Your Voices



U.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radar
<p><img src="/2021/PublishingImages/US-SEC-Environemtnal-Social-Governance-Risks-Better-Be-on-Your-Radar-445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Organizations are under increasing pressure from shareholders, regulators, and other key stakeholders to report on environmental, social, and governance (ESG) issues. The movement to accurately measure and report the impacts that organizations have on the environment, climate, natural resources, workforce, and community (and their related ethical implications) is rapidly changing how the public interacts with and values businesses and government institutions.</p><p>The business world is clearly responding. In 2011, 20% of companies on the S&P 500 issued reports related to sustainability, according to the Governance & Accountability Institute. Today, that number is 90%. It is not surprising, then, that measuring the accuracy of this new discourse has come under increased regulatory scrutiny.</p><p>The U.S. Securities and Exchange Commission (SEC) announced on March 4 that it has created a 22-member Climate and ESG Task Force within the Division of Enforcement to monitor how organizations report their climate- and ESG-related disclosures to investors. Based on that announcement, it is clear the task force is focused on enforcing reporting rules.</p><p>“Proactively addressing emerging disclosure gaps that threaten investors and the market has always been core to the SEC’s mission,” Acting Deputy Director of Enforcement Kelly L. Gibson, who will lead the task force, said in the SEC’s statement. 
“This task force brings together a broad array of experience and expertise, which will allow us to better police the market, pursue misconduct, and protect investors.”</p><p>Internal auditors are well-positioned to support their organizations in this evolving risk area. While most regulations on ESG reporting are relatively new, the processes for evaluating the effectiveness and efficiency of any regulatory compliance regime are well-established — validating that reporting processes are complete, accurate, timely, and relevant.</p><p>The first step should be for internal auditors to update their risk assessments in this area and consult with stakeholders on the board and in the C-suite on whether changes are needed in the audit plan. The IIA published an <a href="" data-feathr-click-track="true" target="_blank">IIA Bulletin</a> on this subject this week to support its members.</p><p>The SEC’s action provides a prime example of the importance of two issues that I have written about repeatedly over the years. First, the speed or velocity of risk is increasing. For many organizations, ESG was not on the radar as little as five years ago. Today, it is quickly rising as a top risk with regulatory, reputational, ethical, shareholder, and operational implications.</p><p>However, internal auditors may not yet be in the best position to support their organizations on this complex risk overall. According to The IIA’s <a href="" data-feathr-click-track="true" target="_blank">OnRisk 2021</a> report, “All parties are reasonably well-aligned with regard to organizations’ capability to manage environmental, social, and governance risks, which collectively comprise sustainability. However, confidence is fairly low. CAEs rate their personal knowledge about this increasingly relevant risk category as very low.”</p><p>The second is agility. 
Internal auditors must be ready, not just to respond quickly to changing stakeholder demands on risk assurance, but to lead the way when risk assessments show changes to likelihood and impact. The SEC’s new zeal to “better police the market, pursue misconduct, and protect investors” is a clear call for internal auditors to inform and educate stakeholders on this evolving regulatory risk.</p><p>Beyond the immediate response to changing regulatory risks related to ESG, internal audit leaders should firmly establish their role on the issue within their organization. Last month, The IIA contributed a letter to a hearing of the U.S. House of Representatives Committee on Financial Services titled, “Climate Change and Social Responsibility: Helping Corporate Boards and Investors Make Decisions for a Sustainable World.” In that letter, I made the case for internal audit playing a critical role in sustainability beyond simple assurance on reporting.</p><p>“While worthwhile, that narrow view fails to address the natural inhibitors to organizations to do more to comprehensively tackle this critical issue,” according to the letter. “Internal audit, as an objective and independent provider of assurance and advice with the purpose of continuous improvement, is ideally positioned to help organizations find the motivation and the means to embrace and incorporate sustainability measures that can advance both organizational performance and broader social, economic, and environmental objectives.”</p><p>Indeed, internal auditors are generally tasked with supporting management of key operational risk areas, including strategic, legal, and compliance, which historically account for up to 80% of an organization’s risk portfolio.</p><p>Internal audit cannot find itself on the outside looking in on such critical risks. 
It must improve its understanding of this issue by educating practitioners about emerging risks related to sustainability and how it fits into an organization’s operational and strategic priorities. It also must clearly articulate the value of “independent assurance” on ESG reporting, as regulators focus increasingly in this area.</p><p>As always, I look forward to your comments.</p>
Richard Chambers
On the Frontlines: Blockchain Is the Next Disruptive Frontier
<p>The 21st century has seen numerous information systems technologies arise in science, automotive, aviation, and supply chain, among other fields. But perhaps one of this century's most disruptive technologies is blockchain, which dates to only 2008. That was when an individual — or group of individuals — using the pseudonym Satoshi Nakamoto published a white paper entitled <em>Bitcoin: A Peer-to-Peer Electronic Cash System</em> to address the threat of "double-spending" in digital currency.</p><p>In 2009, the Bitcoin network was launched. Unlike traditional banking systems, Nakamoto's decentralized, peer-to-peer network allows participants within that network to authenticate the transactions of each user without the support of a trusted intermediary or agent, such as a bank.</p><p>The advent of the technology engine behind bitcoin started to change the way some organizations conducted e-commerce and eventually some of their internal processes. Over the next decade, private and public sector organizations started adopting blockchain's distributed ledger technology for services including electronic commerce, procurement, registration, election polling or voting, clearing and settling customer transactions, managing logistics and supply chain, and fraud prevention.</p><p>Blockchain is also revolutionizing the conventional ways of administering various government functions. An example is the Republic of Estonia, the first country to use blockchain to provide e-residency and notarization services to its citizens with the aid of an Estonian e-ID. This platform enables Estonian citizens to register and manage a company, file taxes, access banking services, and pay third-party service providers remotely. 
Similarly, the government of the United Arab Emirates has been pursuing directives to use blockchain platforms to issue government documents starting in 2020.</p><p>Many top-notch global organizations are also using or planning to use blockchain as a secure, robust, and cutting-edge technology to better serve customers. The list includes well-known companies such as Bank of America, IBM, J.P. Morgan, Royal Bank of Canada, and Walmart. The <em>Statista</em> publication on June 9, 2020, puts the global market capitalization of blockchain from 2018 to 2020 at $3 billion. Projected blockchain revenues from 2021 to 2025 range from $7 billion to over $40 billion, signifying a huge investment in the technology.</p><p>In a nutshell, blockchain is a peer-to-peer distributed digital network with an immutable, decentralized shared ledger that allows network participants to reach transaction consensus without a trusted intermediary such as a bank, escrow company, or regulator. Some of the most salient characteristics of blockchain technology include:</p><ul><li>A decentralized, distributed network that not only does not require a central repository but also allows a very high degree of network fault tolerance, thereby eliminating network single points of failure.</li><li>Cryptographically based, tamper-evident, and tamper-resistant data storage, thereby rendering the data on the blockchain immutable.</li><li>Member group consensus-based data verification offering additional data integrity protection.</li></ul><p>Blockchains may be categorized into three major categories: public, private, and consortium.</p><p>Public blockchains — often referred to as permissionless blockchains — are open to everyone. These public platforms are used for various cryptocurrency transactions, such as bitcoin, as well as other uses. 
