Practices

 

 

Trusted Advisors in Times of Uncertaintyhttps://iaonline.theiia.org/2021/Pages/Trusted-Advisors-in-Times-of-Uncertainty.aspxTrusted Advisors in Times of Uncertainty<p>​Soft skills such as effective communication, persuasion, collaboration, and critical thinking are essential competencies of internal auditors. Armed with these competencies, internal auditors can better respond to the demands of the profession, strengthen business relationships, and contribute to audit engagement effectiveness. While soft skills are always needed, they may be even more crucial during times of uncertainty and change. In fact, the COVID-19 pandemic has accentuated the importance of soft skills and why internal auditors should use them to solidify their role as trusted advisors in organizations. </p><p>Worldwide, internal auditors have had to adjust to an increasingly challenging business environment, with the global pandemic significantly impacting the way they perform their duties. In particular, remote auditing has changed internal audit engagement dynamics because it limits face-to-face contact and physical observations. As a result, collaboration and effective communication with audit stakeholders is more complicated, requiring flexibility, teamwork, and empathy on the part of internal auditors. </p><p>As the pandemic continues, employee agility, operational resilience, technological innovation, and (in some cases) continued remote operations will be essential for survival, requiring professionals to adapt. It will require enhanced skills and strategic thinking.</p><p>For internal auditors, soft skills are highly relevant to the job — and to becoming a trusted partner, especially in times of uncertainty. Whether these skills come more naturally or require more practice, it is possible for auditors to strengthen such skills to better respond to crisis situations. With experience, practitioners can learn to adopt best practices for effective communication, persuasion, collaboration, and critical thinking that positively influence audit engagements.</p><h2>Audit With Empathy</h2><p>Audit clients may show higher levels of stress, anxiety, and frustration due to the loss of key personnel, business interruptions, and the impact of closed borders during the pandemic. Many colleagues also have experienced varying degrees of trauma and loss, both in the workplace and in their personal lives. Internal auditors should understand that clients may feel that this is the worst possible time for an audit.</p><p>When conducting an audit or an advisory review, internal auditors should reassure audit clients that they will make every reasonable effort not to interrupt the operations by working to reduce requirements for stakeholder involvement. Internal auditors should emphasize that they are there as a safety net during the crisis, and that their role is to add value rather than identify mistakes or find fault. Throughout the engagement, internal auditors should perform their work with empathy and consider the audit client's current situation. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​My Research on Soft Skills in Internal Audit</strong></p><p>The relationship between soft skills and effective internal audit client engagements is corroborated by a study I conducted in Macao for my Master of Business Administration dissertation at Oxford Brookes University. My research, which took place in 2020, reveals that the soft skills of internal auditors may need to evolve to reinforce internal audit as a trusted partner in times of crisis. </p><p>In the study, internal audit experts across sectors suggest that the pandemic has impacted their relationships with audit clients. For instance, the study participants say audit clients are now more focused on their departmental priorities and are dealing with increased pressures. At the same time, they are more sensitive and afraid of the consequences of reportable audit findings, and internal auditors struggle to find ways to collaborate and demonstrate their relevance. In fact, audit clients seem less accepting of internal audit when compared to the past and exhibit a more defensive attitude. Consequently, audit clients may be less willing to share critical information relevant to the audit and less willing to accept audit recommendations. </p><p>My research has uncovered a range of best practices to enhance soft skills such as effective communication, persuasion, collaboration, and critical thinking — competencies that would help internal auditors be more effective advisors in times of uncertainty.<br></p></td></tr></tbody></table><h2>Communicate Effectively During a Crisis</h2><p>In times of uncertainty, communication needs to be simple, concise, proactive, continuous, and timely. This promotes alignment with the business and the changing operating environment, and allows audit stakeholders to make timely decisions and improvements to their business units. Further, soliciting regular feedback from all stakeholders, especially remote ones, is essential to ease their stress and address their concerns during the crisis. </p><p>To deliver a compelling message, it's also important to adjust the communication style based on the client's cultural background. Situations of uncertainty created by a crisis can be perceived differently across contexts and cultures. For example, individuals who feel threatened by the unknown may show less flexibility to make changes when faced with unpredictable situations because of their cultural background and inherent social values. </p><p>Further, auditors should always listen to undertone. With listening skills, it is often not about what the audit client says; it is about what is not said. Listening to the client's tone and speed of speaking could help auditors extract critical information, for example. </p><p>Effective persuasion relies on the internal auditor's ability to convey a compelling and concise message, supported by audit facts. Practitioners should use persuasion to present audit issues as opportunities for improvement and better operational efficiency, and never as mistakes or fault. Persuasion skills could also be used to bridge gaps and achieve consensus between internal auditors and clients. </p><p>Methods and lines of communication should be varied to promote flexibility and efficacy in auditing. For example, audit teams may need to substitute face-to-face meetings with email and video conferences if workers are remote. However, when face-to-face contact is limited, it may affect the dynamic of audit engagements. That is because internal auditors may miss important nonverbal cues that they would have noticed in a face-to-face meeting.</p><h2>Stay Relevant and Collaborate Meaningfully</h2><p>During a crisis, collaboration can seem more challenging because audit clients worry about the outcome of the audit report, costs, their own jobs, and the business — all while struggling to keep up with many other priorities. Internal auditors need to make a greater effort to engage with audit stakeholders, continuing to develop strong relationships with clients around trust, credibility, efficiency, and transparency. Persuasion is critical to effective communication, particularly when auditors are negotiating recommendations for better governance, but persuasion may not be possible without trust.</p><p>Because there is an increased need during a crisis to provide management with operational, regulatory, and performance enhancement audit reviews to help with decision-making and governance, internal audit should collaborate with management to identify gaps in controls. Internal auditors should continuously provide independent assurance and advice on the operations and the effectiveness of risk monitoring during and after the crisis. Another way to collaborate is to offer business leaders benchmarking statistics and comparative analyses to boost confidence in decision-making during the crisis.</p><p>Turbulent times call for flexibility and teamwork. With so many processes and systems in flux, it won't always make sense to stick to audit plans and schedules that were developed months earlier. And it won't always make sense to use traditional audit techniques that look for errors in past transactions. </p><p>Instead, internal auditors should take a step back and reevaluate their audit focus and its relevance to the crisis. They should evaluate priorities and offer shorter and more collaborative audit engagements to enable rapid corrective actions, while focusing on what is essential to the organization's survival. For example, compliance with governmental and regulatory requirements should be a top priority. </p><p>Successful collaboration relies on internal audit's ability to understand the challenges and needs at the organization level. Collaboration needs to be relevant to add real value to audit stakeholders — therefore, internal audit should be evaluating the organization's priorities and identifying its most significant risks. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>​World Economic Forum Report Tracks High Demand for Soft Skills</strong><p>The global pandemic has placed new demands on the competencies of internal auditors, not the least of which are skills relating to adaptability and communication. These competencies were already on the radar of employers and managers leading up to the pandemic. In the World Economic Forum's Future of Jobs Report 2020, the skills for which demand is increasing the most among business leaders include areas that largely deal with soft skills, such as: </p><ul><li>Critical thinking and analysis.</li><li>Problem solving.</li><li>Self-management.</li><li>Working with people.</li><li>Management and communication of activities.</li></ul><p><br>The IIA's Internal Audit Competency Framework, updated in 2020, is meant to help internal auditors and audit functions assess their strengths and weaknesses in competencies related to the profession. The framework is broken into four knowledge areas, including environment, leadership and communication, performance, and professionalism, with three competency levels that progress from general awareness, to applied knowledge, to expert practitioner.