The Responsive Organization Responsive Organization<p>​Extraordinary events can disrupt businesses and rapidly cause significant financial losses globally, as the COVID-19 pandemic has so painfully shown. When the crisis unfolded, board members, executive management, and internal audit teams had to innovate and embrace technology to manage essential change for long-term survival. Being able to respond quickly and adapt effectively to the challenges determined which organizations thrived and which struggled. </p><p>A practical, responsive approach, emphasizing product and service quality, is critical as organizations adapt to changing business conditions resulting from the pandemic. Fortunately, responsiveness is an essential component of what internal auditors do every day. </p><p>Responsiveness and adaptability require agility, excellent communication, and collaboration between internal audit and functional managers. To help the organization accomplish strategic goals by auditing what matters, internal audit must work closely with the board, management, and other stakeholders while balancing its audit and advisory responsibilities to maintain objectivity and independence. </p><h3>Value and Responsiveness</h3><p>Internal audit can add value by helping to make the organization become more responsive. Answers to three questions can explain why:</p><ol><li><em>What must management achieve for the organization to succeed?</em> According to The IIA’s 2020 North American Pulse of Internal Audit report, despite staffing growth reflecting continued stakeholder support, many organizations do not fully leverage internal audit services for certain key risks.</li><li><em>What key risks stand in the way of management achieving objectives and meeting performance targets? </em>The Pulse report highlights differences between how chief audit executives (CAEs) view risks and how internal audit resources are allocated to support the board and executive leadership.</li><li><em>Is it possible for internal audit to improve responsiveness, help management succeed, and solve problems that the board and leadership view as necessary, if internal audit and enterprise priorities are not aligned?</em> While most CAE respondents rate their internal audit functions as mature to support strategic risk management, long-term planning, and continuous improvement, 3% rate their department at the lowest, initial stage, and 17% rate themselves at the second-lowest, infrastructure stage, the Pulse notes.</li></ol><p>Internal audit must be able to maintain its independence, continue to drive accountability and transparency, and enhance and protect organizational value by providing risk-based assurance, advice, and insight. At the same time, the department needs to adopt an end-to-end internal audit value chain (IAVC) mindset that enables auditors to help management create, capture, and sustain value (see “Understanding the Internal Audit Value Chain,” below).<br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Understanding the Internal Audit Value Chain</strong><p><br>An organization’s objectives are centered around optimal use of people, technology, processes, and corporate culture to achieve strategic goals, sustain performance, and drive profitability. The Internal Audit Value Chain (IAVC) is an end-to-end framework that provides a simple, flexible, and agile structure to connect the organization’s goals with the internal audit support objectives. The IAVC and its key components are defined as the enterprisewide initiatives impacting business functions.  </p><p>Internal audit’s role in the value chain requires an understanding of the organization’s: </p><ol><li>Strategic alignment and direction. </li><li>Risk management and monitoring.</li><li>Operational efficiencies.</li><li>Quality and compliance.</li><li>Financial management and corporate governance.</li><li>Responsiveness and ability to adapt to the constantly changing business, political, and economic environments.</li></ol><p>The IAVC can enable the CAE to collaborate with the board, leadership, and management to: </p><ul><li><em>Create value</em> — Determine the starting point toward an overarching objective and not the endpoint.</li><li><em>Capture value</em> — Identify problems the organization is solving and how they are reflected in the strategy.</li><li><em>Sustain value</em> — Retain factors that allow the organization to create and capture value over time.<br></li></ul></td></tr></tbody></table><h3>Building Responsiveness<br></h3><p>A responsive organization is agile in the ever-changing business environment, learns during strategy formulation, and enhances its capabilities as it executes those strategies. When organizations are not responsive, they fail to: 1) identify and mitigate risks impacting strategy; 2) follow up to validate that critical findings were resolved satisfactorily; and 3) address compliance issues, customers, or clients’ complaints timely and effectively. These failures can result in financial losses and reputational damage. </p><p>To become responsive, the board, leadership, and management, with support from the CAE, need a simple view of strategy planning, formulation, and execution as an ongoing process. Internal audit can help by: </p><ul><li>Analyzing the current environment and identifying new risks, opportunities, and metrics. </li><li>Facilitating meaningful collaboration with management and stakeholders and learning during strategy formulation. </li><li>Providing tools and support as needed for management to execute the strategy successfully.</li></ul><p><br>This assistance not only can help the organization build responsiveness, it can demonstrate internal audit’s value as a trusted advisor to management, the board, and other stakeholders. In this role, internal audit must show adequate capabilities and always demonstrate integrity, competence, and due professional care. </p><p>To assess some of the challenges the organization faces in being responsive, internal auditors should consider these questions as they relate to business operations: </p><ul><li>What are the challenges encountered by the business operations supported by internal audit?</li><li>What are some of the problems internal audit is helping management solve?</li><li>Do these problems impact strategy or address critical challenges faced by management?</li><li>What is the best way for internal audit to help management resolve problems and prevent reoccurrence while maintaining the function’s independence and objectivity?</li><li>What additional skills will internal audit need to plan and execute audits and reviews that matter to management?  </li></ul><p><br>In planning and executing risk-focused audits, internal auditors gain visibility of potential threats and fraud, critical risks — including emerging and rapidly evolving risks — and unmitigated findings that may impact the organization’s ability to achieve strategic objectives. If ignored because of a lack of responsiveness, the organization may struggle to respond to catastrophic events. Unresolved findings can result in embarrassing publicity, fines, and severe reputational damage. </p><p>Escalating significant issues to executives, the board, and appropriate committees timely is essential for responsiveness. Internal audit cannot wait to complete an assessment and issue a final audit report involving sensitive topics such as fraud, regulatory violations, and the inability to identify emerging threats and evolving risks. It must provide information and actionable insights that management and the board can use to make appropriate real-time decisions. </p><p>Using the IAVC as a guide, the CAE needs to develop and implement a simple, adaptable, and scalable framework to monitor and evaluate the progress of organizational goals, including six components:</p><ul><li><em>Strategic alignment.</em> Internal audit must provide insights based on an understanding of the enterprise strategy and challenges that stand in the way of achieving objectives. This includes making timely changes to adjust to the dynamic environment.</li><li><em>Risk assessment.</em> Internal audit needs to leverage its experience and lessons learned from performing reviews linked to core risks that impact the achievement of goals.</li><li><em>Operational efficiencies.</em> Internal audit should promote organizational improvement and optimizing technology.</li><li><em>Quality and compliance.</em> Internal audit should help management across business operations and locations meet and exceed product and service quality consistently.</li><li><em>Financial management.</em> Internal audit should help improve financial management and governance and continuously embrace change.</li><li><em>Responsiveness.</em> Internal audit must connect all the IAVC components and support management in responding and adapting to create, capture, and sustain value. </li></ul><p><br>Ultimately, each organization will have different priorities, and internal audit must continuously evaluate and update its framework to align with the organization’s strategic goals and mission objectives. </p><h3>Audit Steps for Improvement</h3><p>There are eight steps internal audit teams can apply, in collaboration with stakeholders, to improve the organization’s ability to anticipate, respond to, and adapt to changing business conditions and mitigate business risks.<br></p><p><strong>1. Staff Flexibly With Subject Matter Experts</strong> Demonstrating adequate internal audit capabilities to management comes down to consistently solving problems and helping to mitigate risks that management considers important. By assigning auditors with the right blend of functional and technical skills — along with industry and consulting experience — to perform reviews that matter, internal audit can quickly earn management’s trust. </p><p>A combination of in-house staff members working alongside external subject matter experts can enable internal audit and management to promptly speak a common language and transition to providing value-added activities during reviews. Additionally, these experts can probe beyond the obvious issues to uncover the problems management might not be aware of. The right cosourcing arrangements can: </p><ul><li>Provide expertise to help management solve fundamental problems quickly. </li><li>Enable learning and knowledge transfer as internal auditors develop and apply new skills to help management sustain the organization’s performance.</li><li>Increase comfort levels and limit inappropriate pressures from management on audit planning and findings, as well as resistance to accepting recommendations and implementing corrective actions.</li></ul><p><br>Using experts to solve the right problems creates positive outcomes for internal audit, the board, and management without a substantial personnel investment. As a result, the CAE can address the root causes of significant problems quickly and provide solutions that can enable management to succeed, respond, and adapt to changing conditions.<br></p><p><strong>2. Track Remediation of Findings and Resolution of Issues and Complaints</strong> An organization cannot be responsive and adapt to changing internal and external constraints if it does not identify and mitigate emerging and evolving risks. The organization’s responsiveness is impacted when management ignores audit findings — including fraud red flags. To be responsive, internal audit needs a method to track the timely and appropriate remediation of all audits and findings by management, including independent validation of critical corrective action plans. <br></p><p><strong>3. Escalate Issues to the Board and Committees Timely</strong> Delays encountered from remediation of findings associated with significant risks or fraud must be escalated to the board timely. Internal audit can enhance responsiveness by remaining objective and free from undue influence.