| Building a Better Auditor: Finding Opportunity From a Crisis | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Finding-Opportunity-From-Crisis.aspx | Building a Better Auditor: Finding Opportunity From a Crisis | <p>Internal auditors got used to cyclical economic crisis situations and the expected risks of natural disasters, unreliable business partners, governmental misbehaviors, mistakes in decision making, human imperfection, and the likes. We developed more or less standard solutions to those risks — or at least some recommendations — and hid behind walls of contingency planning, hedging, and training for emergencies. We took for granted all the technical and educational progress that was happening, and where some of us jumped at opportunities, others planned budgets of money and time and postponed some of the developments until better times.</p><p>Many auditors forgot that risk is a two-sided coin: On one side is a threat and on the other side is an opportunity. The bigger the risk, the bigger the threat and opportunity. This is close to the concept of risk appetite, but when we add knowledgeable management to it, the case takes on completely new dimensions.</p><p>Moreover, almost always our approach to a risk depends on what side of the coin we want to be on: the opportunity side or on the threat side. A few bold leaders such as Bill Gates, Steve Jobs, and Elon Musk challenge the status quo with positive thinking and aggressive ability. Often such leaders capitalize on a major crisis.</p><p>The COVID-19 pandemic pulled and pushed most of us from our comfort zone. Instead of just thinking outside of the box, it forced internal auditors to get out of our boxes altogether and face a wild world of unknown. The pandemic also forced us to start learning about ourselves and understanding whether we — both as a society and as individuals — are ready to capitalize on opportunities. While many people still hope to return to the world they were used to, others see that the changing world is bringing us new and undefined areas that we can move toward.</p><p>Resiliency is not about recovering the normal business operations amid crisis, which is what we normally call business continuity. Instead, we now are talking about redesigning ourselves to some better and different versions of what we used to be. And this relates to everyone and everything, from individuals to businesses to countries.</p><p>For individuals, it's a shift in mentality: being ready to learn, changing our approach from complaining about new hardships to pursuing the opportunities, and asking for help from other advanced thinkers. It means focusing on priorities, developing a plan, and moving on. This change in mindset forces people to think of themselves as entrepreneurs and operate a business of one, even if we are employed in an organization that cares about employees. Human resource specialists increasingly say employees are or should be viewing themselves as business partners of organizations and their equals.</p><p>These ideas then extrapolate to businesses in terms of their own inventiveness and ability to capitalize on crises to gain new revenues, markets, products, clients, business partners, ways of doing business, employees, and styles of communications. All of those things will inevitably change what governments are or should be doing. Governments may be slow to react as they have higher inertia and can afford to move a bit slower, but still those will be forced to move on as well.</p><p>Over the last year, more and more experts have said the COVID-19 crisis is not the last one of this scale and the world will likely face more severe crises and more often. Market players and risk management specialists describe the major risks arising in technology, information security, legal compliance and frameworks, globalization, re-engineering of business processes and activities, climate change, infections, debt crises, digital power concentration, and inequality. Other rankings rate business resilience risk as a major risk.</p><p>What constitutes resilience in general for the business is the ability to capitalize on a crisis to become more profitable, to find new business opportunities, offer new products, and redesign business processes. Instead of returning to business as usual, these organizations become a new and more advanced version of the business.</p><p>It is time for organizations to start developing business resilience plans. Those plans should define how the business can be ready to react to something it has never encountered before, how it can learn from it, and how it can use those events as a prompt for future revenues and developments.</p><p>In addition to listing risk events that could happen and developing plans to address them, businesses should list opportunities that could arise if these negative events occur and the actions they can take to capitalize on them. Moreover, if the organization decides that opportunities are of greater business interest, it should consider whether it could potentially capitalize on those opportunities without experiencing the downside risks in question.</p><p>This is the right area for internal auditors to step in with thought leadership and analysis. Internal auditors are uniquely positioned in the organization with their deep knowledge of business strategies, business risks, and exposures and their interdependencies. Moreover, their independent position allows auditors to have a fresher look at what is going on in the organization.</p><p>As such, internal auditors can not only lead management to change its paradigm, but also facilitate management discussions of business resiliency plans. This facilitator role may involve asking questions to add structure to the process. Auditors also can provide information from recent audits about the challenges the organization needs to account for during the planning process, as well as business strengths that the organization can capitalize on.<br></p><p><br></p><p>Yevgeniya Rossova, CIA, CRMA, is an internal audit, risk management, and compliance professional at IIA–Kazakhstan.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | Yevgeniya Rossova | 0 | | | |
| On the Frontlines: Incorporating Data Analytics for Smarter Audits | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Incorporating-Data-Analytics-for-Smarter-Audits.aspx | On the Frontlines: Incorporating Data Analytics for Smarter Audits | <p>Since the start of my internal audit career, there's been constant conversation in our field about how we can use data analytics to become more efficient and effective. If conversation translated to execution, every aspect of our work would be infused with and informed by data. But many internal auditors will agree that when it comes to data analytics in internal audit, we're much further along with talk than we are with action.</p><h2>For Transformative Results, Integrate Data Analytics Into Your Planning and Strategy</h2><p>Right now, many audit functions apply some form of data analytics, although it's often on an ad hoc basis. Auditors often work in Excel sheets and select samples either manually based on ad hoc formulas or randomly. A couple weeks before an audit, they may incorporate data analytics for some light planning.</p><p>This inconsistent approach usually fails to tie in with the overall strategic vision of the chief audit executive and business, and it generally limits the value offered by internal audit.</p><p>To turn these ad hoc efforts into something more transformative, you need to tie data analytics into the internal audit group's overall strategy, which should ultimately feed into the larger strategy of the business. So, when you're planning for the coming year, it's essential to think about where you can use data analytics in your audits and decide what the scripts will look like.