Your Voices




On the Frontlines: An Auditor’s Reflections on Afghanistan<p>In 2017, I worked for an international development organization that was headquartered in Bangladesh, with operations in nine countries. That year, our chief audit executive (CAE) assigned me to a country office audit in Afghanistan. With the recent news of the fall of Afghanistan's government following the withdrawal of U.S. troops, I reflect upon my unique adventure as an internal auditor during those days.</p><p>As my flight descended on Kabul, I could see scattered greenery and the disorderly placement of houses and buildings through the land and mountains. Upon arrival, my internal audit team were welcomed by fine weather and a nice climate. We observed people busy with day-to-day errands and children playing in the streets.</p><p>Our opening meeting with the country head gave us an overview of the strategic challenges, operational context, project, and human resources capacity of our Afghanistan office. The country head explained that our organization had been delivering projects in infrastructure development, education, and health-care services using a community-based approach across many provinces in Afghanistan. The team outlined our audit engagement objectives to the country head and began the fieldwork.</p><p>From the outset, it was apparent that security was a real concern for expatriates working in the country. We were restricted from moving freely outside our accommodation premises at any time of day or night. For example, we were expected to commute between our accommodations and the office using an office vehicle, even though the two locations were on the same block and separated by only 10 to 12 buildings.</p><p>The golden rule was not to visit sites after a certain hour of the day and not to move around without a local guide. 
Our colleagues told us a story about an expat engineer who had failed to heed those warnings and was abducted during a visit to a project site. After months in custody, the engineer was returned safely and was sent home to his family.</p><p>Restricted in making site visits, our team used data analytics to look at the financial transactions from the project spending by the country office. By analyzing the mobile allowances of employees at field offices, we spotted discrepancies such as a variation of limits from month to month and an employee who received multiple top-ups in the same month. Textual analysis of signatories also flagged indications of unauthorized transactions.</p><p>Auditors working in Afghanistan must comprehend that local norms, behaviors, and cultural views are different from other parts of the world. The procurement team shared their experience of interacting with local contractors to enhance the use of appropriate documentation. Those contractors tended to find documenting transactions in writing unnecessary, noting that verbal commitments are strong, faithful, and conclusive. However, with some convincing and training, the contractors learned to use a standard set of documentation related to tender, bids, etc.</p><p>Engaging third-party, local subcontractors is the usual method to perform work because of restrictions for expats in certain parts of the country. Subcontractors' work was documented using photographs as evidence of completion of schools, infrastructure, and roads. 
This method was particularly helpful for confirming work was completed because auditors could verify the actual photograph alongside a completion certificate attached to project documents.</p><p>Toward the end of our audit engagement, I facilitated a day-long training session for the internal auditors of the country office, which enabled wider interaction and learning that had a positive impact among the team.</p><p>Four years later, the current conditions in Afghanistan raise the need even higher for public and private organizations to sustain a secure workplace and ensure business continuity. In my opinion, internal auditors in Afghanistan should focus on:</p><ul><li><em>Advocating for business continuity planning for the organization.</em> Internal auditors should develop the required skills or engage experts in the field to guide and advise the organization's leaders on the need to train employees at all levels to ensure business continuity.</li><li><em>Ensuring the safety and security of the internal audit team and all employees.</em> CAEs must give clear instructions on how to address security concerns. For example, auditors should limit site visits, use local guides, and receive updates about current news from the public relations function.</li><li><em>Using data analytics and remote auditing techniques.</em> It is time for internal auditors to learn to use modern analytics applications to achieve audit objectives, as business activities are vulnerable to internal control failures and fraud.</li><li><em>Developing robust policies and procedures for the organization.</em> Internal auditors must step up as trusted advisors and assist business leaders in establishing documented, comprehensive organizational procedures.</li><li><em>Hiring and training local internal auditors.</em> Having local internal auditors in the team will benefit the department to accomplish certain aspects of assurance or consulting engagements. 
The youth are talented and ready to take on challenging roles.</li></ul><p><br>During my stay in Afghanistan, my 3-year-old daughter Yusairah used to call me and ask in her tender voice, "When will you return from Abbanistan?" My team returned home safe from "Abbanistan," and the memories shall live long and fresh in my heart. Specifically, the kabab and naan — meat and flatbread — will be difficult to forget. I remember the conversations with the local people who were so good-hearted. The climate was so blissful, and the entire city of Kabul looked enriched by the natural beauty of mountains and valleys.</p><p>For now, the people of Afghanistan have been displaced, are devastated, and face insecurity. We all should pray for and support the people of Afghanistan to sustain peace, security, and prosperity for future generations.</p><p><br></p><p>Kamal Uddin Gazi Jishan, CIA, CRMA, is internal audit manager at Ali Bin Ali in Doha, Qatar, and a 2018 <em>Internal Auditor</em> magazine Emerging Leader.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Kamal Uddin Gazi Jishan
Building a Better Auditor: Visibility Leads to Promotability<p>It's not working hard that determines your promotion. It's making your hard work and yourself visible that determines your promotion.</p><p>It's true. Visibility leads to promotability.</p><p>Visibility involves connecting the dots from the work you do to the promotion you are looking for, meaning you are working to make your hard work and yourself visible to be noticed, recognized, and rewarded. Visibility opens the door wide for promotion as key decision-makers come to know and like you, hear and feel the impact of the work you do, and imagine your potential for the organization.</p><p>Getting promoted fast is the gateway for rewarding career moves within and beyond current employment over a 30-year horizon. The obvious financial rewards and further career advancement possibilities compound over time to create considerable professional and personal value.</p><p>If I were to rewind my career 25 years, I would have done a few things differently, sooner rather than later. The Pareto principle says that 20% of our activities drive 80% of the results we tend to get in any area. I believe this principle holds in corporate life, as well.</p><p>Let me list the top 3 things that continue to work for me to get visibility with key decision-makers.</p><h2>1. Make Your Voice Heard Where It Matters</h2><p>It is easy to remain quiet in a meeting, presentation, or discussion if you are not specifically called upon or where you feel it's not your area of expertise. Why risk sounding stupid, right?</p><p>At the same time, consistently making your views heard creates a strong impression that you are vocal and have a view. 
Introverts may have a challenge in these situations as they typically need more time to process information before they can make their views known.</p><p>The downside in remaining quiet or less vocal is that it creates undesired impressions with key decision-makers about our perceived value over time and evolves into entrenched perceptions that we don't have a view or are not visible enough.</p><p>I invite you to check in with yourself about whether you are confidently making your views heard with key decision-makers.</p><h2>2. Cultivate Relationships With Key Decision-makers Early on</h2><p>In corporate life, the focus is on delivering results. Building relationships typically is not front and center of our minds and tends to be dealt with as and when required to get things done.</p><p>Relationship building with key people, however, is a prerequisite to getting things done effectively and efficiently. Our ability to influence key decision-makers will largely be determined by the level of relationship we have established with each of them. This principle has been one of my biggest lessons over the course of my corporate life: Establish the relationship first before you start calling on someone's help or support to get things done.</p><p>In many situations, challenges in getting work done can be attributed to poor investment in relationships with key people who matter. Where do you see the current challenges in getting things done? Assess the level of relationships established with people in these areas.</p><h2>3. Create Opportunities to be Noticed</h2><p>If you look around, you will find avenues where you can easily put yourself in front of key decision-makers. These occasions may be in a work-related or social setting. 
