Practices

 

 

An Extraordinary Experiencehttps://iaonline.theiia.org/2018/Pages/An-Extraordinary-Experience.aspxAn Extraordinary Experience<p>Pity the poor used car salesperson. Survey after survey shows these purveyors of the pre-owned work in one of the least trusted professions, mired in a cesspool of lobbyists, telemarketers, and (gasp!) business executives. There are many reasons for this distrust, but part of it has to be the frustrating ordeal of buying a used car.</p><p>Given the industry’s reputation, and my own encounters with it, a recent auto dealership commercial caught me by surprise. It featured a customer so enamored with the used-car buying experience that he, purportedly, gave his endorsement without compensation. After extolling the virtues of the salesperson, the service department, and the dealership as a whole, he made an amazing statement: “I had an extraordinary buying experience.” </p><p>Internal auditors are generally not included in surveys of “trusted professionals,” but I imagine we would not appear particularly high or low on such a list. Our reputations have improved significantly over the years, though we are still haunted by lingering perceptions of audit professionals as snitches, nitpickers, compliance tyrants, and even bayoneters of the wounded. These perceptions are dying a well-deserved, none-too-soon death. But they still drive some people’s approaches and reactions to internal audit. ​</p><p>Accordingly, I think any of us would be shocked to hear someone say, “I had an extraordinary internal audit experience.” But shouldn’t we be trying for just that level of service? Shouldn’t we be doing the extra work that would turn even our friends, supporters, and advocates into raving fans? Shouldn’t we be trying to make every internal audit an extraordinary experience?</p><p>If so, we first have to figure out what an extraordinary audit experience looks like. And that means we have to identify and understand every step every stakeholder experiences in every internal audit project.</p><p>During the 1980s, Jan Carlzon, CEO of Scandinavian Airlines System, coined the phrase “moments of truth” to describe each and every time the customer comes into contact with an organization or department. He described how these moments of truth represent the point in time when customers are forming their opinions. By focusing on these moments, he suggested, the organization or department could better manage them, thereby better managing customers’ perceptions and creating a more positive experience.</p><p>For internal audit to deliver service our stakeholders will consider extraordinary, we must identify each and every one of these moments. We must determine why each is occurring, understand what the customer wants from that touch point, and develop ways to make each of those individual experiences the best they can be. If we manage those touch points — if we make each of those moments unforgettable — then, and only then, will our stakeholders walk away saying, “I just had an extraordinary internal audit experience.” </p><style> p.p1 { line-height:12.0px; } p.p2 { line-height:12.0px; } p.p3 { text-indent:18.0px; line-height:12.0px; } p.p4 { text-indent:9.0px; line-height:12.0px; min-height:11.0px; } p.p5 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { font:8.0px Interstate; letter-spacing:-0.1px; } </style>Mike Jacka1
Ten Tips to Manage Your Careerhttps://iaonline.theiia.org/2018/Pages/Ten-Tips-to-Manage-Your-Career.aspxTen Tips to Manage Your Career<p></p> <p>While working in internal audit for more than 30 years within corporate functions and professional service firms, one of the most fulfilling things I’ve done is counsel and assist associates with various pieces of their careers. Helping people make good career decisions and watching them develop to their full potential should be an objective of any professional. </p><p>The opportunity to serve in this role has allowed me to identify and understand career challenges internal auditors repeatedly run into and help them develop the skills to better manage their careers and avoid these common pitfalls. Mastering 10 skills can help internal auditors better position themselves to take advantage of opportunities and enable them to prosper in today’s work environment. </p><h1>one. </h1><h2>Differentiate yourself from your peers.</h2><p>What unique skills and experiences do you have, or are you developing, to differentiate yourself? Too often, internal auditors have not focused on this question and are not able to articulate which demonstrated strengths and key attributes set them apart from their peers. It is not just a matter of stating a skill or attribute — they should be able to give examples that demonstrate they possess that skill or attribute. <br></p><p>Using generic descriptive phrases such as “I’m a hard worker” or “I have high ethics” doesn’t differentiate a person, as many people use them. At any level or position, internal auditors need to continue to build skills and experiences that make themselves more valuable and also set them apart from peers. </p><p>Auditors also should practice their interviewing skills. Are you able to clearly articulate what your key strengths and differentiating qualities are? In particular, when you interview, do you know what qualitative skills and attributes you want to communicate to an interviewer? Résumés also should be updated to communicate these qualifications.</p><h1>two.<br></h1><h2>Learn to develop and maintain relationships.</h2><p>One of the most important career skills is the ability to build and maintain professional relationships. Access to a network of professionals is valuable and can be used for a broad range of activities, such as sales opportunities, references, staffing and job opportunities, coaching, and insights on companies and executives. <br></p><p>But building and maintaining a network is a process. Internal auditors should consider who they network with and why, then develop a process to support and reinforce networking activities. For example, practitioners should keep track of when they interact with people or maintain a list of people with whom they need to reconnect. </p><p>While social media networks are fine for many purposes, professional networking requires a personal touch and interaction. People in your network need to know you and your capabilities so that when a need arises, they are happy to help. </p><h1>three.</h1><h2>Set long-term goals but manage your career in terms of “orbits.” </h2><p>Goals give you something to work toward in your personal and professional life. However, in today’s dynamic work environment, reaching those goals may seem daunting. The uncertainty of constant change presents a challenge in developing a clear path to goals, especially long-term goals. Studies have shown that writing goals increases an individual’s probability of achieving them.<br></p><p>Alex McKenna, a career counselor for senior executives, advises people to think about their careers in two- to five-year increments, which he refers to as “orbits.” When in an orbit, the focus should be on performing well while building skills and experiences that qualify you to move to a higher orbit. That higher orbit could be a higher-level position or a position in a different organization where your skills and experiences would be better used. In that higher orbit, you would look to add new skills and experiences to reach an even higher orbit. </p><h1>four.</h1><h2>Create your own opportunities.</h2><p>Rather than just waiting for unique or challenging opportunities to come their way, internal auditors should seek out those assignments. If a problem has been identified, be one of the people to fix it. There are benefits to volunteering for the tough assignments. First, tough assignments grow skills and offer unique experiences. Often, fixing major problems involves developing new approaches or applying new thinking rather than just performing routine assignments. Second, these are the assignments where internal auditors get noticed. Being part of a team that addresses major issues or problems gets the attention of more senior people, which is the attention auditors want.<br></p><p> </p><h1> five.</h1><h2>Learn to focus your time and activities.   </h2><p>The 24/7 work cycle and other complexities can be overwhelming at times and may lead internal auditors to jump from one task to another. At the end of what seemed to be a very busy day, an auditor may be unable to answer the question, “What did I accomplish today?” Time is your most valuable and limited asset. You can’t create more of it, and it easily can be wasted. <br></p><p>So, it’s important to focus on the most important tasks and get them done. Auditors should operate every day with focus, know what needs to be accomplished, and direct energy to that task. Various methods can assist in this process, such as to-do lists, priority lists, or daily reminders. Whatever is used, the most important thing is to learn to instill the discipline of focus in daily activities.</p><h1>six.</h1><h2>Get a mentor.</h2><p>With critical or challenging career situations, it helps to have access to someone you trust, respect, and feel comfortable seeking advice and counsel from — someone who also has confidence in you and is interested in your personal development and progression. Internal auditors should look for opportunities to develop real mentoring relationships with someone who can help. These relationships tend to develop over time and can’t be forced. A good mentoring relationship develops itself, and networking and relationship building play an important part. Over time, these relationships can change and evolve. You may even have more than one mentor during your career. <br></p><p>The mentoring relationship is rewarding for both mentor and mentee, so auditors also should look for opportunities to be a mentor. This can start early in a career by giving advice and counsel to newer staff. Mentoring helps develop communication and leadership skills, expands networks, and leads to personal satisfaction.  </p><h1>seven.</h1><h2>Always understand the needs of your employer or potential employer.</h2><p>Too often, employees do not really understand the specific needs of their employer or prospective employer. There may be a job description, but it may not highlight critical expectations or skill needs. This can lead to a misalignment between the unspoken expectations of a superior and an employee’s skills or performance. Such misalignment can prove fatal to a career.<br></p><p>This same concern arises when an employee is approached about another position. Discussion, especially with a headhunter, may focus on things like compensation and title and not enough on the specific needs, expectations, and skills required to be successful in that position. Knowing these things will significantly improve a person’s chances of making a good career decision. And, it will ensure that the new employer is getting an individual well-suited to the job. Fundamental to succeeding in this process is a person’s deep understanding of his or her own real skills and abilities.</p><h1>eight.<br></h1><h2>Give your employers and co-workers the benefit of your objective views.</h2><p>One of the attributes that most great leaders value is having employees who will give them good, objective views. In the internal audit profession, stakeholders highly value objective feedback from their auditors. Similarly, peers also value and seek the opinions and views of others. It’s part of the learning process. <br></p><p>Auditors should learn to objectively express opinions and views constructively and with courage and conviction. This also will establish you as someone with a voice. Practitioners should not hide behind auditor independence. Internal auditors are sometimes reluctant to provide their views or recommendations because they said they needed to remain independent. That rationale rarely is one that management executives will buy into. Internal auditors can provide views, feedback, and recommendations without impairing their independence. </p><h1>nine.<br></h1><h2>Understand the role and nature of compensation.</h2><p>Everyone wants and deserves to be fairly compensated for their efforts and achievements. Compensation is an important factor in any job, but its nature and impact are often misunderstood from two standpoints. First, while an increase in compensation provides great, immediate, and positive reinforcement, compensation, itself, is not a long-term motivator. The factors that provide long-term job satisfaction include things like challenging work assignments, increased personal responsibilities, and exposure to executives and challenging situations. Long-term, high compensation will not overcome the absence of these kinds of motivators and will not, in itself, make up for a poor job situation. <br></p><p>Secondly, compensation should be viewed as a dynamic process — not just a point-in-time, static measure. At any time, an employee could be offered a position for more money than he or she is currently making. Similarly, market conditions may result in a new hire being paid more than someone who has been there longer. Does your compensation reflect how you have been recognized, how you are progressing, and how you are valued? </p><p>If not understood and appropriately handled, compensation can be a major reason why a new job or opportunity does not work out. We all like to be flattered by a high offer; however, the real question is the nature of the position.​</p><h1>ten.</h1><h3>Communicate.</h3><p>Communication may be the single most critical career skill, and it’s important that internal auditors establish a track record of clear and open communication with peers and superiors. This is especially important when there’s a problem with a position, co-workers, or managers. Too often, employees are reluctant to put issues on the table, often from fear that they might be viewed as a troublemaker or asked to leave. <br></p><p>When concerns are not communicated, internal auditors risk making significant career decisions — such as leaving a job — without the benefit of full knowledge. A practitioner may be surprised to find that someone he or she speaks to agrees with and supports his or her views, or that he or she is more valued than previously thought. For example, if a particular job is not working out but management views an auditor highly, he or she may be placed in another position in the organization that is a better fit. </p><h2>SHAPE YOUR CAREER</h2><p>It is probably unrealistic to expect anyone to simultaneously address all 10 items on the list. Picking one or two to start with is ideal. Then as these skills are developed, auditors can go back to the list and identify one or two more to work on. Ultimately, it’s about managing your career in a way that helps you succeed and creating a satisfying, rewarding professional experience.  </p>Richard J. Anderson1
