| #IAm Jude Viator | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/IAm-Jude-Viator.aspx | #IAm Jude Viator | <p><span style="text-align:justify;">Through a conv</span><span style="text-align:justify;">ergence of fate, opportunity, innate ability, and life-long training, I find myself nearly 15 years into a fascinating career as an internal auditor. Just a mere 17 years ago, I was a converted accounting student, having moved past my original plans to become a chemical engineer. As I re-planned my adult life, I was confident in my ability to work with math and numbers and also understood that accounting was a safe and secure educational tract. Shortly thereafter, I quickly acknowledged that I also had an interest in people, processes, and </span><em style="text-align:justify;">not</em><span style="text-align:justify;"> doing accounting, so I welcomed the idea of an alternative path </span><span style="text-align:justify;">—</span><span style="text-align:justify;"> audit.</span></p><p style="text-align:justify;">To be honest, around that time, the truism "mother knows best" also played a part, as she directly told me, "Jude, I am not totally sure what all an auditor does, but you are one." There may have been some other words shared, but that was the gist. I can remember bagging groceries the summer before that semester, when the corporate auditors arrived. Many were annoyed or concerned, but I recall a deep interest in their purpose and approach. As the summer ended, I was ready to fully invest in the idea of chasing the audit dream. </p><p style="text-align:justify;">I mentioned fate played a role, and it was a BIG one — my girlfriend (now wife) had a roommate that I rarely saw. However, I just happened to be visiting when she was returning from an event hosted by the Louisiana State University (LSU) internal audit program. She was beaming about opportunities, while also bemoaning the challenging course. I left that evening with an interest and an excitement, knowing that I wasn't restricted to external audit. Fast forward two days, and my mom tells me that I have mail from LSU, inviting students to enroll in the internal audit program. Apparently, a similar promotional message had come before, and was part of the reason my mom had even suggested audit to me. I am not sure she even fully understands what that meant to me, to this day.</p><p style="text-align:justify;">As you may expect, I joined that program, which helped me (forced me) into becoming a professional (Dr. Sumners had and still has high expectations). It also helped me land my first audit-related job, which is the job that I still have today, having been promoted a few times. Over those years, the LSU internal audit program and the decision to align with internal audit have enriched my life. Beyond providing me with a stable and rewarding job, the program introduced me to friends, colleagues, lessons, and experiences that have shaped my career. Internal audit has provided me with an unbelievable opportunity: I get paid to be skeptical and to get to know people, processes, and organizations — my favorite things. It has been fascinating to learn that audit is a mindset that is enhanced through experience and training, and those who naturally see the world through that lens are more prone to find not only career satisfaction, but daily enjoyment of the opportunities that it provides.</p><p style="text-align:justify;">I think at our core, we all carry traits of quality auditors, even if we don't associate with the idea of being one. Understanding the profession as I do now, I can easily recognize that my dad has always exhibited many of those characteristics. His dream was working in law enforcement, and he lived that dream from the year I was born until the year my first child was born, almost 30 years. He was and is a rule follower, and my brothers and I heard many speeches about ethics, but he also told traffic-stop stories that emphasized empathy and compassion. Looking past that softer side, those stories communicated the importance of being observant, listening, understanding requirements, considering risks, and knowing when it was okay to hand out a warning instead of a citation. It is an age-old irritation for auditors to be perceived as cops, but in my life experience, that comparison isn't all bad. </p><p style="text-align:justify;">After 'retiring,' my dad is now back with the state police, working as a compliance auditor for driving schools. I hear new stories (and I now yearn for the details) that carry much less physical risk, but the same characteristics. Even after all my training and work experience, I find myself continuing to learn and evolve through those conversations. While I never dreamed of law enforcement, like many, I also see my dad as a role model, and his example has encouraged me to strive to be a better human, better husband, better father, and better auditor.<br></p><p style="text-align:justify;"><br></p><p>Jude Viator, CIA, CISA, CRISC, is an internal and IT audit practitioner and associate director in Postlethwaite & Netterville's Control & Risk practice, based in Baton Rouge, La.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Jude Viator | 0 | | | |
| Building a Better Auditor: Sound Judgment and Due Care | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Sound-Judgment-and-Due-Care.aspx | Building a Better Auditor: Sound Judgment and Due Care | <p>Being a governance professional for 17 years in four different organizations was a very enriching experience; however, my work was limited to technology companies and their related operations and finance. I felt trapped and like I had nothing more to give. Although I coached and provided consultation, I felt I had reached the most feared and notorious "status quo" stage in my career.</p><p>Then, in 2020, I received an invitation to interview with a real estate company. I was amazed and scared at the same time. I asked myself if I could leave the technology shell I was in and start a new journey in real estate.</p><p>It was a very difficult decision. My chief audit executive encouraged me to take the opportunity, and it turned out to be the "kiss of life" to my career — a whole new world to explore. In my first year, I audited four different construction projects and five subsidiary companies and had many consultation engagements.</p><p>A real estate audit is different from a normal audit engagement in that you may be asked to perform a full-scope audit, which includes financial, strategic, health and safety, etc. The common practice in real estate in Egypt is to establish an independent financial entity for each project, which creates the need to examine individually the financial position of each company, thus the need to create a full-scale audit program. </p><p>Needless to say, such a full-scale program takes longer than other audit engagements. The length of the engagement is also a pressure factor. As you invest time and effort in executing the engagement, it is some time before you receive feedback from management or the CAE's appraisal of the audit report. </p><p>What I needed in this case, I already had, but I needed to discover it for myself: I simply needed to believe in myself and my competency to conduct engagements. As long as I practiced sound judgment and due professional care during all phases of the engagement, as outlined in the <em>International Standards for the Professional Practice of Internal Auditing, </em>I could succeed. </p><p>One year later, I can say with confidence that I have met both my own and my superiors' expectations. I've concluded that the main factor in my success is that I believed in myself and my ability to embark on a new challenge in the audit world.<br></p><p><br></p><p>Ahmed Gharib, CIA, is group internal audit senior manager at Porto Group in Cairo.<strong> </strong><br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Ahmed Gharib | 0 | | | |