Look for existing opportunities to engage with decision-makers on a wide range of matters from a work or personal perspective where you can add value to what they are already doing or what interests them.</p><p>In the beginning, operating this way may feel slightly unnatural if it's not your default style or personality preference. What you will find over time is that persistence with this approach opens the door to developing relationships with key people.</p><p>Here's the thing: These opportunities provide the platform to make your views heard and cultivate relationships at the same time. Consistency in creating and taking advantage of these opportunities is key to creating visibility with the range of key decision-makers who are relevant to your work now, in the near future, and over the long term.</p><p>I truly believe what author and motivational speaker Jim Rohn said, "You can't change your destination overnight, but you can change your direction overnight."</p><p> </p><p>Gerald Ebenezer, CA, CPA(M), is a career professional and coach with 25 years of experience spanning internal audit and business roles for large companies in Malaysia and New Zealand.<br></p>Gerald Ebenezer
#IAm Harold Silverman<p>As a senior external auditor at Arthur Andersen, I had opportunities to perform a number of internal audit engagements. As Andersen was building its internal audit outsourcing practice, it frequently leveraged external audit staff to help perform fieldwork of internal audit engagements during the slower summer months. Even if I didn't truly grasp the differences between internal and external audit at that time, I enjoyed the work.</p><p>Most of my staff colleagues on internal audit engagements were like me, Certified Public Accountants (CPAs) looking to do something different and find our niche in a large firm. I hadn't met anyone who truly saw himself or herself as an internal auditor, or at least anyone who was proud to say it aloud. Still, I began to consider internal audit as a potential career path.</p><p>On a snowy morning in January 2000, I picked up my briefcase, made sure I had plenty of clean crisp copies of my resume, and left the Boston office of Arthur Andersen. I walked across the street, where I had a series of interviews for a position on the PwC internal audit services team. </p><p>That is the morning I first met the individual who had the greatest impact on my professional life and, to this day, is my most significant role model. Brian Kinney, like me, was a senior auditor. Unlike me, he was not a CPA. He was a Certified Internal Auditor (CIA) and incredibly proud of it.</p><p>Brian had joined PwC's internal audit practice (actually its predecessor firm Coopers and Lybrand) a few years earlier, after graduating from the University of Massachusetts–Lowell. On top of being unimaginably happy and energetic, Brian's enthusiasm for the internal audit profession was infectious. I almost couldn't believe that it was genuine.</p><p>A few weeks later, I joined the PwC team, and Brian became a colleague, peer, and friend. 
Over the approximately 18 months that we worked together, I realized that every bit of Brian's enthusiasm, energy, and passion for internal auditing was authentic and consistent.</p><p>Brian was also the nicest person that I've ever met, and he let his personality shine in his work. Every interaction had a personal touch that showed that he not only cared about the topic at hand, he cared about you. He cared about his clients and wanted them to succeed. In turn, the clients adored him, confided in him, and trusted him. This allowed him to be a better auditor and to better serve our newly shared profession. </p><p>In the summer of 2000, Brian was promoted to manager. A year later, I also was promoted, and I don't think anyone was more excited for me than Brian. He also was a passionate member of The IIA–Greater Boston Chapter board of directors and encouraged me to volunteer my time to The IIA. </p><p>Tragically, our relationship ended suddenly when Brian was killed in 2001. As his obituary stated, "He could have taken care of that California client by phone. But on Sept. 11, Mr. Kinney boarded United Airlines Flight 175 because he wanted to shake the client's hand and see how he was really doing." The plane he had boarded in Boston was hijacked and crashed into the World Trade Center in New York.</p><p>Each of us will remember that awful day 20 years ago in our own context. I choose to think about Brian.  I feel the loss that hurt so much then and continues today. I also choose to remember the positive impact that he had on my life and career and the impact he had on others around him.   </p><p>In the ensuing 20 years, I have had the fortune of rising in the profession, eventually serving as a chief audit executive for two outstanding organizations. I continued to volunteer for the profession that Brian introduced me to, serving in IIA leadership positions at the chapter, North American, and global levels. 
I now serve the profession full-time at IIA headquarters.</p><p>Over the past two decades, I have gotten to know many passionate and proud internal auditors. I have many mentors and role models. However, none of them has had the lasting impact on me as the first one who, on that snowy day in 2000, announced to me in no uncertain terms, "I AM AN INTERNAL AUDITOR!"</p><p>I miss you, Brian. I am a better person because of the time we spent together. Internal auditing is a stronger profession because you were a part of it.</p><p><br></p><p>Harold Silverman, CIA, CRMA, QIAL, CPA, is director, Executive Membership at The IIA.</p>Harold Silverman
On the Frontlines: Building Operational Resilience<p>The past four years have seen an exponential increase in the number of policies, publications, and guidance to promote the resilience of firms, particularly financial market infrastructure firms. Examples around the world include the U.S. Federal Reserve's <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">Sound Practices to Strengthen Operational Resilience</a> and the Monetary Authority of Singapore's <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">Risk Management and Operational Resilience in a Remote Working Environment</a>.</p><p>In Europe, recent guidance and regulations include:</p><ul><li>The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority's Operational Resilience: Impact Tolerances for Important Business Services.</li><li>The Basel Committee for Banking Supervision's<em> </em><a href="" data-feathr-click-track="true" target="_blank">Principles for Operational Resilience</a> and the work program and strategic priorities for 2021/2022.</li><li>The European Commission's draft Digital Operational Resilience Act and the Network and Information Security (NIS) 2 Directive.</li></ul><p><br>Following the release of <a href="" data-feathr-click-track="true" target="_blank">Operational Resilience: Impact Tolerances for Important Business Services</a> in June<em>,</em> U.K. financial services firms should focus on third-party risk management by considering emerging technology risk linked to the cloud strategy, concentration risk against the major providers, and sub-outsourcing risk. 
Firms should shift their focus from the internal critical functions to the important business services that, if disrupted, could harm consumers or market integrity as well as threaten the viability and image of firms.</p><p>Also, for each important business service, firms should set impact tolerances that quantify the maximum tolerable level of disruption. In determining these tolerances, they should work from the basis that the impact has already occurred, rather than the risk of it occurring.</p><p>Additionally, firms should identify and document the people, processes, technology, facilities, and information that support important business services. They should take actions to remain within the impact tolerances through a range of plausible disruption scenarios. Moreover, they should devise a plan to test important business services against the tolerances to provide assurance that:</p><ul><li>This is a true and accurate reflection of the organization's tolerance for disruption of that service.</li><li>The organization has a good understanding of its own level of resilience.</li></ul><p><br>The Basel Committee on Banking Supervision's <a href="" data-feathr-click-track="true" target="_blank">work program and strategic priorities for 2021/2022</a><em> </em>reflect the outcome of a recent strategic review by the committee. The review is intended to ensure that the committee continues to effectively promote global financial stability and strengthen the regulation, supervision, and risk management practices of banks worldwide. 
