Your Voices




A Change Would Do You Good<p>Whew. Been a crazy year, hasn't it? And crazy times have brought about a crazy amount of pontification on what has and will be happening. Don't know about you, but I never again need to hear the phrase "unprecedented times," "new normal," or any of the other recoined cliches we are seeing and reading everywhere.</p><p>However, fearful that the pitchforks and torches will be brought out with the spouting of another cliche, let me throw out another bromide. "The only constant is change." Sick of hearing it? Yes. Any less true for its over repetition? No.</p><p>So, if we all know change is constant, how were we in internal audit all caught so flat-footed?</p><p>Let's begin by admitting that, in the before times, we knew change was happening/going to happen. There was much talk and discussion about it in internal audit circles. Unfortunately, we seemed to think such change was far enough away that we need not take immediate action. And change, when we did implement it, happened at what we now can recognize as a glacial pace.</p><p>And then this black swan — a black swan so black it made all others look gray — flew into our lives. And change not only became a reality but accelerated beyond our wildest expectations. It hasn't been pretty.</p><p>The good news is that these events forced some changes that we in internal audit should have been implementing all along. The bad news is that much of the change we are trying to accomplish is a function of us doing little more than just trying to catch up. As a result, we now stand lip-deep in the muck, trying to find our way back to solid ground.</p><p>In spite of the gloom and doom that may seem to permeate the previous, it is not my objective to slap our collective wrists for not being ready. Yeah, we knew changes were coming (were happening) and we should have already been moving in the right direction. 
And, yeah, change rushed upon us so fast we did our best deer-in-the-headlights imitation. And, yeah, we need to dance as fast as we can to catch up.</p><p>However, we also need to learn lessons from our failure. There is a future beyond what is now occurring and, while we address our current predicaments, we must also prepare for the changes still to come. (Change does not stop just because it happened so quickly in the past.) While it is hard to focus on that future right now, we have to remember that the time to prepare for change is not when it occurs, but before it comes a-calling.</p><p>And therein lies the important point. We could not have predicted the specific changes we are now going through. All we could have known was that change, of some sort, was going to occur. Similarly, we cannot really predict the specific changes that will come. We can only know that change will occur. And that is why the concept of "managing change" really doesn't make sense. You cannot manage the unknown. Instead, rather than try to manage change, we must focus on using change, current and future, as an opportunity for growth and improvement — to prepare ourselves to ride the wave of change.</p><p>(And at this point I need to give you a reference. Some of the concepts I'll be talking about, including the prior discussion of managing change, come from the <em>Harvard Business Review</em> article, <a href="" data-feathr-click-track="true" target="_blank">"A Futurist's Guide to Preparing Your Company for Constant Change"</a> by April Rinne. You should be able to access it, but HBR does put a limit on how many articles you can view, so keep that in mind.)</p><p>The first thing every internal audit shop needs to do is change the mindset related to change. Too often, change is perceived as a risk. So, the department focuses on trying to mitigate that risk, ultimately removing the value any change might provide.</p><p>Don't believe me? 
Think about what it took/what it takes to implement any change in your department. How many questions are asked? How many approvals are required? How many "changes" are reformed and reformatted to the point where no change is recognized? And how many suggestions actually make it through?</p><p>This is the attempt to manage change. And it is why we do not take advantage of the opportunities that change provides. And it is why we are unprepared when the world changes around us.</p><p>This change in mindset has to start at the top. (Thank you, Captain Obvious.) It has to be preached from the top. Everyone has to understand this new mindset and be told again and again by leadership that the department wants to look forward, that it wants to prepare for what is to come, and that it now wants to accept change as something to be embraced rather than avoided. And then, the most important aspect of any mindset change, it has to be supported. Another cliché I hate, but one that is true: You must talk the talk, and then walk it. Our profession's history of risk-aversion and change-squelching means that even the slightest wobble in support may make all efforts moot.</p><p>As part of these efforts, leadership should be looking for change agents. Lurking within the department are people already chomping to be let loose — to make things better and different (not necessarily in that order.) They have to be given the freedom they need to do the things they dream. Some may not believe a different mindset has arrived and may hide. But they have to be given the chance to come forward and lead the department into new and valuable areas. Watch carefully. Leadership comes from anywhere.</p><p>Finally, the article discusses the concept of having someone assigned to "change-readiness." 
As you find those who want change, you will also identify people who can see the broader pictures — the ones who are looking at the future of internal audit within the perspective of your department; the ones who are seeing the tools, techniques, and adaptations that will make your department more effective; and the ones who can help the department prepare for a change-heavy future. Find that individual and give him or her the authority to start making your department change ready.</p><p>Let me note that I have addressed much of the foregoing to audit leadership. But change seldom comes from the official leaders; it comes from those who can see the work that is being done while seeing the opportunities. That means that this message is really for every auditor in every position. Change can be driven from anywhere. Yeah, it's a lot easier if leadership is right there with you. But a leader can come from anywhere. And you can be that leader.</p><p>Ultimately, this all comes down to a phrase that internal auditors have thrown around for years — internal auditors as change agents. But we have talked a lot and done very little about it. In fact, many professionals don't buy into our role as change agents. They see it as a violation of our independence and objectivity. </p><p>Sorry, but it is not a violation. (And I'm not going into that can of misinformed worms right now.) But becoming change agents — embracing change and looking at it as an opportunity rather than something that must be "managed" — is the way internal audit can remain relevant, not only watching for change, but leading change in our profession, in our organizations, and in our industries.<br></p>Mike Jacka
On the Frontlines: The Culture Risk of an Organizationwide COVID-19 Vaccination Policy<p>The COVID-19 pandemic hit every corner of the world and affected how people conduct business, interact with each other, and do basic things in their daily lives. Since the beginning of this year, though, several vaccines have become available, which have shown promising efficacy rates.</p><p>As a result of the vaccines, many countries have begun to relax their COVID-19 regulations and protocols. Organizations have followed suit by shifting operations from remote working to being physically in the office, at least part-time. These organizations have been banking on the goodwill of their employees to be vaccinated, but this has not been the case.</p><p>Because of the availability of information — and misinformation — about the vaccines and their safety from various sources online, many people have decided to wait before taking the vaccine or have refused to get it at all. For organizations, it is important to use information filtering and keep an open line of communication to consistently supply employees with factual information to reduce the fear of taking the COVID-19 vaccine.</p><p>Some organizations have decided to implement a policy that all employees must be vaccinated. Such a mandate can present a significant risk to the company's culture.</p><p>Management must be educated and aware that not all employees will want to take the vaccine. It is then important for the organization to establish a policy that is sensitive to the views of those employees, but still accomplishes the organization's objectives. Policies should always have a top-down approach in rollout, but a bottom-up approach when sensitizing it to the workforce.</p><p>Usually, policies begin with the organization's board, which should develop a general idea of what a vaccination policy should include. 