</p><p>When you apply data analytics in the planning phase, you can make sure you're looking at the right areas of risk. Then, when you begin to plan for individual audits, you can use the more transaction-level data analytics to inform your sampling procedures and the scope of your efforts. There's no need to make ad hoc decisions at this point — you've already operationalized data analytics, woven it into your strategy, and allocated the time for it. Now, success comes down to data acquisition.</p><p>Bringing data analytics into the planning phase also helps convert the inevitable skeptics. On the face of it, introducing data analytics can look like you're just making more work for your auditors. But when you incorporate analytics strategically ahead of time, allocate the hours for it, and tie it into strategy, you're not increasing anyone's workload. You're simply shifting time that would have been spent executing audits into the planning phase so you can make your audits more targeted, productive, and practical.</p><h2>To Create Analytics That Work, Start With Your Internal Audit Vision and Use Data Analytics to Further It</h2><p>The process of incorporating data analytics isn't like flipping an on-off switch. I know this from experience because our internal audit team at Crowe went through the process. Several years ago, we began building our own data analytics solution, Crowe Analytics Advisor for Banking. This project required a lot of thought and discussion.</p><p>We've all seen data analytics results that are interesting but not very useful. That's exactly what we wanted to avoid with our solution. It's easy to generate charts and tables, but we knew that the analytics we were using needed to generate relevant information and insights that would help us become better auditors.</p><p>We started with our established work programs, and we went through every step in our audit process to decide how data analytics could lead to a smarter approach.</p><p>The thinking we applied at Crowe can work for your organization, too. If you have a successful audit department, then you most likely have internal programs that have been refined over time. What better place to start with data analytics than with intellectual property that you've already built out and that you know is relevant to your audits?</p><p>So, start with the internal audit content you know you'll use and ask: How can we use data analytics to better achieve our goals? Take the program you're using and define a relevant suite of analytics that would help you accomplish what's needed. Then, weave those analytics into your planning for the year and beyond.<br></p><p><br></p><p>Ryan Singer, CIA, is a consulting senior manager at Crowe LLP in Columbus, Ohio.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Ryan Singer | 0 | | | |
| The Impact of King Kong's Fall | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/The-Impact-of-King-Kongs-Fall.aspx | The Impact of King Kong's Fall | <p>Imagine you work in New York City. You are walking from the subway to your downtown office when you see a crush of people — some are running toward something, some running away, some standing in place as they ogle an unusual sight. You join the crush to see what is going on. Getting to the center of the activity, you observe a huge, furry mass and, upon closer inspection, you realize it is a giant ape that has fallen to its death at the base of the Empire State Building.</p><p>Your reactions are mixed. You can already tell that the elimination of this risk is a victory, and you feel an internal rejoicing. But you also recognize that you are seeing a once-living creature that, through no fault of its own, was trapped in a situation from which there was no escape. Its inevitable fate is displayed before you.</p><p>Looking more closely you make a shocking discovery — an aftermath that those who later document the events will leave out in lieu of telling the story of the escape, the battle, and the ensuing fall. Lives have been lost; people have been crushed under the massive primate. The news outlets will release numbers, but you are looking at the actual evidence of devastation.</p><p>Shaken, you continue to work. Sitting at your desk, you grapple with what you have seen. Your assistant reminds you that it is time for your first meeting of the day. In comes the internal audit department to discuss the issues they have identified while reviewing one of the areas over which you are in charge.</p><p>How much do you think you're really going to care? How much attention are you going to pay? How important is anything they will say compared to what you have just seen?</p><p>We know internal audit is important. We serve an important function and, done right, are an integral part of the organization's success. But as we wrap ourselves with that importance and bury ourselves in the world of objectives, risks, and controls, we sometimes forget that there is a world outside that has nothing to do with us. And we forget that our clients/customers/fellow human beings have lives going on that have nothing to do with us. And, quite often, that life is a whole lot more important than our report on control breakdowns in petty cash.</p><p>Early in my career, I was sitting at my desk working on an audit when I suddenly heard someone cry out. Everyone in the office looked up to see a clerk rushing out of the office. She had learned her father had been killed.</p><p>I vividly remember looking down at my workpapers thinking that nothing before me was as important as the events that were going on around me.</p><p>Internal audit is important. But we have to balance that importance against the rigors of everyday life.</p><p>Yeah, it is an aspect of empathy, EQ, emotional intelligence, whatever you want to call it. But what it's really called is being human. And, in all our bag of internal audit tricks — in our skills of communication and critical thinking and writing and testing and the unending litany of proficiencies — no one thing is more important than the skill of being human and remembering that all those around us are humans, too.</p><p>The odds of any of us having a meeting with a client after they have experienced the effect of King Kong's fall are slim. However, any event in life, from a death in the family to that nasty hangnail, can be just as distracting. We have to be aware of the known and unknown incidents our clients are facing and take them into account.</p><p>As a friend of mine once said about internal audit, we're not curing cancer. Yes, we are important. But you never know when a 60-ton gorilla may have appeared in a person's life. Treat everyone accordingly.<br></p> | Mike Jacka | 0 | | | |
| On the Frontlines: Identity and Authentication | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Identity-and-Authentication.aspx | On the Frontlines: Identity and Authentication | <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p><em>Well, who are you? (Who are you? Who, who, who, who?)<br></em><em>I really wanna know (Who are you? Who, who, who, who?)<br></em><em>— The Who, "Who Are You"</em></p></blockquote><p><br></p><p>When Pete Townshend wrote those words, I doubt he was thinking of writing an identity and authentication anthem, but there it is. Who are you, and can you prove it? Because if you can, the system is programmed to provide you with privileges. I think Townshend would agree with that, to some extent.</p><p>In the virtual universe, most people have multiple identities (IDs). Your banking, e-commerce, social media, and even browsing history can all be associated with one or more of your IDs. And if any of those IDs and data sets can be matched and a profile built of who you are and what you might be interested in, woo-hoo! Marketing gold.</p><p>For enterprise IT environments, the system really is programmed to provide privileges within its environment that enable administration, usage, reporting, and auditing. In fact, every system that has a limited set of users, with differentiated permissions, needs to start with a set of IDs to which it can associate the privileges and (typically) record their usage.</p><p>IDs can represent real people or programmed services that execute system administration or operating functions. Consequently, the management of identities is one of the foundational control objectives in IT. Internal auditors should be able to evaluate their organizations' implementation of controls over the establishment of — and accountability for — IDs in every significant system, including applications, databases, servers, network management solutions, and other computing and communications infrastructure.</p><p>The IIA recently issued a new
