Your Voices

Portuguese translations



Analyzing the Words We Use the Words We Use<p><a href="/blogs/jacka/2021/Pages/Do-the-Pieces-Support-the-Whole.aspx" data-feathr-click-track="true" target="_blank">In my last post</a>, I talked about our need to understand why we write audit reports – their purpose. I focused on the general consensus that reports are written to persuade the reader to take action. I then went on to talk about how the contents of our reports do little to drive people to such action. My premise was that we need to closely inspect what and how we write to understand what is going right and what is going wrong.</p><p>I ended with a promise that I would take a deep dive — a very deep dive — into a rather innocuous but persistent sentence each of us has probably written innumerable times.</p><p>Welcome to the inquisition.</p><p>There is a line that our audit department had in every single audit report. (The following may not be verbatim, but it is close enough for our purposes.) "In our opinion, controls over <em>[insert area being reviewed here]</em> are <em>[insert opinion, e.g., effective, ineffective, etc.]</em>"</p><p>A good old fashioned opinion statement. It does its job, and it did its job in our internal audit reports for at least 20 years. I'm guessing you have a similar sentence, an opinion statement that has stood the test of time as it is used over and over again.</p><p>So, why pick this sentence for review? To begin with, it is an important sentence since, for a lot of readers, the opinion statement is the only sentence in the report they care about. In fact, sometimes it is the only sentence they read.</p><p>Also, as already noted, it is a sentence we have all used for a long time, trusting in it to withstand the test of time. Accordingly, it may deserve to be taken down a peg or two.</p><p>Why look closely at what has worked before? Here's a story I've told before, but you'll just have to sit through again. When I joined the Farmers Insurance audit team, there was a standard paragraph we wrote related to claims reserves — a paragraph we wrote many times since we reviewed at least one claims office per month. Within that paragraph we would write that inappropriate reserve setting [the amount set aside in expectation of a future payment of a claim] would result in those funds being "trapped in the system." After about a year, the home office QA team visited and one of the first things they asked was what "trapped in the system" meant. We had no answer. It was just what we wrote. And it had always worked in the past, so it must be relevant for all time. It promptly disappeared and the experience reminded us we needed to think about what we were writing.</p><p>The need to constantly review assumptions you assume to be perfect.</p><p>So, because the opinion statement is the primary focus for most of our readers, and because it is a sentence we seldom inspect closely, let's dissect its effectiveness in driving action and building excitement.</p><p>"In our opinion…" While this would seem to fit perfectly into what we are trying to say, in actuality it is not a good start. In our department, we had a section of the report titled "Opinion." And the only sentence in it was this opinion statement. Accordingly, this verbiage seems a bit redundant. While some might argue the phrase provides value by reemphasizing why the sentence exists, there is just as strong an argument that is it only cluttering the communication with redundancy.</p><p>Further, I would argue that it is evident that what follows is the internal audit department's opinion. It is our report, so it is our opinion. An argument might be made that everything else in the report represents the reporting of facts; so, since this is opinion, it might be good to reemphasize that fact. Could be. But that gets to the point of this exercise. There are no right and wrong answers when asking these questions. Instead, we are looking closely at the words and making personal/departmental decisions about what really supports the purpose of the report – what should stay and what should be changed.</p><p>Let's keep going.</p><p>"…controls over <em>[insert area being reviewed here]</em> …" Let's start with the last part — the part where you fill in the name of the area being reviewed. Do we need to restate the department/process that has been reviewed? It is in the background, it is in the title, it permeates everything else. Do we need to say it again?</p><p>Since this may be the only part of the report some people read, it could be argued that repeating the title is a good thing. However, it also represents another redundancy. As a profession, we seem to enjoy redundantly repeating ourselves in the name of clarity, and all it does is obscure what is important. We need to be watchful of the symptoms of redundisease.</p><p>But let's go back to the beginning of this phrase and the problematic word "controls". We use it like we all know what it means. But do your clients really understand what a control is — its purpose, its structure, its lot in life — and, to be honest, do we even know what it means?</p><p>That is not to say the word should not be used in the context of an opinion statement. This is our opinion on the controls. However, this emphasizes the need to ensure there is a shared nomenclature between ourselves and the client — that everyone involved knows exactly what is being said and the meaning of words that are being used.</p><p>Finally…</p><p>"…are <em>[insert opinion — e.g., effective, ineffective, etc.]</em>" Good news. I'm not going to dissect the word "are". However, the terms we use — effective, ineffective, needs improvement, needs some improvement, needs lots of improvement, needs improvement but not really a lot of improvement, needs to see someone about that cough — are very powerful. They are the Sword of Damocles hanging over every reader's head. They drive the action. They cause the need to take action.</p><p>In our organization, we used effective, needs improvement, and ineffective. However, over time we found that over 80% of reports were showing controls needed improvement. In other words, the terms were almost meaningless and they did not drive to action.</p><p>While we may not have had that part right (and we took various steps to do something about it) we did get one other thing right. We had an appendix in every audit report that laid out exactly what we meant by each of the opinions. So, unlike the word "control" which could get lost in obfuscation, the opinions themselves were well defined.</p><p>So, we come to the end of our dissection. What comes from all this? Well, first, you should have a better idea of what the sentence is trying to accomplish. But I'll also throw out a suggestion. How about if each report has a section titled "Opinion" or "Internal Audit's Opinion," allowing for the elimination of that introductory statement. Then let's also assume the reader already knows what process/department is under review. The section then contains only one sentence. "Controls are <em>[insert opinion — e.g., effective, ineffective, etc.]</em>"</p><p>Too abrupt? Not enough information?</p><p>Let me throw another one at you. We know that the main thing people care about is the opinion. So how about, after the title of the audit report, the very first sentence is "Controls are <em>[insert opinion — e.g., effective, ineffective, etc.]</em>"</p><p>Too soon? Too scary?</p><p>Okay, time to wrap this up. We've just gone through a lot of work for one 8- to 12-word sentence. And this is probably more exercise than you want to do on every sentence of every audit report. But every sentence deserves some scrutiny. And, once you've done it a few times you'll see that the analysis becomes second nature. The dross will disappear and the call to action will remain.</p><p>Note that I normally write these posts by talking about the general — the way things are in the real world — and work toward the specific — why internal audit should care. But, in this case, I'm going to take a second to come at it the other way because every part of what I've written in these two blog posts also relates to every word you write – memos, emails, letters, postcards, tweets, anything. What is the purpose of what you are writing? And is what you are writing actually communicating that purpose?</p><p>Practice these concepts in life and it will make your writing better, even when you write audit reports.</p><p>Now, you might think this is where our discussion comes to an end. But I have a confession. I don't agree with a basic premise I have used in both of these posts. Next time, my thoughts on why we write audit reports, and why our reasons may lead us down the primrose path.<br></p>Mike Jacka0
On the Frontlines: 3 Things to Do Now to Become More Agile the Frontlines: 3 Things to Do Now to Become More Agile<p>​In today's fast-paced landscape, the risk environment is constantly changing. Strategic and operational risks are ever-evolving, driven by external or internal factors — or both — causing risk exposure levels to escalate faster than ever before.</p><p>Internal audit teams are challenged to ensure that assurance goes beyond passively reviewing past events. We must offer deep insights considering macro-level organizational challenges and the current risk environment to advise management and the audit committee on navigating these challenges successfully.</p><p>Stakeholder expectations of assurance providers are rising in tandem with risk management pressures. Against this landscape, it has been worth critically assessing the inherent weaknesses of the traditional audit approach and how elements can be redesigned to deliver greater organizational value. Wolters Kluwer TeamMate's <a href="" data-feathr-click-track="true" target="_blank">Touchstone Insights for Internal Audit</a> report reveals that more than 70% of organizations are either planning to or are executing an Agile audit methodology (see box, below right).  <br></p><p>Audit teams have long been criticized for lack of timeliness. Stakeholders are frustrated with the time taken to deliver audit results, typically in the form of a final audit report. With the risk landscape volatility, senior management cannot afford to wait until the audit's conclusion to receive a long-form audit report. The sooner management receives the audit report, the swifter it can respond. </p><p><img src="/2021/PublishingImages/Naidoo-Picture1.