A public blockchain, by virtue of being significantly larger than its private counterparts, tends to experience performance or scalability issues if the network continues to grow rapidly in size. </p><p>Private blockchains, on the other hand, are referred to as permissioned blockchains. With these private platforms, only allowed members may join the platform upon the approval of the access control administrator following verification of user credentials. An example of a private blockchain platform is Hyperledger Fabric, developed at the Linux Foundation.</p><p style="text-align:justify;">Consortium blockchains are hybrid blockchain versions where multiple organizations participate in managing the network. In this model, one or more entities may control the network, thereby causing a reliance on a third party for business transactions.</p><p>The tamper-proof attributes of blockchains, leading to immutable sets of transaction records, represent a higher quality of evidence for internal auditors. Blockchain technology will impact the performance of the audit engagement because of its attributes, as the technology can seamlessly complement traditional audit techniques.</p><p>Furthermore, various fraud schemes related to financial reporting, such as the recording of fictitious revenues, could be avoided or at least greatly mitigated. Frauds related to missing, duplicated, and identical invoices also can be greatly curtailed.</p><p>As a result, the advent of blockchain can enable auditors to reduce substantive testing as inherent and control audit risks will be reduced, thereby greatly improving an audit's detection of risk. 
As such, the continuing use and progress of blockchain may soon mean that auditors will need to deepen their knowledge of this disruptive technology.</p><p>Shaun Aghili, DBA, CIA, CRMA, CISA, is an assistant professor specializing in internal audit, fraud prevention, and information systems assurance at Concordia University of Edmonton in Alberta.</p><p>Harriet Tenge is a graduate student researcher in the Master of Information Systems Assurance (MISAM) program at Concordia University of Edmonton.</p><p>Maureen Okello is a graduate student researcher in the MISAM program at the Concordia University of Edmonton.</p>
Shaun Aghili
Building a Better Auditor: Building a Roadmap for Success
<p>Throughout your educational journey, your program major and its curriculum served as your roadmap to get from point A to point B — earning your degree. And earning your degree helped you enter the workforce and start a dynamic career in internal auditing. Now that you've landed your role, you might ask, "Where do I go from here? Where is my roadmap?"</p><p style="text-align:left;">Career journeys are no longer the linear progression seen in the business environment of years past; they include twists, turns, and even surprises, leading to rewarding growth and advancement opportunities. To seize the right opportunities, you must know where you want to go, the skills you currently possess, and the competencies you would like to develop. You must have a career development plan.</p><p style="text-align:left;">Creating a career development plan will help you establish both short- and long-term career development goals, identify strategies for enhancing the competencies necessary to achieve those goals, and explore ways to leverage your strengths and talents within your current position to advance your career. Leveraging five simple steps, you can create a roadmap for your career.</p><h2>Step 1: Establish Your Starting Point — Know Where You Are</h2><p>Explore how you feel about your current role, brand, talents, strengths, weaknesses, and competency level. Be introspective and ask yourself: Am I satisfied with my role and how others view me? What knowledge, skills, and abilities do I bring to the table?</p><p style="text-align:left;">To better understand your knowledge and abilities, assess your current competency with The IIA's <a href="" data-feathr-click-track="true" target="_blank">Internal Audit Competency Framework</a>. 
Determine your competency level within the 22 knowledge areas among four disciplines: Professionalism, Performance, Environment, and Leadership and Communications.</p><h2>Step 2: Set Your Direction — Identify Where You Want to Go</h2><p style="text-align:left;">Remember what it felt like in college once you determined your major and knew your end goal? Career development planning can provide you with that same sense of direction. You can pinpoint both interim stops and the ultimate destination for your career over the next five years while building your plan. Some simple actions to help you set your direction include:</p><ul style="text-align:left;"><li>Discuss career opportunities with supervisors, colleagues, and mentors.</li><li>Share interests and seek insights on their perceptions of you, your performance, and your potential.</li><li>Reflect on your current organizational environment. How is it evolving to meet stakeholder needs? How are expectations of your role and function changing, and how can you add value?</li></ul><p style="text-align:left;"><br>In addition, ask yourself these questions to set your direction:<br></p><ul style="text-align:left;"><li>Is my immediate focus on developing new skills to enrich my current job performance?</li><li>Is my next career step lateral, up, or over in another organization? What experiences do I need?</li><li>What specific role do you have your sights set on? What skills do you need to develop?</li><li>What do I want to achieve in the next one, three, and five years?</li></ul><h2>Step 3: Plan Your Journey — Explore How You Will Get There</h2><p style="text-align:left;">Remember, no two career journeys are the same. While you may move through the same sequence of roles as another person, you have unique strengths and development opportunities to leverage. Map your path by exploring the requirements and competencies for the positions you aspire to over the next five years. 
Focus on capitalizing on your strengths and addressing opportunities to get where you want to be. Review the job descriptions that interest you the most to:</p><ul style="text-align:left;"><li>Determine the knowledge, skills, abilities, and other characteristics you need to secure those positions.</li><li>Identify the specific skills, experiences, and knowledge you need to acquire for your year one, year three, and year five stops on your career journey.</li></ul><p style="text-align:left;"><br>Use the Internal Audit Competency Framework to identify competency gaps.</p><h2>Step 4: Map Your Route — Document Actions, Measures, and Timelines</h2><p style="text-align:left;">Commit to achieving your career goals — document the specific actions you will take, timelines for completion, and how each activity supports your objectives. Determine which activities will be most beneficial to you on your career journey. These activities might include:</p><ul style="text-align:left;"><li>Staying up-to-date on practices, knowledge, and emerging trends in the profession through online content, news sources, publications, and more.</li><li>Pursuing additional education, training, or professional <a href="" data-feathr-click-track="true" target="_blank">certification</a>.</li><li>Engaging in mentoring programs as a mentor or mentee.</li><li>Participating in networking and volunteering activities.</li><li>Assuming additional tasks or challenging responsibilities within your current role.</li><li>Leading collaborative projects, developing reports, and presenting findings.</li></ul><h2>Step 5: Monitor Your Progress and Course-correct</h2><p>Create an accountability mechanism by sharing your plan with a supervisor or mentor, and discuss your progress quarterly to stay on track with your career journey. 
You may encounter detours or roadblocks, or take side roads, so establishing regular check-ins with those you admire and respect can help you course-correct or adjust your plan to accommodate new destinations.</p><p>Remember, this is your plan. You are the only one accountable for success. It is the actions you take and choices you make that will move you forward through your journey. Adventures await.</p><p>Carrie Summerlin, CCSA, is vice president, Internal Audit Foundation at The IIA.</p>
Carrie Summerlin
Caution, Fear, and Control
<p>In 2004 there was an incident at Disneyland's Mad Tea Party. For those who do not know what a Mad Tea Party is, a quick primer. (And for those of you who dismiss this portion of our program because you do not like Disney parks, go find your child — the one dying in the lonely dungeon of your soul — let it out, and go play.) </p><p>The attraction (they are never called "rides") consists of 18 giant teacups that hold up to four riders. The guests (they are never called "customers") spin the teacups by turning the giant disc/wheel in the center of the vehicle. The teacups sit on three spinning turntables that, themselves, sit on one giant spinning turntable. This may seem a bit much, but it doesn't move that fast. (And we won't talk about the time, back in my college days, when two friends and I did our best to keep our cup spinning at maximum velocity for the duration of the experience except to say that there were no protein spills, another Disney sobriquet, but finding the exit was a bit of a challenge.) There are no height limits and, in spite of what a group of young punks might have tried to accomplish lo those many years ago, it is considered a "beginner" thrill attraction for children.</p><p>The 2004 incident involved a disabled man who lost his balance and fell out of a teacup. The guest didn't require medical treatment, nor did he hire an attorney. However, the incident happened shortly after Disney hired a new safety team and the scuttlebutt was that the new team was trying to prove themselves. They had already made safety-related changes in other areas of the park — some good; some not-quite-as-good. And in response to this incident, they reduced how fast the teacups could be spun by tightening down the ability of the center wheel to set the cups in motion. 