<em>Global Technology Audit Guide (GTAG), </em><a href="https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Auditing-Identity-and-Access-Management.aspx" data-feathr-click-track="true" target="_blank">Auditing Identity and Access Management</a>, that aims to give audit managers and others who may not be technology experts enough information to plan and execute a meaningful evaluation of their organization's controls over related risks. The new
<em>GTAG</em> includes references to a few widely used external control frameworks:</p><ul><li>The U.S. National Institute for Standards and Technology Special Publication (SP) 800-63: Digital Identity Guidelines and SP 800-53 revision 5: Security and Privacy Controls for Information Systems and Organizations (SP 800-53r5).</li><li>ISACA's COBIT 2019.</li><li>Center for Internet Security (CIS) Controls version 7.1 (aka the "Top 20," formerly the SANS Top 20). </li></ul><p><br>There are other frameworks, globally, for IT and information security, and over time The IIA may publish professional tools that evaluate identity and access management control descriptions in those other frameworks. For example, the International Organization for Standardization (ISO) publishes guidance for identity management (ISO 24760), identity proofing (ISO 29003), authentication (ISO 29115), and access management (ISO 29146), which many organizations use for designing and evaluating controls. Clearly, the control concepts are discussed in a fairly consistent vocabulary, so the
<em>GTAG</em> should be relatable to any framework your organization uses.</p><p>One of the great, underappreciated technological controls is the use of identity management services in a process known as federation. This is a centralized system for assigning network access privileges to provide identity, authentication, and access management services to other systems on the network. Sometimes this process is called single sign-on (SSO), and when it is integrated with the organization's human resources database, it can enable the automation of many user access provisioning and deactivation processes.<br></p><p>Still, even in organizations with an SSO tool, there may be business applications or other elements in use that are not fully integrated — perhaps not even hosted on the network. Internal auditors should examine whether the feasibility of federation has been adequately evaluated by the enterprise or security architects. Decisions not to federate are inherently riskier, because of the introduction of manual processes that may inadvertently bypass or weaken other controls. It is definitely worth verifying whether a risk assessment and acceptance was documented.</p><p>Processes that force users of an ID to prove they are who they claim to be are known as authentication. By now, most internal auditors have heard the term multifactor authentication, and hopefully everyone also realizes that when a website or application requires you to enter a password and a code that was texted to you, you are engaging in a multifactor authentication. I won't bore you with the usual "authentication is something you: know, have, or are" examples, but consider identity theft for a moment: Do some organizations enable such frauds through inadequate authentication controls? </p><p>Presumably, most people would prefer to see the use of their identity to commit fraud prevented on the front end rather than repaired afterwards. I hope that the internal auditors in such organizations remain vigilant for opportunities to strengthen authentication controls in the new account set-up processes — please, for the sake of humanity.</p><p> <br></p><p>
David Petrisky, CIA, CRMA, CISA, CPA, is director, Professional Practices at The IIA.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | David Petrisky | 0 | | | |
| What Do You Want? | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/What-Do-You-Want.aspx | What Do You Want? | <p>Things are definitely ramping up in the world. I know you've all been working hard throughout the pandemic, but many changes are coming home to roost and internal auditors everywhere are finding that the new and increased risks mean new and increased work.</p><p>I'm going through a similar kicking into high gear with more opportunities coming my way. As I discuss these opportunities with various clients, I'm remembering and reliving one of the conundrums faced by many freelancers. What do I accept, and what do I reject? Various things have and will cause me to reject an offer (scheduling conflicts and an inability to present on the suggested topic are the main ones.) And basic things have always been important in my decisions to accept a project — the opportunity to help others learn, the opportunity to travel, and the opportunity to get out there and learn what is going on in the internal audit world.</p><p>But I've recently added a new question to my repertoire for decision-making. Not the normal consideration of "What's in it for me?", but a different question: "What do I want?" A simple change that results in a different focus — from what I'll "get" to what it is I "want."<br></p><p>The answer to this question changes with each opportunity and it changes with each day. But asking the question is helping me gain new insights in the work I'm doing.</p><p>As an example, I've been working with a client who laid out what he is looking for in topics and content. We ended our last meeting by my asking him to provide an answer to the questions: "What do you want your employees to get out of the training? What do you want them to have gained when it is all said and done?" (By the way, these are questions you should always ask when you are sending someone for training or going to training yourself.)</p><p>There's a chance he thinks I'm just sitting back now waiting for the answer. But that is far from the truth. I've continued to think about our conversation — the direction requested and the basic needs outlined — and I'm seeing an interesting approach.</p><p>I'm working on some thoughts that, I hope, I get to him before this blog post sees the light of day. What I am seeing — what I want out of this — is a fresh look at some areas where I have provided training before. And one of the things driving this — one of the things making me excited about this opportunity — is I'm answering the question, "What do I want?" The specific answer in this particular instance is unimportant to our discussion here. The important thing is that asking the question has led to something new and exciting … and better.</p><p>Look, I realize a sizable chunk of you out there are not freelancers. In other words, you get the projects that are assigned to you rather than getting to pick and choose the ones that you think might provide you the most value. The boss assigns the work; you have to take it. But that doesn't mean that, when you are assigned that project — anything from a review of blockchain to an audit of petty cash — you don't ask yourself that same question.</p><p>What do I want?</p><p>What will you get from this project? How will you make it yours? What is hidden in the project that others may not see? How can you gain an iota of experience and knowledge from the project? How can you make it fit into the bigger picture of what you are trying to be as an internal auditor? Any of the above. All of the above. Some of the above. None of the above.</p><p>What do you want?</p><p>I have no idea if my newly grandiose scheme for a proposed presentation will come together. I do not know if it will match anything the client wants. I do not know if I can do it. I do not know if circumstances will get in the way. I do not know if anything will come of it. I do not know if it will happen. But I know I've found an extra excitement in this project that, if I hadn't been willing to ask the question, "What do I want?", would not have appeared.</p><p>And that should be what you are looking for — that something more; that opportunity for every project, assignment, and audit to give you what you want.</p><p>Sort it out. Figure it out. Know what you want. And then figure out how to use every project to get it.<br></p> | Mike Jacka | 0 | | | |