Agents of Improvementhttps://iaonline.theiia.org/2018/Pages/Agents-of-Improvement.aspxAgents of Improvement<p></p> <p>In their quest for internal audit to contribute to business success, corporate leaders increasingly want auditors to help improve business processes. Deloitte’s 2017 Ready for the Spotlight publication notes that CEOs, chief financial officers, and other business leaders “want advice on risks and risk management, and insights into business operations and processes.” </p><p>Similarly, internal audit stakeholders say consulting on business process improvements is the top area where internal audit can provide advice, according to The IIA Research Foundation’s 2016 Internal Audit Common Body of Knowledge Stakeholder Report. Internal audit can adopt several practices in approaching high-impact business process improvement projects. </p><h2>Select the Right Processes</h2><p>Internal audit can start process improvement efforts by selecting the business areas where it can add value. As with many audit-related activities, a risk-based approach is the best way to select areas for improvement projects. This approach includes selecting processes that are critical for accomplishing the organization’s strategy, selecting complex processes that cross functional lines, and selecting processes where there is a general consensus that there is a need for improvement.</p><p>To select operational processes that are critical to accomplishing the organization’s strategy, internal audit should ask: Is this process critical to the business’s mission? If this process is inefficient, does it matter to achieving the organization’s goals? If the answers to these questions are “no,” then spending time in this area is unlikely to drive significant benefits to the business, and management may not consider this type of project impactful.</p><p>Selecting complex processes that cross functional lines enables internal audit to assist with problems that are difficult for one function to resolve. Functions that are upstream may not realize they are doing things in a way that causes problems for functions that are downstream. Conversely, individual business functions are more able to self-assess and solve problems with processes that are performed within their area. </p><p>If a cross-functional effort is needed, internal audit can assist different departments in coming together to improve a process. Likewise, a complex process may be difficult for the process owner to analyze without assistance. Internal audit can assist a process owner in taking a fresh look at a complex process.</p><p>A consensus that a process needs improvement can assist in getting support for the project and the buy-in needed to motivate the function’s managers and team members to collaborate with internal audit to drive change. For example, at an aerospace manufacturer, there was a consensus that the procurement process needed improvement. Senior management could see excess inventories building and material purchase costs were exceeding budgets. However, there was no agreement about the cause of these issues. Additionally, because the procurement function was critical to achieving business goals, the procurement process was a prime area for internal audit to perform an advisory project.</p><h2>Enlist an Executive Sponsor</h2><p>Even with consensus that a process needs improvement, project teams frequently encounter resistance to change from some process participants. These individuals often believe someone else needs to adjust — not them. Internal audit can help overcome this resistance by enlisting executive sponsors who are highly interested in seeing the process improved.</p><p>In the aerospace company, both the CEO and general counsel served as executive sponsors for internal audit’s procurement process improvement project. These executives played an informal role and did not participate in project meetings or the project process. However, their interest in the project and desire to improve the procurement process became invaluable in leveraging the project output to drive change.</p><h2>Staff the Project</h2><p>Audit teams need to have the right skills to perform insightful business process analysis and complete improvement projects successfully. The team members must have strong business acumen and the ability to add value for the business process. Audit leaders should consider using just-in-time training to give the team members the most current knowledge possible of the subject area to be audited. </p><p>For complex and specialized areas, audit teams should bring in subject-matter specialists from within the organization or through service providers. For example, the aerospace company’s chief audit executive (CAE) used a combination of internal auditors with significant company experience and a contributor from a service provider who brought data analysis skills that the internal team did not possess.</p><p>Finding the right skills within the organization can save costs, but such employees must be independent of the area being reviewed. Just as independence is critical for assurance projects, it also is important for advisory projects to ensure specialists take a fresh look at the process. </p><h2>Establish Benchmarks</h2><p>Setting benchmarks for the area selected for improvement gives internal audit a measuring stick to use throughout the project. Questions to ask include: </p><ul><li>What are the performance standards for the operations of this area? <br></li><li>What are the best practices for this function? <br></li><li>What are the key perform-ance indicators? <br></li><li>How should the function measure success? <br></li></ul><p><br>At the aerospace company, internal audit began its project by benchmarking its practices against other procurement functions. In addition, the auditors leveraged resources such as manufacturing forums and functional publications to identify improved practices for all significant procurement processes from requisitions, to soliciting bids, to certifying suppliers, to establishing master agreements, to creating purchase orders and rating suppliers. </p><h2>Identify Improvement Opportunities</h2><p>Performing gap analysis and process analysis enables internal audit to identify inefficiencies, non-value-added tasks, and other opportunities for improvement. In gap analysis, the objective is to identify the areas where there is a gap between the actual performance of the function and the benchmark. Gap analysis can be performed by gathering policies, key performance indicators, and interviews on practices and then comparing the actual practices to the benchmark.</p><p>For process analysis, flowcharting is a good approach to identifying opportunities for improvements in process efficiency and control design. The goal is to not only have an efficient process, but also have efficient design and placement of controls. Often, organizations add controls as a process evolves. In these situations, the controls tend to be an afterthought and as a result, the controls are manual and occur at the back end of the process. </p><p>Throughout process analysis, internal audit should continually ask: </p><ul><li>Has there been appropriate use of technology? <br></li><li>Have processes and controls that can be automated, been automated? <br></li><li>Can the process be streamlined? <br></li><li>Can controls be moved from the back end of the process to the front end?<br></li></ul><p><br>​The aerospace company’s internal audit function found several opportunities to improve procurement processes. For example, it discovered that some purchase orders were being issued without final engineering specifications and negotiated firm prices. Additionally, the procurement function was not benefiting from the negotiated prices in the established master agreements and blanket purchase orders it had established.</p><h2>Test Transactions</h2><p>As with an assurance project, most process improvement projects should include tests of transactions and the effectiveness of controls. The difference with a process improvement project is that there is additional focus on assessing not just control effectiveness but also process effectiveness, cost, and efficiency. </p><p>Testing should include performing data analysis and collecting empirical support for all issues identified. These efforts should provide convincing statistical evidence to support the issues to be included in the project report. If internal audit cannot develop convincing statistical support for an identified issue, the team should ask whether the issue really is significant. </p><p>At the aerospace company, the purchase orders issued without firm prices and without final engineering specifications took on added significance when the team quantified how frequently this was occurring. The data analysis indicated that the problem involved a surprisingly high percentage of purchase orders.</p><h2>Understand Root Causes</h2><p>For each issue, the internal audit project team should drill down past the surface problem to understand the root cause. Determining the root cause of an issue may require substantial analysis, involving considerable time and effort. In many cases, management already may be aware that an issue exists. The project adds value by providing a solution to the root cause.</p><p>At the aerospace company, internal audit analyzed why the procurement function was not providing engineering details and negotiating firm prices for so many purchase orders. The surface answer was that buyers were not performing their responsibilities appropriately. But the root cause was far more complex. The company’s end customer was not providing sufficient engineering details for the final product timely. Another contributing factor was the long lead time needed for suppliers to fabricate some parts being procured. </p><p>As a result of these and other root causes, the procurement function did not have the engineering details available to provide to the vendor and did not have sufficient information to negotiate a final price. The procurement function’s buyers could not solve these root causes on their own. In fact, the buyers were frustrated by this problem. Procurement needed additional and more timely information from the customer. To obtain this information, procurement needed assistance from the sales and contracting functions, as well as business-unit leaders. </p><h2>Create Solutions</h2><p>Once the project team has identified the issues, the next step is to develop solutions. Some internal audit functions develop recommended solutions and present them to the process owner. A better practice in process improvement projects is to work with the process owner to gain buy-in and agreement with the root cause analysis and to build an action plan together to address the root causes. </p><p>The aerospace company’s internal audit function worked closely with the procurement process owners to gain their agreement on the root causes and to jointly develop the solutions. For the issue that involved getting more timely engineering specifications from the customer, the action plan included enlisting the support of the other functions needed to solve this problem, such as sales, contracts, and business-unit leaders. </p><h2>Tell the Story </h2><p>The best approach to reporting on process improvement projects is to keep the report succinct while still telling the business story. As with any communication that auditors want executives to read, the business process improvement report should be concise. </p><p>In building the report, internal auditors should start with the most important issues first. If the report doesn’t begin with the headlines, the reader may never get to its most important issues. Auditors should prioritize report issues using the lens that management uses — not a compliance or audit perspective. Another good practice is to provide a one-page executive summary. Using a PowerPoint format rather than a Word document may be more effective, depending on the audience.</p><p>Auditors should make the corrective action plan an integral part of the report so that they not only explain the root causes of the issue, but also provide the steps to resolve the issues. In many cases, auditors can structure the report so that the main focus and format is the corrective action plan. This approach also can help strengthen internal audit’s reputation as a business partner.