Practices

 

 

From Output to Outcomeshttps://iaonline.theiia.org/2017/Pages/From-Output-to-Outcomes.aspxFrom Output to Outcomes<p>​<span style="text-align:justify;">I</span><span style="text-align:justify;">n today's world, there is growing demand on internal auditors to visibly demonstrate their contributions toward achieving organizational objectives. Auditors need to serve as key partners to the board and management in identifying challenges that may hamper achievement of those objectives, as well as helping uncover constraints to seize emerging opportunities. Such efforts are achieved by performing focused, independent, objective assurance and consulting activities that align with the organization's strategy and priorities.</span></p><p style="text-align:justify;">One key performance indicator (KPI) for internal auditing's success in these areas is the number of audits completed or audit issues raised. However, it is less common to see the number of corrective actions taken by the organization used as a KPI, possibly because internal auditors lack control over implementing these actions. The audit report, then, typically constitutes the last point of influence over an area under review.</p><p style="text-align:justify;">And while audit reports tend to comprise the main outputs for internal audit work, it is difficult to gauge their impact until corrective actions are implemented satisfactorily and any risks identified are mitigated. In effect, unless internal audit results are converted into action, it is challenging to clearly demonstrate internal audit's contributions toward achieving organizational objectives. Accordingly, internal auditors should be more involved in helping organizations implement proposed corrective actions originating from their work. Five steps can help practitioners play a more proactive role in facilitating effective implementation, while still maintaining their independence.<span style="text-decoration:underline;"> </span></p><p style="text-align:justify;">1.     <strong>Categorize audit issues to make them suitable for action</strong>. If audit issues are grouped in a systematic manner, management can more easily perform holistic analysis and take corrective actions. For instance, audit observations can be categorized into strategic, policy, compliance, process, IT, human resource, and financial issues. Each category has a different audience requiring different responses and attention. Normally, strategic and policy issues are best addressed by the board and top management, whereas the responsibility for compliance and process issues leans toward mid-level operational management. </p><p style="text-align:justify;">2.     <strong>Rate audit issues based on operational impact.</strong> Audit issues can be rated as high, medium, or low depending on risks associated with business objectives. Audit issues rated as high risk could be significant, drawing the attention of top management, compared to medium or low risks. High ratings could also help attract a sense of urgency in view of organizational impact. <br></p><p style="text-align:justify;">3.     <strong>Develop a robust audit issue tracking system</strong>.  IIA Standard 2500: Monitoring Progress states that "the chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management." Collective involvement of both internal auditors and management in designing and implementing such a system would enhance system effectiveness and ownership. The system could maintain features such as the ability to integrate with the audit system in use and access each proposed corrective action; accessibility to audit clients with a view to regularly update actions taken; and the capacity to analyze progress by status of actions (implemented, in-progress, not implemented), risk category (strategic, policy, compliance, processes), risk rate (high, medium, low), and business unit. Moreover, the system needs to be designed to allow aging analyses of pending corrective actions (e.g., those within the due date, or overdue by 3 months, 6 months, and 12 months or more). <br></p><p style="text-align:justify;"><strong>4.</strong>     <strong>Allocate sufficient resources for continuous support and counseling.</strong><strong>  </strong>Internal auditors, working with the business, are optimally positioned to assess the organizational impact of audit issues and identify any systemic challenges affecting implementation. Thus, they can provide advice on how pending corrective actions would best be addressed. Also, auditors may regularly reevaluate the relevance of the corrective action, periodically validate the adequacy of the actions taken, and provide feedback as needed.  <br></p><p style="text-align:justify;"><strong>5.</strong>     <strong>Provide reports to the board and management periodically. </strong>Internal auditors need to report periodically on the status of corrective actions taken. The report may include status of implementation and outstanding actions by due date, risk category, risk rate, and business unit. </p><p style="text-align:justify;">Following these steps can help develop a partnership between management and internal auditors. Perhaps more importantly, though, the process vividly demonstrates how internal auditors can help the organization accomplish its objectives. Internal auditors are encouraged to play a more proactive role toward implementing corrective actions and to help convert their audit output to concrete results.  </p><p style="text-align:justify;">​<br></p><p style="text-align:justify;"><em>The views and opinions expressed in this article are those of the author and do not necessarily reflect the official position of the author's employer.</em><br></p>Geremew Tadele1
Auditing What Mattershttps://iaonline.theiia.org/2017/Pages/Auditing-What-Matters.aspxAuditing What Matters<p>​Organizations exist to provide value for their stakeholders, and increasing that value requires businesses to accept appropriate risks. But which risks? And how much uncertainty is too much? To make those decisions, management must evaluate and balance growth opportunities, goals, related risks, and effective deployment of resources, while never taking their eyes off the strategy and enterprise objectives.<br></p><p>Clearly, internal audit has an important role to play in this process. Yet some internal auditors are torn between performing traditional internal audit activities — the time-honored “tick and tie” procedures — and activities that contribute more directly to value creation. “Both those activities are important,” says Larry Baker, a senior leader in internal audit, enterprise risk management, and strategic planning in Oklahoma City. “Even when management is convinced the organization is doing everything possible to ensure that a process is working effectively, internal audit still needs to do an independent audit of the controls that make management feel so comfortable.”<br></p><p>However, in any business, time and resources are limited, and internal auditors who wish to serve as trusted advisors to the organization must ensure their efforts provide maximum return on investment. Priorities must be set. For some internal auditors, the act of prioritization may necessitate a fresh look at what matters most to the business. <br></p><h2>Identifying the “Right” Risks</h2><p>Bill Watts, partner at Crowe Horwath in Columbus, Ohio, recalls a time more than a decade ago when the approach to determining what to audit was not as thoughtful as it is today. Audits tended to be very structured and repeatable. Then came the U.S. Sarbanes-Oxley Act of 2002, which indirectly caused companies to re-examine their control structures and how to improve controls, leading to evolution in other areas. “Internal auditors today must think more broadly, across the enterprise,” he notes. “Where is the company strategy focused, what are the major initiatives, and where is the money being spent? Those answers tell you what’s important to the entity, and that’s where internal audit should focus.” <br></p><p>There is yet another question that can help internal audit identify the “right” risks to address, says Brad Ames, internal audit director for Hewlett Packard Enterprise in Palo Alto, Calif.: Who is accountable for a specific strategy? “Once you know that, you can build an authentic relationship with them and make them your stakeholders,” he explains. “Ask them what they see that would inhibit them from accomplishing their strategic objectives. Begin the risk discussion, always establishing visibility into risk so they don’t overvalue or fear it. Determine in advance how the partnership will accelerate business strategy. This context will help them feel more confident about the risk, making them less likely to allow it to cause them to undercommit to the strategy.”<br></p><p>In most organizations, one of the areas of focus will involve technology. All businesses must learn how to optimize the use of technology — not only in any technology-enabled products and services they offer to customers, but also in their own internal business processes for greater efficiencies and effectiveness. Many organizations’ strategies include specific objectives related to technology, a clear signal that internal audit must focus on it as well — in Ames’ words, “presenting itself as relevant to strategy.”<br></p><p>It is also important for internal auditors to recognize that, even as they raise their focus on strategic initiatives, they must maintain many customary audit activities, such as looking at segregation of duties, fraud potential, regulatory compliance, and transactions. However, Ames points out, even the traditional audit activities can and should “move toward strategy.” <br></p><h2>The Risk Connection</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Making a Case for a More Strategic Approach</strong><br><br>Internal auditors can make inroads into altering their organization’s culture to accept a more strategic approach to internal auditing. Here are techniques the audit leaders interviewed for this article recommend to lay the groundwork and prove the department’s readiness:<br><br><ul><li><strong>Even while performing traditional internal audit activities, have the courage to step outside the norm occasionally.</strong> Be sure to communicate the positive results of the “experimentation” and the ways it benefited the organization. Use that win to build the next one.</li><li><strong>Take the “journey begins with a single step” approach and start by making one small adjustment.</strong> Then, when the time is right, make another. The key is to take each step with the firm intent of going on the whole journey.</li><li><strong>Spend more time talking to customers and listen carefully to their responses.</strong> If you are doing a traditional activity such as matching invoices, spend an hour talking to the people who process the invoices. It’s often possible to learn more from hearing than seeing, and that knowledge, which may uncover previously unknown issues or opportunities, can help you build a case for expanding internal audit’s role. </li><li><strong>Polish your soft skills.</strong> Those who can ask good questions, establish relationships (within the bounds of independence and objectivity), listen carefully, and summarize succinctly are generally more effective in uncovering truths — and in building compelling business cases for desired outcomes based on those truths.</li><li><strong>Arm yourself with expertise before acting.</strong> In today’s environment, there is a lot of pressure to do more with less, add value, and show productivity. This may cause internal auditors to jump into activities they don’t fully understand. Don’t make that mistake. Be prepared. Perform research, get training, and ask experts to help you where needed. If you are given a chance to try something new, the odds of getting a second chance will depend on doing the first one well.</li><li><strong>Don’t fear failure.