</p><p><strong>4. Assess Corporate Culture and Leadership Tone</strong> Internal audit should evaluate the current corporate culture, tone at the top, and effectiveness of the whistleblower and ethics programs. </p><ul><li>Does the corporate culture encourage employees and stakeholders to report fraud or violations without fear? </li><li>How has the organization addressed and resolved previous complaints?</li><li>What are the elements of culture impacting responsiveness and adaptability to evolving customer expectations, risks, and the business environment? </li></ul><p><strong><br>5. Evaluate the Effectiveness of the Crisis Management Strategy</strong> The ability to quickly evaluate the severity and impact of negative publicity and communicate the appropriate responses to the public (customers and regulators) is imperative. For example, companies such as Amazon responded quickly to the COVID-19 disruptions and succeeded at meeting and even exceeding customers’ expectations throughout the pandemic. </p><p>Information travels fast in the digital environment, and the public perceptions of initial responses often become a permanent reality that impacts the organization’s reputation. Internal audit should perform readiness reviews, including evaluations of previous crisis management incidents to validate that management not only fulfilled all promises communicated, but delivered more than it promised to regain public confidence. Did the crisis management campaigns reviewed achieve the intended effect? If not, what enhancements can internal audit recommend?<br></p><p><strong>6. Periodically Review Policies and Procedures for Alignment With Objectives</strong> Businesses create policies and procedures to guide how they perform routine tasks. Employees may perceive that management has documented and approved all formal policies and procedures, but this is not always the case.</p><p>Internal auditors can help management by routinely evaluating policies and procedures and ensuring they align with established goals, strategy, and the current business environment. Such reviews also can validate that policies and procedures are achieving the intended effect. How are corporate policies and procedures understood and applied across business functions and locations to help the organization respond and adapt? The validation steps can include clear messaging, understanding, adequate oversight, continuous monitoring, and appropriate execution.<br></p><p><strong>7. Minimize Turnover of Qualified Internal Auditors</strong> It can be difficult to replace internal auditors who have gained substantial knowledge from working closely with outside experts through cosourcing arrangements. Also, skilled auditors may leave the organization if they lack challenging assignments. Hiring and training replacement staff has opportunity costs for the audit function, including lost value creation and the inability to help management respond and adapt to changes. To retain staff, internal audit should reward excellent performance by giving auditors a varied workload of fulfilling, challenging, and high-profile reviews that impact strategy. <br></p><p><strong>8. Develop Appropriate Responsiveness Metrics</strong> Organizations cannot manage what they are not able to measure. There are a variety of relevant key performance indicators, key risk indicators, risk events, and other metrics for measuring the effectiveness of the organization’s responsiveness and adaptability. Internal audit should collaborate with the board and management to determine the appropriate metrics for the organization. </p><h3>Responsive Auditors</h3><p>In a time when responsiveness has never been so critical, organizations need an internal audit function that can help the board, management, and stakeholders solve pressing problems. That requires internal audit to change its business-as-usual skills and mindsets to gain stakeholders’ trust and communicate and collaborate with the board and management.</p><p>Continuous evolution is required for internal audit to function as management consultants when necessary by helping solve unique problems, support crisis management, and drive results. Auditors’ knowledge and solutions are what management needs to become responsive and adaptive in a time of constant change.  <br></p>Jonathan Ngah1
Managing Audit Programs in Highly Regulated Areas Audit Programs in Highly Regulated Areas<p>​Internal auditors are required to use their professional judgment when evaluating the effectiveness of an organization’s internal controls, corporate governance, and risk management practices. To do that efficiently, audit programs must be updated timely to ensure that departments are being held accountable not only to internal policies and procedures, but also to the outside regulatory world. Five key elements can help internal auditors ensure the completeness of the organization’s audit program around regulatory compliance. <br></p><p><strong>1. Identifying Information Sources</strong> </p><p>Internal audit needs to stay abreast of regulatory changes and determine how to address them. A good starting point is reviewing relevant documents and articles from The IIA, such as Nancy Haig’s February 2020 <em>Internal Auditor </em>article, “A Plan for Regulatory Change.” In addition, internal auditors should maintain open dialogue with their organization’s compliance department and regulatory agencies to discuss current and upcoming rules and regulations and their impact on business operations. Other departments may be responsible for identification and risk assessment processes. Internal auditors need to keep that in mind when deciding on what process works best for them. </p><p>Supervisory insights or quarterly updates are also released on regulatory agency websites. Take, for example, a change to the U.S. Consumer Financial Protection Bureau’s (CFPB’s) Regulation B, which implements the Equal Credit Opportunity Act (ECOA) of 1974. This regulation outlines lending acts and practices that are prohibited, permitted, or required by creditors when extending credit to borrowers. An amendment to ECOA became effective on Jan. 1, 2014, and a subsequent change was made effective Jan. 1, 2018, both of which are outlined on the CFPB website. These types of regulatory updates should be incorporated into the appropriate audit program to ensure sufficient coverage for risks that the organization may face. <br></p><p><strong>2. Determining Regulation Relevancy</strong> <br></p><p>Much of the process of identifying regulatory requirements involves understanding the organization, its overall goals and strategies, and the related business risks that may impact the achievement of objectives. Some organizations may identify regulatory guidance that applies to the industry but may not apply to it directly if the organization does not engage in certain transactions or business niches. As a result, the auditor may identify the regulation in a risk assessment and conclude testing is not applicable, stopping the change process. Including the regulation in a risk assessment provides the auditor and management reviewer the ability to show what was considered for testing and document any underlying reasoning.</p><p>A mandate in the Regulation B ECOA example requires that creditors provide a disclosure form to the applicant informing it of its right to receive a copy of all written appraisals within three days of application, unless the applicant waives the timing requirements. Auditors working in an institution with a large concentration in mortgage lending should make sure there are established procedures to comply with this regulation and test the effectiveness of those procedures. On the contrary, a commercial bank may not have to provide such a disclosure form to applicants, unless a portion of the commercial property or loan, itself, is secured by a one- to four-unit residential dwelling. Assuming the commercial bank has no such collateral in its loan portfolio, an auditor may identify the regulation and determine testing is not necessary.</p><p><strong>3. Initiating a Change Request</strong></p><p>When a regulatory update or change should be incorporated into the audit program, the auditor should discuss the proposed change with the chief audit executive (CAE). Feedback is solicited from the CAE to ensure proposed changes are not included in other programs to minimize duplication of efforts. Then, a formal change request memorandum should be submitted for approval.</p><p>To initiate a change, the auditor prepares a formal memorandum documenting the program step changes and the reason for the request. Then, the memorandum and attachments are electronically submitted to the CAE or designee for review and approval. </p><p>Formatting and content for change requests may vary by institution and management style, but incorporating these elements may be a good place to start:</p><ul><li>Requestor name.</li><li>Date requested.</li><li>Change description.</li><li>Change reason.</li><li>Proposed test procedures.</li><li>Decision (accept, reject, other).</li><li>Area for sign-off or electronic signature.<br></li></ul><p><strong><br>4. Approving Changes</strong></p><p>All changes to internal audit programs must go through an approval process after submission to ensure they meet the needs of internal and external stakeholders. After the change request is submitted, internal audit management may either approve, reject, or request additional information or clarification. If approved, the changes are made to the respective program and a copy of the changes are given to the internal audit team and the audit committee. If additional information is requested or the change is rejected, the requestor should be notified and corrections should be made until all parties agree with the changes.<br></p><p><strong>5. Implementing and Testing</strong></p><p>Once final approval is received and changes are implemented in the audit program, the internal auditor will verify the effectiveness of internal controls and processes to ensure that standards and regulations are met. The internal auditor may incorporate the new audit procedures during the fieldwork phase of the next audit, or perform ad-hoc testing to verify internal controls are working as intended. </p><p>The complexity and scope of the change management process will vary based on the organization’s size, regulatory oversight, and management practices. Nevertheless, organizations should ensure they are keeping up with regulatory changes and have a systematic approach in place for updating audit programs. The auditor in charge of keeping programs up to date should determine what works for the department and the businesses it supports, which is key to ensuring the organization passes its next regulatory review.</p><h3>Creating an Action Plan</h3><p>With the abundance of literature, white papers, and continuing education available online, there are no excuses for an incomplete audit program around regulatory change. Keeping in mind the responsibility to the organization and stakeholders, internal auditors should create an action plan that they can review on an ongoing basis. Doing so not only ensures programs stay current and that the audit team identifies issues before they become material findings, but it also will cement internal audit’s status as a key advisor to business stakeholders.  <br></p>Robert Kusant1
