JUNE 2021 A PUBLICATION OF THE IIA

Is ESG the New SOX?

SASB’s Jeffrey Hales on Taking
a Standards-based Approach
Is Your Organization Prepared?
Answer 5 Key ESG Questions
IIA North American Board Chair:
Looking Toward the Future

THE ESG JOURNEY

Internal audit should play an integral role in helping
organizations fulfill their environmental, social,
and governance mandate.
 Accelerate Your Success

The IIA Congratulates the 2020 CIA Exam Award Winners!

Professionals with the Certified Internal Auditor® (CIA®) credential enjoy greater credibility and earn more
respect, promotions, and money* than their peers without a certification.

William S. Smith Award – Gold Dr. Glenn Sumners Award – Student

(Highest Scoring Candidate) (Highest Scoring Student Candidate)
Andrew Easton, CIA USA Philipp Steinmueller, CIA USA

A.J. Hans Spoel Award – Silver Kurt Riedener Award – Bronze

(2nd Highest Scoring Candidate) (3rd Highest Scoring Candidate)
Lars Geisler, CIA Germany Kristina Kobus, CIA Germany

Visit www.theiia.org/TopScoreWinners for a complete list of top CIA and CRMA score winners in 2020.

*Earn on average $38,000 more annually than those without a certification, according to The IIA’s 2017 Internal Audit Compensation Study (based on U.S. responses).

Begin your journey toward the only globally recognized

certification for internal auditors.

Apply today at www.theiia.org/CIA.

2021-2538
AUDIT
TOGETHER,
FROM
ANYWHERE.

In today’s world, the global risk

environment is more dynamic than ever.

And with audit teams spread across offices and

homes around the globe, the simplest of tasks can
feel burdensome.

You need software that can keep up. AuditBoard’s

top-rated audit platform provides the simplicity,
connectivity, and efficiency you need to deliver
on today’s goals and tomorrow’s vision.

Top Rated Audit Software On

g2.com

Request a demo at auditboard.com/demo

9–11 August 2021 | Virtual and Denver, CO

Click With Great Minds in

Governance, Risk, and Control
Virtually or Onsite—You Choose
Elevate your focus, impact, and future in governance, risk, and control—at the conference
that aligns them all. The IIA and ISACA® in partnership are raising education, networking,
insight, and choice to new heights at the GRC Conference 2021.

The choice of how you attend this hybrid event is yours—join us virtually, from anywhere,
or onsite in Denver, Colorado, where social distancing, cleanliness, and safety protocols
are optimized:

• Masks—worn by everyone in the convention and exhibition area

• Social distancing—in expansive presentation rooms
• Hand washing and sanitizer—encouraged and facilitated
• Expanded safety measures—throughout the hotel and convention center

Earn up to 38 CPEs by attending the conference and workshops! See the website
for conference specifics, as well as detailed health and safety information.

Register Now: https://www.isaca.org/GRC

 JUNE   2021   VOLUME LXXVIII: III

F E AT U R E S
COVER | E S G
26 Is ESG the New Sarbanes-Oxley?
Internal audit needs to be ready to help
organizations report on their environmental,
social, and governance risks and initiatives.
BY LOGAN WAMSLEY
33 A Standard Approach Internal audit
can help companies realize the benefits of
adopting nonfinancial reporting standards,
says the SASB’s Jeffrey Hales. BY NEIL HODGE
38 5 Things You Need to Know About
ESG Internal auditors should consider sev-
eral key questions when examining their
organization’s ESG activities. BY CHERINE FOK
44 An Eye Toward the Future The IIA’s
2021–2022 North American Board chairperson,
LAURA SOILEAU, says getting young people
hooked on internal auditing is crucial to the
sustainability of the profession.
51 Determining Internal Audit’s ROI  
A departmental cost-benefit analysis can help
internal audit measure and communicate its
value. BY JACK PELIKAN
56 The Four Pillars of Remote Work for
Audit Teams Internal audit leaders need an
effective strategy to support the move to flex-
ible and work-from-home arrangements.  
BY W. KEN HARMON

DOWNLOAD the Ia app on the

App Store and on Google Play!

FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org

People who know
Global Risk, know BDO.

COMING IN JUNE 2021

BDO’s Annual Global Risk

Landscape Report:
The Art of the Unknown

BDO provides assurance, tax, and advisory services to companies of all sizes,
across nearly every industry. Our global organization, combined with the
personal attention of experienced professionals, allows us to offer the services
and resources our clients need, everywhere in the world they do business.

www.bdo.com

© 2021 BDO USA, LLP. All rights reserved.

 JUNE   2021   VOLUME LXXVIII: III

D E PA R T M E N T S
PRACTICES 24 Fraud Findings Data
analytics reveal a diesel fuel
10 Update A global outlook backflow scam.
shows tough years ahead;
a new workforce ecosystem INSIGHTS
requires new strategies; and
more companies are auditing 62 Board Perspectives It’s
racial equity. special-purpose acquisition
company season.
14 Back to Basics Auditors
can benefit from a report writ- 66 The Mind of Jacka There
ing refresher. are no excuses for mediocrity.

18 ITAudit SolarWinds after- 68 Eye on Business Auditors

7 Editor’s Note math raises questions for need to assess third-party tech-
internal audit. nology threats.
67 Calendar
20 Risk Watch A new study 70 In My Opinion Emotional
highlights the pandemic’s intelligence is an internal audi-
effect on financial reporting. tor must-have.

O N L I N E InternalAuditor.org
Cannabis: Risks and Continuing the Con-
Opportunities in a versation The director of
Budding Industry With The IIA’s Environmental,
increased legalization, public Health & Safety Audit Center
sector auditors could soon shares her thoughts on the
COVER: ILLUSTRATION BY SANDRA DIONISI; THIS PAGE, TOP: LIGHTSPRING /

find their work intersecting growing momentum behind

SHUTTERSTOCK.COM, BOTTOM: OLEKSANDRUM / SHUTTERSTOCK.COM

with this growing market. ESG reporting.

Read All About It Looking to ​ EI: Key to Strategy and

D
stay current on audit-related Competitiveness Internal
news? Internal Auditor’s auditors should help organiza-
Newswire features the latest tions consider a strategy that
headlines on issues and devel- positions diversity, equity, and
opments affecting the internal inclusion as essential to busi-
audit profession. ness success.

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $60. No refunds on cancellations. Editorial and advertising office: 1035 Greenwood Blvd., Suite 401,
Lake Mary, FL, 32746, U.S.A. Copyright © 2021 The Institute of Internal Auditors Inc. Change of email address notices and subscriptions should be directed to IIA Customer Relations, +1-407-937-1111. Opinions expressed in Internal
Auditor may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not
attest to the originality of authors’ content.
Investing in the Future of the Profession
The Foundation, supported by the generosity of our donors, advances the practice of the profession by awarding academic grants,
executing global research, and producing educational publications to strengthen competency development.

“Internal audit has afforded me an incredible career that is fun yet meaningful.
The future of our profession requires investment and leadership. Let’s partner
together and do just that. Start with a small recurring amount and go from there.”
— Karla D. Munden, CIA, QIAL, CCSA, CFSA, CRMA, US

Invest in the future of internal audit – make your contribution today.

www.theiia.org/Foundation

RESEARCH | ACADEMIC ADVANCEMENT | EDUCATIONAL PUBLICATIONS

 Editor’s Note

THE ESG JOURNEY

I
n this issue we tackle the many facets of environmental, social, and governance
(ESG). That’s no small feat given all ESG encompasses, but with increased atten-
tion — investor, regulatory, and social — it’s not something organizations, or
internal auditors, can afford to ignore.
A blog post from Jim Clifton, chairman and CEO of Gallup, proposes begin-
ning the company’s ESG effort with its employees. Gallup has identified metrics to
benchmark an organization’s current ESG state from the employees’ perspectives. “In
short, if your external communications say your organization is doing great things
for the environment, but your employees strongly disagree, something is not work-
ing,” the Gallup website says. “Recent corporate scandals have proven that major
ethical, social, and environmental risks can hide behind ‘good news.’”
Gallup, along with Chief Executives for a Corporate Purpose, recommends
organizations begin the journey now, start with what they can measure, benchmark
employees first, and “build a higher purpose around people and the planet.”
In this issue, we consider internal audit’s role in that journey. The IIA’s Inter-
nal Audit’s Role in ESG Reporting: Independent Assurance Is Critical to Effective
Reporting says internal audit has both an advisory and an assurance role. The paper
suggests that while ESG reporting is not required in annual reports, regulatory filings,
and proxy disclosures, it should be treated with the same care as financial reporting,
which raises the question, “Is ESG the New Sarbanes Oxley?” (see page 26).
From an assurance standpoint, The IIA says internal audit should incorporate
ESG into audit plans and:
» Review reporting metrics for relevancy, accuracy, timeliness, and consistency.
» Review reporting for consistency with formal financial disclosure filings.
» Conduct materiality or risk assessments on reporting.
From an advisory perspective, internal audit should recommend:
» Frameworks to mitigate and manage risks.
» Reporting metrics — data that accurately reflects relevant sustainability
efforts within the organization.
» Where ESG risk should be managed.
In our deep dive into ESG, we consider reporting and how the topic is being
addressed globally as well as the risks that make ESG challenging to manage. We also
interview Jeffrey Hales, Standards Board chairman of the Sustainability Accounting
Standards Board, about the importance of adopting sustainability standards.
From social justice movements to the mandate for net zero emissions, how does
one measure a company’s impact on the world? Today’s organizations are being chal-
lenged to do just that, and internal audit will be an integral part of the journey.

@AMillage on Twitter

JUNE 2021 INTERNAL AUDITOR 7

 CONTRIBUTING EDITORS Joe Martins, CIA, CRMA CONTACT INFORMATION
Wade Cassels, CIA, CCSA, CRMA, CFE Stephen Minder, CIA ADVERTISING
J. Michael Jacka, CIA, CPCU, CFE, CPA Rick Neisser, CIA, CISA, CLU, CPCU advertise@theiia.org
Steve Mar, CFSA, CISA Hans Nieuwlands, CIA, RA, CCSA, CGAP +1-407-937-1109; fax +1-407-937-1101
Grant Wahlstrom, CIA, CPA, CFE Manish Pathak, CA
James Roth, PHD, CIA, CCSA, CRMA Bryant Richards, CIA, CRMA SUBSCRIPTIONS, CHANGE OF EMAIL ADDRESS
Rick Wright, CIA James Roth, PHD, CIA, CCSA customerrelations@theiia.org
JUNE 2021 Katherine Shamai, CIA, CA, CFE, CRMA +1-407-937-1111; fax +1-407-937-1101
VOLUME LXXVIII: III EDITORIAL ADVISORY BOARD
Jennifer Bernard Allen, CIA Jerry Strawser, PHD, CPA EDITORIAL
Dennis Applegate, CIA, CPA, CMA, CFE Glenn Sumners, PHD, CIA, CPA, CRMA David Salierno, david.salierno@theiia.org
EDITOR IN CHIEF Robert Taft, CIA, CCSA, CRMA +1-407-937-1233; fax +1-407-937-1101
Anne Millage Lal Balkaran, CIA, FCPA, FCGA, FCMA
Andrew Bowman, CPA, CFE, CISA Brandon Tanous, CIA, CGAP, CRMA PERMISSIONS AND REPRINTS
MANAGING EDITOR
Robin Altia Brown Robert Venczel, CIA, CRMA, CISA copyright@theiia.org
David Salierno David Weiss, CIA fax +1-407-937-1101
Adil Buhariwalla, CIA, CRMA, CFE, FCA
ASSOCIATE MANAGING EDITOR Wade Cassels, CIA, CCSA, CRMA, CFE Rick Wright, CIA
WRITER’S GUIDELINES
Tim McCollum Stefanie Chambers, CIA, CPA IIA PRESIDENT AND CEO InternalAuditor.org (click on “Writer’s Guidelines”)
SENIOR EDITOR James Fox, CIA, CFE Anthony J. Pugliese, CPA, CGMA, CITP
Shannon Steffee Nancy Haig, CIA, CFE, CCSA, CRMA Authorization to photocopy is granted to users registered with the
Sonja Heath, CIA IIA CHAIRMAN OF THE BOARD
STAFF WRITERS Copyright Clearance Center (CCC) Transactional Reporting Service,
Daniel Helming, CIA, CPA Jenitha John, CIA, QIAL provided that the current fee is paid directly to CCC, 222 Rosewood
Christine Janesko
J. Michael Jacka, CIA, CPCU, CFE, CPA Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor
Lauressa Nelson cannot accept responsibility for claims made by its advertisers, although
Sandra Kasahara, CIA, CPA
Geoffrey Nordhoff Michael Levy, CIA, CRMA, CISA, CISSP staff would like to hear from readers who have concerns regarding
Logan Wamsley Merek Lipson, CIA advertisements that appear.
PUBLISHED BY THE
ART DIRECTION Michael Marinaccio, CIA INSTITUTE OF INTERNAL
Carol Hardy Design Alyssa G. Martin, CPA AUDITORS INC.

Turn control It’s not what you expect.

testing into It’s cta.x, Grant Thornton’s
new automation solution.
competitive edge
gt.com/cta.x

© 2021 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd. In the U.S., visit gt.com for details

8 INTERNAL AUDITOR JUNE 2021

 MEMBERSHIP MEANS MORE
TOOLS OF THE TRADE
COMPLIMENTARY ACCESS NOW INCLUDED WITH MEMBERSHIP

Introducing new tools of the trade that enhance the value of the profession and the
professional, at every level. From relevant research and resources to the practical tips,
templates, and how-to’s you’ve been seeking — there’s never been a better time to
discover more benefits of membership.

Access Now. www.theiia.org/Tools

RESEARCH REPORTS | PLANNING TOOLS | TEMPLATES & HOW TO’S

2021-2152
 Strategies for a changing workforce… Boards consider racial equity audits…
Flexible workplaces create opportunity… Blockchains take on supply chains.

Update
CYBERWARFARE ON
THE FRONTLINES
The IT threat landscape is
becoming more intense, an
international insurer says.

43%
Companies
reporting 28%
cyberattacks. Companies
targeted
by hackers

21%
more than
five times in
2020.
TOUGH YEARS AHEAD
Portion of IT A global forecast sees an array compounding global challenges facing popu-
budget spent of intense challenges. lations,” the report says.

T
on cyberse- Propelling the disruption are climate
curity.
20%
Companies
he world is facing intense and cascad-
ing global challenges over the next
and economic change, the pace and reach
of technology, and changing demographics
reporting decades, according to the National as population growth slows and the median

16% cyberattacks
and boosting
cybersecurity
Intelligence Council. The council,
which advises the U.S. Director of National
age increases. Declining, older populations
will cause problems in developed countries,
Companies Intelligence, released Global Trends 2040, impeding progress in education, health, and
that have and audit the seventh edition of its quadrennial global poverty reduction, the report says.
dealt with requirements.
IMAGES: TOP, PRANCH / SHUTTERSTOCK.COM;

outlook report. The report presents five scenarios for

LEFT, LIGHTSPRING / SHUTTERSTOCK.COM

a ransom
demand. These challenges will repeatedly test the
resilience and adaptability of communities
Source: Hiscox Ltd., Cyber and countries, as well as the international
Readiness Report 2021 system of organizations, alliances, rules, and
norms, according to the report. The interna-
tional system “is poorly set up to address the
the world in 2040. First, rapid technological
advances by the U.S. and its allies lead to a
resurgence of democracy. Second, the world
becomes directionless, chaotic, and volatile,
with China taking advantage of the West’s
troubles to increase its influence. Third, the

FOR THE LATEST AUDIT-RELATED HEADLINES read the Newswire on InternalAuditor.org

10 INTERNAL AUDITOR JUNE 2021

 Practices/Update

U.S. and China establish a robust trade rela-
tionship, but compete for political influence,
governance models, technology, and strategic
advantage. Fourth, the world fragments into
rival economic and security blocs, including
the U.S., China, the European Union (EU),
Russia, and a few regional powers. Fifth, a
global food catastrophe caused by climate
change and environmental degradation
brings together the EU and China, plus non-
governmental organizations and multilateral
institutions, to implement sweeping changes
to address climate change, resource deple-
tion, and poverty. — G. NORDHOFF

CULTIVATING
A WORKFORCE
ECOSYSTEM
New strategies are needed
to manage internal and
1,830
OF THE WORLD’S  
external workers. BIGGEST COMPANIES

T
he definition of an organization’s
workforce is changing, with contrac-
tors, gig workers, service providers,
and external developers working
alongside full- and part-time employees. In
a survey of more than 5,000 managers from
138 countries, 87% say their workforce
encompasses more than just their employ-
ees. One-third say they expect to increase
their dependence on external workers over
the next 18 to 24 months, according to the
Workforce Ecosystems report by Deloitte
and MIT Sloan Management Review.
The report says being able to manage
and engage such a flexible workforce can
help drive success and innovation. Internal
say they face or expect regu-
auditors should be aware, though, that lation that places a price on
there are risks involved in the looser affili- carbon emissions.
ations of a workforce ecosystem, such as
reputation implications when contractors
represent the brand, changing international
60 %
OF THEM DO NOT
labor laws, and a sharper societal focus on IDENTIFY IT AS A  
diversity, equity, and inclusion. SUBSTANTIVE RISK
The new workforce ecosystems may TO THEIR BUSINESS.
require new leadership practices. “You have
“Companies need to start
to think about it holistically, and you have anticipating these inevitable
to really harness the power that is your policy shifts, taking action
entire workforce to be successful,” says U.S. in their value chains, and
Army Maj. Gen. Ronald Clark, who over- disclosing these risks to their
sees military, civilian, and contracted per- shareholders,” says Nicolette
Bartlett, global director of
sonnel for the U.S. Indo-Pacific Command. Climate Change, CDP.
— C. JANESKO
Source: CDP, Nearly Half of World’s
Biggest Companies Factoring Cost of
Carbon Into Business Plans

RACIAL EQUITY AUDITS ON THE RISE

IMAGES: TOP, SUMBERARTO / SHUTTERSTOCK.COM; RIGHT,
METAMORWORKS / ISTOCK.COM; BOTTOM, ISTOCK.COM

Pressure mounts for

independent reviews
for discrimination.

