Your Voices

Portuguese translations Spanish translations



Transformed by the Process by the Process<p>​Let's start with a quick, easy question. What are the three components of every process?</p><p>I ask this in training sessions, and it is interesting how participants are stymied. I think it is because they are looking for something deep and profound. All I'm asking for is the most basic information.</p><p>So, having given you a little time, did you come up with the answer? Think back to your introduction to the concepts of "process" (probably in college) and you may remember that a process is usually defined as having three components: input, action, and output.</p><p>There it is. About as basic as you can get.</p><p>However, this description has a serious flaw. Yes, every process is made up of actions. But a better word to describe what is going on between the input and output is "transformation." The input goes into the process where steps/operations/manipulations/efforts are taken to transform that input into something different — the output.</p><p>Redefining process so that we move from thinking in terms of action to actual transformation is not just splitting hairs. This redefinition allows for a better understanding of why the process exists and the value that should be inherent in the process. And if the input is not transformed — if the output is identical to the input — then there is no process. Instead, there is work, there is a waste of time, there is stuff happening, there is sound and fury signifying nothing…there is all of this, but there is no "process."</p><p>Here's an easy finding for you. First thing in any audit, take a look at the processes. If you see inputs where no transformation occurs once the work is done — outputs that look like the inputs — then suggest the process be eliminated. When you can start out an audit by showing the client steps that can be eliminated, then you will open doors you never knew were closed.<br></p><p>All well and good. And a quick and wonderful lesson about how to add value while performing audit work. But there is something else important in all of this.</p><p>Back in 2020, I came across this line in the comic strip "Macanudo" by the cartoonist Liniers.</p><p> <span class="ms-rteStyle-BQ">If a book is extraordinary, it is started by one reader and finished by a different one.<br></span></p><p>I've never heard this thought expressed quite this way. But it is a perfect articulation of what should happen to any of us when we read something extraordinary. In fact, I would say that by reading even the ordinary we are changed.</p><p>Input <span style="font-size:11pt;line-height:107%;font-family:calibri, sans-serif;">–</span> transformation <span style="font-size:11pt;line-height:107%;font-family:calibri, sans-serif;">–</span> output.</p><p>So, here's a question to get this rolling. When the client gets through all the audit work <span style="font-size:11pt;line-height:107%;font-family:calibri, sans-serif;">—</span> when they see the report and the results <span style="font-size:11pt;line-height:107%;font-family:calibri, sans-serif;">—</span> do they think that what they have seen is extraordinary?<br></p><p>Okay, maybe a bit of a stretch (a stretch worth stretching for, I might add), and not the point I'm trying to make. But, even if the audit work is only ordinary, there is still a fundamental question that should underlie what has occurred. What or who has been transformed?</p><p>An audit is, effectively, a process. There are a lot of different inputs. (For extra credit, I'll let you put together a potential list.) We take those inputs and transform them into results. Those results <span style="font-size:11pt;line-height:107%;font-family:calibri, sans-serif;">—</span> reports, meetings, intangibles <span style="font-size:11pt;line-height:107%;font-family:calibri, sans-serif;">—</span> are the output of the audit process. Input <span style="font-size:11pt;line-height:15.6933px;font-family:calibri, sans-serif;">–</span> transformation <span style="font-size:11pt;line-height:15.6933px;font-family:calibri, sans-serif;">–</span> output. And it doesn't matter if the audit is extraordinary, kinda-ordinary, or just ordinary; there should still be some transformation. And those transformations come at three different levels.<br></p><p>First, the area under review should have been transformed. This may seem to go without saying, but let's say it anyway. Further, the single most important objective of any auditor should be to make things better. We may not state it that way, but it is what we ultimately want to achieve. So the area under review should be transformed by being made better. And even if our work results in a clean report, we should be leaving those involved with a stronger sense of assurance that controls effectively ensure the achievement of objectives. A small transformation, but a transformation, nonetheless.</p><p>The second transformation shifts our focus away from the area being audited to the people being reviewed. How was the client transformed? Of course they now have the assurance spoken of above But how else have they been affected? Do they have a better understanding of what internal audit is all about? Do they have a better picture of how their department fits within the organization? Do they now understand the impact of their objectives on organizational success? What have they learned that the didn't know before? How will they do things differently <span style="font-family:calibri, sans-serif;font-size:14.6667px;">—</span> not just related to the audit, but to the department, to the organization, to everything <span style="font-family:calibri, sans-serif;font-size:14.6667px;">—</span> because of the experience they have been through? If we are effective, we should have an impact on the client beyond the results of the audit. And that is a transformation we should be striving for.<br></p><p>And finally, how were you, the internal auditor, transformed? What did you see, what did you learn, what came from the experience that will make you better? Every project, every audit, every review, every consultation, every big or small task is an opportunity for growth <span style="font-family:calibri, sans-serif;font-size:14.6667px;">—</span> for transformation. And you have to look at every job as a process <span style="font-family:calibri, sans-serif;font-size:14.6667px;">—</span> one that is taking you, the input, and causing a transformation. Now, every transformation is not necessarily good. Bad experiences transform us as significantly as good ones. So it is important to recognize that transformation will occur and manage that change. Look around, see the inputs around you, manage your transformation, and control the output that is your change.</p><p>Next time you get handed your assignment <span style="font-family:calibri, sans-serif;font-size:14.6667px;">—</span> whether it be as high-flying as a review of the organization's strategic direction or as petty as a petty cash audit, be aware of what will make the process, the client, and yourself better. And strive for transformations that will make that happen.</p><p>If an audit is effective, it is started by one auditor and finished by a different one.</p><p> </p>Mike Jacka0
On the Frontlines: Why Getting Involved in Politics is a Good Thing the Frontlines: Why Getting Involved in Politics is a Good Thing<p>​At the outset of my career as an internal auditor, I was warned repeatedly to avoid workplace politics at all costs. This type of advice is not uncommon to give to an ambitious and slightly arrogant young professional like I was. Numerous leaders suggested that getting involved in office politics would be career-limiting. Some even suggested that engaging in the politics of the company would impair my independence as an auditor and limit my ability to work and act objectively.</p><p>The concept of avoiding politics was an uncomfortable one for me. A few years before becoming an internal auditor, I had double-majored in political science and economics at the undergraduate level and had served as an intern for a congressman in Washington, D.C. During the orientation to my internship, I was given a challenge by one of the senior staffers to name all of the leaders to whom the congressman, our boss, would give the shirt off his back. This was a valuable exercise in understanding influence, power, and relationships, and I realized these are at the core of politics. It was a moment that stuck with me. </p><p>Now as an internal auditor, I have never had a desire to avoid workplace or office politics. Instead, I have consistently chosen to consciously engage in the politics of the organization. That may sounds strange, given how the term "politics" has such a negative connotation in our current society. However, understanding how "things get done" and who has the power to influence them in an organization is crucial to being able to have a positive impact on the organization. </p><p>Too often, I have seen internal auditors wasting time trying to influence individuals who may have important titles, but realistically have limited cross-functional influence in the organization. At the same time, they are failing to build and leverage relationships with the real power brokers, regardless of title. </p><p>One strategy that I learned in Washington came from watching lobbyists build close relationships with key staffers who had the ear of a politician. The lobbyists rarely started with the elected officials. Within organizations, leaders often look to specific subordinates to provide guidance on topics that internal audit brings to them. If the internal auditor bypasses these powerful political channels, they miss out on the opportunity to influence the leader. Instead, the politically savvy internal auditor knows who they need to lobby in in the organization in order to ensure that the leader with ultimate authority is receptive to their ideas and recommendations. </p><p>We know from the International Professional Practices Framework that internal auditing is an "independent, objective assurance and consulting activity designed to add value and improve an organization's operations." Unfortunately, simply identifying reportable observations and putting them into an audit report does not ensure that it has a positive impact or that an organization's operations are improved. </p><p>Being able to assess an organization and truly understand how the written and unwritten power structures work is an important competency for internal auditors. Without having strong relationships and understanding where power and influence sit within an organization it is nearly impossible to impact an organization. </p><p>I have tried to couple my interest in the study of organizational politics with my knowledge of the study of game theory, as learned in my economics studies. Game theory is the study of how rational actors make decisions based on their incentives. That is not to suggest that all actions made by leaders are rational, but it is a great starting point. When internal auditors are able to couple an understanding of power, influence, and individual incentives across an organization, they are well-positioned to increase the likelihood that recommendations made are implemented and organizational improvement is achieved.