Unfortunately, the tightening was so severe that the cups would barely turn.</p><p>I happened to visit the park about a month later. My friends and I got in a teacup and, no matter how hard we tried, we could barely make it spin.</p><p>It was still a decent flat ride (as they are called in the industry), but the fun had been diminished by those so concerned for safety, so concerned for guest well-being, so concerned about a lawsuit, and so concerned about proving they could make an impact, that the experience took a back seat to caution and fear.</p><p>"My, what a fascinating story," you are saying to yourself. "There is no doubt that overcontrol came from overreaction. Thank goodness we internal auditors would never take such drastic and ridiculous actions ourselves."</p><p>"Nay, nay, I say." (And I can tell by the look on your faces that a couple of you saw this coming.) Here are just a few snippets from my personal experience:</p><ul><li><p>There was the requirement (written into procedure) that the accounting department ensure the desk of the person opening checks was not next to the person receiving those checks.</p></li></ul><ul><li><p>There was the requirement that check stock be locked up in branch offices, even though the only thing that differentiated this stock from any other paper in the office was a Farmers Insurance watermark.</p></li></ul><ul><li><p>There was the finding that the height of the seven-foot-tall fence securing excess computers be raised to close the two-foot gap between the fence and the ceiling, a fenced area that was located in a parking garage that required various authorizations to enter and computers so out of date that the company could find no one who wanted them.</p></li></ul><ul><li><p>There was the finding I wrote up in a rough draft stating that Home Office management would not know the Phoenix Regional Manager's travel plans because he was not completing trip request forms. 
(Thank goodness my manager yanked that one before it got any further.)</p></li></ul><ul><li><p>There was…</p></li></ul><p>Well, 30 years' experience; I've got a lot of stories. And I'm sure you have your own.<br></p><p>Why do we do this? What causes the overabundance of caution that results in Sisyphean controls? Why do we want a form filled out, paper locked up, desks separated, an extra couple of feet put on a fence? Why do we lock down the teacup in such a way that it can no longer provide the entertainment that is the purpose for its existence?</p><p>I'm sure there are lots of reasons. One I've talked about before is the fear internal auditors have that something will go wrong when they have been involved. We're in charge of controls. So, an error is a loss of control, and a smudge on our good name. (It isn't true. But it is one of those secret fears we harbor — nightmares of showing up for a test without having studied, being unable to find the room where the big meeting is being held, and reporting everything is OK when it isn't.)</p><p>But I think there is another issue that we overlook. It is one of the reasons the fears listed above take root, it is why the "gotcha" mentality still exists, it is why auditors hide behind their reports, and it is why internal audit, in many organizations, does not live up to the potential of our profession.</p><p>I believe that a sizable majority of internal auditors and internal audit shops suffer from an inferiority complex.</p><p>OK, I can already hear the outraged outcries against such defamation — the howls of protest, the screams from damaged egos, and the silent cry of hurt feelings. But ask yourself, how do you approach your organizational peers, how do you address questions about what the department has accomplished, how do you comport yourself in meetings, how do you act, and how do you work? Do you approach all instances with a quiet, unquestioned confidence? 
Or do you allow yourself to be defined by the questions that haunt us about our worth and how we are perceived?</p><p>Even for those of you who believe you have a strong audit department, strong people, and a strong brand, do these questions lie in the back of your mind, subverting your ability to step forward as boldly as you should?</p><p>Ask these questions … and be honest with yourself.</p><p>Even as we succeed, there seems to be the constant and consistent need to prove ourselves time and again. I don't know how this happens, but I see it in the actions of audit departments with which I have worked, and I hear it in the way people talk about the work they do. Maybe it is because we do not think we are seen as an integral function of the company, maybe it is because we are sometimes considered the ugly stepchild of accounting, or maybe it is because we seem to be in constant battle with the people with whom we are trying to partner — trying to help succeed. But it seems that there is an underlying attitude and need to constantly prove ourselves — to say, "Look at us, we're your friends, we provide value. Honest. Don't you like us?"</p><p>You want an example? I've always thought the involvement many internal audit departments have in the organization's U.S. Sarbanes-Oxley Act of 2002 projects is a problem. And it all stems from when Sarbanes-Oxley first reared its ugly little head and no one else wanted it. They turned to internal audit and we were so excited they noticed us cowering in our corner that we jumped at the chance. Now, too many audit departments are too involved in Sarbanes-Oxley. It has become an albatross around our neck that we cannot remove.</p><p>And this inferiority complex is at the root of why we always seem to find something wrong; it is why we have so much trouble issuing clean audit reports. Seriously, how many times have you reported controls were effective? 
And, if you did, did you hedge your bets by issuing memos or something about "unreported minor issues"? Did you still find something/anything? I know, we'd love to say that everything is clean, but there is always something to find, isn't there?</p><p>How often is what we find really important — even worth mentioning? And how often do we include it because our inferiority complex insists: 1) that we prove our value by finding something; 2) if we give them a clean audit and something goes wrong, they'll pick on us; and 3) a clean audit report means we didn't do anything? </p><p>I, like you, have preached that we provide value even when we issue a clean audit report — that we are providing assurance. But we cannot seem to escape the belief that a report with no findings is useless; and if the report is useless, the work is useless; and if the work is useless, the auditor, the department, and the concept of internal audit are useless. So, we better report something.</p><p>In fairness to the team that took such drastic steps with The Mad Tea Party, this attraction has had a history of incidents. Much of the information I've provided about this attraction comes from the excellent book <em>The People v. Disneyland</em> by David Koenig, a fascinating book that discusses that strange world where Disneyland and attorneys intersect. And in the book Koenig notes that the attraction had generated at least 20 lawsuits. So, it may be that the safety experts were reacting to past incidents as much as the one under scrutiny.</p><p>And, after a while, the ability to spin the teacups was returned — the controls were loosened. But the damage had been done. And many people began to have second thoughts about anything that team proposed.</p><p>But the final outcome isn't the issue here. What matters is how it all happened in the first place. 
