The Boring Audit Department<p>Austin Kleon, a self-described "author who draws," recently wrote that he believes people behave as if they have a secret wish to be bored to death. As he explains in a blog post, Kleon imagines people saying, "I want artists to say all the right things. … I want artists to play it safe. I want me and my artists to be best friends forever. I want artists to do and be all of these things and then I want to be allowed to complain how boring art is."</p><p>I have always believed that internal audit work is more art than science. Take the audit report. I worked with someone who saw electronic workpapers as the answer to all his report-writing woes. In every meeting about improving either our reports or our workpaper system, he would arrive with suggestions on how to reduce reports to a collection of pull-down menus and buttons — all designed to remove human error from the process. He never said the words, but what he wanted was a fill-in-the-blanks audit report.</p><p>Effective audit reports are not a collection of stock phrases and plugged-in data; they are an artfully constructed blend of perfected verbiage, salient points, and appropriate support — all balanced to represent the needs of both internal audit and its stakeholders. Effective report construction is an art. </p><p>Likewise, effective completion of an audit project is also an art. And ultimately, the development and maintenance of an effective internal audit department is an art. </p><p>With that in mind, reread the quote from Kleon. But this time, wherever the word <em>art</em> appears, replace it with the phrase <em>internal audit</em>.</p><p>Many board members, executive managers, and even internal audit leaders don't want anything extraordinary from their audit departments — nothing challenging, nothing outside the box, nothing that might ruffle feathers. 
They want internal audit to stick to the script, remain predictable, and play it safe at all times. Not surprisingly, these same individuals are among the first to complain they are not getting anything from their internal audit departments — they say that it provides no value, that it represents a drain on the organization, that it is, dare we say, boring.</p><p>We accede to their desires at our own peril. If we avoid excitement, if we avoid confrontation, if we avoid the unpredictable, if we avoid risk, and if we worry about maintaining friendships, then we forfeit our right to complain about the results. The minute we think we can fill in the blanks, keep repeating what we've done in the past, and survive by sticking with the status quo is the minute we inevitably become boring.</p><p>And if we make internal audit boring, we have no one to blame but ourselves for our ultimate demise. No one needs a boring audit department.</p>Mike Jacka
Words Matter<p>This month's cover story, <a href="/2018/Pages/Information-Distillation.aspx">"Information Distillation,"</a> considers the best way to communicate the results of an audit. According to author Norman Marks, effective communication "tells leaders what they need to know, when they need to know it, in a form that is not only readily understood, but also actionable by them." </p><p>The editors of this magazine are all about communication. Our job is to provide readers useful information that is easily digestible. Over my 30 years as an editor, I've come to appreciate the importance of using the correct words when communicating. For example: </p><ul><li>There are certain words writers <em>utilize</em> to make them appear smarter, when the simpler form of the word (<em>use</em>) works just as well and doesn't appear as pompous. <br></li><li>"Very" is not always necessary or correct. Using "very unique," "very critical," or "very first" does not lend to the writer's credibility. <br></li><li>Brief is better. Instead of "in order to," use "to" and, instead of "take into account," use "consider." <br></li><li>Some words/phrases just don't make sense. It's "regardless," not "irregardless." And, <em>please,</em> don't write that you "don't disagree" with something. Either you disagree or you agree. <br></li></ul><p><br></p><p>Whew! I feel better. OK, back to audit communication. In a blog post originally published in October 2011, IIA President and CEO Richard Chambers offered valuable suggestions for what not to include in an audit report that still hold true (see <a href="/blogs/chambers/2017/Pages/10-Things-Not-to-Say-in-an-Internal-Audit-Report.aspx">"10 Things Not to Say in an Internal Audit Report"</a>). His suggestions include:</p><ul><li>"Don't use weasel words. It may feel safer to avoid being specific, but when you have too many hedges … there's a danger that you are not presenting well-supported facts." 
<br></li><li>"The problem is rarely universal. It's good to be specific, but there's a danger in words such as 'everything,' 'nothing,' 'never,' or 'always.'"<br></li><li>"Avoid unnecessary technical jargon. Every profession needs a certain amount of technical jargon, but the more we can avoid audit-speak, the more we can be sure that the message is clear."<br></li></ul><p><br></p><p>In this issue's "Eye on Business" (page 64) Michelle Hubble and Sandy Pundmann add their voices to the mix on what constitutes good audit communication. As Pundmann says, "Exclude extraneous words and data that don't add value to the report. … Crispness is key."</p><p>So, what does all of this boil down to? Whether you're an editor or an auditor, words matter. Make sure you choose them wisely.</p>Anne Millage
Information Distillation<p>A company president once told me shortly after I joined the organization that he didn't understand why he was receiving copies of internal audit reports. He didn't understand how they were relevant to his work. He had better uses of his time than reading our reports.</p><p>He is not alone. Drew Stein, a board member and former CEO in New Zealand, has written, "Almost all of internal audit findings are mundane operational compliance issues." </p><p>When organizational leaders don't see value <em>to them</em> in what internal auditors share — even questioning whether they should waste their time reading audit reports — something is wrong and change is needed. These leaders will only see value if internal auditors' communications are about issues that matter to them and to the organization's success, and provide clear, concise, and actionable information. In other words, auditors must provide them with the information they need to be effective leaders.</p><p>In an era of dynamic change, organizations and the managers who run them are also changing how they monitor and run the business. In particular, they must be ready to make decisions quickly because risk and opportunity don't wait for them. A decision delayed is often a decision that is made by a competitor.</p><p>In many ways, the internal audit profession has challenged many of its traditional, tried-and-true methods and principles to meet these changing stakeholder demands. One thing that hasn't changed is that many internal auditors are still communicating their findings through a traditional audit report, and that may not be sufficient. They may not realize that the <em>International Standards for the Professional Practice of Internal Auditing</em> does not require a formal, written audit report. Standard 2400: Communications requires that "Internal auditors must communicate the results of engagements." 
