Return to the Workplace to the Workplace<p><span class="ms-rteStyle-Quote">​"Not everyone will be super comfortable with in-person interviews because of COVID-19, but I understand we are business as usual."</span><br></p><p>That's the response I got when I asked a warehouse manager if he preferred for me to conduct audit interviews in person or over Microsoft Teams. When my organization pivoted to working remotely in April, I was confident we were facing the greatest challenge our audit function would see in 2020. However, our return to the workplace and the new challenges it created proved me wrong.</p><p>I've read some outstanding articles and attended great webinars on best practices for auditing remotely, and I'm grateful these resources exist. But I fear many of us are failing to prepare adequately for how to audit when our companies shift back into a state of "normal" — or a new normal unlike anything we've experienced before.</p><p>My organization was one of the first to bring all of its corporate employees back to the workplace. With some precautions such as mask wearing in common areas and socially distanced seating in conference rooms, we were told it was "business as usual." However, I quickly learned that business as usual was anything but usual. </p><p>Some of my audit clients prefer in-person meetings. Others have asked me to conduct an entire audit virtually with file sharing and video calls from our individual offices in the same building. Still others have preferred a hybrid approach. While I'm still learning how best to navigate auditing during the pandemic, I've picked up a few tips along the way that I hope will help guide others as they also return to the workplace.<br></p><h2>Overcommunicate </h2><p>Communication is key in the best of times. In the worst of times — or a global pandemic — it's absolutely critical. I've started keeping a catalog of the department heads who prefer in-person meetings versus virtual meetings. If I'm not sure, I schedule the initial planning meeting as a video call, which sometimes results in their telling me to just come to their office. We then discuss their preferences as well as the goals for the audit and work together to find a way to accommodate both. </p><p>Sometimes it's a challenge. In the audit referenced above, we needed to observe some processes occurring in the warehouse, but some of the warehouse staff weren't comfortable with an in-person visit from internal audit. At the same time, they lacked the technology needed for us to perform a virtual observation. As I worked with the warehouse manager to find a solution that was both within his team's comfort level and conducive to providing the audit assurance we required, we found creative solutions. For example, he arranged for me to observe an employee who'd already contracted and recovered from COVID-19 and was less concerned about in-person interaction. We also established clear expectations — during my visit, for example, we would all wear masks and distance as much as possible. What had seemed like an auditing nightmare 30 minutes earlier quickly became feasible because of clear, intentional communication and expectation-setting.</p><p>In another audit, client team members expressed their preference for conducting all interviews virtually. We agreed to their request and arranged for video conferencing. One of the interviewees, a technical expert with the group, mentioned his exhaustion after our lengthy, 90-minute discussion. With an in-person interview, I would have quickly noticed the warning signs of exhaustion and asked if he wanted to end the meeting for the day and resume later. Since he was sharing his screen, I wasn't able to look for visual cues of discomfort. I learned the importance of more frequent check-ins during video calls and of giving clients more options up front for meeting lengths and structure.      </p><h2>People Not Politics </h2><p>One of the least foreseen challenges of COVID-19 era auditing has been avoiding what I call "pandemic politics." I work in a building with around 700 people, and each has his or her own perspective on how our COVID-19 response should have gone and how we should be acting in the workplace. Whether masks really work or are an invasion of personal liberty, the extent to which one should limit in-person social interactions, and whether COVID-19 is a devastating virus or "just the flu" are all topics about which most people seem to hold strong opinions. Of course, the mix of opinions held may also differ by region and culture. </p><p>I've found it helpful to avoid discussing the politics of the situation and instead focus on the people. I try to assess and defer to others' preferences and comfort levels whenever possible — as long as it does not conflict with the organization's COVID-19 policies —<strong><em> </em></strong>so that I'm not unintentionally sending the wrong message and damaging a working relationship.   </p><p>Auditors should feel empowered to communicate their preferences as well, and it can be done without getting political. There have been times, for example, when I've found myself uncomfortable with a proposed scenario that did not involve social distancing. Explaining that, as an auditor, it's important to follow the organization's social distancing policies has gone a long way in avoiding potentially dangerous situations without hurting feelings. I've also found that as I show my respect for others' preferences, they are quick to return the favor.          </p><h2>Establish Risk Appetite</h2><p>In every aspect of the business, internal auditors need to understand the risk appetite the board and management have chosen to adopt. Understanding the pandemic risk appetite is no exception. As an essential business that operates more than 850 convenience stores, my organization has taken on some risk to keep its stores open. Understanding this appetite helps me as I plan, perform, and report on audit and consulting reviews, including a lookback our chief audit executive (CAE) and I facilitated on our organization's COVID-19 response efforts.</p><p>However, it's also vital for me to set and define my own personal risk appetite and to verify that it generally aligns with that of my organization. Performing audits at my organization would be especially challenging if I were not willing to accept the risks of returning to our office, resuming some modified business travel, and interacting face-to-face (or mask-to-mask) with clients. Understanding my tolerance for COVID-19 risk has also enabled me to request accommodations at times — for example, asking to be booked on airlines that have strict cleaning procedures and require masks. It's also empowered me to make personal choices such as taking the stairs versus a crowded elevator, wearing a mask during meetings, or distancing myself during larger work gatherings.</p><p>If you are an audit leader, it's important to understand your staff's risk appetites as well. Several months ago, a coworker returned from an out-of-town audit where he was scheduled to observe a key second line function. The person he was supposed to observe had been running a fever but insisted he would be there for the audit meeting. Thankfully, my coworker knew his own risk appetite and had been empowered by our CAE to make the right choice by rescheduling the observation. This turned out to be particularly fortuitous as the person he would have been observing received a positive COVID-19 test result later that day.<br></p><h2>Be Agile</h2><p>We had our "normal" audit process pre-COVID-19. Then we developed a new normal during our pivot-to-home time and again when we returned to the office. But frankly, my new normal changes with every new engagement I begin. It changes with every meeting I conduct and every project I lead. Change is our new normal. I used to believe that communication was the most essential skill for a 21<sup>st</sup> century auditor. I now believe it to be agility. Only through proactively anticipating and adapting to a constant state of change will we succeed in staying relevant and delivering value both during and after the pandemic.</p><p>Agility involves looking at each engagement with a fresh eye. Reusing the previous year's work program is widely regarded as a dangerous audit pitfall, yet many auditors still blindly follow this practice. During the planning phase of every audit, our group tries to approach the scope with an open mind and adapt our procedures to add the most value. Sometimes this involves adding a consulting component. Sometimes it involves scoping out a low-risk area or focusing more on an emerging risk. I have yet to work on an audit where the risk control matrix was identical from year to year. While agility has historically been a core element of our internal audit department, the pandemic and its new challenges have only emphasized its importance.  </p><h2>Keep Innovating</h2><p>While the pandemic brought unprecedented challenges, auditors responded with insight and innovation. In many organizations, auditors took on new roles as trusted advisors, using their knowledge of risk to provide advice and assurance in nontraditional ways. Some auditors assisted with evaluating or advising on the COVID-19 response plan. Others developed more efficient procedures using data analytics or robotic process automation. Auditors found that not only could they audit remotely, but they could also minimize disruption to the business. We found that, in some cases, auditing virtually actually provided benefits. </p><p>It could be temping when returning to the workplace to go back to "business as usual," especially if at that point the threat of COVID-19 is greatly reduced. Or it could be tempting to retain all the changes made during the pandemic. But we must evaluate which changes were true innovations that we should keep versus adaptations needed for a period of time. We must also keep innovating at the same speed we did in 2020 because emerging risks aren't slowing down. </p><p>Auditors proved in 2020 that we were capable of rapid, creative, and noteworthy innovations. It's only by continuing along that revolutionary path that we can continue to increase the value audit provides into 2021 and beyond.<br></p>Jami Shine1