M
any boards are on performing racial equity which analyze companies’
having heated audits, and not every orga- business models — from
debates on how nization is taking the same policies to products and ser-
to promote racial path, Bloomberg reports. vices — to determine whether
equality and equity. One ele- Racial equity audits are they cause, reinforce, or per-
ment of this debate centers conducted by outside groups, petuate discrimination. The

JUNE 2021 INTERNAL AUDITOR 11

 Practices/Update VISIT InternalAuditor.org to read an
extended interview with John Rodi.

audit consists of background

research along with a review
of strategic plans, job post-
ings, performance reviews,
and other materials that
reflect the corporate climate.
It also includes interviews
with staff and stakeholders,
as well as surveys. After the
process is completed, auditors
share the findings with orga-
nizational leaders and recom-
mend improvements.
These kinds of audits
are not new, with Airbnb and
Starbucks conducting them
in recent years following
accusations of discrimina-
tion, Politico reports. Today,
many investors and advocacy
groups are pressuring busi-
nesses to consider them in
the wake of U.S. protests
against social injustice.
Corporate response to
this pressure has been mixed.
Wealth manager BlackRock
has said it will have an
independent racial audit of
its operations conducted in
2022, but companies such as
THE POST-PANDEMIC WORKPLACE
A flexible work environment can create strategic opportunities, says
John Rodi, leader of the KPMG Board Leadership Center.
As workplaces begin to reopen, what should organi-
zations consider in determining how to reopen and
what the work environment should be? The COVID-19
pandemic drastically accelerated the shift toward flexible work
arrangements. Now, as health risks begin to fade, directors
need to understand how management is capitalizing on the
digital innovations that empowered virtual work. Recogniz-
ing that only about one-third of U.S. jobs can be done entirely
remotely, strategies will vary widely by industry and business.
Organizations should consider flexible work arrange-
ments as a strategic opportunity and determine where
individuals perform best. The concepts “work from home” and “remote work” should be
removed from our vocabulary. Work is what needs to get done, not where it gets done.
By focusing on “strategic work flexibility” — encompassing place and time — manage-
ment, boards, and professionals can reimagine a future of work that’s empowered by vir-
tual technology and based on a new mindset. This will allow organizations to capitalize on
the digital innovations that empowered flexible work during the global health pandemic.
For strategies to be successful, organizations need to pay close attention to their culture
and tone at the top, as well as opportunities for talent development.
BLOCKCHAIN BEYOND The digital ledger
could be a boost for
CRYPTOCURRENCY supply chains.

Amazon and Morgan Stanley
have said they will review
equity internally.
The fact that these con-
versations are being had at all
represents a shift in the role
organizations have played in
racial equity. According to a
recent JUST Capital survey,
all of the 100 largest U.S.
employers say they plan to
address racial equity through
B
lockchain is gaining acceptance as a
technology for recording data and
ensuring integrity in supply chains
through the ability to track and trace
materials, products, and services, according to
a PwC Strategy + Business article. Current uses
of the public digital ledger range from ensur-
ing the safe and swift global distribution of
COVID-19 vaccines to creating accountabil-
ity in environmental, social, and governance blockchain, Jones advises leaders to consider
claims among manufacturers and retailers. whether its transactions are time-sensitive
PHOTO: LEFT, BET_NOIRE / ISTOCK.COM

anti-discrimination policies.
Of these companies, 98%
plan to do so through educa-
tion and training programs,
and 91% plan to do so
through community invest-
ments. — L. WAMSLEY
Blockchain also can help identify fraud and
contamination quickly and accurately.
Implementing blockchain should be part
of a wider digitization strategy, writes Hadyn
Jones, a senior blockchain market specialist
and director with PwC U.K. To determine
whether the organization can benefit from
and depend on two or more parties to record,
update, share, and view common data.
Also, Jones says they should determine
whether transaction records must be verified
by intermediaries. In each of these cases, col-
laboration among industry peers may increase
efficiencies and reduce costs. — L. NELSON

12 INTERNAL AUDITOR JUNE 2021

 Do you have the blogging voice of choice?
Internal Auditor is seeking fresh perspectives for our new Your Voices blogs. Our platform is
the perfect place to share unique insights and practices and put a face to the internal audit
profession. As the world’s leading source of internal audit news and insights, Internal Auditor can
help you voice your voice — once or often — to more than 200,000 IIA members worldwide.

Guidelines available at www.theiia.org/Bloggers

 Back to Basics
BY SARA I. JAMES EDITED BY JAMES ROTH + WADE CASSELS
BREAKING DOWN
THE AUDIT REPORT
Concise, targeted
reports are of
great value to the
T
organization.
he International Pro-
fessional Practices
Framework does not
require internal audi-
tors to issue a written report.
So auditors can, in theory,
communicate engagement
results through any medium
that suits the function and
the client. For most depart-
ments, though, this is done
via a written report that
documents the engagement
and prompts senior manag-
ers to action.
A well-written internal
audit report, which some
may argue is a rare thing,
should be easy to read and
review and even easier to
act on. Whether new or
experienced, internal audi-
tors can always benefit from
a refresher on the basics of
audit report writing.
What Goes Into a Report?
Implementation Standard
2410.A1: Criteria for Com-
municating, states: “Final
communication of engage-
ment results must include
applicable conclusions, as
SEND BACK TO BASICS ARTICLE IDEAS to James Roth at jamesroth@audittrends.com
14 INTERNAL AUDITOR
well as applicable recommen-
dations and/or action plans.
Where appropriate, the
internal auditors’ opinion
should be provided.” What
should internal auditors
include to make sure their
reports meet these criteria?
Findings Also called issues
or observations, audit find-
ings are the results of obser-
vation and testing during
an engagement. They may
be nonexistent or failed con-
trols, but also can include
instances of good practice
that the auditor wants to
share with the client. It’s
crucial to communicate any
issues clearly, so the client
understands the problem and
why he or she needs to act.
Many internal audit
departments follow the five
Cs model to structure their
audit findings discussion
for clients: criterion, condi-
tion, consequence, cause,
and corrective action. How-
ever, the nonnegotiable ele-
ments are condition, cause,
and consequence.
Another way to articu-
late condition, cause, and
consequence is to ask three
important questions:
1. Who is not doing what, or
what is not in place? The
report should indicate
what observation and
testing produced — evi-
dence of inadequate or
ineffective controls. For
example: “Senior manag-
ers in the facilities secu-
rity team do not check
applicants’ backgrounds
for criminal or other rel-
evant records.”
2. So what? The answer to
this question should be
a real risk statement. In
other words, auditors
should state the real-
world harm that has
occurred, or could result
from, the control weak-
ness, rather than just
another failed control.
For example: “As a result,
the organization may risk
reputational damage and
financial loss if it hires
people who have a history
of theft or other crimes.”
JUNE 2021

3. Why? Internal auditors should not settle for a superficial
reason or a repetition of condition as the answer to this
question. Instead, they should channel their inner four-
year-old and keep asking, “Why?” For example: “This has
arisen because senior managers in the facilities security
team have not updated hiring processes in line with group
policy, which requires background checks.”
Executive Summary Once internal auditors have articulated
the key findings, it’s time to write the executive summary. The
IIA Practice Guide, “Audit Reports: Communicating Assur-
ance Engagement Results,” says the executive summary should
“provide a clear and concise overview of the engagement results
and efficiently deliver critical information with a persuasive,
well-substantiated key message to stakeholders.” However, the
summary should not be a condensed recitation of the findings.
Many clients will only take the time to read the execu-
tive summary, so it needs to provide high-level headlines.
Broader themes such as underlying cultural or behavioral
problems, a lack of governance, or other big items must fea-
ture in the executive summary.
Internal auditors should try to limit the executive sum-
mary to a short paragraph. It’s harder than people think, but
readers appreciate such concise communication.
How to Write It
Standard 2420: Quality of Communications says, “Com-
munications must be accurate, objective, clear, concise,
constructive, complete, and timely.” To communicate in this
Trusting audit team members allows
them to find their own flexible solutions.
way, internal auditors should follow the ABCs to keep writ-
ing active, brief, and concrete.
Active The audit report should be written in the active rather
than passive voice. Instead of saying, “The report was reviewed
by the manager,” the report should say, “The manager
reviewed the report.” The active version is shorter and clearer.
Often, report writers leave out the performer of the action
altogether. For example, “The report was reviewed” is short,
but it omits what could be useful information. A sentence such
as, “The findings were discussed, rewritten, approved, and
issued” contains four actions and no hint as to who performed
any of them. One person? One team? Different people on dif-
ferent teams? The active voice helps avoid such confusion.
JUNE 2021
TO COMMENT on this article,
EMAIL the author at sara.james@theiia.org
Because the active voice puts the responsible parties or
area first, it may come across as blaming. However, overusing
the passive voice produces writing full of vague, possibly mis-
leading sentences. A good rule of thumb is to keep the use of
passive voice in the report below 20%, which Microsoft Word
readability statistics can calculate.
Brief Report readers are busy, so internal auditors should use
simple words and keep sentence length to 20 words at most
(in English). Why would anyone want to wade through 20
pages when they could grasp the message in fewer than 10
pages of plain language? Again, Microsoft Word’s readability
statistics function will help, as it provides the average number
of words per sentence in a document.
Concrete One way internal auditors can make their writing
less abstract is to avoid nominalizations (also called verbal
nouns). This happens when the writer takes a verb — ana-
lyze — and turns it into a noun — analysis. The result is a lon-
ger sentence. Instead of saying, “We performed an analysis of
the data,” the writer should say, “We analyzed the data.”
Nominalizations make writing even harder to follow
when people disappear completely from the sentence: “Anal-
ysis and further investigation led to discussions and decision-
making.” The reader cannot determine who is analyzing,
investigating, discussing, and deciding.
Some auditors may shy away from communicating
so directly, especially in cultures that may see this as rude.
However, if internal auditors have performed the engagement
thoroughly and have material findings
to report, the reader needs to know.
Whether in reports, emails, or briefings,
the ABCs will make it easier for readers
to understand the message and act on it.
Trusted Advisors, Trusted Reports
When internal auditors understand their audience, keep
communication factual, and focus on solutions, they create a
professional and positive impression. They also avoid sending
mixed messages and then wondering why no one has acted on
the report recommendations.
Report writing — like all working practices — has changed
greatly since the pandemic and will continue to evolve. Many
internal audit departments are communicating more by phone
and video, and producing more concise, targeted reports. With
that goal in mind, internal auditors who can convey more with
fewer words are of greater value to the organization.
SARA I. JAMES, PHD, CIA, is an internal auditor and the owner
of Getting Words to Work in Oxford, U.K.
INTERNAL AUDITOR 15
THE NEXT-GENERATION
INTERNAL AUDIT JOURNEY
NEEDS TO BEGIN NOW
Protiviti’s 2021 Next-Gen Internal Audit Survey

© 2021 Protiviti Inc. An EOE M/F/Disability/Veterans. PRO-0521

Download full report
 ITAudit
BY STEVE MAR
THE AFTERMATH OF SOLARWINDS
The massive
cybersecurity breach
raises questions
O
about infrastructure
and network risks rganizations and
officials worldwide
that internal audit
are still sifting
can help answer. through the dam-
age caused by the December
2020 SolarWinds breach,
which impacted more than
250 companies and govern-
ment agencies. Hackers
inserted malicious code into
the U.S. company’s Orion
IT infrastructure monitoring
and administration platform.
The code spread
through updates and patches
SolarWinds sent to all its
clients, the company’s CEO
Sudhakar Ramakrishna
told a joint hearing of the
U.S. Senate Oversight and
Reform and Homeland
Security Committees in Feb-
ruary (see “Congress Raises
Questions” on page 19).
The SUNBURST malware
created backdoors through
which hackers could access
customers’ systems.
Organizations that use
the SolarWinds platform may
already have been attacked.
Internal auditors should help
determine their risk and
SEND ITAUDIT ARTICLE IDEAS to Steve Mar at steve_mar2003@msn.com
18 INTERNAL AUDITOR
devise safeguards against this
and future attacks.
Protecting Infrastructure
In the aftermath of the
SolarWinds incident, IT and
cybersecurity teams should
review and test more details
and cover more transac-
tions. In time, audit com-
mittees, external auditors,
and regulators may expect
internal audit to perform
more continuous assessments
and technical reviews of the
infrastructure and network
cybersecurity hygiene.
The level of investment
and time to improve cyber-
security in the network and
infrastructure will need to
increase significantly, as well.
In a March presentation, the
National Association of Cor-
porate Directors (NACD)
advised boards to “evaluate
their programs’ effectiveness
compared to their spend.”
The NACD suggests direc-
tors discuss:
Ʌ How can boards ensure
companies are imple-
menting best practices?
Ʌ What are the most
effective security metrics
boards should consume?
Ʌ How can boards oversee
effective third-party risk
management?
Assessing Risks
Internal audit should begin
by assessing the risk levels
represented by the Solar-
Winds breach. Organizations
assume that infrastructure
and network monitoring
tools can be a trusted part of
cybersecurity hygiene prac-
tices. When the tool is cor-
rupted and open for hackers,
it increases all other risks and
weakens controls.
Internal audit’s IT audi-
tors should discuss with the
technology and information
security teams ways to assess
infrastructure and network
governance, risks, and con-
trols. Auditors may need
more training on infrastruc-
ture and network processes.
Even with such exper-
tise, IT auditors rarely will
review the actual code or
patch update. First, scans
JUNE 2021

CONGRESS RAISES QUESTIONS
A
ccording to several sources, the SolarWinds
breach went undetected for at least nine months.
That means the hackers could embed and hide
malicious code over an extended time. Several points
arose during U.S. congressional hearings:
» Members of Congress and witnesses — which included
executives from cybersecurity firms and Micro-
soft — mostly agreed that the U.S. needs a more exten-
sive and better-trained cybersecurity workforce.
» Many attendees said more resources are needed to
strengthen the nation’s cybersecurity. This includes
more federal government investment to upgrade
critical infrastructure, especially outdated software
and security systems.
of patch update code require deep technical knowledge. Sec-
ond, auditors typically focus on timely and complete patch-
ing — not scanning for malicious code in a vendor update.
For example, SolarWinds used external resources to
identify the malware SUNSPOT, a highly sophisticated code
designed to insert the SUNBURST backdoor malware dur-
ing the Orion platform build process. IT auditors would not
be expected to deal with the governance, risks, and controls
over such a detailed and technical process. However, there are
several ways internal audit can provide value.
Vendors and Partners Internal audit should review all infra-
structure vendors and supply chain partners, especially ven-
dors that play a crucial security role. They should perform an
inventory of vendors and analyze each provider’s risk profile.
Segmentation Auditors should review the current network
and infrastructure segmentation to see whether isolating ven-
dor software into a higher risk zone will improve security. Seg-
mentation is a practice of dividing and blocking certain traffic
into different parts to improve performance and control access.
It can help block all or some traffic from reaching another
network, which may prevent infected software from accessing
other high-risk data stored in a different network segment.
Auditors should determine whether the IT team deploys
policies and controls to manage who can access high-risk data
network segments. It also should find out what policies gov-
ern who can access higher risk networks.
Security Testing Internal audit should review whether
technology and security teams plan to perform or set up
JUNE 2021
TO COMMENT on this article,
EMAIL the author at steve.mar@theiia.org
» Members called for improving best practices and
cybersecurity hygiene. This may include more threat
hunting or proactive searches for cyber threats to
organizational networks and infrastructure. For
example, the Department of Homeland Security
Cyber Hunt and Incident Response Team Act of 2019
funds these activities for several federal government
departments and agencies.
» Many members and witnesses called for a better
public–private partnership to deal with cybersecurity
threats, including more robust reporting and sharing
of cybersecurity-related information. However, disclo-
sure brings up issues about liability and reputational
risks to companies that disclose significant breaches.
Dynamic Application Security Testing (DAST) and Static
Application Security Testing (SAST). DAST implements
automated scans that simulate malicious external attacks.
SAST analyzes source code while the application is at rest or
static. Auditors should review the DAST and SAST strategy
and approach to see what threats or vulnerabilities are tested.
Threat Hunting Internal auditors should determine whether
technology and security teams should use threat-hunting
procedures. Security teams can deploy several types of threat-
hunting tools: structured, unstructured, intelligence-based,
hypothesis, and custom hunting. Additionally, auditors should
determine whether the IT and information security teams fol-
low a threat-hunting model or framework.
Return on Investment Internal audit should assess the
maturity and level of return on the organization’s cybersecurity
investment. For example, what percentage of the technology
budget goes to cybersecurity? How does this investment com-
pare to the organization’s peers or industry standards? Does
that investment make the infrastructure safer and stronger?
Third-party Safeguards
The SolarWinds breach tarnished past assumptions and trust
in third-party software and patch update processes. To address
such catastrophic risks in the future, internal audit needs to
assess the governance, risks, and controls over providers that
are essential to monitoring infrastructure and networks.
STEVE MAR, CFSA, CISA, is an adjunct professor at Seattle
University and the University of Hawaii.
INTERNAL AUDITOR 19
 Risk Watch
BY WENDY HELTZER + MARY MINDAK EDITED BY RICK WRIGHT
FINANCIAL REPORTING
DURING THE PANDEMIC
A new study spotlights
how the crisis is
impacting financial
A
misstatement risks and
internal control audits. s the vaccine roll-
outs raise hope that
COVID-19 will
subside, auditors
may question how the pan-
demic has impacted financial
statements. There are many
views regarding how the
crisis has changed the world
and whether these changes
are permanent.
The risk environment
definitely has changed.
Specifically, there may be
greater risk of material
misstatements in financial
statements, according to
our study, “COVID-19 and
the Accounting Profession,”
published in May in the
Journal of Accounting, Ethics,
and Public Policy. Internal
auditors should consider
how to incorporate the
impact of changes driven by
the pandemic on account-
ing processes into their risk
assessment and planning for
audit programs and work.
Survey Findings
The study surveyed 139 acc-
ountants in the U.S. to gain
SEND RISK WATCH ARTICLE IDEAS to Rick Wright at rick.wright@myYellow.com
20 INTERNAL AUDITOR
broader insights into their
work during the pandemic.
Respondents who perform
external audits disagree with
the notion that the crisis
will lead to an increase in
earnings management or
attempted fraud. Although
this finding may reflect
respondents’ beliefs that
stakeholders will be more
forgiving of reduced earn-
ings, management may have
greater incentive to manipu-
late earnings during the
pandemic. Regardless, the
finding suggests that external
auditors may be less likely
to change their audit proce-
dures to identify and assess
changes to risks of material
misstatements brought on
by the pandemic. Internal
auditors should consider
the impact of a higher risk
of material misstatement in
their audit work.
Ironically, survey resp-
ondents also agree the crisis
will reduce the effectiveness
of internal controls and
make it more difficult to
audit them. Taken together,
these findings suggest that
financial statements pre-
pared and audited during
the pandemic are susceptible
to higher risks of material
misstatements. Addition-
ally, while some impacts of
the crisis on the internal
control environment may
be permanent — such as
remote work — organiza-
tions may need to modify
existing internal controls and
internal audit techniques
to accommodate the post-
pandemic paradigm.
The Impact on Control
When internal controls
designed to prevent and
detect financial statement
errors and fraud fall short,
detection mechanisms such
as reconciliations of accounts
and internal audits serve to
catch those errors and fraud.
External audits add a layer of
protection to prevent mate-
rial misstatements.
However, both the pre-
vention and detection fea-
tures of internal controls are
susceptible to weakening due
JUNE 2021