| Future Imperfect | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/Future-Imperfect.aspx | Future Imperfect | <p>A few years ago, I had the honor of being the closing speaker for an IIA conference. As with almost all IIA conferences, it was filled with interesting presentations and information of value to anyone willing to listen to what was being said. And therein lay the problem.</p><p>Quite simply, the participants appalled me with their inability to actually listen to what was being said — to seemingly dismiss the newer concepts and ideas they were being presented. These were ideas that represented the future directions of internal audit — forward-thinking ideas, concepts that could be immediately applied, things the participants needed to know. But their reactions and subsequent questions revealed the participants' unwillingness or inability to understand the gift they were being given.</p><p>You'll have to trust me on this. The presenters were good, their presentations were good, and the entire conference was good. But the crowd, doing their best imitation of Cletus the Slack-jawed Yokel … well, not so much.</p><p>I got more than a little peeved.</p><p>I sometimes fiddle with my presentations right up to the minute of the actual presentation. (This has driven more than one person in charge of logistics into paroxysms of exasperation.) But this time I did more than fiddle; I made significant changes to the final slides. The presentation happened to be on leadership — a topic that leant itself to the new message I wanted to send. But it could have been "The Fundamentals of T-accounts" for all I cared because I was going to make a point. I took the portion of the presentation containing my thoughts on the future of internal audit and the charge that internal auditors must do more with what we have, and pumped up the anger quotient, effectively telling the participants to get their heads out of their workpapers, look around, and realize the world had changed, the requirements of internal audit had changed, and if they didn't change they would soon become the horse and buggy of the professional world. I was trying to metaphorically slap them upside the head.</p><p>I got good marks for that presentation. Unfortunately, I don't think it was because there was a great appreciation of the new message I was trying to send. If they had actually received that message, there would have been more than a few of the attendees less than satisfied. And the ratings should have reflected that displeasure. They didn't get my message. And I have to believe they walked away from that conference with continued, somnambulistic ignorance. Either I didn't use a big enough hammer or the one I used was trying to work through too much bone.</p><p>That experience sits in the back of my mind during every conference I attend. I look around during other conferences and I wonder, have we learned, are we trying for more, are people hearing the words and warnings that are out there? I like to think that my prior experience was an aberration, that I happened to come across a weird crowd at a weird time. I've never again run into quite the same situation.</p><p>So, good news, our future should be fine. But I can't rest easy.</p><p>Most conferences have informative and important presentations and receptive and appreciative audiences. But how much do these conferences — the attendees and the presenters — represent what is going on in the broader internal audit world? What we see in these situations are people who are participating — people who see the need for more information and new ideas. Unfortunately, there are a lot of auditors and audit groups who are not involved.</p><p>Are those other groups good? Are they mediocre? Are they bad?</p><p>I fear for what may be out there. Even when I talk with individuals attending conferences, seminars, presentations, etc., I hear stories that scare me. Stories from individuals who are working in audit shops that have not fully accepted what we can be and what we should be striving for. I talk to departments that see no problem reporting to the chief financial officer. I talk to departments that feel their job is to find what is wrong. I talk to departments that do not want to make waves. I talk to departments that constantly talk about changing things, and never do. I talk to departments that aren't ready or refuse to be ready to make the necessary moves into the future, often stuck in the past unable to even move into the present.</p><p>And these are the ones who are involved.</p><p>Many of us — presenters, authors, trainers, leaders, proselytizers — continue to sound the clarion call that internal audit must change. It cannot sit on its now musty laurels and expect success to come calling. We have to take control of our own futures to ensure we can continue to make a valuable difference.</p><p>But there are only so many times we can say we are on the precipice of change before we fall into the abyss. There are only so many times we can say we are at an inflection point before we miss the turn. And there are only so many times we can say we must grab the opportunities the future holds before the future grabs us, shakes us silly, and discards us back into the past.</p><p>I came this close to titling this piece "Requiem for a Profession." I truly fear we may be blindly walking into our final days. And, much like so many other issues we see in today's world, it may be too late to make the change.</p><p>However, maybe not.</p><p>Join me next time …<br></p> | Mike Jacka | 0 | | | |
| On the Frontlines: Data-driven vs. Data-informed | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Data-driven-vs-Data-informed.aspx | On the Frontlines: Data-driven vs. Data-informed | <p>Data is a powerful thing. The essential role that data analytics play in today's audit profession cannot be emphasized enough, especially in light of the digital transformation taking place across industries. Many auditors use data in one of two ways. "Data-driven" internal auditors make use of abundant data sets and analytics techniques to reach unexpected and valuable audit insights. Meanwhile, "data-informed" internal auditors build on professional wisdom, experience, and pragmatism to carry out audit engagements, using any data they come across as a support to their rationale and judgment.</p><p style="text-align:left;">Be it data-driven or data-informed, neither is absolutely right or wrong. However, the extremes of either style can have negative consequences. Being purely data-informed could be used as an excuse to avoid the hard work of distilling data. On the other hand, data-driven auditors may be tempted to over-analyze everything that comes into view, without stepping back and looking at the big picture, guided by human judgment.</p><p style="text-align:left;">Auditors should therefore seek a balance between the two extremes. In fact, there are common pitfalls that internal auditors should take care to avoid to reap the full potential of data analytics.</p><h2>Focusing Only on the Known Unknowns</h2><p style="text-align:left;">When planning for an audit engagement, auditors often easily compile a list of risks and concerns based on a past understanding and information available at hand. Starting from there, auditors then build a series of analytics procedures and metrics to either conform or disprove auditor skepticism. This is an approach of "finding the known unknowns" and is undoubtedly fundamental to developing an audit analytics program. However, auditors solely relying on this approach may miss what could prove to be their secret weapon —"finding the unknown unknowns," or finding risks or anomalies not on the auditor's radar at the outset.</p><p style="text-align:justify;">Admittedly, this is easier said than done. One approach is for auditors to conduct an exploratory analysis into any accessible key business metrics or datasets related to the audit scope, prior to finalizing an audit plan. Hopefully, this will align facts and numbers with auditor assumptions and create opportunities to fine-tune the audit plan with more pertinent considerations.</p><h2>Assuming the Data Is Clean and Organized</h2><p style="text-align:justify;">Garbage in, garbage out. Any analytics program is only as good as the data that feeds it, and auditors often have to compile data in disparate forms and patterns and from different sources. This subjects auditors to additional layers of data quality risk, both from bad data in its original form and errors/omissions during the data compilation process. Jumping straight into analysis on such data without a sanitary check could produce misleading audit results, ultimately putting the reputation of the audit department at risk.</p><p style="text-align:justify;">Cleaning the incoming data can add to the upfront workload in any analytics journey. But the process of data cleaning can be a valuable exercise in itself, as the invalid datasets, once identified, may reveal important patterns for further investigation. As the saying goes, "the devil is in the details."</p><h2>Mixing Correlation With Causation</h2><p style="text-align:left;">Supported by the right data and algorithms, auditors should be on track to identify some patterns or anomalies from the data. However, auditors also may be quick to believe that they have just discovered a "mine" of audit findings and chase it down the path. Until there is further evidence, auditors should bear in mind that these clues are just correlated with a potential issue and may not represent all of the truth or justify an audit finding.