Update: Audit's Pulse Is Strong Audit's Pulse Is Strong<p>​The IIA's latest North American Pulse of Internal Audit report reveals the profession is doing better than many audit leaders initially feared under the shadow of the COVID-19 pandemic. The survey of 588 internal audit leaders finds that although the pandemic's impact on organizations has been severe, its impact on internal audit has been largely stable. </p><p>For example, 80% of health-care industry respondents rate the pandemic's impact as extensive for the organization, but only 37% say it had an extensive impact on internal audit. Less than 20% of audit leaders in financial and insurance organizations rate COVID-19's impact as minimal for the overall organization, but 41% rate it as minimal for internal audit.</p><p>This is not to say that internal audit functions were unaffected, however. Travel budgets were drastically reduced across industries. Yet despite such cuts, many variables that are most important to assessing internal audit's health remain relatively stable.</p><p>For example, only 17% of respondents report internal audit staffing budgets were cut, and only 26% say their external sourcing budgets have decreased. For professional development, 69% of respondents say their budgets stayed about the same or increased. </p><p>Overall, 44% say their budgets have stayed about the same. Internal audit staffing was more stable, with 64% reporting their staffing levels remain unchanged. </p><p><img src="/2021/PublishingImages/Update-apr%2721-factoid-1.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:190px;height:722px;" />Although internal audit functions still face challenges as a result of the pandemic, such signs are encouraging as the economy recovers. "While the pandemic continues to extract a heavy cost and organizations manage through crisis, many internal audit functions have been able to adapt, innovate, and rise to the challenge," says Jim Pelletier, vice president, Professional Standards and Knowledge, at The IIA. <strong>— L. Wamsley</strong><br></p><h2>ESG Is Top Success Driver<br></h2><h3>Investors link environmental and social impact to value.<br></h3><p>Nearly half of institutional investors rate the integration of material environmental, social, and governance (ESG) opportunities into strategy as the biggest driver of success, according to the EY Center for Board Matters' 2021 Proxy Season Preview. Of the more than 60 institutional investors surveyed, 42% cite the diversity of the board, management, and workforce as a top driver. </p><p>The report offers six ways to help companies enhance their ESG reporting, starting with focusing on topics that intersect with the business and its strategy. It advises that "investors want boards to help companies adapt their strategies for a future in which prioritizing stakeholders and considering environmental and social impacts will be critical to building resilience and creating long-term value."</p><p>Without mandated ESG reporting globally, ratings systems have proliferated but are poorly correlated, according to Aggregate Confusion: The Divergence of ESG Ratings, a working paper from the MIT Sloan School of Management. One attempt to establish a global set of uniform standards is Stakeholder Capitalism Metrics, released in September 2020 by the World Economic Forum International Business Council. <strong>— L. Nelson</strong><br></p><h2>Contrasting Views of Today's Risks <br></h2><h3>Global studies warn of digital- and pandemic-related threats. <br></h3><p>Risk is in the eye of the beholder, and such is the case in looking at two global risk reports for 2021 and beyond. There are crossover areas of risk in the Global Risks Report 2021 from the World Economic Forum (WEF) and Executive Perspectives on Top Risks for 2021 and 2030 from North Carolina State University and Protiviti. Predictably, the pandemic rose to the top of both studies. </p><p>The WEF report focuses on societal impacts of risk based on insights from about 650 respondents representing international coalitions, business leaders, academia, and government and nongovernmental organizations. The N.C. State/Protiviti report represents the views of 1,081 C-suite executives and board members. Each respondent group sees the pandemic from different perspectives.</p><p>Business leaders view the crisis through the lens of pandemic-related policies and regulations as well as how economic conditions may constrain growth and reduce customer demand. The WEF study, meanwhile, identifies livelihood crises and youth disillusionment as knock-on effects of the pandemic. </p><p>Digital disruption also features prominently in both surveys, with business leaders concerned about retraining employees and competing with "born-digital" companies. In contrast, the WEF report examines this risk through the lens of digital inequality, digital power concentration, and adverse technology advances. Cyber risk is echoed in both studies.</p><p>The biggest disconnect involves climate change. The environment is not as high on the radar of business leaders, with some exceptions. "Climate is in there, but it's not a short-term issue for 2021," said Mark Beasley, director of the Enterprise Risk Management Initiative at N.C. State University in Raleigh, during a recent Protiviti webinar. </p><p>Conversely, climate action failure, human-caused damage, extreme weather, and biodiversity loss rank high in the WEF's risk survey. <strong>— C. Janesko</strong></p><h2> <img src="/2021/PublishingImages/Bob-Zukis-215x240.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Cyber Governance After SolarWinds<br></h2><h3>Following the massive 2020 cyberattack, boards will be accountable for catastrophic systemic risks, says Digital Directors Network CEO Bob Zukis.</h3><p> <strong>Is the magnitude of the SolarWinds attack putting pressure on boards to be accountable for cybersecurity governance? </strong></p><p>While I don't think we'll see a Sarbanes-Oxley-like regulatory response, it will result in some targeted legislation — specifically the U.S. Cybersecurity Disclosure Act. This legislation will require the board to disclose if it has any directors with cybersecurity skills. Now cybersecurity is an investor and consumer public interest issue, the stakes are high financially, and it's clearly in the public interest. So regulators have to act because companies are not even taking the basic steps they should be.<br></p><p>In terms of governance, the SolarWinds breach is highlighting the scale and scope of systemic risk — that is, risk within and between the parts of a highly connected digital ecosystem. This also will be a real challenge for the technology industry to identify and mitigate systemic risk issues and concerns for their products. The first class-action lawsuit has already been filed against SolarWinds focusing on claims of misleading disclosures around the impact of its products to its customers. But every company's digital business system is also inherently rife with systemic risk.<br></p><p> <strong>Are directors knowledgeable enough about the risks and all the different ways attacks can occur to provide effective oversight and governance?</strong></p><p>Most corporate boards are nowhere near where they need to be. The fact that well over 50% of the S&P 500 still tasks their audit committee with cybersecurity risk oversight is one warning sign. However, there is a small group of leaders who get it. They are putting cybersecurity skills onto their boards, organizing their boardroom efforts on these issues in focused technology and cybersecurity committees, and starting to change how they understand risk — moving beyond conventional risk management into systemic risk management.</p><p>While accounting and finance directors on audit committees do a great job, the skills and competencies aren't there to effectively oversee the cybersecurity agenda. You can't govern what you don't understand. Directors need to do much more than ask questions; they are there to question and understand answers.</p><p> <img src="/2021/PublishingImages/Update-apr%2721-factoid-2.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:190px;" />The full board should also be trained and develop a base competency in digital and cybersecurity risk oversight. As more and more business value drives through digital means and channels, boardrooms need that cybersecurity breadth and depth to protect the digital value that they are creating.</p><p> <strong>How can internal audit functions help boards be more prepared and informed to address cybersecurity risks?</strong></p><p>This is the lesson from SolarWinds and the digital business system: Companies will continue to neglect systemic risk at their peril. Systemic failure is often much faster and cataclysmic than traditional risk failures. That's what's unique about cybersecurity risk — there is a constant battle to take or impair value going on. Improve your odds of winning that battle, and it drives a better business outcome. Cybersecurity risk is also increasingly looking to exploit the inherent systemic weaknesses in complex digital business systems, so the two need to work together. </p><p>This is where internal audit has a critical role to play in understanding, managing, and mitigating systemic risks throughout a business. Cybersecurity risk is the active threat to the digital business system. The internal audit function has an entirely new world of risk to begin to understand, and it's all about systemic risk. Delaware Supreme Court Chief Justice Collins Seitz recently said, "Boards must be able to demonstrate credibly that they are thinking about systemic risk." If the courts are making this kind of a statement, they are clearly anticipating holding the board to a higher standard of accountability to this issue.<br></p><h2>Fixing America’s Broken Infrastructure<br></h2><h3>Investment is needed to raise competitiveness, report says.<br></h3><p>Revitalizing U.S. infrastructure is a recurring theme in the political platforms of the country's two main political parties. Yet, "nearly every facet of the country's infrastructure is below global standards and deteriorating daily," says a report from the Committee for Economic Development of The Conference Board. </p><p>COVID-19 has only "increased the urgency of raising America's global competitiveness," according to A U.S. Infrastructure Plan: Building for the Long Haul. The report from the New York-based business think tank notes that federal nondefense physical investment has generally declined since the 1960s. </p><p>Closing the U.S. infrastructure gap will require principled cost-benefit analyses, sound use of public–private partnerships, and alternative approaches for using private investment resources, the report advises. Efficient choices will account for climate change risk and incorporate user fees into sustainable funding, according to the report. <strong>— L. Nelson</strong><br></p>Staff1
Learning, Growth, and Inclusion, Growth, and Inclusion<p>​Just weeks after accepting his position as IIA president and CEO, Anthony Pugliese's schedule was jam packed with IIA-related activities. He arrived bright-eyed and smiling at IIA Global Headquarters for meetings, interviews, and a photo shoot amid a whirlwind schedule.</p><p>That whirlwind will no doubt intensify as Pugliese officially takes the helm, replacing longtime leader Richard Chambers. He says he is enthusiastic about the potential for a more vibrant, innovative, and future-ready internal audit profession — and IIA. His vision prioritizes new approaches to learning and training; technological advancement and acumen; human intelligence skills; and diversity, equity, and inclusion (DE&I) — all vital to internal audit's long-term growth and relevance, he says. </p><p>"Internal auditors get to see the whole organization in a way that not many others do," Pugliese says. "That can be challenging, but it's also exciting because it never stops changing and our profession gets to be in the middle of it, advising management and giving assurance to shareholders and audit committees." </p><p>Pugliese's broad experience includes seven years at Deloitte, 21 years at the Association of International Certified Professional Accountants (AICPA), and more than two years in his most recent position, president and CEO of the California Society of CPAs (CalCPA), the largest state CPA organization in the U.S. The IIA's Global Executive Search Committee selected him after a meticulous, stakeholder-informed global search. "Anthony has the breadth, depth, and scale of experience, business acumen, and strategic thinking that will facilitate the growth of The IIA and ready it for the future of the internal audit profession — from membership and global advocacy to digital transformation and technological innovation," says Mike Joyce, Blue Cross Blue Shield Association vice president, chief auditor and compliance officer, who chaired the committee.</p><h2>Turning Vision Into Action</h2><p>When digging into his new role at The IIA, Pugliese asked individual stakeholders open-ended questions, allowing themes to emerge organically. He takes in data "constantly and quickly," he says, combining intuition and judgment, grounded in the facts he has available. "I don't like to get bogged down, and I try to find the common themes," he notes. "Complex problems can often be simplified with questions like, 'Why do we do that?' or 'What are we trying to fix?'"</p><p>Pugliese's ability to consume information quickly and distill it into a clear strategy has been noted throughout his career. "Anthony has a superhuman ability to synthesize information from across the organization, connect ideas and people, and drive collaboration and results — all with a sense of humor and wit that makes working with him feel like fun," says Heather Pownall, a management consultant for (ISC)<sup>2</sup>, who worked in business development under Pugliese's leadership at the AICPA. "He was the connective tissue, understanding everything that was going on across the organization and unifying the executive team."