</p><p>The audit department at the aerospace company included a short executive summary at the front of its report about the procurement review, which highlighted the 10 most important issues and stated the planned corrective actions. The detailed report provided additional information about those issues and also included other issues that were important to communicate.</p><h2>Manage the Message</h2><p>When internal audit is close to issuing a project report, it should have face-to-face meetings with the executive recipients of the report. No matter how well the report is written, this personal interaction can aid in making sure the message is communicated accurately. These meetings are an opportunity to build closer relationships with business leaders.</p><p>For the aerospace company’s procurement project, the CAE held multiple discussions with the management of the procurement function and met with the CEO and general counsel who had been the executive sponsors. The report and meetings helped these executives understand the project results and the significance of the issues. As a result, the CEO tasked the leader of the business unit and the procurement function with carrying out the action plan. </p><p>The business-unit leader was best placed to address the customer-related issues as well as other issues that needed executive support. The procurement leader and business-unit leader laid out a time line and worked together to carry out the action plan. The CEO asked the procurement leader to provide regular updates on the status of the corrective action plan. Both the CEO and general counsel participated in these status meetings and helped to keep a focus on making progress. Over time, the procurement function implemented the corrective actions, and the project led to substantive positive change in the company’s procurement processes.</p><h2>Improvement Advisors</h2><p>Internal audit’s independence, process analysis skills, and knowledge of the organization’s procedures and operations create the perfect mix of talents needed to provide high-quality process improvement services. Because the audit function is already intimately familiar with the business, it can get to the root causes quickly and offer advice that is tailored and specific. ​</p>James E. Schulien1
A Clear Picturehttps://iaonline.theiia.org/2018/Pages/A-Clear-Picture.aspxA Clear Picture<p></p><p>Examples of governance breakdowns in public- and private-sector organizations are plentiful, from avoidable cyber breaches to scandals fed by toxic or misaligned cultures. Whatever the causes, problems in governance and risk management are invariably at the heart of many organizational failures. With such potentially dire circumstances, one would imagine that supporting and nurturing good governance would be the first priority of every member of the organization. However, there are plenty of examples where ignorance of sound governance practices — whether actual or willful — are to blame.</p><p>One of the root causes of Wells Fargo’s fake account scandal was a decentralized governance structure that allowed its community bank leadership to shield the board from understanding the scope and significance of the problem. According to a report from the bank’s board, the decentralized structure and the bank’s culture also handicapped efforts to identify and address the problem.</p><p>At Equifax, whose 2017 cyber breaches exposed the personal data of nearly half of the U.S. population, the governance breakdown appears to be tied to poor oversight of IT controls. A June 2018 settlement between Equifax and eight states that brought suit against the credit-rating agency focused corrective action on a strict audit regimen of IT controls by internal audit and aggressive oversight by the board. The unstated message is that a lack of such assurance and oversight contributed to Equifax’s epic breach.</p><p>Preventing what at times seems like an epidemic of high-profile governance failures would appear overwhelming. After all, what can one person or group of people do to stop it? The easy answer is to hope executive leadership and the board have developed strategies to strengthen governance practices and put in place sufficient internal controls to successfully identify and mitigate risks.</p><p>Ultimately, internal auditors must do their part. They must have an innate understanding of their vital role in good governance and embrace that it is part of their job to zealously promote that role and the value internal audit provides the organization. Internal audit cannot afford to sit back and let others dictate its role based on a skewed or myopic view or, worse yet, on an agenda that doesn’t put the organization’s success first.</p><p>Internal auditors, especially chief audit executives (CAEs), must make it a priority to educate executive management, audit committees, or other governing bodies on the conditions where internal audit can thrive and provide high-quality assurance, advice, and insight. Heads of audit must invest in developing relationships with the CEO, chief financial officer (CFO), and board to become trusted advisors. The relationship the CAE has with the CEO/board must be the same as the CEO/CFO or CEO/general counsel relationship — one that is mutually trusting and mutually respectful, especially where each needs to do what is necessary in their respective roles. Lastly, the CAE needs to be in meetings with the CEO, CFO, and executive vice president to hear what’s going on. </p><h2>Control the Message</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <style> .ExternalClass p.p1 { line-height:12.0px; font:14.0px 'Interstate Light'; } .ExternalClass span.s1 { vertical-align:1.5px; } </style> <p> <strong>Getting the Message to Stakeholders​</strong></p><p>Successful communication is key for chief audit executives (CAEs) to build strong and mutually beneficial relationships with their audit committees. That partnership can be achieved with a few simple guidelines.<br></p><p> <strong>Communicate the value.</strong> Ultimately, internal audit’s product deliverable is not the work done on engagements. It is what is communicated to stakeholders about what those engagements found. Internal audit must make clear to stakeholders why its recommendations matter to the organization and how it will help protect it from risks or leverage risks to help it reach its goals.<br></p><p> <strong>Learn to listen.</strong> Listen to learn. Most people listen to respond. Internal auditors must listen to learn. Often, internal audit’s best work can come from understanding what is said, but also from what is not being said.<br></p><p> <strong>Keep it short. Keep it simple.</strong> Executive management and boards/audit committees are constantly being pulled in multiple directions. In​ternal audit must respect this and provide concise and precise information to stakeholders. <br></p><p> <strong>Invest in building relationships. </strong>The challenge in building relationships is that work gets in the way. Heavy workloads for CAEs and frontline auditors can make it easy to put relationship building on a back burner. Make the time. Frontline auditors can schedule two or three hours a week to get to know department or division managers and the work they do. CAEs should meet regularly with audit committee chairs. Investing a few hours can pay dividends in the long run.<br></p><p> <strong>Commit to excellence.</strong> Convincing stakeholders of internal audit’s value is tied to providing the highest quality service possible. ​<br></p></td></tr></tbody></table><p>The principal challenge in getting internal audit’s complex message to stakeholders is controlling the message, itself. Internal audit cannot allow others to define what it does. When control of the message is lost, misconceptions and misperceptions about internal audit creep in. Internal audit can best control the message through articulation and demonstration — what is said to stakeholders and what is done to earn their trust.</p><p>The message articulated to stakeholders must be clear and convincing. IIA President and CEO Richard Chambers provides a great example of that in his February 2018 blog post, <a href="/blogs/chambers/2018/Pages/Internal-Audit-Advocacy-Actions-Speak-Louder-Than-Words.aspx">“Internal Audit Advocacy: Actions Speak Louder Than Words.”</a> In the post, Chambers hones in on three key messages that internal auditors should promote to stakeholders:</p><ul><li>When the internal audit function is effective, the organization is made stronger.<br></li><li>The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> provides the foundation for high-quality audits that help ensure complete, accurate, and reliable information is reported to the board. <br></li><li>Certified internal auditors demonstrate proficiency in the profession and are better equipped to deliver high-quality audits in accordance with the <em>Standards</em>. <br></li></ul><p> <br>Demonstrating what internal audit does and how it brings value to the organization is up to the CAE, internal auditors, and audit committee. Striving to provide the best service possible means understanding the business, continually honing and expanding skills, examining efficiency and effectiveness, and conforming to the <em>Standards</em>. </p><p>But how do all these pieces come together for the benefit of the organization? Each has a part to play in communicating to stakeholders the importance of internal audit in supporting good governance practices. </p><h2>The CAE’s Role</h2><p>The CAE is the face of internal audit for executive management and the board/audit committee. This individual serves as liaison, ambassador, and advocate for both the function and the profession. It is imperative, therefore, for CAEs to develop stakeholder relationships built on trust and a deep understanding of internal audit’s value to the organization.</p><p>This requires that internal audit deliver on its promises. CAEs must build teams that:</p><ul><li>Understand the business.<br></li><li>Understand the company’s strategy and value of key initiatives.<br></li><li>Are versed in the variety of risk areas, including cybersecurity and IT.<br></li><li>Embrace technology.<br></li><li>Constantly work to expand their knowledge and skills. <br></li></ul><p> <br>The CAE’s integrity must be beyond reproach, and that integrity must carry through to each member of the team. Building trust requires an unwavering commitment to independent and unbiased assessments of the organization’s governance policies and internal controls.</p><p>CAEs also must be willing to speak truth to power. One of the core services that internal audit should provide is asking the hard questions and exposing faults others within the organization may be reluctant to address. With this as a foundation, the CAE can convince stakeholders of internal audit’s value and educate them on what internal audit needs to operate at the highest levels. </p><h2>The Practitioner’s Role</h2><p>For individual auditors who make up the team, the role is relatively simple: They should deliver their best possible work with the highest levels of integrity, objectivity, and independent thinking, and invest in growing their skills. I often ask audit staff to put the pen down and tell me three key or strategic insights they have right now in the work that’s in front of them. This is an easy question to answer for staff members who invest in their talent development. CAEs must be able to trust that team members will deliver on the promises they make to stakeholders.</p><h2>The Audit Committee’s Role</h2><p>The audit committee, in many ways, holds the keys to internal audit’s success. As the principal contact between internal audit and the board, the audit committee must be converted into internal audit’s ally and defend it with the same zeal as the CAE. This must be real and true support. The audit committee that stands with its CAE is 100 times better than the audit committee that stands behind its CAE.</p><p>Obtaining support requires educating the audit committee about its obligations. The minimum requirements for the audit committee that CAEs must articulate at every opportunity include: </p><ul><li>Understanding that its obligation to internal audit is as important as its obligation to external audit.<br></li><li>Remaining involved in the hiring, firing, review, and remuneration of the CAE. Turning over all but final approval of these steps to management creates the risk of demoting or diluting internal audit’s role as a truly independent assurance provider. <br></li><li>Being open to communicating with the CAE without executive management present. <br></li><li>Demanding the highest quality internal audit function and being willing to resource the function and guarantee its independence to get it.<br></li></ul><p> <br>These steps are crucial to getting the best internal audit function possible. As the relationship matures, the audit committee can become more than just internal audit’s ally. It can become its partner. Success comes when the CAE and audit committee stand together.</p><p>The biggest challenge, by far, is to make the case for internal audit to busy board and audit committee members. The IIA provides many tools to help educate and convert stakeholders to internal audit’s cause (see “Help Stakeholders Understand and Value Internal Audit” below​). </p><h2>Everyone Benefits</h2><p>Internal audit practitioners face a wide variety of challenges to provide consistent and high-quality assurance and advisory service to their stakeholders. Laws, regulations, inadequate resources, competition from accounting firms, and lack of educational support resources can make getting the job done a Herculean task.