</strong> Not every effort will be a success, but that can’t be a reason to give up. Develop your resilience by learning from failure and moving on. </li></ul></td></tr></tbody></table><p>The upcoming revision of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) <em>Enterprise Risk Manageme​nt–Integrated Framework</em>, scheduled for release in early 2017, describes an enterprise risk management (ERM) program that is highly interrelated with controls. Whether internal auditors use COSO ERM to guide their risk-driven strategic activities, or build their own frameworks based on its precepts and shaped by experience and common sense, Watts warns against “cherry-picking activities” from the framework. Focusing only on certain parts of a framework while ignoring others is likely to hinder generating full benefit from the process, perhaps even missing opportunities. Taking a broader, holistic view that aligns the organization’s ERM program with strategy facilitates internal audit’s understanding of the strategy itself and its role in the major initiatives the business deems critical to accomplish the strategy.<br></p><p>This is not to say that an internal audit focus on organizational objectives, as outlined in the strategy, automatically improves ERM within the organization. “Hopefully it does, but it’s far from given,” says Charlotta Löfstrand Hjelm, chief internal auditor at Lansforsakringar AB in Stockholm. “If there is no objective, there is no risk. The important thing is to show where value is created and how it can be affected by certain unwanted events — or enhanced, if we can articulate how to capture this.” Showing how goals affect value and risk in other areas can be helpful, as can positioning objectives as the link between the audit plan — including consulting and advisory activities, not only assurance audits — and the different plans from the organization, such as strategic plans, business plans, and risk reports. <br></p><p>Auditors tend to be good at using a risk-focused approach. In fact, Ames speculates that management tends to perceive internal audit as being all about compliance or risk. In his view, a risk-based approach is “our foundation,” but internal auditors should be more focused on increasing value to the business, positioning internal audit as partners in strategy.<br></p><h2>The Need for Speed</h2><p>A phrase often used to characterize one aspect of the relationship between internal audit and risk management is that internal auditors must “audit at the speed of risk.” In today’s business environment, types of risk, likelihood of occurrence, and degrees of impact change almost daily. If internal audit is focused on supporting strategic objectives, and if a key factor in accomplishing those objectives is understanding the risk surrounding them, then the speed at which internal audit can identify and act on risk is important. Internal auditors must find ways to remain informed and take proactive measures. <br></p><p>Lisa Lee, vice president, Audit at Google Inc. in Mountain View, Calif., says in a fast-paced environment, the key for internal auditors to add value is to communicate concerns quickly. “Where it makes sense, engaging early with process owners to conduct risk assessments and assess control design effectiveness will help provide clarity on the highest risks that need to be managed,” she explains. Moreover, she says, “Assessing the maturity of controls can help provide meaningful information, as manual or detective type controls may be appropriate when a process or product is first launched, but as the process or product matures and scales, so should controls.” Using a maturity model, such as a scale from 0 (indicating a nonexistent control) to 5 (indicating an optimized control), can be helpful in instances where there may be a need for more robust controls. <br></p><p>The traditional approach of having an annual audit plan may not mesh well with the speed of today’s business. Internal auditors may struggle to adhere to the plan while also trying to accommodate constant change and ensure focus remains on the most critical risks. Lee notes that at Google, internal audit maintains a running list of initiatives and commits to a quarterly audit plan based on addressing the current high risks.<br></p><h2>Getting Buy-in</h2><p>Making changes to the way internal audit operates may not always be welcomed with open arms. In some organizations or industries, long-established cultures and beliefs may not lend themselves to change — at least, not easily or quickly. If traditional internal auditing is the organization’s expectation, the audit department must continue to perform it as effectively as possible, making sure to contribute value and communicate that value regularly (see “Making a Case for a More Strategic Approach,” above). <br></p><p>Lee says she believes in letting the work speak for itself. “Management appreciates receiving relevant and timely information,” she explains. “If internal audit can provide information that will help executives do their job better or help them achieve their goals, then buy-in isn’t a problem because they see value in internal audit’s work.”<br></p><p>But what if it is internal audit’s own leadership that needs to be convinced of the value of a more strategic approach to internal auditing? According to Ames, “It’s difficult for audit departments to break through from a routine, traditional approach to a more optimized, innovative view without support from the leadership in the audit department, itself. You might have a few who reach those levels, but never the whole department. And internal audit won’t become a partner in the strategy.” <br>The CAE is the linchpin. When risk is discussed in the organization, the CAE must step up to highlight the need for a strategic approach and explain the audit committee’s mission. If the mission described in that explanation is focused only on protecting, the opportunities for enhancement may be limited. The opportunities are even more limited if the CAE chooses not to listen to his or her internal auditors’ suggestions for how they can contribute more value to the organization. “Then perhaps it is time for the CAE to move on to another position,” Hjelm suggests, while also admitting, “This is, of course, easy to say, but hard to do.” <br></p><h2>A Value-producing Proposition</h2><p>Regardless of where in the organizational chart minds need to be changed, those internal auditors who understand that expanding their efforts across the organization’s value chain can help the department deliver increased risk coverage, cost savings, and measurable value to the business must carry the flag. And, in fact, that advocacy can play a key role in reaching the career goal many internal auditors set for themselves: becoming a trusted advisor. Hjelm explains that when risk turns to value, assurance also transforms to insight — a transformation expected of a trusted advisor. She counsels, “The audit report is not the main result of our work. The main result becomes our identification and description of what consequence a risk or a combination of risks has. Internal auditors’ understanding, knowledge, and ability to communicate in business language can help the board and C-suite focus on ‘hot’ areas.”<br></p><p>Focusing internal audit’s activity on the strategic objectives that matter most to the organization is a value-producing proposition. And, in fact, while it is a topic of attention now, it may not be an entirely new concept. Perhaps it is, instead, a matter of recommitting to basic, long-held beliefs that may have slipped out of view for a time, in the rush of checking items off the daily to-do list. Baker notes, “We sometimes forget that our whole life in internal audit has involved objectives, risk, and controls. Sometimes we focus more on controls, other times we zero in on risk. But objectives have always been there. And if we don’t assess risk and controls with objectives in mind, why do it?” </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>From Critical Objectives to Critical Risks</strong><br><br>Critical objectives often have critical risks. Knowing how to identify those risks, prioritize them, and develop mitigation plans can help internal audit focus its efforts on value-producing activities for the organization. The following process, described by Larry Baker, has been in use at his previous employer, Devon Energy Corp., for many years. Each step is facilitated by internal audit.<br><br><strong>Step 1 Identify and Define the Risks</strong><br><ul><li>Based on their understanding of the organization’s strategic objectives, opportunities, and related risks, senior executives and other management identify major risk areas most important to the company. At Devon, this tends to be approximately 20 risk areas.</li><li>Each risk area’s leader defines the risk, details the scope, and identifies two to four inherent risks in that area. The </li><li>resulting list encompasses between 50 and 60 inherent risks.</li><li>Employees who are knowledgeable about those inherent risks identify factors that drive each inherent risk (control weaknesses), the ERM activities in place to manage the risk (controls), and gaps or opportunities for improvement. They then develop recommendations for how to better manage the risk as needed. </li></ul><br><strong>Step 2 Rate the Risks</strong><br><ul><li>Each year, the board, executives, and other management complete a survey on the 20 risk areas. They rate each in four categories: probability, velocity, readiness, and financial impact. Devon’s survey is fundamentally the same each year, which enables the company to compare results and trends. </li></ul><br><strong>Step 3 Address Risk in Detail</strong><br><ul><li>Every quarter, a cross-functional group of vice presidents for three of the 20 risk areas is brought together for a two-hour workshop to focus on the inherent risks for those three areas. The group votes on how effectively the risk is being managed and how effectively it should be managed, then examines the gap between the two results. The gaps are discussed in order of size, largest gaps first. </li><li>The focus is on determining whether there is anything the company should be doing that it isn’t doing, or if any new risks are emerging. </li></ul><br>It takes approximately 18 months to cover all 20 areas. Internal audit uses these results to identify any new information or changes that need further examination. Significant changes often relate to areas most critical to the organization and, therefore, guide internal audit’s effort in valuable, strategic, and risk-driven directions.</td></tr></tbody></table><p></p>Jane Seago1