This should start with the company's values and ethics.</p><p>If the company values having a healthy workforce and wants to provide a safe environment for customers, this is a great starting place to build the policy. Questions the board should consider include:</p><ul><li>Will there be a deadline for employees to have received the vaccine?</li><li>Will there be increased educational sessions with employees to reduce the risk that employees will fear taking the vaccine?</li><li>Will there be exceptions to the policy?</li><li>Will the data be used as a benchmark to normalize the work environment?</li></ul><p><br>For management, it will be important to determine the procedures and details of monitoring the vaccine mandate policy to ensure that it is successful. Communicating with employees on a personal level will be key. Management must use its leadership skills to motivate and encourage employees about the benefits of taking the vaccine. This must be done with great respect and should be done in person — as long as that is safe — to offer a personal touch. Moreover, reporting must be included in the procedures, to keep the board abreast of any updates.</p><p>Inevitably, internal audit will be required to assess the effectiveness of the policy. We should start with the effectiveness of its rollout and its impact on the culture:</p><ul><li>Was there an increase of employee complaints or whistleblowing activities?</li><li>Was there a spike in resignations from the company, especially from positions that were determined to be key personnel?</li><li>Was there an increase in employees who spoke out against the company publicly or on social media?</li><li>Was there a general increase in negative comments about the organization on social media?</li></ul><p><br>These are only some of the risks that internal audit must look at to determine the policy's impact. 
Auditors also must verify that the policy is rooted in the company's ethics and values, and that they are consistently communicated across company lines.</p><p>Reviewing and reporting on the accuracy of the vaccination numbers will be the last test of the policy's effectiveness. If the company is close to 100% vaccinated with minimal residual risks associated, internal auditors should be able to provide reasonable assurance that the company's objectives were achieved.<br></p><p><br></p><p>Emilio Lui, CIA, is the senior internal auditor for a group of companies located in Belize City, Belize.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Emilio Lui
Building a Better Auditor: Developing a Thick Skin<p>Someone told me early on in my career that internal auditors need to develop a thick skin. While I found it amusing back then, over the years, I have realized there was truth in that statement. One of the essential attributes for an auditor is the ability to remain unmoved by criticism. That also means auditors should not expect any appreciation for a job well done.</p><p>The nature of the profession is such that we are expected to flag risks and propose actions to manage the risk effectively and efficiently. If carried out in the right spirit, this helps the organization avoid or reduce losses from events before they occur — and sometimes help prevent the risk, itself.</p><p>However, in the course of this work, internal auditors sometimes face resistance from audit clients. We often hear statements such as, "Internal audit doesn't understand the business," "Internal audit is flagging a risk that can never occur," and "It's a waste of management's time." The criticism may be justified at times, and auditors should have an open mind to listen to our clients.</p><p>On the flip side, when the client does accept audit recommendations, the fact that the business was protected from the impact of a potential risk by following those recommendations is rarely acknowledged. Let me explain with an example.</p><p>In late 2019, one of our audit teams performed an audit of the crisis management process in one of the company's regions. The audit client's management initially questioned the need for an audit of this nature, something it saw as nonessential. The audit team prevailed and completed the audit, providing recommendations to strengthen the crisis management and emergency response procedures, which were found to be inconsistent or lacking across entities in the region.</p><p>A couple of months after the audit, the COVID-19 pandemic was spreading like wildfire across the globe. 
Businesses had to make quick crisis-response decisions and take steps to ensure business continuity. Guess which region in the company was ready to immediately tackle the crisis and took steps to secure employees, assets, and operations? Yes, the one that internal audit had recently audited.</p><p>Did the client's management acknowledge and appreciate internal audit? No. However, we learned from a second-line compliance partner that the crisis management response and procedures had worked smoothly when this crisis broke out, unlike earlier years, and the partner felt the audit was timely and helpful.</p><p>Surely, I don't mean to claim that the audit team had a premonition of the upcoming crisis. The points I wish to make here are:</p><ul><li>It is important for auditors to stand our ground if we have done our homework and assessed the risks adequately. In this case, the audit team was convinced that this was an area to be reviewed and was not swayed by the resistance from the audit clients.</li><li>Unlike the above example, in most cases, auditors might not have an opportunity to demonstrate the visible impact of our work. If the business implements our recommendations and the risk is successfully averted, then how do auditors prove the risk would have occurred in the first place?</li></ul><p><br>That is the beauty and the bane of our profession. The most effective auditors are the ones who help the organization successfully manage risks before they could adversely impact the organization. However, that also means people might never acknowledge or realize the good work of the auditor because they actually do not see a loss.</p><p>Hence, it is important for auditors to be open and listen to what the business stakeholders have to say, yet maintain a healthy professional skepticism and do our own homework and due diligence on risks. 
Also, do not expect any reward for a job well done.</p><p>It helps to develop a thick skin in such cases, where there is no acknowledgment of the auditors' contributions. After all, our work itself is a reward, isn't it?</p><p>Parikshith Acharya, CIA, CA, CISA, is a director of Internal Audit at Hewlett Packard Enterprise in Bangalore, India.</p>Parikshith Acharya
A Fable of Observation and Analysis<p>The following is adapted from something I saw posted on Facebook. Accordingly, I cannot vouch for its veracity. However, accurate or not, it is a fun story and, because there is a truth buried within, let's call it a fable.<br></p><p>The question was asked, "Do you ever start making things up in a paper and then look over it halfway through and think 'Wait a minute, I could be onto something here!'"</p><p>The first reply: "This is the definition of college."</p><p>The second reply: "As I was writing a paper on Asian saltwater crocodiles — something simple to satisfy a class requirement — I started noticing some inconsistencies in the scientific papers I was sourcing. I accidentally discovered that the crocodile's endangered species situation was misdiagnosed; it should have been classified as endangered. Now my professor is having me write a formal report to have the crocodile reclassified. All I wanted to do was write this paper on an animal I thought was cool and now I'm considered an expert on the species."<br></p><p>Two quick points. One, I hope you don't approach your audit reports this way. Two, don't ever expect anyone to consider you an expert over the area under review when you finish an audit. But between those two points is the interesting part.</p><p>We've all faced this question. "What makes you think you know more about this process/department/organization than I do? I've been working here [fill in the blank with a number of years that means the speaker is just shy of a Methuselian age.]"</p><p>Of course we don't know as much. But we have (to quote Liam Neeson) a very particular set of skills. To start with, we have a specialized understanding of risk, controls, and processes that should complement the business acumen of those within the department under review.</p><p>However, internal auditors also have other, more specific skills. 
Two that work closely together are observation and analysis. Unfortunately, they are often overlooked and underused. Many auditors get bogged down in prescribed audit programs, tests, worksheets, timesheets and other bric-a-brac that draws their attention away from the activities around them. Observation suffers. And the resulting analysis that should occur also suffers.</p><p>The best findings I've seen were not necessarily discovered by filling out the forms. Those issues were identified because the auditors looked up and saw what was occurring around them, using that information to analyze what was really occurring.<br></p><p>Internal audit is not just interviews and worksheets; it is recognizing that the work under review occurs outside the audit.</p><p>In our little fable, the funny part is that the guy was considered an expert when he wasn't really one. But the lesson is that he got to that lofty position by just looking around and analyzing the situation. It wasn't that he was smarter or more knowledgeable or in any real way better than others. It was that he was willing to look around and put the pieces together to understand the real picture.<br></p><p>And isn't that what internal audit is really about? Our job isn't to complete an audit program or fill out a form or even write a report. Our job is to gather information — look around, explore, and ask questions (which is different than interviewing) — and then analyze that information to get a picture of what is going on and how it might be made better.<br></p>Mike Jacka
On the Frontlines: The Map or the Medal?<p>When faced with the proposition to either accept a map to success or receive instant success/gratification, which would you choose? Let's compare two scenarios:</p><ul><li><strong>Scenario A:</strong> A business that succeeds but does not know how it succeeded.</li><li><strong>Scenario B:</strong> A business that fails but does not know how to succeed.</li></ul><p><br>One could argue that in Scenario B the business has failed and is therefore worse-off than in Scenario A. However, in the current economic climate we have seen the importance of sustainability and consistency in maximizing profitability for all stakeholders and the impact to businesses when this is not the case. Therefore, if we look at this scenario from a more strategic perspective, both are at risk of failure.</p><p>This is because in Scenario A, the success cannot be sustained as the business is unaware of potential threats and strengths within the company that led to the success, and there is a false pretense/expectation of future success. Similarly, in Scenario B the company has the knowledge of failure and is aware of the need to tighten controls but has not identified key controls to prioritize in correcting this failure.</p><p>In the same way, companies often are faced with the difficult choice of whether to prioritize core functions and key legislative requirements for compliance, with internal audit functions often bearing the brunt of cost savings. However, this means that companies are prioritizing their short-term profitability objectives at the risk of jeopardizing the long-term sustainability of operations.</p><p>To add the most value, internal auditors should leverage their assurance role to assist businesses in identifying triggers of business failure. 