The <em>Standards</em> require <em>communication</em>, and internal auditors should consider how they can <em>communicate</em> effectively.</p><p>The traditional audit report and its standard format tell stakeholders what <em>auditors</em> want to say, rather than telling stakeholders what <em>they</em> need to know. A more effective audit communication tells leaders what they need to know, when they need to know it, in a form that is not only readily understandable but actionable by them. In other words, internal auditors should provide stakeholders with the information they need to be effective. At the end of an audit engagement, the auditor should consider what information — assurance, insight, and advice — will help stakeholders lead the organization to success. What are their challenges, and how can internal audit help deal with them?</p><h2>What Stakeholders Need to Know</h2><p>Your young child comes to you crying in the night and tells you she has a tummy ache. Her head seems warm but she doesn't have a high temperature, so you bring her into bed with you and she comfortably cuddles up. But soon she starts crying and curls up into a fetal position. "Mommy, daddy, it really hurts!" she cries. This time when you touch her head, it is hot, and you decide to take her to the emergency room.</p><p>Fortunately, she is seen quickly by a doctor, who says he needs to run a few tests. You wait. Then you wait some more. Eventually, a nurse appears. You run to her and ask, "How is she? Will she be OK?"</p><p>The nurse hands you a binder and says, "Here's the doctor's report."</p><p>You raise your voice. "Is she OK?"</p><p>The nurse smiles and informs you that there is an executive summary on page 3 where you will find the information you need.</p><p>The leaders of the organization, internal audit's stakeholders, are not that different. 
They want to know whether everything — the people, processes, and systems relied on to manage risks — is going to be all right (assurance). They also need to know what they need to do (advice and insight).</p><p>They don't need to know:</p><ul><li>Why internal audit did the audit. They need to know the results and why they matter, not the audit planning process. The results will include assurance on specific risks and objectives.<br></li><li>How internal audit performed the work.<br></li><li>Background information that they should already know and is not relevant to the assurance, advice, and insight internal audit is sharing.<br></li><li>Details that are being handled appropriately at lower levels of the organization.<br></li></ul><p> <br> </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Cover Note Example</strong></p> <p>The note below — originally a hard copy, later in an email — was attached to an audit report sent to executive management and the audit committee at Tosco Corp.</p><p>January 15, 1995</p><p> <strong>Audit of Derivatives Trading</strong></p><p>Are there any risk issues of significance to the audit committee or executive management? YES/NO</p><p>Are there any outstanding major internal control findings meriting audit committee or executive management attention? YES/NO</p><p>Distribution:</p><p>Audit Committee</p></td></tr></tbody></table><p>The "Cover Note Example" (see above) accompanied an audit report to stakeholders at Tosco Corp. when I was the company's chief audit executive (CAE). The note showed them at a glance whether there was anything they needed to worry about. It gave them the assurance they needed to rely with confidence on the controls around derivatives trading risks.</p><p>If we identified significant internal control weaknesses, we did more than rely on a rating system. 
The cover note would have one sentence that described them at a high level. The executive summary would explain how enterprise objectives might be affected.</p><p>Going back to the story about the sick child, if you opened the report to the executive summary and it said your child's condition was "needs improvement," would that be acceptable? Would it provide the assurance you need or the information you need to care for her?</p><h2>What Do You Mean?</h2><p>After I left Tosco, I joined Solectron Corp., a global electronics manufacturing company. My first task as CAE was to review and approve the audit report for our audit of the Shenzhen, China facility. My predecessor had developed an audit report format that led with the results presented in a table. There was a row for each area of risk that had been included in scope, with an assessment of the related controls — using a red, yellow, green color-coding system — and the number of significant findings.</p><p>In the draft audit report I reviewed, the assessment for every area of risk was "red," and the paragraph directly below the table started with, "The system of internal controls at the Shenzhen facility is not adequate. Significant improvements are required."</p><p>I called Audrey, the audit director for Asia Pacific and Japan and a direct report to me. "Audrey, what does this mean?" I asked. Her reply was, after a moment's hesitation, "Norman, the internal controls are not adequate." I repeated my question and she repeated her answer. </p><p>"Audrey, imagine that as you are getting on the elevator on the fourth floor of the corporate office in Singapore, you see Chester, the president and CEO for Asia Pacific and Japan. He asks you, 'What do I need to know about your audit of Shenzhen?' I want you to call me tomorrow and tell me what you would say, recognizing that you only have until the elevator reaches the ground floor."</p><p>Audrey called me the next day. 
"I would tell Chester that 'the controls in Shenzhen will not be able to support the 30 percent expansion in manufacturing capacity planned for later this year,'" she said. Instead of blandly saying that controls were inadequate, or even that the listed areas of risk were outside acceptable levels, Audrey was giving executive management actionable information that would help it run the business successfully. This advice and insight was based on an understanding of the organization's strategies, plans, and objectives. It told the executive, in clear and readily understandable language, that the plan to move production from other locations to Shenzhen would probably fail. That assessment was then followed with advice on the changes necessary to address the situation. We changed the audit report to lead with the effect on the business and its strategy. We used the language of the business to share our assurance, advice, and insight, rather than the language of internal audit (risk and controls).</p><p>The senior management team and the board are focused on executing on and achieving their strategies and objectives. 
