Practices

 

 

Fighting the Same Old Battleshttps://iaonline.theiia.org/2021/Pages/Fighting-the-Same-Old-Battles.aspxFighting the Same Old Battles<p>​In the book <em>Writing Down the Bones</em>, author Natalie Goldberg tells a story about motivational speaker Tony Robbins. A client he had worked with multiple times consistently haggled over price, schedule, etc. He decided it was time to change the dynamics. As they sat in the 10th-floor executive suite, the client began the battle once again. Robbins reached into his thousand-dollar suit, pulled out a water pistol, and began shooting it at the client. The executive was startled, but quickly understood the message. “We’ve been here before. Why are we wasting our time?” He laughed and signed the contract.</p><p>How often have you sat in the same room having the same discussion with the same clients? How often have you quarreled over miniscule points, debated the choice of individual words, and quibbled over insignificant corrective action details, repeating discussions you have had time and time again? </p><p>One cause for these repetitive conflicts is education. Do the audit clients understand the work we do? Do they understand how we reach our conclusions? Have we done enough to explain it to them? And have we pointed out they are repeatedly arguing the same points?</p><p>But auditors need to use these situations to better educate themselves, as well. At a past employer, it took our audit department just a few audits of branch claims offices to realize our debates with the regional claims manager occurred because he thought our sample sizes were inadequate. Were they too small? Probably. Was he asking for more than was necessary? Probably. But as soon as we provided the testing he was looking for, the debates were much shorter.</p><p>Still, we may need to shake things up sometimes — make the client realize we’ve been through all this before and that we can all save a little time by moving beyond the normal bickering and getting to what needs to be discussed. One client fought us tooth and nail on everything we reported, insisting on multiple meetings to hash out every report. Deciding it was time to upset the apple cart, I started the meeting by asking, “What will it take for me to get you to drive out of here with this audit report?” My verbal water pistol worked — the report was ready to be issued one hour later. </p><p>In all things we must challenge the status quo. But we may not realize how true this is when it comes to the daily give and take, conversations, and debates we have with our clients. Look for such instances and decide if one side or the other needs to be better educated. Or is it a case of falling into the same old patterns? To paraphrase Goldberg, step through the resistance right now and do something new, something surprising, and something great. And when you see yourself, your team, or the client falling into the same patterns, break out the squirt gun and shake things up. <br></p>Mike Jacka1
Courage as a Cornerstonehttps://iaonline.theiia.org/2021/Pages/Courage-as-a-Cornerstone.aspxCourage as a Cornerstone<p>​As past research has shown, and many practitioners can likely attest, audit findings that don’t meet clients’ approval can occasionally result in direct pressure to change the audit report. And in some cases, when resisting this pressure, auditors may even experience retaliation. Indeed, sometimes our work consists of much more than just following standards and writing reports. Political factors and unethical behavior create challenges that fall outside the normal realm of professional practice. Nonetheless, in every phase of the audit process — planning, performing, and communicating — auditors must have the courage to perform their work objectively and thoroughly, even in the face of fear and intimidation. </p><p>When planning, practitioners try to identify high-risk areas that could have the greatest impact on the organization’s ability to achieve its objectives. But often the most important areas are not immediately visible and consist of information entrusted to gatekeepers — usually management. Internal auditors must demonstrate the courage to examine these areas, even when clients may not want them to. At the same time, practitioners must not confuse courageousness with recklessness. An overly aggressive approach could lead to management and the board pushing back as well as increasing barriers to the information auditors need. </p><p>During the performance of audit engagements, practitioners could encounter numerous situations that call for professional courage. For example, in an organization with poor cultural practices, senior management might try to overpower or even bully auditors during information-gathering or attempt to conceal documents. Moreover, performing assessments may involve asking tough questions, which can be intimidating — especially when directed at those in power. These situations require internal auditors to show bravery, challenge the client, and pose questions no one else wants to ask.</p><p>Finally, when communicating results, especially to the board, practitioners need to report as objectively as possible. Communications must be measured and accurate to maintain credibility, and auditors need to avoid overstepping their bounds. Moreover, political savvy goes hand in hand with being courageous — as a quote often attributed to Winston Churchill states, “Courage is what it takes to stand up and speak; courage is also what it takes to sit down and listen.” A combination of assertiveness and diplomacy goes a long way toward achieving a successful outcome.</p><p>Perhaps Mark Twain said it best when he described courage as the foundation of integrity. For internal auditors, courage should be foundational to professional practice, along with objectivity, due professional care, and competency. We should always be willing to ask stakeholders demanding questions, stand for what is right, avoid falling prey to the pressure of others, and act for the benefit of the organization and society. Courage doesn’t mean you don’t feel afraid; it means you don’t let fear stop you. <br></p>Matej Drašček1
Emerging Leaders: Where Are They Now?https://iaonline.theiia.org/2021/Pages/Emerging-Leaders-Where-Are-They-Now.aspxEmerging Leaders: Where Are They Now?<p>​Internal audit is an exceptional destination profession. Rising through an organization’s departmental ranks toward a chief audit executive (CAE) post is rewarding and challenging, and the work is essential to the enterprise. At the same time, powerful evidence indicates that internal audit skills empower practitioners to answer even the most unexpected of opportunity’s knocks and excel in leadership posts far outside the traditional boundaries of the profession. Some of <em>Internal Auditor</em>’s past Emerging Leaders are climbing the ladder, some are at the top and exploring ways to expand their spheres of influence, and some use their internal audit skills in strikingly diverse careers.<br></p><h3>ELEVATING CREDIBILITY <br></h3><p>Thokozani Sihlangu is focused and ambitious. When he was named a 2020 Emerging Leader, he was senior audit manager, Quality Assurance, at Absa Group in Johannesburg. He took a job as senior audit manager with Standard Bank in December of that year, and is now head of Transactional Products and Services Audit. His role is at a strategic level, he says, allowing him to contribute to Group Internal Audit’s strategy formulation — and then customize a strategy for the business unit he leads and execute against that strategic direction.</p><p>Sihlangu heads a team of business auditors and data scientists, reporting key audit insights, material audit items, and audit themes to governance committees. Leading it well demands that he maintain excellent relationships with key executive stakeholders, too. His team also provides traditional audit assurance against the audit plan and modern modes of assurance in the form of strategic technology project assurance and data-led audit reviews. </p><p>As such, Sihlangu’s long-term career plans haven’t changed, and are right on track. “I am proud that I managed to achieve most of the plans I had for myself when I was in university, which was to attain an MBA and be head of an audit unit before age 35,” he says. “Being an Emerging Leaders honoree was a dream come true, and it has elevated my credibility in the profession.” <br></p><h3>EXPANDING RESPONSIBILITIES<br></h3><p>Nora Kelani, a 2017 Emerging Leaders honoree, has, as she puts it, “reached the top of the internal audit ladder” at her firm, so now she’s focused on expanding her responsibilities outside the traditional aspects of the profession. Indeed, the internal audit senior manager at Trust Holding–Nest Investments in Amman, Jordan, is working on a Certification in Risk Management Assurance and an MBA. After 2017, her position evolved, she notes, and now she reports directly to the board of directors of the holding company she works with. It owns and supports multiple insurance subsidiaries, a reinsurance company, a bank, and other large investments across Europe, the Middle East, and North Africa. </p><p>Kelani’s job involves working in, and traveling to, several of the company’s far-flung locations. She served on The IIA’s Global Advocacy Committee from 2018 to 2020 and this year was tapped to serve on The Institute’s Global Advocacy Advisory Council.</p><p>Expanding her scope has enabled Kelani to provide a variety of consultancy and advisory services — risk management, governance, information and communications technology, operations, and general business consultancy — to numerous stakeholders in different industries. That capability, she says, proves to her that internal auditors add value in advisory and consultancy functions just as much as in traditional audit tasks. “My career has flourished both vertically and horizontally just as I’d hoped it would and has exceeded my aspirations at certain points,” she says. Moving forward, she wants to seek positions where she empowers others, advocates for governance and internal controls, influences strategies, and participates in setting the vision of the organization.</p><h3>IMPLEMENTING CHANGE<br></h3><p>Derrick Li began his career in internal audit at a large accounting firm before signing on with Vancouver’s South Coast British Columbia Transportation Authority (TransLink) for his next career rung, a post as manager, Enterprise Risk and Capital, at subsidiary Coast Mountain Bus Co. (CMBC). Next, he was division manager, Business and Advisory Services, at Metro Vancouver, a separate entity. Li then moved to TransLink headquarters as director, Internal Audit and Performance Improvement. He was there when he received an Emerging Leaders honor in 2014. </p><p>Li then moved to a role as executive director, Finance and Corporate Services, at CMBC in 2018. Two years later, he jumped to his current job as chief operating officer (COO) at Lawson Lundell LLP, a large Vancouver law firm. He oversees business, administrative, and financial operations, and serves on the executive committee, focusing on the firm’s growth strategy and execution. “My career has far exceeded my expectations,” Li says. “Making the transition from CAE to an executive was always in the back of my mind, but I didn’t think I would transition this early in my career.” </p><p>He adds, “I can honestly say that I wouldn’t be where I am in my career without the tremendous experience I gained as an internal auditor.” In his last role at CMBC, he served additionally as chief financial officer (CFO) and corporate secretary, so he had the chance to interact with internal audit regularly — as an audit client and as part of quarterly internal audit/board interactions. That expanded his perspective: “Internal auditors have a unique opportunity to learn every facet of an organization,” Li says. “They can do a lot more, whether moving onto the management side of things or proactively providing advisory services to management.”</p><p>Li says he especially appreciated the variety and scope of his work as an internal auditor. “Every hour of your day could be spent on a different topic and dealing with all levels of an organization,” he says. As COO of a law firm, that’s still true, he adds — and now he can implement change directly. <br></p><h3>SPRINGBOARD TO PARTNER</h3><p>Joseph Harrington has moved from a staff position to partnership at PricewaterhouseCoopers (PwC) since his 2014 Emerging Leaders honor and from providing outsourced internal audit services to heading up artificial intelligence (AI)-related activities. As a principal at PwC Labs in New York, he says, his career has become more technical than anticipated, so his approach is a bit different. “It’s more about how I can leverage technology the best way possible, versus what I know myself and can teach to my team,” he says. </p><p>He’s a co-leader in his new post, providing AI and machine learning capabilities to help internal teams deliver services — including audit services — to clients more efficiently and to help clients that use PwC technology to accelerate internal processes on their own. Harrington likes helping clients embed security and control by design. </p><p>Using machines presents risks, but they don’t tire or have bad days, he explains. Rather, “they provide consistency, which is difficult to measure when it’s just humans performing vouching or tracing.” And while some biases are unique to machine learning models, he adds, his team can help control for them with an approach that includes humans and technology. “It’s not about a person versus a machine,” he says. “It’s about a person versus a person with a machine.” The latter is more efficient. For example, full population testing — not just sampling — is only possible using machines to kick out anomalies for a person to substantiate or refute.