to systemic organizational changes in response to the pan-
demic. Organizations and their auditors were not prepared
for the dramatic and immediate implications and ramifica-
tions of living and working through a global health crisis.
Unforeseen economic hardships and physical limitations
forced organizations to reallocate resources. People and other
resources that had been directed toward internal controls
were reallocated to other business functions deemed more
critical for survival. As an anonymous auditor commented,
“Clients were ‘distracted’ by the pandemic and therefore pro-
viding us with information became low priority.” In short,
internal control environments were impaired.
Employees’ execution of internal control activities also
was affected by work-at-home limitations and distractions,
coupled with the stress caused by the pandemic. The study
finds that the pandemic has impaired the quality of external
auditors’ work. One auditor explains the downsides of work-
ing from home: “It is taking longer to produce work, espe-
cially administratively. The office equipment at home, such
as printers and scanners, is not as fast as the office equipment
at the job office. … People have families and kids who can be
a distraction and do not necessarily allow for everyone to be
available at the moment you need them.”
Audit Difficulties
Specific preventive activities embedded in internal controls
also have been impacted. Because of limited workplace
access, the ability to separate certain duties has been reduced.
Physical access to workplace areas and resources may be
restricted to fewer individuals to decrease COVID-19 spread.
Physical restrictions to inventory and other assets may be
lifted out of necessity, as only a few, select individuals report
to work in person. Without the watchful eyes of fellow
employees, the ability of internal controls to prevent error
and fraud may fall short on other fronts, as well.
Regarding internal controls aimed at error and fraud
detection, employees without sufficient home office equip-
ment may be unable to reconcile accounts remotely. Without
co-workers in the same room during internal audits to brain-
storm or answer questions, a full evaluation and assessment
of the effectiveness of internal controls may be limited.
Unable to conduct physical walk-throughs of account-
ing departments and manufacturing plants, noncompliance
issues that would have been detected in person may go unde-
tected. Another survey participant says the pandemic caused
“difficulty being efficient as an audit team when not working
on the client premises and face-to-face. Internal control walk-
throughs (inquiry, observation, inspection) are more difficult
when done remotely, as are fraud discussions (harder to coor-
dinate and to physically inspect and observe).”
JUNE 2021
TO COMMENT on this article,
EMAIL the authors at wendy.heltzer@theiia.org
Other Audit Risks
While respondents agree that the pandemic has made it
harder to determine the effectiveness of clients’ internal con-
trols, the study also finds that assessments of going concern
questions could be more difficult. However, the study did
not find that the pandemic increases risk in all areas of finan-
cial audits.
For example, respondents neither agree nor disagree that
the pandemic:
Ʌ Will make it more difficult for auditors to determine
whether clients’ accounting numbers reflect the eco-
nomic reality of underlying events and transactions.
Ʌ Will lead clients to engage in greater earnings manage-
ment in their financial reporting.
Ʌ Will increase the risk that auditors will not be able to
detect material misstatements due to fraud in the finan-
cial statements and footnote disclosures.
Ʌ Will make it more difficult for auditors to determine
whether management has disclosed every important item
to investors and creditors in the financial statements so
users can make informed, strategic decisions.
Because the study did not find that the pandemic increases
risk in these areas, internal auditors need not change their
risk assessments with regard to valuations, earnings manage-
ment, fraud, or full disclosure.
Immediate and Future Implications
Financial statements prepared and audited during the pan-
demic will undoubtedly reflect business results differently
than preceding financial statements. It will be difficult to
disentangle the financial implications caused by crisis-related
economic hardships from errors or fraud attributable to
weakened internal controls. Economic indicators determined
using financial statements prepared and audited during the
pandemic should be addressed with caution.
Although it is uncertain when organizations will revert
to previous activities, there could be permanent shifts in
work habits on the other side of the pandemic. With the
crisis shining a spotlight on the susceptibility of internal
controls to work disruptions, internal auditors must learn
how to provide assurance over financial reporting and other
internal controls in a post-pandemic world. As organizations
re-examine their long-term strategic plans, they must revisit
internal controls and devote time, money, and reorganization
to these critical safeguards.
WENDY HELTZER, PHD, CPA, is an associate professor of
accounting at DePaul University in Chicago.
MARY MINDAK, PHD, is an associate professor of accounting at
DePaul University.
INTERNAL AUDITOR 21
 TeamMate+
Audit Management

Focus on Innovation
With more than 25 years of developing audit
solutions, we’re not only deeply invested
in the industry, but we also understand
the critical need for continuous innovation
to drive success for our customers.

TM-20-10448-MK-Core Capabilities-PAD-EN.indd 1 2/12/21 10:22 AM

 Reporting & Management Integrated
Collaboration Analytics

Technology Open Ease

Delivery Ecosystem of Use

Learn More at www.TeamMateSolutions.com

Copyright © 2021 Wolters Kluwer Financial Services, Inc. 10448

TM-20-10448-MK-Core Capabilities-PAD-EN.indd 2 2/12/21 10:22 AM

 Fraud Findings
BY ANNA KON EDITED BY GRANT WAHLSTROM
THE DIESEL FUEL HEIST
Using data analytics,
an internal auditor
uncovers a decade-
V
long vehicle
refueling scheme. eronica Vanatamm
was the inter-
nal auditor for
East Mining Co.
(EMC), an underground
mining company that
relied on heavy machinery
powered by diesel fuel it
purchased from Best Fuel
Plc. Vanatamm was assigned
to audit whether the diesel
fuel consumed by EMC’s
machinery was accounted for
correctly and whether fraud
risks were mitigated.
When Vanatamm
began the audit, she learned
that the main refuel-
ing facility was located at
EMC’s mine site, but the
equipment and diesel fuel
in the tanks were owned
by Best Fuel. EMC drivers
purchased diesel fuel in the
same way as at an ordinary
gasoline station. After refu-
eling, EMC drivers received
receipts that they would
submit to EMC account-
ing. Best Fuel transferred
information about refueling
electronically to EMC at the
end of each month.
SEND FRAUD FINDINGS ARTICLE IDEAS to Grant Wahlstrom at grantwahlstrom@gmail.com
24 INTERNAL AUDITOR
EMC vehicles had the
capacity to carry 5,000 liters
of diesel. After refueling, they
transported diesel fuel to
the underground mine and
dispatched it to 12 under-
ground tanks for trucks,
loaders, and stationary min-
ing machinery. Carrying
vehicles had fuel pistols with
meters and underground
tanks had fuel counters.
EMC became the owner
of the diesel fuel when the
vehicle used to transport
diesel underground tanked
at Best Fuel’s main on-land
facility. So, Vanatamm had to
trace diesel from the time it
was purchased until its usage
was recorded and reported.
She decided to test whether
the balancing equation
worked. Namely, whether
the monthly end balance
equaled the balance at the
beginning of the month
plus the purchased amount,
minus the amount consumed
by the machines.
EMC performed a
physical inventory of the
underground fuel tanks
every Sunday and the first
day of the month, and
compared actual measure-
ments to expected calculated
results. The calculated results
were based on sales receipts
from Best Fuel and meter
readings from the under-
ground tanks. Vanatamm
extracted data for three
months and discovered the
physically measured balance
of diesel fuel was always
precisely the same as the cal-
culated end balance. There
never was a single liter differ-
ence. She became suspicious
and extracted a new data set
looking at two years’ worth
of data. Still, there was
always an exact match.
Vanatamm discussed
her concern with Peter Kirs,
the mine’s main engineer. He
told her that EMC recon-
ciled the physical inventory
balance with the calculated
inventory balance. However,
the reconciliation required
an additional adjustment.
During this step, any differ-
ences between the measured
physical end balance and
JUNE 2021

LESSONS LEARNED
» When conducting an operational audit, technical
nuances and peculiarities of business processes
must be investigated so that auditors fully
understand what the purpose of each procedure
is. It could indicate that a claimed control is an
actual control or a smart workaround to conceal
process deficiencies.
» Understand the data. Data that is perfect or close
to perfect may have another story to tell. Internal
auditors should pay attention and try to compre-
hend the story behind it.
» Sometimes it is more convenient for managers
not to see fraud, even if it takes place on their
watch. Management might be content with expla-
nations of anomalies as long as the reasoning is
plausible. The role of any diligent auditor is to
work closely with management, and advise and
train them on fraud risks and anomalies.
calculated end balance were solved. Kirs explained that diesel
fuel contracts and expands depending on the temperature of
the environment. The mine maintains a temperature of
8 degrees Celsius, so, during winter months when it is colder
outside, the diesel expands in the underground tanks. How-
ever, during summer months, when it is warmer outside,
the diesel contracts in the underground tanks. As a result,
Kirs explained to Vanatamm, it was not possible to conduct
precise verifications without automated corrections that took
into account those peculiarities.
Vanatamm decided to verify Kirs’ statements. She inquired
with the IT department on exactly how the automatic algorithm
The weakest point in the process was in
the transportation of fuel.
worked and obtained data before corrections. From data and
algorithm analysis, she found that Kirs’ statement regarding con-
traction and expansion of diesel due to changes in temperature
was not the main reason automatic corrections were introduced
into the process.
Vanatamm discovered that almost every month, the
physical inventory of diesel fuel measured considerably less
than it was supposed to, according to expected, receipts-based
JUNE 2021
TO COMMENT on this article,
EMAIL the author at anna.kon@theiia.org
calculations. In addition, the variances existed in both winter
and summer months. The algorithm always neatly enlarged
the amount of diesel issued from underground tanks so that
figures would equal the calculated ones.
Vanatamm observed that there were substantial differ-
ences between purchased amounts and the diesel month-end
balance that could not be fully explained either by tempera-
ture changes or by imprecise counters. Her recommendation
was to inspect all tanks and vehicles and calibrate all meters
that belonged to EMC.
Three months later, Anton Pavlovski was appointed as
the new main mining engineer. He implemented Vanatamm’s
audit recommendations and spoke to her about their shared
feelings that diesel fuel was possibly being stolen. Vanatamm
pointed out that because there was video surveillance near the
underground tanks, she did not think fuel was being stolen
there. She believed that the weakest point in the process was
in the transportation of fuel from the ground facility to the
underground tanks. Pavlovski placed the refueling facility
under video surveillance, which captured one of the drivers
making a strange gesture near the diesel pistol. He conducted
a site visit of the refueling facility with representatives of Best
Fuel, where they discovered a backflow pipe with a tap.
The team found that EMC drivers would open the
backflow tap during the fueling process, allowing diesel fuel
to flow back into Best Fuel’s tank. The backflow was not
recorded. For example, while fueling a 5,000 liter tank, the
driver opened the backflow tap, allowing 300 liters of diesel
fuel to flow back into Best Fuel’s tank. The driver would
close the tap, collect the receipt for 5,000 liters, and trans-
port 4,700 liters underground.
The investigation found that the backflow scam had
been in place for more than 10 years and every EMC vehicle
driver was involved. Each driver would report how many
liters were pumped back to a “cashier” at Best Fuel and
would be paid for each liter. Shortages
were concealed with the help of the
work-around algorithm, shrinkage and
expansion explanations, and imprecise
underground meters.
The investigation results were sub-
mitted to the authorities, and a criminal
investigation was initiated. Management at Best Fuel claimed
to have no knowledge of any diesel surplus and said that
there was never any intention to defraud EMC. EMC drivers
involved in the scam were fired and investigated by police.
Financial loss was estimated to be in the hundreds of thou-
sand of dollars; however, not all of it was possible to prove.
ANNA KON is a head of internal audit in Tallinn, Estonia.
INTERNAL AUDITOR 25
Is ESG the New
Sarbanes-Oxley
Internal audit needs to be ready
to help organizations report on
their environmental, social, and
governance risks and initiatives.
N
o matter where you’ve turned in the
past year, business headlines have
heralded environmental, social, and
governance (ESG) topics. In April,
hundreds of businesses and business
leaders took a stand against Georgia’s
controversial new voting law, enacted
following a tumultuous U.S. presiden-
tial election. Earlier this year, Larry
Fink, CEO of investment manage-
ment firm BlackRock, called on CEOs
to address climate change and align
greenhouse gas reduction with science
and global reporting standards. And
last year, #BlackLivesMatter and similar
campaigns arising from race-based kill-
ings brought social justice, equality, and
equity to the forefront — even in execu-
tive suites.
Logan Wamsley These examples encapsulate how
broad the scope of ESG truly is and
Illustration by Sandra Dionisi the daunting task organizations have in
addressing its related risks. Investors,
politicians, regulators, and the public
are pressuring businesses to hold them-
selves more accountable. That raises
the question of whether comprehensive
ESG reporting will become mandatory
26 INTERNAL AUDITOR
and have an impact on internal audit
similar to how the U.S. Sarbanes-Oxley
Act of 2002 changed internal audit’s
role in financial reporting.
Some internal auditors say it
might, at least for certain companies
and business sectors, pointing out that
many countries already require such
disclosures or at least are starting to
explore them. While the U.S. Securi-
ties and Exchange Commission (SEC)
hasn’t required ESG reporting, “the
winds are definitely changing with the
new SEC chair and the Biden admin-
istration having this as a very high
priority,” says Steve Wang, a manag-
ing director at Protiviti in St. Louis.
Wang says internal audit has a key role
to play in ESG reporting; however,
the level of effort needed may not be
equivalent to that put into Sarbanes-
Oxley compliance.
THE PRESSURE IS ON
Although ESG reporting is becoming
an important resource for sharehold-
ers and regulators, it’s also important
for company stakeholders, including
JUNE 2021
 THIS IS THE SLUG LINE

JUNE 2021 INTERNAL AUDITOR 27

 IS ESG THE NEW SARBANES-OXLEY?
employees and consumers. In fact, it
is the pressure from stakeholders and
not any one government entity that has
been the primary driver of change.
A good example is the business
response to Georgia’s voting law, an
unusually vocal move by corporate
America to shape the nation’s political
discourse. “If you do not have a point
of view that supports equality, and that
represents justice and democracy, how
will you be a company that’s relevant
going forward?” asks Edith Cooper,
co-founder of Medley, a membership-
“
based community for personal and
professional growth in New York, and
The investment an independent board director for Etsy
community and Slack.
Organizational psychologist Dr.
realizes that
“
Ella Washington of Georgetown Uni-
ESG is a risk, versity says the public now expects
There’s a offering the greater action from organizations to
clear call for opportunity to address racial diversity, equity, and
action that add financial inclusion (DEI) — particularly from
companies are value—or to board members. “The narrative at this
point has shifted because people of the
responding limit it.” Black community and their allies glob-
to, but their Douglas Hileman ally are saying, ‘OK, words are great,
follow-through but they’re no longer enough,’” she
is what says. “There’s a clear call for action that
people are companies are responding to, but their
follow-through is what people are really
really paying paying attention to.”
attention to.” To wit, Jason Kilar, the CEO of
Ella Washington
WarnerMedia, explicitly named racism
as a problem in the company and com-
mitted to work toward change, while
BlackRock announced its intention to
have an independent racial equity audit
conducted in 2022.
TO COMMENT
on this article,
GLOBAL MOMENTUM
EMAIL the While demand for ESG reporting is
author at building in the U.S., there have been
logan.wamsley@ significant advances globally. In fact,
theiia.org
ESG movements have a long history in
regions such as Europe. For example,
Europe has led the charge on the envi-
ronmental and sustainability front,
with initiatives such as the publication
28 INTERNAL AUDITOR
of the 2006 Stern Review in the U.K.
and the signing of the Paris Agreement
on climate change in 2015. These
initiatives have had a profound effect
on how organizations view economics
and productivity against the threat of
climate change.
Recent global actions have prom-
ised to take the ESG conversation
even further. In September 2020, the
World Economic Forum’s (WEF’s)
International Business Council (IBC)
published a white paper that established
a set of “stakeholder capitalism metrics.”
These metrics are aimed at establishing
consistency and comparability for com-
panies reporting on ESG performance
in line with the United Nations Sustain-
able Development Goals. “We have to
deliver great returns for our sharehold-
ers and help drive progress on society’s
most important priorities,” said IBC
chairman Brian Moynihan, chairman
and CEO of Bank of America, about
the white paper. “Common metrics will
help all stakeholders measure the prog-
ress we are making and ensure that the
resources capitalism can marshal — from
companies, from investors, and oth-
ers — are directed to where they can
make the most difference.”
In March, the International Finan-
cial Reporting Standards (IFRS) Foun-
dation trustees formed a working group
of standards-setters to converge ESG
standards and set a foundation for the
International Sustainability Standards
Board. The group includes the Climate
Disclosures Standards Board (CDSB),
International Integrated Reporting
Council, Sustainability Account-
ing Standards Board, Task Force on
Climate-related Financial Disclosures
(TCFD), and WEF. “We are encour-
aged by the prospect of the creation of
such a sustainability standard by the
IFRS, which would represent in prin-
ciple the culmination of our original
vision,” said CDSB chairman Richard
Samans in a statement. He noted that
JUNE 2021
80% of companies worldwide report on sustainability, including 96% of the
world’s 250 largest companies, according to the KPMG Survey of Sustainability Reporting 2020.

