Agile Planning Planning<p>In an age where extreme weather events, rapid technological change, and geopolitical turmoil are becoming more frequent — and in some cases, more catastrophic — organizations are increasingly having to react more quickly to high-impact events. Business interruption to companies' physical assets and supply chains caused by climate change, for example, can cripple production schedules. Risks that may have been categorized as unlikely but with a high impact — such as Brexit — can suddenly leap to the top of an organization's risk register overnight. Newly emerging risks that seemed nearly impossible, like the U.S.–China trade war, can result in priorities that have been mainstays of boardroom agendas for years being knocked off the critical list. Moreover, disruptive technological and other advancements may require organizations to pivot on short notice to either leverage new capabilities or manage new threats.<br></p><p>The message is clear: Risk planning needs to be more immediate and short-term — what may have been considered a priority risk three months ago may not look as bad on reflection. And as boardroom focus moves with changing, often disruptive circumstances, internal audit has to become more agile too.<br></p><h2>Shorter Time Horizons<br></h2><p>Phil Tarling, an internal audit consultant based in the U.K. and former chairman of The IIA's Global Board of Directors, believes that it is becoming increasingly common for chief audit executives (CAEs) in several industry sectors — particularly manufacturing, high-tech, and pharmaceuticals — to use six-month, or even three-month, audit plans. "Given the speed at which the nature of risk is changing, it is without doubt that some organizations' audit plans are focusing on only the next three to six months," Tarling says. "Manufacturers that use 'just-in-time' management, for example, will require internal audit to have a very flexible audit plan and approach, particularly in light of the uncertainty surrounding Brexit and the possibility of a 'no deal' scenario, as well as the U.S. trade war with China, which may impact sourcing."<br></p><p>Short-term planning has many advantages. For example, Tarling suggests that CAEs who use shorter term audit plans will be more capable of refocusing their efforts and resources than those organizations that have annual audit plans. <br></p><p>"CAEs who plan their work for three months at a time will know that they need to keep a tight control of their budgets and workload so that they have enough in reserve to adapt quickly to the needs of the business," Tarling says. "CAEs that use annual audit plans tend to allocate most of their budgets and resources up front, which leaves less capability for slippage or for change. That is no longer tenable for organizations that are more exposed to political and economic risks."<br></p><p>As a result, internal audit needs to be increasingly flexible in its planning, Tarling says, stressing that CAEs must build contingencies into their audit planning and budgeting to allow for swift changes in focus and resources. He adds that internal audit must be capable of reacting quickly to new business needs, and they need to proactively identify emerging risks or other priorities that may require greater focus and management oversight. "The function needs to be as flexible and agile as possible," he says.<br></p><h2>The End of Annual Plans</h2><p>Similarly, John Chesshire, chief assurance officer for the States of Guernsey, an island that is part of Britain and located in the English Channel, says the annual audit plan is becoming obsolete. "I dispensed with this formulaic approach a number of years ago and, like a growing number of CAEs, I now plan my team's mix of assurance, advisory, and other engagements on a much less rigid basis," Chesshire explains. He used to invest a great deal of time in annual planning, though often within weeks the plan would shift because of new priorities such as a local crisis or other sudden changes. Eventually he saw the relevance of an annual plan diminish and fade. <br></p><p>Quarterly planning offers several benefits for CAEs — particularly for those with small audit teams, Chesshire says. "With a more flexible approach we can be much more responsive to the changing risk landscape and ensure we add maximum impact at the right moment in our organization," he explains. "This is key when we may only realistically get one shot at an engagement on a particular high trajectory risk or issue."<br></p><p>Chesshire adds that his key stakeholders appreciate the approach, too. They see that it enables internal audit to add value by delivering services at the right time, precisely when they're needed. Plus, he says, it's fostered internal audit's credibility over the years and helped enhance stakeholders' trust in the audit function. <br></p><p>But Chesshire points out that his audit team doesn't just focus on "quick wins" or tactical tasks. "I seek to map every engagement back to our assurance universe and the risk-based subjects it contains," he says. "That way, I can demonstrate that a more responsive, agile service does not mean one that ignores the bigger picture or our core activities or gets pulled away from particular areas of risk by whoever shouts loudest."<br></p><h2>Agile Leadership</h2><p>While some industry sectors and particular types of organizations will be more exposed to changing risk priorities than others, internal audit functions everywhere will need to be able to demonstrate that they can react to changing circumstances and deliver assurance on newly prioritized risks quickly. CAEs need to be agile leaders — long-term, 12-month audit plans may well prevent them from achieving that.<br></p>Neil Hodge0
Trials and Transformation and Transformation<p>Richard Chambers became the ninth president of The IIA in January 2009 during the onset of the global economic crisis. It was a time when companies were experiencing a major loss in shareholder confidence due to colossal risk management failures and a lack of corporate accountability. These dark times revealed vast new opportunities for internal audit to help protect organizations and enhance their performance. <br></p><p>Chambers says internal auditors grasped those opportunities by pivoting swiftly to focus on the emerging risks brought on by the financial crisis and the impact these risks were having on their organizations. The profession became much more risk-centric in those early years of the prolonged financial downturn. The result? Internal audit solidified the stature that it had earned in the prior decade and became a critical component of the systems of risk management and internal controls in modern organizations. “The past decade has been about proving that the confidence that was conveyed to us in the early 2000s was deserved,” Chambers says. “This decade, I think we’ve earned that trust even more.”</p><p>On the eve of Chambers’ 10th anniversary with The IIA, we sat down to discuss how the internal audit profession was impacted by the financial crisis, how it responded, and how it has evolved.</p><h3>INTERNAL AUDITOR You became The IIA’s CEO during the greatest economic upheaval since the Great Depression. How was that crisis impacting internal audit?<br></h3><p>▣  ▣ <strong>RICHARD CHAMBERS</strong> Having been in this profession over 30 years at that point — whether it was my time in government or in the corporate sector — my experience had been that whenever organizations’ resources were severely impacted, it would translate into an even more drastic impact on internal audit. Historically, I had witnessed internal audit departments being divested at a much higher rate than the organization as a whole as executives sought to trim costs. <br></p><p></p><p>I was anticipating that scenario at the end of 2008, but I was pleasantly surprised as the next couple of years unfolded and internal audit was not disproportionately downsized in most organizations. In fact, reductions in the profession at that time were similar to what organizations were experiencing overall as a result of the financial crisis. </p><h3>Why was it different this time?<br></h3><p></p><p>▣  ▣ Internal audit’s resilience appeared to be a reflection of the stature the profession had gained in the previous decade. One difference between this recession and the recession of the early 2000s and those that came before, was there had been a sea change in internal audit’s positioning within the governance structure. Following the financial reporting scandals of the early 2000s that involved Enron, WorldCom, and others, we saw legislation and regulations implemented that fostered a stronger emphasis on controls — particularly financial reporting controls. As a result, internal audit was ushered from the back room to the boardroom where it developed a stronger relationship with the audit committee. </p><p></p><h3>Was internal auditing being redefined?</h3><p></p><p>▣  ▣ We didn’t redefine ourselves; we started living our definition. In the early 2000s, internal audit became much more risk-centric. If you think about it, there was not even a standard that required internal audit to do a risk assessment as part of its audit planning process until 2002. So, we had only a short time between the onset of the standards mandating a risk assessment and the beginning of the financial crisis to get a full appreciation of what being risk-centric meant.</p><p></p><p>With the onset of the financial crisis in 2008, suddenly there were countless new risks facing our organizations. The crisis had exposed the ineffectiveness of risk management, itself, as a critical risk. There was a notable spike in operational risks as companies were compelled to achieve greater operational efficiency and effectiveness. And almost half of chief audit executives (CAEs) reported increased coverage in cost reduction and containment in 2008 and 2009. We started to see risks around technology, cybersecurity, culture, social media, and so on. And compliance risks became critical — particularly as we saw legislative provisions such as those in the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act make their way into regulation. </p><p>So in the wake of the financial crisis, there was a radical and rapid rebalancing of internal audit’s focus. It reprioritized and emphasized a broader portfolio of risks. Internal audit was living up to its definition of being risk-based. <br></p><h3>Was internal audit’s response to the financial crisis appropriate?</h3><p></p><p>▣  ▣ It’s hard to argue with the success internal audit achieved at the time. It was an unprecedented time for the profession. While we were busy rolling up our sleeves to help our organizations respond to the emerging financial crisis-related risks, there were already those asking, “Where were the internal auditors, and why weren’t they looking at risk management in financial services organizations?” And my answer was, there wasn’t a lot of emphasis by internal audit on the effectiveness of risk management before 2008 because we were being asked to fight the last war by focusing on internal controls over financial reporting. Very few people were focused on the effectiveness of risk management in financial services — including those management and board members who were actually responsible for risk management. The emphasis was to ensure there were no more Enrons and WorldComs. When you’re busy looking behind, you miss what lies ahead.