Internal audit may know how internal control and risk management deficiencies may affect those goals, but unless auditors say more than "the system of internal control is not adequate," there is no assurance that management will appreciate what the audit results should mean to them.</p><p>Internal auditors need to communicate the results of their audits in a way that:</p><ul><li>Makes it clear which enterprise objectives might be affected and how.<br></li><li>Explains which risks to objectives are outside desired levels.<br></li><li>Helps them identify and then take the necessary and appropriate actions.<br></li></ul><p> <br> </p><p>For example, our report following an audit of the process for reviewing and approving capital expenditure requests at Tosco led with an opinion statement: "The Authorization for Expenditure process does not meet the needs of the organization. Decisions are not timely and, as a result, business opportunities are lost — rendering null the original business justification."</p><p>The first words used the language of the business to highlight the fact that business objectives likely were not being achieved. The opinion continued by saying that capital decisions might be delayed to the extent that revenue opportunities were lost. The audit report went on to explain what was happening, gave an example of a missed opportunity and the cost to the business, and how management had agreed to address the issue. This report prompted change.</p><h2>Have a Discussion</h2><p>Many internal audit departments track and report to their audit committee the number and aging of outstanding audit recommendations. One of the reasons management often fails to take all the necessary actions promptly is that internal audit and operating management do not have a common understanding of the potential effect on enterprise objectives.</p><p>Some auditors talk about internal audit having to "sell" its audit findings. 
They complain when management is reluctant to make the change they recommend. But perhaps management is right! Maybe the risk is one they should be taking on business grounds, or there is a better way to address the issue.</p><p>Rather than writing a recommendation and asking for a management response, internal audit departments should sit down with operating management and discuss:</p><ul><li>Do we agree on the facts?<br></li><li>Do we agree that there is a risk to one or more enterprise objectives?<br></li><li>Do we agree on the significance of the risk?<br></li><li>What is the root cause of the problem?<br></li><li>Should the risk be accepted or action taken to minimize it?<br></li><li>What are the options and which is best?<br></li><li>Will the actions bring the risk to an acceptable level?<br></li><li>What is a reasonable time frame within which to complete the corrective actions, and who will own each task?<br></li></ul><p> <br> </p><p>A constructive, open discussion with management — where everybody is listening and working toward the shared objective of enabling enterprise success — is far more likely to result in the change necessary for success. Internal auditors should realize that their final product is not really the audit report and its recommendations — it's the change that they enable. Informing executive management and the board that internal audit and management have agreed on defined actions is far better than sharing internal audit's recommendation and management's response.</p><h2>Beyond the Report</h2><p>The <em>Core Principles for the Professional Practice of Internal Auditing</em> talks about sharing not only assurance and advice, but insight. Every good internal auditor has opinions that go beyond what is typically included in the formal audit report. These may be of great value to management — if management gets to hear them. 
For example, the audit team may have thoughts on:</p><ul><li>The competence of the management team and staff.<br></li><li>Teamwork and morale in the area audited.<br></li><li>The level of resources available to the team (people, budget, systems, computers, etc.).<br></li><li>The ability of the team to deliver optimal performance.<br></li></ul><p> <br> </p><p>At the same time, management may have questions on these or similar topics and may welcome the opportunity to ask for the audit team's thoughts. Often, these insights are at least as valuable as the assurance and recommendations for change included in the audit report. But there has to be an opportunity for management to hear and discuss the insights of the audit team.</p><p>When there is more to say than "everything is fine," a face-to-face conversation with management can be the best communication method, especially in private when difficult topics can be discussed candidly. The most effective communications result in a shared understanding, and this is best achieved when both sides not only talk and listen, but ask questions to make sure they understand the other fully. This is the path to effective change and delivering the full value of internal audit to management.</p><p>A meeting or a phone call also may be essential if issues are serious and need to be addressed promptly. If the risk is significant, it doesn't make any business sense to delay corrective action for weeks while the audit report is being drafted.</p><h2>Forms of Communication</h2><p>Internal auditors need to communicate in a way that is easy for the individual with whom they desire to communicate to receive, absorb, and act on the information they need. 
Every CAE should take full advantage of modern communication methods as well as embrace the oldest way to communicate — talking and listening.</p><p>CAEs should understand how each of their key partners in management and on the board likes to receive information, especially the information they want to get from internal audit. These days, executives receive most of their information in dashboards and similar forms, as well as in meetings and emails. CAEs should consider asking that the CEO's and chief financial officer's (CFO's) daily dashboards or metrics include a section that highlights audit-related issues meriting that executive's attention. Sometimes, that is enough.</p><p>If the executive needs to know that the audit engagement confirmed that controls over a specified risk are working effectively, then that can be communicated with a descriptor and a green light. If controls are not adequate and the CEO's or CFO's attention is necessary, a red light replaces the green one with a link to the details, which may be the audit report in full or abbreviated form.</p><h2>Listen and Ask Questions</h2><p>As a CAE, I told my internal audit teams that I don't ever want them to "go and talk" to somebody. I want them to "go and listen." If they are talking more than 40 percent of the time, they are talking too much. Internal audit's communications should provide its audience, its stakeholders, with the opportunity to listen actively — to ask questions and to discuss the situation and its implications.</p><p>Communications should start early and be frequent. If internal audit finds something that appears problematic during the audit engagement, it should be talking about it, and listening, to management straight away. </p><p>The closing meeting at the end of fieldwork is an excellent opportunity for sharing, not only by the internal audit team but by management. 
