<h1>Signature Audits</h1><p>Audit client expectations have risen steadily over the past several years, requiring internal audit to increase its value delivery and become more relevant to day-to-day business. Yet practitioners often struggle to meet these expectations, as reported in a 2016 KPMG report, Seeking Value Through Internal Audit. Only 10 percent of the financial executives and audit committee chairs surveyed agreed that internal audit adequately identified and responded to emerging risks. Respondents indicated that audit results too often confirm concerns already identified by management instead of identifying new issues and emerging risks. Some chief audit executives have been quick to explore new service and delivery models that can provide value to stakeholders beyond assurance, leading to the development of advisory services and consultative reviews. But these efforts have not always considered how to improve existing audits.</p><p>To address this challenge, internal audit teams at German automaker Daimler have looked for ways to improve assurance services and tap into the unrealized value of its process audits. Although the annual audit plan offered numerous ways to increase value to the organization, internal audit sought to explore new ways to add value within the framework of existing audits. To identify and exploit new opportunities, the team launched a program called Signature Audits, aimed at increasing internal audit's contributions during regularly scheduled client engagements.</p><h2>Launching the Program</h2><p>The audit team introduced its Signature Audit methodology by first selecting an engagement that offered a suitable environment to pilot the concept. Daimler was poised to launch new technologies and services considered strategically important to the organization and monitored by top management. To identify unknown risks and potential workarounds to processes being implemented, an unconventional audit approach was required.
The audit team needed to look beyond existing client policies and procedures to capture emerging risks and resolved to deploy audit techniques that are typically used less frequently during traditional processes. Practitioners used a hands-on approach that involved re-performance of controls or simulations such as mystery shopping — where the identity and purpose of the customer is not known by the group being evaluated.</p><p>In another type of simulation, two of the auditors created a fictitious account consisting of customer information from one auditor and bank account information from the other. The practitioners used this technique to determine whether the controls to validate customer identities would pick up the mismatched personal information (whereas in a regular, non-signature engagement, auditors might just verify that the customer's personal information was appropriately captured). Internal audit's objective was to assess real-life scenarios as opposed to conducting paper-based assessments that often rely solely on the audit of existing policies and their implementation.</p><p>The results of the Signature Audit pilot exceeded expectations. Findings captured critical risks that weren't identified by existing processes and required senior management to rethink certain aspects of the service to be deployed. The added value from the assessment became obvious as senior management immediately deployed corrective actions.</p><h2>A Different Kind of Audit</h2><p>Although Signature Audits resemble traditional process audits in many respects, fundamental differences exist between the two approaches. Signature Audits usually require more preparation, more resources, additional training, and a unique mind-set — to implement them, auditors need to be innovative, curious, and creative.
For example, when Daimler auditors assessed controls around cargo access security within the company's supply chain, they knew that a review of delivery slips would not suffice. On paper, controls seemed to be in order — all inspection forms were completed and signed, without any deviation from normal procedure. But when the auditors decided to follow delivery trucks, track their routes, and conduct random checks on cargo security, different results came to light. Asset counts differed from what was documented, and cargos were discovered unlocked. The auditors found that key aspects of the process had been circumvented — something a traditional audit may not have captured.</p><h2>Selection and Preparation </h2><p>Not all process audits are appropriate candidates for the Signature Audit approach. Signature Audits have a better chance of success, and a more significant impact, when applied to strategic areas with a significant level of complexity. Moreover, the approach is often particularly effective if the strategic area involves new processes, such as the deployment of a new service or a new technology. </p><p>Signature Audits often require unique preparation, including the consultation of experts in the audited area who can help design creative test scenarios. Auditors may also need to improve their knowledge of the process, product, or service under review. They should be prepared, as well, to take a certain amount of risk. Creative audit techniques, such as the use of penetration testing tools or social engineering techniques, may involve a degree of deception. Senior management and the legal department should authorize internal auditors to perform these types of procedures, and the auditors should immediately inform these groups of any critical findings. 
For example, if auditors successfully manage to compromise a system's security, senior management must be made aware of the activities so they can initiate corrective actions without delay.</p><p>Extensive reconnaissance efforts may be conducted that require additional resources, such as laptops and penetration-testing software. Benchmarking research and market analysis may also be required, and travel could involve visits to multiple locations outside the audit client's office. Significant travel may be necessary, for example, if auditors visit similar plants in different countries to compare processes and identify best practices before audit fieldwork begins.</p><h2>Fieldwork</h2><p>The performance of fieldwork in real-life conditions, as opposed to a paper-based assessment, is an essential component of Signature Audits. When reviewing a three-way match, for example, Daimler's auditors will consider the end-to-end accounts payable process and physically observe the receipt of goods instead of solely relying on the system data. Or, when assessing a warranty claim process, auditors will actively generate warranty claims in production and simulate real-life scenarios. Auditors can engage guest auditors with expert knowledge to help create these simulations, or hire consulting or other specialized expertise to accompany them during audit preparation and fieldwork. </p><p>Daimler's auditors are encouraged to identify creative ways to complete test work, using innovative tools and resources. Examples include unannounced site inspections, simulations of real-life conditions, social engineering, exploiting system vulnerabilities, and data analytics. In one instance, the auditors exposed a security flaw by creating a fake employee with full administrative rights. Using these credentials, they were able to add, delete, and manipulate data, as well as delete records of certain inventory entirely from existence. 
Although such techniques are occasionally used during regular process audits, Signature Audits rely on them extensively. </p><p>During Signature Audit fieldwork, practitioners often seek to circumvent processes as opposed to testing process effectiveness. For example, while auditing a new mobile application, internal audit decided to test a phone hotline established for customers experiencing difficulties. Signature Audit techniques applied to the call center in charge of the hotline revealed that the app's authentication controls could be easily bypassed by calling the center. Similarly, penetration tests on the call center systems revealed additional vulnerabilities and severe control weaknesses, leading to a significant change in the design of the service.</p><h2>Reporting</h2><p>The reporting phase of a Signature Audit also features key differences from a regular engagement. Presentation of results, for example, is rarely done using standard PowerPoint presentations or Excel templates. Instead, communication relies on real-world demonstration of the concerns identified. The process may entail a field visit with the client and senior management to observe certain issues in person. Or it can be done through the use of audiovisual resources, such as playing video or audio recordings, performing live simulations (which are often effective when auditing IT and engineering), or displaying pictures of audit evidence.</p><p>Offering tangible evidence is an effective way to engage the client and communicate value to stakeholders — something that Daimler internal audit has confirmed with client feedback on its Signature Audits. Concrete audit results pointing to proven deficiencies and impact, as opposed to identification of control gaps that present a hypothetical risk, can lead to significant improvements in the acceptance of audit results and remediation efforts. 
Daimler's auditors observed this effect when they reported on information security vulnerabilities found in an online service — instead of simply reporting on control gaps in the vulnerability management process, the team showed senior management a 30-minute demo highlighting the damage that could occur. After seeing the ease with which vulnerabilities could be exploited, management took corrective actions immediately.</p><p>Management's reaction to the Signature Audit experience was typical — surprise at first and then ultimately, appreciation. Showing clients actual risk instead of simply telling them about risk potential elicits a much higher degree of engagement and helps increase the likelihood that corrective actions will be taken. </p><h2>A Culture of Innovation</h2><p>Implementing Signature Audits provides an effective vehicle to communicate the value of internal audit to the organization, including senior management and the audit committee. It provides an opportunity to showcase the audit team's ability to advance the organization's strategic goals and contribute to the identification and assessment of emerging risks. The focus on exploiting control gaps to illustrate the impact of deficiencies creates stronger buy-in from audit clients, improved remediation results, and increased trust from internal audit stakeholders. It can also lead to additional demand for audit services as stakeholders realize the value of this approach and decide to engage the audit department in other similar audits.</p><p>The Signature Audit concept also provides an opportunity to create a culture of innovation within the audit team. The explorative nature of Signature Audits offers a significant learning experience for practitioners as well as the ability to unleash their creative potential — it gives them a chance to ask what they would do differently to improve a product or service. 
As a result, auditors gain a more direct connection to organizational performance, which can increase their commitment and ability to deliver results. It can also improve the relationship between the internal audit function and other departments in the organization, due to the collaborative use of guest auditors during the preparation and fieldwork phase, and it helps increase internal audit's ability to retain and recruit talent by fostering a positive image of the function. The methodology can lead to numerous enhancements that benefit the audit department, promote business improvement, and enhance internal audit's stakeholder value proposition throughout the business.</p><p>Hans Buehler</p>
<h1>A Real Elevator Speech</h1><p>When we are honest, we have to admit that internal auditors don't always enjoy a positive reputation. Partly, unfavorable perceptions exist because people don't know what we do. And unfortunately, they also stem from people who think they do know what we do. So we always have to be ready to share our side of the story — sometimes at a moment's notice.</p><p>On my way to speak at a recent IIA–Fort Worth chapter meeting, I struck up a conversation with someone in an elevator. When I mentioned I was giving a presentation, he asked what I was speaking about. Fearful of the response I was sure to receive, I told him, "Internal audit." He did not disappoint, forming a cross with his fingers and jokingly — I hope — saying, "Keep away!"</p><p>I laughed. "Don't worry, I'm not one of those auditors," I said. "I don't try to find people doing things wrong; I try to help people do their jobs better."</p><p>I could tell he didn't believe me, but he also seemed willing to give me the benefit of the doubt (if for no other reason than hoping this might free him from being audited while on the elevator). And at that point I had a sudden realization. "You know," I said, "they always say you're supposed to have an elevator speech. I guess I just gave mine. Did it work?"</p><p>He laughed. "Well, at least it was short."</p><p>Yes, I actually got a chance to give an elevator speech. And I got to give it on an elevator. Did I make a difference? Did this person come away with a new perspective on internal audit? I really can't say, but I learned three things.</p><p>First, elevator speeches really happen. Our days are filled with brief interactions and, sometimes, those interactions can provide an opportunity to talk about the value of internal audit.</p><p>Second, elevator speeches need to be short. That means we must be able to express the value of internal audit in a succinct way that resonates with the listener.