</p><p>Harrington joined PwC from a small boutique consulting and internal audit firm, where he provided outsourced internal audit services to banks and credit unions. At PwC, he initially worked in a risk and compliance analytics group that primarily provided U.S. Bank Secrecy Act and anti-money-laundering analytics. </p><p>But his career quickly pivoted when the Financial Accounting Standards Board announced not-yet-effective lease-related standards updates in 2018. “When that occurred, I worked with another partner at PwC to build out a natural language processing platform to help read and understand lease documents for our clients, helping them save time and money on properly recording them on financial statements,” Harrington says. That change was a springboard to his PwC partnership offer in 2019. </p><h3>LEVERAGING INTERNAL AUDIT KNOWLEDGE<br></h3><p>Since her 2013 Emerging Leaders honor, Kayla Carter has moved from providing internal audit services to external clients to an internal role focused on driving digital transformation — and from Kansas City to San Francisco. Now senior director, Business Process and Technology, at Protiviti, Carter supports the executive team in executing the firm’s global internal digitalization and business transformation strategy, including streamlining processes across all areas of the worldwide enterprise. She’s responsible for organizational change management for the executives’ initiatives, project governance, and ongoing support of production environments.</p><p>“My job is challenging, but in a good way,” Carter says, adding that she enjoys working with colleagues across the globe to make day-to-day tasks easier and reporting and analytics better. Her job is different these days, she notes, but she leverages the knowledge she gained from internal audit every day. “My goal is to help improve and streamline the same business processes I used to audit,” she says. “There is always room to improve and make things better.”</p><h3>MAKING ORGANIZATIONS STRONGER<br></h3><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Embracing Leadership Individually<br><br></strong><p>The Emerging Leaders honor means something different to each person who receives it, just as leadership itself is a personal trait that each individual understands and expresses in a unique way. Some base it on their daily tasks; leaders lead, in other words. Carter says she feels like a leader because she formerly led teams on internal audit client engagements and now helps lead her company through its transformation journey. Sihlangu leads a team of seven in his job and recently joined the IIA–South Africa Chapter’s board of directors.</p><p>Others grapple with the nuances of what it means to lead, though; moreover, their examples show that the traits that make a leader may be lasting, but confidence in expressing them may come and go. Harrington didn’t feel like a leader at the time of his honor because he was one of many performing traditional internal audit services. Now, though, he’s filed two patents and helped lead a global team of 300 professionals, many of them deep technologists. “It’s in that pivot to exploiting technology that I now feel like a leader in my profession,” he says; indeed, he’s “one of the world’s leading experts on leveraging data science to deliver business value.”</p><p>Li says he felt like a leader seven years ago as CAE, when he managed the internal audit group and was a leader in his local professional community. But being an executive is quite different, he finds. “There is more of a spokesperson or brand ambassador component that I didn’t realize,” he notes. Zitting says he felt like a leader in 2013, but isn’t sure he does anymore, even though his leadership responsibility is bigger. “I find that the further my career advances, and the closer to the top of an organization I get, the easier it becomes to doubt my own leadership or believe I am not good enough,” he says. “I’m sure that feeling only makes us stronger as leaders.” <br></p></td></tr></tbody></table><p>Dan Zitting, a 2013 Emerging Leaders honoree, is now CEO at Vancouver’s Galvanize — recently acquired by Diligent Corp. — and he says he believes in internal audit as much as ever. “From the minute I started building technology for use in audit, risk, and compliance rather than focusing on being a practitioner, I was in love,” he says. “I am exactly where I would like to be, running a technology business focused on making organizations stronger through technology.” </p><p>Zitting started his career at EY in Denver providing internal audit, risk analytics, and U.S. Sarbanes-Oxley Act of 2002 compliance services, then co-founded and helped run Linford & Co. LLC, a New York IT risk advisory professional services firm. In 2010, he founded New York’s <a href="http://workpapers.com/" rel="nofollow" data-feathr-click-track="true">Workpapers.com</a>, a software-as-a-service internal audit and compliance management platform that was acquired by the company that became Galvanize. </p><p>“Organizations are waking up to realize that their purpose is every bit as important to today’s employees, customers, and investors as their profits,” Zitting stresses. “We should build people, processes, and technology that are as strong in measuring and managing strategy and governance as in managing financial results.” He has never wavered in his belief, he adds, that internal audit has the most responsibility of any part of an organization for building and overseeing those capabilities. <br></p><h3>A BRIDGE TO BROADER HORIZONS<br></h3><p>Hui Jing, a senior finance manager at HP Inc. in Singapore, extols the benefits of using internal audit experience as a bridge to broadening professional horizons. “I would have never imagined having the opportunity to move across so many different roles and, best of all, to leverage my previous experience in risk, controls, and governance the way I do today,” she says.</p><p>When Jing was an Emerging Leaders honoree in 2013, she was an internal audit lead at HP, where she’s since taken on multiple roles in finance — implementing accounting and governance frameworks for new business models, managing unprecedented foreign exchange market volatility, driving profitable business growth, and guiding investment decisions. Now the Greater Asia senior finance manager, she’s responsible for the financial performance of developed and emerging markets in the region.</p><p>“Effective data analytics and an increasing reliance on IT systems and controls will shape the future of internal audit,” Jing says. “A great example is the focus many audit functions have today on data analytics and digital transformation.” Because business dynamics evolve so rapidly, she adds, internal audit plays an important role both in preempting business, financial, IT system, and compliance risks and in helping shape the organization’s responses to those that emerge.</p><h3>A RISK GO-TO PERSON <br></h3><p>“Having seen many people come and go, I would say that internal audit is not everyone’s calling,” Jing says. “But having personally embarked on this journey, I feel it is a great way to be exposed to different businesses, processes, and systems.” The profession demands thinking with an open mind and making assessments objectively, systematically, and logically, she adds. Success, she stresses, comes from being viewed by stakeholders as a trusted partner and a go-to person on all matters involving risk.</p><p>“I believe a leader should be ambitious, yet authentic and influential, to take other people along on his or her vision and strategy,” Jing says, emphasizing her company’s talent development program and the benefits she’s received from it. “They enabled me to grow from a young talent into the leader that I am today,” she says. Acknowledgment from The IIA doesn’t hurt. “Being an Emerging Leaders honoree indeed opened my eyes,” Kelani says. “While I avoided acknowledging my leadership traits before, perhaps as a way to champion humility, today I totally embrace being a leader with all my heart.”</p><p>The key, she adds, is understanding that leadership is a responsibility, and not just more stripes on a uniform or certifications after a name. It comes from inside and must be wielded wisely to be wielded well.  <br></p>Russell A. Jackson1
CEO Message: Recruiting the Best for Internal Audit's Futurehttps://iaonline.theiia.org/2021/Pages/CEO-Message-Recruiting-the-Best-for-Internal-Audits-Future.aspxCEO Message: Recruiting the Best for Internal Audit's Future<p>​Since 2013, <em>Internal Auditor</em> magazine has been showcasing emerging leaders in the profession. Those chosen for this distinction each year are the 30-and-under trailblazers who are shaping and growing the profession through innovation, technology skills, ingenuity, and hard work.</p><p>The IIA’s celebration of youthful talent in the profession could be short-lived without a thoughtful approach to recruiting and serving the needs and expectations of even younger potential members. </p><p>The IIA’s Internal Audit Education Partnership program supports development of internal audit curricula at participating colleges and universities. The program helps ensure graduates have the skills to conduct basic internal audits and prepares them to achieve the Certified Internal Auditor designation. However, it is not designed to inspire young people to become internal auditors.</p><p>The changing dynamics of modern business demand that we do more. Change is occurring at lightning speed, and disruption driven by technology is part of the new normal. The next generation of internal auditors must possess innately agile, curious, and innovative minds, and encouraging young people who exhibit such drive to consider a career in internal auditing begins at the high school level. The IIA’s new strategic plan speaks directly to addressing this.</p><p>Data from the 2020 Career Interest Survey by the National Society of High School Scholars suggest we have some work to do. It finds medicine and health-related careers (37%) the top choice of the more than 14,000 respondents. Another 17% chose business/corporate as an expected career path, which tied for second with sciences and biology/biotechnology. More traditional career paths for internal auditors — accounting/tax and finance/fintech — ranked considerably lower at 4%.</p><p>In the coming months, we will explore new and creative ways to reach Generation Z and will develop strategies, tactics, and resources to address our opportunity as a profession. This must include supporting diversity, equity, and inclusion (DEI) efforts at all levels. I’ve noted before that beyond being the right thing to do, supporting DEI is as much a business decision as an ethical one.</p><p>With the guidance and support of our North American chapters and affiliates around the world, we hope to soon reach out to high school guidance counselors or their equivalents to boost knowledge of the profession, dispel negative stereotypes, and encourage the best and brightest to consider internal auditing as a career.</p><p>As you read about the impressive group of emerging leaders featured in this issue, I hope you’ll join me in seeking new ways to mentor and nurture the next generation. The IIA understands this begins at the local level, and we will work diligently with our members to build a pipeline of future-ready auditors.<br></p>Anthony Pugliese0
