee with an agreed-upon reporting protocol. Stakeholders typically express interest in categories of topics and issues, such as fraud and significant regulatory noncompliance, about which they want to be made aware and involved, regardless of materiality. To cover the other possibilities that require some assessment of importance, it is necessary to have a working definition of materiality for internal auditors and their stakeholders.<br></p><h2>Guidelines for Materiality</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Definition of Materiality for Internal Auditing</strong><br><br>Materiality for internal auditing was defined in a 1994 IIA research report, The Internal Auditor’s Role in Management Reporting on Internal Control, as “any condition that has caused, or is likely to cause, errors, omissions, fraud, or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.”<br><br>This definition is particularly relevant because of its general management perspective, not just a financial perspective. It also is risk based, enterprisewide, and action-oriented in dealing with risks. <br><br>While the revised and updated International Professional Practices Framework does not define the term <em>materiality</em>, the Glossary does contain the following definition for the term <em>significance</em>: “The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.”</td></tr></tbody></table><p>When evaluating the significance of the issues that audit work identifies, some guidelines can supplement the definition (see “Definition of Materiality for Internal Auditing” at right), help frame the evaluation, and determine significance. These guidelines help with the application of materiality in practice.<br><br><strong>Materiality for External Auditors May Not Be Relevant</strong> Do not base materiality for matters of operational efficiency and effectiveness, safeguarding assets, and compliance with laws and regulations on the materiality concepts and levels considered by the external auditors for purposes of the examination of the financial statements or the Sarbanes-Oxley Section 404 internal control assessment. Very different assurance is being provided.<br><br><strong>Incorporate Contextual Considerations</strong> Materiality should never be used as a sole or significant measure for prioritization and investigation in cases of suspected or illegal behavior or fraud. Put another way, zero tolerance or allowable error of zero should be established when considering illegal acts.<br><br><strong>Consider Qualitative Factors</strong> The qualitative dimensions of an issue may be more important than the quantitative aspects. Customer service, public perception, cycle time, quality outcomes, and employee morale are examples of important considerations that are resistant to quantification efforts.<br><br><strong>Context Matters</strong> Remember that not all quantifiable areas are the same. For example, the significance of errors and misstatements will be different for suspense accounts and related-party transactions because they involve greater risk than most other accounts or activities with similar balances.<br><br><strong>Is It Pervasive or Isolated?</strong> Understand the root cause of the issue. The fact that it has or can easily recur makes it more of a concern than an isolated, explainable, one-time matter. <br><br><strong>Improve Performance</strong> Lost opportunities to quantifiably enhance revenues and reduce and avoid costs, while not technically material or relevant to the current financial statements, can be materially important, and have a cumulative effect, in improving performance in future periods.<br></p><h2>Build a Foundation</h2><p>A foundation of dialogue with stakeholders can help internal auditors determine a mutually agreed upon framework based on quantitative and qualitative factors. Providing meaningful context to their reporting of issues can enhance internal auditors’ value to their organizations and assist stakeholders in establishing priorities, determining remediation, and escalating issues when necessary. <br></p>Michael P. Fabrizius1
Focus on the Three E's's.aspxFocus on the Three E's<p>​Although developed in and long associated with the public sector, the concept of value-for-money (VFM) auditing is finding increasing interest and application in the private sector. These organizations realize the true power and range of value VFM audits generate. Understanding this approach can help position internal auditors to exceed stakeholders’ expectations. For example, VFM audits can enable resources to be acquired at optimal cost without jeopardizing quality and performance, unearth inefficiencies, and identify ineffective operations. Along the way, it also can help identify irregularities or potential indicators of fraud — all culminating in business improvements. <br></p><p>VFM auditing is embodied in Standard 2100: Nature of Work, which states, “The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.”<br></p><p>Conforming to this standard requires a thorough understanding of the risks, governance structures, and control activities associated with improving business operations. This leads to assessing the acquisition of resources, evaluating business functions, and maximizing the achievement of goals — the very foundation of VFM audits. This foundation focuses on the three E’s: economy, efficiency, and effectiveness.<br></p><p>The VFM auditor asks: Are the right operations being performed to achieve the objectives of the unit (effectiveness) in the right way (efficiency) at an appropriate cost (economical use of resources or economy)? Answering such questions involves assessing an appropriate range of performance measurement criteria. For instance, if procurement is not acquiring goods and services at the right prices in the right amount and on schedule, then it is not effective because it is not achieving its goals. VFM audits can be applied to any business function such as finance, procurement, human resources, and marketing, as well as to any industry. <br></p><p>When performing a VFM audit, the auditor must possess a multitude of skills; be multidisciplined; let go of the financial statement audit mindset; be able to think outside of the box; ask challenging questions; be persistent and question the validity of information; and be able to work as a team player with subject matter experts, accountants, IT specialists, and management.<br></p><h2>The Foundation </h2><p>Economy alludes to the cost of resources (i.e., minimizing the cost of resources used for an activity without compromising quality). For example, if components “A” and “B” can equally be used and cost $20 and $30 each, respectively, to make product “C,” then purchasing the cheaper component “A” is the better option. Also, when copying a report for distribution, is the business unit using an expensive copying paper (70 cents/sheet) versus a cheaper (3 cents/sheet) paper to produce the same report? This review also could expose fraud if it is revealed there is collusion between the paper supplier and an employee to use more expensive paper. Do you send a report by mail, which incurs postage or courier costs, when it can be emailed at no cost? Other factors to consider when reviewing economy are determining that sound business practices are carried out, an optimal staff level is in place, excess resources are not on hand, and cheaper equipment is used where required. <br></p><p>Efficiency pertains to the methods of operations and include identifying slack, waste, redundancy, and duplication of effort; determining inappropriate use of operating procedures; identifying inefficient systems and procedures; and ensuring maximum outputs from inputs. The types of questions to ask during this aspect are:<br></p><ul><li>Is activity “A” necessary?</li><li>Can two machines be used instead of one?</li><li>Can activity “B” be completed in five minutes instead of 10?</li><li>Is activity “C” a duplicate of activity “A”?</li><li>Department “A” produces 120 widgets against a plan of 100 indicating 120 percent efficiency, but department “B’s” efficiency is 80 percent — producing 80 against a target of 100. Is this because of staff training issues or something else? </li></ul><p></p><p>Effectiveness measures the extent to which the objectives of an activity are achieved. It asks questions such as:<br></p><ul><li>Are the right operations being performed? </li><li>Are objectives achieved? </li><li>Are these achieved objectives having a positive impact?</li><li>What factors exist to inhibit the satisfactory performance of a unit in achieving its objectives? </li></ul><p><br>VFM audits add value to an organization in each of its three phases. Identifying and costing inefficient activities such as waste and duplication of effort, and validating that desired goals were achieved at minimal cost and with maximum efficiency, can have a dramatic and long-lasting impact on an organization.<br></p><h2>Key Benefits </h2><p>Understanding and carrying out a VFM audit can provide tremendous benefits to stakeholders in an organization by unearthing audit findings to aid management to discharge its mandate and allocate resources optimally. Within this context, a VFM audit: <br></p><ul><li>Focuses on organizational and management performance.</li><li>Facilitates and promotes improved strategic and operational decision-making.</li><li>Assists management by identifying and promoting better management practices.</li><li>Clarifies management responsibility and leads to better accountability.</li><li>Enhances efficiency in the acquisition of resources. </li><li>Allows assessments over the achievement of objectives.</li><li>Identifies performance gaps by comparing input resources and expected outcome as well as the actual outcome. </li></ul><p><br>Ultimately, VFM audit findings must stand on their own to add value to the organization.<br></p><h2>A Powerful Tool</h2><p>In any organization, there is an emphasis on getting maximum output from resources expended. An evaluation of all business functions is needed to ensure minimum- and lowest-cost resources are used without compromising the quality of output, inefficient activities are identified and eliminated, maximum outputs are obtained from minimal inputs, and objectives are realized to collectively achieve the greatest returns. VFM audits can be used to accomplish these tasks, unleashing significant benefits to the organization’s governance, risk management, and control environments. VFM auditors should be an integral part of the audit effort, as reflected in The IIA’s Core Principles for the Professional Practice of Internal Auditing’s emphasis on promoting organizational improvement. <br></p>Lal Balkaran1
