Your Voices



Building a Better Auditor: Why Stress Management Is Critical to Your Career a Better Auditor: Why Stress Management Is Critical to Your Career<p>​<a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">The Chartered Institute of Personnel and Development (CIPD)</a> (PDF) found that workplace stress is the No. 1 cause of long-term employee absence. Every job has its inevitable ups and downs, but constant stress could be having a serious and extremely detrimental effect on your mental health. In fact, those in high-stress jobs are at twice as much risk of developing depression or anxiety, the CIPD says.<br></p><p>The internal audit sector can be a particularly challenging environment in which to work, making effective stress management a key component in forging a successful career. Here are some tips on how to better manage your own stress levels as well as those of your team.</p><h2>Spot Your Stress</h2><p>Learning to recognize your stressors and the physical responses that manifest from these stressors is a great place to start. Catching stress and managing it before it becomes a bigger issue is always preferential to dealing with the problem once it's had time to impact you more deeply.</p><h2>Speak Out</h2><p>Share your experiences with someone close to you. Sharing your concerns with co-workers can help you realize that you're not alone. Many people will be feeling exactly the same way.</p><p>Creating a solid support network through these conversations will keep you connected, which in turn helps to provide a protective barrier for your emotional well-being. The more isolated you become, the more vulnerable you can become to the negative effects that stress can inflict upon you.</p><p>Many organizations will have internal services to support employee well-being. Seek these out. The first step is always the hardest, but it's an important investment in yourself that will pay dividends.</p><h2>Say "No"</h2><p>Chronic stress can be debilitating — detrimental not only to your health but also to your career. Learning when to say "no" is crucial to its management. Work toward identifying when enough is enough, set boundaries, and communicate these to your team.</p><p>And for managers, having the confidence to say "no" will encourage other members of your team to do the same. The result: a happier, more productive group of people.</p><p>The huge increase in numbers of those working from home has brought further challenges. The boundaries between work and personal time have become blurred, creating extra pressure and anxiety. Re-establishing these boundaries and saying "no" to work once your day is finished is essential in nurturing that positive work-life balance that we're all striving for.</p><h2>Get Active</h2><p>Aerobic exercise is another very effective way to lift your mood and to give your mind a new focal point. Just 30 minutes of activity each day has been shown to be highly effective at combatting stress. Make those 30 minutes a nonnegotiable part of your daily routine.</p><p>If a situation at work becomes overwhelming, take a short walk outside. Removing yourself from the situation can create clarity, helping make issues more manageable.</p><h2>Eat Right</h2><p>Nutrition is an often-overlooked way in which to reduce stress. Eating small, frequent, healthy, high-fiber meals (think fruit and vegetables) can help maintain our blood sugar at steady levels, shielding us from the effects of those dreaded mood swings.</p><p>A pint and cigarette might seem like the ultimate stress reducer, but both can have adverse effects on your mood. Nicotine is a powerful stimulant that can increase anxiety, and alcohol is a strong depressant.</p><p>Is coffee currently your go-to? This is fine in moderation, but it's worth noting that caffeine can also contribute to feelings of anxiety and depression. Switching to decaffeinated versions could be a good alternative if herbal teas aren't your thing.</p><h2>Practice Mindfulness</h2><p>You've probably heard of the term "mindfulness." Despite being practiced for centuries, mindfulness has only very recently become popular in Europe and North America as a way of managing stress and promoting well-being.</p><p>Mindfulness is a technique that involves making an effort to notice what is happening in the present moment and in accepting those feelings and sensations without judgment. Many people find practicing both meditation and mindfulness beneficial in reducing their levels of stress, anxiety, and depression. And the science now backs this up. Check out apps such as Calm and Headspace to get you started.</p><h2>Lead the Way</h2><p>According to an <a href="" data-feathr-click-track="true" target="_blank"><em>Economia</em> article</a>, 90% of people believe admitting to a mental health condition could damage their career prospects. Making steps toward a culture of nonjudgmental openness is the only way in which people will feel more comfortable talking about these sensitive issues.</p><p>Speaking out will encourage others to do the same. Raising awareness and promoting these tough conversations is essential — and potentially even life-saving.</p><p>And however you wish to go about managing your levels of stress, remember that even small changes can make a huge difference.</p><p><strong> </strong></p><p>Jamie Burbidge, LLB (Hons), is founder of Bickham Montgomery in London.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Jamie Burbidge0
Writing is Hard is Hard<p>You sit down at your desk, look at your computer, and breathe a heavy sigh knowing you are, once again, entering unto the breach, forced to complete one of the most naggingly mundane, while at the same time difficult, tasks in the business world. It's time to write something … again. You need to put together a memo or a report or an email or a note or a blog post (sorry, put myself in that last one) and, quite simply, your worn out from writing enough memos, reports, emails, notes, etc. to fill the Library of Alexandria. And if the same fate befell your collection as did the writings contained in that fabled library, you cannot imagine the same rending of garments over their destruction. In fact, you know you would be hard-pressed to find anyone who cared.</p><p>Well, I'm not going to convince you that every word you, me, or any other business person writes is worth the time and effort it would take to burn the papyrus upon which it is recorded. However, we live in a world and profession of communication. And, like it or not, the primary mode of such communication is the written word.</p><p>So what is a poor auditor to do, except for sing in a rock and roll band. (And, for the great majority of us, that ship has sailed.)</p><p>When faced with the blank screen (and in some instances, a blank mind) the first question should be "Is this communication really necessary?", followed in short order by question No. 2, "Is this the best way to communicate the information?"</p><p>We waste a lot of time writing emails, reports, memos, etc., sharing information that, when you get right down to it, ain't really all that important. It is just that the email, report, memo, etc., is our fallback approach. So, we fall back on it. And, even when something is worth communicating, falling back on the written word may not be the best approach.</p><p>One time an auditor was complaining that a client was not answering emails. My boss replied with a line that has been forever emblazoned in my memory: "Pick up the damn phone!" (Note that the boss was not the type to use such language, so the emblazonment was even more permanent.)</p><p>Lesson 1: Don't write just to write. </p><p>Lesson 2: Writing isn't always the best way to communicate.</p><p>And that leads to what may actually be the most important question/issue. Let's say the report/memo/email/note/blog post is something that must be written. There is something worth communicating and the best approach is through the written word. This leads to the next question: Are you approaching the task of written communication as another step in the process of getting your work done, or are you genuinely trying to communicate a critical thought, concept, or idea — something that must be shared as a key to success for the project, department, or organization?</p><p>Here is Tom Peters talking about presentations:<br></p><p><span class="ms-rteStyle-BQ">Never ever, ever, ever, give a presentation unless you are literally desperate to make your point.