</p><p></p><h3>Are there areas in which the internal audit profession has fallen short?</h3><p></p><p>▣  ▣ As a profession, we’re still not demonstrating some of the attributes of great professions. For example, I don’t see the level of conformance to the International Standards for the Professional Practice of Internal Auditing that we should be witnessing. I chaired the Internal Audit Standards Board in 2002 when we adopted the first standards that required external quality assessments. If you told me in 2002 that I’d be sitting here in 2019 saying that we still have such limited conformance, I would not have believed it. </p><p></p><p>When I say there’s nonconformance, I don’t mean to imply that no one is paying attention to the Standards. I’m talking about conformance with the full set of Standards. There is definitely widespread adherence to parts of the Standards around the world. There’s a much higher degree of conformance in large, publicly traded companies in North America and Europe than in other types of companies or organizations in other markets. But is conformance where it should be? Absolutely not. </p><p>Additionally, I would have thought there would be greater recognition of our Standards around the world. The IIA’s Standards are widely acknowledged within the profession, but they’re not necessarily widely recognized by others, such as regulatory bodies, relying on internal audit’s work. I continually deliver this message to global regulatory bodies: “There is only one set of global internal audit standards in the world. Why aren’t you promoting them?”<br></p><h3>Are there other areas in which internal audit could improve?</h3><p></p><p>▣  ▣ I’m concerned that the profession is not as assertive as it should be in speaking out. There’s a certain comfort level that says, “Nobody is pushing me to do this; therefore, I’m going to stay the course.” And when you take that approach, you leave your organization vulnerable to value-destructive calamities or scandals. For example, internal auditors are reluctant to tackle sensitive topics such as corporate culture, executive compensation, or management of risks associated with sexual harassment policies in their organizations. As a result, these are risks that seem to routinely get companies in trouble. </p><p></p><p>Too often, a courage deficit exists. Internal audit has to be courageous enough to address issues such as these that are not popular. We have to be courageous enough to speak the truth even when someone isn’t interested in hearing it. And we have to be courageous enough to speak truth to power. If a CEO is engaged in questionable activities, or fraud, the CAE must summon the courage to alert the audit committee.<br></p><h3>Are there other reasons internal auditors fail to speak up?</h3><p></p><p>▣  ▣ Internal audit is still reluctant, in some instances, to take on risks that are outside of its comfort zone. For example, culture, cybersecurity, and blockchain technology are areas in which internal audit may not have a lot of expertise, so they are frequently neglected despite the risks they present to the organization. Internal audit’s mandate is to be risk-centric, not just risk-centric in the risks with which we’re comfortable. </p><p></p><p>Internal audit also has not made the kind of progress that organizations need in identifying emerging risks. We are still inclined to see the risks that lie immediately in front of us. If we don’t help our organizations anticipate risks that may lie beyond the line of sight, we’re likely to be ill-prepared to help them when those risks materialize.<br></p><h3>You’ve talked a lot about expectation gaps with stakeholders over the years. Why does internal audit struggle to narrow those gaps?</h3><p></p><p>▣  ▣ Throughout my career, I’ve witnessed how dynamic stakeholder expectations can be and how quickly they can pivot. In the early 2000s, there were some who thought internal audit needed to be consultants in their organizations — out there helping people better understand their own risks and problems.</p><p></p><p>Then came tbe U.S. Sarbanes-Oxley Act of 2002. And regulatory compliance risks associated with financial reporting controls rapidly became the priority of internal audit’s stakeholders. By 2005, according to a PwC survey that I led, 71 percent of internal auditors at publicly traded U.S. companies reported they were spending more than half of their time on Sarbanes-Oxley compliance. With the onset of the financial crisis in 2008, the risks that companies faced and internal audit stakeholder expectations changed quickly. Internal audit realigned its coverage to address new risks. By 2012, according to an IIA survey, the percentage of internal audit plans dedicated to Sarbanes-Oxley compliance had fallen to less than 15 percent while the combined percentage of coverage dedicated to operational and compliance risks surged to more than 40 percent. Stakeholder expectations are changing yet again, 10 years after the financial crisis.</p><p>Recent reports suggest that management and boards are looking for internal audit to focus on key risks beyond financial reporting and compliance. As KPMG recently observed, risks related to culture, incentive structures, cybersecurity, data privacy, global supply chain, and outsourcing, as well as environmental, social, and governance risks, can significantly impact share value. It remains to be seen how extensively and rapidly internal auditors will pivot to address these risks. However, I am confident that they will.</p><p>The greatest danger of an expectations gap occurs when there is a swift and sudden shift in the risks that an organization faces. There’s often a lag time between when a risk becomes critical for an organization and how quickly internal audit can address it. And it’s in that window where stakeholder expectations get ahead of internal audit. That’s why it is critical in 2019 and beyond for internal auditors to have the agility to change direction swiftly to keep pace with stakeholder expectations.<br></p><h3>Where do you see internal audit in 10 years?</h3><p></p><p>▣  ▣ If, in some respects, in the early 2000s internal audit fell back into the era of hindsight — looking at whether financial controls were appropriately designed and implemented — there’s been a much greater emphasis on insight in this last decade. </p><p></p><p>The decade ahead offers internal audit a great opportunity to continue to build on the way we serve organizations by also providing foresight. Being able to look at emerging risks, to look out further and identify what actions need to be taken, and to talk more about what risks may present themselves if certain actions aren’t taken provides tremendous value.</p><p>Internal audit also has a huge obligation — and opportunity — in the next decade to embrace the fourth industrial revolution — a new era that extends digital technologies in new and unanticipated ways. We are in an era where the volume and complexity of data dwarfs anything we’ve seen. It defies imagination in some ways. Internal audit has to recognize not only what that means in terms of the risks our organizations face, but also the approach we take to auditing them.</p><p>In the coming decade, artificial intelligence (AI) is going to become much more pervasive. I often get asked whether AI is a threat to the internal audit profession. It’s not a threat unless internal audit continues to do the things that we’ve always done. A lot of the activities that internal audit has historically done are susceptible to being replicated or done through AI. Hindsight is much easier for AI to do, for example, than foresight. As yet, however, AI cannot combine data, information, trends, rumors, breaking news, competitors’ actions, and even hallway gossip to formulate reasoned and rational suggestions of future developments and their associated risks and opportunities — foresight. We have the opportunity and the obligation to address AI and similar technological innovations not only from the standpoint of what the risks are to our organizations, but also in terms of how internal audit uses it. AI can be a great contributor to internal auditing. It can help us become more efficient and target our efforts and resources. <br></p><h3>So how does the profession continue to grow?</h3><p></p><p>▣  ▣ Internal audit is definitely on stronger footing than we were 20 years ago, or even 10 years ago. However, this profession, like all professions, should always be prepared to prove its worth. I don’t think we have any guarantees of what lies ahead for internal audit. We are a respected resource right now, and we will stay there as long as we recognize the responsibility that comes with it. Internal audit must always be prepared to lean forward and not rest on its laurels.  </p><p></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p>​<strong>PULLING TOGETHER</strong></p><p><img src="/2019/PublishingImages/Millage-IIA-Chairmen.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Recessions and swift economic downturns are very challenging for professional associations. As Richard Chambers puts it, “If other sectors catch a cold during a recession, not-for-profits catch the flu.” The impact of the 2008 financial crisis on The IIA was great. “One of the first things that companies cut if the economy turns very soft is training and travel dollars,” Chambers explains, “so the impact was swift and severe.” <br></p><p>Chambers says he knew when he became president and CEO in January 2009 that the financial challenges were going to necessitate downsizing to a leaner, <br> re-engineered Global Headquarters. He and the Global Board of Directors had to make some difficult calls. “We didn’t really have a lot of choices,” he recalls.</p><p>Navigating through the crisis required full involvement — from the Board, volunteers, and IIA staff. “Those early months of 2009 were really spent working collaboratively,” Chambers says. “One of the greatest achievements of The IIA in the past 10 years was those first few months when the staff came together.” The Institute put together action teams to look at opportunities to cut costs and to grow revenue. “It was a collaborative process that really exemplified the very best of who we are,” Chambers says. The board was “absolutely unwavering” in its support of the steps The IIA took, he adds. </p><p>In the ensuing months, The IIA discontinued some initiatives and refocused on serving its members. “We redefined what service meant,” Chambers says. “We began to look at the member value proposition.”</p><p>“Throughout this decade, we’ve continued to make great progress in serving the members,” Chambers adds. Membership continues to grow, and The IIA is poised to crest to 200,000 members worldwide.</p><p>The results of the last 10 years have allowed The IIA to make some extraordinary investments that Chambers says will become more evident to members over the next couple of years. “We’re making unprecedented investments in technology in support of the profession,” he notes.</p><p>The IIA takes a strategic view of its role in supporting the organization and in serving its members. Its strategic plans have served as the blueprints for supporting member expectations and meeting the needs of the profession. “The IIA has never been stronger,” Chambers says. <br></p> <style> p.p1 { line-height:12.0px; font:9.0px Interstate; } span.s1 { letter-spacing:-0.2px; } </style> <p><strong><em>Image: Chambers says IIA Board support has been integral to The Institute’s success over the past decade. Chambers and Board chairs from the past 10 years recently gathered at The IIA’s Midyear meetings in Orlando, Fla. From left to right: J. Michael Peppers, Denny Beran, Günther Meggeneder, Phil Tarling, Richard Chambers, Patty Miller, Anton van Wyk, Naohiro Mouri, Larry Harrington, and Paul Sobel. (Not pictured: Angela Witzany and Rod Winters)</em></strong></p> </td></tr></tbody></table><p></p>Anne Millage0