They can accomplish this by drilling down into objectives, identifying control failures within the operations, and advising management on the possible impact of these failures if those failures are left unattended.</p><p>To achieve this objective, management will need to view internal audit as part of its core functions and not in isolation. Internal auditors can assist management by:</p><ul><li>Building relationships of honesty and ethical conduct with staff.</li><li>Expanding their knowledge of risk management practices and advocating for increased awareness.</li><li>Embedding themselves in industry knowledge, best practices, and benchmarking activities.</li><li>Advocating for the value of internal audit by holding management accountable.</li></ul><p><br>In doing so, internal auditors will be optimally positioned to identify potential weaknesses (control failures) that could have a greater impact on the success of the businesses and the achievement of the overall strategic objectives, if not detected and addressed timely.</p><p>This means that internal audit and risk management functions can help management draw a map of controls and activities that need to be followed to take advantage of opportunities to grow the business and maximize profitability and stakeholder return. Therefore, by working with internal audit, management can build a more sustainable road map to continuous success that prioritizes profitability without sacrificing oversight and insight into the business. Ultimately, that map can enhance management's foresight.</p><p>When faced with the difficult choice between the map and the medal, it is important to understand that although the map may take you on a longer journey, there are many races to be won.</p><p>Maryam Makinde, CIA, CRMA, CSOE, is a senior associate at PwC in Pretoria, South Africa.</p>Maryam Makinde
Hidden Goals<p>Recently I've been reading Shunryu Suzuki's <em>Zen Mind, Beginner's Mind</em>. I understand it to be a cornerstone for understanding the practice of Zen. Unfortunately, I just don't get it. In fact, I think I can safely say I never will. (It reminds me of the times I've made forays into Einstein's book on relativity. For the first bit I'm flowing along nicely — paying attention and grasping new concepts. The next thing I know, I'm left in the dust of a logical train that approaches the speed of light while gaining infinite length and I've got no idea what happens next.)</p><p>In Zen, there appears to be a lot of discussion around the idea that Zen practice is about not recognizing that Zen is being practiced — about not thinking of the practice, of not looking for achievement, of progress being made when less is understood, of… Well, I'm sure I'm making a fool of myself trying to explain what I do not understand. And to any out there who practice Zen, two things. One, my apologies for this ham-handed (and possibly insulting) attempt to explain a nearly unexplainable concept. Two, I envy your ability to understand these concepts and your ability to practice them. (And, yes, such envy is the opposite of what Zen should be, but, again, I see few-to-no paths that will lead me to even beginning to gain a smidgen of enlightenment. 
I will just have to be envious.)</p><p>At the same time I was reading about what I will call (quite incorrectly) Zen's requirement to set aside focus on Zen, itself, I also became aware of Goodhart's Law and Strathern's Law.</p><p>Goodhart's law comes from British economist Charles Goodhart who advanced the idea in 1975.</p><p><span class="ms-rteStyle-BQ">Any observed statistical regularity will tend to collapse once pressure is placed upon it for control purposes.<br></span></p><p>In 1997, this was generalized by anthropologist Marilyn Strathern.</p><p><span class="ms-rteStyle-BQ">When a measure becomes a target, it ceases to be a good measure.</span></p><p>There is a lot of discussion out there about how auditors and their departments measure success. I've been caught in such verbal whirlpools myself. (I'd cite the blog posts, but there are too many.) While being a part of such discussions and encountering the measures being used, I've seen too many cases that support Strathern.</p><p>Which is where the world of Zen (as I misunderstand it) and Strathern's Law come together.</p><p>By trying to achieve a goal, have we lost the purpose of that goal? Just as Zen falls apart when the practitioner tries to focus on Zen, do goals fall apart when they become the focus of the one being measured?</p><p>Leading to the big question: Why is it required that we know any of the goals related to our performance or the performance of our department?</p><p>Before you all go ballistic on me, of course I know the answers we all spout. But are those answers correct? Or are we, once again, blithely moving forward on assumptions we assume to be correct?</p><p>If I am doing my job, if I understand what work is expected of me, if I focus on the quality of my work with an understanding of how to accomplish it effectively and efficiently, do I really need to know the specific measures?</p><p>In fact, does knowing those measures actually impact my work negatively? 
(See the laws quoted above.)</p><p>One year, my AVP gave me the measures that would be used for my evaluation in the coming year — full objectives that were specific, measurable, you know the drill. To be more precise, he gave me the 24 different measures that would be used for the coming year's evaluation.</p><p>I laughed in his face…literally. (Having me as an employee was never considered an easy gig at Farmers Insurance.) He looked nonplused, so I quickly explained that, while I saw the underlying value of every single measure (and there was a reason for each of them — some more important than others), I could not imagine any world in which any person could spend their time focusing on the excruciating details of 24 different measures while actually getting their work done.</p><p>I told him I didn't care what the measures were. He could feel free to put them in my annual appraisal, make them a part of my year-end evaluation, and take any actions he felt were necessary. But I couldn't spend my time worrying about those particular beads. Instead, I would focus on getting good work done in a timely fashion and hope that the numbers worked out in the end. And they did. I don't remember how many I met or by how much I missed any of the others, but I know I got a decent raise.</p><p>We all need feedback. We all need to know what we're doing right. We all need to know what we're doing wrong. We all need to know how to improve. But how important is it to know the actual numbers that will be used to determine if we are successful — the raw numbers that make up such evaluations. And, if we know those numbers, rather than spurring us forward, do they negatively impact what we do? And would not knowing really make our work worse?</p><p>I recognize the heresies contained herein. I mean, this is the same kind of thing we might write up as a finding. 
