Practices

 

 

A Standard of Performancehttps://iaonline.theiia.org/2018/Pages/A-Standard-of-Performance.aspxA Standard of Performance<p></p><p>Stakeholder pressure on internal auditors has never been greater. In today’s dynamic business world, internal audit is called on to ensure businesses around the globe conform to a wide range of legislation and regulation; to provide tactical and strategic insight and foresight into their organization’s performance; and to get ahead of the curve on emerging technologies and social trends. And, in fact, the list could go on. Professional internal auditing is based on The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>, which is part of the International Professional Practices Framework. Taken together, these guiding and mandatory principles provide internal auditors the tools to effectively serve their organizations and provide stakeholders confidence that their internal audit team is functioning at the highest possible standards of professionalism and skill. The <em>Standards</em> underpin the work that we do every day. Whether auditors are performing a basic audit, providing assurance, giving advice and insight, or doing a consulting assignment, they need to adhere to certain professional behaviors — just like those followed by doctors, lawyers, accountants, and others. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <style> p.p1 { line-height:12.0px; font:14.0px 'Interstate Light'; } p.p2 { line-height:12.0px; font:42.5px 'Interstate Light'; } p.p3 { line-height:12.0px; font:9.0px 'Interstate Light'; } p.p4 { text-indent:-12.0px; line-height:12.0px; font:9.0px 'Interstate Light'; } p.p5 { text-indent:12.0px; line-height:12.0px; font:9.0px 'Interstate Light'; } span.s1 { vertical-align:1.5px; } span.s2 { letter-spacing:-0.1px; } </style> <p> <strong>The </strong> <em> <strong>Standards</strong></em></p><p>The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> are principle-focused and provide a framework for performing and promoting internal auditing. The <em>Standards</em> are mandatory requirements consisting of:</p><p>Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.</p><p>Interpretations, which clarify terms or concepts within the statements.</p><p>Auditors must consider both the statements and their interpretations to understand and correctly apply the Standards. The Standards use terms that have been given specific meanings as noted in its Glossary.</p><p>The International Internal Audit Standards Board released a revision to the Standards, which came into effect Jan. 1, 2017. For the full text of the IIA Standards, visit <a href="http://www.theiia.org/standards" rel="nofollow"> <span class="ms-rteThemeForeColor-1-0">www.theiia.org/standards</span></a><span class="ms-rteThemeForeColor-1-0">.​</span></p></td></tr></tbody></table><p>Professional internal auditors must live and breathe the fundamental values enshrined in the <em>Standards</em>. Those values should be crystal clear to everyone in an internal audit function. The theme I’ve chosen for my term as 2018–2019 chairman of the IIA Global Board of Directors, “Emphasize the Basics — Elevate the <em>Standards</em>,” offers a fundamental way of both connecting with our stakeholders and providing the most solid, relevant internal auditing possible.</p><h2>Setting and Meeting Expectations</h2><p>The <em>Standards</em> provide consistency in audit practice, guarantee the quality of whatever audit assignment is undertaken, and help the chief audit executive (CAE) align stakeholder expectations with the actual services the audit function provides. Auditors may need to educate stakeholders about what to consistently expect from internal audit and then deliver it — a process the Standards greatly enable. </p><p>The <em>Standards</em> help ground the independent nature of internal audit as it operates as the third line of defense in conjunction with management and the various second line risk and compliance functions. Independence guarantees internal audit’s effectiveness. If there is uncertainty about the facts surrounding a particular initiative, for example, or different parts of the business are in dispute, internal audit can be relied on to provide an independent and objective view on the matter at hand. For example, I was recently involved in reviewing an integration project to bring two large organizations into one legal entity. Not only did the board’s audit committee ask internal audit to stay very close to the merger, but the regulator asked internal audit to keep it abreast of what was happening by bringing our independent view to the regulator on how the project was progressing. Both sides were concerned that certain controls may be overlooked, or not be established. Internal audit’s position of independence enabled us to provide assurance to both stakeholders and ensure that everyone had the same understanding of what was happening on the ground.</p><h2>Being in Conformance</h2> <p>Getting the basics right enables internal auditors to tackle emerging issues such as robotics and artificial intelligence from a position of strength. Audit functions that follow the <em>Standards</em> will be mature and have excellent connections throughout the business. Without this maturity, the audit function will be unable to respond timely to the rapid technological developments facing organizations. </p><p>According to The IIA’s rolling research project, the Common Body of Knowledge (CBOK), the percentage of CAEs who say that they are in full conformance with the <em>Standards</em> fluctuates. In 2005, 56 percent of CAEs said they were in conformance; this figure dipped to 42 percent in 2010 and then rose to 54 percent in the latest, 2015 survey. However one reads those numbers, they are disappointing, because in any one year only about half of CAEs are achieving what should be the basic professional requirement to operate as an internal auditor. </p><p>I am a qualified accountant in the U.S., and I cannot be a member of the American Institute of CPAs without complying with its rules and regulations. The same holds true of other professionals , such as lawyers and doctors. That is why, if we are calling ourselves a profession, my expectation — and that of many stakeholders — is that all internal auditors should be in conformance with the <em>Standards</em>. </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<p style="color:#222222;"><strong>The CIA Certification: The Mark of the Profession</strong></p><p style="color:#222222;">The Certified Internal Auditor (CIA) certification is the global designation all internal audit professionals should achieve. It represents our understanding and application of the Standards throughout our work, which helps our stakeholders better recognize the value the profession delivers to organizations. The CIA is the premier, globally recognized certification that enables professional internal auditors to rise above the rest and deliver on stakeholder expectations.</p><p style="color:#222222;">Recently, the CIA exam syllabi and topic areas were revised to bring the exams up to date with the current global practice of internal auditing, to clarify the knowledge and skills CIA candidates must possess, to create greater alignment between the CIA syllabi and The IIA’s <em>Standards</em>, and to refocus Part Three content on core skills.  </p><p style="color:#222222;">The purpose of the exam is to assess individuals who meet the requisite global competencies in current internal audit practice. There are three parts:</p><ul style="color:#222222;"><li>Part One — Essentials of Internal Auditing<br></li><li>Part Two — Practice of Internal Auditing<br></li><li>Part Three — Business Knowledge for Internal Auditing<br></li></ul><p style="color:#222222;"> <br>CIA candidates are expected to:</p><ul style="color:#222222;"><li>Possess current knowledge of The IIA’s Professional Practices Framework and demonstrate appropriate use.<br></li><li>Be able to perform an audit engagement with minimal supervision in conformance with the <em>Standards</em>. <br></li><li>Be able to apply tools and techniques to evaluate risks and controls.<br></li><li>Demonstrate knowledge of organizational governance.<br></li><li>Apply knowledge in business acumen, IT, and management needed for internal auditing. <br></li></ul><p style="color:#222222;"><br>Having the CIA certification conveys to our stakeholders that we mean business — and, importantly, that we have the competencies and skills to deliver on the purpose of internal auditing, to protect and enhance organizational value.​​</p></td></tr></tbody></table><h2>Obtaining External Quality Assurance</h2><p>The CBOK findings seem to indicate that internal audit leaders do not see the value of external quality assurance. In many organizations with small audit functions, stakeholders often are not as demanding, or not knowledgeable, about what internal audit does compared to an audit committee for a listed company where quality assurance reviews of internal audit are expected. However, to be a professional internal auditor, one must be in conformance with all of the <em>Standards</em>, including those on quality assurance, and that is much easier to achieve than people think. In the many quality assurance projects I have experienced, I have never seen a spectacular failure. </p><p>The bottleneck can be the quality assurance process, itself, but it need not be too onerous or expensive. CAEs can attend their local IIA chapters and find a suitable peer with whom to partner so they can reciprocally provide that service. There are plenty of resources that explain how to do this on The IIA’s <a href="https://na.theiia.org/Pages/IIAHome.aspx">website​</a>. My challenge to CAEs is to get an external quality assurance review. I can guarantee they will learn a lot about their function and come away with many tangible benefits. For example, if an audit function finds it has not done enough training, it can use the evidence from the quality assurance review to request funds from the board. The CAE can require everyone who is pursuing a career in internal auditing to sit for the Certified Internal Auditor (CIA) exam. </p><p>Also, a quality assurance review will flush out potential conflicts of interest in terms of independence. And it will help align the organization’s expectations of internal auditing with internationally recognized best practices, so that stakeholders can feel confident calling on internal audit for the right issues at the right time.</p><h2>A Unique Profession</h2><p>There is another reason my theme is “Emphasize the Basics — Elevate the <em>Standards</em>.” Internal auditing as a profession is truly global, and by following the Standards we set the benchmark for how the job should be done. Internal audit is practiced in similar ways regardless of industry, geography, size of organization, and whether it is for-profit or nonprofit. This is not the case in the legal or accounting professions, for example, where local laws and practices vary widely. </p><p>This is one of the reasons why internal auditing is important to me, personally. I am Japanese, but I’ve worked in the U.S., the Middle East, Asia, and Europe. Wherever I go, I can still practice my profession, speak to internal audit colleagues, and learn from what people are doing in various industries and regions. Those conversations have a direct relevance to me because the Standards enable us to speak a common language. </p><p>My first role was as an accountant, which I did not enjoy because I felt it encouraged me to share too narrow a view of the world. When I retrained as an internal auditor, I was amazed. Internal auditing entailed looking at an organization from end to end. CAEs have to see things through the chief executive officer’s or board member’s lens — without having to actually be in that role. That was — and remains — fascinating to me, and there is no other function in the organization that fulfills that role. </p><h2>Advancing the Profession</h2><p>My goal for every reader of this article, and the profession as a whole, is to put the <em>Standards</em> center stage of our efforts. My tenure as chair is a relatively short 14 months. I would love to see conformance with the Standards rise from 54 percent where it is today, to 75 percent during my tenure. That may be too ambitious, but I believe it is possible if we all work together. </p><p>You do not have to be a CAE to help in that process. If you are a junior auditor planning a career in the profession, take the CIA exam and do at least the recommended amount of training. Attend local IIA chapter events, get to know colleagues in different industries, and develop skills. If you are a CAE and have not yet had an external quality assessment — take the plunge. You will not only be doing yourself and your organization a great service, you will be helping to advance the credibility and effectiveness of the global profession. And that is something worth aiming for. </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p> <strong>​​The Chairman of the Global Board of Directors​</strong> ​</p><p>Naohiro Mouri is executive vice president and chief auditor of American International Group (AIG), a global property-casualty, life <br> and retirement, and general insurance company based in New York.