Tools of the Tradehttps://iaonline.theiia.org/2017/Pages/Tools-of-the-Trade.aspxTools of the Trade<p>A​lthough the practice of internal auditing is more complex and the expectations of auditors greater than eve​r, the foundation of the profession — The International Professional Practices Framework (IPPF) — remains strong and continues to provide the foothold internal auditors need to be successful. <em>Internal Auditor</em>’s first issue of 2017 begins by considering what matters most to today’s organizations and then reminds internal auditors of the tools they should be using, like the IPPF, to ensure a consistent and professional approach to addressing those issues.<br></p><p>As author Jane Seago says in our cover story, <a href="/2017/Pages/Auditing-What-Matters.aspx">“Auditing What Matters,”</a> “in any business, time and resources are limited, and internal auditors who want to serve as trusted advisors to the organization must ensure their efforts provide maximum return on investment.” In other words, internal auditors need to make sure they are auditing the right things. “An initial key step in elevating to be a strategic partner is understanding the organization’s strategic mission, the objectives designed to accomplish that mission, and the metrics by which success will be measured,” says Luz Dary Bedoya Bedoya of Audilimited, Organización Corona in the latest IIA Global Perspectives and Insights report, Elevating Internal Audit’s Strategic Impact. <br></p><p>Basing their work on the <em>International Standards for the Professional Practice of Internal Auditing</em> is a must. However, in the 2015 Common Body of Knowledge report, Looking to the Future for Internal Audit Standards, only 54 percent of CAEs surveyed used all of the <em>Standards</em>, with 11 percent reporting they did not use any of the <em>Standards</em>. Although an improvement on the numbers reported in 2010 — 46 percent and 14 percent, respectively — the findings indicate internal audit has a ways to go. <br></p><p>I wonder, however, whether those who say they don’t use the Standards are actually following the guidance, but are unaware they are doing so. In <a href="/2017/Pages/Breaking-Down-The-Standards.aspx">“Breaking Down the Standards,”</a> Christine Hovious, director, IIA Global Standards and Guidance, acknowledges that “The phrase ‘conformance with the <em>Standards</em>’ can sound authoritative and overwhelming, suggesting a complex, resource-intensive effort.” But, she explains, conformance is much easier to achieve than many CAEs may believe. “In fact, numerous activities performed by practitioners likely conform with the <em>Standards</em> already,” she says. In her article, Hovious details the components of the Standards, breaking them down into bite-size, easily digestible pieces. <br></p><p>The remainder of the February issue delves deeper into the successful practice of internal auditing. From integrated audits, to ethical practice, to auditing governance, to incorporating the Core Principles of the IPPF into quality assessments, we’ve got you covered on what it takes to succeed in today’s organizations.</p>Anne Millage0
Diversity in Actionhttps://iaonline.theiia.org/2016/Pages/Diversity-in-Action.aspxDiversity in Action<p>​For any chief audit executives (CAEs) unsure of the need to embrace diversity in their teams, consider this: Diverse teams outperform non-diverse ones. According to data from management consultancy McKinsey, gender diverse teams outperform those lacking this mix by 15 percent. "If that doesn't get you on board with diversity and inclusion, then it might be time to rethink your approach to team management," says Kate Headley, director of talent management firm The Clear Company.</p><p>There are several ways that CAEs can take action to improve gender diversity in their teams. Linnea Texin, senior consultant at Corporate Citizenship, a management consultancy, suggests that firstly, CAEs should engage their teams to pinpoint the key issues that affect their ability to recruit, advance, and retain female talent, while also looking at wider, external issues, such as regional and industry trends.</p><p>Secondly, CAEs should ask key stakeholders — including executives, core team members, and customers — what key actions they feel the team should take to improve diversity. Thirdly, audit executives should set performance metrics and targets to check they are making progress. And lastly, the whole strategy should be well-communicated so that the whole team understands the rationale and is behind it. "More transparency helps build trust," says Texin.</p><p>Any successful approach to improving gender diversity will depend on attracting and hiring female talent, followed by developing, motivating, and retaining staff, says Patrick Voss, managing director at Jeito, a culture and engagement consultancy. Each requires a different set of activities to make it successful, says Voss — and he offers two simple options to help make it work.</p><p>"For those internal audit teams that are in-house and of a much bigger company, speak to the human resources team to see what initiatives they have in place to encourage greater diversity in the workplace. The chances are that a potential employee will be drawn by the company brand in the first place, so consider how the internal audit team can build on this."</p><p>Secondly, Voss advises asking members the audit team, as well as individuals outside the audit function, to describe the culture in three words. The response, she says, will help provide an idea of how internal audit is perceived. "Then speak to female colleagues and peers and assess their reaction to these descriptions," she adds. "If they suggest this sounds like an unappealing place to work, think about how you might shift this culture."</p><p>Stephen Frost, founder of Frost Included, a diversity consultancy, says that "gender bias" in departments and organizations can be reduced through conscious and more self-aware leadership, and through changes to the recruitment and appraisal processes. "A Harvard Kennedy School study found that a more diverse recruitment resulted when candidates were presented in groups, rather than one-by-one," Frost says. "Mixed interview panels are also important, and organizations like Goldman Sachs, Lloyds Bank, and KPMG now insist on at least one female executive in any panel when interviewing for senior-level recruitment," he adds.</p><p>Another method is to process applications and potential promotions purely based on skills and experience. Using a "name blind" policy will also help avoid discrimination not only by gender, but also by age, nationality, address, and any other information that has nothing to do with past successes and experience.</p><p>However, the key issue to improve inclusivity and performance within internal audit departments shouldn't necessarily be just about gender, Frost says. "For various complex sociological reasons you may also have women who actually manifest typically male attributes and attitudes, which is not the answer. Successful businesses need to create an environment that is genuinely diverse in its character and outlook, and it should challenge and counterbalance such stereotypical male values."</p><p>Experts also warn about confusing diversity with a "numbers game." Voss says that CAEs should not try to "set targets for target's sake." "Aiming for a 50/50 split is fantastic, but if it is unlikely to be reached, then aim for step-by-step increases that might be more manageable," he explains. "Think through where you currently are on gender balance and set yourself realistic targets based on the pool of talent you have access to and the marketplace."</p><p>Headley also says that it may be best to "forget about numbers" as they can "be detrimental to success." "In smaller teams, quotas can often be both harder to achieve and irrelevant in terms of the skills needed to carry out the job at hand," she says.</p><p>Research has shown that companies do not need to have a 50/50 split between men and women to achieve the benefits associated with gender diversity. In fact, The CS Gender 3000: Women in Senior Management, a 2014 report by financial services firm Credit Suisse, shows that even at the highest level of the organization, companies with just one female director achieved better share price performance than those companies without women during the previous six years. </p><p>"Embracing true diversity means focusing on the capabilities of the individual, rather than their gender, ethnic origin, social background, or any other demographic," Headley says. "This includes assessing a person's potential to develop the technical skills needed for the role, rather than their existing abilities. If your recruitment processes are inclusive, the by-product will be a truly diverse team."</p>Neil Hodge1
Top Articles of 2016https://iaonline.theiia.org/2017/Pages/Top-Articles-of-2016.aspxTop Articles of 2016<div>Last year we published nearly 150 articles on our website, in addition to our blogs and social media posts. Below are the year’s 10 most popular features, based on visits to the site.</div><div><br>Judging by the list, it’s clear that you, our audience, were especially hungry for perspectives on fraud-related topics. You also showed an interest in soft skills and ways to improve the internal audit function. Our annual feature on Emerging Leaders has historically been a top performer as well, and 2016 (see No. 2 spot) was no exception.<br></div><p></p><div><ol><li> <a href="/2016/Pages/Toxic-Leaders-Toxic-Culture.aspx">Toxic Leaders, Toxic Culture​</a><br></li><li> <a href="/2016/Pages/On-the-Rise-2016.aspx">On the Rise: 2016​</a><br></li><li> <a href="/2016/Pages/Getting-More-From-Interviews.aspx">Getting More From Interviews</a><br></li><li> <a href="/2016/Pages/A-Matter-of-Trust.aspx">A Matter of Trust</a>​<br></li><li> <a href="/2016/Pages/Proactive-Fraud-Analysis.aspx">Proactive Fraud Analysis</a><br></li><li> <a href="/2016/Pages/5-Steps-to-Agile-Project-Success.aspx">5 Steps to Agile Project Success</a><br></li><li> <a href="/2016/Pages/Fraud-and-Related-party-Transactions.aspx">Fraud and Related-party Transactions</a><br></li><li> <a href="/2016/Pages/Integrating-Key-Risk-and-Performance-Indicators.aspx">Integrating Key Risk and Performance Indicators</a><br></li><li> <a href="/2016/Pages/On-the-Hunt-for-Payroll-Fraud.aspx">On the Hunt for Payroll Fraud</a><br></li><li> <a href="/2016/Pages/Optimizing-Internal-Audit.aspx">Optimizing Internal Audit​​</a><br></li></ol></div><p><br></p>Staff0
The High-performance Audit Teamhttps://iaonline.theiia.org/2016/Pages/The-High-performance-Audit-Team.aspxThe High-performance Audit Team<h2>​What are the primary characteristics of a high-performing audit function?</h2><p><strong>Carawan</strong> Our profession has gone through a major transformation over the last decade. The nature of risk is increasingly global and interconnected, which means more is at stake than ever before. Audits of those gray areas such as culture and conduct are no longer a “nice to have” but a “must have” in any comprehensive risk-based audit plan. Stakeholder expectations are constantly changing, and regulators around the world continue to raise the bar for internal audit departments. The only constant in today’s audit profession is change, and a high-performing audit team is one that can constantly evolve to meet new challenges and seize opportunity.</p><p><strong><img src="/2016/PublishingImages/Larry-Harrington.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Harrington</strong> High performance teams understand the organization’s mission, strategy, objectives, and risks and provide insight and foresight to enhance the organization’s success. Further, they understand the importance of evolving risk management; it won’t matter if you are world-class if you audit the wrong things. They understand stakeholder expectations, think about implications across the enterprise, and are responsive to a business context broader than the boundaries set by the audit plan.</p><p>At Raytheon, in addition to hiring experienced internal auditors, we hire high-potential talent from every function within the company to enhance our collective knowledge of the organization.</p><h2>How can you ensure you’re recruiting high-performing auditors?</h2><p><strong>Harrington</strong> When business management believes we are a high-performing team, they see us as a talent pool for the organization and a key source to fill financial, operational, and IT positions in all functions. We measure, benchmark, and report our turnover into the business. Additionally, management willingly offers up its top talent to rotate through us because they see the unique value of that rotation. </p><p>We put our candidates through a comprehensive interview process focusing on competencies and results using behavioral interviewing techniques. Candidates are interviewed by multiple members of internal audit staff as well as leadership. We look for the best candidates regardless of background and education, and screen to ensure they are an appropriate fit for our high-performing team culture.</p><p><strong><img src="/2016/PublishingImages/Mark-Carawan.