</p><p>But as growing demands on stakeholders translate to growing demands on internal audit, it is imperative that the relationship between them be effective. This must begin with educating stakeholders on internal audit’s needs, its value to the organization, and the necessity for all the players in the governance process to see the benefits of a symbiotic relationship. ​</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <br> <p> <strong>Help Stakeholders Understand and Value Internal Audit​</strong></p><p>The IIA provides numerous tools to support chief audit executive communication with executive management, the audit committee, and the board. These tools explore pressing issues facing organizations and provide foundational support for understanding internal audit and its role in good governance.<br></p><p> <strong class="ms-rteThemeForeColor-1-0"> <a href="http://theiia.mkt5790.com/tone_at_the_top_form?sessionGUID=eb66d473-8511-3c28-1456-a8d2e9e3847e&sessionGUID=2b644942-44ea-03e2-7291-4d6541991a43&sessionGUID=82a2a62d-38eb-dd6e-4ce9-03292428b5ad&webSyncID=d8b6145c-2237-1aad-6214-6abd6b787981&sessionGUID=82a2a62d-38eb-dd6e-4ce9-03292428b5ad"> <font color="white">Tone at the Top​</font></a></strong> This bimonthly newsletter provides boards, audit committees, and executives with information on issues such as risk, control, and governance. Each edition features a Quick Poll that offers insights on how others approach issues addressed in the previous edition.<br></p><p> <strong> <a href="https://global.theiia.org/about/about-internal-auditing/Pages/Position-Papers.aspx"> <font color="white">Global Position Papers</font></a></strong> ​These articulate The IIA’s positions and perspectives on vital governance and control issues, from the value of conformance to the <em>International Standards for the Professional Practice of Internal Auditing</em> to internal audit’s role in good governance. Their Key Takeaways and 5 Questions features are designed to quickly provide information and insights to busy executives and board members.<br></p><p> <strong> <a href="https://na.theiia.org/about-ia/PublicDocuments/global-advocacy-platform-pillars-of-good-governance.pdf"> <font color="white">Global Advocacy Platform and Toolkit</font></a></strong> The Global Advocacy Platform offers practitioners and affiliate leaders several tools to advance their advocacy efforts, including an advocacy planning tool, stakeholder analysis tool, templates, presentations, fliers, brochures, and videos.​</p><p> <a href="https://na.theiia.org/periodicals/Pages/Global-Perspectives-and-Insights.aspx"> <strong> <font color="white">Global Perspectives and Insights</font></strong></a> This periodic publication offers insight and direction on key issues, with perspectives that resonate globally.​​</p></td></tr></tbody></table><p></p>Gregory Grocholski1
Certification: Where to Begin?https://iaonline.theiia.org/2018/Pages/Certification-Where-to-Begin.aspxCertification: Where to Begin?<p>​Earning a certification can enhance an internal auditor’s career by demonstrating his or her subject-matter expertise and commitment to the profession. In the process of studying for a certification, an auditor can develop and practice time management skills similar to those used on an audit, which provides a solid foundation that can increase workplace performance and efficiency. Additionally, immersing oneself in a certification study program will improve an auditor’s ability to learn and fosters curiosity. </p><p>While the benefits are clearly demonstrated, it can be overwhelming choosing which certification to pursue. Auditors should ask themselves several questions when making this important career investment.</p><h2>What Should I Pursue?</h2><p>The IIA offers certifications, designations, and qualifications that can provide value along different points of an internal auditor’s career path. The certifications and designations that demonstrate core competency include the Certified Internal Auditor (CIA), Internal Audit Practitioner (IAP) — which can be applied for after passing part one of the CIA exam — and the Qualification in Internal Audit Leadership (QIAL). The CIA is the only globally accepted certification for internal auditors and is the standard by which individuals demonstrate their professionalism. The QIAL  is for aspiring leaders and current audit executives looking to further establish credibility and successfully lead an audit team.</p><p>The certifications that demonstrate subject-matter expertise include the Certification in Risk Management Assurance (CRMA) and the Certification in Control Self-Assessment (CCSA). The CRMA establishes credibility as an advisor on risk and the CCSA positions auditors to drive organizational change.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Changes to IIA Certifications</strong></p><p>The IIA is respositioning its Certification in Control Self-Assessment (CCSA), Certified Financial Services Auditor (CFSA), and Certified Government Audit Professional (CGAP) programs. </p><ul><li>The CCSA program will be integrated with the Certification in Risk Management Assurance (CRMA) through the next CRMA exam update.</li><li>The CFSA and CGAP exam will transition to an assessment-based certificate program.</li></ul><p> <br> </p><p>The last day The IIA will accept new CCSA, CGAP, and CFSA certification applications is Dec. 31, 2018. These certifications will continue to remain valid, supported by IIA training, and require annual continuing professional education credit reporting. Those who currently hold CGAP, CFSA, and CCSA certifications and want to obtain the Certified Internal Auditor credential may register to take the challenge exam from April 1, 2019, through Dec. 15, 2020. For more information, visit <a href="http://www.theiia.org/" rel="nofollow" target="_blank"> <span class="ms-rteForeColor-8">www.theiia.org</span></a>. </p></td></tr></tbody></table><p>Industry-specific certifications include the Certified Government Auditing Professional (CGAP), Certified Financial Services Auditor (CFSA), Certified Process Safety Auditor (CPSA), and Certified Professional Environmental Auditor (CPEA). Each of these demonstrates subject-matter expertise on industry-specific risks. Changes to the CCSA, CFSA, and CGAP certifications are coming in 2019 (see “Changes to IIA Certifications,” right). </p><p>There also are certifications offered by other associations that would benefit auditors who assess an organization’s IT and business systems (ISACA’s Certified Information Systems Auditor) or who want to become experts in fraud detection, prevention, and deterrence (Association of Certified Fraud Examiners’ Certified Fraud Examiner). Auditors should research any certification requirements with the organizations that own them. </p><h2>What Makes Sense for My Career?</h2><p>Auditors should consider where they are professionally and what skills they need to grow. Professional growth can mean moving into management positions or increased contributions as an individual.</p><p>For example, an experienced auditor can demonstrate his or her breadth of knowledge and subject-matter expertise by obtaining an industry specialty certification such as the CFSA or CPSA. An audit manager who is a CIA with career aspirations of audit director or chief audit executive (CAE) could demonstrate commitment to the profession and leadership abilities by earning the QIAL, which has experience and education requirements. The IAP is a great starting point to demonstrate a commitment to the profession while working toward a longer term goal of the CIA.</p><p>It is important to know that some certifications have eligibility requirements, such as education, work experience, formal training, and character references. For example, CIA candidates with a four-year degree must obtain a minimum of 24 months of internal audit experience or its equivalent. A master’s degree can substitute for 12 of the required 24 months. Candidates without a four-year degree can substitute work experience according to the eligibility guidelines. Familiarity with the requirements can help guide professional development efforts through one’s audit career.</p><p>Auditors can start their work toward a certification before they meet all the entry requirements. In some instances, professionals can sit for the exam without having met the work experience requirement and earn the certification once they have accumulated the years needed. The entry requirements — and exit requirements for some certifications — ensure the consistency and integrity of IIA certified professionals.</p><h2>What Makes Sense for My Team?</h2><p>Another factor to consider is the skill of the audit team, overall. If there is a solid concentration of experience, it makes sense to add breadth with a new skill. Does the team have a subject-matter expert on risk management? If not, it might make sense to pursue the CRMA to demonstrate expertise on risk assurance and governance processes. </p><p>Auditors should talk to their CAE about their professional development plan to ensure that the department and personal training goals are in alignment.</p><h2>What Makes Sense for My Life?</h2><p>Studying for any certification is a time commitment, which can vary depending on the certification. After reviewing the certification requirements to determine the number of exams per certification, testing center locations, exam syllabus, and overall time investment, an auditor can make a better informed decision regarding what commitment is appropriate. </p><p>Auditors also should consider how to study. Does this certification have an online training module, study book, or in-person course? How will training fit into the auditor’s life? Reaching out to one’s professional network is also recommended. Colleagues at work or in a local IIA chapter may have valuable insight on time management, study requirements, and other considerations an individual may not think about. In addition, auditors should consider joining an exam-related social media group to connect with others preparing to sit for the test. There are LinkedIn groups and Facebook pages dedicated to preparing for the CIA exam.</p><h2>Elevating the Profession</h2><p>A professional certification can be a worthwhile investment in an internal auditor’s future. To realize the value, professionals should carefully assess what makes sense for their career, team, organization, and overall life situation. Ultimately, a decision to pursue certification elevates not only the status of the internal auditor and adds value to the organization, but advances the profession, as well.<br></p>Dana Lawrence0
Emerging Leaders: 2018https://iaonline.theiia.org/2018/Pages/Emerging-Leaders-2018.aspxEmerging Leaders: 2018<p>F​or a diverse group, this year's Emerging Leaders are surprisingly unified on important aspects of their expanding influence in internal audit. For example, they're unanimously enthusiastic about supporting the profession, through internal and external advocacy, association activity, and educating undergraduates about career opportunities. Moreover, they're uniformly confident they'll rely more on technology to do their jobs tomorrow, and they expect their audit work to involve more IT assessment across the board. And they're looking forward to it — they're confident they have, or can easily acquire, the skills they'll need to stay on top of technological evolution, whatever it turns out to be. Indeed, many of them are already tech leaders at their organizations, providing guidance on audit applications up and down the reporting ladder. But perhaps what unifies them most is that they all want to change the face of the profession and improve it in the eyes of stakeholders. Yet the 2018 Emerging Leaders aren't abandoning the profession's established high standards and effective practices. Instead, they see a bigger picture of internal audit — one that shows practitioners' unique access to and understanding of areas across the business and the diversity of information and advice they can provide. The 2018 class expects to play a meaningful role in their organizations' operations and success, to be sought out as trusted advisors, to track trends inside and outside their enterprises, to provide key data and insights to management on strategic issues, and to assist in assessing the results of their organizations' efforts.</p><h2><img src="/2018/PublishingImages/Alex%20Hardy.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Alex Hardy, CIA, CA </h2><p> <em> <strong>30, Associate Director, Audit & Advisory</strong></em><br><em><strong>Prosperity Advisers Group</strong></em><br><em><strong>Newcastle & Sydney, Australia </strong></em></p><p>Alex Hardy has big ambitions, and one of them is helping young professionals move forward in their careers. “His ambition to attain a partnership role at the company is guided by his vision of transforming the firm’s audit practice and capitalizing on technological opportunities,” says colleague Stephen Coates, a director at Prosperity Advisers Group. But Hardy’s proudest achievement, Coates adds, is being a mentor to junior staff. Already, Hardy is a founding member of the company’s Employee Advisory Board and, beyond the firm, he was named to the inaugural IIA–Australia Youth Leadership Committee. The University of Newcastle graduate is also executive director at Hunter Young Professionals, which provides opportunities for young people to network in a business environment. Indeed, says Bryant Richards, associate professor of accounting and finance at Nichols College and one of this year’s Emerging Leaders judges, “No longer emerging, this individual is a current leader of the profession.” Hardy presents weekly to boards, shareholders, and management on audit outcomes and opportunities for improvement. And he provides pro bono professional services to Renew Newcastle, Cooks Hill Surf Lifesaving Club, and Ronald McDonald House. He also talks a lot about technology. “If you don’t know what blockchain, AI, big data, and real-time access mean, then you are already behind the eight ball,” Hardy says. “All of them are game changers, and a degree of fluency is important for future success.”