<br></span></p><p>Face it, written communication is a presentation. No, you're not literally orating in front of a crowd, but the reader is hearing what you have to say — a presentation of the mind. And, if you have decided (or it has been decided for you; yes, I know how these things go) that you will use written communication, then you must find the point you are "literally desperate to make."<br></p><p>You have to find the passion that underlies what you are going to write.<br></p><p>Is "Passion" a little too strong a word for you? Maybe "desperation" strikes you as a little melodramatic? Well, then how about something as simple as being engaged. Another quote, this one from Mary Ruefle from her strange little book <em>Madness, Rack, and Honey</em>:<br></p><p><span class="ms-rteStyle-BQ">Every time you write an unengaged letter, you are wasting another opportunity to be a writer.<br></span></p><p>Let's broaden that to fit our situation. Every time you write anything without engagement, you are wasting another opportunity to communicate and connect.</p><p>Finally, let's wrap this up in a neat, little bow with a quote from Joseph Conrad in the introduction to one of his novellas.</p><p><span class="ms-rteStyle-BQ">My task which I am trying to achieve is, by the power of the written word, to make you hear, to make you feel — it is, before all, to make you see. That — and no more, and it is everything.<br></span></p><p>Allow me one final modification to fit our situation. Our task, by the power of the written word, is to make you hear, make you feel, make you see, and to make you take action.</p><p>There is a mantra for every report, memo, email, note, and word you write as an internal auditor. (And maybe even a mantra for the occasional blog post.)<br></p>Mike Jacka0
10 Questions That Speak Volumes About Culture Questions That Speak Volumes About Culture<p>In a <em>Fast Company</em> article, <a href="" data-feathr-click-track="true" target="_blank">"10 Questions to Ask in a Job Interview That Will Really Expose a Company's Culture,"</a> author Karen Eber provides advice to those being interviewed for a new job. (And a quick note about this link. You do not have to subscribe to access it, but <em>Fast Company</em> does restrict the number of articles that can be viewed each month without a subscription.) The intent of the article is to provide interviewees with a different approach when confronted with the predictable/inevitable/dreaded line, "What questions do you have for us?"</p><p>Often, trying to actually learn a little about the department and the organization, the interviewee might ask, "What is the culture here?"</p><p>It is an important question that every job seeker should care about. But worded that way in that situation, it is a time waster, a bit of puffery that will provide no real information. No interviewer will answer that the culture is toxic, or numbing, or devoid of life, or advise the candidate to run away before it is too late. Instead, the response will be filled with blather, pontification, and assorted platitudes about what a wonderful place it is to work, followed by cliches derived from corporate and departmental vision and mission statements.</p><p>To get better answers, better questions need to be asked. To quote the article:<br></p><p><span class="ms-rteStyle-BQ">If you want to get a sense of the story of the leader and team's culture, use detailed questions. You will get a much better sense based on the responses, especially if the leader struggles to think of what to say. If you are a manager, prepare to answer detailed questions that illustrate your team's culture. </span></p><p>The article provides 10 questions that are a bit unexpected. Slightly aggressive (in a good way), they are constructed to dig deeper for answers that will speak volumes about the organization, department, and culture.</p><p>But I didn't call you here to provide questions to ask as you are being interviewed or to prepare you for the interviewee that is armed with these questions. (Not that either of these would be a bad thing.) Instead, I want to talk about the culture within your department.</p><p>There are a lot of things developing, visionary, and/or innovative internal audit departments want to accomplish. And this is a good thing. It is only by reaching beyond the mediocre and even the good that the profession will get better. But I have seen and talked with audit shops that say the words and audit leaders who think they are trying to achieve what the words mean. But nothing is accomplished; there is no forward movement, and leadership can't understand it. They think they really want change and think they are saying all the right things and think they are doing the right things. But it just doesn't take off.</p><p>In various presentations, I have a slide that says, simply, "Culture: Trust, Honesty, Openness, Freedom." The point: without a culture based on trust within the department, honesty among everyone, openness about what is going right and wrong, and the freedom of members to express themselves, any plans for creativity, innovation, entrepreneurship, leadership, and positive change will fall like seeds scattered on rocky ground. Leaders who cannot understand why change is not occurring need to take an honest look at the rocky culture on which they are trying to scatter the seeds.</p><p>The questions in this article provide a start — a very good start — in examining the culture that is allowing or inhibiting the change that is necessary for success. Let's take a look at a couple of the questions and what the answers might say.</p><p><strong>Tell me someone you are proud of.</strong> This single question will tell you audit leadership's priorities. Is the individual someone who has come up with new ideas? Is it someone who is an informal leader within the department? Is it someone the leader developed into greater positions within the organization? Any of these responses shows a focus on development of the department and/or the employees. However, if the individual is someone who always got his or her work done on time, completed all required audit documentation, or did not argue with organizational leadership during meetings (and I saw that one up close and personal) then the focus is not on getting better, but only filling in the blanks and getting work done. Laudable indeed, but not a department striving to become better.</p><p><strong>How do you focus on your own growth and development?</strong> As people reach higher and higher levels within an organization, there is a tendency for the focus on personal growth and development to wane. This question will reveal if the department is serious about lifelong learning, a foundational principle to any success. The focus on growth and development should be seen at all levels. And no matter how many years of experience the chief audit executive, vice president, associate vice presidents, directors, etc. have, they should still be striving to learn more. (Note: You're never too old to get the Certified Internal Auditor designation.)</p><p><strong>How did you start your last team meeting?</strong> Actually, let me change that one. What do your team meetings look like? Are they organized? Do you have an agenda? Do you have an objective? Are you holding them just to hold them? Are you the talking head? Is anyone besides you actually excited about the meeting? Are you even excited about the meeting? We all know meetings are a No. 1 time-waster. Yet, done correctly, they are integral to success. If the proper emphasis is not put on something as fundamental as holding effective meetings, it cannot be expected that the proper emphasis will be placed on any other operations within the department.</p><p>So, there's three of them — a taste. Go review the article and take a look at the questions, including what they might mean for your department. If you are a leader, ask yourself these questions. And, if you have the guts, share the answers with your team. (After all, you're a leader, so such bravery should come easily.) If you are not in a leadership position, still ask yourself these questions. And, if you have the opportunity, ask them of the leaders. And no matter what position you are in, evaluate the answers and determine what kind of culture exists within the department.</p><p>This is not a trivial exercise. Because, when the answers come in and the analysis is done and you step back and see what you have, you will know if you actually have a team or just a bunch of auditors doing nothing more than the work.<br></p>Mike Jacka0