</p><p>Of course, no amount of political skills can make up for deficiencies in the competencies needed to be an internal auditor and covered in the exam for the CIA certification. However, to maximize their positive impact on an organization, internal auditors need to leverage their political acumen. </p><p>In my current role at The IIA, I work with leading audit executives every day. I have the opportunity to swap stories and hear how they have a positive impact on their organizations. It is clear that much of their success comes from their ability to work within their organizations' political systems. </p><p>That being said, development of one's political acumen is not something that should be deferred until reaching more advanced stages of a career in internal auditing. Successful internal audit leaders don't develop these skills when they become leaders. They become leaders, in part, because they have honed the ability to work within organizational political systems.<br></p><p> <br></p><p>Harold Silverman, CIA, CRMA, QIAL, CPA, is director, Executive Membership at The IIA.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true">here</a> to learn how to contribute a blog post.<br></p><p><br></p><p> </p><p><br></p>Harold Silverman0
The Perfect Plan Perfect Plan<p>​Welcome to the new year. I'm sure you're prepared, pumped, and primed for what's to come. Your laptops are fired up, your Zoom backgrounds are polished and perfected, your pencils are sharpened to a deadly point, and your best laid plans have been planned — planned schedules, planned audits, and even plans to plan for planning in 2023.<br></p><p>Let me tell you a story about those best-laid plans. I was the Phoenix Regional Auditing Supervisor, it was about mid-year, and we were starting to drown. In simple terms, our projects were getting later and later, and our schedule was getting more and more tattered. Lots of excuses; no good reasons. The pressure was on, and I was frantically trying to find a way to dig us out of our hole. Then I got a call about an agent in Gallup, New Mexico. Within short order we determined that this was going to be our largest fraud ever.</p><p>And, with that simple realization, all the pressure was off. There was no way we could get any of our other work completed on time. All our planning and scheduling was blown sky-high. And it was incredibly freeing. The plans, the schedule, and anything we were trying to do in an attempt to "get everything done" no longer mattered. The cold, hard smack of reality shoved things in a different direction.<br></p><p><span class="ms-rteStyle-BQ">"Everyone has a plan until they get punched in the mouth."  ~ Mike Tyson</span></p><p>Of course, my simple story is nothing compared to that funny little incident from a couple of years ago, the one where we all knew exactly how the year was going to proceed and, next thing we knew, we were all working from home and learning how to use technologies we probably should have been using long ago, and determining if we could actually survive being cooped up with our families, and discovering the opinions of our various friends, neighbors and co-workers regarding science and a deluge of other impacts we don't have time for right now. With that one event, more than a lot of audit departments came to the realization that all prior planning was irrelevant. Unfortunately, I know of some internal audit shops that didn't really learn that lesson, even as it was unfolding around them — internal audit shops that made little-to-no adjustment to their schedules.<br></p><p>Let me tell you a story about inflexibility — another one that isn't pandemic specific. I was working with a client that was knee-deep in supporting SOX testing for the external auditors. The CAE told me that one of the tests being required had no bearing on the organization's situation. He explained this to the representative of the firm; he explained that any numbers produced would make no sense, would not match anything, and would provide no value. The representative nodded sagely, agreed, and then explained that the CAE would still be required to complete the test because it was required as part of the plan.<br></p><p><span class="ms-rteStyle-BQ">"We plan; God laughs."  ~ Yiddish proverb<br></span></p><p>If this is the way some people approach their plans — holy writ that is sacrosanct and immutable — then we should not be surprised these same people could not force themselves to make changes during the more seismic situation of a pandemic — audit departments frozen in fear and frozen because they did not know <em>how</em> to change.<br></p><p>There's an important aspect of planning that many of us, because we are so enmeshed in that planning, sometimes forget. A plan is only the start. An important start no doubt, but just the beginning. We let people know what that plan is — the clients, the audit committee, the audit department — in order to inform them how we plan…<em>plan</em>…to accomplish our objectives for the year. But the statement of a plan is no guarantee that those stated deliverables will match the deliverables we present at year end. Our plans have to be couched in terms that let everyone understand there will be the need to adjust/adapt/improvise as the year goes on.</p><p>For the person described in the previous story, the individual requiring those SOX tests, the need to adjust, adapt, and improvise were foreign concepts. And to some audit departments — the ones that went blithely on with their schedule in the face of a risk-changing, process-changing, event-changing pandemic — the plans were chiseled in stone and change was considered sacrilege. But, again, it is a problem that existed long before the pandemic. One team I spoke to in the "before times" explained that they could not change the schedule after it was presented to the audit committee because, if they changed it, members of the committee would question why changes were occurring. The inference was that such questions would mean the committee members felt internal audit failed in its initial planning and the department would look incompetent. (Note that if that was the department's fear, they probably were, indeed, incompetent.)</p><p>And even those audit departments who recognize the need to change face another issue. Many do not recognize how fast change needs to occur. We are not a quick-moving, agilely-adapting profession. And, as the world has moved faster, our ability to change must come faster. Changing and adapting are a good start. But real success comes with the ability to immediately improvise as events go rushing past. We must move quickly or be resigned to always doing nothing more than catching up.<br></p><p>And here's the positive spin on all this. When we shift our focus away from the risks inherent with change and start looking at the similarly-inherent opportunities, we are ready to improvise and quickly pivot to those opportunities.<br></p><p><span class="ms-rteStyle-BQ">"To succeed, planning alone is insufficient. One must improvise as well."  ~ Hari Seldon in Isaac Asimov's <em>Foundation</em><br></span></p><p>This week we lost Betty White, a queen of comedy. You've probably seen the memories posted by the famous and unfamous. Her work on "The Mary Tyler Moore Show" and "The Golden Girls" only scratches the surface. And, while "The Mary Tyler Moore Show" will always be one of my favorites, I'd like to share a clip from "The Golden Girls." Watch her comedic skills closely, but also watch how she handles the story she is telling.</p><p><a href="" data-feathr-click-track="true" target="_blank">The Great Herring War</a><br></p><p>The story about this scene is that, as it went along, Betty White began improvising. She saw the reactions of her co-stars and built a better and better story. The fact that her co-stars cannot maintain their composure as Betty's character innocently tells the story speaks to the power of how she adapted the original plan.</p><p>Comedy is rife with examples of successful improvisation. Watch "Whose Line Is It Anyway?" and you watch skilled professionals looking at opportunities and then improvising to make something better/funnier. Any plan they have goes out the window as the situations progress.</p><p>An important skill in successful improvisation is the ability to say "Yes, and…" Accept the premise that has been given and, rather than shoot it down, build on it. And that ability to not only accept but embrace change is exactly what any internal audit department requires in order to succeed.</p><p>Look at the stories I've shared. The story of the Gallup, New Mexico fraud is an example of embracing the coming change and, rather than fretting about how things were going wrong, looking for what might be next. The story of the individual who required the SOX test is an example of the exact opposite — of someone who was not accepting change nor trying to determine what is next.</p><p>And let's look at the example we are currently most familiar with. A lot of people, when blindsided by the pandemic, rolled up their tents and snuck away on the next train out of town or hunkered down in those tents hoping that this, too, would pass. However, the successful audit departments were the one that saw the pandemic and accepted it (said "Yes"), then decided how best to work with, in, and forward with the situation. (said "Yes, and…")</p><p>I like to think (I desperately hope) that the coming year will not be filled with the catastrophic transformations that have been occurring. However, transformations are and will be happening. A plan is a good start, but be ready to throw it out the window. And that means being ready to change all plans great and small. Maybe it's a test that has made you realize there is a lot more going on than was first suspected and the test should be abandoned for new research and testing. Maybe it's an interview that you started as a part of fact-finding, only to see it point the way to a fraud investigation. Maybe it's a scope that, after digging in, you find is too restrictive and will not allow you to accomplish the audit's objectives. Maybe it's a schedule you developed in the third quarter of the previous year that, by December, is so tied to the past that it has no bearing on reality.</p><p>Or maybe it is just that things change, and plans are nothing more than plans. They are not chiseled into rocks, but sketched out in sand, waiting to be altered as necessary with the changing tides.