And how a team, in an attempt to make themselves look valuable, came up with stringent controls that resulted in The Teacup Folly.</p><p>Yes, we have to prove our value. But we cannot/will not prove our value by working from a place of fear and insecurity. We have to do the work we know is valuable, and let that work stand on its own — not frantically prove value in every step.</p><p>In every audit, in every engagement, stop and ask yourself, "What am I trying to prove?" Of course we are trying to prove that controls are in place to ensure effective achievement of objectives. But are you also trying to prove something about yourself and your department? This is not necessarily a bad thing, as long as you are trying to prove that value in a positive way. But when you are trying to prove it as a way to disprove the doubts that are within yourself, you are working from a foundation of weakness.</p><p>Internal audit is a noble profession. Internal audit has value. And internal audit is an integral part of the success of any organization. And when we work from an understanding and belief in that foundation, then the work and the value will stand on its own.</p>
Mike Jacka
U.S. Navy Wants to Throw 70% of Its Internal Auditors Overboard
<p> <img src="/2021/PublishingImages/US-Navy-Wants-to-Throw-70-Percent-of-Its-Internal-Auditors-Overboard-445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />The courageous men and women who risk their lives for our national defense also face dangers from volatile risks, such as cyberattacks and the COVID-19 pandemic. In addition, citizens and taxpayers rightly expect efficiency and effectiveness in defense operations. So why would the U.S. Navy make plans to slash its internal audit budget by 70% over the next two years? </p><p>The proposed cuts to the Naval Audit Service budget would effectively dismantle the agency, leaving it with 85 employees compared with its current staff of 290. By comparison, the U.S. Army and Air Force audit agencies execute their missions with more than 600 staff members each. Not only would such a move by the Navy devastate critical assurance services, it would severely weaken oversight of a massive organization, whose budget was nearly $206 billion in taxpayer dollars in 2020.</p><p>What’s more, such a drastic cut would be foolhardy at a time when proposed budgets for the Navy anticipate a huge influx of tax dollars to accelerate shipbuilding. The proposed 2022 Department of Defense (DOD) budget includes about $167 billion for designing and building more than 100 ships over the next several years, according to published reports.</p><p>History tells us that such ambitious construction agendas are ripe for fraud, waste, and abuse. The Naval Audit Service has a proven record of effectively identifying such waste. Just in the last six months of 2020, the service published 19 reports, made 85 recommendations, and identified approximately $192 million in potential monetary benefits. 
That final figure is particularly relevant when one considers the Naval Audit Service’s entire 2020 budget was $46.1 million.</p><p>It is troubling, if not surprising, that the Navy would be willing to throw more than 200 dedicated and effective internal auditors overboard in such a short-sighted move. As an auditor within the U.S. Department of Defense (DOD) for more than 21 years, I often witnessed DOD audit functions suffer disproportionate cuts. While internal audit in government should not be immune to cuts, a 70% reduction in Navy audit oversight capabilities would be nothing short of reckless and dangerous. Whether by design or happenstance, another effect of such cuts would be to muzzle or starve the Naval Audit Service of its “watchdog” role. </p><p>The proposed DOD budget is a holdover from the previous presidential administration. I fervently urge the current administration to reconsider this penny-wise-and-pound-foolish approach to internal audit funding. Indeed, the new administration can affirm its commitment to accountability, oversight, and assurance over taxpayer dollars by ensuring all government audit services are properly funded. </p><p>To that end, I have sent a <a href="" data-feathr-click-track="true" target="_blank">letter</a> to the White House and Secretary of Defense requesting reconsideration of the proposed reductions to the Naval Audit Service budget.</p><p>During my years at the Pentagon, the word I heard most often was stewardship. Military leaders at the time constantly emphasized the importance of being good stewards of taxpayers’ resources. Good stewardship is more important today than ever. Our government institutions need reliable, independent assurance, which is essential to battling waste, fraud, and misappropriation; protecting taxpayer dollars; and serving the public good. 
Reducing effective oversight and assurance services at a time when the Navy is preparing to award billions of taxpayer dollars in construction contracts is not good stewardship. In my opinion, carrying through with draconian cuts to the Naval Audit Service budget is a recipe for disaster.</p>Richard Chambers
#IAm Jami Shine<p>When I tell people I'm an "acting auditor," I get some confused looks. I grew up acting in local community and professional theatre productions and started doing film and commercial work as a hobby in my mid-20s. Now with 40 <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">IMDb</a> credits and roughly 100 commercials under my belt, what strikes me the most about acting is how similar it is to auditing.</p><p>Stereotypes aside, auditors and actors have more in common than you might think. I was asked at my first job interview why I was pursuing audit when I'd spent my high school and college years working theatre jobs. Without hesitation, I answered, "They're both ways of bringing meaning to chaos." I'd never made that connection before that moment, but my 14 years in auditing have proven this statement true.</p><p>Some people assume that acting is about being fake or lying. But acting is primarily about analysis — discovering motivations, examining the sequence of a chain of events, and uncovering truth. Actors learn not to label characters as "good" or "bad" and instead seek to understand the complex factors that drive their choices. Stage presence is being fully present in that moment, listening with your full concentration, and reacting truthfully. (Sound like an audit interview to you?)</p><p>The skills I learned as an actor — thoroughly examining evidence versus leaping to assumptions, performing root cause analysis, listening actively, and asking "why" continually — are the same skills I use every day in internal audit.</p><p>Have you ever heard the acting joke, "What's my motivation?" I can verify that an actor will often ask why when he or she is directed to move from one side of the stage to the other. Sometimes directors want to retort, "Because I said so, that's your motivation." However, actors instinctively understand that all actions are driven by human desires and goals. 
</p><p>Internal auditors can apply this concept to understand control gaps and obtain buy-in for recommendations. Often, we focus only on the control failure and not on the root cause. By understanding our clients' motivations, we can better understand why the failure happened in the first place.</p><p>For example, perhaps the control owner was motivated by meeting pressing production deadlines and did not understand the control's importance. Or perhaps the control owner was motivated by a desire to be seen as competent and was too afraid to ask for clarification of a procedure he or she didn't understand. </p><p>Understanding these motivations is helpful in finding the appropriate remedy as well as in "selling" that recommendation to the audit client. Demonstrating to a client how implementing stronger controls can help it achieve its strategic objectives (its motivation) turns what could be seen as a negative (an audit finding) into a positive (a better chance of success).        </p><p>My audit career and acting hobby have both opened opportunities for me that I never dreamed possible. Remote access to client systems allowed me to spend three weeks shooting a feature film in Kansas City while performing control testing when I wasn't on set. My acting skills have come in handy on projects such as creating training videos for our store employees at QuikTrip or playing comedic characters in cybersecurity awareness videos. </p><p>Both passions have collided when I've gotten to emcee audit conferences, facilitate audit training, and give presentations. My background in improvisation has particularly come in handy when facilitating enterprise risk management meetings or navigating technical difficulties during virtual presentations. 
And while my acting hobby has definitely taken a back seat in recent years to my love of audit, I am confident I am a better auditor because of my experiences as an actor.<br></p><p><br></p><p>Jami Shine, CIA, CRMA, CISA, CRISC, is the corporate and IT audit manager for QuikTrip Corp. in Tulsa, Okla.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Jami Shine
On the Frontlines: The Threefold Value of Follow-up Reviews<p>In the <em><a href="" data-feathr-click-track="true" target="_blank">International Standards for the Professional Practice of Internal Auditing</a></em>, Standard 2500 informs about the final stage of the audit process, that of monitoring. While the standard outlines the responsibilities of the chief audit executive and internal audit function, itself, the action has a threefold effect.</p><h2>1. Provides Reassurance to Management</h2><p>The final report submitted to the audit committee and copied to senior management provides reasonable assurance of the assessment of risks and corrective action to controls and processes therein. However, the follow-up activity goes further in saying more about the same area of audited activity to management and the organization.</p><p>After reporting on the agreed-upon action between the internal auditor and client within the specified timeline, the recommendation of the auditor should be reported as closed. Risks identified during the audit process should have been mitigated and residual risks now should be at a manageable level.</p><h2>2. Highlights Management's Satisfactory Performance</h2><p>The internal auditor is encouraged to report satisfactory performance observed during the audit review. At the follow-up stage, tests performed by the auditor on the effectiveness of the corrective action that was implemented should highlight management's treatment of the risks that were identified. This action reassures senior management about risk mitigation as well as provides an appreciation of the repair work of the audited department.</p><h2>3. Underscores Audit's Value</h2><p>The corrective action (recommendations) proposed by the internal auditor, agreed on by the client, and eventually implemented underscores the auditor's value in the process. 