<br></p></td></tr></tbody></table><h2>Boost Critical Thinking</h2><p>Critical thinking is essential to identifying the most significant risks threatening an organization and to finding opportunities to maintain effective governance during a crisis. This involves evaluating a situation from different angles and questioning assumptions that might appear to be normal. Changes in the business environment, operations, regulations, and the economy demand that internal auditors employ an inquisitive mindset, challenging all types of new information, while never taking things at face value. </p><p>Internal auditors who demonstrate excellent critical thinking skills will have a sense of purpose and a genuine interest in asking the "why" questions to continuously search for knowledge. They also may have an ability to analyze people's emotions, enabling them to ask appropriate questions and read body language and other nonverbal cues. In fact, the emotional acuity of internal auditors is invaluable during the audit process; if practitioners can't understand the emotions of their audit clients, they can't get their point across. </p><p>Good critical thinking contributes to audit engagement effectiveness, together with confidence, courage, and the ability to articulate information — while looking at situations in an unbiased manner to avoid making assumptions or distorting facts. This mindset helps auditors avoid mechanical, reactionary, or meaningless results or actions. </p><h2>Learn From the Pandemic</h2><p>There are many lessons internal audit professionals can learn from the pandemic to move forward as trusted advisors within their organizations. Times of uncertainty call for a sense of urgency and a focus on developing audit competencies and skills. New work approaches can provide meaningful support to audit clients, management, board members, and audit committees — and ultimately, help internal auditors to stay relevant during the crisis. </p><p>In difficult times, being a trusted advisor means more than simply giving management an opinion — it means identifying the challenges facing organizations, providing active collaboration and assistance, ensuring compliance, and monitoring risk exposure. It also means internal auditors must use soft skills to gain trust, provide reassurance, communicate frequently and effectively, and read between the lines. </p><p>The best results come from critical thinkers who can deliver on both the technical and emotional spectrums — where being analytical forms the basis of the thought process, yet a persuasive appeal helps successfully deliver the message.<br></p>Cátia Silva1
The New Normal of Talent Managementhttps://iaonline.theiia.org/2021/Pages/The-New-Normal-of-Talent-Management.aspxThe New Normal of Talent Management<p>​Internal audit departments are integral to the organizations they help safeguard. And to remain being so, continual adaptation is essential to fulfill their key objective of mitigating risk. The changes arising from the COVID-19 pandemic have disrupted the profession substantially, but there are many positives and key lessons that can be drawn from a challenging 20 months.</p><p>Flexible working models, automation through data analytics, and auditing technology are at the forefront of discussions regarding the future of internal audit. COVID-19 has certainly accelerated the need for more sophisticated technology platforms for most businesses, and many of these businesses have invested in cutting-edge software to operate optimally. As such, there have been significant expansions of existing IT audit teams, as well as a focus on upskilling business auditors through training and exposure to new technologies adopted by their firms. Ensuring that all members of the department are well-versed on the key risks associated with relevant software and technology has become a priority.</p><p>Automation also will become increasingly commonplace, but embedding it into the internal audit workflow will be a challenge. Those auditors with training and experience in data analytics are set to be in high demand.</p><p>Adapting to a new world full of technological advancement will be of great importance to internal audit functions looking to recruit and retain talent. They also will need to address the changes that the COVID-19 pandemic has had on working patterns and what employees and job candidates are likely to demand from employers. These and other factors will be challenging for audit functions in an increasingly competitive market for audit talent.</p><h2>What the New Normal Looks Like</h2><p>Many businesses have been implementing new technology or are in the process of a digital transformation. This shift is the new normal, and auditors, no matter what their specialty, must become proficient with technology to stay ahead of the curve.</p><p>Each piece of software comes with risks, and understanding these risks in depth will be required of all audit teams. Although these demands require internal audit departments to learn new skills, they also are a great opportunity for auditors to invest in themselves and their career trajectory. Obtaining additional knowledge will always be looked upon favorably by prospective employers, as well as by headhunters looking to fill niche roles.</p><p>"There's been a significant increase in change audits, risk advisory work, cultural and behavioral reviews, and digital/tech and cyber audits," says Samantha Coggins-Thompson, chief audit executive (CAE) at Computershare in London. "Baseline competencies for audit staff of the future will change. All of us will need to be tech-savvy, data-literate, and change-experienced auditors."</p><h2>Competing for Talent</h2><p>The new normal also means greater competition for audit talent. From an employer's perspective, retaining talent should be the top priority, even above a recruitment strategy. Losing talent is expensive both financially and operationally. And filling niche roles, such as those within internal audit, can take talent teams up to six months, even before factoring in notice periods.</p><p>It's imperative for each department to regularly review salaries and ensure that highly qualified team members are being compensated accordingly. Salary surveys and benchmarking can help an internal audit function understand if it is competitive in the market. These methods can be as specific or as broad as internal audit would like. An example is understanding how a cybersecurity specialist auditor would get paid in comparison to a generalist auditor. </p><p>This salary information is excellent for internal audit functions that want to ensure they are paying a competitive rate, as well as for scoping the market to see what is in demand. For job candidates, such surveys also are incredibly useful for validating whether they will be paid in line with their peers.</p><p>Contractors remain in high dem-and, but their cost can be stifling for audit functions. Audit leaders who plan to hire and build out their teams may need external assistance to help mitigate risk and attract the best talent in the market. The cost of a bad internal audit hire can exceed $130,000, so approaching recruitment and retention with a clear strategy is crucial.</p><p>One way internal audit can ensure it has access to top talent is through talent pooling, which means recruiters continuously identify and nurture potential candidates. The result of this process is that when the audit function is ready to start hiring and interviewing, it will already have a qualified shortlist of candidates. Talent pooling is an excellent strategy for any firm regardless of size, as it creates a more thoughtful, proactive recruitment process. It can be conducted on an ongoing basis or when there is a specific role that is upcoming.</p><p>Equally, audit functions should set up training programs and courses to upskill teams, so they can retain talent and ensure employees are competent with current and future technologies being implemented in the business. For most software, training and development will be offered as part of the onboarding process, so internal auditors should become involved as early in that process as possible.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​Auditing Talent Management</strong></p><p>Most organizations are aware of the importance of talent management — at least in an abstract sense. But how in-depth is that awareness? Are the risks of poor talent management understood, observed, and contextualized? This is where internal audit can offer a helping hand.</p><p>Internal auditors are adept at identifying when a process isn't working and being able to interpret how that issue can affect the business. Perhaps most importantly, auditors are adept at recommending improvements to the status quo. </p><p>Talent management could certainly benefit from being looked at in this way because employees are an organization's most important asset. The difference between getting it right and getting it wrong can significantly impact a company's competitiveness.</p><p>Ensuring that talent management is part of the audit universe is the first step. Having it on the agenda and recognized as potentially high-risk is important. Perfecting or improving talent attraction, retention, and performance should be a priority. These issues need to be viewed in a detached, analytical, and data-led manner. That is a perfect job for internal audit.<br></p></td></tr></tbody></table><h2>The Impact of COVID-19</h2><p>One of the biggest shifts businesses have seen has been around employees who are considering leaving their roles. The COVID-19 pandemic demonstrated how organizations treat their staff in times of adversity, and unfortunately, some of these firms have incited a negative reaction from employees — perhaps unwittingly, perhaps not.</p><p>Now that organizations are coming out of the other side of the pandemic, people are reconsidering their options and thinking seriously about how happy they are at work. Do employees feel supported by their organization? Do they feel safe? Do they see a future there?</p><p>The pandemic also has revealed skills gaps, within both internal audit teams and individuals. The profession needs to change and adopt an agile, flexible approach; otherwise, retention of talent will falter.</p><p>Moreover, the pandemic has demonstrated the effectiveness of remote working. It's evident that many organizations will be embracing either a 100% remote working model, or more commonly, a hybrid remote-office model, moving forward.</p><p>"Internal audit will undergo a radical transformation with a new hybrid model combining working from the office and remotely, which will prompt the use of a new audit methodology increasingly turned toward continuous risk monitoring, data analytics, and artificial intelligence," says Patrick Simonnet, CAE at Bank of China in New York. "The auditor will have to complement his or her toolbox in becoming a tech-savvy engineer." </p><p>Some businesses are staggering their return-to-office process over time; however, there are still individuals and organizations that believe the role of an auditor should be in an office. There are benefits to both working models, and ultimately, each organization will have a different approach depending on the size of its audit team, the experience level of its staff, and the processes that have to be completed in person.