</p><p style="text-align:left;">In this case, a prudent auditor would stop and reflect on two underlying questions before taking further action:</p><ul style="text-align:left;"><li>Are there any other clues that would provide an opposing point of view?</li><li>What is not collected or apparent in the data? For example, is there data collection bias?</li></ul><h2>Data Reporting: Engaging in Information Overload</h2><p style="text-align:left;">When preparing a report, it can be tempting for auditors to want to show the audience (and especially executives) everything from the analysis, as evidence of the hard work done and robustness of the process. It is an understandable mistake, but doing so actually forces the audience to repeat the laborious process that the auditor has gone through to reach the conclusion. Instead, auditors should ask themselves three questions before they proceed, relating to who, what, and how:</p><ul style="text-align:left;"><li>To whom are you communicating?</li><li>What do you want your audience to know or do?</li><li>How can you use data to help make your point?</li></ul><p style="text-align:left;"><br>All that being said, the only way auditors can successfully avoid these data analytics pitfalls is through practice. With experience, a balanced approach, and good judgment, data analytics can be an indispensable guide and a tool to help internal auditors bring more value to the profession.</p><p style="text-align:left;"><br></p><p style="text-align:left;">Maosen Cai, CIA, CISA, CMA, FRM, is audit analytics lead at a digital-only bank in Shenzhen, China.<br></p><p style="text-align:left;"><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | Maosen Cai | 0 | | | |
| Building a Better Auditor: A Mental Health Perspective on Career Growth | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-A-Mental-Health-Perspective-on-Career-Growth.aspx | Building a Better Auditor: A Mental Health Perspective on Career Growth | <p>According to the World Health Organization (WHO), "Health is a state of complete physical, mental, and social well-being and not merely the absence of disease or infirmity." It is important to note that mental health is an integral part of what the WHO defines as a healthy state. The WHO defines <em>mental health</em> as "a state of well-being in which an individual realizes his or her own abilities, can cope with the normal stresses of life, can work productively, and is able to make a contribution to his or her community."</p><p>Several of the key phrases within the definition of mental health also are key attributes for a successful professional, such as a state in which an individual "realizes his or her own abilities," "can cope with the normal stresses of life," "can work productively," and is "able to make a contribution." Indeed, these attributes often are basics that are included in job descriptions and would be necessary in any working professional.</p><p>Mental health is an increasingly important topic within the work environment because poor working conditions and organizational issues are factors that contribute to poor mental health. These two factors are particularly present within the internal audit function and for internal audit personnel, because of:</p><ul><li><em>Internal audit's continuing struggle for a "place at the table" and for management support. </em>The audit function attempts, with increased vigor to be seen as an advocate and an advisor of management rather than a policeman or a watchdog, which can lead to poor working conditions in organizations with low internal audit function maturity.<br></li><li><em>Organizational issues, ironically.</em> The nature of the internal audit function is to address organizational issues, if any are present, yet when organizational issues contribute to poor mental health, it places auditors at the forefront of workers at risk within the organization.</li></ul><p><br>The responsibility for taking care of the employees' well-being and mental health is two-sided — both from the employee's as well as the organization's sides. Here are some things internal auditors can do to take care of their mental health.</p><h2>1. Connect With People</h2><p>In one's personal life, having a social circle for support is important to human beings, who are social creatures at their core. This support can involve familial relationships, friendships, and even networking with colleagues and fellow professionals.</p><h2>2. Be Physically Active</h2><p>While going to the gym can be time-demanding, expensive, or, for me personally, just plain boring, there are always alternatives for physical activity that suit all tastes and fitness levels. These can range from a walk in the park, to cycling through your local trails, to climbing mountains at home and abroad on your holidays. Being active also can foster social connections because these activities can be enjoyed with others in your community.</p><h2>3. Keep Learning</h2><p>This aspect will give you a purpose and direction in your life, a stronger feeling of accomplishment and being goal-oriented, as well as help develop your career. There are many learning options, such as obtaining your Certified Internal Auditor or Certification in Risk Management Assurance from The IIA.</p><p>There also are other options that do not tie directly into your career but would also be helpful. For example, you can sign up for physical activity classes or camps to stay physically active, as well as participate in such classes with members of your community to stay social. You often will find that the skills you develop in these classes are transferable to your internal audit department. The next time someone compliments your great teamwork, you can invite them to your basketball classes or practice where you developed your teamwork skills!</p><h2>4. Take Care of Your Physical Health</h2><p>It's an old adage, but it remains true that a healthy mind resides in a healthy body. Making sure you are eating right and enjoying nutritious meals, drinking plenty of water — I assure you, no matter how much water you are drinking, it is not enough, so drink more water — avoiding smoking and unhealthy habits, and getting enough sleep are all factors that help you be a healthier person in both body and mind. You will notice that being healthy ties in with being active. This list might sound long, but most items are interrelated, and you will find yourself ticking several items in one activity most of the time.</p><h2>5. Give Back to the Community</h2><p>Dedicate some of your personal time to volunteer in activities to help others or to help the planet. Volunteer opportunities are available just about everywhere, whether it is teaching an extracurricular class at your old school in the afternoon, participating in beach clean-ups and environmental activities, or just helping your neighbors. Giving back feels good, and you will notice, not coincidentally, that giving back ties into being social, active, and healthier. It could even lead to new learning opportunities, creating a huge, compounded positive effect on your mental health.</p><p>Internal auditors deal firsthand with organizational issues both on a larger scale for the organization as a whole as well as on a more micro scale for the internal audit department. The function, itself, is based on dealing with these issues, which are growth and development opportunities. So, it is important for us to internally foster a positive mental health environment to maintain our positive outlook and be able to make a change for the better and be role models for our fellow organizational members.<br></p><p><br></p><p style="text-align:justify;">Hassan Khayal, CIA, CRMA, CFE, is an internal audit professional based in the United Arab Emirates and a 2020 <em>Internal Auditor</em> Emerging Leader.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | Hassan Khayal | 0 | | | |