| Building a Better Auditor: Holding Ourselves Accountable | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Holding-Ourselves-Accountable.aspx | Building a Better Auditor: Holding Ourselves Accountable | <p>Even if you are not a Spider-Man fan, most persons have heard the quote, "With great power comes great responsibility." Auditors tend not to think of themselves as very powerful. Rather, we often sit in the background quietly playing our role as trusted professionals, solving problems and dedicating ourselves to continuous improvement so we can offer quality services to those who employ us.</p><p>However, internal auditors' power lies within the knowledge and training we receive that often is unique to our profession but has multifaceted purposes throughout society. From charities to public office to environmental issues, our training has afforded us insights that we have taken for granted as common knowledge. As auditors develop their careers, there are opportunities for us to apply those insights in governance and ethics to society at large.</p><p>An <a href="https://na.theiia.org/about-ia/PublicDocuments/Internal-Auditings-Role-in-Corporate-Governance.pdf" data-feathr-click-track="true" target="_blank">IIA Position Paper</a> (PDF) published in May 2018 defined <em>governance</em> as "the amalgam of processes and structures designed to help the organization achieve its objectives." The <em>Merriam-Webster Dictionary</em> defines <em>ethics</em> as "a set of moral principles or the principles of conduct governing an individual or a group." We often receive training in these topics, which at times stirs great debate in determining what constitutes good governance practices and hammering out the ethical behavior to employ when faced with certain scenarios.</p><p>If these topics can still create debate among learned professionals, then it is little wonder that society sometimes fails to grasp these principles. The line between right and wrong is not always clear. However, there are some areas within society where good governance practices and ethical principles are an absolute necessity, simply because of the impact their absence would create not just for ourselves but for those around us and future generations.</p><p>Internal auditors witness failures on a regular basis, whether it be a report on public finances with glaring red flags or poor/nonexistent controls. We witness decisions proposed or made that could harm the environment, be it a new plant rushed without an appropriate environmental assessment or sewage treatment plans without the necessary quality controls. We see new technological or digitization proposals that have not been adequately tested or have glaringly inadequate change-over procedures.</p><p>Sadly, there also are times that internal auditors witness inappropriate behavior, such as bribery, corruption, conflicts of interest, and lack of transparency in bidding processes, for which there may not always be a clear legal violation but, because of our training, we know that it represents a failure in good governance practices or ethical principles.</p><p>We know these things because we were trained to recognize them. But what is our responsibility outside of the role we were hired to do?</p><p>There is no IIA standard that forces us to speak out on these issues, particularly when it comes to matters of public interest. Indeed, speaking out is not everyone's strong suit and can at times come with adverse consequences and backlash. Do not fear: This post is not pushing for you to sacrifice yourself and your families to speak out on issues or topics that make you feel uncomfortable or worried about the safety of your loved ones!</p><p>I do hope, however, that you start to look for opportunities where your professional voice can add value to those around you:</p><ul><li>Maybe the church you attend has implemented a poor governance structure around the collection of money for fundraising events or the collection of tithes and offering.</li><li>Maybe your local community group has been struggling to understand technology that could ease the paperwork that burdens the group.</li><li>Maybe you have observed a way that your neighborhood could improve the way it disposes of waste safely and cost-efficiently that you can share with the sanitation services department.</li><li>Maybe you could volunteer to teach a session to a community/religious group, school, or charity on the importance of ethics, governance, or finance.</li><li>Or maybe you may be bold enough to speak out when your local government engages in practices that are not entirely above board or skate the legality lines.</li></ul><p><br>However you decide to help, never feel as though your contribution is too small to make a difference. We may not be obligated to make a difference in our communities, but if we are going to hold the organizations that we work for accountable for corporate governance, should we not also hold ourselves accountable for being good corporate citizens?</p><p>I view the role of auditor as a noble profession and a career that has imbued me with the privilege of understanding these principles. I hope that this post has encouraged you to seek out opportunities where you can lend your expertise towards the improvement of others, your communities, or the society at large. In the words of Edmund Burke, the only thing necessary for the triumph of evil is for good men to do nothing.</p><p><br></p><p>Krystle Howell, CIA, CPA, ALMI, ACS, is an internal auditor with Sagicor Life Inc. in St. Michael, Barbados.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Krystle Howell | 0 | | | |
| On the Frontlines: Internal Audit’s Role in ESG | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Internal-Audits-Role-in-ESG.aspx | On the Frontlines: Internal Audit’s Role in ESG | <p>The IIA's recent <a href="https://global.theiia.org/about/about-internal-auditing/Public%20Documents/White-Paper-Internal-Audits-Role-in-ESG-Reporting.pdf" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">white paper</a> (PDF), Internal Audit's Role in ESG Reporting: Independent Assurance Is Critical to Effective Sustainability Reporting, is clear about why and how all internal auditors should be contributing to the global achievement of the United Nations' (UN's) 2015 sustainable development goals. Auditors' scope, assurance, consulting, and practices should all be working toward accomplishing each of the 17 U.N. goals for environmental, social, and governance (ESG).</p><p>Logan Wamsley's excellent article, <a href="/2021/Pages/Is-ESG-the-New-Sarbanes-Oxley.aspx" data-feathr-click-track="true">"Is ESG the New Sarbanes-Oxley?"</a>, and Anne Millage's <a href="/2021/Pages/Editors-Note-The-ESG-Journey.aspx" data-feathr-click-track="true">Editor's Note</a> in the June issue of <em>Internal Auditor</em> each set out the way forward for all internal audit functions across all sectors throughout the world. There are signs this is happening, but those signs are too few. Past and current research evidence has shown that few practitioners address the connectivity of national and global ESG issues in their risk-based internal auditing.</p><p>Yet, any study of The Institute's history of modern internal auditing since 1941 can find many examples of guidance for internal auditors to recognize their role beyond just organizational and regulatory governance. Auditors must focus more widely on how their organization commits to public needs and interest as part of its culture.