Practices

 

 

Value Through Quantificationhttps://iaonline.theiia.org/2019/Pages/Value-Through-Quantification.aspxValue Through Quantification<p>A review of publicly available internal audit reports shows that most include qualitative assessments of value addition, even where quantitative assessments seem possible or advantageous. In fact, some audit reports show that an assessment of the audit recommendations’ net benefits had not been performed at all. Without a quantitative assessment, in many instances auditors cannot be certain their recommendations add rather than destroy value. While qualitative assessments are useful for analyzing simple issues, they could be misleading if used for complex, high-risk, or novel situations. Internal auditors should quantify recommendations applied to these types of areas — especially when aimed at improving processes or aligning with best practices.</p><p>Without quantification, auditors run the risk that seemingly beneficial audit recommendations may in fact be ill-advised. By using a qualitative assessment, especially one that is not adequately documented, an auditor could miss interdependencies and ignore relevant costs, thereby overstating net benefits. For example, consider a recommendation intended to improve transaction processing efficiency through a system enhancement. On the surface, such a recommendation would appear to create value. But what if over the lifetime of the system, estimates of benefits associated with processing-time savings totaled less than the cost of implementing and maintaining the enhancement? This drawback would not be apparent without quantification of benefits.</p><p>Quantifying also provides an effective way of getting buy-in from audit clients. Often, client inertia or resistance increases if recommendations provide questionable or unconvincing value. Clients may raise legitimate concerns about why they should dedicate scarce resources to recommendations whose value is unclear. By demonstrating quantitatively that the value addition is positive, audit client buy-in would be more forthcoming. </p><p>Additionally, quantification can help auditors provide assurance when recommendations involve unchartered waters for clients. In other words, audit recommendations may be untested in the specific environment in which they are to be implemented. Gaining reliable insight into the real net benefits can be difficult using only qualitative assessments, making quantitative data in such instances a<br> near imperative.</p><p>Lastly, when auditors provide quantified recommendations, they can better demonstrate the value of their work by tracking benefits realized post-implementation. With quantified net benefits of individual or aggregated recommendations, auditors could harvest the quantified data showing their recommendations’ impact on specific processes and functional areas, or at the entity level. </p><p>Under the right circumstances, a strong case exists for demonstrating the value of audit recommendations quantitatively. When used appropriately, quantification can shine a bright light on audit benefits, rather than leaving clients in the dark.  </p><p class="p4"><span class="Apple-tab-span"> </span></p>Solomon Chief Simutowe1
International Conference: Intelligent Leadershiphttps://iaonline.theiia.org/2019/Pages/International-Conference-Intelligent-Leadership.aspxInternational Conference: Intelligent Leadership<p>​<span style="font-size:12px;">In Wednesday's final general session, IIA President and CEO Richard Chambers recognized 2018–2019 IIA Global Chairman Naohiro Mouri for his tireless work during the last 14 months and recapped their time together traveling around the world promoting the internal audit profession.</span></p><p>Futurist Mike Walsh then took the stage to wrap up the 2019 International Conference with his session on "Reinventing Leadership for the Age of Machine Intelligence." According to Walsh, algorithms, automation, and artificial intelligence (AI) are becoming the deep infrastructure of our world. By 2030, he says, AI platforms capable of continuous learning and adaption will create an algorithmic world of seamlessly orchestrated and personalized experiences.<br></p><p>Walsh posed many questions to consider about the future: Are you thinking big enough about the risk and potential transformations associated with AI? What if we always knew exactly what to say and when? What if machines could recognize our emotions? How might facial recognition change our experience of applications? How can you create new experience by taking away the friction points? What if we no longer needed our devices at all? What if the biggest impact of AI was on our behavior and sense of identity?<br></p><p>"Now is the time to reinvent, redesign, and reimagine," he says. "The future of analyzing risk is data and the data relationships you can build." To survive the disruptive future, he adds, organizations will need to get ready to be more flexible, responsive, and adaptive. <br></p><p>Walsh encouraged the audience to constantly challenge their assumptions about the future. Are you thinking big and fast enough about the transformative potential of the algorithmic age? The next action would be to have discussions with the youngest members of your team to learn how to better include their frame of reference into ideas or strategy.<br></p><p>But how do organizations need to transform for the 21<sup>st</sup> century? Walsh says the key is to get others to see you as a different kind of organization. You have to make culture your operating system — the system of interactions that governs how your people collaborate. "It's the most difficult to change but it's the blueprint for true transformation," he says.<br></p><p>When it comes to leadership in an age of algorithms, automation, and AI, leaders are more important that ever, Walsh adds. They need to upgrade their approach to making decisions and solving problems — this means exploring how to start re-skilling teams, migrating talent to new roles, and preparing for the new types of challenges they'll face, he says.<br></p><p>"The future is not anything as simple as an upgrade," Walsh says. "It's an invitation for all of us to think in an entirely new way. Think big, think new, think quick."<br></p>Shannon Steffee0