Editor's Note: Standouts Amid Crisishttps://iaonline.theiia.org/2021/Pages/Editors-Note-Standouts-Amid-Crisis.aspxEditor's Note: Standouts Amid Crisis<p>​At a time when there’s not a lot of good news in the world to report, we are very excited to be able to do just that by introducing <em>Internal Auditor</em> magazine’s 2021 Emerging Leaders. </p><p>As we’re all well aware, working during a worldwide pandemic has introduced a host of new challenges for internal auditors, including remote work, travel restrictions, and communication issues, not to mention helping their organizations form COVID-19 response plans. This year’s Emerging Leaders have been required to address these and many other issues while continuing to add value in their daily work. And, as you will read in “<a href="/2021/Pages/Emerging-Leaders-2021.aspx" data-feathr-click-track="true">Emerging Leaders: 2021</a>,” they have done just that. </p><p>As Bill Mulcahy, longtime practitioner and IIA volunteer, explained in his nomination of honoree Christy Beers, “She handled the ultimate audit double dip — a large company merger while managing the changes that come with remote work during the pandemic.” Bill, who sadly passed away earlier this year, was one of Christy’s biggest advocates. “I’m grateful for having known him,” she told us. “I wouldn’t be where I am today without his mentorship.”</p><p>Bill was also a big advocate of <em>Internal Auditor</em>’s Emerging Leaders, nominating a young professional each year. Whenever one of his nominees was chosen, Bill would be sure to take out a full-page ad to congratulate him or her. We will greatly miss his dedication to, and enthusiasm for, advancing the next generation of internal auditors. </p><p>Bill’s 2021 nomination is one of 15 Emerging Leaders who hail from across the U.S. and five additional countries — The Bahamas, Canada, Ghana, United Arab Emirates, and Vietnam. Five men and 10 women from a variety of industries and backgrounds share their stories of success. From using virtual meetings and telehealth systems for virtual walk-throughs, to creating a collaborative onboarding portal and team intranet site, to creating new opportunities to be agents of change during the pandemic, their stories are diverse and impressive. </p><p>And speaking of impressive, beginning on <a href="/2021/Pages/Emerging-Leaders-Where-Are-They-Now.aspx" data-feathr-click-track="true">page 41</a>, we check in with some of our past Emerging Leaders. Whether they continue to rise through the ranks of internal auditing or are using their audit experience to move into a new profession, many of our past Leaders, as expected, continue to excel in their chosen career paths. </p><p>Hear more from past and current Emerging Leaders about just what it takes to be a leader in a series of videos on <a href="/" data-feathr-click-track="true">InternalAuditor.org</a>. </p><p>Congratulations to our 2021 Emerging Leaders! You’ve persevered through a pandemic and are more prepared than ever to be leaders in your profession. <br></p>Anne Millage0
Emerging Leaders: 2021https://iaonline.theiia.org/2021/Pages/Emerging-Leaders-2021.aspxEmerging Leaders: 2021<p>​This year’s Emerging Leaders have been forged by a fire their predecessors could never have imagined — but one that will change, in profound ways, how the profession is practiced and how its practitioners fit into their organizations’ strategic planning and operations efforts. Some of the professionals profiled here did their part by masking, distancing, and working from home. Others participated along with top executives in plotting their companies’ responses to COVID-19 and in assessing the effectiveness of chosen interventions; now they’re making sure they all continue as planned. Their careers, all of the Emerging Leaders agree, will involve more geographic flexibility, smoother access to decision-makers, and in many cases, greater focus on the soft skills required for integration into more and more aspects of their organizations. They also will include greater attention to the technology that’s changing practitioners’ connectivity and revolutionizing internal audit processes. Even in a work-from-home environment, 2021’s Emerging Leaders led and assisted in remarkable reconfigurations of their organizations’ information technologies to improve the accuracy and stakeholder understanding of their audit results. They also led and assisted in massive individual audit projects to assess company leadership, switch to new audit tools, and integrate an acquisition’s audit processes. In other words, they did what internal audit leaders usually do — even though they had to do it from afar.<br></p><h3> <img src="/2021/PublishingImages/Leonardo-Ferguson.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Leonardo Ferguson, CIA, CRMA</h3><p> <strong>30, Supervisor, Internal Audit </strong><br><strong>Colina Holdings Bahamas Ltd. </strong><br><strong>Nassau, Bahamas</strong><br></p><p>Leonardo Ferguson likes reporting results to audit clients better than he anticipated. “I began my professional career in public accounting, and my charted course did not include internal audit,” the Tuskegee University graduate says. Now Ferguson finds it rewarding to engage and collaborate directly with stakeholders and deliver reports that meet their expressed needs. Indeed, Ferguson says one aspect of the profession he would change is enhancing its collaboration with other assurance providers, both internal and external. “Primarily, we all have similar goals,” he says, “and by fostering synergies and aligning our focus, we can be even more impactful to the organization.” A key project Ferguson worked on involved assessing his company’s board as part of a governance, legal, and corporate audit engagement, reports his supervisor, Giorgina Duncanson-Thompson, chief group internal auditor at Colina Holdings. He designed procedures to assess the board’s composition, finding best practices through research that would benefit the company’s strategic plan and direction. The lesson, Ferguson says: “Our true value to the company doesn’t lie in performing tasks, but in understanding the overall objective and delivering recommendations that are well-received.” Duncanson-Thompson adds that in reviewing inactive and dormant accounts at the organization, Ferguson worked with management to develop system-enhanced solutions to reduce the need for manual intervention. “His work highlighted areas for improvement with regulatory reporting, and his recommended solution directly addressed management’s concerns,” Duncanson-Thompson says. Ferguson pays it forward by mentoring university students, and one notable mentee merged passions for information systems and internal audit after hearing about the rewarding career path the latter offers. The student is now a Certified Information Systems Auditor and looks to become a Certified Internal Auditor (CIA) as well. Ferguson also volunteers for #HashtagLunchbag, a charity that provides free meals to the community, and has worked on projects for the Bahamian conservation charity National Trust. In his free time, he focuses on landscape and event photography, travel, and quality time with family and friends.<br></p><h2> <img src="/2021/PublishingImages/Nicole-OBryant.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Nicole O'Bryant, CIA</h2><p> <strong>28, Consulting Manager, Internal Audit</strong><br><strong>Postlethwaite & Nettervile </strong> <br> <strong>Baton Rouge, La. </strong><br></p><p>Nicole O’Bryant had six months under her belt at her current company when COVID-19 forced everyone to work remotely. As the pandemic unfolded, says colleague Jude Viator, consulting associate director at Postlethwaite & Netterville, O’Bryant “saw an opportunity and took the initiative to request, obtain, and analyze team feedback to reimagine team connection points and ongoing meetings.” The Control and Risk team’s 30-plus members, scattered across multiple locations, had remained productive, he says, but connections were becoming stale. O’Bryant refocused the connection environment, Viator adds, leading to a highly successful new meeting format. “While working from home during the pandemic, our team members have strived to stay engaged with one another to maintain our positive firm culture,” O’Bryant says, “for each other and for new team members.” Long-term, she anticipates the need for practitioners to leverage technology even more extensively to facilitate client engagements and interaction. The challenge will be continuing to discover ways to connect beyond the video screen. “Connection will be key in delivering our continued value-added services to the organization,” she says. O’Bryant will be fostering additional connections, within the profession, in her role as vice president of programming at IIA–Baton Rouge; her work there facilitates engagement with other internal audit professionals, she notes, and helps her better understand “the challenges and strengths they encounter in their daily work.” That understanding has served O’Bryant well as she helps her company rethink local intern learning through a refresh of its summer internship program. Beyond the profession, O’Bryant volunteers with her college sorority, Chi Omega at Louisiana State University. Free time is spent with Jake and Theo — husband and goldendoodle, respectively — traveling to see relatives throughout Louisiana and Texas. Post-pandemic plans include a honeymoon on Italy’s Amalfi Coast.<br></p><h3> <img src="/2021/PublishingImages/Christy-Beers.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Christy Beers </h3><p> <strong>30, </strong><strong>Vice President, Audit Manager</strong><br><strong>Truist Financial Corp. </strong> <br> <strong>Atlanta</strong> </p><p>Christy Beers aced her first internal audit competition. Her student team won at IIA–Atlanta’s 2015 Internal Audit Case Competition — and she received her first internal audit job offer on the spot. She accepted and has been with the firm ever since. In 2019, notes colleague Megan Beeston Panella, IT audit manager, Business Advisory Services, at Rausch Advisory Services, and a 2019 Emerging Leader, Beers became the first Audit Case winner to later judge for the competition; this year, she chairs the chapter’s virtual, renamed 11th Annual Bill Mulcahy Auditing & Advisory Case Competition. She’s been involved with planning, panel discussions, and leadership for numerous chapter events, and in 2018 she received IIA–Atlanta’s Mulcahy Leadership Award. “Through my involvement in chapter activities, I’ve met mentors who have helped me achieve my career goals,” says Beers, who’s pursuing the CIA credential. Those mentoring lessons were tested by COVID-19, of course. “She handled the ultimate audit double dip — a large company merger while managing the changes that come with remote work during the pandemic,” said colleague and longtime IIA volunteer Bill Mulcahy, who sadly passed away in May. “She adapted her work style to make sure audit objectives were met.” Mulcahy, Beers comments, was one of her biggest advocates. “He saw potential in me that I didn’t even see,” she says. “I’m grateful for having known him. I wouldn’t be where I am today without his mentorship.” After office hours, Beers spends time outdoors and enjoys running, walking, and hiking. She’s also been dancing since she was 4: “It’s a great way to work out and be creative — and have fun in the process.”<br></p><h3> <img src="/2021/PublishingImages/Maureen-Cooper.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Maureen Cooper, CIA<br></h3><p> <strong>29, Senior Manager, Technology Audit</strong><br><strong>Protiviti</strong><br><strong>Dallas</strong><br></p><p>Maureen Cooper’s status as an Agile expert at her company began with a third party’s test run. “A client was starting on its Agile audit journey and asked us to partner on executing a couple of pilot audits,” the University of Oklahoma graduate says. The Agile approach emphasizes enhanced flexibility and greater engagement with stakeholders. In 2018, Cooper was tasked by executives with helping to develop “Next-gen Agile Audit” materials for the company, reports Andrew Struthers-Kennedy, a managing director at Protiviti. Cooper has since led external-facing webinars, conducted virtual and internal self-study training, and contributed to educational blog posts on the topic, Struthers-Kennedy says. “She regularly interviews clients on their Agile audit journeys to provide consulting advice tailored to their size, risk profile, and complexity,” he adds. As the company’s Next-gen Agile Audit practice has grown, Cooper has joined the project management office leadership team, including bringing in a junior colleague to mentor. More broadly, she focuses on technology audits and general controls and cybersecurity across financial services, consumer products, and manufacturing sectors. From April 2020 to March 2021, she helped lead a global strategic initiative to innovate control testing services using emerging technology and alternative delivery models. She and two colleagues defined, established, and piloted the company’s Control Testing & Innovation Center, leveraging a standardized approach to increase the effectiveness of 70-plus controls. At her previous Protiviti post, in Chicago, Cooper led a wide range of local community service activities, including toy and book drives, gift bag events, and sponsored activities in support of nonprofits. Spare time is spent with “a very busy toddler,” her husband, and their dog, Murphy. <br></p><h3> <img src="/2021/PublishingImages/Andrew-Goodman.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Andrew Goodman, CIA, CPA</h3><p> <strong>29, Manager, Medicare Compliance-Continuous Monitoring</strong><br><strong>CVS Health</strong><br><strong>Hartford, Conn.