On the Frontlines: Jedi ERM the Frontlines: Jedi ERM<p>​Internal auditors are, in essence, the Jedi of their organizations. Auditors, like Jedi, are dispatched throughout the galaxy of organizations with our audit plan to guide us in solving complex problems. The Jedi approach their missions in the same way auditors execute projects. Take the three phases of an audit:</p><ul><li><em>Planning</em>. A Jedi has to learn about an issue to identify problems and determine their root causes.</li><li><em>Fieldwork</em>. A Jedi must execute on what he or she has learned and gather evidence on reportable observations.</li><li><em>Reporting</em>. A Jedi must recommend solutions for high-risk issues, which if implemented may help the organization achieve objectives. (Hopefully, it doesn't come to aggressive negotiations.)</li></ul><p><br></p><p>If we are doing well in all of these phases, we earn the moniker of trusted advisor, aka Jedi master. Audit teams, like the Jedi, are independent business partners with a unique reporting structure. Internal audit is typically the only department to report directly to a committee of the board. (Tell me Jedi Council meetings do bear a striking similarity to audit committee meetings.)</p><p>One of the other vital services internal audit provides is relevant and valuable advice based on their risk assessments. And just like the Jedi using the force, auditors must constantly be aware of the ever-changing business and social landscapes to identify and evaluate current and future risks.</p><p>It is kind of ironic then that the Jedi were not more like internal auditors as they were awful at assessing risk. Had the Jedi allocated some resources to enterprise risk management or internal audit, maybe even included some books from The IIA bookstore in their vast library, they'd have detected and prevented the ultimate fraudster from becoming Emperor of the Galaxy.</p><p>Sith Lords turned out not to be the Jedi's specialty as Obi-Wan Kenobi once stated while standing a few feet away from the very Sith Lord, Palpatine, who not too long after directly caused the end of the Jedi Order as it was constituted. The Jedi completely ignored the risks posed by events transpiring throughout the three prequel movies, which led to inadequately addressing the issue of a Sith Lord being the leader of their governing body until it was far too late.</p><p>The Jedi's response was to ignore most red flags leading up to Sith Lord Palpatine's big reveal, despite having many, many years after first learning of the threat from Darth Maul's shenanigans. Imagine inadequately assessing your most significant risk for a decade. The Jedi were like the modern-day Blockbuster, which ignored the risk of emerging technologies of streaming services and then reacting far too late to survive in a meaningful way. Now, like the Jedi, there is the last Blockbuster out there.<br></p><div style="text-align:left;"></div><p style="text-align:left;"><span class="ms-rteStyle-BQ">"For over a thousand generations, the Jedi Knights were the guardians of peace and justice in the Old Republic. Before the dark times. Before the Empire." <span style="font-size:inherit;">― Obi-Wan Kenobi</span></span></p><p><br></p><p>Even organizations with the best of intentions must remain focused on identifying and adequately evaluating risks. Perhaps some additional due diligence would've been merited on the clone army that suddenly sprung up at a very convenient time for some needed mergers and acquisitions. The Jedi then went on and exceeded their objective as peacekeepers and became combat generals to an army of clones. Ethically questionable actions at best, and definitely outside any approved audit charter.<br></p><p style="text-align:left;"><span class="ms-rteStyle-BQ">"Who's the more foolish? The fool or the fool who follows him?" — <span style="font-size:inherit;">Obi-Wan Kenobi when asked for comment on the importance of proactive risk assessment.</span></span></p><p><br></p><p>There was no way Yoda was fostering a healthy corporate culture. He is the epitome of a micromanager. One day into training, he was already riding on Luke Skywalker's back and barking instructions at him. There's no way that method of teaching equates to a Jedi Academy having a winning formula for company culture. These are not the actions of an agency that takes risk management seriously.<br></p><p>Internal audit should be mindful of maintaining their independence while still seizing opportunities to provide objective and relevant insights to our business partners and stakeholders. And most importantly, it should be a champion for good culture and good governance while being mindful of staying within the scope of its audit charter. These are definitely lessons that even Jedi masters could learn from auditors.<br></p><p><br></p><p>Jason Stepnoski, CPA, CISA, CFE, is internal audit manager at VSP Global in Sacremento, Calif.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true"><em>here</em></a><em> to learn how to contribute a blog post.</em></p>Jason Stepnoski0
Man Eats Car Eats Car<p>In her book<em> Writing Down the Bones</em>, Natalie Goldberg provides tips and insights about writing. Note that Goldberg's book is about creative writing, not that boring business stuff we all have to live through. Nonetheless, there are insights that can help any internal auditor.</p><p>At one point she tells a story based on an article she did not read. Instead, she was told the story by someone else. (Dear internal auditors, this is not the time to raise issues of hearsay evidence or question the veracity of the story; just go along for the ride.) It was the story of how a yogi in India, over one year, ate a car. Of course, like Goldberg, we all have a lot of questions around this one. Did he drink the gasoline? Did he gain weight? How did his teeth fare? Was it served barbecued, sauteed, or broiled? And, ultimately, Why? Unfortunately, details were not forthcoming — to us or to Goldberg.</p><p>Subsequent to hearing the story, she shared it with a group of third-graders. There was general confusion from the group and noises that conveyed the group's disgust. But one student (as Goldberg put it "who will be my friend forever") burst out laughing. She joined in, writing, "It was fantastic! A man had eaten a car! Right from the beginning there is no logic in it. It is absurd."</p><p>Both the student and Goldberg embraced that absurdity. They let their minds wrap around it. They let the story nestle and roost. And then they let themselves succumb to the joy and inventiveness of something that made no sense, whatsoever.</p><p>Bear with me as I tell another story; this one is mine. Not quite as absurd as eating a car, but …</p><p>For a number of years — a large number of years — I have owned a succession of Goofy watches. One wears out, I buy another. Now, the mere presence of Goofy on a watch would be reason enough for the purchase. But the long-time devotion comes from another fact.</p><p>It is backwards. The hands run backwards, the numbers progress backwards, the numbers themselves are backwards (e.g., 12 is 21, and each numeral is a mirror image that my keyboard lacks the ability to reproduce), and even Goofy's name is backwards. It takes getting used to but, with a little practice, you can tell time — and tell it just as quickly as on a regular watch.</p><p>A manager working for me noticed the watch and just stared at me for a while. He then asked the question that sometimes comes up in these situations. "Why?" Many years' experience taught me the correct response. "If you have to ask, then you'll never understand."</p><p>There is no logic to either of these stories. Oh, maybe there is if you work hard enough. But that isn't the work we want to put in at this particular moment; we don't need to worry about logic. </p><p>What matters is that we allow ourselves to wrap our minds around the absurdity — seeing things differently, experiencing things differently, making our minds work differently. And from those sights, experiences, and work, allow our brains to have new perspectives. And from those new perspectives, allow ourselves to discover new ideas and innovations that will help internal audit be an important part of the upcoming post-pandemic world.