</p><h2><img src="/2018/PublishingImages/Robin%20Noack.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Robin Noack, CIA, CPA</h2><p> <strong> <em>29, Audit Manager</em></strong><br><strong><em>Federal Home Loan Bank of Pittsburgh</em></strong><br><strong><em>Pittsburgh</em></strong></p><p>Robin Noack understands that effective internal audit demands interaction with other areas of the business. The Pennsylvania State University graduate made a concerted effort to learn Federal Home Loan Bank of Pittsburgh's new governance, risk, and compliance application — and ultimately developed many of the ways the internal audit department puts it to use, notes colleague Dawna Fisher, senior manager at Federal Home Loan Bank. "She also developed a strategy for optimizing interactions with other departments to ensure identification of business unit risks and controls is complete and accurate," she says. Noack's strategy — established by coordinating with other lines of defense within the bank and working closely with the business units — enables internal audit to track audit-related issues that need validation and provide the follow-up on them that regulators require. Her team also prioritizes in-person interaction with clients. "We make every effort to socialize throughout the bank, building trust and positive relationships," Noack says. Business unit leaders regularly request her insights on hot topics and emerging risks in the financial services sector. Noack says knowing the business is part of the job. "It would be impossible to effectively audit a business unit without an intimate understanding of how it works or without strong relationships with the people within that unit," she explains. Additionally, Noack calls on the profession to better educate clients on the value internal audit delivers to the organization. "Everything we do as internal auditors is to protect the business' interests and correct any mistakes before it's too late," she points out. Outside the office, Noack donates time to the local DePaul School for Hearing and Speech and the Pittsburgh Botanic Garden. </p><h2><img src="/2018/PublishingImages/Justin%20Finn.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Justin Finn, CIA</h2><p> <strong><em>28, Assistant Vice President, Senior Auditor</em></strong><br><strong><em>Bank of America</em></strong><br><strong><em>Plano, Texas<br></em></strong></p><p>Justin Finn is “the auditor of the future, possessing both audit and analytical skills,” according to his supervisor, Jim McCole, senior vice president and audit director at Bank of America. Finn, a University of North Texas graduate, started out in the firm’s straight-from-college Corporate Audit Analyst Program, picking up business audit skills in issue validation, point-in-time audits, regulator issues, and continuous audit work in his first rotation. And with no previous Structured Query Language (SQL) experience, he learned to execute automation work relating to data analytics, exception testing, and continuous monitoring testing in the rotation that followed. Finn now serves as instructor for Corporate Audit’s SQL training program and as “automation sponsor” for the bank’s Audit Automation Analytics Champion program. “For sure, technology and the way we understand data will lead things forward,” Finn says. One example is data analytics and automation that enable full-population testing, eliminating the need for a sample approach, he says; another new technology that internal audit is adopting is artificial intelligence-driven ongoing monitoring that replaces some task work. Both require practitioners to develop new data analytic skills and delve beyond a superficial understanding of the technology. At Bank of America, Finn’s internal audit department focuses on finding and extracting data to create custom automation tests to help business line auditors with their own testing. “We can take the data and adapt it,” he says, “whether the internal audit client is looking for graphs or trends analysis, we can take the data and make a more meaningful picture.” Outside the office, Finn finds meaning in charitable work, volunteering at the local Ronald McDonald House and for Operation Kindness’ no-kill animal shelter.</p><h2><img src="/2018/PublishingImages/Linh%20Mai.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Linh Mai, CIA, CISA</h2><p> <strong><em>27, Senior, IT Risk Assurance</em></strong><br><strong><em>EY</em></strong><br><strong><em>Dallas</em></strong></p><p>Linh Mai is passionate about internal auditing and about sharing his knowledge of the profession. Indeed, The University of Texas (UT) at Dallas graduate served as the university's IIA/ISACA/ACFE student chapter president as an undergraduate and at the same time was a teaching assistant at UT Dallas' Center for Internal Auditing Excellence. He also became "the face of the UT Dallas Internal Auditing Education Partnership (IAEP) program," says Center director Joseph Mauriello. "As student coordinator, he worked with leading internal audit departments and professional services firms to introduce themselves to UT Dallas IAEP participants." Mai also organized student volunteer efforts for the IIA–Dallas Super Conferences and the UT Dallas Fraud Summit. He has since delivered numerous addresses to internal audit audiences  on developing student organizations, and he volunteers with ISACA's North Texas Chapter. At EY, he leads audits on areas ranging from Sarbanes-Oxley compliance to cybersecurity. "Sometimes innovative thinking is a matter of thinking differently about an existing innovation," Mauriello says. "He accomplishes this through his advocacy efforts." Part of his message is the reality of the profession's role. "I had the impression that most companies, operations, and internal audit functions were mature," Mai says. "However, the reality is there is significant potential for audit functions to generate value by advising and consulting on improvements in business processes." He adds that he's inspired and motivated by the vast opportunities for internal audit to help stakeholders, especially with the aid of technology. "I envision more processes, such as internal controls over financial reporting, requiring less overhead while providing more useful data," Mai explains, "allowing internal audit a greater opportunity to become advisors and freeing them from strictly regulatory or compliance functions." </p><h2><img src="/2018/PublishingImages/Kamal%20Jishan.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Kamal Uddin Gazi Jishan, ACCA </h2><p> <strong> <em>28, Deputy General Manager, Internal Audit</em></strong><br><strong><em>BRAC</em></strong><br><strong><em>Dhaka, Bangladesh</em></strong></p><p>Kamal Uddin Gazi Jishan tackles complex assignments every day — some technologically complex, some more logistically so. Nanda Dulal Saha, director of Internal Audit at BRAC, says a recent operations-level, organizationwide risk assessment and the adoption of a new system audit approach required “strong and controlled teamwork” to deliver the audit strategy, risk assessment, and reporting — and Jishan was part of those teams. The organization’s internal audit department numbers more than 300, one of the biggest anywhere in the world. Jishan, an Oxford Brookes University graduate, also led a project to automate the department’s report compilation and comparative results analysis, using customized internal audit management system software to pilot the automation before a successful launch. Jishan was recently assigned to the organization’s Kabul-based Afghanistan operations for a country office audit. “I try to gather as much information as possible on the entity before the actual visit by browsing through financial information, management reports, and information available on websites,” Jishan says. “I like to bring as much familiarity as possible with the operations of the project as well as the environment.” Away from the office, Jishan is active in the Bangladeshi audit and accounting community and, Saha says, “he takes pride in representing the global profession of internal audit — The IIA — and promotes membership and certification to that peer group.” Indeed, Jishan reports that he’s looking forward to the CIA Challenge Exam this month; he also emphasizes the value of seeing the bigger picture. “We need to remind ourselves every time of the broader objectives of an engagement,” Jishan advises, “and to focus less on finding out irregularities and more on building a strong, progressive relationship with management.”</p><h2><img src="/2018/PublishingImages/Nick%20Geffers.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Nick Geffers, CIA</h2><p> <strong><em>30, Business Risk Manager</em></strong><br><strong><em>Thrivent</em></strong><br><strong><em>Appleton, Wis.</em></strong></p><p>Nick Geffers likes to build relationships and bring people together. Last year, he was invited to join The IIA’s Young Professionals Task Force, says the Task Force’s IIA North American Board liaison Seth Peterson, vice president and internal audit manager at The First National Bank in Sioux Falls and past Emerging Leader. Geffers has since been a key player in the group’s outreach initiatives, aimed at establishing connections with local chapters and enhancing collaboration. The University of Wisconsin Oshkosh graduate focuses on consulting and risk management assurance engagements at Thrivent and, Peterson adds, he recently became director of development for the company’s Young Professionals Network. “Getting involved with young professionals groups gives us a voice and a bigger part in our profession,” Geffers says. “The power of connection is priceless.” He adds that participating in these groups will always be “incredibly important,” noting that it enables professionals to become connected to something greater than themselves and provides endless opportunities to make an impact. Geffers also supports The IIA’s Fox Valley Chapter as a past president and active board member. “While president, he created templates and standard processes, worked to add new board members from unrepresented organizations, and helped strengthen interchapter relations within the district,” Peterson says. In fact, Geffers says one aspect of the profession he likes even more than he anticipated is the amount of personal interaction involved — it’s one of his favorite parts of the job. He also notes that the more internal auditors connect with others, the more value they can provide — if they’re paying attention, that is. “As we move to becoming true strategic partners,” he says, “we need to listen more to our stakeholders.”</p><h2><img src="/2018/PublishingImages/Jamie%20Olson.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jamie L. Olson, CIA</h2><p> <strong><em>29, QAIP Project Manager</em></strong><br><strong><em>U.S. Bancorp</em></strong><br><strong><em>Minneapolis<br></em></strong></p><p>Jamie Olson loves learning, and in internal auditing, she says, she’s “constantly learning something new.” The University of Minnesota Duluth graduate started at her current company as a staff auditor in Corporate Audit Services (CAS), then became a senior auditor, and is now the department’s Quality Assurance Improvement Program project manager. Olson was one of 14 U.S. Bank employees selected for a year-long program established to “demonstrate how U.S. Bank is ‘the bank of choice for millennials,’” reports colleague Krista Naccarato, senior audit manager. That program includes collaboration with senior management and committees across the bank, she adds. Olson values her unique opportunity to participate in the program. “It allows me to meet with leaders in the organization to learn more about their business areas and support the bank on a companywide level,” she says. She meets often with professional peers as well, as treasurer and past vice chair of the Young Professionals Committee of The IIA’s Twin Cities Chapter. That emphasis on relationship-building positively impacts her career, she says, by broadening her network and helping her better articulate risks and how they relate to the company as a whole. Those risks, she adds, are becoming increasingly digital, noting that practitioners need to embrace new technology to become more efficient and effective leaders. “If I could change one thing about the profession, it would be the SALY [same as last year] testing mentality,” she says. “We need to keep looking toward the future, and not just focus on the current state.”</p><h2><img src="/2018/PublishingImages/Michelle%20Chelemer.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Michelle Chelemer, CIA, CPA</h2><p> <strong><em>29, Senior Audit Manager, SunTrust Audit Services</em></strong><br><strong><em>SunTrust Bank </em></strong> <br> <strong> <em>Atlanta</em></strong></p><p>Internal auditing is enhanced by creativity. Michelle Chelemer displayed it in spades when she developed a new way to evaluate her company’s sales practices, says manager Joshua Mountz, audit director at SunTrust Bank. The Oglethorpe University graduate “created a cookie dough start-up company and performed secret shopping at branches,” Mountz says, “providing meaningful issues for management to consider that will impact our client experience going forward.” Chelemer explains that the project assessed the accuracy of teammate product knowledge and evaluated marketing materials. “The experience was exhausting, but exciting,” she says. The project received executive-level attention — and appreciation — and inspired organizationwide changes. Mountz adds that Chelemer is seen as a trusted advisor to business partners, and that she’s been recognized at SunTrust with a Gold Performance Excellence Award. He notes as well that she uses the bank’s data analytics resources to examine 100 percent of populations for control testing when feasible and to evaluate automated controls design. She also helps lead recruiting by examining candidates’ qualifications, screening them by phone, and performing interviews; she then trains the new teammates and helps her directors evaluate their performance. Mountz says she’s “the first person that anyone on the team goes to with questions, her directors included.” Chelemer, who also co-founded the Business Leadership Development Fellowship at Oglethorpe and volunteers with the Junior Achievement Discovery Center at Finance Park in Atlanta, thrives on the many areas with which she’s involved. “I’ve always been invigorated by challenges,” she says.