The work program focuses on three key themes:</p><ul><li>COVID-19 resilience and recovery monitoring and assessment of risks and vulnerabilities to the global banking system.</li><li>Horizon scanning and mitigation of medium-term risks and trends, including work related to the ongoing digitalization of finance, climate-related financial risks, and the impact on banks' business models resulting from a "low-for-long" interest rate environment.</li><li>Strengthening supervisory coordination and practices with a focus on the role of artificial intelligence/machine learning in banking and supervision, data and technology governance by banks, operational resilience, and the role of proportionality in bank regulation and supervision.</li></ul><p><br>In the European Union (EU), the <a href="" data-feathr-click-track="true" target="_blank">Digital Operational Resilience Act</a> aims to establish a foundation for EU financial regulators and supervisors to be able to expand their focus to ensure firms remain financially resilient through a severe operational disruption. Considerations for the proposed law include:</p><ul><li>Bringing critical information and communications technology (ICT) third-party providers — including cloud service providers — within the regulatory perimeter. In this way, one of the European Supervisory Authorities would have the power to perform off-site and on-site inspections and issue recommendations.</li><li> Setting EU-wide standards for digital operational resilience testing.</li><li>Harmonizing ICT risk management rules across financial services sectors, based on existing guidelines that ask to set the appropriate risk and impact tolerances for ICT disruptions as well as review the firm's business continuity and disaster recovery plans.</li><li>Harmonizing ICT incident classification and reporting, and opening the door to establish a single EU-hub for major ICT-related incident reporting by financial institutions. 
The measures, in aggregate, would provide EU regulators with a better picture of the kinds of vulnerabilities that are most common across firms and potentially help them take further action.</li></ul><p><br>The pandemic has confirmed the importance of preparing for the digital decade as well as the need to continually improve cyber resilience based on the growth of network and information systems dependences and interconnections among sectors and services.</p><p>To respond to the growing threats posed by digitalization and the surge in cyberattacks, the European Commission has proposed replacing the NIS Directive. The <a href="" data-feathr-click-track="true" target="_blank">NIS2 Directive</a> (PDF) would strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.</p><p>Most organizations have embarked on their own thinking and interpretation of these rules, and their approaches are likely to vary from one organization to another. Organizations will need internal audit's support to improve their resilience framework, alongside the contributions of risk and business continuity management experts.<br></p><p><br></p><p>Laura Zarrillo, MBCI, is an internal audit manager in the financial sector and a board member of the Business Continuity Italy Chapter.<br></p>Laura Zarrillo
The Knowledge Needed to Run Amuck<p>In my last two blog posts, I talked at great length (probably too great a length) about allowing internal auditors the freedom to get their jobs done and to explore better ways to do it. In <a href="/blogs/jacka/2021/Pages/Living-in-the-Shadow-of-Fear.aspx" data-feathr-click-track="true">the first post</a>, I talked about the scourge of micromanagement, and <a href="/blogs/jacka/2021/Pages/Control,-Freedom-and-Trust.aspx" data-feathr-click-track="true">in the second</a> I talked about letting auditors free to truly explore. (Creative, but dangerous.)<br></p><p>After re-reading these posts and taking note of some comments I received, I realized that an important point fell by the wayside. In one paragraph I made the following comment: "When I first came into internal audit, I was lucky to work for leaders who allowed me a lot of freedom. Yes, I was trained, but I wasn't forced down a path."</p><p>Over 3,000 words in two separate blog posts and only once did I utter the phrase "I was trained."<br></p><p>I got so wrapped up in the preaching of freedom that I forgot such freedom can only occur when people have the knowledge necessary to get their jobs done. Picasso didn't blur the lines until he knew how to draw them. And internal auditors cannot know how to change internal audit until they know how the work is done.</p><p>So, yes, train, train, and train again. (And never allow yourself to quit learning; another topic for another time.) However, just because someone is still learning doesn't mean you have to hogtie them until such time as you think they've got it perfected.</p><p>When I first joined internal audit, my initial training consisted of learning the basics of how audit worked and then being given an audit program to complete. My supervisor walked me through it as we went along, and my manager was there if I needed additional help. 
</p><p>For my second audit, I was given an area to review, but was not provided an audit program. The expectation was that I should know how an audit was conducted and I was to use that knowledge to build and execute my own audit program. Yes, I was to ask questions as necessary, but it was my audit to complete — succeed or fail. (It should be noted that I found a quarter-million-dollar issue in that audit. Not bad for a newbie. Of course, I never did that again, but that is beside the point.)</p><p>Training, yes. Training first, yes. But do not use a perceived lack of training as an excuse to micromanage or to restrain initiative and creativity.</p><p>How do you approach training? What do you do after you have provided the basic information on how to get the work done — how to complete the audit? Do you let the auditor go free and see what happens? Or, in a fit of risk aversion, do you watch every step to ensure no step is out of line? If you continue to watch the auditor that closely, keeping them in line and changing things before they can go even one degree south, how do you know if that staff member is any good, or will ever be any good?</p><p>Here's my suggestion. If you really want to know how talented a person is — new auditors, experienced auditors, and anything in between — first make sure they have the tools they need — the training, the understanding of the work, etc. Then, let them go. Be available. Be there to answer any question. Have specific check points where you can be updated. But do not hover, watching and verifying every workpaper and note and spreadsheet and tic and tie, double-checking everything as if the expectation is failure.</p><p>You cannot know how good any employee is if you don't give him or her the freedom to explore, learn, and, yes, fail. (There are such things as "safe failures." Understand the concept and apply it.) And let's take it all one step further. 
Good does not mean the ability to follow all the rules that were learned during training — how to complete a form, how to complete the assigned test, how to conduct an interview. No, good means running into something new/different/unplanned and successfully navigating the necessary changes. Such skills will never be developed unless the auditor is given the freedom to practice them.</p><p>I started this post with the intent of reinforcing that people cannot be expected to be successful in doing normal or extraordinary work unless they have the necessary training. And I want to repeat that nothing I said in the last two posts, as well as this one, was meant to imply that training and knowledge should take a backseat. However, I've co-opted my own blog post and, once again, am pushing for creativity and freedom.</p><p>Here's my excuse. I think the profession does a pretty good job of finding talented people and giving them the training they need to get the work done. But I think we wait too long to even think about letting them step outside the limited scopes we have established.</p><p>Instead, use that talent, use that training, and build on those talented, trained people to make internal audit better. <br></p>Mike Jacka
On the Frontlines: Finding the Right Working Balance in the New Normal<p>While trying to understand what good has come from the work-from-home environment imposed by the pandemic, I look for what internal auditors can save and learn for the future. It can be difficult to contemplate the flexibility we gained from remote work and the constraints we incorporated.</p><p>For many internal auditors, this has been a period of working from home and not losing our jobs. From an outside perspective, we are among the lucky people who are still working and earning a salary. We know that this picture is partially true, yet while some auditors are gaining the maximum benefit from working remotely, others are going a little crazy.</p><p>I have about 10 years of experience in auditing, working in a small international team of about 25 auditors who are spread across Europe. Lately, I have noted changes in the audit life cycle (i.e., planning, fieldwork, issue discussion, action identification, report writing, and communication) during the pandemic and working from home. The new normal will not be exactly the same as the pre-pandemic era, and we need to prepare for how to best manage in the post-pandemic environment.</p><p>Being auditors, we would like the situation to always be under control so we are ready when the COVID-19 period is finally over. It's then that we will be able to manage some hours and days working from home and work in the office at other times.</p><p>It is easy — I would say obvious — to speak in general about the pros and cons of working from home compared to working in the office. 