And to be honest, I'm not sure I agree with any or all of what I've said…</p><p>Yet.<br></p><p>So let me know your thoughts.</p><p>Just remember that 90% of all responses must be received within two weeks of the due date or your evaluations will suffer.<br></p>Mike Jacka
On the Frontlines: Auditing Human Factors Risk<p>Although the human element has recently grabbed the attention of cybersecurity and enterprise risk management professionals, little has been done to formalize human factors risk in audit risk assessments. Human factors science examines the relationship between people and the systems with which they interact by focusing on improving efficiency, creativity, productivity, and job satisfaction, with the goal of minimizing errors. </p><p>Opportunities exist to enhance risk management by assessing human factor risks. A failure to apply human factors principles is a key aspect of most adverse events in health care, aerospace, auto manufacturing, and many other industries, according to the <a href="" data-feathr-click-track="true">World Health Organization</a> (PDF).</p><p>In a study, <a href="" data-feathr-click-track="true">"Risk Management and Human Factors,"</a> Brendon Coventry, a professor at the University of South Australia School of Psychology, Social Work, and Social Policy, found:<br></p><p><span class="ms-rteStyle-Quote">"Evidence has accumulated to demonstrate that the relative risk of a legal claim being made against a medical practitioner is related to a range of factors including: 1) communication failures, 2) continuing professional development, and 3) failures of the systems that are in place to support and assist the medical practitioner in their medical practice (Goodwin </span><a href="" data-feathr-click-track="true"><span class="ms-rteStyle-Quote">2000</span></a><span class="ms-rteStyle-Quote">). Conversely, research has demonstrated no significant difference in the relative risk of litigation between trauma surgery and elective surgery (Stewart et al. 
</span><a href="" data-feathr-click-track="true"><span class="ms-rteStyle-Quote">2005</span></a><span class="ms-rteStyle-Quote">)."</span><br class="ms-rteStyle-Quote"></p><p>To put this excerpt in a business context, replace "medical practitioner" with "business leader" and "medical practice" with "risk practice." The one common denominator in all organized business endeavors is people. </p><p>This excerpt is one simple example of the diverse human factors that exist in any business environment where work processes, staff development, communications, and systems are crucial to managing risks. Human factors risk has been cited as the main cause of cybersecurity failures, operational risk events, and corporate blunders in all industries and is increasingly considered the largest contributor to losses and risk events.</p><p>An <em>ISACA Journal</em> article about Verizon's 2016 Data Breach Investigations Report (DBIR) shows the danger of the human factor: <br></p><p><span class="ms-rteStyle-Quote">"The latest DBIR reaffirmed the fact that employees continued to play a major role in many of the breaches in the past year. Some 63% of confirmed breaches involved weak, default, or stolen passwords. </span></p><p><span class="ms-rteStyle-Quote">Worse, miscellaneous error — staff sending information to the wrong person — accounted for nearly 18% percent of breaches. Despite a wealth of preventive measures, employees remain one of the costliest vectors in a number of data breaches and security incidents, which are increasing at an alarming rate." </span><br></p><p>Increasingly, courts and regulators are holding the board and senior executives accountable for these events, suggesting that blaming employees is not a viable defense strategy. Conversely, internal auditors are expected to provide assurance that human factors risk is being addressed, yet there is very little formal guidance for audit leaders to leverage. 
</p><p>"The normal sources that guide program evaluation — various documents provided by the U.S. National Institute for Standards and Technology, the International Organization for Standardization, and the U.S. Health Insurance Portability and Accountability Act, among others — provide only vague descriptions of awareness program standards and requirements," according to ISACA. </p><p>Training and awareness programs are the normal response to human risk factors, but these efforts are increasingly problematic for IT professionals and employees alike, whose training is often based in theory. "They receive very little hands-on training; thus, the skill sets need to be developed on the job," ISACA notes. </p><p>As a result, the value of a cybersecurity degree has begun to decline in the eyes of employers. Surveys indicate that as many as 80% of hiring managers no longer believe a four-year degree adequately prepares students for cybersecurity jobs, according to a 2019 Center for Strategic & International Studies <a href="" data-feathr-click-track="true">report</a> (PDF). </p><h2>12 Risk Factors</h2><p>Chief audit executives (CAEs) can still make a difference in human risk factor assurance through a better appreciation of behavioral and cognitive science concepts. No degree in psychology is needed, only common-sense approaches to assess the work environment. </p><p>Before we explore human factor risk assurance, let's be clear about the diversity of human factors that exist beyond human resources, ergonomics, and conduct risks. Industries that use human factor analysis are calling for standardization of human factors audits, so the practice is still evolving, according to the <a href="" data-feathr-click-track="true">U.S. Nuclear Regulatory Commission</a> and the <a href="" data-feathr-click-track="true">National Audit Project</a> (PDF). 
</p><p>Human factor risks for auditors to consider fall into 12 categories: </p><ol><li>Organizational governance factors.</li><li>Communications factors.</li><li>Risk appetite factors.</li><li>Workflow complexity factors.</li><li>Transparency factors.</li><li>Legacy operating systems factors.</li><li>Manual processes factors.</li><li>Human-machine interactions factors.</li><li>Decision-making factors.</li><li>Risk assessment factors.</li><li>Customer and third-party interaction factors.</li><li>Problem resolution factors.</li></ol><p>Internal audit can incorporate these factors into an audit of human factor risks. Many of the human factor risks involve the board, senior executives, communications, operations, decision-making, the workforce, systems, risk management, and stakeholder interactions. This list is interchangeable depending on the organization; however, let's look at how these risks might impact a fictitious firm. <br></p><h2>How a Human Factors Audit Works</h2><p>RetireRich Inc. has been in business for five years, catering to wealthy Silicon Valley entrepreneurs to protect their wealth. The start-up's board has requested a human factors audit of its risks. </p><p>The CAE has assigned a senior team of well-respected internal auditors to evaluate the factors that may lead to human factor risks. The audit plan may include one, many, or all of the 12 human factor risks. </p><p>For example, the assessment may include a self-assessment with the board and senior executives (human factors 1-3), followed by an assessment of the outcomes of strategic initiatives. At the operational levels (human factors 4-7), auditors may conduct a staff self-assessment and review data on the operational effectiveness (errors, events, losses, and audit findings) related to each risk. 
Lastly, auditors may conduct a self-evaluation of the department's oversight performance (human factors 8-12) to assess lessons learned and to determine whether those lessons have been implemented to effect change.</p><h2>Strengthening Performance</h2><p>Human factor risk audits require an organization to be open to constructive feedback about its performance. These audits are purely for the benefit of the organization to improve performance and to enhance operations through human factors. When performed correctly, the observations and data internal auditors collect will serve as a road map for strengthening the most important factor in organization performance, the human factor. </p><p>Human factor risk audits are part of a discovery process, and their findings should not be used to punish people. Any negative connotations from human factor risk audits will diminish the positives learned in the process.</p><p>Lastly, human factor risk audits provide an opportunity for CAEs to provide consultative guidance to build resilience in operations, cybersecurity, and enterprise risks. These audits also engage the entire organization in process improvement when taken seriously. Some organizations will achieve outsized gains in productivity, and most will teach their organization the importance of good risk management through self-evaluation.<br></p><p><br></p><p>James Bone is executive director of GRCIndex and principal investigator at the Cognitive Risk Institute in Lincoln, R.I.<br></p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>James Bone
Building a Better Auditor: Which Way Should I Go?<p>The dialogue in <em>Alice's Adventures in Wonderland</em> goes something like this:<br></p><p><em>Alice</em>: I wonder which way I ought to go. … Would you please tell me which way I ought to go?</p><p><em>Cheshire Cat</em>: Well, that depends on where you want to get to.</p><p><em>Alice</em>: Well, it really doesn't matter, as long as I get somewhere.</p><p><em>Cheshire Cat</em>: Then, it really doesn't matter which way you go.  <br></p><p>Not long ago, but it seems like an eternity now, we did not have maps integrated with our smart phones. If we needed to go somewhere new or were simply not that familiar with an area, we would grab a printed map and trace our route. We would keep our collection of maps handy and refer to them often. Unlike Alice, we knew where we wanted to go, and as we travelled along we would ask people for more refined directions or to validate we were on the right track. Some people were exceptionally helpful, some gave half-way answers, others frankly did not want to be bothered, and every now and then we would encounter a Cheshire Cat. <br></p><p>Eventually we would arrive at our destination. Sometimes we were on time, but on other occasions late, as we took a wrong turn or were a bit lost — we may even have had our map upside down — and just did not want to ask for directions. Sometimes, we were lucky and arrived a little ahead of schedule as we drafted our route perfectly or we came across a wise pedestrian who knew the landscape and gave us a useful tip. Something similar can occur with our careers. <br></p><p>Whether we are right out of college in our first professional job or somewhat later in our careers, we have all begun our internal audit journey. A voyage in this rewarding profession exposes us to so much in our organizations, and at some point, we ask ourselves what path we need to take to become a chief audit executive (CAE). 