</strong><br></p><p>Andrew Goodman started his career in public accounting before transitioning into internal auditing. “I did not realize that I would be able to interact with senior business leaders almost immediately,” the Bentley University graduate says now of his audit work. “That’s an opportunity few other early-career roles provide.” After five years in the profession, Goodman recently transitioned again — this time to Medicare compliance. He stresses that the skills he developed in internal audit prepared him to take on the new role. His stint in the profession included innovating an approach to auditing Medicaid processes following the $69 billion 2018 merger of Aetna, where he started in 2016, and CVS Health, where he still is, and the integration of the two companies’ internal audit departments. He and his team reviewed Medicaid contracts and identified the controls in place to ensure compliance with specific contract requirements, explains colleague Alex Rusate, senior internal auditor at the New York Independent System Operator and a 2017 Emerging Leader. “Where any gaps existed, they identified those and worked with their business partners to agree on sufficient corrective action — an approach to Medicaid that the internal audit department had never taken before,” Rusate says. Goodman’s time in internal audit also included providing key support services as the COVID-19 threat began to grow, validating the effective implementation of some of the company’s pandemic-related policy changes. Long-term, he says, internal auditors will continue to become more adaptable as circumstances change due to the pandemic. And they will embrace “the new environment of working with colleagues and business partners remotely rather than in person.” <br></p><h3> <img src="/2021/PublishingImages/Than-Van-Nguyen.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Than Nguyen, CIA</h3><p> <strong>28, Internal Audit Manager</strong><br><strong>Masan Group</strong><br><strong>Ho Chi Minh City, Vietnam</strong><br></p><p>Than Nguyen sees the silver lining: COVID-19 has changed the business environment, he says; it has created unique challenges that demand “new ways of working.” But the pandemic has also offered opportunities to explore ways to provide more value to the organization as agents of change, he adds, by sharpening the profession’s focus on consulting activities that identify improvement options, embrace innovation, and contribute to sustainable growth. “The pandemic will accelerate internal audit’s transformation journey in Vietnam toward best practices that will improve efficiency and effectiveness,” he says. Nguyen has led numerous successful transformation projects for financial institution and corporation clients, says colleague Thao Tran, internal audit assistant manager at Yamaha Vietnam, who adds that the Academy of Finance Vietnam graduate always “takes into account the nature of each business to come up with the best practical solution.” He says Nguyen also actively seeks opportunities to be part of the global IIA community. Indeed, Nguyen was chosen to be an IIA Global Professional Knowledge Group member as a subject matter expert, Tran adds, “exposing him to many different views, opinions, and skills.” Colleague Phuong Tran, a lecturer at Professional Training and Consultancy Company Ltd., notes: “Of course, there is no specific recipe, but I think that he simply always tries to find better strategies — he works hard, reads a lot, and thinks carefully before he carries out any task.” Nguyen recently participated in the SeABank Run for the Future and the BBGV Charity Fun Run, both fundraisers. In his spare time, he networks with friends and colleagues, and enjoys reading, watching news, traveling, and hiking.<br></p><h3> <img src="/2021/PublishingImages/Jennifer-Anderson.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jennifer Anderson, CIA</h3><p> <strong>30, Senior Internal Auditor, International Ports & Terminals</strong><br><strong>DP World</strong><br><strong>United Arab Emirates</strong><br></p><p>Jennifer Anderson spends much of her time in the air. “I do a lot of aerial acrobatics, such as aerial silks, hoop, and trapeze,” the University of Glasgow graduate says of her free time. She has performed in circus shows and is now choreographing a routine for a virtual aerial competition. On the job, she’s in the air a lot too, spending about half of her time traveling internationally to audit DP World’s International Ports & Terminals portfolio. Her company specializes in cargo logistics and port terminal operations, and in one recent three-month spell, business took her to the U.K., Egypt, and Ukraine. When she’s on the ground, Anderson coordinates the Group Internal Audit flagship Guest Internal Auditor Program, which invites employees from all over the world to join the headquarters team on internal audits. Anderson also is helping establish Group Internal Audit’s Future Internal Auditor framework, an in-house development effort aimed at future-proofing the internal audit team, ensuring it stays relevant. And she enhanced her team’s capacity to deliver value by working with her company’s Human Capital department to develop an assessment tool enabling Group Internal Audit senior leaders to gauge their direct reports’ competencies and address any training needs. Moreover, the ground and the air are the focus of Anderson’s zeal for corporate sustainability — she incorporates elements of sustainability in all of her audit reports. “As auditors, we are in a valuable position to influence organizations to recognize the importance of environmental, social, and governance (ESG) elements,” she explains. Using audit practices and reports as a platform, Anderson notes, she can highlight those elements, which encourages the rest of the audit team to take ownership, too. “We can really enrich the operating environment with our unique perspective and capabilities — recognizing the importance of ESG elements is a crucial priority,” she says. Anderson also participates in the DP World Youth Council, which seeks to give youth a voice, empower them, and engage their thoughts. <br></p><h3> <img src="/2021/PublishingImages/Andrew-Sherman.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Andrew Sherman, CPA</h3><p> <strong>24, Advisory Senior Consultant, Assurance and Internal Audit</strong><br><strong>Deloitte & Touche LLP</strong><br><strong>Chicago</strong><br></p><p>Andrew Sherman’s dual degrees in accounting and business intelligence/data analytics provide an uncommon perspective on internal audit, risk advisories, and business scenarios. “He’s always challenging his core business background and traditional competencies with new concepts, tools, and methodologies in data analytics,” says co-worker Sarah Fedele, U.S. internal audit lead at Deloitte, “including statistical analysis, data visualization, Agile methodologies, and cybersecurity.” That’s part of the reason Sherman was promoted to his current post earlier this year, and he’s enthusiastic about the vantage point his role affords. “Internal audit provides an opportunity to interact with all levels of management across multiple functions,” he notes, “allowing me to identify and advise on issues that affect more than one function or process area.” He mentors new analysts on communicating with clients and team members in the remote virtual world, Fedele adds. Sherman says he hopes “internal auditors’ success at working remotely during the COVID-19 pandemic expands the talent pool of exceptional individuals who live and work outside more traditional commute ranges.” He also helped plan and design the Internal Audit Foundation’s Premier Research Study 2020: Assessing Competencies in Internal Audit. The Creighton University graduate, who’s pursuing the CIA credential, was “pivotal in extracting insights via data analysis and visualization and in writing the final research paper,” Fedele notes. The results aim to provide valuable and measured information that depicts competency across the profession in a meaningful way. Sherman ran the Chicago Marathon in 2019, fundraising for WorldVision’s global clean water-supplying efforts, and when local COVID-19 restrictions are lifted, he plans to get involved in local Endure2Cure cancer support programs. In his free time, he enjoys golfing, running, indoor rock climbing, and playing video games.<br></p><p> <img src="/2021/PublishingImages/Emerging-Leaders-2021-Judges.jpg" class="ms-rtePosition-4" alt="" style="margin:5px;width:700px;height:463px;" /> <br> </p><h3> <img src="/2021/PublishingImages/Mercedes-Washington.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Mercedes Washington, CIA, CFE CCSK</h3><p> <strong>30, Internal Audit, Auditor I</strong><br><strong>Nielsen</strong><br><strong>Oldsmar, Fla.</strong> <br></p><p>Before her career in auditing began, Mercedes Washington learned how her company works. Starting with a bachelor’s degree in business management, the University of South Florida graduate “gained firsthand understanding of the equipment and software applications that support the company’s global business,” reports Kevin Alvero, senior vice president, Internal Audit, Compliance, and Governance, at Nielsen. She was promoted to project manager, working with stakeholders on implementing new measurement technology. Now, Alvero notes, she audits technology projects for process quality and standards compliance. “I love the granularity of internal auditing,” Washington says. “I thought it would be difficult to grasp the ins and outs of a company so large, but it has furthered my love of being in the weeds. Delving deep into the organization to fully understand processes and detect possible risk points is right up my alley.” Alvero adds that Washington created a streamlined process for internal audit’s walk-throughs — a standardized, digital data collection method that “eliminates the need for multiple back-and-forth emails and follow-ups with external auditors.” He says she also uses leadership of her professional development and growth “community of practice” at Nielsen as a platform for sharing insights on the internal audit profession with peers in other departments, and she’s active in business resource groups that help sustain active Black leadership and promote diversity. Washington is also working on adding a CIA and an MBA after her name. In her free time, Washington enjoys Brazilian jiujitsu, tumbling, indoor rock climbing, and 5K runs, and says she can “spend hours visiting model homes for decorating ideas.”<br></p><h3> <img src="/2021/PublishingImages/Brooke-Schaefer.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Brooke Schaefer</h3><p> <strong>28, Audit Manager, Controlled Substance Expert and Opioid Rx Product Specialist</strong><br><strong>Crowe Healthcare Risk Consulting LLC</strong><br><strong>Clayton, Mo.</strong><br></p><p>Brooke Schaefer never saw herself fitting into a professional box. “Instead of working on a wide variety of audits in the health-care sector,” reports her career coach, Tamara Mattox, audit senior manager at Crowe LLP, “she helped develop a specialized controlled substance pharmacy team and is now a subject matter expert.” The specialty: investigating drug diversion, which the U.S. Council of State Governments calls “the deflection of prescription drugs from medical sources into the illegal market.” Schaefer, who’s pursuing the CIA credential, says she expected her work to be high stakes, but adds: “I never anticipated being in a position that allowed me to have such an impact on society.” Working with pharmacy clients revealed all the manual processes in place to mitigate opioid prescribing and diversion risks, Schaefer explains, so her team built software to eliminate them — it analyzes prescribing data and uses proprietary complex algorithms to identify even the savviest of attempted crooks. The project was Schaefer’s introduction to software programming. “Internal auditors can be disrupters in the industry,” the graduate of both Maryville University and William Woods University says. “It’s pretty remarkable what we have been able to accomplish.” She’s also part of what Mattox calls a small, select group of auditors on an internal professional growth team tasked with “looking outside the box for supporting individuals on their internal audit career paths.” When the pandemic started to take its toll, controlled substances projects no longer could include travel to client sites — but the internal audit team could not postpone its work. Schaefer used virtual meetings and telehealth systems for virtual walk-throughs so business could continue. Outside of work, Schaefer volunteer fundraises for her community’s pool and park; she also loves spending quality time with family.<br></p><h3> <img src="/2021/PublishingImages/Sabrina-Mongrain.