| What Did You Say to Me? | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/What-Did-You-Say-to-Me.aspx | What Did You Say to Me? | <p>Here is a fundamental truth about social media. It is a Sargasso Sea of misinformation, logical voids, prattled inanities, and nattered nonsense — a sucking quicksand of uselessness that people return to with the unerring certainty of the junkie returning to the opium den. To quote Admiral Ackbar, "It's a trap!!!" </p><p>And I confess, I stand on the brink of (and sometimes fall into) that bottomless void on a daily basis. I do a quick check on Facebook, get a sporadic update on Instagram, and see the latest infobits on Twitter — in sum, take that little hit of endorphins that comes from those oh-so-innocent updates.</p><p>At this point, I'm sure there are a couple of you sitting in your ivory towers looking down on us poor unfortunates, smug in the belief that you have kept yourself pure, never dipping your toes in the fetid pool of social media. However, your proclamations of aversion are short-lived. No, you are not playing in the Snapchat-TikTok-Tumblr-Reddit-Discord-Twitch worlds. But you are reading this blog and, I am sorry to inform you, it is a form of social media. And any time you read a blog or get a LinkedIn account or simply hear others talk about what they have heard, you are part of the game. There is no escape.</p><p>All of the preceding, in its garrulous loquacity, is an introduction to a discussion about a significant issue/problem with the supposed conversations that occur on social media. Many of us get a little riled up when we come across something on social media with which we do not agree. And I find that it can take nothing more than a certain word, phrase, sentence, or image to put me in a very bad way. Such postings trigger something in me. I feel my pulse begin to race, my blood pressure increase, and my ability to be a critical thinker disappear down a drain of fury. No hyperbole here; there is a physical, sometimes violent, reaction to what I see. And I know there are a number of you out there who have similar experiences. Social media has conditioned us to react — to live in a world where snippets are considered valuable information and response is expected in microseconds rather than after pausing to think.</p><p>But, in spite off all the preceding, I'm not here to cast aspersions on social media. Rather, let's talk about those triggers and reactions.<br></p><p>I have recognized the way social media sets off those triggers within me. (The first step is recognizing you have a problem.) And when I see it happen, I try my best to step back from the edge of bullied insanity and let the calm, rational parts of my mind take over. Sometimes it doesn't work. And I would like to take this opportunity to apologize for some of the responses I've put on Facebook. But, as I become more aware of it happening and realize how unhealthy it is to let such small things get me fired up, I do my best to step back and take a few calming breaths. Yes, I may still respond, but I hope those responses are more thorough, reasoned, and nuanced.</p><p>So, I'm trying to watch my personal triggers. But what triggers do I use that may cause similar reactions in others — triggers that cause them to react rather than think?</p><p>Which leads to the bigger picture. What do we say, what do we write, and how do we act that sets off the triggers of those with whom we are working? Are we aware how the words we use might impact the effectiveness of audit work? Do we recognize that a slip of the tongue might turn a hesitant client into an active adversary? And do we even think about the words we use?</p><p>Here, to my mind, is an example of the tone-deaf auditor. I got this response to a recent blog post.</p><p><span class="ms-rteStyle-BQ">Does Internal audit have customers or auditees, that is the question. If you want to have customers, start selling ice-cream; if you want to have auditees, start auditing.<br></span></p><p>You want a trigger word? Try using "auditee." There is a reason that the profession has done its best to move away from what is now considered to be a disparaging term. I've been around a long time; I fall into the trap of occasionally using it. And when it happens, I see everyone around me cringe — auditors and nonauditors alike.</p><p>I'd love to know what this person's relationship with clients is like. Maybe it's all wonderful and the clients don't mind being thought of as auditees. But I'm willing to bet dollars to mechanical pencils that there is tension between the two teams. And the use of the word "auditee" shows either a tone-deafness on the part of the person who wrote this or is an indictment against that auditor's attitude when it comes to the people with which he or she works.</p><p>Words matter. And the term "auditee" is just one instance. Another example: When we want to report something that needs to be corrected, do we call it an issue, a finding, an irregularity, an opportunity? Each word has its own benefits and its own baggage, and the correct one to use — the one that will not set off our client's triggers — depends on the client.</p><p>Another reply to another of my blog posts.</p><p><span class="ms-rteStyle-BQ">Some people have said on LinkedIn that the words don't matter; it's what you do that matters. Well, that's true in some circumstances; we can all think of governments saying one thing and doing another. But that doesn't mean words don't matter — if they didn't, people wouldn't criticize governments for hypocrisy. For those on LinkedIn who think words are irrelevant, I wonder if they'd feel the same way if their employment contracts (mere words) suddenly changed. I suspect not. Words matter. </span></p><p><span class="ms-rteStyle-BQ">Language matters.</span><br></p><p>The mere fact that we are called "auditors" already sets many people on edge. And, yes, I know some departments are starting to use other terms. But, even in those instances, people can see behind the change. Sorry, no matter what word they hear — auditor, consultant, advisor, etc. — they will react. And that reaction, generally, is not positive. Which means one more trigger may be all it takes for them to turn on us — to start yelling, screaming, and making the task of working with that person more difficult. (I've got a couple of stories on that one. We can talk at the All Star Conference's welcome reception on Monday night.)</p><p>We all have triggers that can set us off. It is important for us to understand ourselves, how we react, and how to get those reactions under control. (That is big part of emotional intelligence. Look it up.) But we have to pay attention to others, doing our best to avoid the possible triggers. And, when we see ourselves about to step on those landmines, we have to step back and find a different, better way to communicate.<br></p> | Mike Jacka | 0 | | | |
| On the Frontlines: Citizen Developers and Professional Experts | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Citizen-Developers-and-Professional-Experts.aspx | On the Frontlines: Citizen Developers and Professional Experts | <p>The rise of self-service analytics, including "auto machine learning" tools and other advanced automated approaches, bring internal audit teams more power than they had ever hoped for. But with great power comes great responsibility. Should auditors embrace this power? Should we contain it? Could we contain it if we thought that is what we would like to do?</p><p>Do these questions sound familiar? Probably yes, as these tools simply are the new enablers of the phenomena we have been calling "end-user computing" for quite a while. </p><p>A few years ago, when we started to recognize the end-user computing phenomena, we simply had a "wizard" in the audit team who could do things in spreadsheets or databases that others didn't even know were on the menu. With the rise of self-service tools, these wizards have grown a following of apprentices, and now the person we used to call "wizard" wants to be known as a "citizen data scientist" or "citizen developer," depending on the tools that individual most commonly uses. </p><p>As long as you are willing to learn, these wizards will show you how to replicate their tricks in your projects. But as amazed as we are, our wizards are the first to recognize that they are not the top of the heap. Being a "true" data scientist/data engineer/programmer (a specialized professional) is not the same as what they do as a "citizen" data scientist or a "citizen" developer (a handy amateur). </p><p>Although they are "amateurs" or "hobbyists," these citizen developers are the ones who create our business intelligence dashboards, process our data so the rest of us can use it, develop bots to simplify our jobs, and perhaps design and oversee automated workflows to collect and route information to others in the team who need it. They get the job done, not because they are technical masters, but because they are "good enough" at what they do, and really understand what you are trying to get done (business acumen).</p><p>Because of their ability to produce results and their dual nature of business and technical, when audit teams considered end-user computing, we didn't choose to contain these wizards. Yes, we did recognize that some level of controls had to be put in place. We wanted to make sure we knew what decisions they were making with their tools, and we also wanted to ensure that these decisions were made at the right level of authority, regardless of technical expertise. With those guardrails, we actually chose to enable these wizards in the departments we were reviewing and embedded them in our own teams. </p><p>Since the amateurs can do the job, does this mean the end of professional services? Can we accept that we are all finally equally good? No, and no … definitely not.