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />In our age of collaboration, the auditor's "trusted advisor" vision seems disconnected from the actual audit approach, which can be perceived as "top-down," rather than collaborative. This approach is a fit for fraud investigations, given the nature of the work. However, for an audit, perhaps engaging more collaboratively means auditors will have experienced guides to help them more efficiently navigate the sometimes-unfamiliar terrain of the business process.</p><p>A blanket "top-down" approach for all assurance activities can, at best, result in audit-client resistance, and at worst, conflict. Either way, it's a disastrous outcome for internal audit's position as a trusted advisor and for the organization's ability to address risk.</p><p>The challenges with traditional audits also have included the characteristically long-winded exit process to confirm details of findings as well as receive and finalize management responses, including timeliness. These conversations are usually held only at the end of the audit based on the traditional audit methodology. This approach only further delays finalizing audit reports and the start of the real value-add — implementing management actions.</p><p>Collectively, this process creates situations where risks are identified and remain unmitigated, or control deficiencies remain unchecked for even longer. This situation leads to frustrated audit teams and management, disillusioned stakeholders, and more importantly, a greater risk to organizational objectives. On average, it takes about five weeks to communicate results — two weeks to issue a draft report, two weeks to receive management responses, and one week to issue a final report. </p><p>According to Touchstone Insights for Internal Audit, 79% of respondents say collaboration with the business is extremely important. To deliver valuable, timely results in a collaborative approach, audit teams should consider adopting an Agile methodology, based on the 12 principles enshrined in the Agile Manifesto designed for software development. Each audit department can interweave these principles across its audit process to strive toward a fully Agile approach to "steal the best bits."</p><p>Here are three things that internal audit functions can do today to become more Agile.<br></p><h2>1. Increase the Frequency of Risk Assessment Updates</h2><p><img src="/2021/PublishingImages/Naidoo-Picture2.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Risk assessments are the birthplace of a risk-based audit approach. Agile audit departments respond to the changes in the risk environment by continually pivoting toward new and emerging risks.</p><p>Traditionally, an organization's risk assessment was performed annually. Given today's rapidly changing risk landscape, an annual risk assessment is quickly outdated and can endanger the audit plan's relevance.</p><p>For audit teams to deliver relevant assurance, they must become more Agile and strive toward a risk assessment that continually reflects what is keeping senior management up at night. This means that risk assessment updates must be done more frequently, and certainly more than once a year.</p><p>According to Touchstone Insights for Internal Audit, 61% of respondents update their risk assessments annually (see box, right), and the frequency of these updates increases as departments adopt an Agile methodology. Of those teams that execute an Agile methodology, only 28% perform risk assessments annually. Most Agile functions have moved to at least quarterly updates.<br></p><h2>2. Adopt a Truly Risk-based Audit Approach</h2><p>Organizational management is constantly scrutinizing spending, and even internal audit is not immune to this scrutiny. Audit teams must continue to demonstrate value through assurance and consulting services across a broader spectrum amid growing complexity. Management and audit committees also want internal audit to display sound judgment by increasing focus on heightened risk areas.</p><p><img src="/2021/PublishingImages/Naidoo-Picture3-text.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Narrowing focus on areas of significant risk leads to more clearly framed objectives. A truly risk-based approach also is a building block of efficiency. With a clearly defined and refined set of objectives, Agile teams do not simply design and execute an audit program based on an exhaustive set of risks identified in a risk assessment. In doing so, the audit team balances the promise of reasonable assurance, the risk profile, resources, and value-add.</p><p>The Touchstone Insights for Internal Audit study shows that when audit teams adopt an Agile approach, these teams scope the risks to be covered and focus on the highest risks. The value of using an Agile approach is that audit teams can quickly pivot to areas of greater risk. Management and operational frontline staff involved in the audit are less burdened with audit procedures covering lower risk business areas. According to the survey, 40% of agile teams create their audit scope in conjunction with the business.</p><p>Moreover, audit committees prefer audit teams to focus time and effort on higher value-adding assurance activities. An Agile approach of flexible audit planning aims to improve audit committee satisfaction and confidence by delivering valuable, relevant assurance for the organization. </p><h2>3. Strive for Frequent Communication and Closer Collaboration</h2><p>Audit teams are moving toward an Agile methodology to sharpen their focus on delivering value. The value of audit findings can diminish sharply over time, as the organization faces an identified, but unmitigated, risk that threatens its objectives. Agile tools and processes ensure that teams plan and communicate audit findings timely to preserve their value.</p><p><img src="/2021/PublishingImages/Naidoo-Picture4-text.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Agile teams generally divide their work into time-boxed "sprints" around key or high risks. There are deliberate activities embedded within the approach to ensure more frequent communication and facilitate closer collaboration between the audit team and the organization.</p><p>During each sprint, audit teams already discuss and resolve issues and build a list of reportable issues, often before the draft reporting process begins. At the end of each sprint, auditors share their findings with management. This approach also allows management to plan its response or even address these issues before the final report is issued. </p><p>The delivery of the final audit results hinges on two key activities:</p><ul><li>Issuing the draft report.</li><li>Receiving management responses.</li></ul><p><br>When comparing traditional audit teams with Agile teams, Touchstone Insights for Internal Audit finds that Agile teams are more likely to issue draft reports within one week (see box, abovet right). The report also shows that for the 29% of teams that do not execute Agile activities, the focus is on tracking using estimated/scheduled time versus actual time. While this metric may help calculate utilization and time to complete the audit, it does not provide transparency into the work performed and the conclusions about risks to the organization.<br></p><p><img src="/2021/PublishingImages/Naidoo-Picture5-text.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Agile audit teams often use <a href="" data-feathr-click-track="true" target="_blank">Kanban boards</a>, and in some cases, share them with the organization to provide visualization of work in progress. This approach can make it easier to identify roadblocks. Kanban boards can range from simple to very complex. Teams striving to become more Agile can leverage existing tools to establish a visualization, which can build a collaborative foundation within the team and with the organization.</p><p>Establishing a collaborative foundation with management and more frequent communication are at the center of the Agile methodology. Together, they help a greater percentage of teams receive management responses and issue final audit reports within a week (see boxes, right).<br></p><p>Audit teams looking to become more Agile today can embed more frequent and open communication practices with management and build a collaborative culture to improve the timeliness of valuable audit insights.</p><p><br></p><p>Sio Naidoo, CIA, is product manager, Asia Pacific at Wolters Kluwer TeamMate in Sydney.<br></p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Sio Naidoo0
Do the Pieces Support the Whole? the Pieces Support the Whole?<p>Why do internal auditors write audit reports?</p><p>That question will get you a lot of different answers: communicate what has occurred, show what was examined, document results, provide a basis for client/auditor discussion, provide a basis for client/auditor agreement, provide a basis for client/auditor arguments, provide assurance, follow the standards, drive the auditor crazy with reviews and rewrites that delay the report longer than the release of the final novel in the <em>Song of Ice and Fire </em>series. But one answer seems to pop up most often; persuade the reader to take action. The consensus is that reports should communicate a drive to action.</p><p>If this is the true purpose of the internal audit report (and join us in the next week or so for some thoughts on that one), then we all need to take a long, hard look at what we are writing because, in general, our reports are dry as dust, not even compelling the reader to actually read the report, let alone take action. The words, sentences, and paragraphs in most reports just exist, doing little more than listing data, thoughts, stuff, and things in the forlorn hope that the reader will slog through the Sargasso Sea of dreck and be persuaded. There is no call to action. In fact, there is little action at all.</p><p>Ain't it funny how that word action keeps popping up? I used it a lot in the prior two paragraphs. And, as noted above, it pervades internal auditors' discussions on the subject. And that's a wonderful thing. Persuading the reader is a high and worthy calling. But interesting questions arise from such pronouncements. First of which, do we even know what action we want the reader to take?</p><p>When we say, "persuade to action," is that action to complete the corrective action? Or is it to build a better process? Or is it to make a more successful department? Or have we ever really thought about what action we are discussing? For most of us, the knee-jerk answer is that we want action taken to correct identified issues. But, as we start to think about those broader answers – a better process, a more successful department – we realize that there may be loftier goals we are trying to achieve. And we have to wonder if we might need to take a broader look at the "action" we are looking for.