</p><p>This focus is being driven today by many regulators globally. All internal auditors must be drivers — not just passengers — as the long-term, sustainable future of all people, the planet, and global prosperity enfolds. These three P's must be everyone's guiding light. Otherwise, we all fail.</p><p>My first internal audits in the U.K. in the early 1960s, as a senior internal auditor in two major U.S. manufacturing companies, covered material waste control and recycling in production areas. Little did I realize at the time that I was addressing some aspects of ESG in my scope, planning, and practice. The lessons I learned in those audits influenced a lot of my future work as an internal auditor, manager, academic, board member, and author, even though at the time there was little regulatory or public interest in the waste that companies produce. </p><p>Today, regulatory and public interest should be in the scope, planning, practices, and reporting of all internal audit assignments. This has to be today's paradigm shift for our profession, just as it was in the past with fraud in publicly listed companies.</p><p>For those who have not read the U.S. Treadway Commission Report of 1987, there are many parallels to learn for today's ESG risks and mitigations. This report predated the global corporate governance movement of the early 1990s and as it moved into the 21st century. It placed internal auditing ahead of the pack in promoting the principles of openness, integrity, and accountability in good governance. Ultimately, the report led to the establishment of The Committee of Sponsoring Organizations of the Treadway Commission (COSO), its <em>Internal Control–Integrated Framework</em>, and The IIA's updated Three Lines Model. </p><p>What is less known and mentioned is COSO's 2018 statement on the "evolving landscape of environmental, social, and governance (ESG)-related risks that can impact their profitability, success, and even survival." COSO partnered with the World Business Council for Sustainable Development to develop <a href="https://www.wbcsd.org/Programs/Redefining-Value/New-pages-Testing/Redefining-Value/Making-stakeholder-capitalism-actionable/Enterprise-Risk-Management/Resources/Applying-Enterprise-Risk-Management-to-Environmental-Social-and-Governance-related-Risks" data-feathr-click-track="true" target="_blank">guidance</a> to "help risk management and sustainability practitioners apply enterprise risk management concepts and processes to ESG-related risks." This is guidance that every internal auditor should study, if not every board and audit committee member. If they do not follow this guidance, they are in peril of being challenged on it by governments, regulators, and other key stakeholders. </p><p>This challenge is real. It will never go away. </p><p>The IIA has been on the ESG stage for many years with environmental management and assurance, as well as with the International Integrated Reporting Council, which combined with the Sustainability Accounting Standards Board in June to form the Value Reporting Foundation. That organization's global membership is promoting and developing business and investor ESG decision-making and reporting.</p><p>The direction of our profession has always been there, beginning with The IIA's first Statement of Responsibilities in 1947, which defined the activity of the internal auditor to "Ascertain the extent to which company assets are properly accounted for and safeguarded from losses of all kinds." The IIA was the first professional institution to establish a global Code of Ethics for its members in 1968. Since then, The Institute has progressed from issuing its first professional <em>Standards</em> in 1978, to releasing its current Core Principles for the Professional Practices of Internal Auditing, which underpin the International Professional Practices Framework.</p><p>Those Core Principles embrace all that is required for quality and improvement in the services internal auditors provide. The evaluation of that quality and improvement in every internal audit function must now include how internal auditors, management, and boards are walking the talk of ESG.</p><p>Is this happening in your organization today? If not, it should be. Do not delay!</p><p> </p><p>Jeffrey Ridley, CIA, is a visiting professor at Birmingham City University, University of Lincoln, and London South Bank University. He was the first president of the Chartered Institute of Internal Auditors in the U.K. in 1975-1976.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Jeffrey Ridley | 0 | | | |
| Paying Attention to Paying Attention | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/Paying-Attention-to-Paying-Attention.aspx | Paying Attention to Paying Attention | <p>When our audit department first got laptop computers (a long time ago in an insurance audit department far, far away), I had lots of reasons to instantly embrace them. One of the more mundane/unusual was because I wanted to use them to take notes. You might not think that would be a big deal. But it is important to use any tool to make things better, and boy did I need to make my notes better.</p><p>I have handwriting akin to an uncalibrated seismograph, an affliction with which I've suffered my entire life. In high school, my taking a typing class was not an option, it was a necessity. (And, yes, the class was literally called "Typing." And one of my great memories from it was my friends who said they didn't need to take typing because they "would have their secretaries do that." What can I say? It was the 1970s. And I still fondly think of them when I imagine them sitting at their computers hunting and pecking at 20 words per minute, wondering when the world passed them by. As usual, I digress.)</p><p>My handwriting was a detriment to the professionalism of my workpapers. But there was no option, so I struggled to write more slowly, more legibly, and more succinctly. (An accidental benefit to the whole thing.)</p><p>Laptops opened up a new world. I could type my notes.</p><p>And with that I realized I had a skill some others did not. I could type as I listened. I would sit down with an interviewee, open up the computer, and explain I would be taking notes on the computer. I would then begin the interview and, while maintaining appropriate eye contact, take relevant notes regarding what I was hearing. No interruption in the flow. No unusual interruptions as I documented a particularly juicy morsel. No scribbling and erasing and scratching out. Just a flow of documentation without ever looking at the keyboard.</p><p>And from this I learned something interesting. By focusing on what was said rather than documenting what was said — by letting my brain/fingers handle their roles almost unconsciously — I was able to better listen to what I was needing to hear.</p><p>How much do any of us listen to when we are interviewing someone. Most of us are aware of the concepts behind <a href="/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Expanding-Your-Internal-Audit-Role-Through-Active-Listening.aspx" data-feathr-click-track="true">active listening</a> — putting aside distractive thoughts, refraining from the pre-development of rebuttals, reflecting the answers, etc. But do we ever take it to the next level? Do we realize the impact that taking notes — of losing eye contact to document what has been said, even when it is typing the details in the computer — has on the flow of information and conversation? The sentence, "Could you hold on a minute while I get this down?" is a two-edged sword that, while showing the person that what they have to say is important, also interrupts whatever flow has been created. (Not to mention the fear that can be caused as the interviewee wonders what they said that was so important.)</p><p>In the book <em>Writing Down the Bones</em>, Natalie Goldberg shares a story told by Rabbi Zalman Schachter. When he was in rabbinical school, the students were not allowed to take notes. They had to just listen, and when the lecture was done, they were expected to know it.