This is the stage where the quality assurance aspect of the audit process emerges, certifying the effectiveness of all the work done in the four preceding stages of planning, performing, communicating, and monitoring.</p><p>Many internal audit functions — especially small and mid-sized departments — find it difficult to perform follow-up reviews. Staffing constraints and sudden management requests take a toll on an already-full schedule. The main focus is getting the approved annual audit plan completed before year-end.</p><p>The internal audit function is a major player in effective corporate governance, and we must make <span lang="EN-TT">it</span> mandatory to allow management to rely on our activity. Follow-up reviews bring full circle the effectiveness of the work that internal audit started.<br></p><p><br></p><p>Larry Kowlessar, CRMA, is the senior internal auditor of the Urban Development Corporation of Trinidad and Tobago in Port of Spain.<br></p>Larry Kowlessar
Oh Yeah, Employees Are Important, Too<p>Do you ever find yourself reading something — a bit of learning, an illuminative piece, a collection of evidential tidbits, an analysis of juicy data, something from which you are gratefully gaining knowledge and insights — when you stumble across a factoid, an enlightenment, a piece of information that brings you to a full stop, causes you to reread to ensure the initial reading was correct, and sends you into a tirade, a paroxysm of epithets, a maelstrom of spittle, a frenzied St. Vitus' Dance of angered hysteria, a veritable fit of pique?<br></p><p>Such happened to me the other day.</p><p>I was doing additional research for a presentation on internal audit resilience that I will be giving at The IIA's GAM Conference this year. (Note: It's not too late. You can still <a href="" data-feathr-click-track="true" target="_blank">sign up</a> for what is always one of The IIA's top conferences.) I was calmly reading <em>Forbes</em> online when I came across an article from Deloitte titled <a href="" data-feathr-click-track="true" target="_blank">"Building Resilience: The Importance of Audit During Times of Disruption."</a></p><p>It's a nice piece. It has good information on the "value that C-suite, finance, and audit committee executives, investors, shareholders, and board members place on audit as a result of COVID-19." It showed their concerns and their perspectives on audit.</p><p>Again, nice stuff.</p><p>I'm sure I'm like most readers in that I tend to focus on the headline information — the categories that garner the highest numbers. In this instance I was reviewing the respondents' primary concerns related to the challenge of COVID-19. 
Then I looked more closely at the illustration included with the article, focusing on the lesser concerns.</p><p>And it was at this point that the fires began to burn, the storm clouds began to build, and the internal alarms went off warning that something was amiss in this wonderful world of ours. There were eight "concerns" listed. No. 6, in a section titled "additional concerns," was "health and well-being of employees." Behind concerns about the business model, accounting and financial reporting, financial resilience, customers, and brand, were the lowly employees, just beating out the supply chain and investor relations.</p><p>Just to nonrandomly pick one of those greater concerns, financial reporting was more important than the health and well-being of employees. In the middle of a pandemic that has infected more than 28 million and has killed half a million in the U.S., these executives thought financial reporting — financial reporting, financial …reporting, financial insert-your-favorite-expletive reporting — was a greater concern than the people who actually put those reports together, impact the results of that report, and are how the organization actually continues to exist.</p><p>Here's a number: 44% of respondents felt health and well-being of employees was a concern. In other words, over half did not feel that their employees — their employees' health, their employees' well-being, their employees' impact — was a top concern of the organization.</p><p>I hope the elevated level of my upsetedness has been appropriately displayed in the above. If not, let me finish by saying that this is heartless, short-sighted, and the reason so many employees say they are not invested in their work or in their organizations.</p><p>A fit of pique, indeed.</p><p>So, what does this mean for the internal auditor? Well, as often happens with such information, there are two aspects.</p><p>First, as always, auditor audit thyself. 
Where is the health and welfare of the audit staff on your list of priorities? If there are rumblings of employees coming back to the office, is every step possible being taken to ensure the auditors' safety? And, in general, where does the staff stand when it comes to internal audit's strategy? Are they prominently described as part of the success, or are they an afterthought — a line in the strategy that feels tacked on to appease the human resources department?</p><p>Spend some time examining the mote in your own eye. Talk to employees, review the strategic directions, and make sure that employees feel they are recognized as an important part of the department's success.</p><p>Second. Well, let me just say I feel an audit coming on. Maybe it's an audit of culture, maybe it's a strategy-level audit, or maybe it is just an audit of executives' perceptions. (Has there ever been such an audit? I don't know. Why not be the first?)</p><p>If you are working in an organization that places employees below the business model, customer relations, and the rassen frassen accounting and financial reporting, then it is internal audit's job to step forward and provide warnings that such actions are the road that leads to ruin. Do executives even know this is the perception? Does the board? Does the audit committee? Misaligned priorities may exist and no one really recognizes it. (How many of the 56% who didn't see employees as a concern recognized the disparity?)</p><p>Internal audit's job is to help an organization achieve its objectives. And those objectives cannot be reached successfully, at least they cannot be sustained successfully, unless value is placed on the employees. So, if employees are the "oh, yeah, and them, too" that pops up in strategies and plans, then raise the issue.</p><p>And what if no one wants to hear the message? 
Then you know everything you need to know about the organization's perception of its employees, the organization's perceptions of internal audit, and the reasons why finding a better operation for which to work is sometimes the best career move.<br></p>Mike Jacka
Why Do They Think Internal Auditors Are Looking for Problems?<p style="text-align:right;"> <img src="/2021/PublishingImages/Why-Do-They-Think-Internal-Auditors-Are-Looking-for-Problems.gif" alt="" style="margin:5px;" />DILBERT © Scott Adams. Used by permission of ANDREWS MCMEEL SYNDICATION. All rights reserved. <br></p><p>Last week, the globally popular business comic strip "Dilbert" took on management's perception of/reaction to internal auditors. Like all Dilbert strips, there is enough truth in the punchline to grab our attention and be provocative. I must admit that I smiled. I certainly encountered management officials who didn't want me, or my internal audit team, poking around in their departments. But we always reached some agreement.</p><p>After my initial amusement at the comic strip, I asked myself: Why does management so frequently assume that we are just there to "find problems?" I even had managers look me in the eye and say, "I know you have to find something wrong to justify the audit." I sometimes felt that they looked at us like we do a traffic police officer. We often wonder if they have a quota on the number of traffic citations they have to deliver. It is my fervent hope that the day will come when we are universally appreciated for helping to "prevent" problems rather than "finding" them.</p><p>Our profession has made a lot of progress in overcoming perceptions like the one portrayed in Dilbert. But the stereotype persists. As I explored in a recent blog, we have work to do in helping people understand what we do, and how we do it. A few years ago, I authored a blog post titled "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=26a6d73b-62d4-4479-88e9-5578dc3f7967" data-feathr-click-track="true" target="_blank">Five Classic Myths About Internal Auditing</a>." 