</p><p>The IIA's Executive Search Committee noted that Pugliese exuberantly takes on challenges and develops vision, strategy, and actionable plans. "Establishing a vision and being able to drive it through is a critical leadership skill," says Charlie Wright, Jack Henry & Associates chief risk officer, who served on the committee. "Anthony is a seasoned association leader who has a strategic focus on running a business, which will be critical to taking The IIA from where it is today and bringing us into tomorrow. He has very creative ideas about partnerships, our approach to training, how to respond to disruptive technology, and how to advance our digital transformation process."</p><h2>Responding to Change and Disruption</h2><p>A key priority for Pugliese is ensuring the internal audit profession remains relevant in today's highly disruptive business environment. Internal auditors must keep moving beyond their comfort zones, he says. They must consistently seek to expand their awareness and update their competencies through continuing education and training, especially in the areas of technology; human intelligence; and environmental, social, and governance (ESG). "The primary role of any professional association is to make sure that its members stay relevant," he explains. "The world is at a point where change is so fast that the people coming out of colleges and universities have more knowledge than the people mentoring and supervising them, so it's really incumbent upon our members to keep up. That is why I think education is so important."</p><p>While internal auditors hold the responsibility for seeking opportunities to learn, Pugliese also recognizes that The IIA must continually produce training on timely, relevant topics and design training platforms that attract members and give them something valuable. "We have to figure out a way to make learning fun so that people want to do it and that it's relevant to the issues we want to solve," he says. "Successful training means members walk out knowing how to do something versus just being able to remember what they heard."</p><p>Pugliese also says internal auditors need to be on the leading edge of awareness about technological developments and trends. "Technology has gone from being a way of increasing efficiency to something that is far more transformative across business and surely across every profession," Pugliese told Richard Chambers in a February edition of Chambers' IA Insights and Advice video series. "Embracing some of the disruptive aspects of business today and being able to guide management and boards and audit committees through things like technological disruption is going to be huge in positioning us for ongoing relevancy."</p><h2>Going Beyond Technology</h2><p>But internal auditors should not limit their continuing education to technology, Pugliese says. ESG is a burgeoning area that internal auditors are well-positioned to address. "Measuring and assessing nonfinancial indicators of success is really exciting, and internal auditors are very well-situated to do that kind of work, in fact better than almost any other profession," he says. "It's one of the biggest opportunities I've seen for internal audit to add value in a tangible way, not just to management and the board, but to everybody."</p><p>Human intelligence competency is also important for internal auditors. "Those skills you don't necessarily consider critical to a job — perception, intuition, and teamwork — actually are becoming more important," Pugliese says. "Internal auditors have to rely on many different people in the conduct of their work; they can't possibly know it all. So being able to assemble and lead a team is vital. Sometimes those skills are natural or innate, but often you can acquire them." </p><p>A self-described extrovert, Pugliese counts humor among his human intelligence skills. "Sometimes people can be overly serious when the situation doesn't warrant it," he says. "I found out early on that if you've got a good knack for using the right kind of humor and the right timing, it can defuse a lot of tension and anxiety." </p><p>While a love of people and a quick wit seem to come naturally to Pugliese, self-awareness, which he defines as understanding the way one is perceived by others, is more hard-won. "That's actually very important for any job, but particularly in the CEO role, much of what you do is to motivate people," he says.</p><h2>Cultivating An Inclusive Culture</h2><p>Pugliese is known for his ability to engage and empower people — key ingredients for building an inclusive culture. Terry Grafenstine, global chief auditor for technology at Citi, is a longtime IIA volunteer and member who met Pugliese while serving on the AICPA's board. As a public sector internal auditor, she was worried about fitting into a group dominated by private industry CPAs. "Anthony made me feel so welcome, like the things that I contributed were different and meaningful," Grafenstine recounts. She says Pugliese was instrumental in the AICPA's merger with the U.K.-based Chartered Institute of Management Accountants (CIMA) and that he brought together individuals from different cultures, backgrounds, and industries, and motivated them around a common vision. "He made us feel like what we each had to say was important, and as a result, he got more out of the sum than the parts," Grafenstine explains.</p><p>Demonstrated effectiveness as a driver of inclusive culture was important to the executive search committee and the stakeholders surveyed by the committee at the onset of the process. The business benefits include increasing collaboration between IIA Headquarters and global affiliates and members, which ensures global voices feel equally heard and valued and maximizes the sharing of intellectual capital, according to Joyce. "We want to support diversity and inclusion throughout The IIA, both in the workplace and among our membership globally, so we probed all the candidates about their experience and engagement around that," Joyce explains.</p><h2>Taking Action on Diversity </h2><p>Pugliese says people often avoid the topic of diversity because they don't understand what to do with it. "It can be uncomfortable for some people," he says. "Yet when you talk to someone in an underrepresented population, it's really not that uncomfortable, because people want to talk and to give their point of view. And you just have to be respectful."</p><p>Pugliese has proven his willingness to tackle such issues directly, with measured thought and action. Following the death of George Floyd, a Black man who died while being restrained by Minneapolis police last year, Pugliese issued a DE&I statement to the membership of CalCPA, committing to form a member-led DE&I committee responsible for establishing goals and practices to identify and address racial inequities. Additionally, CalCPA and the Institute of Management Accountants jointly issued a survey-driven report that exposed troubling disparities in the senior ranks of the accounting industry. "We have gotten a little bit better on hiring, in terms of bringing in underrepresented populations, but we haven't done much better in terms of bringing those individuals all the way up into key senior management roles," Pugliese explains. "And I sense the same concerns are here in the internal audit profession, so we're going to continue this work." </p><p>In addition to being the right thing to do, the survival of the profession is contingent upon underrepresented groups seeing themselves in business roles like internal auditing, Pugliese adds. "Diversity, equity, and inclusion are business decisions as much as they are ethical decisions," he says, noting that changing demographics alone make diversity "intrinsically important" to the pipeline of future auditors. </p><p>Pugliese says having a global board of directors with members from underrepresented groups will lead this progress. "They get it, including me; for the LGBTQIA population, I get it," he says. Leveraging personal experiences will foster multiple approaches to success, he notes, but the process of trying various plans of attack prompts an urgency in getting started. "There's not one magic program."</p><h2>Embracing Change</h2><p>As organizations face a whirlwind of change, technologically and socially, internal auditors must be ready to go all in on the unique opportunities at their fingertips. Pugliese is palpably enthusiastic about ensuring The IIA is the dynamic and inclusive authority, educator, and advocate to help the profession seize those opportunities globally.</p><p>"His energy is clearly contagious," says Jenitha John, CEO of the Independent Regulatory Board for Auditors and IIA Global Board chair, who served on the search committee. She and others laud Pugliese's insight, foresight, and fresh perspectives as well as his ability to parlay them into a vision for The IIA. "Anthony demonstrates the caliber and attributes we require in the next CEO," she says. "We look forward to his expertise and wisdom."<br></p>Lauressa Nelson0
How Do You Measure Internal Audit Value? Do You Measure Internal Audit Value?<p>​The importance of internal audit value delivery to the organization it serves has been recognized and encouraged by The IIA for years. In fact, value focus is noted in the International Professional Practices Framework (IPPF) elements, including the Mission, Definition, <em>International Standards for the Professional Practice of Internal Auditing</em>, Code of Ethics, Core Principles, and The IIA’s Value Proposition.</p><p>Today, value can only be delivered when internal audit innovates in who it hires, what it assesses, and how it executes and communicates; understands and aligns with organizational strategies; and has a laser focus on critical and emerging risk areas. Stakeholders expect internal audit to have broad, unrestricted scopes expanding beyond financial risks and encompassing operational and strategic areas. Increasingly, stakeholders expect internal audit to address not just hard topics, but also soft topics, such as the quality of the culture and the control environment. The services internal auditors provide to stakeholders must deliver:</p><ul><li>Knowledge about major organizational risks, related mitigation, and needed improvements.</li><li>Assurance that sufficient risk mitigation (generally internal control) is in place and operating.</li><li><p>Objective insights, arising from analysis and organizational experience, to improve organizational agility, efficiency, and effectiveness. <br></p></li></ul><p>Knowledge, assurance, objectivity, and insight are difficult to measure directly. Many CAEs resort to process measurements, such as completion of the approved audit plan or meeting cycle time to issue a final report, as surrogates for measuring the value of their services. </p><h2>The Wrong Metrics<br></h2><p>Internal audit is not the only profession that struggles with the value question. For example, in the medical field, value — or quality of care rendered — is certainly a goal. But quality of care is hard to objectively measure, so doctors often are evaluated by process measures, such as the number of patients treated in a day. Unfortunately, this may reduce the ability to achieve the value goal, as doctors motivated to see more patients may spend less time with each one, resulting in less ability to understand and deliver the quality of care required. </p><p>Similarly, CAEs who focus on process metrics such as completion of the approved audit plan may undermine their value delivery goal by focusing on finishing audits, rather than considering extending an audit to deliver better assurance or more focused recommendations. Or consider the risk of perfectly executing the wrong plan that delivers zero value, but results in a high metric. Clearly, completion of the audit plan does not measure value delivered. But what metric does or could?