International Conference: Economic Disruptionhttps://iaonline.theiia.org/2019/Pages/International-Conference-Economic-Disruption.aspxInternational Conference: Economic Disruption<p>​<span style="font-size:12px;">"Geopolitics and the Global Economy" was the hot topic closing out day two of The IIA's 2019 International Conference in Anaheim, Calif. Peter Zeihan, a geopolitical strategist who specializes in global energy, demographics, and security, laid out the history of U.S. foreign policy and gave an overview of trade relations since the end of World War II.</span></p><p>"We are in the midst of a great transition," Zeihan explains. "We are looking at the end of our economic model."<br></p><p>With supply chains facing disruptions from these geopolitical risks, especially the U.S.-led trade wars, internal auditors should pay attention. Zeihan says countries that have seen this coming and have worked to diversify their supply chains and into more concentrated zones near points of consumption are definitely at an advantage. <br></p><p>"What you're looking for is a place where inputs, production, and consumption are both secure and hopefully co-located," he warns. "Right now, the only place that happens en masse is in North America."<br></p><p>Zeihan offered this assessment of today's post-order American foreign policy: "If you want something that's positive, you need to bring something to trade."<br></p>Shannon Steffee0
International Conference: Audit Leaders Discuss Challenges and Opportunitieshttps://iaonline.theiia.org/2019/Pages/International-Conference-Audit-Leaders-Discuss-Challenges-and-Opportunities.aspxInternational Conference: Audit Leaders Discuss Challenges and Opportunities<p>​A leadership panel on "Challenges, Opportunities, and the Path to Success" opened the final day of The IIA's 2019 International Conference in Anaheim, Calif. Panelists included Theresa Grafenstine, managing director and chief auditor, Information Security & Continuity of Business, at Citi; Kiko Harvey, inspector general, United Nations World Food Programme (Italy); and Jenitha John, chief audit executive, FirstRand Ltd. (South Africa). </p><p>Each panelist talked about her background and what led her to become an internal auditor. Ultimately, it was a passion for all of them. </p><p>Asked by moderator Scott Bloom how internal audit can help organizations and executives prepare for technological advances and risks, Grafenstine said auditors need to look at the technology and ask questions. "Our biggest gift is that we're critical thinkers and we break things down into critical controls," she explained. "Who has control over this algorithm? What can it do? What if it goes wrong? Can we stop it?" When approaching cyber risk, asking basic control questions can go a long way, she added.</p><p>The discussion then turned to building an audit function and the competencies that would make it a high-performing department. "I ask a lot of questions about team building, and I expect technical skills to be there," Harvey said. </p><p>She added that she looks for the abilities to listen, think critically, and see and solve problems, as well as how engaged auditors will be. "We feed the world's starving, so is that their passion?" Harvey asked. "Are they joining my team for the right reason? Do they want to make things better or are they there for the benefits?" </p><p>On the topic of skills internal auditors need to evolve with the business, John said auditors must stay attuned to the evolving risk landscape. "Many organizations experience changes in digital, data, customers, competition, conduct, compliance, and cyber," she said. It's important for internal auditing to transform as a profession, refresh its methodologies, and use hindsight and foresight. She says auditors also need to be agile and nimble, harness innovation, and foster a creative mindset. </p><p>Grafenstine detailed how audit leaders can be more influential in educating boards and gaining their trust. As a former inspector general for the U.S. House of Representatives, "I had to translate things into terms that were meaningful for them," she said. "In working with politicians, what became clear was that I needed to package my message for who was listening to it. I needed to make sure the person listening understood what I was saying and what I was asking them to do." Whether it is verbal conversations or written reports, Grafenstine says auditors need to keep their audience in mind. </p><p>As female leaders, each woman touched on the challenges they've faced in their careers. John explained that women tend to experience a lot of guilt about working so much, but she's found that organizations are becoming more flexible. She said people should be managed by outputs, not by time, and encouraged women to "be selfish with your time, prioritize your personal life." Leveraging technology also allows women to be present in many forms, she noted. </p><p>Grafenstine recalled that her time as one of the first three female auditors hired in the field office for inspector general was a growth opportunity. "In the tech area, instead of focusing on being the only female, think, 'I am a professional and bring a different perspective to the table,'" she advised. </p><p>Grafenstine also admitted that her biggest challenge was herself. Her glass ceiling was fear. "I always felt like I didn't belong," she said. "Until I tackled that, I was going to hold myself back. Whatever you're afraid of, you need to tackle it. Once you attack that, you can be a leader."</p><p>Harvey noted that she's always felt welcome in her working situations, but she said she missed a lot of family and school events because she made that choice. "In my generation, I felt that I had to be present at work or people would say 'we can't rely on her because she has young children,'" Harvey said. </p><p>Harvey said she took bold moves by moving her family around for her career, although it was difficult on her children and her. "Organizations are becoming much better at this and there's no excuse anymore," she said. "It's easier now than it was before." </p>Shannon Steffee0
