Update: Mindset for the Next Generation Mindset for the Next Generation<p>​Protiviti's latest Internal Audit Capabilities and Needs Survey underscores the importance of the profession embracing a next-generation mindset of innovation and transformation. To build and manage this mindset, internal audit needs to develop its competencies in governance, methodology, and enabling technologies.</p><p>The <a href="" data-feathr-click-track="true" target="_blank">survey</a> — which was conducted before the COVID-19 pandemic — finds that chief audit executives (CAEs) and internal audit teams have a lot of work to do. The 777 audit executives surveyed gave themselves low ratings for their competency in those three areas. In what Protiviti calls a "red flag for CAEs," self-assessments for competency with enabling technology such as artificial intelligence (AI), process mining, robotic process automation, and advanced analytics are some of the lowest in the survey.<br></p><p>Protiviti recommends prioritizing the three competencies, especially enabling technology. Next-generation auditing, processes, and tools — from strategic vision, agile auditing, and dynamic risk assessment, to AI, machine learning, and process mining — should receive greater attention from internal audit.<br></p><p>While many internal audit functions see innovation as a core value, the study says fewer groups are undertaking some form of innovation or transformation compared with Protiviti's previous surveys. At the same time, the functions' capabilities have matured. However, the survey cautions audit groups that are not moving forward "to get moving — or risk falling too far behind."</p><p>The study says audit committees want CAEs to explain how their efforts are resulting in more risk coverage, and the more detailed information the committees receive, the more their interest increases. <strong>— G. Nordhoff</strong><br></p><h2> <img src="/2020/PublishingImages/Update-company-culture-during-the-pandemic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:199px;" />Seeing Talent as an Asset<br></h2><h3>New white paper describes a framework for valuing human capital.<br></h3><p>COVID-19 presents a watershed moment for valuing human capital, says a white paper published by the World Economic Forum in collaboration with Willis Towers Watson. The paper, <a href="" data-feathr-click-track="true" target="_blank">Human Capital as an Asset</a>, advises organizations to deploy a framework of principles-based tools and metrics to measure and account for human capital and to govern business performance. </p><p>A human capital accounting framework can enable an organization's board and management to track how its investment in people is augmenting its human capital, the paper notes. "As companies look to reset their business models, they need an approach to valuing talent not as an expense but as an asset," says co-author Ravin Jesuthasan, managing director at Willis Towers Watson, "so that boards and management can be held accountable for their investment in people and for delivering better outcomes."</p><p>The paper offers examples of human capital metrics, including models for understanding the employee experience, the total cost of work, and the return on work. It provides guidance tailored specifically to chief human resources officers, boards, and policymakers. <strong>— L. Nelson</strong><br></p><h2>Cyber Skills Gap Widens<br></h2><h3>Education is needed to build competencies as threats rise.<br></h3><p>The global cybersecurity skills gap worsened for the fourth year in a row, even as threats become more advanced. The gap now has affected 70% of organizations, according to The Life and Times of Cybersecurity Professionals 2020, conducted by the Information Systems Security Association (ISSA) and independent analyst firm Enterprise Strategy Group (ESG). </p><p>The <a href="" data-feathr-click-track="true" target="_blank">survey</a> (PDF) of 327 cybersecurity professionals reveals that there has not been significant progress made in narrowing the gap since such studies have been conducted. This gap leads to repercussions such as increased workloads, unfilled job openings, and an inability for organizations to use cybersecurity technologies to their full potential. </p><p>ISSA and ESG say the only path forward is a holistic approach to cybersecurity education, with organizations making investments in developing and implementing globally accepted career development plans for cybersecurity staff. According to the data, 68% of respondents don't have a well-defined career path, despite the fact that 39% say it can take up to five years of hands-on experience to develop cybersecurity proficiency. </p><p>The study also indicates that businesses are not providing adequate training for their cybersecurity staffs. Thirty-six percent of respondents say their organizations should provide a bit more cybersecurity training, and 29% say it should provide significantly more training. Additionally, 64% say their organization should be doing more to address cybersecurity challenges. </p><p>"Key constituents are not looking at the profession strategically," says Jon Oltsik, senior principal analyst and fellow at ESG. "These disturbing trends should be of concern to corporate directors and business executives, particularly in light of the alarming findings this year that 67% of respondents believe that cyber-adversaries have a big advantage over cyber-defenders." <strong>— L. Wamsley</strong></p><h2>ERM in Uncertain Times<br></h2><h3>COSO Board member Patty Miller says the framework's principles can guide internal audit in addressing today's unexpected risks.<br></h3><p> <strong>How can internal audit apply The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) <em>Enterprise Risk Management–Integrating With Strategy and Performance</em> in times of extreme uncertainty? </strong></p><p>The COSO ERM framework is principles-based and applies in good times and bad. The framework's five components contain 20 principles, which should be present and functioning to achieve success. A careful consideration of these principles can lead to insights on effective risk management activities that can minimize the ongoing impact of the uncertainty and enable better preparation for the next event. </p><p>For example, a Governance principle such as exercising board oversight can help determine if the role of the board is sufficient during great uncertainty. And Performance principles such as identifying, assessing, and prioritizing risks can help in assessing the effectiveness of contingency plans to support a quick response to — or even anticipation of — changes. The Information, Communication, and Reporting principles on communicating and reporting on risk, culture, and performance information can aid in determining how effectively key stakeholders have been kept informed, including employees, strategic partners, shareholders, regulators, customers, and suppliers.</p><p> <strong>How is the COVID-19 pandemic changing the way organizations assess and manage risk?</strong></p><p>Seemingly overnight, major businesses are bankrupt, strapped for capital, scaling back and downsizing, or even changing their business model. The pandemic has reinforced that the pace of change is ever increasing, unpredictable, and that no organization can be complacent in its strategy, market position, or relative competitive advantage. Each organization must reconsider its strategy and related risk appetite, and specifically assess how prepared it is for such widespread risks, including "black swan" events. Do they have processes to scan the external environment for emerging risks? Have they assessed the organization's ability to withstand disruptions? Are they using scenario planning and "what-if" analyses? Do they have effective monitoring processes to alert them to fast-moving changes? Internal audit has an opportunity to assist management in such assessments.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​22% of employees globally feel pressure to compromise</strong> their organization's ethics standards or policies — or the law.<br></p><p> <strong>30% of top management feel pressure to "bend the rules" versus 17% of non-managers. </strong></p><p>"By identifying employees who may be at a higher risk for feeling pressured to bend the rules, organizations can be proactive in addressing any possible issues before there is a problem," the <a href="" data-feathr-click-track="true" target="_blank"><span class="ms-rteForeColor-8">Global Business Ethics Survey</span></a> notes. <br></p><p>Source: Ethics and Compliance Initiative, Global Business Ethics Survey — Pressure in the Workplace: Possible Risk Factors and Those at Risk<br></p></td></tr></tbody></table> <p> <strong>A big part of the COSO ERM framework is considering risk during strategic planning. How can the framework help the many organizations that have been forced to rapidly change strategies in response to changing business conditions?