</p><h2>Challenges of Measurement<br></h2><p>Directly measuring value is challenging. Examples of some of the more significant challenges to measuring value are described here. <br></p><p><strong>Stakeholder Expectations</strong> Internal auditors must first understand what their stakeholders want and how they view value, and then measure against those wants and expectations. But the reality is that some stakeholders may not understand the breadth of capabilities a modern internal audit function has, or may even want a less aggressive function that doesn’t challenge the status quo. In such a situation, stakeholder expectations may be significantly lower than the role described in the Mission and Definition of internal auditing. The opposite is also possible, with stakeholder expectations far exceeding a reasonable performance level. And to make it even more challenging, expectations might vary for the board versus senior management. Audit research has shown that boards focus more on assurance while management primarily seeks new insights from internal audit. <br></p><p><strong>Subjective Nature</strong> Value is often in the eye of the beholder and not easily quantified. For example, an internal auditor who helps management identify and correct inefficiencies in a new process design is certainly delivering value. But how does one quantify time and resources not wasted on a design because it was corrected pre-implementation? <br></p><p><strong>Client Surveys</strong> Many CAEs presume they can measure value by asking clients if they have received value from audit work performed. The challenge is that client responses may be skewed by their emotional reaction to a recent audit. Or they may not have a reasonable or best-in-class expectation so their feedback may be based on flawed criteria. Finally, surveys may be asking the wrong questions by inquiring about audit processes rather than value received.<br></p><p><strong>Nature of the Audit Engagement</strong> One objective of an assurance engagement is to assess the effectiveness of risk management and report on the assessment to the board and senior management. Value may come from providing assurance that risks are well-managed. In other engagements with an advisory focus, such as helping management design risk management processes for a new acquisition or system, value may be less about assurance and more about providing recommendations to improve a control design. In audit investigations, value may be about dollars recovered. This is not to suggest these three examples are mutually exclusive. But it does affirm that value is complex and it is unlikely that any one metric can cover any and all services. </p><h2>Importance of Measurements<br></h2><p>Internal auditors want to make a positive contribution to their organizations. Unfortunately, in far too many cases, the measurements or key performance indicators that the profession uses to attempt to measure staff (and perhaps evaluate staff) can unintentionally drive the opposite behavior desired. </p><p>Stories abound of auditors who focused on the timeline, the budget, or the calendar — delivering against standard metrics but not delivering true value. Worse are the stories where auditors avoided audit areas that could have provided value in favor of maximizing process metrics, such as concluding an audit on time by ignoring warning signs that emerged late in an audit. </p><h2>A Balanced Approach<br></h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>INTERNAL AUDIT FOUNDATIONS</strong><p>Aside from having the right measurements, the foundations of the internal audit function must already be in place. Their importance cannot be overstated.</p><ul><li>A documented mission focused on value delivery and helping the organization achieve its strategies and objectives.</li><li>A clear and appropriate charter providing requisite authority, access, and unrestricted scope.</li><li>A risk-based audit plan approved by the board that is routinely adjusted as the organization’s risks change. </li><li>A professional team with broad and appropriate skills and qualifications. </li><li>A courageous and respected CAE who is willing to tackle and communicate challenging issues, while striving to innovate and continuously enhance the team’s capabilities and performance.</li><li>Regular interaction with, and feedback from, key stakeholders to ensure a mutual understanding of evolving expectations.<br></li></ul></td></tr></tbody></table><p>To avoid the shortcomings of solely relying on process metrics, CAEs should  implement a balanced set of complementary measures. These measurements, tracked over time, can indicate if a function’s focus on value is, in fact, the top priority for the audit team and paying off in organizational improvements and client satisfaction. The four categories of measurements recommended include value drivers, client behavior, client feedback, and audit process. Coupled with the elements listed in “Internal Audit Foundations” at right, these balanced measurements enable internal audit to plan, execute, measure, and communicate value delivered.<br></p><p><strong>Value Drivers</strong> These measurements consider the fundamental behaviors that should lead to relatively higher quality performance. Measurements such as the percentage of auditors with masters’ degrees or certified internal auditors, adherence to the IPPF, or the percentage of auditors with operating or managerial experience will increase the likelihood of value delivery. <br></p><p><strong>Client Behavior</strong> These measurements reflect value if management or the board solicits internal audit assistance, positively corrects identified audit issues timely, and actively seeks internal auditors for special projects or open positions. These can include increasing requests over time from a cross section of functions within an organization, the trend of corrective actions implemented on time, a reduction of repeat findings, or the number of auditors placed in other roles throughout the organization.</p><p>A positive trend in such metrics suggests that management recognizes the value of the internal audit function and the importance of correcting issues noted. To achieve a positive trend, internal audit must focus on higher relative risk areas, effectively communicate the importance and impact of audit issues identified, and help identify solutions that address the root cause. The “Why did this happen?” and “Who cares?” questions must be convincingly answered to persuade management to reprioritize activities and implement corrective action. To be sought out for new roles, auditors must earn management’s respect for their organizational knowledge, balanced judgment, communication skills, and ability to identify and help manage risks.<br></p><p><strong>Client Feedback</strong> Client surveys can be an effective tool to capture the subjective view of value from management’s perspective. However, they must be used with great thought and care. Suggestions for ensuring the effectiveness of this tool include:</p><p>Focusing surveys on management’s perceptions and experiences with the audit team and results, and not on the audit process. Surveys that ask if a planning meeting was held or if the report was issued timely focus on the process and provide information that audit management should already know. Rather, ask questions to solicit management’s viewpoints. Did the audit team present itself professionally? Was management informed on the area under review? Were the results presented accurately, fairly, and timely? Did management receive value from the audit? Would management seek internal audit’s assistance in the future? </p><p>Providing an opportunity for written comments, not just numerical ratings. Better yet, offer an opportunity for a live conversation with the CAE or internal audit management to discuss and probe areas of satisfaction or dissatisfaction.</p><p>Avoiding using client survey results in auditor performance reviews, which risks creating a conflict with the auditor when difficult issues arise in an audit. Auditors should be courageous and willing to question the status quo to offer insights. The last thing an auditor should ask is, “Do I pursue the issue and irritate management, which is evaluating me soon? Or do I soften or drop the issue to get a higher rating?” <br></p><p><strong>Audit Process</strong> These measures are typically used today. Value is inferred if the audit plan has been approved and is executed timely — with appropriate changes as the risk profile of the organization evolves — and if audit results are communicated timely. It remains useful when balanced with other measurements and are not the primary focus of performance feedback.</p><h2>Reinforcing Audit's Mission<br></h2><p>Organizations are changing at warp speed. To keep up, internal audit needs to be agile, responsive, and focused on value delivery — and the right metrics can reinforce the desired value-based behaviors. Even with a balanced set of measurements, value delivery is still not directly measured. However, by evaluating value drivers, client behavior, and client feedback trends, as well as audit process measurements, audit management will have a much stronger indication of value delivered and improvement over time. And, critically, this balanced set will reinforce the value-based mission of the internal audit function, motivating the audit team and minimizing the risk that it focuses on the due date and budget rather than the substance of the audit. <br></p>Patricia K. Miller1
Putting the Auditors First the Auditors First<p></p><p>Internal audit strategies tend to focus on what we will do for the organization, often using verbiage found in the International Professional Practices Framework. Phrases like “independent and objective,” “assurance and consulting activity,” “enhance and protect value,” and “systematic and disciplined approach” populate most departmental vision and mission statements. And the underlying goals and objectives reinforce these positions with phrases related to ensuring controls function correctly, supporting risk management, reporting results, and performing follow-ups. (While researching this column, I found one department whose first stated objective was to achieve the department’s objectives.)</p><p>This is all well and good. The concepts and traits contained therein are important to our success and our ability to support the organizations we serve. They help build the solid foundation that allows internal audit functions to do the work they need to do. But we may be missing something important in all this.</p><p>Organizations have realized that when they take care of the employees, the employees will take care of the customer. Herb Kelleher, co-founder and former CEO of Southwest Airlines — an organization widely respected for its customer service — put it most succinctly: “You have to treat your employees like customers.” With the realization that happy employees make happy customers, those organizations are putting employees first. And they’re succeeding. </p><p>If this is all true — and solid research as well as anecdotal references support the concept of putting employees first — then what does it mean for internal auditors? The underlying question becomes: How does your internal audit department treat its internal auditors? </p><p>At this point I suspect many are rising to their feet proclaiming, “Our internal auditors are the No. 1 asset in our department.” But if the auditors are the most important part of the audit department — if they are, indeed, No. 1 — is that allegiance professed in the department’s visions, missions, or objectives?</p><p>I recently became aware of an audit department that lists its No. 1 core value as the hiring and continuous training of the best people. That is a strong statement, and it speaks volumes about the department. But it stands out because it is a rare sighting in the world of internal audit.</p><p>The only way any audit department succeeds is because of the people who do the work. And even if audit leaders believe the auditors who do the work are their No. 1 priority, that belief is meaningless if they haven’t articulated and exhibited it. Without formal acknowledgment, it’s just hot air flowing into the balloon employees will climb aboard as they leave the department.</p><p>Audit leaders should take a closer look at their mission, vision, objectives, and charter. And they should make sure that their No. 1 asset — the people — is a proud and prominent part of what is being valued. <br></p>Mike Jacka1