Diversity and Inclusion in Today's Business's-Business.aspxDiversity and Inclusion in Today's Business<h3>​Why should CEOs and boards be concerned with diversity and inclusion? </h3><p><strong>WHITTLE</strong> Why wouldn’t they be concerned about diversity and inclusion? We have a diverse world and a diverse talent pool. Many studies have shown that diverse teams perform better, and for teams to be successful, they must have diversity of thought, not just visible diversity. If you’re a business owner or CEO, and you consider who your customers or clients are, you should recognize that they’re a very diverse population. Therefore, having diversity among leaders and among teams helps you better serve them as you can better tailor your products or solutions to meet their specific needs. Customers and clients also can look to companies and say, “Am I doing business with a company that respects diversity and inclusion, and that looks like me or my company?” <br><strong>TOWNSEN</strong> Inclusion and diversity are both critical talent and business issues. To be an employer of choice, and to have fully engaged employees, you need a genuinely inclusive culture. Feelings of exclusion lower productivity in employees and increase turnover. Inclusion can unlock the power of diverse teams, bringing different perspectives and helping to drive innovation. In addition, the demographics of our country have changed. To get the best, you need to be hiring the best. Stakeholders, customers, and clients also are demanding it. Customers are diverse and companies need the best thinking to help solve complex business challenges or identify new market opportunities.<br></p><h3>What should a diversity/inclusion program include? </h3><p><strong><img src="/2017/PublishingImages/Sue-Townsen.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />TOWNSEN</strong> Organizations should concentrate on three main areas to be successful. First is driving inclusion in a company’s culture. Inclusive behaviors should be developed in all leaders who, in turn, are accountable for demonstrating those behaviors. Second is to focus on key human resources processes, including talent acquisition, development, and performance management. Together with a strong diversity recruiting strategy, it’s important to mitigate any potential bias in these processes. Finally, organizations need vibrant, inclusive networks with defined objectives. This is where connectivity happens. People stay when they feel they belong. Networks can be designed to help drive development of diverse professionals, provide networking opportunities, and encourage retention. They provide safe places for groups to discuss challenges. Networks also can be instrumental in connecting with clients and the larger community. When all is said and done, a relentless focus on measurement and governance helps ensure that defined objectives are being met.<br><strong>WHITTLE</strong> Determining the pieces of a diversity and inclusion program will depend on where the organization is in its evolution of a diversity and inclusion strategy, what its culture and values are, how its approach to diversity aligns with that, and how it is going to measure its progress. At Grant Thornton, diversity and inclusion is an imperative, and it’s embedded in our culture. They are embedded in not only every aspect of the talent life cycle, but also in the client experience, as well as our involvement in the community. <br></p><h3>What if the organization doesn’t have a program?</h3><p><strong><img src="/2017/PublishingImages/Whittle_Sharon_R.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />WHITTLE</strong> First and foremost, if you don’t have a program you should be examining “why?” Start with your organization’s vision and values. Do your current vision and values support having a program? Or, do you need to rethink them? Vision and values drive culture, which forms the true foundation of the organization. Think about the potential impact of a program on your organization’s stakeholders.<br><strong>TOWNSEN</strong> It isn’t about a program, it is about whether it is a business imperative. If it is, companies must approach diversity and inclusion as a strategic priority and put appropriate resources behind it. There are many avenues to get support to develop an approach, but the first step is understanding and communicating the business case to the organization. <br></p><h3>What should be included in a diversity/inclusion audit?</h3><p><strong>TOWNSEN</strong> From an audit perspective, some of the key lenses include strategy and governance, regulatory, and process. A few considerations include: Is there a clearly defined diversity and inclusion strategy? Are the appropriate stakeholders involved and being held accountable? Are results measured? Another approach to consider is to audit talent processes to assess for unconscious bias. For example, organizations can look at performance ratings and promotion rates of diverse talent compared to nondiverse talent to uncover insights.<br><strong>WHITTLE</strong> Metrics that should be in an audit include recruiting, hiring, retention, promotion pattern, training and development, succession planning, mentoring and coaching, and leadership development. There are other issues that should be considered. Is there a communications plan for how executives and others will communicate with the rest of the organization? Is there a diversity statement? Are there measurable goals? Is leadership united and consistent in its level of program support? Audits should be conducted across multiple geographies and countries, business lines, and divisions to determine the level of consistency. Defining accountability also is important. Accountability for these programs should be defined in writing in job descriptions, performance evaluations, and promotional goals. Accountability can drive the experience so that stakeholders wake up every day and live it.<br></p><h3>How should internal audit approach diversity/inclusion within its own ranks?</h3><p><strong>WHITTLE</strong> In the same way diversity and inclusion is important for diverse teams, it’s equally important in internal audit. Some studies on brain science, particularly around gender, and how men and women approach problems differently, provide additional evidence for having diversity and a complete spectrum of skills for teams to be successful. The ability to have people on a team who think differently and are willing to challenge each other is vital. Internal audit is about asking the right questions and being skeptical and willing to challenge. It’s difficult to achieve that if you don’t have a diverse group of individuals working together who have very different ideas.<br><strong>TOWNSEN</strong> No differently — internal audit is just like any other function. There’s value in diversity and working together, particularly in harnessing unique perspectives to add value and find solutions.<br></p><h3>How does your company approach diversity/inclusion?</h3><p><strong>TOWNSEN</strong> We are proud of our inclusive culture at KPMG. For us, this means our people feel free to bring their full, authentic selves to work every day and share ideas and passions in ways that enrich our teams, spur innovation, and drive the firm’s success. Our commitment to inclusion and diversity influences everything we do, including the way we recruit, train, and develop our people. To continually strengthen our workforce and impact, we established several strategic priorities that include driving increased diversity, instilling inclusive leadership, and developing next-generation leaders at KPMG and beyond. At every level, our people take ownership for creating an inclusive culture — leading and inspiring our teams, enabled by a framework of national diversity advisory boards, local networks, and inclusion councils. Together, we help create an environment of dialogue and action, addressing the challenges and capturing opportunities that matter most to our firm, our clients, and our communities. <br><strong>WHITTLE</strong> We approach diversity and inclusion as part of our culture and a key part of who we are. We look not only at someone’s outward, or visible diversity, but also at someone’s diversity of thought, background, and experience. Those characteristics carry so much importance. Our strategy also includes measuring and assessing certain retention, advancement, and promotion statistics. We’ve also placed importance on education, skill building, and leadership as well as benefits and work-life flexibility. For us, it’s about employee engagement and being able to advance diverse groups within the organization. One example is being able to advance more women into leadership roles within our firm. <br></p>Staff1