</strong></p><p>Whether it's a first-time strategy exercise, or a re-look given unanticipated change, the guidance in the COSO ERM framework is useful. The framework guides organizations to consider downside and upside impacts. In evaluating how the strategy should change, an assessment of the impact on objectives, operations (such as increased use of technology and remote employees), competitors, customers, and regulatory requirements is needed. Can new flags be designed to better alert management to emerging risks? Leveraging the framework in a strategic reassessment helps ensure new strategies are aligned with the mission, vision, and core values; the implications of the chosen strategies are understood; and that long-term capabilities exist to execute the strategies.<br></p><h2>The Line Between Negative Tests and Recovery<br></h2><h3>Employees returning to the office may not be fully recovered from a COVID-19 bout.<br></h3><p>In the midst of the COVID-19 pandemic, there has been a blurring of what recovery from the virus actually means. Although a patient can be designated as "recovered" following a negative test for the virus, common symptoms such as chest heaviness, breathlessness, muscle pains, and fatigue can last weeks or even months, according to an <a href="" data-feathr-click-track="true" target="_blank">article</a> in <em>Nature Research</em>. These symptoms could prevent individuals from resuming work at their expected productivity. <br></p><p>"Some people, especially the young and healthy, might not see a need to follow preventive measures, because they expect only a few days of flu-like symptoms at the worst," says Nisreen Alwan, associate professor of public health at the University of Southampton.  </p><p>Alwan recommends regular follow-ups for all patients who have experienced a positive test or highly probable COVID-19 symptoms. Return-to-work policies should account for this recovery time. <strong>— L. Wamsley</strong></p>Staff1
Editor's Note: Excelling in Challenging Times's Note: Excelling in Challenging Times<p>​It's hard to believe we are already publishing the October issue of <em>Internal Auditor</em> — and still working from our homes. In this year of sudden disruption, I'm excited to share some positive news by continuing our annual tradition of presenting the up-and-coming stars of the internal audit profession. You can meet <em>Internal Auditor'</em>s 2020 Emerging Leaders beginning <a href="/2020/Pages/Emerging-Leaders-2020.aspx" data-feathr-click-track="true">here</a>.<br></p><p>These leaders stand out because they have a passion for the profession, and they understand what it takes to advance their careers. This year, we take a deeper look into just what that is. In a package of articles, we consider the hiring process and the benefits of mentoring. </p><p>Successful internal auditors are intentional in their search for employment. They look for organizations in which they can grow and advance — that means choosing an organization that understands the importance of internal auditing. According to former Emerging Leaders Seth Peterson (2013) and Alex Rusate (2017), internal auditors should consider three areas: the prospective organization's culture, its governance structure, and how the audit function operates (e.g., does it conform to the <em>International Standards for the Professional Practice of Internal Auditing</em>?). Peterson and Rusate consider the hiring process from both the job candidate's and the hiring manager's perspectives in <a href="/2020/Pages/Recruiting-the-Next-Generation-of-Internal-Auditors.aspx" data-feathr-click-track="true">"Recruiting the Next Generation of Internal Auditors."</a><br></p><p>Once on board at an organization, participating in mentorships is a great way for internal auditors to learn and grow. Many of this year's Emerging Leaders serve as mentors. "Mentoring is critical in the ever-changing environment of technology and internal audit," says 2020 Emerging Leader Michelle Brown. In fact, mentorships can be a win for both the employee and the employer. As Christine Janesko writes in <a href="/2020/Pages/Mentorships-That-Work.aspx" data-feathr-click-track="true">"Mentorships That Work,"</a> "Research shows that mentoring relationships can improve communication and leadership skills and help with employee retention and engagement."<br></p><p>In late 2019, The IIA's volunteer Emerging Leaders Task Force launched a successful pilot mentorship program for internal auditors. It paired 10 emerging professionals with 10 senior internal audit leaders from throughout the U.S. Nancy Haig, chair of The IIA's North American Board, participated as a mentor in the program. She shares her experience and the experience of others in "<a href="/2020/Pages/Mentorships-That-Work.aspx#MentoringProgram" data-feathr-click-track="true">A Mentoring Program for Audit Professionals</a>." Many of the mentees who participated in the pilot are past Emerging Leaders.<br></p><p> <em>Internal Auditor</em>'s Emerging Leaders, past and present, continue to impress and inspire us with all they are accomplishing. A big congratulations to the 2020 Emerging Leaders. We can't wait to see what you do next.<br></p>Anne Millage0
Kickstart Your Audit Career Your Audit Career<p>Congratulations! You've just earned your Certified Internal Auditor designation from The IIA and landed that internal audit position at that company you've been so eager to work for. You're likely focused on making a good impression, launching your career, and making it a long-term success. How do you accomplish that as a new auditor? Three key steps can help make your experience positive, productive, and fulfilling as you embark on your career.<br></p><h2>1. Make It Your Business to Know the Business</h2><p>While most new employees have a limited understanding of the business, it is inexcusable for that deficit to persist for an extended time. Internal auditors need to understand the products or services their company offers. Asking good questions is essential, but auditors need to know what to ask and who to ask it of — and they need to do their own research. </p><p>One of us started our first job in an internal audit department at a large technology company. The company's products were complex, and there was an implicit notion that anyone who worked in finance, accounting, or internal audit didn't really need to understand the technology — that was for the engineers and sales personnel. While auditors may not always need to possess in-depth technical knowledge of company products, they should at least have a general understanding to demonstrate basic knowledge and "speak the language" of the organization. For example, an auditor in the manufacturing industry could request a tour of the production line or reach out to the research and development team. In the services industry, auditors could contact sales personnel to learn more about customer offerings. Understanding the company's products or services can help auditors connect their observations with risks. <br></p><h2>2. Cultivate Client Relationships </h2><p>Audits are not conducted in isolation. The job involves scheduling pre-audit meetings, conducting interviews, and presenting critical audit findings to management. Internal auditors' ability to build effective client relationships will largely determine their success as practitioners. If possible, they should not let the pre-audit meeting be their first interaction with the client. </p><p>Suppose, for example, that internal audit is scheduled to review the organization's payroll in the next quarter. The assigned auditor should take the initiative to introduce him or herself, before the engagement begins. This can happen organically if the auditor is working on premises — for example, upon seeing the audit client in the organization's break room or hallways. Otherwise the auditor could set up an informal chat via phone or video conference. </p><p>Some of the most challenging yet rewarding experiences we've had as auditors came from presenting significant audit deficiencies during the exit meeting. Although these discussions can be difficult, clients typically recognize their value — partly because we take the time to build the relationship. Of course, auditors should avoid letting client relationships impact their ability to objectively assess processes and controls. But maintaining independence and objectivity does not preclude relationship building across the organization.<br></p><h2>3. Get a Mentor </h2><p>Mentoring can be a powerful tool for professional development. The right mentor can increase a practitioner's visibility within the company or industry, help visualize a long-term career path, and provide tactical support along the way. If the mentee is thinking about transferring to a different area of the organization, a mentor from that area can help determine whether a transfer would make sense, and if so, advise on how to get there. Working with a mentor within internal audit can also provide tremendous benefit, as he or she can support professional development and counsel on how to navigate the less defined areas of the job (see "<a href="/2020/Pages/Mentorships-That-Work.aspx" data-feathr-click-track="true">Mentorships That Work</a>").