In High Demand High Demand<p>​</p><p>Internal auditors who possess specialist skills, accredited professional qualifications, and leadership and business acumen are in great demand — so much so that employers are willing to pay substantially more to attract and retain them. According to research by recruitment specialist Robert Half, internal audit salaries in the United States generally are set to increase by up to 4.2 percent in the year ahead, depending on the size of the organization they work for and their level of experience, among other factors.</p><p>This is welcome news given that the 2017 Internal Audit Compensation Study, produced by the Internal Audit Foundation, found that the number of auditors who did not receive a raise in basic salary increased last year, marking an end to a seven-year downward trend. The report found that some 15 percent of respondents did not receive a base salary increase last year — the highest proportion since 2011–2012. </p><p>However, internal auditors with specialized skills and in-demand certifications saw higher than average compensation packages — a trend that Robert Half says is likely to continue, at least in the near term. Two specific areas of expertise — information technology (IT) auditing and environmental, health and safety (EHS) auditing — were in very high demand by U.S. employers in 2016. IT auditors saw a median salary more than US$14,000 higher than generalist auditors, while those auditors who specialize in EHS received salaries worth US$17,561 more.</p><p>IT auditor salaries are being driven higher because demand for such expertise is outstripping supply. In fact, such a talent shortage is prompting audit leaders to implement initiatives such as rotational audit assignments as a way of growing IT audit skills in-house, according to internal audit consultancy Protiviti's latest Internal Auditing Around the World publication.</p><p>As for EHS skills, The IIA's 2017 North American Pulse of Internal Audit survey finds that EHS is a topic appearing on more than one-third (35 percent) of board and audit committee agendas, yet less than one-quarter (23 percent) of internal audit functions feel informed about such risks to the business. Once again, the increase in salary is due to the demand for skills outstripping supply. </p><p>In fact, it's a favorable jobs' market for those internal auditors with multiple specialist skills. The Compensation Study says that practitioners who possess experience and expertise in more than one field or specialization can generally negotiate higher compensation. For instance, the study found that U.S. auditors with four areas of expertise commanded an average median salary approximately US$45,000 higher than generalist auditors with just one area of expertise.</p><p>The Compensation Study also reports that employers are willing to offer higher salaries to internal auditors with in-demand credentials. The<em> </em>study found that the average median salary in 2016 for U.S. internal auditors with one or more formal qualifications was US$34,009 higher than the figure for internal auditors without any certification. Practitioners with credentials in particularly high demand, such as the Certified Internal Auditor (CIA) and the Certification in Risk Management Assurance (CRMA) designations, garnered even higher rates of pay in 2016, the Foundation reports.</p><p>But mixed with this positive news for the profession, the report also contained some negative findings. For example, internal audit leaders are neglecting to think about "soft skills" such as leadership, business communication, and relationship-building when recruiting candidates. Such skills are not just "nice to haves" — they are increasingly important and expected by management. </p><p>Furthermore, the Compensation Study says that employers are limiting their search for internal auditors to those with an accounting degree, rather than looking for potential candidates who might have other skills and experience that the organization could benefit from. For example, technology skills are often underrepresented in internal audit job descriptions, yet experience in areas ranging from big data to cybersecurity is desperately needed. Many employers also value knowledge of EHS risks and their potential impact to the business, yet often neglect to call this out in job specifications too.</p><p>The Compensation Study suggests that failing to include such details can result in an employer hiring candidates who meet outdated or incomplete requirements, and who cannot meet the skill needs and demands of the business in the future. This is especially worrying given that boards want internal audit to act more as a strategic partner and to demonstrate greater business acumen. For example, 64 percent of internal audit stakeholders interviewed for the 2015 Common Body of Knowledge​​Stakeholder survey, conducted by The IIA's Internal Audit Foundation and Protiviti, said that internal audit should have a more active role in assisting management and the board to assess and evaluate the organization's strategic risks.</p><p>According to the Compensation Study, internal audit leaders should take steps to help "brand" their departments as a place where talented internal auditors want to work. This would need to accommodate working practices that employees — particularly millennial workers — now come to expect more and more, such as remote work arrangements, flexible work schedules, the ability to maintain a satisfying level of work-life balance, and the opportunity to learn about other areas of the business. </p><p>Visit <a href="">The IIA's website</a> to learn more about the 2017 Internal Audit Compensation Study.</p><p><br></p>Neil Hodge1
Core Principles and the QAIP Principles and the QAIP<p>​When the International Professional Practices Framework (IPPF) was updated in 2015 to include the Core Principles for the Professional Practice of Internal Auditing, it provided a significant opportunity to integrate and align these Principles into an internal audit activity's quality assurance and improvement program (QAIP). The challenge is how to do it in a practical and meaningful way that provides incremental value to the internal audit activity and its stakeholders. This is especially relevant in today's dynamic business environment, because demonstrating the effectiveness of Core Principles as a component of the QAIP supports the credibility and value of internal audit and promotes its role within the organization's governance structure.</p><p>The best way to integrate Core Principles into the internal audit activity's understanding of quality is to develop a concept and approach that is easy to understand, is adaptable to an individual organization, and provides insight into how effectively the Core Principles are being achieved. It also is important to understand how achieving Core Principles could be an integral component of the QAIP and an extension of the assessment process. Even though QAIP external assessments do not require auditors to evaluate conformance with the Core Principles, they are a mandatory element of the IPPF. As such, chief audit executives (CAEs) should have a perspective as to whether they are being achieved and a way to communicate that perspective to key stakeholders in a way that is easy to understand and can be monitored, measured, and reported over time. </p><h2>Why Integrate the Core Principles?</h2><p>Standard 1300: Quality Assurance and Improvement Program is designed to promote and support quality and continuous improvement in an internal audit activity. Internal and external assessment components provide a framework to ensure quality is embedded into internal audit processes and infrastructure. Communication of results to senior management and the board supports their fiduciary oversight of the internal audit activity. Achieving these Core Principles is a professional requirement. Embedding them into the QAIP is an effective way to ensure the internal audit activity is aligned with these mandatory IPPF elements or ensure that governance and oversight activities related to internal audit are consistent with successful practices and professional requirements.</p><h2>How to Integrate the Principles </h2><p>Quality standards require an evaluation of conformance with the Code of Ethics and the <em>International Standards for the Professional Practice of Internal Auditing</em>. It is assumed that if an internal audit activity is in general conformance with the Code of Ethics and the Standards, then it is achieving the Core Principles. As a result, even though Core Principles are mandatory, there is no mechanism defined to provide a CAE with a view toward whether the Core Principles are being achieved. <br>In fact, there are other characteristics that demonstrate whether an internal audit activity is achieving the Core Principles beyond conformance with other mandatory elements of the IPPF. The most appropriate mechanism to integrate Core Principles into the QAIP is to use a maturity framework to describe levels of maturity related to each principle. This can provide insight into achieving Core Principles efficiently using a combination of quantitative and qualitative characteristics to define maturity. </p><p>The QAIP provides quantitative characteristics to the maturity framework through its internal and external assessment requirements. Other qualitative characteristics that help describe placement on the maturity spectrum supplement the QAIP quantitative view. There are five steps that provide a roadmap for implementing a Core Principles Effectiveness Framework into a QAIP.  </p><p><strong>1. Establish a Maturity Framework</strong></p><p>The Core Principles Effectiveness Framework (see "Core Principles Effectiveness Model" below) describes the infrastructure, process, and quality associated with differing levels of achieving effectiveness for the Core Principles. Progression along the maturity spectrum is a function of demonstrating characteristics associated with each level. Movement to a higher level of maturity assumes characteristics of all previous levels of maturity continue to be demonstrated. Placement on the maturity spectrum is a matter of professional judgment considering the "best fit" based on defined characteristics. </p><p><img src="/2017/PublishingImages/Woller-Core-Principles-Effectiveness-Model.jpg" alt="" style="margin:5px;width:600px;height:271px;" /><br></p><p>Effectiveness progresses from:<br></p><ol><li><em>An ineffective level</em> – Infrastructure and processes supporting the internal audit activity are not well defined or operating effectively and there are many areas of partial or nonconformance with associated standards.  </li><li><em>A partially effective level</em> – Infrastructure and processes supporting the internal audit activity are defined and operating effectively but there are areas of partial conformance within associated standards. </li><li><em>An effective level</em> – Infrastructure and processes supporting the internal audit activity are mature and there is general conformance with all associated standards.