As I considered the message Dilbert conveyed about internal audit, I was reminded of those five myths — especially Myth 2: "Internal auditors are nitpickers and fault-finders," and Myth 5: "Internal audit is the corporate police function."</p><p>Myths can tell us a lot about ourselves — or, at the least, about how others see the world. But it seems that the most inaccurate myths are the ones most difficult to dispel, particularly if there is a grain of truth buried in them.</p><p>The modern internal audit profession has been around for only about 100 years. Yet, it is amazing how many myths and misperceptions have evolved about the profession in such a relatively short period of time. And while each of the "five myths" is generally untrue, that they are so enduring tells us that we still need to take stock of how we are perceived in our own organizations and by the stakeholders we serve. Do we do things to reinforce these myths? Or do we need to do a better job creating awareness of how the profession has changed? You be the judge.</p><h3>Myth 1: Internal auditors are "bean counters" just like the accountants.</h3><p>One of the most common misperceptions about internal auditing is that the auditors are "bean counters" who focus solely on their companies' financial records. There is an obvious grain of truth in this myth: A solid auditing or accounting background can be helpful for a career in internal audit. But a typical annual internal audit plan today dedicates less than 25% of internal audit's resources to financial-related risks. Instead, internal auditors are more likely focused on fraud risks, compliance issues, and myriad operational issues that are unrelated to accounting, and the auditor's background is likely to be as diverse as the operations they audit.</p><p>An accounting degree is not the only path for career success, and these days, it's not even the most common path. 
Repeated surveys by The IIA's Audit Executive Center indicate that audit executives are now recruiting job applicants with analytical/critical thinking abilities, data-mining skills, business acumen, and IT skills more often than they seek applicants with accounting training.</p><h3>Myth 2: Internal auditors are nitpickers and fault-finders.</h3><p>At the heart of several jokes about internal auditors is the misperception that we are dead set on picking apart processes and ruining the reputations of the people who do the "real work." According to this myth, internal auditors are viewed as the group that "bayonets the wounded after the battle is over," distracting management from more important responsibilities.</p><p>In reality, of course, internal audit's focus is on major risks rather than on nit-picking details. Internal audit resources are limited, and when auditors focus too much attention on minor issues, they are limiting the time available for addressing the major risks and controls that are at the heart of internal audit. A good internal auditor would rather report on a $6 million cost savings than on a $6 error!</p><h3>Myth 3: It's best not to tell the auditors anything unless they specifically ask.</h3><p>This myth can be damaging, so it is unfortunate the advice has made its way into more than one "How to Survive an Audit" article. Audit clients are sometimes given this advice by well-meaning friends, but it results in less efficient audits and wastes everyone's time. If internal auditors believe their clients are purposefully hiding information, whether by omission or commission, they normally will increase the scope of the audit to determine whether other important information has gone unreported. 
The purpose of internal auditing is to add value and improve an organization's operations, and hiding information is against everyone's best interests.</p><h3>Myth 4: Internal auditors follow a cycle in selecting their audit "targets" and use standard checklists so they can audit the same things the same way each time.</h3><p>This myth is less true with each passing year. The IIA's <em><a href="" data-feathr-click-track="true" target="_blank">International Standards for the Professional Practice of Internal Auditing</a></em> require risk-based plans to determine our priorities, both in developing internal audit plans and schedules and in planning individual audits. Obviously, some risks justify repeat audits, and there are some types of audits — for example, certain compliance reviews required by regulators — in which audit programs and checklists are unlikely to see major changes from year to year. But, in general, internal auditing has become a dynamic profession that must change any time an organization's risks change.</p><h3>Myth 5: Internal audit is the corporate "police function."</h3><p>As Lord Justice Topes once said, "The auditor is a watchdog and not a bloodhound." In my experience, the best internal auditors are almost always those who create a rapport with their clients. When internal auditors' behavior is accusing or aggressive, they are far more likely to be met with resistance than when they treat findings as an opportunity to help accomplish objectives and facilitate improvement. Breaking down this stereotype is so important that most internal audit groups actively encourage clients to think of internal audit as a coach, not a cop.</p><p>Each of these myths was closer to reality in the 20th century than today. It's easy to think of a few specific examples in which an action that reinforces those stereotypes might be justified. 
Unfortunately, there are too many cases in which internal auditors are needlessly perpetuating the myths. Are any of the classic myths true about you or your internal audit function? If so, it might be time to take a good look at what you are trying to accomplish and how you plan to reach your goals.</p><p>Changing perceptions takes time, and it often requires the combined efforts of many individuals to break down a stereotype. Our profession's image is rapidly improving, but more work is needed to enhance our stakeholders' understanding of the profession. Each of us can help to eliminate the myths and misperceptions — whether through small steps, such as passing along pertinent news to clients, or through larger contributions, such as sharing audit knowledge at a seminar or conference.</p><p>Each internal audit function is unique, and your perspective might be different from mine. Has your internal audit department recently made real progress in dispelling any of these myths? If so, please let me know how it worked for you. </p>Richard Chambers
On the Frontlines: Auditor Skepticism<p>As a young man growing up, when television consisted of three channels driven by 1970s culture shows, I must admit I learned a lot about ethics, character, and the vagaries of human behavior watching <em>Star Trek</em>. The fifth episode of the first season, "The Enemy Within," still resonates with its contemporary look at the unpredictability of human behavior.</p><p>In true <em>Star Trek</em> fashion, the relative calm of traveling "where no man (or woman) has gone before" is broken by a crisis that strikes the crew, causing a dilemma. In this episode, while beaming up from a planet, a transporter malfunction causes Captain Kirk to be split into two people: one "good," but indecisive and ineffectual; the other "evil," impulsive, and irrational. First Officer Spock must work with Chief Engineer "Scotty" to rejoin the good and evil sides of Kirk.</p><p>I admire how the writers balanced Spock's logic off Kirk's emotional human side to show the complexity of how decisions are formed. Yet, I question whether it is realistic, in real life, to maintain a sense of skepticism across all audits, large and small, without a structured approach. There are at least two huge challenges to maintaining skepticism long-term.</p><h2>1. Hard Work</h2><p>The literal definition of <em>skepticism</em> is an active process of "inquiring" and "reflection" — processes that suggest questioning, careful observation, probing reflection, and suspension of belief. Sounds like an audit, doesn't it? Skepticism is not just words, or a consideration in an audit, it is a process of discovery of the unknown.</p><p>Ancient philosophical skeptics evolved into two branches. One branch denied all possibility of knowledge or certainty. The second branch advocated suspension of judgment until sufficient evidence is found. 
No matter the obvious challenge of defining skepticism, if the process becomes too bureaucratic, the rigor of audit skepticism will wane over time.</p><h2>2. Heuristic Risk - Judgment</h2><p>Behavioral risk literature often promotes popular theoretical anecdotes for change, but to paraphrase the father of behavioral science, Dan Kahneman: "An increase in awareness of biases has not been transformative in behavioral change."</p><p>The second challenge to sustainable skepticism is the fluidity of judgment in complex organizations. Questions about risk include issues of value and assigned probabilities that can change as the organization evolves. One high-flying division may enjoy great influence while others may experience more scrutiny.</p><p>Maintaining skepticism also will require being responsive during periods of rapid change. But that begs the question: How does internal audit anticipate and prepare for change in judgment posture?</p><p>These are just examples of the questions auditors should consider when thinking about skepticism. One suggestion to create sustainable auditor skepticism is to not rely solely on individual judgment. Questionable or borderline financial engineering or risk-taking requires consultation to maintain the appropriate balance.</p><h2>Finding Balance in Skepticism</h2><p>I have found that developing a process to deal with tough subjects is more effective when diverse leadership is involved and a commitment to transparency exists. In the event of an issue, a discovery process should be available to management to ensure consistency, impartiality, and balance in presenting all sides.</p><p>Ground rules for operationalizing skepticism should consider the need for training, risk assessment tools, and senior-level engagement. Many organizations currently have processes to address skepticism for run-of-the-mill issues. 