</p><p>For example, the ability for internal auditors working at investment banks to sit on a trading desk and talk to department heads in person is crucial for relationship building, as well as being visible across the firm. Although it is feasible for auditors to do this remotely, in some firms it may not have the same effect. </p><p>For internal auditors' recommendations to be taken on board and implemented, there needs to be a shared level of respect and trust between clients and practitioners. Ultimately, each firm should look at its working model on a case-by-case basis and ensure that it serves business goals as well as those of the internal audit function. There needs to be compromise to ensure that operations can still run smoothly while being mindful of this new age of working. </p><p>Although there is a need for working in an office to train new auditors and keep a sense of company culture, there is a consensus that flexibility has to be the norm moving forward. Organizations may struggle to keep talent if they are unwilling to adapt to new methods of working. </p><p>With remote working, the biggest hurdle internal audit must overcome is creating a seamless process that works across teams. Remote working can only be effective if the right actions are in place and communication is clear. The transition hasn't completely happened yet, so it will be interesting to see how some of the larger, more traditional organizations deal with working remotely. It will not be easy.</p><p>"The way I maintain and grow stakeholder relationships remotely is similar to how I do it in person," says Prasana Kunapalan, internal audit manager at Sanne in London. "I proactively connect with people for matters beyond core internal audit work. I put effort into introductions, personal chats, sharing insights, and offering a safe space to vent. Instead of waiting to see faces in the office, I contact people wherever I see an opportunity. This means showing an interest in company communications (by volunteering with group initiatives), welcoming new starters (regardless of team or level), sharing ideas (and taking the lead), and providing complimentary feedback (for audit and nonaudit matters)."</p><h2>The Value Proposition for Candidates</h2><p>It's going to become even more competitive to find the best internal audit talent, so organizations need to stand out and offer something that is as attractive as possible by asking:</p><ul><li>Is there a clear and genuine path for each team member to progress if his or her performance merits it? </li><li>Has internal audit undertaken a salary benchmarking exercise to ensure that each team member is paid at market rate? </li><li>As far as is practical, does the organization grant flexibility with regard to where and when team members can work?</li><li>Is the internal audit team granted genuine access to converse and consult with the business stakeholders? Or is internal audit seen as a necessary evil rather than a vehicle in which value can be added to the business?</li><li>Does internal audit make genuine attempts to ensure that candidates from all backgrounds are being assessed fairly and made to feel welcome both at the interview and when they begin employment?</li><li>Does the internal audit department have a clear mission and purpose that the whole team strives toward?</li></ul><br>If internal audit gets these things right, attracting, onboarding, and retaining the best talent in the market will start to become easier.<br>Jamie Burbidge1
Internal Audit Considerations for the “Spend Now” Public Sectorhttps://iaonline.theiia.org/2021/Pages/Internal-Audit-Considerations-for-the-Spend-Now-Public-Sector.aspxInternal Audit Considerations for the “Spend Now” Public Sector<p>​U.S. news outlets are currently detailing what exactly is in the historic $1.2 trillion infrastructure bill that President Joe Biden signed in November. A significant portion of the bill is dedicated to federal government contracts, and the inevitable spending spree may soon be keeping public sector internal auditors very busy.</p><p>Although the level of spending is unprecedented, the situation itself is not. Internal audit can learn much from studying the successes and failures of the last major influx of funding seen in the public sector.</p><h2>History Repeats Itself</h2><p>For the U.S. public sector, 2009 was a landmark year. In the wake of the housing market crash that triggered a new recession, there was a desire to inject a large amount of funding into the public sector quickly. This desire manifested in the American Recovery and Reinvestment Act of 2009, which provided approximately <a href="https://www.cbo.gov/sites/default/files/cbofiles/attachments/02-22-ARRA.pdf" data-feathr-click-track="true" target="_blank">$831 billion</a> (PDF) in stimulus for a wide range of recipients and uses. According to <a href="https://www.thebalance.com/what-was-obama-s-stimulus-package-3305625#citation-3" data-feathr-click-track="true" target="_blank">reports</a>, $275 billion of these funds were allocated to federal contracts, grants, and loans.<br></p><p>All at once, public sector entities had a substantial amount of money and little guidance on how to use it. "The regulations, unfortunately, took a long time to follow," says Mark Maraccini, Public Sector Internal Audit Lead Partner at Crowe and the speaker for The IIA Public Sector Audit Center's Dec. 10 <a href="https://www.theiia.org/centers/psac/events/Pages/webinar-equity-in-procurement.aspx" data-feathr-click-track="true" target="_blank">webinar</a>, "Equity in Procurement: How Auditors Balance Assessing DE&I Strategic Initiatives Within Procurement Processes, While Safeguarding Against Fraud, Waste, and Abuse." "The federal government essentially said, 'We need to spur the economy to spend, spend, spend, spend.' This created an environment fraught with risk, and it wasn't until 2010 or 2011 that auditors started to get involved and ask questions."</p><p>At the time, audit clients were taken aback by the sudden scrutiny they were placed under, Maraccini recalls. "They said, 'What do you mean guidance?'" he says. "'You didn't tell me there were all these caveats, restrictions, and requirements.'"</p><h2>Same Risk, Different Year</h2><p>Fast forward to 2021 and history appears to be repeating itself, although in response to a very different crisis. In the <a href="https://www.worldometers.info/coronavirus/country/us/" data-feathr-click-track="true" target="_blank">U.S. alone</a>, the death toll from the COVID-19 pandemic is more than 805,000, and the number of recorded COVID-19 cases is over 49 million. Additionally, the pandemic and the policies enacted in response to it have had profound effects on the U.S. economy. At its worst point, 17 million people lost their jobs in a single month, and the gross domestic product declined by $2.1 trillion.</p><p>Continued recovery from the pandemic, from both an economic and health and safety standpoint, were core tenets of President Biden's presidential campaign. To that end, the infrastructure package is the largest single investment in U.S. infrastructure in decades. Roughly $240 billion will go toward building or rebuilding roads, bridges, public transit, airports, and runways. Another $150 billion will be used for climate change-related projects such as electric vehicle charging stations, updating energy grids to work better with renewable energies, and making public transit more sustainable.</p><p>Much like in 2009, however, with a massive influx of funding and limited guidance on where it is supposed to go, public sector organizations have a complex road before them. "This creates a split inference between what the government is telling organizations to do and what organizations know will eventually happen," Maraccini says. He notes that all federal grants have requirements and processes, and contractors have controls to ensure they are followed. "Eventually, the auditors are going to start asking questions to check that funding was spent in accordance to released guidance," he says.</p><p>In this environment, public sector contractors will turn to internal auditors to help avoid past mistakes, even without a clear picture of what the regulatory environment will look like. "What internal audit can do now is help balance messaging to ensure, even in an environment that is saying 'spend and spend now,' organizations remain responsible," Maraccini explains. "They should follow the same controls, processes, and procedures they were already following and not go too outside the box in their spending initiatives."</p><h2>Internal Audit Value</h2><p>The primary tool internal audit has to provide such messaging is an audit of procurement activities. These activities are detailed in The IIA's latest Supplemental Guidance Practice Guide, <a href="https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx" data-feathr-click-track="true" target="_blank">Auditing Procurement in the Public Sector</a>. The guide also recommends ways internal auditors can add value to public procurement by providing independent assurance and advice.</p><p>According to the Practice Guide, internal audit assurance regarding procurement activities typically addresses:</p><ul><li>The adequacy and effectiveness of governance and oversight.</li><li>Compliance objectives, including those related to public reporting and disclosure.</li><li>The organization's ability to measure its procurement performance, recognize deficiencies, and take corrective actions.</li><li>The integrity of the procurement process and the achievement of the desired objectives.</li><li>Process efficiencies and improvements.</li><li>Information systems specific to procurement processes.</li></ul><p><br>According to Maraccini, audit engagements in this environment must happen in real time. "We want management to have internal audit feedback regarding its decisions in the present, not after the decisions have already been made," he explains. "We want all organizational stakeholders confident that we have a good process to gauge spending, sound controls, and that the organization is still maintaining a high level of ethical behavior with every step it takes."</p><h2>A Collaborative Mentality</h2><p>Although internal audit's role in managing procurement funding risk is significant, it shares this burden with operational management, quality assurance, and compliance, according to the Practice Guide. To provide true, comprehensive assurance, collaboration is essential.</p><p> From internal audit's perspective, collaboration takes many forms, including inquiring about recent risk assessments and risk occurrences, and having the chief audit executive share information and coordinate activities when appropriate. Internal audit also should communicate whether procurement business units "are organized and … sufficiently skilled and qualified to navigate the complex legalities of public procurement," the Practice Guide advises. Moreover, internal audit can interact with external audit — in conformance with Standard 2050: Coordination and Reliance — to ensure that assurance work is not duplicated and provisions for assurance and advice are maximized.</p><p>"Internal audit should be starting communications just to understand how departments are handling purchases, as well as what controls were added or taken away in response to the pandemic," Maraccini says. "This isn't to be accusatory; rather, it's just asking questions around how we're doing this, and if we are doing anything different with these types of funding. Everyone must be on the same page."</p><p>According to Maraccini, some questions internal audit could ask include:</p><ul><li>How are decisions for purchases being approved, and has the workflow approval process changed?</li><li>Is the organization getting requests for more emergency purchases under this new approval process?</li><li>Is the organization now doing things it hasn't done before such as applying funding back to previous periods or allocating costs it normally wouldn't?</li></ul><p><br>Maraccini emphasizes that such questions are designed to acquire information outside the traditional audit process. "This is about getting recommendations to management now with key action steps," he says. "You can call it a 'current state assessment.'"</p><h2>Balancing Action With Caution</h2><p>Most of the new infrastructure bill's federal investments will be dispersed over the next five years, <a href="https://www.cnn.com/2021/07/28/politics/infrastructure-bill-explained/index.html" data-feathr-click-track="true" target="_blank">CNN reports</a>. During this period, to mitigate the substantial risk public organizations face from regulators without detailed guidance, internal audit can remain an arbiter between the desire for spending action and the desire for caution. Somewhere in between these two desires lies a suitable path forward, and internal audit is positioned to light the way.<br></p>Logan Wamsley1