</p><p>And third, even a few seconds can spark a change in someone's perceptions. My hope is that this gentleman remembers his conversation with an internal auditor (if he remembers it at all) as a quick interaction that gave him new information — perhaps enough to keep his fingers from forming a cross next time.</p><p>I like to think of this experience as a little nudge. A little nudge can make a difference, and enough little nudges can start a groundswell. In turn, that groundswell can lead to better understanding of internal audit's value among people everywhere.</p><p>So, in Fort Worth, Texas, because of an elevator speech delivered in an actual elevator, one person's perspectives about internal auditing may have been nudged just a little. Who have you nudged today?</p><p>Mike Jacka</p>
<h1>From the Same Playbook</h1><p>Predicting the biggest potential risks businesses face has become something of an industry. Consultancies, think tanks, and others produce surveys, reports, and ranked listings of what they consider to be the greatest threats to the success of governmental and corporate strategies. In 2017, geopolitical risk featured heavily, as did the threat from environmental disaster, terrorism, disruptive technologies, and demographic change — see, for example, the highly respected Global Risks Report 2017 published by the World Economic Forum.</p><p>But do these tectonic shifts of the global risk landscape, which threaten to derail an organization's strategic objectives, ever make it onto a chief audit executive's (CAE's) annual audit plan? And should they? Does the magnitude of the new challenges mean that the role of internal audit needs to evolve to address them? Opinions are split about internal audit's role in providing assurance around the risks affecting company strategy. Some boards want internal audit involved, some do not. Some internal auditors want to contribute to strategic assurance, others are led to prioritize compliance-related auditing.</p><p>"There is a sense today that in an innovative, disruptive, and fast-paced environment, someone needs to start providing assurance around risks affecting company strategy," Paul Walker, the Zurich Chair in Enterprise Risk Management at St. John's University in New York, says. "If the CAE is willing to step up and demonstrate that he or she can add value, that's a win for everybody."</p><p>Walker says some CAEs are well placed to execute this role. "Some CAEs I've met are brilliant people with amazing business acumen, and the executives and the board in their organizations want them involved," Walker says. "They recognize the value of having that person involved and may not even see them as an audit executive — but instead as a trusted business advisor."
</p><h2>An Audit Disconnect</h2><p>It is unclear how many auditors are already fulfilling this role. In 2015, The IIA's Global Internal Audit Common Body of Knowledge (CBOK) survey found that 57 percent of practitioners say internal audit is fully, or almost fully, aligned to their organization's strategic plans. Another 35 percent answered that they were somewhat aligned, underscoring the subjective nature of such assessments. In addition, being aligned with strategic plans and objectives does not necessarily mean that internal auditors are involved in auditing them. Anecdotally, most CAEs admit that there can be a disconnect between what auditors report and what their clients are most interested in.</p><p>"When I go to managers' association meetings, they tend to be engaged and passionate about new digital developments, business transformation programs, and research and development projects," Polona Pergar Guzaj, internal audit consultant at 4E and president of IIA–Slovenia, says. "Internal auditors seldom talk about auditing these areas, which suggests we are not actually aligned with the kinds of managerial interests that work themselves into the business strategy."</p><p>Pergar agrees that auditors often prefer to audit the areas they know well, especially in compliance-based areas, and shy away from areas that could have a bigger impact on the organization achieving its strategic objectives — and where internal audit could potentially add more value. Admittedly, the size and maturity of audit functions can be a problem. She says the situation is better in larger departments and in the financial services sector. Yet in Slovenia, and in many other parts of Europe where Pergar works, audit functions are small, compliance related, and often have relatively low corporate profiles. Even when boards do agree in principle that internal audit should be involved in strategic work, it can be a fight to get them to speak to the CAE about the big issues, she says. 
</p><h2>Where to Begin</h2><table class="ms-rteTable-default" cellspacing="0" width="100%"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>The Benefits of Getting Involved</strong><p>A qualitative IIA study, Become a Strategic Internal Auditor, found that businesses in which internal audit engaged at a strategic level enjoyed a range of benefits:</p><ul><li>Internal audit stays connected to the business and becomes a business advisor or risk partner when it's involved in more strategic initiatives.</li><li>Internal audit can be more proactive and get involved earlier in the life cycle of the project or strategic initiative, adding greater value.</li><li>Enterprise risk management can be used to raise risk and strategy questions, either directly or indirectly.</li><li>Internal audit gains valuable knowledge for the organization's future strategic initiatives when it is involved in leading-edge risk assessments in areas such as culture, the control environment, social media, or mergers.</li><li>Internal auditors may find that new skills and additional training are necessary to engage in the increased emphasis on strategic planning.</li></ul></td></tr></tbody></table><p>Become a Strategic Internal Auditor, a 2014 qualitative study by Walker published by The IIA, illustrates that those auditors who grasp the strategic audit nettle see tangible benefits for the organizations and departments in which they work (see "The Benefits of Getting Involved" at right). Getting to know the company's broad strategy can be relatively straightforward — auditors simply need to read the corporate literature and follow the relevant industry or sector in the press.
Internal auditors shouldn't be put off if they find the strategy task difficult because it is a process that many organizations struggle to get right — underlining the need for better challenge and sounder assurance.</p><p>"There is a lack of definition and best practice for strategy and business planning processes, and that means a lot of companies may not know how to develop those effectively," Steven Barlow says. Barlow has been a chief risk officer in the United Arab Emirates for almost seven years and is former CAE of Novartis, Prudential, Pearson and the U.K. Department of Energy. "Similarly, there is a lack of internal audit expertise and experience in reviewing those areas."</p><p>Barlow says internal auditors need to understand that the two biggest risks many companies face are not having an effective strategy and not executing that strategy appropriately. "Often, these two interrelated risks are not being identified or reported to the board by management, risk and compliance functions, or internal audit," he adds.</p><p>In terms of effective strategy, common pitfalls include developing aspirational strategies where the downside risks have been ignored by optimistic managers, or new product launches and initiatives into markets where the company has little knowledge and expertise. "As a result, there is often no strategic response to new entrants or to disruptive technologies that affect the dynamics of the market," Barlow says. "When those risks materialize, they can have a dramatic impact on shareholder value." </p><p>On the implementation side, he says, businesses often have only sketchy roadmaps with few milestones to show how well plans are being carried out, and can have almost no effective monitoring and follow up. 
If strategic objectives are not correctly linked to individual performances and incentives, the workforce is unlikely to understand how they can contribute to the business' overall strategic performance, he says.</p><p>Barlow says the CAE needs to have a dialogue with the board agreeing to a change program for the audit function to help address these issues. The new mandate should specifically align audit with the company strategy and objectives and focus its work on long-term, sustainable value related to those objectives, and the key risks and processes for managing them. Finally, that mandate should clearly position internal audit as the third line of defense so that the function can pull away from too much compliance checking — leaving that to management and the risk functions in the business.</p><h2>A Seat at the Table</h2><p>Internal auditors have traditionally aligned themselves with the business' risk objectives, but that is different from being aligned with the business' strategic objectives, Greg Grocholski, vice president and CAE at the global manufacturer SABIC in Riyadh, Saudi Arabia, says. The distinction is subtle but important. It's one thing auditing perceived risks <em>to</em> strategy, it's another to truly grasp the risks <em>of</em> the strategy and processes in a broader sense. </p><p>"I've tried to align our function with the general business strategy and objectives, which means having a seat at the top table," Grocholski says. "Internal auditors have talked about this for years, and it's a challenge because it is a cultural issue, a credibility issue, and a perception issue." </p><p>Grocholski's view is that CAEs need to accept the perception problem as a fact of life and move on. He advises CAEs to act like CEOs — which implies a broader knowledge of the business than would be expected from a traditional internal auditor. 