</p><p>And from all this springs the scariest question. If we haven't really thought about what action we are looking for, then how can we expect purposeful action to be taken?</p><p>But let's pretend we know what action we mean. Because the point I really want to raise here relates to the content of our reports. Specifically, how do the contents of our reports support and drive such action. Does every paragraph/sentence/word have a role in supporting that purpose? Does every detail help communicate a drive to action?</p><p>Take the time to think about what you are writing. How does a paragraph work to actually drive action? How do the sentences within support the paragraph and the associated action? How do the phrases provide support? How do the words provide support? How does every detail support that call to action?</p><p>As internal auditors, we tend to fall back on tried-and-true phrasings – the cliches of our profession, the buzzwords, the time-tested terminology we think says something but may be meaningless to the readers. Or, even if the readers are in on it, they've seen it so many times that sentences about risk, mitigation, and control lull them to sleep quicker than … well, there are few things that will lull people to sleep quicker than an audit report.</p><p>Look closely at the words you are using. Do they mean anything to the reader? Do they really mean anything to you? Would the report be the same (or probably better) if some just disappeared? Or might a search for a new, more energetic, more meaningful way to express the concepts actually bring life to the report and incite more action from the reader?</p><p>And, when I say "look closely," I am not exaggerating for effect. It is worth the time to fully understand the nuts, bolts, nails, and punctuation that make up our reports. Come back next time and I'll show you what I mean as I take a deep dive into one sentence almost every one of us has written.<br></p>Mike Jacka0
On the Frontlines: An Auditor’s Reflections on Afghanistan the Frontlines: An Auditor’s Reflections on Afghanistan<p>​In 2017, I worked for an international development organization that was headquartered in Bangladesh, with operations in nine countries. That year, our chief audit executive (CAE) assigned me to a country office audit in Afghanistan. With the recent news of the fall of Afghanistan's government following the withdrawal of U.S. troops, I reflect upon my unique adventure as an internal auditor during those days.</p><p>As my flight descended on Kabul, I could see scattered greenery and the disorderly placement of houses and buildings through the land and mountains. Upon arrival, my internal audit team were welcomed by fine weather and a nice climate. We observed people busy with day-to-day errands and children playing in the streets.</p><p>Our opening meeting with the country head gave us an overview of the strategic challenges, operational context, project, and human resources capacity of our Afghanistan office. The country head explained that our organization had been delivering projects in infrastructure development, education, and health-care services using a community-based approach across many provinces in Afghanistan. The team outlined our audit engagement objectives to the country head and began the fieldwork.</p><p>From the outset, it was apparent that security was a real concern for expatriates working in the country. We were restricted from moving freely outside our accommodation premises at any time of day or night. For example, we were expected to commute between our accommodations and the office using an office vehicle, even though the two locations were on the same block and separated by only 10 to 12 buildings.</p><p>The golden rule was not to visit sites after a certain hour of the day and not to move around without a local guide. Our colleagues told us a story about an expat engineer who had failed to heed those warnings and was abducted during a visit to a project site. After months in custody, the engineer was returned safely and was sent home to his family.</p><p>Restricted in making site visits, our team used data analytics to look at the financial transactions from the project spending by the country office. By analyzing the mobile allowances of employees at field offices, we spotted discrepancies such as a variation of limits from month to month and an employee who received multiple top-ups in the same month. Textual analysis of signatories also flagged indications of unauthorized transactions.</p><p>Auditors working in Afghanistan must comprehend that local norms, behaviors, and cultural views are different from other parts of the world. The procurement team shared their experience of interacting with local contractors to enhance the use of appropriate documentation. Those contractors tended to find documenting transactions in writing unnecessary, noting that verbal commitments are strong, faithful, and conclusive. However, with some convincing and training, the contractors learned to use a standard set of documentation related to tender, bids, etc.</p><p>Engaging third-party, local subcontractors is the usual method to perform work because of restrictions for expats in certain parts of the country. Subcontractors' work was documented using photographs as evidence of completion of schools, infrastructure, and roads. This method was particularly helpful for confirming work was completed because auditors could verify the actual photograph alongside a completion certificate attached to project documents.</p><p>Toward the end of our audit engagement, I facilitated a day-long training session for the internal auditors of the country office, which enabled wider interaction and learning that had a positive impact among the team.</p><p>Four years later, the current conditions in Afghanistan raise the need even higher for public and private organizations to sustain a secure workplace and ensure business continuity. In my opinion, internal auditors in Afghanistan should focus on:</p><ul><li><em>Advocating for business continuity planning for the organization.</em> Internal auditors should develop the required skills or engage experts in the field to guide and advise the organization's leaders on the need to train employees at all levels to ensure business continuity.</li><li><em>Ensuring the safety and security of the internal audit team and all employees.</em> CAEs must give clear instructions on how to address security concerns. For example, auditors should limit site visits, use local guides, and receive updates about current news from the public relations function.</li><li><em>Using data analytics and remote auditing techniques.</em> It is time for internal auditors to learn to use modern analytics applications to achieve audit objectives, as business activities are vulnerable to internal control failures and fraud.</li><li><em>Developing robust policies and procedures for the organization.</em> Internal auditors must step up as trusted advisors and assist business leaders in establishing documented, comprehensive organizational procedures.</li><li><em>Hiring and training local internal auditors.</em> Having local internal auditors in the team will benefit the department to accomplish certain aspects of assurance or consulting engagements. The youth are talented and ready to take on challenging roles.</li></ul><p><br>During my stay in Afghanistan, my 3-year-old daughter Yusairah used to call me and ask in her tender voice, "When will you return from Abbanistan?" My team returned home safe from "Abbanistan,"<em> </em>and the memories shall live long and fresh in my heart. Specifically, the kabab and naan — meat and flatbread — will be difficult to forget. I remember the conversations with the local people who were so good-hearted. The climate was so blissful, and the entire city of Kabul looked enriched by the natural beauty of mountains and valleys.</p><p>For now, the people of Afghanistan have been displaced, are devasted, and face insecurity. We all should pray for and support the people of Afghanistan to sustain peace, security, and prosperity for future generations.</p><p><br></p><p>Kamal Uddin Gazi Jishan, CIA, CRMA, is internal audit manager at Ali Bin Ali in Doha, Qatar, and a 2018 <em>Internal Auditor</em> magazine Emerging Leader.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Kamal Uddin Gazi Jishan0
Building a Better Auditor: Visibility Leads to Promotability a Better Auditor: Visibility Leads to Promotability<p>​It's not working hard that determines your promotion. It's making your hard work and yourself visible that determines your promotion.</p><p>It's true. Visibility leads to promotability.</p><p>Visibility involves connecting the dots from the work you do to the promotion you are looking for, meaning you are working to make your hard work and yourself visible to be noticed, recognized, and rewarded. Visibility opens the door wide for promotion as key decision-makers come to know and like you, hear and feel the impact of the work you do, and imagine your potential for the organization.</p><p>Getting promoted fast is the gateway for rewarding career moves within and beyond current employment over a 30-year horizon. The obvious financial rewards and further career advancement possibilities compound over time to create considerable professional and personal value.</p><p>If I were to rewind my career 25 years, I would have done a few things differently, sooner rather than later. The Pareto principle says that 20% of our activities drive 80% of the results we tend to get in any area. I believe this principle holds in corporate life, as well.</p><p>Let me list the top 3 things that continue to work for me to get visibility with key decision-makers.</p><h2>1. Make Your Voice Heard Where It Matters</h2><p>It is easy to remain quiet in a meeting, presentation, or discussion if you are not specifically called upon or where you feel it's not your area of expertise. Why risk sounding stupid, right?</p><p>At the same time, consistently making your views heard creates a strong impression that you are vocal and have a view. Introverts may have a challenge in these situations as they typically need more time to process information before they can make their views known.</p><p>The downside in remaining quiet or less vocal is that it creates undesired impressions with key decision-makers about our perceived value over time and evolves into entrenched perceptions that we don't have a view or are nor visible enough.</p><p>I invite you to check in with yourself about whether you are confidently making your views heard with key decision-makers.