The IIA at 80https://iaonline.theiia.org/2021/Pages/The-IIA-at-80.aspxThe IIA at 80<p>​Celebrating its 80th anniversary this month, The IIA finds itself in a world of unprecedented turmoil. The transformations taking place in response to dynamic risks, reality-bending technology, and a once-in-a-century pandemic make many practitioners consider this the turbo version of internal auditing. The profession is relevant, fast-paced, and more exciting than ever. </p><p>IIA President and CEO Anthony Pugliese points out that just 20 years ago, internal audit was focused primarily on financial controls. "That was the mainstay of who we were," he says. "But internal auditing has grown to include much more, and that's the model that will prevail." </p><p>Pugliese says it is worth noting that, even back then, "The IIA had a forward-looking view of where the profession needed to be going, issuing a revised definition of internal auditing that emphasized consulting and adding value. In a time of rapid change and transformation, it's more important than ever that we look forward."</p><p>The world's principal provider of standards, guidance, and training for internal auditing faces a formidable challenge in guiding its 200,000+ members and the profession, itself, into a turbulent and uncertain future. However, internal audit leaders from around the globe have a clear and consistent message: We are entering an era of near-constant disruption, and technology won't just drive that disruption, it also will be the answer to successfully managing it.</p><p>"The biggest need for the profession overall is to embrace, understand, use, and apply technology in ways we haven't in the past," Pugliese says.</p><h2>Unlikely Partners: COVID-19 and Technology</h2><p>One of the defining legacies of COVID-19 will be its influence on technology adoption. Early on in the pandemic, it became clear that the sudden and dramatic disruption to the workplace had greatly eased reluctance to embrace technology. A byproduct or perhaps a companion to this phenomenon is a new business focus on creating resilient and agile organizations that can better manage disruption. For example, GM CEO Mary Barra coined the phrase "ventilator speed" to describe a new mindset on managing disruption after the legacy automaker quickly converted an idled manufacturing facility to assemble and deliver 30,000 desperately needed ventilators in just five months.</p><p>These two forces — chronic disruption and organizational resilience — are the drivers internal audit leaders see for the profession in the future.</p><p>"COVID-19 has stretched IT developments to support businesses and families as a way of life," says Ruth Doreen Mutebe, head of Internal Audit at Umeme Ltd. in Uganda, and secretary, Board of Directors, IIA–Uganda. "Hence, auditing now and in the future will be technology-driven." </p><p>However, the profession must first overcome a fundamental weakness. Historically, internal audit has not been an early adopter of technology. But Pugliese is an ardent advocate for upskilling the profession so that it becomes a critical support for an organization's understanding and leveraging of technology. "We won't all have the same level of understanding on every specific topic," Pugliese says, noting that "technology-enabled" for some organizations may simply mean the ability to understand and use social media. "But we all need a level of proficiency."</p><p>Going forward, organizations are going to seek that proficiency over a diversity of risk areas and emerging technologies, including pandemic recovery, climate change, cybercrime, geopolitical instability, blockchain, cryptocurrency, and artificial intelligence. Internal audit functions must be able to respond.</p><p>This echoes a point made by Sally-Anne Pitt, director at Pitt Group Pty Ltd. in Melbourne, Australia, and vice chairman, finance, of The IIA Global Board of Directors: The future demands a diversity of expertise, a diversity of response modalities, a diversity of technological development, and a transformation from top to bottom. "The biggest challenge for internal audit is to remain relevant, to respond to a broad range of issues as soon as they arise," Pitt says. "We need to be prepared for the unexpected, such as a pandemic." </p><p>The pandemic and other disrupters have raised awareness about business continuity management and taught the world that the concept of black swans — unlikely events with extreme consequences — should be relegated to history. With COVID-19, Mutebe says, organizations "witnessed the real benefit of risk and business continuity management. It is no longer a myth, and internal auditors are no longer considered to be 'prophets of doom.'"</p><p>The talent to adapt will be one of the most important traits for businesses going forward, says Ernesto Martínez Gomez, group executive vice president–Internal Audit, Banco Santander in Madrid, Spain, and ONA lead director on The IIA's Global Board. "So much is changing so rapidly on so many fronts — regulatory, macroeconomic conditions and how they influence each other — that it's very challenging, but very necessary, to maintain a balanced focus," he notes. COVID-19 and diversity, for example, "shouldn't express one over the other's need to be adapted." </p><p>This will likely manifest itself in an evolution in audit teams. In the past, the team might consist of 70% business and administration or accounting experts and the other 30% lawyers or other specialists, Martínez says. In the future, a better mix might be 50% economists and 50% science, technology, engineering, and math (STEM) experts. Complementary to the focus on STEM skills, emphasizing learning and adapting rather than having specific knowledge will be essential, Martínez says. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​Perspectives on the Pandemic</strong><br><strong>Pugliese:</strong> "There will never be a moment when the effects of the pandemic will be gone. It set in motion a whole new way of working. I can find different skill sets anywhere in the world; I don't have to look in my backyard; I have the entire planet." </p><p><strong>Pitt:</strong> "I'm based in Melbourne, Australia, and we hit the dubious record of the longest lockdown in the world — just lifted. This has meant we have had to completely adapt the way we work, and I've not been face-to-face with most of my clients for 18 months."</p><p>"Are we on the right track to put the pandemic behind us? Internal auditors need to add value to their organizations, so they need to have a clear understanding of what their stakeholders value and expect. That is going to look different for each organization; there isn't a one size fits all." </p><p><strong>Wright:</strong> "On The IIA's 100th anniversary, we'll look back at 2020 and the COVID-19 pandemic being the year that caused an order of magnitude jump in the focus on technology, bio-nano-tech, and electric."</p><p><strong>Mutebe:</strong> "2020 and uncertainty are synonymous — uncertainty of life, business continuity, family/societal gatherings or celebrations, and resumption of normal internal audit operations. 2020 taught practitioners that those who are resilient win."<br></p></td></tr></tbody></table><p>Mubete agrees. "An ideal audit function will have strategy specialists and 'numbers' specialists, as well as generalists with combinations of the skills," she says. "Regardless, it will soon be unusual to see an audit function without access to data analysts."</p><p>The IIA's current Global Board chairman, Charlie Wright, says the next 10 years will bring more innovation and change than throughout all of human history, and the profession needs to be prepared for the convergence of several disruptive technologies. Indeed, Wright, chief risk officer at Jack Henry & Associates in Oklahoma City, built his chairman's theme around creating the future-ready auditor. </p><p>"Internal audit is at a pivotal point in history," Wright says. "New processes, entire companies, and probably industry verticals will pop up in the next 10 years. The technology shift will bring both opportunity and challenge for internal auditors and the organizations we support."</p><p>The profession has already moved from a heavy focus on financial statements, he adds, acknowledging the need for internal audit to be more strategy-focused. He notes that becoming so won't require an either/or divergence. "We'll need to be both strategic and tech-savvy." Many internal audit functions are realizing that the transition will be difficult, Wright says. New technology is hard to learn. Skills take time to improve and resources are in high demand. "I doubt most internal audit shops are staying ahead," he adds. "We need to be doing more."</p><h2>Social Upheaval: COVID-19 and ESG</h2><p>There's little debate that the profession's embrace of technology is not optional. Technological change is accelerating, and failure to act now only promises to make catching up that much more difficult. Indeed, failing to act now could threaten internal audit's relevance in the future. But this transformation won't happen in a vacuum, and practitioners will continue to be pressed to provide valued services across a growing spectrum of risk areas. One of the most pressing today is nonfinancial reporting.