Meet The IIA's Next President and CEO: Anthony J. Pugliese The IIA's Next President and CEO: Anthony J. Pugliese<p>​The IIA's incoming president and CEO, Anthony J. Pugliese, says he recognizes he's taking the helm of The Institute at a critical point in the evolution of the internal audit profession — and he's more than ready for the challenge. </p><p>"I am honored to assume leadership at The IIA at such an exciting time for the profession," he says. "Internal auditors are among the world's most trusted business advisors, and The IIA will continue to build on its strong foundation of leading the profession through a time of great challenges — and even greater opportunities."</p><p>Pugliese was named successor to longtime IIA leader Richard F. Chambers after a four-month search supported by executive search firm Korn Ferry. He was selected from among a diverse field of more than 50 candidates globally.</p><p>Jenitha John, chair of The IIA's Global Board of Directors, says Pugliese will bring "a fresh approach and mindset" to The Institute. "Given all that he has accomplished so far in his career, to say nothing of his enthusiasm for the profession, we are excited about what's in store for The IIA," she says. </p><p>Pugliese will take over The IIA at a time when many significant challenges face the profession, from ethical issues related to new technologies; and environmental, social, and governance developments; to talent disruption; and new wrinkles to third-party relationships stemming from the COVID-19 pandemic.</p><p>"It can be daunting to keep up with the pace of change we are seeing in the profession just from a pure guidance, legal, and technical perspective, and we haven't yet embraced all of these changes," Pugliese says. "Our obligation is to ensure members have the strong working knowledge and skills they need, and to understand how we upskill a learned profession at a faster rate than we're used to."</p><p>Despite the daunting environment, Pugliese says he can't wait to get started and plans to hit the ground running on March 8, his first official day. "I intend to listen to a lot," he says. "I want to understand what everyone — from staff, members, and volunteer leadership in our organization — sees in terms of strengths, opportunities, and where we need to change." </p><p>Pugliese brings with him 31 years of association management and audit experience. His career began at Deloitte, where he ultimately became responsible for audit, IT, and accounting services for financial services clients. From there, he served in various roles at the American Institute of Certified Public Accountants (AICPA), including chief operating officer and executive vice president of Membership, Technology, and Learning through a joint venture with the Chartered Institute of Management Accountants to combine both public and management accounting. Pugliese currently serves as president and CEO at the California Society of Certified Public Accountants (CalCPA), where he is responsible for both the strategic development and day-to-day operations of the country's largest state-based CPA association. Five times <em>Accounting Today</em> highlighted him as one of the "100 Most Influential People in Accounting."</p><p>Pugliese's deep understanding of technology and its important role in the future of internal auditing was one aspect of his background that stood out to The IIA's Search Committee, according to John. </p><p>"At both Deloitte and my first few years at the AICPA, I was very focused on accounting, auditing, and technical issues facing our overall profession," he says, adding he was responsible for responding to technical accounting and auditing questions emanating from the firm's U.S. audit practice. Pugliese also has spearheaded a number of digital transformation initiatives during his career.</p><p>Also of particular interest to the Search Committee was Pugliese's unique global perspective and role as an industry leader on the international stage, and his passion for lifelong learning and the evolution of education.</p><p>"Until my time at CalCPA, everything across my career had an international focus," Pugliese explains. This global perspective was something that he missed and what initially drew him to The IIA. "I wanted to have that global view and perspective that I had in all my other roles," he says. "And with this role in particular, the idea of thinking about the entire world as a platform for growth is exciting. I want to expand the internal audit profession and grow The IIA, so we can be of even greater service to members." And Pugliese knows how to do it. At AICPA and CalCPA, he drove membership growth to their highest levels in the history of both organizations.</p><p>Pugliese says he wants to address diversity within internal auditing, as well. "We need to deepen our understanding of all parts of our pipeline of future CIAs — from those who entered the profession and became successful as well as those who entered and left — and understand why we have a diversity problem. Other 'learned professions' like physicians, engineers, and lawyers don't have the same issues. Why not? What are they doing right that we're not?"</p><p>Exploring new opportunities for mentoring the next generation is a personal passion of Pugliese's, and it is one he hopes to carry to The IIA. In his off time, he enjoys working to mentor college students and young professionals. "There's got to be something missing that is not giving people from a young age an accurate depiction of what we look like and the huge opportunity being a member of our profession brings," he explains. "We have to start early, at the high school and early college level, to ensure that stereotypes about the profession are addressed and the opportunities are put front and center."</p><p>To do so, Pugliese explains, means placing a greater emphasis on teaching; educating members; having high visibility and accessibility with members, staff, press, and government agencies; and presenting the general public with a perception of the profession that corrects long-established stereotypes and ensures continuing relevancy of the profession. "Internal audit should assume the mantle as the team you can't live without, especially in today's rapidly evolving business environment," he says.</p><p>Pugliese himself doesn't easily fit into such stereotypes. In his spare time, he is an avid reader and maintains a daily running routine, and enjoys being active outside with his family.</p><p>A native of Florida and graduate of the University of North Florida, Pugliese says he's excited to move with his family — husband Greg, son Jonathan, and twin daughters Brooke and Chloe — back to the state. Much of his extended family resides a short distance from The IIA's Lake Mary-based headquarters. "Being so close to family is an unexpected benefit." </p>Logan Wamsley0
The Internal Audit Game Internal Audit Game<p>​Having changed the way people work, digital technology is changing how they learn, as well. For internal auditors, the need to adapt is particularly important as their work has become more interconnected and process-oriented. Auditors must constantly improve through more tailored learning that enables them to choose their own learning path and speed.</p><p>That’s why some internal audit functions are getting serious about business games. While computer games have long been a fixture for consumers, recently developers have begun tailoring computer-based games for professional development in specific industries and professions. Game-based learning ranges from simple learning games to simulations.</p><p>These games transfer complex learning content into an easily consumable simulation model. Moreover, they can enable internal auditors to convert their existing theoretical knowledge into practical skills. They even provide some competition (see “The Swiss Audit Championship,” below).<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>The Swiss Audit Championship</strong><p><br>In October 2019, more than 100 auditors participated in the Swiss Audit Championship, hosted by IIA–Switzerland and the Audit Research Center | ARC Institute at the Technopark Zurich. During the live business game convention, auditors trained interactively with the guidance of the business game MARS.</p><p>Participants competed virtually as individual players or in groups of three. The goal of the game was to found a new civilization on Mars. To build their own colony, they had to answer competence questions and use their audit skills wisely. In the process, participants developed skills in strategic audit development, audit engagement management, interview techniques, report writing, and other areas. Auditors acquired new knowledge through challenges, in competition with other participants.</p><p>After the event, participants discussed their experiences and what they learned from the game. Their feedback included: <br></p><p><strong>What did you enjoy most about the Swiss Audit Championship event?</strong></p><ul><li>The ambiance during the event, the feeling of competition embedded in the game, as well as the team play fostered by the business game. </li><li>It was something new and therefore very exciting. Especially seeing my own rank after each turn in the serious business game, which motivated me to give my best. Learning in gaming format: the link between fun and learning. </li><li>The opportunity to meet and compete with peers using a fun and innovative learning approach. The event also provided useful insights about the impact of digital on the future of internal audit. <br><br></li></ul><p><strong>What did you think was the best effect of the game?</strong> </p><ul><li>Learning with fun. Sometimes it can be challenging to train after work. With such a tool, it is easier and distracting in a good way. The most difficult part is the question creation.</li><li>Time went by incredibly fast. Before you know it, you’ve learned something again. </li><li>Gamified training helps to increase your productivity and motivation by encouraging you to be goal-oriented and invested in the outcomes of the game.</li></ul><p><br></p><p><strong>What is your overall impression of the game-based training event?</strong></p><ul><li>I found the concept of game-based learning tailored to my profession really engaging, and I enj-oyed the experience.</li><li>The game was exciting! I’m convinced gamification is a good thing to learn. The technical briefing in advance is important to get ready to train. </li><li>It was an enjoyable experience, which I would recommend to existing team members as well as to new internal audit joiners — for example, as a team building exercise. The game brings freshness to the repetitive corporate e-learning format. <br></li></ul></td></tr></tbody></table><h3>Learning Games</h3><p>Computer-based educational games are based on the idea that a close connection between learning and digital game content can support knowledge and skill development. This is done by transferring playful learning processes to a virtual environment. In contrast to traditional (noncomputer-based) learning games, serious business games use motivational methods from digital entertainment media and the film industry. They encourage learning by establishing parasocial interactions and relationships between the training participant and the non-personal character in the game. How the learning environment is designed ultimately depends on factors such as the learning goal, needs, and motivation of the target group.