You Can Always Turn Around<p>During an audit, you discover a department's most significant project was misguided, no longer aligned with organizational needs, and a waste of the department's limited resources. Everyone involved agrees with your assessment, leading to the question, "Why continue?" Leadership responds with reasons such as: "We always complete every project," "We just do as we're told," and "We can't stop — it would be an admission that we failed." What do you do?</p><p>Any auditor worth his or her completed time sheet would recommend that management adjust, modify, or stop the project dead in its tracks, allowing the department to get to work on something (anything) more important. Unfortunately, while we might do an excellent job of telling others what to do, many audit departments do not practice what they preach and often move forward on potentially inconsequential projects as though there were no turning back.</p><p>Stories from the real audit world — experiences from my own career or that I learned about from others firsthand — help illustrate this problem. Details have been removed to protect the innocent, the guilty, and the somewhere-in-between.</p><ul><li>While providing support for the external auditors, the chief audit executive (CAE) explained that one of the planned tests did not apply to the way the company operated. The accountant agreed but explained the test would have to be completed because "it was a requirement of the audit program." </li><li>Although auditors were told the audit schedule was flexible, no one ever deviated from it. 
The audit leader would say, "If we went to the audit committee and asked for a change, they would think we didn't know what we were doing when we first put the plan together."</li></ul><p>Unfortunately, it wasn't too hard for me to produce these examples — a sign that the practice of continuing to do work obstinately just because it is "in the plan" continues to haunt our profession. We claim we want to be agile, but we don't even have the agility necessary to adapt to changing circumstances.</p><p>There is nothing — no project, no audit engagement, no plan — that internal audit should require itself to complete just because it has already been started, it is what has always been done, or the more dreaded, "we don't want to have to explain why we changed." This is not value, this is not service, this is not professionalism — this is blind adherence to meaningless dogma. </p><p>Look ahead at the work you are doing and, if it has no reason — if the risk isn't there, if the requirements aren't there, if it is done to support a promise that makes no sense — just say no. Turn around and start something new, different, and better. </p>Mike Jacka
Dissent in Risk Management<p>Employee communication of dissent, or constructive challenges, to management, and its corresponding reception, are key aspects of risk management. Employee perception about conveying disagreement influences that employee’s understanding of controls, and his or her conscious or unconscious willingness to execute assigned duties.</p><p>Implementing a risk response — deadlines, checklists, reviews, and other specified assignments — may not coincide with the desires of the process owner tasked with completing them. This disconnect between the goal of management and the desires of the process owner is a prime source of dissent, which, in turn, affects the success of the risk response.</p><p>Specific steps precede an employee’s decision to express dissent. First is the awareness of the issue, followed by the attribution of personal responsibility for responding, and then the estimation of the response. The decision to express dissent then involves weighing the possible change against the anticipated backlash. </p><p>There are typically three types of dissent: articulated, antagonistic, and displaced. Because internal auditors must include an assessment of communication channels when testing the design and effectiveness of controls, it is important that they understand the role that dissent plays in a risk management program and how dissent can influence control effectiveness. By doing so, auditors can identify sources of control failure not immediately recognizable when the control is evaluated in isolation.</p><h2>Articulated Dissent</h2><p>Articulated dissent is the direct communication of dissent by employees to individuals with the authority to influence organizational change. Employees choose this method because they believe the dissent will be received positively and seen as constructive feedback. 
Articulated dissent is influenced by a perception that retaliation will be minimal and a conversation with management is positive. Employees will use articulated dissent when it is perceived that the organization is accepting of criticism. It involves an active effort to change the organization for the better from within.</p><h2>Antagonistic Dissent</h2><p>Antagonistic dissent is used by employees who believe that dissent will be received as adversarial, but that the feedback they provide will ultimately be safeguarded against retaliation. This strategy is used by employees in roles that provide a sense of organizational leverage — based on position, expertise, or relationship — and the perception of immunity against reprisal. Antagonistic dissent is primarily used to oppose issues that have a personal connection to the dissenter. Employees express dissent to audiences that are captive or influential, and it occurs in low retaliation conditions. The dissent is intended to change the organization from within, but primarily in a direction that is most beneficial to the individual. Although the underlying motivation for dissent can be self-oriented, the change may be a positive for the organization. <br></p><h2>Displaced Dissent</h2><p>Displaced dissent is used when the employee believes that feedback will be perceived as adversarial and will lead to some form of retaliation. This dissent is communicated to an audience that is either outside of the organization, inside of the organization but lacking any authority, or composed of employees at a similar level. External audiences include spouses, non-work friends, or family members. Internal audiences include fellow co-workers who lack the ability or authority to address the concern. These audiences are chosen because of the low risk for retaliation and for the sense of community that comes from shared displeasure. Displaced dissent involves expressing disagreement without confronting management directly. 
It is a common predictor of employee exit because employees internalize their disagreements without communicating them to those with the power to help. The physical exit of the employee is preceded by a psychological exit — the employee “checks out” and loses his or her commitment to the organization. </p><h2>Understanding Dissent Strategies</h2><p>An effective risk management program must consider the dissent strategies used by employees. How employees choose to express their constructive challenges can have a material impact on a risk management strategy. When a control is designed using a risk-based approach, the design process often omits an understanding of how the employee tasked with implementing it will receive the instructions.</p><p>Because risk responses are performed by front-line employees, dissent that is unknown or unseen by management affects the efficacy of the strategy. When employees engage in displaced or antagonistic dissent, their interpretation may differ from that of management; they may view the internal controls to which they are assigned as restraints on their ability to work effectively. If this perception is coupled with a lack of effective communication channels, the employee is left with dissent options that are disadvantageous to the organization (antagonistic or displaced dissent). This dissent action can result in key control failure because the employee feels unable to express concerns about the control, itself, or its impact on other job functions. </p><p>Internal control failure may be misinterpreted as a failure in design when the breakdown stems from a lack of avenues for employees to express dissent. Employees who believe they have no reasonable means of communication with management redirect their dissent toward their assigned duties, resulting in a negative impact on the organization. 
</p><h2>Managing Dissent</h2><p>To mitigate the negative effects of dissent on risk management, management should evaluate communication channels available to employees. Does the organization provide reasonable outlets for employees to communicate disagreements and disputes? Do these outlets provide the support and confidence to empower employees? Communication channels are the formal and informal mechanisms in place for capturing and addressing employee concerns. </p><p>Organizations with a focus on governance, risk, and control are likely to have the formal aspect covered, whether through third-party hotlines, official human resources policies, regularly scheduled one-on-one meetings, or a combination thereof. What is missing is a recognition of how organizational culture influences their use and effectiveness. When the culture set by management through formal and informal policies includes an openness toward opposing viewpoints, employees then view the reception of dissent as positive and are more likely to express it in ways beneficial to the organization. </p><p>Managers and stakeholders should recognize their organization’s culture in strategic decision-making. A better understanding of the culture can come from surveys of employee attitudes, a formal audit of information flow between organizational levels, or other assessments of communicative effectiveness. </p><p>Appropriate communication channels for the expression of dissent must be supplemented by training for managers on the types of dissent and how each should be addressed. Additionally, strong organizational policies should formalize the organization’s attitude toward dissent. These policies should provide clear direction to managers and employees on how the organization approaches the expression of dissent and specific procedures for the expression and management of these opinions. 