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Sabrina Mongrain<br></h3><p> <strong>28, Senior Manager, Global Regulatory Compliance Audit</strong><br><strong>Royal Bank of Canada</strong><br><strong>Toronto</strong><br></p><p>Sabrina Mongrain always wants to know the “why?” behind processes, controls, and risks; she regularly queries co-workers in the business to understand their problems and ensure internal audit’s alignment with their strategies. “She works to solution alongside the business, rather than solution at it, to ensure stakeholder buy-in and partnership,” says former manager-once-removed Sara Gelgor, chief compliance officer at Concentra. Indeed, Mongrain says the best part of internal audit is understanding processes end-to-end. “We are collaborators with the business on processes,” the Laurentian University graduate says, “not just reviewers after processes are in place.” She shared her forward-thinking ideas at a credit union group’s internal audit roundtable in 2020, encouraging attendees to challenge standard audit regimes. And at a former employer, Mongrain helped reengineer the regulatory compliance risk assessment process. She also implemented new technology for the audit team there that reduces the risk of missing audit observations, and she created a more analytical, numbers- and percentages-based audit format to identify areas of concern for senior management and the board. “I work to be as transparent and collaborative as possible,” says Mongrain, who’s pursuing a CIA. “Keeping secrets from the stakeholder in the engagement does not benefit anyone. That has certainly taken the ‘policing’ out of my style of auditing.” Beyond her audit work, Mongrain is a volunteer board member at Rituals for Recovery, an Ontario nonprofit that assists with trauma recovery, and a March of Dimes volunteer who “chats with folks who have been shut in through the pandemic to help uplift their days.” She also knits and crochets.<br></p><h3> <img src="/2021/PublishingImages/Holly-Saville.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Holly Saville, CIA, CPA</h3><p> <strong>27, Finance Manager, Commerce Finance</strong><br><strong>Microsoft</strong><br><strong>Redmond, Wash.</strong><br></p><p> <span class="s1" style="letter-spacing:-0.1px;">When COVID-19 started to disrupt every aspect of commerce, </span> <span class="s2" style="font-stretch:normal;font-size:8.5px;line-height:normal;font-family:interstate;letter-spacing:-0.1px;"> <strong>Holly Saville</strong></span><span class="s1" style="letter-spacing:-0.1px;"> “proactively answered the new challenge of remote work by developing a team website,” says former supervisor Brian Salvador, director, Controls and Compliance, at NAES Corp. and a 2017 Emerging Leader. Saville, a University of Kansas graduate, explains that with Microsoft operating remotely since March 2020, she saw the need to foster digital collaboration. “I improved my team’s online documentation, including creation of a collaborative onboarding portal and team intranet site,” she says, “to centralize resources and facilitate the entirely remote onboarding of 15 new teammates.” Salvador notes that the website created “clarity and camaraderie,” adding that the guidance in it provided significant value to the onboarding process. She now supports a multibillion-dollar online financial platform, focusing on order-to-cash processes, to ensure accurate accounting and financial reporting. Day to day, she autonomously and directly supports management in developing complex and innovative solutions, which requires deep understanding of the company’s intricate systems to design and execute end-to-end processes and controls. Expertise in risk assessment and control improvement is a must, Salvador notes, because Saville “leads initiatives to drive process improvement across engineering, compliance, and finance.” Interestingly, risk management, now her favorite part of internal audit, seemed dense and abstract in academia, Saville says, adding that real-life practice has proved it to be “an area of immense impact.” Saville volunteers as a guest speaker at Seattle University and participates in alumni panels at the University of Kansas. She also is a member of a United Way committee at Microsoft that supports charity events, encouraging community engagement across her team; and she organized a volunteering program at a care home in a community struggling with homelessness and mental health issues. In her free time, Saville enjoys scuba diving and international travel.</span><br></p><h3> <img src="/2021/PublishingImages/Clement-Osei-Agyemang.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Clement Osei Agyemang, CFE, CISA, CFIP, CCA</h3><p> <strong>30, Founder</strong><br><strong>Global Independent Oversight Experts</strong><br><strong>Accra, Ghana</strong><br></p><p>Clement Osei Agyemang aims high. At one former employer, he made history. “I was the first person to properly set up an internal audit department among the company’s branches in Africa,” the University of Professional Studies, Accra, graduate says. While there, Agyemang established the Officer of Integrity award program to promote integrity among the entire staff, reports colleague Eric Odobai, manager at IIA–Ghana. The aim, he adds, was to “offset destructive behaviors with incompatible productive ones.” At another former company, Agyemang’s audit plan included assessing and advising on management interventions to contain the COVID-19 pandemic, among other approved audit activities. “He is great at coming up with new ideas,” Odobai adds. “He is a hope for the future of internal audit.” Now, Agyemang devotes his time and energy to a nonprofit organization he founded in 2020 to continue the internal audit services volunteering he’s been engaged in since he was in college, Odobai notes. Global Independent Oversight Experts provides free oversight services for businesses that can’t afford them, Agyemang says, but that need such services to survive the pandemic. “I believe there are a lot of organizations out there that need the services of highly objective, candid, and trustworthy people like myself to give them honest answers and solutions,” he adds. Internal audit’s assurance and consulting activities have improved the conditions of many companies, he says, adding: “If I could, I would make internal audit a global compulsory function in the corporate world, either in-house or outsourced.” Agyemang, who’s pursuing the CIA designation, also serves as a member of IIA–Ghana’s Certification and Professional Development Committee. <br></p><h3> <img src="/2021/PublishingImages/Angie-Mauga.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Angie Mauga<br></h3><p> <strong>25, Risk Advisory Services, Associate II</strong><br><strong>Weaver</strong><br><strong>Dallas</strong><br></p><p>Angie Mauga has combined academia and The IIA for much of her adult life. As a student at the University of Texas at Dallas (UTD), she was president of the school’s Center for Internal Auditing Excellence (CIAE) Student Chapter, notes center director Joseph Mauriello. And at 2018’s Internal Audit Education Partnership (IAEP) Student Exchange, he adds, Mauga conducted a 45-minute one-on-one interview with Naohiro Mouri, The IIA’s global board chair at the time, in front of more than 300 attendees — several of whom she later mentored. Mauga was also a student liaison for the IIA–Dallas<br>Super Conference and annual UTD Fraud Summit from 2016 to 2020, helping coordinate student volunteer groups to facilitate conference activities. As a graduate and professional, Mauriello says, Mauga — who’s working toward obtaining the CIA credential — still contributes to the success of the CIAE. “She used her experience as a student in IAEP courses to fine-tune the coaching methods used to facilitate student projects and papers,” he explains. “Her one-on-one coaching techniques, for which she pulled from her own experience as an internal audit student, resonated with her peers.” Mauga says: “My work with students has helped me develop my internal audit knowledge and improve my soft skills.” As a college student, she adds, she generally worked independently. “Now that I have started my career in internal audit, I have realized I enjoy the amount of collaboration this career requires,” she says. Mauga also volunteers at a local food bank, and in her free time she’s been learning to shoot skeet and “going on food adventures around Texas” with her husband.<br></p><h3> <img src="/2021/PublishingImages/Gillian-Wayne.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Gillian Wayne, CIA</h3><p> <strong>29, Vice President, Audit Supervisor</strong><br><strong>Bank of America</strong><br><strong>Charlotte, N.C.</strong><br></p><p>Gillian Wayne wanted to be a banker since she was 4; her parents fashioned a pretend drive-through ATM and used their real Bank of America deposit slips to complete transactions with her. In 2013, she lived that dream by interning in the audit department at Bank of America’s corporate office. “Internal audit has provided me a vantage point of the organization that few experience,” the Florida State University graduate says. “Practitioners work with people across the organization, at all levels, allowing us to appreciate interdependencies and what is truly important to the business.” Wayne joined the company’s central strategy team in 2019, adds manager Janet Jarnagin, senior vice president, audit director, at Bank of America, and now focuses on executive reporting, including creating reports and dashboards that summarize audit results, issue trends, and control environment indicators. In fact, she’s created new reporting to better highlight audit results and trends. Jarnagin points to one example: A section of the quarterly board report had a text-heavy narrative format. “She brought in more quantitative data points to provide a more holistic view of each segment’s control environment,” Jarnagin says. The process involved streamlining the text and reducing the risk of errors. “I carved out some time to experiment,” Wayne adds, “then pitched the redesign to senior leadership in my team.” Wayne also made time for volunteer work through her company, organizing a tree-planting event that spanned three metropolitan areas — Charlotte, N.C., New York, and Chicago. Free time no longer exists for Wayne, who’s focused on planning a Nov. 7 wedding and remodeling her home.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​ <p><strong>Internal Audit Foundation Honors Emerging Leaders</strong></p><p>The Internal Audit Foundation is giving colleagues, friends, and organizations the opportunity to recognize an Emerging Leader by making a donation to the Foundation in his or her honor.</p><p>For more than 45 years, the Foundation has provided relevant research, insight into emerging topics, and pertinent materials to promote and advance the internal audit profession's value globally. The Foundation also funds academic advancement initiatives to support the next generation of internal auditors. Visit the <a href="https://theiia.networkforgood.com/projects/139245-2021-honor-an-emerging-leader-campaign" data-feathr-click-track="true"><span class="ms-rteForeColor-8">Emerging Leaders online tribute page</span></a> to make your donation. For more information about the Foundation, please visit its <a href="https://na.theiia.org/iiarf/Pages/About-the-Internal-Audit-Foundation.aspx" data-feathr-click-track="true"><span class="ms-rteForeColor-8">website</span></a>.<br></p> </td></tr></tbody></table><p></p>Russell A. Jackson0
A Quiet Placehttps://iaonline.theiia.org/2021/Pages/A-Quiet-Place.aspxA Quiet Place<p><em>​“If one goes into a strange society and can do these three things, ask a question accurately, give a command accurately, and gloom and exclaim and enthuse at the proper moments, most of the rest of what you have to do is listen.”</em> — Margaret Mead<br></p><p>Why is it so hard for internal auditors to stay quiet? Why do we move from step to step in our process without providing the silence that allows others to fully communicate? It’s not that we’re nonstop prattlers, constantly running off at the mouth. But we seem to have a fear of silence — an inability to quietly sit back, allowing communication and information to flow without interjecting our own thoughts and ideas.</p><p>We are not the only ones; people everywhere seem to believe proof of their existence requires constant verbalization. But success in our profession can only be achieved when we develop a metaphorical quiet place — a time and space that allows for uninterrupted flow of communication from the person with whom we are working.</p><p>In the earlier quote, U.S. anthropologist Margaret Mead details our role in allowing sufficient space for silence. And while what follows primarily relates to interviewing, it is applicable to all audit activities, including meetings, testing, and even report writing.<br></p><p><strong>Give a command accurately.</strong> No, we are not literally giving commands when we perform audit work. But we do provide direction — specifically or by inference — that helps the client focus, move forward, and provide the communication we need. <br></p><p><strong>Gloom and exclaim and enthuse at the proper moments.</strong> Successful communication requires empathy. Not to be confused with sympathy, or feeling sorry for someone, empathy is the unfeigned ability to recognize and relate to another person’s emotions. And showing that empathy by responding with gloom, exclamation, or enthusiasm, as appropriate, builds the rapport necessary for effective communication with audit clients.</p><p><strong>Ask a question accurately.</strong> Mead listed this item first, but I saved it for last because of its importance. In our profession, we ask a lot of questions. But do we truly understand what we are asking, why we are asking it, and what we hope to gain? Before we begin any step in the audit process — before we open our mouths or begin a test or even place our fingers on the keyboard — we should pause to think about what we are about to express. We need to determine how it relates to what has happened before, how it applies to what’s currently happening, and how it will impact what happens next.</p><p>We have to know what to share, how to respond, and what to ask. But most importantly, we have to know when to say nothing at all. Silence is the opportunity we give others to provide the information we need. </p>Mike Jacka1