Editor's Note: From Emerging to Outstanding's-Note-From-Emerging-to-Outstanding.aspxEditor's Note: From Emerging to Outstanding<p></p><p>For the fifth consecutive year, <em>Internal Auditor</em> is recognizing the rising leaders in the internal audit profession. The magazine’s Emerging Leaders program was created in 2013 to not only highlight outstanding young internal audit professionals, but also to bring forth the next generation’s voice within The IIA — a must-do as millennials are expected to comprise 50 percent of the workforce by 2020.</p><p>The program has been an overwhelming success. Since its debut, many of these leaders have gone on to contribute to the profession in a variety of ways. Their contributions enable The IIA to better determine what is important to the next generation and the tools they need to do their jobs, as well as share with previous generations the views and approaches of up-and-coming internal auditors. </p><p>Take, for example, Seth Peterson (<a href="">@swpete85</a>), one of our original Emerging Leaders. Seth was already a member of The IIA’s Chapter Relations Committee when he was named an Emerging Leader in 2013. By 2016, he sat on The IIA’s Audit Committee. Today, he is a member of The Institute’s Global Finance Committee and vice chair – finance of the North American Board. </p><p>Seth also serves as the North American Board liaison to The IIA’s Young Professionals Task Force. Among the priorities of this task force, which includes Emerging Leaders from 2015 and 2016, are contributing to articles and webinars, planning networking opportunities at IIA events, and providing insight to the North American Board related to attracting and serving young professionals.</p><p>Other Emerging Leaders are serving on IIA committees and participating in a variety of ways to advance the profession. Laura Soileau (<a href="">@laurasoileau</a>) was a member of the Publications Advisory Committee when she was named an Emerging Leader in 2014 and continues on the committee to this day. She also has been elected to the North American Board. Laura has served as a “Back to Basics” contributing editor, won an outstanding contributor award for an article she co-authored, and currently authors the blog, <a href="/blogs/soileau">“Solutions by Soileau.”</a></p><p>The Emerging Leaders’ continued participation in The IIA validates what we originally saw in them — their passion for, and willingness to give back to, the profession. We’re proud to present our <a href="/2017/Pages/On-the-Rise-2017.aspx">2017 Emerging Leaders</a>. The future of the profession is indeed bright with these forward-looking, motivated, impressive individuals poised to take it to the next level. </p><p>Speaking of forward-looking, be sure to check out’s newest blog, “Points of View by Pelletier.” Jim Pelletier (<a href="">@JimLPelletier</a>), The IIA’s vice president, Professional and Stakeholder Relations, guides readers through innovative technologies, practices, and thinking for today’s disruptive times.</p>Anne Millage0
On the Rise: 2017 the Rise: 2017<p>​The paradigm for young audit professionals is shifting rapidly. Continuing a trend established by each successive group of Emerging Leaders over the last few years, 2017’s class started their careers remarkably well-prepared and laser-focused on internal auditing. In fact, some began making career plans as early as high school; and some have returned to their alma mater post-graduation to help educate others on the profession. These practitioners aren’t nonaudit professionals who just happened to answer an internal audit want ad. Moreover, they’re what might be called “post-IT-literate.” In other words, they don’t see computer skills as a necessary asset for getting ahead at the office. Proficiency with data and software is assumed; it’s been an integral part of their entire lives. They think in terms of maximizing process improvement through data analytics and leveraging sophisticated IT in routine audit engagements. And this year’s crop embraces the role of trusted advisor. They’re ready to take a seat at the C-suite table, to advise the business on high-level risk assessment and mitigation, and to use their unique perspective to spot problems and opportunities that impact the success of the organization. These ambitious, talented practitioners are steeped in the profession, poised to take on new challenges, and ready to lead. </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​ <p>VIDEOS: <span>See what practitioners recognized by <em>Internal Auditor</em> as this year’s Emerging Leaders like best about internal auditing.</span></p><ul> <font color="black"> <li> <span class="ms-rteThemeForeColor-2-0"> <a href="/Pages/video.aspx?v=hzdjd1YzE6TRnU0rCaXMmN5tr0fAMwDq"><span class="ms-rteThemeForeColor-2-0">Emerging Leaders: What I Enjoy Most</span></a></span></li> <li> <font color="black"> <a href="/Pages/video.aspx?v=Axczd1YzE6hCIN8oTeNL8fhA3bPm2XFa"><span class="ms-rteThemeForeColor-2-0">Emerging Leaders: Essential Skills</span></a><br></font></li><font color="black"> <font color="black"> <li> <font color="black"> <span class="ms-rteThemeForeColor-2-0"><a href="/Pages/video.aspx?v=M0ajd1YzE6tavJ94cPTDLUsmCcw-E_k3"> <span class="ms-rteThemeForeColor-2-0">Emerging Leaders: Why I Became an Auditor</span></a></span></font></li> <font color="black"> </font></font></font></font></ul> <font color="black"> <font color="black"> <font color="black"> </font></font></font></td></tr></tbody></table><h2> <img src="/2017/PublishingImages/EL-Everet-Zicarelli.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Everet Zicarelli, CIA, CPA</h2><p> <strong> <em>27, Senior Internal Auditor<br>Sallie Mae Bank<br>Newark, Del.</em></strong></p><p>It’s time for internal auditors to get the credit they deserve, and Everet Zicarelli is doing what he can to accomplish that. In fact, the University of Delaware graduate says the profession should place more emphasis on marketing internal auditing as an exciting and rewarding career choice for college graduates. “I’d like to see the profession encourage schools to offer more courses and majors centered around internal auditing,” he says “so we can attract talented candidates straight out of college and grow that talent organically.” He says he hopes others will have a better awareness of the profession than he did after graduating and working in public accounting. “When I switched to internal audit, I didn’t really have a good understanding of the difference between external and internal auditing.” Now that he’s gotten up to speed on the latter, Zicarelli keeps his external audit skills sharp by leading Sallie Mae Bank’s direct assistance program for its external financial statement audit, notes Thomas Linton, the company’s vice president, Internal Audit. The team performs audit-related tasks on behalf of the external auditors, reducing the fees and “further demonstrating the competency of the internal audit function.” Zicarelli helps enhance that competency through his role with the department’s on-campus internship recruiting program — and, Linton points out, he’s been rewarded for his efforts by being tapped as the designated mentor for all internal audit interns. He adds that feedback from past and current interns highlights the role Zicarelli has played in ensuring a first-class internship experience. “My favorite part is their passion for learning,” Zicarelli says. “They want to learn it all and can’t wait to take on the next challenge. That’s extremely rewarding.” <br></p><p> <br> </p><h2 style="text-align:right;">Karen Tylinski, CFE<img src="/2017/PublishingImages/EL-Karen-Tylinski.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong> <em>29, Senior Auditor<br>Nielsen<br>Tampa, Fla.</em></strong></p><p>Karen Tylinski sees things differently — and she tries to help others do so, too. She started at her current company with a background in tax at a Big 4 international accounting firm, notes Kevin Alvero, senior vice president, Internal Audit, at Nielsen. Since coming on board, the University of South Florida graduate has shared audit techniques from the tax field “that have benefited us in the audience measurement industry,” he says. Tylinski’s efforts include researching new audit tools and helping automate previously manual audit procedures, and she’s leading a large internal audit engagement that could have a multimillion-dollar impact on the business. Alvero adds: “This is indicative of the level of comfort I have in her leadership skills.” Tylinski says experience helps her build confidence, which makes the job even more rewarding. She says she has a better understanding and awareness of how her work fits into the big picture, for the department and the company, which makes it more fulfilling. She says she hopes to spread the word, showing future practitioners how exciting internal auditing is. “Internal auditing keeps me on my toes, especially since no two projects are the same,” she says. “I would like to help people outside the profession understand how stimulating and rewarding it can be.”<br></p><p> <br> </p><h2> <img src="/2017/PublishingImages/EL-Kara-Goslin.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Kara Goslin, CIA, CPA</h2><p> <strong> <em>29, Senior Internal Auditor – EMEA <br>Deckers Outdoor Corp.<br>London</em></strong></p><p> Kara Goslin wants to make internal audit better on the inside — and from the outside. Sarah Eberhardt, chief audit executive at Deckers Outdoor Corp., recalls Goslin’s response to feedback about U.S. Sarbanes-Oxley Act of 2002 testing tools that were slow and not user friendly. The University of California at Santa Barbara graduate helped choose and develop a new tool, and was very involved in streamlining the internal testing process. She also successfully presented a business case to Eberhardt and the company’s chief financial officer for her current assignment to London, her home base for helping improve Sarbanes-Oxley testing in Europe, the Middle East, and Africa — and for networking globally within the company. She has also created training materials and conducted coaching sessions with local leadership. Moreover, Goslin wants to update internal auditors’ demographics, noting it is “a field that becomes much more male dominated the higher in management you rise.” She says the paradigm is shifting, but emphasizes that the profession still has a long way to go in terms of women’s visibility and progression. Indeed, Goslin sees internal audit departments tapping practitioners with more varied backgrounds moving forward. “A lot of departments have rotational programs,” she says. “That’s important in broadening our understanding and identifying where we should be focusing.” She adds that it could help change how outsiders see internal auditors. And while she’s amused by people who picture “a tight-laced numbers person trying to dig up dirt,” she stresses the importance of countering that false impression. Goslin looks forward to the day when nobody is surprised that a woman, musician, and craft beer aficionado is also an internal auditor.</p><p> <br> </p><h2 style="text-align:right;">Brian Salvador, CPA<img src="/2017/PublishingImages/EL-Brian-Salvador.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong> <em>29, </em></strong><strong><em>Senior Internal Auditor</em></strong><br><strong><em>Intellectual Ventures Management LLC </em></strong><br><strong><em>Bellevue, Wash.