</p><p>In a career spanning more than 20 years, Mouri has held several chief auditor positions. Before joining AIG, he was a statutory executive officer, senior vice president, and chief auditor for MetLife Alico Insurance K.K. Japan. He also led the audit departments at J.P. Morgan Asia Pacific, Shinsei Bank, Morgan Stanley Japan, and Deutsche Bank Japan. He began his career at Arthur Andersen in Atlanta and Tokyo.</p><p>Committed to supporting internal audit professionals, Mouri also has held numerous board and volunteer leadership positions at The IIA, including international secretary (2007–2008), vice chairman–professional development (2008–2009), vice chairman–professional guidance (2015–2016), vice chairman–professional practices (2016–2017), and senior vice chairman of the Global Board (2017–2018). He has been IIA–Japan director since 2003.</p><p>Mouri served from 2001–2006 as the first elected president of the Asian Confederation of Institutes of Int​ernal Auditors (ACIIA). ACIIA recognized him with its “Outstanding Contribution in the Field of Internal Auditing” honor in 2016.</p><p>Mouri advocates for the profession through IIA and other industry forums, and he has lectured at several universities in Japan, including the Meiji University Graduate Program for Professional Accountancy and Senshu University. Mouri co-authored Korega Kinyukikan no Naibukansa da (Internal Audit for Financial Institutions), which is available in Japanese and Mandarin.</p><p>Mouri, a Certified Internal Auditor and Certified Public Accountant, has a bachelor’s degree in accounting from Georgia State University.</p></td></tr></tbody></table><p></p> <style> p.p1 { line-height:12.0px; font:14.0px 'Interstate Light'; } </style>Naohiro Mouri0
"Trust Me," Said the Smiling Auditorhttps://iaonline.theiia.org/2018/Pages/Trust-Me-Said-the-Smiling-Auditor.aspx"Trust Me," Said the Smiling Auditor<p>​Buzzwords are fascinating creatures. They stampede their way into the lexicon like cavalry to the rescue, bludgeon us with constant overuse, and then become reviled as trite clichés used in lieu of actual thought. But closer examination reveals that buzzwords achieve their status because, at some point, they perfectly articulated some important concept. <em>Empowered, synergy, bleeding edge, think outside the box</em> — once meaningful concepts, they have become little more than collections of nonsense syllables.</p><p>Internal auditors are not immune. We are currently overusing an important phrase that, if we are not careful, will lose its power and be summarily dismissed into buzzword oblivion. And that would be a shame, because the phrase <em>trusted advisor</em> is extremely powerful.</p><p>Becoming a trusted advisor is a worthy aspiration. But the phrase risks beco​ming a hackneyed cliché because auditors have quit thinking about what the phrase really means. Sure, they understand the concept of <em>advisor</em>, but they lose sight of the key concept —<em> trusted</em>.</p><p>As IIA President and CEO Richard Chambers notes in his appropriately titled book <em>Trusted Advisors</em>, "trust is one of the most underused words in the internal audit vocabulary. … Rarely do we speak of whether [our stakeholders] should trust us."</p><p>Many auditors think that if they work on their relationship management skills and try to tell the truth, trust will follow. But trust is much more than building rapport and managing relationships.</p><p>Trust comes from actions, not words. It is what others see us do, what others discover we have done, and what others believe we will do. It comes from something as simple as meeting our agreed upon deadlines, and from something as complicated as having the integrity to report what is rather than what everyone wants to<br>hear. It represents the accumulation of activities that show we either back what we say or turn our backs on our promises, our clients, and ourselves.</p><p>Years ago I worked with an executive who I had known since we were both lowly supervisors. On one occasion, internal audit discussed the results of an audit with him and one of his directors, and the director argued every one of our points. Finally, the executive said, "I have worked with internal audit for years. If they say there is a problem, then there is a problem. I don't want to hear excuses; I want to hear how you are going to fix this."</p><p>Still, gaining clients' trust in audit work is only table stakes. Do clients trust your advice? That's a nice start. Do they trust you to be a part of the management and leadership team? Much better. Do they trust you enough to turn to you for advice every time something important is happening, confident that you will provide objective and independent information that will aid decision-making? If so, then you are truly a trusted advisor.</p>Mike Jacka1
Leading Toward Improvementhttps://iaonline.theiia.org/2018/Pages/Leading-Toward-Improvement.aspxLeading Toward Improvement<p>​Ongoing professional development is not an extracurricular activity; it is integral to ensuring auditor competency and a requirement for auditing in accordance with The IIA's Code of Ethics. Beyond that, professional development plays an increasingly important role in recruiting and retaining talent that can meet the future needs of the audit function.​ </p><p>According to The IIA's 2018 North American Pulse of Internal Audit report, "CAEs will not be able to hire their way out of [the] skills shortage. … CAEs that develop talent continuously and consistently can identify gaps, strengths, and weaknesses in the internal audit activity." The report adds that internal audit functions that make provisions for career development programs will not only help themselves in terms of skills inventory, they will have an advantage in talent recruitment, development, and retention as well.</p><p>While each auditor must take responsibility for his or her own professional development, audit managers can play a key role in ensuring the department receives the most value from these efforts and gives staff members the best chance for success. They can accomplish this by planning a coordinated approach to staff professional development, managing the development budget effectively, and cultivating a supportive culture that challenges individuals and rewards them for their efforts. </p><h2>A Coordinated Effort</h2><p>According to the 2018 Pulse report, "Professional development plans with specific annual targets and provisions for training help to ensure a high level of collective proficiency for the internal audit activity." Although resources are available to help with planning, such as The IIA's Global Internal Audit Competency Framework, each audit manager must document skills versus needs specific to his or her own organization. </p><p>Planning for certifications and training can follow a two-pronged approach: On one side, audit managers should assess the skills and knowledge the department needs to fulfill its mission; on the other, they should consider the training and development progression of individual employees. This exercise should reveal clues as to where to focus staff training efforts, helping answer questions such as:</p><p></p><ul><li>Where are there gaps? ("We need someone with the Certification in Risk Management Assurance and we don't have one; who would be the best person to pursue that?") </li><li>How should the talent pipeline be organized? ("We are going to need another Certified Internal Auditor on staff within the next year; should we train or hire?")</li><li>Where is there overlap? ("We have three people all working on the Certification in Control Self-Assessment; let's spread out.") </li><li>Where do resources need to be deployed? ("We have a senior person with a lot of certifications; let's have her focus on publishing and presenting so we can devote study, application, and exam resources to lower level employees.") </li></ul><p> <br> </p><p>To manage development efforts effectively, audit managers need to determine what kind of training employees want and then balance that input against the department's skill-related needs and budget. A brief, periodic email survey can be an effective tool for staying up to date on the teamwide training picture. For example, audit managers could ask: <br></p><ul><li>What are you working on now? </li><li>In the past three months, have you earned a certification, published something, given a presentation, taken on a board/committee/volunteer role, or done something else that we need to recognize and celebrate? </li><li>Do you know what the next step is in your training/development plan? </li><li>Are there any impediments —such as lack of funds, time, or training materials — hindering progress on your training/development plan? </li></ul><p> <br> </p><p>Job interviews, the onboarding process, performance reviews, and informal meetings also represent excellent opportunities to gauge what is important to employees, what they want to accomplish in their careers, and what types of training might help them meet those goals. Employees are more likely to remain committed to earning a certification if they believe they are helping both the team and themselves — that they are working toward bettering their future, rather than simply completing an assignment. </p><h2>Manage Costs and Stretch Resources</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​CPE Activities</strong></p><p> <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=5cd3ead6-ebc1-4e7c-811d-e0f38928c8ba" rel="nofollow"></a>According to Section 3.2 of The IIA’s CPE policy, in addition to formal educational programs, certified individuals may obtain CPE through a variety of qualifying activities, including:</p><ul><li>Passing examinations.</li><li>Authoring or contributing to publications.</li><li>Translating publications.</li><li>Delivering oral presentations.</li><li>Participating as a subject matter expert volunteer.</li><li>Performing external quality assessments. </li><li>Taking Internal Auditor magazine’s <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=5cd3ead6-ebc1-4e7c-811d-e0f38928c8ba"> <span class="ms-rteForeColor-8">CPE Quiz</span></a>.</li></ul></td></tr></tbody></table><p>Training and development can get expensive, but the audit department can make the best use of its professional development budget by taking advantage of cost-saving opportunities and by broadening its scope of learning activities. <em>Professional development</em> is sometimes used as a blanket term for passing certifications and maintaining them by earning continuing professional education (CPE) credits. Attending live seminars and purchasing online self-study courses are two of the most common ways auditors earn those CPEs. In addition to these methods, auditors can avail themselves of several other professional development resources. </p><p>First and foremost, auditors can take advantage of any free training and CPEs that align with their plan. For example, some professional organizations offer free webinars, and those free CPEs can add up to concrete savings by the end of the year. </p><p>Staff members also could volunteer to serve on an IIA committee, write for an industry publication, or conduct training courses and seminars. These are not only inexpensive ways to meet CPE requirements, they also serve as an effective means to promote continuing education and professional development above and beyond certification.</p><p>In addition to these approaches, audit managers can draw from a host of alternative resources and techniques. Each can be leveraged for training efficiency and cost savings.