From Emerging to Leader Emerging to Leader<h2>How has your career advanced since becoming an Emerging Leader?<br></h2><p><strong>Bordelon</strong> Since being recognized as an Emerging Leader in 2014, I have received multiple promotions. I’m now an associate director at my firm. I’m still at the same great firm 14 years after starting as an intern in 2005. I also have expanded my family and have a four-year-old son and a two-year-old daughter. Trying to set a good example for them and show them that I have a job that I love and can excel at while also being present and visible for them is a daily goal.<br></p><p><strong>Rusate</strong> Since 2017, I have further developed myself professionally by obtaining my Certified Internal Auditor, Certification in Risk Management Assurance, and Certified Information Systems Auditor designations. Working for my current employer has given me the opportunity to advance my skills, while working alongside industry experts, in an environment that openly promotes and rewards individuals for professional development. <br></p><h2>What is your advice for new internal auditors? </h2><p><strong><img src="/2019/PublishingImages/Alex-Rusate.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Rusate</strong> Never stop learning. You can always obtain more knowledge through certifications, internal business processes, industry level knowledge, etc. I have pursued a variety of internal audit skill sets because I expect that the internal auditor of the future will need to have a strong background in financial, operational, IT, and regulatory matters to keep relevant in the evolving business landscape. New technology, such as intelligent automation, will help scale down the tedious tasks that consume auditors’ time and allow them to work on more sophisticated matters that require a higher skill set. </p><p><strong>Bordelon</strong> Don’t overlook the soft skills of listening, being friendly and respectful, asking questions, having a strong work ethic, etc. You can learn the hard skills through research and on-the-job training, but you often cannot teach soft skills. These are usually the distinguishing characteristics between leaders and the status quo.<br></p><h2>What skills have helped you most in your career?</h2><p><strong><img src="/2019/PublishingImages/Leslie-Bordelon.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Bordelon</strong> Maintaining a positive outlook/disposition regardless of the project, client temperament, location — travel or not — or circumstance has been an essential skill that has helped me in my career. I try to look at all situations in a positive light and see all projects as an opportunity to add one more arrow to my quiver of skills. Having this outlook has helped me when deadlines are tough or I’m traveling away from my family. Another skill that has helped me is flexibility. I’m a planner by nature and love to know what I’m working on for the next week, year, or even five years. Being a consultant in internal audit has challenged me in that area as my schedule/work commitments change almost daily. Trying to go with the flow and be flexible has been a skill that I’ve had to develop over time, but one that has served me well in my career. </p><p><strong>Rusate</strong> Thinking critically and taking on new challenges with enthusiasm are two traits that have helped me most in my career. Thinking critically has helped me when I have identified opportunities for improvement for unaddressed risks during walkthroughs and testing, and not simply taking management’s explanation at face value. Typically, management will know significantly more about a process than you; however, when you combine critical thinking with your holistic knowledge of the company, you can identify risks and opportunities for improvement. Taking on new challenges, such as auditing areas not traditionally reviewed or subject matter that I do not have experience with, has helped to enhance my career. When encountering these situations, I make sure that I have or develop the skills needed to conduct the engagement before accepting it in accordance with IIA Standard 1210: Proficiency. When you have the ability to identify risks, discover process improvements, and step up to address engagements that are important to the chief audit executive, management, or the board, it helps make you a trusted advisor.<br></p><h2>What has been your most satisfying moment as an internal auditor?</h2><p><strong>Rusate</strong> My most satisfying moment was when the global controller reached out to the internal audit team to ask that we help at an advisory level to investigate a potential accounting issue at a manufacturing plant. The figures were not consistent with management’s expectation or the fiscal performance of the other manufacturing plants, and management did not have resources available to look into the irregularity. I was assigned to the engagement and was able to determine the root cause of the issue — the implementation of a new ERP system the previous year. Identifying the root cause enabled management to implement corrective actions that led to the company having increased profitability from that plant on a consistent basis. </p><p><strong>Bordelon</strong> I worked on a project last year with a very tight deadline, a mountain of work, and a good bit of travel. I had a team of all stars, and we worked together to accomplish more than anyone thought possible in such a short period. In fact, we not only completed the project on time, but delivered extra value in many ways and built some great friendships and bonds along the way. It’s a project that I won’t soon forget.</p><h2>What frustrates you most in your work?</h2><p><strong>Bordelon</strong> I get frustrated with the negative connotation some people have regarding Sarbanes-Oxley work. I think that work is a fantastic way to learn all aspects of a company, build relationships with clients, and expand your knowledge of an industry. Sarbanes-Oxley work has been invaluable in my career and has afforded me the ability to work on both my hard and soft skills.</p><p><strong>Rusate</strong> A challenge in the profession is working with engagement contacts to make sure you maintain a good balance between achieving audit deliverable dates while still being cognizant of their day-to-day responsibilities. Maintaining a mutually respectful relationship with the engagement contacts will help ensure the audit is received in a positive manner and ensure the sustainability of effective audits going forward. <br></p><h2>Why do you stay in the profession? </h2><p><strong>Rusate</strong> I stay in the profession because of the diversity of the subject matter, growth opportunities, and the ability to add value across the entire organization. This profession allows me to gain exposure to functions across businesses, which then enables me to more accurately identify key risks within processes. Furthermore, internal auditing is growing faster than most other professions, according to the U.S. Bureau of Labor Statistics. As reported in the last issuance of the bureau’s Occupational Outlook Handbook, employment for internal audit professionals will grow 10% from 2016 to 2026, faster than the 7% national projected average for all occupations. The main reason I stay in the profession is to add value to the organization. Whether it be through identifying risk and working with management to mitigate it down to an acceptable level or identifying process improvement opportunities that drive revenue or cut costs, those are some of the most rewarding aspects of the profession. </p><p><strong>Bordelon</strong> I stay in the profession because I enjoy the mentoring that my job enables me to participate in and being able to help my clients solve problems and achieve their goals. My colleagues, teams, and mentors are an extension of my family, and I truly feel valued and appreciated in my company and by my clients. </p><p>I’m also excited about the future of internal auditing. As companies start to embrace new technologies such as machine learning and robotic process automation, internal audit teams have to really rethink how they approach their work. Adopting more agile practices and understanding both the opportunities and the risks presented by these technologies will put next-generation auditing in a great position to help companies transform their businesses. I’m really looking forward to being a part of that process.  <br></p>Staff1
Communication Skills for Success Skills for Success<p>After gaining years of internal audit experience, associate internal auditors may be promoted to senior internal auditor. Internal audit management may recognize the auditor’s professional growth and want to encourage continued development. </p><p>Senior internal auditors are responsible for leading audits across the organization while working with associate internal auditors on various audit projects. Through many years’ experience, senior auditors have had extensive opportunities to hone internal audit-specific skills, such as testing, workpaper execution, and audit report writing. <br></p><p>New senior auditors may not have experience in the area of developing and coaching  the individuals on their audit project team. And while senior auditors may have strategies for teaching internal audit practices and processes, they might not possess the skills that help develop a well-rounded associate auditor. Therefore, it is the senior auditor’s responsibility to not only understand what promotes the professional growth of associate auditors, but also the strategies for effectively teaching the skills that ensure success. How the skills are taught often impacts the ability to grasp new internal audit concepts and processes. </p><p>Three key communication skills for new senior auditors to master are language selection and usage that encourages learning and growth, demonstrating strong communication skills to strengthen the skills of the team, and facilitating strategic communications through business partnerships. These skills cover the various interactions internal auditors experience daily.</p><h2>1. Language Selection</h2><p>A senior auditor’s word selection, tone, and inflection can make a tremendous difference in the effectiveness of communication. One area in particular is providing constructive feedback. Such feedback, while both well-intentioned and important, may not be well-received because of the inflection and tone of voice. Some associates may be able to hear the message through the inflection and tone, but others may focus solely on it, and completely miss the objective of the message. </p><p>To assess the associate auditor’s understanding when explaining an internal audit concept, the senior auditor might ask, “Does that make sense?” versus “Are we okay?” or “Are we good?” This makes a difference in determining progress and encouraging discussion. While it may be well-meaning, “Does that make sense?” is phrased in such a way that might not permit feedback (and if it does, is focused on the topic being taught). “Are we okay?” can open dialogue for the associate auditor to ask questions, as well as voice concerns. Using “we” indicates that the learning process involves both the internal audit senior and associate. This phrasing can sometimes encourage a broader conversation, rather than solely confirming a successful transfer of knowledge. </p><p>Simple changes in wording can have a huge impact on the team’s morale and skill development, especially because associate auditors may have varying professional backgrounds and different learning styles. Word choice, tone, and inflection can help reinforce the meaning of one’s message and encourages professional and productive discussions.