Price Versus Value Versus Value<p>You are sitting in your annual budget meeting, having provided an estimate of internal audit’s expenses for the coming year. Those responsible for ensuring the appropriate use of organizational capital review your proposal with intense scrutiny. An impassioned discussion follows in which the great and powerful budget wizards look for ways to reduce spending while you argue for the resources necessary to accomplish your mission. In the heat of this battle, do you understand you are not arguing about the price of internal audit, but rather about internal audit’s value?</p><p>When it comes to selling something, even internal audit’s services, price is an important factor in the final buying decision. But focusing on price alone obscures the real consideration behind the buying decision — the perceived value received for that price.</p><p>Take, for example, the purchase of a diamond. Beyond issues of quality, some buyers value brand and status. The exorbitant price of any item at Tiffany’s is as much about the blue box as it is the bauble within that box. But of course not all buyers need the fancy name cachet — for some, a gem from Discount Dave’s Diamonds, Dinnerware, and Dinettes will suffice. </p><p>When it comes to internal audit services, few (if any) organizations will pay the extra premium for the Tiffany’s of internal audit. (This is not quite as true when it comes to external audit providers, but that is a discussion for another time.) Nonetheless, if those stakeholders have even a smidgen of understanding about internal audit, neither will they want the equivalent of a purchase from Discount Dave’s.</p><p>This reality brings to mind a fundamental truth about the marketing of internal audit: The only commodity we should be selling is the value we provide. And one of the most telling moments related to the success of that sales pitch is budget time. Budget discussions can become mercenary in nature, focusing narrowly on how much money the department will spend, how much it will be given, and how much will be taken away. And if internal audit sits in those meetings and argues price, it will almost certainly not succeed. Sure, it may win that particular battle, but it will lose the long-term war of defining and defending internal audit’s value.</p><p>Budget time is the ultimate moment of truth for any internal audit department. It is when the dialogue must change. Even as other departments argue dollars and cents, internal audit must focus the dialogue on internal audit’s value, followed by what the stakeholders, clients, and customers are willing to pay.</p><p>We cannot sell on being low-priced; instead, we have to sell on being the best value. <br></p>Mike Jacka1
Starting Small Small<p>Several years ago, my employer, Western Reserve Group, a property and casualty insurer based in Wooster, Ohio, was contemplating the best way to launch an internal audit department — either in-house or outsourced. With continued growth of the company expected, it made sense to enhance its focus on internal auditing. </p><p>The company chose to outsource internal audit to third-party consultants. The consultants completed, on average, three to four audits per year, until about four years ago when senior management and the audit committee determined that having an internal auditor on site to manage the internal audit function, using a cosourcing model for technical expertise, was the best fit for the company.</p><p>I was brought on as that internal audit manager. As a one-person department, getting a positive start was a must. Recommending wholesale changes to an already successful company would not be the best way to gain support for internal audit. Instead, I garnered support by listening to and observing the business units, while gaining some early wins by updating governance items, such as the internal audit charter and manual. </p><p>Absorbing knowledge from the business units helped expand my awareness of the organization and provided valuable insight down the road. Reviewing each of the audit reports completed by the prior consultants also was valuable. Likewise, reading the external auditors’ and regulators’ reports provided useful information in gaining a foundational knowledge of the organization.</p><p>Most important to developing an effective internal audit function is having a strong tone at the top that governance and internal audit go hand-in-hand in establishing the values and ethical behavior that guide the organization. The support of the audit committee and CEO is vital in showing internal audit can be used as a valuable tool and resource, in addition to providing the typical assurances required. Since the first day, the continued support I have received has allowed internal audit to develop and grow. As Western Reserve’s president and CEO Kevin Day puts it, “Strong corporate governance starts at the top of our organization with a focus on providing an ethical climate based upon our strong core values. It was vital when bringing an internal auditor on board that the entire company was aware the internal audit function was fully supported by the CEO and the board. We succeeded in this through transparency and communication throughout not only the management team, but also through all levels of the organization.”</p><p>A saying I like to use is: “Look back to move forward.” I saw where internal audit was and then determined ways to improve the cycle time between audits of the core business areas and ensure high-risk areas were covered. Creating a function that adheres to the <em>International Standards for the Professional Practice of Internal Auditing</em> was a focal point. </p><p>Just determining each auditable function and the controls surrounding those areas can take considerable time and resources. The key is to be patient while continually moving forward in building an audit universe. From there, a risk-based audit plan can be formed while gathering trends and hot topics by interviewing key members of senior management to gain an overall picture of the organization. Blending that with industry-specific needs and audit focal points can help form a solid audit plan.</p><p>Internal audit must work as a strategic partner with management and should interact with all levels of the organization to gain support and show that it can be a trusted advisor. This cannot be accomplished in days or weeks, but rather in months and years, as trust will be built over time. </p><p>At times, it can feel like internal audit is spinning its wheels or going in many different directions at the same time. It is human nature to overestimate what can be completed in one year or less, but people often greatly underestimate what they can complete in five years. Internal audit should start with a long-term road map that it frequently adjusts and reviews. </p><p>With limited resources comes limited time, but small audit functions must maintain flexibility when events occur that are outside the scope of the audit plan. Having laser focus and a detailed game plan can help squeeze in work that can add value to the organization. </p><p>Whether it is gaining certifications, frequently attending training events, or reading articles about the industry or profession, continuous learning also is important with the ever-changing risk environments of most organizations today and cannot be minimized in a small audit department.</p><p>It should be a goal of all internal audit functions, regardless of size, to ensure adequate coverage across the organization’s audit universe. But internal audit must first understand where all the risks and their respective control points occur.  <br></p>Justin Stroud1
Real-world Education Education<p>Business schools across the country emphasize the importance of hands-on learning experiences via internship programs. Internal audit internships can provide students with an understanding of the business as a whole, allowing interns to get a clearer idea of areas that interest them. Additionally, internships in internal auditing expose students to various functional areas within a company so they can experience different career paths outside of their degree or major. <br></p><p>With an ambitious timeline for developing internal audit programs for multiple departments, Professional Physical Therapy (PPT  — an outpatient therapy provider in the U.S. — first collaborated with Hofstra University in Hempstead, N.Y., to offer a summer internship program in 2017. The goal of the internship program was not only to attract high-quality graduates to PPT, but to attract candidates to the internal audit profession. More specifically, the objective of the internship program was to give students an opportunity to gain experience in the internal audit department of a large health-care company and refine their critical thinking skills as they relate to compliance and internal auditing. Unlike other internships that give detailed instructions on each task to be performed, this program was intended to give interns considerable autonomy.</p><p>As part of the program, PPT wanted the interns to develop department-specific audit tools for human resources, marketing, business relations/sales, and finance and accounting that were statistically viable and measured the overall performance, functional task compliance, and inherent risk associated with each department. Other objectives were to determine functional variability and level of error or noncompliance with legal, regulatory, operational, industry, and firm standards. </p><h2>Selection and Onboarding</h2><p>Hofstra faculty chose eight high-quality undergraduate and graduate student internship prospects. After interviewing with PPT’s director of internal audit and chief compliance officer (CCO), all eight students were offered paid internship positions. The interns comprised four graduate students and four undergraduate students with majors in accounting, legal studies in business, biology, and marketing. </p><p>In the first week, interns participated in an orientation training boot camp. They were introduced to PPT staff and provided with an overview of the program, health-care internal audit best practices, and the organizational charts of the four departments to be audited. To help the interns understand what an audit looks like, they were provided with an overview of the PPT clinic and revenue cycle operation audits (i.e., how they were developed, scoring, performance, reports, and corrective actions). Interns were then assigned to one of the four departmental internal audit teams and provided work stations.