</p><p>Warning. If you think things got weird going into the pandemic, wait until you see what happens as we exit it. You see, we're not going back to "normal." That is, the world is not going back to whatever we think/thought normal was. So internal audit can't afford to look backward to a normal that will not exist. </p><p>There is no normal anymore. The past year has forced everyone to come to a new understanding of what work is and how it is conducted. And internal auditors have to be right there in the middle of it, coming up with a new understanding of our work and how it is conducted. If we think the same old processes and the same old risks and the same old meetings and the same old tests and the same old reports and the same old anything we did a little over a year ago will work for 2021 and beyond, then we are in for a rude awaking.</p><p>We had to reimagine the profession in 2020 — just as the world around us was reimagined. And now there is a whole new set of reimaginings we will have to develop.</p><p>If you want to help ensure you, your organization, and your department are a part of that reimagining/that future/that world that we can't even figure out yet, then you have to embrace the absurd. You have to be willing to see the chances that need to be taken and you have to believe in things you never thought were possible.</p><p>Why eat a car? Why wear a Goofy watch? Why learn about robotic process automatio/artificial intelligence/business process management? Why focus on cyber? Why do strategic audits? Why do consulting? Why continue to do so many financial audits? Why do so much Sarbanes-Oxley work? Why issue reports? Why not be the control? Why anything? Why everything?</p><p>I've got answers for some of these. But my answers don't matter. What matters is that you are willing to ask and explore and embrace the absurdity that can come from such questioning. Understanding and accepting the absurd allows us to understand and accept the unusual, allows us to see things differently, and allows us to innovate.</p><p>And that's the way we survive.<br></p>Mike Jacka0
#IAm Joe Byer Joe Byer<p>​Life doesn't always go according to plan. Without a doubt, 2020 was one of the strangest and most challenging years of my life. I never thought I would see people hoarding toilet paper or hear the phase, "Sorry, I was on mute," dozens of times.</p><p>In March, I started working from home and tried to balance glitchy video software, helping my daughter with math, and taking master of business administration (MBA) classes in the evenings. Besides working from home and home schooling, our vacation plans were cancelled twice, and I missed my grandparents' 65th wedding anniversary. All of this resulted in a stressful year, to say the least.</p><p>Any change brings a degree of stress and anxiety because of uncertainty about the future. Think about these events: changing jobs, moving to a new city, and having a baby. All of these changes involve a major life event — although hopefully for the better.</p><p>However, change that is forced upon us is different. We didn't choose COVID-19, and we didn't think it was for the better. This was stressful and anxiety-producing for many people, while others felt isolated, lonely, and just plain bored from being stuck at home.</p><p>However, after several months of working from home, it started to feel somewhat normal. We all adapted to the new situation.</p><p>My wife and I worked together to get our daughter through the remainder of second grade. We talked and changed our plans to the new circumstances. In the fall, we decided that my wife would quit her job of 13 years to stay home with our daughter for the rest of third grade. My wife would be a stay-at-home mom and homeschool teacher. This was not our plan; COVID-19 changed that.</p><p>In August, I graduated with my MBA. I spent three years taking night classes. During that time, I studied every night and most weekends, but because of COVID-19, I was unable to attend my graduation ceremony. Instead, I received my diploma unceremoniously in the mail.<br></p><p><span class="ms-rteStyle-BQ">"It is not what happens to you, but how you react to it that matters." — Epictetus</span></p><p>I tried to look at the facts of our predicament and leave my value judgments behind. I could have mulled over the fact that I couldn't eat out, there was nothing to do, and how horrible I thought the situation was. Instead, I looked at the facts: I couldn't go to the office, and we were all at home together for the unforeseeable future. I tried to find the silver lining of the unusual circumstances. There was nothing I could do to change our situation, so I changed myself.</p><p>One positive aspect of working from home was I no longer had a commute. This freed up an hour per day. So in the mornings, I started walking in our neighborhood. Then I started walking at the local nature sanctuary. This allowed me to be outside and get some exercise — how wonderful!</p><p>I later started volunteering at the nature sanctuary on the weekends. I helped with a controlled burn of invasive plants, made birdhouses, and spread wood chips on the trails.</p><p>After I graduated in August, I had more time in the evenings to spend with my family. We cooked dinner every night and played board games, and I read stories to my daughter. I also had more time to practice my guitar, which is something I love to do. Then for Christmas, we got a Goldendoodle puppy. Her name is Sunny, and she is the cutest dog I have ever seen!<br></p><p><span class="ms-rteStyle-BQ">"Some things are in our control and others are not." — Epictetus</span></p><p>Looking back on 2020, almost nothing went according to plan. However, it was not a wasted year. We had challenges for sure, but through those challenges I found an inner resilience I did not know I had.<br></p><p>I realized there are some things that are out of my control. Call it fate or God or what have you, but we are just along for the ride. I can either fight it and get frustrated, or I can accept what happens to me with a good attitude and embrace it. I can only control how I respond to a situation, and that is what matters.</p><p>This is what I learned in 2020. I am proud that I was able to approach life joyfully regardless of what happened last year.</p><p>I am looking forward to life getting somewhat back to normal this summer and spending quality time with friends and family. I am looking forward to taking a much-needed vacation. I plan on going to Colorado, Chicago, and northern Michigan to see my grandparents and wish them a happy 66th anniversary.<br></p><p><span class="ms-rteStyle-BQ">"You have power over your mind, not outside events. Realize this and you will find strength." — Marcus Aurelius</span></p><p> </p><p>Joe Byer, CIA, is operational risk and controls consultant II at Truist Financial in Kansas City, Mo.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Joe Byer0
Building a Better Auditor: Learn to Serve a Better Auditor: Learn to Serve<p>​I was on a film set working with my directing hero, Tracy Trost (<a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;"><em>A Christmas Snow</em>,</a> <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;"><em>The Lamp</em></a>) when I discovered a key to great leadership. I was in awe of Tracy. We met for the first time in a hotel lobby at a film festival. I'd had a late night on set and scurried downstairs with my hair wet and no makeup on in desperate search of coffee when I heard my name. I was instantly frozen to the floor. </p><p>"That's Tracy Trost!" my brain raced. "Tracy Trost knows my name!" My heart leaped, then sank. "Tracy Trost has seen me in my most bedraggled state and he'll never cast me." </p><p>Fortunately, Tracy overlooked that day's lack of poise, and I have since been fortunate to act in two films and two national commercials under his direction. Film sets have possibly the most hierarchical structure in the business world. On a set, the director is king, czar, and emperor.</p><p>During lunchtime on set, I noticed Tracy hauling a large trash bag to the curb. I hurried over. As talent, I wasn't supposed to touch trash either, especially in costume, but I couldn't let the director do such a menial task.</p><p>"Here, let me do that!" I offered. Tracy ignored me and finished the job. I stared in shock. "You shouldn't be hauling trash; you're the director," I stuttered. </p><p>Tracy smiled and asked, "Jami, who's the greatest in the kingdom?" Stunned by his question, I slowly replied, "The servant."