</p><h2>Communication Is Crucial</h2><p>It is important for employees, managers, and auditors to understand the communication channels employees use to express dissent, and how each of these may affect the organization’s strategic goals. Ultimately, the role of dissent in employee attitudes and behaviors is a key component in determining if a risk management program can succeed. </p>Andrew Topa
Navigating Expectations<p>Aesop’s Fable, “The Miller, His Son, and Their Donkey,” recounts the trio’s perilous journey to the market where, along the way, the man and his son face various criticisms for each of their decisions. First, they are chided as foolish and wasteful for walking, and then lazy and cruel for riding. In a desperate attempt to quell the second criticism, they decide to carry the animal only to lose it in the river. The moral is that it is impossible to please everyone given the diversity of opinions, and that attempting to do so can be a fruitless endeavor. </p><p>This predicament also applies to internal audit functions. As the role of internal audit continues to expand, so does its stakeholder base and the level of expectations. But, like the onlookers from the fable, internal audit’s broadening stakeholder base may value a variety of conflicting qualities. For instance, an organization’s manufacturing department, which values efficiency and minimized downtime, may perceive internal audit’s U.S. Sarbanes-Oxley Act of 2002 controls testing as valueless and disruptive to its operations, while the chief executives and external auditors may view such testing as an invaluable barometer in their overall controls assessment.</p><p>In acknowledging that universal stakeholder approval is not always possible, an effective internal audit function also realizes that it can consistently act in the best interests of the organization and its core values, even if it leads to some dissatisfied stakeholders along the way. And while each organization’s values are unique and there is no one-size-fits-all approach to stakeholder management, chief audit executives (CAEs) and their staff members can consider specific actions throughout the engagement life cycle while navigating widespread stakeholder expectations. 
</p><h2>Begin With the Risk Assessment</h2><p>Regardless of the industry, organization, or department, all stakeholders face some form of risk and understand the need to manage it within acceptable levels. That said, disagreement on the nature and severity of risk is inevitable. While auditors are not expected to evaluate risk through the same lenses as their stakeholders, they can use the risk assessment process to engage stakeholders — such as through interviews and surveys — and as an opportunity to align future audits or projects with mutually agreed-upon risks. Further, to ensure stakeholders are on board with the risk ratings and evaluation criteria, auditors should use generally accepted risk assessment methodologies, such as The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Enterprise Risk Management–Integrating With Strategy and Performance</em>. Wherever possible, they should quantify the likelihood and potential impacts of such risks in lieu of using highly subjective, and often contentious, heat maps with high, medium, and low categorizations. </p><h2>Align Engagement Goals </h2><p>Once the need for an engagement has been established by aligning it with mutually agreed-upon risks, internal auditors should set goals for the engagement and discuss them with impacted stakeholders before beginning fieldwork. Further, auditors can gain stakeholder interest by articulating the direct or indirect links between the proposed engagement and the accomplishment of departmental and organizationwide objectives. For example, an operational audit of an organization’s shipping function should begin by evaluating the department’s immediate and long-term goals, such as shipment of 100 percent of forecasted orders this month, quarter, and year, and the organizationwide objectives they support, such as greater customer satisfaction and improved profitability. 
</p><p>As a result, the engagement’s goals should include identifying issue root causes and providing recommendations that will enable them to achieve their goals. When the department’s goals conflict with, or do not align with, enterprisewide objectives, further dialogue with departmental and executive leadership may be warranted before beginning fieldwork.</p><h2>Obtain Buy-in</h2><p>To promote a “no surprises” approach, internal auditors must proactively communicate engagement goals with their stakeholders and obtain consensus on scope and timing. While this practice seems obvious to many, its importance is sometimes overlooked. Auditors should use engagement proposals, scope documents, and kick-off meetings as a vehicle for engaging their stakeholders and establishing ground rules and expectations.</p><p>Furthermore, obtaining stakeholder buy-in requires not just discussing the engagement terms, but also communicating what’s in it for them. While this message can be challenging, especially on a mandatory compliance audit, stakeholders are far more inclined to act as a partner when they are aware of the incentives. For example, instead of warning sales department leaders about the penalties for their team’s noncompliance with company travel and expense policies, an internal auditor reviewing travel expenses can emphasize the benefits of cooperation during the audit, such as shorter audit duration, less disruption, and a reduction in audit findings. The audit also can point out the advantages of implementing the subsequent recommendations, such as greater management and monitoring of expenses and budgetary adherence. </p><h2>Stay Agile</h2><p>While a robust engagement plan can set the tone and ensure the efficient allocation of audit resources, an internal audit engagement’s — and department’s — success is contingent on the team’s ability to promptly adapt to change. 
According to The IIA’s 2018 North American Pulse of Internal Audit, two-thirds of CAEs significantly value future agility, yet only 45 percent consider their departments very or extremely agile today. </p><p>The process of becoming agile can begin by leaving flexibility in the engagement plan, which can range from budgeting hours for responding to ad hoc requests, to continuously refining the plan after major milestones. In addition, audit teams need to establish a scope change management protocol with stakeholders up front to ensure changes to the original plan and scope are handled consistently.</p><h2>Use Accepted Methodologies and Best Practices</h2><p>To avoid irreconcilable differences of opinion, auditors can base their approach, evaluation criteria, and, ultimately, their conclusions on generally accepted standards. For instance, while assessing a company’s IT password requirements, an auditor is likely to encounter stakeholder pushback and questioning by concluding that the password length requirements are weak or even noncompliant without attribution to a specific framework. On the other hand, if the auditor notes that the company’s current password length requirement of five characters does not align with the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 recommendation of at least eight characters, stakeholders are far less inclined to challenge the finding and more likely to accept the recommendation, especially if they also value the NIST framework and were apprised of the audit criteria earlier in the engagement. </p><h2>Remain Neutral</h2><p>Regardless of the organization, interdepartmental conflicts or turf wars are inevitable, and by virtue of their authority, internal auditors often are petitioned by stakeholders to support a particular side. 
IIA Standard 1120: Individual Objectivity states, “Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.” While maintaining an objective mindset is critical, it can be far more challenging for internal auditors to appear neutral in the eyes of their stakeholders. In addition to abiding by the explicit requirements of neutrality, which include refusal of gifts and avoidance of workplace fraternization, internal auditors should refrain from being overly complimentary or critical of a particular stakeholder group in their interactions and in their reports. For example, internal auditors should avoid using words with strong connotations such as <em>failure</em>, <em>weakness</em>, or <em>gap</em> and replace them with more constructive terms such as <em>opportunity</em>. </p><p>In the unfortunate situation where a dispute arises between internal audit and a stakeholder, such as disagreements over regulatory interpretations, audit findings, or recommendations, CAEs should consult a mutually regarded third party as a mediator, whether it is another department, such as legal or human resources, or outside consultants. For instance, if internal audit and accounting have a disagreement about the interpretation of the new Financial Accounting Standards Board Lease Accounting Standard, the CAE can consult the external audit firm to provide its independent, objective interpretation of the standard to both parties in hopes of achieving greater alignment.  </p><h2>Be Self-sufficient</h2><p>While a thorough risk assessment and well-articulated plan can help stakeholders understand the need for, or even appreciate, the engagement, they are less likely to embrace the fieldwork process, itself. For example, a retail operations manager concerned about shrink may welcome the idea of a loss-prevention audit, but may be less enthusiastic about the auditor’s requirement to conduct time-consuming inventories after hours. 