</p><p>Many large companies have well-established mentoring programs that will match candidates with a more experienced professional. New auditors should take advantage of this resource. In the absence of a formal program, auditors should leverage their professional network to seek out mentors on their own. When selecting a mentor, auditors should consider choosing someone who:</p><ul><li> You can feel comfortable discussing your goals and challenges with.</li><li>Can offer a different perspective — picking someone who thinks like you limits growth opportunities. </li><li>Can be trusted to provide sound professional guidance. <br></li></ul><h2>Kick Into High Gear</h2><p>The internal audit profession can be dynamic and rewarding, but the quality of the experience depends largely on the effort practitioners put into it. The early days in audit are critical, and they set the stage for opportunities that follow. Auditors who can speak the language of the business will be recognized. Those who network and view themselves as part of a broader organization, rather than just a member of the internal audit team, will approach their work with a value-add mentality and build key relationships. And those who find a mentor they can trust will gain a line of sight they wouldn't otherwise have to navigate their current role and their career.<br></p>Rachael Moyer1
A Culture of Service Culture of Service<p>Service-oriented auditing is not a new concept. For many years internal audit leaders have built client-focused practices into their approach, such as agreeing well in advance on convenient times for engagements, clearly communicating the scope of work to be completed, and confirming engagement details in writing with management. Essentially, they seek to work with clients as business partners rather than using a box-ticking, compliance-oriented approach. And while these are constructive practices that help build relationships, they fall well short of the level of service to which we should all aspire. To best serve the organization, we need to embed a culture of service in the audit function — where management is kept continuously informed and expectations are regularly exceeded.</p><p> A culture of service permeates the entire audit function, not just its leadership. The audit team collectively should understand the importance of client relationships and their value to the audit process. Accordingly, every member of the audit function should help ensure that anyone who interacts with internal audit is well-informed of relevant audit objectives, what to expect from engagements, and timelines for deliverables. These efforts will help develop and solidify client relationships in day-to-day interactions across all levels of the department.</p><p> Communication plays a key role in providing superior service — it should be both frequent and ongoing. As common practice, auditors share the audit announcement, written scope of work, and audit report. But there is a lot more to offer during planning, fieldwork, and reporting — and auditors should not limit their deliverables to only these few documents. Additional written communication can include minutes from meetings with management, status updates on engagement progress, and preliminary observations identified.<br></p><p> More frequent verbal communication can also be valuable, such as explaining audit objectives for internal control testing and clarifying document requests. Although these communications may not be necessary, they can help maintain open dialogue with clients and enable them to better understand the audit process. And by keeping clients informed, internal auditors are more likely to be seen as professional service providers rather than overseers assigned to judge people, process, and performance. The effort not only facilitates better relationships but can also dramatically improve the audit function’s image in the organization.</p><p> Famed NFL quarterback Roger Staubach said, “There are no traffic jams along the extra mile.” In other words, the pack begins to dwindle when extra effort is required. For internal auditors, that extra effort can help build strong relationships and distinguish internal audit as a trusted advisor. Embedding a culture of service in the audit function doesn’t have to involve additional costs, delays, or compromises — but going the extra mile will always bring the best possible results.<br></p>Bhavin Raithatha1
Beyond Diversity and Inclusion Diversity and Inclusion<p>Demands for racial justice went global in recent months, largely in response to the publicized killings of George Floyd, Ahmaud Arbery, and Breonna Taylor in the U.S. The movement that galvanized around this issue followed soon after other recent movements that drew attention to injustice and inequality related to race and ethnicity, gender, religion, and sexual orientation. Increasingly, the importance of social equity and justice is gaining recognition in today's globally interconnected world.</p><p>For example, more than three-fourths of Americans <a href="" data-feathr-click-track="true" target="_blank">surveyed</a> last year by research organization JUST Capital say they strongly believe companies should publicly condemn structural racism and racial injustice and take concrete steps to create a more equitable future. As support for social equity has grown stronger, employees, customers, and investors are putting pressure on companies to lead transformative change. </p><p>"Internal auditors have an opportunity to make a significant impact with the energy and momentum of recent social justice events," says Susan Haseley, executive vice president and global diversity and inclusion leader at Protiviti in Dallas. </p><p>She says internal auditors can lead discussions with senior management and the board about risks and opportunities related to diversity, equity, and inclusion (DEI) as part of organizational culture. Beyond that, auditors can design a roadmap to reach the organization's strategic DEI objectives, provide ongoing insight about how to overcome obstacles, and hold the organization accountable to achieve the agreed-upon objectives. </p><h2>The Goal of Equality</h2><p>Inequality persists globally — especially on the basis of race, ethnicity, and gender — despite incremental progress made by decades of social movements and legislative changes, according to an <a href="" data-feathr-click-track="true" target="_blank">Oxfam briefing paper</a> (PDF) released in January. The COVID-19 pandemic has reflected and magnified that inequality, with its health and economic impacts disproportionately impacting <a href="" data-feathr-click-track="true" target="_blank">women</a>, as well as <a href="" data-feathr-click-track="true" target="_blank">people</a> who are Black, Indigenous, or in ethnic minority groups.  </p><p>Reducing inequality and supporting marginalized and disadvantaged people are among the 17 Sustainable Development Goals (SDGs) the United Nations seeks to achieve by 2030. The reasons for the SDGs' focus on inequality are practical. The World Economic Forum's <a href="" data-feathr-click-track="true" target="_blank">Global Risks Report 2020</a> (PDF) warns: </p><p> <span class="ms-rteStyle-BQ">"Inequality hinders growth and damages macroeconomic fundamentals … slows down economic activities, and casts doubt on a country's stability. This damages investor confidence and undermines political capital — both fundamental conditions for prosperity, especially in times of economic volatility."</span><br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​MORE</strong></p>IIA members, click <a href="" data-feathr-click-track="true" target="_blank" style="text-decoration:underline;"><span class="ms-rteForeColor-8" style="text-decoration:underline;"><strong>here</strong></span></a> and log in to read The IIA's Global Knowledge Brief, Beyond Diversity and Inclusion: Social Equity and Corporate Social Responsibility.</td></tr></tbody></table><p>The SDGs have created a new reality for businesses, says IIA Global Board Chair Jenitha John, who led DEI initiatives in her former role as a chief audit executive (CAE) in post-apartheid South Africa. "The reality is that the blended value proposition in organizations has to align with the SDGs as well as the transformation imperatives in a specific organization," she explains. According to the <a href="" data-feathr-click-track="true" target="_blank">blended value proposition</a> (PDF), a company's economic value works in concert with its social value. "These should be vital for internal audit to consider," John says.