International Conference: Dynamic, Disruptive Diversityhttps://iaonline.theiia.org/2019/Pages/International-Conference-Dynamic-Disruptive-Diversity.aspxInternational Conference: Dynamic, Disruptive Diversity<p>​<span style="font-size:12px;">Closing day one of the 2019 International Conference on a high note was Jade Simmons, a classical pianist, who spoke about "Dynamic, Disruptive Diversity: A Bold Approach to Harnessing the Power of Differences." Simmons combined music and storytelling to explain how she approached diversity in transforming her career and how the same approach can apply to business.</span></p><p>As an African American classical pianist in a traditional industry, Simmons said she spent all of her time trying to be perfect to attract a more diverse audience. But, she says, "When we talk about diversity, we have to throw the idea of being perfect out of the window." She realized that opportunity lies in providing variety in what we do. <br></p><p>Pursuing diversity, Simmons says, requires going beyond ethnicity and gender. This includes diversity of thought, diversity of background, diversity of experience, and diversity of talents. "When we think of diversity of talents, what we're doing is opening up different opportunities to let people shine," she says. "We can't start from a place of initiatives and benchmarks. You're going to have to begin to believe that people want a different offering than what they are seeing." <br></p><p>Simmons wanted diversity of experience to be a part of what she was offering, so she began storytelling during her concerts. People began latching on to the stories. "What you do isn't about getting things right but about moving things so people can feel drawn to the space they want to be in," she explains. Diversity should never be about obligation, she adds — It should be about exploration. <br></p><p>"You need to shift your mindset," Simmons says. "At the end of the day, you should be able to look differently at how you see yourself and how you see others and how you value them." <br></p>Shannon Steffee0
International Conference: Haig Wins Internal Auditor’s Thurston Awardhttps://iaonline.theiia.org/2019/Pages/International-Conference-Haig-Wins-Internal-Auditor’s-Thurston-Award.aspxInternational Conference: Haig Wins Internal Auditor’s Thurston Award<p>​Awards can enhance a professional's personal brand. Ask author and internal audit executive Nancy Haig, winner of <em>Internal Auditor</em> magazine's 2019 John B. Thurston award for her February 2018 feature article, <a href="/2018/Pages/Your-Personal-Brand.aspx">"Your Personal Brand."</a> Haig received the award today at The IIA's International Conference in Anaheim, Calif.</p><p>The Thurston Award recognizes the most outstanding feature article published in <em>Internal Auditor</em> during the previous year. Haig has been an internal audit professional for more than 20 years, most recently as director of internal audit and compliance for a New York-based global consulting firm. </p><p>In her article, Haig explains that just as a strong brand can be an organization's strongest asset, a personal brand is critical for an internal auditor. "Developing a strong personal brand can benefit an internal auditor's career in many ways," Haig writes. In addition to professional achievement and recognition, it can help auditors determine their career direction and assess whether they are in the right role. Importantly, she adds, "Through consistent use of his or her brand, (an internal auditor) will be seen as a trusted advisor."</p><p>In presenting the award, IIA Global Chairman Naohiro Mouri noted that Haig's own brand includes playing an active role in supporting the internal audit profession, including as 2019-20 senior vice chairman of The IIA's North American Board.</p>Tim McCollum0
International Conference: IIA Accomplishments, Awards, and Performance Excellencehttps://iaonline.theiia.org/2019/Pages/International-Conference-IIA-Accomplishments-Awards-and-Performance-Excellence.aspxInternational Conference: IIA Accomplishments, Awards, and Performance Excellence<p>​IIA President and CEO Richard Chambers opened day two of the International Conference in Anaheim, Calif., highlighting Institute accomplishments during the past year. Some noteworthy items include:</p><ul><li>The IIA surpassed the 200,000-member milestone.</li><li>It welcomed its 150,000th CIA recipient.</li><li>All North American conferences sold out.</li><li>The IIA's governance structure underwent restructuring.</li><li>Advocacy efforts are going strong around the world.</li><li>Publicly listed companies must disclose whether they have internal audit functions.</li><li><p>The IIA began its digital transformation. </p></li></ul><p><span style="font-size:12px;">Following Chambers' opening remarks, IIA Global Chairman Naohiro Mouri presented three awards in front of a crowd of 2,500 attendees. Nancy Haig won the John B. Thurston Award for her article, </span><a href="/2018/Pages/Your-Personal-Brand.aspx" style="font-size:12px;">"Your Personal Brand,"</a><span style="font-size:12px;"> in the February 2018 issue of </span><em style="font-size:12px;">Internal Auditor</em><span style="font-size:12px;"> magazine. Lawrence Harrington and Philip Tarling both received the Victor Z. Brink Distinguished Service Award. Gerald Cox received the William G. Bishop III, CIA Lifetime Achievement Award.