</p><p>Next, interns were assigned to project managers/mentors from the legal and compliance department in teams of two. Because the internship program took place in the health-care sector, interns were also provided with an overview of the U.S. Health Insurance Portability Accountability Act. Then they were trained on how to develop internal audit tools and given goals and deadlines for deliverables.</p><p>Guidance was given on how interns could access relevant information to achieve their objectives. For example, they were given job descriptions of individuals in the departments to be audited, relevant forms and policies, and the necessary steps to develop an audit tool. Also, interns were told they would be interviewing staff in the various departments to learn about departmental processes and role-specific job requirements. The legal and compliance team explained legal issues relevant to health care and the audit process using an actual clinic audit, sample audit report, and corrective actions. </p><p>Finally, each audit team developed a 60-day plan that was reviewed by a mentor, conducted mock staff interviews to illustrate how interns should interview PPT staff, and learned how to research industry standards and best practices. Interns met with their mentors, who gave an overview of the timeline for internship components, including research, interviews, policy review, document review, internal audit tool development, testing, measurement and weighting, and audit performance.</p><h2>Audit Tool Development</h2><p>Teams were assigned to specific departments based on interns’ educational backgrounds and interests. The goal of having two-person teams was multifaceted. The interns were able to work as autonomous teams, while mentors provided guidance as needed. However, the interns relied on each other’s strengths to a great extent to achieve objectives before resorting to their mentor for guidance. This helped build interns’ self-confidence and reduced heavy reliance on mentors in the program. </p><p>The interns’ first task was to gather research by reviewing industry and firm standards, firm policies and procedures, and relevant laws and regulations, and by interviewing respective department personnel. Each team’s mentor reviewed the information and aided or provided feedback to the interns as needed through the research process. </p><p>Once the research process was complete, the teams developed the audit tools, which consisted of binary questions that could easily be scored and weighted. Audit tool question development went through multiple steps of evaluation over a four-week period. First, the audit tools were approved by the project manager/mentor. Next, they were approved by the director of internal audit and then the CCO. Once a team received final approval, the interns conducted an audit using their newly developed audit tool. Based on those findings, the teams created key performance indicators (KPIs) and a KPI dashboard for each department audited. </p><p>With results from the audit and KPI information in hand, the interns prepared an audit report summarizing their findings. Interns also conducted a gap analysis and provided an action plan based on its results. Finally, each team prepared a presentation of its audit findings and presented them to PPT’s executive board. </p><h2>Company Benefits</h2><p>The program allowed for an ambitious project of developing audit tools for continued use for four departments, and it was completed in a relatively short time frame. Furthermore, the review process in place (i.e., by mentors, the director of internal audit, and the CCO) ensured that the output of the program was of high quality. Because interns were responsible for the development of each department audit tool from start to finish, the project cost much less than it would have cost had it been performed by legal and compliance personnel.</p><p>The PPT internship program was such a positive experience for the members of the legal and compliance departmenets that PPT decided to hire one of the interns in a full-time capacity. Due to the success of this internship program, PPT’s director of internal audit and CCO indicated interest in pursuing additional internships in the future. </p><p>The internship program increased exposure to, and promotion of, the company through the interns. By providing a positive and satisfying learning experience for the interns, the company receives positive publicity spread by the interns to their peers.</p><h2>Student Benefits</h2><p>Because each team was responsible for a project from start to finish, they were able to improve their critical thinking skills considerably by way of firsthand learning. By providing each intern with autonomy — and another intern to work closely with — they were able to bounce ideas off of one another to solve problems and achieve their objectives. Interns used critical thinking skills at every stage of the internship program: research, development, execution, reporting, and presentation. In addition to improved critical thinking skills, interns also refined their technical skills by using Excel tools and learned a great deal about health-care industry standards, departmental company standards, and best practices. </p><p>However, one of the greatest outcomes of the program was the opportunity for the interns to develop their communication and soft skills by placing them in real-world situations. Interns learned how to develop good rapport with company personnel, work efficiently as a team, capitalize on each other’s strengths, and work under pressure. Feedback provided to the interns from mentors resulted in significant improvement in these areas. As a result, this internship program created much more desirable job candidates.</p><p>Interns in the program completed a mid-internship self-performance appraisal form where many indicated they were able to apply knowledge from their university studies to a real-world setting, learned a great deal about areas in which they had very little previous knowledge, identified technical and presentation skills as being enhanced, and expressed that their communication skills improved. While several interns were frustrated with the real-world phenomenon of different expectations from different supervisors, they learned to cope with these sometimes-contradictory expectations. This reflects a clear acknowledgement of improvement in soft skills in the workplace. </p><p>The interns also identified gaining work experience in the health-care industry, working independently and within a team, and being responsible and accountable for work performed as additional benefits of the program. After presenting their findings to the executive board, interns indicated they felt a great sense of accomplishment and self-satisfaction.</p><h2>Changing Perceptions</h2><p>Internship opportunities in internal auditing that create positive experiences for the interns and the organization can work to enhance perceptions of the internal audit profession. Students share their experiences with peers, which can translate to increased interest from students looking to learn more about internal auditing. Additionally, organizations may see an increase in high-quality candidates who may have never considered a career in internal auditing.  <br></p>Rina M. Hirsch1
Breaking Free of Mental Traps Free of Mental Traps<p>​Feeling caught in a mental trap? Overthinking can inhibit internal auditors’ service to clients. “Mental traps are habitual modes of thinking that disturb our ease, take up enormous amounts of our time, and deplete our energy, without accomplishing anything of value,” former University of Toronto philosophy and psychology professor André Kukla writes in <em>Mental Traps: The Overthinker’s Guide to a Happier Life</em>. </p><p>Auditors can unwittingly fall into many mental traps and “spin” at any point in the engagement life cycle. Being aware of these traps and learning how to overcome them can help auditors become better at their jobs, reduce the effort required to finish their work, and deliver greater value to their clients.</p><p>Among the mental traps that the book covers, nine are most relevant for internal auditors: persistence, amplification, fixation, reversion, anticipation, procrastination, acceleration, resistance, and division. According to Kukla, each of these traps relates to four cardinal errors pertaining to undertaking tasks or projects: Individuals either do too much or too little, or they start or finish a task too soon or too late. Internal auditors should be mindful of these traps and errors and take proactive steps to manage them.</p><h2>Persistence </h2><p>The first trap involves continuing to work on tasks that have lost their value. This results in people doing too much. As Kukla points out, North American culture teaches people to regard persistence as a virtue. This is a form of mental inertia — having begun an activity, people keep moving in the same psychological direction until they reach the end. This inertia tips the scale in favor of continuing the task even if it no longer has merit. The individual promised to complete it, so he or she will doggedly carry on to the end. </p><p>It is important to remember, however, that there is a difference between persistence and perseverance. While persistence is a mental trap that leads to a dead end, perseverance is a laudable trait in which one steadfastly pursues a goal despite encountering obstacles.</p><h2>Amplification </h2><p>Working harder than necessary to achieve one’s aims and doing too much is amplification. For internal auditors, amplification occurs in a few common situations. The first is when they continue testing to prove an observation for which they have already collected sufficient evidence. After all, if some evidence is good, more must be better, right? </p><p>Auditors can avoid this by applying a rule of thumb: Only gather enough evidence to convince the intended audience to take action. Once the threshold is reached, quit digging. </p><p>Engaging in “analysis paralysis” is another example. This occurs when internal auditors continue to analyze a situation beyond what is required in the belief that it will help make the case for change. </p><p>Internal auditors also can spend inordinate time polishing reports because they believe the reports are not ready. Auditors face the law of diminishing returns and at some point need to stop the work and issue the report. They don’t need to be perfect. Setting relatively firm deadlines can help auditors deal with this mental trap.