</p><p>Stakeholders want to see corporate social responsibility and other environmental, social, and governance issues measured, tracked, and <a href="" data-feathr-click-track="true" target="_blank">reported</a> (PDF) transparently. A recent <em>Agenda</em><em> </em> <a href="" data-feathr-click-track="true" target="_blank">report</a> suggests DEI-related metrics will become more heavily weighted in executive compensation plans. </p><p>And CEOs are starting to receive this message. Last year, the Business Roundtable, a group of 181 CEOs of prominent U.S. companies, signed a new <a href="" data-feathr-click-track="true" target="_blank">Statement on the Purpose of a Corporation</a> (PDF). In it, the CEOs committed to "move away from shareholder primacy" and instead to lead their companies "for the benefit of all stakeholders — customers, employees, suppliers, communities, and shareholders." </p><h2>Auditing DEI</h2> <p>The CEOs' emphasis on social responsibility — including DEI issues — aligns with a growing focus on corporate culture. Internal audit is uniquely positioned to assess culture, says John, who was recently named CEO of the Independent Regulatory Board for Auditors in South Africa. "Internal audit has the mandate to see holistically across the organization; to audit against a framework, criteria, policies, and procedures; and to test whether the talk is being walked by leadership," she says. </p><p>For organizations just beginning their DEI efforts, internal audit can conduct consulting engagements to establish baseline data that may help prompt the discussion (see "Conducting Baseline Assessments" below). Such engagements should consider the organization's unique context and the maturity of its DEI journey. Internal audit should coordinate its work with the organization's human resources (HR) and senior leadership, the board, and other key stakeholders. Organizations should consider seeking assistance from an external DEI expert or firm, if necessary. </p><h2>Leadership's Role</h2><p>In assessing the organization's DEI efforts, internal audit can work with senior management and the board to explore how the organization's current state compares with its vision for the future. Any discussion about social equity must begin with a close look at the organization's values, says Perry Liu, CAE and diversity and inclusion champion at CSAA Insurance Group in Walnut Creek, Calif. </p><p>"It's also important to look at your competitors and then ask, how do we want our brand to be represented?" he explains. "Are our mission, vision, and value statements just words on paper, or have they been translated into tangible actions?" If they haven't, the organization should determine why not and how it can change. </p><p>When internal auditors notice inconsistences, they should speak up to management, John says. "Internal audit can act as the catalyst by pointing out the red flags emanating from the audit process through root cause analysis, interviews, data analytics, conducting an audit engagement, or just observing behavior," she explains. John notes that addressing especially sensitive observations may require CAEs to have closed discussions with the chairman and members of the audit committee, without management present. </p><p>"Leadership, from the top down, sets the tone for culture, for what behavior is acceptable and what is not acceptable," Haseley says. Without such commitment, DEI initiatives are unlikely to be prioritized, which leaves them doomed to struggle and fail.</p><h2>Cultural Intelligence, Empathy, and Persistence</h2><p>A key to shifting to a culture that embraces all stakeholders, according to John, is bringing awareness to cultural intelligence. She describes <em>cultural intelligence</em> as the "connective, collaborative, collective intelligence" that recognizes the value of each person's unique beliefs, intellect, wisdom, and qualifications. </p><p>"If we can educate, train, and bring awareness to cultural intelligence, then we can harness that uniqueness and bring about the best for organizational value creation and success," John says. "Innovation and creativity are harnessed best when working as a collective."</p><p>To gain cultural intelligence, leaders must demonstrate empathy — a true desire to understand the experiences of others who are unlike themselves, says Tony Williams, senior vice president of Global Human Resources, Transformation Enablement and Regions, at The Estee Lauder Companies Inc. in New York. <strong></strong>"Understanding, in a thoughtful manner, the psychological journeys and hurdles faced by other human beings enables leaders to better leverage their power to influence positive change based on those learned perspectives," he explains. </p><p>And persistence is key, according to Liu. "If you can recruit one high-level person to be on your side, they'll help you recruit others," Liu says. It's similar to following up on open audit issues. "You can't mind being that pest to consistently bring up issues until they are remediated," he explains. "It's all about celebrating the small wins and hoping they turn into bigger wins." </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​ <p> <strong>Conducting Baseline Assessments</strong></p><p style="text-align:left;">To gather baseline information about the state of the organization's DEI, internal auditors may consider assessment activities, including:</p><ul><li>Conducting interviews, focus groups, and surveys on the views and experiences of employees, customers, and other stakeholders related to diversity, inclusion, and social equity and justice. These should include reflections on the organization's operations and communications. </li><li>Reviewing ethics hotline calls for reports of DEI-related concerns and how they were managed. </li><li>Reviewing internal and external communications related to DEI, including crisis communications plans. </li><li>Reviewing HR policies, practices, and metrics, and benchmarking them against a DEI framework. </li><li>Determining whether the organization has measurable DEI goals with specific, meaningful performance targets, indicators, and incentives. Internal auditors should identify how management is held accountable for achieving equity targets.</li><li>Evaluating social equity implications<strong><em> </em></strong>related to goods, services, processes, and stakeholder relationships. For example, auditors should review the organization's philanthropic activities and contributions, as well as the investments of the business and its affiliates for risks and alignment with the organization's mission and values. Additionally, auditors should review supply chain management and processes to determine whether they promote supplier diversity, including providing opportunities for small and minority-owned businesses. Moreover, they should determine whether those processes detect, monitor, and restrict practices detrimental to social equity, such as the exploitation of workers.</li><li>Evaluating whether the organization's stated values are integrated into its strategy, reflected in its policies and communications, and aligned with its actions. Auditors should identify discrepancies, shortcomings, and their root causes, as well as potential remedies.</li><li>Evaluating public transparency related to DEI metrics as part of nonfinancial reporting.</li><li>Reflecting on results with senior leaders and the board. </li></ul></td></tr></tbody></table><p></p>Lauressa Nelson1
Magical Words Words<p>In 2015, an IIA task force composed of leading practitioners from around the world considered whether the 1999 Definition of Internal Auditing should be updated. The task force concluded that the definition remained an excellent description of internal auditing:</p><blockquote><p><em>Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.</em></p></blockquote><p><br> However, the task force supplemented the definition with the Core Principles for the Professional Practice of Internal Auditing and the Mission of Internal Audit. These were a significant step forward in guiding internal audit functions around the world.</p><p> The task force wrote the Core Principles and Mission very carefully. Its intent was to make them concise as well as punchy and powerful. In addition to some important language, they contain magical words that carry great meaning.</p><p> The brief Mission, which is intended to be optional guidance for audit functions that wanted to create a mission statement for their own department, reads: <em>“To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”</em> </p><p> Let’s break down that statement to show how internal audit can apply those words, especially the three magical words — assurance, advice, and insight — to help the organization achieve its objectives.</p><h2> Enhance and Protect</h2><p> Traditionally, internal audit has focused on assessing the design and operation of the controls that keep risks within desired boundaries. The emphasis has been on <em>protecting</em> the organization from harm. Internal auditors identify the things that might happen to impair the ability of the organization to achieve its objectives, commonly referred to as risks. They assess the level of those risks and determine whether management has an effective system of control in place that provides reasonable assurance that the risks are at acceptable levels.