</p><p>The learning benefit of business games is particularly high if the contexts learned in the simulated situation can be transferred and applied to the learner’s familiar environment. That is why the training or game experiences must be usable for the individual’s work reality. The learning situations experienced in business games are simplified representations of reality, although this gap may be reduced in future developments through the use of augmented reality technology (see “Action Competence Through Reflective Knowledge,” below right).</p><p>The categories of visibile learning objectives, content, and competencies that can be imparted, as well as the motivational effect, are used as distinguishing features of the individual types of business games. The prototypical characteristics of business games are clearly defined learning goals and a high degree of structuring of the learning content, which makes learning goals clearly visible to the user. The focus is on transferring knowledge (knowing that) and acquiring behavioral skills (knowing how), according to Brian Burke in <em>Gamify</em>.</p><p>Another priority in educational games is experiential learning through the player’s handling of learning objects in simulations. Business games offer the user the opportunity to acquire the content either independently or through cooperation or interaction within a learning and training community. This is accompanied by an intrinsic motivation to learn, since the participant is rewarded by the inherent dynamic or positive experience of the game. The strength of this form of learning is the possibility of providing audit staff with normative knowledge in the form of “knowing that,” such as the implementation of audit processes and methodologies. It also provides simulations in the form of “knowing how” for practical application.</p><h3>Enhancing Decision-making</h3><p>To make the right decisions in audit work, practitioners need experience they can only acquire to a limited extent through theoretical input. As a rule, this experience is gained through audit practice, by acting in everyday audit situations and gaining knowledge through correct or incorrect decisions. </p><p>Serious business games can create a risk-free space for auditors to try out various strategies for audit situations. For training participants, this happens without having to bear possible negative consequences professionally, and they receive direct feedback about their actions and decisions during the game. Thus, games contribute to improving the planning and decision-making behavior of individuals and groups.</p><p>For example, a business game can foster a high degree of interaction among participants, while the learning loops in such training are much more direct and shorter in duration. This enables participants to learn more in less time and optimize their performance.<br></p><p><img src="/2020/PublishingImages/Foerschler-action-competence-through-reflective-knowledge.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;" /></p><h3>Interconnected Knowledge<br></h3><p>In addition to decision-making, knowledge is a central productivity factor in today’s information society, especially in areas such as internal auditing. The nature of audit work underlines the necessity of lifelong learning. </p><p>The changes and risk characteristics of the objects to be audited mean that audit functions are continuously learning from today’s knowledge base and its scope. To keep up, auditors must constantly update their expert and methodological knowledge. </p><p>In addition, increases in staff turnover mean internal audit often loses the knowledge gained from audits when auditors leave the organization. Internal audit needs ways to transfer knowledge to new auditors and, if necessary, to adapt new employees’ soft skills to the needs of the organization or new business models.</p><p>Serious business games provide new ways for audit functions to develop lifelong learning of knowledge and soft skills. Moreover, during a game, participants can distribute existing knowledge and integrate new knowledge into the organization, audits, and audit processes. At the same time, these games can communicate “knowing how” to all audit staff members uniformly.</p><p>Games can be used in different ways to build knowledge:</p><ul><li>Individual employee training.</li><li>Blended learning, in advance of a training event.</li><li>Integrated with on-site training by alternating methodological input with live training in the game’s simulations. Participants can discuss individual scenes in the game, allowing for direct learning.</li><li>Live business game conventions and competitions.</li><li>Specially designed business games for individual needs.</li></ul><p><br>For example, in the serious business game CRYPTO, participants learn the IT security aspects of defending against social engineering risks. The gamified training combines puzzles, point-and-click exploration elements, and an interesting narrative adventure. </p><p>The story line takes place in a biotechnology research company in London. Participants become Alex Lee, a security analyst and private detective tasked with infiltrating the company and identifying the most important security gaps. Over the course of the game, Alex must interact with the company’s unique and diverse employees. In the process, participants find, analyze, and try to exploit common security mistakes, which cyber criminals could use to access and steal confidential information. </p><h3>Training Internal Audit’s Next Generation </h3><p>The generation now entering the workforce has been moving in the digital world since childhood. Their use of web technologies is correspondingly natural and intuitive. For these digital natives, new forms of language, expression, and communication are necessary, as well as new, interconnected structures of learning and thinking (see “5 Tips for Developing Self-guided Learning,” below). It is precisely this kind of thinking that the simulations of business games promote.</p><p>In this context, organizations must develop forms that fit this new learning culture in a multimedia environment. This is a challenge that organizations, and internal audit departments in particular, must face. </p><p>Serious business games can be a successful solution, alongside other virtual learning formats, to provide employees with adequate training and further education, as well as to transfer knowledge from current employees to new hires. In facilitating such learning, modern, game-based training can support internal auditors in driving value in their organizations.   <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>​5 Tips for Developing Self-guided Learning</strong><p>Learning through serious business games can be an effective example of self-guided learning for internal auditors. To get the most out of training, internal audit functions should:<br></p><ol><li><strong>Set individual competency goals.</strong> Set objectives for employees and managers oriented to the strategic requirements of the internal audit department, on the basis of regular competency measurements.<br></li><li><strong>Enable a culture of self-organized learning.</strong> Initiate processes to change the learning culture and establish learning environments with a set of innovative learning and communication tools, which promote individual and organizational learning.</li><li><strong>Independently plan and manage learning processes.</strong> Design individual learning processes on the basis of appropriate feedback, which may include planning instruments developed by the human resources department.</li><li><strong>Enable self-organized knowledge-building and qualification. </strong>Facilitate formal learning with virtual learning formats that take place on demand by the learners and use open educational resources.</li><li><strong>Integrate competence development.</strong> Use the social learning form to promote active dialogue among employees through motivational elements during the learning process.</li></ol><br></td></tr></tbody></table><p></p>Dominik Foerschler1
What's Our Job?'s Our Job?<p>​When I entered the internal audit profession, my manager taught me a foundational principle that stuck with me for 30-plus years. She said, “As audit manager I have one job — keep the regional manager out of trouble.” Over time I changed the titles to match my various situations, and it has morphed into an important truism: Internal audit’s No. 1 job is to keep the organization’s leaders out of trouble.</p><p>Through the years, many people have disagreed with me about this simple statement. (In fact, I’ll bet more than a couple of you rankled upon reading it.) Those disagreements seem to fall into three camps.</p><p>The first is the most common and comes from internal auditors who fall back on basic internal audit principles, arguing that our job is to help ensure risks are identified, controls effectively mitigate those risks, and objectives are achieved. No doubt these principles are key to our success. However, isn’t this just a long-winded way of saying that we help keep everyone out of trouble? And when we not only identify potential risks but also potential opportunities, aren’t we helping leaders stay out of trouble by enhancing their ability to succeed?</p><p>The second argument originates from leadership and represents a shortsighted view of what we can do. As an example, the chief claims officer at an organization where I previously worked asked members of the audit function what we thought he wanted from internal audit. I raised his hackles by responding that our job was to keep him out of trouble — he vehemently disagreed.</p><p>He then said something many of us have heard from other executives: “I want you to tell me something I don’t know.” I wanted to respond, “If you don’t know something and I tell you about it, isn’t that helping you keep out of trouble?” However, retirement was still several years away, so I kept quiet. But to limit expectations to “something I don’t know” is to pigeonhole internal audit as no more than another source of information, not a partner in the business.</p><p>The third argument can be generally expressed in the question, “What if leadership deserves to get in trouble?” When leaders are no longer acting in the best interests of the organization, and are involved in unethical behaviors such as fraud, falsifications, discrimination, or even lying and bullying — when leaders are driven by self-interest over the organization’s needs — then they deserve all the trouble that follows. But when leaders fail the organization, we have a responsibility to ensure organizational structures around controls, governance, and ethics are strengthened, helping keep everyone else out of trouble.</p><p>We have a litany of responsibilities that ensure we are successfully accomplishing our missions, visions, and objectives. But they should all work together to achieve one thing — keep everyone out of trouble. When our work keeps everyone safe, that is a value that can’t be matched. <br></p>Mike Jacka1