</span><br></p><p>Moments later, Dennis Snow, president of Snow & Associates Inc., took the stage to talk about "Performance Excellence: The Employee Factor" and how to engage employees to deliver outstanding customer service. Snow, who had a 20-year career with Walt Disney World, focused on customer experience, performance excellence, and leadership. He outlined four principles that can create loyalty and performance excellence that is "worth every moment of effort you put into it."</p><h2>Principle 1: Clearly Define the Customer Experience </h2><p>Snow advised attendees to ask themselves, "Who are my stakeholders within the organization? What do we want their experience to be?" </p><p>"That's your brand," Snow says. "What three things do you want your stakeholders to say about the value you bring to the organization in the service you provide?" Is it that you're highly responsive? Your follow-through was outstanding? Do you anticipate their needs?</p><p>The customer experience must be defined in terms of employee behaviors, Snow explains. "What needs to happen to have them say those three things?" He says those behaviors need to be embedded in the culture. </p><h2>Principle 2: Know What Frustrates Your Customers — and Do Something About It </h2><p>Snow says far too many organizations know exactly what frustrates customers but don't do anything about it. He suggests meeting quarterly as a team to ask, "What things frustrate our stakeholders and what can we do about it?" A better question might be, "What keeps our stakeholders up at night and what can we do about it?" </p><h2>Principle 3: Hire the Right People </h2><p>Before interviewing people, leaders should determine what qualities make a superstar a superstar. Snow says identifying those qualities the organization wants in an employee can create a benchmark in the hiring process. For example, are managers seeing and hearing those qualities through the candidate's behavior in the interview? </p><p>"The interviewing selection process should model the culture of your organization," he says. "Every detail enhances or detracts from the culture of the organization. Are you demonstrating your values and culture during the interview process?"</p><h2>Principle 4: Train and Communicate Relentlessly </h2><p>Organizations can never assume their people get it, Snow warns. They can't put posters on the wall and say that's it. </p><p>"You have to be relentless about training and communication," he stresses. "You need to be very clear about what your expectations are." Snow says effective training and communication builds pride in the organization, ensures that the employee understands the true product, and guarantees that the employee knows what's expected.</p><p>When it comes to training, never let a coaching moment go, Snow advises. And it's important to never let a recognition moment go. "When our people feel like we sincerely appreciate what they do, the most powerful thing we can do is acknowledge that performance," he says. "The most effective recognition is all about emotion. We lock in performance excellence."</p><p>Whether it's at Disney World or within internal audit, these are the principles that create loyalty. "When we do these things consistently and well, the outcome is stakeholder loyalty," Snow says. </p>Shannon Steffee0
International Conference: Opening Remarks, Chat With Richard Dreyfusshttps://iaonline.theiia.org/2019/Pages/International-Conference-Opening-Remarks,-Chat-With-Richard-Dreyfuss.aspxInternational Conference: Opening Remarks, Chat With Richard Dreyfuss<p>​<span style="font-size:12px;">Outgoin</span><span style="font-size:12px;">g</span><span style="font-size:12px;"> 2018–2019 Chairman of The IIA's Global Board Naohiro Mouri officially welcomed attendees from more than 100 countries as he opened the 2019 International Conference in Anaheim, Calif., today. Recapping his chairman's theme, "Emphasize the Basics — Elevate the Standards," Mouri encouraged those in the room to celebrate the work of the global organization, network with each other, and hear each other's stories as they all strive to elevate the profession.</span></p><p>Just after Mouri's opening remarks, the Internal Audit Foundation's (IAF's) 2019 Esther R. Sawyer Research Award was presented to undergraduate student Jiamei Elizabeth Feng of Bentley University in Waltham, Mass., by Brian Christensen, executive vice president, Global Internal Audit, Protiviti, and 2018–2019 president of the IAF. Feng's paper, "Internal Auditing's Identity Issue: Management-orientated or Accounting Related," explores how the internal audit function can be "a channel that management can rely upon for assurance and consulting services.<br></p><p>During today's first general session, A Violation of Trust: How Bernie Madoff Changed a Nation, IIA President and CEO Richard Chambers sat down with Academy Award-winning actor Richard Dreyfuss to explore insights gained from playing Madoff in the ABC miniseries of the same name. Madoff is currently serving a 150-year sentence for the largest investment fraud in U.S. history.   <br></p><p>Like Madoff, Dreyfuss was raised in Queens, N.Y. "I understood not just Bernie Madoff. I understood all of the men who came back from World War II and were intent on succeeding at business," Dreyfuss says. "They were all passionately in love with the opportunity offered by the United States. No one grows up saying they're going to become a master criminal. Madoff committed to crossing the line into criminal behavior. He did it for the most base of reasons."