</p><p> <strong>Interdepartmental Learning</strong> Audit managers should consider sources for training from within their own company. Subject matter experts from other departments inside the organization can provide training on new technologies, business processes, etc., enabling audit staff members to better understand the business areas they audit. While internal training may or may not qualify for CPE, enhanced knowledge of the business will help improve auditors' confidence and enable them to offer more meaningful recommendations — making this highly valuable, and economical, training.</p><p> <strong>Intradepartmental Learning</strong> Managers can harness their own staff resources for budget-friendly training. For example, a staff auditor could be assigned to read a book from the Internal Audit Foundation and give a presentation to the team summarizing the book's content and its implications for the work internal audit does. This exercise not only adds new knowledge to the group, it also provides valuable public speaking experience and leadership training for the staff member — all at the mere cost of a book. Audit staff can also be a valuable source of experiential training. This is something the audit manager should consider as part of the overall professional development plan because certifications typically require some form of prerequisite experience. Job shadowing and working with more experienced auditors on a variety of engagement types can help auditors gain the experience they need to qualify for certifications.</p><p> <strong>Handing Down Knowledge</strong> Teamwork and collaboration also can help the audit department stretch its professional development budget. Mentoring, for example, can make the certification process more efficient. Auditors who have earned a particular certification can coach others seeking that certification, offering tips for taking the exam as well as advice on how to plan study time, how to navigate the application process, and which study materials are the most valuable (and least valuable). Passing down lessons learned like these can add up to large time savings, as opposed to having each new candidate begin the certification process from scratch. </p><p> <strong>Discounts and Group Savings</strong> Some organizations offer discounts on certification applications and exams at certain times of the year. The audit manager should incorporate these into the training plan so that auditors are working toward taking exams when they are the most affordable. </p><p>Auditors also can coordinate and save with group training opportunities, rather than having each staff member individually pursue certification and CPE. The IIA, for example, offers opportunities to obtain group savings on training courses. For events held by a local chapter, audit managers should always ask if a discount is available for group sign-up. Plus, some local chapters have funds available to provide assistance to members with costs such as conference travel and expenses as well as application and exam fees.</p><p> <strong>Training Library</strong> Finally, audit managers should consider creating a training library. The library can take on various forms (paper, digital, or both), and it should be available to any staff member seeking certification or training. This is the best way to economize the purchase of materials. Team members should not each buy the same training manual when they can plan ahead to stagger their study efforts and share purchased content. </p><h2>A Supportive Culture</h2><p>Even though professional development is vital to an effective audit function, auditors can easily get caught up in their day-to-day work and relegate development to the cracks in their busy schedules. Audit managers can take several steps to help staff members resist this inclination.</p><p>First, managers should devote actual work time and resources to professional development. As the 2018 Pulse report states, a supportive culture for professional development is critical. Successful audit leaders not only preach professional development and certification, they back it up with the support of work hours and funding. </p><p>Designating a professional development champion, in addition to the CAE, also can be helpful. The champion can assist the CAE with highlighting training opportunities, making sure team members who earn certifications are recognized, and connecting those seeking certifications with mentors who have already earned them. He or she also should be well-connected in the industry and thereby attuned to development opportunities, such as a chance for a junior auditor to volunteer on a committee, get a first speaking experience, or publish a first article.</p><p>Finally, the CAE and champion should work together to come up with ways to publicly recognize staff members for their professional development accomplishments. For example, whenever someone earns a certification, the champion could display the certificate in the office, ensure that it is mentioned in the department newsletter, and update the employee's business cards with his or her new designation. Whatever the method, accomplishments should be highlighted in some visible, lasting way. Recognition can be a powerful motivator, as it demonstrates to the individual that the department (and the audit leader) values and appreciates his or her effort. Moreover, it conveys to clients that audit personnel place a strong value and emphasis on professional development, and they possess the skills to not only do their jobs but to serve as leaders in their profession. </p><h2>Tools for Success</h2><p>Ultimately, successful management of professional development resembles successful management of any other business process. The audit leader must align the mission and values of individuals with those of the organization, plan wisely, give people the tools and resources they need, and keep them engaged and motivated by tracking their progress and celebrating their success. The reward for the audit manager who does this effectively will be a greater ability to recruit and retain talent and to grow that talent to suit the mission of the audit function. </p>Wade Cassels1
Disruptive Businesshttps://iaonline.theiia.org/2018/Pages/Disruptive-Business.aspxDisruptive Business<h2>​What are the disruptions facing today's businesses?</h2><p><strong>HARTKOPF</strong> In today's transformative age, businesses are being disrupted from every angle. With changes to global laws and regulations, organizations are challenged to rethink how they comply. In addition, volatility in the global economy may be impacting companies' bottom lines. Paired with these shifts, sectors are also converging at lightning speed — creating new risks and opportunities for businesses in every industry. In the global digital world, digitally enabled companies have a competitive advantage over traditional industry incumbents. As companies move into new sectors and digitally native businesses dominate, acquisitions and divestitures are reshaping the focus and makeup of businesses. Big data is moving beyond being just a buzzword, and business leaders are using data to drive competitive insights and make big moves. Even the consumer is changing. With more access to information and the internet at everyone's fingertips, preferences and expectations are not what they used to be.</p><p><strong>SHRINER</strong> Businesses are facing more fundamental uncertainty than at any time since World War II. Technology and automation are reshaping and, in some cases, replacing jobs in customer service, and with the advent of artificial intelligence (AI), even roles that require decision-making skills are under threat. The nine-to-five model, itself, is being challenged by the gig economy, with work "paid by the hour" replacing the daily effort of the long-tenured employee. The knowledge worker is being replaced by the data worker, developing and feeding the algorithms that make the predictions that drive an increasing number of daily experiences. Meanwhile, a war for data is being waged, with the spotlight on social media and technology companies. The internet's long memory of user interests — cookies — and the companies that monetize personal information are being challenged by the "right to be forgotten" and other data protection principles from regulators and from a concerned public. This war will intensify and be waged across countries with different social norms and legal frameworks. Within this environment, managers must motivate and direct, deliver products and services, and make plans for the future.<br></p><h2>What are the risks posed by disruption?</h2><p><span><span><strong><img src="/2018/PublishingImages/Rick-Shriner_70x70.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />SHRINER</strong></span></span> All businesses run the risk of failing to define and respond to competitive pressures or market needs. The dominance of technology mega companies will keep many established industries on their toes. Who thought that an e-commerce company would buy a premium grocery store chain? Further, an increasingly mobile workforce in a tight labor market means less innovative companies may be starved — or bled —​ of high performers with next-generation skills. In many respects, business disruption is a war for talent.</p><p><span><span><strong>HARTKOPF</strong></span></span> It's important for businesses to continue to change and constantly innovate. Maintaining a status quo business model without regard for external influences — legal/regulatory, competitor, economic, technological — will put businesses at a disadvantage in the marketplace and potentially result in losses or penalties. Organizations that do not embrace new technologies — AI, robotics — will not be able to compete in the global digital environment. The additional challenge is that these new technologies may create an even larger talent gap as existing employees may not be best positioned to address them. It's important for companies to understand the potential impact of these risks and the influence of other external forces as they could negatively affect business outcomes.<br></p><h2>How can organizations prepare for the new ways of working that go with business transformation?</h2><p><span><span><strong><img src="/2018/PublishingImages/Lisa-Hartkopf_70x70.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />HARTKOPF</strong></span></span> Organizations need to constantly update their strategic objectives and communicate them broadly. Embracing new technology can be a first step in transforming your busi​ness model, driving growth, and increasing efficiency. At the core of this transformation is the need to stay true to your business objectives, increase the company's agility, and establish a flexible model to help facilitate quick responses to external shifts. Perhaps the best way to prepare for new thinking is by tapping the right people for your business. Organizations need to place an emphasis on not only attracting, retaining, and advancing diverse talent, but also adopting a flexible workforce model that enables a business to engage the right resources, at the right time, and in the right place.</p><p><span><span><strong>SHRINER</strong></span></span> Going on the offensive begins with understanding where your operations might be vulnerable. Companies are identifying specific areas of excessive complexity, lag, or cost in their operations, be it in supply chains, sales channels, customer engagement models, or back-office processes. Doing so gives organizations a glimpse of where operations may be most impacted by disruption — positively or negatively — and enables an evaluation of responses. But that's only part of it; companies will require great vision, adaptability, and commitment to allocate key talent and resources at the expense of shorter term value. Most companies are viewing these modernization efforts as a multiyear journey.</p><h2>How can internal audit be involved in efforts to address disruption?