</p><h2>Fixation </h2><p>Related to amplification, fixation occurs when progress toward finishing an engagement or task is blocked. This often occurs when internal auditors require additional information from a stakeholder such as an executive who happens to be unavailable. </p><p>Instead of using the time to do something else that will help complete the engagement, auditors may waste time by devoting efforts to activities that add no value or repeating what’s already been done. Neither of these actions ultimately adds any value. As a result, auditors expend too much effort on the current task and don’t begin the next task soon enough. Auditors can avoid this situation by effectively planning for the future and considering the schedules of key stakeholders. </p><h2>Reversion </h2><p>A bit more complex, reversion happens when people have set out to accomplish a task and have failed at it. Rather than let it go, they continue to focus their thoughts on attaining the missed goal. Kukla states that “reversion is the temporal opposite of fixation,” but rather than working to hasten an <em>immovable future</em> when a task is blocked, people try to change the <em>immutable past</em>. </p><p>Fixation and reversion share a common problem in that people continue to work on a task when there is nothing more to be done. With reversion, auditors need to accept their failure; get over the feelings of guilt, regret, or shame; and move on to the next project.</p><h2>Anticipation </h2><p>Auditors can suffer from anticipation by starting a task too soon — for example, by not planning enough before they begin fieldwork. Inexperienced internal auditors are prone to the anticipation trap by being anxious to start fieldwork before they understand why the engagement is being undertaken, what is the most effective way of obtaining evidence, and how the engagement should be executed to meet the clients’ needs. This is evident when auditors begin detailed testing of transactions before exploring other, less labor-intensive options, such as interviews or walk-throughs, to get evidence. Internal auditors need to plan adequately before beginning fieldwork, yet not do so much planning that they delay getting started.</p><h2>Procrastination </h2><p>One of the most prevalent mental traps, procrastina-tion involves performing small, relatively meaningless tasks that take the place of actually devoting time to required or appointed tasks that will add value. Engaging in procrastination, internal auditors end a current task too late and do not start the next task soon enough. </p><p>One common way of procrastinating is to postpone starting fieldwork by over-planning. Auditors can avoid this by establishing deadlines and allocated efforts for each phase of the audit and holding to them as much as possible. Some flexibility is needed, of course, but an audit is a small project and should be treated like one.</p><p>Another way to procrastinate is to delay contacting stakeholders to avoid confrontation or a potentially unpleasant discussion. Auditors may delay for a day or two, only to find out that the stakeholder is not available for the next week. If this happens enough times, the engagement timeline can be delayed by several weeks.</p><p>Internal auditors also procrastinate by not writing their audit report because they know writing, editing, and finalizing it will open themselves to challenge and criticism from their supervisors and clients. Audit departments can address this trap by beginning to draft the engagement report the moment fieldwork begins. Doing so promotes refining and testing observations and conclusions as the engagement progresses rather than waiting until the end.</p><p>Although related to amplification, performing more tests than required during fieldwork can be another form of procrastinating. This can be the case when additional testing is done to avoid getting to the next phase of the engagement. </p><h2>Acceleration </h2><p>The flip side of procrastination is acceleration. Rather than being slow to start, acceleration occurs when people don’t give a task the necessary time and attention and end up finishing it too soon. Often, procrastinating at the beginning of a project or task can result in acceleration at the end.</p><p>For example, internal auditors may rush through planning, ultimately not delivering what clients and stakeholders wanted. As a result, they may have to go back and perform more unplanned fieldwork. Failing to take time to ensure tests are designed appropriately and executed correctly may yield faulty evidence from rushed and sloppy work. Auditors also may have to repeatedly revise reports because they rushed to write a first draft without adequately thinking through what they want to report on and how they want to report it.</p><p>Internal auditors can avoid acceleration by devoting time to perform each phase of audit work effectively through appropriate planning and continually monitoring their progress throughout the engagement. Frequently referring to the scoping document throughout the audit — especially when writing the report — can help keep internal auditors on track and focused on the goal of the engagement.</p><h2>Resistance </h2><p>When people who are busily involved in a task that is going well are presented with a valid emergency, opportunity, or interruption that requires their attention, resistance occurs. This could include a client request for an urgent, high priority, and inconvenient assignment while auditors are in the middle of another engagement. An example could be an unplanned investigation into a fraud at a remote location that will require significant travel and time away from home. To address this trap, auditors can apply a general rule proposed by Kukla: “It is pointless to let opportunity slip away when the present task can be postponed without cost.”</p><h2>Division </h2><p>The division trap happens when individuals try to concentrate on two things at once. This trap involves the mistaken assumption that people can be effective multitaskers. </p><p>Kukla points out that people cannot consciously attend to two things at once because attention is indivisible. When individuals think they are multitasking, they are either “fast-switching” their consciousness between two activities, or they have relegated one of the activities to an unconscious, automatic mode of operation.</p><p>Internal auditors, especially those at a senior level, often need to juggle many tasks. They rarely have the luxury of focusing on only one thing at a time. The problem is that dividing attention between tasks actually takes more time and effort than concentrating on one task at a time. When people drop one task and return to it later, they don’t pick up at the spot where they left off. They have to spend time picking up the threads of the task.</p><p>To manage their time better, internal auditors should devote segments of time to specific tasks. They should take steps to avoid unnecessary distractions such as emails, telephone calls, and interruptions by direct reports or other employees. As Kukla notes, there is always something that can take a person’s attention away from the task at hand.</p><h2>A Virtuous Habit</h2><p>By being mindful of mental traps and taking steps to break free of them, internal auditors can better enjoy their work and be more effective in their roles. The aim is to devote less time and effort to producing consistently good results. Being mindful of mental traps is an ongoing discipline that can become a virtuous habit incorporated into auditors’ day-to-day work. It can supplement the well-developed technical skills and knowledge auditors already possess, helping to make them more successful as individuals and as team members. </p>Murray D. Wolfe1
6 Steps to Right-size Internal Audit Steps to Right-size Internal Audit<p>At some point in almost every chief audit executive’s (CAE’s) career, he or she is asked to assess and justify the organization’s level of internal audit resources. The number of variables and organization-specific considerations can make this a formidable task because there is no rule or standard to determine the appropriate amount of audit spending. Because judgment and subjectivity are required, CAEs run the risk of being seen as self-serving if the benchmarking exercise is used to advocate increased head count or spending, or to resist internal audit budget reductions in conjunction with broader cost-cutting initiatives.  <br></p><p>Considerable judgment is left to the CAE to ensure the audit plan covers the appropriate level of risk. In actual practice, audit committees frequently ask CAEs whether internal audit is sufficiently staffed with respect to number of people and skill. The starting point then, to facilitate “right-sizing” the internal audit function, is to clearly establish and understand internal audit responsibilities, scope, and coverage, as well as stakeholder expectations. To aid this assessment, internal auditors can follow a six-step benchmarking approach aimed at answering the age-old question: How much is enough? </p><h2>Establish the Purpose for Benchmarking <br></h2><p>When internal audit is asked to rationalize budget and head count, stakeholders should consider the current state of the organization and its risk appetite. During times of economic stress, some organizations may be tempted to reduce centralized overhead functions and the corresponding semi-independent oversight of risk, internal control, and business processes. Downsizing also may eliminate administrative and control processes, increase workload, and curtail oversight functions while expanding autonomy and levels of authority. Unfortunately, intense revenue pressure and cost cutting can heighten the risk of inappropriate behavior and shortcuts in controls and business processes. Consequently, right-sizing internal audit should go beyond arbitrary across-the-board reductions. That is why benchmarking should encompass the resources required to meet stakeholder and regulatory expectations, within the agreed-upon risk appetite for the organization. <br></p><p>Other reasons for benchmarking the internal audit function may be to examine use of outsourced vs. in-house resources, centralized vs. decentralized audit resources, career vs. rotational audit staffing, and frequency of audit coverage, as well as to identify differences in the level of audit services provided compared to other organizations in the same industry. </p><h2>Inventory Internal Audit’s Principal Activities <br></h2><p>Next, the CAE should inventory the principal activities performed by internal audit that may be handled differently within other organizations. For example, does internal audit run the U.S. Sarbanes-Oxley Act of 2002 project management office or perform independent testing to support required management Section 404 assertions? Does the internal audit function provide direct support to external auditing, including substantive testing not required for the organization’s Sarbanes-Oxley assessment on internal control? Does the organization operate in a heavily regulated environment with prescriptive requirements for the internal audit function? <br></p><p>Internal audit is regarded as an organization’s third line of defense, responsible for providing independent assurance. The three lines of defense model establishes responsibility for internal controls and how organizations can best establish and coordinate duties related to risk and control. It also states that the individual lines of defense should not be combined in a way that reduces effectiveness. Coordination helps minimize gaps and eliminate duplication of assigned duties. Understanding the makeup of responsibilities within the three lines of defense is an important first step in benchmarking the internal audit function.  </p><p>When inventorying an internal audit department’s activities, CAEs should include all discrete activities that require 10 percent or more of total available internal audit resources. Getting too granular makes effective benchmarking difficult.</p><h2>Know and Define the Industry </h2><p>For some organizations this is relatively straightforward. For others it may be more difficult, particularly if the organization is engaged in disparate lines of business. For example, a technology manufacturing company may also own broadcast media. Auditors should choose the most representative industry or consider benchmarking against two or more separate industries if this seems more appropriate. Next, they should identify key competitors and industry trends that may impact the benchmarking exercise.  </p><p>One of the best means of understanding industry culture is through industry-specific benchmarking groups. Formal and informal groups focused on internal audit and Sarbanes-Oxley benchmarking exist in several industries, including aviation, engineering and construction, financial services, manufacturing, news media, and retail. Participation in networking groups and reading industry-specific publications provides insight to the organization’s industry and its culture. This is valuable to understand commonalities and differences to be considered in the benchmarking exercise. For example, are most competitors privately held when the organization is publicly traded? Does the organization operate internationally compared to competitors that operate primarily in the U.S. and Canada? Is the organization’s industry expanding or contracting or deploying administrative functions off shore? What is the cultural expectation for internal audit? Does the industry see internal audit as a policing activity or the function that runs the Sarbanes-Oxley program? Is internal audit viewed as a source of talent and a business partner or a necessary evil and corporate overhead?</p><h2>Identify Benchmarking Alternatives </h2><p>There are numerous approaches to benchmarking the internal audit department. Each of these has advantages and disadvantages, and some are easier than others to develop and execute.  </p><p><strong>Simple Approach</strong> The most common and easiest approach is to use a basic metric such as total revenue per auditor or number of employees per auditor. Generally, the numerator in the ratio is publicly available (for public companies) and requires only determining the number of auditors in an organization to complete the benchmark ratio. It’s a quick and easy way to approximate audit coverage with others. Comparisons in this basic approach also are included in other benchmark approaches with richer data. Usefulness is relatively limited, however, as differences in audit coverage or business operations are not identified. At best, it can serve as a minimum guideline in establishing a base level of resources compared to other companies. <br></p><p><strong>Internal Audit Benchmarking Report</strong> The IIA’s benchmarking tool compares audit department size, experience, and other metrics against the averages of similar organizations in chosen peer groups. Benchmark metrics include employee compensation; organizational statistics; department staffing and costs; oversight, including audit committee information; operational measures, including audit life cycles; performance measures; and risk assessment and audit planning information. <br></p><p>Data is confidential and reported only in aggregate form. Identifying information is not publicly disclosed, although a list of participating companies within each industry is provided. Once internal audit and the CAE make their benchmark metrics selections, the Audit Intelligence Suite compares the audit activity against comparable departments and creates a tailored benchmark report. Principal limitations are the fee and whether sufficient representation exists with companies of the same size and characteristics within the same industry.  <br></p><p><strong>Private Benchmark Survey</strong> Industry-focused and private benchmark surveys also provide relevance and credibility. An alternative is to use the peer group of organizations cited in most proxy statements for U.S. publicly listed companies. For example, the 2018 Fluor Corp. proxy listed 22 companies considered direct competitors and other peers in the engineering and construction industry. This is the perfect group to enlist for a private benchmark survey. To preserve anonymity and confidentiality, it may be useful to mask specific organization responses. An independent third party can facilitate collection and dissemination of results; specific categories can be banded to preserve confidentiality of individual responses.  <br></p><p>Revenue can be grouped in broad categories and a similar approach can be used for internal audit budget amounts, number of employees, and other benchmark data. Audit committee members and executive management tend to view peer surveys as the most relevant as they compare companies with much of the same risks, industry constraints, culture, and regulatory requirements. The approach takes effort to execute and typically requires assistance from an independent third party to facilitate. Consequently, this benchmark exercise often takes longer than other approaches. </p><p><strong>Third-party Surveys</strong> Most of the Big Four accounting firms, professional service providers, and recruiters publish annual or periodic surveys covering internal auditing. It is worthwhile to research current publications and consider whether these can be used to benchmark the organization’s internal audit function. However, it is sometimes difficult to apply broad surveys to satisfy the data requirements for a specific benchmarking exercise. In addition, third-party surveys often are thematic in focus, and do not provide sufficient demographic detail or include the necessary data to facilitate benchmarking internal audit resources and head count. <br></p><p><strong>Appraisal Approach</strong> The appraisal (or market adjusted) approach starts with basic survey data from another benchmark survey. Adjustments are then made to account for differences in the organization’s inventory of audit services compared to others included in the basic survey. This concept is similar to the technique used by real estate appraisers where the individual property value is appraised based on the comparable value of nearby existing homes and adjusted upward or downward for such things as a pool, finished patio, and high street traffic.  </p><p>When conducting an appraisal approach survey, CAEs should try to accumulate data on services that may not be comparable based on their knowledge of the industry, competitors, or the uniqueness of their organization. For example, if other organizations do not provide external audit direct assistance and the organization provides three full-time exempt (FTE) employees, the CAE should subtract three FTEs from the head count comparisons in the benchmark survey, along with appropriate footnotes. This approach recognizes unique differences in audit services and attempts to provide a balanced, apples-to-apples comparison. It requires judgment and data to execute and can be subject to criticism by stakeholders if additions or subtractions appear arbitrary or not well-supported. </p><p><strong>External Audit Fee Comparison</strong> There also is no standard to determine the appropriate amount to spend on external audit fees. These fees vary widely among organizations of equal size and are driven by the same organization control environment characteristics applicable to internal audit. This relationship holds true when external audit fees are market-driven (based on hours to complete the audit), which reflects complexities in the availability, quality, and reliability of data and the organization’s control environment. Consequently, internal audit fees compared to external audit fees can be extrapolated across peer organizations to develop a range of expected internal audit spending for the organization.  <br></p><p>This approach provides the most useful metric that reflects the unique characteristics and differences in organization control environments. External audit fees, along with organization revenue information, are available from U.S. publicly listed companies. Completion of this benchmark analysis requires obtaining the cost or head count for the internal audit function. Audit committees tend to like this comparison because it provides a snapshot of both internal and external audit fees, particularly if focused on organizations in the same industry. </p><h2>Summarize and Interpret Results  </h2><p> </p><p>Once data has been collected, CAEs should summarize and apply results for the organization to the external benchmark survey. Stakeholders appreciate the insight of multiple perspectives that add credibility to the thoroughness of the exercise. Accordingly, CAEs should use as many approaches for obtaining benchmarking data as possible. This will provide a comprehensive snapshot of the organization’s internal audit function and resources compared to others.  </p><p>Stakeholders can compare spending in the organization’s industry to other industries or organizations with similar revenue, and see differences in external audit fees and the categories of services provided by internal audit functions. </p><p>CAEs also can consolidate individual surveys to establish a range of acceptable internal audit resources and coverage that facilitates flexibility and judgment for making resource or staffing decisions. If the internal audit function is well above or below the range established by triangulating multiple surveys, compelling data now exists for recommending specific changes. <br> </p><h2>Report Benchmark Results to Stakeholders </h2><p>The CAE should approach reporting the results of a benchmark analysis with the same objectivity and rigor applied to internal audit reports. It’s important to consider the assessment from the perspective of recipients, stakeholders, and decision-makers on the audit committee and in executive management. After the study is prepared, the preliminary results should be vetted with stakeholders to ensure key perspectives have not been overlooked. Invariably, audit committees also will ask the external auditor for input, so he or she should be included in the vetting process. </p><p>The benchmark report from the CAE should describe the objectives of the exercise and the survey approaches used, along with any assumptions and exclusions. Transparency is imperative for the report to be viewed as objective and credible. CAEs should summarize relevant industry trends, cultural differences, variations in audit services provided by their function compared to others, and other data points stakeholders should be aware of. They should conclude with recommended changes based on benchmark data in line with stakeholder expectations for internal audit.  </p><p>Frequently, the survey supports the current level of resources and head count without the need for substantive changes. Such a conclusion also provides value to the audit committee by independently corroborating the appropriateness of resources. Finally, CAEs should summarize survey results and disseminate them to other participants if industry or private benchmark surveys were conducted. </p><h2>Opportunity for Dialogue</h2><p>All CAEs should right-size the internal audit function periodically to satisfy IIA Standard 2030: Resource Management. Benchmarking and comparison with other organizations also helps ensure the function provides reasonable value and coverage for the industry and company risk profile. It also affords an opportunity for insight and dialogue with the audit committee and management to sustain and grow investment in internal audit resources. <br></p>Stephen Shelton1