Pain-free Auditing Auditing<p><img src="/2020/PublishingImages/pain-free-auditing_445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />​"We need to do a biopsy."</p><p>That's what my doctor told me during a recent office examination. What started as a routine specialist visit quickly turned into two of the scariest weeks of my life — and one of the most unpleasant medical experiences I've ever had. </p><p>In retrospect, I realize there are many ways my doctor could have made those weeks less torturous. Simple planning and communication steps would have gone a long way toward easing the stress and anxiety before, during, and after the procedure. </p><p>It also occurred to me that, in some ways, this experience parallels the process our clients undergo during an audit — and that many of the same improvement measures could be applied. Unfortunately I didn't get to write my doctor an audit report, but I have used my reflections to identify a few ways auditors can improve the client experience and provide more relevant, timely feedback. </p><h2>1. Involve Clients in the Planning Process</h2><p>My doctor never told me <em>why </em>I needed the biopsy or the other invasive procedures he performed — or what he expected to find. I was uninformed about the procedure and resorted to frantically searching the internet the night before (which I don't recommend before any invasive medical tests).</p><p>It's easy to make this same mistake with audit clients. We may perform what to us is a routine audit procedure without explaining why we are performing it, what we are looking for, and what to expect. Neglecting to provide this information can hinder the audit process before it's begun by putting clients on edge.  </p><h2>2. Provide Pain Relief</h2><p>I would rate my biopsy a 9 out of 10 on the pain scale — if 1 is a paper cut and 10 is the worst pain imaginable. My doctor chose not to use any anesthesia or numbing agent and instead handed me a grape lollipop to "distract me" from the excruciating pain. Once I stopped fuming, I began to wonder if I've ever figuratively handed an audit client a lollipop, assuring him or her that "we're here to help" without taking into account the disruption an audit brings.</p><p>The first step to providing clients pain relief is understanding the impact our presence has on their daily operations. During planning meetings, auditors can discuss ways to minimize any negative impacts — whether that's avoiding scheduling meetings during their busiest times, using a tool to pull our own samples and reports, or providing clear expectations and communication throughout the audit.  We should always be asking, "How can I make this audit less painful for my clients without compromising the value it provides?"     </p><h2>3. Be Honest</h2><p>When I asked how long the procedure would last, my doctor chuckled and dismissively replied, "Three to five seconds." After three minutes of the worst pain ever inflicted on me, I was in shock.  Someone I trusted with my health had lied to me.  </p><p>As auditors, we lose all credibility if honesty and transparency are not among our core values. Even when it's uncomfortable, such as sharing adverse or sensitive audit findings, we must communicate honestly and openly with clients to earn their trust.</p><h2>4. Furnish Timely Results</h2><p>"We'll call you within a week either way to give you the results," the doctor assured me. So I anxiously waited, taking my phone with me everywhere I went to make sure I didn't miss the call. But that call never came, and I feared the worst. When I couldn't wait any longer and called the office, I was told my results couldn't be disclosed by phone. </p><p>I found out nearly two weeks later at an appointment that I was cancer-free. I'd spent needless days fearing the worst due to the doctor's failure to communicate timely.  </p><p>At the beginning of every audit, I tell my clients they'll receive feedback from me throughout the audit, and I notify them immediately if I find anything significant. I've realized that providing great service throughout the engagement includes a continuous feedback cycle — whether that means frequent meetings with the department head or regularly sharing positive feedback (instead of communicating only when an issue arises). </p><h2>5. Solicit Feedback</h2><p>Although my experience was needlessly painful, my doctor probably had no idea he was causing harm or doing anything wrong. And because there is no patient feedback loop in place at his practice, it's unlikely he'll improve.    </p><p>It can be uncomfortable for auditors to request feedback from audit clients. We fear they may use the feedback cycle as a weapon to seek retribution for critical audit findings. But the alternative is worse. If we aren't actively seeking feedback, we may fail to improve, and our value will decline.  </p><h2>Do No Harm<br></h2><p>The next time I start an engagement, I hope I'm a better auditor thanks to the lessons learned from my procedure. I certainly intend to focus more attention on the client's experience, knowing that the audit will be more effective and add more value as a result. Perhaps I can't eliminate the inconvenience or discomfort of an audit, but I can help make the engagement less disruptive and stressful by endeavoring to be a pain-free auditor. <br></p>Jami Shine1
Update: Automation's Workforce Impact Automation's Workforce Impact<p>​Analysts have long foreseen the potential for vast worker displacement as the number of jobs rendered obsolete by automation outpaces the number of jobs created. As the COVID-19 pandemic continues, however, this trend has accelerated — and the workforce may not be entirely prepared for the transition. </p><p>According to a report by the World Economic Forum (WEF), technological changes initiated as a result of the pandemic could displace as many as 85 million jobs globally in the next five years. “Automation, in tandem with the COVID-19 recession, is creating a ‘double-disruption’ scenario for workers,” the report says. “In addition to the current disruption from the pandemic-induced lockdowns and economic contraction, technological adoption by companies will transform tasks, jobs, and skills by 2025.” </p><p>Of particular concern is not just the volume of jobs affected, but also the type, further deepening inequalities that already existed. For example, the pandemic has been particularly rough on the travel, tourism, and hospitality industries, which tend to have younger, lower wage workers who are disproportionally female compared to most of the workforce. Without an increased urgency to expand social protections — including support for retraining — the WEF warns, income inequality could increase significantly and put as many as 115 million people into extreme poverty within a year. </p><p>Not all is gloom and doom. Automation is expected to add as many as 97 million new jobs to the workforce. Moreover, a global survey of 800 executives by McKinsey & Co. finds that 68% of businesses expect to hire more technology and automation professionals. However, without organizational commitment to retraining an evolving workforce, those most in need of a new role will not be able to take advantage. — <strong>L. Wamsley</strong></p><h2>Mapping the Skills Path</h2><h3>The IIA updates the Internal Audit Competency Framework. </h3><p>A new update to The IIA’s Internal Audit Competency Framework may provide direction for auditors looking for paths to advancement. The framework is a visual tool to help practitioners build skills and knowledge at any stage of their career. </p><p>The framework is broken into four competency areas — professionalism, performance, environment, and leadership and communication — which are further divided into knowledge areas, such as organizational objectivity and fraud. Internal auditors can assess their abilities in these areas at three levels of competency: general awareness, applied knowledge, and expert.</p><p>The framework’s flexibility can help internal auditors identify their unique strengths and weaknesses, says Lisa Hirtzinger, The IIA’s senior vice president of training and development. “It’s here to help you assess where you are, figure out where you want to be, and then map that gap,” she says. “It’s meant to be your tool to help you grow in the profession.”</p><p>Based on the <em>International Standards for the Professional Practice of Internal Auditing</em> and key proficiencies, the framework can be used by individuals, teams, or up-and-coming auditors looking to take the Certified Internal Auditor exam. The knowledge areas also are linked to many of The IIA’s educational resources. —<strong> C. Janesko<br></strong></p><h2>Racial Equity and Justice</h2><h3>CEOs advocate actions while boards lag.</h3><p>Business Roundtable has announced public policy recommendations and corporate initiatives to reduce the economic opportunity gap among Black and minority individuals in the U.S. by addressing employment, finance, education, health, housing, and the justice system. While some progress to curb racial inequities has been made, gaps in economic opportunity have grown, according to the association, which comprises more than 200 CEOs of the largest U.S. companies. </p><p>For instance, in 2019, white family wealth in the U.S. was eight times that of a typical Black family and five times that of a typical Hispanic family. Such inequities are compounded across generations, according to Business Roundtable. Last year, the organization redefined its Statement on the Purpose of a Corporation to include benefiting all stakeholders, not just shareholders.</p><p>“It will take broad cooperation of leaders from every sector of society working together to create a force sufficient enough to bring about the necessary change,” wrote Business Roundtable Chairman Doug McMillon, president and CEO of Walmart, in USA Today. In June, he established a special committee of Business Roundtable’s board to collaborate with experts on how businesses could drive systemic change.</p><p>According to PwC’s 2020 Annual Corporate Directors Survey, U.S. boards have yet to put teeth behind such initiatives. Only 39% of the directors surveyed support including diversity and inclusion goals in company pay plans, and only 34% of directors rate racial diversity on their board as very important. PwC says boards should “take action to help dismantle racism and injustice” by requiring standardized reporting on diversity and inclusion efforts, tying program targets to executive pay, and committing to diversity on the board (for more on this topic, see <a href="/2020/Pages/Racism-Diversity-and-Governance-Finding-a-Better-Approach.aspx" data-feathr-click-track="true">“Board Perspectives”</a>). — <strong>L. Nelson<br></strong></p><h2>Forecast for a Changed World</h2><h3>COVID-19’s impacts will extend to 2021 and beyond the pandemic, says David Wood, chair of London Futurist and principal of Delta Wisdom. </h3><p> <strong>What risks and opportunities can businesses expect in 2021? </strong></p><p>The centuries-long trend of increasing urbanization is likely to be stopped in its tracks. People’s willingness to commute into cities or town centers is being reduced, and more companies will find effective ways to manage their employees remotely. New companies and organizations that are “born distributed” — being designed from the beginning to operate without any shared central offices, and with all staff hired with distributed working in mind — may have advantages over older, less distributed competitors.</p><p>A second pandemic is arising in the wake of COVID-19: poor mental health. Huge stress is being induced by lockdowns, threats of business failure or personal bankruptcy, changed family circumstances, and the prospects of short- or long-term health problems from the virus. Companies that prioritize emotional well-being can stand out from the crowd in new ways.</p><p> <span><span><strong>What are the biggest factors for internal auditors to consider <strong>considering going into next year as they assess risks and advise their organizations</strong> ?