</h2><p><span><span><strong>SHRINER</strong></span></span> Internal audit needs to be involved in its company's commercial activities, which will be most impacted by disruption from new regulations, technologies, or competitors. For example, helping navigate new data privacy law implications of acquired customer information is not only risk mitigating, but also incredibly helpful to the business' future acquisition strategy. Internal audit needs to ask itself, "Are we close enough to the sources of disruption?" Second, given the impacts of disruptive technologies will be profound, many internal auditors aren't waiting around to be surprised by the changes. They are talking to AI, automation, and data visualization companies now, often piloting the technologies, themselves, and facilitating business adoption along the way. Little of this happens, however, without an accommodative company culture.</p><p><span><span><strong>HARTKOPF</strong></span></span> Internal audit is in a unique position to address and facilitate business disruption. The team should be actively involved in discussions concerning the organization's strategic plan — including objectives around strategic transactions such as acquisitions, divestitures, major system implementations, joint ventures, and alliances. In driving an organization forward, internal audit can coordinate frequent enterprise risk assessments to stay ahead of external forces and provide timely insights developed during reviews that focus on emerging risks. Internal audit should keep a finger on the pulse of changes occurring in the marketplace and conduct benchmarking to help management anticipate the impact on the organization.</p><h2>Does internal audit need to disrupt or transform itself?</h2><p><span><span><strong>HARTKOPF</strong></span></span> Internal audit has been "transforming" incrementally over the last 20 years, but these changes haven't been disruptive. To keep pace with the changes affecting the business and provide forward-looking insights, internal audit will need to make some overarching changes, including: </p><p></p><ul><li>Redesigning the operating model to be more flexible, timely, and focused on the risks that matter.</li><li>Understanding and embracing new technologies.</li><li>Tapping a flexible workforce model to deliver the most appropriate knowledge, experience, and skills.</li><li>Coordinating more effectively with the first and second lines of defense by having them embrace responsibility for initial validation and control monitoring, respectively. <br></li></ul><p><br></p><p><span><span><strong>SHRINER</strong></span></span> Let's face it: The business of internal audit is being disrupted in much the same way as companies overall. The next five years will present more change to our profession than did the past 15 years. Hints of those changes are evident today. For example, it's common to see internal audit functions comprising 10 percent to 20 percent "data people" in addition to accountants or IT specialists. These percentages will increase. The tools of our trade are rapidly evolving. It may not be long before data visualization tools eclipse PowerPoint for communicating audit results. Auditors will need to learn to detect process deviations or control issues from the output of automation tools or bot algorithms.</p>Staff1
Beneath the Surfacehttps://iaonline.theiia.org/2018/Pages/Beneath-the-Surface.aspxBeneath the Surface<p>​After wake-up calls from a long list of organizations — including Volkswagen, FIFA, and Wells Fargo — some observers might expect significant progress by now in addressing culture-related issues. But instead, high-profile cultural failures continue to plague the corporate landscape as the list of examples keeps growing.</p><p>Internal audit has a critical role to play in identifying and assessing problems with an organization’s culture. Through a barrage of webcasts, presentations, and publications, most internal auditors are likely now attuned to the importance of examining this aspect of the organization. By now, practitioners should be aware that:</p><ul><li>Culture is a critical component of organizational governance and often the root cause of significant issues.</li><li>Culture is not defined by documents and processes, but by employee perceptions and how things actually get done in<br>an organization.</li><li>There is no single culture in an organization, but a complex weaving together of multiple layers involving a tangled undergrowth of subcultures.</li><li>There is no single right culture — optimal culture varies depending on the organization.<br></li></ul><p><br></p><p>Still, many internal auditors have difficulty getting started with cultural audits, finding the subject matter hard to manage. Practitioners need to dig deep into this topic, well beyond the superficial mantle, and understand what to examine — as well as approaches to avoid. Stakeholders must have an accurate assessment of culture before damaging issues erupt in a torrent of organizational harm.</p><h2>Weak Audit Evidence</h2><p>Auditors like hard evidence, such as written approvals, formal contracts, and documented transactions. Hard evidence is objective, and typically it can be gathered by less experienced auditors and interpreted quickly. </p><p>In terms of auditing culture, hard evidence often relates to items such as:</p><p></p><ul><li>Communications from the C-suite on ethics — whether communications cover the important aspects of behavior and ethics and are sufficiently frequent.</li><li>Ethics policies — whether policies are formalized, supported by training, and understood by</li><li>the employees.</li><li>Hotline calls — the number of calls, the policies on how calls are addressed, and evaluation of whether calls are addressed correctly.</li><li>Turnover statistics — average sick time, rate of employee turnover, etc. </li><li>Compensation programs —whether the programs are designed to reward the right behaviors and avoid incentivizing undesired behaviors.</li></ul><p><br></p><p>These areas, and the hard evidence that can be obtained about them, certainly support culture. But even when programs and policies are in place and operating effectively, culture can still be a problem. Focusing on these aspects of culture is at best incomplete, and it could be misleading. </p><p>Culture is not primarily a set of policies and programs — it is defined through how employees behave in their day-to-day work. Expertly auditing and obtaining hard evidence has value, but it does not enable auditors to peel back the exterior of an organization and see what is really happening inside. Even surveys, though useful, provide limited insight on organizational culture (see “What About Surveys?” at right). Hard evidence cannot stand on its own and needs to be supplemented.</p><h2>Stronger Audit Evidence</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​What About Surveys?</strong></p><p>Client surveys might be convenient and produce hard data, but are they useful in auditing culture? Consider these observations:</p><ul><li>Culture-related issues that are significant enough to cause serious damage to an organization do not need to be widespread. A serious cultural issue that results in bribery in a foreign country, sexual harassment, or altering the accounting numbers in a noticeable way can occur in an isolated group of the organization because of a subculture unique to that group. Knowing that 99 percent of employees have not seen an incident of bad behavior is not helpful in detecting this type of issue.<br><br></li><li>"Do senior executives keep their word?" is a question that may often be found in employee surveys related to culture. While this seems like a useful question, is it asking about all executives or excluding the one rogue executive? Does it encompass any kind of issue or only important ones? Does it apply to the last quarter or the last 10 years? An employee taking the survey likely does not have enough context to know how to answer, and the responses yielded will probably provide little useful information to the organization. Most survey questions seem to ask for responses in normal circumstances, for most employees, on average. This information will not identify a specific problem in a culture.<br><br></li><li>Suppose employees observe an aspect of culture that is toxic. They may feel powerless to address it without jeopardizing their job. They may believe that if managers were truly concerned with culture, they would not have allowed this situation to persist. Upon receiving an employee survey from human resources, will they be motivated to answer the survey honestly? Aren't those caught in a toxic culture the ones who might hesitate to answer honestly, fearing their responses may not be anonymous?</li></ul><p><br></p><p>Surveys can be useful, but they shouldn't be a primary source of evidence on culture. Although surveys can highlight certain issues and messages, they don't necessarily identify all important cultural issues. In this sense, surveys can provide a false sense of accomplishment and potentially neglect to identify hidden issues in culture. <br></p></td></tr></tbody></table><p>When considering audit evidence about culture, internal auditors may want to envision a volcano — where, buried deep inside, lava and gases are collecting and could erupt from the earth’s crust without warning. A volcano serves as an apt metaphor for how culture operates in an organization. On the outside, even when an eruption is imminent, everything might look fine. The form appears normal, the exterior is solid, and while a few small vents may show smoke, no major issues are evident.</p><p>Likewise, based on a surface-level assessment, the board and top management may conclude the organization appears sound. However, the effects of a toxic culture can be bubbling deep inside, and eventually an eruption occurs that no one seems to have predicted. A problem remained buried in the mountain that could have been identified or predicted, yet no one uncovered the truth and brought it to light.</p><p>How can internal auditors help prevent, or at least caution about, the next eruption? Perhaps more importantly than looking at the organization’s structures and foundation — the top-down, hard evidence — they need to get inside to see whether an eruption may be close at hand. A volcano contains a great deal of soft evidence, though examining these areas can be uncomfortable and somewhat risky. Diving deep into the organization to examine culture is the only effective way to perform the role required of internal auditing.</p><p>Where and when do auditors gather this soft evidence? Everywhere and all the time. Internal auditors do this primarily in two ways: as part of every engagement, and during their informal interactions with clients.</p><p><strong>During Every Audit</strong> Internal audit projects provide an opportunity to get out of the office and engage directly with employees at all levels of an organization. Internal auditors should use this opportunity. Although focus groups and structured interviews can be somewhat helpful, they are artificial devices — participating in a prearranged session with an agenda, facilitators, note takers, and overseers is not the same as going about daily activities. Evidence pertaining to culture will more likely be identified after building relationships with audit clients and observing how they operate. On this foundation, culture will reveal itself to practitioners as they ask themselves several questions: </p><p></p><ul><li>How does management engage with the internal auditors? Throughout planning, fieldwork, and reporting, is management supportive of the audit or does it exhibit reactions ranging from dismissiveness, to a lack of responsiveness, to outright interference with the engagement?</li><li>Does management’s style and approach foster the right mindset among employees in the group being audited? Does management reward the right behaviors? Does it communicate effectively and demonstrate transparency? Is it open-minded and accepting of new ideas? Do its actions reinforce that the end does not always justify the means?</li><li>What is the tone of the employees in the area audited? Are they positive, supportive of management, and focused on the best interests of the organization? Do cliques exist within the group that hinder its success? Has groupthink so overtaken them that important ideas or concerns cannot be expressed?