The Power of Integrated Auditinghttps://iaonline.theiia.org/2021/Pages/The-Power-of-Integrated-Auditing.aspxThe Power of Integrated Auditing<p>​Integrated auditing — a combination of financial, performance, and IT auditing — offers numerous benefits to an audit function, allowing greater impact without necessarily increasing headcount. Integration can help internal audit stay relevant in its role as trusted adviser in the rapidly changing post-COVID-19 environment.</p><p>Integrated auditing's strength is that it shows not just where money was spent, but how it was spent — an important consideration in the public sector, says Mara Ash, CEO of Business & Financial Management Solutions LLC of Austin, Texas. Taxpayers want government to spend their tax dollars prudently, efficiently, and effectively, and integrated auditing can provide this reassurance. It's a different concern compared with the private sector, which generally is more focused on making a profit. The public sector's concern, by contrast, is "Did you use my tax dollars efficiently?" Ash says.</p><p>The move to integrated auditing represents an evolution of internal audit, says Kip Memmott, audit director for Oregon's Secretary of State. Auditors — whether performance, financial, or IT — used to be more siloed into their respective areas. Now, each needs to know more about the others' areas. "It's an awesome opportunity for cross-training, not only from a technical skill set, but from a cultural area," he says, in terms of breaking down rivalries and developing understanding. While the performance, financial, and IT auditors all have different skill sets and work with different legal requirements and standards, they all are working toward the same end game — determining whether the client is executing its mission to the best of its ability, Memmott says.</p><h2>Benefits of Integration</h2><p>From the organization's point of view, the advantages are efficiency and effectiveness, says Domenic Savini, assistant director for the Federal Accounting Standards Advisory Board (FASAB) in Washington, D.C. For example, when auditors perform an integrated audit, they accomplish their objectives using coordinated audit processes and testing that typically cut across multiple audits and/or objectives during the audit cycle and yield results that are more comprehensive. The audit tests help satisfy multiple objectives and bring audit matters into sharper focus. This win-win situation keeps use of audit and client resources to a minimum and results in comprehensive recommendations and related solutions, says Savini, who notes his views are personal and do not necessarily reflect those of the FASAB or any of its members. </p><p>For Ash, integrated auditing allows public sector organizations to determine whether expenditures were made efficiently and whether they were effective. Determining effectiveness allows the organization to make good management decisions about the direction of the program. It also pushes auditors out of their comfort zones to look holistically at the organization and its processes, helping them to become more of a trusted adviser.</p><p>Integrated auditing exposes employees — especially those seeking management roles — to different operational areas, Savini says. This exposure helps them develop an understanding of their organization's various business processes, become more effective decision-makers, and hopefully, more well-rounded managers, he adds. </p><p>Integrated auditing also gives organizations a broader reach and more depth in its audits, and a powerful tool to look at complex issues, Memmott says. He notes both performance and financial audit standards require practitioners' data to be reliable, adding that IT can help make this determination. Meanwhile, the multiple concerns of a COVID-19 and post-COVID-19 work environment — managing a workforce, recruiting and turnover, telework, and flexible work schedules and work sites — all are areas in which internal audit should be involved, he says. </p><p>Bringing together performance, financial, and IT audits provides audits that are powerful, real-time, and proactive. Integrated auditing also pushes audit to take a more active role with its organization. "The idea with integrated auditing is to be more proactive, more strategic, and more forward looking," Memmott says.<br></p><h2>Barriers to Adoption</h2><p>Despite its advantages, integrated auditing is not often used in government, Memmott says. Many internal audit functions are small and do not have either the staff or the skill sets, especially for IT auditing. Risk aversion, the mindset of "this is the way we've always done things," also plays a part. </p><p>For Savini, having adequate and competent staff resources are a chief audit executive's primary concern, followed by efficient communication among the audit team members and management buy-in on the concept of integrative auditing. Management needs to understand that what may appear to be "scope-creep" is actually an investment toward future resource savings and better, more focused audit results, he says. </p><p>Integrated audits take longer because of their broader scope. Some areas may take longer than planned or newly discovered areas may need to be addressed. Integrated audits can be budget-eaters, especially if they are not well designed and coordinated, Memmott says. Conversations with the audit committee during development of the audit plan are important. "Because of the cost, it's got to be the right area," Memmott says. </p><p>The silos that can exist between different areas, such as between different types of auditors, also can be a barrier, Memmott says. Differences in expectations and relationships may need to be worked through with clients as well. "There's a lot of education, not only internally, but externally, that should go into integrated auditing," he says. </p><p>While not necessarily a barrier, auditors in the public sector need to stick to the facts, be aware of topics that might be politically sensitive, as well as avoid political groupthink and the influences of politics or political ideology, Savini says. Auditors in the public sector as well as those with highly engaged audit committees typically do not have the luxury of picking and choosing their audits. As a result, these auditors need to be clear and know how their results will be used. "We can't hide from doing an audit, but we have to do it in an apolitical and unbiased manner," Savini says. "We must protect the integrity of the internal audit profession."</p><h2>Real-time Auditing</h2><p>Typically integrated auditing is done at the end of the fiscal year to coincide with the annual financial audit, Ash says. (An internal auditor typically would not perform the annual financial audit; however, internal auditors may be involved in providing assurance over internal controls affecting financial statements.) That said, real-time auditing has benefits, she notes, given that government entities are moving to integrated audits for their grant programs. They are doing so because grantees are required to show the outcomes associated with the funding they received, and federal guidance requires them to share new ideas or efficiencies. Real-time auditing enables grantees to make course changes during the performance period to ensure desired outcomes, and the results can be applied to other programs.</p><p>Integrated auditing, working hand-in-hand with real-time auditing, brings more muscle and provides greater assurance. The key, Memmott says, is in structuring the real-time audit to ensure that, even with the larger scope of the integrated audit, information is disseminated in a timely fashion.</p><h2>Implementation</h2><p>In looking to implement integrated auditing, "my advice is always to start at the top," Ash says. She recommends making sure that management is on board and understands internal auditing as well as integrated auditing. With integrated auditing, it's a matter of breaking down the mindset of separation — financial and performance audits and understanding how they are integrated — then putting it all together with the organization's existing work tools and programs.</p><p>Second, Ash suggests looking at major, high-dollar-value programs, especially if they are subject to federal funding regulations, or if they are actively monitored at the state/county/local level. These programs provide a great starting point, because stakeholders and others will want information about program outcomes, Ash says. Third, she advises looking at high-visibility programs, the ones that are in the public eye. <br></p><p>In terms of helping teams work together, "data analytics is a magical tool," Memmott says, noting that it has the power to bring financial, performance, and IT teams together, even though they have different objectives. In addition, when building an audit plan, he says auditors should think about the objectives and the steps to meet those objectives, and build the plan specifically around integrated auditing. </p><p>In addition, a good onboarding program can help with recruiting and retention, break down the silos between disciplines, and build understanding across disciplines. Memmott notes that his department has a rotational program, for example, where performance auditors could rotate through IT. </p><p>Diversity within a team is critical as a means of supporting candid discussions on different issues, Savini says, and to help ensure audit stays apolitical and true to its objectives. He stresses the importance of hiring not based just on demographics, but hiring for diversity of thought, opinion, and experiences.</p><p>When working with public governing bodies such as county commissions and city councils, "integrated auditing is your friend," Ash says. An integrated audit can answer the organization's bottom-line concern — what it got for its expenditure on a project. With an integrated audit, Ash says she can tell the governing body that money spent on allowable costs and controls was effective, detail programmatic outcomes, and discuss what improvements might be needed. </p><p>While implementation of integrated auditing can have higher initial costs, the return on investment will pay for itself down the road, Savini says. In this current environment, organizations need to leverage every resource to get "mean, lean, and green," so it is an advantage to leverage the skills of auditors. "If they're ready, willing, and able, you have got the most important part of the battle won," Savini says. </p><p>Integrated auditing also will help organizations cope with possible cuts in federal funding and develop better programs, Ash says. "Integrating performance and fiscal auditing is something that we are going to have to get comfortable with now, because in the future it's something we are going to have to do to survive."<br></p>Geoffrey Nordhoff1