</p><p>Another role model, Charlie Wright, senior vice chairman of The IIA's Global Board of Directors, surprised me with his servant mindset. As a newer chapter leader, I invited him to come speak at a local IIA chapter meeting. He graciously accepted. What I remember most about his presentation was that this brilliant and dynamic leader focused his presentation not on his own innumerable successes but on the importance of living a life of integrity and serving others. </p><p>All of the great leaders I've known have had a common trait: They were first and foremost servants. They weren't focused on status, feeding their egos, or earning credit. Instead, they devoted their efforts to making the organization better and improving the lives of those around them.</p><p>This principle is especially true in audit leadership. The role of an auditor is to add value (serve) by helping management achieve its strategic objectives.</p><p>I've found that aspiring leaders often have all the requisite knowledge and skills, but their focus isn't in the right place. A leader is rarely made out of talent alone. It's how they use their talent that sets them apart.</p><p>In my experience, the best opportunities have come when I was simply focused on meeting others' needs. For example, I love serving as a district representative (DR) on The IIA's North American Chapter Relations Committee and count it among the best experiences of my career. I didn't start out my volunteer path with that leadership goal in mind. I started volunteering because I saw a need in my local chapter, and those years of serving as a chapter leader led to getting to serve even more people as a DR.   </p><p>While it's critical to set goals, such as achieving that next level of management, it's equally important to understand the motivation behind that goal. If I want to be promoted for the sole purpose of earning a better title, higher pay grade, or more respect, I'm doomed to fail. A great audit leader wants that next role to have increased influence and be better able to serve the organization.  </p><p>Leadership is far from glamorous. Sometimes it's hauling trash to the curb. Sometimes it's working until 8 p.m. so the rest of the team can go home. Sometimes it's having that hard conversation with senior management by pointing out a significant unmitigated risk. Sometimes it's not taking credit for a great idea, but being satisfied because positive change is occurring.</p><p>If you aspire to a higher role in your audit department, it's essential to demonstrate a commitment to growth, develop technical and soft skills, and discuss your goals with your supervisor. But above all, it's essential to commit to serving.</p><p>A chief audit executive will be impressed with a technically savvy auditor, but an auditor who constantly offers to help wherever needed — and follows through — is invaluable. As you demonstrate your commitment to supporting your audit leadership and the organization, the promotions will naturally follow.</p><p>I encourage you to take that first step today. Find a need in your organization, and offer assistance. As you shift your focus to meeting the needs of others, your influence will grow, and amazing opportunities will come to you.</p><p> </p><p>Jami Shine, CIA, CRMA, CISA, CRISC, is the corporate and IT audit manager for QuikTrip Corp. in Tulsa, Okla. </p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Jami Shine0
What We Forget We Forget<p>​A long time ago in an audit universe far, far away, I was having a conversation with a fellow audit manager. We were in one of those "in my day" type conversations that included "these kids today." (And to add a bit of irony to the story, my hair was nowhere near as white as it is now, the wrinkles were not as deeply etched, and, in general, I look back at myself and think, "What was that young whipper-snapper thinking?" Anyway…)</p><p>The main focus of our lamentations regarded how little the auditors working for us knew about internal audit, the industry, and our company. We kvetched for quite a while until one of us suddenly stopped and provided this bit of blindingly obvious insight. "Do you know why we know so much more than they do? Because we've been at this a lot longer than they have; they don't have the 10/15/20 years of experience we have. Why do we expect them to know as much as we know after just a few years?" And with that, we paused and contemplated our temerity. And then, well, I don't remember for sure, but I'm willing to bet we started complaining about something else.</p><p>OK, probably not the exact words that were spoken, but whatever was said similarly expressed the realization that we had been given a lot more time to become the "experts" we seemed to think we were.</p><p>Here is the quick, easy, actually-get-to-the-point-earlier-than-later-like-I-usually-do point of all this. The more experience you have, the more likely you are to forget how little you used to know. And the more you assume that others know what you know.</p><p>Recently, I read this quote from Leita Hart-Fanta, founder at <a href="" rel="nofollow" data-feathr-click-track="true" style="background-color:#ffffff;"></a>:<br></p><p><span class="ms-rteStyle-BQ">"I often hear audit leaders complain that the staff is not using their brain. And that is simply not true; they are just using their brain to get on top of the basics of how an audit works."</span></p><p>Nailed it.</p><p>It is far too easy for any of us with any experience to forget what it is like getting started — the learning, the time commitment, and the struggle. And, as we all know, just when you think you know something, there's always more to learn.</p><p>And, as a bit of lagniappe, there is an even bigger picture to all this. Here's Seth Godin talking to Tom Peters about extreme humanism:</p><p><span class="ms-rteStyle-BQ">"It … is about realizing that people do not know what you know. They don't want what you want. They don't even see what you see, and that's OK. Because if we are not willing to go where they are, it's naïve to think that they're willing to come to us."</span></p><p>We have to understand that others do not know what we know. For the new internal auditor, our experience in the profession and the organization outstrips the knowledge they are only beginning to gather. For the client, our understanding of the role, benefits, and value internal audit can provide may be an aspect of the profession they have never seen. And for any human being with which we interact, the life we have led will not match the life they have lived, our knowledge will not match their knowledge, and our experience will not match their experience.</p><p>Accordingly, we cannot expect the new auditor, the client, or any other human being to come running to us, begging for our understanding, unless we are willing to come to them, both parties recognizing that each has a piece of the bigger picture that will lead to unexpected solutions.</p><p>Be willing to be patient, be willing to train, and be willing to learn.</p><p>And be willing to remove yourself from whatever lofty position of knowledge, power, and empowerment you feel you are due.<br></p>Mike Jacka0
On the Frontlines: The Information-gathering Phase of Engagements the Frontlines: The Information-gathering Phase of Engagements<p>​A preliminary survey, or process understanding, is usually the first phase of audit field work after completing the engagement planning stage. At this step in the audit's information-gathering phase, internal auditors are primarily collecting background information on the client's operations. During this time, auditors also will obtain the data they will rely on for performing tests and corroborating observations based on the evidence they derive from it.<br></p><p>Auditors may use several tools and techniques to gather data and information during the preliminary survey such as questionnaires, checklists, focus groups, and walkthroughs. Personal interviews are by far my favorite method.</p><p>There are two different types of interviews: structured and unstructured. A structured interview is similar to a questionnaire because auditors use the same set of predetermined questions, each of which has a corresponding set of predetermined answers for the interviewee to select from.</p><p>On the other hand, an unstructured interview flows more freely, with more of an emphasis on open-ended questions. This enables the interviewee to provide a narrative, which, depending on the auditors' perspective, can draw the engagement in a completely different light. In addition, unstructured interviews allow auditors to ask the interviewee to elaborate on his or her responses and to explore areas that may be of interest.