<br></p><p>But the most important question to ask, Dreyfuss says, is what allowed Madoff to commit his crime. "What was the world like that allowed him to do it?" he asked. "Lots of people knew he was a crook and none of them spoke up. There was just one investigator or auditor who pursed him like death: Harry Markopolos." <br></p><p>According to Dreyfuss, it wasn't about how talented Madoff was, it was about how blind and filled with denial everyone else was. In one scene in the miniseries, Madoff handed investigators information that would have brought his Ponzi scheme to a screeching halt, but they never followed up on it. They trusted him because he was Bernie Madoff, former chair of the Nasdaq. <br></p><p>Dreyfuss encouraged internal auditors to show courage in their work. "You are the front-line soldiers on a world that has descended in the last 50 years into such decay and such a loss of ethics that there's no one to trust," he says. "You are the last line of defense against the greedy and the cruel."<br></p>Shannon Steffee0
Step Forwardhttps://iaonline.theiia.org/2019/Pages/Step-Forward.aspxStep Forward<p>Throughout my 20 years as a student and practitioner of internal auditing, I have seen the profession make strides toward achieving its full potential. However, there is still more to do. If the full scope of internal audit’s work today is seen as ensuring the accuracy and reliability of information, opportunities to make a bigger difference and reach our potential are being squandered. Contemporary internal auditors must contribute to advancing the strategies and business practices of their organizations. Today’s internal auditors also must be an example of integrity and a force that drives the kind of good, sound culture that is the foundation of successful enterprises (see <a href="/2019/Pages/The-Right-Path.aspx">“The Right Path”</a>). In short, to operate at the highest levels of the business, internal audit must “Step Forward” — my theme for my year as chair of The IIA’s North American Board. </p><p>Three areas of opportunity for internal auditors to step forward fall under the headings of culture, courage, and conflict. There are still those practitioners who do not fully understand what the role of an internal auditor entails — or, if they do, they are unwilling or unable to take the necessary steps toward fulfilling that role. First, setting the right tone by conducting oneself with professionalism and competence is key — own the role unapologetically and without reservations. Second, some internal auditors lack the courage to make disruptive and strategic recommendations for improvement to management and the board. And, finally, some auditors are simply uncomfortable with conflict. They fail to understand that embracing conflict can help them produce better, more robust work.</p><p>I urge internal auditors who struggle in these areas at any level of the profession and in any type of organization to <em>step forward</em> and begin making a bigger difference for themselves, those they serve, and the profession.</p><h2>Culture: Do What’s Right</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​My Year As Chair</strong><br> </p><p>During my year as IIA North American Board chair, my focus will be encouraging a renewed emphasis on helping internal auditors realize and appreciate that they are part of an indispensable profession. That entails providing IIA members with the tools they need to step forward in their organizations — to help them balance their often deep technical proficiency with the ability to instill confidence in their stakeholders that internal audit can make a difference at a strategic level and provide leadership.</p><p>In addition, in North America and globally, The IIA is striving to achieve concrete results from its advocacy work. We have been advocating, for example, for the U.S. Securities and Exchange Commission to require publicly traded companies to disclose whether they have an internal audit function. This is the first of many steps required to provide The IIA with the impetus to go further and begin a public discussion about what it means to be a professional internal auditor who follows the <em>International Standards for the Professional Practice of Internal Auditing</em> and the criticality of holding a Certified Internal Auditor designation. </p><p>I am also chairing an IIA group that is reviewing the committees of the North American Board to ensure our professional body is streamlined and fit-for-purpose. We are assessing whether each committee is still adding the value that we initially envisaged. The review most likely will lead to restructuring, change, and spirited discussions. When people are passionate about what they do, it is crucial that those involved can see the bigger picture and bring their considerable skills and talents to bear on the most relevant and strategic issues. So, we are looking at the North American committees as well as the relationships between that body and global committees under the One IIA initiative, which is aimed at achieving better uniformity of internal audit quality globally.<br></p></td></tr></tbody></table><p>It is part of internal audit’s job to help drive a prevailing culture within the organization that is fair, healthy, effective, and focused on serving customers — an organization that one can trust. Securing a position of trust is not easy. When I accepted my current role as chief audit and compliance officer at the Texas Department for Transportation (TxDOT) in 2011, I was called on to improve the profile of the audit department and the organization. Immediately, my defense mechanism kicked in: Yes, I was responsible for how the audit department was perceived; no, I couldn’t own responsibility for the organization’s profile. In the end, I took on the challenge and, in partnership with my commission (board), initiated a program to elevate the focus on holding ourselves accountable, being transparent, and examining how and with whom the organization conducted its work.