Professional internal audit knowledge, adherence to The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em>, and professional assurance acumen should be regarded as the minimum today, he says. Being able to think through challenges from different perspectives, having a thorough understanding of what it costs to get each product to market, and whether the business is going to achieve the right shareholder value from its initiatives is critical if internal audit is to be taken seriously.</p><p>At SABIC, Grocholski says he has been focusing on areas such as profit leakage and gross profit margin analysis. The first is designed to compare the product value margins of old and new business lines. That can reveal what added value the company derives from the billions of dollars it spends on researching new products compared to its existing lines. The second aims at getting a fine-grained understanding of the challenges of the production cycle — how fixed costs, plant depreciation and efficiency, feed stock and supply chains, energy costs, and potential liabilities affect the gross margins — and what can be done to improve the value added to the business. He says recent events at other manufacturers over emissions procedures show the need for internal audit to focus more on what happens in the production process.</p><p>To be successful, he says, CAEs need to develop the right level of what he calls intuitive analytics — the speed at which one grasps the significance of how broader business issues connect. "Imagine you're in the C-suite, where you've earned a spot, and you are in discussions with executive vice presidents, chief financial officers, and CEOs," Grocholski says. 
"You have to demonstrate that you can contribute to the conversation in a meaningful and substantive way that engages with them from a strategic business perspective, not from a technical, audit perspective — it's a given you can nail the audit issues when they arise. That's what it means to be a fully paid-up member of the team and deserve that seat at the table."</p><h2>A Lighter Touch </h2><p>On a practical level, CAEs need to re-examine their audit plans to determine how much of their focus is on strategic-level work in comparison to compliance-based audits. Striking the right balance is important. Benito Ybarra, chief audit and compliance officer at the Texas Department of Transportation in Austin, acknowledges that not all CAEs are comfortable moving into more strategic and consulting-style projects, especially after corporate disasters such as Enron and WorldCom showed how such cozy relationships can go wrong. Yet, despite the tougher regime for internal auditors brought in by the U.S. Sarbanes-Oxley Act of 2002, the <em>Standards </em>specifically allow for consulting assignments, provided everyone knows where the red lines are.</p><p>For example, the CAE may invite executives from different parts of the organization together for a workshop to discuss how the strategy implementation can be strengthened in an area where it has been found to be weak or disconnected. More detailed audit work could be needed in areas such as the quality of the decision-making processes, which can be done effectively by looking at how authority has been delegated among individual executives, Ybarra says. When strategy changes, those delegations often are not updated, causing potential friction and wasted effort. 
Furthermore, it helps clarify the organization's appetite for risk and identify areas where added controls are required in lieu of additional flexibility and authority.</p><p>"Truly understand what the organization's strategy is and where each executive plays into the advancement of those strategies — then engage them with your recommendations based on the reviews you've done on the business' objectives and call out the gaps and challenges and have a discussion," Ybarra says. "Accept that you may not always have the best perspective, but if you don't take a risk, you'll never get there."</p><h2>Taking a Risk</h2><p>Internal audit at ING Bank started realigning its work a couple of years ago, creating dedicated data analytics and digital audit teams that work across the global business in response to the new digital distribution channels and customer expectations stemming from the business strategy. Leen van der Plas, Global Audit Division head for ING's Corporate Audit Services in the Netherlands, is part of the global leadership team that comes together at least twice a year for a strategic planning session with the CEO, audit committee, external auditors, regulators, and others to explain what is on their radars. Periodic meetings with board members and audit committee members are also on the agenda, as is a great deal of interaction with top management.</p><p>"It's vital to hear things straight from the source, even if the strategy is in an early phase," van der Plas says. He builds a strategic audit program from these meetings with dedicated scopes, timelines, and resources.</p><p>"While addressing company strategy and related business objectives in the audits, we issue our audit findings with a risk rating in an overall report for each audit with an audit opinion. Dedicated project audits relate specifically to the implementation of the strategy," he says.
"You have to be tough asking questions, and you need to dare to challenge, even if people find it difficult to take."</p><p>Like many in the banking sector, ING has been looking for ways to serve clients better through, for example, centralized call centers. One of ING's strategic objectives is to make its services client-centric — making the call center a one-stop shop for customers who call in and need help. Van der Plas' team highlighted, at that time, the risk that individual employees may have access to too many systems.</p><p>"This piece of work took into account both strategic objectives and controls, and our recommendations reflected that," van der Plas says. "We added value by bringing awareness into the mix — thinking about risk and control in relation to speed of delivery."</p><p>Given the obvious difficulties of businesses devising and implementing their strategies in a fast-changing world, it makes sense for someone to provide assurance that organizations are on the right track. And internal auditors are in a position to play such an important role — if they are willing to come out of their compliance comfort zones and take a risk. It is time for internal audit to rise to the challenge, before the board turns to someone else for help.</p><p>Arthur Piper</p>
<h1>Time for Auditors to Get out of Control</h1><p>At a recent internal audit conference, I asked audience members to raise their hands if their department had provided opinions on internal control effectiveness, risk management effectiveness, compliance effectiveness, or loss management practices. With few exceptions, attendees indicated that they focused only on the effectiveness of controls.</p><p>Research shows that risks contributing to the majority of significant loss in value are not subject to audit. A study by research and advisory firm CEB, now part of Gartner Inc., found that internal audit time is focused in inverse proportion to the areas of the business where major losses of value occur. Controls, not value, are driving audit resources.</p><p>Years ago, when drivers would pull up to a gas station, someone would "audit" their car. An attendant would manually test tire pressure, check the car's oil level, and possibly inspect the transmission and radiator fluids to ensure safe and reliable vehicle operation. Today, these controls are automated and displayed on a dashboard. Can auditors do the same in business? "The Process Pyramid" below depicts the hierarchy of business processes. At the top of the pyramid are strategic, value-adding processes that are often neglected by internal auditors. The bottom two levels of day-to-day activities and regulatory compliance activities are critical, but they are intended to protect business.</p><p>Focusing on control-intensive, day-to-day business processes does not constitute a value-added audit strategy. Is internal audit hampering the automation of controls by continuing its focus on these activities?
The time has come for internal auditors to step aside from their focus on internal control and transform their practices for assessing control effectiveness.</p><h2>Shifting the Focus</h2><p><img src="/2017/PublishingImages/McCuaig-Process-Pyramid.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:445px;height:318px;" />Suppose internal audit collectively adopted the premise that practitioners can only add value if they focus on areas with the greatest value-add potential. With that assumption, how can internal auditors develop a different way of looking at the audit universe? The Three Value Questions below are designed to help identify what's important and pinpoint those areas where internal audit should place its focus.</p><p>Years ago, I was the chief audit executive of an oil and gas company. I had as many as 90 internal auditors on staff. We focused our efforts and built a risk-rated audit universe around refineries, terminals, pipelines, and gas stations. Essentially, we audited physical inventory and the systems that accounted for volumes and values. </p><p>In those days, the stock market did not assign any premium to our ability to maintain and manage inventories. The best inventory control systems received zero value. Poor operational risk management was a negative factor. Zero was the top score. Failure to manage risks in core business activities eroded value. Success was expected and not rewarded.</p><p><img src="/2017/PublishingImages/McCuaig-Three-Value-Questions.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:445px;height:303px;" />But what drove the value of oil businesses at that time was the ability to find and develop oil and gas reserves. The value of these reserves is determined by complex geological, engineering, and economic models. Reserve values far exceeded the value of crude and refined product inventories. Nonetheless, my staff spent virtually no time verifying proved and probable reserves. 
I estimate that if our audits reduced inventory losses by 0.05 percent, we preserved value of about $4 million but added none. Focusing on the value of proved reserves, though, would likely have added or preserved 10 times that amount, and probably with one-third the staff. </p><p>If a business activity is critical but non-value-adding, consider reducing its priority from an internal audit perspective. Look for ways to automate controls and hand accountability back to business management to run it. Help the business get rid of the dipsticks and tire pressure gauges. Business management can manage core business processes perfectly well. If they don't, you have a management problem, not a control problem.  </p><p>Scan the horizon for emerging risks and opportunities. While non-value-adding activities should be deprioritized, they may still contain the potential for catastrophe. Those risks cannot be ignored, and ensuring catastrophic risks are identified and managed is as important as auditing value-adding strategic activities.</p><p>The answers to the three value questions change all the time and must be reviewed at least annually to reflect the economic and competitive environment. And often the answers are intangible. Years ago, a stock market analyst showed that the key value-adding activity for airlines was improving customer experience and recommended buying airline stocks based on his assessment. His recommendations turned out to be accurate. But you will not find "customer experience" on the balance sheet or in an office. Nor is it a value-adding activity in the airline business today.</p><h2>The Limits of Control</h2><p>Years ago, as a volunteer fireman in my community, I was assigned to assist in a fire inspection at a local school. I was a professional internal auditor and thought I knew exactly what to do. I started by counting and inspecting fire extinguishers. My colleagues with more experience told me to stop. 