While auditors should avoid the temptation to eliminate or modify key audit procedures to appease stakeholders, they should try to reduce the audit burden by compiling their own documentation, such as running reports and queries, scheduling observations at mutually agreed-upon times, and being fully prepared at the onset of fieldwork to limit the audit duration. </p><h2>Issue Vetted, Quantifiable, and Actionable Reports</h2><p>The audit report can be the most valuable product of an engagement, but it also can be the most controversial. According to Deloitte’s 2018 Global CAE Research Survey, 24 percent of participants listed helping the business respond to prior internal audit recommendations as a key strategic priority. As audit reports can have a widespread audience, including executive leadership and the board, stakeholders can be highly sensitive to negative feedback and how it is presented. While some stakeholder defensiveness is inevitable, internal auditors can make the audit report less controversial by preparing it under a highly collaborative and iterative process. While stakeholders should not author, redact, or edit an audit report, they should be given the opportunity to review drafts and ask questions until consensus is achieved before publishing it to a larger audience. </p><p>Additionally, audit recommendations should not come in the form of mandates, but rather as value propositions supported by tangible, quantifiable benefits. For instance, an auditor completing a Lean Six Sigma assessment can advise stakeholders that implementation of the proposed recommendations could potentially drive productivity up X percent and reduce operating costs by Y percent. If such data is not available in house, the auditor can at least point to successful case studies, such as General Electric’s savings of $12 billion in the first five years after implementing Six Sigma. 
Lastly, to the extent that supporting management in its implementation of audit recommendations does not impair independence, auditors should offer to lend support throughout the process to ensure the recommendations are timely and satisfactorily addressed. </p><h2>Convert Solicited Feedback Into Action</h2><p>While soliciting real-time, informal feedback throughout the engagement life cycle is valuable, internal auditors cannot underestimate the importance of formal, recurring feedback mechanisms such as stakeholder surveys and quality assessment interviews. According to KPMG’s 2018 Benchmarking Survey, three-quarters of respondents use a formal stakeholder satisfaction questionnaire. While effective surveys can take several different forms, internal audit surveys should be anonymous to ensure candid feedback, and leave the respondents with the opportunity to provide free-form responses — in lieu of pure multiple choice or numerical rating scales — to expound upon improvement opportunities with examples and recommendations.</p><p>While administering a survey can be seen as a gesture of good faith to the stakeholder, it can be perceived as mere lip service without being converted into visible actions. To ensure stakeholders realize their feedback is not in vain, CAEs should consider summarizing the survey results, including the improvement opportunities and subsequent action plans, and communicating them to impacted stakeholders via reporting or debrief meetings. </p><h2>Perform Quality Assessments </h2><p>The most valuable feedback an internal audit function can receive is directly from its stakeholders. Nonetheless, the performance of periodic quality assessments, as mandated by The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>, can help identify additional opportunities to align with generally accepted best practices. 
While a quality self-assessment using IIA-provided tools is generally sufficient, CAEs must adhere to The IIA’s guidance to engage an independent party at least once every five years to complete the assessment, and ensure stakeholders are apprised of this practice to avoid the perception of a conflict of interest. Similar to the audit feedback surveys, CAEs should consider reporting the results of their quality assessments, including any subsequent action plans, to impacted stakeholders to demonstrate the audit function’s commitment to continuous improvement. </p><h2>A Customized Approach</h2><p>Internal audit functions face constant challenges juggling diverse and occasionally conflicting expectations from their stakeholders, including business-unit leads, executives, board members, external auditors, and regulators. Unfortunately, these challenges cannot be alleviated by a single action or even a one-size-fits-all approach. However, an effective internal audit function can navigate widespread stakeholder expectations through a multifaceted approach that engages stakeholders in every aspect of the engagement life cycle. By differentiating effective stakeholder management from constantly trying to please everyone, internal auditors can avoid the fate of Aesop’s Miller and His Son. </p>Jack Pelikan
Anticipating Surprises<h2>The 2019 North American Pulse of Internal Audit study notes internal audit's ability to identify atypical risks isn't keeping pace with the frequency of surprise risks reported by management. How can internal audit help assess these risks? </h2><p>Boards most commonly turn to executive management for information on emerging and atypical risks, but it's a serious governance concern if they aren't searching for input from others, particularly their chief audit executive (CAE). This represents a clear opportunity for internal audit to position itself as the objective source of information on emerging and atypical risks. </p><p>CAEs need to carve out enough time to strategize no matter the size of their department. They need to challenge their own risk assessment practices. Are they simply a mirror for what management is willing to share, or are they providing insights beyond that feedback? They should develop a data strategy and start planning for the resources they'll need to execute it. Most importantly, they need to be effective with their limited time with the audit committee and board. This involves understanding their audience and needs; being prepared to deliver meaningful, objective information; and speaking out on difficult issues.</p><h2>Why is there greater reliance on management — rather than internal audit — to identify and assess emerging and atypical risks?</h2><p>CAEs still depend heavily on traditional methods for assessing risks. In fact, 88 percent rely on periodic interviews with management. This is fine as long as it is just one source among many. Yet fewer than half of CAEs have identified and monitor key risk indicators and only 30 percent are leveraging data analytics in this space. </p><p>Internal audit can do better. Management may not always be willing to share everything it knows in interviews. Indeed, there may be strong disincentives for it to share more than the minimum. 
CAEs need to identify alternative sources — both internal and external — for gathering information on risks. With that comes the need for a comprehensive strategy for collecting and analyzing this data and delivering insights and recommendations.</p>Staff
It's Not About You!<p>The audit report was 25 pages long. The results didn’t begin until page 16. Even worse, the audit’s purpose was not revealed until well into the document. It appeared past the auditors’ signatures, past a boilerplate that defined internal audit’s role and established its independence, and past a description of the standards that were audited against. On the fourth page, 600 words into the audit report, the authors included just a single sentence that explained, albeit vaguely, why the audit had been performed.</p><p>This is a true story, but it is not a tale of incompetence. Indeed, the audit itself represented superior work performed by a proficient and experienced practitioner. The anecdote instead points to a far-too-common breakdown between performing internal audit work and communicating results. It demonstrates audit reporting that focuses too much on the audit and the auditor, and not enough on the clients and their business objectives. </p><p>To fix this problem, auditors must train themselves to write audit reports with audience awareness. Putting that skill into practice, however, requires the support of audit management and the trust of the audit client. With these elements in place, auditors can produce reports that serve as a much more effective communication vehicle and provide greater value to their clients.</p><h2>Making the Grade </h2><p>In an article titled, “Understanding a Writer’s Awareness of Audience,” author and writing professor Carol Berkenkotter analyzed expert writers and the role of audience awareness in their composition process. Her work was inspired by “The Cognition of Discovery: Defining a Rhetorical Problem,” a study by researchers Linda Flower and John Hayes that found experienced writers formed a mental image of their readers. College freshmen in the study struggled to think beyond the topic and content of their essays. 
</p><p>“Unlike real-world writing situations,” Berkenkotter wrote, “which confront the writer with a variety of rhetorical situations and audiences with differing needs, school writing demands that the student write for a single authority, the teacher.” As a result, success in the writing process is determined by the student’s ability to demonstrate his or her expertise on a given subject to this authority figure. </p><p>Although professional auditors have left behind the classroom <em>setting</em>, reverting to a classroom <em>mindset</em> when writing audit reports can easily result in a focus on demonstrating the auditors’ own authority. Reports produced this way often fail to effectively communicate the audit’s value or meet stakeholder needs. </p><p>Fortunately, writing with audience awareness is a skill that can be learned and developed. Writers who exhibit audience awareness, Berkenkotter found, engage in four main types of activities — as shown in “Audience Awareness” below. Each activity is accompanied by a list of questions, shown in the right column. Berkenkotter suggests that with practice over time, addressing these questions becomes less of a process and more of a state of mind. “Professional writers automatically internalize their audiences; as they write, they ask themselves the questions that their readers might be expected to ask,” she says. “In the process of being one’s own reader, an expert writer is constantly revising [his or her] own work.” This imagined audience, she adds, becomes the touchstone upon which the writer bases his or her decisions, including organization.<br></p><p><img src="/2019/PublishingImages/Cassels_apr%2719_p.45.jpg" alt="" style="margin:5px;width:700px;height:456px;" /></p><h2>Structure and Sequence</h2><p>Audit report content should be organized by its importance to the audit client. 