</li><li><em>A sustainable level</em> – Quality programs are focused on continuous improvement and general conformance with associated standards is demonstrated for at least two consecutive external assessments.  </li><li><em>World class</em> – There is a drive and passion for continuous improvement using benchmark data and peer input, with external quality assessment taking place more frequently than once every five years with a focus on generating ideas for improvement.  </li></ol><p>Most organizations strive to be at an effective to sustainable level, as there are incremental costs associated with operating at a world-class level.  </p><p><strong>2. Map Core Principles With the Standards and Code of Ethics</strong></p><p>Linking the Core Principles to associated professional guidance is the next critical step in the process. Without clear linkage, results of the QAIP, including internal and external assessment, cannot provide data for placement on the maturity spectrum. While linkage is subject to professional judgment, there are clear associations between the Core Principles and the Principles and Rules of Conduct in the Code of Ethics and the <em>Standards</em>. An example of linkage related to the Core Principle "demonstrates integrity" is shown in "Core Principles Mapping" below). This same linkage exercise needs to be conducted for all other Core Principles.</p><p><img src="/2017/PublishingImages/Woller-Core-Principles-Mapping.jpg" alt="" style="margin:5px;width:475px;height:428px;" /><br></p><p><strong>3. Define Characteristics of Maturity</strong></p><p>Placement of a Core Principle onto the maturity spectrum requires that characteristics specific to that level of maturity be defined. There are three aspects to characteristics that should be defined for each level. <em>Standards</em> and QAIP characteristics define maturity in terms of level of conformance with the <em>Standards</em> and the extent to which conformance is validated through internal periodic assessment or external assessment elements of the QAIP. Infrastructure and process characteristics define maturity in terms of level of formality and sophistication within the internal audit activity. These characteristics also attempt to describe behaviors within the internal audit activity that support differing levels of maturity. The third category comprises those characteristics specific to a Core Principle and might include examples of infrastructure, process, conformance, or successful practices that are unique to that Core Principle. Characteristics build upon those described for the previous level of maturity and should provide a clear view and differentiation between the levels. When viewed in combination, these definitions provide a useful tool to facilitate the placement of a specific Core Principle onto the maturity spectrum. As with any maturity framework, placement on the spectrum is a "best fit" based on the judgment of the professional performing the assessment. "Demonstrates Integrity Characteristics," below, establishes the characteristics for the Core Principle, "demonstrates integrity." The <em>Standards</em>, QAIP, infrastructure, and process characteristics are the same for all Core Principles.  </p><p><strong>4. Perform Internal and External Assessment Consistent With Requirements of a QAIP</strong></p><p>Evaluating the effectiveness of the Core Principles can only be accomplished when the results of the QAIP support placement of effectiveness within the maturity spectrum. A well-designed QAIP that includes internal and external assessment components and communication of those results provides the perfect platform for evaluation, placement, and communication of effectiveness. Ongoing monitoring of internal audit activity performance supports quality on an audit-by-audit basis. This is often supported by the definition, tracking, and reporting of key performance indicators (KPIs). The best way to monitor effectiveness is to identify Core Principles effectiveness as a KPI and report statuses related to maturity annually to senior management and the board. This further supports the board's fiduciary oversight responsibility of internal audit by providing insight into current and changing maturity levels for the Core Principles. Periodic internal assessment provides the opportunity to assess conformance with the Code of Ethics and the <em>Standards</em> to provide data associated with the defined characteristics, and is essential to provide insight into conformance in the periods between external assessments. An external assessment provides the perspective of an independent assessor or assessment team qualified in the practice of internal audit and external assessment related to levels of conformance. Frequency of external assessment is a factor in determining level of maturity.</p><p><strong>5. Evaluate and Report Maturity Levels for Core Principles</strong></p><p>Placement of maturity in the Core Principles Effectiveness Framework is a matter of professional judgment. Using a systematic and defined framework increases the likelihood that placement is appropriate and consistent with defined characteristics. A maturity framework provides the foundation and perspective to make reasoned and professional judgments regarding the levels of maturity for each Core Principle. From an organizational perspective, some principles might be more relevant than others in achieving objectives. Increasing the level of maturity and the resulting investment might be appropriate.  </p><h2>Aligning Internal Audit</h2><p>The Core Principles established in the IPPF describe the essence of an internal audit activity. Incorporating an evaluation of Core Principles into the QAIP provides the perfect mechanism to demonstrate to stakeholders that this mandatory element of the IPPF is relevant to the practice of internal auditing in the organization and that the internal audit activity is aligned to their requirements. Using a maturity framework provides a context for this communication that is measureable and easy to understand. It also provides better insight into the activities that support the profession and can promote a deeper understanding of internal audit's role in the governance mechanism of organizations. As the <em>Standards</em> change, the Core Principle Effectiveness Framework is scalable and adaptable. Each Core Principle's defined characteristics can be adapted to organizations and modified over time as circumstances warrant.  </p><p><img src="/2017/PublishingImages/Woller-Demonstrates-Integrity-Characteristics.jpg" alt="" style="margin:5px;" /><br></p><p><br></p>Basil Woller1
Breaking Down The Standards Down The Standards<p>​To some, the idea of tackling conformance with the <em>International Standards for the Professional Practice of Internal Auditing</em> may seem like a steep, uphill climb. The phrase “conformance with the <em>Standards</em>” can sound authoritative and overwhelming, suggesting a complex, resource-intensive effort. But conformance is actually much easier to achieve than many chief audit executives (CAEs) may think. In fact, numerous activities performed by practitioners likely conform with the <em>Standards</em> already.<br></p><p>Composed of principles-based, core requirements, the <em>Standards</em> provide a framework for performing and promoting internal audit services and are essential in meeting the responsibilities of internal auditors and the internal audit activity. Conformance with The IIA’s cornerstone of Mandatory Guidance begins with an awareness of the <em>Standards</em> and of how they provide a blueprint for the internal audit activity to evaluate and contribute to the improvement of organizational governance, risk management, and control processes. The <em>Standards</em> consist of two main categories: <br></p><ul><li>Attribute Standards (series 1000–1322) address the attributes of organizations and individuals performing internal auditing.</li><li>Performance Standards (series 2000–2600) describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. </li></ul><p><br></p><p>A close examination of these areas reveals a relatively simple path to conformance, and one that many practitioners may already have begun to take. While not intended to provide confirmation of conformance, thinking about the Standards as advised can help internal auditors better navigate the requirements and streamline their approach.<br></p><h2>Attribute Standards</h2><p>Attribute Standards help establish the internal audit activity’s position within the organization. Performance Standards, by contrast, involve the performance of internal audit responsibilities such as planning engagements, performing engagements, and communicating results. The majority of internal audit activities likely expend most of their effort focusing on Performance Standards, which may explain why some of the most common areas of nonconformance have fallen within the Attribute Standards (see “Top Areas of Nonconformance” at right). </p><p><img src="/2017/PublishingImages/Hovious-Top-Areas-of-Nonconformance.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:600px;height:333px;" />Conformance with the Attribute Standards can be assessed by breaking them down into simple concepts: 1) reviewing the internal audit charter; 2) determining the independence of the internal audit activity and objectivity of the internal auditors; 3) evaluating the proficiency and due professional care with which engagements are performed; and 4) confirming the completion, maintenance, and communication of the quality assurance and improvement program (QAIP). “Attributes Standards Overview,” at the bottom of this page, provides a detailed breakdown along each of these areas.<br></p><p>For existing internal audit activities, these concepts should already be established. Evidence of conformance can be demonstrated by ensuring that all elements of the Attribute Standards are formally documented — or by reviewing existing documentation and updating it as necessary. Newly formed (or forming) internal audit activities should determine how they are going to apply the Attribute Standards, and then implement and document them, as they help set the stage for why the internal audit activity exists and how it will function. <br></p><p>The easiest way to determine the level at which an internal audit activity conforms with the <em>Standards</em> is through an internal assessment. QAIPs require an internal assessment, which, per Standard 1311: Internal Assessments, includes:<br></p><ul><li>Ongoing performance monitoring, using processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the <em>Standards</em>. </li><li>Periodic assessments to evaluate conformance with the Code of Ethics and the <em>Standards</em> performed by someone in internal audit or within the organization with sufficient knowledge of internal audit practices. The individual must possess at least an understanding of all elements of the International Professional Practices Framework (IPPF).