The meeting should conclude with a shared understanding of the facts and issues, the risks they represent to enterprise objectives, and the actions that everyone agrees should be taken. If internal audit has done that well, the audit report simply becomes an after-the-fact summary. Even if there is no formal audit report, everybody should be assured that all issues will be addressed appropriately.</p><p>The audit report has value in enabling a discussion with senior management and the board — although serious issues should be communicated promptly in person or by phone. In some industry sectors, the report is necessary to meet the requirements of the regulators. But rather than considering the audit report to be the primary communication vehicle in every case, internal audit should adapt to its stakeholders' needs for assurance, advice, and insight. When internal audit provides the executive team and the board with the information they need, when they need it, to run the organization successfully, it is optimizing its value.</p>Norman Marks
Mapping Assurance<p>How many times have you heard, "Why are you auditing us again? Didn't we just do this?" In these instances, another assurance function may have recently conducted a review, creating the potential for internal audit to perform redundant work. How many audits are being conducted within your organization at any given time? Perhaps management has difficulty distinguishing internal audits from other types of audits and reviews, such as those from regulators, compliance, or environmental, health and safety departments. Do you know whether all risks – strategic, operational, human resources, financial, regulatory and compliance, and technology – are covered by an assurance provider?</p><p>One of internal audit's key responsibilities is to provide assurance to senior management and the board/audit committee that organizational risks are understood and are being managed appropriately. To fulfill that responsibility, internal audit requires tools and techniques customized to the organization that can assist in identifying, organizing, and presenting this information. Creating an assurance map may assist internal audit in providing those entities a clear understanding of risk and assurance coverage throughout the organization. </p><p>The IIA addresses this need with a new Practice Guide, "Coordination and Reliance: Developing an Assurance Map." It outlines a process the internal audit activity can use to create and maintain a robust assurance map.</p><p>Assurance maps can be used organizationwide; their function is broader than internal audit alone. An assurance map can support:</p><ol><li>A shared understanding of the risks faced by the organization aligned by risk categories. 
</li><li>Identification of the organization's risk management and assurance roles/functions.</li><li>Development of a holistic, comprehensive assurance framework that can be useful during times of transition – such as when mergers and acquisitions, organizational restructuring, or strategic changes occur.</li><li>Collaboration among assurance providers to facilitate the efficient and effective use of resources.</li></ol><h2>Common Risk Language</h2><p>A key component of a robust assurance framework is that the organization has a common language around risk. In practical terms, the auditable risk universe used by the internal audit activity is not all-encompassing, so internal audit's typical risk language may not be familiar across the organization. Many risk areas are not impactful enough to rise to internal audit's risk universe but must still be addressed per regulations. </p><p>Other risk areas may be related to strategy, which would exceed the scope of a typical internal audit engagement but still prove useful for the organization. Creating an assurance map allows the organization to develop a comprehensive risk universe; and for all risk discussions and reporting organizationwide to be understood by everyone involved, a common risk language is necessary.</p><h2>Clear Roles and Responsibilities</h2><p>Once all risk categories, risks, and assurance providers have been identified, the assurance map can be completed to document which providers are covering which risks. This allows management to see where risk management activities are occurring and what risks are covered or not covered by an assurance provider. </p><p>An assurance map does not have to be restricted to assurance providers only. If there are operational areas that manage risks or risk categories, they may also be included. 
If any areas lack clarity regarding what they should be doing in terms of risk management, the assurance map will help management address the issue, resulting in more comprehensive risk coverage organizationwide.</p><h2>Comprehensive Assurance Framework</h2><p>A comprehensive assurance framework ensures that the organization is addressing all of its risks appropriately and timely.  Creating an assurance map assists the organization in documenting its risk management approach, and it can be used to facilitate risk identification, assessment, management, and monitoring exercises that will assure senior management and the board all of the organization's assurance providers are working together to manage risk.  </p><h2>Collaboration</h2><p>Many organizations across industries operate in silos. Operational divisions work separately from the control functions (e.g., legal and compliance), and the control functions work separately from internal audit. Working this way inhibits communication about risks and leaves management with a fragmented view of risk coverage in the organization. If management is unclear about who is managing what risks, duplication of efforts can result, which wastes valuable resources and can create audit fatigue among auditable entities. Creating an assurance map can be a beneficial exercise to bridge these silos and begin operating in a more cohesive manner.</p><p>Once an assurance map is created, the organization's risks can easily be linked to its objectives and strategies. Risks, risk management, and assurance process are dynamic in all organizations, and a well-designed assurance map can allow the organization to keep pace with the changing environment and jump-start a robust risk management program that benefits the entire organization. 
An assurance map can, if thoroughly documented and maintained, be used to build the foundation not only for a coordinated and robust assurance management framework but an enterprisewide risk management framework as well. </p>Anne Mercer
The Passcode Is ... 312<p>Recently, I facilitated an internal audit seminar where something unusual occurred. The restrooms at the facility were locked, requiring a code for access. And while this type of security can be found in many commercial buildings, other factors raised questions about the practice. </p><p>The event coordinator gave the restroom code to seminar facilitators to share with participants. Someone also had written it on the whiteboard of each room. Moreover, the code appeared on flip charts that pointed the direction to the restrooms, as well as on the doors of the restrooms themselves.</p><p>Seminar participants started to discuss the situation. The room full of auditors instantly pointed out that displaying the code in so many places represented an obvious breakdown in controls. Some of them compared it to writing a login password on a sticky note and then attaching it to one's computer.</p><p>But a couple of attendees took the analysis a little further. They asked the deeper question — the one that any auditor using critical thinking skills should ask: What was the risk of everyone knowing the code? And as the discussion continued, someone asked another, perhaps more important question: How big was the risk that unauthorized individuals would enter the sanctum sanctorum of the 9th floor restroom when the building had guards on duty to ensure only authorized individuals could gain access in the first place?</p><p>What kind of auditor are you? Do you go ballistic when you see a circumvented control? Do you accept the control as is, assuming that, because it existed in the first place, it should continue to exist? Or do you look at a control circumvention and ask why the control existed in the first place and why it continues to exist? Or do you ask even deeper questions about risks, how they have changed, and how people are reacting to them? 