</p><h2>2. Cultivate Relationships With Key Decision-makers Early on</h2><p>In corporate life, the focus is on delivering results. Building relationships typically is not front and center of our minds and tends to be dealt with as and when required to get things done.</p><p>Relationship building with key people, however, is a prerequisite to getting things done effectively and efficiently. Our ability to influence key decision-makers will largely be determined by the level of relationship we have established with each of them. This principle has been one of my biggest lessons over the course of my corporate life: Establish the relationship first before you start calling on someone's help or support to get things done.</p><p>In many situations, challenges in getting work done can be attributed to poor investment in relationships with key people who matter. Where do you see the current challenges in getting things done? Assess the level of relationships established with people in these areas.</p><h2>3. Create Opportunities to be Noticed</h2><p>If you look around, you will find avenues where you can easily put yourself in front of key decision-makers. These occasions may be in a work-related or social setting. Look for existing opportunities to engage with decision-makers on a wide range of matters from a work or personal perspective where you can add value to what they are already doing or what interests them.</p><p>In the beginning, operating this way may feel slightly unnatural if it's not your default style or personality preference. What you will find over time is that persistence with this approach opens the door to developing relationships with key people.</p><p>Here's the thing: These opportunities provide the platform to make your views heard and cultivate relationships at the same time. Consistency in creating and taking advantage of these opportunities is key to creating visibility with the range of key decision-makers who are relevant to your work now, in the near future, and over the long term.</p><p>I truly believe what author and motivational speaker Jim Rohn said, "You can't change your destination overnight, but you can change your direction overnight."</p><p> </p><p>Gerald Ebenezer, CA, CPA(M), is a career professional and coach with 25 years of experience spanning internal audit and business roles for large companies in Malaysia and New Zealand.<br></p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;color:#6eabba !important;">here</a> to learn how to contribute a blog post.<br></p>Gerald Ebenezer0
#IAm Harold Silverman Harold Silverman<p>​As a senior external auditor at Arthur Andersen, I had opportunities to perform a number of internal audit engagements. As Andersen was building its internal audit outsourcing practice, it frequently leveraged external audit staff to help perform fieldwork of internal audit engagements during the slower summer months. Even if I didn't truly grasp the differences between internal and external audit at that time, I enjoyed the work.</p><p>Most of my staff colleagues on internal audit engagements were like me, Certified Public Accountants (CPAs) looking to do something different and find our niche in a large firm. I hadn't met anyone who truly saw himself or herself as an internal auditor, or at least anyone who was proud to say it aloud. Still, I began to consider internal audit as a potential career path.</p><p>On a snowy morning in January 2000, I picked up my briefcase, made sure I had plenty of clean crisp copies of my resume, and left the Boston office of Arthur Andersen. I walked across the street, where I had a series of interviews for a position on the PwC internal audit services team. </p><p>That is the morning I first met the individual who had the greatest impact on my professional life and, to this day, is my most significant role model. Brian Kinney, like me, was a senior auditor. Unlike me, he was not a CPA. He was a Certified Internal Auditor (CIA) and incredibly proud of it.</p><p>Brian had joined PwC's internal audit practice (actually its predecessor firm Coopers and Lybrand) a few years earlier, after graduating from the University of Massachusetts–Lowell. On top of being unimaginably happy and energetic, Brian's enthusiasm for the internal audit profession was infectious. I almost couldn't believe that it was genuine.</p><p>A few weeks later, I joined the PwC team, and Brian became a colleague, peer, and friend. Over the approximately 18 months that we worked together, I realized that every bit of Brian's enthusiasm, energy, and passion for internal auditing was authentic and consistent.</p><p>Brian was also the nicest person that I've ever met, and he let his personality shine in his work. Every interaction had a personal touch that showed that he not only cared about the topic at hand, he cared about you. He cared about his clients and wanted them to succeed. In turn, the clients adored him, confided in him, and trusted him. This allowed him to be a better auditor and to better serve our newly shared profession. </p><p>In the summer of 2000, Brian was promoted to manager. A year later, I also was promoted, and I don't think anyone was more excited for me than Brian. He also was a passionate member of The IIA–Greater Boston Chapter board of directors and encouraged me to volunteer my time to The IIA. </p><p>Tragically, our relationship ended suddenly when Brian was killed in 2001. As his obituary stated, "He could have taken care of that California client by phone. But on Sept. 11, Mr. Kinney boarded United Airlines Flight 175 because he wanted to shake the client's hand and see how he was really doing." The plane he had boarded in Boston was hijacked and crashed into the World Trade Center in New York.</p><p>Each of us will remember that awful day 20 years ago in our own context. I choose to think about Brian.  I feel the loss that hurt so much then and continues today. I also choose to remember the positive impact that he had on my life and career and the impact he had on others around him.   </p><p>In the ensuing 20 years, I have had the fortune of rising in the profession, eventually serving as a chief audit executive for two outstanding organizations. I continued to volunteer for the profession that Brian introduced me to, serving in IIA leadership positions at the chapter, North American, and global levels. I now serve the profession full-time at IIA headquarters.</p><p>Over the past two decades, I have gotten to know many passionate and proud internal auditors. I have many mentors and roles models. However, none of them has had the lasting impact on me as the first one who, on that snowy day in 2000, announced to me in no uncertain terms, "I AM AN INTERNAL AUDITOR!"</p><p>I miss you, Brian. I am a better person because of the time we spent together. Internal auditing is a stronger profession because you were a part of it.</p><p><br></p><p>Harold Silverman, CIA, CRMA, QIAL, CPA, is director, Executive Membership at The IIA.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Harold Silverman0
On the Frontlines: Building Operational Resilience the Frontlines: Building Operational Resilience<p>​The past four years have seen an exponential increase in the number of policies, publications, and guidance to promote the resilience of firms, particularly financial market infrastructure firms. Examples around the world include the U.S. Federal Reserve's <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">Sound Practices to Strengthen Operational Resilience</a> and the Monetary Authority of Singapore's <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">Risk Management and Operational Resilience in a Remote Working Environment</a>.</p><p>In Europe, recent guidance and regulations include:</p><ul><li>The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority's Operational Resilience: Impact Tolerances for Important Business Services.</li><li>The Basel Committee for Banking Supervision's<em> </em><a href="" data-feathr-click-track="true" target="_blank">Principles for Operational Resilience</a> and the work program and strategic priorities for 2021/2022.</li><li>The European Commission's draft Digital Operational Resilience Act and the Network and Information Security (NIS) 2 Directive.</li></ul><p><br>Following the release of <a href="" data-feathr-click-track="true" target="_blank">Operational Resilience: Impact Tolerances for Important Business Services</a> in June<em>,</em> U.K. financial services firms should focus on third-party risk management by considering emerging technology risk linked to the cloud strategy, concentration risk against the major providers, and sub-outsourcing risk. Firms should shift their focus from the internal critical functions to the important business services that, if disrupted, could harm consumers or market integrity as well as threaten the viability and image of firms.</p><p>Also, for each important business service, firms should set impact tolerances that quantify the maximum tolerable level of disruption. In determining these tolerances, they should work from the basis that the impact has already occurred, rather than the risk of it occurring.</p><p>Additionally, firms should identify and document the people, processes, technology, facilities, and information that support important business services. They should take actions to remain within the impact tolerances through a range of plausible disruption scenarios. Moreover, they should devise a plan to test important business services against the tolerances to provide assurance that:</p><ul><li>This is a true and accurate reflection of the organization's tolerance for disruption of that service.</li><li>The organization has a good understanding of its own level of resilience.</li></ul><p><br>The Basel Committee on Banking Supervision's <a href="" data-feathr-click-track="true" target="_blank">work program and strategic priorities for 2021/2022</a><em> </em>reflect the outcome of a recent strategic review by the committee. The review is intended to ensure that the committee continues to effectively promote global financial stability and strengthen the regulation, supervision, and risk management practices of banks worldwide. The work program focuses on three key themes:</p><ul><li>COVID-19 resilience and recovery monitoring and assessment of risks and vulnerabilities to the global banking system.</li><li>Horizon scanning and mitigation of medium-term risks and trends, including work related to the ongoing digitalization of finance, climate-related financial risks, and the impact on banks' business models resulting from a "low-for-long" interest rate environment.