Beginning the audit results only after pages of describing audit procedures, as the report cited earlier did, makes sense only to the practitioner who has been immersed in the engagement for months. For internal audit stakeholders, seeing and understanding the results is more important than knowing how the results were found. </p><p>As a practical guide, the content of a client-focused audit report should be prioritized by four main areas:</p><ol><li>The reason for the audit, related to client business objectives.</li><li>The results of the audit and their impact on client business objectives.</li><li>Recommendations, if any.</li><li>Information about the audit process and the auditors.</li></ol><p>Although this structure reflects the order of importance, it does not strictly dictate the sequence of the report. For example, some information about the auditors and the audit process may be interwoven throughout the document — auditors don’t necessarily have to place it all at the end. What matters is whether the report is client-focused (as opposed to audit-focused) and whether it prioritizes the information most important to the clients.</p><p>Audit reports, in other words, should not all follow the same template. Decisions about what to include, what to leave out, and how to organize the report should be made based on awareness of the audience. Writing with audience awareness will help auditors overcome the task-oriented mindset that results in audit-focused reports. But to put this technique into practice, auditors must believe they are empowered to change.</p><h2>Culture and Empowerment</h2><p>The audit report that tells stakeholders what auditors want to say is an artifact encountered by many new practitioners when learning the profession. Cultural subtleties, such as referring to the report with words like “deliverable” and “work product,” reinforce the notion that the report’s purpose is to document internal audit’s execution of the engagement. 
</p><p>To change this mindset, audit managers and chief audit executives (CAEs) must begin to empower their staff members and require them to take a different approach to reporting. Regardless of how many articles they read or seminars they attend, practitioners will never change for the better if their audit department’s culture includes an unspoken expectation that audit reporting involves filling in old templates. When CAEs and audit managers read audit reports that begin with, “Internal audit conducted a review of …” they must start sending them back and coaching their staff to write reports that focus on the client’s business objectives. </p><p>In fairness, because the audit report typically serves as the primary method of documenting what happened in an audit, practitioners will naturally want to justify their value by demonstrating the volume and quality of the work performed. Rather than asking the auditor to merely suppress this inclination, audit managers can relieve the burden by giving auditors other outlets through which to communicate in detail about the rigor and quality of their work. For example, managers could simply meet with auditors to discuss the execution of a given engagement, allowing the auditors to discuss how much time they spent on it and any difficulties encountered, as well as revisit decisions that were made. These types of details — important to the audit process but too granular for the client — should be documented in the audit’s workpapers for later reference. The documentation can help assure auditors that even though clients might not be apprised of process minutia, audit management understands and appreciates these details. </p><h2>Client Trust</h2><p>To make the transition from defensive audit reporting that focuses on process documentation to reporting that is proactive and focused on audience utility, internal auditors must also have the trust of their clients. 
One reason audit reports often contain excessive process detail is that practitioners worry clients may be resistant to, or suspicious of, the audit process — especially if the client might view the results as unfavorable. When this occurs, internal auditors focus primarily on defending their work and results rather than communicating what those results mean to the client’s business. </p><p>To overcome this defensive mindset, internal auditors must constantly work to strengthen trust — in both the audit function as a whole and each of its practitioners, from one engagement to the next. If clients receive regular communication throughout engagements, understand that internal audit’s mission is to help the business achieve its objectives, and have been educated about the audit process, they will be able to accept audit reports with trust, boilerplates and disclaimers aside.</p><h2>It’s About the Audit Client</h2><p>Writing engaging audit reports that are suited to the needs of the individual client can be liberating for practitioners, but it also represents a challenge. Outside the safety zone of template-based reporting, auditors must make careful choices about what to include, what to exclude, and in what order to place information to maximize the client’s perception of report quality and utility. However, the payoff for practitioners willing to undertake this challenge is enhancing their clients’ understanding and appreciation of the value of internal audit.</p>Wade Cassels
Opening and Closing Meetings<p>Imagine attending an opening meeting for a scheduled audit. The audit topic is somewhat controversial and there has been pushback on the review’s timing. The auditor-in-charge worked hard to find time to get everyone to attend (8-10 people). The meeting is held in a huge conference room, so people are waving across the room and jokingly asking, “How’s the weather over there?” There is anticipation mixed with nervousness and anxiety as the auditors introduce themselves. The auditor-in-charge turns on the projector and forwards through the 12 slides in the opening meeting slide deck in about five minutes. She asks if there are any questions (there are none) and thanks them for their time. The group proceeds to exit the conference room feeling deflated. Everyone thinks, “What was the point of that?”</p><p>Now imagine attending a closing meeting for a different audit that went well. The clients are engaged with the issues internal audit finds and want to use the audit to help drive improvements in their business. The meeting is held in a huge training room set up with circular tables suitable for 36 people. The auditor-in-charge had difficulty aligning everyone’s schedules, so the meeting is held at 4 p.m. on Friday. Six of the 18 people call in to attend the meeting while the rest sit at the back of the room. Unfortunately, the auditor-in-charge shows up just five minutes before the meeting starts and has multiple issues with the technology — he neglects to bring an adapter for the laptop and doesn’t know how to use the projector. As a result, the meeting starts 15 minutes late. 
Two slides in, the meeting is derailed by someone on the phone asking a question, resulting in a five-minute side conversation between the auditor-in-charge and the person on the phone as the others disengage into side conversations or checking their phones and laptops.</p><p>Many times, internal audit takes opening and closing meetings for granted and just goes through the motions to conduct them. The difference between meetings that are successful and meetings that are not is preparation and clear objectives. Internal auditors can follow guidelines that will ensure these meetings are informative and engage their audit clients.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​Conducting Effective Meetings </strong></p><p>Because the opening meeting can set the tone for the audit and the closing meeting is a crucial last step in the audit process, internal auditors can benefit from tips to run the meetings in the most professional manner possible. </p><ul><li><strong>Consider your appearance at the meetings.</strong> Because internal audit is positioning itself as a competent team of professionals, they should look the part and dress appropriately. </li><li><strong>Never sit opposite the clients in an “us vs. them” setup.</strong> The audit team should mingle to make the meeting more collaborative.</li><li><strong>Don’t use “auditee” or other internal audit jargon with clients or other meeting participants.</strong> The only people who use those words are auditors.</li><li><strong>Never read directly from the slides or the audit report.</strong> Points should be made as if the auditor is having a conversation. Use the slide deck and audit report as a guide, not a crutch. 
If an auditor is unable to do that, then he or she has not prepared well enough for the meeting.</li><li><strong>Remarks should be addressed to the most senior (nonaudit) person in the room.</strong> This is simply good etiquette.</li><li><strong>Be culturally sensitive.</strong> In the U.S., staff members present their own findings as a development opportunity. In other countries, the senior member of the audit team is expected to do so. There may be some other cultural etiquette for meetings, as well. Internal auditors should always research cultural norms if they are presenting in another country.</li><li><strong>The auditor-in-charge should stand up during the meeting, if appropriate.</strong> Standing reinforces that he or she is facilitating the discussion. </li></ul></td></tr></tbody></table> <p> <strong>Prepare for the Meeting</strong> The meeting room should be visited the day before the meeting to make sure it is appropriate for the number of people attending and that the auditor running the meeting understands how to use the technology in the room. If the auditor-in-charge is uncomfortable speaking in front of people, he or she should rehearse the entire meeting.</p><p> <strong>Make Your Objective Clear</strong> A meeting must have a specific and defined purpose. Before sending that calendar invitation, ask yourself: What do I want to accomplish? This should be shared ahead of time with the client.</p><p> <strong>Consider Who Is Invited</strong> Think about who really needs to be in the meeting. When people feel that what’s being discussed isn’t relevant to them, or that they lack the skills or expertise to be of assistance, they’ll view their attendance as a waste of time. 