Flowchart Basics Basics<p></p><p>When Frank and Lillian Gilbreth introduced the first process flowchart to a group of engineers in 1921, the innovative method of giving a pictorial view of a process quickly gained admiration in the academic and business worlds. Flowcharts gained popularity over the decades and today are used by many professions. Accordingly, by the 1970s, the International Organization for Standardization (ISO) developed standards around them. </p><p>Internal auditors may have mixed reactions about flowcharts. Many will venture to reveal their love-hate relationship as there are often flashbacks to a great amount of time and effort — and, possibly, frustration — in creating, validating, correcting, and recreating flowcharts. Others may refer to the adage, “a picture is worth a thousand words.” Regardless, these diagrams are valuable tools for auditors and have many applications. Currently, technologies such as process mining are revolutionizing the way flowcharts are created and analyzed because of their transparency and the value of information they provide.</p><p>In simple terms, a flowchart is a visual representation of a process showing activities and workflow. These illustrations present steps, systems, and information inputs and outputs, all represented by various symbols. In other words, a flowchart is a map that shows specific features in a process and how data, documents, systems, individuals or departments, actions, and decisions flow and interact. In short, flowcharts can make complex information easier to understand. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>RELATED STANDARDS</strong><br></p><p>Several IIA implementation guides mention flowcharts for planning and execution purposes. The most significant are: <br></p><ul><li>Standard 2201: Planning Considerations</li><li>Standard 2300: Performing the Engagement</li><li>Standard 2310: Identifying Information</li><li>Standard 2320: Analysis and Evaluation</li><li>Standard 2330: Documenting Information</li></ul></td></tr></tbody></table><p>Flowcharts are typically easy to read and understand given the global standardization of symbols. For example, processes are represented by rectangles, decision points by diamonds, manual steps by trapezoids, and databases by cylinders. These symbols are connected by arrows showing the linked activity in the process. Flowcharts may contain short notes or comments to provide additional details and may even include a legend. In addition, flowcharts generally have a structured flow, such as top to bottom or left to right, and contain multipage connectors, if needed, along with start and end points.</p><h2>Uses</h2><p>Internal auditors use flowcharts in their work for various reasons, including: </p><ul><li><strong>Training and guidance</strong> – incorporated in manuals, presentations, and other educational materials, or as part of policies, guidelines, or methodologies to complement or illustrate narrated procedures and requirements. </li><li><strong>Execution and delivery of engagements</strong> – to understand processes and controls design during engagement planning, analyze and evaluate information throughout project execution, and support the formulation of results and opinions. For example, auditors use flowcharts to identify control gaps or process inefficiencies or, when appropriate, as concise visuals in reporting. <br></li><li><strong>Fulfilling requirements</strong> – to support organizations that must meet regulatory requirements, such as the U.S. Sarbanes-Oxley Act of 2002, which requires the documentation of business processes and internal controls (e.g., used to complement narratives and risk/control matrices) or to obtain and maintain accreditations such as specific ISO certifications.</li></ul><h2>Limitations</h2><p>While flowcharts are useful for auditors, they also have certain limitations, such as: </p><ul><li><strong>Structure.</strong> One of the biggest limitations is that flowcharts tend to focus on a linear flow. They also present a process as intended to be, instead of how a process actually operates.<br></li><li><strong>Oversimplification.</strong> To make it easier for people to understand, flowcharts oversimplify processes and data flows. In addition, when auditors rely exclusively on flowcharts they may miss risks outside the processes, including emerging risks, as well as the critically important soft controls. </li><li><strong>Overcomplication.</strong> Just as oversimplification can be an issue, providing too much detail can result in awkward, complex, and non-visually appealing maps. </li><li><strong>Administrative burden.</strong> Creating and updating flowcharts requires resources. Revisions may be necessary to create the right diagram when auditors should be spending their time focusing on other areas.</li></ul><h2>Process Mining</h2><p>Process mining is a technology and technique used for discovering, monitoring, and improving processes. This method involves extracting recorded data from event logs in information systems and illustrating actual process flows and variations. While traditional flowcharts illustrate an assumed process, process mining provides a representation of the real process. Because process mapping can be fast, fully automated, and repeated, organizations are using the technology in many ways, including conformance checking, identification and analysis of issues, and continuous optimization initiatives. </p><p>Process mining has many implications as a way of transforming and innovating how auditors conduct their work. For example, as a computer-assisted audit tool, auditors can use it to obtain and analyze a holistic view of the entire process chain, instead of just sampling. This view is based on actual data, not assumptions, allowing auditors to observe and explore the inner workings of a process to find out what is really happening. With this information, auditors can pinpoint issues, validate deviations or inefficiencies, identify and evaluate root causes, and recommend practical remedial action plans and mitigation strategies. At the same time, audit departments can rethink the audit process, itself, and find efficiencies along the way. This may include reducing or eliminating conventional interviews and walkthroughs, designing innovative continuous monitoring or continuous auditing solutions, and eliminating outdated documentation. </p><h2>Old Tool, New Tricks</h2><p>Knowing how to develop and analyze flowcharts is considered basic knowledge for internal auditors. New tools and techniques around process mapping are paving the road for fresher ways to execute and deliver assurance and advisory services. By embracing enabling technologies, auditors can reshape their thinking and provide more in-depth insight and foresight, produce impactful reporting, and deliver valuable support throughout their organizations. </p>David Dominquez1
Employee Onboarding in a Virtual World Onboarding in a Virtual World<p><img src="/2021/PublishingImages/employee-onboarding-in-a-virtual-world_445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />​Virtual onboarding has become a necessity for organizations in the COVID-19-created work-from-home environment. While 75% of executives anticipate at least half of office employees working in the office by July, according to a recent PwC report, the work-from-home model is expected to remain a permanent fixture of the business landscape. The study, It's Time to Imagine Where and How Work Will Get Done, indicates that work arrangements most likely will take the form of a hybrid in-office/work-from-home model.</p><p>Meanwhile, onboarding of new employees will have to adapt to the post-COVID world. In fact, The IIA's publication <a href="" data-feathr-click-track="true" target="_blank">OnRisk 2021: A Guide to Understanding, Aligning, and Optimizing Risk</a> identified talent management as among the most relevant risks for 2021 and a priority for improvement.</p><p>Integrating new employees into the organization — which can include everything from payroll and benefits to an introduction to the corporate culture — is crucial to their success and the likelihood they will stay with the organization. Employee turnover was a problem even before the pandemic. What People Really Want From Onboarding, a 2018 study by human resources (HR) software provider BambooHR, found that 31% of respondents quit a job within six months of starting it. Additionally, a 2019 survey by employment website Indeed found that in jobs where people left within the first six months, 40% say a more effective onboarding process could have helped them stay longer. </p><h2>Adapting to Remote Processes</h2><p>Despite the disruption caused by the pandemic, the basic elements of onboarding — payroll, benefits, and other paperwork  — have gone well at IIA Global Headquarters in Lake Mary, Fla., says HR Managing Director Stacy Brooks. The IIA started using DocuSign several years ago, so it was ready when the onboarding process moved remote. New employees also were able to access other documents through an online workforce management portal and were emailed IIA-specific internal forms to upload and review.</p><p>Zoom chats, phone calls, and emails all play a role in communicating with new hires to make sure IIA staffers are available to answer questions. "It was not that far of a stretch, just a different experience in that they were no longer sitting across a conference table from us," Brooks says.</p><p>New hires face a learning curve in terms of communication, says Stephanie Lopez, senior internal auditor at Hasbro Inc., a toy, board game, and media conglomerate based in Pawtucket, R.I. "It does take more work to think about how to engage in communication virtually with coworkers in the day-to-day." </p><p>New hires put into the virtual work-from-home world face challenges, because the work environment cannot be controlled like that of an office, Lopez says. The challenge is to get the employees out of their home environment and into a work environment. "When you hire someone you have to train their mind to focus in a virtual environment and on the benefits of creating a work space at home," Lopez says. "The big risk would loss of company time, so we have to find ways to avoid that, by setting up meeting times, reminders on the calendar, or even coffee breaks to come together as a team."</p><p>Motivation is an additional concern. "Part of the hiring process is asking yourself, 'Is this person self-motivated?'" says Robert Cahoon, manager, internal audit, at Hasbro. "If they are not, this can be a challenge when the person is working from home." Cahoon says he assigns a mentor to new hires, while Lopez herself mentors new hires.</p><p>However, the new employee's experience also can play a part in onboarding. A person without much work experience coming into a job in this work-from-home virtual world might find it harder to connect with coworkers at different levels in their careers, says David Petrisky, who recently joined The IIA as director, Professional Practices. For his part, Petrisky says he has had little problem with the onboarding because he has more experience working in organizations, and no problem working independently.