</p><h2>2. Demonstrating Communication Skills</h2><p>When a senior auditor thoughtfully considers language, and makes necessary changes in phrasing and tone to best support the team, it is appropriate to then demonstrate his or her communication skills. As senior auditors work with a variety of stakeholders, they should consider their written and oral communications.  </p><p><strong>Written Communication</strong> New associate auditors who are learning the internal audit department culture will undoubtedly copy the communication style of their leaders; therefore, it is critical to reflect upon one’s own written communication and replace bad communication habits with a strong communication style. After all, one cannot hold associate auditors to a high communication standard if senior auditors are not modeling appropriate communication skills, themselves. From time to time, jargon is used in memorandums and emails are sent lacking punctuation, grammar, or spelling. Associate auditors are included in correspondence, so professional language and communication should be used in all interactions. Even if it takes a few extra minutes, senior auditors should proofread written communication. <br></p><p><strong>Oral Communication</strong> Exposing associates to various learning experiences is important; however, careful planning by the senior auditor is necessary to set up the individual and team for success. For example, if an associate auditor has never presented in front of audit client management, why have him or her present for the first time at the closing meeting, which may be more sensitive than the opening meeting? The associate may be successful, but chances are, without experience, he or she will flounder. Such unplanned approaches to training decrease team morale, and send a message to the audit client that internal audit is not a supportive and growth-focused department. A planned and intentional approach to communication training sends a message that the senior auditor cares not only about the success of the audit, but the associates, too. <br></p><h2>3. Strategic Communication </h2><p>Strong business partnering relationships are often built in informal ways, whether that be a walk around the office during lunch, a short coffee break, or by dropping by someone’s office. Chances are that at one time or another, a leader within the internal audit department has included the recently promoted senior auditor in such opportunities. By including associates in such interactions, it helps them build their own network and demonstrates the way in which to build their own relationships with leaders throughout the enterprise. This can help improve the image and reputation of the internal audit department within the organization.</p><p>Senior auditors also can help facilitate opportunities for communication skill improvement among associate auditors through the presentation of technical skills. Associate auditors may have professional and educational backgrounds in areas outside of the department under review, but possess specialized skills in subjects such as predictive modeling and project management. These skills are not only valuable in their application within the internal audit role, but they are also useful across the enterprise. When appropriate, senior auditors can initiate the conversation among business management about the possibility of a workshop or webinar, for example, and encourage the associate auditor to share his or her expertise with audit clients. </p><h2>Fostering Success </h2><p>Being promoted from associate internal auditor to senior internal auditor is reason to celebrate one’s professional accomplishments. However, with such promotion comes increased responsibility. And to foster further success, it is necessary to implement the communication skills that will progress one’s own professional development, as well as help improve the skills of emerging talent within the internal audit department. <br></p>Christine Hogan Hayes1
Well-deserved Criticism? Criticism?<p>During the last few years, internal auditing has faced significant criticism from both stakeholders and practitioners. Much of it centers around audit effectiveness and the profession’s ability to identify and report risks and failures, as highlighted in research from professional service firms. The IIA’s own 2019 North American Pulse of Internal Audit points to audit communication deficiencies and potential misalignment with corporate boards on risk areas. But does the profession deserve all of this criticism? Is it truly underperforming? <br></p><p>In my experience, senior management at publicly listed companies mostly views internal audit as a necessary evil — a nonessential service function that is either required by a listing exchange or by corporate boards. Otherwise, there is no general appetite to maintain an internal audit function unless the senior executive team, or the board, recognizes the value internal audit adds in providing assurance and improvement opportunities. Because internal audit is not valued, it is not granted sufficient operating budget, which limits the function’s ability to cover organizational risks. </p><p>Not surprisingly, many surveys of the profession reveal that internal audit struggles to attract and retain talent, is mostly underfunded, and lacks resources, including technology. Gartner’s 2018 Audit State of the Function report projected budgets increasing only slightly in 2019 and flat head count for 2019, consistent with prior years. And among respondents to Deloitte’s 2018 Global Chief Audit Executive survey, more than 40% said their audit functions lacked skills and talent; plus, only 21% used advanced analytics. How can the profession proactively identify and manage cutting-edge risks in areas such as blockchain, cybersecurity, and fraud when it does not have appropriate capital and technology?</p><p>But limited budgets and resources are not the profession’s only impediments — lack of control over internal audit’s activities and purview, as manifested through our organizational reporting relationships, also presents a problem. At most U.S. publicly listed firms, the chief audit executive reports administratively to the chief financial officer (CFO) and functionally to the audit committee. This configuration risks the CFO providing insufficient budget and other resources and using internal audit to complete projects and tasks not included in the audit plan — activities that might ordinarily fall on other CFO functions — thereby detracting from internal audit’s ability to conduct risk-based audits or complete its plan. </p><p>Given its limited budgets, inadequate technology resources, understaffing, and lack of autonomy, the profession does not deserve much of the harsh criticism it has received. Only when the audit function is truly independent and empowered will it be able to provide effective support to management and the board, sit at the forefront of risk management, and be able to proactively identify and help remedy corporate misconduct and fraud.  <br></p>Chris Dogas1
Editor's Note: Internal Audit's Emerging Stars's Note: Internal Audit's Emerging Stars<p>This marks the seventh year <em>Internal Auditor</em> has recognized emerging leaders in the internal audit profession. Our <a href="/2019/Pages/Emerging-Leaders-2019.aspx">2019 Emerging Leaders</a> join 100 other young professionals who have been recognized since 2013. </p><p>Past honorees have not rested on their laurels, but instead, as expected, continue to achieve great things. For example:</p><ul><li>At the time they were named Emerging Leaders, 74 had their Certified Internal Auditor (CIA) designation. Today, 89 are CIAs. </li><li>Since being named an Emerging Leader, 71 have new job titles or have moved to new companies.</li><li>Three Emerging Leaders have served on The IIA’s North American Board and Global Board of Directors. Seventeen leaders have served on one or more of The IIA’s committees.</li><li><p>Emerging Leaders have written 88 blog posts/articles for the magazine, and 46 leaders have been interviewed for Internal Auditor articles. <br></p></li></ul><p>Two former Emerging Leaders, Leslie Bordelon (2014) and Alex Rusate (2017) share how their careers have progressed since their recognition in this issue’s <a href="/2019/Pages/From-Emerging-to-Leader.aspx">“Eye on Business."</a> Rusate, for example, has obtained three new certifications since 2017. Bordelon and Rusate offer up-and-coming internal auditors advice on how to advance in the profession and explain why they stay in internal auditing. Bordelon says she’s excited about the future of the profession. “As companies start to embrace new technologies such as machine learning and robotic process automation, internal audit teams have to really rethink how they approach their work,” she says.<br></p><p>Technology is a theme throughout the “Emerging Leaders 2019” article. “In fact, emphasizing analytics seems almost old-fashioned to the 2019 honorees; they assume analytics are key to internal audit and continually expand their skills — often on their own time,” writes author Russell Jackson. This year’s leaders recognize that this expertise can open doors for internal auditors, and they’re eager to be meaningful players in their organization’s success, Jackson says. </p><p>On another note, when you’re Wright, you’re Wright. With this issue, we wish “Risk Watch” contributing editor Charlie Wright a fond farewell and introduce Rick Wright (no relation) as the new contributing editor. A big thank you to Charlie for his time and effort, and for the outstanding contributions he’s made to this department. We are fortunate to have Rick as Charlie’s replacement beginning in December. Rick is the director of internal audit and enterprise risk management for YRC Worldwide. He is also the author of <em>The Internal Auditor’s Guide to Risk Assessment and Internal Auditing: Uncover the Myths, Discover the Value</em>. Welcome, Rick!<br></p>Anne Millage0