</li><li>Strengthening supervisory coordination and practices with a focus on the role of artificial intelligence/machine learning in banking and supervision, data and technology governance by banks, operational resilience, and the role of proportionality in bank regulation and supervision.</li></ul><p><br>In the European Union (EU), the <a href="" data-feathr-click-track="true" target="_blank">Digital Operational Resilience Act</a> aims to establish a foundation for EU financial regulators and supervisors to be able to expand their focus to ensure firms remain financially resilient through a severe operational disruption. Considerations for the proposed law include:</p><ul><li>Bringing critical information and communications technology (ICT) third-party providers — including cloud service providers — within the regulatory perimeter. In this way, one of the European Supervisory Authorities would have the power to perform off-site and on-site inspections and issue recommendations.</li><li> Setting EU-wide standards for digital operational resilience testing.</li><li>Harmonizing ICT risk management rules across financial services sectors, based on existing guidelines that ask to set the appropriate risk and impact tolerances for ICT disruptions as well as review the firm's business continuity and disaster recovery plans.</li><li>Harmonizing ICT incident classification and reporting, and opening the door to establish a single EU-hub for major ICT-related incident reporting by financial institutions. The measures, in aggregate, would provide EU regulators with a better picture of the kinds of vulnerabilities that are most common across firms and potentially help them take further action.</li></ul><p><br>The pandemic has confirmed the importance of preparing for the digital decade as well as the need to continually improve cyber resilience based on the growth of network and information systems dependences and interconnections among sectors and services.</p><p>To respond to the growing threats posed by digitalization and the surge in cyberattacks, the European Commission has proposed replacing the NIS Directive. The <a href="" data-feathr-click-track="true" target="_blank">NIS2 Directive</a> (PDF) would strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.</p><p>Most organizations have embarked on their own thinking and interpretation of these rules, and their approaches are likely to vary from one organization to another. Organizations will need internal audit's support to improve their resilience framework, alongside the contributions of risk and business continuity management experts.<br></p><p><br></p><p>Laura Zarrillo, MBCI, is an internal audit manager in the financial sector and a board member of the Business Continuity Italy Chapter.<br>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Laura Zarrillo0
The Knowledge Needed to Run Amuck Knowledge Needed to Run Amuck<p>In my last two blog posts, I talked at great length (probably too great a length) about allowing internal auditors the freedom to get their jobs done and to explore better ways to do it. In <a href="/blogs/jacka/2021/Pages/Living-in-the-Shadow-of-Fear.aspx" data-feathr-click-track="true">the first post</a>, I talked about the scourge of micromanagement, and <a href="/blogs/jacka/2021/Pages/Control,-Freedom-and-Trust.aspx" data-feathr-click-track="true">in the second</a> I talked about letting auditors free to truly explore. (Creative, but dangerous.)<br></p><p>After re-reading these posts and taking note of some comments I received, I realized that an important point fell by the wayside. In one paragraph I made the following comment: "When I first came into internal audit, I was lucky to work for leaders who allowed me a lot of freedom. Yes, I was trained, but I wasn't forced down a path."</p><p>Over 3,000 words in two separate blog posts and only once did I utter the phrase "I was trained."<br></p><p>I got so wrapped up in the preaching of freedom that I forgot such freedom can only occur when people have the knowledge necessary to get their jobs done. Picasso didn't blur the lines until he knew how to draw them. And internal auditors cannot know how to change internal audit until they know how the work is done.</p><p>So, yes, train, train, and train again. (And never allow yourself to quit learning; another topic for another time.) However, just because someone is still learning doesn't mean you have to hogtie them until such time as you think they've got it perfected.</p><p>When I first joined internal audit, my initial training consisted of learning the basics of how audit worked and then being given an audit program to complete. My supervisor walked me through it as we went along, and my manager was there if I needed additional help. </p><p>For my second audit, I was given an area to review, but was not provided an audit program. The expectation was that I should know how an audit was conducted and I was to use that knowledge to build and execute my own audit program. Yes, I was to ask questions as necessary, but it was my audit to complete — succeed or fail. (It should be noted that I found a quarter-million-dollar issue in that audit. Not bad for a newbie. Of course, I never did that again, but that is beside the point.)</p><p>Training, yes. Training first, yes. But do not using a perceived lack of training as an excuse to micromanage or to restrain initiative and creativity.</p><p>How do you approach training? What do you do after you have provided the basic information on how to get the work done — how to complete the audit? Do you let the auditor go free and see what happens? Or, in a fit of risk aversion, do you watch every step to ensure no step is out of line? If you continue to watch the auditor that closely, keeping them in line and changing things before they can go even one degree south, how do you know if that staff member is any good, or will ever be any good?</p><p>Here's my suggestion. If you really want to know how talented a person is — new auditors, experienced auditors, and anything in between — first make sure they have the tools they need — the training, the understanding of the work, etc. Then, let them go. Be available. Be there to answer any question. Have specific check points where you can be updated. But do not hover, watching and verifying every workpaper and note and spreadsheet and tic and tie, double-checking everything as if the expectation is failure.</p><p>You cannot know how good any employee is if you don't give him or her the freedom to explore, learn, and, yes, fail. (There are such things as "safe failures." Understand the concept and apply it.) And let's take it all one step further. Good does not mean the ability to follow all the rules that were learned during training — how to complete a form, how to complete the assigned test, how to conduct an interview. No, good means running into something new/different/unplanned and successfully navigating the necessary changes. Such skills will never be developed unless the auditor is given the freedom to practice them.</p><p>I started this post with the intent of reinforcing that people cannot be expected to be successful in doing normal or extraordinary work unless they have the necessary training. And I want to repeat that nothing I said in the last two posts, as well as this one, was meant to imply that training and knowledge should take a backseat. However, I've co-opted my own blog post and, once again, am pushing for creativity and freedom.</p><p>Here's my excuse. I think the profession does a pretty good job of finding talented people and giving them the training they need to get the work done. But I think we wait too long to even think about letting them step outside the limited scopes we have established.</p><p>Instead, use that talent, use that training, and build on those talented, trained people to make internal audit better. <br></p>Mike Jacka0
On the Frontlines: Finding the Right Working Balance in the New Normal the Frontlines: Finding the Right Working Balance in the New Normal<p>​While trying to understand what good has come from the work-from-home environment imposed by the pandemic, I look for what internal auditors can save and learn for the future. It can be difficult to contemplate the flexibility we gained from remote work and the constraints we incorporated.</p><p>For many internal auditors, this has been a period of working from home and not losing our jobs. From an outside perspective, we are among the lucky people who are still working and earning a salary. We know that this picture is partially true, yet while some auditors are gaining the maximum benefit from working remotely, others are going a little crazy.</p><p>I have about 10 years of experience in auditing, working in a small international team of about 25 auditors who are spread across Europe. Lately, I have noted changes in the audit life cycle (i.e., planning, fieldwork, issue discussion, action identification, report writing, and communication) during the pandemic and working from home. The new normal will not be exactly the same as the pre-pandemic era, and we need to prepare for how to best manage in the post-pandemic environment.</p><p>Being auditors, we would like the situation to always be under control so we are ready when the COVID-19 period is finally over. It's then that we will be able to manage some hours and days working from home and work in the office at other times.</p><p>It is easy — I would say obvious — to speak in general about the pros and cons of working from home compared to working in the office. While it becomes a bit more difficult to assess these factors when I speak about myself, it becomes very difficult when I work in a team to share thoughts to identify the best balance between home and office.</p><p>To assess the right balance, let's do some steps together.</p><p>Which audit and nonaudit activities are good to do at home and which are best performed in the office? The answer may depend on several factors — both personal and related to the kind of audit and organization for which auditors work. If we built a matrix where one axis measures our personal capabilities and the other axis lists the audit activities, would it enable us to choose for every intersection which activity should be performed at home versus in the office?</p><p>Here are questions that are worthwhile for auditors to answer individually and then share with the team:</p><ol><li>Which activities require 100% of my energy and concentration, and which can I do when I'm tired and have limited energy?</li><li>What is my daily energy cycle? Maybe I realize that I'm very active and energetic in the early morning, I'm a bit tired after lunch, and I feel very creative in the late evening.