</p><p>Toby DeRoche, an internal audit consultant based in Jacksonville, Fla., says assignment of a mentor has helped him learn the culture of his employer. His mentor calls weekly and has been proactive in reaching out, DeRoche says. "Having more touch points and more frequent communication makes a huge difference." </p><p>The average new hire has more than 50 activities to complete during onboarding. Some ways to organize that process include:</p><ul><li><strong>Covering the right information. </strong>This includes key company information such as policies and values, overview of teams and departments, and where to find resources.</li><li><strong>Tailoring digital onboarding materials for impact.</strong> Create content in different formats (videos, one-on-one training, screen sharing, phone calls, etc.) to avoid Zoom fatigue. Consider different ways for remote employees to set up their technology, such as videos with step-by-step instructions.</li><li><strong>Being flexible</strong>. Acknowledge the juggling of work-life balance, and consider letting new hires work through some resources at their own pace. </li><li><p><strong>Thinking beyond the first week. </strong>Spread out onboarding tasks to give new hires time to absorb important information. Look for ways to build engagement and connection.</p></li></ul><p>In addition, Indeed lists <a href="" data-feathr-click-track="true" target="_blank">16 steps</a>, plus a day-by-day schedule, to follow when building a successful virtual onboarding experience.</p><h2>Learning the Company's Culture</h2><p>Apart from the basic payroll and benefits paperwork, new employees also face an arguably greater challenge of becoming part of their new organization's culture. The IIA Practice Guide, "Auditing Culture" (2020), defines organizational culture as "the invisible belief systems, values, norms, and preferences of the individuals that form an organization." </p><p>Helping new employees understand and feel a part of an organization's culture can be especially challenging now. Brooks cites hurdles associated with making new hires feel instantly engaged and welcomed when they are not able to come to the office, get a tour, and meet other staff members. "That piece of engagement for a new employee can be a bit of a challenge," she says. Zoom meetings and telephone meetings are both critical in the new-employee onboarding process; for those who live locally, in-person meetings at The IIA's headquarters in Lake Mary may take place.</p><p>Pre-pandemic, onboarding at Hasbro was a multiday event, introducing new employees to the company and its history. Shannon Urban, vice president, chief audit executive, joined the company in late March shortly after the work-from-home policy was instituted and received a condensed 1.5-hour online onboarding session.</p><p>A hiring freeze gave the company breathing room to refine its process. Despite the brevity, Urban says she felt the process went well for her; she received responsive IT support, and she was able to contact an HR representative when she had any questions or concerns. </p><p>Relationships are important in her role, and all in all, Urban says she is learning the company's culture. But she also has to work harder to adjust to some of the nuances of a remote working environment. Knowing that it would be hard to build relationships initially and get to know the organization, Hasbro's chief financial officer scheduled 50 meetings with various executives the day Urban started. </p><p>"I actually think being remote worked out well," Urban says. "Everybody was home, nobody was traveling — everybody made time. I was able to have some really good first conversations with a broad swath of the organization." Even so, she says, it has been frustrating that she hasn't been able to meet her team in the company's Rhode Island, U.K., and Asia locations in person.</p><p>Successful assimilation of new employees is important in terms of their longevity at the organization, DeRoche says. Employees working remotely have a lot less invested in the organization, and therefore less willingness to stay. "You're basically an outsider looking into it from an assimilation point."</p><p>So much of culture is informal, DeRoche notes, such as the ways workers interact and the cues they observe from top management. These elements can be lost when working remotely. One possible solution would be to have group onboarding sessions, say, once a month, DeRoche suggests. New hires could introduce themselves; managers, including company top management, could give live welcomes to the organization. Once the employees are on board, short daily team meetings along the lines of Agile scrum meetings could help bring the new hires into the company culture.</p><h2>Looking Ahead</h2><p>Another side to the new world of remote work needs to be considered, as well, Urban says. People are working more than ever, or are having to flex their workday because of child care or elder care responsibilities. "Anything and everything is now interrupting our traditional pattern," Urban says. </p><p>The post-COVID-19 new normal will encompass some people in the office full time, others remote full time, and many employees in the middle, in the office a day or two a week. Long term, organizations will need to address how they can help new hires assimilate the elements that make their new employer special. "A lot of the things that we have put in place initially to navigate this in terms of how we manage people, how we support people, how we develop people on our team, have to be rethought," Urban says.</p><p>For its part, Hasbro is having active discussions to ensure the company's culture and the sense of fun that comes from being a toy and entertainment company remain intact in the new virtual world, Urban says. "There's a sense that we can't afford to lose that because that's one of the things that makes working at Hasbro really unique."</p>Geoffrey Nordhoff1
On the Topic of Talent the Topic of Talent<h2>​What are the key skills CAEs should be looking for in today's internal audit candidates?  </h2><p><strong>Cangelosi</strong> As today's internal audit function evolves, so do the skills of those executing deliverables. While traditional audit technical skills remain critical, with IT and data analytic skills in increasing demand, nontechnical skills can really differentiate a great internal audit candidate from an average candidate. Today's internal audit function incorporates historical auditing and value preservation, as well as forward-looking vision and value creation. In line with these consultative objectives, successful internal auditors should have strong communication skills and be analytical and critical thinkers. They should be inquisitive and seek to understand root cause. And perhaps most important, they should be able to leverage teams to bring specialist knowledge and value partnerships within the business to achieve overall company objectives.</p><p><strong>Fedele</strong> Although there are many key skills CAEs should look for in candidates, two categories immediately jump to mind. The first is updated technology skills, which are needed to better understand the risks associated with advanced technology use as with robotic process automation and algorithmic models within the organization. Internal auditors also need these skills to apply advanced analytics, intelligent automation, and data visualization to their own work. The second key attribute to look for is strong soft skills inclusive of critical thinking, communication, executive presence, team-building, leadership development, interviewing, storytelling, and the ability to foster more open and collaborative relationships with stakeholders. </p><h2>How will the pandemic impact hiring processes going forward? </h2><p><strong><img src="/2021/PublishingImages/Sarah-Fedele-70x70.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" /><strong>Fedele</strong></strong> Hiring processes in a virtual world appear to be accelerated. Searching for new employment is easier without a peer looking over your shoulder, and scheduling interviews is quicker when you're able to jump from one video call to the next. With respect to geographies, I haven't seen much change in approach. Large organizations have historically hired without geographic limitations. The need to physically move for work seems delayed in the near-term, and it's uncertain if a move will eventually be required. With that said, an organization located in and serving a specific geography is typically focused on broader community impacts, focusing hiring efforts locally whether the team works virtually or not.</p><p><strong><strong>Cangelosi</strong></strong> If there was ever any doubt, the pandemic has certainly proven that auditors can be successful working from home. As companies continue to evaluate what their future workforce model will look like, technology and digital advancements are fast-tracking like never before. The accessibility of data and information required to perform internal audit work has made geographic boundaries less of an issue, opening up the pool of candidates by casting wider nets. The unfortunate downsides in a work-from-home model include sacrificing the personal connection with business-unit owners, the risk of data protection and privacy violations, regulatory reporting and compliance issues, direct and indirect tax risks for the company, and, for those personnel working internationally, potential payroll tax and immigration issues.<br></p><h2>How should CAEs approach diversity and inclusion in their hiring practices?  </h2><p><strong><img src="/2021/PublishingImages/Joann-cangelosi-70x70.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" /><strong>Cangelosi</strong></strong> Ideally, diversity and inclusion are part of the corporate culture and supported by the organization's executive team and board. Understanding your diversity hiring data is important in evaluating where behaviors may need to change. The process from position description development and job postings, to interviews and candidate selection should be free from subconscious biases. Employees should be free to bring their whole selves to work, showing up authentically. Teams with a variety of diverse backgrounds bring multiple perspectives, resulting in creative and insightful innovation and meaningful analysis and decision-making.</p><p><strong><strong>Fedele</strong></strong> Deloitte encourages CAEs to recruit from a variety of sources to attract candidates from a range of backgrounds and experiences, filling open positions with individuals able to help the broader team thrive through diversity of thought. Hiring practices are only the start, though, as it is key for the CAE to create a culture of inclusion. Without a culture of inclusion within the internal audit function and the broader organization, diversity efforts often fall short.<br></p><h2>How should artificial intelligence (AI) fit into the hiring plan?</h2><p><strong><strong>Fedele</strong></strong> As AI continues to integrate into our work lives, we're starting to see internal audit "superjobs" that combine portions of the traditional internal audit role with support from smart machines, data, and algorithms. For example, if AI was developed to support an internal auditor superjob, it might perform first-level review of workpapers, review the final audit workpaper file for compliance with IIA Standards, or draft the final audit report from results in workpapers. As AI adoption expands in organizations and teams of those with superjobs unite, "superteams" are formed as groups of people and intelligent machines work in concert to solve problems, gain insights, and create value. </p><p><strong><strong>Cangelosi</strong></strong> The technological advancements of AI can prompt one to ask whether we will really need human intelligence in the near future. The benefit of AI is that manual tasks can be replaced by machine learning, freeing up staff to focus their efforts on new opportunities. New opportunities will likely be a higher use of their skills, keeping employees motivated as they are now able to focus on strategic initiatives. While results from AI are remarkable, it is still humans who design AI technology and ensure quality review of resulting outputs.<br></p><h2>How can CAEs invest in staff training to help build long-term organizational resilience?</h2><p><strong><strong>Cangelosi</strong></strong> Internal audit is focused on risk identification and mitigation, as well as effective and efficient operating processes. As tools and technologies change the way we audit, so must the skills and capabilities of those performing the work. Equally as important as technical skills is an in-depth understanding of the organization and how it operates. Many companies have successfully implemented rotation programs within their organizations, to provide internal auditors an opportunity to work on diverse initiatives in different roles, while enhancing skill sets. In some cases, these employees remain permanent members of the new department, allowing others in the internal audit group opportunities for advancement. </p><p><strong><strong>Fedele</strong></strong> Giving current staff robust training, as well as incentives to pursue certifications relevant to internal auditors — including those focused on internal audit, risk management assurance, cybersecurity fundamentals, analytics, cloud, fraud, and project management — can permanently fill talent gaps while creating an environment of continuous learning and improvement. In better preparing internal audit and the organization for digital disruption, emerging risks, and evolving opportunities, everyone can grow and make positive changes.<br></p>Staff1