</p><p>Actually, we have been dealing with fields of amateurs and professionals forever. For example, we still want our doctors to go to medical school, but maybe we check with mom before running to the emergency room. The same happens when the car "is making a sound," and you have to decide between taking your car to your brother or to the shop.</p><p>Sometimes it is not even our decision. It may happen as we listen to our neighbor's tribute garage band when we arrive home versus going to a concert of the band they cover. </p><p>In all these examples, we simply exist on a tiered ecosystem that starts with "elementary school art class," moving into "mass-made available at the supermarket," to "crafts," to "fine arts." The environment is large enough to accommodate all these options, and the people playing in each tier are the first to recognize their skills and limitations.</p><p>So how do auditors navigate this new ecosystem when it comes to our professional or citizen developers and data scientists? Perhaps we deal with it the same way we treat other end-user computing tools and teams: We try to understand the scope and impact of the work to be performed and make sure it is appropriate.</p><p>Basically, if your proposed bot will simplify something you already are doing, go ahead and craft it with your friendly neighborhood data scientist. If all hell could break loose when the process is not completed, then make sure the new tool is developed with the support of your IT team, following all their development stages, and perhaps even buy a plug-and-play solution.</p><p>Doing this will enable you to use your citizen/self-service tools and experts to get started, run proofs of concept, and complete rapid prototyping and test deployments to keep pushing performance and sometimes enable new opportunities or skills for you and your team. If your proof of concept is effective and transformative, you may graduate it from your "science fair" installation into an institutional tool established in collaboration with your IT team and other experts. </p><p>Is this consistent with your experience? Let me know in the comments.</p><p> </p><p>Francisco Aristiguieta, CIA, is responsible for internal audit analytics at Citizens Property Insurance Corp. in Jacksonville, Fla.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Francisco Aristiguieta | 0 | | | |
| Anecdotes as Evidence, Stories as Truth | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/Anecdotes-as-Evidence-Stories-as-Truth.aspx | Anecdotes as Evidence, Stories as Truth | <p>Let me tell you a story.</p><p>No. Wait a minute. Rather than tell a story, let's talk about stories.</p><p>I've been going through my old blog posts, and I realized how often I've not only used the phrase "Let me tell you a story," but how often I've started posts with that phrase.</p><p>And there's a good reason for this. Nothing is as powerful as story. Nothing is as powerful as the anecdote that makes the point, the memoir that shows how it was done, the reminiscence that exhibits a practice, the account that uses the specific to make a point about the general. The best way to make a point — the best way to persuade the listener — is not by quoting facts and figures, but by coming up with a story that resonates with that listener and provides a touchpoint between the individual's experiences and yours.</p><p>Think about presentations you've attended. Now think about the ones that really stood out. Do they stand out because of the specifics contained within the presentation — the facts, figures, data, and evidence? Or do they stand out because the presenter was able to use stories and examples to make the dry dust of the details come to life?</p><p>Let's use Agile as an example. I sat through a number of presentations and read a few books trying to get a grip on what was being described. And while all of them laid out the process and concepts well, they didn't click. Then I read a book that did more than just lay out the process; it told the story of how Agile was used in that organization — stories about the process and the successes. And it all came together for me; it came to life in a way that all the other attempts had been unable to do.</p><p>Let me give you another example. I've done a lot of work around process mapping and I can go on forever telling you about how it can help build relationships with the client. However, no amount of verbiage I might spill is as forceful as this one anecdote. At Farmers Insurance internal audit, we spent a year completing process mapping projects in every claims office. We started revisiting the offices and, during one of our first visits, a clerk jumped up and, with complete sincerity said, "Oh boy, the auditors are here."</p><p>Story is more impactful than the underlying information.<br></p><p>All of the preceding leads to this point. What is true regarding how we are impacted is just as true for any one of our clients. This is a drum I've beaten in the past. But as Todd Rundgren sang, "I just want to bang on the drum all day." And this is a drum well worth beating. In all situations, for all clients, story is more impactful than the details, facts, and figures, no matter how accurate and, to us, compelling those details, facts, and figures may be.</p><p>Throughout the audit process, we can discuss every detail, every statistic, every bit of information, and every element of incontrovertible minutiae we know to be important. But we will receive nothing back but stony glances, blank stares, and the subtle sounds of our clients' snores.</p><p>You have to know what the story is that you are trying to tell — the story behind, around, and in front of all that information. And then make that story the star. Yes, the underlying value must be there, but the story is the big deal.<br></p><p>Story should permeate the audit process. At the outset of the audit, that story may be about making the department better. During the audit, that story might be about the individuals within each department working together to better understand things. At the end, that story might be about how and why things will change.</p><p>And, no, none of those are particularly compelling. But they are a start. For example, at the end of the audit the overall story is about making change. But the more compelling story is told around the client's customer. That story is not about a delayed process, but about how change will help ensure those customers get the value they desire.</p><p>Recently, Seth Godin put it this way. "What evidence would <em>you</em> need to change your mind?" If we are honest with ourselves, we know that the answer is not evidence, but a compelling story.</p><p>Anecdotes are not evidence. But people treat them that way. (Just look at social media.) And stories are not the truth. But they resonate with people more than the truth. Recognizing and accepting this will help you understand how best to persuade others when change is needed. Because, after all, we are in the persuasion business. And one good story beats out any volume of evidence.</p><p>So, let me tell you a story…<br></p> | Mike Jacka | 0 | | | |
| #IAm Jaimie Yang | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/IAm-Jaimie-Yang.aspx | #IAm Jaimie Yang | <p>"Ready … hup!" means I am taking a 15-foot jump off a platform and flying through the air.</p><p>I am, of course, talking about my hobby of flying trapeze. In 2015, I saw a Groupon for flying trapeze lessons and convinced my friend to try it with me. The feeling of anticipation, the initial rush of adrenaline, and the peaceful, calm moments at the peaks of my swing put the biggest smile on my face. I did not consider myself an active person at the time but proved myself wrong by falling in love with not only flying trapeze but other aerial arts, as well.</p><p>Of course, I am also an internal auditor at heart. That means when I explain my hobby to my co-workers, I draw a diagram (see below) of not only the rig itself, but also the controls in place (robotic shark notwithstanding, and as a quick note on No. 6, a certified rigger inspects the rig at least monthly and replaces parts as they start to show wear).<br></p><p>Here is how a typical flying trapeze class goes:</p><ol><li>You climb up a set of ladders that takes you to the board. Before you climb, you clip into safety lines that function like a seat belt. If you were to slip and drop, the safety lines will stop further movement past the initial point.<br><br></li><li>At the top of the board, the board worker swaps your ladder lines for the ones attached to the trapeze rig. While the board worker holds on to the back of your belt, you step up to the edge and grab the bar. "Ready" means bend your knees and "hup" means you jump (or bunny hop) off. The board worker will hold on to you until your feet leave the board. The word "hup" is used in lieu of "go" as "go" and "no" sound pretty similar.<br><br></li><li>You're flying! The lines puller on the ground will instruct you through your trick. For your first class, you learn how to do a knee hang. Your calls are: legs up, hook your knees, hands off! You're clipped into those safety lines the whole time and the lines puller can assist you with building height/momentum or slowing down your descent as needed.<br><br></li><li>For the last part of each class, you throw your trick to the catcher. The catcher is on the opposite bar with his or her legs wrapped in a secure position appropriately called the catcher's lock. You perform your trick and trust that the catcher will be there.<br><br></li><li>When you are done with your trick or catch, you let go of the bar and land in the net. From when you jumped until when you land, you have spent approximately 20 to 30 seconds in the air, but I can tell you from experience that it feels like it is much longer!</li></ol><p>