</li><li>Are the core values of the organization expressed in what internal audit has observed? Most organizations adopt values around respecting people, doing the right thing, working collaboratively, or similar objectives. Do employees and management exhibit these core values throughout their activities, or are they all too willing to ignore them as they pursue alternative motives? </li></ul><p><br></p><p>Beyond these topics, potential issues identified during an audit project need to be closely analyzed for their root cause. In fact, finding root causes related to culture is common. Given how frequently significant issues arise from toxic cultures, every audit issue should be examined to determine whether culture is part of the root cause.</p><p>One option to more formally bring culture into focus on audits would be to require the internal audit team to assess culture on each project. Initially the team may find this effort difficult, as evaluating all aspects of culture effectively takes experience and insight. The process is best learned through practice. Requiring a cultural assessment on each audit forces the practice, enables full consideration of different team members’ perspectives, and helps build higher level observations on culture. If the team members on an audit project have insufficient experience auditing culture, their assessment does not need to be shared with client management. Audit managers can conduct the process strictly as an internal exercise until the team has gained the requisite level of competency.</p><p> <strong>While Walking the Hallways</strong> One of the major advantages of an internal auditor versus an external party is the ability to gain insight about the organization every day, from multiple angles. Internal auditors converse with all levels of employees as part of formal meetings, email exchanges, and even impromptu discussions in the hallways. They should use these interactions to gather evidence on culture, such as what is valued, what is rewarded, who is favored, and how problems are viewed. Moreover, effective internal auditors establish themselves as objective, unbiased professionals. In this capacity, employees will seek out the internal auditor to discuss their concerns and observations, providing further opportunity for cultural insight.</p><h2>Pulling It All Together</h2><p>Whether through audit projects or walking the hallways, internal auditors should stay continually attuned to key audit evidence that may provide information on the organization’s culture. Throughout the process, practitioners need to remember that a volcanic eruption caused by toxic culture is usually not an immediate event. Instead, it builds over time, accompanied by numerous causes and indicators.</p><p>Auditors need to stop the frantic pace of simply completing audit projects and consider what they observe in the different cultures present in their organization. Soft evidence on culture is not captured on a single audit, in a single way, through a single process. But when cumulative evidence is aggregated, internal auditors should have enough evidence to assess culture. They just need sufficient experience, understanding, perspective, and potentially courage to pull it all together and determine what it means. That is the nature of auditing culture. <br></p>Doug Anderson1
Tailoring IPPF Implementationhttps://iaonline.theiia.org/2018/Pages/Tailoring-IPPF-Implementation.aspxTailoring IPPF Implementation<p></p> <p>A fundamental challenge of today’s chief audit executive (CAE) is matching internal audit to the needs of the organization and the expectations of internal audit’s key stakeholders. While there is one International Professional Practices Framework (IPPF) and one <em>International Standards for the Professional Practice of Internal Auditing</em>, internal audit functions vary in their practices and level of development across organizations. A primary role of the CAE is to tailor the application of the IPPF to the organization, taking into account its unique needs and environment and knowing how to leverage a maturity model view of the IPPF and <em>Standards</em> in striving for internal audit excellence.</p><h2>A Living Framework </h2><p>​One of the strengths of the IPPF is the principles-based nature of the <em>Standards</em>. Being principles based allows organizations of different industries, sizes, and locations — with varying governance models and stakeholder expectations — to apply the same set of standards. The principles-based nature of the <em>Standards</em> also helps add clarity and consistency, while still being relevant and adaptable to evolutions in society and in the organizations internal audit serves.</p><p>In 2015, the IPPF received significant enhancements that improved its ability to serve as a tool for internal audit functions to take their practice to higher levels of effectiveness and provide even greater value to their organizations. Two noteworthy changes are:</p><p>Creation of the 10 Core Principles for the Professional Practice of Internal Auditing, which, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all principles should be present and operating effectively. However, with the release of these Core Principles, The IIA also recognized that how an internal audit function demonstrates achievement of the Core Principles may differ from organization to organization. </p><p>Implementation Guides and Supplemental Guides moved from “strongly recommended” status to “recommended” status, adding further flexibility to the IPPF for practitioners. </p><p>The ever-evolving nature of the IPPF gives practitioners the flexibility they need to align to the unique needs of the organizations they serve. The IPPF’s various layers also provide practitioners with a framework they can use to continually integrate new methodologies, tools, resources, and practices to further mature their performance.</p><h2>A Maturity Model View </h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Examples of Successful Uses of Maturity Models​</strong></p><p> </p> <ul><li>The IIA’s Internal Audit Capability Model for the Public Sector <br></li><li>The Internal Audit Maturity Assessment – previously maintained by The IIA Quality Services Department<br></li><li>IIA Path to Quality Model<br></li><li>IIA Practice Guide, Process Capability Maturity Model<br></li><li>IIA Practice Guide, Compliance and Ethics Program Maturity Model<br></li><li>The ISACA COBIT 4.1 Model<br></li><li>The RIMS Risk Maturity Model<br></li><li>Software Engineering Institute Capability Maturity Models<br></li><li>International Organization for Standardization and the International Electrotechnical Commission’s ISO/IEC 15504​<br></li></ul></td></tr></tbody></table><p>When looking at internal audit’s conformance with the <em>Standards</em>, many practitioners and stakeholders at first may think of it as a binary exercise — either being in conformance or not. Perhaps this is natural given the external quality assurance and improvement assessment’s common ratings scale of “generally conforms,” “partially conforms,” and “does not conform” are widely recognized. </p><p>Practitioners should look at using the IPPF and the <em>Standards</em> as part of a journey toward greater maturity and continuous improvement. Such a continuous improvement view is consistent with the IPPF, which includes in the <em>Standards</em> the assertion that quality is not only about assessing quality at one point, but also about improvement, as outlined in Standard 1300: Quality Assurance and Improvement Program. A maturity framework approach allows practitioners to assess the audit function’s implementation of the IPPF to continually improve audit practice. </p><h2>Maturity Model Structure</h2><p>Many organizations have used maturity models to assess and help bring continuous improvement. The IPPF, itself, includes guidance on the use of maturity models, including The IIA’s Practice Guide, Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements. Based on review of other maturity models, the following categories are proposed for use in the model for applying the IPPF: Level 5 – Optimized, Level 4 – Managed, Level 3 – Defined, Level 2 – Repeatable, and Level 1 – Initial/Ad hoc. </p><p>It is natural to ask how these levels align with the category of general conformance to the <em>Standards</em>. For consistency, and to allow the maturity model to capture performance that falls below general conformance — as well as above the base general conformance level — Level 3 on the maturity framework will be defined with attributes that achieve general conformance with the Standards (see “Maturity Model Alignment Points” below). </p><h2>Applying the Maturity Model to the <em>Standards</em></h2><p>By exploring several areas of the <em>Standards</em>, one can see how the maturity model may be applied. Some aspects of the <em>Standards</em> may seem binary, such as Standard 1000: Purpose, Authority, and Responsibility, which requires that an internal audit activity have a charter. Either an organization does or does not have an internal audit charter.</p><p><img src="/2018/PublishingImages/Urton_Maturity%20Model%20Alignment%20Points.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:580px;height:306px;" />However, even given this binary nature, the maturity model can be used to highlight how to differentiate between conformance in Level 3 – Defined and below conformance (Level 2 – Repeatable and Level 1 – Initial/Ad Hoc). Perhaps even more importantly, note how Level 4 – Managed and Level 5 – Optimized can be used to differentiate higher levels of maturity and excellence, using the charter as an opportunity for stakeholder engagement, alignment, and elevation of internal audit stature and opportunity to perform (see “Internal Audit Maturity Model Related to the Standards” at the end of this article).</p><p>A fundamental area such as communication of results applies to every internal audit function. The column, “Standard 2400: Communicating Results,” in the “Internal Audit Maturity Model Related to the <em>Standards</em>” chart at the base levels cover aligning the report with core points in the <em>Standards</em>. The higher levels of 4 – Managed and 5 – Optimized include exploring stakeholder value and insights received, as well as stakeholder, top executive, and board perceptions on the quality of internal audit reporting.</p><p>Lastly, talent is an area of importance and challenge for many internal audit functions, so using a maturity model approach to look at Standard 1000: Proficiency and Due Care, or any other standard to apply the IPPF, can identify an array of practices and performance levels that can result in distinct improvements. </p><p>Currently, internal audit functions often look for leading practices, opportunities to provide more value, and continuous improvement. Taking a fresh view of the IPPF and the <em>Standards</em> through a maturity model approach can help internal audit assess its current state, identify opportunities for improvement aligned with stakeholder priorities, and drive continuous improvement. Having a maturity model can equip the CAE with a framework and tools to help articulate options to stakeholders and the internal audit team. CAEs need to be adept at defining those aspects of applying the maturity model approach that will make a difference in their organization, given the stakeholder expectations and risks.</p><h2>Does Size Impact Maturity?</h2><p>Beyond maturity levels, internal audit, itself, varies in size as does the size of the organization it serves. A smaller internal audit function may not need as much documentation in planning and process as functions serving large, complex organizations. Some elements, such as an internal audit charter, will apply no matter what the size of the organization; however, other aspects of the IPPF, such as how to build talent models, may not require the complexity of infrastructure.</p><p>The IIA’s Practice Guide, Assisting Small Internal Audit Activities in Implementing the <em>International Standards for the Professional Practice of Internal Auditing</em>, notes the level of challenge for a small internal audit function in conforming with various categories of the <em>Standards</em>:</p><ul><li>Low degree of challenge: Standard 1000: Purpose, Authority, and Responsibility.<br></li><li>Medium degree of conformance challenge: Standard 1100: Independence and Objectivity, Standard 1300: Quality Assurance and Improvement Program, Standard 2000: Managing the Internal Audit Activity, Standard 2200: Engagement Planning, and Standard 2300: Performing the Engagement.