</p><p>How well would it work for you if you were only allowed to listen and remember what was said in any interview? How much closer attention would you pay to the words, the meaning, and the underlying messages?</p><p>Of course we can't do this during an audit. We have to document what we hear and ensure it is accurate. But, when that interview is over, can you sit back and remember, even with the help of having just documented it, what was said? And, if you can't, what does that say about your listening skills? And the follow-up question: How accurate are those notes if you are so busy writing them down that you are not hearing what is being said?</p><p>Practice typing notes as you interview. See if you can get it all down without it seeming like you are taking notes. Practice the Rabbi's exercise in noncritical situations. See if, after a conversation, you can remember what was actually said.</p><p>But, whether you type without looking, or never take a note and memorize every word that is being said, or go ahead and ask the interviewee to stop while you take notes to ensure you are accurately documenting the intent of the conversation — no matter your method — there is only one thing you really need to do.</p><p>Listen.<br></p> | Mike Jacka | 0 | | | |
| #IAm Steve Mar | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/IAm-Steve-Mar.aspx | #IAm Steve Mar | <p>Aloha. While attending an IIA–Hawaii Chapter meeting in 2017, I was introduced to some of the local Honolulu internal audit leaders. They asked me what I did, and I explained that I taught IT auditing part-time at Seattle University. <br></p><p>Within a week, while walking on Waikiki Beach, I received a phone call to meet with two University of Hawaii (UH) professors in the Shidler School of Business. They wanted to speak to me about teaching an IT audit course at UH during the winter. </p><p>See what happens when you attend IIA chapter meetings?</p><p>Now I "practice retiring in Hawaii" by teaching part-time in the winter, then going back to Seattle to teach part-time in the summer. All because of an IIA event I attended.</p><p>I spent most of my professional career in internal and external audit with some time in information security. Initially, I joined The IIA because of the internal audit group membership at Bank of America, where I began my professional career. I worked and grew from a new internal auditor to leading IT audit and information security teams in several organizations. After several years at Bank of America, I worked for many years at KPMG, Deloitte, Microsoft, RGP, and Nordstrom. </p><p>Throughout my career, I remained active with The IIA because I realized the many benefits and opportunities membership provided me. The IIA enabled me to develop my career and come into contact with many amazing and brilliant global internal audit leaders. </p><p>Over the years, I got to know wonderful individuals who worked directly for The IIA and visited them at The Institute's global headquarters whenever I had an opportunity. I served on several international committees such as the Research & Education Advisors and Advanced Technology. I also have edited and occasionally written articles for <em>Internal Auditor</em> magazine's ITAudit department. One September, I visited the <em>Internal Auditor</em> staff in person.</p><p>I have attended many IIA International and General Audit Management conferences, where I learned from other professionals from around the world. These internal auditors were from Australia, Brazil, China, Columbia, France, Germany, Japan, Malaysia, Mexico, The Netherlands, Singapore, South Africa, Sweden, and the U.K. I got to meet with many of the international committee members who volunteer their time and give back to the profession. Closer to home, I continue to serve on the IIA–Seattle Chapter Board. </p><p>Those IIA ties set me on the course toward "practicing retiring," but not before I took on one last job. I first met Dominique Vincenti when she was chief advocacy officer at The IIA and I was on an IIA committee. When she became chief audit executive at Nordstrom, she recruited me to the company in 2010. While still working at Nordstrom, Dominique offered me the opportunity to teach IT auditing at Seattle University. </p><p>I taught my first class in the 2015 summer quarter. I enjoyed the experience, but I realized I needed to improve so I could become a better instructor. After I retired from Nordstrom in 2016, I taught other courses in information systems and audit data analytics at Seattle University, all on a part-time basis.</p><p>When winter arrives in Seattle, I am off to Hawaii, where the warm weather, as well as the more relaxing culture and business climate, allow me to practice retiring in Hawaii, while having fun. As with The IIA, Hawaii brings back great memories.</p><p>For example, I first traveled to Honolulu many years ago while working at KPMG and Deloitte. One year, my wife, Betty, signed me up to run in the Honolulu Marathon. I thought she was crazy. After I finished the first race, I ran in 13 straight Honolulu Marathons. I never won the race, but I had fun trying. </p><p>Now, on the days I am not teaching at UH, I go swimming, jogging, boogie boarding, hiking, feed the homeless in Ala Moana Park through a local church, and go out dining with my wife for enjoyment.</p><p>My retirement practice continues to evolve. Donny Shimamoto, who I met through The IIA, discovered that I traveled to Honolulu each winter about two years ago. Donny asked me to join his company, IntrapriseTechKnowlegies, to perform IT audits part-time while in Hawaii.</p><p>So, you see joining The IIA can help you plan and "practice retiring in Hawaii." As we say in Hawaii: Mahalo no ka ho'olohe 'ana.</p><p><br></p><p>Steve Mar, CFSA, CISA, is a part-time professor in the Albers School of Business and Economics at Seattle University and in the Shidler School of Business at the University of Hawaii.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p> | Steve Mar | 0 | | | |
| Building a Better Auditor: New Leader, New Team | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/New-Leader-New-Team.aspx | Building a Better Auditor: New Leader, New Team | <p>During my six years as a staff-level internal audit practitioner, I often thought, "If I ever get the chance to lead, I would do this or that differently." In September 2019, my opportunity arrived. I became the senior internal auditor with the chance to take our internal audit team into a new era.</p><p>My vision for the team was always to be future focused, while staying grounded in the present. I wanted to retool the team and make things more efficient. I also wanted to deliver value-added results to our stakeholders so they would seek us out for our high-level, professional services and solutions.</p><p>To achieve these objectives, I knew the team needed the right talent, team members who would always be open to learning and adaptable to change. To fill the staff position I was leaving, my main focus was to recruit someone who was professional, had a strong foundation in the financial world, and who could communicate his or her thoughts clearly, precisely, and concisely both verbally and in writing.</p><p>The next change I wanted to make right away was revamping our internal audit function's policies and procedures. During the six years I was a staff auditor, there had never been a review of our policies and procedures. I felt that they needed to be revised, not only to fit the vision I had for the team, but to fit the way the internal audit profession was going.</p><p>Among those revisions, was including specific times that the team would get together for brainstorming sessions on risks affecting the company. This would be a time to learn from each other and share our thoughts on any of the issues we believed could affect the business. During engagements, monitoring procedures also were needed so that we could hold ourselves accountable. This would also enable us to find more enjoyment in our day-to-day work, without feeling the weight of being stuck and not moving forward.