</p><p>One of the most significant advantages of an unstructured interview is that it allows auditors to identify and explore the differences that occur between what is documented and what is being done in real life. For example, while the organization's policies and procedures state that a certain transaction must occur in a specific way, the employees may have determined a more effective approach to processing the transaction.</p><p>A precise and effective preliminary survey can set a positive and productive tone for the audit as a whole by accomplishing several objectives:</p><ul><li>Establishing the auditor's persona and the rapport he or she will have with the audit client for the duration of the engagement.</li><li>Ensuring that the auditor is viewed as an ally and a consultant rather than as an adversary.</li><li>Identifying the areas where the auditor should dedicate more focus and time, which may be apparent to the shrewd auditor.</li><li>Allowing the audit client to express feedback about the audit area performance and control environment. The client also should be able to voice the opportunities and threats that it identifies, because as the process owner, the client is best situated to recognize value-generating opportunities.</li></ul><p><br></p><p>All of these objectives emphasize the importance of the auditor's interpersonal skills, such as relationship building with audit clients and process owners, fostering the collaborative and consultative relationship, and emphasizing the partnership connection with stakeholders. All of these can be achieved through effective communication skills, which are consistently ranked among the most desired skills for internal auditors. Auditors also need a continuous learning attitude that is ideally a trademark of the audit department.</p><p>Internal auditors can develop and improve these skills by working on building emotional intelligence. Successful internal auditors are able to relate to and create rapport with the process owner by using their communication skills to obtain the necessary information. When asking open-ended questions during unstructured interviews, auditors should take on the extra burden of ensuring respondents are replying to the questions completely and accurately, as well as documenting and analyzing the unstructured data they obtain.</p><p>Conducting the preliminary survey effectively and comprehensively, and establishing a positive collaborative and consultative relationship with the audit client can ensure that the audit proceeds smoothly and generates the most value.<br></p><p><br></p><p>Hassan Khayal, CIA, CRMA, is an internal auditor based in the United Arab Emirates and a 2020 <em>Internal Auditor</em> Emerging Leader.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p><p><i>To a view <em>Portuguese</em> translation of this blog post, click <a href="/blogs/Your-Voices-Portuguese/2021/Pages/Nas-Linhas-de-Frente-A-Fase-de-Coleta-de-Informacoes-do-Trabalho.aspx" data-feathr-click-track="true">here</a>. </i></p>Hassan Khayal0
I Want You to Want Me Want You to Want Me<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p style="text-align:left;"><em>I want you to want me. </em><em>I need you to need me.<br></em><em>I'd love you to love me. </em><em>I'm beggin' you to beg me.</em></p><p style="text-align:left;">"I Want You to Want Me" — Rick Nielsen, Cheap Trick</p></blockquote><p><br></p><p>A couple of posts ago, I referenced a <a href="" data-feathr-click-track="true" target="_blank">blog post by Seth Godin</a> in which he used a matrix to help determine the positioning of a product or service with its customers. One axis was price, the other was a continuum from "want" to "need." Based on Godin's descriptions, <a href="/blogs/jacka/2021/Pages/Is-internal-Audit-a-Want-or-a-Need.aspx" data-feathr-click-track="true">I went on to discuss</a> the need for internal auditors to understand how our services are positioned — the price our clients are willing to pay for our service, whether that service is a want or a need, and the impact these understandings have on how we market ourselves.</p><p>Apparently, the concept of "want" versus "need" raised a few professional eyebrows. One commenter on stated, "I question why 'want and need' are on a continuum. Can't we want and need something simultaneously? Should they really be in opposite directions?" </p><p>Responders on LinkedIn were more succinct. "Same being needed and wanted" and "Both want and need." Even one person who agreed with me seem to feel the distinction was not warranted: "Agreed. Internal audit must be needed and wanted."</p><p>There is an important difference between want and need. And comprehending that difference will help internal auditors understand how they are perceived within the organization, their place in the organization, and how they can best market themselves and grow within the organization.</p><p>Let's start with the concept of need.<br></p><p>A need is a requirement — a necessity that occurs because something is essential or very important. For example, oxygen is a need. It is essential to life and very important to the pursuit of happiness.</p><p>For internal audit, the most basic type of need is when our clients need us because regulations require us. And, for some clients, that is it; they have satisfied the need and they have no further use for the department.</p><p>But there is another aspect of need related to internal audit, one most of us in the profession recognize and one that is recognized by many of our clients. Organizations need an effective internal audit department as a fundamental part of a strong governance structure. An effective internal audit department is essential and very important to the successful achievement of organizational objectives.</p><p>And this is where all that marketing starts to come in. We have to ensure our clients understand that need. We have to market ourselves so that our clients understand we are not just a regulatory nuisance, but a basic requirement and essential component needed to help ensure success.<br></p><p>Which then leads us to the concept of "want."<br></p><p>A want is a desire, wish, demand, or craving for something. Of course, if I need oxygen, then I also want oxygen. But the concept of want goes beyond requirement. I need/require oxygen; I want oxygen that doesn't smell like it just came from a sewer.</p><p>In the internal audit world, when clients want our services, it means they have gone beyond just needing us. If we are merely a need, anyone can provide the same service we provide. However, as a want, then the client sees the internal audit department as the best provider of that service. There is nothing and no one else that can provide the same value — no one but the internal audit department.</p><p>Take a close look at why your clients have an internal audit department. Is it only because of the regulations? Or does the client understand the broader picture that it needs internal audit to help ensure a strong governance structure and increased assurance that objectives are being met?</p><p>Or, best of all, are you on the far end of the continuum? Have you marketed yourself, provided value, and scored successes to the point where you have developed raving fans who want you?<br></p><p>It is that far end of the continuum where we all want to reside — the position where it doesn't matter if the client needs us or not.</p><p>They want us.<br></p>Mike Jacka0