</p><p> But, the task force members believed that internal audit has the ability to help the organization not only protect, but <em>enhance</em>, value. For example, auditors can consider whether management has effective processes, systems, and controls to:</p><ul><li>Optimize the value of the deals made with customers.</li><li>Seize opportunities when competitors stumble.</li><li><p>Recognize the possibilities presented by new technology for enhancing the organization’s processes, systems, or operations.</p></li></ul><p>Hire outstanding individuals, even when the organization does not have open positions.</p><p> Internal controls not only provide assurance on managing or mitigating the downside, but they also enable seizing and optimizing the upside. In fact, internal controls surround the processes for making the decisions about which risks to take. They provide assurance that the right people are making important business decisions, based on timely and quality information — including input from others who might be affected — after weighing all the things that might happen, both harmful and beneficial.</p><p> The task force recognized that considering downside risks without the context of the potential reward is not a wise way to make decisions, run the business, and be successful. Internal audit needs to help management make informed and intelligent decisions, taking the right risks to achieve enterprise objectives.</p><h2> Risk-based</h2><p> The traditional internal audit risk assessment process involves prioritizing the organization’s business units, processes, and systems based on factors such as revenue, complexity, and history of control issues. Internal audit performs a second risk assessment before each audit engagement starts to identify the more significant risks to the specific business unit, process, or system. Those lower level risks become the scope for the audit.</p><p> For example, when I became the chief audit executive (CAE) at a large global manufacturing business, I inherited an annual risk assessment process that identified the locations that should be audited based on those traditional risk factors. One of those locations was the operation in Austin, Texas. In its planning for the audit, the team had identified information security, procurement, and accounting as the more significant areas of risk where they would test related controls.</p><p> I had only been with the company a week when I was given the draft audit report for Austin to review. The team had identified several issues that they assessed as significant, and after reviewing its work, I agreed. My problem was that the issues were only significant to operating management in Austin. They were not significant to senior management of the company. The audit had focused on risks to operations in Austin rather than risks to the enterprise.</p><p> I changed the audit planning process so the audit plan was designed to address the more significant sources of risk — and opportunity — to the organization’s objectives. We started with understanding those objectives, identifying the more significant sources of risk to achieving them. Then we determined what we should audit and where to obtain assurance that those enterprise risks were addressed appropriately.</p><p> One of the more significant sources of risk and opportunity was the company’s ability to source quality materials at a good price at its more than 150 plants around the world. The business operated with very low margins, and our ability to meet customer demands and make a profit depended heavily on the effectiveness of the procurement processes.</p><p> I designed an approach with multiple audit engagements. Three of my best people — the two leaders of my U.S. and Asia teams and our specialist in procurement and contract auditing — performed consecutive audits of some of our largest operations, in Bordeaux, France; Charlotte, N.C.; Penang, Malaysia; and Suzhou, China. They also looked at the global procurement department at our corporate headquarters in California, which negotiated global contracts with our primary vendors. Not only did they assess the design and operation of the procurement functions at each location individually, but they also considered how well they shared best practices and worked together.</p><p> We published one report with our assessment of our enterprise ability to source quality materials at a reasonable price. The report identified Penang as being world-class, with opportunities for the company if its practices were adopted by the other locations. We also shared individual assessments in reports to each of the locations’ management teams.<br> </p><p>Instead of providing information that mattered to local management, we provided information that mattered to enterprise management. This is enterprise risk-based auditing.</p><h2> Assurance</h2><p> The Mission of Internal Audit says internal audit provides “risk-based and objective assurance, advice, and insight.” While it is fairly clear what <em>objective</em> means, not everybody understands what the statement means by <em>assurance</em>.</p><p> Assurance, advice, and insight are magical words. They carry huge significance, and if internal auditors are able to optimize the quality of the assurance, advice, and insight they provide to leaders of the organization, they will be highly valued.</p><p> Assurance is much more than expressing an opinion on the adequacy of controls and detailing the controls that are less than effective. For example, when I asked my audit committee chairman how well internal audit was performing, he said we “helped him and the other board members sleep through the night.” We gave him assurance that he could rely on the company’s organization, systems, people, and processes to perform as management and the board needed. Any time there was a serious weakness that threatened the achievement of objectives, he knew we would not only find it but work with management to correct it.</p><p> Similarly, when I asked the CEO of the division that owned 6,000 convenience stores and gas stations for his assessment, he said, “We helped the organization stay efficient.” That was a critical need for him because this is a very low-margin business.</p><p> The highly effective CAE provides business leaders with the assurance they need that the more significant potential harms will be addressed and opportunities seized. The CAE shares his or her assessment of the systems of internal control and enterprise risk management that the organization relies on to manage the business and the things that might happen on the road to successfully achieving objectives. </p><p> In the previous example, the opinion statement in the audit report provided management with the assurance it needed relative to the organization’s ability to source materials and achieve cost-control objectives. But internal auditors do more.</p><h2> Advice and Insight</h2><p> Many internal auditors are uncomfortable sharing their advice, let alone their insight. They will recommend corrective actions for the control weaknesses they identify, but they are reluctant to go further. Yet, several of the task force members spoke eloquently about how the less formal advice they gave management in one-on-one meetings often was of greater value than what they were able to put in the formal report.</p><p> Internal auditors are professionals. Their position as objective observers of the organization and its processes enables them to obtain insights that, if shared with management, can be very valuable to them. When internal auditors combine their professional <em>insights</em> with their ability to give advice to management or the board, they are delivering great value to the organization.</p><p> Just as doctors and mechanics are entitled to their professional opinion, so are internal auditors. It is not necessary to have the level of proof that will stand up in court; auditors can rely on their experience and intelligence in forming their judgments and insights. </p><p>Sharing those insights in the form of advice is easier when management sees internal auditors as professionals and respects their objective assessments. In my experience, management will listen and thoughtfully consider that advice before making its own judgment and decision.<br></p><p> My experiences, which are similar to others in the task force, included:</p><ul><li>Discussing with senior management the inability of a department head to trust his employees, delegate work, or motivate his employees. As a result, he was overworked and making mistakes in accounting and customer billing.</li><li>Reviewing a proposed organizational realignment with the chief information officer and giving him my opinions on how well it might work.</li><li>Sharing the audit team’s experience at a prior employer with the software that the IT department was planning to implement.