</p><p><span class="ms-rteStyle-BQ">"Remember, if plan A fails you have 25 letters left."  ~ Anonymous<br></span></p><p> <br></p><p> And now a postscript.</p><p>I did a rough draft of this post last Thursday. Then on Friday, we lost Betty White. Among the various memorials and fond memories, comedian Patton Oswald posted the scene I've shared with you.</p><p>I saw it, enjoyed it, and then realized it was an important part of — a positive spin on — what I was trying to say. That is how the last portion of this post came into existence.<br></p><p>Then I thought back to<a href="/blogs/jacka/2021/Pages/Books,-Intuition,-and-Elastic-Thinking.aspx" data-feathr-click-track="true" target="_blank"> my post from the previous week</a>. While a good portion of that post was about the use of intuition, it also discussed how intuition, creativity, and flexibility require inputs — inputs of all kinds from all different sources. And I realized that this current post was an example of just the kind of serendipitous information input I was talking about.<br></p><p>I got the idea while rereading <em>Foundation</em> by Asimov and discovering the Hari Seldon quote. The other quotes fell in place, along with the requisite stories about internal audit. Then I saw the Betty White clip and that gave me the more positive aspects of the issue that I knew were missing.<br></p><p>We never know where our ideas will come from. And we never know how innovation and improvisation will get started. But they have their best chance of success when we take in as many inputs as possible. And not just volume, but also variety. Take in as much as you can, take in as many different things as you can, and let them all spend their time percolating in your brain. Someday you're going to need an idea/an innovation/an improvisation, and those inputs will combine into an output that will catch everyone, even you, by surprise.<br></p>Mike Jacka0
Building a Better Auditor: New Year, New Traditions,-New-Traditions.aspxBuilding a Better Auditor: New Year, New Traditions<p>Traditions. We are all accustomed to them and they are often fresh on our minds right after the holiday season. If I asked you to recall your favorite holiday tradition, I guarantee you'd have an answer for me. I'd also bet that if you asked your next-door neighbor, their favorite tradition would look quite different from yours. A close proximity but a vastly different set of traditions.</p><p>This is the beauty of tradition. They are sacred and no two are the same. To be honest, many of us are resistant to the idea of replacing our traditions with something new — or worse, with someone else's traditions. Why is it so hard to let go of a tradition? Letting go of traditions can seem impossible because we find comfort in what we have clung to for years. Or maybe the fear of losing what once was gets in the way of what could be. Sometimes the traditions we've carried for many years can even get in the way of creating a better future for ourselves and for later generations. </p><h2>Collaborating for the Future<br></h2><p>If 2021 taught us anything, it's that we are all masters of change. It was a year where we were all forced to pivot whether we liked it or not. If a global pandemic can make us pivot the way we work, the way we choose to be present, and the way we view the future, then maybe we can let something hopeful, like the start of a new year, do the same.</p><p>The internal audit profession is made up of everyday heroes like you — mothers and fathers, athletes, culinary connoisseurs, avid hikers, movie experts — the list goes on. Whether this is your first year in internal audit or you are a veteran practitioner, you offer a unique perspective and lens through which you see life. That is why it is crucial that you share your experiences with fellow internal auditors and work toward a better future, together. Although changing traditions and letting go of old processes can be challenging, the legacy of the internal audit profession is worth the risk of welcoming some change. </p><h2>Starting Off Right in 2022<br></h2><p>For your New Year's resolutions in 2022, I want to challenge you with two questions to ponder and a few ideas to start you off:</p><p><strong>1. How do you want to leave your mark on the next generation of internal audit?</strong></p><p>Find a younger internal auditor in your area or in your local chapter and commit to some level of mentorship with them. This could mean giving them your personal email address so they can ask you any questions they might have about the profession. You could also meet for lunch to discuss how you might support them on their internal audit journey.<br></p><p>If you don't have the time to mentor someone, but you do have financial resources available, you could consider sponsoring a student membership. This is a great way to connect students with internal audit professionals. As members, students have access to networking opportunities and potential job opportunities through their local chapter. Members and chapters can conduct outreach to students from traditional as well as nontraditional majors to allow for a more diversified student pipeline. Paying for the membership of a student who may not have the available funds helps build the profession for the future. Email <a href="" data-feathr-click-track="true"></a> for more information on sponsoring student memberships, or reach out to <a href="" data-feathr-click-track="true"></a> for more information on your local chapter.</p><div><p>Another quick, yet powerful option is to communicate your internal audit story through social media. You could post a brief (up to one minute) video explaining why you chose to become an internal auditor and how you believe it's a key profession of the future.<br></p><p><strong>2. Are there areas in your work where you have chosen to do things a certain way for the sake of tradition rather than the actual benefit it brings?</strong></p><div><p>You can start small here: Make a list of three habits that you do because "we've always done it this way" even though you know there are more efficient or simpler methods. Challenge a colleague to do the same. Swap lists and collaborate together on how you can build a better future for your internal audit function.<br></p></div><div><p>The beauty of tradition isn't always in the tradition itself. It's often through legacy where tradition finds its meaning. The passing down from generation to generation. Although it is never easy to say goodbye to traditions or pivot our patterns of behavior, I challenge you to look at your role as an internal auditor in 2022 with a fresh perspective. </p><p>It might seem daunting to add another thing to your to-do list, but I will leave you with a quote from C.S. Lewis to prove to you it's worth it: "There are better things ahead than any we leave behind."<br></p><p><br></p><p>Rachel Cain is an associate manager of chapter engagement for The IIA and is based in North Carolina.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p></div></div>Rachel Cain0
Books, Intuition, and Elastic Thinking,-Intuition,-and-Elastic-Thinking.aspxBooks, Intuition, and Elastic Thinking<p>True confession time. My initial plan for this particular blog post was going to be the tried-and-true, end-of-year approach — a list of books I had read in the last year I thought were worth everyone's time.<br></p><p>However, as I was working on that list (and a worthy list it is, too) I realized I was falling into a trap. I was being lazy. End of the year, we're all tired, another year is looming, so let's just look for the quick and easy solution before we have to get into the real work of starting a new year. Everyone does it, you do it, "they" do it, and I was about to do it.<br></p><p>Upon recognition of the trap into which I was blithely falling, the entire project lost its pizzazz, its zeal, its raison d'etre, the impact I hoped my blog post would have..</p><p>Don't get me wrong, you're going to wind up with a list — a list I feel includes some books that it would behoove you, for your personal and professional betterment, to read. However, I serendipitously came across an interesting interview regarding how we think, how we learn, and the impact of these processes on productivity. It appeared in a recent list from the New York Times — a list of overlooked stories. I missed, ignored, or overlooked this story, and I'm glad this list gave me a second chance.<br></p><p>In July, Ezra Klein, podcaster for the New York Times,<a href="" data-feathr-click-track="true" target="_blank"> interviewed Annie Murphy Paul </a>about her book <em>The Extended Mind</em> — an exploration of the active role environment has in driving our cognitive processes. Now, there is a lot in the interview, and many a deep dive could be performed from this material. However, for purposes of this post and related to the initial topic of "Books I've Read You Should Read," there is a specific discussion in the interview regarding how we take in information. Here is Ms. Paul discussing information input and gut feelings.<br></p><p><span class="ms-rteStyle-BQ">As we go through our everyday lives, there's way more information than we can process or retain consciously. It would just completely explode our mental bandwidth. But we are taking in that information, noting regularities and patterns, and storing them in the non-conscious mind so that it can be used later when we encounter a similar situation…The body lets us know. I mean, that's what we call a gut feeling or what psychologists, what scientists call interoception, which is the perception of internal sensations that arise from within the body. And people who are more attuned to those internal signals and cues are better able to draw on that wealth of information that we know but we don't know. We possess it, but we don't know it explicitly or consciously. So that's what a gut feeling is. It's sort of your body tugging at your mental sleeve and saying, hey, you've been here before. You've had this experience before. Here's how you responded. It worked or it didn't work. Here's what is the right thing to do now.</span></p><p>Gut feelings, intuition, and even the tingling of an auditor's Spidey-sense may be real things. Quite simply, the more information we have, the more we can rely on those gut feelings to guide us. Our experiences at work, our experiences in the audit world, our experiences in dealing with people — all our experiences are stored away, ready to provide us quick solutions to the problems we face.<br></p><p>This may be counterintuitive to the way we auditors like to think we think — we like to believe that logic and brainpower win the day. But admit it, we've all had those gut feelings while we've been working, and we have succumbed to those feelings, and, most importantly, we've all seen those gut feelings lead to the correct decisions.<br></p><p>So, the more inputs, the better the outputs — the better our guts can lead us.