</em></strong></p><p>Brian Salvador likes to get things done — and if they don’t work correctly, he likes to fix them. He offered dozens of project performance improvement suggestions to his previous employers EY and Boeing, says Colette Pretorius, Salvador’s former boss at Boeing and now group finance manager at Microsoft. The Portland State University graduate once led a control assessment at a major sports promotion company with personnel scattered across three continents and led testing of Sarbanes-Oxley controls for two Fortune 500 companies. Notably, he also developed a risk control matrix repository — based on engagement and control types — to improve quality and consistency in workpaper documentation, saving one client more than 4,500 hours. “I noticed that auditors were always drafting audit programs from scratch,” Salvador says. The tool was well-received and now serves as a model to new auditors developing work programs. But there are bigger changes he’d also like to effect, moving the profession from “primarily providing process assurance to providing proactive consulting, helping the organization improve internal controls and underlying systems in a manner that positively impacts downstream activity.” He notes as well that technology-savvy and mature organizations will shift toward automation, requiring further proactive efforts from practitioners. “It’s important for internal auditors to understand the tools available to analyze data — and to educate their businesses on identifying risk areas and evaluating internal controls,” he says. Moreover, Salvador anticipates an increase in continuous monitoring, allowing organizations to perform effective trend analyses and better predict changes in their business environments. </p><h2> <br>​<img src="/2017/PublishingImages/EL-Drew-Williams.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Drew Williams, CIA, CPA, CFE</h2><p> <strong> <em>29, </em></strong><strong><em>Internal Audit Supervisor</em></strong><br><strong><em>Raytheon Co.</em></strong><br><strong><em>Dallas</em></strong></p><p>Adding value to an organization through internal audit engagements is not the same as using those engagements simply to save clients some money. That’s a lesson Drew Williams has learned already in less than two years in the profession. “I want to recalibrate how we define value,” he says. “When I hear the word, my mind automatically goes into thinking I need to find that inefficient process that will save the company millions.” In reality, he’s discovered, “value” could be as simple as identifying redundant processes, highlighting a manual process that could be automated, or escalating an issue to the appropriate audience. Those are areas the University of Texas at Dallas graduate excels in, notes Sarah Garcia, senior manager, Internal Audit, at Raytheon. “His partnerships throughout the business gain him continued support during audit engagements,” she says, “and encourage other audit customers to collaborate with us.” He builds and strengthens those relationships in part through regular social outreach, she adds. Williams also effectively wields perhaps the ultimate value-add weapon: data analytics. “I enjoy the challenge of understanding raw data sets and identifying key fields,” he says, “then strategically developing criteria to analyze the data to draw meaningful conclusions.” Artificial intelligence and robotic software will increasingly assist auditors in managing massive amounts of data, he adds. “Internal audit needs to master these tools. Having facts and data to support a risk assessment — or even to facilitate a conversation — makes life a lot easier throughout the engagement.” <br></p><p> <br> </p><h2 style="text-align:right;">Jordan Gross, CIA, CPA<img src="/2017/PublishingImages/EL-Jordan%20Gross.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong> <em>29,</em></strong><strong><em> Senior Auditor</em></strong><br><strong><em>Fossil Group Inc.</em></strong><br><strong><em>Richardson, Texas</em></strong></p><p> In the future according to Jordan Gross, internal auditors will help map out corporate strategy, while computers will track and manage glitches in the system. “The line between a ‘financial’ and an ‘IT’ auditor continues to blur,” the University of Florida graduate says. He calls on all practitioners to understand the basics of IT systems and governance and how both general and application-level controls work. Auditors of tomorrow will also need to be more adaptable, he says. “The job will evolve away from traditional methods of planning and auditing toward a more continuous audit approach,” Gross predicts, “where analytics tools identify and investigate exceptions in close to real time.” With just five years of internal audit experience behind him, Gross is already familiar with the big picture. He’s Fossil’s global Sarbanes-Oxley compliance project manager, says Priscilla Perry, senior internal auditor there, and was recently tasked with bringing a formerly out-of-scope region into the Sarbanes-Oxley testing fold. “[The process] required him to manage the rollout for multiple foreign entities, ensuring controls were mapped appropriately and guidance was provided to new testers and process owners,” she says. Perry also notes that Gross is the Fossil data analytics lead, and that he regularly uses innovative thinking to do more with less in an increasingly resource constrained business climate. “I’d like to see internal audit involved much earlier in big strategic projects that affect the business, like a system rollout or a reorganization,” Gross adds. “Our ability to emphasize controls when building new processes could greatly reduce the number of issues later.” <br></p><p> <br> </p><h2> <img src="/2017/PublishingImages/EL-Bill-Stahl.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Bill Stahl, CIA</h2><p> <strong> <em>28</em></strong><strong><em>, Manager, Advisory Services</em></strong><br><strong><em>EY</em></strong><br><strong><em>Atlanta</em></strong></p><p>Bill Stahl focuses on continually enhancing his skill set for an important reason. “In the future, internal auditors must be more broadly versed in the business and be able to leverage technology to detect and monitor risk,” the Georgia Southern University graduate says. He notes that operational, business, strategic, compliance, and technology risks will continue to join financial risk on practitioners’ radar. Moreover, he says, tomorrow’s internal auditors will be required to leverage technology to deliver on-demand results to management. When Stahl uses advanced audit techniques with clients, it often results in the C-suite “changing its approach and seeing the internal audit team as a trusted advisor,” notes Steve Jackson, senior manager at EY in Atlanta. Clients often request Stahl by name, a rarity; that may be due in part to his honest approach on engagements. Stahl leads global, multiyear projects with teams scattered around the world, and he relies on his network of internal audit professionals for guidance from time to time. “Internal auditors often are required to audit areas of the business they may not have experience with or be as well-versed in,” he points out. “When I have experienced this, I immediately tap my network for the experience or subject matter expertise I need to deliver an accurate and complete audit. From my perspective, having a strong network of leaders and peers you can rely on is critical to being a successful practitioner.” He leverages the network of colleagues at The IIA’s Atlanta Chapter to expand his areas of expertise, too. The challenge to master more than one competency and to push the limits of the collective internal audit skill set invigorates him more today than when he started in the profession, he says.<br></p><p> <br> </p><h2 style="text-align:right;">Alissa Irgang, AMIIA, GDLP<img src="/2017/PublishingImages/EL-Alissa-Irgang.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong> <em>29</em></strong><strong><em>, Senior Manager</em></strong><br><strong><em>Protiviti</em></strong><br><strong><em>Australian Capital Territory</em></strong></p><p>Alissa Irgang thinks big, and acts big. The Australian National University graduate has already served as national lead in Protiviti’s first global Project Management Office for a major project, reporting directly to the client executive in New York, notes Jenny Hollingworth, the firm’s corporate communications manager. She also notes Irgang’s achievement as an author: “Her thought leadership on corporate governance has been published in the Company and Securities Law Journal.” Moreover, she’s chair of IIA–Australia’s ACT Chapter Council, a post she used to create and launch the first IIA mentoring program in Australia, developing the charter and infrastructure and providing guidance for program participants. She’s since assisted other states in establishing and managing their own mentoring programs. “The hardest part was the start, because we’d never had anything like it before,” Irgang recalls. “Turning this idea in my head into a reality took a lot of time, research, and support.” She hopes the mentees learn that the profession is not just about following a defined audit process, stressing that internal auditors need to focus on purpose, not paperwork, and understand the value and objectives behind the audit. She also points out that the technology exists to power a new kind of internal audit practice, working broader, deeper, faster, and smarter. “Everything is changing, and the future is already here,” she adds. “To remain relevant, we need to evolve with it.”<br></p><p> <br> </p><h2> <img src="/2017/PublishingImages/EL-Anne-Davis.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Anne Davis, CIA</h2><p> <strong> <em>26</em></strong><strong><em>, Risk and Financial Advisory Senior Consultant</em></strong><br><strong><em>Deloitte & Touche LLP </em></strong><br><strong><em>Charlotte, N.C.