The Power of Integrated Auditing Power of Integrated Auditing<p>​Integrated auditing — a combination of financial, performance, and IT auditing — offers numerous benefits to an audit function, allowing greater impact without necessarily increasing headcount. Integration can help internal audit stay relevant in its role as trusted adviser in the rapidly changing post-COVID-19 environment.</p><p>Integrated auditing's strength is that it shows not just where money was spent, but how it was spent — an important consideration in the public sector, says Mara Ash, CEO of Business & Financial Management Solutions LLC of Austin, Texas. Taxpayers want government to spend their tax dollars prudently, efficiently, and effectively, and integrated auditing can provide this reassurance. It's a different concern compared with the private sector, which generally is more focused on making a profit. The public sector's concern, by contrast, is "Did you use my tax dollars efficiently?" Ash says.</p><p>The move to integrated auditing represents an evolution of internal audit, says Kip Memmott, audit director for Oregon's Secretary of State. Auditors — whether performance, financial, or IT — used to be more siloed into their respective areas. Now, each needs to know more about the others' areas. "It's an awesome opportunity for cross-training, not only from a technical skill set, but from a cultural area," he says, in terms of breaking down rivalries and developing understanding. While the performance, financial, and IT auditors all have different skill sets and work with different legal requirements and standards, they all are working toward the same end game — determining whether the client is executing its mission to the best of its ability, Memmott says.</p><h2>Benefits of Integration</h2><p>From the organization's point of view, the advantages are efficiency and effectiveness, says Domenic Savini, assistant director for the Federal Accounting Standards Advisory Board (FASAB) in Washington, D.C. For example, when auditors perform an integrated audit, they accomplish their objectives using coordinated audit processes and testing that typically cut across multiple audits and/or objectives during the audit cycle and yield results that are more comprehensive. The audit tests help satisfy multiple objectives and bring audit matters into sharper focus. This win-win situation keeps use of audit and client resources to a minimum and results in comprehensive recommendations and related solutions, says Savini, who notes his views are personal and do not necessarily reflect those of the FASAB or any of its members. </p><p>For Ash, integrated auditing allows public sector organizations to determine whether expenditures were made efficiently and whether they were effective. Determining effectiveness allows the organization to make good management decisions about the direction of the program. It also pushes auditors out of their comfort zones to look holistically at the organization and its processes, helping them to become more of a trusted adviser.</p><p>Integrated auditing exposes employees — especially those seeking management roles — to different operational areas, Savini says. This exposure helps them develop an understanding of their organization's various business processes, become more effective decision-makers, and hopefully, more well-rounded managers, he adds. </p><p>Integrated auditing also gives organizations a broader reach and more depth in its audits, and a powerful tool to look at complex issues, Memmott says. He notes both performance and financial audit standards require practitioners' data to be reliable, adding that IT can help make this determination. Meanwhile, the multiple concerns of a COVID-19 and post-COVID-19 work environment — managing a workforce, recruiting and turnover, telework, and flexible work schedules and work sites — all are areas in which internal audit should be involved, he says. </p><p>Bringing together performance, financial, and IT audits provides audits that are powerful, real-time, and proactive. Integrated auditing also pushes audit to take a more active role with its organization. "The idea with integrated auditing is to be more proactive, more strategic, and more forward looking," Memmott says.<br></p><h2>Barriers to Adoption</h2><p>Despite its advantages, integrated auditing is not often used in government, Memmott says. Many internal audit functions are small and do not have either the staff or the skill sets, especially for IT auditing. Risk aversion, the mindset of "this is the way we've always done things," also plays a part. </p><p>For Savini, having adequate and competent staff resources are a chief audit executive's primary concern, followed by efficient communication among the audit team members and management buy-in on the concept of integrative auditing. Management needs to understand that what may appear to be "scope-creep" is actually an investment toward future resource savings and better, more focused audit results, he says. </p><p>Integrated audits take longer because of their broader scope. Some areas may take longer than planned or newly discovered areas may need to be addressed. Integrated audits can be budget-eaters, especially if they are not well designed and coordinated, Memmott says. Conversations with the audit committee during development of the audit plan are important. "Because of the cost, it's got to be the right area," Memmott says. </p><p>The silos that can exist between different areas, such as between different types of auditors, also can be a barrier, Memmott says. Differences in expectations and relationships may need to be worked through with clients as well. "There's a lot of education, not only internally, but externally, that should go into integrated auditing," he says. </p><p>While not necessarily a barrier, auditors in the public sector need to stick to the facts, be aware of topics that might be politically sensitive, as well as avoid political groupthink and the influences of politics or political ideology, Savini says. Auditors in the public sector as well as those with highly engaged audit committees typically do not have the luxury of picking and choosing their audits. As a result, these auditors need to be clear and know how their results will be used. "We can't hide from doing an audit, but we have to do it in an apolitical and unbiased manner," Savini says. "We must protect the integrity of the internal audit profession."</p><h2>Real-time Auditing</h2><p>Typically integrated auditing is done at the end of the fiscal year to coincide with the annual financial audit, Ash says. (An internal auditor typically would not perform the annual financial audit; however, internal auditors may be involved in providing assurance over internal controls affecting financial statements.) That said, real-time auditing has benefits, she notes, given that government entities are moving to integrated audits for their grant programs. They are doing so because grantees are required to show the outcomes associated with the funding they received, and federal guidance requires them to share new ideas or efficiencies. Real-time auditing enables grantees to make course changes during the performance period to ensure desired outcomes, and the results can be applied to other programs.</p><p>Integrated auditing, working hand-in-hand with real-time auditing, brings more muscle and provides greater assurance. The key, Memmott says, is in structuring the real-time audit to ensure that, even with the larger scope of the integrated audit, information is disseminated in a timely fashion.</p><h2>Implementation</h2><p>In looking to implement integrated auditing, "my advice is always to start at the top," Ash says. She recommends making sure that management is on board and understands internal auditing as well as integrated auditing. With integrated auditing, it's a matter of breaking down the mindset of separation — financial and performance audits and understanding how they are integrated — then putting it all together with the organization's existing work tools and programs.</p><p>Second, Ash suggests looking at major, high-dollar-value programs, especially if they are subject to federal funding regulations, or if they are actively monitored at the state/county/local level. These programs provide a great starting point, because stakeholders and others will want information about program outcomes, Ash says. Third, she advises looking at high-visibility programs, the ones that are in the public eye. <br></p><p>In terms of helping teams work together, "data analytics is a magical tool," Memmott says, noting that it has the power to bring financial, performance, and IT teams together, even though they have different objectives. In addition, when building an audit plan, he says auditors should think about the objectives and the steps to meet those objectives, and build the plan specifically around integrated auditing. </p><p>In addition, a good onboarding program can help with recruiting and retention, break down the silos between disciplines, and build understanding across disciplines. Memmott notes that his department has a rotational program, for example, where performance auditors could rotate through IT. </p><p>Diversity within a team is critical as a means of supporting candid discussions on different issues, Savini says, and to help ensure audit stays apolitical and true to its objectives. He stresses the importance of hiring not based just on demographics, but hiring for diversity of thought, opinion, and experiences.</p><p>When working with public governing bodies such as county commissions and city councils, "integrated auditing is your friend," Ash says. An integrated audit can answer the organization's bottom-line concern — what it got for its expenditure on a project. With an integrated audit, Ash says she can tell the governing body that money spent on allowable costs and controls was effective, detail programmatic outcomes, and discuss what improvements might be needed. </p><p>While implementation of integrated auditing can have higher initial costs, the return on investment will pay for itself down the road, Savini says. In this current environment, organizations need to leverage every resource to get "mean, lean, and green," so it is an advantage to leverage the skills of auditors. "If they're ready, willing, and able, you have got the most important part of the battle won," Savini says. </p><p>Integrated auditing also will help organizations cope with possible cuts in federal funding and develop better programs, Ash says. "Integrating performance and fiscal auditing is something that we are going to have to get comfortable with now, because in the future it's something we are going to have to do to survive."<br></p>Geoffrey Nordhoff1