<br></p><p>In this context, the number one input source is the experience gained with every day's work in the audit field. But there is another side of the whole "inputs" discussion. As noted, we need a lot of inputs. But that is not just restricted to our work experience. Later, Ms. Paul discusses how the brain uses all the information it has taken in and stored for later use.<br></p><p><span class="ms-rteStyle-BQ">[The brain is] assembling its thought processes from what's available in its environment. And that means that thinking better is not about working the brain ever harder. It's about creating a space and a set of capacities wherein you have more and better resources from which to assemble your thought processes.</span></p><p>Of course there's a dandy chance I've misinterpreted what she has to say, but I see this as recognizing that our brains need inputs from everywhere — that intuition, adaptability, and creativity require lots of input. And when we restrict the types of inputs we are willing to accept, we restrict intuition, adaptability, and creativity. The more varied the inputs, the better the results. <br></p><p>What this all comes down to is that, for auditors to provide the greatest value — to provide new ideas and creativity and see things that others may not be seeing — it is important to look well beyond the sources we generally fall to in an effort to get better at our jobs. Yes, read Internal Auditor and the white papers put out by professionals and books on internal audit and books on business and all the standard resources we think of when we think of being a "better" internal auditor. But the obtuse and weird resources — the books, articles, and social media sources that do not seem to immediately apply — will give the brain the additional inputs it needs to be intuitive, to be adaptable, and to be creative. (Adaptable intuition, intuitive creativity, creative adaptability — put those words together any way you want and you have the beginning of what can be accomplished when exploratory learning is allowed to flourish — when the typical is eschewed for the unusual.)<br></p><p>And with that, having used up a good portion of my thesaurus and my word count, let me give you that list I promised: a list of books I read or reread this year (or maybe in the last couple of years) that I think have value. The purpose and value of some of these will be self-evident. But others may not exactly scream, "This is a book that applies to what you do!" But then, that is the point. Self-evidency is not a requirement.<br></p><p>My list of books:<br></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p><em>Radical Leadership</em> – Steve Farber<br><em>Madness, Rack, and Honey</em> – Mary Ruefle<br><em>Writing Down the Bones</em> – Natalie Goldberg<br><em>Range: Why Generalists Triumph in a Specialized Word </em>– David Epstein<br><em>Humor, Seriously</em> – Jennifer Aaker and Naomi Bagdonas<br><em>Elastic: Unlocking Your Brains Ability to Embrace Change </em>– Leonard Mlodinow<br><em>One! Hundred! Demons! </em>– Lynda Barry<br><em>Dream Teams</em> – Shane Snow<br><em>The Excellence Dividend </em>– Tom Peters<br><em>Being Wrong</em> – Kathryn Schulz<br><em>Predictably Irrational: The Hidden Forces that Shape Our Decisions</em> – Dan Ariely<br><em>Thinking Fast and Slow </em>– Daniel Kahneman</p></blockquote><div><br></div>And feel free to share with all of us any books that moved you this year.<div><p><br></p></div>Mike Jacka0
On the Frontlines: When an Audit Leader Changes Your Findings the Frontlines: When an Audit Leader Changes Your Findings<p style="text-align:justify;">In the everyday work of internal auditors, it sometimes happens that an audit manager makes changes to the drafted audit findings. An audit leader may delete some or even all of a finding or change the risk criticality. If the auditor and audit manager agree that the changes are needed to improve the quality of the audit report or ensure consistency with the risk criticality methodology, there is no issue. However, what happens in situations when there is no mutual agreement about the necessity to change the drafted findings and their risk criticality? More importantly, what happens if the audit manager's changes result in a report that presents totally different facts than what was intended — or even wrong conclusions?</p><p style="text-align:justify;">There are several reasons why an audit manager might want to change audit findings and their criticality ratings — other than a desire to improve the quality of the audit report. One of them could be that the manager does not want to have a too-critical report, as it may attract a lot of attention. The opposite could also be true: The audit manager feels the report <em>should</em> attract more attention, so it should be made more critical. Another, unfortunate reason might be that the audit leader is misusing audit reports for reasons involving internal politics. </p><p style="text-align:justify;">Or it's possible the audit manager uses audit reports in the context of personal relationships with other managers. This could include a situation in which the audit manager wants to keep good relationships with all the other managers in the organization and thus does not want to have a lot of severe findings in the audit reports. The opposite situation is possible too — having a bad relationship with another manager in the organization and using the audit report to present this manager's area as riskier than it objectively is.<br></p><p style="text-align:justify;">Regardless of the reason behind the changes of audit findings and their risk criticality, there are several steps auditors can take in their everyday work to stay in compliance with The IIA's <a href="" data-feathr-click-track="true"><em>International Standards for the Professional Practice of Internal Auditing</em></a> and protect themselves from any potential adverse effects.</p><p style="text-align:justify;"><strong>Be objective and fact based.</strong> Objectivity is one of the main pillars of audit work. Auditors should strive to be and even appear to be subjective in their work. If the objectivity of audit team members involved in the engagement is impaired, that could be a reason for a misunderstanding with the audit manager.</p><p style="text-align:justify;"><strong>Document your work</strong>. Even though there are different opinions about this aspect of audit work, documenting work is a regular part of an audit engagement and becomes very important when needing to present the facts and provide evidence for conclusions. Documentation should be kept at a reasonable level — one that would enable a third party to come to the same conclusions as the auditor.</p><p style="text-align:justify;"><strong>Consider the audit manager's perspective.</strong> Imagine the audit manager's role in the situation and try to talk openly. Perhaps there are certain aspects involved with the findings of which the audit team is not aware. Taking all relevant factors into consideration may help the parties involved reach a win-win situation. </p><p style="text-align:justify;"><strong>Ask for an additional opinion.</strong> Involving another auditor who was not involved with the specific audit engagement could be helpful in situations when a common understanding is hard to reach. A "fresh pair of eyes" can contribute to objectively assessing the findings.</p><p style="text-align:justify;"><strong>Take a stand and have arguments for it</strong>. Auditors should be brave enough to stand for their findings. However, this does not mean they should not be willing to change a single letter of what they have written. Having a strong stand should be balanced with being reasonable.</p><p style="text-align:justify;"><strong>Inform the audit managers of requirements based on the </strong><strong><em>Standards</em></strong><strong>.</strong> It is always useful to remind team members about The IIA <em>Standards</em> requirements. Sometimes a simple thing like this can resolve the misunderstanding and help in achieving a solution.<br></p><p style="text-align:justify;"><strong>Revaluate your position</strong>. As trusted advisors, auditors should be adding value to the organization with their work. It might be useful to ask, "How does this work add value to the organization?" Thinking about it this way could put the audit findings into an entirely different, yet important perspective.</p><p style="text-align:justify;"><strong>Finally, choose your battles wisely</strong>. Auditors are creative magicians in using words, graphics, pictures and all forms of communication to pass their messages to the audience. Often just a small change in wording or a slightly different presentation can help change the appearance of the findings and make everyone happy, while the facts remain unchanged.<br></p><p style="text-align:justify;"><br></p><p>Maja Milosavljevic, CIA, CRMA, is an internal auditor in Vienna and a 2015 <em>Internal Auditor</em> Emerging Leader.</p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true"><em>here</em></a><em> to learn how to contribute a blog post.</em></p>Maja Milosavljevic0
Top Ten 'Your Voices' Blogs of 2021 Ten 'Your Voices' Blogs of 2021<p>Readers of the "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=a1dd2380-a348-46e0-80b5-05b49e30d4cb" data-feathr-click-track="true" target="_blank">Your Voices</a>" blogs on were focused on career development and improving their mental approach to the profession. With nearly 60,000 page views in the blog series' first 10 months, the Top 10 most-read blog posts were equally split between <em>Building a Better Auditor </em>and <em>On the Frontlines</em>.</p><p>The most-read blog, penned by ServiceNow internal audit leader Brian Foster, CIA, focused on the value of professional certifications and certificates. In <a href="/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Certificates-and-Certification-Two-Keys-to-Career-Advancement.aspx" data-feathr-click-track="true" target="_blank">Certificates and Certification — Two Keys to Career Advancement</a>, Foster notes his first-hand observations of how certificates and certifications support personal and career development and influence how potential employees view the holder. "So, should you seek out certificates or certifications? The answer is yes. They both provide value to those who invest the time and energy to earn them, and to their employers."</p><p>In <a href="/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Why-Stress-Management-Is-Critical-to-Your-Career.aspx" data-feathr-click-track="true" target="_blank">Why Stress Management Is Critical to Your Career</a>, Jamie Burbidge suggests that effective stress management is a key component of forging a successful career. Burbidge, the founder of Bickham Montgomery in London, goes on to offer a series of tips for managing personal stress levels as well as those on a team.