</p><h2><img src="/2018/PublishingImages/Brian%20McNalley.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Brian McNalley, CISA</h2><p> <strong><em>30, IT Audit Manager</em></strong><br><strong><em> Macy’s Inc.</em></strong><br><strong><em>Cincinnati</em></strong></p><p>Brian McNalley combines technical expertise and a passion for the profession. “He’s actively involved in The IIA and has a strong focus on data analytics, which is a key area for internal auditors,” notes Jenitha John, CAE at FirstRand Bank and one of this year’s Emerging Leaders judges. “And his chapter leadership achievements are noteworthy.” The University of Cincinnati graduate has been volunteering for The IIA’s Cincinnati Chapter for seven years — in fact, during his time as vice president and president, meeting attendance nearly doubled, notes colleague Branden Keller, a senior IT audit manager at Macy’s. He lauds McNalley’s emphasis on networking events aimed at helping “like-minded auditors meet each other” and his focus on academic relations. “I’m taking on additional responsibilities within academic relations, educating students and getting them involved, to expand The IIA’s presence in the community,” McNalley says. That’s been complicated by a focus on external auditing at local universities, he adds, so the chapter has been holding events to show students the benefits of becoming an internal auditor. The IIA experience, says McNalley, who expects to start exams this fall in pursuit of CIA certification, has been one of the most rewarding of his career. His message to those early-career colleagues: “Getting involved is definitely appreciated and provides some great opportunities.” McNalley also has a strong interest in technology; he’s a data analysis specialist and has built custom scripts to automate testing. “I’d like to continue changing the sample-based testing approach,” he says,” and test full populations with analytics and audit tools.” He also notes that adapting to change is one of the best parts of being an IT auditor. “It keeps our profession from becoming too routine.”</p><h2><img src="/2018/PublishingImages/Haylie%20Kwon.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Hea Mee (Haylie) Kwon, CIA, CPA</h2><p> <strong><em>30, Audit Project Manager</em></strong><br><strong><em>Texas Health & Human Services</em></strong><br><strong><em>Austin, Texas</em></strong></p><p> <strong><em></em></strong>Haylie Kwon wants people to understand internal auditing better. The Korea University graduate says her main emphasis when promoting the profession — to junior staff and university students — is to explain who its practitioners really are. “We are not law enforcement that will find out what you did wrong and punish you,” she says. “I want people to view us more as advisors.” Supervisor Karin Hill, director of internal audit at Texas Health & Human Services, notes that Kwon has ascended the career ladder quickly, and that she is well thought of by those under her supervision. “Staff assigned to her teams are extremely complimentary of her leadership style,” Hill says, adding that Kwon pays compliments, too — she chaired IIA–Austin’s Awards Committee and started the practice of reaching out to volunteers’ supervisors to thank them for supporting staff as they serve the profession. Part of Kwon’s successful style is tracking the evolution of audit clients as they adapt to their own clients’ changing expectations. “We need to be aware of new risks that emerge from those changes,” she explains, “and seek smarter ways to audit so that we can meet our clients’ needs.” That should contribute to a perception shift she feels is crucial, because it affects how internal auditors build relationships with those clients. “We need their cooperation and trust,” Kwon says, “to truly understand the nature of their work and what they are trying to accomplish.” That message needs to be taken to younger audiences, she urges, emphasizing more focus on exposing the profession to undergraduate students — something that she and her classmates never experienced. “As graduates of one of the top business schools in Korea, we were going to be the next generation of business leaders” she explains. “However, we were never exposed to internal auditing, only financial auditing.” Kwon says she was lucky to find her way to internal audit — but bemoans the “many bright young minds that aren’t aware of our profession.” </p><h2><img src="/2018/PublishingImages/Thomas%20Sherrill.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Thomas Sherrill, CPA</h2><p> <strong><em>28, Manager, Assurance and Advisory Management Program</em></strong><br><strong><em>The Home Depot</em></strong><br><strong><em>Atlanta</em></strong></p><p>Thomas Sherrill builds ties that bind — and that save companies money. “He develops strong relationships with his business partners that create open channels for discussion to gain insights into processes and issues,” says his boss, Bob Anderson, vice president of internal audit and corporate compliance at The Home Depot. He adds that the University of North Carolina graduate identifies solutions that provide value to stakeholders and company shareholders — including more than $3 million in cost-out opportunities in just 24 months — and “combines personal relationships with data analysis skills.” The relationships, Sherrill says, are crucial to the audit function’s success. “I always emphasize that creating genuine and strong relationships will make your work personally rewarding,” he explains, “and will allow you to gain information and knowledge around business processes that will help you succeed.” Sherrill, who was awarded IIA–Atlanta’s Mulcahy Leadership Award this year, has led audits across all facets of Home Depot’s business, from mature processes in the finance space to supply chain processes in newly acquired subsidiaries. Additionally, he was last year’s chair of the Diversity and Inclusion Committee for the company’s Internal Audit group. Sherrill also donates time outside of work to help the Empty Stocking Fund distribute toys to underprivileged families during the holidays and pitches in with volunteer landscaping and maintenance assistance at Piedmont Park. Looking toward the future, Sherrill — who recently passed the first set of exams on his way toward CIA certification — says internal auditors will have to keep up with rapidly changing technology by adding skills to their tool sets and continuously learning about new systems and processes. He adds: “The same core characteristics of current professionals — honesty, intellectual curiosity, and ethics — will be as important in the future as they are today.”</p><h2><img src="/2018/PublishingImages/Kyle%20Hebert.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Kyle Hebert, CIA</h2><p> <strong><em>30, Supervisor, Audit Coordination</em></strong><br><strong><em>COBX</em></strong><br><strong><em>Lansing, Mich.</em></strong></p><p>Kyle Hebert understands the importance of institutional memory. When he undertakes major projects, the Northwood University graduate “takes it upon himself to work with others, with a goal of making a positive impact through knowledge sharing, encouragement, and team building,” says former supervisor Sarah Saunders, director, Internal Audit, at Jackson National Life Insurance Co. Indeed, Saunders reports, he approached every project with the intention of growing someone to replace him. In fact, Hebert cites on-the-job mentoring as one of the most beneficial elements of career development. “If you do not have a good mentor, it will be hard to pick up on the important aspects of auditing, such as how to communicate results to a stakeholder,” he says. And he pays it forward, too. Saunders calls him one of the most dedicated volunteers she’s ever seen, explaining that he “jumped in, all in, from day one” at The IIA’s Lansing Chapter, where he now serves as president. Hebert created a new Day of Audit training program and worked to improve relations with local chief audit executives. “Don’t be afraid to get more involved with your career outside your 9-to-5 commitment,” he urges. On the other hand, Hebert cautions that practitioners should be afraid of technological complacency. “We can’t become complacent on the skills we have because they’re becoming obsolete exponentially faster each year,” he says. In his role at COBX, a company within Blue Cross Blue Shield of Michigan’s Emerging Markets division, Hebert oversees the internal and external audit coordination teams, he reports, “ensuring that stakeholders are knowledgeable of what is expected of them from the auditors and regulators, and ensuring that auditors and regulators are receiving information they have requested from the business.” He also leads the department’s annual risk assessment. </p><h2><img src="/2018/PublishingImages/Diego%20Henriquez.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Diego Henriquez, CIA, CPA</h2><p> <strong><em>27, Senior Consultant</em></strong><br><strong><em>Deloitte & Touche LLP</em></strong><br><strong><em>Houston</em></strong></p><p>Just three years into his own career, Diego Henriquez is already assisting others in theirs. The Louisiana State University graduate is a CFO Transition Lab Manager at Deloitte, executing customized eight-hour workshops at some of the world's biggest organizations. The sessions assist new C-suite executives, including chief audit executives and chief financial officers, in analyzing talent, organization, priorities, time allocation, and relationships. Henriquez and his colleagues then work with each individual to develop a 180-day plan for transitioning into his or her new role. "My work on executive transition labs has provided tremendous insight that allows me to better understand how senior executives operate and strategize to deliver results," he says. Colleague Sarah Fedele, a Deloitte principal, notes that Henriquez was recognized as a 2017 IA Transformer of the Month, an award that honors leadership within the practice. Fedele adds: "Ask anyone who has worked with him to describe his leadership style and you'll find a common response: 'He leads by example.'" After work, Henriquez is the Houston Food Bank site lead for Impact Day, Deloitte's firm-wide volunteer event, leading planning efforts and shepherding the participation of more than 300 colleagues. Fedele says he handles that role masterfully and with enthusiasm." He's also an onboarding advisor for Deloitte interns and consultants, and he's heavily involved with the company's campus recruiting efforts. Henriquez is enthusiastic about his work and says internal audit at a professional services firm affords him the opportunity to see a wide range of industries, processes, and departments. "Other professions might focus on one area of a business," he says, "but my work has helped me develop a unique perspective because I am exposed to so many different aspects of my clients' businesses." </p><h2><img src="/2018/PublishingImages/Blake%20Reed.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Blake Reed, CIA</h2><p> <strong><em>28, Accounting Manager, North America Supply Chain Control</em></strong><br><strong><em>Nike Inc.</em></strong><br><strong><em>Memphis</em></strong></p><p>When Blake Reed starts a job, the University of Memphis graduate makes an immediate impact. Applying his understanding of process improvement, finance, and accounting, he establishes himself as a go-to person for internal audit best practices and control guidance. He provides management with specific options for improvement by using data analytics to identify important trends in the enterprise’s workflow. Indeed, he’s “already in a managerial role,” notes Emerging Leaders judge Jenitha John, “which I believe is an achievement for someone his age.” Since being nominated, Reed’s title no longer indicates internal audit, but past posts have included internal audit manager at AutoZone, where he managed Sarbanes-Oxley compliance, oversaw business process audits, and managed the risk assessment and planning process. Reed has also conducted analytic testing of full population transactional data and executed IT audits. “The ability to understand legacy systems and the capabilities of new technologies is going to be the standard moving forward for internal auditors,” he says. “An internal auditor needs to be able to effectively evaluate a system to determine whether it meets the business’ need.” Future practitioners will need to be well-versed in technology and operations to assess and address risk effectively, he adds, but auditor–client interaction will always be just as important — he says he notices its effect on engagements all the time. Reed cites, for example, his clients’ frequent use of the inclusive pronoun “we,” instead of “they,” when discussing a project. “Little things like that let you know you are having an impact and the business sees you as a true value-add partner.” Outside the office, Reed advocates for St. Jude Children’s Hospital and the American Society for the Prevention of Cruelty to Animals. </p><h2><img src="/2018/PublishingImages/Alan%20Nguyen.