Aneesa Ruffudeen, national culture

WHAT IS ESG? and conduct leader at Deloitte Canada

A
wide-encompassing term, environmental, social, and governance in Kitchener, Ontario, foresees increased
(ESG) refers to any criteria that characterize an organization’s regulatory action. She points to the
operations as sustainable, responsible, or ethical. Although there heightened awareness of ESG, as well as
can be some overlap, ESG-related topics generally fall under one of the the need to align it with business strategy
three main categories represented in its abbreviation: and reinforce it through organizational
E: The “environmental” piece considers how an organization performs systems. “One can’t help but expect this
as a steward of nature. This can include issues related to carbon emis- to be a continued area of focus when
sions, waste management, water management, raw material sourcing, and evaluating a business,” she says.
climate change vulnerability. Adoption of standards has been
S: The “social” piece examines how organizations manage relation- slower in the U.S., where greater con-
ships with employees, customers, and the greater community. Risks that cern about ESG has not translated into
fall under this category can include corporate social responsibility, labor law or regulations. Under the Biden
management, data privacy, general security, and health and safety. With administration, the SEC has launched
the recent rise of high-profile movements related to addressing racial an ESG investing resource web page
injustice, social ESG-related subjects such as diversity, equity, and inclu- and made related risks a greater focus
sion have taken prominence. in its 2021 examination priorities. The
G: “Governance” refers to variables such as business ethics, organi- commission also established a Climate
zational leadership, executive pay, audits, internal controls, intellectual and ESG Task Force to proactively
property protection, and shareholder rights. Diversity risks, while social in identify ESG-related misconduct.
nature, also can fall under the governance umbrella in certain cases, such Moreover, President Biden has
as when actions are undertaken to improve board diversity. issued two recent executive orders,
Although there is a perception that ESG-related topics are nonfinancial including EO 13990, which directs all
in nature, long-term improvement of organizational performance and federal departments and agencies to
financial returns are central to the argument for increased ESG prioritiza- act to confront the climate crisis. The
tion. Ultimately, the goal of ESG reporting is to give investors and stake- second order, EO 14008, states that
holders more complete analyses that can help them make better-informed climate change should be incorporated
investment decisions. into U.S. foreign policy and national
security considerations.
ESG reporting is already done
through some avenues, but the demand
the group will be “building in part made on external sustainability factors. for more is growing fast. “There have
upon the CDSB Framework and the This compliments the 2014 EU Non- long been regulatory requirements for
use of it by over 500 large listed com- Financial Reporting Directive, which reporting and disclosures to the SEC,
panies around the world.” mandates that all offices within the EU as well as agencies that enforce other
with more than 500 employees adhere aspects of ESG: environmental, safety,
THE FUTURE OF to a minimum requirement to report on labor, etc.,” says Douglas Hileman, a
STATUTORY REPORTING environmental matters, social matters, Los Angeles-based ESG specialist. “The
Across the world, there is already a human rights, anti-corruption and brib- investment community realizes that
litany of ESG reporting standards, both ery measures, and board diversity. ESG is a risk, offering the opportunity
current and planned. For example, Additionally, European companies to add financial value — or to limit it.”
the European Union (EU) Sustainable must maintain an awareness of the Hileman notes that investors are
Finance Disclosure Regulation went reporting requirements of individual looking for robust, meaningful, and
into effect in March. This law outlines countries. For example, the U.K. plans comparable ESG data. Moreover,
requirements for asset managers of to introduce new ESG disclosure business-to-business requirements for
investment firms to disclose how sus- requirements for Financial Conduct ESG reporting and performance create
tainability risks are incorporated in their Authority-authorized investment man- additional compliance requirements,
decision-making, as well as the princi- agers based on recommendations from which can be enforced through industry
pal adverse impact of any investments the TCFD. standards or contracts. “Noncompliance

JUNE 2021 INTERNAL AUDITOR 29

 IS ESG THE NEW SARBANES-OXLEY?
can put customer relationships — and
revenues — at risk,” he explains.
GROWTH IN REPORTING
Recent data indicates that organiza-
tions have responded to the changing
tides, although not comprehensively.
For example, about 90% of S&P 500
companies issue corporate sustainabil-
ity reports, but only 16% refer to any
ESG factors in their regulatory filings,
according to a July 2020 Government
& Accounting Institute study. That
creates a mismatch between what they
disclose officially to regulators and vol-
“
untarily to the public.
There also have been mixed results
The whole in incorporating the social aspects
of ESG, such as DEI, into reporting
aspect of structures, despite a wide recognition
culture risk
“
of the value such insight provides. In a
and DEI recent Greenwich Associates survey of
Organizations misalignment 92 investors and 22 intermediary dis-
should be can be tributors across France, Germany, Italy,
understood the Netherlands, the U.K., and the
looking for Nordic countries, 79% of respondents
any inconsist- from an see social considerations as having a
encies in internal positive impact on performance and
reporting auditor’s risk management in the long term, yet
between perspective.” 42% see a lack of established metrics
voluntary as the key barrier to social investing.
Aneesa Ruffudeen Additionally, 31% say a lack of clarity
disclosures over what constitutes a socially respon-
and the sible investment will hold firms back.
financials.” “This can be attributed in part
to the fact that the nature of social
Steve Wang
indicators can seem less tangible or
measurable, with standards that are
more likely to vary by region,” says
Jane Ambachtsheer, global head of
sustainability at BNP Paribas Asset
Management, which sponsored the
study. “However, the same can hold for
environmental and governance factors.”
HOW INTERNAL AUDIT CAN HELP
Internal audit can help the board
understand the importance of getting
ESG reporting right. A new IIA report,
Internal Audit’s Role in ESG Reporting
30 INTERNAL AUDITOR
discusses the value of independent assur-
ance of such reporting.
With an increasing body of laws
and regulations rapidly becoming a
reality, the enforcement potential for
public ESG reporting and disclosures
is growing. “ESG efforts are typically
widely distributed through an organiza-
tion, with varying degrees of rigor for
systems and controls for generating data
and information,” Hileman says. He
explains that internal audit’s assurance
role for internal controls over financial
reporting is understood, because of
Sarbanes-Oxley, and auditors can apply
the same skills to nonfinancial reporting
such as ESG. “With the pace of change,
it is a classic example of where internal
audit can provide value at the speed of
risk,” he says.
Likewise, Wang notes that the SEC
intends to review sustainability reports
that companies disclose voluntarily.
“They could open enforcement inves-
tigations where a sustainability report
or voluntary disclosure suggests that
something in the required filings could
be materially misleading,” he says. “The
risk right there should be evidence as
to why organizations should be look-
ing for any inconsistencies in reporting
between voluntary disclosures and the
financials, and internal audit can and
should play a role in that.”
In navigating the social aspects of
ESG without definitive metrics, inter-
nal audit’s involvement might be even
more important. IIA Standard 2060:
Reporting to Senior Management and
the Board requires internal audit to
report significant risk and control issues
requiring attention to senior manage-
ment and the board. Without clear
standards for reporting on DEI, for
example, internal audit could consult
with company leadership on what
information would be most valuable for
investors and stakeholders.
DEI is a good opportunity for
internal audit to discuss risk with
JUNE 2021
Among companies that report
on ESG, 61%
have a board-level ESG committee,
and 21% tie executive compensation to an ESG metric, according to a NASDAQ analysis of those reports.

management and the board. “The
whole aspect of culture risk and DEI
misalignment within organizations can
be understood from an internal audi-
tor’s perspective,” Ruffudeen says. To
determine a framework for DEI, she
advises breaking it into four pillars:
the organization’s culture, risk culture,
compliance needs tied to the culture,
and conduct risks. “If we talk to lead-
ers in the organization about it, we
can help them determine if we have
the right culture in our organization,
if we are living by the shared values we
promote, and where we can begin to
improve,” she says.
A CHANGING OF THE GUARD
Regardless of whether additional statu-
tory ESG reporting requirements mate-
rialize, that does nothing to diminish
ESG’s importance to the organization
or its place in internal audit’s risk
scope. ESG reporting does not just rep-
resent a moral imperative; in fact, long-
term productivity and success is a core
argument for increased ESG-related
disclosures. This can be seen in a vari-
ety of ways, including a reduction in
operational expenses, fewer costly regu-
latory and legal interventions, increases
in employee morale and productivity,
and significant top-line growth.
Additionally, organizations would
do well to account for the shifts in
cultural attitudes regarding ESG topics
in their long-term forecasts. In a recent
McKinsey & Co. report, more than
70% of consumers say they would pay
an additional 5% for a “green” product
if it met the same performance stan-
dards as a non-green alternative.
This is equally important on the
employee side. According to Deloitte,
three-fourths of the global workforce
in 2025 will be millennials — a genera-
tion deeply invested in climate change,
corporate accountability, consumer
ethics, and diversity. Companies whose
values align with those of their talent
pool will be best positioned to attract
the best people.
These are three key areas where
internal audit can gain the greatest
buy-in from board members and assist
in reporting. As the culture shifts, so
does the money. In many ways, the
push for ESG reporting can be seen as
downstream of culture , which is mov-
ing forward swiftly.
LOGAN WAMSLEY is manager, content
strategy and development, at The IIA.

IIA SMARTBRIEF
They Read Everything,
So You Don’t Have To

IIA SmartBrief provides a weekly snapshot of market

news and articles affecting internal auditors and their
stakeholders gleaned from leading global news sources
including The IIA.

There are weekly issues intended for all members as

well as monthly specialty issues focusing on financial
services, public sector, and global topics.

All you have to do is opt-in and take it all in.

Opt in for free at www.SmartBrief.com/IIA or
www.SmartBrief.com/IIA_Global (for outside of
North America).

JUNE 2021 INTERNAL AUDITOR 31

People who know
Internal Audit,
know BDO.

BDO’s Risk Advisory Services team is committed to

the Internal Audit community. We invite you to join
us for our webinar series.

Events are complimentary but registration is required.

Register today:

BDO provides assurance, tax, and advisory services to companies of all sizes,
across nearly every industry. Our global organization, combined with the
personal attention of experienced professionals, allows us to offer the services
and resources our clients need, everywhere in the world they do business.

www.bdo.com

© 2021 BDO USA, LLP. All rights reserved.

 A
Standard Approach
With internal audit’s help,
companies can realize
the benefits of adopting
nonfinancial disclosure
standards, says the SASB’s
JEFFREY HALES.
JUNE 2021
Neil Hodge
Illustration by Sandra Dionisi
T
he days of believing that a company’s
profit and loss account is the ultimate
indicator of future performance are
over. Investors, regulators, and other
stakeholders are acutely aware that there
is much more information that a com-
pany can disclose outside of the usual
financial reporting. This nonfinancial
INTERNAL AUDITOR 33

data can provide a better understanding
of the business’ long-term risks as well
as how those risks are managed.
Many companies fail to see — and
leverage — the benefits that a better
understanding of nonfinancial risks
can have on the long-term viability
of their business, known as corporate
sustainability. Instead, companies either
choose to ignore investor and regula-
tory demands for more information or
pay lip service to them, regarding such
requests as box-ticking compliance
exercises instead of opportunities to
understand, manage, and exploit nonfi-
nancial risks for their future benefit.
Standards and frameworks have
been developed worldwide to help
organizations examine and under-
stand the impact of environmental,
There has been a significant drive by
investors demanding more information
about companies’ long-term goals.
social, governance (ESG), and other
long-term risks to the business, and
how they can recognize — and real-
ize — opportunities stemming from
them. In 2011, the Sustainability
Accounting Standards Board (SASB)
was set up to provide “an expanded
accounting language that communi-
cates what yesterday’s performance
means for tomorrow’s prospects.” The
SASB has attempted to make such dis-
closure easier for companies, even hav-
ing developed specific standards for 77
different industries so that companies
can more easily identify ESG issues
that are most likely to be financially
material in a given industry.
Internal Auditor spoke to Jeffrey
Hales, chair of the SASB Standards
Board and sector chair for Finan-
cials and Renewable Resources and
34 INTERNAL AUDITOR
A STANDARD APPROACH
Alternative Energy and the Charles
T. Zlatkovich Centennial Professor of
Accounting at the University of Texas
at Austin, about the benefits for com-
panies — and stakeholders — of digging
deeper into nonfinancial risks, and
what role internal audit should play in
the process.
Are companies seeing the value of
nonfinancial reporting measures?
Good financial reporting is important,
but I also recognize the limitations of
traditional accounting. Now there is
so much more information that can
be drawn from to get a better under-
standing of corporate strategy and
performance than just numbers relating
to assets and liabilities. Over the past
five years there has been a significant
drive by investors demanding more
information about companies’ long-
term goals and strategies, and how these
organizations are assessing, preparing
for, and mitigating long-term risks such
as climate change. If investors think
this information is important, then
companies are far more likely to engage
and align their reporting with investor
expectations. And as soon as some lead-
ing companies make this move — and
many have — more will follow.
Which industries/types of compa-
nies are the best adopters of the
JUNE 2021
Links to financial performance are the key driverfor increased ESG focus
by institutional investors, according to Morrow Sodali’s 2021 Institutional Investor Survey.

FIVE REASONS FOR ADOPTION

H
ales offers these key takeaways for internal audit to help the board and executives
understand why adopting the SASB Standards makes sense for both corporate gover-
nance and corporate performance. There are obvious benefits for internal auditors to
push for their adoption.
1. SASB Standards are focused on financial materiality and long-term value creation. They are
also aligned with The IIA’s mission and internal audit’s professional values.
2. The Standards are detailed and specific, and they provide suitable criteria for assur-
ance. Tests also can be built around them, which means there is a strong role for inter-
nal audit involvement.
3. Directors are increasingly being given oversight of ESG and sustainability issues — especially
audit committees — so it is important that internal auditors support them by using a globally
recognized framework to provide them with the level of assurance that they need to inform
long-term decision-making.
4. Investors are demanding more information about sustainability issues. Therefore, it makes
sense for internal audit to push for ESG disclosures to be aligned to an established frame-
work so that their companies’ sustainability reporting meets investor expectations.
5. Sustainability is not just about reporting — it is primarily about managing the risks. Naturally,
internal audit, in particular, is going to play a crucial role when it comes to providing assur-
ance, assessments, oversight, and advice related not just to the reporting of this informa-
tion, but also how sustainability risks are managed internally within the company.

Standards and are living up to their
spirit? Similarly, which industries
are lagging?
Carbon- and energy-intensive indus-
tries — such as oil and gas, mining,
and infrastructure companies — have
been among the best early adopters
of the SASB and other sustainability
standards. This is partly because they
were the first industries to come under
closer investor scrutiny regarding the
impact they were having on the envi-
ronment and what steps they were tak-
ing for the future of the business as the
world moves toward greener, renewable
energy. Slower adopters include ser-
vice industries that have felt that their
operations do not have the same kind
of environmental or social impact as
large-scale mining and manufacturing
companies, for example. However, as
investor and activist pressure mounts,
we expect to see a change in the way
that they report and the information
they disclose.
Are companies adopting the Stan-
dards and reporting differently
based on their geography?
Adoption of SASB Standards in the
U.S., Europe, and Asia-Pacific region
is generally good. However, language
barriers have halted progress in some
regions, such as South and Central
America, which is why we have been
working on translating the Standards
TO COMMENT
and SASB guidance into Spanish. on this article,
French, German, and Japanese transla- EMAIL the
tions are also on the way. author at neil.
European companies have perhaps hodge@theiia.org
been given an additional incentive over
their U.S. counterparts to adopt the
SASB Standards. The European Com-
mission has been specific about the
types of issues that need to be disclosed
under the European Union’s nonfi-
nancial reporting directive — though
it is up to companies how they do so.
It has openly stated that adopting the
SASB Standards — or other established
ESG standards and frameworks, such as