<img src="/blogs/Your-Voices/PublishingImages/yang-trapeze-whiteboard-445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:333px;" />
</p><p>After successfully catching your knee hang, you learn more tricks such as the pike whip, straddle whip, and split. You also will gradually be introduced to new techniques such as how to take off without a belt hold, how to kick in time with the swing and build height on your own, and how to control your body position to turn and bounce in the net. As you become more advanced, you can even learn how to turn around mid-air to return to the board after your catch and how to fly without lines.<br></p><p>Trapeze is my favorite way to wind down and start my weekend. There is something freeing about flying through the air and literally just letting go. I feel both physically and mentally stronger when I try something new or finally nail the trick that I've been working on for weeks. I'm not one to back down when it comes to a challenge, and doing something that I didn't know I was capable of doing brings such a strong sense of accomplishment.</p><p>While I am definitely addicted to the feeling of flying and relish the fact that there are endless things to learn, what keeps me coming back is the genuinely warm and supportive community. I have flown at a few rigs across the country as well as travelled to one in the middle of a Costa Rican rainforest with others from my local rig. Everyone I have met is just as excited as you are to celebrate your successes, and there is no shortage of encouragement when you are working to figure something out.</p><p>I encourage everyone to get outside of their comfort zone, and if you are ever in Dallas or if you fly somewhere locally and would like a friend to go with you, let me know!<br></p><p>
<br>
</p><p>Jaimie Yang, CIA, CPA, CISA, is an IT audit manager at Raytheon Co. in Dallas, and a 2016 <em>Internal Auditor</em> magazine Emerging Leader..</p><p>
<em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | Jaimie Yang | 0 | | | |
| Building a Better Auditor: The Funny Thing About Humor In Internal Auditing | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-The-Funny-Thing-About-Humor-In-Internal-Auditing.aspx | Building a Better Auditor: The Funny Thing About Humor In Internal Auditing | <p>There is a quote by Mahatma Gandhi: "If I had no sense of humor, I would long ago have committed suicide."</p><p>No, I am not saying I would do that, but my life would be insipid without a sense of humor. It is a weapon against troubles, a valuable tool for conflict management, and an integral part of my life.</p><p>Well, you might ask, "But, what should we do with your weapons and tools? Why should we waste our valuable internal audit time on reading this?"</p><p>OK, have a little patience, dear friends. The thing is, I not only use humor in my personal life, it also is an integral part of my internal audit practice, and I highly recommend you use it in yours.</p><p>So, when and how might internal auditors use their sense of humor? For sure, the first and main application is communicating with audit clients.</p><p>Unfortunately, conflicts are inevitable in audit work. Audit clients sometimes disagree with the findings reported, and even more frequently, they disagree with the wording used to describe the observations. In that case, auditors definitely need our good old "diplomacy and assertiveness." We have to be able to persuade politely, and one of the methods to do that is through humor.</p><p>I don't know whether you have been informed or not, but I'll share it with you: Audit clients are people, not robots or extraterrestrials. That is why, even in cases when they are ready to "kill" you for the issues observed and reported, trust me, humor may — and probably will — rescue you from that horrible fate.</p><p>Just stay calm, put yourself in the client's shoes, and start smiling. Find a reason to make a joke. The best beginning for making jokes in a heated debate is to laugh to yourself.</p><p>However, always remember that there is a fine line between a good and kind joke and a self-depreciating one. It is an art to balance between these two concepts. The goal is to make an audit client respect you, not to take you lightly.</p><p>For instance, you may use some form of paradoxical intention, which is a counseling technique in which the counselor intensifies the client's emotional state to help that person understand the irrationality of the emotional reaction. What I mean here is that you may laugh at the negativity of your own report, saying to yourself, for example, "Come on guy, why are you so negative?" Or, while pretending you are talking about some third party, you could ask the audit client, "Does this guy have a grudge against you?"</p><p>In my own practice, this method has always worked. For sure, there might be cases when an audit client will not accept your attempts to ease the tension.</p><p>Where else might internal auditors use their sense of humor? Among your teammates, of course. Joke, smile, and laugh — it is the best way for team building:</p><ul><li>If you are a manager, your sense of humor will get you closer to the staff. It will show the employees that you are not an alien being from another world. Nevertheless, managers should take certain precautionary measures. Your jokes must be kind and in no way offensive or abusive. To manage this kind of situation, you may use the method of laughing to yourself again, providing that your jokes are not too self-depreciating. Moreover, to keep fairness and equality, you must be ready to accept the jokes of your subordinates.<br><br></li><li>If you are a staff auditor, your sense of humor will simplify the process of becoming part of the team. Precautions similar to those noted for managers should be taken in this case, as well. One more tip: Be especially attentive about your jokes with internal audit managers. You never know how vindictive your boss is.</li></ul><p><br>In my own practice, I make jokes despite the status of a colleague. If there is a space for a good joke, I do it — no matter if it is with a low-level employee or a senior manager. Certainly, it does not mean the only thing I do is tell jokes (sometimes I work and speak seriously), but I really use my sense of humor as much as reasonably possible.<br></p><p><br></p><p>Aziz Fataliyev, CIA, is president and chairman of the board of IIA–Azerbaijan, and head of the internal audit department at Yelo Bank OJSC in Azerbaijan.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | Aziz Fataliyev | 0 | | | |