While it becomes a bit more difficult to assess these factors when I speak about myself, it becomes very difficult when I work in a team to share thoughts to identify the best balance between home and office.</p><p>To assess the right balance, let's do some steps together.</p><p>Which audit and nonaudit activities are good to do at home and which are best performed in the office? The answer may depend on several factors — both personal and related to the kind of audit and organization for which auditors work. If we built a matrix where one axis measures our personal capabilities and the other axis lists the audit activities, would it enable us to choose for every intersection which activity should be performed at home versus in the office?</p><p>Here are questions that are worthwhile for auditors to answer individually and then share with the team:</p><ol><li>Which activities require 100% of my energy and concentration, and which can I do when I'm tired and have limited energy?</li><li>What is my daily energy cycle? Maybe I realize that I'm very active and energetic in the early morning, I'm a bit tired after lunch, and I feel very creative in the late evening.</li></ol><p>Combining these two answers I can plot a graph of which activities should be planned during the different hours of the day. For example, it would be good for me to carry out testing activities in the morning when I'm fresh and concentrated to focus on details. I should plan meetings in the afternoon when sharing and discussing information with others may help me to be more energetic after lunch. Likewise, I can complete planning and brainstorming activities in the late afternoon when I am more creative.</p><p>Despite our awareness of which is the best time to do each activity, auditors are not the only ones planning our agendas. We have external constraints depending on our boss, colleagues, family members' needs, etc. 
However, there are details that we can be aware of in advance:</p><ul><li>The time during the day when our home is quieter.</li><li>Our commuting time.</li><li>Our office working environment (e.g., a single office or an open space shared with many colleagues).</li></ul><p><br>Which leads to the third question: If I could choose when I want to work alone and when it is beneficial for me to be in the office to meet other colleagues and audit clients, how would I plan my week?</p><p>And finally, could I try to plan the time I spend at home or in the office taking into account these three questions? I'll return with some examples after I have discussed my findings with my team.</p><p> <br>Beatrice Saredo is internal audit senior manager at Borsa Italiana Euronext Group in Milan, Italy.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Beatrice Saredo
Control, Freedom, and Trust<p>Let me tell you a story.</p><p>For a period in the 2000s, I was in charge of the Farmers Insurance audit departments in Phoenix and Colorado Springs, Colo. I decided to bring the two groups together — 8 auditors — for a 2-day mini-conference. We met that summer at the halfway point, Durango, Colo. Not a bad gig.</p><p>It all went better than I could have hoped. It served as an excellent team-building experience, allowing two teams that worked well by themselves to get to know each other and become a cohesive single unit. I had each person do presentations over the two days, so there was a sharing of knowledge. And the interactions allowed me to see the auditors in a different situation, verifying my belief in the strengths of some, identifying issues with others, and finding a couple of hidden gems who I was able to bring to the attention of upper management. And, in the evenings, we were able to experience the fun and beauty of Southwestern Colorado. A good time was had by all.</p><p>It was an event that was often talked about within the group. And, during a meeting with upper audit management later that year, the team expressed their feeling that it was one of the best experiences they had ever had in internal auditing. They went on to explain that it wasn't just because they got a great trip out of it, but because of what they learned about the team, about auditing, and about the role of our department within the company.</p><p>Oh, did I mention that I did this without any official OKs, approvals, signatures, or real authority to do any of it?</p><p>Is this a tale of opportunity taken? Is it a tale of questioning the boundaries of acceptable behavior? Is it a cautionary tale of a manager run amok? Is it a tale meant to kick off a blog post because I'm not sure how best to begin? 
Is it a tale that has gone on too long and taken up way too much space?</p><p>Well, to be honest, it's all of those.</p><p>I want to continue a discussion we were having during our last visit — a discussion about how freedom can be used to control and how stifling internal auditors' freedoms in the name of control negatively impacts our effectiveness and our progress as a profession. And the above story provides an interesting backdrop to that discussion.</p><p><a href="/blogs/jacka/2021/Pages/Living-in-the-Shadow-of-Fear.aspx" data-feathr-click-track="true">Last week's post </a>started with a quote from Zen master Shunryu Suzuki: "To give your sheep or cow a large spacious meadow is the way to control him." </p><p>We discussed the fear internal auditors have of making mistakes and how this causes us to micromanage the work we do. To use Suzuki's metaphor, our fears result in us not only limiting the space in the meadow, but actually tying auditors to a metaphorical stake in that meadow.</p><p>But, once we allow ourselves to quit micromanaging (or, at the very least, overmanaging and over-reviewing — which may be the same thing), there is a greater freedom we need to talk about.</p><p>Last time, in an attempt to define just how much freedom auditors were allowed, I provided a list of "Are your auditors allowed to …" The first part focused on micromanagement issues. But the second part looked at broader freedoms: allowing them to explore new audit techniques, use new tools, or suddenly spin off on new projects for no apparent reason other than they seem like a good idea at the time.</p><p>To get a feel for where you may fall on the "freedom allowed" spectrum, let's look at a potential real-world example.</p><p>A current hot topic is robotic process automation (RPA). Related to that is the concept of the citizen developer — employees within each department (in our case, internal auditors) who develop programs without input or influence from the IT department. 
There's a lot more to the concept, but this is enough to get us through this discussion. (Note that it's well worth your time to find out more on the subject.)</p><p>Here are three scenarios. And, in all three scenarios, let's assume you believe the auditor has the skills needed to accomplish the requested project.</p><p>Scenario No. 1: One of your auditors comes to you and says, "I keep hearing about RPA, and I'd like to learn more about it, including its potential application within the department? Can I have some time to research it?"</p><p>The time the auditor needs may have some impact on the completion of the audit schedule.</p><p>Scenario No. 2: One of your auditors comes to you and says, "I've been hearing about RPA, and I've been doing a little research. In fact, I've been doing a little programming, and I think we could use it in the department. Can I have some time to explore developing programs that might be used within the department?"</p><p>The auditor has been doing this research at work, squeezing it in between audit projects. The time the auditor needs will definitely impact the audit schedule.</p><p>Scenario No. 3: One of your auditors comes to you and says, "I've heard a lot about RPA and started doing some programming. In fact, I've developed some programs we could use, right now, in internal audit. I'd like to start putting them into production, as well as begin looking into other opportunities."</p><p>One more time, the schedule is going to take a hit. In addition, you now have an explanation for why there have been delays in this auditor's recent work. (Nothing detrimental, but a definite slippage in timeliness.) Further, it is hard to tell how implementing these programs will further impact the schedule. Ultimately, it should increase efficiency. 
But, in the short term, there may be delays and even cancellations.</p><p>How do you respond to each scenario?</p><p>Get a group of auditor leaders together and these scenarios will engender some intense discussion. There are a lot of issues on the table and, if this were part of a seminar, I'd set aside at least one hour for cussing and discussing. But I'm heading to one particular point.</p><p>To begin with, if you shudder at the thought of any of these scenarios — if you see auditors stepping outside their boxes and taking liberties that should not be taken — or even if you think, "Well, these are nice ideas, but we'll all need to talk about whether this is the right direction for our department before taking any further action," then you have a problem. It is probably safe to say that creativity and innovation are crushed in your department before they can even make an appearance. Warning: More than likely your department is stagnating and you may want to start perusing the want ads.</p><p>But let's move on.</p><p>The three scenarios represent increasing degrees of freedom that might exist in audit departments. In the first, we see an auditor willing to explore new things. However, Auditor No. 1 wants to make sure everything is okay before moving forward. Is it good that the auditor asked permission to move forward? Maybe. I'm glad this individual is willing to explore, but …</p><p>Compare that to the second person who has actually taken steps to learn something new. That is a good thing. However, what opportunities may have been lost by not asking for additional time to do that research in the first place? It might have been better if Auditor No. 2 had asked earlier and been given the time to move the project along more quickly.</p><p>And then there is Auditor #3. I'm guessing many of you didn't like this approach. However, is it necessarily a bad thing? 