</p><p>One of the first steps, an external audit, identified noncompliance as well as some impropriety at an entity that did business with TxDOT. It would have been easy to call out the noncompliance, issue a report with recommendations, and be done with it. However, it was an opportunity to demonstrate that TxDOT was serious about its stewardship role. I positioned this to my audit committee chair as a chance for the organization to demonstrate that it was focused on driving honesty, integrity, and trust in its business relationships. Internal audit aligned with the board and executive leadership in formulating a strategy to anticipate and get ahead of any pushback from the entity’s officials. In addition to meeting with the entity’s leaders, I met with local officials and equipped TxDOT’s board and executives with information to share with our state officials. It was uncharted territory, but we knew it was the right thing to do, and we did it. It was the beginning of improving the profile of the audit department and the organization.</p><p>To set course on such initiatives, internal auditors must be able to work strategically and operationally at all levels of the organization. That entails evaluating the business to understand how it could do things differently to better serve customers — how it can achieve goals at the same time as building trust and a more sustainable culture. Recommendations must be relevant and practical. Internal audit’s oversight role puts it in a unique position to help the business in these ways. </p><p>Chief audit executives (CAEs) must engage their boards and advocate for internal audit by explaining its value to the organization. It is not always understood, for example, that internal audit is here to make things better. Even where a good relationship exists, there may be opportunities to extend internal audit’s reach. For example, recently numerous accounts of harassment in the workplace have been brought to light. Few would instinctively think of internal audit as ideally positioned to help address such an important, culturally explosive issue. Instead, they would reach out to human resources or the legal department. But internal audit can act as the eyes and ears of the board on such sensitive issues and help gauge the culture in different parts of the enterprise. Every audit opens the door to understanding how business is conducted, but it also is an opportunity to understand the culture of those performing the work. Internal audit needs to step forward and ask questions to ensure it feels good about the organization’s health. </p><h2>It Takes Courage</h2><p>During my career, I’ve conducted many external quality assessments. Invariably, I request time with each member of the board to understand his or her knowledge of the CAE’s role. Their feedback often includes: CAEs do not communicate effectively; CAEs do not focus on matters that are important enough to rise to the board level; and the time CAEs have with the audit committee and their reporting executive manager is insufficient. These are indications CAEs are not stepping forward to make their value known, and their work is not perceived to be informing or advancing the success of the organization. Perhaps they do not understand their organizations as well as they should, or they are not fully engaged with how their organization’s leadership plans aim to achieve its strategic goals — issues that come up time and again in IIA research and surveys.</p><p>The North American Board has asked The IIA to focus on advocating for the internal audit/board relationship through the creation of tools and content that will help CAEs have the courage to step forward. In the meantime, CAEs can take it upon themselves to get to know individual board members and executives. CAEs need to understand the priorities of the entire board, not just the audit committee. It takes courage to ask for time with the board, but the context and perspective obtained from those conversations help make internal audit’s work meaningful.  </p><p>More junior staff can step forward by spending constructive time with senior auditors. It can take courage to speak to CAEs for those just beginning their careers, but it will be worth the effort. Junior staff also should get involved with their professional organizations — The IIA has many local chapters and special interest groups. If these auditors are only learning from their companies, they are missing out on great ideas they can bring back to their teams. </p><h2>Embrace Conflict </h2><p>While it may sound counterintuitive, internal auditors should treat every engagement as an opportunity to deal with potential conflict. At TxDOT, for example, we deliberately include conflict in our audit processes and find it to be a powerful tool. For instance, when our audit teams explain their recommendations regarding an audit’s scope of work, or what testing they are planning, the internal audit management team is charged with challenging it. That puts the teams through a level of conflict that helps them support the work they want to do and the reasons they want to do it; and it can identify gaps and weaknesses to help make the audit work stronger. It also pushes the management team to put itself in the business owners’ shoes, which requires deep knowledge of the business and its leaders to be effective. My role is to challenge the management team by bringing a board and executive management perspective to the forefront. I ensure that the message we are delivering will matter, and that we account for potential organizational and political considerations. </p><p>We have such meetings at the planning, fieldwork, and reporting phases of each audit. This process prepares staff members to sell their ideas and value to our business partners — it helps everyone in the organization. It can be tough going through this process, but we remind our team that it is a safe environment, and it is orchestrated to help them deal with the conflict they will sometimes face out in the field. It would be a disservice to my team not to do so.