</li></ul><p></p><p>Such steps may already be incorporated into the routine policies and practices currently used to manage the internal audit activity. If the activity is already performing ongoing monitoring and periodic assessments as described, then it may be in conformance with Standard 1311.<br></p><p>The internal audit activity must also conduct an external assessment every five years, at minimum, to conform with the 1300 series. Ensuring this assessment is completed may demonstrate conformance with Standard 1312: External Assessments.<br></p><h2>Performance Standards</h2><p><img src="/2017/PublishingImages/Hovious-Work-Program.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:550px;height:457px;" />Performance Standards consist of steps internal auditors perform on a regular basis. Four of the top 10 standards least conformed with, according to IIA Quality Assurance data, consisted of Performance Standards. As with the Attribute Standards, conformance with Performance Standards can also be broken down into simple concepts.<br></p><p><em>Standards</em> series 2000 requires all internal audit activities to be managed effectively with policies and procedures to ensure value is added to the organization. The process includes establishing, communicating, and obtaining approval on a risk-based plan that can be deployed by appropriate and sufficient resources. Most internal audit activities likely follow these principles and therefore may conform to this series. <br></p><p>The 2100 series pertains to the nature of audit work and requires internal audit activities to evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes by using a systematic, disciplined, and risk-based approach. Conformance with this series of standards requires the internal audit activity to devise an appropriate strategy to evaluate the organization, which involves:<br></p><ol><li>Obtaining an understanding of how the organization makes decisions, manages and communicates risk, promotes ethics and values, and ensures effective performance and accountability (Standard 2100: Governance).</li><li>Evaluating risk exposures and assessing the adequacy and effectiveness of controls in responding to risks relating to governance, operations, and information systems regarding the achievement of strategic objectives, reliability and integrity of financial and operational information, effectiveness and efficiency of programs and operations, safeguarding of assets, and compliance with internal and external requirements. The evaluation should also include examining the potential for the occurrence of fraud and how fraud risk is managed (Standard 2120: Risk Management and Standard 2130: Control).</li></ol><p></p><p>Performance Standards series 2200 through 2400 describe the audit engagement process. All internal audit activities should follow the basic engagement process, which consists of three parts:<br></p><ul><li>2200 Series: Engagement Planning — determining objectives and scope, assessing timing considerations, and allocating resources to create and document a work program that considers the relevant strategies, objectives, and risks of the organization. </li><li>2300 Series: Performing the Engagement — conducting fieldwork, which includes identifying, analyzing, evaluating, and documenting appropriate information to support the engagement results, as well as supervising the engagement effectively. </li><li>2400 Series: Communicating Results — providing timely, quality results to the appropriate recipients that include the engagement’s objectives, scope, results (applicable conclusions, recommendations, and/or action plans), and applicable disclosures.</li></ul><p><br></p><p>Most internal audit activities likely conform to these standards in principle — in other words, they conform with the essence of the requirement.<br></p><p>Internal audit activities that maintain a monitoring process to follow up on the disposition of outstanding audit engagement results most likely also conform to Standard 2500: Monitoring Progress. Conformance can be evidenced by a routinely updated exception tracking system, which may be a spreadsheet, database, or other tool.<br>Lastly, Standard 2600: Communicating the Acceptance of Risks, requires the CAE to use judgment to determine whether management has accepted a level of risk that may be unacceptable to the organization. This standard obligates the CAE to attain an understanding of the organization’s risk tolerance and risk acceptance process (if one exists). If the CAE concludes that an unacceptable level of risk has been accepted, the matter must be discussed with the organization’s senior management; and if it is not resolved, the matter must be brought to the board’s attention. <br></p><h2>Easier Than It Seems</h2><p>Internal auditors need to remember that conformance does not hinge on following a set of prescribed rules. Instead, conformance is about understanding and achieving the principles behind the <em>Standards</em>. Demonstrating conformance is as simple as identifying current processes in place related to each standard and then documenting sufficient evidence (see “Work Program,” above, for an example of a straightforward assessment). <br></p><p>The effort does not have to be daunting or consume an inordinate amount of resources. By reading and understanding the IPPF, including the new Implementation Guides and related Supplemental Guidance, and documenting their work, practitioners can easily align themselves with professional standards and enhance their value to the organization. </p><p><img src="/2017/PublishingImages/Hovious-Attribute-Standards-Overview.jpg" alt="" style="margin:5px;" /><br></p>Christine Hovious1
From Output to Outcomes Output to Outcomes<p>​<span style="text-align:justify;">I</span><span style="text-align:justify;">n today's world, there is growing demand on internal auditors to visibly demonstrate their contributions toward achieving organizational objectives. Auditors need to serve as key partners to the board and management in identifying challenges that may hamper achievement of those objectives, as well as helping uncover constraints to seize emerging opportunities. Such efforts are achieved by performing focused, independent, objective assurance and consulting activities that align with the organization's strategy and priorities.</span></p><p style="text-align:justify;">One key performance indicator (KPI) for internal auditing's success in these areas is the number of audits completed or audit issues raised. However, it is less common to see the number of corrective actions taken by the organization used as a KPI, possibly because internal auditors lack control over implementing these actions. The audit report, then, typically constitutes the last point of influence over an area under review.</p><p style="text-align:justify;">And while audit reports tend to comprise the main outputs for internal audit work, it is difficult to gauge their impact until corrective actions are implemented satisfactorily and any risks identified are mitigated. In effect, unless internal audit results are converted into action, it is challenging to clearly demonstrate internal audit's contributions toward achieving organizational objectives. Accordingly, internal auditors should be more involved in helping organizations implement proposed corrective actions originating from their work. Five steps can help practitioners play a more proactive role in facilitating effective implementation, while still maintaining their independence.<span style="text-decoration:underline;"> </span></p><p style="text-align:justify;">1.     <strong>Categorize audit issues to make them suitable for action</strong>. If audit issues are grouped in a systematic manner, management can more easily perform holistic analysis and take corrective actions. For instance, audit observations can be categorized into strategic, policy, compliance, process, IT, human resource, and financial issues. Each category has a different audience requiring different responses and attention. Normally, strategic and policy issues are best addressed by the board and top management, whereas the responsibility for compliance and process issues leans toward mid-level operational management. </p><p style="text-align:justify;">2.     <strong>Rate audit issues based on operational impact.</strong> Audit issues can be rated as high, medium, or low depending on risks associated with business objectives. Audit issues rated as high risk could be significant, drawing the attention of top management, compared to medium or low risks. High ratings could also help attract a sense of urgency in view of organizational impact. <br></p><p style="text-align:justify;">3.     <strong>Develop a robust audit issue tracking system</strong>.  IIA Standard 2500: Monitoring Progress states that "the chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management." Collective involvement of both internal auditors and management in designing and implementing such a system would enhance system effectiveness and ownership. The system could maintain features such as the ability to integrate with the audit system in use and access each proposed corrective action; accessibility to audit clients with a view to regularly update actions taken; and the capacity to analyze progress by status of actions (implemented, in-progress, not implemented), risk category (strategic, policy, compliance, processes), risk rate (high, medium, low), and business unit. Moreover, the system needs to be designed to allow aging analyses of pending corrective actions (e.g., those within the due date, or overdue by 3 months, 6 months, and 12 months or more). <br></p><p style="text-align:justify;"><strong>4.</strong>     <strong>Allocate sufficient resources for continuous support and counseling.</strong><strong>  </strong>Internal auditors, working with the business, are optimally positioned to assess the organizational impact of audit issues and identify any systemic challenges affecting implementation. Thus, they can provide advice on how pending corrective actions would best be addressed. Also, auditors may regularly reevaluate the relevance of the corrective action, periodically validate the adequacy of the actions taken, and provide feedback as needed.  <br></p><p style="text-align:justify;"><strong>5.</strong>     <strong>Provide reports to the board and management periodically. </strong>Internal auditors need to report periodically on the status of corrective actions taken. The report may include status of implementation and outstanding actions by due date, risk category, risk rate, and business unit. </p><p style="text-align:justify;">Following these steps can help develop a partnership between management and internal auditors. Perhaps more importantly, though, the process vividly demonstrates how internal auditors can help the organization accomplish its objectives. Internal auditors are encouraged to play a more proactive role toward implementing corrective actions and to help convert their audit output to concrete results.  </p><p style="text-align:justify;">​<br></p><p style="text-align:justify;"><em>The views and opinions expressed in this article are those of the author and do not necessarily reflect the official position of the author's employer.</em><br></p>Geremew Tadele1