If there are any doubts about certain attendees, make them optional and let them decide whether to attend.</p><p> <strong>Stick to the Schedule</strong> Create an agenda (or slide deck, in this case) that lays out everything that will be covered in the meeting, along with a timeline that allots a certain number of minutes to each item, and email it to people in advance.</p><p> <strong>Be Assertive</strong> If one person is monopolizing the conversation — the fastest way to derail a meeting — call him or her out delicately. For example, “We appreciate your contributions, but let’s get some input from others.” Establishing ground rules early on will create a framework for how the group functions. Internal audit is in charge of the meeting. Discussions of risk ratings, for example, can be a derailer that the auditor should consider discussing outside of the meeting.</p><p> <strong>Start on Time, End on Time</strong> Knowing that time is valuable, do not schedule any meeting for more than an hour. Sixty minutes is generally the longest time people can remain truly engaged. A <em>Harvard Business Review</em> article, “The 50-minute Meeting,” suggests allowing 10 minutes of the 60 minutes for travel and administrative time. And if only 30 minutes is needed, don’t schedule an hour.</p><p> <strong>Ban Technology</strong> Laptops and smartphones distract people from being focused on the meeting or contributing to it. Instead, they’ll be sending emails or surfing the web.</p><p> <strong>Note Action Items and Follow-up</strong> So that everyone is on the same page, a follow-up email highlighting what was accomplished should be sent within 24 hours to all who attended. Document the responsibilities given, tasks delegated, and any assigned deadlines.</p><p>If opening and closing meetings seem repetitive and boring, consider the actors who perform in some Broadway plays for years. They strive to do every performance, even the 873rd, with the same passion as the first. 
They polish and perfect it each time. Clients deserve the best from internal auditors, and there will always be someone in the room who hasn’t seen the slide deck or been through an audit before. The right preparation can make these meetings valuable and productive for auditor and client.</p>Scott Feltner
Building the Audit Function<p>Building an internal audit function from the ground up may seem like a daunting task, but taking a measured approach and prioritizing what should be done first can ease some of the difficulties. Handling these initial steps with care also helps build trust in organizations that may have no experience with internal audit or may be suspicious of its motives. By selecting key areas of focus and seeking to make "quick wins," chief audit executives (CAEs) can soon win over management and the rest of the business, and establish a solid foundation for the audit function.</p><h2>The Lay of the Land </h2><p>Alyssa Martin, partner in charge at risk advisory services firm Weaver in Dallas, is no stranger to setting up internal audit functions from scratch. She says she typically sets up around three or four functions per year on behalf of clients, and that she has established — or "reconstituted" — more than 20 in her career to date. </p><p>Martin says the reason behind the organization's decision to set up an audit function can provide vital clues about what it will look like and how it will be resourced. Potential reasons include regulatory requirements; past governance failures that impacted operations; financial incentives such as improving processes, increasing efficiency, and minimizing potential frauds; or pressure from a large customer to provide it with more assurance. "The different circumstances behind the move to set up an internal audit function can influence the way it is developed, what its scope is, and what budget and resources it will have," she says. </p><p>The way in which internal audit will operate also needs adequate consideration, Martin adds. If, for example, the function comprises a head of internal audit who oversees a fully outsourced team, that individual must be a strong leader with lots of experience. 
He or she must be able to take charge and establish what the function's priorities should be, as well as determine what expertise the organization needs to obtain quickly. </p><p>Martin says internal audit needs a "sponsor" within the organization to champion the function and to send a message to the board and the rest of the organization that internal audit is a key player in ensuring effective governance and sound practice. Moreover, CAEs need to liaise and establish good working relationships with key second-line assurance functions in the business, particularly the chief risk and compliance officers, as well as maintain communication with the chief financial officer (CFO). "Internal audit can't act in isolation, and especially not when it is a new department," she says. "It needs to establish key partnerships with other functions in the business to see how they operate, how they view risk, and to learn their approaches."</p><p>Martin also notes the importance of building a good relationship with the audit committee, management, and the organization in general, and she stresses the need for audit heads to understand the audit universe and identify which activities are a priority for internal audit's involvement. "Find out where internal audit needs to be active first and what skills and experience you need to have to make a good impression straight away," she says. "You have to choose where you can make an immediate impact first to gain trust with management and the organization."</p><p>The head of internal audit also needs to look closely at the budget he or she has been given. "A low budget impacts hiring choices and what you can realistically do," Martin says. "It also means that you have to prioritize areas that need the most work or immediate focus." 
She advises audit leaders not to complain about receiving less funding than expected, noting that effective use of allotted resources can allow for quick wins and help build confidence with managers who control the purse strings, thereby making them more likely to agree to additional funding later.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Set the Standard</strong></p><p>Anyone setting up a new audit function should be familiar with The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>. Several standards, in particular, are especially relevant to the process:</p>1000 — Purpose, Authority, and Responsibility<br>1110 — Organizational Independence<br>1200 — Proficiency and Due Professional Care<br>2000 — Managing the Internal Audit Activity<br>2020 — Communication and Approval<br>2030 — Resource Management<br>2040 — Policies and Procedures<br>2050 — Coordination and Reliance<br>2060 — Reporting to Senior Management and the Board<br>2230 — Engagement Resource Allocation<br></td></tr></tbody></table><h2>Obtaining Buy-in</h2><p>Arif Zaman, head of internal audit at real estate company Emaar Industries and Investments based in Dubai, United Arab Emirates, was formerly a risk advisor at a consulting firm where he helped large corporate clients set up or reconstitute internal audit functions. Zaman says the experience taught him what a "good" internal audit function should look like, and what constitutes best practice. </p><p>Having board buy-in from the start is essential to the success of any internal audit function, Zaman says. 
"Once you have board backing, you can then get approval for the internal audit framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity," he explains.</p><p>Like Martin, Zaman says internal audit must know who will champion the audit function — usually the second line of defense functions like compliance or risk management. He adds that, to maintain independence, internal audit should report to the audit committee or directly to the board. Once the reporting line is defined, the head of internal audit should ensure that three documents are drawn up quickly:</p><ul><li>An audit committee charter to define the role and responsibilities of the committee (with board approval).</li><li>An internal audit charter to define the scope, role, responsibilities, and reporting structure of the internal audit function.</li><li>The standard operating procedures, which are policies and procedures that cover the annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting, and quality assurance.</li></ul><p> <br> </p><p>According to Zaman, understanding the business, how it operates, and — crucially — its culture, also are key steps to successfully setting up an internal audit function. "It is very important to be acquainted with the culture and business acumen of the company," he says. "It gives a general idea of the company's risk maturity and its control environment. It also provides useful insight about how an internal auditor should determine his or her approach and how to pitch the internal audit department framework within the organization."</p><p>Zaman also notes the importance of considering the culture of the country in which the organization operates. "Internal audit is nothing new in countries like the U.S., U.K., or elsewhere in Europe," he says. "These countries have an understanding and appreciation of what internal audit can provide. 