Adding Value in R&R Audits Value in R&R Audits<p>​With an organization’s internal controls being tested more than once a year via external auditors and regulatory requirements, such as the U.S. Sarbanes-Oxley Act of 2002, what additional value does an internal auditor bring? Internal auditors can look beyond the financial statement’s accuracy and focus on control reviews to ensure its alignment with management’s objectives and strategies — specifically in the revenue and receivables process.</p><p>External auditors and in-house Sarbanes-Oxley auditors perform test procedures to validate various assertions related to revenue transactions, receivables balances, and their presentation and disclosures in the financial statements. Internal auditors can work with management to ensure that the revenue and receivables processes are set up and controlled effectively to achieve the organization’s goals. There are several areas on which internal audit can focus to help achieve this objective.</p><h2>Pricing Strategy </h2><p>Internal auditors should interview senior management to get insight over the assumptions, historical sales growth analysis, customers’ feedback and forecasts, and other resources tapped to gain the pulse of the market. This insight will help internal auditors assess if the pricing strategy is moving in the right direction to help the organization achieve its goals. If not, internal audit should discuss with management how to improve the analysis and pricing strategy.</p><p>Once satisfied with the pricing strategy, internal auditors should then evaluate transformation of this strategy into the actual pricing structure, assess whether the framework provided to the sales team for negotiating with customers aligns with the pricing strategy, and ensure that the approvals for pricing structure and negotiations include exceptions to the pricing strategy.</p><h2>Having the Right Customers</h2><p>In a business-to-business model, working with profitable and creditworthy customers is a sign of sustainability and consistent growth year over year. When reviewing the customer selection process, internal audit should: </p><p></p><ul><li>Check the existence and adequacy of customer selection policies approved by the appropriate level of management. </li><li>Ensure adherence to these policies.</li><li>Assess the adequacy and reliability of resources used to check customers’ credit rating (good credit provides reasonable assurance over revenue collection). </li><li>Evaluate profitability at a customer level and question management on loss-making deals (profitability analysis provides visibility over profitable deals).</li><li>Review the effectiveness of controls over updating customer data in the organization’s customer database to ensure data validity.</li></ul><h2>Contractual Obligations </h2><p>This area is more applicable to organizations that provide a complex bundle of services. Such sales need a well-drafted contract detailing all performance obligations. Internal auditors should check for the existence of a control where contracts are reviewed by legal experts, an accounting policy team, and an operations team, and are approved by the appropriate management level to protect the company from unwanted obligations and commitments.</p><p>If a contract template with standard clauses is already developed, the auditor’s job is to focus on any nonstandard terms agreed upon by customers and assess their reasonability and approval process effectiveness. Internal audit should risk-rank the contracts based on their contribution to the organization’s objectives and then develop a testing strategy to review the reasonableness of key nonstandard terms. The higher the number of nonstandard terms, the greater the challenge for internal auditors.</p><h2>Conversion of Orders to Invoices</h2><p>Internal auditors should confirm that a process exists to capture the goods or services provided to customers and to invoice them for these goods or services. Prices for goods and services sold by the organization should be updated in the price database, and the revenue system must capture all goods and services sold to customers for accurate invoicing.</p><p>Usually, internal auditors test these processes on a sample basis. To make the sample selection effective, internal auditors should pick up on clues about process gaps, control weaknesses, and system constraints through process map reviews, data analytics, rework queues, pain points, and process improvement ideas communicated by management. These areas could reveal missing management oversight and potential revenue leakages, such as not invoicing for services provided or generating invoices with lower-than-negotiated rates. </p><h2>Tracking Receivables and Collection Efforts</h2><p>The receivables aging report is a good source to determine tracking process efficiency. External auditors and Sarbanes-Oxley auditors review the aging report for valuation and to reconcile with the financial statements, while internal auditors can assess the effectiveness of its collection efforts. Does follow-up with customers happen with sufficient frequency and is there a process to escalate problematic dues with senior management? Also, are the receivables that are handed over to collection agencies, either under litigation or from bankrupt customers, being tracked to protect the company’s interests? </p><p>Although write-off approvals are reviewed by external auditors and Sarbanes-Oxley auditors, internal auditors should analyze write-off data to identify outliers, such as the same employee writing off certain customers’ dues frequently or the same customers’ dues getting written off often. The root causes of these outliers will help reveal the process control issues. </p><h2>Recording Cash Receipts</h2><p>Recording cash receipts is vulnerable to misappropriation of cash received from customers and is reviewed by external auditors and Sarbanes-Oxley auditors. Cash receipts include electronic fund transfers, checks, credit cards, and physical cash receipts. Internal auditors can focus on the timeliness of recording the collection of cash in addition to the adequacy of segregation of duties and sufficient oversight in receiving, depositing, and recording cash funds. </p><h2>Performance Metrics</h2><p>Last but not least are the metrics developed by management to measure the performance of revenue and receivables processes. Internal audit should review the accuracy of key metrics to ensure that the data used for metrics calculations are correct and current. Internal auditors also can suggest additional metrics that will be useful to management.</p><h2>Focus on What Matters</h2><p>By reviewing end-to-end processes and questioning the alignment of various policies, procedures, and performance metrics with management’s corporate objectives, internal audit can enhance the work of external and Sarbanes-Oxley auditors. Working with management to finalize the objective and scope of audits will help auditors focus on the risks that really matter to management, in addition to reviewing key internal controls that matter to internal auditors. <br></p>Shilpa Yadav1
An Extraordinary Experience Extraordinary Experience<p>Pity the poor used car salesperson. Survey after survey shows these purveyors of the pre-owned work in one of the least trusted professions, mired in a cesspool of lobbyists, telemarketers, and (gasp!) business executives. There are many reasons for this distrust, but part of it has to be the frustrating ordeal of buying a used car.</p><p>Given the industry’s reputation, and my own encounters with it, a recent auto dealership commercial caught me by surprise. It featured a customer so enamored with the used-car buying experience that he, purportedly, gave his endorsement without compensation. After extolling the virtues of the salesperson, the service department, and the dealership as a whole, he made an amazing statement: “I had an extraordinary buying experience.” </p><p>Internal auditors are generally not included in surveys of “trusted professionals,” but I imagine we would not appear particularly high or low on such a list. Our reputations have improved significantly over the years, though we are still haunted by lingering perceptions of audit professionals as snitches, nitpickers, compliance tyrants, and even bayoneters of the wounded. These perceptions are dying a well-deserved, none-too-soon death. But they still drive some people’s approaches and reactions to internal audit. ​</p><p>Accordingly, I think any of us would be shocked to hear someone say, “I had an extraordinary internal audit experience.” But shouldn’t we be trying for just that level of service? Shouldn’t we be doing the extra work that would turn even our friends, supporters, and advocates into raving fans? Shouldn’t we be trying to make every internal audit an extraordinary experience?</p><p>If so, we first have to figure out what an extraordinary audit experience looks like. And that means we have to identify and understand every step every stakeholder experiences in every internal audit project.</p><p>During the 1980s, Jan Carlzon, CEO of Scandinavian Airlines System, coined the phrase “moments of truth” to describe each and every time the customer comes into contact with an organization or department. He described how these moments of truth represent the point in time when customers are forming their opinions. By focusing on these moments, he suggested, the organization or department could better manage them, thereby better managing customers’ perceptions and creating a more positive experience.</p><p>For internal audit to deliver service our stakeholders will consider extraordinary, we must identify each and every one of these moments. We must determine why each is occurring, understand what the customer wants from that touch point, and develop ways to make each of those individual experiences the best they can be. If we manage those touch points — if we make each of those moments unforgettable — then, and only then, will our stakeholders walk away saying, “I just had an extraordinary internal audit experience.” </p><style> p.p1 { line-height:12.0px; } p.p2 { line-height:12.0px; } p.p3 { text-indent:18.0px; line-height:12.0px; } p.p4 { text-indent:9.0px; line-height:12.0px; min-height:11.0px; } p.p5 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { font:8.0px Interstate; letter-spacing:-0.1px; } </style>Mike Jacka1