<br></li><li>High degree of conformance challenge: Standard 1200: Proficiency and Due Professional Care, Standard 2100: Nature of Work, Standard 2400: Communicating Results, Standard 2500: Monitoring Progress, and Standard 2600: Communicating the Acceptance of Risks.<br></li></ul><p><br>For an audit department covering a smaller, less complicated organization, some of the higher levels of internal audit maturity may not be needed. However, some aspects of internal audit excellence that are money and time saving may be as important in a smaller, closely aligned, agile organization as in a large, international conglomerate. </p><p>In a small internal audit department, the challenges can be addressed through flexible planning, process disciplines that keep everyone on track, and tools available to CAEs of small groups. For example, flexibility can be applied during internal audit risk assessments, in duration and style of internal audit projects, and in documentation and communications. In process discipline, internal auditors should focus on what is important to accomplish and eliminate the unnecessary, strive to automate repetitive tasks, and leverage checklists and lessons learned to continually improve. </p><p>Many tools and resources are available to internal audit groups of all sizes and maturity levels, thanks to The IIA, the internet, and peer networks. There also are many technology solutions that can help ease the administrative needs of small departments by facilitating standard workflows, approval/review processes, and action plan follow-up. Having a robust system can be a key source for demonstrating compliance with several of the standards. </p><p><img src="/2018/PublishingImages/Urton_table_p32-33.jpg" alt="" style="margin:5px;" /><br></p> <style> p.p1 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:0.1px; } </style> <p><em>Anderson and Dahle are co-authors of </em>Applying the International Professional Practices Framework, 4th Ed<em>., published by the Internal Audit Foundation.​</em></p><style> p.p1 { line-height:12.0px; font:14.0px 'Interstate Light'; } span.s1 { vertical-align:1.5px; } </style>Urton Anderson1
Centralized vs. Decentralized Audit Functionshttps://iaonline.theiia.org/2018/Pages/Centralized-vs.-Decentralized-Audit-functions.aspxCentralized vs. Decentralized Audit Functions<p>​Internal audit departments typically are structured as centralized or decentralized. Department structure plays an influential role within the department, as well as in the business operations that are audited. Therefore, it is crucial for internal audit management to evaluate which structure is the best fit for its team and the business. </p><p>Per The IIA’s International Professional Practices Framework, an organization’s internal audit activity is required to be in conformance with the <em>Standards</em>. However, the <em>Standards</em> do not specifically address ​departmental structure, so the chief audit executive (CAE) can determine how the internal audit activity is set up by examining the advantages and disadvantages of both centralized and decentralized. </p><h2>Centralized Structure​</h2><p>In a centralized audit department, management and staff work in the same location and either travel to other office locations or work remotely to conduct audits. The centralized structure offers many advantages. First, internal audit leadership works in the same office. Members of management — ranging from supervising seniors to the CAE — not only meet in-person, but, more importantly, demonstrate a consistent “tone at the top.” Also, with the entire team in the same location, any team member has access to management, which can encourage informal, in-person coaching and mentorship.</p><p>Having the team together also promotes consistency in training, both at the entry level and experienced practitioner level. Internal audit policies and procedures, such as workpaper expectations, can be communicated and compliance monitored with greater uniformity. As it relates to uniformity, a centralized department can promote more equal opportunities, such as audit project assignment. In addition, when all staff work out of the same office, more collaboration among team members can occur.</p><p>There also are disadvantages with a centralized departmental structure, such as the inevitable travel component to the job — especially at the staff and senior staff levels. For some, the opportunity to travel the world may be appealing; however, because the time spent on the road can be extensive, it may be difficult to attract and retain top talent. Although conducting audits remotely can decrease the travel commitment, there are some audits that still require on-site walkthroughs; detailed test work; and meetings that cannot be performed via email, phone, or teleconference. On-site audit fieldwork activities are valuable, as there is much to gain when working with the audit client in person. This can be a benefit not only in the current audit, but through observation and informal meetings, candid conversation about the site’s operations can highlight what’s really going on. Additionally, there is value gained when internal audit is geographically closer to the operations it audits, as continual dialogue about regional policies and practices can assist internal audit during its risk assessment and audit planning processes. </p><h2>Decentralized Structure</h2><p>A decentralized department assigns internal audit teams in more than one location, and each team is responsible for auditing that office’s (or region’s) operations. The decentralized internal audit department also offers many advantages. First, when audits are performed at a more local level, there is increased opportunity for internal audit staff members and management to collaborate throughout the actual audits. Internal audit managers can coach employees and provide advice in a variety of areas, such as walkthrough and interview techniques and workpaper and documentation execution. Unlike the centralized structure, where managers might supervise the team remotely, staff members benefit from the in-person guidance when managers are available on-site. </p><p>Additionally, with a decentralized model, audit staff members and management are close to the business operations under review, which can help forge relationships that result in candid dialogue about risk and controls. This can prompt requests for consulting engagements and advisory reviews, which benefit both internal audit and management.</p><p>There also can be some drawbacks to using a decentralized model. First, staff members (and management) may develop expertise limited to the office and region where they work. For example, auditors can gain expertise about part of a process that occurs in their location, such as product design, but miss other process components, such as manufacturing, that help complete the full picture of the process. Specialization also can limit skill development. </p><p>Another downside to a decentralized department is that each auditor typically performs multiple audits at the same time. Unlike a centralized model, which often can incorporate travel (and therefore, each auditor is assigned one project at a time), a decentralized model assigns multiple audit projects to each auditor, which can cause scheduling problems and demand careful attention to balancing priorities and deadlines.</p><h2>Organizational Impact</h2><p>Once internal audit leaders weigh the structure’s impact on the department, itself, it is critical to assess how the structure aligns with the organization. Two perspectives that can be used to evaluate organizational impact are company culture and structural alignment.</p><p>Company culture is the organization’s overall environment and atmosphere. It comprises the stated policies and procedures, as well as the values and norms, both of which permeate interactions, communications, and expectations. Every culture is different, as each organization has its own history and experiences that uniquely shape how the organization makes decisions. Internal audit leaders, therefore, need to determine how the selected department structure will complement the company culture. For instance, if the overall culture encourages manager/employee collaboration as a method to effectively support and train emerging talent, then a decentralized audit department may be a good fit. Such a structure enables managers to be on-site during audits and provide in-person feedback and coaching. However, a different company may encourage a talent development model that promotes professionals as generalists (as opposed to specialists), and therefore, a centralized audit department, which permits a wider range of audit project opportunities, may be a better choice to achieve congruence with the overall culture.</p><p>The manner in which other departments are structured within the organization influences the audit department’s structure. Does the organization have satellite locations? If so, what departments reside in those offices? If there are minimal resources in other offices, then a centralized audit department structure may be a best fit. However, if the organization is experiencing rapid growth in a certain region, an internal audit leader may consider a decentralized structure; by placing dedicated resources in that region, internal audit can partner with local management and collaborate on evaluating key risks and controls.</p><h2>Thoughts for the Future</h2><p>The determination of an internal audit department structure that supports both the audit team and the organization is an important decision made by the CAE and internal audit management. Like many other management decisions, it is worthwhile to evaluate the structure’s continued relevance and applicability periodically, as organizations change — sometimes extensively — over time. ​</p>Christine Hogan Hayes1
Find Your Voicehttps://iaonline.theiia.org/2018/Pages/Find-Your-Voice.aspxFind Your Voice<p></p><p>The nature and role of internal auditing in North America has radically altered over the past decade or so. No longer seen as a back-office compliance department, there just to check accounts payable or perform mundane administrative processes, the cutting-edge audit function is increasingly regarded by audit committees and regulators as a trusted advisor. Many chief audit executives (CAEs) have a seat at the top table, advising the C-suite on emerging and strategic risks and helping management mitigate those threats to the organization’s objectives. </p><p>Internal audit has had to work to implement those changes to its role and status, and I have great respect for the courage and determination that takes. But not all internal audit functions are operating at that level. That could be because stakeholders do not fully understand what internal audit does — or can do — and continue to underinvest and undervalue their audit functions. Or, it may be because internal auditors do not always push as hard as they might to fulfill what can be a daunting and uncomfortable role.<br></p><p>My theme as chairman of The IIA’s North American Board over the coming year is “Find Your Voice.” Specifically, I want all internal auditors to reflect on, develop, extend, and communicate the true value they can provide to their organizations. In finding their voices, auditors will be able to achieve their full potential in serving their organizations, and they will be ensuring their ongoing relevance in a rapidly changing world. <br></p><h2>External Pressures</h2><p>There are two major trends that make my message urgent. For the first time in many years, there is an emphasis in the U.S. government on deregulation. This is a radical change from the increasing levels of rulemaking and regulatory scrutiny the profession has faced since the turn of the century. </p><p>Both the U.S. Sarbanes-Oxley Act of 2002 and the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, as well as countless other pieces of regulatory reform, have tended to emphasize the compliance function of internal audit. If stakeholders, especially in the energy and financial sectors, for instance, see internal audit as a box-ticking function, it is largely as a result of these requirements. </p><p>Since Donald Trump became president, an estimated 600 regulations have been eliminated, according to George Washington University’s Regulatory Studies Center. High-profile examples include the partial repeal of the Dodd-Frank Act, the repeal of the Affordable Care Act individual mandate, and the Federal Communications Commission privacy rules.