Building a Better Auditor: Why There’s Never Been a Better Time to Elevate Internal Audit’s Influence a Better Auditor: Why There’s Never Been a Better Time to Elevate Internal Audit’s Influence<p>​Internal audit stands at a critical juncture. The disruption of the past year has created an opportunity for the profession to evolve and position for an increasingly influential role. Several factors make this a pivotal time to equip auditors with the skills and technologies to anticipate and manage new and emerging risks — and significantly contribute to the decisions and success of their businesses in a rapidly changing world.</p><h2>1. Risk Can Be a Performance Enabler — When Internal Audit Gets Involved</h2><p>The expanding risk landscape creates a growing opportunity for internal audit to reach further. The uncertainty of the past year is expected to persist, as 81% of 5,000 audit and risk professional respondents say risk will continue to be dynamic and unpredictable in 2021, according to an AuditBoard survey.</p><p>The realities of a fast-shifting workplace also have driven necessary underlying change. The pandemic has accelerated digital transformation and the use of cloud technologies, which have pushed companies to be creative, innovate, and disrupt existing ways of doing business.</p><p>As cloud technology makes risks more measurable and tangible, organizations will be better able to determine an accurate upside for risk and encourage a healthy risk appetite that balances risks and rewards. To take advantage of the new possibilities and changes related to cloud technology, internal audit will need to get creative. Auditors should no longer just provide assurance over the typical audit universe, but also learn new technologies, understand enabling innovation, and be the organization's eyes and ears to identify risks and trends.</p><h2>2. Growing Cloud Technology Adoption Boosts Agility, Productivity, and Collaboration </h2><p>Cloud technology brings expanded capabilities for internal audit departments, increasing collaboration within internal audit and across the organization, streamlining communication, and boosting productivity. It is anticipated that internal audit's ongoing digital transformation will rapidly accelerate in 2021 as auditors embrace the opportunity and efficiency that cloud-based solutions offer.</p><p>Twenty-two percent of audit teams plan to implement cloud-based technology in 2021, according to a report by the Internal Audit Foundation (IAF) and AuditBoard, <a href="" data-feathr-click-track="true" target="_blank">Internal Audit's Digital Transformation Imperative</a>. Other recent IIA research has found that current cloud adoption in internal audit is just 20% of the market. So while the accelerated adoption in 2021 is a major step forward, this adoption rate still puts internal audit behind other enterprise functions like IT, which is projected to hit a 59% cloud adoption rate in 2021, according to an <a href="" data-feathr-click-track="true" target="_blank">IDG survey</a>.</p><p>As we approach a post-pandemic world, the IAF/AuditBoard report indicates that audit leaders are moving to the cloud to help them better navigate the complex risk environment, stay on top of expanding regulatory requirements, and enable much improved collaboration across their distributed workforces.         </p><h2>3. It's Never Been Easier to Build a Modern Audit Skill Set</h2><p>Empowering the internal audit function to streamline and automate processes leveraging modern technology is a critical step in advancing internal audit maturity, but it's not enough to drive the kind of change that's possible in today's environment. The audit team and individual practitioners must develop modern audit skills to maximize influence and potential. Understanding the fundamentals of audit management, risk management, agile practices, data analytics, and IT systems is becoming foundational, especially as more business processes are integrated with the cloud.</p><p>As big data increases in importance for today's organizations, internal auditors must know what makes the business tick to provide assurance over big data concerns, including significant related risks. The current wave of digital transformation is creating an ever-greater need for reliable assurance within the IT space. The ability to gather, understand, and analyze data is a critical driver of organizational success. Now is an opportune time for internal auditors to grow their skills and knowledge in key areas to contribute in greater ways to the performance, compliance, and resilience needs of the organization.</p><h2>4. A Plethora of Resources Are Available, Including the Elevate Scholarship</h2><p>Internal auditors have more opportunities than ever to access information and grow skills. <a href="" data-feathr-click-track="true" target="_blank">The IIA's training resources</a> are second to none and provide a wealth of topics and tracks to help practitioners pursue growth in any area of interest.</p><p>There's also a unique scholarship program in place to help auditors in need. The IIA and AuditBoard have partnered to offer the <a href="" data-feathr-click-track="true" target="_blank">Elevate Internal Audit Scholarship</a>, which provides the means for internal auditors to develop the next-generation skills to meet the challenges of the dynamic risk environment ahead. The program provides access to cutting-edge training and professional certifications for internal auditors who have experienced a layoff or furlough due to the economic pressures of the past year.<br></p><p>One scholarship recipient, Curtis Clapham, improved his skills with the Elevate Scholarship custom curriculum on his way to secure his current role as an audit manager at Visa. "The Elevate Scholarship program offered me the opportunity to revisit previously examined topics, such as ethical behavior, and exposed me to new areas, including auditing culture, during my transition from one role to the next," Clapham says. "The program provided true professional development — a spectacular learning opportunity designed to keep audit professionals on-point." </p><p>Today's internal audit career requires addressing globally relevant, emerging risks from an organizational perspective while applying modern technology to enable enhanced processes, insights, and collaboration. As audit teams increasingly embrace cloud technology to streamline and automate their operations, it's also crucial to invest in corresponding skills for individual team members. When auditors are given the resources and opportunity to position themselves with the skills they need to stay current, they'll be prepared not just to identify risk impacts, but also potential opportunities to help their organizations grow and succeed in a rapidly changing environment.</p><p> </p><p>John Reese is chief marketing officer at AuditBoard based in Cerritos, Calif.</p><p> <em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>John Reese0
Micro-measuring Success Success<p>​<span style="color:#777777;">Bo</span><span style="color:#777777;">y, did I just judge a book by its cover, or rather, misunderstand an article based on the title. The article was </span><a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">"Want Audit Analytics on Every Audit?"</a><span style="color:#777777;"> </span><span style="color:#777777;">and, if you are interested, you can follow the link. It won't really have anything to do with what is to follow, but more knowledge is always better than less.</span></p><p style="color:#777777;">I dove into the article prepared to go ballistic — prepared to take up arms against a sea of troubles and wrongheadedness — because of my suppositions. I thought it was going to discuss internal measures of success — how to build metrics in every single audit to prove the success or failure of the department, the audit, and the auditor. Instead, I found that the article is about the practice of using analytic tools — CAATs, data analytics, etc. — in every internal audit. Note that this can be a good thing.<br></p><p style="color:#777777;">So, why did I have this knee-jerk, neutron bomb reaction to what I thought the article was about? It all comes from my deep-seated belief that internal audit has an obsession with measuring itself that borders on the psychotic. And I don't think the morass of measurements most of us live with is effective. What I expected, and what was driving my unwarranted anger, was an article that would be on the wrong side of two of my pet peeves — how metrics are used and the fool's game that is objective measures of success.</p><p style="color:#777777;">Issue No. 1: Internal audit's fatal flaw is that too many of us measure for no other purpose than to measure; we don't measure to improve. I'm sure most of you have measures of success, key performance indicators, or metrics that provide information on where the department has been and where it is. </p><p style="color:#777777;">But how often are those actually used to show where the department is going? And, more importantly, how are they used to change the way the department works? If you don't meet those measures of success, what do you do? Do you promise to do better next time? Or do you actually take steps to determine what went wrong, how to fix it, and then actually effect change?