But in developing markets, awareness of what internal audit is supposed to do, and what it is capable of, can be quite low."</p><p>To help gain trust in the organization, Zaman says it may be best if internal audit has a pragmatic — rather than dogmatic — mindset. He stresses that flexibility may be necessary, as a "by the book" approach may intimidate business units and deter them from coming forward and reporting problems. "You want to establish a culture of openness and transparency that encourages people to come forward with concerns, rather than reinforce the stereotype of internal audit being an internal policeman," he says. </p><p>Zaman also agrees with Martin that achieving quick wins early on can help turn people's attitudes around in the auditors' favor. He warns against starting with sweeping, ambitious objectives such as advising an overhaul of the way the organization is run or recommending controls around every single business process. Instead, Zaman suggests looking at simple ways to help cut costs and increase efficiencies, being sure to quantify the immediate and long-term cost savings. "Concentrate on just doing the main audit work you need to do first and where you know you can succeed," he says.<br></p><p>It is also important for internal audit to show that it is open and collaborative, notes Randy Pierson, internal audit manager and invalid traffic compliance leader at The Nielsen Co. in Oldsmar, Fla. “Audit needs to avoid being siloed," he says. "You want to make sure that you are getting all the information that you need so that you can understand the risks to the business and whether they are being controlled. 
The best way of doing this is to build up trust within the organization.”</p><p>Like Zaman and Martin, Pierson also advises making a good impression quickly through small but effective changes to improve practices, cut costs, etc., but also by working with subject matter experts throughout the business to get a better sense of operations and the risks they face.<br></p><h2>Working Within the Perimeter<br></h2><div>Leslie Krepa, a retired former head of internal audit living in the United Kingdom, does not believe that any auditor sets up a function from scratch in reality. “There are always perimeters setting out what you are able to do and what you will need to look at — the job description/internal audit terms of reference will have done that at the outset," she says. "The board, and especially the audit committee if there is one, will have expectations of what they want to see done, and they will have a budget in mind as well. Heads of internal audit will, however, usually have overall control about how the work is done, how the budget is spent, and how the function is set up, but management will have a very clear view about what they want prioritized, particularly as they took the decision to establish an in-house function in the first place.”</div><div><br></div><div>Krepa warns heads of internal audit not to rush into anything. She advises, for example, that CAEs avoid the mistake of presenting an audit plan to key stakeholders during their first week in the position, lest they want to be told to come back when they learn the business. Krepa suggests first visiting key departments, getting to know stakeholders, and visiting office sites. "Look at what is going on with your own eyes — the key early on is to listen and observe and not say very much," she says.<br></div><div><br></div><div>Krepa also advises audit heads to spend time with external audit. 
“Audit committee chairs rely on external audit to give them an independent view of risks to the business, and chances are that they have already asked for external audit’s opinion on what you are doing," she says. "Having external audit on your side at the beginning could be a real help in winning other key stakeholders over.”<br><br></div><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​Quick Checklist*</strong></p><p>Several activities should be considered when establishing an internal audit function:</p><ul><li>Identify key internal and external stakeholders and obtain a clear understanding of their expectations. </li><li>Communicate the role of internal audit to the board, audit committee, executive management, and the rest of the organization. </li><li>Ensure that there is a functional reporting line to the audit committee and — ideally — an administrative reporting line to the CEO. </li><li>Put an internal audit charter in place — one that is approved by the audit committee.</li><li>Conform with The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>.</li><li>Prepare an internal audit strategic plan that considers the organization’s objectives and key risks as well as any gaps within its assurance framework. </li><li>Assess the organization’s risk maturity to help determine the internal audit strategy and approach.</li><li>Agree with management on an annual internal audit plan that is approved by the audit committee.</li><li>Agree with management on budgets (financial and staffing).</li><li>Coordinate internal audit work with that of other assurance providers (internal and external).</li></ul><p> <br> </p><p> <em>*A version of this checklist originally appeared in the Chartered Institute of Internal Auditors guide, How to Set up a New Internal Audit Activity. 
Adapted with permission.</em></p></td></tr></tbody></table><h2>Replacing a Previous Function</h2><p>Seidu Sumani, senior vice president, head of internal audit, at MFS Investment Management previously set up an internal audit function at another investment management firm in Boston after it was sold by its U.S. parent company. "The organization had previously been served by a group internal audit function, so management had a mature view of what internal audit did and the value it could add," he says. </p><p>With management buy-in already a given, Sumani had to work out quickly which departments and processes needed audit focus first, as well as demonstrate that he and his newly appointed team understood the business and the risks it faced. "I needed to establish what my priorities were very quickly, and what skills and experience I would need for my team," he says.</p><p>Sumani notes that it can be a struggle for heads of internal audit to assert their authority at the beginning. Budgets can often be decided by the CFO, for example, and if they are too low, audit heads need to deliver a compelling case about why they need more resources so early on. Sumani advises an assertive approach. "Disagreements with senior management can become quite common, quite tense, and quite political," he says. "But you have to be firm — yet persuasive — and be able to demonstrate that you have the knowledge and experience to back up what you are asking for."</p><p>For example, Sumani notes that he was given a budget for seven team members and was advised to outsource the IT audit function. Instead, he wanted an experienced IT auditor, which can be an expensive hire. "In the end, I was able to get what I wanted but it was not an easy argument to win," he says. There was also pressure on him to deliver results quickly, though he wasn't convinced that the areas management wanted internal audit to address first were in fact the riskiest or the best use of audit's limited resources. 
"So I took a risk-based approach, which was risky for me because results were not as quick," he says. "However, the results were more appropriate and in the end the stakeholders appreciated that."</p><p>Sumani also recruited someone who had more business experience than audit experience — two years in audit but a wealth of financial services experience; plus he had worked within the business. The new hire could "speak the same language" as managers in different departments, understood how they worked, and knew the key risks their departments faced, as well as how they addressed them. "As a result, we gained management's trust very early on," he says. In fact, he hired three people from within the business based on their knowledge of organizational processes and their ability to learn internal auditing quickly.</p><p>Sumani warns against hiring certain staff members just because management wants them on the team. "Choose your own team and hire who you need or want," he says. He also advises against letting management dictate what internal audit should be doing, emphasizing that it's the audit leader's job to prioritize which areas need the greatest resources and immediate focus. "If internal audit wants to show it is independent, it needs to assert that independence from the beginning," he says. "However, if you're going to ask for more resources and go up against management, be sure you can do what you say you are going to do."</p><h2>The Right People</h2><p>Phil Tarling, an internal audit consultant based in the U.K. and former chairman of The IIA's Global Board of Directors, also emphasizes the importance of staffing-related decisions early on. "Any new internal audit function will live or die by the people it has on its team," he says. 