</p><p>If internal audit’s key stakeholders, including audit committees, believe that most of internal audit’s value comes from ensuring the organization complies with regulations, it does not bode well. They may believe that if the regulations disappear, internal audit will not be needed. This could not be further from the truth. Indeed, while regulations may be eliminated, the risks addressed by them will continue to exist. If anything, risks and the related need for internal audit services increase in a deregulated market. Still, it appears conditions are not prime for internal auditing to become a mandated function within organizations in the foreseeable future.</p><p>A recent IIA global study on the regulation and licensing of internal audit reveals a consensus among stakeholders that, for several reasons, governments should not regulate or mandate internal audit. Regulation can take away decision-making from management and the board, say respondents to the study. </p><p>Regardless, this has not stopped The IIA from moving ahead with a strategy to advocate for a comply-or-explain mandate for publicly traded companies. Under such a mandate, organizations would have to report whether they have an internal audit function and how it is resourced. If they do not have an internal audit function, they would have to explain how they are mitigating risks. Such disclosure provides an increasingly active investor community vital information about a company’s approach to risk management. But in the interim, internal audit should become an integral part of an organization as the result of a carrot, not a stick. </p><p>The second major trend revolves around advances in artificial intelligence (AI), robotic process automation, and other technologies that threaten to replace compliance-based auditing. Internal auditors should fully grasp the implication of such automated auditing. Thomas Sanglier’s recent book, <em>Auditing and Disruptive Technologies</em>, published by The IIA’s Internal Audit Foundation, rightly argues that to thrive in the near future, audit departments will need to adopt and adapt to such advances. Staying relevant to organizations will mean moving up the value chain so that audit is operating at a strategic level. Technology will process the data. </p><p>This is why internal auditors need to tell their stakeholders how valuable effective, strategic, risk-based auditing can be. We can help them see the bigger risk picture by getting involved in supporting the strategic objectives of our organizations. Granted, AI will replace some of the traditional roles and tasks that internal audit has performed, but, in my view, it would be a welcome relief to move away from the humdrum compliance work and start focusing exclusively on what really matters — start focusing, in short, on value.</p><h2>Defining Value</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Advocacy Tools</strong><br> </p><p>Internal auditors should make full use of The IIA’s advocacy tools to inform their stakeholders of the value an effective function can provide. These include the <a href="http://bit.ly/2Hyvw2C"><span class="ms-rteThemeForeColor-1-0">Global Advocacy Platform: Pillars of Good Governance​</span></a><span class="ms-rteThemeForeColor-1-0"> </span>and the <a href="http://bit.ly/2HzeXnn"><span class="ms-rteThemeForeColor-1-0">position papers</span></a>: </p><ul><li>The Three Lines of Defense in Effective Risk Management and Control<br></li><li>The Role of Internal Auditing in Enterprise Risk Management and Control<br></li><li>​The Role of Internal Auditing in Resourcing the Internal Audit Activity<br></li><li>Internal Audit’s Role in Good Governance (available later in 2018)<br></li></ul><p><br>In addition, auditors can take advantage of relevant Internal Auditor magazine articles ​(InternalAuditor.org) to get up to date in best practices and share those with their stakeholders, where appropriate. Some recent examples include: </p><ul><li>“5 Steps to Marketing Your Audit Department” <br></li><li>“Your Personal Brand” <br></li><li>“Board Matters”<br></li><li>“The Dynamics of Interpersonal Behavior” ​<br></li></ul> <br> </td></tr></tbody></table><p>There are many definitions of <em>value</em>, because the concept changes over time as the demands on internal audit evolve. The IIA’s International Professional Practices Framework is a good place to start. It says, “the internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.”</p><p>Putting those sound principles into practice can be more difficult than it might first seem. For example, what is relevant assurance? How can internal audit become more involved in strategic objectives and risks if that is not what stakeholders seem to be expecting? And how do stakeholders understand the value that internal audit can offer?</p><p>There is some truth to the idea that internal audit’s value resides in the eye of the beholder — the board, management, regulators, and other external parties. But we cannot be a passive recipient of those views if they do not mesh with contemporary practice. There is a real risk that stakeholder expectations are based on outdated notions of internal audit. </p><p>For example, one of my stakeholders is an incredibly knowledgeable individual — a former Big Four partner who is heavily involved in his own professional bodies. Recently, I told him we were doing the annual risk assessment and he surprised me by asking why internal audit was doing so. I explained how performing our own risk assessment helps internal audit create a risk-based audit plan and helps the organization achieve its strategic goals. I was glad that he had come to me because, frankly, I assumed he knew what internal audit did.</p><p>The first step to defining your voice is to create a value statement. Examples might include, “external auditors audit the past, we audit the future.” Or, “internal audit assists the board and management in accomplishing their responsibilities.” Or simply, “internal audit helps make the organization more successful.” Be sure to consult internal audit’s stakeholders. Creating a value statement is most effective when the process engages all involved. It is an opportunity to build understanding within the audit team about how audit is perceived and to explain to stakeholders the value internal audit could be offering where that is poorly understood. </p><p>Any value statement has to be addressed to the audience it is intended to inform — so while I urge auditors to advocate and educate stakeholders, they must do so in a language that is free from jargon. Because I work for a not-for-profit organization, my audit committee is made up of members of our community. That includes some financial experts, but also a Baptist minister, a real estate agent, and a couple of other individuals who do not have finance and business backgrounds. While they are smart people, I need to be able to explain internal audit’s value in a way that makes it easy for me to demonstrate what we have achieved through our work for the business. Creating a clear and well-understood definition of internal audit’s value for all stakeholders is a powerful tool.</p><h2>Walking the Talk</h2><p>In addition to advocating for an enhanced role and communicating with, and listening to, stakeholders, internal auditors need to deliver on their promises. Each of us needs to be the best internal auditor he or she can be. That involves being well-educated about the technical aspects of internal auditing, being up-to-date on current and emerging trends, and making a solid commitment to improve and update those soft skills that are crucial to our roles. Internal auditors should be certified to demonstrate their professionalism. Also, I am a big advocate of volunteering in the profession, of joining local chapters or committees and getting involved. I have benefited greatly on both counts. I am up-to-date on best practices and emerging issues in internal audit, and my organization has benefited from the technical skills I have obtained through my participation. At the same time, I have met some amazing people and developed some great friendships.</p><p>One area that CAEs often overlook is using external quality assessments as a challenge to the board. All internal audit departments should undertake periodic quality assessments, as mandated by The IIA’s Standard 1312, which says an external quality assessment must be performed every five years. I accept that it can be a difficult process to go through, but it can also be a tool for change. Presenting the results of such a review to stakeholders can support the CAE’s constant requests that the function be involved in more strategic and challenging work. If CAEs know they are not using audit staff most effectively, the quality review will reflect that in an evidence-based way. It is another way CAEs can find their voice and demonstrate that the audit committee can get real value from its audit function.</p><p>Being the best can be challenging and sometimes lonely. It can take time, effort, and patience to get the message through that internal audit is a forward-looking and progressive part of the business when those around you do not necessarily share or understand that view. </p><p>To stand in front of a stakeholder and say, “I’m supposed to be involved in strategic initiatives and have a seat at the table” is not always successful or well-received. To further support auditors, The IIA’s North American Board is putting more emphasis on advocating for members — an approach I will continue and extend where possible. It is no longer enough for The IIA’s advocacy to focus on attending meetings in Washington, D.C., to try to influence legislation and advocate for better governance. Although this is incredibly important and we continue to push initiatives with the U.S. Securities and Exchange Commission and other regulators, The IIA also is appealing directly to stakeholders. For example, we are hoping to partner with organizations like the National Association of Corporate Directors (NACD) to make sure they have the tools to inform their members about what they should be looking for from their internal auditors. Many audit committee and board members belong to the NACD and similar bodies. There are many other organizations that serve CEOs, chief financial officers, and other groups, and The IIA North American Board will be advocating and educating on the value internal audit can provide to their members. I urge internal auditors to also advocate for themselves — to “find your voice.” The IIA has many tools to assist you in this endeavor. For example, send copies of IIA advocacy documents to your stakeholders (see “Advocacy Tools,” page 38). Sometimes it is more objective and compelling when it comes from a third party.</p><h2>Finding Internal Audit’s Voice</h2><p>Obviously, what I have set out as my theme will take more than a year to achieve. But working together as a profession, and with our key stakeholders, we can help internal audit find its voice — and its place — to foster success and create opportunities in our organizations and beyond. </p><p></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <strong> </strong> <style> span.s1 { vertical-align:1.5px; } </style><strong> </strong> <p> <strong>The 2018–19 North American Board Chairman​</strong></p>​​Karen Brady began her career with Ernst & Young in New Orleans and has served in various executive positions, including controller and chief audit executive within the hospitality industry. She is a Certified Internal Auditor and Certified Fraud Examiner and has her Certification in Risk Management Assurance.  <p>Today, Brady is the corporate vice president of audit and chief compliance officer for Baptist Health South Florida. Baptist Health is the largest, not-for-profit health-care organization in South Florida, including 10 hospitals and over 50 outpatient facilities spanning four counties. With more than 18,000 employees and over 3,000 physicians, Baptist Health is considered one of the nation’s top employers, according to Fortune’s 100 Best Companies to Work For. It also has been recognized by the Ethisphere Institute as one of the World’s Most Ethical Companies for the past eight years. Brady has been with Baptist Health for over 25 years and during that time has implemented a robust, award-winning Internal Audit and Compliance department.</p><p>In addition to serving as North American Board chair and as a Global Board member, she has volunteered at The IIA in various capacities for many years. For example, she is a past conference chair (2011), Learning Solutions Committee chair (2011–2013), and Global Professional Development chair (2015–2017). </p><p>Brady also is past president of the Florida Health Care Compliance Association. Recognizing the importance of giving back to the community, she serves as chair of the Finance and Audit Committee on the Board of Riverside House, a charitable organization that helps guide men and women convicted of crime toward becoming productive citizens through a nondenominational, faith-based approach.</p><p>She is a fitness enthusiast and enjoys her morning runs. In her spare time, she enjoys travel, hiking, and water sports with her husband Jim. ​</p></td></tr></tbody></table><p></p> <style> p.p1 { line-height:12.0px; font:42.5px 'Interstate Light'; } p.p2 { line-height:12.0px; font:9.0px 'Interstate Light'; } p.p3 { text-indent:12.0px; line-height:12.0px; font:9.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { letter-spacing:-0.2px; } span.s3 { letter-spacing:0.1px; } </style>Karen Brady0