Auditing What Matters What Matters<p>​Organizations exist to provide value for their stakeholders, and increasing that value requires businesses to accept appropriate risks. But which risks? And how much uncertainty is too much? To make those decisions, management must evaluate and balance growth opportunities, goals, related risks, and effective deployment of resources, while never taking their eyes off the strategy and enterprise objectives.<br></p><p>Clearly, internal audit has an important role to play in this process. Yet some internal auditors are torn between performing traditional internal audit activities — the time-honored “tick and tie” procedures — and activities that contribute more directly to value creation. “Both those activities are important,” says Larry Baker, a senior leader in internal audit, enterprise risk management, and strategic planning in Oklahoma City. “Even when management is convinced the organization is doing everything possible to ensure that a process is working effectively, internal audit still needs to do an independent audit of the controls that make management feel so comfortable.”<br></p><p>However, in any business, time and resources are limited, and internal auditors who wish to serve as trusted advisors to the organization must ensure their efforts provide maximum return on investment. Priorities must be set. For some internal auditors, the act of prioritization may necessitate a fresh look at what matters most to the business. <br></p><h2>Identifying the “Right” Risks</h2><p>Bill Watts, partner at Crowe Horwath in Columbus, Ohio, recalls a time more than a decade ago when the approach to determining what to audit was not as thoughtful as it is today. Audits tended to be very structured and repeatable. Then came the U.S. Sarbanes-Oxley Act of 2002, which indirectly caused companies to re-examine their control structures and how to improve controls, leading to evolution in other areas. “Internal auditors today must think more broadly, across the enterprise,” he notes. “Where is the company strategy focused, what are the major initiatives, and where is the money being spent? Those answers tell you what’s important to the entity, and that’s where internal audit should focus.” <br></p><p>There is yet another question that can help internal audit identify the “right” risks to address, says Brad Ames, internal audit director for Hewlett Packard Enterprise in Palo Alto, Calif.: Who is accountable for a specific strategy? “Once you know that, you can build an authentic relationship with them and make them your stakeholders,” he explains. “Ask them what they see that would inhibit them from accomplishing their strategic objectives. Begin the risk discussion, always establishing visibility into risk so they don’t overvalue or fear it. Determine in advance how the partnership will accelerate business strategy. This context will help them feel more confident about the risk, making them less likely to allow it to cause them to undercommit to the strategy.”<br></p><p>In most organizations, one of the areas of focus will involve technology. All businesses must learn how to optimize the use of technology — not only in any technology-enabled products and services they offer to customers, but also in their own internal business processes for greater efficiencies and effectiveness. Many organizations’ strategies include specific objectives related to technology, a clear signal that internal audit must focus on it as well — in Ames’ words, “presenting itself as relevant to strategy.”<br></p><p>It is also important for internal auditors to recognize that, even as they raise their focus on strategic initiatives, they must maintain many customary audit activities, such as looking at segregation of duties, fraud potential, regulatory compliance, and transactions. However, Ames points out, even the traditional audit activities can and should “move toward strategy.” <br></p><h2>The Risk Connection</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Making a Case for a More Strategic Approach</strong><br><br>Internal auditors can make inroads into altering their organization’s culture to accept a more strategic approach to internal auditing. Here are techniques the audit leaders interviewed for this article recommend to lay the groundwork and prove the department’s readiness:<br><br><ul><li><strong>Even while performing traditional internal audit activities, have the courage to step outside the norm occasionally.</strong> Be sure to communicate the positive results of the “experimentation” and the ways it benefited the organization. Use that win to build the next one.</li><li><strong>Take the “journey begins with a single step” approach and start by making one small adjustment.</strong> Then, when the time is right, make another. The key is to take each step with the firm intent of going on the whole journey.</li><li><strong>Spend more time talking to customers and listen carefully to their responses.</strong> If you are doing a traditional activity such as matching invoices, spend an hour talking to the people who process the invoices. It’s often possible to learn more from hearing than seeing, and that knowledge, which may uncover previously unknown issues or opportunities, can help you build a case for expanding internal audit’s role. </li><li><strong>Polish your soft skills.</strong> Those who can ask good questions, establish relationships (within the bounds of independence and objectivity), listen carefully, and summarize succinctly are generally more effective in uncovering truths — and in building compelling business cases for desired outcomes based on those truths.</li><li><strong>Arm yourself with expertise before acting.</strong> In today’s environment, there is a lot of pressure to do more with less, add value, and show productivity. This may cause internal auditors to jump into activities they don’t fully understand. Don’t make that mistake. Be prepared. Perform research, get training, and ask experts to help you where needed. If you are given a chance to try something new, the odds of getting a second chance will depend on doing the first one well.</li><li><strong>Don’t fear failure.</strong> Not every effort will be a success, but that can’t be a reason to give up. Develop your resilience by learning from failure and moving on. </li></ul></td></tr></tbody></table><p>The upcoming revision of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) <em>Enterprise Risk Manageme​nt–Integrated Framework</em>, scheduled for release in early 2017, describes an enterprise risk management (ERM) program that is highly interrelated with controls. Whether internal auditors use COSO ERM to guide their risk-driven strategic activities, or build their own frameworks based on its precepts and shaped by experience and common sense, Watts warns against “cherry-picking activities” from the framework. Focusing only on certain parts of a framework while ignoring others is likely to hinder generating full benefit from the process, perhaps even missing opportunities. Taking a broader, holistic view that aligns the organization’s ERM program with strategy facilitates internal audit’s understanding of the strategy itself and its role in the major initiatives the business deems critical to accomplish the strategy.<br></p><p>This is not to say that an internal audit focus on organizational objectives, as outlined in the strategy, automatically improves ERM within the organization. “Hopefully it does, but it’s far from given,” says Charlotta Löfstrand Hjelm, chief internal auditor at Lansforsakringar AB in Stockholm. “If there is no objective, there is no risk. The important thing is to show where value is created and how it can be affected by certain unwanted events — or enhanced, if we can articulate how to capture this.” Showing how goals affect value and risk in other areas can be helpful, as can positioning objectives as the link between the audit plan — including consulting and advisory activities, not only assurance audits — and the different plans from the organization, such as strategic plans, business plans, and risk reports. <br></p><p>Auditors tend to be good at using a risk-focused approach. In fact, Ames speculates that management tends to perceive internal audit as being all about compliance or risk. In his view, a risk-based approach is “our foundation,” but internal auditors should be more focused on increasing value to the business, positioning internal audit as partners in strategy.<br></p><h2>The Need for Speed</h2><p>A phrase often used to characterize one aspect of the relationship between internal audit and risk management is that internal auditors must “audit at the speed of risk.” In today’s business environment, types of risk, likelihood of occurrence, and degrees of impact change almost daily. If internal audit is focused on supporting strategic objectives, and if a key factor in accomplishing those objectives is understanding the risk surrounding them, then the speed at which internal audit can identify and act on risk is important. Internal auditors must find ways to remain informed and take proactive measures. <br></p><p>Lisa Lee, vice president, Audit at Google Inc. in Mountain View, Calif., says in a fast-paced environment, the key for internal auditors to add value is to communicate concerns quickly. “Where it makes sense, engaging early with process owners to conduct risk assessments and assess control design effectiveness will help provide clarity on the highest risks that need to be managed,” she explains. Moreover, she says, “Assessing the maturity of controls can help provide meaningful information, as manual or detective type controls may be appropriate when a process or product is first launched, but as the process or product matures and scales, so should controls.” Using a maturity model, such as a scale from 0 (indicating a nonexistent control) to 5 (indicating an optimized control), can be helpful in instances where there may be a need for more robust controls. <br></p><p>The traditional approach of having an annual audit plan may not mesh well with the speed of today’s business. Internal auditors may struggle to adhere to the plan while also trying to accommodate constant change and ensure focus remains on the most critical risks. Lee notes that at Google, internal audit maintains a running list of initiatives and commits to a quarterly audit plan based on addressing the current high risks.