<br></p><p>Maybe for some of us our first role in the profession <em>is</em> CAE. Maybe some of us are rotating through an internal audit department or feel we have been in internal audit for too long and are questioning what we need to do to transition out and become a team leader or a chief "something" in that next role. Regardless, we are all asking, where am I right now, what is my destination, and how do I arrive at where I want to go? Well, think of <a href="" data-feathr-click-track="true">The IIA's Competency Framework</a> as your road map.<br></p><p>The Competency Framework is a tool that can assist you in developing a plan, regardless of where you are in your career. While this versatile tool assists professionals at a personal level, it also can support internal audit leaders in creating talent development programs for their teams. As mentioned in The IIA's Insights to Quality, How the IIA Competency Framework Supports Successful Internal Audit Practices, the framework can aid in other efforts such as succession planning, decision-making on use of subject-matter experts for specific engagements, and other talent management initiatives. <br></p><p>The framework presents four competencies: professionalism, performance, environment, and leadership and communication. For each of these four pillars, the framework illustrates a realm of key knowledge areas (e.g., ethical behavior, professional development, engagement planning, information technology, audit plan, and coordinating assurance efforts) to assist anyone in becoming a more well-rounded professional. At the same time, the framework provides three distinct competency levels: general awareness, applied knowledge, and expert practitioner. Whether an entry level auditor or seasoned executive, you may find yourself new to a knowledge area and your competency would then fit under the general awareness level. 
At the same time, you may be well-versed in another knowledge area and therefore considered to have applied knowledge or fall under the expert level. If that is the case, you can still advance and build upon that existing knowledge to strengthen your skills.<br></p><p>Following the analogy of the map, the framework can help you assess where you are, highlight your destination, and develop the path you need to travel to arrive there. It can help you triangulate competencies, knowledge areas, and your competency levels for each. Every internal audit practitioner should frequently refer to the Competency Framework. But remember, once you have built your map and traced your route, you ought to continually ask yourself and others along the way if you are on the right path. As you do that, you come across that wise pedestrian (e.g., a fantastic mentor, superb boss, marvelous colleague, or a sarcastic Cheshire Cat) who gives you that instrumental tip or sheds some light on your path.<br></p><p>Keep in mind also that reaching a desired competency level in one area can highlight the need to polish another area. There will be new risks and opportunities along the journey, and throughout your career you will encounter other professionals inside and outside internal audit who can help you validate or recalibrate your route. Perhaps you are very technically competent in one area, but new technological tools have come out and you need to reskill or upskill along the way. Perhaps you need to take a slight detour to sharpen your communication skills. <br></p><p>Each career path is unique, the route may not be linear but it is your route, your career. There could be detours along the way, but keep focused and remain resilient as you reach your specific destination. Do not fall into the trap of Alice, who simply did not know where to go and just wanted to get somewhere. 
<br></p><p><br></p><p>David Dominguez, CIA, CRMA, CPA, CFE, is director of internal audit at Itafos in Houston.<br></p>David Dominguez
Wrong Purpose; Wrong Results<p>I spent a great deal of time in my last two blog posts talking about the audit reports we write. <a href="/blogs/jacka/2021/Pages/Do-the-Pieces-Support-the-Whole.aspx" data-feathr-click-track="true" target="_blank">In the first, </a>I talked about the purpose of our reports and the need for us to be conscious of what we write in support of that purpose. <a href="/blogs/jacka/2021/Pages/Analyzing-the-Words-We-Use.aspx" data-feathr-click-track="true" target="_blank">In the second</a>, I went into depth (perhaps, too great a depth) analyzing one, short sentence that often appears in audit reports, such analysis all done in the name of understanding the impact of our word choices on the report's purpose.</p><p>Unfortunately, it is now time for true confessions. I talked about how most auditors see the purpose of the audit report being to persuade the reader to take action. I built my discussion on that purpose. And, well, sorry, but I don't believe that to be true. I do not believe the purpose of our audit reports should be to drive action. Don't believe it for a minute.</p><p>Let me quickly say that my state of apostasy does not undermine anything I had to say in those previous posts. Approaching a report as if it is meant to persuade the reader to action makes for a better, more readable, more concise audit report. As noted in those previous blog posts, it will help focus content and, with any luck, make all readers actually pay attention to what is written.</p><p>However, I sincerely believe that, if your primary purpose for issuing an internal audit report is to drive the reader to action, you have already failed.</p><p>You cannot wait until a report is written to convince the client/reader that action needs to be taken. 
Getting action — getting the client to buy-in to what has been found, to understand the impacts, to work on a way to make the process better, to agree and begin corrective procedures — has to permeate the entire audit process.</p><p>For audit reports (as well as audits) to have any value, agreement to take action, as well as the actual actions, must be occurring before the draft of the report is completed.</p><p>When I worked with Farmers Insurance, agreement was reached and, generally, action already started by the time the report was issued. Our reports were not a call to action; they were a record that action was taking place.</p><p>In fact, a long time ago when paperreportasaurs ruled the earth, we issued joint executive summaries — a document signed by both the audit director and the client responsible for action. It wasn't a report from internal audit; it was a joint report issued by both departments.</p><p>That is a powerful approach. That is agreement, that is action, and that is buy-in to the report, to the process, and to the value of internal audit.</p><p>I'll be honest, I don't know how the same thing could be achieved in this paperless world. I know we quit using the approach as times changed. But, again, the concept of a joint report is powerful. And it deserves a rebirth. I challenge anyone reading this blog post to explore how to wield such power by looking for opportunities to issue reports in this way.</p><p>Ultimately, your report speaks volumes about how you do your audit work. And, if you are using the report as a tool for persuasion, then you need to take a closer look at the work you are doing. Why isn't action already agreed to? Why isn't action being taken? And might that be part of the reason that, no matter how many reports you issue, things always stay the same? <br></p>Mike Jacka
Analyzing the Words We Use<p><a href="/blogs/jacka/2021/Pages/Do-the-Pieces-Support-the-Whole.aspx" data-feathr-click-track="true" target="_blank">In my last post</a>, I talked about our need to understand why we write audit reports – their purpose. I focused on the general consensus that reports are written to persuade the reader to take action. I then went on to talk about how the contents of our reports do little to drive people to such action. My premise was that we need to closely inspect what and how we write to understand what is going right and what is going wrong.</p><p>I ended with a promise that I would take a deep dive — a very deep dive — into a rather innocuous but persistent sentence each of us has probably written innumerable times.</p><p>Welcome to the inquisition.</p><p>There is a line that our audit department had in every single audit report. (The following may not be verbatim, but it is close enough for our purposes.) "In our opinion, controls over <em>[insert area being reviewed here]</em> are <em>[insert opinion, e.g., effective, ineffective, etc.]</em>"</p><p>A good old fashioned opinion statement. It does its job, and it did its job in our internal audit reports for at least 20 years. I'm guessing you have a similar sentence, an opinion statement that has stood the test of time as it is used over and over again.</p><p>So, why pick this sentence for review? To begin with, it is an important sentence since, for a lot of readers, the opinion statement is the only sentence in the report they care about. In fact, sometimes it is the only sentence they read.</p><p>Also, as already noted, it is a sentence we have all used for a long time, trusting in it to withstand the test of time. Accordingly, it may deserve to be taken down a peg or two.</p><p>Why look closely at what has worked before? Here's a story I've told before, but you'll just have to sit through again. 