</p><p>In the third most-read blog post, Edgardo Alifano provides insights into how little input internal auditors have on management remediation plans. In <a href="/blogs/Your-Voices/2021/Pages/On-the-Frontlines-The-Most-Important-Thing-Auditors-Dont-Do-.aspx" data-feathr-click-track="true" target="_blank">The Most Important Thing Auditors Don't Do</a>, Alifano, CAE for Darigold in Seattle, says that encouraging management to create acceptable action plans "provides a unique opportunity for auditors to exercise our role of business partners and trusted advisors more than ever." </p><p>Pumping up the volume on internal audit reports to get noticed is not unlike the story of "The Boy Who Cried Wolf," according to Maja Milosavljovic, CIA, CRMA. In <a href="/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Why-Sensationalism-Is-Bad-for-Internal-Auditing.aspx" data-feathr-click-track="true">Why Sensationalism is Bad for Internal Auditing</a>, the Vienna-based internal auditor laments that, "auditors may compete with each other to come up with better, more critical, and more sensational findings." When this happens, internal auditors could be sacrificing their objectivity, she notes.</p><p>Two blog posts about altering how internal auditors think ranked fifth and sixth on the Top 10 list.</p><p>Emilio Lui, CIA, urges readers to get into an objective frame of mind before taking on engagements. In <a href="/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Evolve-Your-Internal-Audit-Mindset.aspx" data-feathr-click-track="true">Evolve Your Internal Audit Mindset</a>, the senior internal auditor from Belize City, says internal auditors must get rid of the "policing" mentality or thinking they have a responsibility to "find something wrong." He says, "To all my internal audit colleagues, that is not your responsibility. We should aim to serve, to deliver value, and over deliver on our value proposition."</p><p>In <a href="/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Developing-an-Internal-Auditors-Mindset.aspx" data-feathr-click-track="true" target="_blank">Developing an Internal Auditor's Mindset</a>, Mustafa Yusuf-Adebola, CIA, CPA, CFE, CGA, of Ontario, makes a case for specialized onboarding for new internal auditors. Looking for additional training openings for junior auditors provides audit leaders opportunities to mold them into effective team members.</p><p>Jeff Ridley, CIA, praises The IIA's focus on informing practitioners on where internal audit fits into the growing ESG risk area. However, in <a href="/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Internal-Audits-Role-in-ESG.aspx" data-feathr-click-track="true">Internal Audit's Role in ESG</a>, Ridley suggests that few practitioners "address the connectivity of national and global ESG issues in their risk-based internal auditing." The long-time internal auditor and visiting professor at Birmingham City University, University of Lincoln, and London South Bank University says evaluating the quality and improvement of every internal audit function must now include how internal auditors, management, and boards are walking the talk of ESG.</p><p>Blog posts that round out the Top 10 focused on finding ways to become more effective and efficient auditors. In <a href="/blogs/Your-Voices/2021/Pages/On-the-Frontlines-Incorporating-Data-Analytics-for-Smarter-Audits.aspx" data-feathr-click-track="true" target="_blank">Incorporating Data Analytics for Smarter Audits</a>, Ryan Singer, CIA, says it is past time for internal audit to embrace data analytics. "Many internal auditors will agree that when it comes to data analytics in internal audit, we're much further along with talk than we are with action," he points out. The fix is to "tie data analytics into the internal audit group's overall strategy, which should ultimately feed into the larger strategy of the business," says Singer, a consulting senior manager at Crowe LLP in Columbus, Ohio.</p><p>Tim Berichon, CIA, QIAL, CPA, says a Six Sigma mindset can help internal auditors be more valuable. In <a href="/blogs/Your-Voices/2021/Pages/On-the-Frontlines-The-Six-Sigma-Mindset.aspx" data-feathr-click-track="true" target="_blank">The Six Sigma Mindset</a>, Berichon, the IIA's director of global advocacy, says people trained in the management technique make some of the best auditors "because they want to know why and how we can do better." He adds, "Internal audit, by definition, is designed to add value and improve operations to help our organizations meet, if not exceed, objectives. Six Sigma strives to eliminate defects and waste by improving processes to help the organization meet, if not exceed, objectives."</p><p>Rounding out the Top10 is <a href="/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Expanding-Your-Internal-Audit-Role-Through-Active-Listening.aspx" data-feathr-click-track="true" target="_blank">Expanding Your Internal Audit Role Through Active Listening</a>. Alex Rusate, CIA, CRMA, CCSA, CPA, describes active listening as a paramount skill for internal auditors. The senior internal auditor at New York Independent System Operator in Rensselaer, New York, says internal auditors, "cannot audit what matters if they do not listen to understand what matters." He goes on to share six key characteristics of active listening offered by the Center for Creative Leadership.<br></p><p><br></p><p>​Robert Perez is the director of content development and delivery at The IIA.<br></p><p><em>Want to be a part of Your Voices? We need you! Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p><p><br></p>Robert Perez0
Even More Audit Carols for the Holidays More Audit Carols for the Holidays<p>In the past, I've provided some auditing carols for the holidays. You can find one collection <a href="/blogs/jacka/2016/Pages/Auditing-Carols-for-the-Holidays.aspx" data-feathr-click-track="true">here </a>and, if you have access to the magazine's archives, you can go way back to the December 2006 issue of Internal Auditor for the very first songs.</p><p>Well, it's been a while, so it's probably time for more auditing cheer. Let's warm up our vocal cords, spike up the wassail, and sharpen our pencils as we all sing along with these soon to be classics.</p><p> </p><p><strong>The Audit Scope<br></strong>(To the tune of "The 12 Days of Christmas")</p><p>This audit included:<br></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>12 useless samples<br>11 days of writing<br>10 seconds of planning<br>9 evaluations<br>8 confusing tick marks<br>7 process flowcharts<br>6 observations<br>5 interviews<br>4 transaction checks<br>3 bad tests<br>2 file reviews<br>And a good cause to fire the auditor</p></blockquote><p> </p><p> </p><p><strong>Phony Books </strong>or "The Auditee's Lament"<br>(To the tune of "Silver Bells")</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>Shredding files, making piles<br>Out of real work we've done<br>'Cause there's so much inside it we fear.<br>Bogus entries, all the hints we<br>Have been cooking the books,<br>Trying to hide it as audit comes near.</p><p>Phony books. Phony books.<br>It's audit time in the office.<br>In the red. Hear us shred.<br>Soon it will be audit day.</p></blockquote><p><strong><br></strong></p><p><strong>I Saw Three Tests<br></strong>(To the tune of "I Saw Three Ships")</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>I saw three tests come trickling in<br>At audit close, at audit close.<br>I saw three tests come in real late<br>At audit close in the evening.</p><p>I asked the team "What happened here?"<br>At audit close, at audit close.<br>I asked them "Why are you so late<br>At audit close in the evening?"</p><p>They claimed things hadn't gone as planned<br>As deadlines loomed, as deadlines loomed.<br>They claimed some problems reared their heads<br>As deadlines loomed in the evening.</p><p>So, then I looked at all three tests<br>At audit close, at audit close.<br>I looked at all three tests in shock<br>At audit close in the evening.</p><p>And saw that fraud quite rampant was<br>At audit close, at audit close.<br>That there was nothing good to say<br>As audit close was approaching</p><p>Thus our report was quite delayed<br>Past audit close, past audit close.<br>Thus our report came out real late<br>Past audit close in the evening.</p><p>But by then there was no one left<br>Past audit close, past audit close.<br>No one to read a single word,<br>The business closed in the morning.</p></blockquote><p> </p><p><strong>The Audit Song<br></strong>(To the tune of  "The Christmas Song")</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>Cash and checks are all left unsecured.<br>Fake employees on the rolls.<br>Vendors paid without any support.<br>And costs dressed up like income flows.<br>Everybody knows the clerks are stealing petty cash.<br>Kickbacks flowing left and right.<br>VPs caught with their hands in the tills<br>Will find it hard to sleep tonight.<br>They know the finding's on its way.<br>It's got lots of risks and weakness to convey.<br>And all the CFOs are gonna try<br>To see if they can blame it on the other guy.<br>And so I'm offering this simple phrase<br>To all from clerks to CEOs.<br>Although it's been said many times may ways,<br>You have got no controls.</p></blockquote><p> </p><p><strong>I Saw Mommy Audit Santa Claus<br></strong>(To the tune of "I Saw Mommy Kissing Santa Claus)</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>I saw Mommy audit Santa Claus<br>Working late at home on Christmas Eve.<br>She didn't see me creep<br>Downstairs to have a peep.<br>She thought the red book had put me to sleep.</p><p>Then I saw Mommy question Santa Claus<br>About the balances that showed up red.<br>Oh what a laugh it would have been<br>If Daddy had only seen<br>Mommy question Santa Claus all night.</p><p>Then I heard Mommy say to Santa Claus,<br>"Here's blankets and a pillow for your head."<br>Oh what a laugh it's going to be<br>When Daddy comes in to see<br>Santa sleeping on the couch tonight</p></blockquote><p> </p><p><strong>I'm Dreaming of a Clean Audit<br></strong>(To the tune of "I'm Dreaming of a White Christmas")</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>I'm dreaming of a clean audit,<br>Just like the one a year ago.<br>Where there were no findings<br>And no reminding<br>The clients that they've moved too slow.<br>I'm dreaming of a clean audit,<br>With every new control I see.<br>May your test work all be routine.<br>And may all your audits be clean.</p></blockquote><p><br></p>Mike Jacka0