</p><p>Environmental, social, and governance (ESG) considerations are a priority, Mubete says, and she predicts the mandate of internal audit will progress from assurance over governance, risk, and compliance to governance, risk, and sustainability. Internal control will be subsumed into risk management, and sustainability will encompass aspects of profit, people, and planet as well as compliance beyond country borders, she adds. "The scope of internal audit will expand to include context beyond the organization, in-country stakeholders, compliance, and strategy." </p><p>ESG does present a new opportunity for internal audit, but it does not have to become one of the top challenges, Pugliese asserts. As organizations respond to ESG-related demands from stakeholders and regulators, internal audit is already integrating new audits and audit activities into annual plans. This is one area where internal audit's existing skills are more than adequate to provide value, whether that means performing audits of a company's carbon footprint, helping implement new ESG programs, or reviewing annual sustainability reports, Pugliese says. </p><p>Mutebe agrees, but offers a warning, as well. "Evaluation of corporate governance is part of the mandate of internal audit, but audit of the same is usually outsourced," she says. That practice will slow the speed at which internal auditors can hone necessary skills and delay acceptance by management that internal audit can actually do a better job. Internal auditors need to prioritize skills required to effectively audit environmental and social aspects, including systems to reduce carbon footprints, integrity of production and disposal systems, disclosure of the impact of products and services on the environment, and overall transparency, Mutebe says.</p><p>"This is critical, especially now that the trend toward more corporate transparency around ESG is growing and is being considered in the credit rating analyses of institutions," she says.</p><h2>Transformation: COVID-19 and Internal Auditing</h2><p>Many of the changes auditors will grapple with in the near future center on COVID-19-induced challenges, including learning how to optimize execution in a remote environment, Mutebe says. "How can internal controls, segregation of duties, information security controls, asset controls, and ergonomics oversight be monitored, tested, and audited in a remote environment?" she asks. Mutebe suggests online interaction with audit committees and boards, consideration of soft-copy evidence, and interrogation of IT systems to gather evidence. </p><p>Pitt says the loss of personal contact is significant, but she adds that the profession is already making progress precisely because of pandemic-accelerated technology changes. "The challenge for internal audit is meeting the increased expectations, but I think they're up to that. I can't see internal auditors completely returning to their previous ways of working," she stresses. </p><p>Historically, internal auditors have grown into the opportunities presented to them by change, Pugliese says. However, he warns that as the profession gets involved in more subspecialties, the learning curve sharpens. Still, the adaption to remote work proves practitioners are up to the task. "The whole logistical piece of being present is significantly reduced — permanently and with positive effect — proving without having to experiment that we can do what was considered undoable," he says. <br></p><p>For Wright, that adaptability inexorably must be tied to technology. "The astounding technological disruptions require an immediate pivot to auditors who can use a variety of tools to execute audits, a skill set that is so flexible that it allows them to transition seamlessly from one tech audit to another," he says. The pandemic also brought into sharp relief the need for auditors to build their audit tools into technology as it is implemented, Wright adds, and that auditing after the fact no longer adds value.</p><p>This brings the discussion on the future of the profession full circle.</p><p>"The internal audit profession has an opportunity to rethink its professional contribution to stakeholders, re-skill and re-tool itself to remain relevant regarding ESG; diversity, equity, and inclusion; and privacy issues," Mutebe states. "We have no option if we still want to be counted as a critical and value-adding profession. What made us succeed yesterday may not grant us the same effect tomorrow."<br></p>Russell A. Jackson1
CEO Message: Envisioning the Next 80 Yearshttps://iaonline.theiia.org/2021/Pages/CEO-Message-Envisioning-the-Next-80-Years.aspxCEO Message: Envisioning the Next 80 Years<p>​This month, The IIA celebrates its 80th anniversary as the internal audit profession's principal advocate, educator, and provider of standards, guidance, and certifications. It's probably safe to assume that those who gathered in December 1941 to create a professional association for internal auditors could not have imagined the complexity of today's risks: those associated with cybersecurity, artificial intelligence, blockchain, cryptocurrency, ESG, and so much more.</p><p>Milestones such as these typically lead to discussions about the journey that brought us to where we are today. But our task is to consider where we might be 80 years from now. As a professional association, we are obligated to our members to provide vision, mission, and leadership that will keep the profession growing and vibrant into the 22nd century.</p><p>In a <a href="/2021/Pages/CEO-Message-Aligning-Toward-the-Future.aspx" data-feathr-click-track="true">previous CEO Message</a>, I introduced readers to our new strategic plan. That plan is now in place and the basis of the work The IIA does at global headquarters and around the world. It is designed to drive innovation, be sustainable, and increase value to members and the profession while serving the public good. It is built with a keen understanding of the ongoing shift to a talent-driven economy and evolving generational preferences shaped by technology, disruption, and innovation. </p><p>We hope our strategic vision is motivating and inspiring, but meeting the challenges of a complex and volatile marketplace takes more than that. We also must understand the strategic drivers that influence the profession and association management generally. These drivers include those that shape the profession's future workforce, the ability to embrace disruption, and calculated efforts to direct how the profession is viewed by our 112 affiliates, stakeholders, and the general public.</p><p>The IIA must craft a reimagined business model that is sustainable yet nimble enough to respond to rapidly changing, unpredictable, and evolving market demands. This includes building an agile organization that reacts well to market volatility and fluctuations.</p><p>In short, we must evolve The IIA for the next 80 years of success.</p><p><a href="/2021/Pages/The-IIA-at-80.aspx" data-feathr-click-track="true">"The IIA at 80"</a> shares valuable insights from internal audit leaders from around the world. I hope you'll consider their views about the current state of the profession as well as what they see for its future. After you do, I urge you to imagine the profession in 20 years on The IIA's 100th anniversary. Consider the potentially profound changes we will see in society, the environment, the economy, and governments. Then consider that there will be, inevitably, technological advances that rewrite and rewire how we think about many things. Then ask yourself, "What can I do today to prepare myself, my audit function, my organization, and my profession for that future?"<br></p>Anthony Pugliese1
Update: What's Driving the Great Resignation?https://iaonline.theiia.org/2021/Pages/Update-Whats-Driving-the-Great-Resignation.aspxUpdate: What's Driving the Great Resignation?<p>​A year ago, the hope was that with vaccines in wide distribution, the world would go back to some semblance of normalcy, but it is increasingly clear that has not been the case. One of 2021's many unforeseen trends has been the "Great Resignation."</p><p>For the third consecutive month, the U.S. set a record for job resignations, with 4.4 million people quitting in September, according to the most recent report from the U.S. Bureau of Labor Statistics, released in November. That equates to 3% of the workforce, and follows an estimated 4.3 million U.S. workers who left their positions in August. </p><p>Although the reasons for these resignations are complex, many experts say the most significant driver of the trend is a new perspective on employee identity, quality of life, and their expectations of employers. In an interview with The Washington Post, Anthony Klotz, a professor of management at Texas A&M University, describes these feelings as "pandemic epiphanies," with individuals using their newfound leverage after a year of remote work to either demand something better from their current employer or look elsewhere. Some people seek full-time remote work, while others seek increased compensation or significant improvement in workplace culture.<br></p><p> <img src="/2021/PublishingImages/Update-dec21-factoid1.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:162px;height:473px;" />This trend has led to a renewed organizational focus on attracting and retaining workers. According to a recent global survey by consulting firm Willis Towers Watson, 92% of companies say improving the "employee experience" will be a priority over the next three years, an increase of 40% from before the pandemic. In another global survey from UBS Group AG, 74% of companies report they have begun offering more flexible schedules, 71% are letting more employees choose whether to work from the office, and 66% say they have raised compensation. <strong>— L. Wamsley</strong><br></p><h2>Assessing Audit Competency<br></h2><h3>Practitioners’ proficiency with technology and emerging risks isn’t matching their growing relevance.<br></h3><p>Internal auditors give themselves high marks for audit proficiency, but their competency is falling short in key knowledge areas, notes the Assessing Internal Audit Competency report. Respondents consider all 28 competencies in The IIA's Internal Audit Competency Framework relevant, according to the global survey of almost 1,200 internal auditors by Deloitte and the Internal Audit Foundation.</p><p>Respondents' rate ethical behavior, due professional care, individual objectivity, and organizational independence the highest. Each is part of the framework's professionalism pillar. Professionalism is where respondents say they are most proficient, too, with ethical behavior, individual objectivity, and the mission of internal auditing leading the way.</p><p>However, the report finds a "relevance-to-competence" gap in technology areas such as IT control frameworks, analytics, and security and privacy. "Despite the criticality of these technologies, many auditors do not believe they have the skills needed to provide effective assurance and advisory services in these areas," the report notes. </p><p>The gap is wide for risk management, soft skills, fraud, and agile auditing, as well, the report says. Further, respondents rate their competency in the emerging area of environmental, social, and governance low and consider it the least relevant area. <strong>— T. McCollum</strong></p> <img src="/2021/PublishingImages/Update-dec%2721-factoid2.