For more challenging and complex issues, a team effort is required to build institutional learning and consensus that ensures the right balance.</p><p>Transparent processes also require appropriate levels of confidentiality. The process for vetting questionable practices should not become a punitive one but one of discovery and best practice that leads to better outcomes.</p><p>I hope this post helps organizations that have begun to discuss how to build sustainable processes that evolve with their business.</p><p><br></p><p>James Bone is executive director of GRCIndex and principal investigator at the Cognitive Risk Institute in Lincoln, R.I.<br></p>James Bone
Building a Better Auditor: Internal Audit and Relevance<p>The year 2020, just like 9-11, has forever changed our world. The events that swooped down and entered our lives in the early part of the year have transformed the way we work, live, and play. Changes occurred rapidly and may have been ones never envisioned. <br></p><p>For the internal audit profession, many are speaking about "how internal audit can attain or retain relevance." Remaining relevant or attaining relevance in our "new normal" will require a concerted effort. </p><p>Less than a year ago many professionals would have never dreamed that the "close the books" process could be executed through remote work arrangements. Then 2020 struck and organizations adapted while technology evolved. Those things didn't happen overnight. Management teams had to really look within their own procedures and skill sets and determine how to adjust and make things happen. </p><p>To remain in the "relevant" category, internal audit should consider the actions below.</p><h2>Look Within</h2><p>2020 has both taken and given us many things. One thing it has given us is the opportunity to re-evaluate our individual work habits and processes for signs of needed change or evolution. An immediate reaction by many internal auditors may be to identify how they can "shuffle the cards" and maintain presence with management and stakeholders. I challenge internal audit groups to first look deeper within their own ranks.</p><p>Internal audit, now more than ever, must continue to evolve and adjust to the new normal (whatever that is). Examine your departmental tools, skills, reporting line structure as well as your own processes and procedures.</p><p>There may be many ways where the shift experienced in 2020 has impacted the manner in which internal audit should approach its work and projects as well as its overall strategic purpose. 
In other cases, you may find the evolving world requires a new focus on skill set or communication skills. Whatever the case, take the opportunity to execute your own evaluation before the organization makes the decision for you.</p><h2>Embrace Technology</h2><p>Throughout the pandemic, technology advances have evolved numerous times and accelerated the pace of change that all organizations must adapt to. With this evolution comes increased risk, not only on the technical side but also on the people and resource application side.</p><p>Internal auditors must embrace the new norm, ensure they have the appropriate knowledge of new technology applications, and understand the risks that come with our increasingly vulnerable cyber world. I am not advocating that all auditors have an IT background, but in today's world, it is imperative to focus on understanding the concepts embedded in technology and how the controls the organization selects will enhance or mitigate potential issues.</p><h2>Examine Internal Resources</h2><p>During 2020 many internal audit groups may have loaned resources to other areas of the company. Much of this was out of need; however, it has brought a new dynamic to our profession. Work loan programs, rotation of auditors, cosourcing, and training programs are going to become part of our next normal. This will require a strong leadership mentality to ensure new members of the internal audit function fully embrace the <em>International Standards for the Professional Practice of Internal Auditing</em> and internal audit protocols, including independence, objectivity, and professional skepticism. </p><h2>Agility</h2><p>Before the pandemic, many internal audit groups were evaluating the concepts of agile auditing. Agile auditing incorporates a project-based approach to auditing and requires a complete shift in the mindset of both auditors and management. A complete agile audit approach may be difficult to embrace at this time. 
However, auditors can evaluate the concept more deeply and identify elements within the approach that may work for their organization. Staying agile to changing needs will be critical to maintaining relevance in a crisis world.</p><h2>Internal Controls</h2><p>This may be the last thing on management's mind at this time. However, the change in work habits has created a new dynamic in the functioning of all aspects of the organization. Internal controls are more important than ever. </p><p>If your company must report on compliance with the U.S. Sarbanes-Oxley Act of 2002, it is safe to say many of your previously identified key controls have altered or changed. Outside of internal controls over financial reporting, control processes have certainly changed due to work arrangements, technology, and availability of personnel. </p><p>Now is not the time to take your eye off the ball. It is critical that management understand the risk presented if controls have been altered, changed, or limited. Internal auditors must maintain their focus on this core area and protect their organizations, which may face the "opportunity" segment of the fraud triangle with individuals taking short-cuts when completing their responsibilities.</p><p>These are just a few considerations for internal auditors who want to ensure their organizations continue to embrace the function as one of purpose and relevance to the proper execution of the organization's strategy and work. </p><p><br></p><p>Lynn Fountain, CGMA, CRMA, CPA, is an internal control, risk management, and business process consultant in Overland Park, Kan.</p>Lynn Fountain
Satisfaction Guaranteed<p>Internal auditors don't really want much. We just want to make sure we've identified every risk. And we want to make sure we've rigorously evaluated every risk. And we want to make sure our efforts are concentrated in those areas where there are the greatest residual risks. And we want to make sure we understand exactly how the process works. And we want to make sure we have talked with every person who can provide all the information we need. And we want to make sure we test every possible transaction. And we want to make sure we haven't missed anything. And we want to make sure it is all covered in the report. And we want to make sure that we have satisfied every reader of the report. And we want to make sure the report contains no errors. And we want to make sure the report contains no typos. And we want to make sure …<br></p><p>Nah … we don't really want much. We just want to make sure we have maximized our choices in a way that ensures everything is, if not perfect, so close to perfect that the difference can be measured in milli-micro-mistakelessness.</p><p>Do I overstate things? Perhaps. But stop and think about the work you are currently doing. How much time is spent on actual work, that is, work that can be legitimately considered "audit work." And how much time is spent making sure everything has been done correctly?</p><p>I'm serious, do some of the calculations. You've recorded the time spent on audits down to the day, hour, minute, jot, and tittle. Take those numbers, do some quick calculations (quick calculations, not the exhaustive and laboriously-assiduous ones you require in every audit) and figure out what percentage of that time is spent on true audit work and how much is spent double-checking, second-guessing, and reviewing. 
(Hint: almost every hour done by every person who is not the actual auditor falls under that second category.)</p><p>In his book <em>Elastic</em> (another book you should add to your must-read list) Leonard Mlodinow explores, among other issues, the physiological and psychological aspects of decision making. In a section titled "Choice Overload" he writes:</p><p><span class="ms-rteStyle-BQ">Psychologists call those who [accept the first satisfactory option, rather than continuing to look for a superior one] "satisficers," as opposed to "maximizers," who always try to choose the best. The term [satisficer] was coined by Nobel Prize-winning economist Herbert Simon in 1956 to explain the behavior of decision-makers who don't have enough information or computational power to make the optimal choice and, rather than struggle to remedy the limitations, decide to save time and effort by making a choice despite them.</span></p><p>Where do you think internal auditors lie on the satisficer-to-maximizer scale? Put another way, do "maximizers" sound like anyone we know … intimately? Of course, we would argue, we are in no position to take the "first satisfactory option." And quick decisions are as dangerous in our profession as protracted ones. However, our pursuit to make the best decision — our pursuit to maximize — often becomes a search for the Seven Cities of Internal Audit Cibola where the inhabitants agree with all findings, the walls are built of perfectly constructed issues, and the streets are paved with flawless audit reports.</p><p>Mlodinow continues:</p><p><span class="ms-rteStyle-BQ">We all want to make good choices, but research shows that making exhaustive analyses, paradoxically, doesn't lead to more satisfaction. It tends to lead instead to regret and second-guessing. Letting go of the idea that a choice must be optimal, on the other hand, preserves mental energy and allows you to feel better if you later learn that a better choice existed. 