They explained that while fire extinguishers were effective controls, they only worked if there was a fire. Our job was to prevent fires in the schools. If we relied entirely on fire extinguishers, then we implicitly would be willing to accept the risk of a fire and be prepared to extinguish it. </p><p>What we did instead was look for sources of ignition and flammable materials. By eliminating either of those completely, the risk of a fire was virtually eliminated. Keep the fire extinguishers, but recognize their limitations. Fire extinguishers are only useful if you are prepared to tolerate the occasional fire. </p><p>By extrapolating from the fire extinguisher example, it is possible to propose a model for getting auditors out of control and deeply involved in the rest of the business. The Four Quadrants Model below assesses the level of each risk, using a conventional consequence × likelihood method, and introduces a "risk acceptance willingness" score indicating the willingness to accept a risk event at any given level of risk. Counterintuitively, this model suggests that as risk levels rise, reliance on internal controls should decrease. Like fire prevention in schools, we can add value best by understanding the events and conditions that could cause losses in strategic risks through effective risk management, not effective control (e.g., fire extinguisher) management. <img src="/2017/PublishingImages/McCuaig-Four-Quadrants.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:445px;height:312px;" /></p><h2>Let Management Protect Value</h2><p>In the control-focused approach, we recognize that the level of fire risk in a school is extremely high, and its consequences unacceptable. Controls (e.g., fire extinguishers), however, would not be sufficient or appropriate. Prevention is the only effective strategy, and it requires an understanding of root cause and the ability to manage risk before the event occurs. 
</p><p>In many core business processes, control-focused approaches are perfectly acceptable and extremely efficient as a risk management strategy. Unfortunately, these controls draw enormous attention from auditors, and that attention is undeserved. Automating the controls can dramatically reduce audit time.</p><h2>Get Into Risk</h2><p>Businesses intentionally take high-stakes risks with full knowledge of the level but no willingness to accept the risk event. Examples include new product development, geographic expansion, and oil and gas exploration — particularly in frontier areas. The justification for this approach is to add value. To be acceptable, the business value for taking such a risk must exceed the expected loss. Years ago I had a client with complex business operations in remote environments around the world — all daily activity throughout these locations fed in real time into a data center in the head office. If a communication failure or breakdown occurred in the corporate data center, the results could be catastrophic. A single spare switch costing about $25,000 would have enabled quick recovery in such an event, but the IT department chose not to purchase one in order to save money. The downside dwarfed the savings, constituting a bad risk. </p><p>Internal audit has a role in reporting on the effectiveness of risk management, and standards exist for them to do so. Yet in my informal polling, few internal audit departments appear to be engaged in this activity. Remember, fire extinguishers don't prevent fires. Reporting on control effectiveness along high level/low appetite risks makes no sense.</p><h2>Understand the Role of Human Behavior</h2><p>In every field of human endeavor, human error accounts for at least 50 percent of failures. 
It's true for auto accidents, environmental incidents, aviation accidents, fires in the home, U.S. Sarbanes-Oxley Act of 2002 deficiencies, cyber risks, anti-money laundering and anti-bribery violations, and every other activity I am aware of. Yet none of the internal auditors I have asked have ever reported on compliance effectiveness against an accepted set of standards for their organization. </p><p>In fact, the only two universal compliance standards, one from the International Organization for Standardization and another from Standards Australia, are proprietary and not even in the public domain. I am not aware of specific guidance from The Committee of Sponsoring Organizations of the Treadway Commission or The IIA. </p><p>It is impossible and irresponsible to ignore human behavior in risk management. It is also impossible to "control" our way to compliance. Internal auditors can examine the processes for ensuring that employees know what is important, why it's important, and how to comply. Technology is available to monitor compliance, which represents a gaping hole in comprehensive risk management. Internal audit has a role to play in providing insight and assurance.</p><h2>Support Business Losses</h2><p>Businesses incur losses for strategic reasons. Automobile manufacturers gain market share with warranties. Retailers offer "no questions asked" money-back refunds. These losses don't need controls, they need analysis. If you are offering a warranty, what is the expected defect rate? How many defects per year? What's the expected cost per defect? How can the organization detect fraudulent claims? These are all questions on which internal auditors can offer assurance and insight. I know of none that do so.</p><p>Recently I ordered a blood pressure monitor from a well-known retailer. It was delivered quickly, but it didn't work. 
Over the course of three days, I had multiple conversations with the manufacturer, who was clearly using a control-based approach to limit claims. I called the e-retailer and within 60 seconds the company provided me with a packing slip to return the defective device and the choice of a replacement shipped for free or a refund. That's a loss-management strategy that actually adds value, and it is the reason this e-retailer has become dominant. It's a lesson to short-sighted manufacturers.</p><h2>Leaving Controls Behind</h2><p>The time has come for auditors to turn their attention away from control, turn over management of core business processes to professional managers, and hold them accountable. In most cases organizations have reached the limits of control effectiveness, and internal audit will not add further value by continuing to assess it. Internal auditors can best add value by advising on control design and automation. In many cases, because they are so easy to add in our computerized environment, controls are hindering the business.</p><p>But there is huge opportunity for adding value and potential to deliver urgently needed assurance and advisory services in assessing and managing business risks, loss management, and compliance effectiveness. It's time for internal auditors to get out of control.</p>Bruce McCuaig
We Can't Codify Everything<p>Internal audit's professionalization is largely the result of codified activities. Established, credible paraphernalia of professional practice, including comprehensive standards, practical guidance, rigorous certification requirements, and a code of ethics, form the foundation of internal auditing. Steadily increasing public recognition and respect for internal auditing surely exists in part due to this robust structure. Nonetheless, as the profession continues to mature, we have reason to be cautious. Once a critical mass of standards and advisory material has been reached — and it may perhaps already have been reached — we should pause to avoid being stifled by instructions, bureaucracy, and over-codification.  </p><p>To a large extent, unspoken assumptions bind internal audit professionals together in their common endeavors. Arguably, a large part of a profession's wisdom arises from experience and knowledge that are too deep to be articulated. Codified guidance cannot capture the full range of professional activity that involves wisdom and sensitivity.   </p><p>Explicit instructions and bureaucratic literalism can create the illusion that what really matters in professional activity can be captured entirely in written form. Moreover, it implies that professional practice must be based solely on this established guidance. The distinguishing features of many professions — a physician's bedside manner, an architect's aesthetic sensitivity, and the acerbic rhetoric of a courtroom lawyer — cannot be codified in rational blueprints.</p><p>We may distinguish for our purposes among three types of knowledge: knowledge <em>that</em>, knowledge <em>how</em>, and knowledge <em>what</em>. The auditor may know <em>that</em> a procurement process aims at an optimal decision on expenditure, and he or she may know <em>how</em> the details of the process unfurl. 
The auditor's professionalism becomes truly apparent, however, with the third level of knowledge: he or she knows (through observation, logic, and judgment) <em>what</em> to conclude on the status of the risks and risk-mitigating internal controls observed. Attainment of this third type of knowledge is easier to recognize than to define, and it is founded on education, practical experience, and wisdom.</p><p>Sometimes the internal audit profession, like a silkworm, appears to be spinning around itself a cocoon of instructions and codified practices. If the focus of internal auditing shifts further from knowledge and experience to compliance with instructions, the outcome might be a subordination of the search for truth to the satisfaction of methodological demands. Furthermore, there is something eerie in the notion that the accumulated knowledge of internal auditors can be adequately preserved in a code of established practice. Creativity may be dismissed as infidelity to codified instructions. Professional guidance needs to set out the essentials while providing space for our practical judgment to flourish. Otherwise, we may be perceived as a profession characterized by box-ticking compliance, rather than by wisdom.</p>David O'Regan
Hit the Ground Running<p>College interns have become a key source of new employee hiring in Fortune 500 companies, according to Jeffery Selingo, author of <em>There Is Life After College</em>. Data from the Collegiate Employment Research Institute at Michigan State University presents compelling evidence supporting Selingo's claim. Based on the Institute's 2015-16 Recruiting Trends, companies with more than 10,000 employees now convert about half of their interns to full-time employees.</p><p>The trend in hiring interns and retaining them as full-time employees has impacted many major internal audit departments. Nestlé Purina not only advertises its internship program, but empowers its interns to join the company full-time immediately upon graduation. Interns travel up to 50 percent of the time auditing Nestlé business units in Canada, Mexico, and the U.S., working within operational audit teams of the Nestlé Market Audit group. Through this experience, interns "accrue a deep knowledge of the business very quickly," the company reports. As such, interns are viewed as a rich source of new audit talent.</p><p>"Internships have changed the dynamic of recruiting on a national scale," says Jon Gonzalez, a recruitment partner for Deloitte. "Most CPA firms are making their intern hiring decisions much earlier in the process to compete for top talent." </p><p>Because employers are increasingly hiring from their intern pools rather than through traditional college campus recruitment, many college career service organizations have had to change their on-campus internship recruiting schedules to stay in sync with recruiting practices. For example, the University of Pennsylvania's Career Services moved its internship recruiting from February 2017 to October 2016 to stay in sync with employer recruiting practices. 