When I joined the Farmers Insurance audit team, there was a standard paragraph we wrote related to claims reserves — a paragraph we wrote many times since we reviewed at least one claims office per month. Within that paragraph we would write that inappropriate reserve setting [the amount set aside in expectation of a future payment of a claim] would result in those funds being "trapped in the system." After about a year, the home office QA team visited and one of the first things they asked was what "trapped in the system" meant. We had no answer. It was just what we wrote. And it had always worked in the past, so it must be relevant for all time. It promptly disappeared and the experience reminded us we needed to think about what we were writing.</p><p>The need to constantly review assumptions you assume to be perfect.</p><p>So, because the opinion statement is the primary focus for most of our readers, and because it is a sentence we seldom inspect closely, let's dissect its effectiveness in driving action and building excitement.</p><p>"In our opinion…" While this would seem to fit perfectly into what we are trying to say, in actuality it is not a good start. In our department, we had a section of the report titled "Opinion." And the only sentence in it was this opinion statement. Accordingly, this verbiage seems a bit redundant. While some might argue the phrase provides value by reemphasizing why the sentence exists, there is just as strong an argument that it is only cluttering the communication with redundancy.</p><p>Further, I would argue that it is evident that what follows is the internal audit department's opinion. It is our report, so it is our opinion. An argument might be made that everything else in the report represents the reporting of facts; so, since this is opinion, it might be good to reemphasize that fact. Could be. But that gets to the point of this exercise. There are no right and wrong answers when asking these questions. 
Instead, we are looking closely at the words and making personal/departmental decisions about what really supports the purpose of the report – what should stay and what should be changed.</p><p>Let's keep going.</p><p>"…controls over <em>[insert area being reviewed here]</em> …" Let's start with the last part — the part where you fill in the name of the area being reviewed. Do we need to restate the department/process that has been reviewed? It is in the background, it is in the title, it permeates everything else. Do we need to say it again?</p><p>Since this may be the only part of the report some people read, it could be argued that repeating the title is a good thing. However, it also represents another redundancy. As a profession, we seem to enjoy redundantly repeating ourselves in the name of clarity, and all it does is obscure what is important. We need to be watchful of the symptoms of redundisease.</p><p>But let's go back to the beginning of this phrase and the problematic word "controls". We use it like we all know what it means. But do your clients really understand what a control is — its purpose, its structure, its lot in life — and, to be honest, do we even know what it means?</p><p>That is not to say the word should not be used in the context of an opinion statement. This is our opinion on the controls. However, this emphasizes the need to ensure there is a shared nomenclature between ourselves and the client — that everyone involved knows exactly what is being said and the meaning of words that are being used.</p><p>Finally…</p><p>"…are <em>[insert opinion — e.g., effective, ineffective, etc.]</em>" Good news. I'm not going to dissect the word "are". However, the terms we use — effective, ineffective, needs improvement, needs some improvement, needs lots of improvement, needs improvement but not really a lot of improvement, needs to see someone about that cough — are very powerful. They are the Sword of Damocles hanging over every reader's head. 
They drive the action. They cause the need to take action.</p><p>In our organization, we used effective, needs improvement, and ineffective. However, over time we found that over 80% of reports were showing controls needed improvement. In other words, the terms were almost meaningless and they did not drive to action.</p><p>While we may not have had that part right (and we took various steps to do something about it) we did get one other thing right. We had an appendix in every audit report that laid out exactly what we meant by each of the opinions. So, unlike the word "control" which could get lost in obfuscation, the opinions themselves were well defined.</p><p>So, we come to the end of our dissection. What comes from all this? Well, first, you should have a better idea of what the sentence is trying to accomplish. But I'll also throw out a suggestion. How about if each report has a section titled "Opinion" or "Internal Audit's Opinion," allowing for the elimination of that introductory statement. Then let's also assume the reader already knows what process/department is under review. The section then contains only one sentence. "Controls are <em>[insert opinion — e.g., effective, ineffective, etc.]</em>"</p><p>Too abrupt? Not enough information?</p><p>Let me throw another one at you. We know that the main thing people care about is the opinion. So how about, after the title of the audit report, the very first sentence is "Controls are <em>[insert opinion — e.g., effective, ineffective, etc.]</em>"</p><p>Too soon? Too scary?</p><p>Okay, time to wrap this up. We've just gone through a lot of work for one 8- to 12-word sentence. And this is probably more exercise than you want to do on every sentence of every audit report. But every sentence deserves some scrutiny. And, once you've done it a few times you'll see that the analysis becomes second nature. 
The dross will disappear and the call to action will remain.</p><p>Note that I normally write these posts by talking about the general — the way things are in the real world — and work toward the specific — why internal audit should care. But, in this case, I'm going to take a second to come at it the other way because every part of what I've written in these two blog posts also relates to every word you write – memos, emails, letters, postcards, tweets, anything. What is the purpose of what you are writing? And is what you are writing actually communicating that purpose?</p><p>Practice these concepts in life and it will make your writing better, even when you write audit reports.</p><p>Now, you might think this is where our discussion comes to an end. But I have a confession. I don't agree with a basic premise I have used in both of these posts. Next time, my thoughts on why we write audit reports, and why our reasons may lead us down the primrose path.<br></p>Mike Jacka
On the Frontlines: 3 Things to Do Now to Become More Agile<p>In today's fast-paced landscape, the risk environment is constantly changing. Strategic and operational risks are ever-evolving, driven by external or internal factors — or both — causing risk exposure levels to escalate faster than ever before.</p><p>Internal audit teams are challenged to ensure that assurance goes beyond passively reviewing past events. We must offer deep insights considering macro-level organizational challenges and the current risk environment to advise management and the audit committee on navigating these challenges successfully.</p><p>Stakeholder expectations of assurance providers are rising in tandem with risk management pressures. Against this landscape, it has been worth critically assessing the inherent weaknesses of the traditional audit approach and how elements can be redesigned to deliver greater organizational value. Wolters Kluwer TeamMate's <a href="" data-feathr-click-track="true" target="_blank">Touchstone Insights for Internal Audit</a> report reveals that more than 70% of organizations are either planning to or are executing an Agile audit methodology (see box, below right).  <br></p><p>Audit teams have long been criticized for lack of timeliness. Stakeholders are frustrated with the time taken to deliver audit results, typically in the form of a final audit report. With the risk landscape volatility, senior management cannot afford to wait until the audit's conclusion to receive a long-form audit report. The sooner management receives the audit report, the swifter it can respond. </p><p><img src="/2021/PublishingImages/Naidoo-Picture1.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />In our age of collaboration, the auditor's "trusted advisor" vision seems disconnected from the actual audit approach, which can be perceived as "top-down," rather than collaborative. 