<br></p><h2>Getting Buy-in</h2><p>Making changes to the way internal audit operates may not always be welcomed with open arms. In some organizations or industries, long-established cultures and beliefs may not lend themselves to change — at least, not easily or quickly. If traditional internal auditing is the organization’s expectation, the audit department must continue to perform it as effectively as possible, making sure to contribute value and communicate that value regularly (see “Making a Case for a More Strategic Approach,” above). <br></p><p>Lee says she believes in letting the work speak for itself. “Management appreciates receiving relevant and timely information,” she explains. “If internal audit can provide information that will help executives do their job better or help them achieve their goals, then buy-in isn’t a problem because they see value in internal audit’s work.”<br></p><p>But what if it is internal audit’s own leadership that needs to be convinced of the value of a more strategic approach to internal auditing? According to Ames, “It’s difficult for audit departments to break through from a routine, traditional approach to a more optimized, innovative view without support from the leadership in the audit department, itself. You might have a few who reach those levels, but never the whole department. And internal audit won’t become a partner in the strategy.” <br>The CAE is the linchpin. When risk is discussed in the organization, the CAE must step up to highlight the need for a strategic approach and explain the audit committee’s mission. If the mission described in that explanation is focused only on protecting, the opportunities for enhancement may be limited. The opportunities are even more limited if the CAE chooses not to listen to his or her internal auditors’ suggestions for how they can contribute more value to the organization. “Then perhaps it is time for the CAE to move on to another position,” Hjelm suggests, while also admitting, “This is, of course, easy to say, but hard to do.” <br></p><h2>A Value-producing Proposition</h2><p>Regardless of where in the organizational chart minds need to be changed, those internal auditors who understand that expanding their efforts across the organization’s value chain can help the department deliver increased risk coverage, cost savings, and measurable value to the business must carry the flag. And, in fact, that advocacy can play a key role in reaching the career goal many internal auditors set for themselves: becoming a trusted advisor. Hjelm explains that when risk turns to value, assurance also transforms to insight — a transformation expected of a trusted advisor. She counsels, “The audit report is not the main result of our work. The main result becomes our identification and description of what consequence a risk or a combination of risks has. Internal auditors’ understanding, knowledge, and ability to communicate in business language can help the board and C-suite focus on ‘hot’ areas.”<br></p><p>Focusing internal audit’s activity on the strategic objectives that matter most to the organization is a value-producing proposition. And, in fact, while it is a topic of attention now, it may not be an entirely new concept. Perhaps it is, instead, a matter of recommitting to basic, long-held beliefs that may have slipped out of view for a time, in the rush of checking items off the daily to-do list. Baker notes, “We sometimes forget that our whole life in internal audit has involved objectives, risk, and controls. Sometimes we focus more on controls, other times we zero in on risk. But objectives have always been there. And if we don’t assess risk and controls with objectives in mind, why do it?” </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>From Critical Objectives to Critical Risks</strong><br><br>Critical objectives often have critical risks. Knowing how to identify those risks, prioritize them, and develop mitigation plans can help internal audit focus its efforts on value-producing activities for the organization. The following process, described by Larry Baker, has been in use at his previous employer, Devon Energy Corp., for many years. Each step is facilitated by internal audit.<br><br><strong>Step 1 Identify and Define the Risks</strong><br><ul><li>Based on their understanding of the organization’s strategic objectives, opportunities, and related risks, senior executives and other management identify major risk areas most important to the company. At Devon, this tends to be approximately 20 risk areas.</li><li>Each risk area’s leader defines the risk, details the scope, and identifies two to four inherent risks in that area. The </li><li>resulting list encompasses between 50 and 60 inherent risks.</li><li>Employees who are knowledgeable about those inherent risks identify factors that drive each inherent risk (control weaknesses), the ERM activities in place to manage the risk (controls), and gaps or opportunities for improvement. They then develop recommendations for how to better manage the risk as needed. </li></ul><br><strong>Step 2 Rate the Risks</strong><br><ul><li>Each year, the board, executives, and other management complete a survey on the 20 risk areas. They rate each in four categories: probability, velocity, readiness, and financial impact. Devon’s survey is fundamentally the same each year, which enables the company to compare results and trends. </li></ul><br><strong>Step 3 Address Risk in Detail</strong><br><ul><li>Every quarter, a cross-functional group of vice presidents for three of the 20 risk areas is brought together for a two-hour workshop to focus on the inherent risks for those three areas. The group votes on how effectively the risk is being managed and how effectively it should be managed, then examines the gap between the two results. The gaps are discussed in order of size, largest gaps first. </li><li>The focus is on determining whether there is anything the company should be doing that it isn’t doing, or if any new risks are emerging. </li></ul><br>It takes approximately 18 months to cover all 20 areas. Internal audit uses these results to identify any new information or changes that need further examination. Significant changes often relate to areas most critical to the organization and, therefore, guide internal audit’s effort in valuable, strategic, and risk-driven directions.</td></tr></tbody></table><p></p>Jane Seago1
Tools of the Trade of the Trade<p>A​lthough the practice of internal auditing is more complex and the expectations of auditors greater than eve​r, the foundation of the profession — The International Professional Practices Framework (IPPF) — remains strong and continues to provide the foothold internal auditors need to be successful. <em>Internal Auditor</em>’s first issue of 2017 begins by considering what matters most to today’s organizations and then reminds internal auditors of the tools they should be using, like the IPPF, to ensure a consistent and professional approach to addressing those issues.<br></p><p>As author Jane Seago says in our cover story, <a href="/2017/Pages/Auditing-What-Matters.aspx">“Auditing What Matters,”</a> “in any business, time and resources are limited, and internal auditors who want to serve as trusted advisors to the organization must ensure their efforts provide maximum return on investment.” In other words, internal auditors need to make sure they are auditing the right things. “An initial key step in elevating to be a strategic partner is understanding the organization’s strategic mission, the objectives designed to accomplish that mission, and the metrics by which success will be measured,” says Luz Dary Bedoya Bedoya of Audilimited, Organización Corona in the latest IIA Global Perspectives and Insights report, Elevating Internal Audit’s Strategic Impact. <br></p><p>Basing their work on the <em>International Standards for the Professional Practice of Internal Auditing</em> is a must. However, in the 2015 Common Body of Knowledge report, Looking to the Future for Internal Audit Standards, only 54 percent of CAEs surveyed used all of the <em>Standards</em>, with 11 percent reporting they did not use any of the <em>Standards</em>. Although an improvement on the numbers reported in 2010 — 46 percent and 14 percent, respectively — the findings indicate internal audit has a ways to go. <br></p><p>I wonder, however, whether those who say they don’t use the Standards are actually following the guidance, but are unaware they are doing so. In <a href="/2017/Pages/Breaking-Down-The-Standards.aspx">“Breaking Down the Standards,”</a> Christine Hovious, director, IIA Global Standards and Guidance, acknowledges that “The phrase ‘conformance with the <em>Standards</em>’ can sound authoritative and overwhelming, suggesting a complex, resource-intensive effort.” But, she explains, conformance is much easier to achieve than many CAEs may believe. “In fact, numerous activities performed by practitioners likely conform with the <em>Standards</em> already,” she says. In her article, Hovious details the components of the Standards, breaking them down into bite-size, easily digestible pieces. <br></p><p>The remainder of the February issue delves deeper into the successful practice of internal auditing. From integrated audits, to ethical practice, to auditing governance, to incorporating the Core Principles of the IPPF into quality assessments, we’ve got you covered on what it takes to succeed in today’s organizations.</p>Anne Millage0