The auditor's excitement and inquisitiveness has driven this individual to explore new areas and come to you with solutions in hand. This auditor probably feels she has the freedom to move forward with an eye on any prize she thinks has value.</p><p>There is no right answer for any of these scenarios. But your reaction will speak volumes about the freedom you are giving your audit staff. (And, as an internal auditor, your expectations regarding the reactions you might receive from your leaders will speak volumes about the people for whom you work.)</p><p>But here is the fun part. The sooner you allow people the freedom to explore, the sooner they will return that trust with results. When I first came into internal audit, I was lucky to work for leaders who allowed me a lot of freedom. Yes, I was trained, but I wasn't forced down a path. And I believe this approach was part of the reason I was willing to explore and take the chances I did throughout my career.</p><p>Which brings us back to Durango.</p><p>Let's be honest. When I held that conference, I overstepped my boundaries. I went beyond the meadow. And it is only many years later, speaking with my then associate vice president, that I've learned I may have been in more trouble than I knew. (Note that this was not an isolated incident, but we can swap such stories later during happy hour.)</p><p>But I think I got away with it because of success. I succeeded with that venture, and I had succeeded with other ventures in the past. Our chief audit executive was fond of saying that a co-worker (Paulette Keller, to drop a name) and I were "creative, but dangerous." We bore that badge proudly because it showed we were trusted to explore, and we were trusted to do so in a way that would not damage the department or the company.</p><p>How many people do you have on your staff who are creative? How many do you have who are dangerous? 
Or do you even know the answer because you have tried to control the danger (and by default, the creativity) by keeping your staff fenced in a meadow that is smaller than it should be?</p><p>And how many good people have you lost because that meadow was too small? And, again, do you even know the answer to that last question because you never let them do more than feed in the tiny meadow you allowed?</p><p>I started last week's blog post by implying that I was talking about management. And, when you talk micromanagement, well, it's in the word. But this has all really been about leadership. Good leaders lay out a future and then allow those they work with to achieve that vision. And good leaders know that can only happen when they trust the team with a large, spacious meadow.</p><p>And one more thing. If you haven't been to Durango, plan your trip today. You won't be disappointed.<br></p>Mike Jacka
Building a Better Auditor: When the Leader Is Challenged<p>Xi joined a government agency a few years ago and has a good working relationship with the head of the agency, Xyrl. Xi has been able to provide assurance on the agency's objectives in a way that the agency has never seen before. Previously, Xyrl thought internal auditors only looked out for mistakes or what went wrong, but ever since Xi arrived, providing consulting expertise in addition to assurance engagements has really turned things around.</p><p>Xyrl has found the contributions very useful and has grown to trust Xi. Putting structures in place has eased her role as the head of the agency. At times, Xi highlights issues for the various departments to consider before, during, and after certain projects. Such contributions have changed their mindsets so that they see the internal auditor as a business partner. But Xi never forgets to remind them that there is a difference between assurance and consulting engagements.</p><p>Recently, Xi has noticed that Xyrl has changed her habits. Where Xyrl used to respond to emails and recommendations and look forward to suggestions, she has become somewhat distant. At an internal meeting with other stakeholders, Xyrl suggested that Xi may "take a break," as the recommendation made was not feasible. This was something Xyrl had never done before.</p><p>At another encounter, when Xi tried to discuss something urgent she had observed, Xyrl responded, "I'm sure you know how to handle it." Another time, Xyrl decided to override the risk mitigation procedures the internal audit team had recommended in a show of power of who heads the agency.  There were rumors that Xyrl's tenure at the agency may not be extended in a few months, which may have led to the recent "I don't care attitude." 
</p><p>Unfortunately, Xi also has noticed that motivation at work has been slightly affected and mistakes she never used to make when reporting are now occurring. The truth is there may be best governance practices, systems, and policies in place, but in real life, the human element could threaten all of these.</p><p>This scenario is typical during the last days of a leader's tenure — some handle their last days well, others burn the structures they had built over time, and some are in the middle. Xi's team noticed the behavior at the last meeting, and one of the junior team members said, "I don't like the way Xyrl talked to you at the meeting. How do you handle the situation?" Here are tips to address the problem Xi encountered.</p><h2>Be Professional: Work Must Go on</h2><p>Xi told her team member not to worry about the situation. "My job is to provide assurance on management's activities to relevant stakeholders and not to make enemies. Our work should be able to speak for us and end users must have confidence in our output," she said.</p><p>Xi wanted to make sure the junior staff did not see that event as an "us versus them" scenario where they take situations personally. She further assured her team that internal auditors are to conduct their work in a professional and competent manner. Do your job!</p><h2>Assume Leadership</h2><p>Every leader also is a follower of another leader. Thus, while Xi's team members were observing what is going on, Xi also has observed Xyrl's leadership style over time and noticed that her behavior has changed.</p><p>Xi is providing mentorship to her team by her actions during these changing times while trying to manage the challenges. Applying the philosophy of <a href="" data-feathr-click-track="true">Theory U</a> can help refocus the mind on performing core functions. 
Theory U is a method of addressing change that advises individuals to observe the environment, sense changes going on and let go of unnecessary/temporary distractions, reassess self-principles, and realign one's self with vision and intention. In assessing changes in behavior, internal auditors should remember that their responsibility is not to an individual but to the institution and stakeholders who rely on their work.</p><h2>Be Self-aware</h2><p>It is easy to read theories, scenarios, and case studies until these happen to you in real life and you have to make quick decisions. Rules are written in theory; principles are applied in contexts. Self-awareness is closely linked to principles and this can intersect with an ethical framework when situations arise. The IIA's Code of Ethics expects internal auditors to apply the principles of integrity, objectivity, confidentiality, and competency.</p><h2>Keep Documentation</h2><p>A compensating feature for internal auditors is documentation. While Xi may not have the power to make certain decisions that the agency's head can make, appropriate documentation of observations and issues provides evidence when the need arises. Documentation is not intended to present internal audit as an "I told you so" activity. Moreover, documentation helps when another individual assumes your role or during a handover period. </p><h2>Maintain Independence</h2><p>Xi is fortunate that as the resident auditor at the agency, she has a dual reporting role. Her primary responsibility is to the government, the government's audit branch, and the agency. Thus, she was not afraid of threats.</p><p>Certain situations arise where this scenario occurs in a private organization and Xyrl is the chief audit executive (CAE) who interacts with the board. In that case, auditors cannot override their bosses or call them out if they are doing the wrong things. 