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Carawan</strong> When looking to recruit top talent, I think it’s important to enable flexibility in one’s organizational design. Just because there isn’t a role that is a perfect fit for an individual, any leader should be strategic and think about the future needs of the audit department and the organization, and where that person might fit in the future. From a more practical perspective, we follow a very thorough recruitment process when recruiting staff at Citi. This includes having diverse slates for open roles and multiple and diverse interviewers for each role, including audit-delivery and non-audit-delivery staff such as human resources professionals. We also test candidates against Citi’s leadership standards, looking at not only what candidates have achieved in their careers, but how. This helps ensure only the very best, high-performing candidates join the team.</p><h2>How can an integrated internal audit function boost performance?<br></h2><p><strong>Carawan</strong> The global and interconnected nature of risk means an integrated team is necessary to ensure top performance. A team that is made up of individual silos that do not proactively share information and check and challenge one another is ultimately a team doomed for failure. Communication and partnership are key in ensuring a team is looking at risk in a comprehensive, joined-up, and holistic manner.</p><p><strong>Harrington</strong> Interestingly, when internal audit boosts its own performance, it will also be in a position to boost the organization’s performance. The central ingredient is people. We start by understanding the challenges, risks, and concerns facing the organization and convert those issues into a formal hiring strategy to attract diverse candidates with skills to assist internal audit in those areas. We also have a formal learning strategy to enhance team member competencies. </p><p>CAEs must substantially increase the dollars invested in team learning. We also must require team members to meet the company investment with their own investment. Finally, leadership must create the right environment, reinforcing the speed at which the world is changing and the need for continuous improvement, all while challenging, recognizing, and rewarding team members. </p><h2>What soft skills are most important to audit performance and why?<br></h2><p><strong>Harrington</strong> These soft skills, not in order of importance, include: leadership; verbal, written, and presentation communication; diversity and inclusion; emotional intelligence; critical thinking; networking; listening and asking better questions; teamwork; negotiation; and adaptability. </p><p><strong>Carawan</strong> Soft skills are just as important as hard skills when I think of a successful auditor. Being able to communicate effectively with other team members and ultimately stakeholders is key to carrying out a successful audit. This becomes critical when an auditor needs to deliver a tough message to a stakeholder in a productive and constructive manner. Effective communication skills help stakeholders move away from thinking of audit as the “police” and instead consider audit a partner who is there to help them manage risk. </p><h2>What is innovation’s role in high-performance auditing?<br></h2><p><strong>Carawan</strong> A high-performing audit team is one that continuously evolves to meet the new challenges and seize the opportunities that arise from change. Within this context, innovation is of the utmost importance. Citi Internal Audit’s approach to auditing culture is a great example, as it demonstrates a direct response to a relatively new challenge facing the industry. Culture has long been on the corporate radar, but the financial crisis placed it front and center. With this spotlight on culture also came a need to assess its place within the control environment of financial institutions. Citi Internal Audit designed and rolled out a comprehensive approach to auditing culture in 2015. </p><p><strong>Harrington</strong> Innovation is key to high-performance auditing. The world is changing at light speed and that will accelerate going forward. Every business and industry is under pressure to reinvent itself annually. CEOs and boards look to internal audit to assist in streamlining complexity, process, controls, etc. They look to us to be experts in Six Sigma, lean, and data analytics to help them drive the competitive changes necessary to survive. Insight and foresight are critical to innovation as are the hiring strategy and the learning plans to ensure we have the competency to deliver innovative solutions that help the organization achieve its objectives. Finally, look for innovation and leading practices from other industries and businesses, not just your own.</p><h2>What is the biggest obstacle to high performance and how do you overcome it?<br></h2><p><strong>Harrington</strong> Complacency. We regularly benchmark against other global internal audit functions to learn leading practices and share those across our teams. We search The IIA’s website for thought leadership materials. We meet quarterly with all second lines of defense to share risks, trends, and leading practices. We have a continual risk assessment process and meet regularly with leaders inside and outside the company to keep abreast of risks.   </p><p><strong>Carawan</strong> The biggest obstacle to high performance is homogeneity. The day you have your leadership team sitting around the table with everyone nodding in agreement — you’ve got a problem. Every team needs constructive conflict to thrive. And this is not just limited to audit teams. Different opinions and views make us think, re-consider, and look at things from a different point of view. This is true at all levels of an organization. Leaders must foster an environment that welcomes constructive conflict, where staff feel like it is safe to speak up. </p>Staff1
Growth Through Challengehttps://iaonline.theiia.org/2016/Pages/Growth-Through-Challenge.aspxGrowth Through Challenge<p>​Nothing prepared Kayla Brown for her first audit road trip. After a steady diet of compliance work at Atlanta-based children’s apparel company Carter’s Inc., she was sent across the country to audit the operations of six of its California stores. She was 23 years old, traveling alone, and had never rented a car before. “Being on your first job,” she says, “it’s the little things that can stress you out.”<br></p><p>Once Brown arrived on the West Coast, she encountered some initial skepticism from store managers. Some thought she didn’t seem old enough to be auditing the businesses they had worked at for many years. Most of the audits went smoothly, but one store didn’t do so well. “Luckily, the store manager was good to work with, so it wasn’t a difficult conversation,” she says. “But it’s not great to be the bad guy. You want the business to get better and you want to serve as a partner.”<br></p><p>Despite Brown’s nervousness, the California audits were a great experience and a launching pad for her current career. Three years into her job, she has led Carter’s retail store audits throughout the U.S. and Canada. <br></p><p>Brown’s desire to be a business partner and her eagerness to learn are typical of young auditors entering the profession. Like Brown, challenges encountered during early audit assignments are often the fire that ignites successful careers at a young age. Some of <em>Internal Auditor</em>’s current and previous Emerging Leaders share their experiences.<br></p><h2>Into the Deep End</h2><p>Today’s young auditors reflect the profession’s growing emphasis on being multifaceted — no one’s going to confuse them with accountants. Some like Brown have emerged from universities with internal audit curricula, such as those that are part of The IIA’s Internal Audit Educational Partnership. Others have come over from external audit firms. Then there are those like Seth Peterson who fall into the job.<br></p><p>Peterson, assistant vice president and internal audit manager with The First National Bank in Sioux Falls, S.D., wasn’t looking to be an internal auditor — his interest was banking. A professor at Buena Vista University suggested he get a job as a bank examiner to gain a sense of which area of banking he wanted to pursue, but there weren’t any openings. After a stint in an operations job at another Sioux Falls-based bank, he applied for an internal audit opening that could give him the overall view of the bank that he wanted.<br></p><p>For Peterson, internal audit was a whole new world. He knew nothing about auditing, and he didn’t know what to expect. Yet, what initially was intended to be a short-term position quickly turned into a great career opportunity. “Everything about internal auditing was new to me,” he says. “I went into it with an open slate: I didn’t know what I was doing. I thought, ‘Let’s figure this out and shape what I want to do.’” <br></p><p>Those first audits were a trial by fire. His first bank had a series of frauds and control breakdowns. “It let me see when things go bad, how bad they could go,” Peterson recalls. Although the frauds were consumer-driven, the audits involved gathering facts from bank employees who were fearful that their mistakes might cost them their job. For a young auditor, they were tough conversations that involved balancing internal audit’s need to be objective with the interest to build trust with audit clients. “Looking back, I could have been better prepared and equipped to handle those interviews,” Peterson admits. <br></p><p>Such trials can be a great way to learn, as long as auditors aren’t overwhelmed by them, Peterson says. He credits his boss at the time, Joel Baier, with giving him feedback on his work and sharing his own experiences — and the mistakes he had made along the way. “What was most valuable to me was him sharing what didn’t work for him, what the mistakes were, and what he learned from that,” Peterson says. <br></p><h2>Prepared to Succeed</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Sound Advice</strong> <br>Emerging Leaders past and present offer some tips for new entrants to the profession. Their core message is simple: Master the soft skills.<br><br><strong>Get a Mentor </strong>New auditors can learn much from audit leaders and other experienced co-workers, including how to communicate with clients about sensitive issues and how to protect their independence and remain objective. “Whenever I had some issues or questions regarding internal auditing, Olga was there to help with advice,” says Maja Milosavljevic of her mentor Olga Antic. Sometimes the best mentors will come from outside the profession, such as audit clients, company executives, and board members. “In interacting with executives and board members, you’re learning from some high-powered and experienced people,” Derrick Li says.<br><br><strong>Build Relationships</strong> Interactions with audit clients are opportunities for internal auditors to demonstrate how audit services can provide value, Seth Peterson says. But to get to that point, clients need to see auditors as people. Peterson recommends breaking the ice by getting involved in company volunteering activities. “You’d be surprised by what you can learn about someone from volunteering with them,” he says. “They see you as something other than an auditor.”