</strong></span></span><br></p><p>The problems caused by the biological infection of COVID-19 should remind us of the risks of other kinds of viral infection: surreptitious distribution of dangerous software, such as ransomware and spyware, and the circulation of cleverly constructed fake messages that are personally targeted at the foibles and biases of individual employees.</p><p>Unexpected restrictions on movement have also highlighted the importance of designing supply chains with resilience as well as efficiency — with agility as well as regularity. "Just-in-time" systems should now be viewed more skeptically than before.</p><table class="ms-rteTable-default" width="100%" cellspacing="0" style="height:324px;"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​4<strong>6% of households across the U.S. report facing serious financial problems during the COVID-19 pandemic,</strong> including difficulty paying credit card bills, loans and other debt, and mortgage or rent.</p><p> <strong>31% of U.S. households surveyed say they have used up all or most of their savings.</strong></p><p>“The survey’s implications could mean everything from a bigger drag on the economy to the nation’s mental health outlook,” noted NPR Business Desk correspondent Yuki Noguchi. </p><p>Source: NPR, The Robert Wood Johnson Foundation, and Harvard T.H. Chan School of Public Health,  The Impact of Coronavirus on Households Across America</p></td></tr></tbody></table><p> <strong>What will business be like after the pandemic and what risks might that raise?</strong></p><p>The COVID-19 experience has made such an impact on the public conversation that there is little prospect of reverting to business as before." It has become widely accepted that many of the most important professions have been inadequately compensated: health workers, cleaners, delivery personnel, janitors, and school teachers. Society has given too much attention to flashy innovation-speak and too little attention to the vital tasks of maintenance, prevention, and infrastructure.</p><p>With many businesses embracing automation more forcefully — to limit the need for employees to work together in close proximity — the specter will accelerate of technological unemployment (and its cousin, technological underemployment). Unless society switches away from an infatuation with gross domestic product and "employment rate," the risk will increase of greater inequality and alienation. Attention is overdue to the design of an updated social contract suited to the changed needs of the 2020s. </p><h2>The Poor State of Enforcement</h2><h3>Few countries actively enforce anti-bribery laws, report says.</h3><p>Only four countries — Israel, Switzerland, the U.K., and the U.S. — actively enforce the Organisation for Economic Co-operation and Development’s Anti-Bribery Convention, according to Transparency International’s latest report, Exporting Corruption. For the report, Transparency International, a global anti-corruption nonprofit, reviewed the actions of 46 countries and Hong Kong that together represent 83% of global exports. </p><p>The report finds Hong Kong and 33 countries — which account for nearly half of all global exports — have limited or no enforcement of anti-bribery laws. Those countries include major exporters such as China, Japan, South Korea, and the Netherlands. Nine countries — seven in Europe in addition to Australia and Brazil — moderately enforce laws against foreign bribery. </p><p>Transparency International says the U.S. remains a leader in launching international investigations and prosecuting offenders under the Foreign Corrupt Practices Act. In addition, international cooperation against foreign bribery is increasing. — <strong>G. Nordhoff</strong><br></p>Staff1
Editor's Note: Farewell to a Crazy Year's Note: Farewell to a Crazy Year<p>​As I sit down to write my final “Editor’s Note” of the year, a new president has just been elected in the United States. The tension in the air is palpable. It’s the perfect ending to a year like no other. </p><p>From politics, to the unimaginable impact of COVID-19 on both our health and businesses, to social justice issues, people in the U.S. — and around the world — are struggling to … let’s just say it, maintain our sanity. Beyond coping with the massive changes in our personal lives, from serious illness, to home schooling, to working from home, those lucky enough to have kept their jobs are challenged with adding value despite epic disruptions. </p><p>Internal auditors have worked throughout 2020 to keep their functions operational and help their organizations conquer challenges that are beyond the scope of most business continuity plans. In <a href="/2020/Pages/Perseverance-in-a-Pandemic.aspx" data-feathr-click-track="true">“Perseverance in a Pandemic,”</a> author Russell Jackson takes an in-depth look at how several audit functions are adding value to their organizations in unprecedented times. Agility and communication have been key. </p><p>Take for example Nora Kilani, assistant manager, Group Internal Audit, at Trust Holdings in Amman, Jordan, who says, “The moment traveling was no longer an option was the exact moment we had to be resilient enough not only to question how we do things, but also to take one step back and re-evaluate what we’re doing, what we’re focusing on, and how relevant it is to the current crisis.” </p><p>Not surprisingly, business continuity is one of the key risks identified in the 2021 IIA OnRisk report (see <a href="/2020/Pages/Perspectives-OnRisk.aspx" data-feathr-click-track="true">“Perspectives OnRisk”</a>). Only 55% of the board member, executive, and chief audit executive respondents say they are highly confident in their organization’s capabilities to handle the risk. The report considers 10 additional risks facing organizations in 2021, including economic and political volatility and culture.</p><p>As protestors continue to fill the streets and social media in support of social justice, organizations are grappling with how to support true equity and inclusion. It’s easy for boards to pay attention to the diversity and inclusion issue now, but will they sustain that focus? In this issue’s <a href="/2020/Pages/Racism-Diversity-and-Governance-Finding-a-Better-Approach.aspx" data-feathr-click-track="true">“Board Perspectives,”</a> author Matt Kelly considers the longer-term challenges for diversity and the role board directors play. </p><p>So, as I complete this note, I bid a not-so-fond farewell to a challenging and difficult (those words don’t seem adequate) 2020 and welcome with open arms the possibility of a better 2021. Hopefully, we will have learned from the tough lessons of 2020 and will be better prepared to adjust to whatever the “new normal” brings.</p>Anne Millage0
Perseverance in a Pandemic in a Pandemic<p>​COVID-19 has already had an incalculable impact on organizations worldwide — and at press time, the expected second wave appears to be gathering steam. The extraordinary upheaval wrought by the virus is making mere survival an uphill battle for many businesses, and in turn their internal audit functions. At the same time, the never-before-encountered challenges are creating some opportunities for practitioners to demonstrate their resilience and their creativity.</p><p>In New York City — hit hard and still standing — the New York City Economic Development Corp.'s (EDC's) internal audit department shifted its existing plan and started doing projects for the organization that weren't on the original schedule, notes Jennie Wallace, the organization's chief audit executive (CAE). The EDC formed a committee to assess the need for rent relief, for example, and internal audit was asked to help review the process around accomplishing it. That kind of impromptu help resulted in a changed relationship with leadership, Wallace points out, which welcomed internal audit's assistance — not always the case in the past. </p><p>In many organizations, auditors have similarly taken on an array of critical responsibilities in the face of the viral crisis. And their knowledge of what needs to be done to keep the enterprise operational has raised their profile. Indeed, Wallace isn't the only audit executive who notes enhanced relationships with stakeholders, updated response plans, and improved internal audit processes — all accomplished while working from home.</p><h2>Stakeholder Ties Pay Long-term Dividends</h2><p>Jeff Hall, director, professional practices, at Principal Financial Group in Des Moines, Iowa, headed internal audit's initial response to COVID-19. Since that time, he says, he's noticed an added luster about the team's image. "During a crisis, there are opportunities to further solidify our role in the organization," he comments. "And our brand improved as a result." Internal audit kept staffers fully engaged, he adds, but opened the door to new relationships with long-term potential. </p><p>The company's skill at navigating the crisis enabled the audit department's success by providing two critical elements, Hall stresses: "the right people making the right decisions and good communications from the corporate response team." In particular, he notes, the internal audit team relied on its strong connection with the enterprise's chief risk officer. Facilitated communications, he emphasizes, enabled timely decision-making. </p><p>"We started working from home right away, in mid-March," Hall says. The internal audit team immediately took a leadership role, stepping back to quickly assess whether audits in progress could continue or new ones could start. Almost 90% of "in-flight" audits could continue as planned; 20 or so were postponed until later in the year, and about 10 were rescheduled to begin earlier. </p><p>Importantly, Hall adds, company directors contacted all business unit leadership teams within the first two weeks after remote working began. They explained why "full-court audit" would have to wait, he says, but that practitioners could help in several areas and wanted to be as available as possible.</p><p>"That was well-received," he notes. Ultimately, the department fielded 18 different requests, totaling 1,200 hours of work over a 12-week period. </p><p>Internal auditors also worked with risk officers for each business to inventory all the system and process changes — mostly temporary — mandated by regulations in the wake of the pandemic's financial burden; each risk officer maintained a customizable template. Regulations demanded that Principal waive withdrawal fees in some cases, for example, and that it raise loan ceilings for 401(k) participants; the audit team also helped evaluate and validate the impact of those changes on risk status. Internal auditors were tasked with "identifying the highest-risk changes and making sure each change actually occurred and that it stopped at the right time," he adds, noting that regulators and key customers will likely inquire about that, too. </p><p>The organization had a road map for responding, though it was admittedly not based on practical knowledge. "We have a response plan that includes a pandemic," he says, noting that all pandemic response plans were developed by people who had never actually experienced one. "There's a look-back occurring," he adds. But he points out, too, that road map or no road map, the whole company managed to morph to 100% work-from-home in just a week.