Diversity in Action in Action<p>​For any chief audit executives (CAEs) unsure of the need to embrace diversity in their teams, consider this: Diverse teams outperform non-diverse ones. According to data from management consultancy McKinsey, gender diverse teams outperform those lacking this mix by 15 percent. "If that doesn't get you on board with diversity and inclusion, then it might be time to rethink your approach to team management," says Kate Headley, director of talent management firm The Clear Company.</p><p>There are several ways that CAEs can take action to improve gender diversity in their teams. Linnea Texin, senior consultant at Corporate Citizenship, a management consultancy, suggests that firstly, CAEs should engage their teams to pinpoint the key issues that affect their ability to recruit, advance, and retain female talent, while also looking at wider, external issues, such as regional and industry trends.</p><p>Secondly, CAEs should ask key stakeholders — including executives, core team members, and customers — what key actions they feel the team should take to improve diversity. Thirdly, audit executives should set performance metrics and targets to check they are making progress. And lastly, the whole strategy should be well-communicated so that the whole team understands the rationale and is behind it. "More transparency helps build trust," says Texin.</p><p>Any successful approach to improving gender diversity will depend on attracting and hiring female talent, followed by developing, motivating, and retaining staff, says Patrick Voss, managing director at Jeito, a culture and engagement consultancy. Each requires a different set of activities to make it successful, says Voss — and he offers two simple options to help make it work.</p><p>"For those internal audit teams that are in-house and of a much bigger company, speak to the human resources team to see what initiatives they have in place to encourage greater diversity in the workplace. The chances are that a potential employee will be drawn by the company brand in the first place, so consider how the internal audit team can build on this."</p><p>Secondly, Voss advises asking members the audit team, as well as individuals outside the audit function, to describe the culture in three words. The response, she says, will help provide an idea of how internal audit is perceived. "Then speak to female colleagues and peers and assess their reaction to these descriptions," she adds. "If they suggest this sounds like an unappealing place to work, think about how you might shift this culture."</p><p>Stephen Frost, founder of Frost Included, a diversity consultancy, says that "gender bias" in departments and organizations can be reduced through conscious and more self-aware leadership, and through changes to the recruitment and appraisal processes. "A Harvard Kennedy School study found that a more diverse recruitment resulted when candidates were presented in groups, rather than one-by-one," Frost says. "Mixed interview panels are also important, and organizations like Goldman Sachs, Lloyds Bank, and KPMG now insist on at least one female executive in any panel when interviewing for senior-level recruitment," he adds.</p><p>Another method is to process applications and potential promotions purely based on skills and experience. Using a "name blind" policy will also help avoid discrimination not only by gender, but also by age, nationality, address, and any other information that has nothing to do with past successes and experience.</p><p>However, the key issue to improve inclusivity and performance within internal audit departments shouldn't necessarily be just about gender, Frost says. "For various complex sociological reasons you may also have women who actually manifest typically male attributes and attitudes, which is not the answer. Successful businesses need to create an environment that is genuinely diverse in its character and outlook, and it should challenge and counterbalance such stereotypical male values."</p><p>Experts also warn about confusing diversity with a "numbers game." Voss says that CAEs should not try to "set targets for target's sake." "Aiming for a 50/50 split is fantastic, but if it is unlikely to be reached, then aim for step-by-step increases that might be more manageable," he explains. "Think through where you currently are on gender balance and set yourself realistic targets based on the pool of talent you have access to and the marketplace."</p><p>Headley also says that it may be best to "forget about numbers" as they can "be detrimental to success." "In smaller teams, quotas can often be both harder to achieve and irrelevant in terms of the skills needed to carry out the job at hand," she says.</p><p>Research has shown that companies do not need to have a 50/50 split between men and women to achieve the benefits associated with gender diversity. In fact, The CS Gender 3000: Women in Senior Management, a 2014 report by financial services firm Credit Suisse, shows that even at the highest level of the organization, companies with just one female director achieved better share price performance than those companies without women during the previous six years. </p><p>"Embracing true diversity means focusing on the capabilities of the individual, rather than their gender, ethnic origin, social background, or any other demographic," Headley says. "This includes assessing a person's potential to develop the technical skills needed for the role, rather than their existing abilities. If your recruitment processes are inclusive, the by-product will be a truly diverse team."</p>Neil Hodge1
Top Articles of 2016 Articles of 2016<div>Last year we published nearly 150 articles on our website, in addition to our blogs and social media posts. Below are the year’s 10 most popular features, based on visits to the site.</div><div><br>Judging by the list, it’s clear that you, our audience, were especially hungry for perspectives on fraud-related topics. You also showed an interest in soft skills and ways to improve the internal audit function. Our annual feature on Emerging Leaders has historically been a top performer as well, and 2016 (see No. 2 spot) was no exception.<br></div><p></p><div><ol><li> <a href="/2016/Pages/Toxic-Leaders-Toxic-Culture.aspx">Toxic Leaders, Toxic Culture​</a><br></li><li> <a href="/2016/Pages/On-the-Rise-2016.aspx">On the Rise: 2016​</a><br></li><li> <a href="/2016/Pages/Getting-More-From-Interviews.aspx">Getting More From Interviews</a><br></li><li> <a href="/2016/Pages/A-Matter-of-Trust.aspx">A Matter of Trust</a>​<br></li><li> <a href="/2016/Pages/Proactive-Fraud-Analysis.aspx">Proactive Fraud Analysis</a><br></li><li> <a href="/2016/Pages/5-Steps-to-Agile-Project-Success.aspx">5 Steps to Agile Project Success</a><br></li><li> <a href="/2016/Pages/Fraud-and-Related-party-Transactions.aspx">Fraud and Related-party Transactions</a><br></li><li> <a href="/2016/Pages/Integrating-Key-Risk-and-Performance-Indicators.aspx">Integrating Key Risk and Performance Indicators</a><br></li><li> <a href="/2016/Pages/On-the-Hunt-for-Payroll-Fraud.aspx">On the Hunt for Payroll Fraud</a><br></li><li> <a href="/2016/Pages/Optimizing-Internal-Audit.aspx">Optimizing Internal Audit​​</a><br></li></ol></div><p><br></p>Staff0
The High-performance Audit Team High-performance Audit Team<h2>​What are the primary characteristics of a high-performing audit function?</h2><p><strong>Carawan</strong> Our profession has gone through a major transformation over the last decade. The nature of risk is increasingly global and interconnected, which means more is at stake than ever before. Audits of those gray areas such as culture and conduct are no longer a “nice to have” but a “must have” in any comprehensive risk-based audit plan. Stakeholder expectations are constantly changing, and regulators around the world continue to raise the bar for internal audit departments. The only constant in today’s audit profession is change, and a high-performing audit team is one that can constantly evolve to meet new challenges and seize opportunity.</p><p><strong><img src="/2016/PublishingImages/Larry-Harrington.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Harrington</strong> High performance teams understand the organization’s mission, strategy, objectives, and risks and provide insight and foresight to enhance the organization’s success. Further, they understand the importance of evolving risk management; it won’t matter if you are world-class if you audit the wrong things. They understand stakeholder expectations, think about implications across the enterprise, and are responsive to a business context broader than the boundaries set by the audit plan.</p><p>At Raytheon, in addition to hiring experienced internal auditors, we hire high-potential talent from every function within the company to enhance our collective knowledge of the organization.</p><h2>How can you ensure you’re recruiting high-performing auditors?</h2><p><strong>Harrington</strong> When business management believes we are a high-performing team, they see us as a talent pool for the organization and a key source to fill financial, operational, and IT positions in all functions. We measure, benchmark, and report our turnover into the business. Additionally, management willingly offers up its top talent to rotate through us because they see the unique value of that rotation. </p><p>We put our candidates through a comprehensive interview process focusing on competencies and results using behavioral interviewing techniques. Candidates are interviewed by multiple members of internal audit staff as well as leadership. We look for the best candidates regardless of background and education, and screen to ensure they are an appropriate fit for our high-performing team culture.</p><p><strong><img src="/2016/PublishingImages/Mark-Carawan.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Carawan</strong> When looking to recruit top talent, I think it’s important to enable flexibility in one’s organizational design. Just because there isn’t a role that is a perfect fit for an individual, any leader should be strategic and think about the future needs of the audit department and the organization, and where that person might fit in the future. From a more practical perspective, we follow a very thorough recruitment process when recruiting staff at Citi. This includes having diverse slates for open roles and multiple and diverse interviewers for each role, including audit-delivery and non-audit-delivery staff such as human resources professionals. We also test candidates against Citi’s leadership standards, looking at not only what candidates have achieved in their careers, but how. This helps ensure only the very best, high-performing candidates join the team.</p><h2>How can an integrated internal audit function boost performance?<br></h2><p><strong>Carawan</strong> The global and interconnected nature of risk means an integrated team is necessary to ensure top performance. A team that is made up of individual silos that do not proactively share information and check and challenge one another is ultimately a team doomed for failure. Communication and partnership are key in ensuring a team is looking at risk in a comprehensive, joined-up, and holistic manner.</p><p><strong>Harrington</strong> Interestingly, when internal audit boosts its own performance, it will also be in a position to boost the organization’s performance. The central ingredient is people. We start by understanding the challenges, risks, and concerns facing the organization and convert those issues into a formal hiring strategy to attract diverse candidates with skills to assist internal audit in those areas. We also have a formal learning strategy to enhance team member competencies. </p><p>CAEs must substantially increase the dollars invested in team learning. We also must require team members to meet the company investment with their own investment. Finally, leadership must create the right environment, reinforcing the speed at which the world is changing and the need for continuous improvement, all while challenging, recognizing, and rewarding team members. </p><h2>What soft skills are most important to audit performance and why?