Update: Bold Moves for COVID-19 Exit Bold Moves for COVID-19 Exit<p>​McKinsey & Co. says organizations should adopt a new operating model and an all-in approach to transformation as they emerge from the COVID-19 pandemic. In a recent article, the consulting firm advises businesses to assess their full potential, set high aspirations, and deliberately sequence the moves to get there. </p><p>"Incrementalism is especially risky, particularly for organizations trying to break out of what feels like a COVID-19 perpetual crisis," the firm says in "This Way Out: How Leading Companies Chart a Full-potential COVID-Exit." "Our findings from past downturns confirm, as well, that companies that take an all-in approach emerge stronger and sustain that competitive advantage for almost a decade afterward."</p><p>In a separate article, McKinsey also advises that the strongest organizations are reinventing themselves with "swift, nimble, and versatile" operating models, which are most effective amid uncertainty. "How COVID-19 Is Redefining the Next-normal Operating Model" says the agile practices that helped organizations respond to COVID-19 should continue in a new operating model. </p><p>First, organizations should continue to base business priorities strictly on the company's purpose. Second, they should bypass traditional corporate hierarchies and deploy cross-functional teams with decentralized decision-making authority to address outcome-focused tasks. Third, they should create rigorous processes and invest in reskilling, reallocating, and reenergizing employees, emphasizing skills-based mobility. Fourth, organizations should direct technology toward facilitating the work of customer-facing teams.</p><p>McKinsey advises organizations to implement a process to evaluate crisis-initiated changes, decide which shifts to make permanent, and drive a broader transformation toward speed and efficiency. <strong>— L. Nelson</strong><br></p><h2> <img src="/2021/PublishingImages/Update-global-outlook-weakens.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:200px;" />U.S. Employers Can Mandate Vaccination<br></h2><h3>EEOC guidance makes exceptions for disabilities or religious beliefs.<br></h3><p>As COVID-19 vaccines continue to be distributed throughout the population, questions have been raised about whether employers can mandate the vaccination of their employees. To clarify this issue, updated U.S. Equal Employment Opportunity Commission guidance states that, indeed, employers can require their employees to receive the vaccine. </p><p>The guidance clarifies that vaccinations are not "medical examinations," which cannot be required of existing employees under the Americans with Disabilities Act. Exposure to COVID-19 is largely considered a "direct threat" to the workplace, making a vaccination requirement lawful. </p><p>Under specific circumstances — such as a disability or religious belief — the employer could not mandate vaccination and would need to make reasonable accommodations, such as remote work, available for an employee. Only if such accommodation is not possible could the employer exclude the employee from the workplace. </p><p>Organizations that require mandatory vaccinations should draft a policy that clearly informs employees what to expect. <strong>— L. Wamsley</strong><br></p><h2>Building an Adaptable Workforce<br></h2><h3>Surveys say enhancing employee skills is key to business resiliency. <br></h3><p>The COVID-19 pandemic and its tumultuous business disruptions have made organizations rethink what makes them resilient. According to two new studies, what global business leaders now see as key to resiliency is a highly adaptable workforce. </p><p>In the 2021 Deloitte Global Human Capital Trends report, 72% of more than 6,000 executives identify "the ability of their people to adapt, reskill, and assume new roles" as a priority for navigating future disruptions. Similarly, according to a McKinsey & Co. survey, Rethink Capabilities to Emerge Stronger From COVID-19, 78% percent of business leaders around the world say addressing gaps in capability is vital to their organization's long-term growth, with 73% valuing retraining or redeploying existing employees to fill those gaps. </p><p>"Amid disruptions, organizations either sink or swim based on their workforce's capabilities like collaboration, creativity, judgment, and flexibility," says Erica Volini, principal and global human capital leader at Deloitte Consulting LLP in Phoenix. "It's clear that workforce and human-centric matters are top priorities for C-suite and board leaders."</p><p>Both studies show that organizations want to invest in developing their workforce, but many have far to go when it comes to creating effective programs. Still, well over half of the executives surveyed by Deloitte say they plan to focus on "reimagining work" over the next three years. This means not only teaching employees new skills, but giving them more choice over what they do or even integrating the physical, mental, financial, and social well-being of workers into the design of work, itself.</p><p>"Moving forward, those leaders who address human capital holistically and build business decision-making around human potential will thrive," Volini says. <strong>— C. Janesko</strong></p><h2> <img src="/2021/PublishingImages/Update-Darcy-Gruttadaro-215x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Mindful of Mental Well-being</h2><h3> The pandemic is taking a toll on employee mental health, says Darcy Gruttadaro, director of the Center for Workplace Mental Health at the American Psychiatric Association.</h3><p> <strong>What measures can organizations take to support the mental health of employees during the pandemic? </strong></p><p>Data shows a tripling of people experiencing anxiety and depression and major concerns with a potential spike in suicides and overdoses. Employers play a key role in addressing mental health concerns. We recommend that employers use a LEAD Framework. </p><p>First, leadership: Leaders set the culture of organizations, so having them discuss mental health opens the door to employees seeking support and services when they are needed. Second, effective communication: Ensure supervisors and managers are regularly checking in one-on-one with those reporting to them. Be sure that people managers are asking how people are doing and giving them space and time to share the challenges they may face. Third, adapt to change: Now is the time for employers to evaluate policies and practices that can be adapted to accommodate for the need for flexibility. Fourth, double down on access to care: Employers should look at their employee assistance program (EAP) usage data and see an increase in people accessing it. If that is not the case, find out why. Work with your EAP to find innovative ways to reach employees in distress.<br></p><p> <strong>What are some signs that employees may be struggling with mental health problems?</strong></p><p>Nearly everyone is experiencing some strain on their mental health during this pandemic. The key issue is whether people are seeing change in colleagues that is significant and suggests a person may be experiencing a mental health issue. The change could be in appearance, behavior, mood, or thinking. Examples of ways it might show up at work, include: </p><ul><li>Withdrawing from social connection with others.</li><li>Procrastination and indecisiveness.</li><li>Not engaged or not seeming to care about work.</li><li>Angry outbursts or refusal to follow direction.</li><li>Unexplained absence or consistently showing up late to meetings.<br></li><li>Inability to handle multiple tasks.</li><li>Wandering off topic.</li></ul><p> <strong> <br></strong></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>52% of business leaders and employees in 11 countries</strong> <span style="text-align:center;">say trust is higher at their organization today than it was before the pandemic.</span></p><p> <strong>61% of business leaders and employees say COVID-19</strong> has positively reshaped their perceptions about remote work, but</p><p> <strong>55%</strong> still think it's easier to trust colleagues in a physical workplace than colleagues working virtually.<br></p><p>"Organizations will need to carefully consider how to foster relationships between location-based and work-from-anywhere employees to ensure hybrid models reach their full performance potential," says Dan Schawbel, managing partner, Workplace Intelligence.<br></p><p>Source: The Workforce Institute at UKG, Trust in the Modern Workplace<br></p></td></tr></tbody></table><p><strong>How can internal auditors who are feeling stress from the pandemic maintain their mental health and address any symptoms they may be experiencing?</strong><br></p><p>Our mental and physical health are interconnected. Self-care is more important now than ever, especially for those suddenly working remotely. Be sure to get adequate sleep, eat right, set a reasonable work schedule, avoid excessive work hours, exercise — even if it just involves walking around the neighborhood or indoors — and take breaks during the workday. Stay socially connected with colleagues, family, and friends, and find ways to quiet your mind such as through meditation. If you are experiencing distress, do not wait — reach out to the EAP or a primary care provider. Mental health is like any other health issue — the sooner you get help, the better the outcome.<br></p><h2>Committing to Social Justice<br></h2><h3>Investment groups aren't acting on public statements on diversity.<br></h3><p>U.S. corporate executives increasingly have been taking stands on social issues such as global warming, economic inequality, and racial injustice,  but their actions may not match their words.</p><p>In a survey by JUST Capital, 79% of Americans say it will be just as important, or more important, for business leaders to speak out publicly on social issues over the next four years. That percentage compares with 68% who thought so in 2020. Members of both U.S. political parties support corporate leaders' activism (87% of Democrats and 75% of Republicans). </p><p>Meanwhile, a report from the nonpartisan group Majority Action found that asset managers such as BlackRock and Vanguard, while making statements in support of racial justice and equality, often do not back up those statements when it comes to composition of corporate boards. Of the 178 S&P 500 companies that had no Black directors as of their 2020 annual meetings, BlackRock voted to support the entire board at 163 of the companies, and Vanguard voted to support the entire board at 166. <strong>— G. Nordhoff</strong><br></p>Staff1