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​This Is the New Internal Audit</strong></p><p>The COVID-19 pandemic is drawing a line between internal audit then and internal audit now. Many departments have gotten “a wake-up call as to their value in the organization,” explains Robert Berry, former executive director of internal audit at the University of South Alabama and now president at consulting firm That Audit Guy. Those that did not hear from executive management asking them to be a part of the crisis recovery team should be concerned, he says, because “it shows that their value in the organization is not where they really want it to be.”</p><p>Berry cites the case of one company’s “let’s wing it” approach to employees working from home. “Essentially, employees were taking computers from the office home,” he says. That should have been an issue raised with management by the internal audit department, he stresses — but no one called internal audit, and audit team members who spoke up about it were ignored. By contrast, another company’s CEO “actually put internal audit on the crisis management team to help deal with the situation,” he says. </p><p>Internal audit’s higher future profile will be accompanied by doing things differently, agrees Jennie Wallace, chief audit executive (CAE) at the New York City Economic Development Corp. “This is the new internal audit,” she says, noting that practitioners are collaborative members of the organization and that CAEs are going to emphasize building relationships more than ever. “There’s so much internal audit can do that people hadn’t thought of,” she stresses. </p><p>Internal audit will brainstorm at the start more often, Wallace says, and not simply come in after the fact to identify gaps. She explains: “I say to management all the time, ’I want to give you the answers to the test before the test.’”</p><p>Berry agrees that “auditors will need to take on tasks that they should have been completing all along.” And they’ll need to get accustomed to working with new colleagues — some of them fellow employees, some not — in new ways on those new tasks, he says. “The pandemic has shown us that you can work with someone in a different location and still be productive.”<br></p></td></tr></tbody></table><h2>The Best-laid Plans</h2><p>Jade Lee, director of Internal Audit and Enterprise Risk Management at AltaLink in Calgary, Alberta, also had a companywide pandemic response plan available when COVID-19 struck — but it didn't anticipate the severity of the virus' impact, and it didn't cover internal audit processes at all. "As a result," she says, "adaptability and flexibility are key."</p><p>As an example, Lee says that although transitioning her team to remote work proved challenging, it quickly became the norm. Then internal audit had to pivot once again upon returning to the office. "However, after being back, it's again interesting how normal it felt immediately," she says. </p><p>AltaLink transitioned to a work-from-home environment on March 16, but as an electrical transmission company, key operations must continue. The company restricted access to the office to essential workers, Lee reports, including field personnel working in cell structures. She was temporarily seconded to the integrated Emergency Response Plan (iERP) team as the representative for the entire Finance division. "In that role I had visibility into the iERP team's planning and operations during the height of the lockdown," she says, "and I was responsible for communicating all essential information to the rest of Finance leadership."</p><p>During the first two months of working from home, Lee put some internal audit items on hold — such as closing projects or starting new ones — to prioritize business operations and avoid interrupting essential work. "I knew that every department was adjusting to the transition," she notes, "and with operations as an essential service, I did not want internal audit to be an additional burden to existing workloads." The team spent the time working on open audit projects, rationalizing internal controls, and working with control owners on electronic evidence. </p><p>Lee adds that she and her team shifted back to more normal audit operations after about two months, resuming their work on the audit plan at that time. Still in a 50% work-from-home/in-office rotation, though, she faces the challenge of managing a half-remote, half-in-person team: Most meetings with the businesses are still held via teleconference due to meeting restrictions, for example. But most of internal control evidence is now electronic, Lee adds, and "many processes are more automated than they used to be." And while the audit plan has fallen behind schedule due to pandemic-related disruptions, Lee receives support from her audit committee, to whom she recently presented an update that defers some projects to 2021. </p><h2>Calendars Revised, Agility Tested</h2><p>The EDC's Wallace is also looking at an altered 2021 audit plan. Her team was actively involved in the organization's pandemic response efforts, offering leadership guidance on what they thought executives needed to do — resulting in several new programs and processes developed by management. "When we look again," she adds, "we'll see how they did with it."</p><p>The EDC's involvement in the city's response to the pandemic, Wallace explains, was significant. Its efforts included:</p><p></p><ul><li>Activating multiple sites across the considerable real estate the EDC manages and maintains to make space for hospital beds and for temporary housing for first responders. </li><li>Creating a partnership of researchers, innovators, and the medical and public health communities to develop a bridge ventilator in less than a month; the device replaces manually operated bag valve masks as patients go on and off traditional ventilators.</li><li>Organizing the efforts of 70 local business partners to manufacture shields and gowns. </li><li>Creating a new supply chain, totally local, for COVID-19 tests. </li></ul><p><br></p><p>"We will be looking at some of those things," Wallace says, noting that two of the projects are already on the audit plan. She also reports adopting an Agile-like methodology to identify large streams of departmental work. "Within those larger audits are subprocesses," she explains. "The areas I chose from the annual risk assessment for Agile auditing include some of the COVID projects we did." </p><p>The assistance continues, Wallace adds, even as the second wave starts to make noise. "We've finished some of the projects, and some are still going on," she reports. The construction audit team, for example, is working on several ad hoc projects. And that's how Wallace hopes it stays. "Internal audit was not where it needed to be," she explains. "I'm trying to create a best-in-class function, and I'm hoping the things I've built will get better and better, and more finely tuned."</p><h2>Reprioritization and Resilience </h2><p>Nora Kelani, assistant manager, Group Internal Audit, at Trust Holdings in Amman, Jordan, has expanded her role during the pandemic, too. A key part of her job had been business trips for meetings with board members, audit teams, and executive management. "The moment traveling was no longer an option," she says, "was the exact moment we had to be resilient enough not only to question how we do things, but to take one step back and re-evaluate what we're doing, what we're focusing on, and how relevant it is to the current crisis."</p><p>Job one was stepping out of her traditional audit role and supporting the enterprise's crisis management efforts, Kelani reports. She focused on the organization's immediate needs, she explains — even though that was neither addressed in her internal audit education and training nor detailed in the guidance provided by industry organizations. Indeed, she emphasizes the challenge of wearing numerous hats: supporting the business during the crisis, while also trying to maintain objectivity and independence.</p><p>No profession will be the same after the pandemic, including internal auditing, she emphasizes. "We learned that digitization is no longer optional," she says, "that resilience is a must, and that trapping ourselves in the box of 'We're auditors; we can't be part of that' cannot work." And, she adds, "we learned that as long as the right disclosures are made to the right people, an internal auditor can take a part in steering the business ship when needed, instead of helplessly watching it sink to be able to report about it 'objectively' later."</p><p>Keeping communications flowing smoothly and efficiently is key to success in this era, Kelani stresses, despite the inability to meet with clients or stakeholders in person and the chaos that comes with any disruption of such magnitude. That's true for everyone who works in a multinational corporation, she adds, and needs to efficiently communicate lots of information to numerous stakeholders at the same time. </p><h2>Expanded Staffing Options</h2><p>James Hansen, vice president of the Office of Risk Management (ORM) at Compassion International in Colorado Springs, Colo., says his organization is embracing remote work as a new normal. That includes emphasizing cloud-based peer-to-peer software platforms, he says, "while exploring the right balance of remote and virtual delivery solutions." It enables regional hiring, too, instead of requiring candidates to move to the organization's headquarters city. "Long term," he adds, "this may allow us to innovate by tapping into a wider market of audit professionals we previously would not have logistically been able to entertain."</p><p>Indeed, he says the new norm has also leveled the playing field for staff members who were remote long before COVID-19. "Now everyone has that same remote meeting application experience," Hansen explains. "Previously, remote workers were likely on a call with a room full of people, while the in-room participants had the benefit of far fewer tech issues and additional interpersonal verbal and nonverbal communications." Another benefit: It's no longer a challenge to reserve those conference rooms.</p><p>Hansen's enterprise works with 8,000 church partners in 25 developing nations — in impoverished areas of the countries, and often in remote locations, requiring many manual processes. It's still "a very limited opportunity," but the organization helps equip partners with technology that can be leveraged for remote auditing. Hansen emphasizes that from a risk standpoint, entities need a robust digital platform for operations. "As we move to a more digital aspect of our business, on both the revenue and program sides," he says, "practitioners will have to have the skills and knowledge to audit that new virtual reality."</p><p>Internal audit has continued its engagements, but has narrowed the scope if it would normally involve global functions where locations have shut down. And it has escalated plans to implement virtual and remote audit solutions. Maybe the biggest change, however, is what Hansen calls "a heightened level of cross-functional collaboration and responsiveness and an increased level of understanding of what is a priority and what can be delayed." </p><p>Hansen's ORM includes Audit, where operational and technology audit teams are housed, Risk Management, Incident Response, and GRC, he explains. "Our structure is probably unlike any other audit shop, and may not suit traditional audit purists," he says, "but I can tell you that having Risk and Audit working together with Incident Response under one roof has been very beneficial."</p><h2>Continued Progress</h2><p>Every internal audit department's experience during the pandemic will be unique, and nobody has any idea exactly how much disruption is yet to come. But the early evidence is powerful and positive for audit practitioners, and it bodes well for continued progress toward achieving the trusted advisor status internal auditors seek.  <br></p>Russell A. Jackson1