Culture of Accountabilityhttps://iaonline.theiia.org/2018/Pages/Culture-of-Accountability.aspxCulture of Accountability<p>​<span style="font-size:12px;">Holding people and organizations to account has historically been a case of pinning blame on them for failures they either caused directly or should have been aware of. As a result, organizations should not be surprised if employees are reluctant to embrace a culture of accountability. But Paul Russell, director and co-founder of soft skills training firm Luxury Academy, says that the key to encouraging employees to be more accountable is to teach them that the term is not synonymous with blame.</span></p><p>"Whereas accountability is a strategic approach implemented by management to enable more effective working practices, blame looks to apportion guilt for mistakes," Russell says. "A blame culture is inhibiting for employees, while an accountability culture should help employees to exhibit productive, effective working practices."</p><p>For employees to take ownership of problems and mistakes, they must have a strong understanding of customer expectations and their role in delivering them, Russell says. The workplace culture, he adds, should be one where roles and responsibilities are clearly defined, with an effective leadership strategy that encourages open communication and team working. Employees should receive consistent training, be encouraged to take accountability for the customer experience, and empowered to put things right if they go wrong. </p><p>Internal audit also has a strong role to play in the process. For example, in the U.K.'s Corporate Governance Code, internal audit has a duty to provide assurance to the board on the organization's culture.</p><p>"Internal audit needs to review accountabilities as part of its internal audit processes, as well as look at the culture of the unit being audited," says Philippa Foster Back, director at the Institute of Business Ethics, a U.K.-based organization that advocates for better business behavior. "And a key question that internal audit should ask is if employees can — and do — speak up and raise issues."</p><p>Foster Back points out that organizations need to have robust management reporting lines — as well as "speak up" and whistleblowing procedures — so that employees know how they can escalate concerns, rather than being left to either resolve issues themselves (where they might not be qualified to do so) or take the blame for mistakes made (which is also inappropriate).  She adds that getting employees to take ownership of problems and stopping them from covering up mistakes or passing the buck is easier to encourage if the organization's culture is open.</p><p> "In an open culture there is a dialogue and discussion of scenarios of dilemmas faced and mistakes being made," Foster Back says. "If these are openly discussed, say in a team meeting, the language is created so it isn't so difficult to own up. And underlying this open culture is the necessary support of leaders recognizing the importance of learning from mistakes."</p><p>Ultimately, achieving a culture of accountability will not happen overnight. "People struggle with what accountability means and are therefore afraid to take ownership of problems or make decisions on issues outside of their comfort zones or pay grades," says Liz Sandwith, chief professional practices advisor at the U.K.'s Chartered Institute of Internal Auditors.</p><p>However, progress will be achieved when people become more familiar with what the term implies. "We need people to understand what 'accountability' is, because it means taking responsibility for one's actions — and not in a negative, 'blaming and shaming' way," Sandwith says.</p><p>"Rather, accountability means making decisions when necessary for the benefit of the organization," she continues. "If those decisions turn out to be 'bad' decisions, these employees should not be punished: The organizational culture should be one in which mistakes can be tolerated, and where lessons can be learned, and training provided."</p>Neil Hodge0
Audits From Afarhttps://iaonline.theiia.org/2018/Pages/Audits-From-Afar.aspxAudits From Afar<p>​Current audit methodologies are taking advantage of rapid technology advances to offer greater accuracy and insight into complex operations, often with fewer person-hours. Many internal audit departments have applied agile, automated processes to improve the previously manual approach for measuring and managing controls and processes.</p><p>But what about the way internal auditors perform the audits, themselves? For example, much of internal audit's work — information-gathering, walkthroughs, and interviews — still is done on-site. Leveraging today's technologies to conduct remote audits could streamline this process and increase the efficiencies of internal audits.</p><h2>On the Road</h2><p>Internal auditors perform walkthroughs to measure the effectiveness and level of compliance of an organization's internal control system. The fieldwork portion of these walkthroughs typically involves small teams traveling to various locations and setting up shop for one or two weeks. There, auditors pull team leads, directors, vice presidents, and even top executives away from their daily duties to evaluate the control systems and targeted processes. Teams then perform substantive tests, examine analytical procedures, hold direct interviews, and raise inquiries with various levels of management.</p><p>Not only is this approach inconvenient for the individual site locations in terms of blocking out conference rooms, hotel cubicles, and meeting schedules, but it can become time-consuming for leadership and increase internal audit's travel costs. In fact, internal audit efforts can easily reach thousands of dollars per location, team, and area of focus. Moreover, the time spent traveling to the location instead could be spent on auditing, which could decrease the total audit hours. </p><p>On-site audits have another downside: The extensive travel and time away from home can actually be a drain on employee resources and contribute to turnover. Like most employees, today's internal auditors juggle complex work and personal lives, including ever-increasing commuting times and expenses, travel, and family responsibilities. Establishing more off-site audit work can help organizations retain talent and in some cases recruit employees who might otherwise not have wanted to work in a location.</p><h2>Auditing Remotely</h2><p>Leveraging technology to perform walkthroughs remotely can free up on-site resources and enable internal audit and management to more efficiently plan, interact, and share substantive data. Take for example the planning phase of the audit process. Planning the audit sets the stage for evaluating management's assertions, beginning the process of obtaining material evidence, aligning initial planning expectations with current audit findings, and building the supporting documentation library. </p><p>Yet, technology advances have improved routine data-collection activities and streamlined the historically manual methods around the measurement of processes and controls, including compiling information from disparate systems. That has minimized the need to be on-site to gather information. </p><p>The key to a remote audit is planning and appropriate resource management. Here are some tips and strategies.</p><p><strong>Use technology such as video chats, conference lines, secure file sharing, and virtual private networks.</strong> Conversations with the client, or even with members of the audit team, do not have to take place in person. Many organizations have a video chat capability on their employees' computers, enabling auditors to have those face-to-face conversations virtually. In addition, secure file sharing addresses the concerns of clients who do not want to share electronic documents because they fear they will get hacked. </p><p><strong>Schedule time ahead of planned fieldwork. </strong>This is more efficient for both the remote audit staff and the client. A week or two before the audit start date, auditors should email the client to schedule initial walkthroughs. Auditors should inform the client that they will be conducting an audit remotely and prepare the client to gather any electronic documents needed by the time the meeting occurs.</p><p><strong>Establish the remote auditing rules of engagement for the internal audit team.</strong> Whether it's one person or an entire team working off-site, the remote auditors should be aware of expectations. For example, rules of engagement could include when individuals should be available, status updates at the end of the day, and points of contact on the audit team for questions before engaging the client. These rules can help achieve good communication, which sometimes can be lost when auditing remotely. </p><p><strong>Determine specific roles and responsibilities for all team members.</strong> Roles and responsibilities can be included in the rules of engagement. For example, the manager in charge of the audit should assign an individual to be the single point of contact responsible for setting up meetings with the client. Another role that should be assigned is the individual who keeps track of the status of the audit and staffing to avoid having individuals on the team working on the same tasks.</p><p><strong>Set check-in times each day with the internal audit team to ensure the audit is still on schedule</strong><strong>.</strong> These check-ins are critical to the success of a remote audit. Because the audit team is not in the same physical location, communication does not occur as often throughout the day. A set check-in time will help communication flow and keep the audit on track.</p><p><strong>Start with less complex audits.</strong> Once internal audit has established its ability to perform simple audits off-site, it can transition to other complex areas later in the year. For example, an audit that typically can be completed off-site is electronic banking. The documents are usually electronic and can be sent securely, and the processes are less complex. </p><p>A more complex audit, like allowance for loan and lease losses (ALLL), should be performed on-site at first, to understand the complexities involved in the process as well as the complexities of the ALLL model. Internal auditors always should look at the audit plan and work with management to determine which audits would be more complex than others. </p><h2>Embrace Established Technology Principles</h2><p>It is no secret that technology is making life easier. By taking advantage of well-established technology principles, organizations and business leaders can transform business areas such as internal audit that often depend on manual processes. Innovations such as secure file sharing, video chats, and virtual private networks can facilitate remote audits that create flexibility and ease for both the client and the audit team. </p>Matthew J. Suhovsky0

  • SCCE2018_August2018_Premium 1
  • IIA FSACACGABookstore_August2018_Premium 2
  • IIA EHS2018_August 2018_Premium 3