</p><p>A good auditor identifies a control breakdown and determines how to get it working again. A better auditor questions whether the control needed to exist in the first place. But the best auditor, the auditor who is providing real value to the organization, doesn't put all the focus on the existing process and controls. The best auditor looks at the risks with fresh eyes to better understand exactly what is at risk, how people's actions impact those risks, and how the organization can most effectively respond.</p><p>Allow me to go out on a most dangerous limb here and disclose that the code to enter the men's room was 312. And now, security is compromised and disaster may rain down upon us because a control has been circumvented. Of course, to the best of my knowledge, no disaster befell us during the seminar.</p><p>What is the worst that can happen when a control is circumvented? And why am I supposed to care about the control in the first place? Those are the questions far too many auditors forget to ask.</p>Mike Jacka
Your Personal Brand Personal Brand<p>​Brands are essential to corporate identity. Successful company branding can make a lasting impression on consumers, solidify market presence, and increase organizational value. At their best, brands establish instant recognition and lifetime loyalty, sometimes representing the organization's greatest asset.</p><p>By the same token, personal branding is important for all professionals, and perhaps especially critical for internal auditors. Establishing a brand can enhance an auditor's stature in the organization, as well as increase the perception that he or she can serve as a trusted advisor and provide value. Conversely, practitioners who neglect branding may face significant career adversity, such as finding themselves "on the outs" after delivering bad news to the C-suite or struggling after a post-merger consolidation of the audit function. </p><p>Like an organization's culture, a personal brand exists whether the individual knows it or not. Internal auditors need to intentionally craft their brand — and once established, that brand must be actively managed and maintained. </p><h2>What Is a Personal Brand?</h2><p>More than 20 years ago, management consultant Tom Peters coined the term <em>personal brand</em> in a <em>Fast Company</em> article titled, "The Brand Called You." Peters said of personal brand, "Regardless of age, regardless of position, regardless of the business we happen to be in, all of us need to understand the importance of branding. We are CEOs of our own companies: Me Inc. To be in business today, our most important job is to be head marketer for the brand called You."</p><p>A more recent notion of personal brand comes from Daron Pressley, a sales and marketing consultant who leads branding workshops. According to Pressley in his Branding and Brand Management Workshop Reference Guide, "Success is about the mirror you look into each morning and how you use the reflection you see to shape the life you live. 
This is personal branding." </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong style="font-size:12px;">Professional Associations</strong><p>Joining and actively participating in a professional trade association can help boost one's career, as well as enhance personal branding. Volunteering can include several activities, such as: </p><ul><li>Participating in a local association chapter.<br></li><li>Writing professional certification exam test questions. <br></li><li>Writing an article for an industry publication.<br></li><li>Speaking at a conference.<br></li><li>Creating a video for a trade group website.<br></li></ul></td></tr></tbody></table><p>Although definitions may vary, <em>personal brand</em> almost always refers to someone's authentic personal image — the amalgamation of qualities that make an individual unique. It represents someone's professional presence, encompassing both business skills and personal qualities. Those seeking to define their brand would do well to heed playwright Oscar Wilde's advice: "Be yourself. Everyone else is already taken." </p><p>Today, personal brand is often linked to one's social media presence, though every interaction is a branding opportunity — whether in person, through email, or by phone. Failure to treat people with respect, or communicate professionally, can impact personal brand. </p><h2>Why Is a Personal Brand Important? </h2><p>Developing a strong personal brand can benefit an internal auditor's career in many ways. First, it can help a practitioner assess himself or herself as a professional and gauge career status. The process requires some homework and self-reflection, which can help reveal development opportunities the auditor may want to pursue. </p><p>Second, an effective personal brand can help an auditor achieve recognition as a well-rounded professional with accomplishments outside of the organization. 
For example, a brand that encompasses volunteering at a local IIA chapter, participating on a board committee, or making other professional contributions can help auditors stand out as knowledgeable practitioners who advocate for the profession. By doing so, practitioners can increase the likelihood of being perceived as thought leaders, especially when their contributions often consist of offering fresh perspectives. </p><p>Third, once their personal brand has been established, internal auditors can more readily determine their career direction and better assess whether they are in the right role, at the right level, and working with the right people. Auditors should then be positioned to make the changes necessary to ensure they are in a truly fulfilling job, resulting in a higher level of performance, engagement, and success through career advancement.</p><p>Lastly, the internal auditor, through consistent use of his or her brand, will be seen as a trusted advisor. Others will trust the auditor's reputation, much as they would a product's brand name. </p><h2>Create Your Brand</h2><p>Creating a personal brand involves building from the inside out. Internal auditors should determine what about their values, personality, knowledge, and experience makes them stand out. Auditors should consider strengths, the benefits they bring to a role, what differentiates them from others, and what they can deliver to the organization. </p><p>To better understand how they're perceived, auditors also may want to ask others — colleagues, mentors, friends, or partners — to identify their strengths, values, skills, and abilities. If feedback does not align with the auditor's desired image, he or she should take appropriate action to revise personal branding. Practitioners also need to determine their unique professional style, and present that style consistently in all they do. 
For example, is the auditor's professional style casual and relaxed, sophisticated and polished, focused and analytical, jovial and energetic, or some combination of these qualities? </p><p>In a 2013 blog post titled "10 Steps to Building and Managing Your Personal Brand," marketing expert Matthew Royse suggests individuals may want to start with an elevator pitch — a short, concise message that explains who that person is and what makes him or her unique. For internal auditors, the pitch may include whether his or her specialty, or passion, is perhaps information security risks and controls, governance, or quality programs. It can be used for client introductions, job interviews, or social interactions. The elevator pitch also could be adapted for the LinkedIn Summary section of the individual's profile, or on his or her Facebook page, if using the site professionally. Messaging should be continually refined as the auditor's career evolves.</p><h2>Promote Your Brand </h2><p>Social media is perhaps the most important means of managing a personal brand online. Professionals can use it to connect with peers, build relationships, and share information that aligns with their brand. After deciding on a personal brand, internal auditors need to determine which social media platforms they'll use to promote themselves. </p><p>Some aspects of social media, and specific tools, will better align with brand objectives than others. Auditors should research social media sites to determine which ones are most compatible with their brand. LinkedIn, for example, provides one of the best platforms for establishing one's reputation as a serious and talented professional, though some may argue that Facebook now also occupies some of that space — even though it began as a purely social tool. Twitter also provides a mix of social and professional content, though its unique format and character limit may not be a good fit for individual branding needs. 