<br></h2><p><strong>Harrington</strong> These soft skills, not in order of importance, include: leadership; verbal, written, and presentation communication; diversity and inclusion; emotional intelligence; critical thinking; networking; listening and asking better questions; teamwork; negotiation; and adaptability. </p><p><strong>Carawan</strong> Soft skills are just as important as hard skills when I think of a successful auditor. Being able to communicate effectively with other team members and ultimately stakeholders is key to carrying out a successful audit. This becomes critical when an auditor needs to deliver a tough message to a stakeholder in a productive and constructive manner. Effective communication skills help stakeholders move away from thinking of audit as the “police” and instead consider audit a partner who is there to help them manage risk. </p><h2>What is innovation’s role in high-performance auditing?<br></h2><p><strong>Carawan</strong> A high-performing audit team is one that continuously evolves to meet the new challenges and seize the opportunities that arise from change. Within this context, innovation is of the utmost importance. Citi Internal Audit’s approach to auditing culture is a great example, as it demonstrates a direct response to a relatively new challenge facing the industry. Culture has long been on the corporate radar, but the financial crisis placed it front and center. With this spotlight on culture also came a need to assess its place within the control environment of financial institutions. Citi Internal Audit designed and rolled out a comprehensive approach to auditing culture in 2015. </p><p><strong>Harrington</strong> Innovation is key to high-performance auditing. The world is changing at light speed and that will accelerate going forward. Every business and industry is under pressure to reinvent itself annually. CEOs and boards look to internal audit to assist in streamlining complexity, process, controls, etc. They look to us to be experts in Six Sigma, lean, and data analytics to help them drive the competitive changes necessary to survive. Insight and foresight are critical to innovation as are the hiring strategy and the learning plans to ensure we have the competency to deliver innovative solutions that help the organization achieve its objectives. Finally, look for innovation and leading practices from other industries and businesses, not just your own.</p><h2>What is the biggest obstacle to high performance and how do you overcome it?<br></h2><p><strong>Harrington</strong> Complacency. We regularly benchmark against other global internal audit functions to learn leading practices and share those across our teams. We search The IIA’s website for thought leadership materials. We meet quarterly with all second lines of defense to share risks, trends, and leading practices. We have a continual risk assessment process and meet regularly with leaders inside and outside the company to keep abreast of risks.   </p><p><strong>Carawan</strong> The biggest obstacle to high performance is homogeneity. The day you have your leadership team sitting around the table with everyone nodding in agreement — you’ve got a problem. Every team needs constructive conflict to thrive. And this is not just limited to audit teams. Different opinions and views make us think, re-consider, and look at things from a different point of view. This is true at all levels of an organization. Leaders must foster an environment that welcomes constructive conflict, where staff feel like it is safe to speak up. </p>Staff1
Growth Through Challenge Through Challenge<p>​Nothing prepared Kayla Brown for her first audit road trip. After a steady diet of compliance work at Atlanta-based children’s apparel company Carter’s Inc., she was sent across the country to audit the operations of six of its California stores. She was 23 years old, traveling alone, and had never rented a car before. “Being on your first job,” she says, “it’s the little things that can stress you out.”<br></p><p>Once Brown arrived on the West Coast, she encountered some initial skepticism from store managers. Some thought she didn’t seem old enough to be auditing the businesses they had worked at for many years. Most of the audits went smoothly, but one store didn’t do so well. “Luckily, the store manager was good to work with, so it wasn’t a difficult conversation,” she says. “But it’s not great to be the bad guy. You want the business to get better and you want to serve as a partner.”<br></p><p>Despite Brown’s nervousness, the California audits were a great experience and a launching pad for her current career. Three years into her job, she has led Carter’s retail store audits throughout the U.S. and Canada. <br></p><p>Brown’s desire to be a business partner and her eagerness to learn are typical of young auditors entering the profession. Like Brown, challenges encountered during early audit assignments are often the fire that ignites successful careers at a young age. Some of <em>Internal Auditor</em>’s current and previous Emerging Leaders share their experiences.<br></p><h2>Into the Deep End</h2><p>Today’s young auditors reflect the profession’s growing emphasis on being multifaceted — no one’s going to confuse them with accountants. Some like Brown have emerged from universities with internal audit curricula, such as those that are part of The IIA’s Internal Audit Educational Partnership. Others have come over from external audit firms. Then there are those like Seth Peterson who fall into the job.<br></p><p>Peterson, assistant vice president and internal audit manager with The First National Bank in Sioux Falls, S.D., wasn’t looking to be an internal auditor — his interest was banking. A professor at Buena Vista University suggested he get a job as a bank examiner to gain a sense of which area of banking he wanted to pursue, but there weren’t any openings. After a stint in an operations job at another Sioux Falls-based bank, he applied for an internal audit opening that could give him the overall view of the bank that he wanted.<br></p><p>For Peterson, internal audit was a whole new world. He knew nothing about auditing, and he didn’t know what to expect. Yet, what initially was intended to be a short-term position quickly turned into a great career opportunity. “Everything about internal auditing was new to me,” he says. “I went into it with an open slate: I didn’t know what I was doing. I thought, ‘Let’s figure this out and shape what I want to do.’” <br></p><p>Those first audits were a trial by fire. His first bank had a series of frauds and control breakdowns. “It let me see when things go bad, how bad they could go,” Peterson recalls. Although the frauds were consumer-driven, the audits involved gathering facts from bank employees who were fearful that their mistakes might cost them their job. For a young auditor, they were tough conversations that involved balancing internal audit’s need to be objective with the interest to build trust with audit clients. “Looking back, I could have been better prepared and equipped to handle those interviews,” Peterson admits. <br></p><p>Such trials can be a great way to learn, as long as auditors aren’t overwhelmed by them, Peterson says. He credits his boss at the time, Joel Baier, with giving him feedback on his work and sharing his own experiences — and the mistakes he had made along the way. “What was most valuable to me was him sharing what didn’t work for him, what the mistakes were, and what he learned from that,” Peterson says. <br></p><h2>Prepared to Succeed</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Sound Advice</strong> <br>Emerging Leaders past and present offer some tips for new entrants to the profession. Their core message is simple: Master the soft skills.<br><br><strong>Get a Mentor </strong>New auditors can learn much from audit leaders and other experienced co-workers, including how to communicate with clients about sensitive issues and how to protect their independence and remain objective. “Whenever I had some issues or questions regarding internal auditing, Olga was there to help with advice,” says Maja Milosavljevic of her mentor Olga Antic. Sometimes the best mentors will come from outside the profession, such as audit clients, company executives, and board members. “In interacting with executives and board members, you’re learning from some high-powered and experienced people,” Derrick Li says.<br><br><strong>Build Relationships</strong> Interactions with audit clients are opportunities for internal auditors to demonstrate how audit services can provide value, Seth Peterson says. But to get to that point, clients need to see auditors as people. Peterson recommends breaking the ice by getting involved in company volunteering activities. “You’d be surprised by what you can learn about someone from volunteering with them,” he says. “They see you as something other than an auditor.”<br><br><strong>Learn From Mistakes</strong> For new auditors, mistakes come with the territory. A bad client meeting can serve as a teachable moment — so can feedback from superiors. Auditors can learn from mentors’ and audit leaders’ mistakes, as well. As Andrew Loyack of Ahold Delhaize says, auditors shouldn’t have to touch the stove to know they’ll get burned. Above all, be resilient, he advises. “If you get knocked down, pick yourself up and learn from your mistake,” he says. <br><br><strong>Network</strong> When she speaks to college students about the profession, Kayla Brown stresses the same thing: networking. She should know — she landed an internship through a contact of one of her professors. Brown’s boss at that internship referred her to a colleague who became her boss at Carters. “Even if you love your current job, you never know when your circumstances might change,” she says. Networking helps on the job, as well. Khristi Ferguson of AccuAccounts reached out to fellow internal audit leaders in other Caribbean countries to share challenges and to get advice. “That helped a lot, just getting started,” she says.</td></tr></tbody></table><p>Those tough early conversations have shaped how Peterson leads his current team at The First National Bank in Sioux Falls. There, his focus is on having audit clients see internal auditors as people — and vice versa — which “helps people open up and lets us do our job more effectively,” he says.<br></p><p>That’s a lesson Derrick Li has taken to heart over the years. Li is director of internal audit and performance improvement at Translink, the public transportation authority for the Vancouver, British Columbia, region. As a young auditor, “you have to go in with a customer-first mentality,” he explains. “Otherwise, you come in as young and inexperienced, and you’ll quickly be shown the door.”<br></p><p>Li learned to be client-centric when he worked for outsourced internal audit clients while he was at professional services firm BDO. Because most of their internal audits were one-off engagements, internal auditors needed to develop future business by demonstrating the value that internal audit can provide business units. It’s a mentality he took with him to future internal audit jobs. <br></p><p>Another lesson Li learned from his audit consulting days was the value of preparation. One of his first internal audits at BDO was a board governance review for a large public company that had received poor governance ratings. For this review, Li interviewed board members who were top corporate executives. These could have been daunting exchanges for a new auditor, but Li came in prepared to ask the right questions. “You may not know as much as the people you’re auditing, but doing that prep work and demonstrating that knowledge can go a long way,” he stresses.