</em></strong></p><p>A marketing internship as part of the Wake Forest University Business and Enterprise Management program showed Anne Davis that her interests in business were actually more aligned with accounting and finance and, eventually, internal auditing. Now, when she’s not traveling for client projects, “she continues to seek opportunities to return to her alma mater, to promote the benefits of a career in the profession,” says Paul Lindow, internal audit partner at Deloitte. Davis is also a career coach for Deloitte’s summer interns, helping them acclimate to the firm’s culture and to the professional services industry. Lindow credits her involvement with enabling a more positive experience for the interns — and with helping them build the foundational skills necessary for a career in internal auditing. The most rewarding aspect? Davis says she truly enjoys sharing her knowledge and perspective about a profession she respects and enjoys, and she’s convinced more than a few interns that internal auditing can be challenging, rewarding, and interesting. Indeed, Davis’ work focuses on financial services clients, providing her with experience in anti-money laundering efforts and in Dodd-Frank Act supervisory stress testing and Comprehensive Capital Analysis and Review, among other areas. “I’m also learning how to incorporate data analytics, robotics, and cognitive intelligence to execute audits in a more effective way,” she notes — streamlining processes and working with the first and second lines of defense to provide a value-driven outcome. That’s the kind of approach she says will help “propel the internal audit profession in the right direction and shift the sometimes negative perception of us as troubleshooters into one of trusted, independent partners.” </p><p> <br> </p><h2 style="text-align:right;">Matthew Suhovsky, CIA<img src="/2017/PublishingImages/EL-Matthew-Suhovsky.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong> <em>29, Financial Services Risk Manager</em></strong><br><strong><em>Crowe Horwath LLP</em></strong><br><strong><em>New York</em></strong> </p><p>For Matthew Suhovsky, relationships are key in internal audit. The California Lutheran University graduate says building them is critical to success in the profession. “This doesn’t happen immediately, but as trust is built and success has been achieved,” he says. Staying on the same engagements over time helps. “Clients don’t only know me as someone who works for Crowe, they know me as a person,” he adds. Suhovsky’s soft skills extend to co-workers, says Machelle Rinko, senior manager at Crowe. “He recruits and develops talented professionals,” she notes, “and builds a successful, dedicated, and motivated team.” He also mentors in the organization’s formal performance management program, and he seeks a more positive image of the profession. “Internal auditors are here to help mitigate risk and act as a partner and resource to businesses,” he stresses, “contrary to the perception of auditors aiming to get people in trouble.” He’s helping to change that perception through campus recruiting and speaking with students about the profession. He’s also looking to the future, and the changes it may bring to internal auditing. “Integrated audits allow business units to get a holistic view of their control environment,” he says. “Operational audits combined with technology audits can be a value-add to organizations, but they’ll require a complete transformation in the way we work.”</p><p> <br> </p><h2> <img src="/2017/PublishingImages/EL-Nora%20Zeid%20Kelani.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Nora Zeid Kelani, CIA</h2><p> <strong> <em>28, Group Internal Auditor</em></strong><br><strong><em>Trust Holding</em></strong><br><strong><em>Amman, Jordan</em></strong></p><p> Nora Zeid Kelani combines technical audit skills, an ability to see the big picture, and a sharp focus on bringing more women into the profession. “It is a given that in the Middle East, internal audit is a male-dominated career, especially when travel is involved,” she says. “Women are discouraged from working in this profession and are often looked at as less professional.” She recalls an audit report writing course with 40 attendees — 39 men and her. That took courage, says Shafiq Nino, group internal audit manager at Nest Investments (Holdings) Ltd., who also cites Kelani’s work with the company’s Group Audit Automation project, which entails finding innovative ways of leading teams from a dozen subsidiaries in multiple geographies from a remote location. Nino also lauds Kelani’s commitment to education and to women’s rights, noting the time the Hashemite University graduate “had a positive influence on a Jordanian woman in her 30s, helping her pursue a college education with support and tutoring.” Kelani says it’s a matter of effort. “The more the internal audit community puts into changing the inherited mindset of male dominancy, the more women will join us,” she emphasizes. The profession needs more young members, too, Kelani says, urging internal auditors to be more proactive by communicating with college and high school students, offering free introductory workshops and Q&A sessions. And while she thinks more and more internal audit functions are adopting forward-looking practices, she notes further progress is needed. “If we want to be a 360-degree business-focused profession and not just a finance-related profession, we need to start being one — now.” </p><p> <br> </p><h2 style="text-align:right;">Joshua Wood, CIA, CPA, CFE<img src="/2017/PublishingImages/EL-Joshua-Wood.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong> <em>28, Internal Auditor III</em></strong><br><strong><em>Calpine Corp.</em></strong><br><strong><em>Houston</em></strong></p><p> <br>Joshua Wood is an expert at data analytics. He leads training sessions for his audit department on analytics software and stays current by attending educational events. Rick Hamel, manager, Internal Audit, at Calpine Corp., notes that the Louisiana State University graduate has mastered creating and modifying ACL scripts “to perfect the query to deliver the correct results without numerous false positives.” Wood is learning how to transform and interpret data using other analytics software, too. “He understands that data analytics is a powerful tool in any audit,” Hamel says, noting that Wood has applied the technology to duplicate payments, payment cards, and payroll data. Wood’s contributions also include working with the company’s IT groups and business segments to extract data from the applications they use, and use of analytics to evaluate company time sheet compliance with state labor laws. He’s also a mentor to multiple interns on the job and is known for “solid planning, work management, and results,” Hamel notes. And while he’s firmly focused on current practice and technology, Wood also keeps an eye toward the future. “The availability and presentation of data is going to change internal audit,” he says. “Presenting analytical results through visualizations is our next frontier.” </p><p> <br> </p><h2> <img src="/2017/PublishingImages/EL-Tiana-Clewis.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Tiana Clewis, CIA, CPA, CFE</h2><p> <strong> <em>29, Founder and Coach</em></strong><br><strong><em>Selah Financial Coaching</em></strong><br><strong><em>Midlothian, Texas</em></strong></p><p> <br>It doesn’t have to say “Internal Auditor” on your business card for you to be an internal auditor. Tiana Clewis learned that as she recently transitioned from a senior staff auditor position with a large health system to a small business owner focused on financial coaching. Abosede Thompson, senior IT auditor at Baylor Scott & White Health, recalls that Clewis, in addition to volunteering at local IIA chapter meetings, often found innovative methods of addressing project-related challenges. Clewis, for example, took part in an 18-month project to streamline audit access to a third-party web application. The audit showed that too many former employees and contractors retained access to the app. But the audit process was so clunky that it could only be completed every couple of years, creating a significant IT security risk. Clewis was part of the team that undertook the complicated process of changing the app to single sign-on and designing a protocol that can shut down access within 48 hours. “It was a really long process,” she says, “but it significantly reduced the number of man-hours needed to audit user access.” Now the Howard University graduate — following six years in public accounting — shares her skills with nonpractitioners who need a leg up in their personal financial lives. “I have brought on some wonderful clients who have made great strides in a short time,” she reports. She’s also started taking on public speaking engagements and just wrote a book called <em>The Tool Called Money</em>. “I will always be an internal auditor,” she stresses. “It’s not a job; it really is part of who you are. If you’re always looking for ways to make things more compliant, more secure, and more efficient, you are an internal auditor at heart.” And while this mindset remains permanent, Clewis also points to the change and evolution of audit practice itself. Nobody just walks into a client’s office anymore with a list of check-the-box questions, she says. “It’s about digging into the process and procedures and stepping into the mind of the auditee.” </p><p> <br> </p><h2 style="text-align:right;">Jessica Minshew, CIA<span id="DeltaPlaceHolderMain"><img src="/2017/PublishingImages/EL-Jessica%20Minshew.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></span></h2><p style="text-align:right;"> <strong> <em>29, Internal Auditor</em></strong><br><strong><em>Finance Industry</em></strong><br><strong><em>Macon, Ga.</em></strong></p><p>The faculty at Georgia Southern University focused extensively on external audit when Jessica Minshew was a student there. “It was reluctant to even acknowledge the internal audit field,” she says. So The IIA’s Middle Georgia Chapter, under her leadership as president, recently launched a faculty certification sponsorship program that covers the cost of the Certified Internal Auditor (CIA) exam, and training, for a business or IT faculty member at a local college, turning the newly minted CIAs into campus internal audit advocates. Minshew says her goal is to reach all the colleges and universities in the chapter’s footprint. She’d also like to see greater diversity in the profession and bemoans the commonness of overly similar staff backgrounds and stagnant ideas about the role of internal audit. “Bringing people into the department with different backgrounds and specialties, such as psychology or human resources, and strategically using them,” she says, “can build relationships with human resources, IT, and other business units that manage sensitive data.” Diversity also facilitates designing and performing audits of new and emerging areas — corporate culture, social engineering, or internal communications, for example — that may dominate in the future and help stave off irrelevance. “I  believe the only way internal audit will outlive automation is to prove the value of nontraditional audits,” Minshew says.