Features
22 COVER Auditing What Matters: Internal auditors can add value by selecting audits that contribute to achievement of strategic objectives. By Jane Seago
31 Core Principles and the QAIP: Demonstrating the effectiveness of the IPPF’s Principles shows internal audit’s alignment with stakeholder expectations. By Basil Woller
38 Champions of Trust: By modeling high standards of ethical behavior, internal auditors can help shore up faith in the organizations they serve. By Richard F. Chambers
45 Infusing IT Auditing Into Engagements: A three-phase approach can enable internal audit to build its IT-related capabilities. By Andrew Bowman and Haylee Deniston
50 Breaking Down the Standards: With the right strategy, practitioners can divide conformance into bite-size, easily digestible portions. By Christine Hovious
57 Auditing Organizational Governance: Internal audit has an integral role to play in improving the organization’s strategic performance. By Sridhar Ramamoorti, Alan N. Siegfried, and P. Alan White
Departments
PRACTICES
11 Update: Executives report shortcomings in cyber resiliency; governmental budget information underused; and market economic conditions a top risk.
20 Fraud Findings: Small facilities can be especially vulnerable to embezzlement.
INSIGHTS
62 Governance Perspectives: Quality is all about good governance, and vice versa.
ONLINE InternalAuditor.org
From Output to Outcomes: Five key steps can help internal auditors play a more
On the Hook for Fraud: Fraud expert Art Stewart discusses how small retailers can
Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations.
Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2017 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer
Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Canada Post
International: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The
Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.
Although the practice of internal auditing is more complex and the expectations of auditors greater than ever, the foundation of the profession — The International Professional Practices Framework (IPPF) — remains strong and continues to provide the foothold internal auditors need to be successful. Internal Auditor’s first issue of 2017 begins by considering what matters most to today’s organizations and then reminds internal auditors of the tools they should be using, like the IPPF, to ensure a consistent and professional approach to addressing those issues.

As author Jane Seago says in our cover story, “Auditing What Matters” (see page 22), “in any business, time and resources are limited, and internal auditors who want to serve as trusted advisors to the organization must ensure their efforts provide maximum return on investment.” In other words, internal auditors need to make sure they are auditing the right things. “An initial key step in elevating to be a strategic partner is understanding the organization’s strategic mission, the objectives designed to accomplish that mission, and the metrics by which success will be measured,” says Luz Dary Bedoya Bedoya of Audilimited, Organización Corona in the latest IIA Global Perspectives and Insights report, Elevating Internal Audit’s Strategic Impact.

Basing their work on the International Standards for the Professional Practice of Internal Auditing is a must. However, in the 2015 Common Body of Knowledge report, Looking to the Future for Internal Audit Standards, only 54 percent of CAEs surveyed used all of the Standards, with 11 percent reporting they did not use any of the Standards. Although an improvement on the numbers reported in 2010 — 46 percent and 14 percent, respectively — the findings indicate internal audit has a ways to go.

I wonder, however, whether those who say they don’t use the Standards are actually following the guidance, but are unaware they are doing so. In “Breaking Down the Standards” (page 50), Christine Hovious, director, IIA Global Standards and Guidance, acknowledges that “The phrase ‘conformance with the Standards’ can sound authoritative and overwhelming, suggesting a complex, resource-intensive effort.” But, she explains, conformance is much easier to achieve than many CAEs may believe. “In fact, numerous activities performed by practitioners likely conform with the Standards already,” she says. In her article, Hovious details the components of the Standards, breaking them down into bite-size, easily digestible pieces.

The remainder of the February issue delves deeper into the successful practice of internal auditing. From integrated audits, to ethical practice, to auditing governance, to incorporating the Core Principles of the IPPF into quality assessments, we’ve got you covered on what it takes to succeed in today’s organizations.
@AMillage on Twitter
February 2017, Volume LXXIV: I

Editor in Chief: Anne Millage
Managing Editor: David Salierno
Associate Managing Editor: Tim McCollum
Senior Editor: Shannon Steffee
Art Direction: Yacinski Design, LLC
Production Manager: Gretchen Gorfine

Contributing Editors: Mark Brinkley, CIA, CFSA, CRMA; J. Michael Jacka, CIA, CPCU, CFE, CPA; Steve Mar, CFSA, CISA; Bryant Richards, CIA, CRMA; James Roth, PhD, CIA, CCSA, CRMA; Paul J. Sobel, CIA, QIAL, CRMA; Laura Soileau, CIA, CRMA

Editorial Advisory Board: Dennis Applegate, CIA, CPA, CMA, CFE; Lal Balkaran, CIA, CGA, FCIS, FCMA; Mark Brinkley, CIA, CFSA, CRMA; Adil Buhariwalla, CIA, CRMA, CFE, FCA; David Coderre, CPM; Daniel J. Clemens, CIA; Michael Cox, FIIA(NZ), AT; Dominic Daher, JD, LLM; Haley Deniston, CPA; Kayla Flanders, CIA, CRMA; James Fox, CIA, CFE; Peter Francis, CIA; Michael Garvey, CIA; Nancy Haig, CIA, CFE, CCSA, CRMA; Daniel Helming, CIA, CPA; J. Michael Jacka, CIA, CPCU, CFE, CPA; Sandra Kasahara, CIA, CPA; Michael Levy, CRMA, CISA, CISSP; Merek Lipson, CIA; Thomas Luccock, CIA, CPA; Michael Marinaccio, CIA; Norman Marks, CPA, CRMA; Alyssa G. Martin, CPA; Dennis McGuffie, CPA; Stephen Minder, CIA; Jack Murray, Jr., CBA, CRP; Hans Nieuwlands, CIA, RA, CCSA, CGAP; Bryant Richards, CIA, CRMA; Jeffrey Ridley, CIA, FCIS, FIIA; Marshall Romney, PhD, CPA, CFE; James Roth, PhD, CIA, CCSA; Katherine Shamai, CIA, CA, CFE, CRMA; Debora Shelton, CIA, CRMA; Laura Soileau, CIA, CRMA; Jerry Strawser, PhD, CPA; Glenn Sumners, PhD, CIA, CPA, CRMA; Sonia Thomas, CRMA; Stephen Tiley, CIA; Robert Venczel, CIA, CRMA, CISA; Curtis Verschoor, CIA, CPA, CFE; David Weiss, CIA; Scott White, CIA, CFSA, CRMA; Benito Ybarra, CIA

IIA President and CEO: Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA
IIA Chairman of the Board: Angela Witzany, CIA, QIAL, CRMA
Published by The Institute of Internal Auditors Inc.

Contact Information
Advertising: advertising@theiia.org, +1-407-937-1109; fax +1-407-937-1101
Subscriptions, change of address, missing issues: customerrelations@theiia.org, +1-407-937-1111; fax +1-407-937-1101
Editorial: David Salierno, david.salierno@theiia.org, +1-407-937-1233; fax +1-407-937-1101
Permissions and reprints: editor@theiia.org, +1-407-937-1232; fax +1-407-937-1101
Writer’s guidelines: InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.
»» There were no granular rights to folders or devices.
»» Employee access to the internet was not monitored.
»» The internal network and internet-facing devices were not segregated or fire-walled.
I hope the company learned a valuable lesson and implemented appropriate controls to monitor the activities of privileged users.
Manoj Agarwal comments on “The IT Guy” (InternalAuditor.org, January).

Break the Mold
Great article, Richard, with five great points. No. 2, talent management, is one I find quite important, yet I find it’s the least appreciated by management. It will be nice to know how our profession can change that and break the mold.
Roger Ngong comments on the Chambers on the Profession blog post, “5 Resolutions for Internal Auditors in 2017 to Prepare for the Future.”

Heat Maps Don’t Show the Whole Story
I agree with [Norman Marks] that heat maps fail to show the entire picture. Sure, they map out risks according to their rating, but that’s not the whole story and it can be grossly misleading. There may be, for example, a large number of red high risks and relatively few low ones, but that may be acceptable, given the organization’s risk appetite and its tolerance for specific risks. Similarly, a large number of deceptively reassuring green low risks may look comforting, but if they reflect very low likelihood but high consequence catastrophic risks, or are simply beyond the tolerance of the organization, they may still need urgent action. Boards may like their simplicity, but heat maps really aren’t adequate for communicating complex risks to decision-makers.
Chris MacLean comments on the Marks on Governance blog post, “What Does the New Year Hold for Internal Audit?”
Gaps in ability to use budget data… Top risks raise uncertainty globally…
Expectations for new U.S. president… Supply chains face deforestation risk.
Update
The Cyber Resilience Challenge
IT officers cite weaknesses in breach recovery efforts.

Executives worldwide say they are confident in their organization’s ability to predict and resist cyberattacks, according to EY’s latest Global Information Security Survey. Still, many indicate shortcomings in their ability to recover from an attack.

Half of the 1,735 private-sector IT officers and other executives surveyed say
centers (SOCs), continuous monitoring, and active defense systems for building this capability. Nonetheless, 42 percent say they do not have an agreed communications strategy in the event of a significant attack. And while more than half consider business continuity and disaster recovery a high priority, only 39 percent plan to invest more in it during the coming year.

“Organizations have come a long way in preparing for a cyber breach, but as fast as they improve, cyberattackers come up with
prepare for and fully address these inevitable cybersecurity incidents.”

When asked about identifying vulnerabilities, 44 percent of respondents indicate that their company does not have an SOC to continuously monitor for cyberattacks, and 55 percent either do not have vulnerability identification capabilities or have only informal capabilities. More than half say they experienced a significant cybersecurity incident in 2016, and 48 percent cited outdated information security controls or architecture as their highest vulnerability — an increase from 34 percent in the 2015 survey.

Respondents identified their top cybersecurity threats: malware, phishing, theft of financial information, and intellectual property theft. Moreover, the top obstacles facing their information security function — budget constraints, lack of skilled resources, and lack of executive support — are virtually unchanged from last year. — D. Salierno

Emerging Threats
U.S. public company board directors say five risk factors will have the greatest impact over the next 12 months.
1. Global economic uncertainty: 60%
2. Increased regulatory burden: 58%
3. Significant industry changes: 53%
4. Business model disruptions: 40%
5. Cybersecurity threats: 34%
Source: National Association of
New research finds a gap between the growing amount of budget information that governments of developing nations are providing to the public and the capacity of organizations to use that information. For its report, How Does Civil Society Use Budget Information?, the International Budget Partnership surveyed 176 respondents in 70 countries representing civil society organizations (CSOs) such as advocacy groups and public policy think tanks.

A glaring example of a gap is the low use of audit reports by CSOs across all
most used in the Eastern Europe/Central Asia and South Asia regions (36 percent), while they are least used in sub-Saharan Africa (14 percent).

Making all types of fiscal data more accessible could enhance transparency, the study suggests. This could be done by standardizing the formats in which data is released, and consolidating information on web portals. — T. McCollum

US$1 trillion is estimated to be paid in bribes worldwide each year.
The poor pay up to 13 percent of their incomes in bribes — the highest percentage of any income level.
“The harm that corruption causes to development is, in fact, a multiple of the estimated volume, given the negative impact of corruption on the poor and on economic growth,” The World Bank says.
Source: The World Bank November 2016 anti-corruption brief

Global Uncertainties
Executives say economic conditions, regulation, and other top risks pose greater threat.

Business executives say they are most concerned that economic conditions in the markets their organization serves will inhibit its growth opportunities in 2017, putting it first among the top 10 risks reported by Protiviti Inc. and the Enterprise Risk Management (ERM) Initiative at North Carolina State University. Seventy-two percent of the 720 executives surveyed say the potential impact on their organizations of recent global uncertainties are a greater risk than in previous years, according to Executive Perspectives on Top Risks for 2017.

Scores for the top 10 risks are higher than in the 2016 report, reflecting a shift
organizations may not be taking sufficient steps to address them. Beasley says survey findings indicate “that organizations are not planning to invest additional resources in enhancing their approaches to risk management over the next 12 months.” The report notes that respondents’ interest in enhancing risk management processes is lower than in the previous two years’ surveys. This finding may be because of resource constraints in some organizations or an indication that organizations are satisfied with enhancements made in previous years, the report posits. — T. McCollum

Up to US$906 billion in annual revenue could be at risk as a result of nearly a quarter of global company sales depending on four commodities linked to deforestation, according to the Carbon Disclosure Project’s (CDP’s) report, Revenue at Risk. Fewer than half (42 percent) of companies surveyed have evaluated how their growth strategy will be impacted by the availability and quality of these commodities — cattle products, palm oil, soy, and timber products — over the next five years.

“Companies need to address the sustainability of products that drive deforestation quite simply to protect their balance sheets,” says Katie McCoy, head of forests at the CDP, a London-based global disclosure system for investors, companies, and governments to manage their environmental impacts. “If unsustainable commodities enter the top of a supply chain, the effects will cascade throughout.”

Though 72 percent of respondents say they are confident they will be able to source these supplies sustainably, only 44 percent of respondents with procurement standards monitor compliance with these standards and audit suppliers. The CDP calls for companies to ask for transparency and disclosure from their suppliers. — S. Steffee
Data Mining
By leveraging data, internal auditors can address issues beyond the reach of traditional analysis techniques.

The vast amount of data generated by business and the increase in data warehouses and legacy systems have created a treasure trove of information to be mined to draw meaningful insights regarding fraud indicators, emerging risks, and business performance. Companies such as Amazon, Facebook, Google, and Netflix are built on foundations of data exploration and mining.

Data mining, which includes text mining, is the discovery of information without a previously formulated hypothesis where relationships, patterns, and trends hidden in large data sets are uncovered. It involves using methods at the convergence of artificial intelligence, machine learning, statistics, and database systems. With the advent of big data, this niche-driven research discipline, developed in the 1980s, is now a powerful tool.

There are no roadmaps or directions in data mining. Instead, it requires thinking outside the box to come up with a range of scenarios. Questions like, “What are the risks?” “What opportunities exist for business improvements?” “How can this data be leveraged?” and “What fraudulent activities can occur?” can lead to developing algorithms.

Data Mining Techniques
The most common techniques used in data mining are predictive modeling, data segmentation, neural networks, link analysis, and deviation detection.

Predictive modeling uses “if then” rules to build algorithms. For example, during a loan audit, auditors can create rules to show which customers in a specific age range (18-25, for instance) with balances exceeding US$5,000 are likely to default.

Data segmentation involves partitioning data into segments or clusters of similar records. Also called clustering, this technique lets auditors see common factors underlying each segment. For example, a marketing audit can look at residents of urban neighborhoods and affluent areas where wealthier, older people live.

Neural networks are a type of artificial intelligence that uses case-based reasoning and pattern recognition to simulate the way the brain processes, stores, or learns information. In fraud detection, neural networks can learn the characteristics of fraud schemes by comparing new data to stored data and detecting hidden patterns.

Link analysis establishes links between records or sets of records. Such links are called associations. Examples include customers buying one product at a specific time and then a different product a few hours later or a vendor supplying a raw material and purchasing a byproduct. Or, in the case of a money laundering audit, identifying addresses that have many wire transfers attached to them.

Deviation detection is pinpointing deviations from the observations or model worthy of further investigation. An example is detecting an unusual transaction on a credit or purchase card that does not fit the typical spending patterns of a cardholder, such as buying a refrigerator or booking a vacation on a company’s purchase card.

Email Mining
The rapid evolution of data mining techniques on unstructured or semi-structured textual data now provides opportunities for audit analysis. Mining this vast text field is a key tool in the internal auditor’s arsenal for fraud prevention and detection. Word searches using “kickback,” “bank account,” “funds,” “money,” and “override” could uncover fraud, while words such as “flowers,” “anniversary,” “chocolate,” “gift,” “bar,” and “drink” could indicate office romances that breach a company’s code.
contents might include potential evidence of fraud and issues of audit concern. For instance, emails from an employee to customers when the employee does not hold a position that normally communicates with customers would be a red flag.

Emails might contain an exchange of information between parties that can provide evidence of a wide range of managerial fraud. Also embedded in email contents might be issues relating to breaches of compliance requirements and their cover ups, privacy matters, and theft of intellectual property. As emails pass through gateways, they are easy to archive, index, categorize, and monitor for keywords.

Social Network Analysis
Analysis of employees’ Facebook, LinkedIn, and Twitter accounts explores relationships or networks between email senders and recipients. Social network relationships may presage kickbacks or collusion between employees and third parties. Within this context, social media analytics is a tremendous tool. However, consideration should be given to such key risks as security, privacy and confidentiality, loss/theft of intellectual property and trade secrets, and legal and compliance.

Data Mining Tools
Data mining can be performed with comparatively modest database systems and simple tools or off-the-shelf software packages. Microsoft Excel has a wide range of functions that can be used in data mining without the hours of training required for other programs. Generalized audit software and server database software also are formidable data mining tools.

Raising the Bar
Data mining demands considerable time, serious commitment, a new mind-set, and new skills. Delays in getting the data, uncooperative management, time spent understanding the data, and scrubbing it are additional challenges. Data mining raises the bar on what can be achieved by addressing issues beyond the reach of traditional analysis techniques. It is more than running complex queries on large data sets. Internal auditors must work with the data to have it reorganized and cleansed, and identify the format of the information based on the technique or analysis they want to use. Data mining increases audit coverage, and with the internet and computer-assisted audit tools, auditors should be limited only by their imaginations.

Lal Balkaran, CIA, FCPA, FCGA, FCMA, is a risk, governance, and internal audit consultant with LBA Consulting in Scarborough, Ontario.

Data mining can detect a range of fraud indicators such as bogus vendors, kickbacks, money laundering, insider trading, and claims fraud. In a telecommunications audit, for example, a model can be built to show patterns of call destinations, duration, frequency, and time of day. Over time, when actual calls vary from expected patterns, it will alert internal audit to the possibility of fraud.

Outcomes also can indicate cost-saving opportunities, potential irregularities, and patterns worthy of further investigation. For example, in a procurement audit, using text mining that brings up common products and services may determine that there is an annual savings or discount to ordering cleaning supplies from one vendor instead of several vendors.

In a retail audit of a bank branch, a review of customer accounts can show single bank accounts converted to joint accounts, indicating marriage. Internal audit may recommend cross-selling mortgages and consumer loans to the joint account owners, which can grow branch profitability.

In a loan audit, nonperforming loans can be segmented to show different factors for loan failures. This can help guide the revamping of credit models and tightening of lending practices, which can reduce the number of nonperforming loans.
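The deviation detection technique from the Data Mining article above (a purchase-card transaction that does not fit the cardholder's typical spending pattern), as an added example that is not from the article. The record layout, merchant category names, the 3.5 cut-off and the minimum history size are assumptions, and all data is constructed.

```python
"""Deviation detection on purchase-card data (added example, not from the article).

Assumptions: record layout, merchant category names, the 3.5 cut-off and the
minimum history size are illustrative choices. All data below is constructed.
"""
from collections import defaultdict
from statistics import mean, median

# Constructed history: (cardholder, merchant_category, amount_usd)
HISTORY = [
    ("emp-101", "office_supplies", 42.10),
    ("emp-101", "office_supplies", 55.00),
    ("emp-101", "office_supplies", 38.75),
    ("emp-101", "software", 120.00),
    ("emp-101", "office_supplies", 61.20),
    ("emp-102", "travel_air", 410.00),
    ("emp-102", "travel_hotel", 389.00),
    ("emp-102", "travel_air", 455.50),
    ("emp-102", "travel_hotel", 402.25),
]

# Constructed new transactions: (txn_id, cardholder, merchant_category, amount_usd)
NEW = [
    ("t1", "emp-101", "office_supplies", 49.99),
    ("t2", "emp-101", "appliances", 1299.00),    # the article's refrigerator case
    ("t3", "emp-102", "travel_air", 430.00),
    ("t4", "emp-102", "travel_hotel", 2950.00),  # known category, unusual amount
    ("t5", "emp-103", "office_supplies", 20.00), # cardholder with no history
]


def build_baselines(history):
    """Group past amounts and merchant categories by cardholder."""
    amounts, categories = defaultdict(list), defaultdict(set)
    for holder, category, amount in history:
        amounts[holder].append(amount)
        categories[holder].add(category)
    return amounts, categories


def modified_z(value, sample):
    """Robust z-score from the median and median absolute deviation (MAD).

    Median/MAD are used instead of mean/stdev so that one earlier large
    purchase does not stretch the baseline and hide the next one.
    """
    med = median(sample)
    deviations = [abs(x - med) for x in sample]
    mad = median(deviations)
    if mad > 0:
        return 0.6745 * (value - med) / mad
    # MAD is zero when more than half the history is identical: fall back to
    # the mean absolute deviation, then to a plain equality check.
    mean_ad = mean(deviations)
    if mean_ad > 0:
        return (value - med) / (1.253314 * mean_ad)
    return 0.0 if value == med else float("inf")


def review(history, new, threshold=3.5, min_history=3):
    """Return {txn_id: [reasons]} for transactions that need an auditor's look."""
    amounts, categories = build_baselines(history)
    flagged = {}
    for txn_id, holder, category, amount in new:
        past = amounts.get(holder, [])
        if len(past) < min_history:
            # Too little history to say what "typical" is: route to manual review.
            flagged[txn_id] = ["no_baseline"]
            continue
        reasons = []
        if category not in categories[holder]:
            reasons.append("new_category")
        if abs(modified_z(amount, past)) > threshold:
            reasons.append("amount_outlier")
        if reasons:
            flagged[txn_id] = reasons
    return flagged


if __name__ == "__main__":
    for txn_id, reasons in review(HISTORY, NEW).items():
        print(txn_id, ", ".join(reasons))
```

A flag here is a lead for follow-up, not a finding: the cardholder with no history is surfaced separately so that a missing baseline is never read as "normal".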
Intelligent Assessments
Government auditors are using cognitive technology to help identify high-risk areas.

Robust audit risk assessments — a key building block of high-impact audits — are, by nature, a challenge for any internal audit department, and even more so in today’s dynamic audit environment. Especially in public sector organizations, where limited resources, competing priorities, and lack of subject matter expertise impede risk identification, auditors are increasingly looking to technology for solutions. Specifically, internal auditors can augment their risk management activities by using automated solutions that assess the literature in the field of interest to predict industry trends.

Cognitive technology — intelligent computer systems designed to perform human tasks — has long been used to enhance research and knowledge collection. This technology has potential to transform the internal audit profession, particularly in performing risk assessments.

Auditors at the New York State Office of the State Comptroller (OSC) have developed a tool set that leverages cognitive technology to extract and analyze text from audit reports, creating a search vehicle capable of identifying meaningful data within documents that collectively can help auditors identify high-risk areas. The tool set enables auditors to immediately access a wealth of publicly available, but until recently, elusive audit-critical information, minimizing time-consuming manual processes to identify themes and risks and ultimately improving the effectiveness of risk management, control, and governance processes within the agencies and organizations the OSC audits.

Distilling the Facts
Audit reports represent a source of untapped data. It is difficult to extract value from data using time-consuming manual searches. Conversely, computers have unlimited capacity for extracting value efficiently, as long as document text is prepared in a uniform format that both humans and machines can understand. Applying natural language processing (NLP) to text can allow internal auditors to tap into each sentence of every report, generating mountains of new information. NLP is a field of artificial intelligence that enables computers to understand human language. For example, NLP enables the iPhone’s Siri personal assistant to answer users’ questions. NLP can transform audit reports into a powerful source of insights for more targeted risk assessments and audits.

Searching for relevant audits requires varying amounts of information to be communicated through a web browser. Audit reports are available on the web in a range of formats — from the simple PDF to the more sophisticated HTML — each with varying levels of interoperability, depending on how the back-end information is organized. Data can be “structured” text containing additional coded information that facilitates machine reading, or “unstructured” text that lacks the required detail to enable efficient machine reading. The more structured the documents are, the more relevant the document retrieval can be.

The OSC’s tool set creates a process to derive machine-readable data from audit reports by: 1) converting text to a standardized structure, 2) adding layers of meaning to the text, and 3) teaching computers to use the information to recognize and understand common audit language, concepts, and themes, as well as to analyze associations. Although the OSC’s work to date has involved performance audit reports only, the tool set can be applied to any report type.

The Process
The OSC’s tool set uses optical character recognition engines to extract plain text only from each document. We then apply NLP to the plain text. NLP creates additional layers of linguistic information, which allows computers to put words into context and derive meaning.

NLP uses grammar rules to identify and classify parts of speech, and codes them using annotation tags. Likewise, it locates proper nouns, and classifies and tags them according to predefined named entity categories. For example, take the sentence, “For the two fiscal years ended June 30, 2010, the Mill Neck School claimed approximately $16.7 million in reimbursable expenses.” NLP identifies and tags “Mill,” “Neck,” and “School” each as a proper noun singular and then, based on their proximity, classifies and tags the proper nouns collectively as the named entity “organization.”

Based on the NLP annotations, additional information extraction techniques detect and tag audit-specific elements such as “auditee” and “finding.”

New information derived from NLP annotations allows auditors to data mine every sentence within a collection of documents using a variety of pre-set text recognition “rules” to identify high-relevance themes and risks. These rules, which interact with the computer in the form of user queries, act as filters to guide the computer’s recognition of text. Rules can vary in complexity, depending on the type of information the user seeks. For example, users can filter documents based on the frequency of a certain word or word combination occurring within them (visually represented as a word cloud) or on
overpayment, they can query the database for the word combination “overpayment–Medicaid.” The tool set then analyzes all the reports in the database, identifies those that contain the “overpayment–Medicaid” word combination, and ranks them by frequency of word combination occurrence.

After auditors select the reports that are of interest, the computer can automatically extract audit concept information from each. For example, certain words such as “ensure,” “need,” “reveal,” and “discover” are frequently used in reports’ findings sections. The computer searches for these words and extracts sections from the reports that contain them. Information can be retrieved in source list or text display views. As the computer’s knowledge bank grows — by learning new queries, understanding them in the context of existing queries, and thus creating new knowledge — the technology will become increasingly intuitive of the user’s intent.

Risk Assessment Transformed
Applied to the OSC’s growing database of audit reports, the tool set has transformed the office’s risk assessments by:
»» Unlocking new insights from raw information in existing work, which expands the scope of risk assessment.
»» Speeding data collection.
»» Enabling auditors to assess the quality of data faster and determine which are most useful.
»» Allowing auditors to leverage real-time data to continuously monitor trends and more quickly identify new risks.
As a result, the OSC’s auditors are better equipped to identify threats to a program’s or an organization’s success and sustainability, conduct more productive audits, make meaningful recommendations, and ultimately deliver on their professional commitment to improve governance, operations, risk management, and control processes.

Adapting to Changing Risk
The audit environment of today is highly dynamic: Risks are increasing in number and complexity, as are the number of regulations being created to control them. The OSC’s tool set is a critical resource to help auditors adapt to these changes, while supporting the profession’s advocacy of good governance. It’s an example of how internal auditors globally could leverage the benefits of technologies such as artificial intelligence to address risk in real time.
a cluster of specific words that are commonly associated with Xiaohu Nian is a research assistant at the New York State
a given audit concept such as a finding. Office of the State Comptroller in Albany.
Using the criteria of a given rule, the computer can Daniel X. Zimmerman is a research analyst at the New York
search a database of annotated documents and identify text State Office of the State Comptroller.
that fits the rule. For example, if auditors are interested in Mary McCoy is a senior editor at the New York State Office of
identifying areas within the Medicaid program at risk for the State Comptroller.
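The rule-filter step this article describes, sketched as an added Python example (not the OSC’s tool set or its code): regular expressions stand in for the part-of-speech and named-entity taggers, and the finding rule uses the four words the article names. All report text except the article’s Mill Neck School sentence is constructed, and the function names, inflection patterns, and head-noun list are assumptions.

```python
import re

# Sentence quoted in the article, used for the named-entity step.
ARTICLE_SENTENCE = (
    "For the two fiscal years ended June 30, 2010, the Mill Neck School "
    "claimed approximately $16.7 million in reimbursable expenses."
)

# Constructed report text with fictional auditees, standing in for OCR output.
REPORTS = {
    "report-A": (
        "The Sample Town School submitted expense claims for the audit period. "
        "Our tests revealed that several claims lacked supporting invoices. "
        "Officials need to ensure that claims are reviewed before payment."
    ),
    "report-B": (
        "The Example County Office processes vendor payments each week. "
        "We discovered duplicate payments to two vendors. "
        "Payments are approved by a single clerk."
    ),
    "report-C": (
        "The agency keeps an inventory of equipment. "
        "Inventory records were generally accurate."
    ),
}

# "Finding" rule: the four words the article names, plus common inflections (assumption).
FINDING_RULE = re.compile(
    r"\b(ensur(?:e|es|ed|ing)|need(?:s|ed)?|reveal(?:s|ed|ing)?|discover(?:s|ed|ing)?)\b",
    re.IGNORECASE,
)
STEMS = {"ensur": "ensure", "need": "need", "reveal": "reveal", "discover": "discover"}
# Head nouns that mark a proper-noun group as an organization (assumed category list).
ORG_HEADS = {"School", "Office", "Department", "Agency", "Authority", "University"}
LEADING_WORDS = {"The", "A", "An"}
PROPER_RUN = re.compile(r"\b[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*")
SENTENCE_END = re.compile(r"(?<=[.!?])\s+(?=[A-Z])")


def split_sentences(text):
    """Naive splitter: break after . ! ? when whitespace and a capital follow."""
    return [s.strip() for s in SENTENCE_END.split(text) if s.strip()]


def tag_entities(sentence):
    """Group adjacent capitalized words and label each group by its last word."""
    entities = []
    for match in PROPER_RUN.finditer(sentence):
        words = match.group().split()
        if words[0] in LEADING_WORDS:
            words = words[1:]  # drop a capitalized article
        if not words or (match.start() == 0 and len(words) == 1):
            continue  # a lone sentence-initial capital is rarely a name
        label = "organization" if words[-1] in ORG_HEADS else "other"
        entities.append((" ".join(words), label))
    return entities


def find_triggers(sentence):
    """Return the sorted base forms of finding-rule words present in a sentence."""
    hits = set()
    for word in FINDING_RULE.findall(sentence):
        hits.add(next(base for stem, base in STEMS.items()
                      if word.lower().startswith(stem)))
    return sorted(hits)


def mine(reports):
    """Apply the finding rule to every sentence; attach the report's auditee."""
    rows = []
    for report_id, text in reports.items():
        sentences = split_sentences(text)
        orgs = [name for s in sentences
                for name, label in tag_entities(s) if label == "organization"]
        auditee = orgs[0] if orgs else None  # assumption: first organization named
        for sentence in sentences:
            triggers = find_triggers(sentence)
            if triggers:
                rows.append({"report": report_id, "auditee": auditee,
                             "triggers": triggers, "sentence": sentence})
    return rows


def frequency_rule(reports, phrase, min_count):
    """Filter reports by how often a word or word combination occurs."""
    pattern = re.compile(r"\b" + re.escape(phrase) + r"\b", re.IGNORECASE)
    counts = {rid: len(pattern.findall(text)) for rid, text in reports.items()}
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [(rid, n) for rid, n in ranked if n >= min_count]


if __name__ == "__main__":
    print(tag_entities(ARTICLE_SENTENCE))
    for row in mine(REPORTS):
        print(row["report"], row["auditee"], row["triggers"], "|", row["sentence"])
    print(frequency_rule(REPORTS, "payments", 2))
```

The sentence splitter and capitalization heuristic will mis-handle abbreviations and dates; a production pipeline would use a trained tagger for those steps.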
the organization’s ethical temperature.

Conducting a fraud risk assessment is an important step for internal auditors who are evaluating an organization’s internal control environment. As part of these assessments, practitioners can use surveys, focus groups, and workshops with employees to take the organization’s ethical temperature and determine its ethical baseline.

Conducting a fraud risk assessment is similar to an internal audit risk assessment exercise carried out during the audit planning process, but the focus is specifically on fraud risk. The most successful fraud risk assessments are conducted in small brainstorming sessions with the operational management of the area under discussion. Facilitated by a fraud professional such as a Certified Fraud Examiner or internal auditor with appropriate fraud training, these assessments look at typical fraud schemes found in various areas of the organization and identify the internal controls designed to mitigate each of them. At a high level, this analysis examines internal controls and the internal control environment, as well as resources available to prevent, detect, and deter fraud.

A Different Assessment
A fraud risk assessment evaluates areas of potential fraud to determine whether the current control structure and environment are addressing the fraud risk at a level that aligns with the organization’s risk appetite and risk tolerance. Therefore, it is important during the development and implementation of the risk management program to specifically address various fraud schemes to establish the correct levels of control. The Association of Certified Fraud Examiners’ Fraud Risk Assessment Tool provides a structured approach to identifying key fraud schemes.

Fraud risk assessments emphasize possible collusion and management overrides to circumvent internal controls. Although an internal control might be in place to prevent fraudulent activity, the analysis must consider how this control could be circumvented, manipulated, or avoided. This evaluation can help the fraud risk assessment team understand the actual robustness and resilience of the control and the control environment, and estimate the potential risk to the organization.

One challenge at this point in the process is ensuring that the analysis assesses not just roles, but specific individuals who are responsible for the controls, as well. Sometimes employees will feel uncomfortable contemplating a fellow employee or manager perpetrating fraud. This is where an outside fraud expert can help facilitate the discussion and ensure that nothing is left off the table. To ask the right questions, the facilitator should keep in mind:
» Fraud entails intentional misconduct designed to avoid detection.
» Risk assessments identify where fraud might occur and who the potential perpetrators might be.
» Persons inside and outside of the organization could perpetrate such schemes.
» Fraud perpetrators typically exploit weaknesses in the system of controls, or may override or circumvent controls.
» Fraud perpetrators typically find ways to hide the fraud from detection.

The Ethical Baseline
It’s important to evaluate whether the organization’s culture promotes ethical or unethical decision-making. Unfortunately, many organizations have established policies and procedures to comply with various regulations and guidelines without committing to promoting a culture of ethical behavior. Simply having a code of conduct or an ethics policy is not enough. What matters is how employees act when confronted with an ethical choice; this is referred to as measuring the organization’s ethical baseline.

Organizations can determine their ethical baseline by conducting either an online survey of employees from various areas and levels within the organization, or through workshop-based surveys using a balloting tool that can keep responses anonymous. The broader the survey population, the more insightful the results will be. For optimal results, surveys should be short and direct, with no more than 15 to 20 questions that should only take a few minutes for most employees to answer. An important aspect of conducting this survey is ensuring the anonymity of participants, so that their answers are not influenced by peer pressure or fear of retaliation.

The survey can ask respondents to rate questions or statements on a Likert scale, ranging from 1–Strongly Disagree to 5–Strongly Agree. Sample statements include:
1. Our organizational culture is trust-based.
2. Missing approvals are not a big deal here.
3. Strong personalities dominate most departments.
4. Pressure to perform outweighs ethical behavior.
5. I share my passwords with my co-workers.
6. Retaliation will not be accepted here.
7. The saying “Don’t rock the boat!” fits this organization.
8. I am encouraged to speak up whenever needed.
9. Ethical behavior is a top priority of management.
10. I know where I can go if I need to report a potential issue of misconduct.

Interpreting the Results
The ethical baseline should not be measured on a point system, nor should the organization be graded based on the survey results. The results should simply be an indicator of the organization’s ethical environment and a tool to identify potential areas of concern. If done over time, the baseline can help identify both positive and negative trends.

The results of the ethical baseline survey should be discussed with management as part of a broader fraud risk assessment project. This is especially important if there are areas with a lack of consensus among the survey respondents. For example, if the answer to a question is split down the middle between strongly agree and strongly disagree, this should be discussed to identify the root cause of the variance. Most questions should be worded to either show strong ethical behaviors or to raise red flags of potential unethical issues or inability to report such issues promptly to the correct level in the organization. For example, if the answer to question 10 is heavily skewed toward Disagree, this could be an area that would need to be discussed to find the root cause. Strong ethical cultures would want a channel for reporting potential issues.

By obtaining a clear snapshot of the organization’s ethical temperature at a point in time, internal auditors can re-assess the evaluation of controls beyond purely their design and effectiveness. Instead, they can consider areas that may need additional review.

Bringing It All Together
The results of the fraud risk assessment and ethical baseline survey can help internal auditors determine areas of risk and control that should be considered for upcoming audit projects. For example, fraud risk schemes that are heavily dependent on controls that can be easily overridden may require more frequent assurance from internal audits than those schemes that are mitigated by system-based controls. And an organization with a weak ethical baseline may require more frequent auditing of detective control procedures than one with a strong ethical baseline, which might rely on broader entity-level controls. By measuring their organization’s ethical temperature, internal auditors will be turning up the heat on fraud.

An organization with a weak ethical baseline may need more frequent audits.

Steve Morang, CIA, CFE, CRMA, is senior manager–leader advisory fraud & forensics, with Frank, Rimerman & Co. in San Francisco.
cover up her embezzlement scheme.

Pam Hardy, an internal auditor with five years’ experience at a large national company, was auditing a remote distribution center when her routine sales and accounts receivable tests revealed minor discrepancies. Because the distribution center was small, it hadn’t been visited by internal audit for more than four years. Hardy initially thought that the two-hour drive to the distribution center wasn’t worth the time. But when other red flags appeared in addition to the minor discrepancies, Hardy knew she had to look into things further.

Comparing time clock work hours to the temporary payroll agency monthly billings, Hardy found a small difference in actual hours worked and hours billed for one employee. In reviewing personnel files, she also noted that two employees hired for seasonal work didn’t have Social Security numbers on file. Hardy learned from the temp agency that it had been trying to obtain the Social Security numbers for these employees, but was told to pay the employees until it could obtain and verify them. Further, Hardy noticed that the emergency contact information for one of the two employees was the same for the remote distribution center manager, Bob Lamp. She later discovered from Sally Wynn, the plant office manager, that the employee was Lamp’s son.

Growing uneasy about the circumstances, Hardy decided to review the center’s financials. Everything looked fine except that accounts receivable had significantly increased from the prior year. She contacted the corporate office that performed the bank reconciliations to inquire whether there were any issues and was assured that there were none. Hardy was relieved; nevertheless, she was still concerned about Lamp.

Hardy decided to drive to the distribution center the next day to meet with Lamp, but their conversation was constantly being interrupted. Consequently, she suggested that they go to lunch together, but Lamp was unable to attend because of urgent business. He asked Wynn to take Hardy to lunch instead. During lunch, Wynn stated out of the blue that her bank deposits had been consistently late because she was too busy and had to take the deposits to the night drop on her way home. Hardy hadn’t asked about the deposits and wondered why Wynn would volunteer that information.

Wynn then explained how difficult it was being a single mother to three children. They would only wear designer clothes, costing more than US$5,000, and they’d recently taken a weekend family trip to Disney World. Hardy also noticed that Wynn drove a luxury automobile. Her spending was far above an office manager’s salary. Wynn also complained she was so overworked that she never took vacations, only an occasional day off.

As Wynn described her duties, Hardy realized she had total control over cash collections, contrary to company policies. Hardy learned that Wynn was receiving and recording the daily route cash proceeds, preparing daily deposits, taking them to the bank, and entering sales invoices into the accounting system. She was also posting accounts receivable for mailed checks.

Hardy decided to review the cash book. She printed the daily sales reports and copied the cash book for the three months prior. While Hardy was doing this, Wynn suddenly became ill and left for the day, raising yet another red flag. Hardy requested and reviewed the bank reconciliations for the two previous months. She quickly realized they were a recap of the bank statement monthly summary: beginning balance plus deposits, minus disbursements equaling the ending balance. Notably, there was a difference in bank and book cash that hadn’t been investigated. There also were no deposits in transit, whereas most locations had at least one. Furthermore, there was no comparison between cash sales and monthly changes in accounts receivable.

Puzzled, Hardy called the accounting clerk who had been doing the reconciliations, who revealed there had been so many problems reconciling the location’s cash that she had given up and wasn’t reconciling the account. Hardy looked at the difference between the bank balance and general ledger cash and immediately knew there was a problem. There was a difference of almost US$210,000. Analyzing the cash book compared to daily route sales and accounts receivable postings, Hardy suspected Wynn was stealing most of the cash and only depositing checks.

The first instance of missing cash occurred about a year before. Hardy surmised Wynn had been lapping accounts receivable payments to cover the theft, misapplying customers’ payments to avoid detection. When checks came in the mail, she used them to conceal the cash embezzled from daily route sales, balancing the deposit to daily cash sales. If a customer complained, Wynn always answered the phone, allowing her to shield complaints from Lamp. She also tried to apply payments before subsequent billing dates, hoping customers wouldn’t notice the late payment postings.

Hardy confronted Wynn, who quickly confessed, stating she’d experienced financial problems and thought she would borrow the cash, intending to eventually make restitution. However, the longer the scheme went on, the more she believed it would never be detected.

In the aftermath, Wynn pleaded guilty and went to prison for two-and-a-half years. Because Hardy had so thoroughly documented the embezzlement, the insurance company fully paid the dishonesty claim. Corporate corrected the bank reconciliation protocols, and developed electronic exception reports that would immediately identify locations with large cash discrepancies and changes in accounts receivable as a percentage of sales. Further, all personnel were required to take a full week of vacation, at a minimum.

Lessons Learned
» Small or remote locations can be especially vulnerable to embezzlement. Controls consciousness on the part of management can wane in such cases, especially when controls are not audited regularly.
» Don’t be afraid to change your fraud hypothesis. Hardy originally thought Lamp might be a fraudster, which led her down the path to Wynn. Lamp’s only offense was lack of appropriate controls at his distribution center.
» Wait to confront someone until after the facts have been reviewed. Start by analyzing the underlying documentation. Make a plan regarding which documents need reviewing, who you’ll interview, and who needs to be informed about the proceedings. If there is predication of fraud, determine who the most likely suspect is.
» Be flexible and use common sense. Some auditors check the boxes, but fail to look at the big picture. The embezzlement could have been caught sooner if someone had analyzed the change in accounts receivable as a percentage of sales and the large discrepancies between book and bank cash.
» Controls that aren’t operating effectively are useless. The accounting clerk hadn’t reconciled the location’s bank account. Further, the supervisor had signed off without reviewing the reconciliations. Failing to appropriately apply controls can contribute to concealing a theft.

Donald K. McConnell, Jr., PHD, CPA, CFE, is a distinguished teaching professor in the Department of Accounting at The University of Texas at Arlington.
Jean L. Manuel, CPA, CFE, CFF, is a fraud investigator and former internal auditor in Dallas.
AUDIT PLANNING
Auditing What Matters
Jane Seago
Illustration by Sean Yates

between performing traditional internal audit activities — the time-honored “tick and tie” procedures — and activities that contribute more directly to value creation. “Both those activities are important,” says Larry Baker, a senior leader in internal audit, enterprise risk management, and strategic planning in Oklahoma City. “Even when management is convinced the organization is doing everything possible to ensure that a process is working effectively, internal audit still needs to do an independent audit of the controls that make management feel so comfortable.”
AUDITING WHAT MATTERS
repeatable. Then came the U.S. Sarbanes-Oxley Act of 2002, which indirectly caused companies to re-examine their control structures and how to improve controls, leading to evolution in other areas. “Internal auditors today must think more broadly, across the enterprise,” he notes. “Where is the company strategy focused, what are the major initiatives, and where is the money being spent? Those answers tell you what’s important to the entity, and that’s where internal audit should focus.”

There is yet another question that can help internal audit identify the “right” risks to address, says Brad Ames, internal audit director for Hewlett Packard Enterprise in Palo Alto, Calif.: Who is accountable for a specific strategy? “Once you know that, you can build an authentic relationship with them and make them your stakeholders,” he explains. “Ask them what they see that would inhibit them from accomplishing their strategic objectives. Begin the risk discussion, always establishing visibility into risk so they don’t overvalue or fear it. Determine in advance how the partnership will accelerate business strategy. This context will help them feel more confident about the risk, making them less likely to allow it to cause them to undercommit to the strategy.”

In most organizations, one of the areas of focus will involve technology. All businesses must learn how to optimize the use of technology — not only in any technology-enabled products and services they offer to customers, but also in their own internal business processes for greater efficiencies and effectiveness. Many organizations’ strategies include specific objectives related to technology, a clear signal that internal audit must focus on it as well — in Ames’ words, “presenting itself as relevant to strategy.”

It is also important for internal auditors to recognize that, even as they raise their focus on strategic initiatives, they must maintain many customary audit activities, such as looking at segregation of duties, fraud potential, regulatory compliance, and transactions. However, Ames points out, even the traditional audit activities can and should “move toward strategy.”

THE RISK CONNECTION
The upcoming revision of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework, scheduled for release in early 2017, describes an enterprise risk management (ERM) program that is highly interrelated with controls. Whether internal auditors use COSO ERM to guide their risk-driven strategic activities, or build their own frameworks based on its precepts and shaped by experience and common sense, Watts warns against “cherry-picking activities” from the framework. Focusing only on certain parts of a framework while ignoring others is likely to hinder generating full benefit from the process, perhaps even missing opportunities. Taking a broader, holistic view that aligns the organization’s ERM program with strategy facilitates internal audit’s understanding of the strategy itself and its role in the major initiatives the business deems critical to accomplish the strategy.

This is not to say that an internal audit focus on organizational objectives, as outlined in the strategy, automatically improves ERM within the organization. “Hopefully it does, but it’s far from given,” says Charlotta Löfstrand Hjelm, chief internal auditor at Lansforsakringar AB in Stockholm. “If there is no objective, there is no risk. The important thing is to show where value is created and how it can be affected by certain unwanted events — or enhanced, if we
Internal auditors can make inroads into altering their organization’s culture to accept a more strategic approach to internal auditing. Here are techniques the audit leaders interviewed for this article recommend to lay the groundwork and prove the department’s readiness:
» Even while performing traditional internal audit activities, have the courage to step outside the norm occasionally. Be sure to communicate the positive results of the “experimentation” and the ways it benefited the organization. Use that win to build the next one.
» Take the “journey begins with a single step” approach and start by making one small adjustment. Then, when the time is right, make another. The key is to take each step with the firm intent of going on the whole journey.
» Spend more time talking to customers and listen carefully to their responses. If you are doing a traditional activity such as matching invoices, spend an hour talking to the people who process the invoices. It’s often possible to learn more from hearing than seeing, and that knowledge, which may uncover previously unknown issues or opportunities, can help you build a case for expanding internal audit’s role.
» Polish your soft skills. Those who can ask good questions, establish relationships (within the bounds of independence and objectivity), listen carefully, and summarize succinctly are generally more effective in uncovering truths — and in building compelling business cases for desired outcomes based on those truths.
» Arm yourself with expertise before acting. In today’s environment, there is a lot of pressure to do more with less, add value, and show productivity. This may cause internal auditors to jump into activities they don’t fully understand. Don’t make that mistake. Be prepared. Perform research, get training, and ask experts to help you where needed. If you are given a chance to try something new, the odds of getting a second chance will depend on doing the first one well.
» Don’t fear failure. Not every effort will be a success, but that can’t be a reason to give up. Develop your resilience by learning from failure and moving on.
can articulate how to capture this.” Showing how goals affect value and risk in other areas can be helpful, as can positioning objectives as the link between the audit plan — including consulting and advisory activities, not only assurance audits — and the different plans from the organization, such as strategic plans, business plans, and risk reports.

Auditors tend to be good at using a risk-focused approach. In fact, Ames speculates that management tends to perceive internal audit as being all about compliance or risk. In his view, a risk-based approach is “our foundation,” but internal auditors should be more focused on increasing value to the business, positioning internal audit as partners in strategy.

THE NEED FOR SPEED
A phrase often used to characterize one aspect of the relationship between internal audit and risk management is that internal auditors must “audit at the speed of risk.” In today’s business environment, types of risk, likelihood of occurrence, and degrees of impact change almost daily. If internal audit is focused on supporting strategic objectives, and if a key factor in accomplishing those objectives is understanding the risk surrounding them, then the speed at which internal audit can identify and act on risk is important. Internal auditors must find ways to remain informed and take proactive measures.

Lisa Lee, vice president, Audit at Google Inc. in Mountain View, Calif., says in a fast-paced environment, the key for internal auditors to add value is to communicate concerns quickly. “Where it makes sense, engaging early with process owners to conduct risk assessments and assess control design effectiveness will help provide clarity on the highest risks that need to be managed,” she explains. Moreover, she says, “Assessing the maturity of controls can help provide meaningful information, as manual or detective type controls may be appropriate when a process or product is first
Critical objectives often have critical risks. Knowing how to identify those risks, prioritize them, and develop mitigation plans can help internal audit focus its efforts on value-producing activities for the organization. The following process, described by Larry Baker, has been in use at his previous employer, Devon Energy Corp., for many years. Each step is facilitated by internal audit.

It takes approximately 18 months to cover all 20 areas. Internal audit uses these results to identify any new information or changes that need further examination. Significant changes often relate to areas most critical to the organization and, therefore, guide internal audit’s effort in valuable, strategic, and risk-driven directions.
launched, but as the process or product matures and scales, so should controls.” Using a maturity model, such as a scale from 0 (indicating a nonexistent control) to 5 (indicating an optimized control), can be helpful in instances where there may be a need for more robust controls.

The traditional approach of having an annual audit plan may not mesh well with the speed of today’s business. Internal auditors may struggle to adhere to the plan while also trying to accommodate constant change and ensure focus remains on the most critical risks. Lee notes that at Google, internal audit maintains a running list of initiatives and commits to a quarterly audit plan based on addressing the current high risks.

GETTING BUY-IN
Making changes to the way internal audit operates may not always be welcomed with open arms. In some
“If internal audit can provide information that will help executives do their job better or help them achieve their goals, then buy-in isn’t a problem.” Lisa Lee

that will help executives do their job better or help them achieve their goals, then buy-in isn’t a problem because they see value in internal audit’s work.”

But what if it is internal audit’s own leadership that needs to be convinced of the value of a more strategic approach to internal auditing? According to Ames, “It’s difficult for audit departments to break through from a routine, traditional approach to a more optimized, innovative view without support from the leadership in the audit department, itself. You might have a few who reach those levels, but never the whole department. And internal audit won’t become a partner in the strategy.”

The CAE is the linchpin. When risk is discussed in the organization, the CAE must step up to highlight the need for a strategic approach and explain the audit committee’s mission. If the mission described in that explanation is focused only on protecting, the opportunities for enhancement may be limited. The opportunities are even more limited if the CAE chooses not to listen to his or her internal auditors’ suggestions for how they can contribute more value to the organization. “Then perhaps it is time for the CAE to move on to another position,” Hjelm suggests, while also admitting, “This is, of course, easy to say, but hard to do.”

ance also transforms to insight — a transformation expected of a trusted advisor. She counsels, “The audit report is not the main result of our work. The main result becomes our identification and description of what consequence a risk or a combination of risks has. Internal auditors’ understanding, knowledge, and ability to communicate in business language can help the board and C-suite focus on ‘hot’ areas.”

Focusing internal audit’s activity on the strategic objectives that matter most to the organization is a value-producing proposition. And, in fact, while it is a topic of attention now, it may not be an entirely new concept.

Perhaps it is, instead, a matter of recommitting to basic, long-held beliefs that may have slipped out of view for a time, in the rush of checking items off the daily to-do list. Baker notes, “We sometimes forget that our whole life in internal audit has involved objectives, risk, and controls. Sometimes we focus more on controls, other times we zero in on risk. But objectives have always been there. And if we don’t assess risk and controls with objectives in mind, why do it?”

JANE SEAGO is a business and technical writer in Tulsa, Okla.
Core Principles and the QAIP
Demonstrating the effectiveness of the IPPF’s Principles shows internal audit’s alignment with stakeholder expectations.
Basil Woller

Internal Auditing, it provided a significant opportunity to integrate and align these Principles into an internal audit activity’s quality assurance and improvement program (QAIP). The challenge is how to do it in a practical and meaningful way that provides incremental value to the internal audit activity and its stakeholders. This is especially relevant in today’s dynamic business environment, because demonstrating the effectiveness of Core Principles as a component of the QAIP supports the credibility and value of internal audit and promotes its role within the organization’s governance structure.

The best way to integrate Core Principles into the internal audit activity’s understanding of quality is to develop a concept and approach that is easy to understand, is adaptable to an individual organization, and provides insight into how effectively the Core Principles are being achieved. It also is important to understand how achieving Core Principles could be an integral component of the QAIP and an extension of the assessment process. Even though QAIP external assessments do not require auditors to evaluate conformance with the Core Principles, they are a mandatory element of the IPPF. As such, chief audit executives (CAEs) should have a perspective as to whether they are being achieved and a way to communicate that perspective
to key stakeholders in a way that is easy to understand and can be monitored, measured, and reported over time.

Why Integrate the Core Principles?
Standard 1300: Quality Assurance and Improvement Program is designed to promote and support quality and continuous improvement in an internal audit activity. Internal and external assessment components provide a framework to ensure quality is embedded into internal audit processes and infrastructure. Communication of results to senior management and the board supports their fiduciary oversight of the internal audit activity. Achieving these Core Principles is a professional requirement. Embedding them into the QAIP is an effective way to ensure the internal audit activity is aligned with these mandatory IPPF elements or ensure that governance and oversight activities related to internal audit are consistent with successful practices and professional requirements.

How to Integrate the Principles
Quality standards require an evaluation of conformance with the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing. It is assumed that if an internal audit activity is in general conformance with the Code of Ethics and the Standards, then it is achieving the Core Principles. As a result, even though Core Principles are mandatory, there is no mechanism defined to provide a CAE with a view toward whether the Core Principles are being achieved.
In fact, there are other characteristics that demonstrate whether an internal audit activity is achieving the Core Principles beyond conformance with other mandatory elements of the IPPF. The most appropriate mechanism to integrate Core Principles into the QAIP is to use a maturity framework to describe levels of maturity related to each principle. This can provide insight into achieving Core Principles efficiently using a combination of quantitative and qualitative characteristics to define maturity.
The QAIP provides quantitative characteristics to the maturity framework through its internal and external assessment requirements. Other qualitative characteristics that help describe placement on the maturity spectrum supplement the QAIP quantitative view. There are five steps that provide a roadmap for implementing a Core Principles Effectiveness Framework into a QAIP.

1 Establish a Maturity Framework
The Core Principles Effectiveness Framework (see “Core Principles Effectiveness Model” on this page) describes the infrastructure, process, and quality associated with differing levels of achieving effectiveness for the Core Principles. Progression along the maturity spectrum is a function of demonstrating characteristics associated with each level. Movement to a higher level of maturity assumes characteristics of all previous levels of maturity continue to be demonstrated. Placement on the maturity spectrum is a matter of professional judgment considering the “best fit” based on defined characteristics. Effectiveness progresses from:
1. An ineffective level – Infrastructure and processes supporting the internal audit activity are not well defined or operating effectively and there are many areas of partial or nonconformance with associated standards.
• Demonstrates integrity
• Demonstrates competence and due professional care
• Is objective and free from undue influence (independent)
• Aligns with strategic objectives and risks of the organization
• Is appropriately positioned and adequately resourced
• Demonstrates quality and continuous improvement
• Communicates effectively
• Provides risk-based assurance
• Is insightful, proactive, and future-focused
• Promotes organizational improvement
clear view and differentiation between the levels. When viewed in combination, these definitions provide a useful tool to facilitate the placement of a specific Core Principle onto the maturity spectrum. As with any maturity framework, placement on the spectrum is a “best fit” based on the judgment of the professional performing the assessment. “Demonstrates Integrity Characteristics,” this page, establishes the characteristics for the Core Principle, “demonstrates integrity.” The Standards, QAIP, infrastructure, and process characteristics are the same for all Core Principles.

standards.
»» External assessments performed more frequently than the five-year requirement.

Sustainable
»» Generally in conformance with all standards associated with the Core Principles.
»» Conformance demonstrated in at least two consecutive external assessments.
»» At least two consecutive external assessments performed. All external assessments performed within the five-year requirement.
Infrastructure and Process Characteristics:
»» Internal audit charter supports internal audit role in Three Lines of Defense Framework.
»» Functional reporting to the board supported by active oversight processes. Administrative reporting includes seat at the table for executive-level strategy-setting and direction.
»» QAIP viewed as opportunity to become world class. Passion for excellence. Status quo not acceptable.
»» Active benchmarking with peers to identify ideas and opportunities for improvement.
Core Principle Specific Characteristics:
»» Independence and objectivity are supported by annual awareness training.
»» Independence and objectivity actively managed at individual, engagement, and internal audit activity level.

Infrastructure and Process Characteristics:
»» Internal audit charter approved by the audit committee annually.
»» Functional reporting to the board and administrative reporting to the CEO.
»» QAIP in place with primary focus on continuous improvement.
»» Internal audit manual updated annually to ensure alignment with changes to the Standards and successful internal audit practice.
Core Principle Specific Characteristics:
»» Independence and objectivity are actively managed by internal audit.
»» Internal audit management and staff sign annual confirmation of independence and objectivity and agree to abide by the Code of Ethics.

Infrastructure and Process Characteristics:
»» Internal audit charter approved by the audit committee. All required elements in place.
»» Functional reporting to the board and administrative reporting to a direct report of the CEO.
»» QAIP in place and documented with all required elements.
»» Internal audit infrastructure and processes defined and documented in manual. All required elements included.
Core Principle Specific Characteristics:
»» Internal audit charter requires conformance with the Code of Ethics.
»» Internal audit policies and procedures require conformance with the Code of Ethics.
»» Real or perceived conflicts of interest disclosed appropriately.

Infrastructure and Process Characteristics:
»» Internal audit charter approved by the audit committee. Not all required elements in place.
»» Functional reporting to the board. Administrative reporting to level below a direct report of the CEO.
»» QAIP in place and documented but does not include all required elements.
»» Internal audit infrastructure and processes defined and documented in manual. Not all elements included.
Core Principle Specific Characteristics:
»» Internal audit charter references the Code of Ethics.
»» Internal audit policies and procedures reference the Code of Ethics.

Infrastructure and Process Characteristics:
»» Internal audit charter not in place or not approved by the audit committee.
»» Functional and administrative reporting does not support independence and objectivity.
»» No QAIP in place.
»» Internal audit infrastructure and process not defined and documented in manual.
Core Principle Specific Characteristics:
»» Specific examples of operating in conflict with the Code of Ethics.
»» No disclosure of real or perceived conflicts of interest.
assessment provides the opportunity to assess conformance with the Code of Ethics and the Standards to provide data associated with the defined characteristics, and is essential to provide insight into conformance in the periods between external assessments. An external assessment provides the perspective of an independent assessor or assessment team qualified in the practice of internal audit and external assessment related to levels of conformance. Frequency of external assessment is a factor in determining level of maturity.
Principles Effectiveness Framework is a matter of professional judgment. Using a systematic and defined framework increases the likelihood that placement is appropriate and consistent with defined characteristics. A maturity framework provides the foundation and perspective to make reasoned and professional judgments regarding the levels of maturity for each Core Principle. From an organizational perspective, some principles might be more relevant than others in achieving objectives. Increasing the level of maturity and the resulting investment might be appropriate.

Aligning Internal Audit
The Core Principles established in the
provides the perfect mechanism to demonstrate to stakeholders that this mandatory element of the IPPF is relevant to the practice of internal auditing in the organization and that the internal audit activity is aligned to their requirements. Using a maturity framework provides a context for this communication that is measurable and easy to understand. It also provides better insight into the activities that support the profession and can promote a deeper understanding of internal audit’s role in the governance mechanism of organizations. As the Standards change, the Core Principle Effectiveness Framework is scalable and adaptable. Each Core Principle’s defined characteristics can be adapted to

Basil Woller, CIA, CRMA, is principal and owner of Basil Woller & Associates in The Woodlands, Texas.
Champions of Trust
38 Internal Auditor February 2017
ethics
By Richard F. Chambers
Illustration by Timothy Cook
Public trust in government and big business is dropping at an alarming rate. Whether viewed through a political lens in the surprising Brexit and U.S. presidential votes, or the consumer and regulatory backlash against a corporation embroiled in scandal, the repercussions of those misgivings can be profound.
This growing distrust reflects a fundamental erosion of faith in the institutions that are the bedrock of modern civilizations. As internal auditors, we are guardians of trust in the organizations we serve, and to be effective, our stakeholders must be confident that we will do the right thing, speak the truth, and be courageous. I gave a great deal of thought to what makes a trusted leader while researching my new book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors. My research, assisted by The IIA’s Audit Executive Center (AEC), included surveying some of the top professionals in internal auditing about what attributes they believe are essential to becoming a trusted advisor. Toward the top of the list is ethical commitment. An excerpt from the book focuses on this trait and discusses why internal auditors must go beyond commitment and demonstrate ethical resilience.
I enjoy watching football (that is, American football, not soccer). Sometimes during the game,
when an infraction is committed before the play begins, the referee will throw a penalty flag.
The flag often signifies a false start if certain players on the offensive team move before they’re
supposed to. At times, there are referees who either ignore the infraction or are passive about
making the judgment call.
Internal auditors who sit on the sidelines and fail to call out inefficiency, waste, fraud, or
mismanagement are spectators. More commonly, internal auditors are referees, observing the plays
that make up the normal course of business operations and blowing a whistle or throwing a yellow
flag when circumstances warrant. They are objective in assessing whether a foul or infraction has occurred,
but they are in reactive mode — responding to what took place in the past.
The most effective internal auditors are those with enough fortitude to blow the whistle before trou-
ble ensues. They see troubling issues in the formation stage, raise a concern, and take a stand to ensure
things are done right.
But, as I discovered years ago, there has to be a high degree of trust between internal auditors and
those whom they are cautioning about pending wrongdoing or calamity. Without trust as a basis for
engagement, the conversation can become awkward or even polarizing.
Ethics is an area that plays a significant role in my view of outstanding internal audit performance;
so much so that I decided to feature ethical resilience as my first area of focus. I’ve been known to char-
acterize ethics as “table stakes” for those wishing to engage in internal auditing. It’s a strong statement,
but I stand by it. Internal auditors can’t accomplish their mission without a diligent, unceasing commit-
ment to ethical behavior.
Larry Sawyer, an iconic internal audit author, wrote about the importance of trust in ethical behavior.
He wrote, the “key to any profession is the trust placed in it by its clients.” Everyone knows how important
ethics are; that’s a foregone conclusion. But I believe that, for internal auditors, ethical behavior is so critical,
it goes beyond just a commitment. Outstanding internal auditors do more than just commit to ethics; they
model ethical conduct in everything they do by being resilient, even when it may not be a popular stance.
They may be tested ethically, but they withstand the challenges to their ethical convictions and bounce back
stronger than ever.
Obviously, the CAEs who responded to the AEC survey agreed with this view. More than half of
them selected ethical commitment as one of the top three traits shared by successful internal auditors.
Reinforcing that viewpoint, the Internal Audit Foundation’s Common Body of Knowledge (CBOK) 2015 Global Internal Audit Practitioner Survey asked CAEs around the world to rate themselves on their perceived level of competency on 10 core competencies, with 1 being “novice” to 5 being “expert.” The survey data indicated that CAEs rated themselves highest in ethics (4.3 overall), which validates my point that ethical resilience is a top attribute for outstanding internal auditors.
Paul Sobel, vice president/CAE for Georgia-Pacific LLC, states it very simply and powerfully: “In
our role as auditors, ethics and integrity are the foundation for our ability to provide objective assurance,
advice, and insights. In essence, it’s the foundation for our credibility.”
...
Committing to Ethics
As the leader of a global organization that requires compliance with a formal Code of Ethics to serve as
a member or hold a certification, I have an unwavering commitment to behaving ethically. At The IIA,
we don’t skirt the issue; we believe internal auditors must stand for what is right, adhere to the highest
ethical code, and never yield to pressures to bend the rules. An ethical lapse by one internal auditor can
undermine trust not only in that individual but also in those around him or her. The higher in the orga-
nizational chart the transgression occurs, the more damaging the potential impact. We in the profession
must share a commitment to ethics. For the most part, I believe we do.
In most organizations, the internal auditors are perceived as being far more likely to disclose ethi-
cal misconduct than to act unethically themselves. But we are human. I will never forget my surprise and
disappointment when I viewed the results of a survey of 70 CAEs attending an IIA event a few years ago.
One-third of the respondents acknowledged that they had “discovered or witnessed unethical actions”
within their own internal audit functions.
Making the effort to clean our own ethical house is important not only in the context of what internal
auditors do in their everyday jobs, but also in their role as business leaders. In her book, 7 Lenses: Learning the
Principles and Practices of Ethical Leadership, Linda Fisher Thornton says getting employees to act ethically is
largely driven by their desire to “follow the leader.” If they see top management behaving ethically, desiring to
serve others, and making a positive difference, they are inclined to respond in kind.
Organizational commitment to ethical behavior is not just a matter of hosting an “ethics day” or
showing a slide presentation during new-hire orientation, although all efforts at communicating expec-
tations relative to ethics are valuable. The most impactful things leaders can do to influence employees
are subtler: openly discussing ethical gray areas, acknowledging the complexities that can arise in work
situations, treating ethics as an engrained way of behaving, celebrating displays of ethical conduct,
showing respect for those with different opinions and difficult personalities, and expecting everyone to
meet ethical standards.
These behaviors (at any rank in the organizational chart) should not be difficult. If we think of ethics as a way we interact, collaborate, and create synergies with others, it should be natural to act ethically and expect the same behavior from others.
The results of such behavior can yield unexpected results. Early
in my career as a CAE, the chief financial officer (CFO) asked my internal audit team to perform an
audit. He had a strong personality and was sure the company was being billed for purchases it didn’t
make. He wanted my team to find evidence to support his belief. I sent the internal auditors to con-
duct the audit and they found no evidence of transgression, which put me in a bit of a tight situation.
The support from the CFO and other executives was important and necessary to me, yet I knew that
our audit results weren’t what he wanted to hear. By telling him he was wrong, I risked losing both his
fledgling trust in the internal audit department and his willingness to use us for future projects, but I
knew I had to be straightforward with him. As expected, he did express some disappointment that we
didn’t validate his concerns.
Not long after that, he called me to ask my team to do some work in another of his functional
areas. After I expressed our willingness to do so, I told him I was surprised he had contacted me for an
additional project since I didn’t give him the news he wanted to hear the last time. He responded that
my honesty in those circumstances proved to him that my team and I would be fair and objective and he
could rely on our work. I don’t think he intended our first encounter to be a litmus test, but it was. Once
your stakeholders have a chance to check your ethical compass and confirm that it’s pointing true north,
they know they can follow you because you won’t lead them in the wrong direction.
Ethical Behaviors
No one is saying that exercising ethical behavior is easy, but maybe half the challenge is in agreeing on
exactly what constitutes ethical resilience. In the AEC survey, we used the following terms to elaborate
on what we meant by ethical commitment, and I suspect few would argue with their inclusion:
“Inner courage: to follow leads, to follow your gut belief, to professionally confront manage-
ment and the board, to raise the questions few people want you to raise, to put it all on
the line (in terms of taking the risk to do what is right).”
“Courage: the ability to express one’s opinion and give advice even when the ideas are not
popular or wanted.”
“Courage to stand alone, if needed, when tough issues need to be raised to management and the board.”

Courage is what drove Bethmara Kessler, senior vice president, integrated global services, and former CAE of Campbell Soup Co., to select ethical commitment as one of her top two choices in the AEC survey. She explains that courage is a particular challenge for auditors because in her long experience of managing audit teams, she has seen internal auditors sometimes waver in their defense of difficult findings for a variety of reasons: They, like most humans, want to be liked; they
want to avoid difficult conversations; they feel the pressure to serve too many masters with compet-
ing needs; and they fear their actions may hinder their future career opportunities in the business.
But, she remarks, “We have to remind internal auditors that courage is important and they should
step forward when they see something. Look at Harry Markopolos, who tried multiple times to
break open the Madoff scandal. He just kept going back to the [U.S. Securities and Exchange
Commission] over and over to make his point. I’m sure it was not an easy thing to do. It took a lot
of courage. In my view, he’s a hero.”
Another internal audit hero who deserves notice is Heidi Lloce-Mendoza, currently undersecre-
tary general for the United Nations Office of Internal Oversight Services, and before that, commis-
sioner and officer-in-charge of the Commission on Audit (COA) of the Philippines. Mendoza came
to the world’s attention as a result of a 2002 audit her team conducted that uncovered massive bid
rigging by former Makati City Mayor Elenita Binay. Mendoza served as a government witness in
some of the antigraft cases filed against the former mayor. In response to her speaking out against the
former mayor’s corruption, Mendoza’s home was broken into multiple times and she was the target
of threats that required special security protection. Yet, despite her admission that she was still being
harassed about her role in the corruption trials 13 years after the fact, when she resigned from the
COA in 2015 she indicated that her passion for her work had not abated and she felt “no pain, no
trace of regret” for her experiences.
...
Ethical resilience is a trait that not only provides value in and of itself, it also supports the other
traits mentioned in this book. Having a firm grip on our own ethical beliefs clears away some of the
clutter that can distract us from focusing on desired results.
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and CEO of The IIA.
Trusted Advisors: Key Attributes of Outstanding Internal Auditors is available at The IIA’s Bookstore.
Infusing IT Auditing Into Engagements
A three-phase approach can enable
technology into their assurance and advisory work will not be able to keep up with the evolving risks, strategies, and needs of their organizations.
Like any new audit endeavor, internal audit needs to gather information and form a plan for incorporating IT audit techniques into their audit work. Although each organization will require a different mix of effort and materials to obtain this information, some common elements are needed to prepare a comprehensive plan over the short (2 to 3 years), middle (3 to 5 years), and long term (5 to 7 years). The timing in which internal audit implements these elements may vary based on the organization, internal audit department, and internal auditors’ capabilities. At each stage, the elements should be completed concurrently, with the internal audit department thinking holistically about the future of integrated auditing at its organization.
A separate IT audit is not required to start infusing IT-related capabilities into the current internal audit function; already-scheduled audit engagements can incorporate elements of IT auditing, further enabling the internal audit department to identify resources and education needed in the long term. As the internal audit department becomes more knowledgeable about the organization’s IT environment, auditors can educate organizational management about the benefits of IT auditing in relation to business objectives. In the short term, the department should focus on creating a solid foundation that allows for development of future efforts.

Incorporate IT Perspective Into Current Audit Engagements
Internal audit management should encourage staff members to incorporate IT audit methods into their engagements. During the planning phase, auditors should recognize the role IT plays in the internal controls for the processes currently being audited. Document internal audit’s understanding of the organization’s IT environment. For example, when auditing the accounts payable process, auditors should not only interview the accounts payable clerk about internal controls, but also talk to the individuals responsible for maintaining and supporting accounts payable data and processing systems. Moreover, internal audit should document automated controls such as access controls to the vendor master file.
Locate and read IT policies, focusing on change management, segregation of duties, and information security. Consider obtaining training from IT experts on applications used within the organization such as enterprise resource planning (ERP) software. Areas in which internal audit should develop skills include cybersecurity, data mining, audit analytics, crisis management planning, vendor governance, corporate and data governance, continuous auditing, and software and system life cycle management.

Identify Resources
Leveraging their knowledge of the organization’s IT environment, internal auditors should inventory the IT resources used across the organization. Start with core functions, including resources driving financial, human resources, and customer data. IT resources include IT platforms (servers, routers, and workstations) and software (databases, and proprietary and off-the-shelf applications). In the accounts payable example, IT resources could include ERP software and other electronic records such as spreadsheets used to house important calculations.
Second, pinpoint data stored on these core IT resources that are vital to current operations and achieving key business objectives. Key data could include vendor bank account, address, and contact information, as well as invoice distribution coding. Analyze current risk assessments of the underlying risks of this data. Examples of accounts payable risks include phantom vendors, duplicate payments, and corrupt or incorrect data. Assessing the current landscape reveals the most critical IT systems and data that need to be audited. Map core IT resources and data to key business objectives.

Respond to IT Risks and Identify Audit Objectives That Can Add Value
IT supports nearly all business functions and allows management to make accurate, timely, and appropriate decisions that drive business operations. Integrated audits can support management’s risk assessment to help align business objectives and IT. Research by Peter Weill and Jeanne Ross, published in the MIT Sloan Management Review, shows that appropriate alignment of organizational objectives and IT can deliver as much as a 20 percent higher return on investment.
Internal audit should identify top areas for review, with estimated resource requirements, based on the risk assessment and the risk tolerance
While using the current audit engagement schedule in the short term, chief audit executives (CAEs) should evaluate the department’s preparedness to grow into a more mature model in which individual IT audit engagements are expected and the CAE has worked with organizational management to link business risks with IT audit techniques. In the middle term, internal audit must get the right people on board and work with the IT department and the organization at large to use a common IT framework. Moreover, it should partner with management and the IT department to facilitate long-term planning.

Build a Team
Audit leaders should recruit qualified personnel with IT skills within the internal audit department. Look for people within the department who have current IT audit skills or an aptitude for technology that would enable them to gain those skills. Create a training plan that will address the core IT systems used within the organization and IT audit areas that will need to be covered in future audits. Consider hiring an IT expert into the internal audit department to help the department establish a solid relationship with the IT department.

Understand the IT Framework
Organizations perform optimally when they use a consistent IT framework, which requires assessing the current state of the IT environment, defining a target state, implementing improvements, operating and measuring, and monitoring and evaluating. Examples of frameworks and standards include the International Organization for Standardization’s ISO/IEC IT standards, ISACA’s COBIT, and the U.S. National Institute of Standards and Technology Cybersecurity Framework. If the organization has not implemented an IT framework, internal audit should highlight the need for one that will allow for communication across business functions. Use of an IT framework helps determine whether the organization’s IT business objectives comply fully with business rules and are structured, maintainable, and upgradable.

Perform IT Audits
Identify the scope of IT audits that can be handled internally based on the IT experience of internal auditors and outsource coverage of any remaining risks. Consider the organization’s adoption of the IT framework and the amount of resources management has devoted to the endeavor. Specific areas audits should address include: 1) segregation of duties to ensure the integrity of automated controls; 2) security, including physical and logical access, to safeguard the core systems as well as critical and sensitive information; and 3) change management to ensure integrity of system changes. A benefit to implementing an IT framework is access to audit programs that are available for these three areas as well as additional auditable areas for future engagements. Internal auditors should devote time to understanding the audit programs and the areas they cover so they will obtain efficiencies.

Foster Relationships With IT and Management
Internal audit’s relationship with the IT department is the foundation of a successful IT audit engagement. Internal audit should understand the metrics and goals the IT department uses in the monitoring and evaluation process of the IT framework. Through this process, internal audit can determine whether the linkage of IT metrics and objectives aligns with organizational goals. Moreover, it can allow internal audit to help discover and articulate to organizational management which IT initiatives can produce cost savings. Additionally, understanding the IT department’s goals and metrics can help internal audit facilitate communication between the IT department and management. The value provided from these efforts can position internal audit to recommend enhancements to achieve operational goals.
LONG TERM
Advanced and Emerging IT Audit Capabilities
As the department’s IT audit capabilities solidify and mature, it is a
good time to start thinking about the long-term direction in which
they will be applied to audit engagements. Performing IT audit
engagements should give the department the foundational knowledge
needed to help its consulting efforts. In the long term, internal audit
should continue to develop and mature integrated engagements, grow
consulting engagements, and improve IT audit skills with a focus on how
organizational IT objectives will shape internal audit.
Leverage Data Analysis Data analytics allow internal audit to search for patterns and plausible interrelationships and anomalies, helping improve operational efficiency and effectiveness, as well as fraud detection and prevention. Moreover, analytics can enable reliable financial reporting and adequate compliance with laws and regulations.
The best time for internal audit to perform data analysis is early in the IT life cycle, when it can enable auditors to use time and resources more effectively. In this way, using data analytics can better inform IT audit planning and foster a more dynamic internal audit environment that moves from a traditional and post-mortem planning strategy to one that is more innovative and consultative.
Internal audit can take a measured approach to cultivate IT-related capabilities.
To some, the idea of tackling conformance with the International Standards for the Professional Practice of Internal Auditing may seem like a steep, uphill climb. The phrase “conformance with the Standards” can sound authoritative and overwhelming, suggesting a complex, resource-intensive effort. But conformance is actually much easier to achieve than many chief audit executives (CAEs) may think. In fact, numerous activities performed by practitioners likely conform with the Standards already.
Composed of principles-based, core requirements, the Standards provide a
framework for performing and promoting internal audit services and are essential
in meeting the responsibilities of internal auditors and the internal audit activity.
Conformance with The IIA’s cornerstone of Mandatory Guidance begins with an
awareness of the Standards and of how they provide a blueprint for the internal
audit activity to evaluate and contribute to the improvement of organizational
governance, risk management, and control processes. The Standards consist of two
main categories:
» Attribute Standards (series 1000–1322) address the attributes of organizations
and individuals performing internal auditing.
» Performance Standards (series 2000–2600) describe the nature of internal
auditing and provide quality criteria against which the performance of
these services can be measured.
A close examination of these areas reveals a relatively simple path to conformance,
and one that many practitioners may already have begun to take. While not
intended to provide confirmation of conformance, thinking about the Standards as
advised can help internal auditors better navigate the requirements and streamline
their approach.
ATTRIBUTE STANDARDS
Attribute Standards help establish the internal audit activity’s position within
the organization. Performance Standards, by contrast, involve the performance
which may explain why some of the most common areas of nonconformance
have fallen within the Attribute Standards (see “Top Areas of Nonconformance”
on page 53).
Conformance with the Attribute Standards can be assessed by breaking them
down into simple concepts: 1) reviewing the internal audit charter; 2) determining
the independence of the internal audit activity and objectivity of the internal
auditors; 3) evaluating the proficiency and due professional care with which
engagements are performed; and 4) confirming the completion, maintenance,
and communication of the quality assurance and improvement program (QAIP).
“Attributes Standards Overview,” on page 52, provides a detailed breakdown
along each of these areas.
For existing internal audit activities, these concepts should already be established. Evidence of conformance can be demonstrated by ensuring that all elements of the Attribute Standards are formally documented — or by reviewing existing documentation and updating it as necessary. Newly formed (or forming) internal audit activities should determine how they are going to apply the Attribute Standards, and then implement and document them, as they help set the stage for why the internal audit activity exists and how it will function.
The easiest way to determine the level at which an internal audit activity conforms with the Standards is through an internal assessment. QAIPs require an internal assessment, which, per Standard 1311: Internal Assessments, includes:
»» Ongoing performance monitoring, using processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards.
»» Periodic assessments to evaluate conformance with the Code of Ethics and the Standards performed by someone in internal audit or within the organization with sufficient knowledge of internal audit practices. The individual must possess at least an understanding of all elements of the International Professional Practices Framework (IPPF).
Such steps may already be incorporated into the routine policies and practices currently used to manage the internal audit activity. If the activity is already performing ongoing monitoring and periodic assessments as described, then it may be in conformance with Standard 1311.
The internal audit activity must also conduct an external assessment every five years, at minimum, to conform with the 1300 series. Ensuring this assessment is completed may demonstrate conformance with Standard 1312: External Assessments.
Performance Standards
Performance Standards consist of steps internal auditors perform on a regular basis. Four of the top 10 standards least conformed with, according to IIA Quality Assurance data, consisted of Performance Standards. As with the Attribute Standards, conformance with Performance Standards can also be broken down into simple concepts.
Standards series 2000 requires all internal audit activities to be managed effectively with policies and procedures to ensure value is added to the organization. The process includes establishing, communicating, and obtaining approval on a risk-based plan that can be deployed by appropriate and sufficient resources. Most internal audit activities likely follow these principles and therefore may conform to this series.
The 2100 series pertains to the nature of audit work and requires internal audit activities to evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes by using a systematic, disciplined, and risk-based approach. Conformance with this series of standards requires the internal audit activity to devise an appropriate strategy to evaluate the organization, which involves:
1. Obtaining an understanding of how the organization makes decisions, manages and communicates risk, promotes ethics and values, and ensures effective performance and accountability (Standard 2100: Governance).
2. Evaluating risk exposures and assessing the adequacy and
Attributes Standards Overview
1. Standard series 1000 — the internal audit charter must:
»» Formally define the purpose, authority, and responsibility of the internal audit activity consistent with the Mission of Internal Audit and recognize the mandatory elements of the International Professional Practices Framework (IPPF).
»» Be documented, reviewed by the chief audit executive periodically, and approved by senior management and the board.
»» Define the nature of assurance and consulting services.
2a. Standard series 1100 — the internal audit activity must:
»» Report to a level in the organization that allows the ability to fulfill its responsibilities in an unbiased manner.
»» Determine the internal audit scope, perform work, and communicate results without interference, or it must disclose such interference and implications to the board.
»» Confirm its organizational independence to the board, at least annually.
»» Communicate and interact directly with senior management and the board with unrestricted access.
»» Perform engagements without compromising quality or subordinating judgment on audit matters to others.
»» Implement safeguards to limit impairments to independence or objectivity if asked to take on non-internal audit roles and responsibilities.
»» Collectively possess or obtain the competencies required to
The IIA’s Quality Services identified the top 10 standards least conformed with, in order, by organizations for which it had performed an external quality assessment in 2015. All Attribute Standards from the listing also appeared in the top 10 from 2014.

| Rank | Attribute or Performance | Standard |
|---|---|---|
| 1 | A | 1311 Internal Assessments |
| 2 | A | 1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter |
| 3 | A | 1320 Reporting on the Quality Assurance and Improvement Program |
| 4 | A | 1310 Requirements of the Quality Assurance and Improvement Program |
| 5 | A | 1312 External Assessments |
| 6 | P | 2020 Communication and Approval |
| 7 | P | 2300 Performing the Engagement |
| 8 | P | 2100 Nature of Work |
| 9 | P | 2500 Monitoring Progress |
| 10 | A | 1300 Quality Assurance and Improvement Program |
Work Program
Internal assessments need not be complicated and can be as easy as creating a simple template. This example reflects a template to complete an assessment for IIA Standards 2240 and 2240.A1.

Standard: 2240: Engagement Work Program. Internal auditors must develop and document work programs that achieve the engagement objectives.
Process: An audit program is developed at the completion of the planning phase. The program includes the objectives and scope of the engagement, with detailed audit steps. The engagement work program contains key risks and controls under review, along with the resources available and proficiency of each.
Evidence: Documented work program with evidence of approval, including date approved. Audit program was approved before commencement of fieldwork (see 2240.A1).
Status/Gaps: Generally Conforms

Standard: 2240.A1. Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
Process: The work program contains detailed audit steps, including:
»» Audit techniques that will be used to identify, analyze, and evaluate information.
»» Nature, extent, and timing of audit steps.
»» Documentation requirements.
The work program is reviewed and approved by the chief audit executive (or designee) before engagement commencement.
Evidence: Work program was dated, contained review notes, and was signed before implementation (as evidenced per email communication and fieldwork start date). Confirmed that no adjustments were made to the work program by comparing the original work program submitted for approval to the final work program.
Status/Gaps: Generally Conforms
scope, results (applicable conclusions, recommendations, and/or action plans), and applicable disclosures.
Most internal audit activities likely conform to these standards in principle — in other words, they conform with the essence of the requirement.
Internal audit activities that maintain a monitoring process to follow up on the disposition of outstanding audit engagement results most likely also conform to Standard 2500: Monitoring Progress. Conformance can be evidenced by a routinely updated exception tracking system, which may be a spreadsheet, database, or other tool.
Lastly, Standard 2600: Communicating the Acceptance of Risks, requires the CAE to use judgment to determine whether management has accepted a level of risk that may be unacceptable to the organization. This standard obligates the CAE to attain an understanding of the organization’s risk tolerance and risk acceptance process (if one exists). If the CAE concludes that an unacceptable level of risk has been accepted, the matter must be discussed with the organization’s senior management; and if it is not resolved, the matter must be brought to the board’s attention.
EASIER THAN IT SEEMS
Internal auditors need to remember that conformance does not hinge on following a set of prescribed rules. Instead, conformance is about understanding and achieving the principles behind the Standards. Demonstrating conformance is as simple as identifying current processes in place related to each standard and then documenting sufficient evidence (see “Work Program” on page 54 for an example of a straightforward assessment).
The effort does not have to be daunting or consume an inordinate amount of resources. By reading and understanding the IPPF, including the new Implementation Guides and related Supplemental Guidance, and documenting their work, practitioners can easily align themselves with professional standards and enhance their value to the organization.
CHRISTINE HOVIOUS is director, Global Standards and Guidance, at The IIA.
Auditing Organizational Governance
Focus on Risks
The board’s focus is understandably on governance, while executive management’s focus is more on enterprise performance. The CBOK survey asked internal audit practitioners what they thought about:
»» Corporate governance risk (CGR) and strategic business risk (SBR), in terms of placing them in the top five risks for their organization.
»» The audit committee’s assessment of the importance of CGR and SBR in terms of being in the top five risks affecting their organization.
»» Executive management’s assessment of the importance of CGR and SBR in terms of being in the top five risks affecting their organization.
While internal audit and the audit committee have similar perceptions, especially in reference to corporate governance risk, executive management is least concerned about corporate governance risk (a value preservation orientation) and most concerned about strategic business/performance risk (a value creation orientation). Therefore, executive management exhibits the widest gap between perceptions of risk related to governance and performance as illustrated below.
2. Auditing organizational culture where qualitative factors may need to be assessed and interpreted contextually to assess risk (mostly based on soft controls where intuition, common sense, and understanding of human behavior are indispensable).
Governance Structures and Processes
Ensuring that an organization has a sound governance structure with effective and ethical policies and practices — along with decision-relevant information that is accurate, reliable, and timely — is critical to the organization’s success. These combined factors, including a credible attitude of transparency and accountability, impact the company’s reputation, stakeholder satisfaction, and overall growth and profitability. A wide swath of stakeholders, including the board of directors and executive management, seeks assurance about the information they use for strategic decision-making. They also need assurance that the organization’s governance structures and processes, founded upon a well-established system of internal controls, operate effectively to achieve objectives, increase company profit, and ensure sustainability.
Organizational Culture
Organizational culture and tone at the top play a significant role in how involved the internal audit function is in reviewing and adding value to organizational governance. Culture embeds many intangibles, including soft controls. As referenced in the CBOK report, Promoting and Supporting Effective Organizational Governance, some of the soft controls that can be audited to help improve organizational governance include:
»» Management and board competence, philosophy, and style.
»» Mutual trust and openness.
»» Strong leadership and a powerful vision.
»» High performance and quality expectations.
»» Shared values/understanding.
»» High ethical standards.
These are areas in which most internal auditors lack audit experience and for which there are less formal training
and tools, making such culture audits much more challenging.
Periodic culture and ethics audits are one way to assess the ethical climate and control environment. Audits of incentives and compensation, as well as their alignment with the strategic plan and capital structure among key stakeholders, may also be helpful. For example, if the company is financed primarily through debt, the strategic plan should be more conservative and the executives’ compensation should be more salary or bonus and less stock. Otherwise, there is an inherent conflict between what is desired and what is incentivized.
Clearly, the audit of soft controls embedded within organizational cultures consists of many intangibles that do not lend themselves to quantitative measurement and analysis. Accordingly, to be successful, internal auditors must possess soft skills, such as relationship-building acumen, political and cultural savvy, interpersonal communication abilities, diplomacy and tact, and an ability to read people and situations quickly and correctly.
Assurance and Advisor Roles
Internal audit can undertake specific activities as part of their assurance and advisory work in supporting organizational governance (see “Internal Audit Activities for Organizational Governance Assurance and Consulting” on page 58). Many organizations enlist the assistance of internal audit to provide fraud risk awareness training, or help divisional units carry out control self-assessments by systematically conducting risk and control mapping in their specific context.
Assurance Services When providing assurance with respect to organizational governance, internal audit assesses the processes used to obtain relevant, reliable, and timely information for strategic decision-making. By providing assurance regarding the accuracy, consistency, and reliability of information, internal audit can help mitigate information for decision-making risk. Internal audit’s work in assuring the quality of information used for decision-making allows the board and executive management to use information with confidence.
Advisory Services Internal audit provides consulting and advisory services to improve governance without assuming management responsibility. The types of consulting and advisory services that internal audit can offer include advising the board and executive management on decision-making processes, providing information on best practices, and offering interpretation/insight. Advisory services also encompass internal audit facilitating board and executive management awareness and education, instilling best practices in governance, and providing briefings on trending topics.
Strategic Gap
All over the world, internal audit seems to take action more on risk indicators from perceived or actual weaknesses in internal controls over financial reporting, rather than those pertaining to strategic performance and operational risk factors, as indicated by the CBOK survey. This happens even though internal audit acknowledges the importance of strategic risk and believes that management and the board place a high priority on strategic risk. In other words, internal audit may not be meeting stakeholder expectations when it comes to strategy audits (i.e., how well is the planned and approved strategy being executed?).
A huge gap exists in terms of internal audit undertaking comprehensive strategic reviews, even where a long-term strategic plan is in place. According to the CBOK survey, while approximately 50 percent or more of respondents’ organizations around the world have a long-term strategic plan in place, internal audit only conducts strategic reviews 11 percent (South Asia) to 28 percent (Sub-Saharan Africa) of the time. Just as they do for general governance reviews, Sub-Saharan Africa and Middle East/North Africa have the highest levels of activity for reviews of strategy linked to performance.
Most surprising is that in North America, an average of 71 percent of respondents report having a long-term strategic plan in place, but only 8 percent of internal auditors report that they actually review the organization’s strategic plan. The reasons for this gap in the “strategic plan existence vs. extensive strategic reviews” could be that they perform such reviews as part of other routine audits and make governance recommendations along the way rather than comprehensively, have immature or inexperienced internal audit functions that are not adequately supported or confident to carry out such strategic reviews, or strategic risks are given a low priority because they are not perceived to be a matter for concern. It could also be that management does not support internal audit being in this space, that internal audit lacks support of the audit committee, or it doesn’t have sufficient resources.
Looking Forward
In the future, more reliance will be placed on strategic and operational risk and performance data (forward looking) and on internal audit functions for more effective monitoring and governance oversight. Operational data provide a closer look at what is really happening with the business, but they also provide early warning signs of emerging risks that, if heeded, can prompt a critical and timely assessment of the business model and potentially preempt or avert business and governance failures. With internal audit’s help, organizations can adapt to changing conditions in the marketplace, such as shifting consumer tastes and preferences and making needed course corrections to strategy, which can ensure continued growth and success.
Sridhar Ramamoorti, PHD, CIA, CPA, CFE, is an associate professor of accountancy at Kennesaw State University in Georgia.
Alan N. Siegfried, CIA, CPA, CRMA, CISA, is assistant academic director, internal audit track, at the University of Maryland’s Smith School of Business in Crofton.
P. Alan White is managing general partner at Quetzal GRC LLC in Austin, Texas.
To comment on this article, email the authors at sri.ramamoorti@theiia.org
standards of quality and governance.
Much has been written about the benefits of quality management: its measures and assurance in all types of organizations worldwide. The performance and success of hundreds of thousands of organizations and their operations around the world owe much to the development of, and compliance with, quality standards, total quality principles, quality auditing, and assurance frameworks.
Quality can be seen in the effectiveness of an organization’s processes and the products and services it provides; seen by its customers, both internal and external, across all its supply chains; and by those who use its products and services. Quality is created by a focus on customer needs, leadership, teamwork, measurement, and a total commitment to continuous improvement.
As head of internal audit in a large manufacturing company in the 1980s, I was asked to join its Quality Council, established to drive a total commitment to register the company to the international quality systems standard ISO 9000 (The International Organization for Standardization has recently published updated principles for its ISO 9000 Quality management systems, www.iso.org). This responsibility introduced me to total quality management principles and the principles underpinning the standards for quality management systems. At the time, I developed and published five quality rules to guide my learning (see “Five Quality Rules” on page 63). These rules have been a guide for me in understanding how to achieve high standards of quality and also the importance of achieving them in all that makes up good governance.
Associations of quality professionals around the world recognize these rules to be fundamental for a commitment to quality. They can be seen in their visions and missions, their knowledge base, competency frameworks, training, and qualifications. Go to the Chartered Quality Institute website (www.quality.org), or the quality institute in your own country, and compare these rules with its strategic objectives. World Quality Day, Nov. 10, 2016, adopted the theme “Making Operational Governance Count,” sending the message that good governance is all about quality.
Quality, like good governance, is an assessor of risk and a driver of control activities. It requires high levels of accountability, integrity, and openness in how it is achieved and perceived by an organization’s stakeholders. Like good governance, trust is at the core of all quality systems and quality auditing. Quality assurance is a must for every type of activity, service, and product, both for the supplier and the customer. It is a requirement for the efficiency, effectiveness,
and economy of every organization in the performance of its activities and achievement of its vision and missions. It must always be present in the values the organization promotes for itself and in its services and products.
In my five quality rules, replace the word “customer” with “stakeholder” and “quality” with “good governance” to relate each of the rules to the policies and regulations for good governance. Good governance is all about quality, and quality is all about good governance — both for organizations and in the audit, inspection, and compliance services they use.
These rules can be found in the values of good corporate governance. Quality achievement is required in each of the recently redeveloped and published G20/Organisation for Economic Co-operation and Development corporate governance principles. It can be found in corporate governance codes everywhere, and in many standards and laws. It is a requirement for all audit practices. Quality achievement and monitoring also is seen by many as part of the second line of defense in achieving good risk management and control. The IIA promotes this in The Three Lines of Defense for Effective Risk Management and Control. Requiring collaboration at the second line of defense with other monitoring activities is fundamental to good governance. In fact, quality should be more than a collaborator in an organization’s second or third lines of defense; quality should be an attack.
Audit committees have a key role in monitoring governance in each of the three lines of defense throughout the organization. This monitoring should include the standard of quality in the performance of all those it relies upon for assurance as a defense. Audit committees should also recognize the importance of quality, not just as a defense, but also as an attack on inefficiency, ineffectiveness, and waste in all its forms.
Jeffrey Ridley, CIA, is visiting professor of auditing at London South Bank University and visiting professor of corporate governance assurance at the University of Lincoln, England.
By J. Michael Jacka
Before they can establish credibility with stakeholders, practitioners must first get their own house in order.
Imagine you have just completed an audit. The details are not important. All you need to know is that the department is composed of professionals — individuals whose jobs require them to be self-directed, critical thinkers who understand the business and communicate effectively.
You have identified two potential problems. First, every action taken by each professional in the department is subject to review by that individual’s superior. Subsequent to that review, the department conducts a second set of reviews to ensure the work is correct and that the first review was completed.
Second, considerable rework occurs before the department publishes any results. A disproportionate amount of time is scheduled on all projects simply for the publication process. Moreover, the rework results in significant delivery delays.
Anyone with a modicum of internal audit skills should see these processes are the result of an overemphasis on controls. The first question an auditor should ask is whether the cost of those controls matches the cost of the related risk. Next, why not streamline the process by removing some (if not all) of the reviews? And third, what is the root cause of the constant rewriting?
Have you guessed where I’m headed on this one? Procedurally, how much of the audit documentation you create has to undergo a first and second round of approvals? (Hint: The answer is probably all of it.) How many rewrites did your last audit report go through? (Hint: If you answered fewer than five, I’m not sure I believe you.)
It is internal audit’s job to evaluate the efficiency and effectiveness of processes, ensure risks are managed appropriately, and ultimately, help the organization achieve its objectives. We expend enormous foot-pounds of energy toward that end. And yet, how much effort do we put into self-analysis? How much time do we spend auditing ourselves?
Are you able to explain how the internal audit department’s objectives align with the organization’s objectives? Can you articulate the risks to the audit department’s achievement of its objectives? Can you identify the controls that ensure those risks are managed appropriately? And perhaps most importantly, when was the last time you took a good, hard look at your processes to see where gaps might exist or (much more likely) where those processes might be overcontrolled?
If internal audit wants to ensure true credibility with its stakeholders, we must look inward — we must evaluate our own policies and procedures. And in so doing, we will surely see that we are as guilty of reportable issues as anyone we audit. Quite simply, internal audit must cast the beam from its own eye before it can see clearly enough to cast out the mote from the client’s eye.
J. Michael Jacka, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.
Managing Talent to Address Emerging Risks

Auditors need to shift their attention from traditional ways of addressing risk to a bigger picture focus.

Brian Christensen, executive vice president, Global Internal Audit, Protiviti
Bill Watts, partner and leader of Risk Global Thought Leadership, Crowe Horwath

What are the biggest risks internal auditors are not currently auditing?

WATTS 1) Technology risk — increasing complexities of cyber threats and the possibility of security breaches, as well as the rapidly evolving Internet of Things; 2) geopolitical and economic risk — fluctuations in oil and other commodity prices, geopolitical conflict, and the rise and fall of emerging markets; 3) evolving corporate reporting — regulators worldwide are looking for more narrative in corporate reporting and more details on the significance of nonfinancial risks; and 4) more complex domestic and global regulations. Companies also need to be aware of emerging global regulatory trends that could be enacted in the U.S. or affect their operations overseas. Examples include the proposed revenue recognition standards and executive compensation disclosure.

CHRISTENSEN The internal audit profession is embarking on new and exciting territory for meeting the expectations of stakeholders in addressing nontraditional risks. Historical bias or repeating the past often results in an audit program focused on financial or operational controls. These remain critical components of a standard risk approach, but they may not address the most relevant or timely concerns. Qualitative and abstract topics such as culture, innovation, digitalization, and geopolitical risk are current examples of audit hot topics. These may not be the ordinary top-of-mind audit risks; however, they are relevant to the boardroom and need to be addressed to demonstrate the value of internal audit. Auditors should embrace the opportunity to measure and monitor these exposures.

How can CAEs quickly bring their teams up to speed on these risks?

CHRISTENSEN Internal audit teams must understand that macro-environmental business, industry, and company risks influence the audit universe. Each of these factors must be considered in assessing and executing audit plans. Internal auditors must be astute in monitoring and gathering the necessary data points to direct their actions. The CAE can be a leader in disseminating facts, but more importantly, teaching team members how to mine for information improves team performance.

WATTS Internal auditors need to pay closer attention to external risks of the organization based on how business is conducted, and recognize the impacts on the organization’s strategy and performance. Auditors can do this by: acquiring the technical skills to audit new reality and risks; knowing and maintaining an understanding of industry and risks — competitive landscape, market drivers, and applicable regulations; using technology and software tools that can render internal audit’s skills and knowledge more effective; and getting involved in operation group meetings and projects to better understand how the organization is changing.

What is a longer term strategy for ensuring auditors are prepared to address emerging risks?

WATTS Auditors need to stay agile, relevant, and valuable by shifting focus from traditional ways of addressing risk to a future thinking/bigger picture focus. This can be accomplished by aligning risk assessments to include market trends, research, and development at the organization, and studying competitor changes. Change must be transformational, not just surface dressing, and will require bold moves to break down old paradigms and create a new model for the future. Internal audit must be proactive versus reactive and embrace change while it is occurring instead of after the fact.

CHRISTENSEN Internal auditors must appreciate that continuous and rigorous education is critical for long-term success in addressing emerging risks. Time and experience are highly valuable to the core learnings in a career. Additionally, exposure to new and emerging ideas and concepts makes the internal auditor relevant, valuable, and capable of addressing the latest trends and their impact on an organization.

What advice do you have for CAEs struggling to determine the right mix of specialized expertise and audit generalists?

CHRISTENSEN All business leaders are tasked with the challenge to build, buy, or rent the skills necessary to achieve a task. The CAE is not immune to this decision tree. The specific facts and circumstances will dictate the approach and level needed and which category. We live in a knowledge-based era, and CAEs must measure the return on their investments and the value to the organization. Specialized IT skills are a great example. Does the value come from seeing many of the same thing or only seeing one thing for an extended period? Different facts may result in different outcomes. The CAE must apply the decision tree and be flexible to maximizing the value equation.

WATTS It is not so much the balance vs. the evolving of the type of auditors you must recruit and develop in your group. You can no longer be one or the other, but must have the versatility to be both in certain areas. Auditors need to be broad in their experience, but also constantly gain knowledge in specialized skills to help add value. The future internal auditor will need to have good soft skills and process and operations knowledge, and not be trained only in traditional methods. Look for individuals with varied backgrounds who have a skill for problem solving and interest in areas that are new to the business world, such as rapidly changing technology usage, data analytics, and mathematics.

How can hiring managers ensure their audit team members represent a good cultural fit for the organization?

WATTS This is the challenge for organizations as the workforce becomes more diverse. You must know not only your organization’s culture, but also the internal audit group’s unique culture. It is important that internal audit communicates and discusses these two areas with every candidate to ensure a strong fit in both environments.

CHRISTENSEN A common theme resonating with boards and management is that internal auditors need to be strong communicators with organizational insight. This might be interpreted to mean internal auditors cannot be lost on the audit trail hiding behind the technical mechanics. Stakeholders want interaction that is a cultural fit. Hiring managers should look at the entire work of the candidate. The technical and educational experiences are often the base level, but what about the broader accomplishments? Can the candidate demonstrate a service mentality, team orientation, adaptability, and similar qualitative characteristics? Life skills are developed in many areas, and we all need to hone these traits. Hiring managers will find these skills will highly correlate to candidates with the best cultural fit.

What is one key tip you would offer CAEs who are developing a talent management strategy?

CHRISTENSEN CAE success is dependent on the robustness of a talent management strategy. People want to be inspired and led. They seek leaders who can show them the way. This is not a once-a-month activity or something that can be relegated to someone else. The CAE must be the coach, mentor, teacher, and leader, every day, 24/7. Be a role model to your people and you will be rewarded in ways never imagined.

WATTS Blow up the traditional strategy and think outside the box. Today’s environment is changing so rapidly that the needs and skills can’t keep up. Think about the end results that are desired in internal audit, and build back to what skills and people you need, not for today, but for what is envisioned over the next three to five years. Be bold and challenge yourself and your organization to take chances on hiring different skill sets and experiences to meet the organization’s risk based on where it is headed, not where it is today.
By Adam P. Krick

The final audit report should not mark the end of an engagement.

Internal auditors often approach their assignments with a one-sided focus. Given all of the effort and resources devoted to completing engagements, practitioners naturally pay close attention to their own findings, recommendations, and message delivery. But it’s just as important for auditors to hear from clients on the outcome of an engagement, particularly when it’s in the form of constructive criticism. At a certain point, auditors need to put away the reports, turn off the PowerPoint slides, and open their ears to feedback from the stakeholders they serve.

Communication, of course, is a two-way street. Auditors cannot operate in a vacuum or perform their work effectively without gauging clients’ responses to the audit process. Opening up the process to feedback can only lead to insight and improvement, and it is essential to understanding the client experience.

Neither clients nor the auditor should be prone to the mind-set that an engagement ends when the final audit report is issued. On the contrary, an important information-gathering tool follows behind the audit report that simultaneously takes the pulse of recently audited clients and sets the foundation for future audits: the post-audit survey. Regardless of the delivery method — online, paper-based, or verbal — this opportunity for direct feedback can be a priceless resource.

While clients often are more inclined to share negative feedback, positive feedback should also be captured and can be just as useful. When a client expresses appreciation during an engagement, auditors can suggest the survey during the exit meeting as an appropriate outlet for such accolades. The process isn’t merely about notifying the chief audit executive of a job well done — post-audit surveys gather tangible data points from which the auditors can learn and the audit process may improve.

As with any survey, constituents may choose not to participate — and they should not be forced to. Moreover, regardless of whether feedback is positive or negative, the success of a survey should be measured not by the quantity of responses but by the quality of feedback from open-ended questions. Open-ended comments often become the building blocks of improved audit processes, leading to greater efficiency, better communication, and more productive engagements.

The auditor’s ultimate responsibility is not to seek out compliments on job performance or audit quality, nor is it to invite denunciation or disparagement. Constructive criticism provided after the issuance of the final report has great potential to fuel positive improvements, recognize success or shortcomings, or simply convey appreciation for a courteous, well-rounded, and insightful audit that added value. While the post-audit survey can be easy to overlook when planning an engagement, auditors should always include this important tool — particularly because it involves the simple task of asking just a few more questions.

Adam P. Krick, CIA, CFSA, is a lead auditor at Customers Bancorp in Wyomissing, Pa.
To read more opinions on the profession, visit our Voices section at InternalAuditor.org.