A New Runway New Runway<p>​I have been an internal auditor for most of my career, and from the beginning, it has been fulfilling, challenging, and interesting. Internal auditing has played to my strengths of curiosity, focus on continuous improvement, building risk assessments, and developing business relationships. I have enjoyed partnering with process owners, learning about their challenges, and highlighting risks and improvement opportunities.</p><p>Yet, one day early in my career, the company's chief financial officer (CFO) asked me a question that had rarely crossed my mind: "So, what do you want to do with the rest of your career, or would you like to be a career auditor?" It was a big question and I answered it honestly; I loved audit and believed in the value a solid audit team could bring to an organization. Just six years out of college, I felt I still had quite a bit to learn before needing a change.</p><p>I continued my audit journey and soon switched to a different company with an opportunity to rebuild a part of the internal audit team that had recently experienced significant turnover. For the next six years, I had an amazing run, leading audit teams on three continents, building strong relationships with process owners, and partnering with various departments to enhance the value the team delivered.<br></p><p>But still, the CFO's question gnawed at me. Did I want to be a career internal auditor? Would I have the courage to leave the comfort of my chosen profession to broaden my horizons and reap the potential benefits of following the path unknown? What lessons could I learn by stepping outside of my comfort zone and career? I faced a decision that most internal auditors contemplate during their career, and this is what I learned on my journey.</p><h2>A New Direction</h2><p>For me, the CFO's question raised other questions. Was I missing something by not stepping out of my comfort zone and "going into the business"? Was it right to question my chosen career path? I had the opportunity to work with many departments and often had wondered whether I could leave internal audit behind to do something else. Most times, the answer was a fairly definite "no," while a couple of times I could have been tempted by job openings on other teams.</p><p>That temptation first arrived when I was presented an opportunity to join the Financial Planning and Analysis (FP&A) team with the company's largest division. The new vice president of Finance was shaking things up and already had proven to be the kind of leader many aspire to be — authentic, visionary, intelligent, supportive, and thoughtful. Her goal was to elevate the finance department to the next level after a recent large acquisition. The proposition was that my audit skills in process review and analysis, focus on improvement, and problem-solving abilities would benefit the team in performing a value chain analysis, building efficiencies, and strengthening controls.</p><p>The opportunity seemed to finally answer my question of whether I could have a career outside of audit. I was excited at the prospect of learning from a respected leader, expanding my skills, and supporting process improvement initiatives I believed in. Finally, I would be able to see what life was like outside of internal audit.</p><p>And so, I started a new career. It was a thrilling new runway to take off in a new direction, exciting albeit slightly intimidating. Things were changing fast at the division, and my role was reimagined shortly after I joined the team.</p><p>I didn't mind. At last I had the coveted seat at the table. I was included in strategic planning discussions, helped create analyses that would drive capital investment decisions, and contributed to presentations that would be shared with senior executives. I worked with everyone from engineers to demand planners; dove deeper into business operations; and lived and breathed waterfall bridges, economic value-added calculations, and cash flow analyses.</p><p>It was an incredible amount of hard work. The deadlines were rigorous; the pressure was intense.</p><p>During this time, I realized that my internal audit team had been rather sheltered. Although the run up to the audit committee meetings could be hectic, and report issuance could get contentious, it was nothing compared to the amount of scrutiny that was placed on FP&A. Every number, every word mattered. If a forecasted result was missed, FP&A was the first to be held accountable. We equipped the vice president of Finance with every bit of information we could think of in anticipation of senior leadership questions. Our team was on call and always ready.</p><h2>Lessons From the Other Side</h2><p>I spent two years in FP&A. During that time, I learned several valuable lessons that helped me grow professionally and deepened my appreciation of how a strong internal audit team can effectively support the organization.</p><p><strong>Internal auditors are uniquely positioned to support business initiatives and ad ho</strong><strong>c projects.</strong> Although internal auditors often are viewed as generalists, their skills can be successfully applied in other parts of the business. I found FP&A fulfilling because the projects complemented my natural curiosity, as well as my ability to ask the right questions, dig into details, and make connections between varied parts of the process to pinpoint improvement opportunities.<br></p><p><strong>Understanding business drivers and their correlations is imperative for a successful audit. </strong>Being in FP&A showed me facets of core operations I had not seen before. Audit teams often review downstream processes, such as accounting, without fully grasping the dynamics of the operational strategy, which could lead to a misaligned audit scope or lackluster observations. Internal auditors should seek to understand the organization's core operations and risk profile to better align the entire audit cycle, from organizational risk assessment to audit procedure design.<br></p><p><strong>Respect and understanding of business activity cadence garners g</strong><strong>oodwill. </strong>I gained greater respect for the complexity of business processes and urgency of timelines. I also have a better appreciation of the importance of teamwork and the incredible amount of dedication and hard work that the accounting, finance, and operations teams put in to drive the business forward. Proactively planning around a month-end close, a quarterly reforecast, or strategic planning doesn't mean constantly pushing projects to the side. However, general awareness and accommodation in the audit plan can yield higher engagement from business partners.<br></p><p><strong>Recognizing the deeper impact of an audit observation and audit as a whole is vital. </strong>Business partners often are stretched thin working their "day jobs," as well as on special projects and new initiatives. An audit can be a disruption, especially if it is broad in scope and lasts several months. However, a bigger nuisance and disappointment is an audit that misses the mark on its objectives and does not deliver the insight business process owners are yearning to know.</p><p><strong>Business partners are looking for meaningful support from internal audit. </strong>Pointing out the obvious, low-hanging fruit may be helpful when business partners are looking to bring more focus to completing action plans for shortcomings they know about. But what they are more interested in is something they may be missing altogether — something that may be material and impactful to the way they do their work. A thoughtfully planned internal audit can deliver that impact, so the audit team should ensure the audit scope and objectives resonate with business partners and clearly articulate the root cause and impact of every observation.<br></p><p><strong>Internal audit should stay close to the business and remain agile. </strong>Internal audit's business partners often are working to solve urgent and unexpected problems. A well-respected internal audit team can provide independent, objective, and competent support. The ability to modulate the audit plan to address emerging risks, adapt the audit approach, and incorporate lessons learned and observations in real time can help auditors and business partners focus their efforts on the most relevant topics and, more importantly, provide timely insight to the organization. It also mirrors the focus on business success through agility, nimbleness, and responsiveness to today's fast-paced environment.<br></p><p><strong>Diverse skills are key to a successful internal audit team. </strong>Rotational programs can help diversify internal auditors' experience and provide invaluable insight into the mechanics of business processes. However, a small internal audit department may not be able to sustain a rotational program. Allowing auditors to provide short-term project support can create a learning opportunity and a chance to strengthen relationships, which could benefit the team in the long run. Even if teammates choose to pursue a more permanent assignment outside of audit, the audit team will gain an advocate and a sounding board in the business.</p><p>I have often thought that a measure of an internal audit team's success was the number of times business partners reached out with a request. It is the ultimate sign of alignment, engagement, and trust that internal auditors bring value through the independent and objective evaluation of processes, while keeping continuous improvement opportunities in mind.</p><p>Being "in the business" reaffirmed my belief that to succeed, internal auditors must understand the organization's operations and priorities, be aware of emerging risks, appreciate the cadence of business processes, and have effective relationships with process owners. This, in turn, pivots the risk assessment and audit planning conversation from "What are your initiatives?" and "How can we help?" to "Understanding your business priorities and process changes, this is how we can support you." Doesn't that sound like a more exciting way to begin a dialogue?</p><h2>My Return to Internal Audit</h2><p>In the end, I returned to internal audit and have been back for two years now. I missed the diversity of work, having a broader view of the organization and its risk universe, and leading a team. Yet, the lessons I learned on "the inside" made me a better auditor and leader. I have a deeper appreciation for a holistic approach to auditing — the need to understand before making a judgment — and I am better equipped to ask the right questions and discern what matters.</p><p>Moreover, I am grateful to the leaders who challenged me to push beyond the boundaries of my professional comfort zone. Internal auditors should not be afraid to broaden their horizons, offer their expertise, and gain new skills, whether through supporting a project, participating in a rotational program, or exploring a new career path.<br></p>Agnessa Vartanova1