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:162px;height:701px;" /> <h2>The Corporate Broken Rung<br></h2><h3>Women still face a difficult climb to top positions.<br></h3><p>Along every step of the corporate ladder, women in North America have made slight gains in representation over the last four years, yet they are still significantly underrepresented at all levels of management. These findings come from Women in the Workplace 2021, an annual study conducted by McKinsey & Co. and LeanIn.Org involving 423 companies in the U.S. and Canada.</p><p>Women are less likely than men to make the leap to management, the study finds. For every 100 men promoted to any management role, 86 women are promoted. Differences are more stark higher up the corporate ladder. </p><p>The "broken rung" phenomenon is worse for women of color, who account for 12% of first-level managers, but only 4% of C-suite executives. Comparably, white women hold 28% of first-level management positions and 20% of C-suite roles. </p><p>Organizations considered top performers in diversity and inclusion are more likely to have strong diversity-focused strategies compared with companies overall. Best practices cited by the study include tracking the representation of women and women of color among new hires and promotions, ensuring equitable promotions by reducing bias within performance reviews, creating an inclusive culture, and holding senior executives and managers accountable for progressing on diversity goals. </p><p>Indra Nooyi, former chairperson and CEO of PepsiCo, says organizations cannot simply appoint a diversity and inclusion officer and call it "done." Nooyi, the first woman of color to head a Fortune 50 company, says diversity is a mathematical number, but inclusiveness involves emotion. "Are you going to make everybody feel welcome and included?" Nooyi asks pointedly in an interview with McKinsey & Co. "That requires deep involvement by all people in power to make sure that you identify bad behavior that's not inclusive, nip it in the bud, and model the right behavior." <strong>— C. Janesko</strong></p><h2>Ransomware Tool Spurs Warning <br></h2><h3>Attackers armed with BlackMatter are demanding payments.<br></h3><p>Amid a steep rise in ransomware attacks, the U.S. Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency have published a cybersecurity warning about recent hacking exploits using a tool known as BlackMatter. The ransomware-as-a-service tool first gained prominence in July by enabling bad actors to access secure networks and remotely encrypt host and shared drives. Hackers using the tool have demanded payments ranging from $80,000 to $15 million.</p><p>The warning details some of the tactics BlackMatter uses that make it so dangerous. It also recommends mitigation actions, including implementing detection signatures, using strong passwords and multifactor authentication, updating operating systems and software, limiting access to network resources, and deploying network segmentation and traversal monitoring. Additionally, the warning discourages organizations from making ransom payments not only because they encourage further attacks, but also because there is no guarantee any lost files will be recovered.</p><p>"This advisory highlights the evolving and persistent nature of criminal cyber actors and the need for a collective public and private approach to reduce the impact and prevalence of ransomware attacks," says Eric Goldstein, executive assistant director for Cybersecurity at CISA. <strong>— L. Wamsley</strong> </p><p></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h2>​<img src="/2021/PublishingImages/Update_Dec_2021-120x120.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Auditors Back on the Road</h2><h3>Audit projects are among the types of business travel expected to resume in 2022, says Hatice Akyerli Dalton, internal audit leader for Deloitte's Travel, Hospitality, and Services sector.</h3><p> <strong>What is the forecast for travel in 2022, and what types of business travel are most likely to occur? </strong></p><p>Deloitte forecasts corporate travel in the first quarter of 2022 will be 35% to 45% of 2019 spending, 40% to 60% in the second quarter, and will rise to 65% to 80% in the fourth quarter. </p><p>The most likely reasons for travel include use cases high in importance to business success and dependent on face-to-face interaction. Travel motivations that fall into this category include client acquisition and relationship building, client project work such as internal audit projects, and industry conferences with strong networking opportunities or benefits.<br></p><p> <strong>How can internal audit functions make the case for audit-related travel?</strong> </p><p>Nowadays, with all the technology, access to data remotely, collaboration tools, artificial intelligence, etc., a typical internal auditor can do a lot of work on preparation, planning, and wrap-up remotely. Not all source data that auditors would need resides only in the field anymore. As such, a generalization can be made that more can be done while we spend less time in the field.</p><p>However, that is true for established teams and areas in which internal auditors have strong knowledge of the business processes and related risks being audited. Also, preestablished relationships with the audit client are a must. Areas such as the acquisition of new business units and new management and staff would need more in-person presence and interaction.</p><p>One of the main reasons that internal audit professionals will likely still need to travel some comes down to the saying, "trust but verify." Internal audit desktop/remote test work reviews will provide little insights compared to actually observing the physical premises, walking the halls, counting inventory, and especially conducting face-to-face interviews. Internal auditors get a sense when something feels off or does not appear to be complete. To exercise this, one needs to be in person. </p><p>Additionally, team training and collaboration is most impactful when in the field. Furthermore, most successful internal auditors are the ones who build the right level of relationships with their audit clients and earn their respect and trust. Those type of relationships will not easily form while not in person. In other words, relationship building requires an internal auditor to be authentic, knowledgeable about the business, and present in person.</p><p> <strong>How can those internal auditors who are traveling ensure they are doing so safely and productively?</strong></p><p>Internal auditors should follow U.S. Centers for Disease Control and Prevention and Federal Aviation Administration guidelines around safety protocols, including wearing masks and maintaining as much space as possible during the boarding and deplaning processes. In addition, being vaccinated before traveling — although not a requirement domestically — would increase the likelihood of a safe travel experience. Based on recent survey results, we have also seen an increase in travelers preferring direct flights — versus connecting flights — to limit time on planes and airports and reduce the risk of travel disruptions.<br></p></td></tr></tbody></table><p> <br> </p>Staff1
Fighting the Same Old Battleshttps://iaonline.theiia.org/2021/Pages/Fighting-the-Same-Old-Battles.aspxFighting the Same Old Battles<p>​In the book <em>Writing Down the Bones</em>, author Natalie Goldberg tells a story about motivational speaker Tony Robbins. A client he had worked with multiple times consistently haggled over price, schedule, etc. He decided it was time to change the dynamics. As they sat in the 10th-floor executive suite, the client began the battle once again. Robbins reached into his thousand-dollar suit, pulled out a water pistol, and began shooting it at the client. The executive was startled, but quickly understood the message. “We’ve been here before. Why are we wasting our time?” He laughed and signed the contract.</p><p>How often have you sat in the same room having the same discussion with the same clients? How often have you quarreled over miniscule points, debated the choice of individual words, and quibbled over insignificant corrective action details, repeating discussions you have had time and time again? </p><p>One cause for these repetitive conflicts is education. Do the audit clients understand the work we do? Do they understand how we reach our conclusions? Have we done enough to explain it to them? And have we pointed out they are repeatedly arguing the same points?</p><p>But auditors need to use these situations to better educate themselves, as well. At a past employer, it took our audit department just a few audits of branch claims offices to realize our debates with the regional claims manager occurred because he thought our sample sizes were inadequate. Were they too small? Probably. Was he asking for more than was necessary? Probably. But as soon as we provided the testing he was looking for, the debates were much shorter.</p><p>Still, we may need to shake things up sometimes — make the client realize we’ve been through all this before and that we can all save a little time by moving beyond the normal bickering and getting to what needs to be discussed. One client fought us tooth and nail on everything we reported, insisting on multiple meetings to hash out every report. Deciding it was time to upset the apple cart, I started the meeting by asking, “What will it take for me to get you to drive out of here with this audit report?” My verbal water pistol worked — the report was ready to be issued one hour later. </p><p>In all things we must challenge the status quo. But we may not realize how true this is when it comes to the daily give and take, conversations, and debates we have with our clients. Look for such instances and decide if one side or the other needs to be better educated. Or is it a case of falling into the same old patterns? To paraphrase Goldberg, step through the resistance right now and do something new, something surprising, and something great. And when you see yourself, your team, or the client falling into the same patterns, break out the squirt gun and shake things up. <br></p>Mike Jacka1