</li></ol><p>Combining these two answers I can plot a graph of which activities should be planned during the different hours of the day. For example, it would be good for me to carry out testing activities in the morning when I'm fresh and concentrated to focus on details. I should plan meetings in the afternoon when sharing and discussing information with others may help me to be more energetic after lunch. Likewise, I can complete planning and brainstorming activities in the late afternoon when I am more creative.</p><p>Despite our awareness of which is the best time to do each activity, auditors are not the only ones planning our agendas. We have external constraints depending on our boss, colleagues, family members' needs, etc. However, there are details that we can be aware of in advance:</p><ul><li>The time during the day when our home is quieter.</li><li>Our commuting time.</li><li>Our office working environment (e.g., a single office or an open space shared with many colleagues).</li></ul><p><br>Which leads to the third question: If I could choose when I want to work alone and when it is beneficial for me to be in the office to meet other colleagues and audit clients, how would I plan my week?</p><p>And finally, could I try to plan the time I spend at home or in the office taking into account these three questions? I'll return with some examples after I have discussed my findings with my team.</p><p> <br>Beatrice Saredo is internal audit senior manager at Borsa Italiana Euronext Group in Milan, Italy.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Beatrice Saredo0
Control, Freedom, and Trust,-Freedom-and-Trust.aspxControl, Freedom, and Trust<p>Let me tell you a story.</p><p>For a period in the 2000s, I was in charge of the Farmers Insurance audit departments in Phoenix and Colorado Springs, Colo. I decided to bring the two groups together — 8 auditors — for a 2-day mini-conference. We met that summer at the halfway point, Durango, Colo. Not a bad gig.</p><p>It all went better than I could have hoped. It served as an excellent team-building experience, allowing two teams that worked well by themselves to get to know each other and become a cohesive single unit. I had each person do presentations over the two days, so there was a sharing of knowledge. And the interactions allowed me to see the auditors in a different situation, verifying my belief in the strengths of some, identifying issues with others, and finding a couple of hidden gems who I was able to bring to the attention of upper management. And, in the evenings, we were able to experience the fun and beauty of Southwestern Colorado. A good time was had by all.</p><p>It was an event that was often talked about within the group. And, during a meeting with upper audit management later that year, the team expressed their feeling that it was one of the best experiences they had ever had in internal auditing. They went on to explain that it wasn't just because they got a great trip out of it, but because of what they learned about the team, about auditing, and about the role of our department within the company.</p><p>Oh, did I mention that I did this without any official OKs, approvals, signatures, or real authority to do any of it?</p><p>Is this a tale of opportunity taken? Is it a tale of questioning the boundaries of acceptable behavior? Is it a cautionary tale of a manager run amok? Is it a tale meant to kick off a blog post because I'm not sure how best to begin? Is it a tale that has gone on too long and taken up way too much space?</p><p>Well, to be honest, it's all of those.</p><p>I want to continue a discussion we were having during our last visit — a discussion about how freedom can be used to control and how stifling internal auditors' freedoms in the name of control negatively impacts our effectiveness and our progress as a profession. And the above story provides an interesting backdrop to that discussion.</p><p><a href="/blogs/jacka/2021/Pages/Living-in-the-Shadow-of-Fear.aspx" data-feathr-click-track="true">Last week's post </a>started with a quote from Zen master Shunryu Suzuki: "To give your sheep or cow a large spacious meadow is the way to control him." </p><p>We discussed the fear internal auditors have of making mistakes and how this causes us to micromanage the work we do. To use Suzuki's metaphor, our fears result in us not only limiting the space in the meadow, but actually tying auditors to a metaphorical stake in that meadow.</p><p>But, once we allow ourselves to quit micromanaging (or, at the very least, overmanaging and over-reviewing — which may be the same thing), there is a greater freedom we need to talk about.</p><p>Last time, in an attempt to define just how much freedom auditors were allowed, I provided a list of "Are your auditors allowed to …" The first part focused on micromanagement issues. But the second part looked at broader freedoms: allowing them to explore new audit techniques, use new tools, or suddenly spin off on new projects for no apparent reason other than they seem like a good idea at the time.</p><p>To get a feel for where you may fall on the "freedom allowed" spectrum, let's look at a potential real-world example.</p><p>A current hot topic is robotic process automation (RPA). Related to that is the concept of the citizen developer — employees within each department (in our case, internal auditors) who develop programs without input or influence from the IT department. There's a lot more to the concept, but this is enough to get us through this discussion. (Note that it's well worth your time to find out more on the subject.)</p><p>Here's three scenarios. And, in all three scenarios, let's assume you believe the auditor has the skills needed to accomplish the requested project.</p><p>Scenario No. 1: One of your auditors comes to you and says, "I keep hearing about RPA, and I'd like to learn more about it, including its potential application within the department? Can I have some time to research it?"</p><p>The time the auditor needs may have some impact on the completion of the audit schedule.</p><p>Scenario No. 2: One of your auditors comes to you and says, "I've been hearing about RPA, and I've been doing a little research. In fact, I've been doing a little programming, and I think we could use it in the department. Can I have some time to explore developing programs that might be used within the department?"</p><p>The auditor has been doing this research at work, squeezing it in between audit projects. The time the auditor needs will definitely impact the audit schedule.</p><p>Scenario No. 3: One of your auditors comes to you and says, "I've heard a lot about RPA and started doing some programming. In fact, I've developed some programs we could use, right now, in internal audit. I'd like to start putting them into production, as well as begin looking into other opportunities."</p><p>One more time, the schedule is going to take a hit. In addition, you now have an explanation for why there have been delays in this auditor's recent work. (Nothing detrimental, but a definite slippage in timeliness.) Further, it is hard to tell how implementing these programs will further impact the schedule. Ultimately, it should increase efficiency. But, in the short term, there may be delays and even cancellations.</p><p>How do you respond to each scenario?</p><p>Get a group of auditor leaders together and these scenarios will engender some intense discussion. There are a lot of issues on the table and, if this were part of a seminar, I'd set aside at least one hour for cussing and discussing. But I'm heading to one particular point.</p><p>To begin with, if you shudder at the thought of any of these scenarios — if you see auditors stepping outside their boxes and taking liberties that should not be taken — or even if you think, "Well, these are nice ideas, but we'll all need to talk about whether this is the right direction for our department before taking any further action," then you have a problem. It is probably safe to say that creativity and innovation are crushed in your department before they can even make an appearance. Warning: More than likely your department is stagnating and you may want to start perusing the want ads.</p><p>But let's move on.</p><p>The three scenarios represent increasing degrees of freedom that might exist in audit departments. In the first, we see an auditor willing to explore new things. However, Auditor No. 1 wants to make sure everything is okay before moving forward. Is it good that the auditor asked permission to move forward? Maybe. I'm glad this individual is willing to explore, but …</p><p>Compare that to the second person who has actually taken steps to learn something new. That is a good thing. However, what opportunities may have been lost by not asking for additional time to do that research in the first place? It might have been better if Auditor No. 2 had asked earlier and been given the time to move the project along more quickly.</p><p>And then there is Auditor #3. I'm guessing many of you didn't like this approach. However, is it necessarily a bad thing? The auditor's excitement and inquisitiveness has driven this individual to explore new areas and come to you with solutions in hand. This auditor probably feels she has the freedom to move forward with an eye on any prize she thinks has value.</p><p>There is no right answer for any of these scenarios. But your reaction will speak volumes about the freedom you are giving your audit staff. (And, as an internal auditor, your expectations regarding the reactions you might receive from your leaders will speak volumes about the people for whom you work.)</p><p>But here is the fun part. The sooner you allow people the freedom to explore, the sooner they will return that trust with results. When I first came into internal audit, I was lucky to work for leaders who allowed me a lot of freedom. Yes, I was trained, but I wasn't forced down a path. And I believe this approach was part of the reason I was willing to explore and take the chances I did throughout my career.</p><p>Which brings us back to Durango.</p><p>Let's be honest. When I held that conference, I overstepped my boundaries. I went beyond the meadow. And it is only many years later, speaking with my then associate vice president, that I've learned I may have been in more trouble than I knew. (Note that this was not an isolated incident, but we can swap such stories later during happy hour.)</p><p>But I think I got away with it because of success. I succeeded with that venture, and I had succeeded with other ventures in the past. Our chief audit executive was fond of saying that a co-worker (Paulette Keller, to drop a name) and I were "creative, but dangerous." We bore that badge proudly because it showed we were trusted to explore, and we were trusted to do so in a way that would not damage the department or the company.</p><p>How many people do you have on your staff who are creative? How many do you have who are dangerous? Or do you even know the answer because you have tried to control the danger (and by default, the creativity) by keeping your staff fenced in a meadow that is smaller than it should be?</p><p>And how many good people have you lost because that meadow was too small? And, again, do you even know the answer to that last question because you never let them to do more than feed in the tiny meadow you allowed?</p><p>I started last week's blog post by implying that I was talking about management. And, when you talk micromanagement, well, it's in the word. But this has all really been about leadership. Good leaders lay out a future and then allow those they work with to achieve that vision. And good leaders know that can only happen when they trust the team with a large, spacious meadow.</p><p>And one more thing. If you haven't been to Durango, plan your trip today. You won't be disappointed.<br></p>Mike Jacka0