</p><h2>Traditional Staffing Sources</h2><p>Historically, many companies filled their vacant internal audit positions from within the company, selecting employees with broad financial or operational knowledge or with solid management experience. Looking inward to fill open positions stems, in part, from the idea that internal auditors must have experience in the complexities of a company and its processes and procedures to successfully accomplish professional audit work. Indeed, some chief audit executives (CAEs) have recruited existing managers from within their organizations not only for those reasons, but also for their ability to connect, given their background, with client management. </p><p>However, in recent years, internships have increasingly become an important source of internal audit hiring given the technical training that interns receive and the performance capability that they have already demonstrated. Equally as important, skilled interns learn how to interact professionally with the company workforce and client management during their internships. These soft skills vary depending on the industry and corporate culture. But such skills give certain interns a performance advantage, if hired, because they already know the corporate behavior expected. Because of the reduction in hiring risk, the strategy of some firms is to always select internal audit interns with the goal of offering them full-time employment. </p><h2>CAE Support</h2><p>CAEs rarely hesitate to hire an intern whose work performance comports with expectations. Robert Thieling, former executive director of Audit Services at Group Health Cooperative, a large health maintenance organization covering the Pacific Northwest, and new vice president of internal audit for MedImpact Healthcare Systems in San Diego, began an internship program immediately upon assuming his CAE responsibilities at Group Health 11 years ago. "There was not an intern we wouldn't have hired full-time," he says. 
"Some we lost to CPA firms doing internal audit consulting, but that only proved the value of the program and the quality of our interns." </p><p>Similarly, Expedia has leveraged its internship programs to supplement the company's internal audit team during peak periods, viewing internships as a less costly staffing alternative. Jeff Davis, Expedia's vice president of Corporate Audit Services, is using the company's human resources (HR) department to standardize intern hiring and leverage the other HR disciplines to actualize even more of the internship program's cost-saving benefits. The number of audit interns at Expedia has averaged two to three per year, according to Davis. "Based on the needs of the department, we may offer qualified interns the opportunity to transition to part-time positions for further professional development." </p><p>Scott Howe, vice president and CAE at Costco, also relies on a corporatewide internship program for most intern staffing, though he will hire directly if a prospective intern reaches out to him with a special interest in internal auditing. Since becoming CAE for Costco nine years ago, Howe has hired several interns into permanent positions. </p><p>"If positions had been available, I would have hired more. Overall, one out of every two interns meets my expectations," Howe says, a figure consistent with the industrywide conversion rate of interns to full-time employees. "As a relatively small department of 26 staff members, I have to set high expectations for interns." </p><p>These and other CAEs see internship programs as providing great opportunities for early-career employees to observe many company functions and locations, leading to a thoughtful consideration of different career paths. 
</p><h2>Investment in Interns</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Real-world Internships</strong><br><br> <p>Goldman Sachs Internal Audit interns shadow and assist audit teams, attend seminars and presentations, and participate in networking events. This experience is designed to provide the intern "with a real sense of what you would be doing day-to-day as a full-time employee," according to the description published in the firm's intern job announcement, indicative of the rationale for such an investment.  </p><p>Lithia Motors, which broke into the Fortune 500 at No. 482 in 2015, not only encourages, but prefers, that its internal audit interns join the company as full-time auditors upon graduation, which is stated as an explicit goal of Lithia's internal audit department on the company's website. </p><p>At retailer Nordstrom, all of the interns working on compliance with the U.S. Sarbanes-Oxley Act of 2002 have landed full-time positions at Nordstrom, a major CPA firm, or another Fortune 500 company. Moreover, half of all Nordstrom interns are hired into the company, including internal audit — a figure consistent with Collegiate Employment Research Institute data.</p></td></tr></tbody></table><p>Some internal audit departments may lack the management breadth to support another professional development program. Some CAEs have noted that upwards of one-third of their internal audit staff members are rotational in nature, participating in companywide professional development programs supported by internal audit. While such programs have tremendous potential for developing future corporate leaders, they can also strain the department's infrastructure. 
To be successful, an internship program requires a significant investment of time.</p><p>Brooke Vatheuer, CAE for Alaska Air Group, has taken the planning and organizing of her internship program to a whole new level. "By the time the internship commences, we have planned out their activities for a 12-week period — everything from facility tours to audit assignments to happy hours with other interns and leaders," Vatheuer says. "We recognize that an intern's primary job is to learn, so we build plenty of coaching and development time into their schedule."</p><p>One note of caution: Training and indoctrinating internal audit interns may entail substantial cost given their potential lack of professional business experience. Moreover, closer supervision of interns is often necessary to ensure continuity of audit work product quality. Nonetheless, many firms have determined that the benefits derived from identifying and hiring talent from their intern pools offset the added indoctrination, training, and supervision cost, justifying their investment in an internship program.</p><h2>Best Practices</h2><p>Many of the CAEs interviewed for this article have taken a traditional approach to managing their intern programs — planning, organizing, controlling, and directing them to a successful outcome. The following key attributes of a well-designed internal audit intern program, including selected outcomes or processes for each management function, originate from a working group of internal audit management professionals who serve on Seattle University's Internal Audit Advisory Board. Companies such as Amazon, Boeing, Expedia, and Nordstrom are represented on the board, along with Deloitte, PricewaterhouseCoopers, and EY.</p><p> <strong>Planning</strong> — preparing job descriptions, program budgets, and a hiring plan and schedule. </p><p>What the intern will do and is expected to accomplish is explained in the job description. 
Many firms state the goal of their intern program in the description, such as identifying future internal auditors or augmenting existing staff. In either case, it is important to emphasize not just the meaningful nature of the work experience, but the availability of mentors, career guidance, and specialized professional training, such as data analytics or certain program applications. </p><p>To capture the true financial impact of an intern program, most companies prepare an operating budget containing not just the direct costs, but also the indirect costs, including audit supervision and intern training. Predetermined start and end dates for the annual intern program drive the budget. Because it is discretionary, many companies will address it annually based on audit plans and hiring needs.</p><p>Working with internal audit management and hiring support organizations — such as HR, recruiting, and leadership and development — helps create a plan and schedule that include enhanced coordination and communication in the hiring process while mitigating the risk of selecting the wrong candidate. </p><p> <strong>Organizing</strong> — assigning audit management, appointing mentors, and orienting new interns. </p><p>The assigned audit manager must arrange intern work space, training, and building and system access, and remain available on site to give help or serve as a sounding board until the intern is integrated into the organization. To ensure adequate communication, weekly one-on-one meetings between manager and intern are a best practice. Most managers will routinely invite interns to all-team meetings and functions as soon as they are on board. Given the demands of intern management, most companies require the assigned manager to have substantial audit management experience before giving them internship oversight responsibility. </p><p>Mentors provide audit coaching and career guidance. 
Some companies appoint a mentor within the internal audit department to provide hands-on audit guidance and another mentor outside the department to guide and develop the intern professionally. Often, the latter mentor is at the senior management level.</p><p>A formal orientation normally defines company expectations for an internship; identifies internship program management (where to get help); overviews the company business and corporate functions; explains the internal audit organization and its policies/procedures; and emphasizes professional standards for timeliness, customer service, and due diligence. Most companies stress that interns must take responsibility for their own work performance and professional development, so they are encouraged to document their work activity and accomplishments and seek feedback from their immediate management and company mentors.</p><p> <strong>Controlling</strong> — establishing intern work objectives/schedules, performance feedback, and remedial action.</p><p>To ensure a positive work experience, audit management establishes intern objectives and sets professional expectations early on as a performance evaluation tool. Most firms permit work schedules to be negotiated during the school year provided that the requirements of the master audit schedule are met. </p><p>Periodic performance reviews typically are conducted based on mutually agreed-to performance criteria, including leadership, ethical, or behavioral principles adopted by the company. Specific feedback is rendered, incorporating the observations of relevant auditors, project managers, and audit client management where appropriate. Most firms summarize strengths and weaknesses of the intern being evaluated, and nearly all identify improvement opportunities.</p><p>Remedial action where needed is critical for professional growth. 
Improvement plans are normally developed consistent with company HR practices and with an eye toward enhancing intern performance as an eventual full-time auditor. </p><p> <strong>Directing</strong> — assigning intern training and audit projects and communicating and coordinating internship activities.</p><p>Intern training generally focuses on audit tools and techniques for data analytics, enterprise resource planning for audits of business functions, and audit sampling for testing a population. Linking the prescribed training to the initial audit assignment is considered a best practice, which prepares interns to hit the ground running. </p><p>Guidelines should be established before assigning audits to interns. Above all, the audit project must be interesting and challenging and provide some fun along the way. Key criteria to consider include the extent of exposure to a variety of company locations, processes, and systems, and whether the audit can be scoped to the intern's employment period while still allowing participation on other audit projects. While their assigned audits are certainly contained in the master audit plan, interns are rarely assigned a project ranked critical on the risk assessment heat map. </p><h2>Skills in Demand</h2><p>Some internal audit departments remain resistant to internships because the educational system has not always taught the skills that internal auditing and similar professions demand. Many colleges and universities today recognize that deficiency and are preparing students for knowledge transfer to the workplace by combining education with relevant work experience. Some schools even offer college credit for internships.</p><p>As for internal auditing, some schools administer certificate and post-graduate programs specifically designed to teach students not just internal audit concepts and techniques, but how to apply them to actual audit projects. 