<br><br><strong>Learn From Mistakes</strong> For new auditors, mistakes come with the territory. A bad client meeting can serve as a teachable moment — so can feedback from superiors. Auditors can learn from mentors’ and audit leaders’ mistakes, as well. As Andrew Loyack of Ahold Delhaize says, auditors shouldn’t have to touch the stove to know they’ll get burned. Above all, be resilient, he advises. “If you get knocked down, pick yourself up and learn from your mistake,” he says. <br><br><strong>Network</strong> When she speaks to college students about the profession, Kayla Brown stresses the same thing: networking. She should know — she landed an internship through a contact of one of her professors. Brown’s boss at that internship referred her to a colleague who became her boss at Carters. “Even if you love your current job, you never know when your circumstances might change,” she says. Networking helps on the job, as well. Khristi Ferguson of AccuAccounts reached out to fellow internal audit leaders in other Caribbean countries to share challenges and to get advice. “That helped a lot, just getting started,” she says.</td></tr></tbody></table><p>Those tough early conversations have shaped how Peterson leads his current team at The First National Bank in Sioux Falls. There, his focus is on having audit clients see internal auditors as people — and vice versa — which “helps people open up and lets us do our job more effectively,” he says.<br></p><p>That’s a lesson Derrick Li has taken to heart over the years. Li is director of internal audit and performance improvement at Translink, the public transportation authority for the Vancouver, British Columbia, region. As a young auditor, “you have to go in with a customer-first mentality,” he explains. “Otherwise, you come in as young and inexperienced, and you’ll quickly be shown the door.”<br></p><p>Li learned to be client-centric when he worked for outsourced internal audit clients while he was at professional services firm BDO. Because most of their internal audits were one-off engagements, internal auditors needed to develop future business by demonstrating the value that internal audit can provide business units. It’s a mentality he took with him to future internal audit jobs. <br></p><p>Another lesson Li learned from his audit consulting days was the value of preparation. One of his first internal audits at BDO was a board governance review for a large public company that had received poor governance ratings. For this review, Li interviewed board members who were top corporate executives. These could have been daunting exchanges for a new auditor, but Li came in prepared to ask the right questions. “You may not know as much as the people you’re auditing, but doing that prep work and demonstrating that knowledge can go a long way,” he stresses.<br></p><p>Upon leaving BDO, Li became a CAE at a succession of public sector organizations in Vancouver, each one more complex and with greater operating revenues. Unlike many young auditors, he didn’t have a CAE to teach him the leadership ropes. In his current position at Translink, he’s the youngest member of a staff of eight internal auditors, and he’s instilled them with that twin focus on the client and being prepared. His team has moved from primarily conducting financial compliance audits to doing performance, risk, and even Lean Six Sigma engagements. “Audit clients will quickly see if you’re all talk,” he says. “You’ve got to demonstrate quickly that you’re able to deliver. And if you make promises, you’d better commit to keeping them.”<br></p><h2>Changing Mind-sets</h2><p>Developing those client relationships can be challenging for new auditors at a time when they are just beginning to develop their “people skills,” says Maja Milosavljevic, senior auditor with EY in Belgrade, Serbia. Starting her career at the National Bank of Serbia, she learned the importance of developing a strong network throughout the organization, as well as having a good internal audit methodology. She observed how her mentor, Olga Antic, organized audit engagements and approached audit clients. “From my first projects, I learned how complex and detailed the work of internal audit can be and how important it is to have a good audit methodology to rely on,” Milosavljevic says.<br></p><p>From Antic, she learned how to gain her clients’ confidence, even when they were sometimes afraid of being audited. And she learned fundamental principles of working — including the International Standards for the Professional Practice of Internal Auditing — that she applies today. One big lesson was how to maintain her independence and objectivity. Antic advised her that “there are no strict rules for every situation internal auditors may find themselves in,” Milosavljevic recalls. “It is up to me to find an adequate solution for every situation I find myself in to preserve my independence and objectivity.”<br></p><p>Antic encouraged Milosavljevic to obtain her Certified Internal Auditor designation, and after a year she moved on to Erste Bank, where she advanced to senior internal auditor before landing her current job this year. Still, Milosavljevic struggles to convince audit clients that she is a trusted adviser, rather than a controller, in a country where internal audit is still a relatively new profession. “Looking back, I wish I had known that the mind-sets of people could be changed,” she says. “I would advise my younger self to always be persistent and polite with people when trying to influence their mind-set, because it is a process that requires time, but gives long-term results.”<br></p><h2>Youth Takes the Lead</h2><p>Like Milosavljevic, Khristi Ferguson has had to win over audit clients early in her career, but sometimes she’s had to convince her colleagues, as well. After working in external audit at Deloitte and KPMG following graduation from college, Ferguson moved into internal audit when she joined The Bahamas government as an internal audit director.  <br></p><p>Government, with its entrenched bureaucracy and potential for corruption, turned out to be a particularly challenging first internal audit job. One of Ferguson’s first larger audits was an operational review of the general post office. There, she found hardly any controls in place, operations that were ad-hoc, and audit clients who didn’t understand their strategic direction and purpose, much less what the auditors were doing there. “I spent most of my time with management, assuring them that this is not a ‘gotcha moment,’” Ferguson says. Instead, she wanted to get an overall view of operations and advise management of the regulations they needed to follow. “Some didn’t even know those rules existed,” she recalls.<br></p><p>Despite her external audit background, there was a learning curve for Ferguson. The Bahamas government has 72 ministries and departments, all with diverse conditions. At times, she had as many as seven audits in progress, covering a range of industries such as aviation, finance, utilities, and transportation. For each engagement, she had to develop specific expertise quickly. “How are you going to become an expert in aviation if you have nothing to do with planes?” she says. “You’ve got to find those rules and regulations, and you have to become an expert overnight.”<br></p><p>Then there was her staff, which comprised a mix of veteran internal auditors and young auditors with little formal training. Ferguson arranged training quickly with help from The IIA. She also upgraded the department’s technology by adding data analytics software, and she drafted one of the auditors who had a technology background to become the department’s IT audit specialist.<br></p><p>Rather than focus on financial audits, as auditors had done before, Ferguson focused her department on operational reviews that would reveal problems and opportunities for improvement. Clients resisted at first, but she convinced some of them quickly once they saw that her department was uncovering issues that they could fix before they were found by the auditor general or external auditors. Others took more convincing. “Some were just staunch and didn’t want to hear anything,” she says. “And then when they saw the audit report, they said, ‘you were right.’”<br></p><h2>Onward and Upward  </h2><p>Ferguson and Milosavljevic are proving that talented auditors are increasingly in demand. For Ferguson, that has meant launching her own business, AccuAccounts, which provides internal audit and consulting services for small companies in The Bahamas. <br></p><p>Another auditor with a new job is Andrew Loyack, who recently joined Zaandam, Netherlands-based Ahold Delhaize, whose U.S. division operates supermarkets along the East Coast. It’s a chance to bring his internal audit skills to the retail industry after eight years in the financial sector with outsourced internal audit provider Financial Outsourcing Solutions (FOS). <br></p><p>Loyack’s first job was a natural progression after studying accounting and management information systems at Shippensburg University of Pennsylvania and interacting with internal auditors during internships. He was struck at first with how much the auditors interacted with clients. Being an outsourced internal auditor was unique in that Loyack worked with lots of different small community bank clients. “It was hard to keep track of all the contacts that I had,” he says. “It wasn’t just separate audits, it was separate organizations and risk appetites.” <br></p><p>Having so many diverse clients made communication a necessity. “It was daunting at first because I was communicating directly with C-level management,” he explains. “Getting to the point where I was comfortable approaching them with questions and concerns was something I would never have fathomed right out of college.”<br></p><p>Those early experiences taught Loyack the value of learning how his clients and co-workers prefer to communicate and learn. He also observed how his mentor at FOS, Lisa Steen, worked through issues with clients. Her best advice for Loyack was to “always maintain that professional, valued adviser position,” he says. <br>Loyack also took advantage of FOS expanding its use of internal audit technology to share his IT knowledge with co-workers. That knowledge-sharing mind-set follows Loyack as he enters the next phase of his career at Ahold, where he is an IT internal auditor. “The things I went through at my first job — the trouble I had where I could have communicated better or more frequently — are things that I already have in the back of my mind so I don’t have to fall into the same potholes,” he says. <br></p><p>It’s those early lessons and experiences that can shape young auditors professionally as they move forward in their careers. And that forward movement is a key point: Like their peers in other professions, today’s young auditors aren’t standing still. They’re eager for new challenges and new opportunities.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Digital Audit Natives </strong><br>Today’s young auditors are digital natives, so one expects them to be naturals with technology. That was true for Maja Milosavljevic — senior auditor with EY in Belgrade, Serbia — at her first job. “I was more advanced with technology than my more experienced colleagues,” she says. She recalls that the combination of her technology skills and her co-workers’ business knowledge strengthened the audit team. But “there could have been more technology at that time that would have made audit work even more efficient,” she says.<br><br>Auditors craving more modern audit technology don’t always find it smooth sailing. For Khristi Ferguson, who led an internal audit department at The Bahamas Ministry of Finance, it was a matter of work styles. Younger auditors preferred communicating by email. “Technology was more their friend than a foe,” Ferguson notes. The more experienced auditors would get in a car and drive to talk to someone. Ferguson had to bring both camps together so the newer auditors could share how to use technology in their audits and the veteran auditors could teach their new co-workers about the government. “Both sides saw value,” she says. “Did it mesh right away? No, not at all.”<br><br>Being adept with technology and helping co-workers get up to speed can help new auditors advance in their careers. In Andrew Loyack’s case, it led to a new job as an IT auditor with Ahold Delhaize, after working in an operations and compliance audit role at his former employer, Financial Outsourcing Solutions. When he started his previous job, originally as an IT auditor, most audits were done manually, but within three years, the audit function was strongly digital and looking to expand its data analytics capabilities. Loyack took a personal interest, developing a mind-set that he’s carrying over to his new position. “I’m a big knowledge-share person,” he says. “Even if I know something, I want to make sure everybody knows it.”</td></tr></tbody></table><p></p>Tim McCollum1