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Thanh (Alan) Nguyen, CIA, CFSA, CRMA, CCSA</h2><p> <strong><em>30, Manager, Risk Advisory Services</em></strong><br><strong><em>RSM Vietnam Auditing and Consulting Co. Ltd.</em></strong><br><strong><em>Ho Chi Minh City, Vietnam</em></strong></p><p>Alan Nguyen understands the importance of the big picture. "He always focuses on the key objectives of the clients' departments," says former colleague Tham Ta, an audit staffer at Nguyen Kim Holdings. "He regularly updates his knowledge of not only all areas of his organization's operations, but also of the industry as a whole and of business in general." And that, according to Ta, is why Nguyen adapts quickly and provides effective strategic ideas. Many of those ideas, in fact, have contributed "significant improvements to the organization's governance, internal control, and risk management processes," Ta adds. Nguyen says it's part of the job. "As one of four cornerstones of governance, internal auditors need to improve and reinvent themselves," he explains, "and stay updated on not only trends in the industries they work in, but also on global trends." His motivation for learning is simple. "In Vietnam, internal auditing is new, and the profession is being developed slowly," he explains. "Helping it move forward prompted me to develop myself as a professional." Ta reports that Nguyen works actively as a volunteer to help the elderly, orphans, and the homeless. As a practitioner,  he says tomorrow's auditors will, among other qualities, need to be trustworthy, diplomatic, and patient. They must possess strong interpersonal skills, he adds, as well as the ability to think strategically. Nguyen says their reward will be "a holistic view of operations and processes that affords a perfect opportunity to be someone who knows everything about something, and something about everything." </p><p><br></p><p><img src="/2018/PublishingImages/EL_judges.jpg" alt="" style="margin:5px;" /><br></p>Russell A. Jackson0
Editor's Note: Keys to Succeedhttps://iaonline.theiia.org/2018/Pages/Editor's-Note-Keys-to-Succeed.aspxEditor's Note: Keys to Succeed<p>​The October issue of <em>Internal Auditor</em> is always my favorite issue of the year. In it, we recognize the up-and-coming internal audit professionals who are shaping the profession. These bright, young auditors are passionate about practicing, and advancing, internal auditing. They are innovative, and their positivity and enthusiasm are contagious. </p><p>As this year's Emerging Leaders acknowledge, internal auditors face more challenges, and opportunities, than ever. So, what do they say are the keys to success in this evolving profession? The leaders, perhaps unsurprisingly, identify technology as one key, saying they expect to rely more on technology as their careers progress. In fact, technology skills are already an expectation of auditors. As Ernest Anunciacion of Workiva notes in this month's <a href="/2018/Pages/Integrated-Knowledge.aspx">"Eye on Business,"</a> "since technology plays an increasingly large, fundamental role for companies, auditors must fully grasp what's involved and associated with it." </p><p>Certification is another important way in which this year's Emerging Leaders differentiate themselves. In <a href="/2018/Pages/Certification-Where-to-Begin.aspx">"Certification: Where to Begin?"</a>, Dana Lawrence, a risk consultant with Simple Finance, advises readers to consider which certifications to pursue based on what makes sense for one's career and for one's life. </p><p>Richard Anderson adds to the conversation in <a href="/2018/Pages/Ten-Tips-to-Manage-Your-Career.aspx">"Ten Tips to Manage Your Career."</a> Anderson, clinical professor of risk management at DePaul University and a retired partner of PwC, has served as a mentor to many internal auditors throughout his career. In his article, he offers 10 skills that can help internal auditors prosper in today's work environment — skills such as differentiating oneself from one's peers and creating one's own opportunities. </p><p>Internal Auditor's Emerging Leaders, past and present, are a good barometer of what it takes to be successful in internal auditing. Take, for example, the apps they use. Just for fun, Senior Editor Shannon Steffee asked Emerging Leaders from all the way back to 2013 what apps they use to enhance their work and personal lives. In the InternalAuditor.org online exclusive, <a href="/2018/Pages/Powering-Productivity.aspx">"Powering Productivity,"</a> the leaders share the apps they use for travel and expenses, productivity and organization, bridging language barriers, networking, and personal enjoyment. </p><p>Readers can learn more about the 2018 Emerging Leaders in our <a href="/2018/Pages/Emerging-Leaders-2018.aspx">cover story</a>. Thank you to this year's distinguished judging panel, who rated our candidates in the areas of certification, business acumen, leadership, advocacy, community service, and innovative thinking. </p><p>Congratulations to the 2018 Emerging Leaders!</p>Anne Millage0
Skills for New Practitionershttps://iaonline.theiia.org/2018/Pages/Skills-for-New-Practitioners.aspxSkills for New Practitioners<p>​For today's organizations, it's a sink or swim world. Leaders must keep up with the rapid pace at which their industry is evolving or risk losing out to competitors. Inevitably, this pressure is felt by employees, including internal audit staff — auditors who fail to add value or meet expected standards could easily be seen as expendable.​</p><p>In this climate, having the right skills is more important than ever. But which skills are the most important? Especially for those newer to the audit profession, this can be a difficult question to answer. To help shed light on the topic, we recently asked IIA Vice President of Training and Development Lisa Hirtzinger to share her thoughts on areas of competency entry-level auditors should possess. ​</p><h3>What do you think are the most important success factors for new internal auditors?</h3><p>Knowledge from The IIA's International Professional Practices Framework (IPPF) <em>is key</em>. The IPPF is a wealth of information beyond the <em>International Standards for the Professional Practice of Internal Auditing</em>. It encompasses tools and resources to help implement the <em>Standards</em> (Implementation Guidance) and other tools to leverage regarding how to approach an internal audit of specific topics (Practice Guides/Global Technology Audit Guides (GTAGs)).</p><p>In addition, critical thinking, data analytics, and communication skills are often highlighted as success factors for internal auditors. ​</p><h3>What are the key technology skills for new (non-IT) auditors?</h3><p>Every internal auditor needs to understand technology risk. You don't have to be an expert on the latest technology, or a systems auditor, but you do need to constantly be aware of new technologies and risks; and how almost every process has a technology component or interdependency. </p><p>Perhaps the key skill is to not shy away from technology, but rather embrace it and the information available to break it down for you (knowledge briefs, articles, GTAGs, etc.) ​</p><h3>How important is industry-specific knowledge for new auditors?</h3><p>It depends on your career path; first focus on the fundamentals. Then build on your skills whether industry, technical, or leadership (or a combination). </p><p>It may also depend whether you started your career in internal auditing, or whether you are joining the profession from operations/service. Either way, industry-specific knowledge is critical to enhancing organizational value via your internal audit role. ​</p><h3>How would you weight the importance of soft skills compared to technical skills?</h3><p>Equal – technical is required to be a great internal auditor; and then soft skills make you successful in the environment you operate within (partnering with peers, teaming with co-workers, communicating with stakeholders).​</p><h3>Given the rapid changes in business and technology, how often do you think new practitioners should be updating their skills?</h3><p>Always and continuously. Part of being a great internal auditor is being curious and leveraging resources. You can invest as little or as much time as you have, or as the challenge ahead calls for; but do try to invest time for yourself, for your career development, and for the collective skill level on the internal audit team. There are so many tools and resources available to take advantage of — the important thing is to set aside time to leverage resources before an audit, share what you know with peers during an audit, and apply what you learned to the next audit. </p><p>This leads me to another great factor about our profession, which is knowledge sharing. Don't be afraid to ask others for ideas and input — oftentimes rewarding and engaging conversations follow.   ​</p><h3>Are recent graduates expected to have some training before they're hired, or is it assumed most or all learning will occur once they start the job?</h3><p>Internal auditing is such an exciting opportunity and career because of the wide exposure we have within organizations. Many organizations have wonderful onboarding and/or internship programs.</p><p>At the end of the day, required experience depends on the organization, but more often than not internal audit functions are looking for talent with competencies such as process improvement and root cause analysis. They're also seeking change agents, critical thinkers, and good communicators, as well as those without fear of technology.​</p><p>If you really want to set yourself ahead of the competition, consider preparing for the Certified Internal Auditor (CIA) exam, which assesses the skills foundational to the profession.</p><h3>For those entering the profession from other fields, what types of competencies are generally sought after?</h3><p>Industry knowledge, business acumen, process improvement, risk management, lifelong learning, and a willingness to pair that knowledge with internal audit processes.​</p><h3>How important do you think an understanding of the business is for new practitioners?</h3><p>Absolutely critical, and yet don't expect yourself to understand it all the first day, week, month, or year. At a minimum, ask questions about your organization's strategic plan and objectives so you can always link the audit you are working on to the bigger picture.</p><p>Each audit provides an opportunity to learn more, connect more dots, meet new people at the organization, benchmark compared to other organizations, and find additional information and resources. The key is to be open to always adding to your knowledge and be able to apply that specifically to your organization in order to enhance value. ​</p><h3>For new auditors who aspire to higher level positions, what is the best way to start moving up the ladder?</h3><p>One way to get started is to show initiative, whether by taking on additional roles, or being open to learning and feedback. In addition, I would recommend getting certified, as it lends credibility that you've been assessed on your competencies and are maintaining the designation/knowledge. ​</p><h3>Is there a rule of thumb you'd advise for the amount of time new practitioners should devote to professional development?</h3><p>The rule of thumb is simply to do just that: devote time to professional development — you determine how much and what type. It is not about achieving or limiting yourself to a specific number of CPE credits; rather it is about your career path and growing your skills and value. Continuous knowledge is critical to your success as an internal auditor. We live in a rapid pace of change, and our knowledge needs to keep up to ensure we are delivering value in real-time.</p><p>There are many ways to gain skills, whether by networking, taking advantage of knowledge resources, finding a mentor, attending professional development opportunities (online or in person), etc. The important thing is to set a goal and have a plan. It can be as simple as ensuring you read two new articles that spark ideas each week (one technical and one soft skill), or as rigorous as preparing for the CIA exam. The opportunities are endless, but failure to focus on professional development will leave you behind your peers.</p>Staff1