</p><p>Internal auditors need to be mindful that their social media content, and overall internet presence, is persistent and readily searched. Therefore, anyone creating a personal brand should remain professional and appropriate at all times. An individual's social media presence reflects his or her values and will often serve as the basis on which that person is judged. Frank Bucaro, a speaker and ethics advocate, describes on his website how tending to these areas can build one's brand over time. "As trust is proven over and over again, your brand continues to strengthen," he says. "It is actually trust that is branded — trust based on honesty, integrity, ethics, transparency, openness, based on the authoritative use of power!" </p><h2> <img src="/2018/PublishingImages/Haig-How-Well-Are-You-Managing-Your-Personal-Brand.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Manage Your Brand </h2><p>Once established, a brand needs to be monitored to ensure the intended messaging, and the individual's reputation, remain intact. Auditors can gauge how their presence on social media is being perceived, for example, by reading feedback from blog posts, or responses to comments made on LinkedIn. They can assess whether feedback is positive and whether they need to approach their professional interactions any differently. </p><p>Several tools, adapted from Royse's blog post, can align an individual's online presence with his or her intended branding.</p><p> <strong>Name Search</strong> Internal auditors should search for their name in major search engines, making sure to use variations of their name during the process. The search will help reveal what's been said about the individual online, including any information that may be false or inaccurate. Auditors also may want to find out whether additional information can be found on them in "people databases," such as Intelius and Spokeo. 
Users can search for themselves on these sites and, for a fee, receive full results. Alternatively, a site like Pipl.com can be used to aggregate these searches.</p><p>Upon locating web content that is inconsistent with their brand — or simply inaccurate or false — users can contact the site administrator and ask that their article, comment, photo, or name be removed. Users also can appeal directly to search engines, such as Google, Yahoo, or Bing, to remove the edited pages. By filling out a simple form, the user can request that the URL be re-indexed. Such requests are not always granted, though instances of confidential, libelous, or copyrighted material will likely have a better chance of success. </p><p>When seeking to remove online information, auditors can use tools such as JustDeleteMe or AccountKiller to facilitate the process. JustDeleteMe's and AccountKiller's free tools show users how, and how difficult or easy it is, to delete unwanted information as well as remove social media accounts that are no longer useful or relevant. </p><p> <strong>Username Management</strong> Ideally, auditors should choose a username consistent with their brand identity and use it as uniformly as possible across platforms. Free tools, including Namecheck.com and Namecheckr.com, can be used to help determine username availability. Users simply type in their desired or current username to find out where the name is registered across social media sites and domains. 
Auditors can register their desired username on sites they don't currently use, for future application.</p><p>Auditors can also use Namecheck.com to create or simplify a personal LinkedIn URL. For example, a profile that appears as linkedin.com/pub/nancyhaig/40/2633/205 could be changed to one that is easier to remember, such as linkedin.com/in/nancyhaig. Users can search via Namecheck.com to determine whether the desired name is available — if the user's first choice is unavailable, he or she can choose a variation that supports the user's personal brand. The custom LinkedIn URL must contain between five and 30 letters or numbers; it may not include spaces, symbols, or special characters. To change the URL:</p><ol><li>Log in to LinkedIn.<br></li><li>Click the "Me" icon at the top of the page.<br></li><li>Click "View Profile."<br></li><li>On the profile page, click "Edit public profile & URL."<br></li><li>Under "Edit public profile URL," click the pencil icon next to the assigned URL.<br></li><li>Type the last part of the new custom URL in the text box.<br></li><li>Click "Save." <br></li></ol><p> <strong>Custom Alerts</strong> To monitor what others have said about them online, auditors can set up automatic alerts using tools such as Google Alerts or Talkwalker Alerts. To create a Google alert, the user would simply go to google.com/alerts and enter his or her name. 
To create a Talkwalker alert, the user would visit Talkwalker.com/alerts and, similarly, add his or her name. Both sites provide options such as how often, and in what language(s), the user prefers to be notified. Any instances of those names online trigger an email alert to the user, providing continuous brand monitoring.</p><p> <strong>Social Management</strong> When maintaining a social media presence across multiple platforms, auditors can use a tool to help manage them. Hootsuite, for example, connects a user's social media accounts and coordinates them through a dashboard interface. The service is free for personal use, for up to three social media profiles, and its features include the ability to monitor conversations, keywords, and phrases across social media. Hootsuite also can be used to schedule and automate the timing of messages, as well as track follower growth to see which content resonates with users. </p><p> <strong>Website Creation</strong> Some internal auditors may want to consider building their own website, particularly if they decide to start a business or perform consulting work. One helpful site creation resource is Squarespace — an intuitive, out-of-the-box tool available on both desktop and mobile platforms. Squarespace charges users for domain registration and website hosting. </p><h2>An Ongoing Process</h2><p>Just as company brands change over time, personal brands also may need to adapt to remain current. Internal auditors should remember to go back to their trusted colleagues to help refine and refocus their brand, all the while remaining consistent with their trusted core values. Technology changes also should be monitored to ensure users are using the latest social media tools appropriately to enhance and promote their personal brand. 