JUNE 2021 INTERNAL AUDITOR 35


those produced by the Global Report-
ing Initiative and the International
Integrated Reporting Council — is one
way of complying with the require-
ments. As a result, the Commission’s
recommendation is a great example of
a regulator telling companies that fol-
lowing the SASB Standards would be
one way to deliver compliance in non-
financial ESG reporting.
The U.S. Securities and Exchange
Commission (SEC), however, has not
been so explicit. It has said that the
Standards are helpful, but has neither
The SEC is relying on the idea that if it is
important, you ought to be talking about
it. That approach is likely to change.
specified which particular standards
nor has it been prescriptive about how
they would help. In fact, the SEC has
been more principles-based in so far as
if there is a material issue, companies
need to disclose it, but there are no
real specifics about how they should
best achieve this. For example, the
SEC recently asked for more disclosure
around the issue of human capital, but
it did not specifically say that using
SASB Standards — which have metrics
to help evaluate the impact — are a way
of complying with this rule. The SASB
has put out guidance detailing how our
Standards can help companies comply.
Rather than singling out issues for
companies to report on — which poten-
tially risks them taking a box-ticking
approach to ESG issues — the SEC is
relying on the idea that if it is impor-
tant, you ought to be talking about it.
That approach is likely to change. The
SEC has recently called for comment
on climate-related disclosures and what
information investors need, and it has
also put forward a review on the quality
36 INTERNAL AUDITOR
A STANDARD APPROACH
of climate-related disclosure to make sure
that climate risks are discussed in a way
that is meaningful for investors.
Are there noticeable differences in
SASB adoption in different coun-
tries if national regulators endorse
the Standards specifically?
Every region works differently in terms
of “push and pull.” In some countries,
private sector efforts and investor
demand have pushed companies to
disclose, while in others, government
has stepped in to set policy and pull
corporate reporting in a particular
direction. Strong government backing
for companies to endorse sustainability
standards is obviously a major result for
any standards-setter. For example, the
Securities and Exchange Board of India
recently said that the top 1,000 com-
panies need to report on sustainability
issues, and specifically mentioned that
the SASB Standards would be a way of
helping them do that.
But even if governments or regula-
tors do not specifically back the SASB
Standards, or do not call for better or
deeper ESG reporting, it does not mean
that sustainability issues just sit on the
backburner or are ignored. In fact, we
have found that lax regulation actually
leads to a greater need for information.
If reporting/disclosure requirements are
not mandated, investors will simply ask
for the details anyway, especially if that
level of disclosure is called for in other
countries. There is now a much greater
understanding among companies that
markets are global and that there is a
much broader expectation that ESG
needs to be reported in a way that
reflects the kind of information that
investors and other stakeholders are
used to getting around the world.
How has shareholder activism
influenced SASB Standards?
There can be no doubt that inves-
tor demands have driven meaningful
JUNE 2021
Climate change was identified by 68% of respondents as the most material
ESG issue, followed by resource scarcity (62%) and supply chain (49%), in a 2021 poll conducted by Verdict.
change on ESG reporting. There has
certainly been a change in the expecta-
tions that investors are pushing for and
the kind of disclosures that they want
from companies. There is also more
pressure on asset managers about the
kind of ESG information they should
be asking for from companies they are
prepared to invest in.
There is also evidence that share-
holder proposals are getting increased
support around key sustainability issues
from institutional investors and other
large asset owners, such as pension
funds. Other trends, like active portfolio
management — which is used by inves-
tors to monitor which companies are
positioning themselves to better manage
ESG issues and how they may impact
the business — are also gaining momen-
tum and are making a significant impact.
What role can internal audit play
in sustainability reporting and
promoting the benefits of adopting
the Standards?
Sustainability is inextricably linked
to corporate strategy and not philan-
thropic endeavors. The management
of ESG issues is at least as important
as the reporting of them. Sustainability
means thinking about material risks
and opportunities that relate to a com-
pany’s business. When you start to see
it through the lens of strategy, risk, and
opportunity, then the role of internal
auditors comes into focus because their
mission and professional responsibility
is to help companies assess what those
issues are and manage them through
assurance, advice, and insight.
Internal auditors can play a key
role in helping to assess, manage, and
provide insight around key sustain-
ability issues. They should make the
link between sustainability and effective
long-term corporate governance very
clear, as well as spell out how material
risks will impact the operations and
future of the business. The function
JUNE 2021
explains these issues (and the risks
behind them) to the board and can
recommend that management put any
necessary controls in place to help miti-
gate potential shocks arising from them.
Over the years a much stron-
ger focus on sustainability issues has
developed at the board level; the role
of the audit committee is increasingly
focused on managing these issues and
it is, therefore, a key opportunity for
internal auditors to connect with the
audit committee and help them rec-
ognize that part of the committee’s
responsibility is not just making sure
that financial reports are high quality,
but also that sustainability issues are
interconnected with financial reporting
and that nonfinancial information also
needs to be of equal quality.
Internal audit should make the link
between sustainability and effective long-
term corporate governance very clear.
We know that so much more
information is pertinent to the perfor-
mance of a company than the figures
relating to assets and liabilities. We
now understand the importance of
recognizing other sources that have
implications for the financials going
forward, as well as managing that
information, acting on it, setting tar-
gets, and assessing performance. The
accounting profession is central, but it
has been a challenge — even for a pro-
fessor of accounting like me — to push
the importance of sustainability infor-
mation. Even the CEO can be more
receptive to the merits of nonfinancial
reporting than the finance, investor
relations, and accounting teams.
NEIL HODGE is a freelance journalist
based in Nottingham, U.K.
INTERNAL AUDITOR 37
 5 Things You Need
to Know About ESG

E nvironmental, social, and gov-

ernance (ESG) issues represent
a growing area of focus among
today’s stakeholders. In the World
Economic Forum’s Global Risks
Report 2021, businesses surveyed
point to multiple ESG-related risks
high in likelihood and impact,
including extreme weather events,
climate action failure, natural resource crisis, and infec-
tious diseases. The report noted each as a threat not only to
business activities, but to resilience of social infrastructure,
emphasizing both economic and societal challenges.
Business leaders, according to the KPMG 2020 Global
CEO Outlook survey, face increased pressure to address these
challenges. Nearly 80% of CEOs polled say their effective-
ness in managing ESG risks and opportunities will play a
role in determining if they can keep their job over the next
five years. In fact, leaders are already called to account for the
way they navigate these risks — and for their ability to turn
them into strategic advantages.
But ESG risks are complex and dynamic, making them
challenging to predict, monitor, and manage. They also
are highly prolific, with the potential to impact business
growth trajectories. An unanticipated severe weather event,
for example, can cause physical damage to infrastructure,
resulting in a standstill of business activities, job loss,
stranded asset values, penalties from failure to deliver on
contractual commitments, and even increased insurance

38 INTERNAL AUDITOR JUNE 2021

Internal auditors should consider
several key questions when
examining their organization’s
environmental, social, and Cherine Fok

governance activities. Illustration by Sandra Dionisi

JUNE 2021 INTERNAL AUDITOR 39

 5 THINGS YOU NEED TO KNOW ABOUT ESG
premiums. The consequences can be
severe and long-lasting.
Internal auditors must keep abreast
of ESG developments and carefully
consider their potential impact on the
organization. The audit function plays
an important role in ensuring ESG
issues are cascaded down the organiza-
tion’s three lines (see “The IIA’s Three
Lines Model” on page 41) and acting as
stewards for the relevance and reliability
of ESG data. And because the audit
committee regularly reviews internal
audit’s effectiveness, the committee’s
oversight extends to the processes for
managing ESG information. With
these considerations in mind, internal
auditors must ask, and have answers to,
five key questions regarding the organi-
zation’s ESG-related activities.
1. Has the organization established
a structured ESG framework? If so,
how is it integrated with the Three
Lines Model?
A structured ESG framework provides
clarity on sustainability objectives and
governance over topics that are mate-
rial to an organization. Integrating the
ESG framework with the existing risk
management system reduces the risk
that deficiencies may be undetected, as
mismanagement of material ESG fac-
tors may cause organizations to devi-
ate from achieving their strategic and
operational objectives. For example,
water often constitutes a material issue
for food production companies. If
the company secures a comparatively
low cost for water use, it provides a
strategic opportunity and a competi-
tive advantage. At the same time, risks
related to water include scarcity, which
causes escalating water prices and dis-
ruption to supply.
Viewing risks through an ESG
lens helps the organization and the
internal auditor focus more acutely
on the ESG implications of both
new and existing risks. For instance,
40 INTERNAL AUDITOR
occupational health and safety is an
ESG issue widely found in risk reg-
isters. It is not a new risk. However,
applying an ESG lens draws attention
to the wider social connotation of
“occupational safety.” For example,
are safety practices in the workplace
tracking local regulatory requirements
and wider and emerging societal
expectations such as mental well-
ness? An ESG perspective also helps
stakeholders realize that managing
this risk effectively can increase social
capital, enhance enterprise value, and
even allow the company to expand its
socioeconomic contribution.
ESG risks should be closely moni-
tored as part of the Three Lines Model.
When examined in this context, ESG
features prominently within each of the
three lines:
 Line 1 — Management should
take a proactive role in determin-
ing material ESG factors and
actively seek to mitigate their
potential impacts. This effort
could include setting ESG policies
and procedures that are aligned
with the organization’s sustain-
ability objectives.
 Line 2 — Risk and compliance
functions should provide tactical
oversight, guidance, and chal-
lenge, and work closely with man-
agement on ESG-related matters.
 Line 3: The internal audit func-
tion needs to help ensure man-
agement is on the right track in
managing material ESG factors.
2. Does the organization possess
the expertise, and a suitable
culture, to manage ESG effectively?
While some ESG issues may fall within
traditional functions, others may not
be as clear cut. Areas such as green
innovation, for example, may reside
under strategy and research and devel-
opment functions where outcomes
are less defined. Or the procurement
JUNE 2021
More than 80% of managers and executives across the U.S., U.K., France, and Germany say
their company has a formal ESG program in place, according to a recent Navex Global survey.

THE IIA’S THREE LINES MODEL

T
he Three Lines Model should encompass environmental, social, and governance (ESG) issues. Organizations
can establish a sustainability function and provide suitable capacity building to support the management and
oversight of ESG-related concerns, with internal audit providing independent assurance.

GOVERNING BODY

EXTERNAL ASSURANCE PROVIDERS

Accountability to stakeholders for organizational oversight

Governing body roles: integrity, leadership, and transparency

MANAGEMENT INTERNAL AUDIT

Actions (including managing risk) to achieve Independent assurance
organizational objectives

First line roles: Second line roles: Third line roles:

Provision of products/ Expertise, support,
services to clients; monitoring, and chal-
managing risk lenge on risk-related
matters
Independent and objec-
tive assurance and
advice on all matters
related to the achieve-
ment of objectives

KEY: Accountability, Delegation, direction, Alignment, communication,

reporting resources, oversight coordination, collaboration

team may have been tasked with
incorporating ESG considerations in
its supplier policies despite knowledge
gaps around technical understanding
and evolving science. Internal audi-
tors should assess whether additional
expertise is necessary to supplement
what an organization can accomplish
in house. Moreover, preparedness to
embrace sustainability may differ from
one organization to another. Building
ESG key performance indicators into
balanced scorecards and remuneration
frameworks can drive the success of
ESG adoption.
A strong sustainability culture
exists when leadership establishes a
clear directive that ESG is integral
to organizational purpose and val-
ues — and therefore core to business
strategy. Everyone throughout the
organization must understand that
sustainability is an imperative, with
each individual committed to the same
vision and outcomes. Auditors can find
evidence of this commitment in the
establishment of ESG considerations
within risk management processes,
decision-making metrics, balanced
scorecards, and remuneration frame-
works. But these formal structures
alone cannot drive sustainability. Prac-
titioners also should make sure individ-
uals are fully engaged on ESG topics
and have adopted a growth mindset to
embracing it.
3. Which ESG topics are being
measured and reported, and why?
Internal auditors should not set the
organization’s ESG strategy, but they
must understand stakeholder priori-
ties, material ESG issues, and most
importantly, the intersection between
the two. Ultimately, internal and
external reporting should reflect both
current state (what the organization
is doing) and future state (what the
organization intends to do), with
metrics showing the efficacy of ESG
initiatives. Internal auditors need to

JUNE 2021 INTERNAL AUDITOR 41

 5 THINGS YOU NEED TO KNOW ABOUT ESG
understand how ESG brings new risks
to the organization’s business model
and opportunities for growth and
transformation. Each organization
will have its own mix of ESG priori-
ties, encompassing those that are key
to its business success and important
to stakeholders.
4. What processes and controls
already exist over ESG data
collection and reporting?
Data collection — especially in global,
multiline businesses — can be challeng-
ing. For instance, many businesses cur-
rently report on their greenhouse gas
emissions using the Greenhouse Gas
Protocol, a global standard launched in
2001 by the World Resources Institute
and the World Business Council for
Sustainable Development. The proto-
col outlines a clear standard recognized
by most investor groups. But tracking
greenhouse gas emissions requires
that each office, division, region,
and business line is aligned on met-
rics, reporting style, cadence, and
TO COMMENT other areas. In addition, traditional
on this article, approaches to risk management — even
EMAIL the with horizon scanning to identify new
author at cherine.
and emerging risks — may not be suf-
fok@theiia.org
ficient for effective ESG management,
as they typically examine the manifes-
tation of risks within a predetermined
time frame.
The Financial Stability Board’s
Task Force on Climate-related Finan-
cial Disclosures recommends the
use of scenario planning, sensitivity
analysis, and stress testing to ascertain
an organization’s resilience against
climate risks. Those tasked with risk
management and sustainability initia-
tives should harmonize their processes
to facilitate cross-sharing of infor-
mation and data control activities.
Internal auditors should ask probing
questions to understand the proce-
dures and controls in place and assess
their effectiveness.
42 INTERNAL AUDITOR
5. What is the organization
currently publishing in its ESG
reporting?
Different reporting styles come with
different levels of rigor. The data’s
importance to an organization’s overall
ESG strategy, risk appetite, and finan-
cial materiality should align with the
corresponding regulations and levels
of risk associated with the data. Thor-
oughly assessing these areas should
help determine the reporting method.
Likewise, ESG information included in
a management analysis should be moni-
tored with the same rigor as traditional
financial metrics. A data-driven ESG
approach helps make conceptual risks
real and can more practically inform
corporate strategy. Internal auditors
should consider the risks associated with
reporting strategies for certain met-
rics — especially as stakeholder demands
rapidly increase — and help ensure the
accuracy of disclosed data and measures.
KEEPING ESG ON TRACK
In an increasingly volatile environment,
internal auditors play a critical role in
helping the organization accomplish
its goals by ensuring a systematic, dis-
ciplined approach to ESG. Material
ESG issues should be addressed in the
structured ESG framework — and when
assessed to be of high impact and prob-
ability, these issues should be monitored
through the organization’s established
enterprise risk management processes.
Internal audit also should assess the
risks that may not be covered in the
framework, making sure adequate
and effective measures are in place to
address them. Using a thoughtfully
considered approach, internal audit can
help ensure the organization’s overall
ESG-related risk is managed effectively
and that any residual ESG risks can be
mitigated to an acceptable level.
CHERINE FOK, CA, is director, Sustain-
ability Services, at KPMG in Singapore.
JUNE 2021
 Exhibit Expertise

NEW! The IIA’s Financial Services Audit Certificate

Enhance your specialized knowledge and showcase your expertise in 11 key areas by
completing The IIA’s Financial Services Audit Certificate. Passing the exam at the end of
the program demonstrates your competency and distinguishes you from your peers.

Learn more about this OnDemand program. I www.theiia.org/Certificate

2020-0944
 An eye
toward
the
future

I discovered internal auditing through an operational audit-

ing course at the University of Arkansas. At the time, I was
an accounting major, but I had come to realize I didn’t
like tax work or working solely with debits and credits.
This introduction to internal auditing wasn’t like my other
classes — instead, it offered case studies that allowed students
to evaluate risks, find ways to increase effectiveness, and iden-
tify root causes.
Like many other internal auditors, I love analyzing pro-
cesses. Drop any good internal auditor into a driver’s license
bureau or other typically slow-moving system, and we’re
likely to start thinking: “How can I serve customers faster?”
“Where are the risks?” “How can I redesign this for a better
outcome?” The operational audit course got me excited about
this kind of systems thinking. It was the reason I decided to
pursue a master’s degree at Louisiana State University and
specialize in internal auditing. I have never looked back.
The future of the internal audit profession is dependent
upon the next generation being aware of all it has to offer
and seeing themselves as practitioners. As the 2021–2022
chair of The IIA’s North American Board, much of my focus

44 INTERNAL AUDITOR Photographs by Troy Kleinpeter JUNE 2021

 THIS IS THE SLUG LINE

The IIA’s
2021–2022
North
American
Board
chairperson,
LAURA
SOILEAU, says
getting young
people hooked
on internal
auditing is
crucial to the
sustainability
of the
profession.

JUNE 2021 INTERNAL AUDITOR 45


will be on investing in the next genera-
tion of internal auditors. I’ll be work-
ing with The IIA’s new President and
CEO Anthony Pugliese to enhance
and expand our student engagement
strategy and be more proactive about
getting in front of universities and stu-
dents. This will all be part of a larger
effort to grow a diverse and engaged
IIA membership that includes expand-
ing opportunities for volunteerism and
helping peers connect.
ELEVATING INTERNAL AUDIT’S
PROFILE AT THE COLLEGE LEVEL
I was lucky enough to stumble on that
operational audit course, but many
young people in business, accounting,
or data science programs are not aware
of internal auditing as a profession. We
need more university courses like the
one I encountered initially and more
programs like the one at Louisiana
State University, which is an IIA Inter-
nal Auditing Education Partnership
Center of Excellence program. We also
need to continue fostering opportuni-
ties to connect with students.
Some of The IIA’s chapters have
connected with universities to promote
internal auditing, like the mentorship
program that 2020 Emerging Leader
Bonnie Tse of IIA–Seattle launched
with local university students. The IIA
also supports chapters in presenting an
annual chapter challenge to help engage
students and grow them into mem-
bers. We should double down on these
efforts, connecting with professors and
university programs, to make it clear
there are jobs for future practitioners.
To help chapters and global affili-
ates with outreach, The Institute has
posted an Academic Relations Toolkit
on TheIIA.org. In it, members can find
resources for starting an academic rela-
tions plan in their area, along with best
practices from other chapters. The IIA
also offers grants, scholarships, awards,
and events for prospective auditors, such
46 INTERNAL AUDITOR
TO COMMENT on this article,
EMAIL the author at laura.soileau@theiia.org
as the Internal Audit Student Exchange.
This event, hosted annually in Septem-
ber, is aimed at college students with
experience or interest in the field.
ENCOURAGING DIVERSITY
IN THE PROFESSION
To engage the next generation, we
must work to change the perception of
the internal audit profession as boring
and the belief that internal auditors
are “just accountants.” Instead, we
must encourage more nontraditional
paths to the profession. We need
to work with universities beyond
their accounting programs to help
people from different disciplines and
backgrounds — such as liberal arts,
computer science, data analytics, and
management — understand that inter-
nal auditing benefits from a diverse and
inclusive pool of professionals and is a
viable, fun, and exciting career.
We know that as more teams
embrace technology solutions in inter-
nal auditing, students with backgrounds
in IT and data analytics will be needed.
And of course, not all new auditors are
straight out of college. Some move over
from other departments within a com-
pany because of the skills they can bring
to the audit function.
Our internal audit teams need to be
diverse beyond skills and backgrounds.
If one looks at the organizations internal
auditors serve, they will see they are
made up of diverse people. The more
the internal audit department reflects the
organization as a whole, the more we’re
going to be able to relate to our internal
audit customers and stakeholders.
Diversity, equity, and inclusion
(DEI) is a strategic area of focus for
the North American Board, so I’m also
looking forward to continuing work in
this important area. Later this year, the
Internal Audit Foundation, in collabo-
ration with Deloitte, will embark on a
study to explore both the importance
of DEI in the audit function and how
the audit function can play a pivotal
role in advancing DEI enterprisewide.
Ultimately, diversity can only improve
our audit departments. Diversity of
thought helps us communicate
better, understand different points of
view, and assess risk from many differ-
ent angles.
UNDERSTANDING THE NEXT
GENERATION OF AUDITORS
As we welcome the next generation
of internal auditors, we also have to
be open to generational differences.
Granted, the last year has given us all
an opportunity to practice our technol-
ogy skills while working remotely. But
for students coming out of college now,
Zoom, Teams, and other collaborative
technologies are second nature.
When I need to chat, I am one
of those people who will pick up the
phone and call or — when we were
still in an office — pop by for a quick
face-to-face exchange. For some of
the younger generation that I work
with, they’re more likely to send me an
instant message. It’s sometimes been
hard for me to remember to keep our
chat client on and respond, but part of
being open and inclusive is not neces-
sarily expecting everybody to adapt to
my approach. We have to be willing to
meet people where they are.
The next generation also could
be an asset to internal audit functions
as chief audit executives look to add
technology competencies within their
teams. There may even be opportuni-
ties for reverse mentoring, where less
experienced auditors are able to teach
some technical skills to more expe-
rienced teammates. Research shows
that when a company encourages the
exchange of ideas across generations,
it improves productivity, profitability,
and worker morale for all.
Organizations are going to have
to be more flexible and innovative
in how they engage the younger
JUNE 2021
 IIA NORTH AMERICAN BOARD CHAIR

As we welcome the next generation of

internal auditors, we have to be open to
generational differences.