Nonetheless, self-awareness is important in defining your principles and guiding the actions you take.</p><p>Independence is a core feature of internal audit. While internal audit provides assurance to management that controls are in compliance with relevant regulations and laws, auditors do not perform management responsibilities or act as if they are part of management.</p><h2>Handling Changing Situations</h2><p>At a private organization, this scenario could be dicier. If Xi reported directly to the CAE, assuming leadership should be handled with care. That is, while displaying leadership qualities and not letting the situation affect them personally, auditors must take care that their actions do not send a signal to the CAE who frustrates them.</p><p>Also, some exiting leaders do not mind destroying structures upon leaving; they can burn bridges that may cause problems for auditors long after they have left. Thus, auditors should not come across as usurping the actual role but instead provide support to the departing leader as much as possible.</p><p>Organizational politics are unpredictable. In certain situations, depending on your relationship with the person in question, you can engage by talking, connecting, and sharing experiences. After all, "what is not discussed is not understood."</p><p> </p><p>Mustafa Yusuf-Adebola, CIA, CPA, CFE, CGA, is a fraud risk consultant and systems thinker in Ontario.</p>Mustafa Yusuf-Adebola
Living in the Shadow of Fear<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p><em>To give your sheep or cow a large spacious meadow is the way to control him.<br></em><em>— Shunryu Suzuki</em></p></blockquote><p><br></p><p>For this one, let's talk to the supervisors and managers in the crowd. (And to the future supervisors and managers. And to people who used to be supervisors and managers. And to people occupying even higher positions. You know what? Let's talk to everyone.)</p><p>Here is what I believe to be a basic truism for supervision, management, etc. Success for the individual and for the department comes from allowing people the freedom to do their jobs, including the freedom to do their jobs the ways they find work best. That is why the above quote from Suzuki resonates with me. I believe success comes from giving people a very large meadow.</p><p>However, there seems to be a reluctance on the part of internal audit leadership (at all levels) to allow audit staff such freedom. "Nay, nay," you say. "We have no such issues in our department." OK, then ask yourself, are your auditors allowed to change a test, change an audit objective, change the audit, cancel the audit, explore new audit techniques, use new tools, suddenly spin off on new projects (during an audit, during quarterly planning, during annual planning, out of thin air) for no apparent reason other than it seems like a good idea at the time?</p><p>We'll get to the second part of the above list in a bit. But let's look at the first few items. When you started reading that list, you probably were thinking, "Why, of course we allow such changes … as long as they are appropriately discussed and vetted." </p><p>Which begs the question, why do you not allow the auditor — a professional you have hired because of, among other things, critical thinking skills — to execute navigational changes intended to make the audit more effective? 
Why does there have to be constant scrutiny, to the point that each and every step of the audit, change or no change, must be reviewed and approved?</p><p>Why do we feel the need to hand-hold internal auditors — internal auditors of every level — throughout the audit process? (And with that, our first whiff of the brimstone-laden phrase "micromanagement" makes its appearance.)</p><p>We are a very risk-averse profession. To illustrate, here's a current, weird example of two opposite reactions internal auditors have to the same event. (And, so as not to get into a philosophical imbroglio, I will not state my opinionated views on the following subject.) </p><p>I have spoken with auditors who did everything they could to get the COVID-19 vaccine as soon as possible believing it was the appropriate way to mitigate what they saw as a serious risk related to the effects of the disease. I have also spoken to auditors who held off on getting vaccinated because they wanted to mitigate what they perceived as a serious risk related to issues that might still exist with the vaccines.</p><p>Two different reactions — potentially overreactions — to different risk aspects of the same issue. This proclivity toward risk aversion results in our profession laboring under what I believe to be its No. 1 fear, loss of control. (No studies to back this up. It's just something I believe based on observation. Don't agree? Let's take it outside to the comment section.) </p><p>Which leads to an interesting and sometimes nearly fatal approach to our work: the fear that we will lose control, we might make a mistake, and/or we could be wrong results in our inordinate and possibly unnecessary reliance on oversight and (dare I say it) micromanagement. 
Rather than giving people Suzuki's metaphorical larger meadow, we use short leashes to tie them to stakes in the middle of that meadow.</p><p>I further believe (again, nothing to back this up except personal observance) that this fear of losing control results in our profession being comprised of some of the worst micromanagers in existence.</p><p>Let me tell you a story.</p><p>A number of years ago our department was involved in team-building exercises. We were split into three teams who were trying to accomplish involved tasks. We were randomly assigned positions — workers, supervisors, and managers — and provided separate instructions on the ensuing roleplay. (I'm still questioning the "random" part since I, as a manager, wound up with a "worker" position. But I've gotten over it, honest.)</p><p>The exercise started and, in short order, one of the "managers" (who in real life was a supervisor), was harping at us about how much time was left, how we might do the job better, and, in general, playing the perfect role of the micromanager. In fact, he was playing it so well I assumed it was part of the background that had been provided prior to the exercise — the role he was to play.</p><p>During the debrief I brought up his approach and the negative impact it had on the team's ability to accomplish the tasks. I asked if it was part of the background information he had been provided. He looked a bit flummoxed and ever-so-slightly chagrined and explained that, no, such an approach was not part of his instructions; he was just trying to make sure we got it done right and on time. Later, I spoke with his actual manager and discovered that such an approach was exactly the one he used in all work situations.</p><p>A show of hands. How many of you have worked for this guy at some point in your career? One, two, three, 10, 30, I think we've got a majority, a sweeping mandate, a nigh-on unanimous vote. OK, honesty time. 
How many of you take actions that might be considered micromanagement? Hmmmm, not seeing many hands this time. Seems unlikely.</p><p>Let me tell you another story.</p><p>Quite a while ago, I wrote a piece for <em>Internal Auditor</em> magazine about micromanagement. In that piece I actually spoke, circumspectly, about one of the two associate vice presidents (AVPs) with whom I was working — a chronic micromanager. After it got published, AVP1 walked up and said, "Does AVP2 know you were talking about him?" Two days passed and AVP2 walked up. "Does AVP1 know you were talking about him?"</p><p>For the record, I was talking about AVP1, but that is neither here nor there. Rather, it speaks to self-awareness, or the lack thereof. And it speaks to the need for each of us to more closely inspect the way we work with those we are in charge of — the need to honestly determine if we are allowing them the freedom to get their work done or are clamping down in an effort to ensure perfection.</p><p>Do the stories and anecdotes prove internal audit's penchant for micromanagement? Not in and of themselves. But, if you examine your experiences, if you look closely at some of our own actions, if you review the policies and procedures your department has put in place, you will see the signs of micromanagement. And even a little micromanagement can cause a lot of trouble.</p><p>By acting insecure — living in fear that we will do something wrong, cowering in the belief that we are not allowed to make a mistake, trembling in dread that we might make a single error, and sure that any infraction will erode our client's confidence — we micromanage our work, striving for a perfection that is impossible and unnecessary.</p><p>And so we review everything, and we stick to the plan, and we don't make any changes until it is run through the chain of command, and we micromanage. 
And the entire time we are keeping the auditors tied to a stake using a short leash as they long for the open meadow before them.</p><p>And here's the funny part about the above. None of it is what I originally planned on talking about; none of it is why I included the Suzuki quote. I got sidetracked from the real sermon I wanted to preach. But I see everyone looking at their watches, the collection plate already passed, the benediction read, the potluck ready to be served, and nothing left but the singing of "Nearer My Finding to Thee." </p><p>So, next time we'll talk some more about that metaphorical field that represents opportunity. And we'll talk about the fact that, even when we don't tie auditors to the stake, we still place the fences too close.<br></p>Mike Jacka
#IAm Shruthi Ramakrishnan<p>Dancing was a part of my life almost from the point I could walk. Although I grew up in Mumbai, my family origins are from the southern part of India in Tamil Nadu, and we all were very proud of that.</p><p>Like a lot of girls my age, I was really into Bollywood and dancing in general on my own, but my parents pushed me to learn classical dance that represented our heritage. So, at the ripe age of five they enrolled me in classes to learn the ancient dance style known as Bharatanatyam.</p><p>Learning this ancient dance form helped me stay connected to my roots and respect my tradition. It taught me to embrace my culture, and this is why I almost immediately fell in love with it. When I danced on the stage, I knew that it represented something more than a few mudras. It represented my people, my culture, and my tradition. I fell in love with it almost immediately, and it played a huge role in my life all the way to adulthood.</p><p>Bharatanatyam, the most popular of the main Indian classical dance forms, was originally a temple dance, before being brought to the public stage around the 1930s. Bharatanatyam includes a list of specific procedures that are performed by a single dancer — typically dressed in a colorful, fitted Sari, and adorned with symbolic jewelry that outlines the head and draws attention to the performer's heavily lined eyes. </p><p>Bharatanatyam is a form of illustrative anecdote of Hindu religious themes and spiritual ideas emoted by a dancer. Through incredibly elaborate hand movements and facial expressions, the dancers in stunning traditional costumes and makeup weave interpretive narratives about various Hindu lords.</p><p>I gained a deep understanding of the movements by learning about the religious stories I was portraying through dance. It is a precise, intricate, and all-around beautiful art form. 