Ten Tips to Manage Your Career Tips to Manage Your Career<p></p> <p>While working in internal audit for more than 30 years within corporate functions and professional service firms, one of the most fulfilling things I’ve done is counsel and assist associates with various pieces of their careers. Helping people make good career decisions and watching them develop to their full potential should be an objective of any professional. </p><p>The opportunity to serve in this role has allowed me to identify and understand career challenges internal auditors repeatedly run into and help them develop the skills to better manage their careers and avoid these common pitfalls. Mastering 10 skills can help internal auditors better position themselves to take advantage of opportunities and enable them to prosper in today’s work environment. </p><h1>one. </h1><h2>Differentiate yourself from your peers.</h2><p>What unique skills and experiences do you have, or are you developing, to differentiate yourself? Too often, internal auditors have not focused on this question and are not able to articulate which demonstrated strengths and key attributes set them apart from their peers. It is not just a matter of stating a skill or attribute — they should be able to give examples that demonstrate they possess that skill or attribute. <br></p><p>Using generic descriptive phrases such as “I’m a hard worker” or “I have high ethics” doesn’t differentiate a person, as many people use them. At any level or position, internal auditors need to continue to build skills and experiences that make themselves more valuable and also set them apart from peers. </p><p>Auditors also should practice their interviewing skills. Are you able to clearly articulate what your key strengths and differentiating qualities are? In particular, when you interview, do you know what qualitative skills and attributes you want to communicate to an interviewer? Résumés also should be updated to communicate these qualifications.</p><h1>two.<br></h1><h2>Learn to develop and maintain relationships.</h2><p>One of the most important career skills is the ability to build and maintain professional relationships. Access to a network of professionals is valuable and can be used for a broad range of activities, such as sales opportunities, references, staffing and job opportunities, coaching, and insights on companies and executives. <br></p><p>But building and maintaining a network is a process. Internal auditors should consider who they network with and why, then develop a process to support and reinforce networking activities. For example, practitioners should keep track of when they interact with people or maintain a list of people with whom they need to reconnect. </p><p>While social media networks are fine for many purposes, professional networking requires a personal touch and interaction. People in your network need to know you and your capabilities so that when a need arises, they are happy to help. </p><h1>three.</h1><h2>Set long-term goals but manage your career in terms of “orbits.” </h2><p>Goals give you something to work toward in your personal and professional life. However, in today’s dynamic work environment, reaching those goals may seem daunting. The uncertainty of constant change presents a challenge in developing a clear path to goals, especially long-term goals. Studies have shown that writing goals increases an individual’s probability of achieving them.<br></p><p>Alex McKenna, a career counselor for senior executives, advises people to think about their careers in two- to five-year increments, which he refers to as “orbits.” When in an orbit, the focus should be on performing well while building skills and experiences that qualify you to move to a higher orbit. That higher orbit could be a higher-level position or a position in a different organization where your skills and experiences would be better used. In that higher orbit, you would look to add new skills and experiences to reach an even higher orbit. </p><h1>four.</h1><h2>Create your own opportunities.</h2><p>Rather than just waiting for unique or challenging opportunities to come their way, internal auditors should seek out those assignments. If a problem has been identified, be one of the people to fix it. There are benefits to volunteering for the tough assignments. First, tough assignments grow skills and offer unique experiences. Often, fixing major problems involves developing new approaches or applying new thinking rather than just performing routine assignments. Second, these are the assignments where internal auditors get noticed. Being part of a team that addresses major issues or problems gets the attention of more senior people, which is the attention auditors want.<br></p><p> </p><h1> five.</h1><h2>Learn to focus your time and activities.   </h2><p>The 24/7 work cycle and other complexities can be overwhelming at times and may lead internal auditors to jump from one task to another. At the end of what seemed to be a very busy day, an auditor may be unable to answer the question, “What did I accomplish today?” Time is your most valuable and limited asset. You can’t create more of it, and it easily can be wasted. <br></p><p>So, it’s important to focus on the most important tasks and get them done. Auditors should operate every day with focus, know what needs to be accomplished, and direct energy to that task. Various methods can assist in this process, such as to-do lists, priority lists, or daily reminders. Whatever is used, the most important thing is to learn to instill the discipline of focus in daily activities.</p><h1>six.</h1><h2>Get a mentor.</h2><p>With critical or challenging career situations, it helps to have access to someone you trust, respect, and feel comfortable seeking advice and counsel from — someone who also has confidence in you and is interested in your personal development and progression. Internal auditors should look for opportunities to develop real mentoring relationships with someone who can help. These relationships tend to develop over time and can’t be forced. A good mentoring relationship develops itself, and networking and relationship building play an important part. Over time, these relationships can change and evolve. You may even have more than one mentor during your career. <br></p><p>The mentoring relationship is rewarding for both mentor and mentee, so auditors also should look for opportunities to be a mentor. This can start early in a career by giving advice and counsel to newer staff. Mentoring helps develop communication and leadership skills, expands networks, and leads to personal satisfaction.  </p><h1>seven.</h1><h2>Always understand the needs of your employer or potential employer.</h2><p>Too often, employees do not really understand the specific needs of their employer or prospective employer. There may be a job description, but it may not highlight critical expectations or skill needs. This can lead to a misalignment between the unspoken expectations of a superior and an employee’s skills or performance. Such misalignment can prove fatal to a career.<br></p><p>This same concern arises when an employee is approached about another position. Discussion, especially with a headhunter, may focus on things like compensation and title and not enough on the specific needs, expectations, and skills required to be successful in that position. Knowing these things will significantly improve a person’s chances of making a good career decision. And, it will ensure that the new employer is getting an individual well-suited to the job. Fundamental to succeeding in this process is a person’s deep understanding of his or her own real skills and abilities.</p><h1>eight.<br></h1><h2>Give your employers and co-workers the benefit of your objective views.</h2><p>One of the attributes that most great leaders value is having employees who will give them good, objective views. In the internal audit profession, stakeholders highly value objective feedback from their auditors. Similarly, peers also value and seek the opinions and views of others. It’s part of the learning process. <br></p><p>Auditors should learn to objectively express opinions and views constructively and with courage and conviction. This also will establish you as someone with a voice. Practitioners should not hide behind auditor independence. Internal auditors are sometimes reluctant to provide their views or recommendations because they said they needed to remain independent. That rationale rarely is one that management executives will buy into. Internal auditors can provide views, feedback, and recommendations without impairing their independence. </p><h1>nine.<br></h1><h2>Understand the role and nature of compensation.</h2><p>Everyone wants and deserves to be fairly compensated for their efforts and achievements. Compensation is an important factor in any job, but its nature and impact are often misunderstood from two standpoints. First, while an increase in compensation provides great, immediate, and positive reinforcement, compensation, itself, is not a long-term motivator. The factors that provide long-term job satisfaction include things like challenging work assignments, increased personal responsibilities, and exposure to executives and challenging situations. Long-term, high compensation will not overcome the absence of these kinds of motivators and will not, in itself, make up for a poor job situation. <br></p><p>Secondly, compensation should be viewed as a dynamic process — not just a point-in-time, static measure. At any time, an employee could be offered a position for more money than he or she is currently making. Similarly, market conditions may result in a new hire being paid more than someone who has been there longer. Does your compensation reflect how you have been recognized, how you are progressing, and how you are valued? </p><p>If not understood and appropriately handled, compensation can be a major reason why a new job or opportunity does not work out. We all like to be flattered by a high offer; however, the real question is the nature of the position.​</p><h1>ten.</h1><h3>Communicate.</h3><p>Communication may be the single most critical career skill, and it’s important that internal auditors establish a track record of clear and open communication with peers and superiors. This is especially important when there’s a problem with a position, co-workers, or managers. Too often, employees are reluctant to put issues on the table, often from fear that they might be viewed as a troublemaker or asked to leave. <br></p><p>When concerns are not communicated, internal auditors risk making significant career decisions — such as leaving a job — without the benefit of full knowledge. A practitioner may be surprised to find that someone he or she speaks to agrees with and supports his or her views, or that he or she is more valued than previously thought. For example, if a particular job is not working out but management views an auditor highly, he or she may be placed in another position in the organization that is a better fit. </p><h2>SHAPE YOUR CAREER</h2><p>It is probably unrealistic to expect anyone to simultaneously address all 10 items on the list. Picking one or two to start with is ideal. Then as these skills are developed, auditors can go back to the list and identify one or two more to work on. Ultimately, it’s about managing your career in a way that helps you succeed and creating a satisfying, rewarding professional experience.  </p>Richard J. Anderson1

  • IIA Sawyer_Feb 2019_Premium 1
  • IIA AEC_Feb 2019_Premium 2
  • IIA Quality_Feb 2019_Premium 3