Emerging Leaders: 2019 Leaders: 2019<p>​Each year's Emerging Leaders talk less about the profession pivoting to a trusted advisor role and more about actually performing that role — and how excited they are to expand internal audit's influence into new areas. Indeed, the 2019 Emerging Leaders' diversity shows partly in the variety of experiences they've had in an advisory capacity and their specific goals for expanding the profession's profile. And as in previous years, the 2019 Emerging Leaders are a diverse, multinational group. Since the first crop of honorees in 2013, 14 countries have been represented; this year's professionals hail from The Republic of Belarus, Canada, the U.S., and Zambia. Just under half since the beginning are women, just over half are men — many of whom have advanced to positions of greater leadership and gone on to volunteer in key IIA governance and advisory positions. </p><p>As a group, this year's Emerging Leaders are enthusiastic about talking up internal auditing — to schools, business groups, and their colleagues — and about supporting the profession through expanded participation in local professional organizations. Technology, as always, is what these high-performing practitioners want to talk about. Automation and data analytics are familiar. In fact, emphasizing analytics seems almost old-fashioned to the 2019 honorees; they assume analytics are key to internal auditing and continually expand their skills — often on their own time. That expertise opens doors to more internal auditor interaction with organizations' executives, and this year's Emerging Leaders are eager to take advantage of the opportunities they see ahead to be meaningful players in their enterprises' success.</p><h2> <img src="/2019/PublishingImages/Sweeney.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jordan Sweeney, <strong>CFE</strong><br></h2><p> <strong>28,</strong><strong> Senior Auditor</strong><br><strong>City of Sacramento, Calif.</strong></p><p>Jordan Sweeney conducts “impactful audits,” as one colleague puts it, and she is hailed for following up to ensure recommendations are implemented. From day one, the University of California at Davis graduate was given sole responsibility for auditing the city’s Department of Utilities (DOU). As a result of her consistent follow-up efforts, the DOU has achieved “a realized monetary benefit of more than $15.2 million dollars,” reports Sweeney’s supervisor, Sacramento Assistant City Auditor Lynn Bashaw. “She continues to work with the department to implement recommendations made in her audits,” Bashaw adds, “as well as recommendations made in previous audits.” Sweeney says providing informal audit training to DOU staff members responsible for the recommendation follow-up efforts helps them understand what internal audit is looking for and communicate that to other staff, thereby reducing the number of documentation requests she has to submit. She also manages the city’s whistleblower hotline for reporting fraud, waste, or abuse, and so far has resolved more than 80 cases. Sweeney, who holds a master’s degree in civil engineering, came to the profession after learning about it at home — her husband is a premium auditor for an insurance company. The work seemed challenging yet fun, she explains, and used many of the same data analysis and problem-solving skills an engineering education requires. Sweeney adds: “I felt it would be very rewarding to be a part of something with such a big impact on how the government operates.” </p><h2> <img src="/2019/PublishingImages/Cheng.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Cheng Cheng, CIA</h2><p> <strong>28, Consultant, Enterprise Risk Service</strong><br><strong>MNP LLP</strong><br><strong>Toronto<br></strong></p><p> <strong></strong>This is how Cheng Cheng characterizes his profession: "I selected internal auditing because it's challenging, nonroutine, and fun." The University of Toronto graduate started out with a degree in commerce and a master's degree in accounting; early in his career, Cheng worked on finance, assurance, and internal audit-related jobs, ultimately opting for the latter as his main focus. "Every day is a new challenge and learning  opportunity," he says. One early challenge was how dependent consulting is on experience and industry knowledge, which he lacked at the time. "I forced myself out of my comfort zone," he says. "I told myself, 'Don't' be afraid to ask questions.'" And having tapped his mentor's experience to great effect, he advises those working with professionals who have extensive knowledge in the field to observe how they work. Cheng's own work encompasses internal controls over financial reporting, payroll audits, external quality assessment, and risk-based operational and compliance audits, notes MNP colleague Jim Barbour, who cites another challenge Cheng has overcome. "A recent client required him to reconstruct multiple years' payroll reporting to tax authorities," Barbour says. "He used document capture and data analytics tools to prepare and evaluate the source data for the required deliverables." Cheng points to the value of communication skills as key to explaining deliverables to clients. "No matter how technology evolves," he says, "we will always need to build relationships with people." Outside internal audit, pick-up basketball games most weekends constitute Cheng's No. 1 hobby. He's also an active volunteer in MNP's Community Activity Project and Education program and serves as treasurer for IIA–Toronto. </p><h2> <img src="/2019/PublishingImages/Fritz.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Blaine Fritz, CIA</h2><p> <strong>29, Governance & Operations Manager/Chief of Staff</strong><br><strong>GSK</strong><br><strong>Research Triangle Park, N.C.</strong></p><p>Blaine Fritz became an internal auditor to understand how companies work from the inside out. He hit the professional jackpot: The Michigan State University graduate has led global audit teams and conducted engagements across multiple risks — commercial practices, anti-bribery and corruption, financial controls and reporting, and supply chain, to name a few. His work has spanned multiple functions, cultures, and geographies, including North and South America, Europe, and Asia. The former audit manager, who’s since moved into Managed Markets and Government Affairs, has also led multiple initiatives to improve the internal audit function at GSK, notes his manager, John Boone, vice president, Contract Management and Operations. “He’s gathering observations on the impact of an audit from a business perspective,” Boone says, “and will feed these observations back into the internal audit function to improve efficiency and effectiveness and minimize business disruption in future audits.” Other projects include leading the Audit Ways of Working Alignment Project, which identified differences in approach between regions and among risk areas, and facilitating training on audit process and third-party oversight. The people part of the equation, Fritz says, is key. “My work provides an opportunity to gain a global perspective and cultural awareness through the people I meet around the world,” he says. Fritz focuses on internal audit’s evolving role, noting that use of the audit function as a resource for insights gained through sharing of good practices across the business represents an important change for the profession. “Auditors can share an enterprise view gained from experiences in different risks and parts of the business,” he comments. Outside the office, the soccer player and youth team coach also serves as an Early Talent Mentor for GSK’s Future Leaders Program and as a member of GSK’s Orange Day Volunteer Committee; each year, employees spend Orange Day off-site, volunteering at a charity of their choosing.</p><h2> <img src="/2019/PublishingImages/Donner.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Melissa Morlan Donner, CIA</h2><p> <strong>26, Audit Supervisor</strong><br><strong>Bank of America</strong><br><strong>Chicago</strong></p><p>Melissa Morlan Donner prefers people to face forward in their approach to internal auditing. "If 'well, that's how we did it last year' is the only rationale you have for something," she says, "there's probably a way to improve it." That often involves automation and, especially, being able to understand what it's doing. Already, the University of Florida graduate notes, a key skill for internal auditors is "the ability to understand how automation can be applied." Writing code is a plus for anyone to possess, she says. "But more important is being able to clearly articulate what you think an automated process would look like and have a grasp of what is possible before working with an automation expert to get it done." Donner built her audit skills analyzing and testing controls across various industries as a consultant, while also project managing the day-to-day activities of those engagements, reports current supervisor Janet Jarnagin, an audit director at Bank of America. Now Donner is responsible for board and executive management reporting, including presentations summarizing audit results, issue status, and audit department performance to the organization's highest governing bodies, Jarnagin says. Within months of starting at Bank of America, Donner designed a new monthly business review for the chief audit executive (CAE) to oversee department operations and revamped the issue management report for the CEO's management team. Donner says that's a good example of the trusted advisor role internal audit is taking on, and she adds that data visualization is an increasingly important part of it. Reporting a 1% to 2% month-over-month increase via text or a slide may not raise red flags, she explains. But seeing a line chart spanning six months that shows a 10%-plus increase — with a six-month projection if nothing happens — "can really serve as a call to action," she says. Donner is a member of The IIA's Chicago chapter and volunteers at TutorMate, an online program that helps kids improve their reading skills.</p><h2> <img src="/2019/PublishingImages/Munshya.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Kenson Munshya, CIA, CISA</h2><p> <strong>29, Audit Manager</strong><br><strong>Stanbic Bank Zambia</strong><br><strong>Lusaka</strong></p><p>Kenson Munshya first saw internal audit from the outside, and found himself impressed by practitioners' insights and deep understanding of the organizations he was auditing externally. "Over time," the Rusangu University Zambia graduate says, "I started looking at the internal auditors' reports as one of the reference points to gain an understanding of clients." Then he joined them — and started spreading the word about internal auditing. "He has a mission to make a difference in the profession," says colleague Chuma Silutongwe. He adds that Munshya was instrumental in helping parent company Standard Bank Group's Africa regions team win the firm's 2018 Group Internal Audit Mark of Excellence Award for enhancing the use of data analytics and audit automation. Plus, he's supported teams from Namibia, Malawi, Botswana, and Mauritius in providing key insight on IT-related engagements, such as cybersecurity and business continuity audits. Munshya says practitioners need to prepare for the future by improving their skills in data analytics, machine learning, and artificial intelligence (AI); he is piloting the automation of the company's audit process using those very skills. Still, he adds, "ultimately, it comes down to one's people skills to manage change and influence decisions." Internal auditing often involves negotiating with management, so a firm grasp of the disruptive technologies combined with people skills is key, Munshya stresses. "I'm amazed at internal audit's ability to influence an organization and be a change agent around strategy and operations, as well as around governance, risk, and internal controls," he says. Outside of internal audit, Munshya enjoys decidedly low-tech pastimes, including chess, jogging, and reading. He also volunteers for outreach programs through his church and is an active member of IIA–Zambia. </p><h2> <img src="/2019/PublishingImages/Cook.