Today, although there can be a religious element to it, most of the time it is done purely for entertainment and as a testament to India's rich cultural legacy.</p><p>As you might expect, when studying such an art, it takes a serious commitment. Of course, one can learn a Bharatanatyam dance on YouTube if one really wanted to, but those who wish to pursue the art in a serious, career-minded capacity need to enroll in a professional institution.</p><p>That's not to say there weren't moments of levity. On one occasion, one of my friends had all of her elaborate makeup melt in the Mumbai heat right before she was ready to go on, and on another occasion, the institution I studied at was featured on TV. Granted, that performance was more Bollywood than Bharatanatyam, but I still got my 15 minutes of fame!<br></p><p><img src="/blogs/Your-Voices/PublishingImages/Shruthi%20Ramakrishnan-380x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />There are several different levels one has to go through to be considered proficient in Bharatanatyam. Each level isn't completed on a timetable; rather, you progress when your instructor feels you are ready for your examination — which, like any examination, requires rigorous preparation.</p><p>I personally completed all levels except the final one: my Arangetram, which is something like a graduation ceremony. At 15, I stopped to pursue higher education, but I fully intend to go back and finish one day — after I brush up on everything I learned during the 10 years I studied it, of course!</p><p>Although I had to leave dancing behind, dancing really never left me. In so many ways it helped define the person I have become. Even today when I talk, you can still see elements of my past life come out in how I "speak" with my hands, in how I move, in how I express myself and interact with the world.</p><p>You can even see elements of it in the discipline, preparation, and passion I bring to my internal audit role. 
Under my professional demeanor, it's always there, just beneath the surface, ready to burst out when I need it the most. I can't imagine my life without it.</p><p><br></p><p>Shruthi Ramakrishnan, CA, CPA, is manager of internal audit at Atlas Air Worldwide in Purchase, N.Y. and a 2020 <em>Internal Auditor</em> magazine Emerging Leader.<br></p>Shruthi Ramakrishnan
On the Frontlines: Machine Learning or Human Learning?<p>Remember the fable of the child, the old man, and the donkey? In this story, no matter what configuration they used during their trip (one riding, the other riding, both, none), they would find shame from not following simple rules of thumb that condemn cruelty to children, the elderly, and animals as well as waste and misuse of resources. Perhaps they should have ordered online and saved the trip on the donkey.</p><p>Regardless, the moral of the story is that it is good to recognize that sometimes there is no rule of thumb to follow and no "go to" answer that will be accepted.</p><p>Sound judgment is what happens when two or more of our highest values are in conflict, so that our rules of thumb do not apply. We struggle to teach this to our children, we struggle to learn it ourselves as we go into our careers, and it definitely will be one of those "final frontiers" as we try to teach machines to take on more complex work. </p><p>Consider Isaac Asimov's three laws of robotics:<br></p><p><strong>First Law<br></strong>A robot may not injure a human being or, through inaction, allow a human being to come to harm.</p><p><strong>Second Law<br></strong>A robot must obey the orders given to it by human beings except where such orders would conflict with the First Law.</p><p><strong>Third Law<br></strong>A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.</p><p> These laws are good and appear to be very generic "if/then" statements. In a way, they serve as rules of thumb on how to act, and in principle seem to cover all situations. 
Even when trying to comply with these rules, we still manage to have futuristic epics where robots must decide to save one human versus another, or hurt a human to protect another, and even prevent a human from eating bacon because his blood pressure has been high recently.</p><p>If you try to develop "follow-up" rules to reconcile these exceptions and make the three laws work, note that you have just stepped away from the "rule of thumb" approach. While you are at it, it also may be fun to consider whether you would want those algorithms to change if one of those humans in the scenarios was yourself or a loved one.</p><p>The point is our manuals and procedures cannot address every possible situation, because whoever writes them cannot foresee every possible scenario. For the sake of argument, imagine these manuals did include a perfect solution to each situation. Then, the time spent thumbing through the book to identify the ideal response to the scenario being experienced would be in conflict with our need to act in a timely manner — to save a life, engage the next customer, contain a scandal, etc.</p><p>The good news is sound judgment develops over time based on experience and modeling of other behaviors in difficult situations. That is why Karen wants to talk to her manager, because the manager may have a better perspective or understanding of the situation and find ways to quickly resolve whatever she needs to discuss. In other words, the manager may know what to do even if this situation is not written in the manual.</p><p>That said, internal auditors know managers make mistakes. We find judgment lapses so frequently that we have some projects focused on fraud and some consulting engagements focused on process improvement. That is evidence of how difficult it is to achieve sound judgment.</p><p>Returning to the idea that sound judgment can be taught: If this is true, over time we may be able to teach it to machines. 
Over time, but not yet.</p><p>For now, maybe instead of machines, we can teach the next generation of auditors. To do this, we simply want machines to highlight potential exceptions for the auditor to assess and decide how to respond. Then, we pair the machine with our junior team members so they both slowly learn how we would handle the situations they encounter. In this process, we teach them to trust each other, while understanding what can be expected, what is not normal, and what should be raised to the manager.</p><p>Until then, let's continue to enjoy our bacon!</p><p><br></p><p>Francisco Aristiguieta, CIA, is responsible for internal audit analytics at Citizens Property Insurance Corp. in Jacksonville, Fla.</p>Francisco Aristiguieta
Stopwatch Auditing<p>In 1881, Frederick Winslow Taylor got out his stopwatch to begin what became a lifetime of analyzing work with the idea of optimizing and simplifying jobs. He felt that, by calculating the time needed for the various elements of a task, he could develop the "best" way to complete each task.</p><p>The result was a revolutionary approach to business that culminated in his 1911 book <em>The Principles of Scientific Management</em>. He proposed that, by optimizing and simplifying jobs, productivity would increase. And the stopwatch he first broke out in 1881 became an instrumental tool in measuring how work was done and how that work could be streamlined.</p><p>Sounds good at first blush. And there is some value in what he proposed, particularly when viewed through the lens of the times in which he worked. However, over time, there has been a lot of criticism of the Scientific Management Theory, primarily because it promotes "one right way" to do something; it takes away individual responsibility. There's a lot more behind this, and you can get part of the feel by checking out <a href="" data-feathr-click-track="true" target="_blank">this article from MindTools</a> (an article I used as a source for much of the above).<br></p><p>OK. Apologies for the history lesson; it may be information you already knew. However, it's always a good idea for internal auditors to understand how work gets done and how we wound up where we're at. And, in this instance it is good to understand how, for good or bad, Taylor's approach became a foundation for the way a lot of work is still accomplished. Modern management theorists decry much of what Taylor brought forward. 