</p><p> <br> </p><h2> <img src="/2017/PublishingImages/EL-Alex-Rusate.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Alex Rusate, CCSA, CPA</h2><p> <strong> <em>26, Senior Auditor, Financial Controls</em></strong><br><strong><em>AMRI</em></strong><br><strong><em>Albany, N.Y.</em></strong></p><p>Alex Rusate started preparing for a career even before selecting a college, setting his sights on the accounting profession. On campus, an internal audit internship helped steer him toward his current line of work. But he knows that many students don’t have that kind of exposure, so he used his time at Bentley University to help teach young people financial literacy. He created a program that taught accounting and finance to high school students — and exposed them to a wide variety of career options. “I thought that was the most rewarding part of the program,” he says, “because I could see students with genuine interest in internal auditing and forensic accounting.” Anthony Curto, a senior associate at KPMG, who’s known Rusate for the better part of a decade, adds that Rusate now helps his alma mater pair students with alumni as academic and professional mentors. On the job, Rusate sees a high-tech future where practitioners “audit smarter by leveraging data analytics and computer-aided audit tools” — and use their detailed understanding of the organization’s operations to add value. He’ll be ready. Recent accomplishments include conducting an analysis of a former employer’s revenue recognition process and control structure and aiding in whistleblower hotline allegation investigations there, too. He also conducted a full regulatory review of a former employer’s compliance with the U.S. Telephone Consumer Protection Act.</p><p> <br> </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h2>​The Judges</h2> <br>This year’s Emerging Leaders judges see a group of young professionals who want to shake up the status quo, and who possess the background and skills to do so. These qualities should serve them well, as today’s practitioners face an audit environment where the status quo is crumbling, and where they’re increasingly called to advise on business priorities and emerging risks. To handle that responsibility and effectively partner with management, the judges note, the 2017 Emerging Leaders will have to stay on their toes, keeping informed on regulatory requirements, cybersecurity threats, industry-specific developments, reputational risks, and other key issues. Are they up to the challenge? The judges think so, and they should know. This year’s panel represents a variety of geographies, industries, and audit roles — and some are past Emerging Leaders honorees themselves.  <br><br><strong>Karen Brady, CIA, CRMA,</strong><em>corporate vice president of audit and chief compliance officer, Baptist Health South Florida; member, IIA North American and Global Boards of Directors</em><br>The “age of deregulation” will require tomorrow’s leaders to justify their department’s value. “This requires not only having the skills to become a valued business partner,” Brady says, “but also the finesse to demonstrate this value.” That, she adds, is going to make an already challenging profession even more so. But these young professionals have demonstrated strong multitasking skills. “The amount of time they dedicated to volunteerism, as well as their efforts in mentoring, was quite surprising considering the amount of time they dedicate to their full-time job,” she says.<br><br><strong>Kayla Flanders, CIA, CRMA,</strong><em>senior audit manager, Pella Corp.; member, IIA Publications Advisory Committee</em><br>Today’s Emerging Leaders will not practice yesterday’s internal auditing, Flanders explains. “We no longer focus only on compliance and strict enforcement of policies,” she says. Flanders is optimistic about the group’s experiences in forward-looking areas such as data analytics, audit process improvement, and relationship building. That last skill, she says, is “crucial to the profession’s success.”<br><br><strong>Thomas Luccock, CIA, CPA,</strong><em>director, Internal Audit, and senior advisor to the president (retired), Michigan State University; member, IIA Publications Advisory Committee</em><br>More of 2017’s Emerging Leaders are called “trusted advisors” by their nominators and peers than in years past, Luccock notes, and that represents the constant evolution of the profession. “The importance of breadth of knowledge and experience, as well as data analytic skills, is becoming paramount to effectively evaluating internal controls,” he says. “Today’s Emerging Leaders must be aware of the increasing need for cybersecurity controls and how to evaluate these.”<br><br><strong>Anne Mercer, CIA, CFSA, CFE,</strong><em>vice president, Internal Audit (retired), Universal American; vice chair, Member Services, IIA North American Board of Directors; member, IIA Global Board </em><br>As a group, this year’s Emerging Leaders are well-prepared for the realities of modern internal auditing, Mercer observes. “They’re passionate about promoting the internal audit profession,” she says, “in part by working within their organizations to educate business owners on the collaborative role of the department.” That aligns well, she adds, with the mandate today for practitioners to add value to the organization while also highlighting their unique role compared to other compliance-oriented functions. <br><br><strong>Maja Milosavljevic, CIA, </strong><em>senior group internal auditor, Sberbank Europe AG; 2015 Emerging Leader</em><br>In an internal audit environment that she characterizes as challenging, Milosavljevic says practitioners must “deal with new areas of auditing, such as corporate culture, and constantly develop their skills and knowledge.” Accordingly, one of the ways she finds the 2017 Emerging Leaders inspiring is that they see the importance of certification and strive to “distinguish themselves through this dimension of professionalism.” <br><br><strong>Naohiro Mouri, CIA,</strong><em>chief auditor, AIG Japan; senior vice chair, professional practices, IIA Global Board of Directors</em><br>The way internal audit inspires 2017’s Emerging Leaders impresses Mouri, who notes as well the tender age at which many of them have realized it’s something of a calling — and the “strong sense of purpose” they show to positively influence others in the profession. They’re putting their proverbial money where their mouth is, too, he says, “demonstrating their competence to be trusted advisors in their organizations.”<br><br><strong>Karem Toufic Obeid, CIA, CCSA, CRMA,</strong><em>chief audit executive, Tawazun Economic Council; vice chairman, global services, IIA Global Board of Directors</em><br>This year’s Emerging Leaders must be agile, Obeid notes, because a fast-changing environment demands that auditors’ skills rapidly evolve to align with stakeholders’ developing demands; that’s how they’ll achieve the best results. He has high hopes for these practitioners, calling them qualified, motivated, enthusiastic, and “highly involved in elevating and advocating internal audit.”<br><br><strong>Marbelio Villatoro, CIA,</strong><em>internal audit integrated project manager, Raytheon Co.; 2015 Emerging Leader</em><br>2017’s Emerging Leaders have their work cut out for them, according to Villatoro. “They will be challenged with new risks the profession has never seen,” he says, “and their leadership will be critical in ensuring positive change can be created across industries.” The good news: These practitioners are well-rounded, and they’re genuinely committed to the profession’s growth. “They’re thought leaders who seek positive change,” he adds. </td></tr></tbody></table><p></p>Russell A. Jackson0
Build Your Brand Your Brand<p>​<span style="font-size:12px;">Whether we as members of the profession like it or not, the word auditor typically does not elicit warm, fuzzy feelings. And while we've made great strides toward improving the profession's image, most practitioners would likely agree that it falls short of where they'd like it to be.​ This reality, while unfortunate, is important to accept — particularly when it comes to assessing the department's brand. In fact, acknowledging the stereotype we carry with us is the first step toward brand improvement.</span></p><p>Using this acknowledgment as a jumping-off point for change, internal auditors can develop a solid strategy by following several steps aimed at improving the audit function's brand and communicating it with stakeholders. These steps can be used to turn the brand around, or to establish a brand if one does not already exist. When implemented correctly, the process should result in a more positive image for the department, and improved relationships throughout the organization. ​</p><h2>Identify Your Customer</h2><p>Who, realistically, is the audit function's primary customer? Who will the department focus its energies on ensuring is satisfied? Is it the board/audit committee? Senior leadership? Or is it some other layer in the organization? Internal auditors' natural inclination might be to say they want to serve everyone, but attempting to serve everyone will result in serving no one. </p><p> <span style="font-size:12px;">Identifying internal audit's customer may be as simple as looking at the function's reporting relationship, but often it's not that clear-cut and, of course, no two organizations are alike. For example, while the CAE frequently reports to a member of the C-suite or the audit committee, not all organizations are structured this way. Moreover, if internal audit is supporting a lengthy implementation, its primary customer may be different during that time frame — even though it retains its organizational reporting relationships. Accordingly, internal auditors must do their homework to correctly identify their primary customer.