Recruiting the Next Generation of Internal Auditors the Next Generation of Internal Auditors<p>​Organizations are constantly looking for new internal audit talent to help them address the risks of an ever-changing business world. That search creates opportunity for the next generation of internal auditors. However, internal audit hiring managers and job candidates come at the employment search and interview process with different perspectives and with different goals. Two past <em>Internal Auditor</em> Emerging Leaders discuss what the candidate and hiring manager both need to achieve during the recruitment process.</p><h2>The Candidate</h2><p>As a young internal auditor, selecting a career path is a critical decision that requires serious consideration. When evaluating a position within an internal audit department, individuals should consider the organization’s culture and how it aligns with their personality, the governance structure, and the operational components of the internal audit function.<br></p><p><strong>Culture</strong> To understand what type of corporate culture a candidate thrives in, the individual must first understand himself or herself. It can pay dividends for auditors to perform a critical self-assessment to understand the types of cultures that are the best fit for them. Conversely, not taking time to understand the organization and team culture during a career search can be a major mistake. </p><p>For candidates who are new to the workforce, online resources such as the DiSC assessment  or the Predictive Index test could shed some light on the cultures with which they are aligned. The DiSC assessment is a personality test that evaluates dominance, influence, steadiness, and conscientiousness traits, while the Predictive Index measures a person’s motivations and needs. </p><p>Figuring out a company’s culture should start even before the application process. Online resources such as Glassdoor post employee reviews and ratings of companies, which can be a good initial indicator of the company’s core values and culture. Reviewing the organization’s website and social media pages also is a good starting point to assess its core values and culture. </p><p>Leveraging the auditor’s professional network is another great resource to gauge whether the organization is a good fit. According to a 2018 Gallup study, 71% of workers say they use referrals from current employees of an organization to learn more about job opportunities. <br></p><p>Searching LinkedIn can identify connections who work at the organization and can provide candid feedback about the business. That feedback can give auditors a baseline understanding that they can use to draft insightful questions for the interview. </p><p>During the interview, candidates should ask behavioral questions to learn about the management style of the hiring manager and the culture of both internal audit and the company. Asking questions such as why the interviewer chose the company and what has made him or her stay can provide insights that could sway a candidate’s decision about a job offer. </p><p>It also is important to see what personality traits the organization values. Asking what personalities tend to be successful at the organization could help candidates determine whether they would be joining a business that encourages or discourages their cultural identity.<br></p><p><strong>Governance</strong> Candidates should ask about the organization’s governance structure, as well. Governance often drives internal audit’s effectiveness, alongside how senior management and the board perceive the value of the function. Internal audit’s effectiveness can be significantly impacted if the department does not have organizational independence or senior management does not seriously consider its reports. </p><p>In assessing governance, a good starting place is asking to whom the chief audit executive (CAE) reports. Ideally, internal audit should report to the board. </p><p>According to Standard 1110: Organizational Independence, the CAE “must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.” This relationship allows for organizational independence of the internal audit activity. </p><p>Candidates also should inquire with the hiring manager about what kind of support internal audit receives from senior management and the board. If one of the interviewers is from outside of the department, auditors can gauge how stakeholders perceive internal audit’s effectiveness. Two questions that could yield insight into internal audit’s effectiveness are: </p><ul><li>How well does the internal audit function align with the strategies, objectives, and risks of the organization? </li><li>How would you describe your working relationship with internal audit? </li></ul><p><br>If the internal audit function is considered a trusted advisor, this will facilitate the opportunity to make a meaningful change within the organization. <br></p><p><strong>Operations</strong> A candidate should take a deep dive into the operational aspects of the internal audit function he or she considers joining. A good question to ask is whether internal audit conforms with the <em>International Standards for the Professional Practice of Internal Auditing</em>. Conformance is a good indicator of the maturity of the audit function. </p><p>Internal audit should be scoping in audits that matter to its key stakeholders. A question a candidate can ask is how internal audit develops the audit plan to align with the organization’s strategies, objectives, and risks. </p><p>Audit innovation should be a consideration, as well. A candidate should evaluate what steps internal audit has taken to integrate technologies such as data analytics, computer-aided audit tools, and robotic process automation into its audits. It is important for young internal auditors to develop skills that incorporate innovative techniques. </p><p>Asking what key performance indicators (KPIs) internal audit uses to assess its performance can shed light into the department’s priorities. KPIs that tie to audit quality, continuing professional development, and audit innovation are a positive sign. </p><h2>The Hiring Manager</h2><p>Internal auditors work in a great profession, and they should be proud to work for their organizations. Yet, with all the profession has going for it, why is it so hard to attract and retain the best talent? </p><p>One of the downfalls internal auditors have is that they think too much. Whether they are trying to connect with the next generation, identifying every possible situation for job candidates, or setting unrealistic expectations, audit leaders complicate the interview process. What if hiring managers simplified the process by evaluating a simple set of critical characteristics, then teaching the other skills needed to the people they hire?</p><p>The first question hiring managers should ask internal audit candidates is, “What do you know about our organization?” While this may seem like a trivial question, it often is the most important question of the interview. </p><p>Most organizations are proud to post online about their successes, core values, and how they give back to the community. Candidates should easily be able to research and respond with the areas that highlight their strengths. Unfortunately, applicants often cannot articulate why they want to work at the organization. </p><p>The content of the answer is not as important as what it says about how prepared the candidate is for the interview. Internal auditors need to be ready for all situations. </p><p>If the candidate is not prepared for a structured interview, then audit executives cannot be confident that he or she will be able to respond to impromptu requests from management down the road. When internal audit reviews a new area, the chief audit executive wants to know the audit team has conducted its research and is ready to provide objective assurance. This opening question provides insight into the applicant’s potential. </p><p>Once the interview gets past this question, there are three attributes that have proven to be the best indicators of success for an auditor. If the candidate can demonstrate these three skills, then internal audit has found the right candidate. <br></p><p><strong>Can the candidate communicate effectively?</strong> Evaluation of this attribute begins with the first communication from the candidate — whether it is through direct contact, résumé, or cover letter — and it doesn’t end until the offer is made. Each response to an interview question gives the hiring manager a better glimpse of the candidate’s ability to communicate. </p><p>As hiring managers ask questions, they can learn how the candidate communicates best. Not everyone will want the same style of communication, but the candidate needs to demonstrate that he or she can identify the style that is best for the situation. </p><p>Everyone makes mistakes in communication; it is how people learn and improve that matters most. Candidates should feel comfortable disclosing errors they have made and, more importantly, how they have grown from these mistakes to communicate better. <br></p><p><strong>Can the candidate think critically?</strong> The audit position can be tough. There is much information to sift through. The risks and risk responses aren’t always clear cut and require sound judgment to assess the current environment. Internal auditors need to be open-minded to be successful. Throughout an audit career, there will be countless situations where an auditor faces a unique situation that can’t be taught in a classroom. </p><p>By describing their past experiences, candidates can demonstrate their ability to work through a difficult situation, evaluate alternatives, and help solve a problem. When it comes to critical thinking, this is a skill that can be built upon, but it also becomes easier the more the individual practices. Luckily, auditors have a lot of practice in this area, making critical thinking an incredibly valuable skill. <br></p><p><strong>Can the candidate work well on a team?</strong> This is a non-negotiable characteristic. Internal auditors must work well together. At the same time, auditors are on the same team organizationally as the employees they will be auditing. Internal audit can’t be successful if auditors have an us-versus-them mentality. </p><p>The ideal candidate will be able to demonstrate how he or she has worked well on a team, overcome obstacles or difficult personalities, and sacrificed self for the good of the organization. Whether the experience was obtained through music, drama, or volunteering, there are ample opportunities for candidates to showcase how they can work on a team and toward a common goal.</p><p>Although many articles describe the skills that make a successful internal auditor, seeing how well a candidate has prepared for the interview and finding the answer to these three questions provide clarity about the auditor’s potential. Hiring managers should be willing to take a chance on someone who can communicate effectively, think critically, and be a team player over someone with years of experience and education any day.  <br></p>Seth Peterson1

  • CAE-OnRisk-January-2021-Premium-1
  • CIALS-January-2021-Premium-2