Without deliberate, continual attention to brand building, your brand can turn from highly personalized and effective to one that is defined by others on your behalf.</p>Nancy Haig1
The Need for Integration<p>In an era when IT is embedded in almost every process, trying to audit operational, financial, and technology controls independently is not an efficient use of resources. Beyond the redundancy of effort, it results in fractured reporting to both the board and senior management. Yet many practitioners continue to use this fragmented approach, despite its numerous disadvantages. To add value and improve the organization's operations — as mandated by The IIA's Definition of Internal Auditing — audit functions should instead adopt an integrated audit approach.</p><p><em>Integrated auditing</em>, as described in an IIA Practice Guide, refers to a holistic approach to internal audit engagement planning and execution that helps ensure all aspects impacting the quality or efficiency of a process are considered. The approach often requires auditors with different backgrounds and areas of expertise, at least during the planning phase, to identify all the risks and exposures that should be part of the audit engagement, including operational, financial, environmental, technological, and regulatory concerns.</p><p>Adopting an integrated audit approach focuses the chief audit executive (CAE) on developing auditors who can plan and perform engagements that consider any activity with the potential to prevent the achievement of organizational objectives. These integrated practitioners can provide an end-to-end understanding that includes policies, procedures, inputs, people, technology, outputs, environmental impacts, regulatory requirements, and more importantly their connection to organizational goals. </p><p>Integrated auditors, though, should not be expected to possess expertise in every area. In fact, part of being an effective integrated auditor involves knowing when to call the experts and ask for help. 
However, integrated auditors should be expected to possess the core competencies needed to plan and perform an internal audit, and to be proficient in applying the International Professional Practices Framework's Mandatory Guidance.</p><p>They also should have a deep understanding of the organization, including its core business and strategic goals, policies and culture, and technology (information and operational). Moreover, they should be well-versed in industry-specific issues, such as those pertaining to geographic location or the market in which the organization operates.</p><p>Integrated auditing is a winning proposition for the internal audit activity, individual auditors, and the organization. Integrated audits are more effective because they simultaneously assess financial, operational, and IT risk and controls, and they produce more timely recommendations to improve risk management, operational, and governance controls. The approach may help discover deficiencies that could go unnoticed when performing individual audits, and it can increase internal audit's relevance by providing a more comprehensive view of organizational risk. </p>Eva Sweet1
Intelligent Relationships<p>Internal audit is in a unique and challenging position; while responsible for providing assurance on the organization's ability to achieve its objectives, practitioners effectively have no authority over any of the operations and people it reviews. Without this authority, auditors face increased challenges to obtaining buy-in while managing conflict inherent in the process. Understanding and use of emotional intelligence, <a href="/2018/Pages/How%27s-Your-EQ.aspx">or emotional quotient (EQ)</a>, can help internal auditors smooth these waters throughout the audit process.</p><p>A key to successful buy-in is ensuring that internal audit's motivations are in alignment with the customer's. It begins with internal audit understanding its own motivations — from the broad goal of organizational improvement to more specific goals such as helping customers understand internal audit's value, putting customers at ease with the audit process, and even something as basic as getting the audit plan completed on time. A focus on the personal competence skills within EQ — including accurate self-assessment and commitment to aligning group and organizational goals — can ensure internal audit has an accurate understanding of its own motivations.</p><p>Internal audit must then understand and react to the goals and motivations of its customers. The shared goal of achieving organizational and departmental objectives is important. But customers will also have their own underlying motivations that internal audit should work to discover throughout the audit process. Social competence skills such as understanding others' perspectives, service orientation through anticipating customers' needs, and communicating by listening openly will help internal audit learn about and manage these responses. </p><p>These underlying motivations are often the cause of conflict escalation. Conflict, in and of itself, is not bad. 
Healthy conflict can help generate creative solutions and ensure that one individual's ideas and suggestions do not dominate others' opinions. But the trick is ensuring that healthy conflict is promoted while unhealthy conflict is kept under control.</p><p>Once again, the social competences of EQ come into play. Rather than responding to what the customer is saying, the internal auditor should try to understand why the response is occurring. Practicing empathy skills such as understanding the feelings and perspectives of others, service orientation through anticipating and recognizing customers' needs, and the political awareness of a group's emotional currents and power relationships will help the internal auditor gain a perspective on the motivations behind the customer's response. Emotional intelligence social skills such as influence, communicating openly, building bonds by nurturing relationships, and collaborating and cooperating by working with others toward a shared goal can then be used to bring the conversation back to the topic of working toward an effective resolution.</p><p><em>To learn more about how EQ can help internal auditors maintain positive, productive relationships throughout the organization, read "</em><a href="/2018/Pages/How%27s-Your-EQ.aspx"><em>How's Your EQ?</em></a><em>" or watch "</em><a href="/Pages/video.aspx?v=NpbTA2ZTE6qtYxwpXqzFPtB4FdwHk_Z3"><em>Emotional Intelligence for Internal Auditors.</em></a><em>"</em></p>Mike Jacka1
COSO Appoints New Chairman<p>The Committee of Sponsoring Organizations of the Treadway Commission (COSO) named Paul Sobel, vice president and chief audit executive at Georgia-Pacific LLC, as its new chairman. His appointment to a three-year term is effective Feb. 1.</p><p>Sobel is recognized as an expert on governance, enterprise risk management, compliance, and internal control. He was selected for the position because of his extensive background along with his experience in corporate environments and professional service firms, according to COSO. He succeeds Robert Hirth, who served as COSO chairman since 2013. </p><p>In addition to leading audit functions at four large companies, Sobel has held leadership roles as chairman of the Global Board for The IIA and as chairman of an audit committee for a privately held company. He also served as editor of <em>Internal Auditor</em> magazine's "Risk Watch" column from 2008 to 2017.</p><p>"It is an honor and privilege to be selected as COSO's new chairman," Sobel says. "I have been actively involved in the latest developments with the committee to help organizations across the globe improve their risk management, governance, and controls in our collective effort to deter corporate fraud."</p><p>Sobel was chosen from a group of more than a dozen applicants after a rigorous selection process.</p><p>"Paul is an exemplary leader with a strong vision," said COSO Lead Director and IIA President and CEO Richard F. Chambers. "I, along with the Board, strongly believe that he is well-qualified to further COSO's important mission." </p><p>Sobel also is a longtime volunteer with The IIA. 