A Voice for the Profession Voice for the Profession<p>​IIA President and CEO Richard Chambers will step down at the end of March from the post he has held since January 2009. Chambers has overseen The IIA during a time of significant change, as dynamic social, economic, and technological forces reshaped modern risk management.</p><p>As the voice for the profession for more than 12 years, Chambers has written and spoken extensively about how stakeholder demands are changing and how the profession must pivot to meet those needs. As he looks toward the next chapter in his long and storied career, Chambers offered some insights on the profession's continuing evolution and current state.</p><h2>How have changes over the past decade impacted the profession and The IIA?</h2><p>Really it starts with the velocity of risk — how rapidly risks emerge, change, and dissipate. This velocity of risk has accelerated dramatically in the last 20 years, whether it is that risks are literally materializing rapidly or the fact that we live in an information era where everything is known and analyzed. It is that exposure that allows risk to intensify so rapidly. </p><p>For most of the 20th century, even as late as 1990 when the internet as we know it was in its infancy, you just didn't have the speed of information that you have today. It's that combination that has really contributed to additional pressures and opportunities for the internal auditor. This new era of information proliferation, and risk dynamics, coincided with The IIA mandating that you needed to be risked-based in your audit planning and audit execution.<br></p><h2>How do you think this has impacted The IIA and its work to support the profession? </h2><p>It has given us the opportunity to better inform members and help them better respond to emerging risks. For example, if there are new risks that come out of COVID-19, where 20 or 30 years ago, you would need to wait for the next edition of your magazine, today you have ample information available immediately online. This has enabled The IIA to be swift and decisive in providing insight and guidance to the profession on how to address some of these issues.<br></p><h2>Do you believe internal audit is where it needs to be right now?</h2><p>The analogy I've used over the years is that the glass is half full. You can celebrate that it is half full, but you have to candidly acknowledge it also is half empty. We have made great progress in how responsive we are, how versatile we are, how resilient we are, and how quickly we pivot in the face of new risks. We can celebrate all that. The real opportunity for internal audit is to enhance value in organizations. Protecting value is important. It's been an important part of our mission since our inception, and I think it will always be a critical part of our mission. But you really waste opportunity when you have insight and knowledge that you only share when someone makes a mistake. You must be willing to share your perspective, knowledge, and insight when people are making decisions or even when they are not thinking about making a decision. If you are unwilling or unable to do that, you are a resource that is not living up to its full potential. To a certain extent, that is a real opportunity for growth in this profession in the next decade, and I'm hopeful I can continue to be a voice to challenge the profession on doing this.</p><h2>You've published three books during your tenure as CEO. What impact do you believe those books have had on the profession?</h2><p>With the materials I create for the profession, it's been my objective to make topics as timely and relevant as I can. </p><p>My first book,<em> Lessons Learned on the Audit Trail</em>, published in 2014, resonated very well. But I began to appreciate — again the velocity of risk — that at five years a book begins to feel dated. It was on that basis that we updated the original manuscript in 2019 to incorporate a lot of the developments over those five years. The main title of that book, The Speed of Risk, is probably the overarching lesson I learned over the course my career. </p><p><em>Trusted Advisors</em> (2017) was a response to a refrain from the profession that internal audit should have a seat at the table. It's fine to strive for an invitation for a seat at the table, but if you're a trusted advisor you're going to have a seat at the table with your name on it. If you're not trusted and not seen as an advisor — as my good friend Norman Marks has said — "you will sit at the children's table." The whole thrust of the second book is, "What does it take to be a trusted advisor?"<br></p><h2>Now you are ready to publish a fourth book, <em>Agents of Change</em>.</h2><p>The new book takes a page out of the approach we took on <em>Trusted Advisors</em>. We asked, "What does it take to be an agent of change?" Given the thirst in the profession for insights and ideas on being more effective, I believe the new book is going to have the same broad appeal.<br></p><h2>Do you believe your books reflect the evolution of the profession?</h2><p>In a lot of ways they do. <em>Lessons Learned on the Audit Trail</em> is very retrospective. I was speaking broadly about my experiences. <em>Trusted Advisor</em>s was much more contemporary. What are the things that highly effective internal auditors are doing in the here and now? <em>Agents of Change</em> is very forward looking. I don't think we have as many agents of change in our profession today as we have trusted advisors. I do distinguish in the book between them. I think a trusted advisor is seen as a reliable and accurate source of insight and information, and regardless of how they are delivering that information, they are so well-trusted that people listen and take action. I think you have to be a trusted advisor to be an agent of change. To be an agent of change, you don't just tell people what's wrong or how they can do something better. You talk about how they can tackle issues in ways that they maybe have never thought of. You're talking about what is possible. If you want to look at it another way, when you look backward, you tell people what was; when you look around you tell them what is; when you look ahead you tell them what is possible. I think agents of change are there to help people appreciate potential.</p><h2>Is this manageable for most practitioners?</h2><p>I think so. I think we all have a flame within us that will enable us to be agents of change. The question is whether we are going to turn the flame up and become the beacons that enable us to shine a light on the opportunities that are out there. I think it can be done. I think it will be done. If you look at what we've seen over the last 20 years and extrapolate that in the decade ahead, what you're likely to see is people aren't going to wait for internal audit to tell them what was or what is. They're going to be anxious for us to tell them what could be. There are going to be people who are uncomfortable with that.</p><p>In the book I talk about how as assurance providers we used to be called the bean counters. Trusted advisors tell you not only how many beans you've got but how you can grow them, harvest them, and take them to market, and where you have opportunities to improve. Agents of change say, "You know what, quit growing beans. Why don't you look at growing corn or kale or something new? Use that resource and capacity for growing beans and take on new opportunities." There are going to be people who say, "Wait a minute, that's management's job. Management is the one to do that; that's business strategy; that is not our place." If not us, then who else? Who else do you have in an organization other than the CEO or a couple of people in the C-suite who have that 360-degree view that we get as internal auditors and who build up over time that institutional knowledge? I would say it is not uncommon out there for a chief audit executive to have more tenure in his or her role than the CEO does. We're not making the decision. We're fully respecting the role management plays. But we're not adding a lot of value to the company if we only tell management what went wrong.<br></p><h2>As you look back over your tenure as CEO, how do you view milestones and achievements?</h2><p>I think it's been a remarkable decade, 12 years, however you want to measure it. But I don't give myself much credit for any of that. I feel I was privileged to lead the organization during this period. But I think we were destined to do great things. I think what The IIA needs in a CEO as well as a chairman and others on the board are people who have the passion and vision to help the organization realize its potential. They need to be agents of change.</p><p>My decision to step down is predicated more by a desire to afford new fresh leadership to come in, so The IIA is not recycling the same leadership style and same ideas for too long a period. I don't feel I've stayed too long. I feel like I've stayed just about the right amount of time, and I've been very grateful for the support I've gotten over these years from the board, and volunteer leaders around the world and the profession itself. But I also think it's time to pass the torch to new leadership.<br></p><h2>How would you most like to be remembered, as an executive who led The IIA during a time of extraordinary growth and change or as a longtime volunteer who gave so much time, energy, and intellect to the profession?</h2><p>I hope I'm remembered as someone who had a passion for this profession and was unwilling to allow it to become complacent. I hope I've been an enabler. I know it may appear at times that I see myself somehow as a bigger part of The IIA than I am. I feel the president and CEO of an organization needs to maintain enough humility to realize the organization is much bigger than he or she is. The organization's mission is much bigger than one person can achieve. I'm hopeful that my successor will be able to leverage the things we've done that worked, and be able to move on from things that haven't worked as effectively as we would have liked.<br></p><h2>What should we expect from you post-IIA? </h2><p>Like everyone else, my career has been a journey. Since my retirement from government auditing in 2002, I have partnered with organizations that are investing in the internal audit profession and whose mission is to serve and empower the profession around the world. That was true in both of my assignments at The IIA and during my tenure with PwC's internal audit practice. People should expect that I will do the same in the future. There are several organizations that are making investments in this profession because of the potential they see in it. I plan to partner with one of those organizations and continue to be a passionate voice for the profession just as I have been for the last 20 years.</p><h2>Any closing thoughts as you look back on a long and storied career?</h2><p>Literally hundreds of people from around the world have reached out to congratulate me on my "retirement." It has been interesting because I haven't used the "R" word once. I have too much energy and enthusiasm to sit on my back porch and watch the sun set. I would rather be up anticipating a sunrise on a new day and new opportunities. I am less than five years away from celebrating 50 years in the internal audit profession. Barring some unforeseen circumstance, I plan to celebrate it with a blog post reflecting on a half-century in the most amazing profession in the world. <br></p>Robert Perez1

  • AuditBoard-April-2021-Premium-1
  • PwC-April-2021-Premium-2
  • Pulse-of-Internal-Audit-April-2021-Premium-3