<br></p><p>Upon leaving BDO, Li became a CAE at a succession of public sector organizations in Vancouver, each one more complex and with greater operating revenues. Unlike many young auditors, he didn’t have a CAE to teach him the leadership ropes. In his current position at Translink, he’s the youngest member of a staff of eight internal auditors, and he’s instilled them with that twin focus on the client and being prepared. His team has moved from primarily conducting financial compliance audits to doing performance, risk, and even Lean Six Sigma engagements. “Audit clients will quickly see if you’re all talk,” he says. “You’ve got to demonstrate quickly that you’re able to deliver. And if you make promises, you’d better commit to keeping them.”<br></p><h2>Changing Mind-sets</h2><p>Developing those client relationships can be challenging for new auditors at a time when they are just beginning to develop their “people skills,” says Maja Milosavljevic, senior auditor with EY in Belgrade, Serbia. Starting her career at the National Bank of Serbia, she learned the importance of developing a strong network throughout the organization, as well as having a good internal audit methodology. She observed how her mentor, Olga Antic, organized audit engagements and approached audit clients. “From my first projects, I learned how complex and detailed the work of internal audit can be and how important it is to have a good audit methodology to rely on,” Milosavljevic says.<br></p><p>From Antic, she learned how to gain her clients’ confidence, even when they were sometimes afraid of being audited. And she learned fundamental principles of working — including the International Standards for the Professional Practice of Internal Auditing — that she applies today. One big lesson was how to maintain her independence and objectivity. Antic advised her that “there are no strict rules for every situation internal auditors may find themselves in,” Milosavljevic recalls. “It is up to me to find an adequate solution for every situation I find myself in to preserve my independence and objectivity.”<br></p><p>Antic encouraged Milosavljevic to obtain her Certified Internal Auditor designation, and after a year she moved on to Erste Bank, where she advanced to senior internal auditor before landing her current job this year. Still, Milosavljevic struggles to convince audit clients that she is a trusted adviser, rather than a controller, in a country where internal audit is still a relatively new profession. “Looking back, I wish I had known that the mind-sets of people could be changed,” she says. “I would advise my younger self to always be persistent and polite with people when trying to influence their mind-set, because it is a process that requires time, but gives long-term results.”<br></p><h2>Youth Takes the Lead</h2><p>Like Milosavljevic, Khristi Ferguson has had to win over audit clients early in her career, but sometimes she’s had to convince her colleagues, as well. After working in external audit at Deloitte and KPMG following graduation from college, Ferguson moved into internal audit when she joined The Bahamas government as an internal audit director.  <br></p><p>Government, with its entrenched bureaucracy and potential for corruption, turned out to be a particularly challenging first internal audit job. One of Ferguson’s first larger audits was an operational review of the general post office. There, she found hardly any controls in place, operations that were ad-hoc, and audit clients who didn’t understand their strategic direction and purpose, much less what the auditors were doing there. “I spent most of my time with management, assuring them that this is not a ‘gotcha moment,’” Ferguson says. Instead, she wanted to get an overall view of operations and advise management of the regulations they needed to follow. “Some didn’t even know those rules existed,” she recalls.<br></p><p>Despite her external audit background, there was a learning curve for Ferguson. The Bahamas government has 72 ministries and departments, all with diverse conditions. At times, she had as many as seven audits in progress, covering a range of industries such as aviation, finance, utilities, and transportation. For each engagement, she had to develop specific expertise quickly. “How are you going to become an expert in aviation if you have nothing to do with planes?” she says. “You’ve got to find those rules and regulations, and you have to become an expert overnight.”<br></p><p>Then there was her staff, which comprised a mix of veteran internal auditors and young auditors with little formal training. Ferguson arranged training quickly with help from The IIA. She also upgraded the department’s technology by adding data analytics software, and she drafted one of the auditors who had a technology background to become the department’s IT audit specialist.<br></p><p>Rather than focus on financial audits, as auditors had done before, Ferguson focused her department on operational reviews that would reveal problems and opportunities for improvement. Clients resisted at first, but she convinced some of them quickly once they saw that her department was uncovering issues that they could fix before they were found by the auditor general or external auditors. Others took more convincing. “Some were just staunch and didn’t want to hear anything,” she says. “And then when they saw the audit report, they said, ‘you were right.’”<br></p><h2>Onward and Upward  </h2><p>Ferguson and Milosavljevic are proving that talented auditors are increasingly in demand. For Ferguson, that has meant launching her own business, AccuAccounts, which provides internal audit and consulting services for small companies in The Bahamas. <br></p><p>Another auditor with a new job is Andrew Loyack, who recently joined Zaandam, Netherlands-based Ahold Delhaize, whose U.S. division operates supermarkets along the East Coast. It’s a chance to bring his internal audit skills to the retail industry after eight years in the financial sector with outsourced internal audit provider Financial Outsourcing Solutions (FOS). <br></p><p>Loyack’s first job was a natural progression after studying accounting and management information systems at Shippensburg University of Pennsylvania and interacting with internal auditors during internships. He was struck at first with how much the auditors interacted with clients. Being an outsourced internal auditor was unique in that Loyack worked with lots of different small community bank clients. “It was hard to keep track of all the contacts that I had,” he says. “It wasn’t just separate audits, it was separate organizations and risk appetites.” <br></p><p>Having so many diverse clients made communication a necessity. “It was daunting at first because I was communicating directly with C-level management,” he explains. “Getting to the point where I was comfortable approaching them with questions and concerns was something I would never have fathomed right out of college.”<br></p><p>Those early experiences taught Loyack the value of learning how his clients and co-workers prefer to communicate and learn. He also observed how his mentor at FOS, Lisa Steen, worked through issues with clients. Her best advice for Loyack was to “always maintain that professional, valued adviser position,” he says. <br>Loyack also took advantage of FOS expanding its use of internal audit technology to share his IT knowledge with co-workers. That knowledge-sharing mind-set follows Loyack as he enters the next phase of his career at Ahold, where he is an IT internal auditor. “The things I went through at my first job — the trouble I had where I could have communicated better or more frequently — are things that I already have in the back of my mind so I don’t have to fall into the same potholes,” he says. <br></p><p>It’s those early lessons and experiences that can shape young auditors professionally as they move forward in their careers. And that forward movement is a key point: Like their peers in other professions, today’s young auditors aren’t standing still. They’re eager for new challenges and new opportunities.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Digital Audit Natives </strong><br>Today’s young auditors are digital natives, so one expects them to be naturals with technology. That was true for Maja Milosavljevic — senior auditor with EY in Belgrade, Serbia — at her first job. “I was more advanced with technology than my more experienced colleagues,” she says. She recalls that the combination of her technology skills and her co-workers’ business knowledge strengthened the audit team. But “there could have been more technology at that time that would have made audit work even more efficient,” she says.<br><br>Auditors craving more modern audit technology don’t always find it smooth sailing. For Khristi Ferguson, who led an internal audit department at The Bahamas Ministry of Finance, it was a matter of work styles. Younger auditors preferred communicating by email. “Technology was more their friend than a foe,” Ferguson notes. The more experienced auditors would get in a car and drive to talk to someone. Ferguson had to bring both camps together so the newer auditors could share how to use technology in their audits and the veteran auditors could teach their new co-workers about the government. “Both sides saw value,” she says. “Did it mesh right away? No, not at all.”<br><br>Being adept with technology and helping co-workers get up to speed can help new auditors advance in their careers. In Andrew Loyack’s case, it led to a new job as an IT auditor with Ahold Delhaize, after working in an operations and compliance audit role at his former employer, Financial Outsourcing Solutions. When he started his previous job, originally as an IT auditor, most audits were done manually, but within three years, the audit function was strongly digital and looking to expand its data analytics capabilities. Loyack took a personal interest, developing a mind-set that he’s carrying over to his new position. “I’m a big knowledge-share person,” he says. “Even if I know something, I want to make sure everybody knows it.”</td></tr></tbody></table><p></p>Tim McCollum1

  • TeamMate_Prem 1
  • RSM_Prem 2
  • IIA Sydney Conf_Prem 3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Understanding the Risk Management Process the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z
Managing an Internal Audit Career: How Do You Know When It’s Time to Go?’s-time-to-goManaging an Internal Audit Career: How Do You Know When It’s Time to Go?2015-03-30T04:00:00Z2015-03-30T04:00:00Z