New auditors are going to have to be

intentional about connecting with people.
generation — and really all of us,
as that’s just good talent manage-
ment. It’s going to be important to
periodically get a sense from the
audit team about what’s important
to them — whether it’s community
involvement, mentoring opportunities,
or initiatives related to well-being or
social interaction — and try to incor-
porate some of that into the team or
the organization. As the pandemic has
taught us, communication is critical.
We also need to help new or pro-
spective auditors understand what a
career could look like within the orga-
nization, the different paths they could
take, and how this could ultimately set
them up to achieve their career goals.
The more we can adapt our approach
to meet their needs, the better off we’re
going to be.
BUILDING RELATIONSHIPS
IN THE NEW NORMAL
Most auditors new to the profession have
a passion for learning and an eagerness
for understanding how organizations
work. But they’re coming out of school
into a completely different environment
than the one I walked into at my first
internal audit job. The pandemic has
made relationship building that much
more challenging by removing those
chances for small chats when riding in
the elevator or running into someone in
the break room. Even on the other side
of the pandemic, the workplace is going
to look different; there’s going to be a
big emphasis on how to build relation-
ships in this environment. For me, it’s
about how I sustain and maintain my
relationships, but for the new genera-
tion, they’re walking in without these
relationships already in place.
New auditors are going to have to
be intentional about connecting with
people, whether it’s team members,
people within the organization, or

JUNE 2021 INTERNAL AUDITOR 47

 people who are part of their manage-
STEPPING STONES TO LEADERSHIP ment group. If they show that drive

I
t was at Louisiana State University (LSU), where I earned a master’s and exercise their soft skills, then other
degree in accounting with a specialization in internal auditing, that I first things, such as opportunities for fur-
got involved in The IIA as a student member. I enjoyed the opportunity ther contribution, will naturally fall
to network and participate in chapter events. into place.
While at LSU, I passed the CIA exam, receiving the Student Highest
Achievement Award for my performance. Passing the exam while I was GROWING THROUGH THE IIA
still a student allowed me to start my career a step ahead. On my first day For auditors new to the profession or
on the job, I already understood the fundamentals. looking to advance their careers, The
During my time at LSU, I interned at Avery Dennison, a Fortune 500 IIA has many helpful initiatives. Take
manufacturing company based in Pasadena, Calif. Following my gradu- the Emerging Leaders Task Force
ation in 2001, I continued with the company, starting first as an internal (ELTF), for example. Made up of IIA
auditor and moving up to senior internal auditor in 2003. The internal volunteers, the task force encourages
audit team traveled up to 80% of the time, including internationally, emerging internal audit leaders to
which gave me an opportunity to see the world. engage, connect, and contribute to
In 2004, the company transitioned me to a financial analyst role, which the profession.
was based in Cleveland, Ohio. I quickly realized that I missed internal The task force recently launched
auditing, so after a year, I took a job with International Paper, a Fortune the Emerging Leaders Mentoring Pro-
100 manufacturing company based in Memphis, Tenn. This job taught me gram. I served as a mentor through
the importance of relationship-building with internal audit stakeholders the inaugural program, and I am very
and allowed me to hone my leadership skills. enthusiastic to participate again this
Finally, a little more than 10 years ago, my husband and I relocated to year. Being a mentor has allowed me to
Baton Rouge, and I joined my current organization, Postlethwaite & Net- develop new relationships and given me
terville. I started as a manager and was promoted to associate director a better understanding of the challenges
and now director, which is a partner equivalent. I love my current job and I internal auditors are facing today at dif-
couldn’t imagine doing anything else. ferent stages in their careers.
Throughout my internal audit career, The IIA has enabled me to net- The ELTF also recently launched
work and learn from peers outside my organization, contribute to and stay The IIA’s Emerging Leaders LinkedIn
on top of developments in the profession, and further grow my leadership Group, a place for the next generation
skills. I’ve participated at the chapter level, serving as the IIA–Memphis of internal auditors to network. Young
Chapter president and on the IIA–Baton Rouge Chapter Board of Gover- professionals can share their knowledge
nors, and at the North American committee level through the Publications on the Group page, learn about IIA
Advisory Committee, where I served as a member for six years. Through opportunities, and find curated IIA
this affiliation, I authored and co-authored multiple articles for Internal resources most relevant to them.
Auditor magazine, as well as served In addition, the ELTF supports
as a contributing editor to the mag- Internal Auditor magazine’s annual
azine and on its Editorial Advisory Emerging Leaders program, which
Board. In 2017, I joined The IIA’s since 2013 has been recognizing up-
North American and Global boards. and-coming internal auditors who have
On a personal level, I spend the potential to be future leaders. I was
my weekends watching my eight- honored to be chosen as an Emerg-
year-old son play sports, and you’ll ing Leader in 2014 and will be the
find us at many of the LSU sport- first alumni to serve as the chair of the
ing events in Baton Rouge. I also North American Board.
enjoy running, and my family is On the volunteer side, The IIA is
looking forward to the day we can making it easier for internal auditors
resume traveling. to get involved with the association
by transitioning certain committees to
advisory committees and promoting

48 INTERNAL AUDITOR JUNE 2021

 IIA NORTH AMERICAN BOARD CHAIR
For me, volunteering has played a key role
in my professional development and has
opened the door to new opportunities.
volunteer opportunities on a more ad things like being accountable for one’s
hoc basis. This allows auditors who career, learning as much as possible
are busy at work or who have family about one’s organization and indus-
obligations — which includes some of try, and connecting with peers in the
our younger auditors — to pop in and internal audit profession. Showing a
contribute to a working group and commitment to internal audit advocacy
then pop back out, as necessary. For and the International Standards for the
me, volunteering has played a key role Professional Practice of Internal Auditing,
in my professional development and continuous learning, and engaging with
has opened the door to new opportuni- other practitioners can help internal
ties. It has given me the chance to meet auditors get there.
many talented and passionate internal New auditors need to go after
auditors from my community and the Certified Internal Auditor (CIA)
around the world (see “Stepping Stones certification because it will help them
to Leadership” on page 48). develop their understanding of the
Standards, which are the foundation
ADVANCING CAREERS of the profession. Having the CIA
Many of the things that make people demonstrates the auditor’s commit-
successful as professionals are still going ment to, and ultimately proficiency
to be there no matter the landscape —  in, internal auditing.
JUNE 2021
It’s important for the next genera-
tion of auditors to embrace as many
opportunities as possible. One of the
things that made a difference for me
in my career was being open to experi-
ences, and that included sometimes
taking assignments that nobody else
wanted and ones that stretched me,
resulting in greater learning and growth.
Those different opportunities and expe-
riences can help open doors in internal
auditors’ careers. It’s that growth poten-
tial that will attract the next generation
and help us collectively advance the
profession. I hope you will join me on
the journey.
LAURA SOILEAU, CIA, CRMA, CPA,
CISA, is a director at Postlethwaite &
Netterville in Baton Rouge, La.
INTERNAL AUDITOR 49
 Are you spending weeks on a manual
risk management process?

Our users used to spend about an hour rating the

different risks, and that process went down from
about an hour to about 20 minutes. We went from
a several week process of administering the survey, Gary Brendle
Director of Risk Oversight
digesting results, building the report, and presenting and Audit Operations

that to management — to it being a one man show.”

Hear how the MailChimp audit team leveraged

technology to boost risk management efficiency
by 300% with fewer resources.
 INTERNAL AUDIT VALUE

A departmental
cost-benefit
analysis can help
internal audit
measure and
communicate
its value.
Jack Pelikan

Determining
Internal Audit’s ROI

L
ike all departments in an organization,
internal audit is an investment expected
to yield a meaningful return. But unlike
departments where return on investment
(ROI) is easily calculated and traceable
to the bottom line, internal audit is chal-
incurs, such as payroll, travel, software,
and training expenses.
While each internal audit function
faces different perceptions and unique
expectations of value, internal audit
teams can use a cost-benefit analysis to
SILPIN / SHUTTERSTOCK.COM

lenged to assess the inherently qualitative
benefits of its work — such as compli-
ance with laws, risk mitigation, process
improvements, or providing manage-
ment with peace of mind via assur-
ance — against the quantitative costs it
measure, drive, and communicate their
value, and, ultimately, their ROI.
COST-BENEFIT ANALYSIS
Completing a departmental cost-benefit
analysis is a way to address stakeholder

JUNE 2021 INTERNAL AUDITOR 51

DETERMINING INTERNAL AUDIT’S ROI
misconceptions and skepticism over
internal audit’s value, and in some
instances, help make the case against
cosourcing or outsourcing the func-
tion altogether. Similar to the divisional
profit and loss statements seen through-
out an organization, a cost-benefit
analysis can provide tangible, quantita-
tive evidence of internal audit’s value
and overall ROI.
While each internal audit func-
tion’s cost structures, value streams,
goals, and key performance indica-
tors (KPIs) will vary, the cost-benefit
analysis should incorporate current and
planned monetary and nonmonetary
benefits and controllable costs.
Monetary Benefits These benefits
can take various forms — including
cost savings and revenue recoveries —
A cost-benefit analysis can provide
evidence of internal audit’s overall ROI.
and are most likely to garner stake-
holder interest and promote further
usage of, and investment in, the inter-
nal audit function.
Cost savings can be divided into
two categories: savings realized directly
by internal audit and savings realized
by the business as the result of inter-
nal audit’s work. The first category
can include external audit fee reduc-
tions achieved through reliance on
internal audit’s work. Cost reductions
implemented within the internal audit
department, itself, such as for travel or
audit cosourcing fees, will be reflected
as reductions to the controllable costs
section of the analysis as opposed to
increased monetary benefits. The sec-
ond category may include data analyses
and subsequent recommendations. For
example, an internal audit team at a
52 INTERNAL AUDITOR
global manufacturing firm performed
analytics on the company’s accounts
payable data, which resulted in the dis-
covery of $500,000 in various duplicate
payments and unclaimed vendor credits.
Through internal audit’s research and
communications with the accounts pay-
able team, the company subsequently
realized $400,000 of those credits,
which internal audit would then factor
into its monetary benefit calculation.
Internal audit also can perform
engagements that lead to funds recov-
ery, most commonly through contract
compliance audits. For example, if a
company has licensing agreements with
various international partners to dis-
tribute and sell its branded product, the
licensor may receive royalties, which are
typically based on a percentage of sales.
Additionally, the licensing agreement
may have minimum payment or per-
formance requirements that stipulate
additional compensation to the licensor
if not met. In this instance, if the agree-
ment contains an appropriate right-to-
audit clause, internal audit can review
the licensing agreement, compare it
to historical schedules and payments
received, request additional detail from
the licensee to validate reported num-
bers, and, in the event of discrepancies,
work with the business to ensure the
collection of additional amounts owed.
Nonmonetary Benefits The inability
to measure a benefit’s monetary impact
should not preclude it from being
tracked and reported to interested
stakeholders, especially if it can be
quantified in other ways. For instance,
if internal audit conducts train-
ing on data gathering and analytical
techniques that results in future time
savings for the participants, then the
cost-benefit analysis should include the
training hours and resulting time sav-
ings as nonmonetary benefits.
While nonmonetary benefits will
not alter the net monetary surplus or
JUNE 2021
21% of respondents cite business alignment for programs as the No. 1
benefit of ROI implementation, according to the ROI Institute’s 2019 Benchmarking Report.

COST-BENEFIT AND ROI OF A GLOBAL MANUFACTURING FIRM’S

INTERNAL AUDIT DEPARTMENT: 2020–2022
CATEGORY & 2020 2021 2022
DESCRIPTION (Actuals) (Forecast) (Plan) COMMENTS

MONETARY BENEFITS

Organizational Cost Savings Cost savings and revenue recoveries accel-

$350K $500K $900K
Achieved erating due to increase in value-add projects
made possible by hiring additional staff and
Revenue Recoveries $150K $300K $700K
investment in technology.

Total Monetary Benefit $500K $800K $1.6M

CONTROLLABLE COSTS

Salaries/Benefits $500K $700K $700K Increased in 2021 due to hire of new staff.

Travel $50K $50K $40K

Purchase of data analytics software in 2021

Software $0 $50K $10K
plus annual maintenance.

Consulting Fees $100K $0 $0 Consultants replaced by new hires in 2021.

Total Controllable Costs $650K $800K $750K

Net Monetary Benefit/Cost ($150K) $0 $850K

NONMONETARY BENEFITS

Total time saved by the business per week

150
Total Weekly Time Savings 40 hours 70 hours based on training and process efficiency rec-
hours
ommendations provided by internal audit.

Total Training Hours Provided 150 200 250

Engagements Completed 10 20 40

Recommendations 10 30 80
Implemented

deficit, they should be included in a
companion schedule. Tracking and
reporting nonmonetary benefits will not
only raise stakeholder awareness of inter-
nal audit’s many value streams, but it
will also provide important context that
the department’s value is not limited to
the list of monetary benefits reported.
Planned Benefits As is common in
investing, an ROI goal may not be
achievable in the short term. Similarly,
an internal audit function, particularly a
new and growing one, should not limit
its cost-benefit analysis or ROI goals to
a single year. Rather, a growing team
may expect to incur additional costs
and further invest in personnel and
tools over multiple years and use them
to deliver greater value in the long run.
In these cases, a cost-benefit analy-
sis with only a one-year view may reveal
a far bleaker picture than reality. While
conventional budgetary reporting uses
quarterly and annual views, a longer
term cost-benefit analysis may paint a
more accurate picture of the internal
audit function and its trajectory. In
“Cost-Benefit and ROI of a Global
Manufacturing Firm’s Internal Audit
Department: 2020–2022” (this page),
the internal audit function appears to
be operating at a deficit, or at least from
a monetary cost-benefit perspective.
However, due to investments in person-
nel and technology that continue to