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Maddie Cook, CPA</h2><p> <strong>30, Senior Manager, Consulting</strong><br><strong>Crowe LLP</strong><br><strong>Los Angeles</strong></p><p>Maddie Cook is in the enviable position of working in a role that requires her to indulge in one of her favorite pastimes. The job requires travel, and Cook says, "I really enjoy learning about the cultures that are new to me and sampling local cuisine." And her travels provide valuable insights for her global client work, notes Pamela Hrubey, a Crowe managing director and Cook's career coach. "She leverages the business experience she has gained from working in Canada and the United States to support a variety of clients with offices around the globe," Hrubey says, "bringing a balanced business perspective along with her deep knowledge of internal controls." The University of Western Ontario graduate is also part of an innovation team considering ways to leverage blockchain technology to create internal audit efficiencies, and she's been researching the potential of robotic process automation and AI. "Clearly we will see, over time, these technologies playing a large role within our profession," she comments. To assess controls around that technology, internal auditors will need a robust understanding of how it functions, the associated risks, and the organization's strategy for integrating the technology into its business processes. "The more knowledge we have, the better we will be able to assist, review, and potentially advise management on implementation in the future," Cook says. She also points to significant opportunity to use these technologies in audit work. Companies are making the move to blockchain and other technologies to advance their businesses, she notes. "Internal auditors will need to adapt our methodologies to maximize the associated benefits of the new tools by developing audit programs that increase organizations' confidence in their use." Outside the profession, Cook has donated her time to the Boys & Girls Club of America, a community food bank, and an organization that builds bikes for kids.</p><h2> <img src="/2019/PublishingImages/Wang.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jiahui “Bella” Wang, CIA</h2><p> <strong>28, Senior Internal Auditor, Computer Information Analyst</strong><br><strong>Atlas Air Inc.</strong><br><strong>Purchase, N.Y.</strong></p><p>Bella Wang was surprised to learn how much soft skills support the technical aspects of internal auditing. "I didn't understand the diversity of attributes a practitioner needs to have to be effective," the St. John's University graduate explains. In particular, Wang says that recognizing the importance of sales skills was a professional "aha!" moment. "We are selling our expertise, ideas, and recommendations almost every day to help add value to our organizations." Wang accomplishes that with a firm foundation of technical knowledge, says her supervisor, Charles Windeknecht, Atlas Air's vice president, Internal Audit. "She consistently exhibits a deep understanding of the risk and control considerations she is assessing," he says, "by asking challenging questions in a relevant and meaningful manner." The questions change, of course, as the technology that powers the profession changes. "Technology and automation will make changes in how, where, and when we perform audits," Wang says. Already, she has designed and built several data analytics programs to support internal audit's objective of executing more effective testing, Windeknecht notes. Wang says her department uses analytics routines during annual fraud assessments to help management isolate higher risk transactions. "Senior management is coming to us with more requests to help them identify process improvement opportunities," she says. Wang is also active with the youth education nonprofit Junior Achievement and often speaks at area college and university events about the benefits of internal auditing.</p><h2> <img src="/2019/PublishingImages/Beeston.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Megan Beeston, CFE</h2><p> <strong>29, PRG Senior Associate</strong><br><strong>Frazier & Deeter LLC</strong><br><strong>Atlanta</strong></p><p>Stephen Brown, CAE at PRGX Global, recalls the time Megan Beeston was working on an IT project for his company as part of a co-sourced team when her supervisor was injured and unavailable for an extended period. “Megan stepped up and successfully managed the project with minimal oversight, and exceeded expectations in every way,” Brown says. The Kennesaw State University graduate says the experience provided her tremendous opportunity for learning and growth. “Working in public accounting constantly involves quickly and seamlessly adapting to unexpected situations to avoid delays in projects and deadlines,” she says. She benefitted from having built good relationships with clients — and having the ear of her company’s managers. Early on, she says, she stepped back and realized that internal audit has long used data analytics. But the progress underway now is even more exciting, she adds, as technology increasingly enables internal auditors to expand their capabilities past current roles. “Integrating IT concepts into our strategies will allow us to provide the most value-add to our organizations,” she says. “Any initiative for research or training in technology and how we can apply systems to be more efficient is an important step for us.” Beeston came to the profession when a professor presented it in a compelling way — making her realize she could use people skills to make her role more successful and help people solve problems, which she saw as a perfect fit. Her internship exposed her to a variety of roles and projects, piquing her interest even further. “The ability to wear many hats — as an extension of an organization as its internal audit function, as a service auditor, or consulting through process improvements and security assessments — challenges me technically and as a person,” she says. Outside internal audit, Beeston plays tennis and watches college football. She also fundraises for the Leukemia & Lymphoma Society through her company, volunteers on select weekends with the pediatric grief counseling organization Kate’s Club, and co-chairs the mentor–mentee program at her local IIA chapter.</p><h2> <img src="/2019/PublishingImages/Orunkhanov.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Aidar Orunkhanov</h2><p> <strong>29, Solutions Director</strong><br><strong>TAMR</strong><br><strong>Cambridge, Mass.</strong></p><p>Aidar Orunkhanov approaches internal audit from a different perspective. The University of Illinois at Urbana–Champaign graduate started out in data analytics and came across internal auditing by chance. But he noticed that the profession was beginning to implement data-driven methodologies and saw the potential to implement analytics. He’s now back in data analytics, at a start-up that applies machine learning to data unification, but comments that the massive amounts of data produced by new technology will propel internal auditing toward near-real-time functionality and other elements of automation, raising some worries about technology replacing humans. But he says the technology can’t replace humans completely: “I’d call it ‘using new tools’ rather than ‘managing robotic assets.’ Robotic process automation [RPA] is an ideal solution to frequently repeated rule-based processes.” RPA, in fact, should free up time for more creative and exciting work, he says. One example: He led development of an automated dashboard at a former employer that provides auditors with timely changes to risk profiles and data-enabled outliers for testing purposes. He also co-led a hands-on data analytics training program for 200 colleagues. In addition, Orunkhanov lectures at Boston University, teaching a graduate-level course in business analytics. On weekends, he enjoys travel photography. “The gear I carry has grown exponentially,” he says,” but an incredible Instagram picture is worth it all.” Orunkhanov also volunteers at a local food bank and helps families file their tax returns.</p><h2> <img src="/2019/PublishingImages/Carnevale.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Marilyn Carnevale, CIA, CPA</h2><p> <strong>30, Senior Auditor</strong><br><strong>Rutgers, The State University of New Jersey</strong><br><strong>Piscataway, N.J.</strong></p><p>After a stint in external audit, Marilyn Carnevale has been happily surprised by how gratifying she’s found her internal audit career — particularly the newness of each assignment. “Internal audit procedures often have to be developed from scratch to meet the unique needs of an organization,” she says. “It’s exceptionally challenging, but completely rewarding when our recommendations come to fruition.” At Rutgers, her alma mater, Carnevale was assigned to assist on “a major, multi-phased project,” reports her supervisor, Marion Candrea, manager, Audit and Advisory Services. “It was part of a highly regulated area that required a rigorous learning curve that she easily overcame,” Candrea says, adding that Carnevale started taking on lead auditor tasks right away. With that responsibility came the opportunity to work with student interns. In fact, she was so effective that she soon earned the title of internship program supervisor. Carnevale remembers people leaving her former public accounting firm for internal audit positions, but adds now: “Honestly, I did not even know if I would be any good at it.” Her ties to the university moved her to pursue the position she’s in. “The fact that I’d never heard of internal auditing until about four years into my career is partially why I believe in advocating for the profession,” she says. That includes educating students about options beyond public accounting. In her free time, Carnevale volunteers at The IIA’s Central Jersey Chapter, attends Rutgers athletics events, donates her hair to Locks of Love and Pantene Beautiful Lengths — and plays the piano. </p><h2> <img src="/2019/PublishingImages/Ballweg.