A New Runwayhttps://iaonline.theiia.org/2021/Pages/A-New-Runway.aspxA New Runway<p>​I have been an internal auditor for most of my career, and from the beginning, it has been fulfilling, challenging, and interesting. Internal auditing has played to my strengths of curiosity, focus on continuous improvement, building risk assessments, and developing business relationships. I have enjoyed partnering with process owners, learning about their challenges, and highlighting risks and improvement opportunities.</p><p>Yet, one day early in my career, the company's chief financial officer (CFO) asked me a question that had rarely crossed my mind: "So, what do you want to do with the rest of your career, or would you like to be a career auditor?" It was a big question and I answered it honestly; I loved audit and believed in the value a solid audit team could bring to an organization. Just six years out of college, I felt I still had quite a bit to learn before needing a change.</p><p>I continued my audit journey and soon switched to a different company with an opportunity to rebuild a part of the internal audit team that had recently experienced significant turnover. For the next six years, I had an amazing run, leading audit teams on three continents, building strong relationships with process owners, and partnering with various departments to enhance the value the team delivered.<br></p><p>But still, the CFO's question gnawed at me. Did I want to be a career internal auditor? Would I have the courage to leave the comfort of my chosen profession to broaden my horizons and reap the potential benefits of following the path unknown? What lessons could I learn by stepping outside of my comfort zone and career? I faced a decision that most internal auditors contemplate during their career, and this is what I learned on my journey.</p><h2>A New Direction</h2><p>For me, the CFO's question raised other questions. Was I missing something by not stepping out of my comfort zone and "going into the business"? Was it right to question my chosen career path? I had the opportunity to work with many departments and often had wondered whether I could leave internal audit behind to do something else. Most times, the answer was a fairly definite "no," while a couple of times I could have been tempted by job openings on other teams.</p><p>That temptation first arrived when I was presented an opportunity to join the Financial Planning and Analysis (FP&A) team with the company's largest division. The new vice president of Finance was shaking things up and already had proven to be the kind of leader many aspire to be — authentic, visionary, intelligent, supportive, and thoughtful. Her goal was to elevate the finance department to the next level after a recent large acquisition. The proposition was that my audit skills in process review and analysis, focus on improvement, and problem-solving abilities would benefit the team in performing a value chain analysis, building efficiencies, and strengthening controls.</p><p>The opportunity seemed to finally answer my question of whether I could have a career outside of audit. I was excited at the prospect of learning from a respected leader, expanding my skills, and supporting process improvement initiatives I believed in. Finally, I would be able to see what life was like outside of internal audit.</p><p>And so, I started a new career. It was a thrilling new runway to take off in a new direction, exciting albeit slightly intimidating. Things were changing fast at the division, and my role was reimagined shortly after I joined the team.</p><p>I didn't mind. At last I had the coveted seat at the table. I was included in strategic planning discussions, helped create analyses that would drive capital investment decisions, and contributed to presentations that would be shared with senior executives. I worked with everyone from engineers to demand planners; dove deeper into business operations; and lived and breathed waterfall bridges, economic value-added calculations, and cash flow analyses.</p><p>It was an incredible amount of hard work. The deadlines were rigorous; the pressure was intense.</p><p>During this time, I realized that my internal audit team had been rather sheltered. Although the run up to the audit committee meetings could be hectic, and report issuance could get contentious, it was nothing compared to the amount of scrutiny that was placed on FP&A. Every number, every word mattered. If a forecasted result was missed, FP&A was the first to be held accountable. We equipped the vice president of Finance with every bit of information we could think of in anticipation of senior leadership questions. Our team was on call and always ready.</p><h2>Lessons From the Other Side</h2><p>I spent two years in FP&A. During that time, I learned several valuable lessons that helped me grow professionally and deepened my appreciation of how a strong internal audit team can effectively support the organization.</p><p><strong>Internal auditors are uniquely positioned to support business initiatives and ad ho</strong><strong>c projects.</strong> Although internal auditors often are viewed as generalists, their skills can be successfully applied in other parts of the business. I found FP&A fulfilling because the projects complemented my natural curiosity, as well as my ability to ask the right questions, dig into details, and make connections between varied parts of the process to pinpoint improvement opportunities.<br></p><p><strong>Understanding business drivers and their correlations is imperative for a successful audit. </strong>Being in FP&A showed me facets of core operations I had not seen before. Audit teams often review downstream processes, such as accounting, without fully grasping the dynamics of the operational strategy, which could lead to a misaligned audit scope or lackluster observations. Internal auditors should seek to understand the organization's core operations and risk profile to better align the entire audit cycle, from organizational risk assessment to audit procedure design.<br></p><p><strong>Respect and understanding of business activity cadence garners g</strong><strong>oodwill. </strong>I gained greater respect for the complexity of business processes and urgency of timelines. I also have a better appreciation of the importance of teamwork and the incredible amount of dedication and hard work that the accounting, finance, and operations teams put in to drive the business forward. Proactively planning around a month-end close, a quarterly reforecast, or strategic planning doesn't mean constantly pushing projects to the side. However, general awareness and accommodation in the audit plan can yield higher engagement from business partners.<br></p><p><strong>Recognizing the deeper impact of an audit observation and audit as a whole is vital. </strong>Business partners often are stretched thin working their "day jobs," as well as on special projects and new initiatives. An audit can be a disruption, especially if it is broad in scope and lasts several months. However, a bigger nuisance and disappointment is an audit that misses the mark on its objectives and does not deliver the insight business process owners are yearning to know.</p><p><strong>Business partners are looking for meaningful support from internal audit. </strong>Pointing out the obvious, low-hanging fruit may be helpful when business partners are looking to bring more focus to completing action plans for shortcomings they know about. But what they are more interested in is something they may be missing altogether — something that may be material and impactful to the way they do their work. A thoughtfully planned internal audit can deliver that impact, so the audit team should ensure the audit scope and objectives resonate with business partners and clearly articulate the root cause and impact of every observation.<br></p><p><strong>Internal audit should stay close to the business and remain agile. </strong>Internal audit's business partners often are working to solve urgent and unexpected problems. A well-respected internal audit team can provide independent, objective, and competent support. The ability to modulate the audit plan to address emerging risks, adapt the audit approach, and incorporate lessons learned and observations in real time can help auditors and business partners focus their efforts on the most relevant topics and, more importantly, provide timely insight to the organization. It also mirrors the focus on business success through agility, nimbleness, and responsiveness to today's fast-paced environment.<br></p><p><strong>Diverse skills are key to a successful internal audit team. </strong>Rotational programs can help diversify internal auditors' experience and provide invaluable insight into the mechanics of business processes. However, a small internal audit department may not be able to sustain a rotational program. Allowing auditors to provide short-term project support can create a learning opportunity and a chance to strengthen relationships, which could benefit the team in the long run. Even if teammates choose to pursue a more permanent assignment outside of audit, the audit team will gain an advocate and a sounding board in the business.</p><p>I have often thought that a measure of an internal audit team's success was the number of times business partners reached out with a request. It is the ultimate sign of alignment, engagement, and trust that internal auditors bring value through the independent and objective evaluation of processes, while keeping continuous improvement opportunities in mind.</p><p>Being "in the business" reaffirmed my belief that to succeed, internal auditors must understand the organization's operations and priorities, be aware of emerging risks, appreciate the cadence of business processes, and have effective relationships with process owners. This, in turn, pivots the risk assessment and audit planning conversation from "What are your initiatives?" and "How can we help?" to "Understanding your business priorities and process changes, this is how we can support you." Doesn't that sound like a more exciting way to begin a dialogue?</p><h2>My Return to Internal Audit</h2><p>In the end, I returned to internal audit and have been back for two years now. I missed the diversity of work, having a broader view of the organization and its risk universe, and leading a team. Yet, the lessons I learned on "the inside" made me a better auditor and leader. I have a deeper appreciation for a holistic approach to auditing — the need to understand before making a judgment — and I am better equipped to ask the right questions and discern what matters.</p><p>Moreover, I am grateful to the leaders who challenged me to push beyond the boundaries of my professional comfort zone. Internal auditors should not be afraid to broaden their horizons, offer their expertise, and gain new skills, whether through supporting a project, participating in a rotational program, or exploring a new career path.<br></p>Agnessa Vartanova1
The Future-ready Internal Auditorhttps://iaonline.theiia.org/2021/Pages/The-Future-ready-Internal-Auditor.aspxThe Future-ready Internal Auditor<p>​As a child, I was a big fan of the animated TV series, <em>The Jetsons</em>. As those of you who watched the show know, the Jetsons were a futuristic family with a robot maid, video conferencing, ubiquitous automation, and a flying car — along with many other gadgets that were pure science fiction in the 1960s.</p><p>As a lifelong tech enthusiast, I've watched technology progress toward this Jetsons ideal. While we don't yet have robot housekeepers like Rosie, we certainly have any number of robot-like gadgets that do our bidding at home — from Roombas, to Alexa, to "smart" appliances, for example. Communicating Jetson-style from almost anywhere and via video went mainstream in 2020. And automation is cropping up everywhere — not just in grocery stores and warehouses, but also in robotic process automation (RPA), chatbots, and personalized product recommendations. Some technology has advanced more slowly than I anticipated — I fully expected to see flying cars by now. While we do have semi-autonomous cars, and there are several global startups working on "urban air taxis," the general public still can't purchase a fully autonomous vehicle. But we are getting closer to that reality every day.</p><p>The Jetsons wasn't able to predict everything, of course. In fact, there are many ways in which technology has surprised us with totally unexpected developments. What we <em>can</em> predict is that the pace of technological change is going to be dizzying over the next decade and internal auditors are going to have to keep up. As the 2021–2022 chairman of The IIA's Global Board, I will encourage internal auditors to be future-ready. Organizations and audit functions that are not nimble and adaptive will have a difficult time surviving in this world of constant change. However, I believe internal auditors have the skills and experience to look out for what's next and to take five key steps to meet this moment.</p><h2>Supercharge Internal Audit With the Right Technology Resources</h2><p>Even for someone who has spent a career working with and implementing new technologies, these dramatic changes can seem overwhelming. But there's much internal auditors can do to ensure we are future-ready. Continuous learning is going to be more important than ever, and IIA President and CEO Anthony Pugliese is positioning The Institute as a critical resource for internal auditors.</p><p>The IIA is focused on transforming its technological capabilities, delivering new and relevant training, providing important guidance through resources like the Global Technology Audit Guides (GTAGs), and establishing a new IT certificate. IIA members should take advantage of these resources, and they should develop habits like reading this magazine, which regularly covers technology topics; listening to technology podcasts; and following technology experts on social media.</p><p>One of the attributes board members value most from internal audit is insight. In an era where disruptive technology will need to be factored into every audit, it is imperative that internal audit leaders staff their functions with people who have technology insight. There are several ways to ensure the audit team has optimal technical skills, but here are a few ideas:</p><ul><li>Rotate auditors into a more technical role for a year or two, and then bring them back into the audit function.