</p><h2>Enhancing Value</h2><p>I accept that a year is not a long time to effect all of the changes mentioned herein. At a minimum, I would like to hear more stories about internal auditors stepping forward and adding value to their organizations. I want to continue to push for a shift in the way publicly traded companies view and talk about the profession. But, most of all, I want auditors to understand that internal auditing is a noble and indispensable profession, and I urge them to have the courage to act accordingly. <br></p><table cellspacing="0" class="ms-rteTable-4" style="width:100%;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>​From Then to Now</strong><br> </p><p>After graduating from the University of Texas in 1993, I expected to pursue a career in law. Instead, I decided to take a break from school and accepted a job collecting student loan payments at the Texas Guaranteed Student Loan Corp. I worked my way up to investigator and, eventually, to internal auditor. The investigator job reported to the internal auditor, who allowed me to work on an audit. I really loved that, especially interviewing people and learning about things that were considered confidential. It was so interesting to me being in that environment.</p><p>In 2006, I joined the technology solutions business Dell Inc., which had been focusing on improving its culture by “Winning With Integrity.” Dell was using the internal audit department to drive change across the business. I was assigned to assist with the organization’s first external quality assessment, including working on its first internal audit charter. It was a great learning experience to understand how a Fortune 50 company could rally around an internal audit initiative. Dell really did implement a world-class audit function, and I learned so much from that organization. I’d be remiss if I didn’t mention Mike DeCaro, vice president of Corporate Audit at the time, who challenged me and everyone to be more than technically adequate, and to step forward and strive for excellence. </p><p>Joining the Texas Department of Transportation (TxDOT) in 2011 was an opportunity for me to help modernize an audit department and help it drive change in the business. Today, I oversee TxDOT’s internal audit and compliance divisions, which are aimed at improving stewardship, risk management, accountability, and governance through value-driven audits, evaluations, investigations, and advisory services engagements.</p><p>During my more than 20-year career, I have served in various positions with the IIA–Austin Chapter, including as the 2006 president. I have been a member of The IIA’s Professional Issues Committee, Publications Advisory Committee, and Public Sector Advisory Committee. I’ve served as vice chair of both content and professional development and as senior vice chair on the North American Board. Now, as chair of the North American Board, I also have a seat on The IIA’s Global Board. I am a member of the American Center for Government Auditing, American Association of State Highway and Transportation Officials, and several other professional organizations. I am past chair of the Texas State Agency Internal Audit Forum. I have earned the Certified Internal Auditor, Certified Information Systems Auditor, Certified Fraud Examiner, and Certified Compliance and Ethics Professional designations.<br></p></td></tr></tbody></table><p></p>Benito Ybarra0
Assessing Data Reliabilityhttps://iaonline.theiia.org/2019/Pages/Assessing-Data-Reliability.aspxAssessing Data Reliability<p>Reports from extracted data can sometimes be misleading, which can be a problem when organizations rely on them to make critical business decisions. This is especially important for organizations subject to the U.S. Sarbanes-Oxley Act of 2002 as part of the testing process.</p><p>The U.S. Public Company Accounting Oversight Board warns that having inaccurate reports might lead to key controls deficiencies, so organizations should ensure that reports used in assessing the operation of key controls are complete and accurate. Internal auditors can easily apply tools and techniques to ensure that reports and data used for decision-making are reliable.</p><h2>The Impact of Bad Data </h2><p>Poor data quality is responsible for an average of $15 million per year in financial losses, according to recent Gartner research. It also is a primary reason for 40% of all business initiatives failing to achieve their targeted goals. Unreliable reports can impact:</p><ul><li><em>Strategic Decisions</em> — performing mergers and acquisitions, changing organizational structure, expanding to new locations, or developing new product portfolios.</li><li><em>Operational Decisions</em> — costing and pricing of projects, budget-related decisions and priorities, sales forecasts, production and inventory needs, and resource requirements. </li><li><em>Financial Decisions</em> — financial reporting, credits and loans, invoicing, collection, and investments.</li><li><em>Regulation and Compliance</em> — employment labor laws, intellectual property, data privacy, and software licensing.