JUNE 2021 INTERNAL AUDITOR 53

DETERMINING INTERNAL AUDIT’S ROI
expand the department’s value-added
service offerings and improve the depth
and quality of work, a positive and sus-
tainable ROI is expected to begin the
following year.
While it may not be possible to
fully anticipate and quantify the future
benefits an internal audit team will pro-
vide, the cost-benefit analysis provides
an opportunity to outline its planned
benefits, which can be estimated based
on a combination of goals, extrapolation
of current or forecasted benefit run rates,
and opportunities identified during pre-
engagement risk assessments. As in any
forecast, the cost-benefit analysis should
document the rationale for key assump-
tions that support future estimates.
The cost-benefit should be an ongoing
measurement of internal audit’s progress.
Not only can a long-term outlook
on internal audit’s value positively
impact stakeholder perceptions and
increase use of the function, it also can
lead to further investment in inter-
nal audit to ensure realization or an
increase of anticipated returns.
Controllable Costs Every internal
TO COMMENT audit function incurs costs. Some are
on this article,
EMAIL the
direct and under its control, such as
author at jack. payroll, travel, professional member-
pelikan@theiia.org ships, training, software, and consult-
ing, while others are indirect and
outside its control, such as the depart-
ment’s allocation of rent, utilities,
insurance, and shared services. To avoid
unnecessary dilution of the depart-
ment’s true net benefit and ROI, the
analysis should focus on direct and
controllable costs. The rationale is that
the chief audit executive (CAE) can
budget and manage controllable costs,
whereas indirect, fixed-cost allocations
54 INTERNAL AUDITOR
are likely to be incurred by the com-
pany, regardless of internal audit. As a
caveat, the analysis should not disregard
shared costs that are variably tied to
internal audit’s resource consumption.
For instance, if the company uses a
cloud-based enterprise resource plan-
ning system, and pays per license (vs.
fixed fee), then those costs would be
considered direct and controllable and
should be a part of internal audit’s costs
in the analysis.
EVALUATE RESULTS
First and foremost, the cost-benefit
analysis should be used as an internal
benchmarking and planning tool. After
the initial analysis, an internal audit
team may discover that its costs cur-
rently exceed its benefits. The results,
either surprising or expected, present
a valuable opportunity for root-cause
analysis and subsequent goal setting.
The deficit may be caused by cost
management, limitations on the extent
of value-added projects the team can
perform, quality of execution, or the
inability to adequately quantify the
monetary impact of its value. Regard-
less of the cause, CAEs can refocus
their team’s efforts on addressing these
shortfalls and taking steps to improve
them. The CAE can use the initial
2020 cost-benefit analysis results in the
chart on page 53 to further manage
costs and establish goals and KPIs on
the benefits side. Additionally, if the
department determines that its total
benefits are falling short, it can revisit
its current project plan and ascertain
whether different, higher value projects
are necessary, provided they continue
to align with key risks and board
expectations, or consider expanding the
scopes of current projects with higher
value potential.
The cost-benefit should be an
ongoing measurement of internal
audit’s progress. If the team notes a
deficit in its initial analysis, subsequent
JUNE 2021
Budgets for internal audit departments
in 2020, says Gartner’s latest State of the Internal Audit Function report.
analyses may reveal encouraging signs
of improvement. However, in the event
of stalled progress, ongoing analysis
can provide opportunities for further
change and improvement.
As a caveat, internal audit’s cost-
benefit and ROI analysis should not be
tied to team member compensation or
incentives, which could lead to conflicts
of interest, impaired independence,
and failure to objectively measure and
report benefits. Additionally, to avoid
inflation of internal audit’s reported
benefits, the quantitative benefit values
reported should be fully validated with
the appropriate business stakeholders
before finalizing.
Nonetheless, if the team remains
committed to improvement and con-
tinues to measure progress and adjust
as needed, the assessment results will
continue to improve. Ultimately, these
results can be shared with stakeholders
as evidence of the department’s progress
and increasing value to the organization.
COMMUNICATE VALUE
While every internal audit function
faces unique perceptions and expecta-
tions of value, each one has a custom-
ized strategy for communicating value
to stakeholders. Nonetheless, each strat-
egy should consider three elements.
Target Audience Once internal audit
has completed its cost-benefit analysis
and has collectively agreed to share it
with stakeholders, the target audience
should be considered. The audience
should include stakeholders that inter-
nal audit reports to directly, such as
the CEO, chief financial officer, and
audit committee. However, a broader
audience, including various business
unit leads, may be necessary, espe-
cially if those individuals are skeptical
about internal audit’s value. That may
include departments where internal
audit would like to establish or expand
its value-added services. Sharing these
JUNE 2021
decreased 1.5% while workloads expanded
analyses with internal stakeholders and
clients first can further validate results
and assumptions, and lead to further
revisions before sharing it with execu-
tive leadership, the audit committee,
and the board.
Degree of Detail The degree of detail
in a cost-benefit analysis will vary based
on the stakeholder. For instance, execu-
tive leadership and the audit committee
may be interested in just the total costs
and monetary benefits along with a
summary of key items and trends. Con-
versely, business unit leads may be more
interested in the item-level detail of
the projects impacting their areas along
with past and planned benefits.
Every internal audit function faces unique
perceptions and expectations of value.
Basis for Assumptions Like other
data models, a cost-benefit analysis of
internal audit is both art and science.
Some inputs are clear and easily mea-
surable — such as payroll and travel
expenses on the cost side or realized sav-
ings confirmed by the business on the
benefits side — while others are more
subjective and require assumptions.
Limiting the analysis to easily mea-
surable elements may represent only a
subset of internal audit’s actual value.
Instead, the analysis should consider
other nonmonetary, quantitative ben-
efits, such as engagements completed,
recommendations implemented, and
time savings, or qualitative benefits,
such as prevention of noncompliance
with specific laws. In situations where
it is possible to reasonably estimate the
monetary impact of a benefit using
consistent, logical, and documented
assumptions, such items should be
reflected in the analysis. For instance,
if during an operational audit, internal
audit identifies and provides training
on automated reporting that saves the
accounts receivable manager five hours
a week, then those weekly time sav-
ings should be considered as reportable
nonmonetary benefits. However, if the
time savings achieved were applicable to
part-time, hourly associates whose total
workload was reduced as the result of
the efficiencies realized, then the poten-
tial payroll savings could be classified as
a monetary benefit.
A MEANINGFUL RETURN
Internal auditors are well aware of their
function’s capabilities and potential to
further drive organizational value, but
many stakeholders remain skeptical
due to a general lack of understanding
about the function’s overall impact,
particularly on the organization’s bot-
tom line. While each audit function
faces different stakeholder perceptions
and challenges, each is an organiza-
tional investment expected to yield a
meaningful return. Internal auditors
can measure their controllable costs
and benefits, set goals, and revisit their
project mix to provide more value
and, ultimately, report on these items
to stakeholders to ensure common
awareness of internal audit’s value and
potential. Like any other investment,
an internal audit function with a clear,
meaningful, and sustainable ROI will
garner widespread appreciation and
merit continued investment.
JACK PELIKAN, CPA, CISA, CISSP,
is a senior director of internal audit at
Caleres Inc. in St. Louis.
INTERNAL AUDITOR 55
 The 4 Pillars
of Remote
Work for
Audit Teams
Internal audit leaders
need an effective strategy
to support the move to
flexible and work-from-
home arrangements.
W. Ken Harmon

F
lexible work options are common
in the internal audit profession,
but the COVID-19 pandemic has
ushered in a new time when more
and more auditors are working from
home. Some audit departments were
ready and adapted easily, while oth-
ers scrambled to install appropriate
infrastructure, security, and pro-
cesses to support remote work. As
the threat of the pandemic begins to
ebb, some teams will return to tradi-
tional work environments while oth-
ers may consider permanent changes
to their office-centric arrangements.

56 INTERNAL AUDITOR JUNE 2021


This unique episode in business
has demonstrated the viability of flex-
ible, distributed work arrangements, as
well as their pitfalls. Allowing internal
audit teams to work from home can
have significant benefits, but any dis-
tributed work strategy must carefully
consider all potential security, manage-
rial, and behavioral issues.
BEYOND THE OFFICE
Today’s office environment was born
during the Industrial Revolution
when workers needed access to paper
documents and to be close to other
JUNE 2021
TALENT MANAGEMENT
employees to execute most processes.
This traditional office spawned man-
agement techniques in which employ-
ees reported to work at a designated
time, had controlled environments, and
could be seen conducting their work.
The digital revolution has over-
turned the need for a central workplace
by creating new opportunities for data
to be accessible virtually anywhere.
For example, internal auditors now
can conduct routine reviews without
being in the same location as the audit
client. Many audit team leaders have
embraced such efficiencies, including
remote work, but others have been
reluctant to let go of an office-centric
culture. This reluctance may be due to
audit leadership’s management philoso-
phy, but it also may reflect an organiza-
tional philosophy over which audit has
little control.
While remote work and other flex-
ible arrangements have novel challenges
and can have negative results, audit
leaders should take an objective view
of the trade-offs involved with them. A
well-executed telecommuting strategy
can yield tremendous benefits for inter-
nal auditors.
Enhanced Employee Morale and
Retention Employees often cite “lack
of respect for their time” as a leading
contributor to work dissatisfaction and
PESHKOV, FRANCKREPORTER, BERNARDBODO, BSWEI / ISTOCK.COM
a primary reason for leaving a job. They
IMAGES: COLUMNS: FUNMILL; COLUMN IMAGES, LEFT TO RIGHT:
desire, and increasingly expect, a flex-
ible work environment. Job flexibility
directly improves employee morale and
reduces turnover because employees
receive tangible benefits such as:
 Trust. Allowing employees this
type of flexibility sends the mes-
sage they are trusted to manage
their time.
 Respect. Flexible work arrange-
ments demonstrate respect for the
various pressures and demands
INTERNAL AUDITOR 57
THE 4 PILLARS OF REMOTE WORK FOR AUDIT TEAMS
employees face from all facets
of their lives. This is key for
employee retention.
 Reduced commutes. Long com-
mutes to and from work can be a
primary contributor to unhappi-
ness with one’s job. Eliminating
commutes, even for a few days a
week, can reduce frustration, give
team members a greater sense of
control, and provide them extra
time on those days when their
only commute is to another room
in their home.
 Belonging. Although it may seem
counterintuitive, when employees
have flexibility, they tend to be
more loyal to the organization.
Providing a work-from-home
option decreases employee turn-
over by 50%, according to a Stan-
ford University study published in
The Quarterly Journal of Economics.
Increased Productivity Employees
who are more satisfied with their jobs
tend to be more productive. The Stan-
ford study finds that employees who
work at home experience a 13% boost
in productivity versus those who work
in a traditional office. Employees who
telecommute work the equivalent of
1.4 more days per month than do their
office-based counterparts, according to
a 2020 study by online employment
company Airtasker.
Cost Savings When executed as
part of a larger infrastructure strategy,
allowing team members to work from
home can result in significant savings.
The increase in employee retention
and improved performance can directly
influence the bottom line. For many
audit groups, though, the greatest sav-
ings can be from dramatically reduc-
ing the office space required. Even in
hybrid operations where team mem-
bers work at home and at the office, a
carefully executed strategy that staggers
58 INTERNAL AUDITOR
office-based days can create tremen-
dous savings.
To realize the full benefits of flex-
ible work arrangements, internal audit
functions need a carefully executed
strategy. This strategy should be built
upon four pillars: 1) infrastructure and
security, 2) expectations management,
3) communication requirements, and
4) management adaptation.
Pillar 1: Infrastructure and Security
T
he need to adjust work structures arose quickly
with the pandemic. Audit teams were sent
home to work and, in many cases, discovered
team members had inadequate computers, slow
internet connections, and lacked the means to main-
tain data and access security.
To have an effective long-term strategy, the inter-
nal audit function must anticipate these needs and be
willing to make the necessary investment. Leaders can-
not view such expenses as additive, and instead should
see them as substitutions for other investments that
would come in the long run.
Ideally, the audit team should prepare a budget
that identifies additional expenses for a remote work
strategy. This budget should start with a full inventory
of all software, hardware, and infrastructure required.
For example, audit teams may need to invest in cloud-
based software rather than machine dependent
software, virtual private network lines for audit team
members to protect the data in transmission, encryp-
tion software for data storage, reliable high-speed
internet service, standardized laptop computers, and
mobile phones.
These expenses can appear daunting, but manage-
ment should be aggressive in identifying cost savings
to offset them. Internal audit could easily reduce the
hardware and software licenses required in the office.
Reducing the amount of office space could provide the
greatest cost savings.
JUNE 2021
63% of knowledge workers prefer a hybrid work model combining remote and in-office work, and
38% say remote work is less stressful, according to the Future Forum Remote Employee Experience Index.

Pillar 2:
Expectations
Management

W
ith a change in workplace
structure comes a related
change in expectations.
For example, an audit manager
may expect a team member to be
available during certain hours, yet Pillar 3:
the team member may have dif- Communications
ferent views of the specific hours Requirements

M
in which work is to be done. Also, anagers should articulate
there could be expectations about their expectations for
response time to team members team member communica-
or clients, availability for meetings, tion, but they should be account-
and possibly even dress codes for able for enhanced communication,
virtual meetings. themselves. Remote work cultures
Audit teams face a unique generate a much greater need for
challenge because they often have communication, because team
large projects involving multiple members no longer have the
team members where each step interpersonal cues available in an
depends on the completion of a office environment.
task by someone else. This prob- For example, team mem-
lem is especially exacerbated when bers may have difficulty getting
work-from-home arrangements information from clients, face
can result in some audit team roadblocks on projects, get pulled
members working from different into other projects, or even face
time zones. personal struggles. Such difficul-
Too often, the greatest friction ties need to be communicated
arises because there are differ- to managers so they can adapt
ent expectations that have simply accordingly. However, while such
not been articulated. Accordingly, communication might come natu-
audit teams must develop formal rally during meetings in an office
policies that delineate expecta- setting, in remote settings, man-
tions. These policies should be agers and team members must
developed collaboratively so team initiate the necessary communica-
members fully understand the rea- tion proactively.
soning and necessity for such poli- Managers should be deliberate
cies. Because the policies may not about communicating frequently
anticipate all issues that may arise, and, at times, they should even
managers must revisit and revise place check-in calls that don’t
them regularly. have a specific work agenda.
These connections are critical;
otherwise, employees can feel
disconnected and not part of a
cohesive team. Managers cannot
communicate enough.

JUNE 2021 INTERNAL AUDITOR 59

THE 4 PILLARS OF REMOTE WORK FOR AUDIT TEAMS
Pillar 4:
Management
Adaptation
C
hanging management’s atti-
tude is the most important
and most difficult part of
implementing a work-from-home
strategy. Audit leaders often cite
concerns about a “looser” work
environment that would remove
A results-based focus that extends trust
elements of accountability and
result in reduced productivity,
to team members can be effective and
higher costs, poorer client service,
and lower quality. They imagine
result in a better workplace culture.
scenarios where team members
are easily distracted by their
home environment and don’t pri-
oritize work.
At the center of this discomfort
is a feeling of loss of control and a
major break from traditional meth-
ods when remote work becomes
the norm. One reason for this feel-
ing is many managers are accus-
tomed to measuring input rather
than output. If they can see a team
member, then they assume that
individual is working.
Simply stated, internal audit
managers must adapt and start
measuring results. For example,
rather than measuring time in
the office or hours billed to a job,
managers could assess audit proj-
ect effectiveness by measuring
project throughput, trends in audit
hours, hour variance from budget,
or significance of analysis. Even in
office environments, moving to a
results-based focus that extends
trust to team members can be
effective and result in a better
workplace culture.
60 INTERNAL AUDITOR
TO COMMENT on
this article, EMAIL
the author at ken.
harmon@theiia.org
REALIZING THE BENEFITS
The pandemic has provided an evo-
lutionary break from the traditional
office-centric paradigm. The work
environment was already drifting
toward more flexible arrangements
that included remote work, but the
pandemic hastened this trend and
provided a realistic peek inside the new
reality. The evidence is clear that flex-
ible work environments enhance pro-
ductivity, boost employee morale, and
reduce expenses.
However, such benefits cannot
be realized unless there is a careful
approach that delineates expectations
and provides clear parameters for audit
leaders and their staffs. Each strategy
could vary based on the size and nature
of the audit department and organiza-
tion, but any remote work strategy
should include the four pillars to pro-
vide clarity to the team and generate
optimal results.
W. KEN HARMON, DBA, is a professor in
the School of Accountancy at Kennesaw
State University in Georgia.
JUNE 2021
 You don’t need to go anywhere else.
World-class external assessment expertise at an exceptional value.

When quality, value, and convenience count, count on IIA Quality Services
for your internal audit activity’s external assessment.

Schedule an external quality assessment. www.theiia.org/QualityServices

2020-0883

Quality Assessment I Readiness Assessment I Self-assessment With Independent Validation

 Board Perspectives
BY MATT KELLY
SPACs ARE SPROUTING
UP ALL OVER
Auditors need to assess the governance
and reporting issues associated with
these fast-moving acquisition companies.
S
pring is a time for
growth and renewal.
Animals come out
of hibernation;
flowers bloom across the
land. So perhaps this is a
good time to talk about
special-purpose acquisition
companies (SPACs), since
they’re also sprouting up all
over the place.  questions about corporate
SPACs are holding
companies designed to go
DANIELE D’ALVIA public with piles of money
first, then acquire a pri-
vately held operating com-
pany later — which SPACs
are doing right now with
great alacrity. According to
research firm Deal Point
Data, SPACs held 247 ini-
tial public offerings (IPOs)
in 2020 and raised more
RAGU BHARGAVA than $75 billion to go
prowling for private com-
pany acquisition targets.
Another 300 SPACs held
IPOs in the first quarter
of 2021 alone, according
to audit firm EY, raising
another $93 billion for pri-
vate company acquisitions.
So, even more prowling,
READ MORE ON STAKEHOLDER RELATIONS visit InternalAuditor.org
62 INTERNAL AUDITOR
for even more private com-
pany targets.
Moreover, if a SPAC
fails to acquire a target
within two years, it must
give its IPO cash back to its
investors. So the pressure
is there to do deals, and do
them quickly.
That raises serious
governance and financial
reporting issues. In the last
six months, for example,
the U.S. Securities and
Exchange Commission
(SEC) has issued five alerts
about SPACs, warning about
everything from conflicts of
interest, to board composi-
tion, to internal control and
accounting policies, to the
role that celebrity “advisors”
play for a SPAC.  could find themselves fac-
One truth seems clear:
SPACs are here to stay. “In
the U.S., this will be a per-
manent feature of the mar-
ket,” says Daniele D’Alvia,
a teaching fellow at Queen
Mary University in Lon-
don who is CEO of SPACs
Consultancy Ltd. and who
has served on boards, him-
self. D’Alvia is bullish on
SPACs as an alternative to
traditional IPOs, although
he does concede, “Many
SPACs are good, but some
are dodgy.”
Preparing for the
Big Leagues
The most important ques-
tion for board directors at a
private company is whether
the organization is fully
prepared to merge with a
SPAC and live as a publicly
traded company. The gov-
ernance demands placed
upon a publicly listed com-
pany are enormous, and if
the business fails to meet
those demands, the direc-
tors who agreed to the deal
ing difficult questions from
regulators and shareholder
lawyers, alike.
“It’s not about public
versus private,” says Ragu
Bhargava, CEO of Global
Upside Corp., which pro-
vides human resources and
related back-office functions
JUNE 2021
This Is Your
Call to ACTION
 Insights/Board Perspectives
to companies preparing to go public. Bhargava, himself, has
also served on private company boards. “It’s whether you have
the right frame of mind, because being public is so very differ-
ent than being private,” he says. “You have to think so differ-
ently about everything.”
When pursuing a traditional IPO, businesses have time to
develop that understanding. A traditional IPO might take nine
to 12 months, where the board and senior managers work with
investment bankers, auditors, and law firms to construct the
necessary disclosures, internal control systems, and board com-
position for life after the IPO. If the process takes more time,
that’s not ideal, but typically it’s not a disaster, either.
SPAC mergers invert that process. A SPAC could knock
on a private company’s door with piles of cash, and push to
close the deal within three months. If the SPAC is near the end
of its two-year window to find a target, the pressure to close
a deal mounts. The SPAC might offer more money for faster
closing — and that’s how mistakes happen.
Even worse, the accounting issues in a SPAC merger are
highly nuanced. For example, while the SPAC is the acquirer
from a legal perspective, the accounting treatment under U.S.
Generally Accepted Accounting Principles is that the private
company target is the acquiring business.  private companies, to EBITDA-positive companies, to pre-
We don’t need to get into the details of why that is.
The point is that SPAC mergers are complex things, not to
be undertaken on a whim. So first and foremost, a private
company board should ask itself hard questions about how
prepared the business truly is for an exit deal that might
come along.  will continue to mushroom, or whether what we see now is
“The most important thing has nothing to do with going
public,” Bhargava says. “It’s whether you’re ready to be public.
If you’re not, stop right there. Take time and get ready. Then
talk about a SPAC or an IPO or whatever you want to do.”  skyrocketed in 2020.)
The best way to do that would be a risk assessment from
internal audit, answering questions such as:
» Do we have the right senior management — the right
CEO, chief financial officer, general counsel, and oth-
ers? Are they people who have experience taking com-
panies public, or long-time employees accustomed to
the private world?
» Do we have the right financial reporting and disclo-
sure controls? For example, is internal control over
financial reporting effective? Do we have appropriate
conflict of interest policies, and have we disclosed all
necessary conflicts?
» Do we have the right board composition, both to
decide on a SPAC merger and to continue as part of
the listed company’s board of directors? Are they direc-
tors who understand, and can fulfill, a publicly listed
company’s fiduciary duties?
64 INTERNAL AUDITOR
TO COMMENT on this article,
EMAIL the author at matt.kelly@theiia.org
If companies don’t meet these criteria, and they rush into a
SPAC deal anyway, they could find themselves on the wrong
end of an SEC enforcement probe or shareholder class-action
lawsuits later.
Finding a Good Partner
We also should not lose sight of the role the SPAC plays — 
particularly the SPAC “sponsor,” which is the management
team at the SPAC that raises the money, approaches the tar-
gets, and closes the deal. 
Somewhat like a proposal of marriage, a private company
will need to consider whether the SPAC approaching it is a
worthwhile partner for long-term life as a publicly listed com-
pany. “From the private company’s perspective, it’s not always
about how much cash the SPAC can offer,” D’Alvia says. “It’s
about the SPAC’s management, who’s going to be there, the
SPAC experts, and the solidity of their business plan, so you
know what you can do once you’re on the market.” 
Evaluating would-be SPAC partners is likely to become
more important over time, simply because so many SPACs
are pouring into the mergers and acquisitions world, looking
for targets. So SPACs’ standards have gone from profitable
revenue companies. 
“That can generate a concern,” D’Alvia says. “That’s
more risky, if you’re not taking an operating company. You’re
taking a company that’s making a promise.” 
What we don’t know is whether the number of SPACs
a wave that will recede to more normal levels. (According to
Deal Point Data, U.S. capital markets averaged roughly 34
SPAC IPOs annually in the late 2010s, before the numbers
 