</li><li>Be purposeful with the training budget to ensure team members are obtaining training in the skills of the future.</li><li>Consider creative activities like gamifying training or holding online competitions that encourage use of interactive and collaborative software.</li><li>Recruit technically competent people who may not have audit experience. Then, train them to perform the audit work.</li></ul><h2>Build Stronger Relationships With Partners and Extended Third Parties</h2><p>As today's organizations focus on enterprise risk management (ERM) and interdependent risks within the company, it is also important to consider interdependencies with specific third parties and the aggregated risks of multiple third parties. As the march toward the cloud and numerous "everything-as-a-service" providers create greater reliance on external providers, third-party risk will become even more prevalent. Maintaining transparency of third-party risks and controls is critical as supply-chain vulnerabilities continue to be heavily targeted by malicious attackers (e.g., in the SolarWinds and Colonial Pipeline events).</p><p>As more organizations move into the cloud, relationships with third parties become more opaque. Cloud providers — and every third party the organization deals with — are relying on other third parties for services, supplies, and data. Internal audit needs to work with the legal department, establishing models now that allow it to audit through a third party to obtain certain types of information about a fourth, or even a fifth, party.</p><p>Another technology with built-in third-party risk is blockchain, which is a decentralized network of distributed users who have agreed to trust each other for certain types of transactions. These networks can be as small as two or three or could include millions of participants. Blockchain will require organizations to work together to create automated contracts and online and real-time approval processes for an immediate exchange of value. While data can be restricted and encrypted, it will still be vulnerable to inadvertent exposure. All the organizations in the network will need to address the confidentiality risks, ensuring that personally identifiable information is not compromised or stolen. Some participants — banks, other businesses, buyers, sellers, and regulators — will require access to sensitive information. These situations will have to follow defined controls, regulations, and protocols to ensure compliance with laws and to meet the expectations of customers who are now, more than ever, demanding privacy and confidentiality.</p><p>Internal auditors need to be prepared for completely different testing of distributed and shared data and will need to consider questions like:</p><ul><li>How will internal audit obtain and test information that is buried in some third party's database?</li><li>How will auditors test data that is being used on one of the blockchain consortiums?</li></ul><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<p><strong>My Circuitous Path to Internal Auditing</strong><br></p><p>Like many internal auditors, I arrived at the profession from a somewhat indirect route. After graduating high school, I planned to be a high school teacher and coach. I was good at math, I liked kids, and while I wasn't really built for basketball, I had learned to play because it was the only sport my little Oklahoma high school offered. But after about three semesters at Oklahoma State University, I figured out that wasn't really the right path for me. I dabbled in engineering, and then made my way to accounting and computer science. I loved the business side of accounting, and in computer science I found that I really enjoyed the fast-changing world of technology. Particularly with coding, things have to be very sequential and ordered to work, and I could appreciate that. I ended up receiving two degrees: one in computer science and one in accounting.</p><p>I worked as an auditor for a certified public accountant for a couple of years but then jumped back into IT and became a computer programmer. Even in the mid-1980s, technology was advancing quickly and I didn't want to lose the computer science training I'd gained in college. So, I took a job with a Tulsa-based energy company, working my way up to technical services supervisor. While there, I developed billing applications and was the IT project leader for the implementation of new financial systems.</p><p>In 1991, I decided it was time to get back to the accounting world, and I went to work for American Airlines. By then, I was leading people, so I started running large accounting processing systems, such as payables and receivables, revenue accounting, and interline accounting. Even though I was no longer a computer programmer, in my various leadership roles, I still helped build and design large, integrated, and technologically sophisticated accounting systems.</p><p>At that point, while technology, leadership, and accounting had been ongoing themes in my life, I had no interest in internal auditing. However, that changed after Sept. 11, 2001. American Airlines had two planes involved in the terrorist attacks, and the effect on the company was immediate. The federal government shut down the national airspace, cancelling thousands of flights. Exactly a week after 9/11, I received a call from my boss, the chief financial officer at American Airlines: My job was being eliminated, but I was being offered a new role as the chief audit executive (CAE), if I was willing to move to Dallas. My response, "Sure, boss, I'd be glad to take that job in Dallas."</p><p>After I'd been doing the job for just a few months, I realized that internal auditing was not what I'd expected. I loved the service aspect of the work — the ability to help other people succeed. I also enjoyed the consulting side of it, as I've always liked fixing problems. I decided to stay on that career path, and I eventually went on to work for Devon Energy as its CAE.</p><p>Today, I'm the chief risk officer at Jack Henry and Associates, a fintech company, where I oversee the CAE. All the work I'd done previously — the accounting work, the big process work, the computer programming, the leadership roles — it all came together for me in the remarkably satisfying profession of internal auditing.<br></p></td></tr></tbody></table><h2>Use Data Management As a Catalyst for Change</h2><p>As with disruptive periods throughout history, organizations are going to encounter both risks and opportunities. One of those opportunities relates to the most valuable asset in the digital world, data. As organizations move data into the cloud, collect data about their customers and employees, and find even more ways to use that information, data custody and privacy will become more important than ever. Consumers understand the risks to their privacy, so governments are responding with new laws and regulations that punish organizations that aren't handling their responsibilities well. Internal auditors need to be more analytical and understand that the organization's data will be quickly downloaded, thus heightening data privacy issues. Data privacy begins with identity management, so a great place for auditors to start is to review identity governance, administration, and privileged access management.</p><p>More data moving around more quickly means an accelerated use of big data and greater demand for data analytics. Internal audit needs to ensure there is governance over that data. Auditors will need to focus on database management and ensure policies, procedures, governance, data stewardship, privacy controls, and classification schemes are in place and functioning effectively.</p><p>To leverage data appropriately, the entire audit planning process needs to be redesigned to integrate a focus on data. Part of the scoping and objective-setting process — which has traditionally occurred on the front end of planning — should now include a focus on identifying potential data analysis that might add value in the audit.</p><p>The results of this effort should be used to refine and enhance the scope of the audit. Audit sampling — or 100% testing where possible — will then allow internal audit to provide more accurate insight into the area being audited. As auditors approach the end of the audit, they can convert the data into storyboards and visualization to tell a more impactful story.</p><h2>Reimagine How to Deploy Technology Within Internal Audit</h2><p>Some internal audit functions are well-suited for RPA and artificial intelligence (AI), machine learning, continuous auditing, and anomaly detection tools. With RPA, internal auditors can more easily move from testing a sample of internal controls to testing the entire population. Programmable bots can be used to test controls in minutes and feed the results to management dashboards. Bots also can monitor configurable controls, report on results outside of specific thresholds, and even prepare and document workpapers.</p><p>Auditors can leverage machine learning to simplify grouping and categorization tasks. Another example would be to teach a tool to predict who should have approved a particular invoice and then run the tool against the entire population of invoices to identify discrepancies. These technologies will expand the potential to perform the testing much more effectively.</p><p>Internal auditors may find useful a practical, three-part series of reports from The IIA's Internal Audit Foundation, in collaboration with Deloitte, on Moving Internal Audit Deeper Into the Digital Age. Part 1 offers a structured methodology for leveraging automation within the internal audit function. Part 2 considers six critical components of RPA and cognitive intelligence and examines their output to determine the greatest risk areas and how to audit them. And, Part 3 looks at how internal auditors can take automation capabilities beyond theory to practice. The reports, as well as numerous other technology-related publications and resources, are available via resource exchanges on The IIA's website, including the Artificial Intelligence and Data Analytics resource exchanges.</p><p>Another option for auditors looking to educate themselves on the latest technologies is to attend The IIA and ISACA's annual GRC Conference. This year's conference, being held Aug. 9-11 virtually and in Denver, Colo., has tracks focused on cybersecurity, data, and technology trends, among many others.</p><h2>Prepare for the Democratization and Convergence of Technology</h2><p>As mobile technologies become cheaper and more ubiquitous, the benefits of technology are going to become more common and impact many more people. With so many important technologies currently evolving, the impact will begin to grow exponentially.</p><p>The foundation of this concept is built on Moore's Law, an idea I first encountered as a computer science student. Moore's Law is based on American engineer Gordon Moore who in the 1960s predicted that because manufacturers were able to make smaller and smaller transistors, the number of transistors added to silicon chips would double every 18 to 24 months. This has given rise to exponential growth in computing power that has continued for the last six decades.</p><p>This increasing computing power means that technology will continue to quicken its pace, and we'll see the knock-on effects in areas like AI and machine learning, blockchain, robotics and autonomous vehicles, 3D printing, 5G, nanotechnology, and virtual and augmented reality.</p><p>One result of all of this extra computer power and storage is that scientists now have the capability to access and store more data related to the Internet of Things (IoT). With more access to the IoT, robotics can be deployed to automate activities and processes. And by applying AI, the robots can be trained to perform certain tasks and ultimately learn and make improvements to their own software. With all the technologies improving at a near-exponential rate, the cycle of improvement will be extraordinary.</p><h2>A Future-ready Response</h2><p>We don't need a quantum computer to tell us there is going to be a lot of change over the next several years, or that that change will dramatically impact internal auditors and the organizations they serve.</p><p>While I am still disappointed that we don't yet have flying cars, I am amazed with the size and speed of our computer chips, our ability to work on the scale of a nanometer, the advances in the 3D printing of human organs, and our understanding of the human gene. Moreover, I am continually impressed with the number of people around the globe who now have access to the wealth of information on the internet via mobile devices. These advances are incredible, but we are still early in a digital revolution that will truly change the world for the better. Internal auditors have the opportunity to lead our organizations into the extraordinary unknown that tomorrow will bring. It's time to get future-ready.<br></p>Charlie Wright1

  • AuditBoard-November-2021-Premium-1
  • OnRisk-2022-November-2021-Premium-2
  • 2021-All-Star-Conference-November-2021-Premium-3