</li><li>Helping a division CEO understand that his relationships with his direct reports and micromanagement of capital spending was inhibiting their performance.</li><li>Advising a recently acquired subsidiary’s chief financial officer about how to work effectively with the corporate finance team.</li><li><p>Informing an executive that some of his people were excellent and of high potential.</p></li></ul><p>I recall a meeting I had with a senior executive that went well over the allotted time. As we went to the door to leave for our respective meetings, I thanked him for his time and apologized for going over. He turned to me and told me not to apologize. Our meeting, when we had discussed at length the division’s operations and challenges, was one of the few times he was able to sit and think about the business rather than constantly fighting fires. He respected my insights, appreciated the way my questions made him think, and valued my advice.</p><h2> Make a Difference</h2><p> Business leaders welcome the assurance, advice, and insight that a respected professional, such as the CAE, can share about his or her operations. When we talk about what matters to them — their ability to succeed — they value:</p><ul><li><em>Assurance</em> that they can sleep at night, knowing they can rely on the organization’s people, systems, processes, and controls.</li><li><em>Advice</em> on how they can address any deficiencies and improve their efficiency and effectiveness.</li><li><p><em>Insights</em> on other matters that affect how they run the organization, making the informed and intelligent decisions necessary for success.</p></li></ul><p>Internal auditors should not restrict their work — their products and services — to assessing only the controls that protect value. They should provide the assurance, advice, and insight that leaders need, when they need it, on what matters to the success of the organization. That includes creating value as well as protecting it. Internal auditors are professionals with the ability to help management and the board succeed, and should not unnecessarily limit their ability to make a difference.<br></p>Norman Marks1
There Are No Right Answers Are No Right Answers<p>​One goal shared among attendees at new auditor seminars is learning the best ways to get things done. They are thirsty for information about how to perform their new jobs correctly — how to do things "right."</p><p>But as an instructor, my initial response to their questions can be frustrating. They ask what The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em> require, and I answer that they provide guidance but do not specify exactly what to do. The right answer, I tell them, depends on individual circumstances and the requirements of the organization. They ask how best to handle a certain situation, and I say it depends on the circumstances and the department. They ask how best to accomplish an audit step, and I say it depends. Eventually, they ask a question, I smile back, and they say, "I know; it depends." I am not being flip; I am trying to help them see the realities of working in the internal audit profession.</p><p>Students are trained to always expect a right answer. They are graded on the absolute correctness of their exam responses, they hear real-life case studies that have a single solution, and in accounting, they memorize rules and concepts that lead to correct outcomes. At the end of their studies, they graduate assuming that the business world is built on the existence of such right answers.</p><p>Thrust into the real world, they learn that shades of gray dominate. And this is just as true for internal auditors as it is for anyone — except that the profession doesn't always act that way.</p><p>Auditors do not like to make mistakes. Maybe it's because we're supposed to be the masters of controls, maybe it's because we are supposed to know how to mitigate all risks, or maybe it's just because we think making mistakes hurts our credibility. But whatever the reason, we act as though there has to be a single right answer to everything — one right way to test, one right way to assess risk, one right way to write a report, one right way to correct an identified issue, and one right way to audit.</p><p>That is not the real world. And that is not real internal auditing. There are better answers, but not perfect ones.</p><p>Talk to five chief audit executives about their No. 1 risk and you'll get five different answers. Talk to 10 auditors about how to write a report and you'll get 10 different solutions. And talk to any client about his or her idea for a "perfect" solution to an identified issue and it may be 180 degrees from yours.</p><p>No one is right. And everyone may or may not be wrong. Internal auditors must recognize that there may be any number of answers. Our challenge is to help clients determine what answer might be best.</p><p>And how do we solve that problem? Well, it depends. … <br></p>Mike Jacka1
The Way Forward Way Forward<p>​As the pandemic has swept across the globe, it has upended organizations in every sector of the economy. Some have thrived, some have fallen by the wayside — and many have moved forward by changing the way they do business. As a result, internal auditors are finding their historical audit universe feels outdated. </p><p>Audit plans need to be refreshed to address emerging risks. Even the way teams audit must evolve. And while all this change may feel daunting, it is also an opportunity to rethink internal audit's value, how it's perceived today, and what it needs to look like tomorrow. Now is the time to reposition the audit function to maximize value delivery in this rapidly changing world. <br></p><h2>Stakeholders and Internal Controls </h2><p>Executives and boards need to challenge everything about their business to emerge from the current situation with strong and competitive fundamentals. For example, marketing strategies are transforming, and go-to-market approaches need to be revised in light of the shift to a virtual-centric environment. Profitability models and cost structures are being reevaluated along with organizational makeup and spans of control. Old risks are being reprioritized and new risks are emerging. Leadership wants key departments such as internal audit to be proactive and engaged in the change. <br></p><p>"As the business environment is changing so rapidly, our stakeholders have expectations that we (internal auditors) will be changing <em>at least as fast</em> in order to help the business to mitigate and understand emerging risks," says Rachel Tressy, chief audit executive at Voya Financial in Weatogue, Conn. "For example, we've moved away from an annual audit plan, in favor of a six-month view of our plan that we share with our audit committee quarterly. This ensures that both our plan and the specific scope of our audits are focused on the highest priorities." <br></p><p>The cornerstone of audit testing — controls — also must change to keep up. Take, for example, cybersecurity controls. New demands for greater remote workforce capabilities challenge existing data security and privacy controls. Changing customer behavioral patterns and expectations are necessitating new controls related to companies' online presence and virtual transaction capabilities. This flood of new control requirements is being countered by companies' need to cut costs, including reducing headcount, to maintain profitability. In addition, cybersecurity risk, historically a hot topic garnering much attention, may now be eclipsed by all of the new emerging business risks. Internal audit needs to refresh its view of the control universe and help identify new gaps that need to be addressed. <br></p><h2>Relationship Building </h2><p>Auditors also need to ensure a strong focus on relationship building and communication — two skills that can make the difference between a good audit team and great one. And in the virtual world, it takes even more effort to get these skills right. <br></p><p style="text-align:justify;">"We have to find creative ways to stay connected to business partners, and our team members in the virtual environment — we don't have the ability to 'pop in' and talk," Tressy says. "We need to find ways to build and expand our relationships; we need to be 'in the know' and on people's minds. When we have strong relationships and know what the business is going through, we are better auditors." <br></p><h2>Innovation and Development </h2><p>Changing the nature and focus of audits is only half of the repositioning needed right now. This is also an opportune moment for audit teams to rethink how they perform many aspects of their work. Embracing new processes and tools to modernize and maximize the audit function helps not only with the perception of internal audit's value, but also the reality of its contributions. Opportunities to evaluate include virtual auditing, electronic workflow management, and distance team-building and development.   <br></p><p>"I am reminding team members to intentionally create space in their week to innovate," says Tammy Valvo, chief audit executive for Gate City Bank in Fargo, North Dakota. "We are identifying what we want to look like in the future and then creating the roadmap to get there, including KPIs and KRIs linked to performance objectives. We will also spend time discussing the concepts of independence and objectivity to ensure we maintain them in our future vision." </p><p>COVID-19 has put a strain on auditor development due to reduced in-person interaction, communication constraints, and decreased availability of traditional training outlets. But this period of isolation has also provided a time for reflection that can be channeled into a reevaluation of team development needs and gaps. Professional development must continue to be a top priority, enabling audit teams to maintain relevance by developing the skills needed to address their audit plan and deliver value. Fortunately, there are a myriad of tools available to facilitate training for a remote workforce. </p><img src="blob:" alt="" style="width:1px;margin:5px;" /><p>Zoom, Microsoft Teams, Skype, GoToMeeting, and Webex are some of the more common platforms to deliver real-time feedback and synchronous online teaching. Also, many companies maintain their own library of recorded training that can be accessed online, or leverage online learning content consolidators such as Coursera and edX. Specialized training that once was only available in person can now be easily recorded and accessed via online technology such as Camtasia, Biteable, or Soapbox. With so many powerful tools available, this can be a productive time for audit leaders who want to develop their team — and for auditors who want to brush up on their skills. <br></p><h2>Maximize the Opportunity </h2><p>Change is accelerating, and "business as usual" will not return in the same form as before. Now is the professional call to action for audit teams to not only embrace that wave of change but also to harness it, using this moment of reflection to determine what internal audit can be in the future. Audit leaders who maximize the opportunity to refresh and reposition stand to make their work more relevant and impactful for stakeholders as well as more exciting and rewarding to their teams. </p><p><em>Karen Begelfer will be moderating a panel discussion on "Repositioning Yourself and Your Team for 2021" at The IIA's Women in Internal Audit Leadership Virtual Forum on Sept. 16.</em><br></p>Karen Begelfer1
Necessary, But Not Evil, But Not Evil<p>​How often has the way someone described what we do made you cringe — or feel slighted, if not outright insulted? Choice examples from my own career include: "You are just a bean counter," "You are a corporate cop," and "Internal audit is a necessary evil." I suspect most of us have never counted any beans or practiced law enforcement — and we are certainly not evil. <br></p><p>So, why does this happen? Why do people see us this way, and sometimes feel the need to say it aloud? I can think of at least five reasons:<br></p><ul><li>Internal audit makes them nervous — their comments reflect an awkward attempt at humor.<br></li><li>They do not understand the profession and lack a good frame of reference for what internal auditors do.<br></li><li>They do not like being audited and view engagements as an interruption of their work.<br></li><li>The comments are made as a defense mechanism, out of fear of what internal audit may find.<br></li><li><p>Internal audit deserves the name-calling and criticism.<br></p></li></ul><p>These reasons are not mutually exclusive — the disparaging remarks may be explained by more than one of them, or even all five. Perceptions of internal audit can vary depending people's prior experience with auditors, the culture of the organization, attitudes among senior leadership, and many other factors. But with the right effort, negative perceptions can be changed. Several proactive steps, in particular, can go a long way toward correcting misconceptions and ensuring a more accurate view of the profession. <br></p><h2>Look in the Mirror</h2><p>When we hear negative comments, our natural tendency is to become defensive. But we should resist that urge and instead consider what we may have said or done to make others form that (potentially undeserved) opinion of us. Auditors should ask themselves if they could change their approach, behavior, or demeanor in a way that might alter the way they're perceived. Asking for feedback from trusted sources within the organization, as well as seeking out the confidential advice of a fellow practitioner at another company, may provide insights on potential blind spots. Before pointing to others, auditors should make sure their own house is in order.<br></p><h2>Nip It in the Bud</h2><p>On the other hand, the negative stereotypes we are trying to dispel or avoid may stem from organizational leadership. The CEO, chief financial officer, or other executive leaders might refer to internal audit in a way that paints a negative picture. I have experienced this in the past, and I usually just laughed it off. But in hindsight, it would have been better to politely call out the behavior in private and ask the executive to stop doing it. Failure to condone negative stereotypes, even if they are in jest, can help minimize or even eliminate the unwanted behavior. Auditors should address any negative comments tactfully, but early on — before they solidify people's impressions. <br></p><h2>Build Relationships</h2><p>Auditors should also combat hostility and distrust by developing strong relationships with key individuals. These people consist not only of the senior-most executives, but anyone in the organization considered an "influencer" of other people's opinions and views. Some internal auditors like to hide behind a perception of mystery and intrigue. But taking that approach usually works against them, enabling negative stereotypes to persist. Auditors should take the time, outside of normal audit activities, to invest in relationships and proactively manage perceptions.<br></p><h2>Let the Client Become the Auditor<br></h2><p>If the opportunity presents itself, and the organization is supportive, internal audit could consider a guest auditor program or rotational staffing model. In these scenarios, people who are positioned elsewhere in the organization would spend time in the audit function working on one or more projects. Guest auditors might join internal audit for a single project, whereas rotational programs may involve multiple projects and span one to three years. Through these programs, people in the organization who are not internal auditors get to learn what internal audit is, what it does, and how its practitioners perform their work. When the rotation ends, the participants become potential advocates for the audit function and can help dispel invalid perceptions or myths about the profession. <br></p><h2>Take a Deep Breath</h2><p>Sometimes the fear of the unknown causes anxiety and negative opinions. Until something becomes familiar and understood, quelling that anxiety can be difficult. Especially when reviewing a new area, or an area where many key people are new since the last audit, taking the time to ease concerns can help prevent negative opinions from forming. Practitioners should spend time talking with clients before the project formally begins, if possible. Alternatively, they could build extra time into the project budget to ensure ample opportunities for informal discussions. Clients should get to know auditors as "real people" and have a safe place to ask questions. Then perhaps internal audit will not seem as intimidating, and the audit process will not be such an unknown to them. <br></p><h2>Shifting the Perception</h2><p>While by no means comprehensive, the above steps can go a long way toward dispelling myths and cultivating positive relationships. The key is to adopt a proactive, measured approach and to maintain consistent effort. Those who persist can help change their function's image from a necessary evil to an essential ally. <br></p>Hal Garyn1