Building a Better Auditor: To Interview or Not to Interview a Better Auditor: To Interview or Not to Interview<p>I have long believed that one of my strongest traits as an auditor is my ability to quickly connect with people and build rapport. For an auditor, being able to gain the trust of an audit client or stakeholder to allow them to feel comfortable sharing with you is an invaluable skill.<br></p><p>Before the pandemic, the process of building trust was largely a face-to-face endeavor. Today we have various platforms by which an interview can be conducted. While it may not be as ideal as sitting in the same room, a virtual interview still allows us to see each other and gauge at least some body language. <br></p><p>However, the proliferation of remote audit engagements may push the internal audit team to forgo an interview altogether, in favor of a survey. <br></p><p>As with so many aspects of life, I believe the decision of whether to conduct a survey or an interview is one that deserves balanced consideration. A survey is an opportunity to gather a lot of feedback quickly and efficiently. If the internal audit team needs to acquire information from a large number of people, a survey may be a more efficient method. Some other factors that could contribute to the decision to favor a survey over an interview include:<br></p><ul><li><p>The auditor's preference for low or virtual contact versus an in-person meeting, possibly based on the circumstances. </p></li><li><p>The time budget. </p></li><li><p>The type of audit. For instance a compliance audit with a high amount of transaction testing may not require a lot of perspective from management. Alternatively, a performance audit of program implementation in the public sector, where feedback may be pertinent to the audit results, might necessitate an interview.</p></li><li><p>The stage of the audit, such as the planning or risk assessment phase versus the fieldwork phase. </p></li></ul><p>While there are valid reasons to conduct surveys, in many cases, there are some obvious drawbacks to relying on them. If an audit client is simply responding to a survey, there may not be the opportunity to expand upon thoughts or questions. Even with the inclusion of text boxes to encourage open commenting, audit clients may be less inclined to elaborate on their responses and may even fear putting their criticism or concerns into writing. <br></p><p>Further, if auditors conduct all questioning in a survey format, they may not be receiving the complete and objective input from the audit client needed to conduct the audit work. And if auditors draw conclusions from limited information, they risk not being able to adequately identify or address issues that may exist.<br></p><p>When faced with the same questions in a face-to-face or virtual setting, if the auditor can work to make the audit client feel comfortable, a simple question can potentially lead to valuable information about programs, processes, culture, and initiatives (and more) beyond what was initially requested. Internal auditors don't know what we don't know, and we don't always know what to ask on a survey. A survey alone does not easily provide an opportunity for a deeper dive. <br></p><p>In addition to the opportunity to glean valuable information, interviews are also an opportunity to market the internal audit function as a problem solver, build relationships with audit clients, and generally make a good impression to help build the audit activity's reputation as a valued partner in the organization. <br></p><h3>A Quick Primer on the Virtual Interview</h3><p>While virtual interviews may seem less natural, there are ways to conduct an effective interview while still following pandemic protocols or restrictions. As with any internal audit interview, in the virtual environment, the auditor must be aware of and manage potential distractions, including technical difficulties and background noise. Plan ahead and communicate in advance with the audit client, just as you would when scheduling an in-person interview. <br></p><p>Request that the audit client make themselves available on video if possible, to gauge body language. However, be prepared to be flexible — there may be circumstances beyond the audit client's control. If interruptions arise, be prepared to reschedule a portion of the conversation. Try not to assume negative intent.<br></p><p>Consider that even virtual interviews may be far superior to surveys in many cases. Where time allows, auditors should consider conducting some interviews — maybe by choosing to follow up on unexpected or unique survey responses. The auditor also can ask respondents to signify if they would like to follow up with an interview.<br></p><p>When it comes to the quandary of "to survey or not to survey," take a balanced approach, but don't forgo the art of interviewing altogether.<br></p><p><br></p><div>Pamela J. Stroebel Powers, CIA, CGAP, CRMA, CPA, is a director of professional guidance, specializing in the public sector, for The IIA. She resides in Salem, Oregon.<br></div><div><br></div><div><em style="text-align:justify;">Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;text-align:justify;color:#6eabba !important;"><em>here</em></a><em style="text-align:justify;"> to learn how to contribute a blog post.</em><br></div><p><br></p>Pamela J. Stroebel Powers0
Remember the 98 Account the 98 Account<p>I was talking with some old friends a while ago, friends I have known since the days we all worked together at Farmers Insurance. (That makes it quite a while ago.) For some reason, the 98 account came up. No rhyme nor reason, it just weaseled its way into the conversation of a group of people talking about the old days.</p><p>"What is a '98 account?'" you might ask. Well, that is pretty much what we were asking. The scary part is that, with very little mental prodding, I was able to recall that the 98 account was the escheatables account — the account that held the funds related to uncashed checks. As the group chided me for remembering something so arcane, I defended myself by noting that one of my first audits was a review of this account. I also noted that it was an audit I did more than a few times.</p><p>And therein lies a lesson about the way we used to audit back in the early 1980s. Our schedule was based on a cycle of audits. There may be a few of you out there old enough to remember this approach, but for everyone else, let me enlighten you. Somewhere in the organization's misty past, someone had decided which audits were the important ones to do. (Back in those days, that often meant a lot of financial audits.) Those audits were then scheduled throughout the year. And those same audits were done the next year, and the next year, and the next year, and so on. Sometimes there might be a two-year cycle. But in general, the same audits were done at the same time, over and over again.</p><p>It was not a great approach. Proof: Every May we did an audit of our salvage operations — looking at the cars, the sales, and the monitoring processes within the regional office. After a couple of audits, we realized the salvage clerks knew when we were coming and would pull all the diary strips to make it look like they were up to date on their work. (Don't know what a diary strip is? Ask your grandparents.)<br></p><p>Yeah, the cycle of audits was not a great approach, but it was all most of us knew. And the profession has definitely gotten better. But that is only the beginning of this little parable. We have more to cover, so let's move on.<br></p><p>Once our little coffee klatch finished exploring the 98 account (a short exploration), our discussion became a litany of numbers as we (for some reason, fondly) recalled the various accounts and related audits — the 88 account, the 74 account, the 14 account, and the 06 account (that was an important one because it was an uncontrolled account.) Yeah, we were reliving all the hits. (And I wish to also note that I am not making these up; these were accounts we actually audited.)</p><p>We then started talking about the way our audit planning evolved. (Yes, this was an audit-nerd convention.) Like so many others, we changed to a risk-based approach. It had its problems, just like everyone else's, but in general, it went very well. And that is where the story ended — at least as far as those in this conversation knew.<br></p><p>Because reminiscing about those accounts reminded me of an interesting discussion that occurred at the end of my tenure with the company. Internal audit was focusing on processes — operational audits intended to provide value by identifying opportunities for improved efficiency and effectiveness and generally helping everyone achieve their objectives. And because we were risk-based, we were focusing on processes where we thought the greatest risks resided. But I got to thinking about those accounts — all those numbers and all those transactions and all those dollars. I was wondering if we had developed a blind spot regarding some of that work and those accounts and, in general, a lot of those audits that had fallen by the wayside when we moved away from the cycle of audits. As an example, I couldn't remember the last time we had done a review of the 98 account. (I can't give you dollar totals, but I'm guessing you can figure out why this might be a big deal.)</p><p>I went to the CAE and made a case for reviewing some of these accounts. And I was summarily dismissed.</p><p>I was given some insubstantial reasons, but it all seemed to come down to this point: "Why should we care about those accounts? We have bigger issues and risks to address." And yeah, that could be a valid argument. But my additional concern was that we were not considering these accounts and processes in our risk assessments. That is, I would have been fine if we had included these in our assessments and agreed they were not an issue, but they were being summarily dismissed without any real deliberation.<br></p><p>And one more thing. I genuinely believe the CAE, someone who had been around as long as I had, was still distancing himself from our old approach to planning and audits — he was actively keeping away from the audits that were part of that cycle of audits approach we had dropped nearly 20 years before.</p><p>We never did any audits over those accounts. I retired. And, to the best of my knowledge, the audits were not done after I left. Farmers Insurance still exists, so I'm guessing the fact that internal audit did not look in those directions did not signal the demise of a 75-year-old company. However, as indicated before, there are a couple of lessons to be garnered here.<br></p><p>First, look back at the audit work that your organization has completed. Be willing to go way back and see if there was something done in the past <span style="font-size:11pt;line-height:107%;font-family:calibri, "sans-serif";">—</span> something that has a hidden component of risk you hadn't thought about — to determine if another visit might not be warranted.