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Christopher Ballweg, CIA, CISA</h2><p> <strong>28, IT Audit Supervisor</strong><br><strong>American Financial Group Inc.</strong><br><strong>Cincinnati</strong></p><p>No matter how much internal audit technology advances, success in the profession will always rely on people skills, according to Christopher Ballweg. With a primary focus on IT audits, he sees technological advancements as key to driving change — but the University of Kentucky graduate also stresses that “relationship-building, clear communication, and adaptability” are a practitioners’ most important competencies. Indeed, he says, auditors must be able to clearly communicate any questions or observations, regardless of the business partner. Education helps. Ballweg started at American Financial Group right out of college, notes former colleague Brian McNalley, IT audit manager at Macy’s and a 2018 Emerging Leader. Since then, he has received two key professional certifications and an MBA from Mount St. Joseph University. On the job, Ballweg has been a team leader for engagements involving cybersecurity, disaster recovery, business continuity, the Payment Card Industry Data Security Standard, and U.S. Sarbanes-Oxley Act of 2002 compliance. “A key challenge is ensuring that our work is adding value to our various stakeholders,” Ballweg says. Practitioners who want to be seen as trusted advisors, he adds, must know stakeholders’ goals and ensure that engagements are focused on delivering value. That, he says, requires flexibility. “Continuous change is the aspect of the profession I enjoy most,” he says. When he started, cybersecurity audits and the U.S. National Institute of Standards and Technology Cybersecurity Framework were “still in their infancy,” he says. “Now they’re on the mind of nearly every stakeholder in an organization.” Ballweg has been active in The IIA’s Cincinnati Chapter since 2013, and is a board member of his local American Cancer Society Young Professionals group.</p><h2> <img src="/2019/PublishingImages/Delores.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Christiane Dolores</h2><p> <strong>29, Internal Audit Manager</strong><br><strong>Caesars Entertainment Corp.</strong><br><strong>Las Vegas</strong></p><p>Today's students at the University of Nevada Las Vegas have access to a career insight that Christiane Dolores didn't. The alumna makes a point to attend events on campus to meet students and engage them in the internal audit community, she says, because most of her time as a student was spent learning about external auditing. She's become deeply involved in the profession, having served on the IIA–Las Vegas board as secretary, vice president of Programs, and now vice president, notes her supervisor, Victor Echenique, Caesars' internal audit director. Dolores led an awareness initiative about the services internal audit provides and created a brochure for Internal Audit Awareness Month that was distributed to 145 colleagues throughout the Caesars organization. She excels at her job, Echenique says, winning the "Audit Ninja" title as internal audit's Employee of the Quarter and Employee of the Year six times in a department of more than 80 practitioners. She manages planning and execution of compliance, financial, and operational audits of business operations at casino properties in multiple states, and she's a leader in the department's philanthropy efforts. Dolores didn't set out to be an internal auditor, starting her career in Accounts Receivable and moving around the enterprise to learn several different accounting functions in the organization's nongaming enterprises. "I had no intention of working for internal audit," she says. Then, conversations with a colleague helped change her mind. Now she calls it "probably the best decision I've made for myself." </p><h2> <img src="/2019/PublishingImages/Katsiaryna.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Katsiaryna Pranovich</h2><p> <strong>29, Chief Auditor </strong> <br> <strong>JSC MTBank</strong><br><strong>Minsk, Republic of Belarus</strong></p><p>Katsiaryna Pranovich has learned the value of listening. Early on, she found communicating with internal clients to be “the most laborious, difficult aspect of the job.” But then she learned to listen more attentively to her colleagues, she says, to focus better on what they need from her. “That, plus gaining experience and exercising patience allowed me to adjust my style of communication,” she explains. Pranovich sharpens her people and public speaking skills with stand-up performances of her own comedy material in local clubs and cafes. One of her favorite parts of the job, the Belarusian State Technical University graduate emphasizes, is helping colleagues deal with difficult situations. Another is the opportunity to “engage in different areas of the organization’s activities.” Pranovich extends her internal audit interactions outside the enterprise as well, notes Pavel Varyvonchyk, CAE at JSC MTBank. “She constantly expands her professional skills by attending seminars and conferences,” he says, “which allows her to maintain professional relations with internal auditors at similar companies here and in neighboring countries.” Indeed, Varyvonchyk adds, Pranovich is a two-time winner of the firm’s Best Employee Award. One reason is her involvement in a project examining data mining for automated internal auditing, which aims for continuous monitoring of key departmental indicators of possible process violations. Another project Pranovich heads up is creating automated workpapers and options for management decision-making following audits. Pranovich is, in fact, lauded for her methodologically accurate documents. “The devil is in the details,” she says, “especially with the increasing speed of work and changes in business processes.”</p><h2> <img src="/2019/PublishingImages/Spittler.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Steve Spittler, CPA, CISA</h2><p> <strong>28, Senior IT Internal Auditor</strong><br><strong>LPL Financial</strong><br><strong>Fort Mill, S.C.</strong></p><p>Steve Spittler is a technology enthusiast with strong people skills — two important assets for an internal auditor specializing in IT engagements. “As companies move to the cloud and increase use of third-party vendors,” says the Bentley University graduate, “even practitioners who mainly perform business or compliance audits need to understand the implications cybersecurity could have on their engagements.” Nearly every audit his team performs has cybersecurity considerations, he notes. A recent challenge involved leading both the Vendor SOC1 testing program and the cybersecurity audit for the enterprise, reports co-worker and unofficial mentee Anja Erlandson, senior analyst, risk management, at LPL. “He not only completed the tasks,” she says, “he assisted the business in creating new internal controls, making recommendations consistent with industry best practices.” He also has added visual analytics to audit reports, analyzed large data sets to identify discrepancies, and tested the effectiveness of department policies and procedures. The first few years of Spittler’s career were spent as a public accountant conducting external financial audits; he says the move to his current post represented an opportunity to grow his skills. His social network also has expanded. Spittler says: “What I love about my job is the level of collaboration and the people.” Most of his engagements are integrated, with the business audit and IT audit teams working together, he notes, citing the value of building relationships with clients. Practitioners often can see firsthand the improvements made because of their recommendations, he adds. Off the clock, Spittler volunteers at the Humane Society, the Metrolina Food Bank, and the Boys & Girls Club of America.</p><h2> <img src="/2019/PublishingImages/Murray.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Sarah Murray, CIA</h2><p> <strong>27, Senior Auditor</strong><br><strong>Savannah River Nuclear Solutions</strong><br><strong>Aiken, S.C.<br></strong></p><p> <strong></strong>For Sarah Murray, early career inspiration came from an audit class project that involved creating flowcharts and identifying control deficiencies. "It was totally different than anything I had done in my accounting studies thus far," she says. The Augusta University graduate enjoyed it enough to apply for an internal audit internship and ended up "falling in love with the work and the variety of people that you get to meet." One part of the job she's especially fond of is working with data. "It always has a story to tell you," she notes. Former Augusta University accounting lecturer and current colleague Steve Loflin, principal internal auditor at Savannah River Nuclear Solutions, says Murray's skills in analytical and substantive testing are exceptionally advanced. "As much as she impressed me as a student," he comments, "I've been even more impressed by her abilities as an internal auditor." Loflin adds that Murray is known for her timely and effective auditing and her ability to build relationships. Murray does have an agenda: She's out to end the "gotcha" and "take no prisoners" stereotypes of internal auditors. She makes a point to find ways to minimize nervous tension during engagements by checking clients' work spaces for clues to a favorite football team or new grandchildren. "I get them talking about those things to loosen them up," she notes, "and see audit as a function that is truly there to help." Murray also volunteers with local youth ministries, and with the River of Life, which provides exterior home repairs and improvements to local community members. In addition, she's active in, and a former officer of, The IIA's Central Savannah River Area Chapter. </p><p><br></p><p><img src="/2019/PublishingImages/EmergingLeaders_oct%2719_judges.jpg" alt="" style="margin:5px;" /><br></p>Russell A. Jackson0