Agile Auditing Simplified Auditing Simplified<p>The Agile methodology can be transformative for an internal audit department. A few years ago, while working at one of the largest banking institutions in the U.S. with global operations, I had the opportunity to pilot Agile auditing, and then successfully rolled it out within my global audit team. Since then, I have also implemented Agile auditing at a smaller financial institution. </p><p>When the methodology is executed correctly, it provides accountability and transparency that enables audit processes to be performed more efficiently, while empowering staff. Internal audit departments that haven’t yet adopted Agile auditing should learn more about the tools and processes.<br></p><h2> Applying Agile to Audits</h2><p> As a project management methodology, Agile can apply a consistent approach to audits — essentially projects — providing staff members with tools for success, and thereby decreasing the risk that audits will be poorly managed. </p><p> <strong>Short, Efficient Cycles</strong> Agile breaks the audit down into small chunks of work that are delivered within short cycles — such as two weeks — of work called sprints. Each sprint has a series of meetings or events that facilitate the management of work.</p><p> Sprints begin with a planning meeting, where the team agrees on what work will be completed within the sprint. This is followed by short, daily “stand-up” meetings, where team members discusses their work to ensure that it can be successfully delivered. </p><p> As the audit progresses, new information or findings may be identified that require adapting the audit approach or audit work. “Storytime” meetings, held as needed, provide the flexibility to update the work to be completed within the audit or the sprint. </p><p> The audit team leverages a sprint review at the end of the cycle to showcase its sprint achievements, explain any tasks that were not completed, and add any tasks it identified during the sprint to the backlog. It holds a retrospective meeting to help the team continuously improve by asking what went well, what could be done better, and what should be implemented in the next sprint — whether it’s continuing something that worked or fixing something that didn’t. </p><p> <strong>Capturing the Work to Be Performed</strong> At the beginning of the audit, the audit team captures and prioritizes all the tasks or activities to be performed in the form of a backlog, which is updated, as needed, throughout the audit. This backlog comprises user stories that are defined in the format: </p><ul><li>As a [User: Who is the task for?]</li><li> I want [What needs to be done?]<br></li><li> So I can [Why does user want this?]<br><br></li></ul> <p> User stories ensure expectations and deliverables are clearly captured and agreed upon before execution. Capturing the “why” helps provide a consistent understanding of the purpose of the audit work. Each task has a definition of “Done” so everyone knows what must be delivered. Each user story or task is also sized relative to the others. Sizing the work (extra small, small, medium, large, extra-large) helps track the level of effort required for each user story/task and provides visibility into the level of effort required to complete the audit. </p><p> The audit team is empowered to size the user stories in the initial audit planning meeting where the user story backlog is reviewed and prioritized. CAEs should think ahead about how this backlog may be broken down into sprints throughout the audit. </p><p> In the sprint planning meeting, the audit team should break user stories down into smaller tasks if they are more than a few days of work and describe them in detail so the task and deliverable are clear. During this meeting, auditors also can choose what user stories/tasks they will work on. The task owner is recorded so it is clear who is responsible for ensuring the user story/task is being delivered within the sprint. See “Example High-level User Story Backlog” below for a starter list that can be tailored to any audit. <br></p><p><img src="/2020/PublishingImages/Kaller-example-high-level-user-story-backlog-table.jpg" alt="" style="margin:5px;" /><br></p><p><strong>Transparent Tracking</strong> During the sprint, the team tracks work using a sprint board or task board with columns labeled “Sprint Backlog,” “In Progress,” “Blocked,” “Review,” and “Done.” Initially, the sprint board captures all the tasks to be performed during the sprint in the sprint backlog column. Audit team members work on one task at a time and move it from “In-Progress” through “Review” to “Done.”</p><p> A team member will only begin work on the next task when the user story/task he or she is working on is “Done” or “Blocked,” meaning the task cannot be worked on anymore and action is required to move the audit work forward. This helps reduce the time auditors spend context switching between different tasks — remembering what they were doing so they can start working on a task again — and enables them to focus completely on one task. Capturing blocked tasks enables timely communication about where action or escalation is needed to complete audit work. The daily stand-up meetings also provide the auditor in charge visibility into where an auditor might need additional assistance, as it helps monitor how long the team member has been working on a user story or task. The auditor in charge can follow up with the team member offline if a task is taking longer than expected. The team should only move tasks on the sprint board during one of the events (Agile meetings: planning, daily stand-ups, storytime, or sprint review).</p><p> With the sprint board approach, the team reviews work in real time, so it can identify any complications with execution early and spread reviews of audit work throughout the audit, rather than compressing them at the end of the audit. </p><h2> Common Concerns </h2><p> As with any change, adapting to Agile auditing can be challenging, especially for auditors accustomed to the traditional audit approach or a less structured project approach. Here are a few of the concerns I have heard in Agile audit training sessions and from new Agile audit adopters.</p><p> <strong>Agile Does Not Fit Our Audit Methodology</strong> Because Agile is a project management methodology, its principles can be adopted in any audit department and with any audit methodology. Audit work is performed and documented in line with the internal audit department’s existing audit methodology. Although internal audit functions often implement Agile auditing alongside a move to a dynamic risk management audit methodology, they can benefit from Agile without a dramatic audit methodology change. </p><p> <strong>Daily Meetings Take Too Long and Are Hard to Manage Globally</strong> A common mistake in daily stand-up meetings is having detailed discussions that should be taken offline. They are purely touch points and should last no longer than 15 minutes. These meetings can take as little as five minutes when they are limited to answering Agile daily stand-up questions, and they still provide visibility and support. Stand-up questions include: What did you do yesterday? What are you going to do today? Are there any blocks to delivery (i.e., anything hindering delivery)? Have you identified any exceptions? </p><p> Meetings are easier when the audit team is based locally and can stand around and update a physical storyboard. However, these meetings still add value with remote working. With a global team, it is best to set a time when everyone can attend and to have a virtual storyboard. Where this is not possible, auditors who cannot attend simply send in their updates before the meeting. The auditor in charge can follow up with them after the meeting, if needed. Remote staff can view the virtual storyboard to see the team’s status so they still feel part of the team.</p><p> With the current remote working environment due to COVID-19, a virtual storyboard that can be accessed by the audit team is essential. It is helpful to have user stories in the same file as the storyboard. As the audit is broken down into small tasks, Agile provides visibility into remote working productivity. The audit management team also can access the board to stay close to the audit and see how it is progressing.</p><p> <strong>Stakeholders Don’t Want Daily Meetings With Audit</strong> Stakeholder engagement in the daily stand-up meetings is optional. Often, the auditor in charge will have daily catch-ups with the client’s audit liaison, so the information from the daily stand-up meetings is valuable to help resolve any blocks to completing audit work. Some audit clients prefer to have weekly status updates. <br> <br>Other clients like the daily meetings, as they provide some oversight of the audit. In this case, the client meeting should take place immediately after the audit team’s daily stand-up meeting so it does not stop the audit team from raising concerns openly.</p><h2> Agile Auditing Makes Sense</h2><p> Agile auditing empowers audit team members to choose what they work on and to better understand why they are performing their work. By allowing staff members to select what tasks they work on, it is easier for them to manage their time and consider their other commitments, such as other audits. Agile project management methodology tools provide visibility without micromanaging. Best of all, Agile auditing helps spread out audit work, creating less pressure at the end of the audit to deliver everything at once. To put it succinctly, Agile auditing formalizes good project management practices, improving productivity, efficiency, collaboration, and communication.<br></p>Amanprit Kaur Kaller1

  • FastPath-October-2020-Premium-1
  • AuditBoard-October-2020-Premium-2
  • CIALS-October-2020-Premium-3