The Future-ready Internal Auditor Future-ready Internal Auditor<p>​As a child, I was a big fan of the animated TV series, <em>The Jetsons</em>. As those of you who watched the show know, the Jetsons were a futuristic family with a robot maid, video conferencing, ubiquitous automation, and a flying car — along with many other gadgets that were pure science fiction in the 1960s.</p><p>As a lifelong tech enthusiast, I've watched technology progress toward this Jetsons ideal. While we don't yet have robot housekeepers like Rosie, we certainly have any number of robot-like gadgets that do our bidding at home — from Roombas, to Alexa, to "smart" appliances, for example. Communicating Jetson-style from almost anywhere and via video went mainstream in 2020. And automation is cropping up everywhere — not just in grocery stores and warehouses, but also in robotic process automation (RPA), chatbots, and personalized product recommendations. Some technology has advanced more slowly than I anticipated — I fully expected to see flying cars by now. While we do have semi-autonomous cars, and there are several global startups working on "urban air taxis," the general public still can't purchase a fully autonomous vehicle. But we are getting closer to that reality every day.</p><p>The Jetsons wasn't able to predict everything, of course. In fact, there are many ways in which technology has surprised us with totally unexpected developments. What we <em>can</em> predict is that the pace of technological change is going to be dizzying over the next decade and internal auditors are going to have to keep up. As the 2021–2022 chairman of The IIA's Global Board, I will encourage internal auditors to be future-ready. Organizations and audit functions that are not nimble and adaptive will have a difficult time surviving in this world of constant change. However, I believe internal auditors have the skills and experience to look out for what's next and to take five key steps to meet this moment.</p><h2>Supercharge Internal Audit With the Right Technology Resources</h2><p>Even for someone who has spent a career working with and implementing new technologies, these dramatic changes can seem overwhelming. But there's much internal auditors can do to ensure we are future-ready. Continuous learning is going to be more important than ever, and IIA President and CEO Anthony Pugliese is positioning The Institute as a critical resource for internal auditors.</p><p>The IIA is focused on transforming its technological capabilities, delivering new and relevant training, providing important guidance through resources like the Global Technology Audit Guides (GTAGs), and establishing a new IT certificate. IIA members should take advantage of these resources, and they should develop habits like reading this magazine, which regularly covers technology topics; listening to technology podcasts; and following technology experts on social media.</p><p>One of the attributes board members value most from internal audit is insight. In an era where disruptive technology will need to be factored into every audit, it is imperative that internal audit leaders staff their functions with people who have technology insight. There are several ways to ensure the audit team has optimal technical skills, but here are a few ideas:</p><ul><li>Rotate auditors into a more technical role for a year or two, and then bring them back into the audit function.</li><li>Be purposeful with the training budget to ensure team members are obtaining training in the skills of the future.</li><li>Consider creative activities like gamifying training or holding online competitions that encourage use of interactive and collaborative software.</li><li>Recruit technically competent people who may not have audit experience. Then, train them to perform the audit work.</li></ul><h2>Build Stronger Relationships With Partners and Extended Third Parties</h2><p>As today's organizations focus on enterprise risk management (ERM) and interdependent risks within the company, it is also important to consider interdependencies with specific third parties and the aggregated risks of multiple third parties. As the march toward the cloud and numerous "everything-as-a-service" providers create greater reliance on external providers, third-party risk will become even more prevalent. Maintaining transparency of third-party risks and controls is critical as supply-chain vulnerabilities continue to be heavily targeted by malicious attackers (e.g., in the SolarWinds and Colonial Pipeline events).</p><p>As more organizations move into the cloud, relationships with third parties become more opaque. Cloud providers — and every third party the organization deals with — are relying on other third parties for services, supplies, and data. Internal audit needs to work with the legal department, establishing models now that allow it to audit through a third party to obtain certain types of information about a fourth, or even a fifth, party.</p><p>Another technology with built-in third-party risk is blockchain, which is a decentralized network of distributed users who have agreed to trust each other for certain types of transactions. These networks can be as small as two or three or could include millions of participants. Blockchain will require organizations to work together to create automated contracts and online and real-time approval processes for an immediate exchange of value. While data can be restricted and encrypted, it will still be vulnerable to inadvertent exposure. All the organizations in the network will need to address the confidentiality risks, ensuring that personally identifiable information is not compromised or stolen. Some participants — banks, other businesses, buyers, sellers, and regulators — will require access to sensitive information. These situations will have to follow defined controls, regulations, and protocols to ensure compliance with laws and to meet the expectations of customers who are now, more than ever, demanding privacy and confidentiality.</p><p>Internal auditors need to be prepared for completely different testing of distributed and shared data and will need to consider questions like:</p><ul><li>How will internal audit obtain and test information that is buried in some third party's database?</li><li>How will auditors test data that is being used on one of the blockchain consortiums?</li></ul><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<p><strong>My Circuitous Path to Internal Auditing</strong><br></p><p>Like many internal auditors, I arrived at the profession from a somewhat indirect route. After graduating high school, I planned to be a high school teacher and coach. I was good at math, I liked kids, and while I wasn't really built for basketball, I had learned to play because it was the only sport my little Oklahoma high school offered. But after about three semesters at Oklahoma State University, I figured out that wasn't really the right path for me. I dabbled in engineering, and then made my way to accounting and computer science. I loved the business side of accounting, and in computer science I found that I really enjoyed the fast-changing world of technology. Particularly with coding, things have to be very sequential and ordered to work, and I could appreciate that. I ended up receiving two degrees: one in computer science and one in accounting.</p><p>I worked as an auditor for a certified public accountant for a couple of years but then jumped back into IT and became a computer programmer. Even in the mid-1980s, technology was advancing quickly and I didn't want to lose the computer science training I'd gained in college. So, I took a job with a Tulsa-based energy company, working my way up to technical services supervisor. While there, I developed billing applications and was the IT project leader for the implementation of new financial systems.</p><p>In 1991, I decided it was time to get back to the accounting world, and I went to work for American Airlines. By then, I was leading people, so I started running large accounting processing systems, such as payables and receivables, revenue accounting, and interline accounting. Even though I was no longer a computer programmer, in my various leadership roles, I still helped build and design large, integrated, and technologically sophisticated accounting systems.</p><p>At that point, while technology, leadership, and accounting had been ongoing themes in my life, I had no interest in internal auditing. However, that changed after Sept. 11, 2001. American Airlines had two planes involved in the terrorist attacks, and the effect on the company was immediate. The federal government shut down the national airspace, cancelling thousands of flights. Exactly a week after 9/11, I received a call from my boss, the chief financial officer at American Airlines: My job was being eliminated, but I was being offered a new role as the chief audit executive (CAE), if I was willing to move to Dallas. My response, "Sure, boss, I'd be glad to take that job in Dallas."</p><p>After I'd been doing the job for just a few months, I realized that internal auditing was not what I'd expected. I loved the service aspect of the work — the ability to help other people succeed. I also enjoyed the consulting side of it, as I've always liked fixing problems. I decided to stay on that career path, and I eventually went on to work for Devon Energy as its CAE.</p><p>Today, I'm the chief risk officer at Jack Henry and Associates, a fintech company, where I oversee the CAE. All the work I'd done previously — the accounting work, the big process work, the computer programming, the leadership roles — it all came together for me in the remarkably satisfying profession of internal auditing.<br></p></td></tr></tbody></table><h2>Use Data Management As a Catalyst for Change</h2><p>As with disruptive periods throughout history, organizations are going to encounter both risks and opportunities. One of those opportunities relates to the most valuable asset in the digital world, data. As organizations move data into the cloud, collect data about their customers and employees, and find even more ways to use that information, data custody and privacy will become more important than ever. Consumers understand the risks to their privacy, so governments are responding with new laws and regulations that punish organizations that aren't handling their responsibilities well. Internal auditors need to be more analytical and understand that the organization's data will be quickly downloaded, thus heightening data privacy issues. Data privacy begins with identity management, so a great place for auditors to start is to review identity governance, administration, and privileged access management.</p><p>More data moving around more quickly means an accelerated use of big data and greater demand for data analytics. Internal audit needs to ensure there is governance over that data. Auditors will need to focus on database management and ensure policies, procedures, governance, data stewardship, privacy controls, and classification schemes are in place and functioning effectively.</p><p>To leverage data appropriately, the entire audit planning process needs to be redesigned to integrate a focus on data. Part of the scoping and objective-setting process — which has traditionally occurred on the front end of planning — should now include a focus on identifying potential data analysis that might add value in the audit.</p><p>The results of this effort should be used to refine and enhance the scope of the audit. Audit sampling — or 100% testing where possible — will then allow internal audit to provide more accurate insight into the area being audited. As auditors approach the end of the audit, they can convert the data into storyboards and visualization to tell a more impactful story.