</p><p>This planning was all done before even starting any engagements, and taking the reins of a team in the midst of its audit plan for the year presented a different challenge in itself. But once we had our foundation set, including how we would achieve our objectives, I trusted that everything else would fall into place.</p><p>Then came our trials. With both my staff practitioners having less than two years of experience in the profession, there was a sweet spot I was trying to find — the balance of getting the job done within our budget, while also providing in-depth training in how we should be doing things.</p><p>I also realized that now, instead of thinking only of what I wanted to change, I was confronted with thoughts of what type of leader I was going to be. Would I be the person who demands work to be done by this date and time, and wants perfection daily? Would I be the laissez-faire leader?</p><p>The truth is I tried a variety of leadership styles, and I've learned that it's all situational. Reading the situation and using your best judgment, in most cases, will lead you in the right direction when it comes to managing a team.</p><p>With more than a year's experience as the senior internal auditor and with a recent addition to the team, I've learned that once you're in the leadership role, 100% of your focus needs to be on the path in front of you. Leaders have be adaptable to any changes and challenges, be able to make decisions swiftly, use their own wealth of experience to help the team develop, and be able to communicate their vision. They also have to set goals and targets and implement practical steps to help the team achieve those goals.</p><p>For other internal auditors who are thinking about what they would do differently if they were in a leadership role, having a vision is the first step. Once you get there, see what you want to accomplish, take decisive, well-thought-out steps to get there, and always deliver the best that you can.<br></p><p><br></p><p style="text-align:justify;">Emilio Lui, CIA, is the senior internal auditor for a group of companies in Belize City, Belize.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | Emilio Lui | 0 | | | |
| Welcome Back, Let's Get Away | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/Welcome-Back-Lets-Get-Away.aspx | Welcome Back, Let's Get Away | <p>I'm going to throw out an idea for you. Keep in mind that this comes from a man who is semi-retired; has no stake in the success or failure of any such idea; and doesn't have to worry about budgets, schedules, or the mundanities of everyday work-life. This comes from someone who was once burdened with the realities of the world, but can now ivory-tower his life away. However, I think it's a good idea. So, I throw it your way for you to contemplate and do with as you will.</p><p>Emerging like blinded animals who use their paws to shade their eyes after clambering out of their hibernation holes, we are starting to see a shift back to normalcy — or, at least, whatever normal will/has become. Risks still need to be identified, controls still need to be established, and work still needs to be done. So we follow our natural instincts and jump back into the fray (a fray we never really jumped out of, but go with me on this.)</p><p>However, as much as we would like to flip a switch and strategically, structurally, and emotionally go back a year-and-a-half to "The Before Times," it isn't going to happen. Even if we have kept abreast of the organization's moves and countermoves, more changes are on the way. And, for many of us, there is some catching up to be done. We are back in the real world, and the real world is not waiting for us.</p><p>Good audit leaders have kept things running and changing and adapting all along. Most departments are not taking off on this new race from a standing start. And the good leaders also know that more dramatic changes and adaptations are on the horizon (if not already crested past that horizon and on our doorsteps.)</p><p>But here is the thing most of us have missed. The dizzying rate of actions, reactions, changes, fly-by-the-seat-of-one's-pants, and adjustment to the revisions of the accommodations because of backlash from modifications because all heck broke loose, has led to a focus on the month-to-month, week-to-week, day-to-day, and even hour-to-hour changes necessary to be only slightly behind. And that means, for most, it has been a while since we have paused, taken a breath, and tried to look at the big picture.</p><p>Strategically, where is the organization headed, where is the department headed, and how is the department going to help the organization?</p><p>We are at an inflection point. And, yes, I hate that cliché as much as you do. However, in this case, it is not a cliché. It describes the interesting and rare opportunity that exists at this unique moment in history.</p><p>Here's my thought. Before everyone gets smashed back in their cubicles (literally and metaphorically) and forced to sort their way through the new reality, take the time to bring everyone together in order to spend some time looking back and, most importantly, looking forward.</p><p>Make it a couple of days. And make it something special. Call it an off-campus retreat, a free-form workshop, a set of very-happy hours. Get across the idea that this is not a time to work, but a time to find out how to work better. Maybe you can afford to sneak everyone to Durango, Colo. (Ask me about that story, later.) Maybe you meet at a local hotel/conference center. Maybe it is just getting together for a day or two at the executive's house. But get away before you all get back together.</p><p>Done correctly, it is an opportunity for the staff to get to know each other again — a chance to become reacquainted with the humans behind the screens. But, after that, it is a time to discuss where, in this new world, the department is headed and how it can help the organization. And, for best results, make it an open discussion. Of course the leader should lead, but everyone has to be a part of the discussion. And part of the final decisions.</p><p>Make it valuable. Make it meaningful. Make if fun. And, from this should come a new direction and a new purpose for the department — one that reflects the world that changed and is still changing.</p><p>As I say, real easy for me to throw this out here. It's no skin off my audit schedule. But if I were in charge, or at least had some clout to help drive such a decision, I would be doing my best to get this done. (Again, ask me about Durango.)</p><p>And if you have no power? As is so often the case in these situations, search for those who are like-minded. Maybe you can't change the direction of the department or establish a new purpose. But for yourself or for that group of like-minded people, look for a chance to get together and start envisioning the future while determining the steps needed to get there.</p><p>Let me know if you think this would work, let me know why you don't think it would work, let me know why you won't try it, and let me know if you do try it. I'm really interested to know.<br></p> | Mike Jacka | 0 | | | |