This approach is a fit for fraud investigations, given the nature of the work. However, for an audit, perhaps engaging more collaboratively means auditors will have experienced guides to help them more efficiently navigate the sometimes-unfamiliar terrain of the business process.</p><p>A blanket "top-down" approach for all assurance activities can, at best, result in audit-client resistance, and at worst, conflict. Either way, it's a disastrous outcome for internal audit's position as a trusted advisor and for the organization's ability to address risk.</p><p>The challenges with traditional audits also have included the characteristically long-winded exit process to confirm details of findings as well as receive and finalize management responses, including timeliness. These conversations are usually held only at the end of the audit based on the traditional audit methodology. This approach only further delays finalizing audit reports and the start of the real value-add — implementing management actions.</p><p>Collectively, this process creates situations where risks are identified and remain unmitigated, or control deficiencies remain unchecked for even longer. This situation leads to frustrated audit teams and management, disillusioned stakeholders, and more importantly, a greater risk to organizational objectives. On average, it takes about five weeks to communicate results — two weeks to issue a draft report, two weeks to receive management responses, and one week to issue a final report. </p><p>According to Touchstone Insights for Internal Audit, 79% of respondents say collaboration with the business is extremely important. To deliver valuable, timely results in a collaborative approach, audit teams should consider adopting an Agile methodology, based on the 12 principles enshrined in the Agile Manifesto designed for software development. 
Each audit department can interweave these principles across its audit process to strive toward a fully Agile approach to "steal the best bits."</p><p>Here are three things that internal audit functions can do today to become more Agile.<br></p><h2>1. Increase the Frequency of Risk Assessment Updates</h2><p><img src="/2021/PublishingImages/Naidoo-Picture2.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Risk assessments are the birthplace of a risk-based audit approach. Agile audit departments respond to the changes in the risk environment by continually pivoting toward new and emerging risks.</p><p>Traditionally, an organization's risk assessment was performed annually. Given today's rapidly changing risk landscape, an annual risk assessment is quickly outdated and can endanger the audit plan's relevance.</p><p>For audit teams to deliver relevant assurance, they must become more Agile and strive toward a risk assessment that continually reflects what is keeping senior management up at night. This means that risk assessment updates must be done more frequently, and certainly more than once a year.</p><p>According to Touchstone Insights for Internal Audit, 61% of respondents update their risk assessments annually (see box, right), and the frequency of these updates increases as departments adopt an Agile methodology. Of those teams that execute an Agile methodology, only 28% perform risk assessments annually. Most Agile functions have moved to at least quarterly updates.<br></p><h2>2. Adopt a Truly Risk-based Audit Approach</h2><p>Organizational management is constantly scrutinizing spending, and even internal audit is not immune to this scrutiny. Audit teams must continue to demonstrate value through assurance and consulting services across a broader spectrum amid growing complexity. 
Management and audit committees also want internal audit to display sound judgment by increasing focus on heightened risk areas.</p><p><img src="/2021/PublishingImages/Naidoo-Picture3-text.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Narrowing focus on areas of significant risk leads to more clearly framed objectives. A truly risk-based approach also is a building block of efficiency. With a clearly defined and refined set of objectives, Agile teams do not simply design and execute an audit program based on an exhaustive set of risks identified in a risk assessment. In doing so, the audit team balances the promise of reasonable assurance, the risk profile, resources, and value-add.</p><p>The Touchstone Insights for Internal Audit study shows that when audit teams adopt an Agile approach, these teams scope the risks to be covered and focus on the highest risks. The value of using an Agile approach is that audit teams can quickly pivot to areas of greater risk. Management and operational frontline staff involved in the audit are less burdened with audit procedures covering lower risk business areas. According to the survey, 40% of agile teams create their audit scope in conjunction with the business.</p><p>Moreover, audit committees prefer audit teams to focus time and effort on higher value-adding assurance activities. An Agile approach of flexible audit planning aims to improve audit committee satisfaction and confidence by delivering valuable, relevant assurance for the organization. </p><h2>3. Strive for Frequent Communication and Closer Collaboration</h2><p>Audit teams are moving toward an Agile methodology to sharpen their focus on delivering value. The value of audit findings can diminish sharply over time, as the organization faces an identified, but unmitigated, risk that threatens its objectives. 
Agile tools and processes ensure that teams plan and communicate audit findings in a timely manner to preserve their value.</p><p><img src="/2021/PublishingImages/Naidoo-Picture4-text.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Agile teams generally divide their work into time-boxed "sprints" around key or high risks. There are deliberate activities embedded within the approach to ensure more frequent communication and facilitate closer collaboration between the audit team and the organization.</p><p>During each sprint, audit teams already discuss and resolve issues and build a list of reportable issues, often before the draft reporting process begins. At the end of each sprint, auditors share their findings with management. This approach also allows management to plan its response or even address these issues before the final report is issued. </p><p>The delivery of the final audit results hinges on two key activities:</p><ul><li>Issuing the draft report.</li><li>Receiving management responses.</li></ul><p><br>When comparing traditional audit teams with Agile teams, Touchstone Insights for Internal Audit finds that Agile teams are more likely to issue draft reports within one week (see box, above right). The report also shows that for the 29% of teams that do not execute Agile activities, the focus is on tracking using estimated/scheduled time versus actual time. While this metric may help calculate utilization and time to complete the audit, it does not provide transparency into the work performed and the conclusions about risks to the organization.<br></p><p><img src="/2021/PublishingImages/Naidoo-Picture5-text.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Agile audit teams often use <a href="" data-feathr-click-track="true" target="_blank">Kanban boards</a>, and in some cases, share them with the organization to provide visualization of work in progress. This approach can make it easier to identify roadblocks. 
Kanban boards can range from simple to very complex. Teams striving to become more Agile can leverage existing tools to establish a visualization, which can build a collaborative foundation within the team and with the organization.</p><p>Establishing a collaborative foundation with management and more frequent communication are at the center of the Agile methodology. Together, they help a greater percentage of teams receive management responses and issue final audit reports within a week (see boxes, right).<br></p><p>Audit teams looking to become more Agile today can embed more frequent and open communication practices with management and build a collaborative culture to improve the timeliness of valuable audit insights.</p><p><br></p><p>Sio Naidoo, CIA, is product manager, Asia Pacific at Wolters Kluwer TeamMate in Sydney.<br></p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Sio Naidoo
Do the Pieces Support the Whole?<p>Why do internal auditors write audit reports?</p><p>That question will get you a lot of different answers: communicate what has occurred, show what was examined, document results, provide a basis for client/auditor discussion, provide a basis for client/auditor agreement, provide a basis for client/auditor arguments, provide assurance, follow the standards, drive the auditor crazy with reviews and rewrites that delay the report longer than the release of the final novel in the <em>Song of Ice and Fire</em> series. But one answer seems to pop up most often: persuade the reader to take action. The consensus is that reports should communicate a drive to action.</p><p>If this is the true purpose of the internal audit report (and join us in the next week or so for some thoughts on that one), then we all need to take a long, hard look at what we are writing because, in general, our reports are dry as dust, not even compelling the reader to actually read the report, let alone take action. The words, sentences, and paragraphs in most reports just exist, doing little more than listing data, thoughts, stuff, and things in the forlorn hope that the reader will slog through the Sargasso Sea of dreck and be persuaded. There is no call to action. In fact, there is little action at all.</p><p>Ain't it funny how that word action keeps popping up? I used it a lot in the prior two paragraphs. And, as noted above, it pervades internal auditors' discussions on the subject. And that's a wonderful thing. Persuading the reader is a high and worthy calling. But interesting questions arise from such pronouncements. First of which, do we even know what action we want the reader to take?</p><p>When we say, "persuade to action," is that action to complete the corrective action? Or is it to build a better process? Or is it to make a more successful department? Or have we ever really thought about what action we are discussing? 