</p><h2>Reimagine How to Deploy Technology Within Internal Audit</h2><p>Some internal audit functions are well-suited for RPA and artificial intelligence (AI), machine learning, continuous auditing, and anomaly detection tools. With RPA, internal auditors can more easily move from testing a sample of internal controls to testing the entire population. Programmable bots can be used to test controls in minutes and feed the results to management dashboards. Bots also can monitor configurable controls, report on results outside of specific thresholds, and even prepare and document workpapers.</p><p>Auditors can leverage machine learning to simplify grouping and categorization tasks. Another example would be to teach a tool to predict who should have approved a particular invoice and then run the tool against the entire population of invoices to identify discrepancies. These technologies will expand the potential to perform the testing much more effectively.</p><p>Internal auditors may find useful a practical, three-part series of reports from The IIA's Internal Audit Foundation, in collaboration with Deloitte, on Moving Internal Audit Deeper Into the Digital Age. Part 1 offers a structured methodology for leveraging automation within the internal audit function. Part 2 considers six critical components of RPA and cognitive intelligence and examines their output to determine the greatest risk areas and how to audit them. And, Part 3 looks at how internal auditors can take automation capabilities beyond theory to practice. The reports, as well as numerous other technology-related publications and resources, are available via resource exchanges on The IIA's website, including the Artificial Intelligence and Data Analytics resource exchanges.</p><p>Another option for auditors looking to educate themselves on the latest technologies is to attend The IIA and ISACA's annual GRC Conference. This year's conference, being held Aug. 9-11 virtually and in Denver, Colo., has tracks focused on cybersecurity, data, and technology trends, among many others.</p><h2>Prepare for the Democratization and Convergence of Technology</h2><p>As mobile technologies become cheaper and more ubiquitous, the benefits of technology are going to become more common and impact many more people. With so many important technologies currently evolving, the impact will begin to grow exponentially.</p><p>The foundation of this concept is built on Moore's Law, an idea I first encountered as a computer science student. Moore's Law is based on American engineer Gordon Moore who in the 1960s predicted that because manufacturers were able to make smaller and smaller transistors, the number of transistors added to silicon chips would double every 18 to 24 months. This has given rise to exponential growth in computing power that has continued for the last six decades.</p><p>This increasing computing power means that technology will continue to quicken its pace, and we'll see the knock-on effects in areas like AI and machine learning, blockchain, robotics and autonomous vehicles, 3D printing, 5G, nanotechnology, and virtual and augmented reality.</p><p>One result of all of this extra computer power and storage is that scientists now have the capability to access and store more data related to the Internet of Things (IoT). With more access to the IoT, robotics can be deployed to automate activities and processes. And by applying AI, the robots can be trained to perform certain tasks and ultimately learn and make improvements to their own software. With all the technologies improving at a near-exponential rate, the cycle of improvement will be extraordinary.</p><h2>A Future-ready Response</h2><p>We don't need a quantum computer to tell us there is going to be a lot of change over the next several years, or that that change will dramatically impact internal auditors and the organizations they serve.</p><p>While I am still disappointed that we don't yet have flying cars, I am amazed with the size and speed of our computer chips, our ability to work on the scale of a nanometer, the advances in the 3D printing of human organs, and our understanding of the human gene. Moreover, I am continually impressed with the number of people around the globe who now have access to the wealth of information on the internet via mobile devices. These advances are incredible, but we are still early in a digital revolution that will truly change the world for the better. Internal auditors have the opportunity to lead our organizations into the extraordinary unknown that tomorrow will bring. It's time to get future-ready.<br></p>Charlie Wright1
CEO Message: Aligning Toward the Future Message: Aligning Toward the Future<p>​When I was approached about sharing my thoughts in a CEO Message in each of <em>Internal Auditor's</em> digital editions, I saw it as an opportunity to discuss with our members what we're thinking about, how our profession is undergoing change, dealing with the risk and opportunity of emerging trends, and so much more. What better way to accomplish that than through one of the most popular benefits offered by our organization? <em>Internal Auditor </em>magazine, which has been around almost as long as The IIA, itself, is a respected source of professional insights, information, and thought leadership that guides our members through their careers. I'm genuinely excited to contribute to that legacy.<br></p><p>My initial letter provides a glimpse into The IIA's new strategic plan. But let me offer a little background first. Since taking on my new role at The Institute in March, I've spent hundreds of hours talking to global board members, staff, key volunteers, and leaders in our North American chapters and global affiliates. The passion and dedication to the profession I found at all levels is truly inspiring.</p><p>These conversations were important in helping shape a new strategic plan that will ensure alignment between ongoing work at The IIA and our desired future state. While the new plan and all its related goals, objectives, and tactics are not quite finalized, we know several key components it will address.</p><p>We want to make sure our strategic plan is as future-proof as it can be, continually updated for necessary changes, and aligned with what we know is going on in the marketplace. It also must drive a culture within headquarters that encourages innovation, diversity, and a global perspective. We also know that the strategic plan must capture opportunities for expanding, reimagining, and modernizing our training and education portfolio; organizing our efforts around global advocacy in a way that enhances member engagement; and reaching a younger audience of future practitioners, among others.</p><p>Clearly, these are high-level descriptions of the strategic plan, but I hope they reflect two things. First is a thorough examination of how we operate as an organization. If we are going to grow The IIA and meet the challenges of a complex and rapidly changing marketplace, we must have a realistic assessment of what we do well and where we need to improve. Second is the drive to reimagine and reinvent ourselves. I believe strongly in opportunity, innovation, and a commitment to self-improvement. We must be ready, willing, and able to embrace change and growth.</p><p>I look forward to providing these regular updates to our IIA community. Ultimately, you are the reason The IIA exists, and our promise is to keep you informed, prepared, and inspired.<br></p>Anthony Pugliese0
Update: The Intelligent Automation Barrier The Intelligent Automation Barrier<p>​More than one-third of internal audit executives surveyed by Deloitte say lack of a clear strategy is the biggest challenge to adopting intelligent automation as part of their operations. It is a finding that runs counter to the commonly held belief that lack of access to data and of technology-enabled tools are the big roadblocks, says Sarah Fedele, Deloitte Risk & Financial Advisory's U.S. internal audit leader, based in Houston.</p><p>Nevertheless, digital transformation of an internal audit function takes a holistic strategy, she says. That holistic strategy needs to consider factors such as organizational culture, leadership mindset, and IT skills, as well as technological tools and architecture.</p><p>Only 8% of respondents say they currently use intelligent automation, according to the survey of more than 250 audit executives during a March webcast. Another 39% say they plan to begin using intelligent automation sometime after March 2022. Those findings parallel the extent that their organizations have adopted these technologies.</p><p>Among other findings, Fedele says she was struck that 19% of executives say they do not use intelligent automation for internal audit nor have plans to do so. Given the increased demands on internal audit for greater assurance and better advisory services, "you'd think intelligent automation would be a fairly critical component of those efforts," Fedele says. It has benefits as a quick win and from a strategic perspective, she adds.</p><p>The audit executives surveyed recognize the need to monitor automation at the enterprise level because the technology is not foolproof. More than half (52%) report they plan to increase their use of such technologies as artificial intelligence, machine learning, and robotic process automation to test how intelligent automation is used enterprisewide. <strong>—</strong><strong> </strong><strong>G. Nordhoff</strong></p><h2> <img src="/2021/PublishingImages/Update-aug21-factoid1.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:154px;" />Forced Labor in Supply Chain<br></h2><h3>Worsening labor practices fuel supply chain risk.</h3><p>A combination of tighter governmental scrutiny and an uptick in forced labor globally could create more supply chain risk for businesses. For instance, a new study from the University of Sheffield in the U.K. found that garment workers in Ethiopia, Honduras, India, and Myanmar are at increased risk of forced labor due to the pandemic.<br></p><p>Risk factors the 1,140 respondents experienced include wage declines, increasing indebtedness, worsening conditions of verbal abuse, and threats or intimidation, according to The Unequal Impacts of COVID-19 on Global Garment Supply Chains study. The number of child laborers has risen to 160 million, the first increase in 20 years, according to an International Labour Organization and UNICEF report, Child Labour: Global Estimates 2020, Trends, and the Road Forward.</p><p>Meanwhile, U.S. Customs and Border Protection (CBP) has stepped up enforcement efforts related to goods made with forced labor. Between 2020 and 2021, the U.S. issued withhold release orders on apparel, consumer goods, electronics, pharmaceuticals, tomato and cotton products, palm oil, silica-based products, and seafood. In March, the CBP seized latex gloves at the Port of Kansas City, Mo., after it received evidence that the producer had engaged in forced labor practices. "CBP will not tolerate forced labor in U.S. supply chains," says Port Director Steven Ellis. <strong>—</strong><strong> </strong><strong>C. Janesko</strong><br></p><h2>Workplace Culture and Well-being</h2><h3>Culture is essential to employee mental health and hybrid work success.