What works when choosing shoes or a new car or a vacation plan may not suffice when choosing a doctor or a partner for what you hope will be a lifetime relationship. But for most situations, those who accept options that are good enough, rather than feeling compelled to find the optimal one, tend to be more satisfied with their choices and, in general, happier and less stressed individuals.</span></p><p>Note that he does not speak of wrong decisions; rather, decisions that are better. So, while it is obvious that what we do is not in the same category as choosing shoes, a new car, or a vacation plan, neither are the ramifications of what we do up there with choosing the right doctor or a partner for life.</p><p>Again, I am not saying we just wave our hand with a "Fiddle-dee-dee" and "Tomorrow will be another day," going with the first whim that strikes our fancy. We have to maintain our professionalism, and part of that professionalism is reflected in our ability to maintain accuracy from the lofty heights of developing strategies all the way down to the nuts and bolts of ensuring every comma is in its place and every place has its comma. But, on the other hand, how many foot-pounds of energy, how many irreplaceable brain cells, how many available hours in the audit calendar do we use reviewing the review of the review the reviewer reviewed when the reviewer reviewed the review of the reviewer. (All done in the presence of woodchucks who were chucking wood.)</p><p>Yes, we are professionals. But as professionals we have to trust ourselves. That means stepping past the second guessing, instead focusing on doing good work the first time. Of course we want to ensure we make good choices. But exhaustive analysis of our own work will not result in perfection. In fact, it may not even lead to better.</p><p>Take a second look at that last quote from Mlodinow. In particular, note the disease called "second guessing." 
Maybe that is why we are never really happy with our reports, with our tests, or with our audits.</p><p>Maybe we just need to find the answers that satisfy, not the perfect ones.<br></p>Mike Jacka
It's Hard for Internal Auditors to "Follow the Risks" When There Is No Consensus <p><img src="/2021/PublishingImages/Its-Hard-for-Internal-Auditors-to-Follow-the-Risks-When-There-Is-No-Consensus-445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />One of the persistent challenges internal auditors face is finding alignment with stakeholders on the risks that most threaten their organizations. For many years, I have written about the importance of building relationships with those we work for and with to nurture communications that support alignment. Indeed, the most common advice I’ve offered to chief audit executives (CAEs) over the years is “know what is keeping our stakeholders up at night” and “follow the risks.”</p><p>A recently published report from Protiviti and the North Carolina State University ERM Initiative helps shed light on that alignment (or misalignment). <a href="" data-feathr-click-track="true" target="_blank">Executive Perspectives on Top Risks: Key Issues Being Discussed in the Boardroom and C-suite</a> (PDF) examines risks facing organizations in 2021 and beyond as seen by a wide variety of respondents, from board members to every position that makes up the C-suite, including CAEs.</p><p>Two key takeaways from the report offer a good news/bad news scenario. First the good news: There is encouraging uniformity across the respondent mix about the No. 1 risk facing organizations in 2021 — the impact of COVID-19-related policies and regulations on business performance. The bad news: That’s where the consensus ends. 
While this is not ideal from an ERM perspective, it is useful in building awareness of the critical need for alignment.</p><p>For example, the second-highest-rated risk as identified by CAEs — managing cyber threats — does not show up in any of the top five risks for CEOs, chief financial officers (CFOs), or chief risk officers (CROs). That is not to say cyber doesn’t continue to be a top risk, coming in at sixth overall. However, it is significant that, among C-suite respondents, only CAEs view it among the top five risks in 2021.</p><p>CAEs’ focus on cybersecurity also is reflected in the upcoming 2021 North American Pulse of Internal Audit report. Cybersecurity, in fact, has ranked as the highest-rated risk among Pulse respondents every year from 2016 through 2020. It is important to note that the survey for this year’s Pulse report was conducted in October/November, reflecting the significant influence of the pandemic on CAEs’ overall risk assessments. Yet, the Pulse data also shows that cybersecurity as a percentage of audit plan allocation remains a lower priority, ranging from 6% to 8% over the same five-year period.</p><p>So, what are the more significant risks on the minds of our stakeholders? Two additional risks made the top five for boards, CEOs, and CFOs in the Protiviti/NC State report: Economic conditions in markets may significantly restrict growth opportunities, and market conditions imposed by the pandemic may impact customer demand for products and services. </p><p>I should note that the survey grouped the 36 risks rated by respondents into three broad categories: macroeconomic, operational, and strategic. That also offers insights into how each respondent group views risk. For example, CEOs and CFOs rated three macroeconomic risks among their top five, while three of the top five CAE-rated risks were operational. 
Additionally, both CEOs and CFOs included one strategic risk — risk involving the pandemic’s impact on consumers’ demand for products and services. CAEs did not include any strategic risks in their top five.</p><p>However, we should take heart in that the three nonstrategic risks that show up in the boards’ top five matched those of CAEs, although not in the same order. </p><p>The Protiviti/NC State report is rich with data and provides voluminous analysis. In addition to the comparison of risk views for 2021, respondents also were asked for their longer term risk views (2030). What’s more, the report provides analysis by organization size, industry, geographic region, and public versus nonpublic. I encourage all my readers to download the free report and delve into the details.</p><p>One of the report’s key observations offers an important insight that all risk management players should understand and take to heart:</p><p><span class="ms-rteStyle-BQ">“The results reflect how different roles assess risks differently in different environments and economic periods, and emphasize the critical importance of bringing numerous stakeholder viewpoints to bear in risk discussions. It is of paramount importance that both the board and the management team engage in dialogue regarding the critical enterprise risks, given the different perspectives each brings to the table and the potential for a lack of consensus. Without clarity of focus, the executive team may not be aligned with the board on what the top risks are. Worse, they may not be appropriately addressing the most important risks facing the organization, thereby leaving the organization potentially vulnerable to certain risk events.”</span></p><p>The still-raging global pandemic provides two important lessons in relation to risk management: It has alerted most organizations to weaknesses in controls and crisis management planning, and it has heightened awareness of the value of risk alignment. 
CAEs would be well-served to examine the views of stakeholders in the Protiviti/NC State report and leverage the insights to improve risk alignment in their own organizations.</p><p>While all of this information provides valuable insight into the state of alignment in how internal audit and its stakeholders view risks, it doesn’t really help with one of the most significant challenges internal auditors face: How are we to follow the risks if everyone is pointing in a different direction? I believe there are three keys: communicate, communicate, communicate. When internal auditors see disparity in how risks are being rated by internal audit’s stakeholders, we should speak up and speak out. We must be courageous enough to alert board members and management when their perspectives on risks facing the organization diverge.</p><p>We may not have all the answers, but we are ideally positioned to ask the questions. To blindly undertake our own risk assessments and craft our own audit plans without questioning why we see risks where others don’t is a perilous course. We must be the voice our organizations need to hear.</p><p>Once we have highlighted the differences in views, we should offer an audit plan that addresses the risks most crucial to our organizations. There will be risks addressed on the audit plan that may not be high on the board’s or management’s radar. But such areas of focus should be clearly understood and not the product of silence or miscommunication.</p><p> As always, I look forward to your comments. </p>Richard Chambers