Auditing With Grit With Grit<p>What seems like an eternity ago, I received a book in the mail titled <em>Grit: The Power of Passion and Perseverance</em>, by Angela Duckworth. It was sent to me by my mentor and friend with a note that said, "You are gritty, and gritty is good." I wasn't sure at first what he meant, but after reading the book I was inclined to agree that grit is a quality I possess.</p><p>According to Duckworth, "[If you have] a deep and abiding interest, a ready appetite for constant challenge, an evolved sense of purpose, and a buoyant confidence in your ability to keep going that no adversity could sink," you probably rate high on the grit scale. I like to think this describes me. It may also describe many internal auditors, as these qualities are often necessary to perform our jobs effectively. </p><h2>Personal and Professional Grit  </h2><p>My capacity for grit was tested a few years ago when I faced a challenge in my personal life. In 2015, I tested positive for the BRAC1 breast cancer gene mutation. After discussions with close family and friends, I underwent multiple preventive surgeries, including a double mastectomy in 2016. While some might consider this measure extreme, an 86% chance of developing breast cancer in my lifetime was not something I was willing to accept. Now my risk has been reduced to 10% per general statistics, and 2–5% per my doctors — odds I'm much more comfortable with. </p><p>I also discovered the value of grit in my professional life. Early in my career, I took an internal audit position at a large financial services company. I then left the job a few years later for a traditional accounting position, only to return soon afterward to internal auditing upon realizing that's where my true passion lies. I progressed quickly to the role of internal audit director and woke up every day for the next eight years with the same enthusiasm I had at the beginning of my career — and the perseverance to make a difference in the audit profession.   </p><p>Staying true to my friend and mentor's observation, I recently mustered internal grit once again by resolving to start my own business. Now my work involves practicing, teaching, and training others about internal auditing, including the concept of <em>grit</em> and how it applies exceptionally well to the profession.</p><h2>Grit in Practice</h2><p>Duckworth describes those with grit as high achievers who possess qualities such as diligence, persistence, determination, focus, and the ability to overcome obstacles. She also explains in her book that talent, aptitude, skill, and education are not enough. </p><p>Grit, as it relates to internal auditing, starts with a passion and desire to make a difference in the organization. It means looking forward to the next engagement or challenge. It means having the courage to point out what others may not want to see. </p><p>Great auditors have to combine an understanding of operations, financial processes, and technology with the curiosity to find risky or unusual items. They also must possess the ability to establish relationships and build trust with management. And, of course, auditors must do all this while not always being greeted with open arms by their clients.</p><p>How do great auditors accomplish great things? They do it with grit. They audit with passion, working toward longer term, strategic goals that are of value to the organization, with the necessary resolve and follow-through to reach those goals. They do it with perseverance, working with the courage and determination to pursue an engagement or finding, despite obstacles, until their job is complete.</p><h2>Are You Gritty?</h2><p>How do practitioners determine whether they have the qualities to be a gritty auditor? First, they should make sure they are in the right place or in the right profession by answering a few questions:</p><ul><li>Are you passionate about your organization, clients, and engagements? </li><li>Do you look forward to delivering relevant, value-added findings to management?  </li><li><p>Do you believe in the larger purpose of auditing and its impact on your organization or clients?</p></li></ul><p>If the answer to each of these questions is "yes," internal auditors should then make sure they tackle their work every day with an eye toward five key factors: </p><ol><li><strong>Achievement.</strong> Believe respect is earned and reward and recognition come after achievement.  Add value through the systematic identification and mitigation of risk and implementation of solutions that result in significant improvements.</li><li><strong>Focus.</strong> Gain the necessary knowledge for each engagement. Risk assess engagements using appropriate knowledge and input. Focus on meeting value-added objectives. Set timetables and manage engagements to timely completion.</li><li><strong>Time/Resources.</strong> Allocate time to the high-impact goals, risks, and improvement opportunities within engagements. Apply the latest tools and technology while controlling audit costs; do more with less.</li><li><strong>Effort.</strong> Create a culture of commitment. Be committed to every engagement and to supporting the success of the organization. Work hard and smart. Continuously improve yourself and your techniques.</li><li><strong>Reputation.</strong> Build a reputation for providing a valuable service and fulfilling promises. Be known for your resolve and agility to overcome obstacles and ensure success. Remain adept and nimble as you audit in an ever-changing world, within evolving organizations, leadership, strategies, technologies, and risks.</li></ol><p>Practitioners who perform their work with these factors top of mind can safely say they audit with grit.</p><h2>The Power of Grit</h2><p>To quote Duckworth, "Our potential is one thing, what we do with it is quite another." Internal auditors have a tremendous platform to improve effectiveness within an organization, a platform that is sometimes underutilized. It's time to show grit as auditors and spend each day working to our full potential. <br></p>Amanda "Jo" Erven1
A Blended Approach Blended Approach<p>​Traditional audits are often awash in wasted time, unnecessary conflict, and incorrect assumptions. Active auditing is a form of Agile auditing that was developed in a major utility company to eliminate, or at least substantially decrease, these kinds of wasteful activities. The term active auditing was, in fact, coined because it is the antonym of passivity and waiting.</p><p>Lean — often synonymous with the Toyota Production System — is a change-making methodology. Agile is an IT project management approach. Active auditing borrows concepts from both disciplines to create a more efficient way to run audits. The catalog of material describing both Lean and Agile principles is vast, so active auditing borrows only what is needed to create an audit system that can work better than a traditional one. The system can best be explained by breaking it down into three pillars.</p><h2>Pillar One: Energetic Collaboration<br></h2><p>Lean and Agile both preach that there can be only one team, and that team members must work together throughout the project. However, the reality is often two teams — the audit client and auditors — facing each other across a battlefield even while proclaiming their intent to work collaboratively. Active auditing recognizes that both teams work for the board, and the board has the right to expect both to behave as a single, combined team. </p><p> <img src="/2019/PublishingImages/Coleman-combining-lean-agile-techniques.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:450px;height:331px;" />Collaborating energetically is a choice to which both auditors and audit clients must commit. Without deliberate and overt commitment, both groups tend to fall back into bad habits. Once committed, the two develop shared ground rules — defining what’s nonnegotiable for each of them and how they want to work together. Personal connection is critical for collaboration, so information should be shared early, often, and in person, as much as possible.</p><p>Beyond the practical steps, auditors must lead in making themselves open and vulnerable. This can be a scary step, as auditors typically are so accustomed to maintaining professional distance that laying their cards on the table may not come naturally. Auditors must be the first to extend an authentic, though likely uncomfortable, hand to the audit clients to collaborate. And they must mean it — in everything they say and do.</p><p>When teams energetically collaborate, better information is offered, rather than extracted; far less time is wasted; there are fewer misunderstandings; clients grow to believe the auditors understand them; there is less conflict, which is good for clients and auditor; and the audit can be fun.</p><h2>Pillar Two: Iterative Audit Execution<br></h2><p>Agile as a software development methodology was created to counter traditional sequential Waterfall techniques. Waterfall is how most construction projects are managed — by planning, designing, building, and implementing. It relies on high-quality requirements-gathering at the beginning of a project and an acceptance that changes midstream are unwelcome. In contrast, Agile embraces flexibility and change. To manage this flexibility, Agile breaks the work down into iterations, or sprints. An iteration is a mini-software project, with a specified beginning and end, that is structured to produce working and sellable software at its completion. If a typical large software project takes two years, an Agile project will produce perhaps 12 instances of sellable code over that time, whereas a Waterfall project will produce one. </p><p>The overall risk of the project is reduced because the Agile project tests the market frequently, while the Waterfall project hopes its grand unveiling two years from now is still what the market wants.</p><p>Active auditing borrows from the concept of iterations — breaking down the audit program into mini-audits. The typical steps of an audit — from risk assessment to workpaper approval — still occur, but in smaller chunks. And they are completed before moving to the next iteration. </p><p>Active auditing starts by building an overall audit program, which is the best initial guess at the right control objectives and fieldwork steps. Then, using engagement planning sessions, the work is assigned to time-boxed iterations. Time-boxing establishes start and end dates that auditors and clients commit to work within. It’s best to keep an iteration to between two and four weeks, but that choice depends on the fieldwork. After each iteration, the single, combined team pauses to reevaluate and ask: </p><ul><li>Based on what’s been learned, what needs to change? <br></li><li>Is the risk assessment still valid? <br></li><li>Are all the fieldwork steps required to assess the con-<br></li><li>trol objective? <br></li><li>Are the right people involved? <br></li><li>Where are the bottlenecks? <br></li></ul><p>Both Lean and Agile teach internal auditors to welcome change to their audit program as they learn more and reassess risk. They can’t assume initial planning was perfect, so they should embrace an evolving audit. In return, when audits are executed as smaller mini-audits, they become easier to manage because work is done in digestible bites, countermeasures to address problems can be applied in the next iteration, and the audit can be stopped after an iteration and still have useful results.