For example, students enrolled in Seattle University's internal audit program support campus administration by routinely auditing functions such as finance, facilities, HR, and IT as part of the internal audit curriculum. The master audit schedule and project findings are coordinated through the university's chief financial officer and presented to the audit committee of the board of trustees, giving students hands-on audit experience. CAEs willing to undertake the challenge of an internal audit internship program may be pleasantly surprised by students who are well-prepared for the professional challenge.</p><p>Based on lessons learned from her oversight of internships during the past several years, Mindi Work, vice president of finance for Symetra Financial, offers this advice: "Stretch them, give them real assignments, and let them be a little uncomfortable. They are not there to job shadow. It will truly be a valuable experience if they contribute meaningful work to the audit department." </p>Dennis Applegate
Climbing the Scale<p>Sometimes, a binary answer isn't enough.</p><p>At least, that is the belief of the thousands of organizations that have used a maturity model to assess their progress in achieving certain goals since maturity model concepts were introduced in the 1970s. They have found the model's reliance on a scale — often 1 (initial) to 5 (optimized) — to assess their performance in specific areas a useful guide for accomplishing two important objectives: understanding where the organization stands currently and coming to agreement on where it should be.</p><p>Initially focused on the IT function within an organization, maturity models have expanded into many distinct disciplines, such as project management, quality management, business process management, learning, human resources, supply chain, sustainability, social media, and security assurance (see "Maturity Model Examples" below). Regardless of their niche area, effectively configured models tend to encourage in-depth conversations among a range of stakeholders and enable nuanced and goal-driven thinking about targeted areas. As such, they are a valuable tool for internal auditors who have come to realize, over time, the benefits of moving beyond a "black and white" approach to audit findings and the support that the range of levels provides in helping auditors discover the gaps between current and desired states. Once auditors have identified and quantified the gap, they can begin searching for the root causes that hinder achievement of the desired state and zero in on appropriate recommendations to bridge the gap. 
</p><p>"Maturity models can be a much more engaging experience for the audit client/management as compared to a pass/fail assessment or other opinions," says James Rose, chief financial officer of Aperture Credentialing in Louisville, Ky., and author of the IIA Practice Guide, "Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements." </p><p>Some of the "engaging experience" may arise from the availability of a broad spectrum of labels. Alyssa Martin, executive partner, Advisory Services, for Weaver in Dallas, notes that internal auditors often are confined to using black or white answers: compliant/noncompliant, effective/ineffective. In her view, maturity models are exactly the "right paradigm" to evaluate the effectiveness of management systems such as governance that require many judgment calls. That is because those who work regularly with judgment calls may be more comfortable with a more subtly defined range of evaluations, rather than a simple yes/no, right/wrong finding. </p><h2>Changing the Conversation</h2><p>Use of a maturity model changes the nature of the conversation about the audit. The levels of incremental maturity lend themselves to acknowledging the organization's advances to date, creating a positive, collaborative tone. Recognizing these successes creates a more receptive audience when internal auditors present the verbal and written reports outlining the path to improvement. </p><p>Before the full benefits of maturity models can be realized, the groundwork has to be laid via pre-audit planning discussions among internal auditors, process owners, and management. "The discussion defines the different levels of maturity and establishes up front with the client what the expectations are within the maturity spectrum," says Kayla Flanders, senior audit manager with Pella Corp. in Pella, Iowa. 
"It takes more effort before the audit, but it helps significantly throughout the audit and at the end of the engagement when discussing issues and the overall report rating based on that upfront alignment."</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Maturity Model Examples</strong><p>There are nearly as many maturity models as there are business functions to be measured. Here are a few models that may be useful for internal auditors:</p><ul><li>Capability Maturity Model Integration (CMMI), from the CMMI Institute (available in formats tailored for development [CMMI-DEV], service establishment and management [CMMI-SVC], and product and service acquisition [CMMI-ACQ]).</li><li>Cybersecurity Capability Maturity Model (C2M2), from the U.S. Department of Energy (also available in formats tailored for the electricity [ES-C2M2] and downstream natural gas [ONG-C2M2] subsectors).</li><li>COBIT 4.0 and COBIT 4.1, from ISACA.</li><li>Portfolio, Programme, and Project Management Maturity Model (P3M3), from Axelos.</li><li>Risk Maturity Model (RMM), from The Risk Management Society.</li><li>Test Maturity Model integration (TMMi), from TMMi Foundation.</li></ul></td></tr></tbody></table><p>She offers this example, related to financial reporting. Confer with the audit client to decide what attributes fit into each maturity category — mature, baseline, etc., reflecting both where the client is and where the organization expects the client to be — and then test to those attributes. In the mature space, an audit client may be using data analytics to identify specific anomalies or gaps in a process to review. This more effectively manages the risk by identifying anomalies based on outlined criteria and reviewing, typically, all transactions. 
At the baseline level, the client may be reviewing only individual significant transactions over a specified dollar value. This clearly manages the risk at a different level. Controls typically build on one another, so the client may still be doing the baseline activity or, as it moves into the mature category, it may find a need to focus less on some of the lower-level controls or eliminate them altogether. If the client is not yet where the organization expects it to be, the internal auditor can reflect in the report the existing level, the level expected by the organization, and the work the client is doing to get to the desired stage. The report also can clearly communicate what attributes are missing (typically already known by management) to move the client into the next defined level of maturity. </p><p>Communication is also high on the list of benefits for Carmen Ozores, internal audit manager at HUCAM-Ufes, Ebserh (Empresa Brasileira de Serviços Hospitalares) in Brazil. "The common language helps in communicating assessment results, which makes the information clearer to support decision-making," she says. "For example, a maturity model provides the audit client a clear understanding of risk levels and which controls fit the situation to create a better control environment."</p><p>Not only is a common language fostered by the use of maturity models, it is a language that tends to be less inflammatory than many binary options, such as "ineffective" and "unsatisfactory," and more focused on process than on people. It ensures, in a non-threatening way, that stakeholders understand precisely what internal auditors mean when they recommend actions to move from one level to the next.</p><h2>Assurance and Insight</h2><p>The work internal auditors do with the client to develop an understanding of what the model contains and how it is used ultimately helps progress the audit and enables the auditors to leverage the efficiencies the model offers. 
Brian Selby, director, Internal Audit–IT, at Discover in Riverwoods, Ill., notes, "Good tools, such as maturity models, help staff be more productive in their endeavors and deliver a better-quality product and service by acting as a source of improvement ideas." For example, although an organization might be performing risk assessments, the auditor may find that new risks keep materializing and destroying value. "By looking at higher-level maturity model practices for risk management process areas, the auditor can identify dynamic risk assessment approaches as a way to increase the likelihood of identifying new risks more timely," he explains.</p><p>In that sense, leveraging maturity models aligns with the use of appropriate tools called for in the <em>International Standards for the Professional Practice of Internal Auditing</em>, specifically, Standard 2210.A3: Engagement Objectives: </p><p>"Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board."</p><p>For Martin, the benefits of using maturity models are even more straightforward. They help internal auditors perform two of their most critical functions: providing assurance and insight. "Assurance is advising the client that the area is achieving the expected level of maturity," she explains. "Insight is identifying the root of the differences between the current and the desired state and defining the barriers to achieving expected performance levels." 
</p><p>Using maturity models in this way may be particularly effective for business areas that have a documented, internationally recognized framework such as The Committee of Sponsoring Organizations of the Treadway Commission's updated <em>Internal Control–Integrated Framework</em>, ISACA's COBIT, and the International Organization for Standardization's ISO 27001 and 22301 standards, says Anthony Noble, vice president of IT audit at Viacom Inc. in New York. He explains, "Having the structure of an internationally recognized framework to assess against enables us to use the literature generally available to easily partition areas to review and then evaluate their maturity level."</p><h2>Use Caution</h2><p>Despite their benefits, maturity models are not always the right solution. Like any approach an internal auditor may take, use of maturity models needs to be thought through carefully to optimize the benefits and minimize downside aspects as they relate to the organization and the intended outcomes of the work.</p><p>One potential drawback to maturity models is the temptation they may provide auditors to push the organization to higher maturity levels of performance than it is willing or able to adopt. This situation requires internal auditors to be seasoned enough in their thinking to accept that not every aspect of the audit needs to be at the highest level of maturity. Each organization must determine, based on a risk assessment, the appropriate amount of investment to make in achieving a degree of maturity for a process or procedure. Although the automatic assumption may be that every process should be at the highest level of maturity (level 5), that may not be the case, depending on the organization's core business, environment, and risk tolerance. If the consensus is that a level 3 or 4, rather than a 5, is appropriate for the process, then being assessed at that level is not a failure. 