Courage as a Cornerstonehttps://iaonline.theiia.org/2021/Pages/Courage-as-a-Cornerstone.aspxCourage as a Cornerstone<p>​As past research has shown, and many practitioners can likely attest, audit findings that don’t meet clients’ approval can occasionally result in direct pressure to change the audit report. And in some cases, when resisting this pressure, auditors may even experience retaliation. Indeed, sometimes our work consists of much more than just following standards and writing reports. Political factors and unethical behavior create challenges that fall outside the normal realm of professional practice. Nonetheless, in every phase of the audit process — planning, performing, and communicating — auditors must have the courage to perform their work objectively and thoroughly, even in the face of fear and intimidation. </p><p>When planning, practitioners try to identify high-risk areas that could have the greatest impact on the organization’s ability to achieve its objectives. But often the most important areas are not immediately visible and consist of information entrusted to gatekeepers — usually management. Internal auditors must demonstrate the courage to examine these areas, even when clients may not want them to. At the same time, practitioners must not confuse courageousness with recklessness. An overly aggressive approach could lead to management and the board pushing back as well as increasing barriers to the information auditors need. </p><p>During the performance of audit engagements, practitioners could encounter numerous situations that call for professional courage. For example, in an organization with poor cultural practices, senior management might try to overpower or even bully auditors during information-gathering or attempt to conceal documents. Moreover, performing assessments may involve asking tough questions, which can be intimidating — especially when directed at those in power. These situations require internal auditors to show bravery, challenge the client, and pose questions no one else wants to ask.</p><p>Finally, when communicating results, especially to the board, practitioners need to report as objectively as possible. Communications must be measured and accurate to maintain credibility, and auditors need to avoid overstepping their bounds. Moreover, political savvy goes hand in hand with being courageous — as a quote often attributed to Winston Churchill states, “Courage is what it takes to stand up and speak; courage is also what it takes to sit down and listen.” A combination of assertiveness and diplomacy goes a long way toward achieving a successful outcome.</p><p>Perhaps Mark Twain said it best when he described courage as the foundation of integrity. For internal auditors, courage should be foundational to professional practice, along with objectivity, due professional care, and competency. We should always be willing to ask stakeholders demanding questions, stand for what is right, avoid falling prey to the pressure of others, and act for the benefit of the organization and society. Courage doesn’t mean you don’t feel afraid; it means you don’t let fear stop you. <br></p>Matej Drašček1
Emerging Leaders: Where Are They Now?https://iaonline.theiia.org/2021/Pages/Emerging-Leaders-Where-Are-They-Now.aspxEmerging Leaders: Where Are They Now?<p>​Internal audit is an exceptional destination profession. Rising through an organization’s departmental ranks toward a chief audit executive (CAE) post is rewarding and challenging, and the work is essential to the enterprise. At the same time, powerful evidence indicates that internal audit skills empower practitioners to answer even the most unexpected of opportunity’s knocks and excel in leadership posts far outside the traditional boundaries of the profession. Some of <em>Internal Auditor</em>’s past Emerging Leaders are climbing the ladder, some are at the top and exploring ways to expand their spheres of influence, and some use their internal audit skills in strikingly diverse careers.<br></p><h3>ELEVATING CREDIBILITY <br></h3><p>Thokozani Sihlangu is focused and ambitious. When he was named a 2020 Emerging Leader, he was senior audit manager, Quality Assurance, at Absa Group in Johannesburg. He took a job as senior audit manager with Standard Bank in December of that year, and is now head of Transactional Products and Services Audit. His role is at a strategic level, he says, allowing him to contribute to Group Internal Audit’s strategy formulation — and then customize a strategy for the business unit he leads and execute against that strategic direction.</p><p>Sihlangu heads a team of business auditors and data scientists, reporting key audit insights, material audit items, and audit themes to governance committees. Leading it well demands that he maintain excellent relationships with key executive stakeholders, too. His team also provides traditional audit assurance against the audit plan and modern modes of assurance in the form of strategic technology project assurance and data-led audit reviews. </p><p>As such, Sihlangu’s long-term career plans haven’t changed, and are right on track. “I am proud that I managed to achieve most of the plans I had for myself when I was in university, which was to attain an MBA and be head of an audit unit before age 35,” he says. “Being an Emerging Leaders honoree was a dream come true, and it has elevated my credibility in the profession.” <br></p><h3>EXPANDING RESPONSIBILITIES<br></h3><p>Nora Kelani, a 2017 Emerging Leaders honoree, has, as she puts it, “reached the top of the internal audit ladder” at her firm, so now she’s focused on expanding her responsibilities outside the traditional aspects of the profession. Indeed, the internal audit senior manager at Trust Holding–Nest Investments in Amman, Jordan, is working on a Certification in Risk Management Assurance and an MBA. After 2017, her position evolved, she notes, and now she reports directly to the board of directors of the holding company she works with. It owns and supports multiple insurance subsidiaries, a reinsurance company, a bank, and other large investments across Europe, the Middle East, and North Africa. </p><p>Kelani’s job involves working in, and traveling to, several of the company’s far-flung locations. She served on The IIA’s Global Advocacy Committee from 2018 to 2020 and this year was tapped to serve on The Institute’s Global Advocacy Advisory Council.</p><p>Expanding her scope has enabled Kelani to provide a variety of consultancy and advisory services — risk management, governance, information and communications technology, operations, and general business consultancy — to numerous stakeholders in different industries. That capability, she says, proves to her that internal auditors add value in advisory and consultancy functions just as much as in traditional audit tasks. “My career has flourished both vertically and horizontally just as I’d hoped it would and has exceeded my aspirations at certain points,” she says. Moving forward, she wants to seek positions where she empowers others, advocates for governance and internal controls, influences strategies, and participates in setting the vision of the organization.</p><h3>IMPLEMENTING CHANGE<br></h3><p>Derrick Li began his career in internal audit at a large accounting firm before signing on with Vancouver’s South Coast British Columbia Transportation Authority (TransLink) for his next career rung, a post as manager, Enterprise Risk and Capital, at subsidiary Coast Mountain Bus Co. (CMBC). Next, he was division manager, Business and Advisory Services, at Metro Vancouver, a separate entity. Li then moved to TransLink headquarters as director, Internal Audit and Performance Improvement. He was there when he received an Emerging Leaders honor in 2014. </p><p>Li then moved to a role as executive director, Finance and Corporate Services, at CMBC in 2018. Two years later, he jumped to his current job as chief operating officer (COO) at Lawson Lundell LLP, a large Vancouver law firm. He oversees business, administrative, and financial operations, and serves on the executive committee, focusing on the firm’s growth strategy and execution. “My career has far exceeded my expectations,” Li says. “Making the transition from CAE to an executive was always in the back of my mind, but I didn’t think I would transition this early in my career.” </p><p>He adds, “I can honestly say that I wouldn’t be where I am in my career without the tremendous experience I gained as an internal auditor.” In his last role at CMBC, he served additionally as chief financial officer (CFO) and corporate secretary, so he had the chance to interact with internal audit regularly — as an audit client and as part of quarterly internal audit/board interactions. That expanded his perspective: “Internal auditors have a unique opportunity to learn every facet of an organization,” Li says. “They can do a lot more, whether moving onto the management side of things or proactively providing advisory services to management.”</p><p>Li says he especially appreciated the variety and scope of his work as an internal auditor. “Every hour of your day could be spent on a different topic and dealing with all levels of an organization,” he says. As COO of a law firm, that’s still true, he adds — and now he can implement change directly. <br></p><h3>SPRINGBOARD TO PARTNER</h3><p>Joseph Harrington has moved from a staff position to partnership at PricewaterhouseCoopers (PwC) since his 2014 Emerging Leaders honor and from providing outsourced internal audit services to heading up artificial intelligence (AI)-related activities. As a principal at PwC Labs in New York, he says, his career has become more technical than anticipated, so his approach is a bit different. “It’s more about how I can leverage technology the best way possible, versus what I know myself and can teach to my team,” he says. </p><p>He’s a co-leader in his new post, providing AI and machine learning capabilities to help internal teams deliver services — including audit services — to clients more efficiently and to help clients that use PwC technology to accelerate internal processes on their own. Harrington likes helping clients embed security and control by design. </p><p>Using machines presents risks, but they don’t tire or have bad days, he explains. Rather, “they provide consistency, which is difficult to measure when it’s just humans performing vouching or tracing.” And while some biases are unique to machine learning models, he adds, his team can help control for them with an approach that includes humans and technology. “It’s not about a person versus a machine,” he says. “It’s about a person versus a person with a machine.” The latter is more efficient. For example, full population testing — not just sampling — is only possible using machines to kick out anomalies for a person to substantiate or refute.