</li></ul><h2>Start With a Risk Assessment</h2><p>The first step is to perform a risk assessment to determine which reports should be subject to evaluation. This should include an assessment of the report type, impact of the report for decision-making, key control considerations, change management procedures, and access restriction. </p><p>Reports can be categorized into three main types — canned, customized, and manual. Canned reports are generated from a system where no changes have been made. Those reports usually represent low risk for completeness and accuracy. Customized reports are developed based on user needs and represent higher risk for completeness and accuracy. Manual reports are created by an end user and have not passed a formal change management process for report testing. They usually represent the highest risk.</p><p>As each report type represents a different inherent risk level, identifying the report type is crucial for the reliability assessment, and should lead to different validation activities.</p><p>Other factors that should be considered when determining reports for testing include:</p><ul><li><em>Data Usage.</em> Does the report and underlying data relate to strategic, financial, operational, or regulatory decisions?</li><li><em>Impact of the Report.</em> Would a mistake in the report pose a potential strategic, financial, operational, or regulatory risk to the organization?</li><li><em>Control Considerations.</em> Is the report used in the execution of key controls to mitigate significant risks?</li><li><em>Change Management Procedures.</em> How effective are the change management controls for report creation?</li><li><em>Access Restrictions.</em> What access restriction mechanisms — such as password or permissions — are in place?</li></ul><h2>Test for Completeness </h2><p>Internal auditors need to verify the report type and understand the parameters used to generate it. Just one incorrect parameter can severely impact report reliability. Because several parameters typically are used to generate a report, the internal auditor should spend time with the report owner to understand if the parameters were correctly selected. </p><p>Next, internal auditors should check whether any exclusions have been set up at either the application user-interface level or the code level. If it’s the latter, assistance from developers may be needed. Auditors also should be careful not to be fooled by the report name. A procurement report named “Total Expense for Vendors” may only show expenses that are procurement-related, but not all expenses.</p><p>Internal auditors should review several areas when testing reports for completeness.</p><ul><li><em>Look at when the report was last modified.</em> Checking the last modification date can highlight whether report changes occurred.</li><li><em>Common practice is to limit what data a user can see based on user access rights profiles, which should be in line with job responsibilities.</em> It is critical to verify that the user generating the report provides a complete report. In many cases, the end user may be indifferent or unaware of this, so it is always advisable to approach the system owner.</li><li><em>Compare different reports that should show the same data.</em> Because each report is built with different logic, this is a good way to test report completeness. Compare the same information from different sources and ask different stakeholders to opine on the reasonability of the data.</li><li><em>Use the “full and false inclusion” method.</em> Take a sample of transactions that should or should not be in the report, and verify accordingly.</li><li><em>Verify if any manual checks or system validations prevent duplicate records. </em>To identify such occurrences, perform a simple but effective duplication test for a sample of data fields.</li><li><em>Review blank data fields.</em> Missing data is a good indicator that additional checks need to be performed.</li><li><em>When using a reporting tool, such as a business intelligence application, ensure that the latest version is being used. </em>Upgrades usually solve technical defects, and data-warehouse interfaces can be different.</li></ul><h2>Test Data Accuracy </h2><p>In testing accuracy, internal auditors need to understand which data capture method was used, as each method has a different level of risk for data reliability: on a paper form, by users directly entering data, or by a system. It’s also important that auditors recognize the type of controls over system data entry and system data input validations, such as double keying and upper and lower limits. </p><p>Other items that should be assessed by internal auditors in the testing of data accuracy include:</p><ul><li><em>The meaning of a data field.</em> Internal auditors should never assume, based on the column descriptions, that they understand what the data item is.<br></li><li><em>The source data for key data fields.</em> This can be done by tracing back to identify the source data repository. </li><li><em>Reasonableness.</em> For example, is it reasonable that a car was rented for $2,000 a night? </li><li><em>Date fields.</em> Dual date format issues might adversely impact any date analysis. For example, a date in a report such as 03/05/2019 might be displayed as either March 5, 2019, or May 3, 2019, depending on the end user’s regional setting. </li></ul><h2>Blind Trust</h2><p>Unreliable data can negatively impact key decisions. In many cases, organizations are unaware of unreliable reports, resulting in stakeholders grappling with flawed data that, ultimately, might lead to wrong or nonoptimal choices. Unfortunately, this lack of awareness may lead many organizations to blindly trust their data, which can mean disaster. Organizations are data driven, so internal auditors must ensure that decisions are made based on complete and accurate reports. <br></p>Danny Fridman1

  • IIA Global 3LOD Exposure_July 2019_Premium 1
  • IIA_Sawyer_July 2019_Premium 2
  • IIA Sepcialty Centers_July 2091_Premium 3