Indeed, the range of acceptable options is one of the strengths of using maturity models. </p><p>"If, per a risk-based assessment, a given activity is appropriate at a lower level of maturity, auditors ought not recommend additional resources be spent for the sole sake of advancing to the next level," notes Debbie Shelton, director, IT Security & Compliance with LG&E and KU Energy, in Louisville, Ky. "Rather, auditors should work to understand management's process for determining the risk involved, the appropriate level of maturity, and the matching of the two." Based on this understanding, auditors can determine whether the assessment assumptions are sound, decide whether management adhered to its processes, and consider whether recommending something additional is needed to help the client meet functional objectives.</p><p>A concern sometimes expressed about maturity models is their inherently subjective nature, which can manifest itself in inconsistency. That inconsistency, in turn, is likely to result in limited assurance of reliability regarding the assessor, the assessment's quality, and the usefulness of market benchmarking. The Capability Maturity Model Integration (CMMI) Institute has created a formal certification, the Standard CMMI Appraisal Model for Process Improvement program, to address the subjectivity/consistency issue.</p><p>Assessing compliance may be an area where maturity models should be used with caution, if at all. "The expectation today is that the organization is 100 percent compliant," Rose says. "However, practically speaking, there are always things that can be improved, including compliance." Therefore, if the organization's assessment reflects anything less than the top level of maturity in compliance, legal issues may arise if a major compliance issue occurs. 
This doesn't necessarily preclude use of a maturity model, but Rose suggests taking great care in defining the model's categories and wording so there is no inference of a lower degree of commitment to compliance on the organization's part.</p><p>Other areas that may not be entirely conducive to using maturity models include those that lack a widely published international standard for the function, Noble says, citing human resources, accounts payable, and accounts receivable as examples. "For areas such as accounts payable, there are many ways to perform the task at hand and no internationally recognized standards to measure the area against," he explains. "We can evaluate the capability maturity model level from 0 to 5, but it is harder to determine what additional processes would move the area from a level 3 to a 4, for example."</p><p>Ultimately, maturity models represent a judgment of sorts. So, despite efforts to get everyone on board during pre-audit discussions and the use of less inflammatory language, there is no guarantee that difficult conversations will not arise after the audit. Flanders recommends auditors keep in mind that with maturity models, as with other, more traditional rating systems, "there is still a bottom and a top end of the scale, and no one likes to be at the bottom."</p><h2>Tips for Success</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Selecting a Maturity Model</strong><p>Given the diverse array of maturity models available, there seems little reason for an organization to develop a new one from scratch. However, many business functions may struggle to select the one best suited to their needs and, even after making the choice, they may opt to customize it to make it more valuable in their own environment. 
Selecting and tailoring a model will entail answering many questions, including:</p><ul><li>Is the model's predictive ability relevant to the business objective being measured?</li><li>What is the desired management outcome? What does management want to assess? What quantitative metrics or qualitative statements describe the desired management outcome?</li><li>Would following a model improve the probability that the outcome would be achieved?</li><li>Would management have a false sense of confidence that the outcome would be achieved if an assessment — using the model — shows a high state of process maturity?</li><li>What business processes are involved?</li><li>Will the model be applied across many different types of management processes to improve general compliance, controls, or organizational governance?</li><li>Is internal audit assessing an industry- or organization-specific set of tasks that requires some degree of specialized process knowledge, tools, techniques, or skills?</li><li>How well does each maturity level build on the previous level?</li><li>How well do the expectations in each level align with the expectation to have a process meet a certain level of maturity — say, level 3 as opposed to level 5?</li></ul><p>Source: IIA Practice Guide, "Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements"</p></td></tr></tbody></table><p>As internal auditors increasingly adopt the use of maturity models, their experience with them grows and lessons are learned, making each new audit run more smoothly and effectively. 
Internal auditors who have experience with maturity models provide several tips to get the most out of them.</p><p><strong>Choose Wisely</strong> Selby notes that not all of the published maturity models contain the rigor of the most commonly used and widely available models, citing as an example the CMMI-Dev v1.3 report, which dedicates 300-plus pages to defining in detail the model levels for the generic and process area goals and practices related solely to software development activities. Choosing a model that reflects the collective wisdom and experience of many professionals and practitioners and is subjected to peer review and testing can help increase the internal auditor's consistency and credibility (see "Selecting a Maturity Model").</p><p><strong>Be Flexible</strong> It may be advisable to embrace more than one model, using different models for specific functions under review. Shelton suggests starting by determining whether a maturity model is already being used by management of the function under review. If so, determine whether the model is suitable; if it is, use it for the audit. In this way, the client already understands the model, and perhaps already has completed his or her own assessment. This gives the internal auditor more time to review the evidence of maturity and recommend next steps, if needed, within the given risk profile.</p><p><strong>Build the Best Model</strong> Ozores is a strong proponent of building a customized model, using an understanding of the audit client's environment to tailor standard frameworks. She suggests adding examples or making fine adjustments to the published model's language, so the result accurately reflects the environment under review. She counsels, "Depending on the field, there can be slight differences in language that make a great difference in final understanding." 
</p><p> <strong>Find a Champion</strong> In some of his previous organizations, Rose reports that the internal audit departments designated a methodology champion. That individual reviewed reports from a consistency standpoint, trained staff, and maintained the policies and procedures of the department. Given the rotation of audit team members, the champion improved consistency, thus mitigating risk and ensuring a quality assessment.</p><p> <strong>Mind the Gap</strong> Noble suggests baselining the maturity of various IT areas against desired maturity levels to build a useful gap analysis identifying improvement opportunities. He and his team use the published control framework literature when possible to provide a list of needed procedures for each area's level of maturity to facilitate identifying the gaps. He further suggests creating a graphic representation of the maturity model gap analysis, which he considers useful to aid senior management in understanding how close it is to achieving the desired maturity in several areas at once. </p><p> <strong>Be Prepared for High Ratings</strong> An area's maturity level is not always lower than its target state. In some cases, the area may be performing at a higher level of maturity than that agreed on in the planning discussions. This represents an opportunity to reallocate resources. Martin suggests, "If metrics for the area are well-defined, you can make actionable recommendations for change." </p><h2>Beyond Black and White Assessments</h2><p>When the appropriate maturity model is selected, tailored, or built from scratch, and agreed on in advance with the process owners and management, its use can enable internal auditors to provide nuanced indications of maturity levels. If a level is lower than expected, the auditors can uncover the root causes barring the path from the current state to the desired state and offer recommendations for continued improvement. 
</p><p>And these functions can be communicated using language that enables internal auditors to avoid the traditional perception of being critical or judgmental, seeing only black and white. Flanders notes, "Think about how we talk about ourselves. We assess internal audit departments as to their level of maturity using terms like 'assurance provider,' 'problem solver,' and 'insight generator.' We certainly don't call ourselves 'ineffective.' Why wouldn't we use a similar process for our clients?"</p>Jane Seago
Work Smarter, Not Harder<p>The phrase “work smarter, not harder” encourages an increase in productivity and efficiency. It can motivate an employee to identify the most important and necessary tasks and execute them with accuracy and completeness while eliminating from one’s day the unnecessary activities that add no value.</p><p>But without action steps to work smarter, the phrase lacks substance. Through the identification of the root cause, a manager can devise a specific solution to the barriers the employee is facing and possibly eliminate such roadblocks. The following framework can support the struggling employee and identify the root cause of the problem, strengthen the employee/manager relationship, encourage thoughtful and honest conversation, and promote collaboration between the two parties to identify relevant solutions. The framework may also positively impact other auditors in the department, as well as departmental stakeholders.<br><br><strong>Acknowledge the problem</strong> If an employee has been behind and missing deadlines or has been putting in long hours, it is time to come to an agreement that he or she is experiencing a roadblock and his or her current approach is not sustainable for the long term (i.e., burnout). At this stage, validation from a manager can be encouraging.<br><br><strong>Appreciate the employee</strong> Thanking an employee for his or her hard work can be meaningful. Recognition of the time and effort already expended helps promote a constructive dialogue. The long hours may be indicative of an employee who cares about his or her work product, but may not know the best way to get that valuable work product completed. An employee who displays this level of dedication is one the department wants to retain.<br><br><strong>Identify the root cause</strong> Though an employee may be able to define the problem, there may be other obstacles at play that he or she is not defining as obstacles. 
The employee should walk through a typical day — or week — with his or her manager to determine which tasks and activities the employee is completing and not completing. This conversation should be treated like a typical internal audit walkthrough, with a thoughtful mix of open-ended and closed-ended questions, such as:</p><ul><li>What deliverables is he or she producing?</li><li>What is he or she requested to perform?</li><li>What is the estimated time it takes to complete each task? For example, if an employee is a junior- or entry-level associate, the demands and pressures placed on him or her by the senior or supervising auditor while on an engagement may be enlightening — and surprising.</li></ul><p><strong>Define the roadblock</strong> After discussing a typical day or week, the employee’s responsibilities, challenges, and habits should become clearer. At this point, it may be possible to identify what is holding the employee back from working efficiently and productively. Ask the employee what is holding him or her back. If the response doesn’t align with the manager’s thoughts, continue to ask the why and how questions. Once the issues are clearly identified, encourage the employee to think of them as roadblocks. Most roadblocks can eventually be cleared; for those that can’t be (e.g., permanent road closure), there is always an effective detour (e.g., a reasonable and realistic solution).<br><br><strong>Devise a solution</strong> Once the roadblock is defined, a solution can be determined and implemented. Three of the more common solutions are listed below. Depending on the roadblock, however, a different solution may be more effective.</p><ul><li><strong>Training</strong> – Is this employee new to the company? Maybe he or she is confused about the company’s systems or industry terminology. Is this employee new to internal audit? Maybe he or she is confused about a particular internal audit process. 