Building a Better Auditor: When the Leader Is Challenged a Better Auditor: When the Leader Is Challenged<p>​Xi joined a government agency a few years ago and has a good working relationship with the head of the agency, Xyrl. Xi has been able to provide assurance on the agency's objectives in a way that the agency has never seen before. Previously, Xyrl thought internal auditors only looked out for mistakes or what went wrong, but ever since Xi arrived, providing consulting expertise in addition to assurance engagements has really turned things around.</p><p>Xyrl has found the contributions very useful and has grown to trust Xi. Putting structures in place has eased her role as the head of the agency. At times, Xi highlights issues for the various departments to consider before, during, and after certain projects. Such contributions have changed their mindsets so that they see the internal auditor as a business partner. But Xi never forgets to remind them that there is a difference between assurance and consulting engagements.</p><p>Recently, Xi has noticed that Xyrl has changed her habits. Where Xyrl used to respond to emails and recommendations and look forward to suggestions, she has become somewhat distant. At an internal meeting with other stakeholders, Xyrl suggested that Xi may "take a break," as the recommendation made was not feasible. This was something Xyrl had never done before.</p><p>At another encounter, when Xi tried to discuss something urgent she had observed, Xyrl responded, "I'm sure you know how to handle it." Another time, Xyrl decided to override the risk mitigation procedures the internal audit team had recommended in a show of power of who heads the agency.  There were rumors that Xyrl's tenure at the agency may not be extended in a few months, which may have led to the recent "I don't care attitude." </p><p>Unfortunately, Xi also has noticed that motivation at work has been slightly affected and mistakes she never used to make when reporting are now occurring. The truth is there may be best governance practices, systems, and policies in place, but in real life, the human element could threaten all of these.</p><p>This scenario is typical during the last days of a leader's tenure — some handle their last days well, others burn the structures they had built over time, and some are in the middle. Xi's team noticed the behavior at the last meeting, and one of the junior team members said, "I don't like the way Xyrl talked to you at the meeting. How do you handle the situation?" Here are tips to address the problem Xi encountered.</p><h2>Be Professional: Work Must Go on</h2><p>Xi told her team member not to worry about the situation. "My job is to provide assurance on management's activities to relevant stakeholders and not to make enemies. Our work should be able to speak for us and end users must have confidence in our output," she said.</p><p>Xi wanted to make sure the junior staff did not see that event as an "us versus them" scenario where they take situations personally. She further assured her team that internal auditors are to conduct their work in a professional and competent manner. Do your job!</p><h2>Assume Leadership</h2><p>Every leader also is a follower of another leader. Thus, while Xi's team members were observing what is going on, Xi also has observed Xyrl's leadership style over time and noticed that her behavior has changed.</p><p>Xi is providing mentorship to her team by her actions during these changing times while trying to manage the challenges. Applying the philosophy of <a href="" data-feathr-click-track="true">Theory U</a> can help refocus the mind on performing core functions. Theory U is a method of addressing change that advises individuals to observe the environment, sense changes going on and let go of unnecessary/temporary distractions, reassess self-principles, and realign one's self with vision and intention. In assessing changes in behavior, internal auditors should remember that their responsibility is not to an individual but to the institution and stakeholders who rely on their work.</p><h2>Be Self-aware</h2><p>It is easy to read theories, scenarios, and case studies until these happen to you in real life and you have to make quick decisions. Rules are written in theory; principles are applied in contexts. Self-awareness is closely linked to principles and this can intersect with an ethical framework when situations arise. The IIA's Code of Ethics expects internal auditors to apply the principles of integrity, objectivity, confidentiality, and competency.</p><h2>Keep Documentation</h2><p>A compensating feature for internal auditors is documentation. While Xi may not have the power to make certain decisions that the agency's head can make, appropriate documentation of observations and issues provides evidence when the need arises. Documentation is not intended to present internal audit as an "I told you so" activity. Moreover, documentation helps when another individual assumes your role or during a handover period. </p><h2>Maintain Independence</h2><p>Xi is fortunate that as the resident auditor at the agency, she has a dual reporting role. Her primary responsibility is to the government, the government's audit branch, and the agency. Thus, she was not afraid of threats.</p><p>Certain situations arise where this scenario occurs in a private organization and Xyrl is the chief audit executive (CAE) who interacts with the board. In that case, auditors cannot override their bosses or call them out if they are doing the wrong things. Nonetheless, self-awareness is important in defining your principles and guiding the actions you take.</p><p>Independence is a core feature of internal audit. While internal audit provides assurance to management that controls are in compliance with relevant regulations and laws, auditors do not perform management responsibilities or act as if they are part of management.</p><h2>Handling Changing Situations</h2><p>At a private organization, this scenario could be dicier. If Xi reported directly to the CAE, she should assume leadership should be handled with care. That is, while displaying leadership qualities and not letting the situation affect them personally, auditors must take care that their actions do not send a signal to the CAE who frustrates them.</p><p>Also, some exiting leaders do not mind destroying structures upon leaving; they can burn bridges that may cause problems for auditors long after they have left. Thus, auditors should not come across as usurping the actual role but instead provide support to the departing leader as much as possible.</p><p>Organizational politics are unpredictable. In certain situations, depending on your relationship with the person in question, you can engage by talking, connecting, and sharing experiences. After all, "what is not discussed is not understood."</p><p> </p><p>Mustafa Yusuf-Adebola, CIA, CPA, CFE, CGA, is a fraud risk consultant and systems thinker in Ontario.</p><p>Want to be a part of Your Voices? Click <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank">here</a> to learn how to contribute a blog post.<br></p>Mustafa Yusuf-Adebola0
Living in the Shadow of Fear in the Shadow of Fear<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p><em>To give your sheep or cow a large spacious meadow is the way to control him.<br></em><em>— Shunryu Suzuki</em></p></blockquote><p><br></p><p>For this one, let's talk to the supervisors and managers in the crowd. (And to the future supervisors and managers. And to people who used to be supervisors and managers. And to people occupying even higher positions. You know what? Let's talk to everyone.)</p><p>Here is what I believe to be a basic truism for supervision, management, etc. Success for the individual and for the department comes from allowing people the freedom to do their jobs, including the freedom to do their jobs the ways they find work best. That is why the above quote from Suzuki resonates with me. I believe success comes from giving people a very large meadow.</p><p>However, there seems to be a reluctance on the part of internal audit leadership (at all levels) to allow audit staff such freedom. "Nay, nay," you say. "We have no such issues in our department." OK, then ask yourself, are your auditors allowed to change a test, change an audit objective, change the audit, cancel the audit, explore new audit techniques, use new tools, suddenly spin off on new projects (during an audit, during quarterly planning, during annual planning, out of thin air) for no apparent reason other than it seems like a good idea at the time?</p><p>We'll get to the second part of the above list in a bit. But let's look at the first few items. When you started reading that list, you probably were thinking, "Why, of course we allow such changes … as long as they are appropriately discussed and vetted." </p><p>Which begs the question, why do you not allow the auditor — a professional you have hired because of, among other things, critical thinking skills — to execute navigational changes intended to make the audit more effective? Why does there have to be constant scrutiny, to the point that each and every step of the audit, change or no change, must be reviewed and approved?</p><p>Why do we feel the need to hand-hold internal auditors — internal auditors of every level — throughout the audit process? (And with that, our first whiff of the brimstone-laden phrase "micromanagement" makes its appearance.)