</h3><p>As the world continues to emerge from the COVID-19 pandemic, workers are reporting high levels of burnout and "negative emotions," defined as "worry, stress, anger, and sadness," according to Gallup's State of the Global Workplace 2021 Report. The advisory firm says reversing this trend requires creating inspiring workplace cultures that maximize employee potential and well-being. The report derives its data from Gallup World Poll surveys and interviews of nationally representative samples of adults in more than 116 countries.</p><p>Gallup acknowledges record levels of negative emotions globally in 2020, with roughly seven in 10 employees identifying as "struggling" or "suffering" rather than "thriving" in their overall lives. Yet, the firm points out that negative emotions have been increasing over the past decade in parallel with a decline in global gross domestic product (GDP) per capita. Gallup says that 80% of employees are disengaged from work, resulting in a loss of 10% of global GDP, or $8.1 trillion, annually from the global economy.</p><p>There may be a link between the increase in negative employee emotions and declining economic dynamism and innovation. "Successful corporations of the future not only will generate profits, but also will generate thriving employees who are capable of weathering crises," Gallup advises.</p><p>Additionally, recent research by Gartner suggests that organizations must apply radically flexible, or "composable," thinking to more quickly and effectively adapt to shifting employee needs and expectations. In a recent e-book, <em>C-suite: 7 Myths Standing Between You and the Hybrid Future of Work, </em>the research firm posits that businesses should be "made up of interchangeable building blocks that can scale up or down or swap out." Gartner maintains that existing remote work strategies should be replaced by deliberate, innovative hybrid workforce approaches that tackle three key issues: 1) evidencing tangible economic benefits, 2) investing in the employee experience, and 3) supporting the workforce operating in a hybrid model. <strong>—</strong><strong> </strong><strong>L. Nelson</strong><br></p> <h2><img src="/2021/PublishingImages/david-yamada-215x240.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Reckoning for Abusive Bosses<br></h2><h3>Bullying employees can negatively impact productivity and well-being, says David Yamada, director of the New Workplace Institute at Suffolk University Law School.</h3><p><strong>Broadway producer Scott Rudin recently resigned from his productions amid allegations of physical and verbal abuse of employees. What impacts can workplace bullying have on employees and organizations? </strong></p><p>The Scott Rudin story offers a prominent example of how workplace bullying can be so destructive. It's premature to say whether it will become a so-called poster case of horrific, toxic worker abuse, but it certainly qualifies as a leading candidate.</p><p>Workplace bullying is the classic lose-lose scenario. Negative impacts on employees include stress-related physical and psychological impairments, symptoms consistent with post-traumatic stress disorder, and even suicidal ideation. These impacts often affect job performance and relationships with co-workers, family members, and friends. Obviously, the effects on one's livelihood and vocation can be significant.</p><p>Negative impacts on organizations include reduced productivity from bullied workers and bystanders, lower morale, and higher absenteeism and attrition. Negative reviews on third-party social media sites can impact applicant flow. In especially toxic situations, negative media coverage may enter the picture.</p><p> <img src="/2021/PublishingImages/Update-aug21-factoid2.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:134px;" /> <strong>For internal audits, what are the indicators of an abusive leader or workplace and what types of controls should organizations have in place?</strong><strong> </strong></p><p> <strong></strong>Internal audits that incorporate climate surveys and 360 feedback need to distinguish between incivility and abuse. The former is bad, but the latter can be devastating. Productivity, morale, absenteeism, and attrition indicators concentrated in certain departments, working groups, etc., may serve as indirect signs that bullying behaviors are part of the mix.</p><p>Some employers have added workplace bullying or generic abuse to policies and training that cover and prohibit sexual harassment and forms of illegal discrimination. Of course, such policies are effective only if taken seriously by organizational leadership. Above all, top-level leadership treating workers with dignity and practicing the old-fashioned Golden Rule trickles down in positive ways.<br></p><h2>Tips for Energized Meetings</h2><h3>Simple strategies can boost meeting productivity.<br></h3><p>Internal auditors are familiar with the traditional flow of business meetings — a few minutes of spirited small talk before getting down to business. That's typically the time when energy levels plummet.<br></p><p>The key to keeping the energy of meetings going beyond those first five minutes is giving the meetings focus, says author Elizabeth Doty in a recent PwC <em>Strategy+Business </em>article. That in turn provides participants something to direct their ideas toward.</p><p>For example, leaders should choose a prompt that will help focus the discussion, says Doty, former lab fellow at Harvard University's Edmond J. Safra Center for Ethics. "Usually framed as a question," she says, "a strong prompt is specific enough that people can respond without too much effort, and broad enough to invite diverse views and new thinking."</p><p>Doty also recommends choosing an effective stimulus that provides context, orients participants toward the task, and adds new elements to their thinking. <strong>—</strong><strong> </strong><strong>L. Wamsley</strong></p>Staff1
Are You Emotionally Intelligent? You Emotionally Intelligent?<p>​Knowledge and traditional skills are essential to success, but they can only take an auditor so far. Even for the most adept practitioners, objectives cannot be achieved merely with intelligence, technical proficiency, and expertise. To work effectively with clients, internal auditors need strong soft skills — many of which fall under emotional intelligence, or emotional quotient (EQ). Emotionally intelligent people understand, accept, and manage their own emotions, and they can read the emotions of others. Internal auditors with high EQ treat people with empathy and can manage feelings and relationships just as well as objective, quantifiable engagement goals. Emotional intelligence is vital to fulfilling our professional responsibilities.</p><p>Perhaps most importantly, having a high EQ enables practitioners to communicate effectively. Assessing the organization’s risk management framework, developing a risk-based audit plan, obtaining management agreement in response to audit results, and reporting to the audit committee all require extensive, careful interaction with stakeholders. Internal auditors need to communicate well across all levels of the organization, ensuring a robust understanding of their value proposition. </p><p>To ensure communications are well-received and acted upon, internal auditors also must be able to build relationships — another area requiring high EQ. Audit engagements are a team effort between auditor and client, requiring practitioners to balance professional skepticism with the need for rapport. They must ask probing questions related to risk and controls but avoid putting clients on the defensive. Taking the right approach requires empathy and social skills — key elements of EQ. </p><p>Delivering quality work, and maintaining engagement schedules, also requires auditor EQ. Multiple deadlines, heavy workloads, and other pressures can take a toll on audit performance — and even lead to burnout if not managed correctly. But according to The Impact of Emotional Intelligence on Auditor Judgment, published by Virginia Commonwealth University, auditors with a high degree of EQ manage pressures and timelines better, exercise superior judgment, and maintain professional skepticism. The result is a better experience for both auditor and client, and a superior outcome for the organization. </p><p>The World Economic Forum’s 2020 Future of Jobs report ranked EQ among the top 10 high-demand skills for organizations; just five years ago, it was absent from the ranking. High-EQ professionals are sought more than ever for the value they can deliver to stakeholders. And in an era of increasingly sophisticated technologies such as artificial intelligence, the ability to manage and respond to emotion is a key trait separating the work of people from that of machines and automation. EQ-related competencies need to be an integral part of every role in an organization, and they must certainly be a top priority for internal auditors. <br></p>Bhavin Raithatha1
Determining Internal Audit's ROI Internal Audit's ROI<p>​Like all departments in an organization, internal audit is an investment expected to yield a meaningful return. But unlike departments where return on investment (ROI) is easily calculated and traceable to the bottom line, internal audit is challenged to assess the inherently qualitative benefits of its work — such as compliance with laws, risk mitigation, process improvements, or providing management with peace of mind via assurance — against the quantitative costs it incurs, such as payroll, travel, software, and training expenses. </p><p>While each internal audit function faces different perceptions and unique expectations of value, internal audit teams can use a cost-benefit analysis to measure, drive, and communicate their value, and, ultimately, their ROI.</p><h2>COST-BENEFIT ANALYSIS</h2><p>Completing a departmental cost-benefit analysis is a way to address stakeholder misconceptions and skepticism over internal audit’s value, and in some instances, help make the case against cosourcing or outsourcing the function altogether. Similar to the divisional profit and loss statements seen throughout an organization, a cost-benefit analysis can provide tangible, quantitative evidence of internal audit’s value and overall ROI. </p><p>While each internal audit function’s cost structures, value streams, goals, and key performance indicators (KPIs) will vary, the cost-benefit analysis should incorporate current and planned monetary and nonmonetary benefits and controllable costs.