<br></p><h2>Pillar Three: Visual Management <br></h2><p>A central principle of Lean is to make waste visible. When waste is visible, the people involved can work together to eliminate it. Frequently, “waste” appears in audit work in the form of waiting, unnecessary motion, rework, and overproduction. Active auditing uses visual management techniques borrowed from Lean to allow the combined team to fully understand the audit’s progress and each member of the combined team’s part in it. </p><p>The greatest waste in auditing involves waiting. Waiting for data to be provided, emails to be returned, interviews to be scheduled, and so on. Internal auditors compensate by shifting their focus to other things, but that means rework as they have to reeducate themselves on the subject when they return to that work. Making lost time visible using visual management tools drives wait time down. </p><p>As often as every day for 15-30 minutes, auditors and clients should hold a standup meeting around a visual control board (VCB). The VCB consists of panels that show progress on the audit program, assigned tasks, a “dog house” for tasks that aren’t getting done, a shared master calendar, and a “hearts & minds” board to capture shared expectations and concerns. Because Lean is inherently a change-making methodology, it provides techniques for helping build mutual purpose, and daily standup meetings with the audit clients in front of the VCB are an important example. VCBs can be as large as an entire purpose-built wall or as small as an 11x17 piece of paper taped to a conference room whiteboard. Visual management can ensure: </p><ul><li>Every member of the single, combined audit–client team is constantly updated on status. <br></li><li>Problems are visible long before they manifest; waiting actions — such as data or report requests — are visible to the entire team, and therefore can be expedited. <br></li><li>The human aspects of an audit (anxiety, mistrust, etc.) are addressed openly and treated as legitimate risks to the project.<br></li></ul> <h2>Celebrate the Audit <br></h2><p>Active auditing borrows two additional important concepts from Agile. The first is retrospectives. In an Agile software project, after each sprint, the team gets together to examine what went well and what should change. This is a critical aspect of improvement and it should occur at the end of every audit, and often at the end of any sizeable iteration. Ceremonies and celebrations are the second concept borrowed from Agile for the conclusion of the audit. The team members come together to celebrate, perhaps with food, and take a moment to reflect on the work they did together. </p><h2>Audit Without Limits <br></h2><p>It can be difficult to implement all three pillars at once. The best first step is to start holding frequent, but brief, standup meetings with audit clients and auditors. It will quickly become clear that the standups are more effective with some form of visual management tool. The VCB should be developed early and expanded and refined over time. As standups progress, it should become easier to collaborate more effectively by developing ground rules and acknowledging the human side of the auditor–client relationship.   </p><p>In the end, the three pillars of active auditing work in concert. Energetic collaboration allows visual management to function smoothly to manage the audit work. Tight monitoring of progress through visual management allows the audit to execute iteratively. Timely and frequently completed audit work is the outcome of internal auditors and the audit clients working as a single team. The specific techniques used are likely to vary among companies and even across audits, but the core concepts contained in each pillar are universal and can be implemented anywhere. <br></p>Prescott Coleman1
The Citizen Internal Auditor Citizen Internal Auditor<p>​Internal auditors working in the public sector experience unique challenges. In many countries, they face a revolving door of elected officials looking toward the next election, appointees glancing over their shoulders to ensure the security of their appointments, and the heightened bureaucracy and red tape inherent with any governmental entity. </p><p>But perhaps the most daunting part of the job is that many government audit functions are required to make their final reports publicly accessible. The rest of us can only imagine the challenge of issuing a final report with the entire world watching. </p><p>Still, good things can come from potentially negative situations. One government audit function, for example, leveraged the reporting requirement by establishing its own website and using it to showcase the results of its work. The site showed internal audit’s positive contributions, providing constituents with concrete evidence of how tax dollars spent on auditing helped everyone. Imagine the opportunity to speak directly to stakeholders, explicitly showing the value auditing provides. </p><p>Practitioners may want to consider another upside to the public nature of this process — depending on where you reside, audit reports related to the various communities, municipalities, and governments associated with your area may be available for your perusal. At any time, you can go to the internet and find what is happening in your city, county, state, or other governmental entity. </p><p>Where civic participation is an option, internal auditors have two duties to uphold as citizens. The first mirrors that of any citizen — to become engaged in local government and the activities of public officials. But internal auditors also have something most other citizens lack — the professional knowledge and<br> experience required to understand public sector audit work. We are uniquely equipped to understand how local government uses the audit function, as well as the broader impacts on governance, risk, and assurance. </p><p>The challenge is to take the time to explore various local government websites and find those audit reports. Auditors can then determine if it looks like the audit function is examining the important areas, if their findings are important, and whether those responsible are addressing the findings. They can also determine if elected officials are taking the reports, results, and issues seriously. </p><p>If government entities fall short, internal auditors should step forward — as both citizens and professional internal auditors — and make their voices heard. Write letters and emails, speak up at open meetings, request a private meeting, and make elected officials understand the importance of internal auditing. If your voice is ignored, reach out to fellow professionals to help elected officials understand who they work for. Because when they work for internal audit professionals, those officials have an increased duty to ensure a strong governance structure — and a strong audit function — is helping everyone succeed. <br></p>Mike Jacka1
Auditing Conduct Conduct<p>​Outrageous behavior by employees within the global financial services industry have put boards and regulators on high alert regarding whether their companies are acting in the best interest of their customers. Recent scandals include Wells Fargo’s cross-selling program, where employees were pressured to open new bank accounts and issue credit cards for customers without their knowledge. At Australia’s Commonwealth Bank, some financial advisors charged clients service fees even when there was not any record of services being provided. The fallout from these and other scandals has included massive dismissal of staff, millions of dollars in fines, loss of customer confidence, and reputational damages. </p><p>Successful financial services companies view their customers as the heart of their business. These companies are focused on the continuous delivery of quality products and services that produce a fair and suitable outcome for their customers. Regulators and corporate boards expect companies to measure and demonstrate appropriate conduct toward their customers. Inappropriate, unethical, or unlawful behavior by the organization’s management or employees that lead to poor customer outcomes is not acceptable. </p><p>Today, conduct issues pose a great risk to a company’s success and sustainability. In addition to regulatory fines, companies that do not mitigate conduct issues may face a quick trial by “word of mouth” in social media that could result in reputational damage and loss of trust. It may be nearly impossible for an organization to manage the crisis and respond timely to correct the misconduct once the story gains traction on social media. That’s why internal audit departments should play a significant role in assessing whether their organization’s conduct risk framework is fit for purpose and identifies potential blind spots that management needs to address. <br></p><h2>Conduct Challenges</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Conduct Audit Tips</strong><br></p><p>Effective mitigation of conduct risk looks beyond mere compliance with laws and regulations while putting the customer’s interests first. Auditors charged with assessing conduct risk within an organization should:</p><ul><li>Avoid a “check-the-box” approach.<br></li><li>Be customer-outcome focused by looking at behaviors from the customer’s perspective. For example, in looking at a product offering, auditors should ask whether the company did right by the customer.<br></li><li>Go beyond regulation to call out detrimental conduct risk that is embedded in the organization’s strategy, values, and culture. <br></li><li>Don’t just focus on “hard” controls. Auditors should look at soft controls that can give them a feel for how business is conducted outside the formal audit program. For example, does the culture encourage employees to meet aggressive or unrealistic sales targets?<br></li><li>Seek specialist knowledge from external experts if the organization lacks such expertise in-house.<br></li><li>Emphasize reporting and data analytics to identify potential conduct blind spots.<br></li></ul></td></tr></tbody></table><p>The main challenge for internal auditors is that each organization’s conduct risk profile is unique and there is no “one size fits all” prescribed framework for assessing behaviors toward customers. As a result, there is no standardized approach to auditing conduct risk. As large financial services organizations operate in multiple jurisdictions, with different legal and regulatory environments, the ability to design an audit program that can depict a timely and holistic view of conduct becomes complex. </p><p>Another challenge in assessing conduct risk is that public sentiment and societal norms are constantly evolving. What was considered acceptable behavior in the past may be viewed differently today. For example, in the past it was considered acceptable to smoke in the workplace, but today smoking in offices is viewed as unacceptable and is illegal in many places. </p><p>Similarly, in the financial services industry, the adoption of technology and democratization of information have dramatically changed what are considered acceptable fees to charge for mutual funds. Average mutual fund fees or expense ratios have declined substantially over the past 20 years from in excess of 1% in 1996 to a fraction of a percent in 2019. Auditors need to understand not only their organization’s operations intimately, but also the regulatory and societal expectations.