</p><p>Second, (and somewhat related to the above) don't let the pendulum swing too far. In an effort to distance ourselves from the cycle of audits, we were potentially avoiding and missing some long-standing risks. And the profession falls into this trap just as easily as individual departments. Was SOX a response to too much of a focus on operational auditing? Are we so focused on cyber and IT that we're missing something in the non-technical world? Was our focus on all the latest, top-20, hot-off-the-presses risks the reason that, rather than being unprepared for the pandemic, we were <em>woefully </em>unprepared? No one type of audit approach is perfect. And finding the balance that is effective means keeping one foot in every type of audit. (And, yes, I know that means you need more than two feet for such a feat to be accomplished, but this has gone on too long for me to worry about perfecting metaphors. You know what I'm trying to say.)</p><p>But there's one more thing: a broader issue about management, leadership, and innovation. Make sure people know why decisions are being made. When I suggested the review of past accounts, I never really heard any discussion on why the idea was rejected. I got some generic excuses that all came down to nothing more than it would be a waste of time. And maybe it <em>was</em> a waste of time. Maybe not doing those audits <em>was</em> the right decision in that situation. But I will never know because I don't know how the decision was reached.<br></p><p>With every suggestion that is made, there is a chance it will be accepted or rejected. (And your percentage of success will vary.) Maybe they are good ideas; maybe they are bad. However, no matter the situation, let people know why the decision to accept or reject was made. Innovation and progress will only occur with an influx of new ideas. And nurturing that influx is key to successful innovation. To enhance creativity — to drive improvement and innovation to rise to the next level — you have to welcome ideas. And nothing will shut down the flow of creativity quicker than being summarily dismissed. No, you don't have to accept every idea. But when rejecting an idea, make sure you have established your reasons and thought them through. And let everyone involved know why the decision was made. And who knows, maybe when you think it through, you may realize that rejection isn't the way to go.<br></p><p>Now, what did I do with that check I forgot to cash?<br></p><p><br></p>Mike Jacka0
On the Frontlines: The Importance of Audit Testing the Frontlines: The Importance of Audit Testing<p>Internal auditors are known for their rigorous review of organizational processes and internal controls, and audit testing is where that skill really manifests. Specifically, the auditor assesses the adequacy and effectiveness of the processes and controls during this phase of the audit.<br></p><p>Testing for adequacy is checking on whether the internal control in place is appropriate and is able to serve the function for which it is intended. On the other hand, effectiveness refers to whether the control is actually performing as intended. The control may be adequate for its function, but if it is not being implemented correctly or at all, it will be unable to deliver its intended results.<br></p><p style="text-align:justify;">There are several different ways to conduct testing, which may include:<br></p><ul><li><strong>Observation or walkthrough</strong><strong>,</strong> where auditors monitors the audit clients while they perform the duties or — if that is not possible — where the audits would simulate the transaction to be able to witness first-hand the process and controls as they take place.</li><li><strong>Inspection</strong><strong>,</strong> which would include the auditor reviewing documents and records from relevant transactions. Examples of inspection include reviewing purchase orders, delivery notes, and invoices. This is the most common testing method.</li><li><strong>Reperformance or Recalculation</strong><strong>,</strong> which is also a common testing method. It involves the auditor redoing the work from scratch to compare the auditor's results against the original results.<br></li><li><strong>Confirmations</strong><strong>,</strong><strong> </strong>which may include the auditor validating the results of internally generated documents against an independent source, such as comparing the internal cash ledger to the bank statement or comparing the receivables ledger to a statement of account provided by a supplier.<br></li></ul><p style="text-align:justify;"><br></p><p style="text-align:justify;">Internal controls testing usually aims to validate certain criteria about the test data, such as:</p><ul><li><strong>Completeness</strong>, referring to whether the test data includes all relevant data, with no data omitted.</li><li><strong>Occurrence</strong>, validating that reported transactions actually took place and are not fictitious.</li><li><strong>Accuracy</strong>, to verify that the reported data is correct and is representative of the correct details of the transactions that occurred.</li><li><strong>Existence</strong>, ensuring that the transactions that took place are reflected in their physical capacity.<br></li></ul><p style="text-align:justify;"><br></p><p style="text-align:justify;">The type of test selected usually corresponds to the criteria being tested. Tests should be selected carefully so that they are able to generate results that would answer the query in question. A common error is conducting an irrelevant test. To avoid wasting audit resources and budget, the following considerations are helpful when planning audit testing:</p><ul><li>Start the test planning phase by clearly documenting the process to be tested and the internal controls that are related to it. This first step alone should provide insight as to whether the control is adequate.<br></li><li>Before selecting and documenting audit tests, outline in writing the intended objective of the audit tests to verify that the objective can be fulfilled with the intended test.</li><li>Include action points in the test plan using audit terminology such as "confirm" or "validate" and making testing procedures as detailed as possible rather than writing vague testing procedures such as "review" or "check."</li></ul><p style="text-align:justify;"><br></p><p style="text-align:justify;">The testing procedures should support the auditor in determining whether the control in question is indeed effective. The results of the testing procedures also will support the auditor's findings when the time comes to report observed audit exceptions.</p><p style="text-align:justify;">Not having sufficient and accurate support to back up one's findings can compromise internal audit's credibility and professionalism. Ultimately, the soundness of the audit test may have an impact on whether the auditor and audit team is well-positioned as a trusted advisor for the audit client and the organization.<br></p><p style="text-align:justify;"><br></p><p style="text-align:justify;">Hassan Khayal, CIA, CRMA, is an internal auditor based in the United Arab Emirates and a 2020 <em>Internal Auditor</em> Emerging Leader.​<br></p><p style="text-align:justify;"><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Hassan Khayal0
Building a Better Auditor: The Significance of the Integrity Principle a Better Auditor: The Significance of the Integrity Principle<p>As many of us know, the purpose of The IIA's <a href="" data-feathr-click-track="true" target="_blank">Code of Ethics</a> is to promote an ethical culture in the profession of internal auditing. Principles within the Code include integrity, objectivity, confidentiality, and competency.</p><p>It could also be argued that all four principles defined in the Code are equal in importance. There is truth to this; internal auditors must comply with each of them equally. We cannot pay more attention to objectivity than confidentiality or focus on integrity while ignoring competency, and so forth.</p><p>However, the significance of the integrity principle, in my humble opinion, cannot be overstated. It is the foundation of all possible ethical values. As I stated in my previous blog post, <a href="/2021/Pages/Building-a-Better-Auditor-From-Staff-Auditor-to-CAE.aspx" data-feathr-click-track="true">"From Staff Auditor to CAE,"</a> without honesty, you will not be able to be objective or stay confidential. You will not even improve your competency appropriately, although you may (and there is a big chance that you will) pretend that you do.</p><p>Let us go a little bit deeper by considering possible risk scenarios triggered by a lack of integrity, as well as recommendations intended to mitigate these risks.</p><h2 style="letter-spacing:normal;">Dishonest Objectivity</h2><p><strong></strong>It is unlikely that a dishonest person would assess information objectively. Objectivity is a hard task even for a diligent person (considering all relevant circumstances is not an easy duty). So what would a dishonest auditor do? There could be many factors motivating him or her to behave in a biased manner.</p><h3 style="letter-spacing:normal;">Risk Scenarios<br></h3><p>In pursuit of posing as a value-adding auditor, our integrity-deficient auditor might overstate the significance of issues observed or report nonexistent findings (for example, by interpreting current issues as not compliant with respective guidance). A dishonest internal auditor might also conceal the existence of a conflict of interest if they are understating the deficiencies observed (resulting from a too-friendly relationship with an audit client) or overstating deficiencies (in the case of hostile relationship with an audit client).</p><h3 style="letter-spacing:normal;">Risk Fix</h3><p>To avoid overstatement, there should be a clearly-defined model for risk assessment and day-to-day control over audit assignments, such as through proper supervision. The negative scenario of nonexistent findings may also be detected by supervising audit engagements. And a preventive control for preventing a conflict of interest is an effective conflict of interest policy — which could include negative reinforcement for noncompliance.</p><h2 style="letter-spacing:normal;">Dishonest Confidentiality</h2><p><strong></strong>Unfortunately, the ability to keep things secret is not always characteristic of humans. It is equally uncharacteristic of a dishonest person to respect the privacy of information. It could be rather tempting to use valuable information for personal gain.</p><h3 style="letter-spacing:normal;">Risk Scenarios<br></h3><p>Just imagine how attractive the desire to benefit from confidential information is — how hard it would be not to withdraw money from a financial institution in the case of an increased liquidity risk or buy stocks knowing that there is high probability that share value will increase.