Producing Quality Audit Reportshttps://iaonline.theiia.org/2018/Pages/Producing-Quality-Audit-Reports.aspxProducing Quality Audit Reports<p>​The audit report represents the end result of weeks of reviews, analyses, interviews, and discussions. It provides important information to audit clients about the area reviewed by internal audit. More importantly, it provides details to management about significant issues that need to be addressed. How well internal auditors communicate that information is critical to getting their client’s acceptance of findings and their agreement with audit recommendations. </p><p>Quality reports require thought and effort. Auditors should consider who will read the report, what they will do with it, what level of detail is necessary, what the organization’s culture and norms call for, and if industry-specific language is necessary. IIA Standard 2420: Quality of Communication says communications should be accurate, objective, clear, concise, constructive, complete, and timely.</p><h2>Accuracy</h2><p>Inaccurate information could adversely impact the credibility of the entire audit report, so accuracy is critical. All of the numbers should be correct, the information should be factual, and documentation verifiable. There may be disagreement on what the numbers or facts mean, but there should never be an argument about their accuracy. </p><p>Accuracy is enhanced by appropriate supervision of the audit engagement. The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> requires adequate supervision of engagements, and part of that includes verification of numbers and facts. Accurate and precise information lessens the chance of a misunderstanding.</p><h2>Objectivity</h2><p>Objectivity is the second most important quality behind accuracy. If readers feel that the report is not objective, it could undermine the confidence they have in the report. And while the report may be objective, the subtle use and placement of certain words can appear to show bias. This can be crucial to whether the reader accepts the auditor’s conclusions and recommendations. </p><p>Objective words are precise. They speak to the facts and can be supported by evidence. Biased words are subject to generalization and distortion of information. For example, the statement, “Very confidential files were just stuck in a drawer where anyone could get to them,” is biased and opinionated. A more objective statement would be, “Confidential files were stored in an unsecure drawer to which unauthorized personnel had access.”</p><p>Reports must be clear enough for readers to understand without having to refer to anything else. Language should include precise modifiers and clear technical terms.</p><p> <strong>Precise Modifiers</strong> A modifier is a word or phrase that alters the meaning of another word. Generally, the modifying word should be as close as possible to the word it is modifying. Otherwise, the modifying word could attach itself to a word that was not intended to be modified. This can subtly alter the meaning of the sentence or make it ambiguous. </p><p>For example, see how the placement of the word almost changes the meaning of the sentence: “The plane almost failed every inspection” vs. “The plane failed almost every inspection.” The first sentence leads readers to believe that the plane passed every inspection, whereas the second sentence indicates that the plane rarely passed any inspection.</p><p> <strong>Clear Technical Terms</strong> Auditors should consider spelling out acronyms, replacing technical terms with nontechnical words, and embedding definitions within the sentence. For example, “The audit department uses the COSO framework, a comprehensive list of controls, as a standard for controls and risks.”</p><h2>Conciseness</h2><p>Readers always appreciate conciseness, but it should not mean cutting down on information. It means using fewer words to convey the same information. Some things that impact conciseness include drawn-out verbs, overstated language, and redundant modifiers.</p><p>Drawn-out verbs turn verbs into noun phrases. They often, but not always, contain a noun with the “tion” ending and require a preposition. In most cases, the phrase can be replaced with one word. For example, “Make a determination of …” can be replaced with the word “Determine.” And “Perform a verification of …” can be replaced with “Verify.” Replacing the words conveys the same information with fewer words. </p><p>Overstated language uses longer, more complicated words where simpler, shorter words will do. For example, “Due to the fact …” can be replaced with “Because.” And “In order to …” can be replaced with “To.” Again, this doesn’t detract from the information. </p><p>Redundant modifiers turn a simple adjective into a long phrase. For example, the phrase, “In the month of May …” can be replaced with the words “In May ….” And the phrase, “On a daily basis …” can be replaced with “Daily.” </p><h2>Constructiveness</h2><p>Constructiveness primarily refers to the audit recommendations, which should give audit clients information to correct the current problem and also address the root cause so as to mitigate future occurrences. For example, departmental procedures call for inventory to be reconciled monthly. The audit determined that there were three months that did not get reconciled, and the manager explained that the person who normally does it was on sick leave and had no backup. In the audit report, the recommendations read:</p><p> <span class="ms-rteStyle-BQ">“The inventory manager should review the three months of inventory to ensure its accuracy. Further, the manager should cross-train another person in the department to serve as a substitute when the primary person cannot reconcile the inventory account.”</span></p><p>The recommendation addresses the three months that were not reconciled, the root cause, and cross-training another employee to ensure this does not happen again. </p><p>Giving management information to correct the problem and keep it from happening again adds to the quality of the report and shows how audit adds value to the organization.</p><h2>Completeness</h2><p>Everything the reader needs to make an informed decision should be included in the report, and no significant information should be left out. The auditor must not omit valid information because it does not support his or her points. Present all the facts and allow the reader to decide.</p><p>Standard 2410 states, “Communications must include the engagement’s objective, scope, and results.” So, the report is not complete without the reason for the audit, the final conclusion based on the evidence reviewed, and the amount of evidence reviewed to come up with the conclusion.</p><h2>Timeliness</h2><p>Auditors should complete and issue reports as soon as possible to give the audit client a chance to address the issues timely. Timeliness may vary based on things like the audit resources needed to complete the audit, the complexity and significance of the audit, the report review process, and other factors. </p><p>If serious issues need to be communicated before the report is completed — such as customer or employee safety or significant loss of assets — the auditor should immediately issue an interim report or memo to allow the client the opportunity to address the problems as soon as possible. The interim report or memo can be referenced in the final report.</p><h2>Valued Reports</h2><p>An audit report must be accurate and objective; flexible enough to communicate sometimes complex information to various levels of people; and able to withstand the scrutiny of peer reviews and other assessments, depending on the industry. A quality audit report aids audit clients in making informed decisions, so taking the time and effort to put it together benefits the audit client and auditor. </p>Jonnie T. Keith1
When the Wheels Come Off an Internal Audit, the Culprit Is Usually Poor Planninghttps://iaonline.theiia.org/blogs/chambers/2018/Pages/When-the-Wheels-Come-Off-an-Internal-Audit-the-Culprit-Is-Usually-Poor-Planning.aspxWhen the Wheels Come Off an Internal Audit, the Culprit Is Usually Poor Planning<p></p><p><img src="/2018/PublishingImages/Truck%20with%20wheel%20coming%20off.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />In my role as president and CEO of The IIA, I meet and converse with internal auditors around the world. It's gratifying to hear abou​t their successes, and important to learn about their challenges. In this week's blog post, I want to share with you some of the things I've heard when internal audits go bad. My hope is that, by talking about our mistakes, we can correct our course and prevent future problems. </p><p>In general, most issues that arise when the wheels come off during internal audits stem from a single root cause: inadequate engagement planning. It can be tempting to cut engagement planning short, especially when we're still trying to wrap up the last audit. But when we resort to shortcuts, the results can be disastrous. In the words of Benjamin Franklin, "By failing to prepare, you are preparing to fail." </p><p>Here are just a few examples of how things can go south when internal auditors fail to adequately plan:</p><ul><li>I recently heard about an internal audit that got off to a disastrous start simply because the auditors didn't explain to the client during the planning phase why they were coming and what they hoped to accomplish. To be sure, they had intended to detail the audit objectives and process at the beginning of fieldwork, but before they could do so at the kickoff meeting, their nervous new client was already in a defensive meltdown mode.  <br></li><li>Another internal audit department was proud that it gave clients plenty of notice about upcoming engagements – six full months ahead of time, in fact, when the annual plan was approved. But when the team flew in for fieldwork in Europe, the client wasn't there. Once again, the problem turned out to be poor communications during the audit planning stage. The engagement supervisor failed to check back with the client in the weeks immediately before the audit, and the client simply forgot about the upcoming engagement.  <br></li></ul><ul><li>Last year, I heard about an internal auditor who reviewed the results of a previous internal audit during the planning phase, but did not consider the work of other assurance providers. Testing was well under way when the exasperated client pointed out that the compliance department and regulators had both reviewed the exact same things a month earlier — and that neither had noted any problems. Naturally, there were some red faces in the internal audit department.<br></li><li>If you've stayed at a hotel two hours away from your client's location because you postponed making reservations until nearby hotels had no vacancies, you're not alone. If you've ever spent a weekend driving to a distant audit location because you waited a little too long to reserve a flight, you're not alone in that, either. "Didn't anybody arrange for a rental car?" "Wasn't somebody supposed to reserve a conference room?" "When do you think we can get access to the system?" I often hear of logistics problems that could be avoided simply by starting planning a little earlier and by using a checklist to help ensure details are not overlooked.</li><li>The most common "rookie" planning mistake is simply failing to ask for advice or help when it is needed. I have known several internal auditors who tried to go it alone when they did not have the knowledge or skills necessary to perform parts of an engagement. I have known others who tried to avoid the problem by eliminating audit procedures that should have been performed. Both approaches can lead to poor outcomes, yet a simple conversation with a supervisor might have solved the problem easily. For example, a new internal auditor might have been partnered with someone who knew more about the organization, an auditor reassigned to make better use of his or her individual knowledge and skills, or training might have been available. </li><li>Two internal auditors on one of my teams once found evidence of significant problems in a process under review. After weeks of testing, they shared their results with the client. The client told them that he was aware of the issue, which was why a decision had been made several months earlier to discontinue the process. New equipment was already on order. If, during the planning phase, the auditors had inquired about operations that might be changing in the future, they could have saved themselves weeks of work.</li><li>Another team of internal auditors did not learn until the start of fieldwork that a new technology had already been implemented. Unfortunately, the assigned auditors were not qualified to review the new technology, so they canceled the engagement and rescheduled an audit for the following year. But the worst was yet to come: Due to a staffing change, nobody told the next year's engagement supervisor about the canceled audit. Once again, audit planning was minimal; once again, the wrong auditors were assigned to the review; and once again, the audit had to be canceled ​after it had begun. I'm told that the client's reaction was "memorable."<br></li></ul><p>Each of these situations reflected poorly on internal audit, frustrated the internal auditors and the clients, and illustrated the type of inefficiency and ineffectiveness that internal auditors are supposed to prevent, not foster. But, in some cases, we may not be aware of the extent to which poor audit planning damages our reputation and our ability to add value.</p><p>One of the senior staff members in The IIA's Quality Services department recalled an internal audit function that did not include a planning phase in its audit engagements. The internal auditors had used the same work programs for years, basically repeating the same audits over and over with little client interaction. The internal auditors were good at staying on schedule, but because their audit reports always read the same, they did not address specific client concerns. So, most of the findings involved relatively minor errors or oversights. The outcome? The clients had a very low opinion of the internal audit function and stated that they did not believe it added value. </p><p>Audit planning is an investment, but it is an investment that can pay big dividends in terms of improved credibility and relationships with our stakeholders. It is also our best opportunity for improving audit effectiveness. That's why world-class internal audit functions plan, plan – and then plan some more.</p><p>These are just a few of the things that can go wrong when internal audits are not properly planned. I'm sure you have other examples. Keeping in mind that The IIA's motto is "Progress Through Sharing," I'd welcome your comments.</p>Richard Chambers0

  • Gleim_Nov 2018_Premium 1
  • Temple_ITACS_Nov 2018_Premium 2