It's All in the Deliveryhttps://iaonline.theiia.org/2016/Pages/It's-All-in-the-Delivery.aspxIt's All in the Delivery<p>​If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a relationship. And it is often a thankless task. This was recognized at least as far back as Sophocles, who wrote in the tragic play Antigone almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”<br></p><p>Physicians — who are sometimes required to deliver worse news than most professionals ever will — often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families. They know that the message, itself, may be devastating, but how they deliver it can help the patient and his or her family begin to process it. <br></p><p>Internal auditors are in the fortunate position of not having to deliver news that is quite so shattering. Nevertheless, there is no question that certain audit observations can be difficult to convey and to receive. Learning how to prepare for and deliver such messages can create a better internal auditor.<br></p><h2>Laying the Groundwork</h2><p>Preparation to deliver difficult messages should begin well in advance, even before there is any bad news to deliver. “If the first time you see the client is to tell them about a problem, that in itself is a problem,” Theresa Grafenstine, inspector general of the U.S. House of Representatives in Washington, D.C., says. “At that point, you have no credibility in their eyes and they have no basis to trust you. You’ve created an uphill climb for yourself. However, if you’ve invested time in building a relationship before that difficult meeting, they’re more likely to listen to you because they’ll understand your values, intent, and motivations.”<br></p><p>Robert Berry, executive director of internal audit at the University of South Alabama in Mobile, points out that many audit–client communication missteps are due to internal audit’s mismanagement of the evolution of audit exception to issue. “Where most auditors fail is that they don’t bring management into the fold until an exception becomes an issue,” he explains. “We can’t afford to leave clients out of the process until the end.” <br></p><p>Berry’s solution is continuous communication via weekly updates to clients from the moment exceptions are noted. Communication starts at the lowest pertinent level in the organizational chain, with the person who owns the process that is under review, and his or her supervisor. Then, as the audit progresses, that upward reporting continues to the highest level of accountability for the issue. In his experience, this approach tends to engage clients in investigating the exception items and working with the auditor to determine if the exceptions are truly issues.<br></p><p>However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with fallout.<br></p><p>Being fact-based is the best approach, according to Alyssa Martin, partner in charge of Risk Advisory Services and executive partner at Dallas-based Weaver LLC. “Be fair and factual,” she says. “I find when those receiving the message typically become upset, it’s because they think they aren’t being looked at objectively. Focusing on facts helps with that.” <br></p><p>Before presenting to clients, internal auditors should ask others whose judgment they trust to review all the deductions and conclusions they’ve drawn on the facts to test whether their arguments hold up.<br></p><p>Rod Winters, retired general auditor for Microsoft in Seattle and former chairman of The IIA’s Global Board of Directors, suggests focusing on process as well as content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so the message is correct and complete. <br></p><p>Self-preparation involves considering the type of person who is receiving the difficult message and determining the best approach. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Martin’s company goes as far as to tailor its message delivery to personality preferences by using personality profiles like the DISC approach, which characterizes individuals as one of four types with a predominant trait: Dominance, Influence, Steadiness, and Compliance. The individual’s category tends to drive how he or she wants to receive information, interacts with others, and values things and people. When there is critical information that has to be understood and accepted, Martin considers tailored delivery critical.<br></p><h2>During the Discussion</h2><p><img src="/2016/PublishingImages/seago-what%20not%20to%20do.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:420px;height:627px;" />Once the groundwork has been laid, it’s time to have the discussion (see “What Not to Do” at right). If this part of the process is mishandled, it can render all the careful preparation moot, so it is important to remember to:<br></p><ul><li>Seek opportunities to balance the discussion by recognizing the processes that are working well and those areas that are not. </li><li>Offer to help or ask how you can help address the issues raised in the discussion. </li><li>Make it clear that you understand the client’s challenges. If feasible, suggest some possible causes for the problem; it may make the client feel better and enable him or her to focus on fixing the problem. </li><li>Maintain open body language, recommends Manny Rosenfeld, senior vice president of Internal Audit, MoneyGram International Inc., in Dallas. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward or it will seem extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, as long as the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm the situation are not successful, you might suggest a follow-up meeting for both of you to digest what was said and consider mutually acceptable options.  </li><li>Use self-deprecating humor, if it comes naturally to you. It can help defuse a sensitive situation.</li><li>Present the bottom-line message three times in different ways so people have time to absorb it.</li><li>Let the client vent. Berry warns against a tendency to interrupt the client’s remarks to “explain why we believe we are right.” He says allowing the client time to vent frees him or her to get down to business afterward. </li><li>Focus on problems with the process, not people problems. </li><li>Demonstrate empathy. Take time to think about what’s going through the person’s mind and help him or her think through the issue and how it occurred, what’s going to happen next, and how it will be resolved. Empathy can turn an adversary into a partner.</li></ul><p><br></p><p>“The goal is to get the problem fixed, not persecute somebody,” Rosenfeld says. “Let the client know that your main objective is not to make him or her look bad. You just want to help improve an important area for the company.”</p><h2>When It’s Not a Discussion</h2><p>By the nature of the job, internal auditors cannot limit delivery of bad news to face-to-face discussions; sooner or later, it must be delivered in written form, primarily via the audit report.<br></p><p>“If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake,” Berry notes. “Verbal updates are great, but periodic written updates go a long way.”<br></p><p>Once the report is in the client’s hands, many internal auditors offer the client the opportunity to request minor changes to the report, under strict conditions. Winters has done so, and explains, “I have great respect for operating management and the pressures it is under. I like to give them as much input into the report as possible, as long as it does not change the conclusion, blunt the clarity of the message, or deflect ownership of the issue.” Grafenstine echoes that approach, noting: “Auditors use certain terms so often that we become insulated against them. We forget it is possible to deliver the same message another way.”<br></p><p>That other way may involve minimizing the use of emphasizers in the report and verbally. For example, use “inacurate” instead of “very inaccurate” or “critical” instead of “highly critical.” Understatement can help keep emotional responses in check .<br></p><p>Many internal audit departments include a management response section in audit reports, even going so far as to help management craft the response based on internal audit’s understanding of the board’s perspective. This means focusing on what happened, what is going to be done about it and when, and how the board will know the issue is resolved. Working with managers on this part of the report may help them feel that their job is to resolve the issue, not fight it. <br></p><h2>Avoiding the Pitfalls</h2><p>Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results.<br>“Internal auditors are used to giving bad news and can become very good at it,” Martin says. “But it makes people uncomfortable, so the internal auditor, in turn, becomes uncomfortable.” She says the most common errors internal auditors commit in their communications arise as a result of their desire to avoid conflict and discomfort. The two errors she cites: softening communications (e.g., offering excuses for why the failure occurred and avoiding the tough, straightforward language that is needed to get a message across) and reading the written report to the client. “When you are reading, you are not communicating.”<br></p><p>Another area that can represent a pitfall is failure to keep the verbal report and the written report in sync. In the face-to-face meeting, it is human nature to be empathetic, soften the message, and smooth over some of the rough edges that are in the written report. However, this sort of softening in the meeting can make the written report, with all the direct language intact, an unpleasant surprise, and can cause the recipient to feel betrayed or tricked.<br></p><p>Grafenstine notes the difficult task of finding a balance between empathy and getting the message across. “My approach is not to beat around the bush,” she says. “Be direct, but not accusatory.” She also points to the importance of understanding the culture of the organization. For example, she notes, words that are perfectly acceptable in one place may not be so elsewhere. “In my case, a good example is the term ‘e-discovery.’ In most places it’s fine, but its potential impact on protections provided under Article 1 of the Constitution gives it a completely different meaning on Capitol Hill.”<br></p><p>Emotional intelligence — understanding how to read people and relate to them — also helps in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the so-called soft skills. Yet they are critical to the practice of internal auditing. <br></p><p>“In my experience, auditors rarely get in trouble over their technical skills because those are easier to master,” Rosenfeld says. “They get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done to help auditors with the equally critical soft skills.”<br></p><p>Watching a mentor deliver difficult messages or deal with emotional people is also an effective ways to absorb good practices. Role-playing of potentially troublesome presentations to a friendly group (say, the internal audit staff) is another way to exercise one’s skills. <br></p><p>Delivering bad news is largely a matter of practice and experience, and it’s not something internal auditors have the choice to avoid. As Winters explains, “At the end of the day, you need to deliver the news and ensure they understand it. But your underlying objective is to ensure the issue is remediated, the associated risk is understood and effectively mitigated, and you have built an appropriate relationship going forward so you can do your job objectively and effectively.”  </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Setting the Standard on Communications</strong><br>This excerpt from section 2400 of The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> addresses appropriate practices relating to communication. The newly revised version of the Standards, including the wording below, becomes effective Jan. 1, 2017. Refer to the Standards for additional detail.<br><br><strong>2400 – Communicating Results</strong> Internal auditors must communicate the results of engagements. <br><strong>2410 – Criteria for Communicating <em>International Standards for the Professional Practice of Internal Auditing</em></strong> Communications must include the engagement’s objectives, scope, and results. <br><strong>2410.A1</strong> – Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. <br><strong>2410.A2</strong> – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications. <br><strong>2410.A3</strong> – When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results. <br><strong>2410.C1</strong> – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. <br><strong>2420 – Quality of Communications</strong> Communications must be accurate, objective, clear, concise, constructive, complete, and timely. <br><strong>2421 – Errors and Omissions</strong> If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.</td></tr></tbody></table><p></p>Jane Seago1