<br></p><p><strong>Monetary Benefits</strong> These benefits can take various forms — including cost savings and revenue recoveries — and are most likely to garner stakeholder interest and promote further usage of, and investment in, the internal audit function. </p><p>Cost savings can be divided into two categories: savings realized directly by internal audit and savings realized by the business as the result of internal audit’s work. The first category can include external audit fee reductions achieved through reliance on internal audit’s work. Cost reductions implemented within the internal audit department, itself, such as for travel or audit cosourcing fees, will be reflected as reductions to the controllable costs section of the analysis as opposed to increased monetary benefits. The second category may include data analyses and subsequent recommendations. For example, an internal audit team at a global manufacturing firm performed analytics on the company’s accounts payable data, which resulted in the discovery of $500,000 in various duplicate payments and unclaimed vendor credits. Through internal audit’s research and communications with the accounts payable team, the company subsequently realized $400,000 of those credits, which internal audit would then factor into its monetary benefit calculation. </p><p>Internal audit also can perform engagements that lead to funds recovery, most commonly through contract compliance audits. For example, if a company has licensing agreements with various international partners to distribute and sell its branded product, the licensor may receive royalties, which are typically based on a percentage of sales. Additionally, the licensing agreement may have minimum payment or performance requirements that stipulate additional compensation to the licensor if not met. In this instance, if the agreement contains an appropriate right-to-audit clause, internal audit can review the licensing agreement, compare it to historical schedules and payments received, request additional detail from the licensee to validate reported numbers, and, in the event of discrepancies, work with the business to ensure the collection of additional amounts owed. <br></p><p><strong>Nonmonetary Benefits</strong> The inability to measure a benefit’s monetary impact should not preclude it from being tracked and reported to interested stakeholders, especially if it can be quantified in other ways. For instance, if internal audit conducts training on data gathering and analytical techniques that results in future time savings for the participants, then the cost-benefit analysis should include the training hours and resulting time savings as nonmonetary benefits. </p><p>While nonmonetary benefits will not alter the net monetary surplus or deficit, they should be included in a companion schedule. Tracking and reporting nonmonetary benefits will not only raise stakeholder awareness of internal audit’s many value streams, but it will also provide important context that the department’s value is not limited to the list of monetary benefits reported. <br></p><p><strong><img src="/2021/PublishingImages/Pelikan-Cost-Benefit-and-ROI-of-a-Global-Manufacturing-Firms-Internal-Audit-Department-2020–2022.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:464px;" />Planned Benefits</strong> As is common in investing, an ROI goal may not be achievable in the short term. Similarly, an internal audit function, particularly a new and growing one, should not limit its cost-benefit analysis or ROI goals to a single year. Rather, a growing team may expect to incur additional costs and further invest in personnel and tools over multiple years and use them to deliver greater value in the long run.</p><p>In these cases, a cost-benefit analysis with only a one-year view may reveal a far bleaker picture than reality. While conventional budgetary reporting uses quarterly and annual views, a longer term cost-benefit analysis may paint a more accurate picture of the internal audit function and its trajectory. In “Cost-Benefit and ROI of a Global Manufacturing Firm’s Internal Audit Department: 2020–2022” (at right), the internal audit function appears to be operating at a deficit, or at least from a monetary cost-benefit perspective. However, due to investments in personnel and technology that continue to expand the department’s value-added service offerings and improve the depth and quality of work, a positive and sustainable ROI is expected to begin the following year.</p><p>While it may not be possible to fully anticipate and quantify the future benefits an internal audit team will provide, the cost-benefit analysis provides an opportunity to outline its planned benefits, which can be estimated based on a combination of goals, extrapolation of current or forecasted benefit run rates, and opportunities identified during pre-engagement risk assessments. As in any forecast, the cost-benefit analysis should document the rationale for key assumptions that support future estimates.</p><p>Not only can a long-term outlook on internal audit’s value positively impact stakeholder perceptions and increase use of the function, it also can lead to further investment in internal audit to ensure realization or an increase of anticipated returns. <br></p><p><strong>Controllable Costs</strong> Every internal audit function incurs costs. Some are direct and under its control, such as payroll, travel, professional memberships, training, software, and consulting, while others are indirect and outside its control, such as the department’s allocation of rent, utilities, insurance, and shared services. To avoid unnecessary dilution of the department’s true net benefit and ROI, the analysis should focus on direct and controllable costs. The rationale is that the chief audit executive (CAE) can budget and manage controllable costs, whereas indirect, fixed-cost allocations are likely to be incurred by the company, regardless of internal audit. As a caveat, the analysis should not disregard shared costs that are variably tied to internal audit’s resource consumption. For instance, if the company uses a cloud-based enterprise resource planning system, and pays per license (vs. fixed fee), then those costs would be considered direct and controllable and should be a part of internal audit’s costs in the analysis. </p><h2>EVALUATE RESULTS </h2><p>First and foremost, the cost-benefit analysis should be used as an internal benchmarking and planning tool. After the initial analysis, an internal audit team may discover that its costs currently exceed its benefits. The results, either surprising or expected, present a valuable opportunity for root-cause analysis and subsequent goal setting. </p><p>The deficit may be caused by cost management, limitations on the extent of value-added projects the team can perform, quality of execution, or the inability to adequately quantify the monetary impact of its value. Regardless of the cause, CAEs can refocus their team’s efforts on addressing these shortfalls and taking steps to improve them. The CAE can use the initial 2020 cost-benefit analysis results in the chart above to further manage costs and establish goals and KPIs on the benefits side. Additionally, if the department determines that its total benefits are falling short, it can revisit its current project plan and ascertain whether different, higher value projects are necessary, provided they continue to align with key risks and board expectations, or consider expanding the scopes of current projects with higher value potential. </p><p>The cost-benefit should be an ongoing measurement of internal audit’s progress. If the team notes a deficit in its initial analysis, subsequent analyses may reveal encouraging signs of improvement. However, in the event of stalled progress, ongoing analysis can provide opportunities for further change and improvement. </p><p>As a caveat, internal audit’s cost-benefit and ROI analysis should not be tied to team member compensation or incentives, which could lead to conflicts of interest, impaired independence, and failure to objectively measure and report benefits. Additionally, to avoid inflation of internal audit’s reported benefits, the quantitative benefit values reported should be fully validated with the appropriate business stakeholders before finalizing.</p><p>Nonetheless, if the team remains committed to improvement and continues to measure progress and adjust as needed, the assessment results will continue to improve. Ultimately, these results can be shared with stakeholders as evidence of the department’s progress and increasing value to the organization. </p><h2>COMMUNICATE VALUE</h2><p>While every internal audit function faces unique perceptions and expectations of value, each one has a customized strategy for communicating value to stakeholders. Nonetheless, each strategy should consider three elements.<br></p><p><strong>Target Audience</strong> Once internal audit has completed its cost-benefit analysis and has collectively agreed to share it with stakeholders, the target audience should be considered. The audience should include stakeholders that internal audit reports to directly, such as the CEO, chief financial officer, and audit committee. However, a broader audience, including various business unit leads, may be necessary, especially if those individuals are skeptical about internal audit’s value. That may include departments where internal audit would like to establish or expand its value-added services. Sharing these analyses with internal stakeholders and clients first can further validate results and assumptions, and lead to further revisions before sharing it with executive leadership, the audit committee, and the board. <br></p><p><strong>Degree of Detail</strong> The degree of detail in a cost-benefit analysis will vary based on the stakeholder. For instance, executive leadership and the audit committee may be interested in just the total costs and monetary benefits along with a summary of key items and trends. Conversely, business unit leads may be more interested in the item-level detail of the projects impacting their areas along with past and planned benefits.</p><p><strong>Basis for Assumptions</strong> Like other data models, a cost-benefit analysis of internal audit is both art and science. Some inputs are clear and easily measurable — such as payroll and travel expenses on the cost side or realized savings confirmed by the business on the benefits side — while others are more subjective and require assumptions. </p><p>Limiting the analysis to easily measurable elements may represent only a subset of internal audit’s actual value. Instead, the analysis should consider other nonmonetary, quantitative benefits, such as engagements completed, recommendations implemented, and time savings, or qualitative benefits, such as prevention of noncompliance with specific laws. In situations where it is possible to reasonably estimate the monetary impact of a benefit using consistent, logical, and documented assumptions, such items should be reflected in the analysis. For instance, if during an operational audit, internal audit identifies and provides training on automated reporting that saves the accounts receivable manager five hours a week, then those weekly time savings should be considered as reportable nonmonetary benefits. However, if the time savings achieved were applicable to part-time, hourly associates whose total workload was reduced as the result of the efficiencies realized, then the potential payroll savings could be classified as a monetary benefit. </p><h2>A MEANINGFUL RETURN</h2><p>Internal auditors are well aware of their function’s capabilities and potential to further drive organizational value, but many stakeholders remain skeptical due to a general lack of understanding about the function’s overall impact, particularly on the organization’s bottom line. While each audit function faces different stakeholder perceptions and challenges, each is an organizational investment expected to yield a meaningful return. Internal auditors can measure their controllable costs and benefits, set goals, and revisit their project mix to provide more value and, ultimately, report on these items to stakeholders to ensure common awareness of internal audit’s value and potential. Like any other investment, an internal audit function with a clear, meaningful, and sustainable ROI will garner widespread appreciation and merit continued investment.  <br></p>Jack Pelikan1