</p><p>Harrington joined PwC from a small boutique consulting and internal audit firm, where he provided outsourced internal audit services to banks and credit unions. At PwC, he initially worked in a risk and compliance analytics group that primarily provided U.S. Bank Secrecy Act and anti-money-laundering analytics. </p><p>But his career quickly pivoted when the Financial Accounting Standards Board announced not-yet-effective lease-related standards updates in 2018. “When that occurred, I worked with another partner at PwC to build out a natural language processing platform to help read and understand lease documents for our clients, helping them save time and money on properly recording them on financial statements,” Harrington says. That change was a springboard to his PwC partnership offer in 2019. </p><h3>LEVERAGING INTERNAL AUDIT KNOWLEDGE<br></h3><p>Since her 2013 Emerging Leaders honor, Kayla Carter has moved from providing internal audit services to external clients to an internal role focused on driving digital transformation — and from Kansas City to San Francisco. Now senior director, Business Process and Technology, at Protiviti, Carter supports the executive team in executing the firm’s global internal digitalization and business transformation strategy, including streamlining processes across all areas of the worldwide enterprise. She’s responsible for organizational change management for the executives’ initiatives, project governance, and ongoing support of production environments.</p><p>“My job is challenging, but in a good way,” Carter says, adding that she enjoys working with colleagues across the globe to make day-to-day tasks easier and reporting and analytics better. Her job is different these days, she notes, but she leverages the knowledge she gained from internal audit every day. “My goal is to help improve and streamline the same business processes I used to audit,” she says. “There is always room to improve and make things better.”</p><h3>MAKING ORGANIZATIONS STRONGER<br></h3><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Embracing Leadership Individually<br><br></strong><p>The Emerging Leaders honor means something different to each person who receives it, just as leadership itself is a personal trait that each individual understands and expresses in a unique way. Some base it on their daily tasks; leaders lead, in other words. Carter says she feels like a leader because she formerly led teams on internal audit client engagements and now helps lead her company through its transformation journey. Sihlangu leads a team of seven in his job and recently joined the IIA–South Africa Chapter’s board of directors.</p><p>Others grapple with the nuances of what it means to lead, though; moreover, their examples show that the traits that make a leader may be lasting, but confidence in expressing them may come and go. Harrington didn’t feel like a leader at the time of his honor because he was one of many performing traditional internal audit services. Now, though, he’s filed two patents and helped lead a global team of 300 professionals, many of them deep technologists. “It’s in that pivot to exploiting technology that I now feel like a leader in my profession,” he says; indeed, he’s “one of the world’s leading experts on leveraging data science to deliver business value.”</p><p>Li says he felt like a leader seven years ago as CAE, when he managed the internal audit group and was a leader in his local professional community. But being an executive is quite different, he finds. “There is more of a spokesperson or brand ambassador component that I didn’t realize,” he notes. Zitting says he felt like a leader in 2013, but isn’t sure he does anymore, even though his leadership responsibility is bigger. “I find that the further my career advances, and the closer to the top of an organization I get, the easier it becomes to doubt my own leadership or believe I am not good enough,” he says. “I’m sure that feeling only makes us stronger as leaders.” <br></p></td></tr></tbody></table><p>Dan Zitting, a 2013 Emerging Leaders honoree, is now CEO at Vancouver’s Galvanize — recently acquired by Diligent Corp. — and he says he believes in internal audit as much as ever. “From the minute I started building technology for use in audit, risk, and compliance rather than focusing on being a practitioner, I was in love,” he says. “I am exactly where I would like to be, running a technology business focused on making organizations stronger through technology.” </p><p>Zitting started his career at EY in Denver providing internal audit, risk analytics, and U.S. Sarbanes-Oxley Act of 2002 compliance services, then co-founded and helped run Linford & Co. LLC, a New York IT risk advisory professional services firm. In 2010, he founded New York’s <a href="http://workpapers.com/" rel="nofollow" data-feathr-click-track="true">Workpapers.com</a>, a software-as-a-service internal audit and compliance management platform that was acquired by the company that became Galvanize. </p><p>“Organizations are waking up to realize that their purpose is every bit as important to today’s employees, customers, and investors as their profits,” Zitting stresses. “We should build people, processes, and technology that are as strong in measuring and managing strategy and governance as in managing financial results.” He has never wavered in his belief, he adds, that internal audit has the most responsibility of any part of an organization for building and overseeing those capabilities. <br></p><h3>A BRIDGE TO BROADER HORIZONS<br></h3><p>Hui Jing, a senior finance manager at HP Inc. in Singapore, extols the benefits of using internal audit experience as a bridge to broadening professional horizons. “I would have never imagined having the opportunity to move across so many different roles and, best of all, to leverage my previous experience in risk, controls, and governance the way I do today,” she says.</p><p>When Jing was an Emerging Leaders honoree in 2013, she was an internal audit lead at HP, where she’s since taken on multiple roles in finance — implementing accounting and governance frameworks for new business models, managing unprecedented foreign exchange market volatility, driving profitable business growth, and guiding investment decisions. Now the Greater Asia senior finance manager, she’s responsible for the financial performance of developed and emerging markets in the region.</p><p>“Effective data analytics and an increasing reliance on IT systems and controls will shape the future of internal audit,” Jing says. “A great example is the focus many audit functions have today on data analytics and digital transformation.” Because business dynamics evolve so rapidly, she adds, internal audit plays an important role both in preempting business, financial, IT system, and compliance risks and in helping shape the organization’s responses to those that emerge.</p><h3>A RISK GO-TO PERSON <br></h3><p>“Having seen many people come and go, I would say that internal audit is not everyone’s calling,” Jing says. “But having personally embarked on this journey, I feel it is a great way to be exposed to different businesses, processes, and systems.” The profession demands thinking with an open mind and making assessments objectively, systematically, and logically, she adds. Success, she stresses, comes from being viewed by stakeholders as a trusted partner and a go-to person on all matters involving risk.</p><p>“I believe a leader should be ambitious, yet authentic and influential, to take other people along on his or her vision and strategy,” Jing says, emphasizing her company’s talent development program and the benefits she’s received from it. “They enabled me to grow from a young talent into the leader that I am today,” she says. Acknowledgment from The IIA doesn’t hurt. “Being an Emerging Leaders honoree indeed opened my eyes,” Kelani says. “While I avoided acknowledging my leadership traits before, perhaps as a way to champion humility, today I totally embrace being a leader with all my heart.”</p><p>The key, she adds, is understanding that leadership is a responsibility, and not just more stripes on a uniform or certifications after a name. It comes from inside and must be wielded wisely to be wielded well.  <br></p>Russell A. Jackson1
CEO Message: Recruiting the Best for Internal Audit's Futurehttps://iaonline.theiia.org/2021/Pages/CEO-Message-Recruiting-the-Best-for-Internal-Audits-Future.aspxCEO Message: Recruiting the Best for Internal Audit's Future<p>​Since 2013, <em>Internal Auditor</em> magazine has been showcasing emerging leaders in the profession. Those chosen for this distinction each year are the 30-and-under trailblazers who are shaping and growing the profession through innovation, technology skills, ingenuity, and hard work.</p><p>The IIA’s celebration of youthful talent in the profession could be short-lived without a thoughtful approach to recruiting and serving the needs and expectations of even younger potential members. </p><p>The IIA’s Internal Audit Education Partnership program supports development of internal audit curricula at participating colleges and universities. The program helps ensure graduates have the skills to conduct basic internal audits and prepares them to achieve the Certified Internal Auditor designation. However, it is not designed to inspire young people to become internal auditors.</p><p>The changing dynamics of modern business demand that we do more. Change is occurring at lightning speed, and disruption driven by technology is part of the new normal. The next generation of internal auditors must possess innately agile, curious, and innovative minds, and encouraging young people who exhibit such drive to consider a career in internal auditing begins at the high school level. The IIA’s new strategic plan speaks directly to addressing this.</p><p>Data from the 2020 Career Interest Survey by the National Society of High School Scholars suggest we have some work to do. It finds medicine and health-related careers (37%) the top choice of the more than 14,000 respondents. Another 17% chose business/corporate as an expected career path, which tied for second with sciences and biology/biotechnology. More traditional career paths for internal auditors — accounting/tax and finance/fintech — ranked considerably lower at 4%.</p><p>In the coming months, we will explore new and creative ways to reach Generation Z and will develop strategies, tactics, and resources to address our opportunity as a profession. This must include supporting diversity, equity, and inclusion (DEI) efforts at all levels. I’ve noted before that beyond being the right thing to do, supporting DEI is as much a business decision as an ethical one.</p><p>With the guidance and support of our North American chapters and affiliates around the world, we hope to soon reach out to high school guidance counselors or their equivalents to boost knowledge of the profession, dispel negative stereotypes, and encourage the best and brightest to consider internal auditing as a career.</p><p>As you read about the impressive group of emerging leaders featured in this issue, I hope you’ll join me in seeking new ways to mentor and nurture the next generation. The IIA understands this begins at the local level, and we will work diligently with our members to build a pipeline of future-ready auditors.<br></p>Anthony Pugliese0

  • AuditBoard-January-2022-Premium-1
  • CIA-January-2022-Premium-2
  • 2022-GAM-January-2022-Premium-3