| Get To Know Your Customers Day | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/Get-To-Know-Your-Customers-Day.aspx | Get To Know Your Customers Day | <p>Did you know that today (as this is posted) is "Get To Know Your Customer Day"? No? Seriously? How could you have missed so monumental and important a day? Well, to be honest, I wouldn't have known either except that it popped up on my National Day calendar. Apparently, it is celebrated the third Thursday of every quarter and you can learn more<a href="https://nationaldaycalendar.com/october-21-2021-national-witch-hazel-day-get-to-know-your-customers-day-national-reptile-awareness-day-national-pumpkin-cheesecake-day-national-get-smart-abo/" data-feathr-click-track="true" target="_blank"> here.</a></p><p>Get to know your customers. What a great idea. And isn't it fascinating that the concept is so foreign to some people that a day has been identified to specifically emphasize the need — a day that is celebrated quarterly.</p><p>Which raises basic questions every audit department should be asking. Do you know your customers? Do you talk to them? Do you understand their business? Do you know the risks they face and the associated responses? Can you explain what they do and how it impacts the work you do? And the most basic question — one some audit shops never ask — do you know who your customers are in the first place?</p><p>All good, valid questions — questions that are the foundation for understanding our clients. But, as deep and complex as these questions may be, they are only the beginning. Really knowing our customers takes more digging, and more work.</p><p>In the description of <a href="https://nationaldaycalendar.com/october-21-2021-national-witch-hazel-day-get-to-know-your-customers-day-national-reptile-awareness-day-national-pumpkin-cheesecake-day-national-get-smart-abo/" data-feathr-click-track="true">Get to Know Your Customer Day </a>and an<a href="https://nationaldaycalendar.com/7-great-ways-to-know-your-customer/" data-feathr-click-track="true"> associated article,</a> the authors provided some suggestions on how to better know one's customers. Some of these suggestions are obvious. But others, at least when viewed through the lens of internal audit, take on a different perspective. Let's explore a few.</p><p><strong>Ask your customers questions.</strong> This may fall in the "Tell me something I don't already know" category, but do you actually ask your customers questions that are important to the customer? Or do you only ask questions that are important to you? The article continues, "Find out what services and products they need." Have you thought in terms of services and products you might supply to fill the customer's needs? Not just doing audits, but services and products that internal audit might provide to add value to the customer.</p><p><strong>Follow up on a purchase. </strong>I'm going out on a limb here, but I'm guessing that, if there is any follow up after the audit, it takes the form of following up on corrective action or sending out a survey. We'll get to surveys in a second, but do you actually talk to the customer after internal audit services are provided to determine if those services worked for that customer? Such conversations, done correctly, will not only show what is right or wrong with the services being provided, but will also provide a better understanding of the customers themselves.</p><p><strong>Conduct a Survey.</strong> A lot of internal audit shops send out surveys. However, most of those departments seem to do little more than collect the data as a measure of success. "This pie chart will show that we succeeded by reaching our goal of an average survey result of 3.1415926." Such measures are, essentially, meaningless. And they do nothing for the customer. For surveys to have meaning, two things should take place. First, ensure customers know the surveys are taken seriously by internal audit leadership. If you do not get a response, follow up. And continue to follow up (nicely), taking those requests up the internal audit chain of command, as necessary, to demonstrate that leadership cares about the results. Second, when you get those results, follow up with the respondent — particularly if the survey indicates there may be issues. From personal experience I know that such follow-ups make a difference in working with customers in the future (See "Follow up on a purchase" above).<br></p><p><strong>Network with other businesses.</strong> In our case, "other businesses" would be networking with other audit departments, something the profession does pretty well. In particular, most of us use IIA meetings, conferences, and seminars to learn how other audit departments get their work done. But how many of us are using those opportunities to learn about best practices in getting to know the customer?</p><p><strong>Create a Customer Profile. </strong>As you learn about your customers, start keeping a record about them — what has worked; what hasn't worked; how they respond; their likes, dislikes, backgrounds, hobbies, interests, etc. Note that it is a thin line between informative and creepy/illegal. But walk that line and you will have information that can be used by anyone in the department to better interact with customers. (To get more information on this approach, look up Farley files.)</p><p><strong>Hold a Special Event. </strong>I've told this story way too many times, but it is good and worth repeating. We would hold an annual internal audit open house. Trust me, offer free food and people will show up. We would have lines out our doors as we met and greeted people. We recruited new auditors, we had requests for audits, we put faces to our clients, and the clients put faces to the internal audit department. And, ultimately, we built rapport. They got to know us, and we got to know them. For you, a special event might be an open house, a poetry slam (yes, we did that once), selling off sections of the wall outside your office to be painted to raise money for a charity (did that one too), or anything else you can think of that puts a human face on internal audit while helping you learn about your customers. Find what works for you and do it.</p><p>Here's the ultimate point. We use the word client, we use the word auditee, we use the word … well, I can't use that word in a family blog post. Call them anything you want, but they are all customers. And we have to learn to reach out to them not as auditees, not as clients, not as people who have to accept our services, but as customers whose needs we can fulfill. That means making the effort to do more than just audit them; it means reaching out as one group of human beings to another to understand their motivations, needs, and the ways we can all work together to succeed.<br></p> | Mike Jacka | 0 | | | |
| On the Frontlines: Not All Findings Are Bad | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Not-All-Findings-Are-Bad.aspx | On the Frontlines: Not All Findings Are Bad | <p>Early in my internal audit career, my manager asked me to begin an audit closing meeting in front a large group with the good remarks we noted during the audit. I was quite embarrassed, as I was not prepared for that. I probably managed the situation, but not very well. "Be fair with your auditee," my manager said later. "If they are not all bad, what stops you from telling them that?"</p><p style="text-align:justify;">That was a life lesson for me.</p><p>The internal audit report is the only document that presents the outcome of a practitioner's entire audit work to the reader. The audit plan, outcomes of risk assessment, preliminary study, data analysis, control testing, and interviews do not communicate anything, themselves, unless they result in an audit finding. It is the internal audit report that compiles the audit findings, highlighting deficiencies and nonconformities of an audit client's function that require management's attention and action.</p><p>Does all audit testing produce a negative result? Obviously not. In most cases, the opposite is true.</p><p>Internal auditors frequently find that most of the audit client's activities are running smoothly, and therefore do not lead to any audit finding. These facts, which indicate the existence of good controls in the client's processes, are audit findings in the positive sense and should be included in internal audit reports.</p><p>Unfortunately, internal auditors never report these favorable findings. Instead, the findings are buried in the audit files for future reference, often indefinitely.</p><p>However, internal auditors should balance the audit report by mentioning these positive outcomes of their review. Although a traditional audit report leaves little or no room for positive remarks, auditors should consider accommodating them briefly. For example, before going into the detailed audit findings, auditors could mention the important controls they tested that were working well. Trying to balance the positive with the negative can be tricky, though, because focusing too much on the positive may cause the audit report's focus to shift.</p><p>The positive remarks may be discussed in the audit closing meeting and even in meetings with the audit committee. Before starting discussion of the audit observations, the lead auditor or the chief audit executive may take a few minutes to acknowledge the good controls and best practices that auditors came across during testing. This is particularly important if there have been improvements from the previous audit.</p><p>I strongly advocate including positive remarks in an internal audit report not only to offset the negative impression of the readers, but also to give them a fair impression about the audit client's function by noting that "It is not all bad." Moreover, positive comments help build a good relationship between the auditor and client. They can give the client a positive impression of internal auditors and the audit process, as well as help them accept the auditor as a business partner who works fairly to assess their function and make encouraging comments, where appropriate.</p><p>However, positive remarks in an audit report, closing meeting, or audit committee meeting should be succinct and kept to the bare minimum. They do not require the same level of elaboration and discussion as audit findings. However, auditors should bear in mind that achieving a balance is important, considering the readers' primary requirement of knowing the gaps in the process under audit.</p><p>As the term "reasonable assurance" is used for audit opinion, the same applies for positive audit remarks. The readers should be made aware that the positive notes are "reasonable" based on the evidence and samples examined by the auditors.</p><p><br></p><p>Tahsinur Rahim, CIA, CRMA, is head of Audit and Compliance at Guardian Life Insurance Ltd., in Dhaka, Bangladesh.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Tahsinur Rahim | 0 | | | |