Excuses for Mediocrity for Mediocrity<p>​I have a few regrets from my 30-year history with Farmers Insurance internal audit. Don’t get me wrong, it was a great ride. And I wouldn’t be where I am today (wherever that is) if it weren’t for the opportunities and serendipities that occurred throughout my career. But there were moments where, when I look back, I did a little less than shine.</p><p>We’ve all been there — the poor decision, the incorrect conclusion, the act that may have, in retrospect, been beneath our standards. We try for the best, but we know we occasionally fall short.</p><p>One regret in particular dawned on me recently. During the last few years of my career, the audit department seemed to lose focus on the importance of meeting assigned due dates. We wanted to meet the dates, but we started believing our own excuses for why things could not be done on time. I vividly remember rushing audits to conclusion because we were preparing the quarterly report for the audit committee and had to have something — anything — to say. And every time we reached the end of a mad dash, we recommitted to doing better. Then the<br>next quarter would arrive, and the same pandemonium reigned. </p><p>We often talked about the importance of timeliness, but we never took effective steps to change our processes and start getting the work done on time. And while our work quality had remained adequate, things were beginning to slip. By accepting mediocrity in one area, we were starting to see the impact on others.</p><p>We allowed the dates to slip, causing downtimes in the audit schedule. Downtimes negatively impacted the original schedule, and disruption of the schedule meant less time for scheduled audits. Then, because the schedule was impacted, we tried to compensate through better planning. And because of that effort, audit planning became a cottage industry unto itself. Our problem was execution, yet we tried to solve planning issues.</p><p>What are you letting slip? Are your reports issued when they were originally planned, or are you buying the excuse that it is just too hard to coordinate the parties involved? Are you identifying true root causes, or are you buying the excuse that there isn’t enough time to develop a broader solution? Are you holding the department to the highest possible standards, or are you buying the excuse that any group of people can only accomplish so much?</p><p>And finally, are you fulfilling the promises of the audit profession, or are you buying the excuses that cause you to be second best, constantly promising to do better next time?</p><p>There are always excuses. But there are seldom good reasons. And if you are starting to fail — or even starting to accept the most minute of failures — take a look and find the reasons, not the excuses. <br></p>Mike Jacka1
Breaking Down the Audit Report Down the Audit Report<p>​The International Professional Practices Framework does not require internal auditors to issue a written report. So auditors can, in theory, communicate engagement results through any medium that suits the function and the client. For most departments, though, this is done via a written report that documents the engagement and prompts senior managers to action.</p><p>A well-written internal audit report, which some may argue is a rare thing, should be easy to read and review and even easier to act on. Whether new or experienced, internal auditors can always benefit from a refresher on the basics of audit report writing.</p><h3>WHAT GOES INTO A REPORT?<br></h3><p>Implementation Standard 2410.A1: Criteria for Communicating, states: “Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided.” What should internal auditors include to make sure their reports meet these criteria? <br></p><p><strong>Findings</strong> Also called issues or observations, audit findings are the results of observation and testing during an engagement. They may be nonexistent or failed controls, but also can include instances of good practice that the auditor wants to share with the client. It’s crucial to communicate any issues clearly, so the client understands the problem and why he or she needs to act.</p><p>Many internal audit departments follow the five Cs model to structure their audit findings discussion for clients: criterion, condition, consequence, cause, and corrective action. However, the nonnegotiable elements are condition, cause, and consequence. </p><p>Another way to articulate condition, cause, and consequence is to ask three important questions:</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"></blockquote><ol><li><span style="font-size:inherit;"><em>Who is not doing what, or what is not in place?</em> The report should indicate what observation and testing produced — evidence of inadequate or ineffective controls. For examp</span><span style="font-size:inherit;">le: “Senior managers in the facilities security team do not check applicants’ backgrounds for criminal or other relevant records.”</span></li><li><span style="font-size:inherit;"><em>So what?</em> The answer to this question should be a real risk statement. In other words, auditors should state the real-world harm that has occurred, or could result from, the control weakness, rather than just another failed control. For example: “As a result, the organization may risk reputational damage and financial loss if it hires people who have a history of theft or other crimes.”  </span></li><li><span style="font-size:inherit;"><em>Why?</em> Internal auditors should not settle for a superficial reason or a repetition of condition as the answer to this question. Instead, they should channel their inner four-year-old and keep asking, “Why?” For example: “This has arisen because senior managers in the facilities security team have not updated hiring processes in line with group policy, which requires background checks.”</span><span style="font-size:inherit;"> </span></li></ol><p><strong>Executive Summary</strong> Once internal auditors have articulated the key findings, it’s time to write the executive summary. The IIA Practice Guide, “Audit Reports: Communicating Assurance Engagement Results,” says the executive summary should “provide a clear and concise overview of the engagement results and efficiently deliver critical information with a persuasive, well-substantiated key message to stakeholders.” However, the summary should not be a condensed recitation of the findings. </p><p>Many clients will only take the time to read the executive summary, so it needs to provide high-level headlines. Broader themes such as underlying cultural or behavioral problems, a lack of governance, or other big items must feature in the executive summary.</p><p>Internal auditors should try to limit the executive summary to a short paragraph. It’s harder than people think, but readers appreciate such concise communication. </p><h3>HOW TO WRITE IT<br></h3><p>Standard 2420: Quality of Communications says, “Communications must be accurate, objective, clear, concise, constructive, complete, and timely.” To communicate in this way, internal auditors should follow the ABCs to keep writing active, brief, and concrete.<br></p><p><strong>Active</strong> The audit report should be written in the active rather than passive voice. Instead of saying, “The report was reviewed by the manager,” the report should say, “The manager reviewed the report.” The active version is shorter and clearer. </p><p>Often, report writers leave out the performer of the action altogether. For example, “The report was reviewed” is short, but it omits what could be useful information. A sentence such as, “The findings were discussed, rewritten, approved, and issued” contains four actions and no hint as to who performed any of them. One person? One team? Different people on different teams? The active voice helps avoid such confusion.</p><p>Because the active voice puts the responsible parties or area first, it may come across as blaming. However, overusing the passive voice produces writing full of vague, possibly misleading sentences. A good rule of thumb is to keep the use of passive voice in the report below 20%, which Microsoft Word readability statistics can calculate.<br></p><p><strong>Brief</strong> Report readers are busy, so internal auditors should use simple words and keep sentence length to 20 words at most (in English). Why would anyone want to wade through 20 pages when they could grasp the message in fewer than 10 pages of plain language? Again, Microsoft Word’s readability statistics function will help, as it provides the average number of words per sentence in a document.<br></p><p><strong>Concrete</strong> One way internal auditors can make their writing less abstract is to avoid nominalizations (also called verbal nouns). This happens when the writer takes a verb — analyze — and turns it into a noun — analysis. The result is a longer sentence. Instead of saying, “We performed an analysis of the data,” the writer should say, “We analyzed the data.” </p><p>Nominalizations make writing even harder to follow when people disappear completely from the sentence: “Analysis and further investigation led to discussions and decision-making.” The reader cannot determine who is analyzing, investigating, discussing, and deciding. </p><p>Some auditors may shy away from communicating so directly, especially in cultures that may see this as rude. However, if internal auditors have performed the engagement thoroughly and have material findings to report, the reader needs to know. Whether in reports, emails, or briefings, the ABCs will make it easier for readers to understand the message and act on it.</p><h3>TRUSTED ADVISORS, TRUSTED REPORTS<br></h3><p>When internal auditors understand their audience, keep communication factual, and focus on solutions, they create a professional and positive impression. They also avoid sending mixed messages and then wondering why no one has acted on the report recommendations.</p><p>Report writing — like all working practices — has changed greatly since the pandemic and will continue to evolve. Many internal audit departments are communicating more by phone and video, and producing more concise, targeted reports. With that goal in mind, internal auditors who can convey more with fewer words are of greater value to the organization.  <br></p>Sara I. James1