For most of us, the knee-jerk answer is that we want action taken to correct identified issues. But, as we start to think about those broader answers – a better process, a more successful department – we realize that there may be loftier goals we are trying to achieve. And we have to wonder if we might need to take a broader look at the "action" we are looking for.</p><p>And from all this springs the scariest question. If we haven't really thought about what action we are looking for, then how can we expect purposeful action to be taken?</p><p>But let's pretend we know what action we mean. Because the point I really want to raise here relates to the content of our reports. Specifically, how do the contents of our reports support and drive such action? Does every paragraph/sentence/word have a role in supporting that purpose? Does every detail help communicate a drive to action?</p><p>Take the time to think about what you are writing. How does a paragraph work to actually drive action? How do the sentences within support the paragraph and the associated action? How do the phrases provide support? How do the words provide support? How does every detail support that call to action?</p><p>As internal auditors, we tend to fall back on tried-and-true phrasings – the cliches of our profession, the buzzwords, the time-tested terminology we think says something but may be meaningless to the readers. Or, even if the readers are in on it, they've seen it so many times that sentences about risk, mitigation, and control lull them to sleep quicker than … well, there are few things that will lull people to sleep quicker than an audit report.</p><p>Look closely at the words you are using. Do they mean anything to the reader? Do they really mean anything to you? Would the report be the same (or probably better) if some just disappeared? 
Or might a search for a new, more energetic, more meaningful way to express the concepts actually bring life to the report and incite more action from the reader?</p><p>And, when I say "look closely," I am not exaggerating for effect. It is worth the time to fully understand the nuts, bolts, nails, and punctuation that make up our reports. Come back next time and I'll show you what I mean as I take a deep dive into one sentence almost every one of us has written.<br></p>Mike Jacka
On the Frontlines: An Auditor’s Reflections on Afghanistan<p>In 2017, I worked for an international development organization that was headquartered in Bangladesh, with operations in nine countries. That year, our chief audit executive (CAE) assigned me to a country office audit in Afghanistan. With the recent news of the fall of Afghanistan's government following the withdrawal of U.S. troops, I reflect upon my unique adventure as an internal auditor during those days.</p><p>As my flight descended on Kabul, I could see scattered greenery and the disorderly placement of houses and buildings through the land and mountains. Upon arrival, my internal audit team were welcomed by fine weather and a nice climate. We observed people busy with day-to-day errands and children playing in the streets.</p><p>Our opening meeting with the country head gave us an overview of the strategic challenges, operational context, project, and human resources capacity of our Afghanistan office. The country head explained that our organization had been delivering projects in infrastructure development, education, and health-care services using a community-based approach across many provinces in Afghanistan. The team outlined our audit engagement objectives to the country head and began the fieldwork.</p><p>From the outset, it was apparent that security was a real concern for expatriates working in the country. We were restricted from moving freely outside our accommodation premises at any time of day or night. For example, we were expected to commute between our accommodations and the office using an office vehicle, even though the two locations were on the same block and separated by only 10 to 12 buildings.</p><p>The golden rule was not to visit sites after a certain hour of the day and not to move around without a local guide. 
Our colleagues told us a story about an expat engineer who had failed to heed those warnings and was abducted during a visit to a project site. After months in custody, the engineer was returned safely and was sent home to his family.</p><p>Restricted in making site visits, our team used data analytics to look at the financial transactions from the project spending by the country office. By analyzing the mobile allowances of employees at field offices, we spotted discrepancies such as a variation of limits from month to month and an employee who received multiple top-ups in the same month. Textual analysis of signatories also flagged indications of unauthorized transactions.</p><p>Auditors working in Afghanistan must comprehend that local norms, behaviors, and cultural views are different from other parts of the world. The procurement team shared their experience of interacting with local contractors to enhance the use of appropriate documentation. Those contractors tended to find documenting transactions in writing unnecessary, noting that verbal commitments are strong, faithful, and conclusive. However, with some convincing and training, the contractors learned to use a standard set of documentation related to tender, bids, etc.</p><p>Engaging third-party, local subcontractors is the usual method to perform work because of restrictions for expats in certain parts of the country. Subcontractors' work was documented using photographs as evidence of completion of schools, infrastructure, and roads. 
This method was particularly helpful for confirming work was completed because auditors could verify the actual photograph alongside a completion certificate attached to project documents.</p><p>Toward the end of our audit engagement, I facilitated a day-long training session for the internal auditors of the country office, which enabled wider interaction and learning that had a positive impact among the team.</p><p>Four years later, the current conditions in Afghanistan raise the need even higher for public and private organizations to sustain a secure workplace and ensure business continuity. In my opinion, internal auditors in Afghanistan should focus on:</p><ul><li><em>Advocating for business continuity planning for the organization.</em> Internal auditors should develop the required skills or engage experts in the field to guide and advise the organization's leaders on the need to train employees at all levels to ensure business continuity.</li><li><em>Ensuring the safety and security of the internal audit team and all employees.</em> CAEs must give clear instructions on how to address security concerns. For example, auditors should limit site visits, use local guides, and receive updates about current news from the public relations function.</li><li><em>Using data analytics and remote auditing techniques.</em> It is time for internal auditors to learn to use modern analytics applications to achieve audit objectives, as business activities are vulnerable to internal control failures and fraud.</li><li><em>Developing robust policies and procedures for the organization.</em> Internal auditors must step up as trusted advisors and assist business leaders in establishing documented, comprehensive organizational procedures.</li><li><em>Hiring and training local internal auditors.</em> Having local internal auditors in the team will benefit the department to accomplish certain aspects of assurance or consulting engagements. 
The youth are talented and ready to take on challenging roles.</li></ul><p><br>During my stay in Afghanistan, my 3-year-old daughter Yusairah used to call me and ask in her tender voice, "When will you return from Abbanistan?" My team returned home safe from "Abbanistan," and the memories shall live long and fresh in my heart. Specifically, the kabab and naan — meat and flatbread — will be difficult to forget. I remember the conversations with the local people who were so good-hearted. The climate was so blissful, and the entire city of Kabul looked enriched by the natural beauty of mountains and valleys.</p><p>For now, the people of Afghanistan have been displaced, are devastated, and face insecurity. We all should pray for and support the people of Afghanistan to sustain peace, security, and prosperity for future generations.</p><p><br></p><p>Kamal Uddin Gazi Jishan, CIA, CRMA, is internal audit manager at Ali Bin Ali in Doha, Qatar, and a 2018 <em>Internal Auditor</em> magazine Emerging Leader.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Kamal Uddin Gazi Jishan