</p><p style="color:#777777;">Great quote from Seth Godin: "Don't measure anything unless the data helps you make a better decision or change your actions."<br></p><p style="color:#777777;">Why are you measuring what you are measuring? The term "measures of success" has built into it the idea that you are trying to show success. But are the measures actually related to success? And, again, if you do not meet them, are they areas where the department actually has control to effect change? Are you measuring to improve, or are you just measuring to measure?</p><p style="color:#777777;">OK. If you read my blogs with any regulatory, this is old news. This is an issue I've ranted about before and will probably rant about in the future.</p><p style="color:#777777;">But there is another issue here. And, even though it is another of my pet peeves, I'm not sure I've talked about it all that much.</p><p style="color:#777777;">Issue No. 2: We try to use objective measures to measure success, and success is subjective.</p><p style="color:#777777;">Most of us riddle our work with micro-metrics: milestones, report due dates, audit due dates, completeness of workpapers, timely review notes, timely review note responses, number of review notes, number of report rewrites — you know the drill.</p><p style="color:#777777;">These are all important. We need to know the audit is on track, the report got out on time/the audit was completed on time, workpapers are complete, review notes are timely, and review note replies are timely. We need to know the results related to every one of these metrics. And it is important to hold the internal audit team responsible for meeting those metrics.</p><p style="color:#777777;">However, even if every one of those metrics is met — even if every audit is on time, every workpaper complete, every review note timely, every report written with a minimum number of rewrites, every jot and tittle is jotted and tittled — they do not represent a guarantee that a single aspect of that audit is "good." There is no proof that a quality, value-adding audit was completed.</p><p style="color:#777777;">Objective measures only measure objective success, and this does not necessarily relate to the subjective success that is "quality."<br></p><p style="color:#777777;">For a few years at Farmers Insurance, we used a balanced scorecard to help measure how we were doing and how we might do better. And it worked pretty well …except for one manager. It was evident to even the most casual internal-audit-savvy observer that the department produced mediocrity. But, in our balanced scorecard, he recorded the second highest score of any manager. He knew how to hit the numbers.</p><p style="color:#777777;">And therein lies two tales. First, you get what you measure. (And any further on that one, deponent sayeth not.) But second is that measuring anything related to the quality of audits, the quality of the department, and the quality of the individual auditors is subjective. Yes, you can objectively measure timeliness and completeness and any of the myriad measures we have all built into our work. But it all comes down to one question: How good is the work? And that is a subjective measure.</p><p style="color:#777777;">Youch! That one hurts us internal auditors. We do not like the subjective; we like objectivity — knowing exactly how measurements were conducted — because then someone else can come back and verify the accuracy of our analyses. But that doesn't work when talking about true quality.</p><p style="color:#777777;">To be done right, everyone in the department must agree on what is meant by quality. There must be an understanding of the aspects of quality, what that means related to the work the department completes, and what that means for the client. Then, standards related to that quality must be established. And, once that is all determined and understood, everyone has to be held to those standards. There must be an honest evaluation of the quality and the value that comes from every audit and from every auditor.</p><p style="color:#777777;">The upshot of all this — the issue underlying everything above — is that you need to take a deep dive into how you measure the success of your department and of the individual auditors. What do you measure, why do you measure, what is the value of what you measure, what is a "quality" audit, and what is a "value-adding" audit?</p><p style="color:#777777;">And, ultimately, what are you going to do with all that information?<br></p>Mike Jacka0
On the Frontlines: Don’t Let Your Data Fall Between the Seams the Frontlines: Don’t Let Your Data Fall Between the Seams<p>​If your data analytics initiative is part of your internal audit program, sooner or later it will have to undergo a quality assurance review (QAR). Even if this was not the case, auditors know the importance of periodic self-evaluation to identify and manage risks and tighten our controls.</p><p>There are three aspects that can easily be missed during your self-assessments: who may want access to the data (beyond corporate data classification), data hand-offs between systems and teams, and how risks may be different on transient versus stable processes. </p><h2>Go Beyond Corporate Data Classification</h2><p>As a rule, if the data is not personally identifiable information (PII), then there is no risk. Right? Well, not really.</p><p>Different datasets have different levels of value for different people. Traditionally, we consider external data leaks to be the greatest treat, and so tax IDs, credit card numbers, and other PII are considered the most critical. We do this because this type of data may be attractive to hackers.</p><p>That said, auditors may be handling information that could be very harmful through internal data leaks — things hackers could not easily monetize or even care about. Examples include medical leave history, court-mandated salary retentions (garnishments), succession planning, or performance evaluations. These things require as much protection as PII to avoid unnecessary conflict in the team dynamics and possible legal consequences. This protection is needed even if the data is not explicitly linked to PII.</p><h2>Protect Data Hand-offs</h2><p>When auditors integrate data from several systems, it is most likely that different parts of the automated process are handled by the automation modules of each of these systems. This means it is very likely there are files that "get dropped" and are later "picked up" by different bots. When this happens, it is important to evaluate your level of comfort with the security of that temporal location where the file waits in transit.</p><p>To do this, consider what could happen to your file while in there, and when and how it stops being there. Key aspects include access to the temporal location, length of time in transition, and back-up/clean-up cycles of the location.</p><h2>Evaluate the Production and Development Processes</h2><p>Finally, when you review your data flow, you must realize that you are really considering two processes: development and production. On the surface these may look similar, but they are different enough to have different risks.</p><p>In production you may end up with only one transition file (or none at all), but in development you are likely to have multiple versions of information as you test each step of your automated process. This risk gets compounded when different team members may be working on different steps of the process as you integrate several systems.</p><p>Even if these files and routines are created in "lower environments" (i.e., test version using stale or manipulated PII data), the development may leave instructions on how to access the live data or even leave behind test files in less than ideal locations.</p><p> </p><p>Analytics programs are new business functions, and as such they have their own elements with independent objectives, risks, and controls. Self-reviews and QARs may attempt to focus on the key risks, but keeping in mind these three tips can help make sure internal auditors reduce the data breadcrumbs.</p><p>Is this consistent with your experience? Do you have any other tips to share?</p><p> </p><p>Francisco Aristiguieta, CIA, is responsible for internal audit analytics at Citizens Property Insurance Corp. in Jacksonville, Fla.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Francisco Aristiguieta0

 ‭(Hidden)‬ Content Query

View RSS feed
  • AuditBoard-May-2021-Premium-1
  • Awareness-Month-May-2021-Premium-2
  • Virtual-IC-May-2021-Premium-3