"The question you need to ask is whether you want more low-level people who can do the nuts and bolts work effectively and can cover a lot of basic audits across the business, or do you go for high-level people who are willing to get their hands dirty, do the low-level work as well, but who can cover less ground?" He notes the answers depend largely on management's expectations, adding that staffing decisions can have ramifications down the road as internal audit matures.</p><p>Tarling says CAEs who are asked to manage a completely outsourced function can enjoy certain advantages. He points to the increased ease of saying that audit reports received are inadequate or requesting that a particular partner or subject matter expert lead an engagement, as well as leverage in negotiating additional services.</p><p>Regardless of team composition, Tarling, like Sumani, advises a firm, proactive approach. "If you are in charge of a fully outsourced function, or if you cosource, then make sure you flex your muscle and get exactly what you want," he says.</p><h2>A Solid Foundation</h2><p>Setting up internal audit from scratch will always present challenges, but taking a steady and realistic approach that involves management buy-in from the start will make the process a lot easier. And to build trust and avoid confusion or conflict, it is also important to remember that internal audit must define its scope and terms of reference from the outset. Management will be more likely to respond favorably if positive early impressions are made, and more likely to trust internal audit's judgment going forward.</p><p></p><div><br></div><div><em>Visit</em><a class="vglnk" href="" rel="nofollow"><span><em> </em></span></a><a href="" target="_blank"><em></em></a><em> for IIA suggestions and resources on setting up a small internal audit function.</em> <br></div>Neil Hodge
GAM 2019: Leadership and Change<p><span style="font-size:12px;">In Tuesday's General Audit Management Conference general session, Mike Evans, award-winning author, speaker, and executive consultant, led a lively discussion on Leading Change: Achieving What Matters Most. </span><span style="font-size:12px;">Evans offered several takeaways for every audit leader who is trying to embrace change and lead by example:</span></p><ul style="text-align:left;"><li><span style="font-size:12px;">He said today's business world is basically a "brawl with no rules." He asked the audience what they are doing to ensure their place in this environment.</span><br></li><li><span style="font-size:12px;">Brand "you" is the way others see you. We are all being scrutinized at any given moment. "People will tolerate what you say," Evans said. "They will act on what you do." Leadership, he added, is the congruency between what you say and what you do.</span><br></li><li><span style="font-size:12px;">How do your employees, colleagues, boss, customers, friends, and family view you? The only way to know is to ask them. "You may think you're demonstrating a particular brand when, in fact, you're not," Evans said.</span><br></li><li><span style="font-size:12px;">In today's economy, you are distinct or extinct. You must grow, innovate, and embrace change, and be nimble, agile, resilient, and focused. "Clinging to the status quo is not an option," Evans said, offering as examples: Blockbuster (which had a chance to purchase Netflix and passed on it), Payless Shoes, Kodak, and Nokia. Evans defined all of these companies as "short-termed, inwardly focused."</span><br></li></ul><div><br></div><p style="text-align:left;"> <span style="font-size:12px;">Evans asked the audience how they can grow, adapt, innovate, and reinvent themselves and turn disruption into opportunity. "If you fight [disruption], you're going to find it a losing battle," he said. 
He presented a "new world of work survival kit" that included:</span></p><ul style="text-align:left;"><li><span style="font-size:12px;">Mastery — best/absurdly good at something. Focus.</span><br></li><li><span style="font-size:12px;">Managing to legacy — all work = memorable, braggable wow factor.</span><br></li><li><span style="font-size:12px;">Unique selling proposition — present a remarkable point of view in 10 words or less.</span><br></li><li><span style="font-size:12px;">Networking obsession.</span><br></li><li><span style="font-size:12px;">Entrepreneurial instinct.</span><br></li><li><span style="font-size:12px;">CEO/leader/business person.</span><br></li><li><span style="font-size:12px;">Master of improvement.</span><br></li><li><span style="font-size:12px;">Sense of humor.</span><br></li><li><span style="font-size:12px;">Comfortable in your skin.</span><br></li><li><span style="font-size:12px;">Intense, unrelenting appetite for technology.</span><br></li><li><span style="font-size:12px;">Embrace marketing: You are your own chief storytelling officer.</span><br></li><li><span style="font-size:12px;">Obsessed with renewal — learn every day.</span><br></li><li><span style="font-size:12px;">Outwork/over deliver.</span><br></li><li><span style="font-size:12px;">Excellence always.</span></li></ul><div><br></div><p style="text-align:left;"> <span style="font-size:12px;">Evans encouraged the audience to cultivate a culture and mindset of:</span></p><ul style="text-align:left;"><li><em style="font-size:12px;">Playing to win.</em><span style="font-size:12px;"> Evans said there is a big difference between playing to win and playing not to lose. Leaders need to be crystal clear on the expected result.</span><br></li><li><em style="font-size:12px;">Taking accountability</em><span style="font-size:12px;">. In a peak performing culture, accountability is broader than your job description. 
Best practices of taking accountability, Evans said, include recognizing realities, accepting ownership, creating solutions, and exercising action.</span><br></li></ul><div><br></div><p style="text-align:left;"> <span style="font-size:12px;">Ideas, speed, talent, distinction, leadership = success in this new brawl-with-no-rules world, Evans told the audience. </span></p>Anne Millage
GAM Workshop Highlights Pulse Report Findings<p><span style="font-size:12px;">The IIA kicked off its General Audit Management (GAM) pre-conference sessions on Sunday in Dallas-Fort Worth, Texas, featuring a workshop on The Institute's </span><a href="" style="font-size:12px;">2019 North American Pulse of Internal Audit: Defining Alignment in a Dynamic Risk Landscape</a><span style="font-size:12px;">. The session, held exclusively for members of The IIA Audit Executive Center, was facilitated by IIA President and CEO Richard Chambers and IIA Managing Director, CAE Solutions, Harold Silverman.</span></p><p style="text-align:left;"><span style="font-size:12px;">Chambers began the workshop with a review of demographics from this year's Pulse report, noting that the survey's 512 respondents consist of 87 percent chief audit executives (CAEs) and 13 percent directors/senior managers. More than 40 percent, he added, have five or fewer years' CAE/director experience, and 25 percent have six to 10 years' experience.</span></p><p style="text-align:left;"><span style="font-size:12px;">Chambers noted this is a marked change, with longer CAE tenures reported in past years. He suggested the change could be due to reliance on rotational CAE models.</span></p><p style="text-align:left;"><span style="font-size:12px;">Organization types represented in the report include publicly traded (31 percent), financial services (30 percent), public sector (19 percent), privately held (10 percent), and nonprofit (10 percent). Most audit functions fell in the four to nine (37 percent) and 10 to 24 (26 percent) employee range.</span></p><p style="text-align:left;"><span style="font-size:12px;">"We're continuing to see growth in the profession in this country," Chambers told the CAE audience. 
Twenty-six percent of all respondents' functions experienced a staffing increase in 2018.</span></p><p style="text-align:left;"><span style="font-size:12px;">Chambers noted that, on average, four risk areas comprise the bulk of audit plans: financial reporting, including internal control over financial reporting (ICFR) and non-ICFR (22 percent); IT and cyber (17 percent); operational (16 percent); and compliance (16 percent).</span></p><p style="text-align:left;"><span style="font-size:12px;">He also cited the report's finding that 91 percent of audit functions at publicly traded companies report functionally to the audit committee, board, or equivalent. He said it was alarming, however, to see that 75 percent of audit functions in publicly traded companies are reporting administratively to the chief financial officer. "I thought we had broken away from that trend a few years ago," he told attendees.</span></p><p style="text-align:left;">Chambers and Silverman then began group discussions around four key risk areas identified in the Pulse report: emerging and atypical risks, cybersecurity and data protection, third-party risks, and board and management activity.<br></p><h2>Emerging and Atypical Risks</h2><p style="text-align:left;">"Internal audit has an opportunity to step up and play a role in helping companies identify and stay abreast of emerging and atypical risks," Chambers told the audience.<br></p><p style="text-align:left;">The session attendees discussed how internal audit can remain agile in addressing emerging and atypical risks, with one CAE noting that he dedicates a certain percentage of hours in the audit plan to being agile and responding to new requests.<br></p><p style="text-align:left;">Attendees also discussed how they communicate to — and get buy-in from — stakeholders when seeking to modify internal audit plans due to emerging and atypical risks. 