It’s possible that traditional IPOs will revive as the
pandemic recedes and the rhythms of investment banking
return to normal. It’s also possible that recent SEC policy
announcements about SPACs will cool the sizzling market of
today. Then there are SPAC stalwarts like D’Alvia: “I don’t
see this as the next bubble to burst.” 
Regardless, some basics of corporate governance will
endure no matter what SPACs do next. “It’s all in how you
assess risk, manage it, and then represent to someone that,
yes, you have controls in place to mitigate those risks,” Bhar-
gava says. “That’s where the real challenge comes from.”
That was true long before SPACs showed up. It’s still
true for the board now.
MATT KELLY is editor and CEO of RadicalCompliance.com, an
independent blog about audit, compliance, and risk management
issues, based in Boston.
JUNE 2021
The IIA’s Internal Audit Competency Framework© provides clear and concise professional development
plans, tools, and techniques that evolve with current risk environment and career level.

We’ve mapped it out. You can make it work.

www.theiia.org/CompetencyFramework
2020-1514
 Insights/The Mind of Jacka
BY J. MICHAEL JACKA
EXCUSES FOR MEDIOCRITY
I
There are seldom have a few regrets from
good reasons for my 30-year history with
Farmers Insurance inter-
not maintaining
nal audit. Don’t get me
high professional wrong, it was a great ride.
standards. And I wouldn’t be where I
am today (wherever that is)
if it weren’t for the oppor-
tunities and serendipities
that occurred throughout
my career. But there were
moments where, when I
look back, I did a little less
than shine.
We’ve all been there —
 the poor decision, the
incorrect conclusion, the
act that may have, in ret-
rospect, been beneath our
standards. We try for the
best, but we know we occa-
sionally fall short.
One regret in particular
dawned on me recently.
During the last few years of
my career, the audit depart-
ment seemed to lose focus
on the importance of meet-
ing assigned due dates. We
wanted to meet the dates,
but we started believing our
own excuses for why things
could not be done on time.
I vividly remember rushing
audits to conclusion because
we were preparing the quar-
terly report for the audit
committee and had to have
something — anything — to
READ MIKE JACKA’S BLOG visit InternalAuditor.org/mike-jacka
66 INTERNAL AUDITOR
TO COMMENT on this article,
EMAIL the author at michael.jacka@theiia.org
say. And every time we
reached the end of a mad
dash, we recommitted to
doing better. Then the
next quarter would arrive,
and the same pandemo-
nium reigned.
We often talked about
the importance of timeli-
ness, but we never took
effective steps to change our
processes and start getting
the work done on time.
And while our work qual-
ity had remained adequate,
things were beginning to
slip. By accepting medioc-
rity in one area, we were
starting to see the impact
on others.
We allowed the dates to
slip, causing downtimes in
the audit schedule. Down-
times negatively impacted
the original schedule, and
disruption of the schedule
meant less time for sched-
uled audits. Then, because
the schedule was impacted,
we tried to compensate
through better planning.
And because of that effort,
audit planning became a
cottage industry unto itself.
Our problem was execution,
yet we tried to solve plan-
ning issues.
What are you let-
ting slip? Are your reports
issued when they were orig-
inally planned, or are you
buying the excuse that it is
just too hard to coordinate
the parties involved? Are
you identifying true root
causes, or are you buying
the excuse that there isn’t
enough time to develop a
broader solution? Are you
holding the department to
the highest possible stan-
dards, or are you buying
the excuse that any group
of people can only accom-
plish so much?
And finally, are you
fulfilling the promises of
the audit profession, or are
you buying the excuses that
cause you to be second best,
constantly promising to do
better next time?
There are always
excuses. But there are
seldom good reasons.
And if you are starting to
fail — or even starting to
accept the most minute of
failures — take a look and
find the reasons, not the
excuses.
J. MICHAEL JACKA, CIA,
CPCU, CFE, CPA, is
cofounder and chief creative
pilot for Flying Pig Audit,
Consulting, and Training
Services in Phoenix.
JUNE 2021
 IIA Calendar
Please check the website for more details on all of The
IIA’s in-person events, as they are subject to change.

JULY 12–23 AUG. 2–11

IIA IIA Tools for New Auditors Agile Auditing
CONFERENCES TRAINING Online Online
www.theiia.org/ www.theiia.org/training
conferences
JULY 13–22 AUG. 2–13
COSO-based Internal CIA Exam Preparation
Auditing Instructor-led Course
JUNE 14–18 JUNE 29–30 Online Part 2: Practice of
International Conference Fraud: Prevent, Detect, Internal Auditing
Virtual Respond JULY 13–27 Online
Online CIA Exam Preparation
AUG. 9–11 Instructor-led Course AUG. 2–13
Governance, Risk, & JULY 6–7 Part 3: Business Tools for Lead Auditors
Control Conference IT General Controls Knowledge for Internal Online
Gaylord Rockies Online Auditing
Denver and Virtual Online AUG. 3–12
JULY 6–13 Advanced Risk-based
SEPT. 20–23 Fundamentals of Risk- JULY 15 Auditing
IIA Canada National based Auditing Fundamentals of Internal Online
Conference Online Auditing
Virtual Online AUG. 3–12
JULY 7–9 Enterprise Risk
SEPT. 27–28 Examining Cybersecurity JULY 19–28 Management: A Driver for
Financial Services Concepts Communication Skills Organizational Success
Exchange Online for Internal Auditors: Online
Omni Shoreham Interviewing and
Washington, D.C., and JULY 12–15 Negotiating AUG. 5–6
Virtual Critical Thinking: A Vital Online Auditing the Cloud
Auditing Competency Online
SEPT. 29–30 Online JULY 20–28
Women in Internal Audit Fundamentals of AUG. 10–19
Leadership JULY 12–23 Cybersecurity Auditing Developing Leadership
Virtual CIA Exam Preparation Online Skills for Team Leaders
PHOTO: RAWPIXEL.COM / SHUTTERSTOCK.COM

Instructor-led Course Online

Part 1: Essentials of

/JUNE/JULY/AUGUST/
/JUNE/JULY/AUGUST
Internal Auditing
Online

THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events

JUNE 2021 INTERNAL AUDITOR 67

 Eye on Business
THIRD-PARTY TECH THREATS
Organizations need to do more to
manage technology risks related to
their service providers.
How prepared are orga-
nizations to assess and
mitigate technology
risks related to third
parties?
LEIFERMANN Organiza-
tions are becoming more
dependent on technology
for their business-critical
functions, and simulta-
neously relying on third
parties to provide this tech-
PHIL LEIFERMANN nology for infrastructure
Business Development and services. This means
Director
Wolters Kluwer that the level of technol-
TeamMate ogy risks, and specifically
technology risks related to
third parties, is continu-
ally increasing. Although
organizations are identify-
ing, assessing, and mitigat-
ing technology risks, this
is often more focused on
what happens inside their
IT departments, rather
JEFFREY SORENSEN
Industry Lead
than what happens outside
CaseWare IDEA the organization in their
service providers. Accord-
ingly, organizations need to
do more to manage tech-
nology risks related to third
parties, to minimize both
the likelihood of these risks
READ MORE ON TODAY’S BUSINESS ISSUES in the Newswire on InternalAuditor.org
68 INTERNAL AUDITOR
occurring and the impact if
they actually occur.
SORENSEN Most organi-
zations engage third par-
ties to take advantage of
specialization and cost sav-
ings. If the internal audit
function is not a key player
in the foundation of these
underpinning agreements,
organizations often have
limited ability and access
to make an independent
assessment of the control
environment of third par-
ties. Most organizations
have little ability to man-
age risks in third parties,
and trying to change an
existing agreement to gain
additional access rarely
happens.
What are the biggest
technology risks related
to third parties?
SORENSEN There are
many risks associated with
outsourcing operations to
third parties, but broadly
speaking, they fall into
these categories: process
integrity, data governance,
and cybersecurity. Data is
the currency, and protect-
ing it from misuse, errors,
and exposures to unauthor-
ized parties is required;
otherwise, the entire pur-
pose of outsourcing will be
lost. Sadly, most organiza-
tions realize this only after
suffering a data breach or a
public relations disaster.
LEIFERMANN The biggest
technology risk related to
third parties is cloud com-
puting, as organizations
are using more and more
cloud services for both
infrastructure and systems.
Not only does cloud com-
puting present risks in and
of itself, but it also presents
risks related to legal, com-
pliance, privacy and data
breaches, as well as conse-
quential risks related to the
organization’s reputation.
Other technology risks
related to third parties
include artificial intelli-
gence, robotics, virtual and
augmented reality, block-
chain, 5G, and the Internet
of Things.
JUNE 2021

How should internal auditors be using data analytics
to assess third-party risks?
LEIFERMANN Although internal auditors have been
using data analytics for more than 30 years, many internal
audit departments have struggled to get value from them.
Recently, we have seen two trends related to risk assess-
ments — more regular risk assessments and data-driven
risk assessments. More regular risk assessments move away
from traditional annual assessments to quarterly, monthly,
or even continuous ones, while data-driven risk assess-
ments use data from business systems to support these
assessments. Data-driven risk assessments provide a great
opportunity to use data analytics to regularly analyze this
data, including data related to third parties, and identify
trends related to business-critical risks, thereby getting
more value from the data analytics.
SORENSEN Like any integrated audit, a risk assessment
should be performed. Once key controls are identified, data
analytics can efficiently hone in on control breakdowns.
However, with outsourced operations, this can be difficult,
for internal audit often will not have access to any data
beyond what is contractually obligated. High-level service
Internal audit needs to take a lead role
in all arrangements with third parties.
If it is late to the party, there could be
repercussions for years to come.
agreement metrics often hide underlying problems, and
internal audit needs to push for details on how those met-
rics were calculated. Again, timely access to underlying data
should be in the agreement from the beginning, or data ana-
lytics will have limited success.
How can CAEs raise organizational awareness of
these risks?
SORENSEN Chief audit executives (CAEs) can often
make the greatest impact on executive leadership via anec-
dotal evidence. There is no shortage of stories in the media
about fraud, hacks, exposure of sensitive information, and
ransomware. Presenting the audit committee with a similar
scenario and asking for a concrete action plan often brings
the point home with decision-makers. Even so, internal
audit needs to take a lead role in all arrangements with
third parties. If it is late to the party, there could be reper-
cussions for years to come.
JUNE 2021
TO COMMENT on this article,
EMAIL the author at editor@theiia.org
LEIFERMANN Working with their risk management
departments, CAEs can raise organizational awareness of
technology risks related to third parties. However, there
is a distinct difference between their responsibilities, with
risk management departments responsible for assisting
management in managing technology risks related to
third parties at the second line, and CAEs responsible for
ensuring that all technology risks related to third parties
are appropriately managed at the third line. CAEs should
ensure that third-party technology risks have been identi-
fied and that controls in place to mitigate these risks have
been assessed, and where controls are absent or lacking,
that these deficiencies are raised with management for cor-
rective action.
What are the technology risks related to fourth parties?
LEIFERMANN By looking at our third parties, we are
attempting to ensure that the technology they use provides
reliable and secure infrastructure and services. However, our
service providers also rely upon third parties — our fourth par-
ties. For example, our third party is an IT company that hosts
our data center, but its third party is a telecommunications
company that manages the high-speed
connection between this data center and
our head office, making it our fourth
party. In the same way that internal
audit ensures that all technology risks
related to our third parties are appro-
priately managed, internal audit should
also ensure that our third parties iden-
tify, assess, and mitigate their technol-
ogy risks related to their third parties.
SORENSEN Many organizations do not realize how com-
mon fourth parties are. Increasingly, the outsourcers are
themselves outsourcing to even lower cost countries, mak-
ing it extremely difficult to limit access and effectively
protect the information. Logical access control, cyberse-
curity, and control over information becomes extremely
challenging and virtually impossible to legally enforce
across multiple countries. From an operational perspec-
tive, communication becomes a nightmare, and account-
ability is very difficult to establish in the event of failures.
The only times I have seen this work successfully are when
the first-party company controls the IT systems and uses
third and fourth parties as a workforce, while still retain-
ing ownership and transparency over the data at all times.
To the greatest extent possible, service agreements should
grant complete transparency over information, at all stages
of processing, or third-party arrangements can change
from assets to liabilities.
INTERNAL AUDITOR 69
 Insights/In My Opinion
BY BHAVIN RAITHATHA
ARE YOU EMOTIONALLY
INTELLIGENT?
K
Auditor competencies nowledge and tradi-
must extend well tional skills are
essential to success,
beyond functional
but they can only
expertise and take an auditor so far. Even
technical skills. for the most adept practi-
tioners, objectives cannot
be achieved merely with
intelligence, technical pro-
ficiency, and expertise. To
work effectively with clients,
internal auditors need strong
soft skills — many of which
fall under emotional intelli-
gence, or emotional quotient
(EQ). Emotionally intel-
ligent people understand,
accept, and manage their
own emotions, and they can
read the emotions of others.
Internal auditors with high
EQ treat people with empa-
thy and can manage feelings
and relationships just as
well as objective, quantifi-
able engagement goals.
Emotional intelligence is
vital to fulfilling our profes-
sional responsibilities.
Perhaps most impor-
tantly, having a high EQ
enables practitioners to com-
municate effectively. Assessing
the organization’s risk man-
agement framework, develop-
ing a risk-based audit plan,
obtaining management agree-
ment in response to audit
results, and reporting to the
READ MORE OPINIONS ON THE PROFESSION visit our Voices section at InternalAuditor.org
70 INTERNAL AUDITOR
TO COMMENT on this article,
EMAIL the author at bhavin.raithatha@theiia.org
audit committee all require
extensive, careful interaction
with stakeholders. Internal
auditors need to communi-
cate well across all levels of
the organization, ensuring a
robust understanding of their
value proposition.
To ensure communica-
tions are well-received and
acted upon, internal auditors
also must be able to build
relationships — another area
requiring high EQ. Audit
engagements are a team effort
between auditor and client,
requiring practitioners to bal-
ance professional skepticism
with the need for rapport.
They must ask probing ques-
tions related to risk and con-
trols but avoid putting clients
on the defensive. Taking the
right approach requires empa-
thy and social skills — key
elements of EQ.
Delivering quality work,
and maintaining engagement
schedules, also requires audi-
tor EQ. Multiple deadlines,
heavy workloads, and other
pressures can take a toll on
audit performance — and
even lead to burnout if not
managed correctly. But
according to The Impact of
Emotional Intelligence on
Auditor Judgment, published
by Virginia Commonwealth
University, auditors with
a high degree of EQ man-
age pressures and timelines
better, exercise superior
judgment, and maintain
professional skepticism. The
result is a better experience
for both auditor and client,
and a superior outcome for
the organization.
The World Economic
Forum’s 2020 Future of Jobs
report ranked EQ among
the top 10 high-demand
skills for organizations; just
five years ago, it was absent
from the ranking. High-EQ
professionals are sought more
than ever for the value they
can deliver to stakeholders.
And in an era of increasingly
sophisticated technologies
such as artificial intelligence,
the ability to manage and
respond to emotion is a key
trait separating the work of
people from that of machines
and automation. EQ-related
competencies need to be an
integral part of every role in
an organization, and they
must certainly be a top prior-
ity for internal auditors.
BHAVIN RAITHATHA, CA,
CS, CISA, is assistant manager,
Group Internal Audit, at
RAKBANK in Dubai, United
Arab Emirates.
JUNE 2021
 EXTENDED THROUGH 2021
This program provides career development opportunities to internal auditors negatively impacted by COVID-19, to help
them build next-generation skills and competencies needed to secure their next job. The six scholarships available focus
on today’s most in-demand skills, from CIA exam prep to fundamentals and essentials to IT and data analytics.

Learn more.
www.theiia.org/ElevateScholarship
 THE IIA’s

CIA
LEARNING SYSTEM ®

Prepare to Pass, Fast.

Unparalleled CIA Exam Prep, Only The IIA Can Provide.

The all-new, redesigned CIA exam prep

system has been updated to provide the

most personalized, aligned, and efficient

study experience for express success.

2020-0926

Learn more at www.LearnCIA.com.