But much of it — the good and the bad — still permeates workplaces.</p><p>Which brings up the question we should ask often and always, what does this have to do with internal audit?</p><p>Well, first, this information could all be used to have a discussion about how internal auditors need to understand business principles — their use and misuse — as we analyze the processes we review. However, there is a bigger elephant in this particular room — understanding how these principles impact the way internal audit works and, relatedly, measures its success.</p><p>Taylor laid out four principles in his scientific management approach, the first being that the scientific method should be used to study work and determine the most efficient way to perform specific tasks. As previously noted, the implication is that there is one perfect way to perform any task. And, unfortunately, this is the foundation, in various guises, for the approaches used by some internal audit departments.</p><p>Well, you and I both know that, while the siren call of standardization can win over some audit departments, reality is not quite so … perfect. The vagaries of our work, while allowing that there can be <em>better</em> ways to accomplish things, mean that (quoting an obscure song by the obscure group, Goose Creek Symphony) "Every day's different and it's different every day."</p><p>The complete standardization of tasks within internal audit is a fool's game. This does not mean there aren't similarities in tasks. But the attempt to standardize approaches will lead to work that just isn't as good as when one uses one's brain. For example, one of my pet peeves is starting an audit — the very first step — by looking at what was done last time. Sure, this is an important part of any preaudit. 
But if that is your starting point, you have instantly put blinders on the possibilities.</p><p>But let's look at another aspect.</p><p>As was previously mentioned, built into Taylor's approach is the idea that, once the most efficient way to perform a task has been assessed, a measure of success exists for every task. And every employee is measured against it.</p><p>And, if we look closely (or maybe we don't have to look that closely) we can see audit departments fall into the trap of "perfect" measures of time for audits, projects, and tasks within every audit. I have seen audit shops that slavishly measure the amount of time spent by the auditors, digging to record the smallest tittle and jot, effectively robbing the auditors of the ability to use their brains in adjusting how the audit is accomplished.</p><p>OK, maybe I don't know any audit shop that measures its time down to the pencil strike, the keystroke, the item reviewed, the minutes per question, the length of the interview.<br></p><p>What's that you say? Mayhaps I've gone too far in my suppositions? No, I can't imagine measuring keystrokes (and if your department is doing this, maybe it is best not to share), but how detailed are the measures being used?</p><p>You may not measure how many questions should be asked in an interview and how much time should be allowed for each question. But if you track the amount of time each interview takes, are you building an underlying expectation about the "correct" amount of time for every interview? And with that, do the auditors believe interviews should be cut short to meet that measure?</p><p>Is there a similar estimate/assumption built into how long should be spent on every test, every walkthrough, every risk assessment, every report? Do you have an estimated amount of time for the audit to be completed? 
And do those assumptions result in work — quality work — taking a back seat to a stopwatch measure of success?</p><p>Maybe it's only tangentially related to this discussion, but I talked to one audit department — a large audit department — that did not establish estimated times for completion of their audits. Nor were they keeping track of their time. I never figured out how they did it, but they were successful.</p><p>There is not a word in any of the above that is meant to imply that I do not think you should have estimated times, or that you should not keep track of time. However, I <em>am</em> saying that we have to understand where some of the underlying concepts for keeping track of our time started. And from that understanding, reinspect the way we are doing things.</p><p>Much of what is now seen to be wrong with Taylor's theory is what leads some internal audit departments to mediocrity. The audits are not driving the numbers, the numbers are driving the audits.</p><p>Sure, have some estimated times established. But don't live and die by them. Know what needs to be done and adjust accordingly. Yes, there are ways to streamline our work and reviews (please, please, please, please, please streamline those reviews — primarily by eliminating them). But there is no magic, efficient way to get any specific audit completed. Successful completion in a timely manner (whatever timely may mean in each case) is one of the things internal auditors are paid to figure out. And mindless timekeeping and virulent adherence to milestones and estimated hours will serve no other purpose than to show success against valueless goals.</p><p>Because, ultimately, if our work can only prove its success by the measurements of a stopwatch, then we can be replaced. To paraphrase something a friend of mine says, our value is not in the clickety-click, but in the thinkity-think. And no stopwatch can find the perfect measure for how that is accomplished.<br></p>Mike Jacka
Building a Better Auditor: Evolve Your Internal Audit Mindset<p>I began thinking, what was one thing I wish someone had helped me understand and learn more about when I first started my career in internal auditing almost eight years ago? The first thing that came to me was mindset. The way we think about an engagement — even before gathering information — is one of the most important, if not <em>the</em> most important, aspects of being a professional practitioner.</p><p>Getting rid of the "policing" mentality is challenging, especially for new internal auditors who believe that it is their responsibility to "find something wrong." To all my internal audit colleagues, that is not your responsibility. We should aim to serve, to deliver value, and overdeliver on our value proposition.</p><p>By evolving how internal auditors think about our organization's processes, controls, and risks, we can set a strong foundation of success for any engagement that we perform. Over the years, these are a few of the things that have reminded me to stay true to our mission of adding value.</p><h2>1. Delivering Value: No More "Policing" Attitude</h2><p>Internal auditors must think of ourselves as practitioners, as professionals, and as advisors delivering insight. Practitioners believe in delivering value to their clients, to their customers. Practitioners don't nitpick on a single issue; we place that issue into the context of the larger process.</p><p>The "policing" type of auditing only leads practitioners to try to find something that is wrong. This ultimately affects the way auditors report those exceptions, and it doesn't lead us to determine the root cause. The "policing" mentality influences us to believe that the exceptions are the root cause, when they're really not.</p><p>It sounds a lot better to ask yourself, "What value am I going to deliver today?" as opposed to "What wrong can I find today?" 
Write it down on a Post-it Note, stick it on your desk, make it your mantra, and make it part of your daily routine.</p><h2>2. Become a Collaborator and a Trusted Advisor</h2><p>Internal auditors should always practice being, and seeing ourselves as, trusted advisors. To achieve that level, we must collaborate more with our stakeholders and keep them informed along the way. We can't be quiet, and only communicate when it's audit time or when it's reporting time. We must be visible; only then will they see us as part of the team and not the opposition.</p><p>We have to put ourselves in the shoes of our stakeholders and see processes from their perspective. We need to continue striving for the day when our phones will ring off the hook because a manager needs our insight, for example, on a change in a process or a risk the business unit is experiencing.</p><h2>3. Remove the Biases</h2><p>Biases are what hurt internal auditors the most. When auditors have preconceived notions about a process, an experience with a manager, or a policy and procedure manual that's not written correctly, we begin to judge, even before the engagement starts.</p><p>Always be objective, while maintaining "professional skepticism." Any ounce of bias in our work will affect the results and will further paint us as the critic, as opposed to a teammate. There are great resources out there about truth, confirmation, and halo biases.</p><h2>4. Enjoy the Process. Have Fun!</h2><p>The internal audit profession is dynamic. If we don't evolve our mindset, then achieving our value proposition will be difficult.</p><p>The enjoyment of internal auditing is being analytical, asking questions, understanding the business, and demonstrating our enthusiasm to partner with our stakeholders. Serving and adding value brings satisfaction; helping others should be the ultimate goal. 
Starting with this as our foundation can help us build a strong and energetic activity, and it can create enjoyment out of what we do. That is how we should measure our success.<br></p><p style="text-align:justify;"><br></p><p style="text-align:justify;">Emilio Lui, CIA, is the senior internal auditor for a group of companies in Belize City, Belize.</p>Emilio Lui