In addition to serving as global chairman in 2013–2014, he was president of the Internal Audit Foundation, program chair for The IIA's International Conference in 2010 and 2013, and The IIA's representative on the Pathways Commission, which developed recommendations to enhance the future of accounting education in the United States.​</p>Staff0
Getting the Word Out<p>As new risks and compliance requirements emerge, management and the board have never needed more assurance about the way they're managing risk than they do now. And while internal audit has a vital role to play in providing that assurance, management and key stakeholders are often unaware of the breadth of knowledge, skills, and experience audit practitioners have, placing the function at risk of underutilization. If internal audit is to thrive, it needs to step up and improve its profile and sell itself to the board and management. In part that means chief audit executives (CAEs) need to develop their marketing skills, but it also entails developing a reputation for solid performance and reliability.</p><h2>Laying the Groundwork</h2><p>The first step, says Seth Peterson, internal audit manager at The First National Bank in Sioux Falls, is to make sure that internal audit can deliver what it says it is going to deliver. This, he says, is the groundwork needed to market the function. "If you are trying to build up trust within the organization, don't make promises you can't keep about work you can't do with resources, skills, expertise, or experience that you don't have — you set yourself up for failure and damage your credibility," he says.</p><p>Peterson, a past <em>Internal Auditor</em> Emerging Leaders honoree, notes that if the function wants to raise its profile, it is important that internal audit understands the needs of the organization, and aligns its focus to ensure that it is providing assurance on the key risks underpinning the business strategy and objectives. "If you can't align your audit coverage with the key risks facing the strategic objectives of the business, you will have a difficult time showcasing your value to management," he says.</p><p>He adds that demonstrating internal audit's proven track record is also useful when building relationships with management. 
"It's great if you can show that internal audit has been successful not only in providing objective assurance, but in providing efficiency recommendations, saving the business unit time or money, and aligning with strategic objectives."</p><p>Liz Sandwith, chief professional practices adviser at the U.K.'s Chartered Institute of Internal Auditors and a former head of audit, says that chief audit executives need to ensure internal audit delivers the level of assurance it is meant to on the audit plan before it tries to get involved in other areas. "Pitching for or responding to requests for additional work is only going to be successful if internal audit is already recognized as a function that is a center of excellence that produces quality work," she says. "If it isn't, then chief audit executives are going to have an uphill struggle trying to convince key stakeholders like the CFO that they should be involved in other projects."</p><p>Sandwith also says that before asking to be involved in other projects, internal audit needs to do its research. "Turning up and asking the CFO 'Is there anything we can help with?' is pointless, disrespectful, frustrating, and time wasting for a key internal audit stakeholder," she explains. "You need to do your homework and assess what the key risks might be for the organization if it pursues particular strategies or courses of action. You need to present key stakeholders with details about what role internal audit could play in the life cycle of existing or planned projects, and what the potential impact could be of its involvement — increased assurance, more robust control, improved efficiencies and procedures, better value for money, improved flow of management information, and so on. If you don't know fully what the organization is trying to achieve, how can you help?"</p><p>One of the mistakes that CAEs make when trying to raise the profile of the function (and themselves) is that they can become arrogant, Sandwith says. 
"Don't ever think that you know the business better than management simply because internal audit reviews the organization's key risks," she advises. "Internal audit's job is to help management make better-informed decisions — not to tell them what to do. You won't get very far trying to influence management if you think you are better than them."​</p><h2>Networking a​nd Offering Solutions</h2><p>Marbelio Villatoro, internal audit manager at aerospace and defense contractor Raytheon Co., says that soft skills are essential when trying to market internal audit. "Chief audit executives need to network within the organization if they want to raise the profile of the function and tell people about the contribution that internal audit can make," he says. "They need to make themselves visible and amenable, and it means spending time visiting and talking to other departmental heads about what they are doing and suggesting ways — however minor — that internal audit could help out."</p><p>Villatoro, also ​​recognized as an <em>Internal Auditor</em> Emerging Leader, says that internal audit needs to understand its limits, realizing the scope of activities it can perform and expertise it possesses. Nonetheless, he points out, internal auditors can still be part of the solution. "If internal audit can't help, for example, perhaps we can recommend people that can — either within or outside the business," he says. "If the organization needs to use a third-party consultant, perhaps we can make recommendations about the scope of the engagement and its budget, or how to get the most out of their expertise. Being proactive and always offering solutions is a key way for internal audit to make a great impression within the business."​</p><h2>Communication</h2><p>Good communication skills are also important. 
Dominique Vincenti, vice president of Internal Audit at Nordstrom in Seattle, says that CAEs need to effectively communicate what internal audit's role and skills are throughout the organization. </p><p>"People need to understand what internal audit does and the skills it has to offer, so it is the job of chief audit executives to communicate with them to make sure they understand the breadth of skills, experience, and expertise that the internal audit department has, as well as the success rate it has achieved," Vincenti says. "It is also very important that internal audit quantifies its success, and that it spells out the value that its involvement has resulted in."</p><p>Vincenti says that a simple way of improving marketing skills is to go and ask the organization's head of marketing for tips. "Talk to the marketing department — they are the professionals," she advises. "People are often more willing than not to share advice and their expertise if they think you are genuinely interested in getting their help, so go and pay the head of marketing a visit."</p>Neil Hodge1