</p><p>To evaluate whether an organization is acting with integrity in dealing with its customers, internal audit should assess whether the business designs and sells products and services in the best interest of the customer. As culture and conduct risks are interconnected, auditors should consider multiple factors that drive conduct and behaviors, including:</p><ul><li>Corporate governance.<br></li><li>Remuneration.<br></li><li>Incentive schemes.<br></li><li>Product development.<br></li><li>Sales practices.<br></li><li>Fees and charges.<br></li><li>Customer service.<br></li><li>Complaints handling.<br></li><li>Training.<br></li></ul><p>In general, a strong customer-focused culture leads to fewer conduct failings and helps to mitigate conduct risk. Internal auditors should leverage any previous audit work covering corporate governance, culture, and ethics in their conduct assessment. They should align their audit approach to the scale, business model, complexity, geographical reach, and regulatory environments in which the organization operates. Auditors should provide assurance on the design and effectiveness of controls over conduct risks and determine whether the controls in place are adequate and effective to mitigate the risk of poor customer outcomes.</p><h2>Audit Options</h2><p>In developing a structured approach to systematically assess conduct risk, auditors need to determine whether a top-down, bottom-up, end-to-end, or integrated audit is best suited for their organization. Regardless of what approach auditors select, the organization’s conduct risk framework is key. This framework should be anchored around the organization’s business strategy, risk appetite, culture, and values.</p><p><strong>Top-down </strong>The top-down audit approach starts by assessing the adequacy of an organization’s conduct risk framework and how the framework translates into policies. Then it drills down into how existing processes and controls over governance, risk appetite, culture, and behavior mitigate conduct risks. <br></p><p><strong>Bottom-up</strong> In the bottom-up audit approach, auditors assess the processes and controls within a business unit to determine whether conduct risk is mitigated. Auditors then can aggregate the conduct risk results of each audit into a thematic paper for effective communication to the board and senior management. <br></p><p><strong>End-to-End</strong> This audit approach evaluates the customer interaction value chain in its entirety. The customer interaction value chain comprises:<br></p><ul><li>Product design.<br></li><li>Pricing.<br></li><li>Distribution.<br></li><li>Sales practices.<br></li><li>Claims handling.<br></li><li>Complaints.<br></li></ul><p>While comprehensive, drawbacks to this approach are the manpower necessary to complete the audit and potential untimely communication of any findings.</p><p><strong><img src="/2019/PublishingImages/Land-integrated-audit-example.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:206px;" />Integrated</strong> In the integrated audit approach, internal auditors consider aspects of conduct risk in every audit of a business unit (see “Integrated Audit Example,” at right). Such audits can range from an evaluation of sales practices during an underwriting audit to looking at incentive schemes and training programs during a regulatory compliance audit. Auditors would report any conduct risk findings as an issue in each applicable audit.<br></p><h2>Conduct Blind Spots</h2><p>Internal audit’s holistic view of an organization positions the department to identify potential conduct risk blind spots by assessing the organization’s underlying culture and conduct toward customers. Moreover, in their advisory role, auditors can highlight specific departments and individuals as role models whenever they find exemplary behavior and best practices in conduct risk mitigation. These actions can help ensure the organization’s conduct stays on the straight and narrow.  <br></p>Anders Land1
Expand Your Role in Internal Audit Your Role in Internal Audit<p>​How does a new internal auditor whose primary focus could be standard audits, such as auditing expense reports or U.S. Sarbanes-Oxley Act of 2002 testing, get the opportunity to work toward auditing nontraditional risks that are strategically significant to the company? Internal audit departments cannot audit what matters if it keeps new auditors on an island regarding internal and external information and changes facing their companies. By capitalizing on information and best practices, internal auditors can expand their roles both within the department and the organization. This is especially beneficial with the changing demands of stakeholders, senior management, and regulators. </p><h2>Internal Information</h2><p>Through a blend of formal and informal channels, internal auditors can keep their fingers on the pulse of the company and identify opportunities to add value. There are many formal conduits of information that can yield useful information about potential audit opportunities. Having internal audit participate in financial close calls and quarterly business reviews is a great way to identify the company's pain points and potential solutions. </p><p>For example, suppose while sitting in on a call, management notes that due to recent turnover and capacity issues, accounting was unable to identify the root cause of an issue related to absorption accounting at one of the production plants. The chief audit executive (CAE) volunteers one of his or her auditors to assist at an advisory level to do a root cause analysis and help develop an operational process narrative to help new employees understand the process. The auditor identifies issues that were causing absorption to be underreported at the plant, which, in turn, increased expenses. By remedying these issues, the plant is able to accurately present its financials and drive higher profitability. </p><h2>Informal Communication </h2><p>Internal auditors can get exposure to critical information through the simplest means. Developing professional relationships with different departments opens the door to many audit opportunities. It could be as easy as informally discussing issues facing their department that could expose process flaws or opportunities for improvement. This can be done by encouraging the audit team to sit with different departments in the company cafeteria instead of isolating themselves by sitting with other auditors. </p><p>Informally engaging with other departments also may turn up issues that aren't discussed in formal meetings. For example, suppose an auditor invites her company's operations manager to lunch. While trading pleasantries, the manager mentions that an employee quit his job a week before and left his badge and corporate credit card on his desk. No one has come to retrieve it and the items have been sitting out in the open ever since. The auditor is concerned, so she tests the badge at the entrance and it still unlocks the door. With her CAE's approval, the auditor reviews the exit process and discovers that 80% of employees who left or were fired that year still had access to the building, and that there was no formal offboarding process to ensure that badges were collected. The issue is then quickly remedied, but it may have persisted if the auditor had not decided to lunch with the operations manager. </p><h2>External Information</h2><p>Subscribing to industry publications and tracking standards and regulatory updates can help internal auditors gain a better understanding of the company, itself, and the industry their company is in. Greater knowledge of these areas improves an auditor's capability to indentify risks. </p><p><strong>Industry Publications</strong> Knowing how the industry is operating and trending can help identify risks, drive efficiencies, and create competitive advantages. Internal auditors can subscribe to industry publications or create Google alerts for their companies and competitors to easily stay informed about industry news and make educated assessments of risk.</p><p><strong>Standards Updates</strong> Staying current on relevant standards updates before their adoption dates allows internal auditors to identify issues their company might face and help address them proactively. When a new standard is adopted, instead of waiting for the evaluation and adoption to be completed by management, internal auditors can study the topic and develop the required competencies. Then they can discuss with their CAE their interest in joining the implementation team as an advisor. </p><p>At this level, auditors can be proactive in providing insight into the adoption controls that should be in place throughout the project and the process-level controls that should be embedded into the procedures during implementation. Major public accounting firms often release resources such as industry-specific interpretations and practical applications of standards updates for free.</p><p><strong>Regulatory Updates</strong> It is important to keep track of regulatory changes for smaller companies that don't have the resources to proactively disseminate regulatory information to their employees. For example, if an employee was not aware of a regulation such as the U.S. Telephone Consumer Protection Act (TCPA), which prohibits solicitation to phone numbers that are listed on do-not-call lists and the company uses robocalling for commercial solicitation, they could be exposing the company to risk. Or if it relied on data obtained by a third party saying it supposedly was already scrubbed against all numbers on state and national do not call registries, then making calls from that list could open the company up to class-action lawsuits if those numbers were opted in to a do-not-call registry. Since the TCPA is a strict liability statute that awards $500 per violation and up to $1,500 per willful violation, a class-action lawsuit with thousands of violations could have a material impact on the company. </p><p>Internal auditors can be a great resource by identifying regulatory risks such as these based on their knowledge of processes and staying current on regulatory laws and updates. This is a great example of how an auditor can step outside of his or her comfort zone to audit what matters to management. One caution when stepping out of comfort zones is to remember IIA Standard 1210: Proficiency. If an auditor does not have the competency to conduct the audit or review, he or she should not begin it. </p><h2>Grow Your Career</h2><p>Through leveraging internal and external information and capitalizing on change, internal auditors can position themselves to expand their roles and develop skills that will help them advance their careers. This includes staying informed and keeping their eyes open, continuing professional development, staying involved, inviting themselves to formal and informal corporate meetings, and ensuring they are prepared to deliver on engagements. <br></p>Alex Rusate1

  • IIA AuditBoard_Nov 2019_Premium 1
  • IIA GAM_Nov 2019_Premium 2
  • IIA OnRisk_Nov_Premium 3