​</span></p><h2>Define Your Brand Ambitions</h2><p>Regardless of how internal audit perceives itself internally, the department should define what it wants its brand to be. This process should involve consideration of the department's primary customer, the department's strengths, and what it is striving for but hasn't achieved yet. The bar should be set high. ​</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><h2>​Do You Have a Branding Problem?</h2>What we do, as auditors, is valuable work. We carry a unique role and have a unique visibility into the organization that many others do not possess — and this simply comes from doing our day jobs with no additional effort. Quite simply, if an internal audit department is not adding value to the organization, and especially if it is perceived as not adding value to the organization, it may have a branding problem. ​​<br></td></tr></tbody></table><h2>Evaluate Your Existing Brand</h2><p>Some internal auditors may think they know where they stand with clients, but in reality I'm not sure any department really does. Why? Most audit functions likely receive feedback via one or two mechanisms: formal customer satisfaction surveys and informal meetings. While these can be useful sources of information, each has its drawbacks:</p><ul><li><em style="font-size:12px;">Client surveys.</em><span style="font-size:12px;"> Although clients may complete the questionnaire forms, what real information do they provide beyond the measurement scale (i.e., a rating of some sort)? If the comments field is blank, internal audit is not getting the feedback it needs.</span><br></li><li><em style="font-size:12px;">Informal meetings.</em><span style="font-size:12px;"> Auditors may not necessarily be getting true, candid, constructive criticism in their informal face-to-face discussions. More likely, auditors learn what's on the client's mind in that moment, without much consideration of everything the department does.</span><br></li></ul><p><br><span style="font-size:12px;">In</span><span style="font-size:12px;">terna</span><span style="font-size:12px;">l audit can't know where it stands without asking. With that in mind, I recommend a couple of approaches.​</span></p><p><strong>Confidential, 360-degree Feedback Surveys</strong> Practitioners should cast as wide a net as they can, but ensure that the target customer is well-represented — even if it's the board/audit committee. The human resources function can often provide assistance with survey efforts.</p><p>In my experience, 360-degree feedback surveys represent all tiers of stakeholders — including the audit function's peers, its direct reports, and organizational leadership. The survey is tailored to each group, and results are aggregated by group, inclusive of some overall higher level commentary as well. It provides an excellent means of candid, constructive feedback. To optimize results, the survey comments fields should be made mandatory, not optional. Open-ended comments usually represent the best, most useful form of response. <br><br><strong>Candid Feedback at Meetings</strong> The audit team should consider inviting a key stakeholder to one of its staff meetings to offer both positive and constructive, critical feedback. I find this to be the most divisive recommendation among people I speak with, mostly because of concerns about what stakeholders might say to the team and the pressure of receiving potentially negative news. Following some ground rules can help alleviate these concerns:</p><ul><li><span style="font-size:12px;">Select someone the team knows and trusts. This rule is certainly not absolute — for example, if the audit committee chair or a board member or senior leader attends but is unfamiliar to the team, the stature of these individuals will still capture the auditors' attention. Otherwise, familiarity with the stakeholder will, in particular, support constructive feedback.</span><br></li><li><span style="font-size:12px;">Meet with the stakeholder in advance. The chief audit executive (CAE) should discuss openly and candidly with the stakeholder what the audit team is doing well, an</span><span style="font-size:12px;">d what it can do better. The CAE should also ask the stakeholder to request feedback from his or her team, as the leader may have an incomplete picture of internal audit's strengths and opportunities. </span><br></li><li><span style="font-size:12px;">Ask the stakeholder to provide examples the audit team can relate to. The CAE should coach stakeholders on sharing constructive feedback in a way that facilitates discussion, as opposed to simply delivering criticism. Stakeholders should be encouraged to cite concrete examples to illustrate key points.</span><br></li><li><span style="font-size:12px;">Make sure the team agrees on actions to address. The actions can support development of the audit function's branding goals.</span><br></li></ul><p><br><span style="color:#222222;font-family:georgia, 'times new roman', times, serif;font-size:16px;font-weight:700;letter-spacing:0px;">Establish Goals and Communicate Your Efforts</span><br>After defining the department's brand and receiving stakeholder feedback, internal audit should set measurable goals and deadlines. Even though branding may seem like a structurally loose process, internal audit can still craft meaningful, concrete goals around it. The goals can be focused around metrics and data gathering (interviews, feedback sessions, surveys, etc.) as well as measuring the change in these metrics over time to ensure progress is made. </p><p>The CAE needs to ensure the audit team's thorough commitment to the branding process at this stage. The amount of time and organizational resources devoted to branding can be significant, and those efforts should not go to waste. A naysayer on the team who doesn't support the branding effort could undermine any progress made, and consideration must be given to how this risk would be addressed.</p><p>Internal audit should also make sure stakeholders are aware of the branding initiative. The department doesn't necessarily have to label the process as "branding" — instead it could be described in terms of goals, areas of focus, etc. Moreover, stakeholders should be informed that internal audit expects them to provide feedback on the departments' progress. <br></p><h2>A Solid Commitment</h2><p>Committing to a branding effort can help change, or establish, the perception of the audit function and enhance stakeholder relationships. To succeed, internal audit must invest sufficient resources and be prepared to encounter challenges along the way — all of which can be overcome. Audit functions that haven't embraced this effort should ask themselves, "What's holding us back?"​</p>Brian Tremblay1
From Ratings to Recommendations Ratings to Recommendations<p>​Audit ratings may be the most misused tool in the auditor’s tool belt. Instead of motivating management to fix problems, ratings more often serve as a demotivator, answering the question, “How bad is it?” This is the wrong question, and it erroneously imposes a “stick” mentality. While ratings may get the attention auditors are looking for, they undermine any attempt to build strong, professional relationships and fail to encourage constructive behavior. If we believe in our mission as stated in The IIA’s International Professional Practices Framework — “to enhance and protect organizational value” — then the goal of any audit is not to demonstrate just how bad things are, but to encourage positive action in support of the organization’s goals. </p><p>Many internal auditors report long lists of open audit recommendations and management’s resistance to implementing them, ranging from passive-aggressiveness (ignoring the recommendations) to outright denial that any problems exist. Auditors will say that it’s not personal, that they are just doing their job. They often think the client should be mature enough to not take being audited personally. But when you are the subject of an audit that could potentially expose your weaknesses all the way up through the C-suite to the board, it’s unavoidably personal. Add to that the audit ratings — essentially bright flashing arrows pointing out problems — and you have the makings of a difficult relationship with management. How can auditors transform this stick into a carrot? To begin, it helps to understand a few basics on motivation.<br></p><p>What truly motivates people has been studied for years by University of Rochester researchers Edward Deci and Richard Ryan. Their research has culminated in what they call the self-determination theory (SDT), which posits that human motivation is optimized when three basic needs are met: developing one’s skills (competency), exercising free will (autonomy), and feeling connected with others (relatedness). According to SDT, motivation through common meaningful goals will trump negative reinforcement every time. The researchers also found that while negative reinforcement can be effective, the impact is often temporary and can incentivize undesirable behavior. <br></p><p>Instead of rating audit findings, internal auditors should prioritize recommendations. In other words, don’t focus on what is wrong — bring attention to the most important actions required to manage risks. The chief audit executive for the County of Los Angeles, Peter Hughes, explained at the recent IIA Western Regional Conference that he uses this strategy to great effect. Brilliant in its simplicity, the approach is future focused on solutions rather than looking backward at past mistakes. Most importantly, as SDT points out, by focusing on developing common goals via prioritized recommendations, management will be far more motivated to take ownership. Instead of grading their level of incompetence, give them the opportunity to implement solutions and demonstrate their competence, autonomy, and relatedness.  <br></p>Jim Pelletier1