</p><h3 style="letter-spacing:normal;">Risk Fix</h3><p>The first step in managing the confidentiality of an organization is classifying information by its secrecy level (stakeholders must understand which information is confidential). Further steps include offering internal guidance on the disseminating of information and conducting periodic monitoring on compliance with the rules. For instance, in a liquidity risk scenario, it would not be so time-consuming to monitor whether internal auditors used confidential information for personal gain.</p><h2 style="letter-spacing:normal;">Dishonest Competency</h2><p>Even the competency principle would inevitably be impaired by dishonesty. It is hard to believe that a dishonest person would improve his or her skills in a disciplined manner. However, our integrity-lacking internal auditor would likely improve on their "cheating" competencies.</p><h3 style="letter-spacing:normal;">Risk Scenarios<br></h3><p>In the desire to be evaluated as a competent auditor, internal auditors might overstate the knowledge and skills they possess and engage in audit assignments not familiar to them. Alternatively, in an attempt to comply with the requirement to continuously improve on proficiency, an internal auditor might take ineffective courses in order only to check the box within an individual development program.</p><h3 style="letter-spacing:normal;">Risk Fix<br></h3><p>The best way to keep auditors aligned with the competency principle is a quality assurance and improvement program (QAIP), ensuring that all components stated by the respective standards are in place. For competency frameworks establishing requirements for each position within the internal audit function and respective evaluation practices, these must be designed and implemented. In the presence of approved individual development plans, also a feature of QAIPs, opportunities to select ineffective trainings will be definitely reduced.</p><p>It would be impossible to summarize all risks related to a lack of integrity and possible measures intended to manage them. The simplest way to avoid risks related to the integrity principle is to maintain an ethical climate within the organization as a whole, and specifically within the internal audit function. We must promote the integrity principle every single minute of our lives.</p><p><br></p><p>Aziz Fataliyev, CIA, is president and chairman of the board of IIA–Azerbaijan, and head of the internal audit department at Yelo Bank OJSC in Azerbaijan.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;"><em>here</em></a><em> to learn how to contribute a blog post.</em></p><p><br></p>Aziz Fataliyev0
A Future More Rosy Than Black Future More Rosy Than Black<p>Here's an interesting fact. According to my pree-cise calculations (in other words, I think this is right, but don't take that bet to the casino), this is my 800<sup>th</sup> blog post. That … is a lot of words. In fact, almost 575,000 of them. And I'm not sure what should scare you more: that I have done that much writing or that I know how many posts and how many words I have written.</p><p>Recently, I went through some of those posts and recognized something that has been pointed out by more than one person. I can come off a little negative. In fact, it seems I spend more time ranting, raving, railing, and raging about the current state of internal audit than I do talking about the things we do well.</p><p>Well, to paraphrase a common bumper sticker, "If you're not mad, you're not paying attention." And my passion comes from a good place. I think internal audit is one of the best professions out there, and I do not want to see it fade away because of neglect. There is a lot of complacency in the internal audit world, and you do not turn off complacency by uttering phrases of great calm. Because I believe in the sleeping giant that is internal audit, I feel the best way to wake that giant is to scream in its ear. To quote the Twisted Sister song "Wake Up (the Sleeping Giant)":<br></p><p><span class="ms-rteStyle-BQ">Long ago and far away<br><span style="font-size:inherit;">We had a voice, you know that we had a say<br></span><span style="font-size:inherit;">We won't live for yesterday.<br></span><span style="font-size:inherit;">Ready or not, we're gonna have our way.</span></span></p><p>We need to realize we've lost that voice, we can't live for yesterday, and we need to have our say.</p><p>That was part of the message/sermon I was delivering/preaching in my <a href="/blogs/jacka/2021/Pages/Future-Imperfect.aspx" data-feathr-click-track="true">most recent post</a>. And if I hadn't been careful, that tirade could have wound up being my 800<sup>th</sup> blog post. But I didn't want that. I wanted something different for this milestone. I wanted to shed light on the hope and opportunities that exist in internal audit. Because, for all my wailing and gnashing of teeth, there are a lot of good things going on in the profession.<br></p><p>(And with that, I finally get to the point. My apologies. But, if you have read even a smidgen of the previous 799 posts, you know that getting to the point is not my long suit.)</p><p>I look back at my 35+ years in the profession, and I see steady progress. (In the profession, not in myself. File my attempts at progress under "Lost Causes.") In my day (as the old-timers say), we just reported things (no corrective actions), operational audits were an unnamed luxury, we performed our work using the cycle of audits (risk-based auditing joining operational audit in the pantheon of mythical, internal audit creatures), and there was a lot — a <em>lot </em>— of compliance and finance work. And while I know a lot of shops are still mired in these quagmires (along with the SOX subsummation), there are a lot of shops that are exploring new and different things.<br></p><p>Such progress is a good thing. But I am also seeing signs that bigger changes are afoot. And I want to give you a few examples that crossed my path in the last few weeks.<br></p><p>A sure sign that the profession has not given up and is trying to move forward is reflected in what is being written about the theory and practice by those involved in the theory and practice. Yes, I know written words can only do so much. But the more that is written and the more that is said, the more those ideas become a part of the work that is being done. Let's look at one of the best pieces I've read in a long time.</p><p>Hal Garyn has been a thought leader in the profession for a long time, with a list of bona fides that put the rest of us to shame. In a short piece titled <a href="" data-feathr-click-track="true" target="_blank">Six Common Internal Audit Miscues to Avoid</a>, he shows how formal and pedantic approaches to internal audit can be harmful to the individual department, as well as the profession. He articulates the things people do wrong in internal audit and, in the process, outlines how internal audit can be better than the strictures we place on ourselves. He is nice enough to call them miscues, but they are foundational errors and obstacles to success. (Hal, if I misunderstood or overstated what you were saying, feel free to let us all know.)<br></p><p>There are also a lot of people trying to figure out how to make the work of internal audit go better. We've all had to learn new approaches to our work as the world moves into what feels like some weird part of the multiverse. But some people are making significant strides in changing how we might get work done.</p><p>Bryant Richards, a former head of internal audit and current professor with Nichols College, is taking giant steps (there's that giant again) helping the profession better use new and developing technologies. He has established the <a href="" data-feathr-click-track="true" target="_blank">Center for Intelligent Process Automation (CIPA)</a>, which brings together students and professionals to help implement digital transformation. More specifically, CIPA is helping auditors, accountants, and all business professionals understand the power of Robotic Process Automation (RPA), including using the tool as a potential steppingstone to AI. (And Bryant, if I've gotten any of this wrong, I know you, too, will be more than happy to correct me.)</p><p>And finally, there is something I recently saw from Protiviti — the video that made me realize there are people really stretching the idea of what internal audit needs to know, needs to do, and needs to be. I have no idea how this popped in my inbox, but I saw the name Michio Kaku paired with Protiviti and I instantly clicked through to see what was going on.<br></p><p>For those who don't know, Michio Kaku is a theoretical physicist, futurist, and bestselling author who uses science to help us everyday people understand what the future may have in store. And that is exactly what you will see in <a href="" data-feathr-click-track="true" target="_blank">this video </a>— a discussion that starts out being about the future of cities, but wanders into advanced AI, brain net, fusion power, and digital immortality.<br></p><p>Not a word in the discussion about internal audit. The listener has to fill in those blanks. And I know Protiviti is much more than just internal audit. But, again, this popped in my inbox as an internal audit related piece. And, no matter what you might think, everything Kaku is saying needs to be understood and applied by any internal auditors smart enough to know the future is what we are supposed to be concerned about.<br></p><p>The video is extraordinary in its own right — the idea that internal auditors should be interested in and hear Kaku's comments. But it appears to be part of something bigger; Protiviti seems to be developing content around the concept of vision — exploring transformational forces that will impact all of us. It looks to me to be an attempt to help professionals understand and be prepared for the incredible changes that are coming. More specifically, a chance for internal auditors to really explore the future and, by exploring that future, better understand the risks, opportunities, and vision of what may be in our clients' futures. (And to anyone at Protiviti, just as I said to Hal and Bryant, if I have misunderstood what is trying to be accomplished, let me know.)</p><p>I was recently rereading a leadership book a friend gave me many, many moons ago — <em>Radical Leadership</em> by Steve Farber. The author talks about four aspects of leadership. The one that caught my eye was "to inspire audacity." He goes on with the question. "How are we going to change the world?"</p><p>There it is folks; that's the question internal audit should be asking. Not just what is on the schedule, what are the risks, what does the client want, or what changes are occurring. But asking how we are going to change the world. And, in the examples I've provided, I see the profession taking steps toward that audacity.</p><p>Now, how are you going to respond?<br></p>Mike Jacka0

 ‭(Hidden)‬ Content Query

View RSS feed
Become a Blogger
  • AuditBoard-January-2022-Premium-1
  • CIA-January-2022-Premium-2
  • 2022-GAM-January-2022-Premium-3