Breaking Throughhttps://iaonline.theiia.org/2016/Pages/Breaking-Through.aspxBreaking Through<p>​What if you were told that gender diversity increases overall corporate revenue? In fact, a 2016 study by EY and the Peterson Institute for International Economics found that although female CEOs neither underperform or outperform male CEOs, an increase in the share of women in top management positions “from zero to 30 percent would be associated with a 15 percent rise in profitability.” And according to Ilene Lang, former president and CEO of Catalyst Inc., a nonprofit organization that promotes inclusive workplaces for women, “Research continues to show that diversity well managed yields more innovation and is tied to enhanced financial performance — factors good for all employees.” Yet, the number of women in leadership positions continues to significantly lag that of men. <br></p><p>I recently facilitated a session on the topic of women in internal auditing at The IIA’s International Conference in New York City. The session, Women Rising — Succeeding in Internal Audit and Leadership, was led by three female internal audit leaders: Jenitha John, CAE for FirstRand Bank in Sandton, South Africa; Bethmara Kessler, former CAE and now senior vice president, integrated global services, at Campbell Soup Co. in Camden, N.J.; and Dominique Vincenti, vice president, internal audit and financial controls, at Seattle-based Nordstrom. The conversations among the women highlighted that, although the skills needed by female and male internal auditors are virtually the same, women in the profession may face particular challenges.  <br></p><p>Follow-up conversations with the three women, as well as other experts in gender equality, point out the challenges women continue to face in working toward the C-suite. <br></p><h2>Lack of Support</h2><p>Not surprisingly, all of the 50 or so attendees at the IIA session were women, even though it’s been shown that women’s initiatives, to be successful, need the support of senior leaders, most of whom are men. According to Lang, “The preponderance of men in leadership means their efforts are necessary to advance change in the workplace.” Yet men are sometimes reluctant to participate in women’s initiatives, according to Engaging Men in Gender Initiatives: What Change Agents Need to Know, a Catalyst study by Jeanine Prime and Corinne Moss-Racusin. <br></p><p>One of the reasons is the erroneous belief that gains for women result in losses for men, known as a zero-sum mentality. Some organizations may inadvertently foster this mentality by focusing on individual performance and unduly increasing competition, rather than focusing on initiatives that raise corporate performance as a whole, according to the Catalyst study. <br></p><p>“Support from male leaders, in the form of mentorship (career advice and insights) and sponsorship (awareness and access to growth and visibility opportunities), is integral to our ability to systemically and sustainably impact the career progression of women,” Kessler says. “Helping them realize the impact their partnership can have on the success of female talent is an effective method for soliciting their involvement and generating buy-in.”<br></p><p>Encouraging sponsorship and deploying strategies to bridge the female confidence gap should be a key imperative for senior leadership, John adds. Leadership must support the unconscious bias dialogue among its workforce to tackle gender-conscious conversations, and have open and courageous discussions about the ways men and women can support each other going forward. <br></p><p>Adequately communicating the benefits that flow to everyone from diversity and inclusion is an important step toward achieving support for women in the workplace. Rewarding individuals who provide support for diversity and inclusion through acknowledgement and bonuses tied to overall performance can also go a long way.  <br></p><h2>Exclusion</h2><p>Another reason men sometimes don’t participate in women-focused initiatives in the corporate setting is because they are not included or encouraged to from the beginning. “Men should be enthusiasts for the achievement of gender equality and women’s rights,” John says.  According to Joelle Jay, an executive coach specializing in leadership development, women’s sponsorship programs must involve men and start with data to successfully show quantifiable results of moving women into leadership positions. Women’s initiatives “that aren’t backed by action amount to little more than the revving of an engine with the parking break firmly engaged,” Jay says. Mike Kaufmann, chief financial officer of Cardinal Health, was quoted in The Wall Street Journal saying, “If you want to change the numbers, you have to get men involved.” Kaufmann led the women’s network at Cardinal Health, and has won awards for his support of women in the workplace.   <br></p><p>“Early engagement, regular iteration of results (qualitative and quantitative), and celebrating and communicating successes can be effective in maintaining program support and momentum,” Kessler says. “It’s also a path to drawing in additional support. As word and visibility of the return on investment spreads, executives will want to be associated with business and talent impacting results.”<br></p><p>Ensuring that men play an integral part in the planning, and share in the success of women’s initiatives, are critical to achieving desired program goals. Champions of gender initiatives need to get and maintain active male support from the C-suite, and from all levels of leadership in the organization.  <br></p><h2>Apathy</h2><p>Men sometimes don’t participate in or support women’s initiatives because of apathy, according to the Catalyst study, or a sense that these issues don’t apply to them. However, the reason some men are advocates or champions for gender diversity is that they possess a strong sense of fairness. “Men who were committed to the ideal of fairness were found to have more personal concerns about issues of equality in general and were more aware of gender bias in the workplace and likely to take action,” according to the same study.<br></p><p>“At Nordstrom, we help men in the workplace connect with gender diversity challenges on a more personal basis,” Vincente says. “They have sisters, wives, or daughters and they care about their success.”<br></p><p>Kessler also says that finding a personal connection can be an effective method in combating apathy by helping men generate empathy and connect to the cause. “Do your research and engage him in conversation — does he have a daughter? A wife? Are there women who have played an influential role in his life?,” she asks.<br></p><p>The Gender Consciousness Program at FirstRand is sponsored by the CEO and deputy CEO. As John explains, “The ultimate goal of the program is learning enough about the differences between men and women to effectively access and connect with FirstRand’s talent across the organization. Part of that goal is embedding Stephen Covey’s quote, ‘Strength lies in differences and not in similarities.’”<br></p><p>Training, education, and communication on the causes of gender bias, and the positive reasons why some people do support diversity, inclusion, and fairness, are key to overcoming this misconception. <br></p><h2>Our Own Worst Enemy</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Breaking Boundaries</strong><br>International Conference attendee Johanna Salo, internal audit director at UPM in Helsinki, shares the top 10 lessons learned from “Women Rising — Succeeding in Internal Audit and Leadership.” These lessons are for anyone looking to break down gender barriers and succeed in his or her career.<br><br><ul><li><em>Be you.</em> Rather than adapt others’ expectations for your current role, be yourself. </li><li><em>Seize the moment. </em>While going with the flow, stay alert to understand defining moments in your life.</li><li><em>Integrate your life.</em> Internal audit is not a 9 to 5 job, so learning how to integrate your personal and professional life, by setting boundaries and priorities, is important.</li><li><em>Earn respect.</em> Politics are present in every company, so internal audit’s success often depends on sales and conflict management capabilities.</li><li><em>Stay behind facts.</em> Validate people, but stay independent and objective when delivering messages.</li><li><em>Be realistic and practical.</em> Remember to think critically and get to the root cause to make a difference.</li><li><em>Forget silos. </em>The best way to provide assurance is to have a holistic risk view of the organization.</li><li><em>Think context before issue.</em> Consider the magnitude of issues vs. overall context and related dependencies. Optimize efficiencies rather than pinpoint single deficiencies already known by management.  </li><li><em>Rethink reporting. </em>No matter what is intended in written communications, the reader may perceive it differently. Interactive issue remediation can go a long way to make sure you are both on the same page.</li><li><em>Aim at destination with gratitude.</em> Climbing the organizational ladder is often harder for women, so embracing each step with gratitude makes the journey more important than the destination.</li></ul></td></tr></tbody></table><p>Besides the lack of support from their male colleagues and male senior leaders, women are also holding themselves back. In a recently released Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Study report, Women in Internal Auditing: Perspectives From Around the World, women assessed themselves lower than men in the 10 internal audit core professional competencies: professional ethics; internal audit management; application of the International Professional Practices Framework; governance, risk, and control; business acumen; communication; persuasion and collaboration; critical thinking; internal audit delivery; and improvement and innovation.     <br></p><p>Particularly, women rated themselves much lower than men in internal audit management and business acumen. However, lest anyone jump to the conclusion that women are not as well represented in leadership ranks because they actually lack these competencies, consider that research has proven that women consistently rank themselves lower than men. <br></p><p>In fact, Stanford University sociologist Shelley Correll conducted a study where both male and female participants were required, in 20-item rounds, to determine how much white or black appeared on a screen to assess their “contrast sensitivity ability,” a completely fictional skill. Unbeknownst to participants, there were no right or wrong answers, as the amount of black and white were equal in all 20 rounds. However, men assessed their “contrast sensitivity ability” higher than women, and expressed an interest in pursuing a career requiring this ability more often than women.  <br></p><p>“Confidence is a critical, yet often underrated skill with women,” Kessler says. “They tend to believe they either have it or they don’t, which isn’t true. It should be practiced and cultivated along with resilience, which women are usually more apt to focus on.”<br></p><p>Helping women, and their male colleagues, understand that this phenomenon exists, as part of the agenda of a women’s support or initiative program, is a positive step in addressing this issue.  <br></p><h2>A Double Standard</h2><p>In a 2014 Pew Research Center survey on women and leadership, four in 10 survey respondents say that women must do more to prove themselves than their male colleagues. <br></p><p>“The double standard is tough,” Kessler says. “First, because it is a real and not wholly imagined phenomenon, but also because part of it is within our own minds. The first step in combating it is in realizing that you do not need to strive for perfection or absolute alignment to aim for or achieve goals — there are many roads to the same destination.”<br></p><p>One of John’s life mottos is, “Competence builds confidence.” She ventures into unchartered territories, learns as much as she can, and shares her wisdom and opinions. “I also complemented my audit career by becoming a nonexecutive director on boards, which didn’t go unnoticed,” she says. “Learning how to change setbacks into setups will help women overcome any obstacles along their journey.” <br></p><p>Quantifying the number of men vs. women promoted at each level, and setting goals to ensure equality in criteria and rates of promotion, is fundamental to resolving this issue.<br></p><h2>Gender Bias</h2><p>During the session at the International Conference, panelists John, Kessler, and Vincenti discussed another challenge women face: the motherhood penalty. Coined by sociology researchers Correll and Stephen Bernard, it implies that if two equal candidates are presented, the mother is less likely to be recommended to be hired, and would be paid approximately US$11,000 less in salary if she was. Other challenges faced by professional women include a clash of family and work priorities, stereotyping and bias caused by gender norms, lack of social connectivity or inclusion in networks, and lack of sponsorship or mentors. <br></p><p>These issues may be addressed through training, education, and communication; acknowledging that these issues exist; and appealing to all leaders’ sense of fairness to achieve resolution.<br></p><h2>Closing the Gap</h2><p>The CBOK study found that although women in internal auditing are making advances, there continues to be a gender gap, particularly in the more senior ranks. According to the study, women comprise 44 percent of internal audit staff, and only 33 percent of directors and senior managers.<br></p><p>Although some progress has been made in achieving gender diversity in the internal audit profession, in general, the pace has been slow. Initiatives to achieve gender diversity are key, as is tracking the quantifiable success of such programs, to addressing the gender gap. Finally, showcasing female role models in the internal audit profession, like Kessler, John, and Vincenti, may provide inspiration to those looking to advance their careers.  <br></p>Nancy Haig1
Client Feedbackhttps://iaonline.theiia.org/2016/Pages/Client-Feedback.aspxClient Feedback<p>​Feedback from clients can serve as validation of the auditor’s analysis of data, compilation of information, approach to the audit and observations, and acceptance of the recommendations.  <br></p><p>Auditors should seek feedback in a way that helps improve their audit performance. Feedback is more effective when it reinforces what the auditor did right instead of wrong, and it allows him or her to judge what needs to be changed during the course of the audit. Moreover, feedback is best when it relates to a specific observation, data analysis, or audit query; is timely; and is delivered appropriately. It should be to the point, constructive, and provide relevant details, as any gap will lead the auditor in an unwanted direction. <br></p><p>Though feedback can be given at any time, there are steps internal auditors can take to ensure that the feedback they receive is useful and constructive.<br></p><h2>Frequency and Stages of Feedback</h2><p>Client feedback can be given regularly during the audit or as requested by the auditor, and it is a normal part of any audit. Practitioners document client feedback and use it as a foundation for the next level ofn audit review or incorporate it into the audit report, itself. Useful feedback can help steer auditors in the right direction and increase audit effectiveness. There are several times when it is appropriate to ask for feedback. <br><br><strong>During the Opening Meeting</strong> The first step toward transparency and positive participation with the audit client is establishing clarity around the objective and scope of the audit, tentative duration of review, and initial records and details that are required during the kickoff meeting. The meeting gives the client an opportunity to raise questions and ask for clarifications, if any, from the auditor. It’s important that the client leave the meeting with a clear understanding of the process and realistic expectations so the audit starts off on the right foot. <br></p><p>When the auditor is explaining the objectives in the kickoff meeting, he or she also should reference how the reports or management requests will be used to review certain areas to gauge whether relevant processes or controls need to be strengthened. The client’s participation and feedback in this discussion will help finalize the scope of review and determine acceptance, ownership, and accountability.<br></p><p>Clients should recognize that their enhanced performance, through the auditor’s recommended corrective measures, will help in achieving their department’s objectives. So establishing an honest understanding of audit objectives and respective roles of auditor and client should take place before the start of the audit.<br><br><strong>During the Audit</strong> The auditor applies different approaches and techniques during the audit review and communicates verbally and in writing when an issue arises. The client’s responses, actions, reactions, and behavior are the kind of feedback an auditor should look for when the audit is being conducted. After explaining the scope and objective of the audit in the kickoff meeting, the auditor should ensure that the review is being conducted within the same scope, without any intention to find mistakes, errors, or fraud. <br></p><p>If the client feels any sense of negativity about the audit, he or she may withdraw and be reluctant to provide information or feedback. The end result may mean extra effort by the auditor, lack of confidence by the client in the audit process, and nonparticipation of the client in the process of improvement.<br><br><strong>Closing Meetings</strong> These meetings occur when the audit is drawing to a close and the observations, root causes, rating of observations, and corrective measures need to be finalized. The type of feedback will differ in content and style based on who the client is (e.g., department heads or executives).  <br></p><p>The details of targets and responsible staff are also discussed and finalized during this meeting. Getting feedback in the closing meetings should go smoothly if the auditor has been transparent in his or her approach to, and conducting of, the audit. To ensure useful feedback is received during this stage, auditors need to clearly present observations, explain the referenced documents and records, and make sure the supporting data analysis is understandable and relevant to the audit. <br></p><h2>Overall Feedback</h2><p>Though auditors get feedback at different stages of the audit, and from different levels of management, in many organizations clients provide overall feedback on the performance and value added by the internal audit function. After the audit report is finalized, the client may give feedback on the audit techniques used, the auditor’s understanding and knowledge of the area audited, and the auditor’s communication and presentation skills. The list of points for feedback can be elaborate enough to enhance auditor/client participation and, ultimately, audit effectiveness. Organizations may even require that the auditor rate different clients on defined criteria, which could include providing relevant records and details timely, and implementation of corrective measures as planned. <br></p><p>A post-audit questionnaire (see this sample <a href="/2016/PublishingImages/Pages/Client-Feedback/Client%20Feedback%20Questionnaire.pdf" target="_blank">Client Feedback Questionnaire.pdf</a>) can be given to the client to rate internal audit on the pre-audit kickoff interaction, the execution of audit review, and the finalization of review. Questions may include:<br></p><ul><li>Was the audit team considerate of issues raised by the client in deciding period of review and availability of staff and other resources?</li><li>Did the auditor have adequate knowledge of the processes, systems, and relevant controls of areas under audit?</li><li>Were observations supported with relevant detail and documents?</li><li>Were final observations well-presented and concluded with the concerned client?</li></ul><p><br></p><p>Honest feedback from clients can lead to improvements in the effectiveness of systems, controls, and governance. Internal auditors should consider the feedback and show a willingness to change in areas where improvement is needed, while being strong enough to stand by their assessments and findings.  <br></p><h2>Working Together</h2><p>Client feedback on different aspects of the audit sets a benchmark, or highlights the gaps, in management’s acceptance of internal audit performance. Clients expect to have the opportunity to give their perspective, a process that helps to gain their commitment in supporting audit activities and working with internal audit to achieve organizational goals. Adopting and implementing a collaborative approach to feedback and highlighting the aim of supporting clients in improving organizational performance ensures a positive experience for all involved. <br><br><strong><em>A version of this article first appeared in the December 2014 issue of </em>Internal Auditor Middle East<em>, the magazine of IIA United Arab Emirates. </em></strong></p>Lalit Dua1

  • MNP_Tech-Consulting_Feb2017_Prem 1
  • IIA COSO-OnDemand_Feb2017_Prem 2
  • IIA Quality_Feb2017_Prem3

 

 

Six Steps to an Effective Continuous Audit Processhttps://iaonline.theiia.org/six-steps-to-an-effective-continuous-audit-processSix Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audithttps://iaonline.theiia.org/blogs/chambers/2015/lessons-from-toshiba-when-corporate-scandals-implicate-internal-auditLessons From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z
Understanding the Risk Management Processhttps://iaonline.theiia.org/understanding-the-risk-management-processUnderstanding the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Managing an Internal Audit Career: How Do You Know When It’s Time to Go?https://iaonline.theiia.org/blogs/chambers/2015/managing-an-internal-audit-career-how-do-you-know-when-it’s-time-to-goManaging an Internal Audit Career: How Do You Know When It’s Time to Go?2015-03-30T04:00:00Z2015-03-30T04:00:00Z