Connect the employee with the specific resource that can assist him or her in learning and development. The resource may be someone within internal audit, within the company, or external to the company, but should be someone who has the knowledge and can teach the skill effectively. The best option would be someone who came from a similar background as the employee (e.g., external hire), who previously experienced such a roadblock (e.g., help with the company systems), or has achieved success (e.g., a systems subject matter expert). Working with this type of mentor can provide much needed reassurance that success is attainable.</li></ul><ul><li><strong>Resource allocation</strong> – Has the employee taken on too much? Maybe he or she volunteered for too many projects or is performing work beyond his or her current knowledge, skill, and experience. Lighten the employee’s workload and frame it positively. One way is to explain to the employee which tasks are the most important. Once these tasks are completed on time and accurately (and the associated skills are mastered), other projects can be added to further develop the employee’s skills. Another way to frame it positively might be for the manager to share with the employee whether he or she has been in the same situation.</li></ul><ul><li><strong>Process improvements</strong> – One or more of the internal audit processes may be inefficient. Sometimes new employees can see this, whereas experienced employees are accustomed to doing things a certain way and don’t recognize the inefficiencies. There may be time-consuming deliverables that are either not necessary or duplicative, and there may be opportunities to improve and streamline processes.</li></ul><p dir="ltr" style="text-align:left;">The solution of process improvements requires management to identify the full population of tasks that are completed within the department and evaluate whether each task is necessary and not duplicative. 
However, once process improvements have been implemented, they may increase not just the employee’s efficiency, but that of other team members within the department.</p><p><strong>Circle back</strong> Checking back in with the employee may be the most important step. Was the solution effective? How does the employee feel about the solution? Monitoring the employee’s progress through regular one-on-one meetings helps to ensure that the solution is operating as intended, and it continues open lines of communication between the manager and employee. And if the solution is not operating as intended, a determination can be made for why it is not and what can be done differently.</p><p>The framework provides an outline that can support hard-working team members who may need an encouraging conversation and guidance on how to implement such a strategy. By guiding employees in the direction of working smarter, it is more likely that companies will retain employees while seeing an increase in productivity and morale.</p>Christine Hogan Hayes
Editor's Note: When Threats Become Reality<p>Cyberattacks and data breaches are once again the top two threats to business continuity in 2017, according to the latest Horizon Scan Report, published by the Business Continuity Institute in association with the British Standards Institute. Nearly 90 percent of the 726 responding organizations from 79 countries report they are concerned about the possibility of a cyberattack, while 81 percent of respondents say the same about a data breach. According to the report, the eight other top threats are: unplanned IT and telecom outages, security incidents, adverse weather, interruption to utility supply, acts of terrorism, supply chain disruption, availability of key skills, and new laws or regulations.</p><p>Such threats can test an organization's resiliency. Risk Management magazine recently presented a list of 30 actual risk events that occurred last year. The "Year in Risk 2016" shows how broad the spectrum of threats is. For example:</p><ul><li>A massive denial of service attack blocks access to dozens of websites, including Reddit, Twitter, Amazon, and Netflix. The hacker's identity is still unknown.</li><li>The U.S. federal government declares a state of emergency in Flint, Mich., after unsafe lead levels are found in the water supply. Five local and state government officials resign or are fired, and criminal charges are filed against nine others.</li><li>Following foodborne illness outbreaks at Chipotle Mexican Grill that sickened hundreds of customers, sales are down and the restaurant's stock price has dropped nearly 50 percent since its August 2015 peak. 
</li><li>Terrorist attacks kill more than 340 people in a shopping center bombing in Baghdad; 87 people in the Bastille Day massacre in Nice, France; 49 people in a nightclub shooting in Orlando, Fla.; and 35 people in a train station bombing in Brussels — sadly, to name just a few.</li><li>In June, 52 percent of U.K. voters elect to leave the European Union. It is yet to be seen how Brexit will affect commerce and trade.</li></ul><p>Business resiliency is all about the organization's ability to quickly adapt to risk events such as these while maintaining continuous operations and safeguarding its employees, assets, and brand equity. In this month's cover story, "<a href="/2017/Pages/Resilience-Through-Crisis.aspx">Resilience Through Crisis</a>," author Mike Jacka takes a comprehensive look at internal audit's role in business resiliency — from crisis plan development, to plan implementation, to post-crisis analysis. In a world full of risk, internal audit can take a proactive role in organizational well-being.</p><p>On a separate note, welcome to Charlie Wright, our new "Risk Watch" contributing editor. Wright is director, Enterprise Risk Solutions, for BKD LLP in Oklahoma City. He replaces Paul Sobel, who has contributed his time and expertise to the department since 2008. Thank you, Charlie and Paul!</p>Anne Millage
In High Demand<p>Internal auditors who possess specialist skills, accredited professional qualifications, and leadership and business acumen are in great demand — so much so that employers are willing to pay substantially more to attract and retain them. According to research by recruitment specialist Robert Half, internal audit salaries in the United States generally are set to increase by up to 4.2 percent in the year ahead, depending on the size of the organization they work for and their level of experience, among other factors.</p><p>This is welcome news given that the 2017 Internal Audit Compensation Study, produced by the Internal Audit Foundation, found that the number of auditors who did not receive a raise in basic salary increased last year, marking an end to a seven-year downward trend. The report found that some 15 percent of respondents did not receive a base salary increase last year — the highest proportion since 2011–2012.</p><p>However, internal auditors with specialized skills and in-demand certifications saw higher than average compensation packages — a trend that Robert Half says is likely to continue, at least in the near term. Two specific areas of expertise — information technology (IT) auditing and environmental, health and safety (EHS) auditing — were in very high demand by U.S. employers in 2016. IT auditors saw a median salary more than US$14,000 higher than generalist auditors, while those auditors who specialize in EHS received salaries worth US$17,561 more.</p><p>IT auditor salaries are being driven higher because demand for such expertise is outstripping supply. 
In fact, such a talent shortage is prompting audit leaders to implement initiatives such as rotational audit assignments as a way of growing IT audit skills in-house, according to internal audit consultancy Protiviti's latest Internal Auditing Around the World publication.</p><p>As for EHS skills, The IIA's 2017 North American Pulse of Internal Audit survey finds that EHS is a topic appearing on more than one-third (35 percent) of board and audit committee agendas, yet less than one-quarter (23 percent) of internal audit functions feel informed about such risks to the business. Once again, the increase in salary is due to the demand for skills outstripping supply.</p><p>In fact, it's a favorable jobs market for those internal auditors with multiple specialist skills. The Compensation Study says that practitioners who possess experience and expertise in more than one field or specialization can generally negotiate higher compensation. For instance, the study found that U.S. auditors with four areas of expertise commanded an average median salary approximately US$45,000 higher than generalist auditors with just one area of expertise.</p><p>The Compensation Study also reports that employers are willing to offer higher salaries to internal auditors with in-demand credentials. The study found that the average median salary in 2016 for U.S. internal auditors with one or more formal qualifications was US$34,009 higher than the figure for internal auditors without any certification. Practitioners with credentials in particularly high demand, such as the Certified Internal Auditor (CIA) and the Certification in Risk Management Assurance (CRMA) designations, garnered even higher rates of pay in 2016, the Foundation reports.</p><p>But mixed with this positive news for the profession, the report also contained some negative findings. 
For example, internal audit leaders are neglecting to think about "soft skills" such as leadership, business communication, and relationship-building when recruiting candidates. Such skills are not just "nice to haves" — they are increasingly important and expected by management.</p><p>Furthermore, the Compensation Study says that employers are limiting their search for internal auditors to those with an accounting degree, rather than looking for potential candidates who might have other skills and experience that the organization could benefit from. For example, technology skills are often underrepresented in internal audit job descriptions, yet experience in areas ranging from big data to cybersecurity is desperately needed. Many employers also value knowledge of EHS risks and their potential impact to the business, yet often neglect to call this out in job specifications too.</p><p>The Compensation Study suggests that failing to include such details can result in an employer hiring candidates who meet outdated or incomplete requirements, and who cannot meet the skill needs and demands of the business in the future. This is especially worrying given that boards want internal audit to act more as a strategic partner and to demonstrate greater business acumen. For example, 64 percent of internal audit stakeholders interviewed for the 2015 Common Body of Knowledge Stakeholder survey, conducted by The IIA's Internal Audit Foundation and Protiviti, said that internal audit should have a more active role in assisting management and the board to assess and evaluate the organization's strategic risks.</p><p>According to the Compensation Study, internal audit leaders should take steps to help "brand" their departments as a place where talented internal auditors want to work. 
This would need to accommodate working practices that employees — particularly millennial workers — now come to expect more and more, such as remote work arrangements, flexible work schedules, the ability to maintain a satisfying level of work-life balance, and the opportunity to learn about other areas of the business.</p><p>Visit <a href="">The IIA's website</a> to learn more about the 2017 Internal Audit Compensation Study.</p>Neil Hodge