| Take the Time | | https://iaonline.theiia.org/blogs/jacka/2021/Pages/Take-the-Time.aspx | Take the Time | <p>When you get right down to it, I don't have a real hectic life. Being semi-retired, I kind of make my own schedule and do only what I want when it comes to the world of internal audit. Over the last year-plus that meant some virtual presentations and a lot of writing. But no real pressure. Trust me, most afternoons were filled with thinking about, maybe, possibly, but not likely, doing something. (If anyone asks you, retirement does not stink.)</p><p>So, the idea of my taking a week-long vacation to Yellowstone National Park (something I did last week) may seem like it would have had no real impact on that internal audit world. But a fascinating thing happened.</p><p>Even though, as I say, all I have been doing is a little speaking and some writing (primarily keeping up on this blog), I found that, when I had returned, that week-long excursion had allowed me to depressurize, even though I didn't know any pressure had been building. There was a new-found freedom in my choices; in the work I was doing; and in my ability to explore, examine, and learn.</p><p>Now, in those olden days when I had a real job, there was no doubt I needed such respites. (It's something I have written about in the past.) And I have always been a raving advocate for anyone and everyone to take their vacations, to cut themselves off, to take time to step away from the real world in order to come back revitalized and newly enthusiastic.</p><p>But we have gone through weird times. We've been locked up, we've worked in new and confusing situations, and we've faced challenges and change at an unprecedented rate. And that means, even if we haven't felt the pressures — even if we haven't realized the pressures are there — we need to step back and take a breath before we plunge into the new reality.</p><p>Almost everyone I talk to has a lot — a LOT — of vacation they have not taken. (Where were any of us going to go?) And that means, unfortunately, that a lot of vacations will not be taken.</p><p>Do not fall into the trap. Again, we have been working in a strange world with strange pressures. It is about to change. We are not going back to the way things were. Instead, we are going to some hybrid that will cause us new tensions and new pressures. Better to relieve the existing pressures before the new ones start to build.</p><p>I know the excuses. We have too much going on. We have too many new responsibilities. We have too much to do. We have no time. We have, we have, we have, we have… All wonderful and all valid. And not a single one is worth its weight in workpapers against the need to get away and start afresh.</p><p>I spent a week in Yellowstone battling crowds, paying too much for gasoline, waiting in bison jams, and, in general, facing the frustrations that come from a crowded national park. And it was worth every minute for what I saw and for how I felt when I came back.</p><p>I expected the former; the latter caught me by surprise.</p><p>And it will catch you by surprise, too — how much you need it and how much it will change your attitude upon your return.</p><p>Take what is yours. Take your time to take the time to regroup, refresh, and re-energize.</p><p>And when you come back…well, maybe it still isn't quite time to jump back into the fray. Next time, some thoughts on how the department may want to confront everything that is about to happen to the department and to the organization.<br></p> | Mike Jacka | 0 | | | |
| On the Frontlines: Why Sensationalism Is Bad for Internal Auditing | | https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Why-Sensationalism-Is-Bad-for-Internal-Auditing.aspx | On the Frontlines: Why Sensationalism Is Bad for Internal Auditing | <p>There is an old story about a shepherd who falsely warned his colleagues that a wolf was approaching them. The shepherd raised the alarm so many times that when the wolf really was approaching, no one believed him. Something similar happens with internal auditors in many organizations.</p><p>Internal auditors come across different issues in their work. Sometimes the issues are very severe and critical for the organization; sometimes they are not. Regardless of how critical the findings identified are, it is tempting for auditors to present their findings as sensational things.</p><p>When internal audit's practices include presenting findings sensationally, with the chief audit executive's (CAE's) support, auditors may compete with each other to come up with better, more critical, and more sensational findings. Doing so can not only be self-promotional, it also may lead auditors to present less severe issues as more severe to keep clients interested in their audit work.</p><p>Sensationalistic findings become common for different reasons. The internal audit department may not be appreciated by the rest of the organization and use this approach to try to improve its position. In other organizations, internal audit's value-adding role may not be understood. The CAE may support and promote sensationalism to motivate the internal audit team members who are less motivated than their peers. Additionally, the organization's top management may appreciate and request such an approach.</p><p>Sensationalism can bring attention to internal audit's work in the short term, but is it a good and sustainable approach for auditors to take? In the IIA's <a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx" data-feathr-click-track="true" target="_blank">Code of Ethics</a>,<em> </em>Principle 2: Objectivity states:<br></p><p><span class="ms-rteStyle-BQ">"Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments."</span></p><p>Here are some guidelines to help auditors refrain from sensationalism, while complying with the <a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx" data-feathr-click-track="true" target="_blank"><em>International Standards for the Professional Practice of Internal Auditing</em></a><em> </em>and creating value for the organization.</p><p><strong>Preserve Objectivity During Auditing</strong> Principle 2 requires auditors to keep an unbiased mental attitude and perform their work in an uncompromising manner. Auditors can comply with this principle by not accepting anything that may impair, or be presumed to impair, their independence and by disclosing any facts that may influence activities under review.</p><p><strong>Build and Maintain Trustful Relationships With the Organization</strong> Auditors always should have in mind a long-term perspective and expectation that internal audit should add value to the organization. Building a trusting relationship with clients is not easy, but it can be lost in seconds and may never be restored.</p><p><strong>Stick to the Facts</strong> The <em>Standards</em><em> </em>require auditors' work to produce balanced and objective results. Their findings must be supported by sufficient, reliable, relevant, and useful documentation that would enable a similarly informed individual to come to the same conclusions.</p><p><strong>Report on Audit Results</strong> Avoiding sensationalism is important in audit reporting. Being brave enough to report on difficult and sensitive issues, while finding the right words and ways to present the issues identified, is the heart of internal auditing. Sticking to the audit methodology when making professional judgments about the severity of findings is a great support to balanced audit reports.</p><p><strong>Present Audit Results</strong> In addition to their written report, auditors are expected to present their audit results and speak in more detail in front of audiences such as managers, the audit committee, and the board. The keys to a successful presentation are good preparation, sticking to the facts that confirm the issues identified, and avoiding subjectivity.</p><p><strong>Be a Change Agent, Not a Judge</strong> Internal auditors are expected to be change agents and trusted advisors. Their job is to focus on improving the organization and add value. This implies finding a root cause and giving recommendations on how to improve the situation, rather than making judgments about who is guilty or not.</p><p>Sensationalism is not a sustainable strategy for promoting internal audit, nor does it comply with the <em>Standards</em> and Code of Ethics. Auditors should not compromise their position and reputation in the organization to achieve short-term sensationalistic results, while endangering the long-term perspective.</p><p><br></p><p>Maja Milosavljevic, CIA, CRMA, is an internal auditor in Vienna and a 2015 <em>Internal Auditor</em> Emerging Leader.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em></p> | Maja Milosavljevic | 0 | | | |