"We need to be agile in that we need to be ready to respond," Silverman noted, "but we're not changing our plan because something is new." It may be new, but not as important, he explained. <br></p><h2>Cybersecurity and Data Protection </h2><p style="text-align:left;">Silverman noted that 70 percent of CAEs say potential reputational damage from inappropriate disclosure of private data is a high or very high concern. It is one of the most significant events that a CAE or organization will encounter, he said. <br></p><p style="text-align:left;">There is a gap, however, between actual and desired assurance over readiness and response to cyber threats, according to the Pulse findings. CAEs report a 36 percent effort gap, and 51 percent of CAEs say lack of cyber expertise within the internal audit staff is an obstacle to addressing cybersecurity risk. <br></p><p style="text-align:left;">Silverman questioned internal audit's confidence to assess this area. When dealing with chief information officers, chief information security officers, and even CEOs, he said, internal audit hasn't done enough to show how it can add value in this area, so it doesn't have the respect of those groups.<br></p><h2>Third-party Risk</h2><p style="text-align:left;">Silverman also discussed Pulse findings pertaining to third-party risks. He said that 21 percent of CAEs describe third-party selection processes as ad hoc, weak, or nonexistent. Additionally, 48 percent of CAEs say third-party monitoring processes are ad hoc, weak, or nonexistent. Despite these findings, the average audit function allocates only about 4 percent of its resources to third-party risk assurance.  <br></p><h2>Board and Management Activity</h2><p style="text-align:left;">Finally, the audience considered materials shared with the board and if internal audit is assessing whether they are complete, accurate, and timely. 
Fifty-seven percent of CAEs say they rarely or never discuss with the board and management the quality of information given to the board. <br></p><p style="text-align:left;">Silverman questioned whether boards have time to review the materials they receive and whether management teams are being completely forthright with boards regarding those materials. "Are they presenting a balanced perspective that shows not only risks in 2019 but thinking forward to 2020 and 2021 and what strategies are in place to get there?" he asked.<br></p><p style="text-align:left;">Only 49 percent of Pulse respondents strongly agree that management provides the board with all pertinent information related to risk, not just information that is supportive of the views of management. Fifteen percent somewhat or strongly disagree with that perspective. <br></p>Anne Millage
The Forward Looking Auditor<h2>Why is it so important for internal auditors to add foresight to their job description?</h2><p> <strong>Stewart</strong> Disruptive technologies and the trends impacting business are expected to intensify in coming years, making markets even more dynamic, competitive, and opportunistic. Successful organizations will need to be agile and accelerate their decision-making in an environment where prolonged periods of rapid change will be the new norm. Internal audit will have an opportunity to help management better evaluate its preparedness to deal with future events and the “what if” scenarios that will most likely impact the business. If successful, internal auditors have an opportunity to inform and shape the critical decisions that their management teams must make. The reality is that most professions — internal audit included — are about to go through tremendous change. Many internal audit functions will need to transform themselves to provide foresight and serve in this new capacity. The real question is whether those currently in the profession will recognize the opportunity, prepare themselves, and rise to the occasion or whether the transformation will be led by an influx of new talent who may be viewed as more equipped to embrace change. I suppose it will be a combination of both, and each of us will decide our future to the extent we are willing and prepared to embrace change.</p><p> <strong>Pundmann</strong> The No. 1 thing I hear from key internal audit stakeholders — namely, chief financial officers, audit committee chairs, and CEOs — is they need new chief audit executives (CAEs) to come into their roles ready to not only provide assurance, but also to advise and anticipate risks. Internal audit must be proactive. That said, assurance activities are critical, and we’re seeing more capabilities like automated assurance help internal audit do block-and-tackle analyses of control effectiveness. 
Taking those learnings, analyzing them, and using them to identify risks before things actually happen is what sets standout, forward-thinking internal auditors and CAEs apart from the rest.<br></p><h2>How can providing foresight help the organization compete?</h2><p> <strong><img src="/2019/PublishingImages/EOB-Sandy-Pundmann.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Pundmann</strong> It’s important for internal auditors to take what they’re seeing from a historical perspective and apply it to the future of the organization. If they can identify an emerging risk or trend early and communicate that insight to stakeholders, they can help the business gain competitive advantage. Whether an organization is launching a new product or service or implementing a new technology system, internal auditors should be involved early to assure appropriate steps are taken, anticipate risks, and advise on controls and processes. Things change so fast — it’s important to ensure necessary capabilities and controls are built into major efforts long before launch time, and the organization maintains a regular pulse throughout the planning.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​On the Horizon</strong></p><p>Pundmann and Stewart say internal audit should be aware of, and ready to address, several emerging risks, including:</p><ul><li>Cybersecurity</li><li>Data and cognitive analytics</li><li>Artificial Intelligence</li><li>Robotic process automation</li><li>Blockchain</li><li>Culture</li><li>Third-party </li><li>The rapidly changing strategies of competitors</li><li>Threats from alternative products and innovative business models</li><li>Generational and social trends</li><li>Climate change</li><li>Geopolitical changes</li><li>Government intervention and regulation</li><li>Competition for investment dollars</li><li>Fierce competition for 
talent</li></ul></td></tr></tbody></table> <p> <strong>Stewart</strong> In the future, the success of an organization may be determined more often by an ability to anticipate change, to make the right decision within a compressed time frame, and to execute ahead of the competition. An ability to quickly contemplate the potential risks and benefits of multiple “what if” scenarios will become key to effective decision-making and execution. Internal audit has an opportunity to transition from its past of monitoring historic transactions and controls through more recent efforts to establish continuous monitoring where errors or deficiencies can be quickly corrected, toward a future of what might be termed predictive monitoring, theoretical monitoring, or simply forward-looking assessments, where outcomes can be anticipated, competing ROIs validated, and changes made proactively to enhance execution and improve outcomes. Those organizations that make the best decisions and execute on those decisions in this new paradigm will have an advantage over their competition.<br></p><h2>What can internal auditors do to shift to a focus on foresight?</h2><p> <strong><img src="/2019/PublishingImages/EOB-Shawn_Stewart.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Stewart </strong>Internal audit professionals must become more aware of, and educated on, business trends, disruptive technologies, the movements of competitors, and alternatives and must be able to anticipate forward-looking risks. This will require greater industry perspective, stronger interactions between internal audit and the business, greater leverage of subject-matter experts, and advanced risk identification techniques. Internal audit must shift from the traditional and conventional to being more strategic and focused on what might impede the organization’s most important business objectives.</p><p> <strong>Pundmann</strong> Technology can help a lot. 
In the future, most internal audit functions will tap risk sensing, predictive analytics, robotic process automation, cognitive computing, machine learning, and — someday — artificial intelligence to help them look to risks and opportunities on the horizon.</p><h2>What is the risk if internal audit doesn’t provide forward-looking assessments?</h2><p> <strong>Pundmann</strong> Internal auditors who don’t offer forward-looking insights may diminish their relevance and their level of impact and influence within the organization. Internal auditors need to be proactive and anticipatory to help their companies gain and maintain competitive advantage. New technologies can help give internal auditors broader and deeper views into the risks they help manage, helping them deliver both insight and foresight. </p><p> <strong>Stewart</strong> An ability to adequately and quickly contemplate the potential risks, benefits, and capabilities of the organization to achieve its objectives for multiple “what if” future scenarios will become so important in decision-making that a failure to have this foresight will not be an option for most organizations. This will be particularly true for areas deemed to be most critical to the organization’s success. Management and audit committees will see value in the objective perspective in forward-looking assessments that internal auditors can provide and will seek to transform internal audit functions so they are capable of providing this foresight. Internal audit functions that fail to make this transition likely will find themselves in a less favorable position in the value chain of their organization, will have to deal with an unfavorable contrast to the more advanced internal audit functions of their peers, likely will see more of their budgets and opportunities repurposed to other functions that can support this need, and may ultimately be deemed obsolete and prime to be replaced. </p>Staff