| A Change Would Do You Good | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/A-Change-Would-Do-You-Good.aspx | A Change Would Do You Good | <p>Whew. Been a crazy year, hasn't it? And crazy times have brought about a crazy amount of pontification on what has and will be happening. Don't know about you, but I never again need to hear the phrase "unprecedented times," "new normal," or any of the other recoined cliches we are seeing and reading everywhere.</p><p>However, fearful that the pitchforks and torches will be brought out with the spouting of another cliche, let me throw out another bromide. "The only constant is change." Sick of hearing it? Yes. Any less true for its over repetition? No.</p><p>So, if we all know change is constant, how were we in internal audit all caught so flat-footed?</p><p>Let's begin by admitting that, in the before times, we knew change was happening/going to happen. There was much talk and discussion about it in internal audit circles. Unfortunately, we seemed to think such change was far enough away that we need not take immediate action. And change, when we did implement it, happened at what we now can recognize as a glacial pace.</p><p>And then this black swan — a black swan so black it made all others look gray — flew into our lives. And change not only became a reality but accelerated beyond our wildest expectations. It hasn't been pretty.</p><p>The good news is that these events forced some changes that we in internal audit should have been implementing all along. The bad news is that much of the change we are trying to accomplish is a function of us doing little more than just trying to catch up. As a result, we now stand lip-deep in the muck, trying to find our way back to solid ground.</p><p>In spite of the gloom and doom that may seem to permeate the previous, it is not my objective to slap our collective wrists for not being ready. Yeah, we knew changes were coming (were happening) and we should have already been moving in the right direction. And, yeah, change rushed upon us so fast we did our best deer-in-the-headlights imitation. And, yeah, we need to dance as fast as we can to catch up.</p><p>However, we also need to learn lessons from our failure. There is a future beyond what is now occurring and, while we address our current predicaments, we must also prepare for the changes still to come. (Change does not stop just because it happened so quickly in the past.) While it is hard to focus on that future right now, we have to remember that the time to prepare for change is not when it occurs, but before it comes a-calling.</p><p>And therein lies the important point. We could not have predicted the specific changes we are now going through. All we could have known was that change, of some sort, was going to occur. Similarly, we cannot really predict the specific changes that will come. We can only know that change will occur. And that is why the concept of "managing change" really doesn't make sense. You cannot manage the unknown. Instead, rather than try to manage change, we must focus on using change, current and future, as an opportunity for growth and improvement — to prepare ourselves to ride the wave of change.</p><p>(And at this point I need to give you a reference. Some of the concepts I'll be talking about, including the prior discussion of managing change, come from the <em>Harvard Business Review</em> article, <a href="https://hbr.org/2021/09/a-futurists-guide-to-preparing-your-company-for-constant-change" data-feathr-click-track="true" target="_blank">"A Futurist's Guide to Preparing Your Company for Constant Change"</a> by April Rinne. You should be able to access it, but HBR does put a limit on how many articles you can view, so keep that in mind.)</p><p>The first thing every internal audit shop needs to do is change the mindset related to change. Too often, change is perceived as a risk. So, the department focuses on trying to mitigate that risk, ultimately removing the value any change might provide.</p><p>Don't believe me? Think about what it took/what it takes to implement any change in your department. How many questions are asked? How many approvals are required? How many "changes" are reformed and reformatted to the point where no change is recognized? And how many suggestions actually make it through?</p><p>This is the attempt to manage change. And it is why we do not take advantage of the opportunities that change provides. And it is why we are unprepared when the world changes around us.</p><p>This change in mindset has to start at the top. (Thank you, Captain Obvious.) It has to be preached from the top. Everyone has to understand this new mindset and be told again and again by leadership that the department wants to look forward, that it wants to prepare for what is to come, and that it now wants to accept change as something to be embraced rather than avoided. And then, the most important aspect of any mindset change, it has to be supported. Another cliché I hate, but one that is true: You must talk the talk, and then walk it. Our profession's history of risk-aversion and change-squelching means that even the slightest wobble in support may make all efforts moot.</p><p>As part of these efforts, leadership should be looking for change agents. Lurking within the department are people already chomping to be let loose — to make things better and different (not necessarily in that order.) They have to be given the freedom they need to do the things they dream. Some may not believe a different mindset has arrived and may hide. But they have to be given the chance to come forward and lead the department into new and valuable areas. Watch carefully. Leadership comes from anywhere.</p><p>Finally, the article discusses the concept of having someone assigned to "change-readiness." As you find those who want change, you will also identify people who can see the broader pictures — the ones who are looking at the future of internal audit within the perspective of your department; the ones who are seeing the tools, techniques, and adaptations that will make your department more effective; and the ones who can help the department prepare for a change-heavy future. Find that individual and give him or her the authority to start making your department change ready.</p><p>Let me note that I have addressed much of the foregoing to audit leadership. But change seldom comes from the official leaders; it comes from those who can see the work that is being done while seeing the opportunities. That means that this message is really for every auditor in every position. Change can be driven from anywhere. Yeah, it's a lot easier if leadership is right there with you. But a leader can come from anywhere. And you can be that leader.</p><p>Ultimately, this all comes down to a phrase that internal auditors have thrown around for years — internal auditors as change agents. But we have talked a lot and done very little about it. In fact, many professionals don't buy into our role as change agents. They see it is a violation of our independence and objectivity. </p><p>Sorry, but it is not a violation. (And I'm not going into that can of misinformed worms right now.) But becoming change agents — embracing change and looking at it as an opportunity rather than something that must be "managed" — is the way internal audit can remain relevant, not only watching for change, but leading change in our profession, in our organizations, and in our industries.<br></p> | Mike Jacka | 0 | | | |