It’s Only One Word’s-Only-One-Word.aspxIt’s Only One Word<p>​It’s so easy to change a single word … and so easy for that simple change to impact a sentence, a paragraph, or an idea. Rock musician Warren Zevon wrote an amazing song titled “Carmelita,” which includes the line, “I pawned my Smith Corona. …” For those who don’t know, a Smith Corona is a typewriter: a tool that, before the proliferation of computing power, was widely used by writers everywhere — even internal auditors. In that simple phrase, Zevon describes a man who has reached the end of his rope, pawning a valuable tool of his trade.<br></p><p>American pop singer Linda Ronstadt, in a typically incredible performance, covered the song. However, she made a small but significant change — “I pawned my Smith & Wesson. …” Again, for those who don’t know, Smith & Wesson is a brand of firearms. Ronstadt’s alteration seems minor, yet it changes everything about the lyric, its impact, and the story told by the song. It significantly modifies what was originally written.<br></p><p>And it is with no less impact that some reviewers make changes to audit reports, far too often altering those reports without ensuring that the change is necessary or appropriate. Words are precise, and when audit management assigns auditors to write those reports, management should expect the auditors to use the precise words that mean precisely what they mean to say.<br></p><p>Yet many audit report review processes seem designed to take away the auditor’s responsibility for that precision. Far too often, the lead, manager, chief audit executive, etc. doesn’t like what is written (“I can’t say why; I just don’t like it”) and starts editing. The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.<br></p><p>Report reviewers everywhere, here are three lessons you should take to heart:<br></p><ul><li>Do not change anything without ensuring those who actually did the work have a say in those changes. That is the only way to ensure the report is still accurate.</li><li>Never make a change unless you can explain why that change is necessary. Otherwise, you are just changing for personal preference.</li><li>Always explain the reasons for any change to the person who wrote the original drafts. Only by understanding the reason for the changes will that individual ever learn how to do a better job.</li></ul><p></p><p>However, there is a fourth and just as important lesson that seems counterintuitive in a discussion about the preciseness of words. Don’t dither.<br>Internal auditors work hard to find the exact wording when something close will do. And our focus on that unnecessary precision results in a deluge of rewrites, delays, and frustrations. Get it right, but don’t worry about being perfect. And when all is said and done, make sure you haven’t turned a typewriter into a gun. <br></p>Mike Jacka1
Auditing From a Distance From a Distance<p style="text-align:justify;">Remote auditing, also known as online auditing or virtual auditing, has been in use by organizations worldwide for many years. Engagements conducted remotely use technology to carry out audit work without requiring the practitioner to be physically present at the audit location. The approach can yield significant benefits, particularly for organizations with geographically dispersed operations. ​</p><p style="text-align:justify;">Among the most significant benefits are cost-reduction opportunities related to travel. An auditor from Pakistan at a multinational company, for example, worked remotely on a four-week assignment in South Africa, resulting in savings of approximately US$7,000 in air travel and other expenses. Beyond cost savings, however, remote techniques can enable practitioners to more easily review locations that are difficult to access because of travel restrictions, safety concerns, or lengthy visa processes. They can also contribute to more efficient resource utilization in scenarios where information can be requested instantly via phone call or email, without the need for an auditor on site.</p><p style="text-align:justify;">Given that business disruption requires internal audit functions to manage costs more efficiently and effectively, this is an opportune time for internal auditors to take a closer look at remote auditing. Auditors can follow several steps to help optimize its use on engagements and ensure positive results. But first, they should familiarize themselves with potential hurdles that could impede successful practice.</p><h2>Knowing the​​​​ Limitations</h2><p style="text-align:justify;">Like most other technology-dependent approaches, remote auditing has its share of implementation challenges. Areas that merit particular attention include communication, practical knowledge, client impact, and technology.</p><p style="text-align:justify;"><strong>Communication </strong>Auditor–client rapport established through face-to-face interaction represents a key facet of traditional auditing. And while effective working relationships can be fostered to a degree through technologies such as telephone and videoconferencing, they are not as easy to initiate as when both parties are in the same location — where a simple knock on the door or impromptu meeting in the hallway can elicit a conversation. </p><p style="text-align:justify;"><strong>Familiarity With Remote Auditing </strong>Clients and audit staff may not be familiar with the mechanics of a remote audit, leading to some confusion. Traditional audits involve regular face-to-face interaction in settings where there are often no time zone, language, or cultural differences. Remote audits, depending on scope, may lack these elements, potentially resulting in miscommunication or unreasonable expectations.</p><p style="text-align:justify;"><strong>Client Burden </strong>Remote audits can increase the client's workload. In a traditional audit, for example, verifying the physical existence of an asset would involve visiting the asset location. Performing this same procedure via a remote audit would require a client representative to visit the asset and email a photograph to the auditors. </p><p style="text-align:justify;"><strong>Technological Limitations </strong>Isolated locations or operations based in a different country may not have the infrastructure in place to fully support a remote audit. Issues can vary, ranging from basic challenges such as insufficient network bandwidth to more complex issues such the size and format of data and local regulations affecting data transfer. </p><h2>Strategies for Success</h2><p style="text-align:justify;">Depending on an organization's size and scope of operations, effective remote auditing with significant cost savings can be achieved by following several key guidelines.</p><p style="text-align:justify;"><strong>Know When to Audit Remotely </strong>Remote audits are not suitable for all clients and all engagement types. Practitioners must determine whether the proposed audit has an appropriate scope of work and a client willing to participate in the process. Client participation, in fact, is crucial, as reluctance can result in communication delays, lack of understanding, and miscommunication.</p><p style="text-align:justify;">Technology also plays a pivotal part determining remote auditing feasibility. It is easier, for example, to extract and transfer data from systems such as SAP compared to data held in physical documents.</p><p style="text-align:justify;"><strong>Communicate Up Front </strong>All stakeholders should understand what a remote audit is, its mechanics, and any expectations associated with the process. To address these issues, internal audit may want to establish an agreement with the client that specifies how communication between the two parties will occur, and at what frequency. This agreement can help reduce the potential for misunderstanding and enable all stakeholders to understand the resource and time commitment required. ​</p><p style="text-align:justify;">If the audit team is split between on-site and remote auditors, the remote practitioner needs to provide periodic updates on audit progress to the on-site team, and vice versa. This process removes duplication, allows for brainstorming, and ensures that the remote auditor still feels connected to the team. </p><p style="text-align:justify;"><strong>Select the Right Tasks </strong>Remote auditing can be more useful for quantitative tasks than qualitative tasks. For example, carrying out a review of an organization's invoice processing — when the data and support material are readily available online — requires less interaction with the client compared to reviewing the adequacy of its compliance with international trade requirements. <span><span><span><span>The degree of communication involved is the main differentiator. </span></span></span></span>Data analytics, as well, would require less interaction in comparison to a review of the procurement process for new vendors. <span><span></span></span></p><p style="text-align:justify;"><strong>Do Your Homework </strong>Given remote auditing's divergence from traditional auditing, client and practitioner preparation is key to carrying out engagements successfully. Both parties should, for example, become familiar with the necessary communication methodologies (teleconferencing, desktop sharing, etc.) in advance. Moreover, internal audit should dedicate a certain amount of time for the duration of the audit to the remote auditor and respond timely to any requests. Appointing an on-site liaison or coordinator to assist the remote auditor on a short-term basis can also be beneficial. ​</p><h2>Digital​​​ Engagements</h2><p style="text-align:justify;">We live in a global and increasingly digital world — remote auditing is ideally suited to helping provide assurance in it. With the right strategy, remote auditing has the potential to be an efficient alternative or supplement to traditional audit approaches. It provides global and local organizations with the agility to respond to disruption and other challenges in today's dynamic business environment. </p>Aiman Khan1

  • MNP_Nov 2017_Prem 1
  • IIA Bookstore_Nov 2017_Prem 2
  • IIA EndOfYear CPE_Nov2017_Prem 3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Understanding the Risk Management Process the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z
Managing an Internal Audit Career: How Do You Know When It’s Time to Go?’s-time-to-goManaging an Internal Audit Career: How Do You Know When It’s Time to Go?2017-07-17T04:00:00Z2017-07-17T04:00:00Z