</p><p>We are a very risk-averse profession. To illustrate, here's a current, weird example of two opposite reactions internal auditors have to the same event. (And, so as not to get into a philosophical imbroglio, I will not state my opinionated views on the following subject.) </p><p>I have spoken with auditors who did everything they could to get the COVID-19 vaccine as soon as possible believing it was the appropriate way to mitigate what they saw as a serious risk related to the effects of the disease. I have also spoken to auditors who held off on getting vaccinated because they wanted to mitigate what they perceived as a serious risk related to issues that might still exist with the vaccines.</p><p>Two different reactions — potentially overreactions — to different risk aspects of the same issue. This proclivity toward risk aversion results in our profession laboring under what I believe to be its No. 1 fear, loss of control. (No studies to back this up. It's just something I believe based on observation. Don't agree? Let's take it outside to the comment section.) </p><p>Which leads to an interesting and sometimes nearly fatal approach to our work: the fear that we will lose control, we might make a mistake, and/or we could be wrong results in our inordinate and possibly unnecessary reliance on oversight and (dare I say it) micromanagement. Rather than giving people Suzuki's metaphorical larger meadow, we use short leashes to tie them to stakes in the middle of that meadow.</p><p>I further believe (again, nothing to back this up except personal observance) that this fear of losing control results in our profession being comprised of some of the worst micromanagers in existence.</p><p>Let me tell you a story.</p><p>A number of years ago our department was involved in team-building exercises. We were split into three teams who were trying to accomplish involved tasks. We were randomly assigned positions — workers, supervisors, and managers — and provided separate instructions on the ensuing roleplay. (I'm still questioning the "random" part since I, as a manager, wound up with a "worker" position. But I've gotten over it, honest.)</p><p>The exercise started and, in short order, one of the "managers" (who in real life was a supervisor), was harping at us about how much time was left, how we might do the job better, and, in general, playing the perfect role of the micromanager. In fact, he was playing it so well I assumed it was part of the background that had been provided prior to the exercise — the role he was to play.</p><p>During the debrief I brought up his approach and the negative impact it had on the team's ability to accomplish the tasks. I asked if it was part of the background information he had been provided. He looked a bit flummoxed and ever-so-slightly chagrined and explained that, no, such an approach was not part of his instructions; he was just trying to make sure we got it done right and on time. Later, I spoke with his actual manager and discovered that such an approach was exactly the one he used in all work situations.</p><p>A show of hands. How many of you have worked for this guy at some point in your career? One, two, three, 10, 30, I think we've got a majority, a sweeping mandate, a nigh-on unanimous vote. OK, honesty time. How many of you take actions that might be considered micromanagement? Hmmmm, not seeing many hands this time. Seems unlikely.</p><p>Let me tell you another story.</p><p>Quite a while ago, I wrote a piece for<em> Internal Auditor</em> magazine about micromanagement. In that piece I actually spoke, circumspectly, about one of the two associate vice presidents (AVPs) with whom I was working — a chronic micromanager. After it got published, AVP1 walked up and said, "Does AVP2 know you were talking about him?" Two days passed and AVP2 walked up. "Does AVP1 know you were talking about him?"</p><p>For the record, I was talking about AVP1, but that is neither here nor there. Rather, it speaks to self-awareness, or the lack thereof. And it speaks to the need for each of us to more closely inspect the way we work with those we are in charge of — the need to honestly determine if we are allowing them the freedom to get their work done or are clamping down in an effort to ensure perfection.</p><p>Do the stories and anecdotes prove internal audit's penchant for micromanagement? Not in and of themselves. But, if you examine your experiences, if you look closely at some of our own actions, if you review the policies and procedures your department has put in place, you will see the signs of micromanagement. And even a little micromanagement can cause a lot of trouble</p><p>By acting insecure — living in fear that we will do something wrong, cowering in the belief that we are not allowed to make a mistake, trembling in dread that we might make a single error, and sure that any infraction will erode our client's confidence — we micromanage our work, striving for a perfection that is impossible and unnecessary.</p><p>And so we review everything, and we stick to the plan, and we don't make any changes until it is run through the chain of command, and we micromanage. And the entire time we are keeping the auditors tied to a stake using a short leash as they long for the open meadow before them.</p><p>And here's the funny part about the above. None of it is what I originally planned on talking about; none of it is why I included the Suzuki quote. I got sidetracked from the real sermon I wanted to preach. But I see everyone looking at their watches, the collection plate already passed, the benediction read, the potluck ready to be served, and nothing left but the singing of "Nearer My Finding to Thee." </p><p>So, next time we'll talk some more about that metaphorical field that represents opportunity. And we'll talk about the fact that, even when we don't tie auditors to the stake, we still place the fences too close.<br></p>Mike Jacka0
#IAm Shruthi Ramakrishnan Shruthi Ramakrishnan<p>​Dancing was a part of my life almost from the point I could walk. Although I grew up in Mumbai, my family origins are from the southern part of India in Tamil Nadu, and we all were very proud of that.</p><p>Like a lot of girls my age, I was really into Bollywood and dancing in general on my own, but my parents pushed me to learn classical dance that represented our heritage. So, at the ripe age of five they enrolled me in classes to learn the ancient dance style known as Bharatanatyam.</p><p>Learning this ancient dance form helped me stay connected to my roots and respect my tradition. It taught me to embrace my culture, and this is why I almost immediately fell in love with it. When I danced on the stage, I knew that it represented something more than a few mudras. It represented my people, my culture, and my tradition. I fell in love with it almost immediately, and it played a huge role in my life all the way to adulthood.</p><p>Bharatanatyam, the most popular of the main Indian classical dance forms, was originally a temple dance, before being brought to the public stage around the 1930s. Bharatanatyam includes a list of specific procedures that are performed by a single dancer — typically dressed in a colorful, fitted Sari, and adorned with symbolic jewelry that outlines the head and draws attention to the performer's heavily lined eyes. </p><p>Bharatanatyam is a form of illustrative anecdote of Hindu religious themes and spiritual ideas emoted by a dancer. Through incredibly elaborate hand movements and facial expressions, the dancers in stunning traditional costumes and makeup weave interpretive narratives about various Hindu lords.</p><p>I gained a deep understanding of the movements by learning about the religious stories I was portraying through dance. It is a precise, intricate, and all-around beautiful art form. Today, although there can be a religious element to it, most of the time it is done purely for entertainment and as a testament to India's rich cultural legacy.</p><p>As you might expect, when studying such an art, it takes a serious commitment. Of course, one can learn a Bharatanatyam dance on YouTube if one really wanted to, but those who wish to pursue the art in a serious, career-minded capacity need to enroll in a professional institution.</p><p>That's not to say there weren't moments of levity. On one occasion, one of my friends had all of her elaborate makeup melt in the Mumbai heat right before she was ready to go on, and on another occasion, the institution I studied at was featured on TV. Granted, that performance was more Bollywood than Bharatanatyam, but I still got my 15 minutes of fame!<br></p><p><img src="/blogs/Your-Voices/PublishingImages/Shruthi%20Ramakrishnan-380x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />There are several different levels one has to go through to be considered proficient in Bharatanatyam. Each level isn't completed on a timetable; rather, you progress when your instructor feels you are ready for your examination — which, like any examination, requires rigorous preparation.</p><p>I personally completed all levels except the final one: my Arangetram, which is something like a graduation ceremony. At 15, I stopped to pursue higher education, but I fully intend to go back and finish one day — after I brush up on everything I learned during the 10 years I studied it, of course!</p><p>Although I had to leave dancing behind, dancing really never left me. In so many ways it helped define the person I have become. Even today when I talk, you can still see elements of my past life come out in how I "speak" with my hands, in how I move, in how I express myself and interact with the world.</p><p>You can even see elements of it in the discipline, preparation, and passion I bring to my internal audit role. Under my professional demeanor, it's always there, just beneath the surface, ready to burst out when I need it the most. I can't imagine my life without it.</p><p><br></p><p>Shruthi Ramakrishnan, CA, CPA, is manager of internal audit at Atlas Air Worldwide in Purchase, N.Y. and a 2020 <em>Internal Auditor</em> magazine Emerging Leader.<br></p><p><em>Want to be a part of Your Voices? Click </em><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=969adc5e-ebb9-41f3-888c-a7f03ab61d8a" data-feathr-click-track="true" target="_blank"><em>here</em></a><em> to learn how to contribute a blog post.</em><br></p>Shruthi Ramakrishnan0

 ‭(Hidden)‬ Content Query

View RSS feed
  • AuditBoard-September-2021-Premium-1
  • FastPath-September-2021-Premium-2
  • All-Star-September-2021-Premium-3