The 4 Pillars of Remote Work for Audit Teams 4 Pillars of Remote Work for Audit Teams<p>Flexible work options are common in the internal audit profession, but the COVID-19 pandemic has ushered in a new time when more and more auditors are working from home. Some audit departments were ready and adapted easily, while others scrambled to install appropriate infrastructure, security, and processes to support remote work. As the threat of the pandemic begins to ebb, some teams will return to traditional work environments while others may consider permanent changes to their office-centric arrangements. </p><p>This unique episode in business has demonstrated the viability of flexible, distributed work arrangements, as well as their pitfalls. Allowing internal audit teams to work from home can have significant benefits, but any distributed work strategy must carefully consider all potential security, managerial, and behavioral issues. </p><h3>BEYOND THE OFFICE<br></h3><p>Today’s office environment was born during the Industrial Revolution when workers needed access to paper documents and to be close to other employees to execute most processes. This traditional office spawned management techniques in which employees reported to work at a designated time, had controlled environments, and could be seen conducting their work. </p><p>The digital revolution has overturned the need for a central workplace by creating new opportunities for data to be accessible virtually anywhere. For example, internal auditors now can conduct routine reviews without being in the same location as the audit client. Many audit team leaders have embraced such efficiencies, including remote work, but others have been reluctant to let go of an office-centric culture. This reluctance may be due to audit leadership’s management philosophy, but it also may reflect an organizational philosophy over which audit has little control.</p><p>While remote work and other flexible arrangements have novel challenges and can have negative results, audit leaders should take an objective view of the trade-offs involved with them. A well-executed telecommuting strategy can yield tremendous benefits for internal auditors.<br></p><p> <strong>Enhanced Employee Morale and Retention</strong> Employees often cite “lack of respect for their time” as a leading contributor to work dissatisfaction and a primary reason for leaving a job. They desire, and increasingly expect, a flexible work environment. Job flexibility directly improves employee morale and reduces turnover because employees receive tangible benefits such as: </p><ul><li> <em>Trust.</em> Allowing employees this type of flexibility sends the message they are trusted to manage their time. </li><li> <em>Respect.</em> Flexible work arrangements demonstrate respect for the various pressures and demands employees face from all facets of their lives. This is key for employee retention.</li><li> <em>Reduced commutes.</em> Long commutes to and from work can be a primary contributor to unhappiness with one’s job. Eliminating commutes, even for a few days a week, can reduce frustration, give team members a greater sense of control, and provide them extra time on those days when their only commute is to another room in their home. </li><li> <em>Belonging.</em> Although it may seem counterintuitive, when employees have flexibility, they tend to be more loyal to the organization. Providing a work-from-home option decreases employee turnover by 50%, according to a Stanford University study published in <em>The Quarterly Journal of Economics</em>.  <br></li></ul><p> <br> <strong>Increased Productivity</strong> Employees who are more satisfied with their jobs tend to be more productive. The Stanford study finds that employees who work at home experience a 13% boost in productivity versus those who work in a traditional office. Employees who telecommute work the equivalent of 1.4 more days per month than do their office-based counterparts, according to a 2020 study by online employment company Airtasker. <br></p><p> <strong>Cost Savings</strong> When executed as part of a larger infrastructure strategy, allowing team members to work from home can result in significant savings. The increase in employee retention and improved performance can directly influence the bottom line. For many audit groups, though, the greatest savings can be from dramatically reducing the office space required. Even in hybrid operations where team members work at home and at the office, a carefully executed strategy that staggers office-based days can create tremendous savings. </p><p>To realize the full benefits of flexible work arrangements, internal audit functions need a carefully executed strategy. This strategy should be built upon four pillars: 1) infrastructure and security, 2) expectations management, 3) communication requirements, and 4) management adaptation.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h3>​Pillar 1: Infrastructure and Security</h3><p>The need to adjust work structures arose quickly with the pandemic. Audit teams were sent home to work and, in many cases, discovered team members had inadequate computers, slow internet connections, and lacked the means to maintain data and access security. </p><p>To have an effective long-term strategy, the internal audit function must anticipate these needs and be willing to make the necessary investment. Leaders cannot view such expenses as additive, and instead should see them as substitutions for other investments that would come in the long run. </p><p>Ideally, the audit team should prepare a budget that identifies additional expenses for a remote work strategy. This budget should start with a full inventory of all software, hardware, and infrastructure required. For example, audit teams may need to invest in cloud-based software rather than machine dependent software, virtual private network lines for audit team members to protect the data in transmission, encryption software for data storage, reliable high-speed internet service, standardized laptop computers, and mobile phones. </p><p>These expenses can appear daunting, but management should be aggressive in identifying cost savings to offset them. Internal audit could easily reduce the hardware and software licenses required in the office. Reducing the amount of office space could provide the greatest cost savings. <br></p></td></tr></tbody></table><h3>Pillar 2: Expectations Management</h3><p>With a change in workplace structure comes a related change in expectations. For example, an audit manager may expect a team member to be available during certain hours, yet the team member may have different views of the specific hours in which work is to be done. Also, there could be expectations about response time to team members or clients, availability for meetings, and possibly even dress codes for virtual meetings. </p><p>Audit teams face a unique challenge because they often have large projects involving multiple team members where each step depends on the completion of a task by someone else. This problem is especially exacerbated when work-from-home arrangements can result in some audit team members working from different time zones. </p><p>Too often, the greatest friction arises because there are different expectations that have simply not been articulated. Accordingly, audit teams must develop formal policies that delineate expectations. These policies should be developed collaboratively so team members fully understand the reasoning and necessity for such policies. Because the policies may not anticipate all issues that may arise, managers must revisit and revise them regularly. </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h3>​Pillar 3: Communications Requirements</h3><p>Managers should articulate their expectations for team member communication, but they should be accountable for enhanced communication, themselves. Remote work cultures generate a much greater need for communication, because team members no longer have the interpersonal cues available in an office environment. </p><p>For example, team members may have difficulty getting information from clients, face roadblocks on projects, get pulled into other projects, or even face personal struggles. Such difficulties need to be communicated to managers so they can adapt accordingly. However, while such communication might come naturally during meetings in an office setting, in remote settings, managers and team members must initiate the necessary communication proactively. </p><p>Managers should be deliberate about communicating frequently and, at times, they should even place check-in calls that don’t have a specific work agenda. These connections are critical; otherwise, employees can feel disconnected and not part of a cohesive team. Managers cannot communicate enough.<br></p></td></tr></tbody></table><h3>Pillar 4: Management Adaptation</h3><p>Changing management’s attitude is the most important and most difficult part of implementing a work-from-home strategy. Audit leaders often cite concerns about a “looser” work environment that would remove elements of accountability and result in reduced productivity, higher costs, poorer client service, and lower quality. They imagine scenarios where team members are easily distracted by their home environment and don’t prioritize work. </p><p>At the center of this discomfort is a feeling of loss of control and a major break from traditional methods when remote work becomes the norm. One reason for this feeling is many managers are accustomed to measuring input rather than output. If they can see a team member, then they assume that individual is working. </p><p>Simply stated, internal audit managers must adapt and start measuring results. For example, rather than measuring time in the office or hours billed to a job, managers could assess audit project effectiveness by measuring project throughput, trends in audit hours, hour variance from budget, or significance of analysis. Even in office environments, moving to a results-based focus that extends trust to team members can be effective and result in a better workplace culture. </p><h3>REALIZING THE BENEFITS<br></h3><p>The pandemic has provided an evolutionary break from the traditional office-centric paradigm. The work environment was already drifting toward more flexible arrangements that included remote work, but the pandemic hastened this trend and provided a realistic peek inside the new reality. The evidence is clear that flexible work environments enhance productivity, boost employee morale, and reduce expenses.</p><p>However, such benefits cannot be realized unless there is a careful approach that delineates expectations and provides clear parameters for audit leaders and their staffs. Each strategy could vary based on the size and nature of the audit department and organization, but any remote work strategy should include the four pillars to provide clarity to the team and generate optimal results. <br></p>W. Ken Harmon1

  • AuditBoard-September-2021-Premium-1
  • FastPath-September-2021-Premium-2
  • All-Star-September-2021-Premium-3