FEATURES

COVER | ESG

26 Is ESG the New Sarbanes-Oxley? Internal audit needs to be ready to help organizations report on their environmental, social, and governance risks and initiatives. BY LOGAN WAMSLEY

33 A Standard Approach Internal audit can help companies realize the benefits of adopting nonfinancial reporting standards, says the SASB’s Jeffrey Hales. BY NEIL HODGE

38 5 Things You Need to Know About ESG Internal auditors should consider several key questions when examining their organization’s ESG activities. BY CHERINE FOK

44 An Eye Toward the Future The IIA’s 2021–2022 North American Board chairperson, LAURA SOILEAU, says getting young people hooked on internal auditing is crucial to the sustainability of the profession.

51 Determining Internal Audit’s ROI A departmental cost-benefit analysis can help internal audit measure and communicate its value. BY JACK PELIKAN

56 The Four Pillars of Remote Work for Audit Teams Internal audit leaders need an effective strategy to support the move to flexible and work-from-home arrangements. BY W. KEN HARMON
DEPARTMENTS

PRACTICES

10 Update A global outlook shows tough years ahead; a new workforce ecosystem requires new strategies; and more companies are auditing racial equity.

14 Back to Basics Auditors can benefit from a report writing refresher.

24 Fraud Findings Data analytics reveal a diesel fuel backflow scam.

INSIGHTS

62 Board Perspectives It’s special-purpose acquisition company season.

66 The Mind of Jacka There are no excuses for mediocrity.

ONLINE InternalAuditor.org

Cannabis: Risks and Opportunities in a Budding Industry With increased legalization, public sector auditors could soon

Continuing the Conversation The director of The IIA’s Environmental, Health & Safety Audit Center shares her thoughts on the
Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $60. No refunds on cancellations. Editorial and advertising office: 1035 Greenwood Blvd., Suite 401,
Lake Mary, FL, 32746, U.S.A. Copyright © 2021 The Institute of Internal Auditors Inc. Change of email address notices and subscriptions should be directed to IIA Customer Relations, +1-407-937-1111. Opinions expressed in Internal
Auditor may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not
attest to the originality of authors’ content.
In this issue we tackle the many facets of environmental, social, and governance (ESG). That’s no small feat given all ESG encompasses, but with increased attention — investor, regulatory, and social — it’s not something organizations, or internal auditors, can afford to ignore.

A blog post from Jim Clifton, chairman and CEO of Gallup, proposes beginning the company’s ESG effort with its employees. Gallup has identified metrics to benchmark an organization’s current ESG state from the employees’ perspectives. “In short, if your external communications say your organization is doing great things for the environment, but your employees strongly disagree, something is not working,” the Gallup website says. “Recent corporate scandals have proven that major ethical, social, and environmental risks can hide behind ‘good news.’”

Gallup, along with Chief Executives for a Corporate Purpose, recommends organizations begin the journey now, start with what they can measure, benchmark employees first, and “build a higher purpose around people and the planet.”

In this issue, we consider internal audit’s role in that journey. The IIA’s Internal Audit’s Role in ESG Reporting: Independent Assurance Is Critical to Effective Reporting says internal audit has both an advisory and an assurance role. The paper suggests that while ESG reporting is not required in annual reports, regulatory filings, and proxy disclosures, it should be treated with the same care as financial reporting, which raises the question, “Is ESG the New Sarbanes Oxley?” (see page 26).

From an assurance standpoint, The IIA says internal audit should incorporate ESG into audit plans and:
» Review reporting metrics for relevancy, accuracy, timeliness, and consistency.
» Review reporting for consistency with formal financial disclosure filings.
» Conduct materiality or risk assessments on reporting.

From an advisory perspective, internal audit should recommend:
» Frameworks to mitigate and manage risks.
» Reporting metrics — data that accurately reflects relevant sustainability efforts within the organization.
» Where ESG risk should be managed.

In our deep dive into ESG, we consider reporting and how the topic is being addressed globally as well as the risks that make ESG challenging to manage. We also interview Jeffrey Hales, Standards Board chairman of the Sustainability Accounting Standards Board, about the importance of adopting sustainability standards.

From social justice movements to the mandate for net zero emissions, how does one measure a company’s impact on the world? Today’s organizations are being challenged to do just that, and internal audit will be an integral part of the journey.
@AMillage on Twitter
Update
CYBERWARFARE ON THE FRONTLINES
The IT threat landscape is becoming more intense, an international insurer says.
43%: Companies reporting cyberattacks.
28%: Companies targeted by hackers more than five times in 2020.
21%: Portion of IT budget spent on cybersecurity.
20%: Companies reporting cyberattacks and boosting cybersecurity and audit requirements.
16%: Companies that have dealt with a ransom demand.
Source: Hiscox Ltd., Cyber Readiness Report 2021

TOUGH YEARS AHEAD
A global forecast sees an array of intense challenges.

The world is facing intense and cascading global challenges over the next decades, according to the National Intelligence Council. The council, which advises the U.S. Director of National Intelligence, released Global Trends 2040, the seventh edition of its quadrennial global

These challenges will repeatedly test the resilience and adaptability of communities and countries, as well as the international system of organizations, alliances, rules, and norms, according to the report. The international system “is poorly set up to address the compounding global challenges facing populations,” the report says.

Propelling the disruption are climate and economic change, the pace and reach of technology, and changing demographics as population growth slows and the median age increases. Declining, older populations will cause problems in developed countries, impeding progress in education, health, and poverty reduction, the report says.

the world in 2040. First, rapid technological advances by the U.S. and its allies lead to a resurgence of democracy. Second, the world becomes directionless, chaotic, and volatile, with China taking advantage of the West’s troubles to increase its influence. Third, the U.S. and China establish a robust trade relationship, but compete for political influence, governance models, technology, and strategic advantage. Fourth, the world fragments into rival economic and security blocs, including the U.S., China, the European Union (EU), Russia, and a few regional powers. Fifth, a global food catastrophe caused by climate change and environmental degradation brings together the EU and China, plus nongovernmental organizations and multilateral institutions, to implement sweeping changes to address climate change, resource depletion, and poverty. — G. NORDHOFF
CULTIVATING A WORKFORCE ECOSYSTEM
New strategies are needed to manage internal and external workers.

The definition of an organization’s workforce is changing, with contractors, gig workers, service providers, and external developers working alongside full- and part-time employees. In a survey of more than 5,000 managers from 138 countries, 87% say their workforce encompasses more than just their employees. One-third say they expect to increase their dependence on external workers over the next 18 to 24 months, according to the Workforce Ecosystems report by Deloitte and MIT Sloan Management Review.

The report says being able to manage and engage such a flexible workforce can help drive success and innovation. Internal auditors should be aware, though, that there are risks involved in the looser affiliations of a workforce ecosystem, such as reputation implications when contractors represent the brand, changing international labor laws, and a sharper societal focus on diversity, equity, and inclusion.

The new workforce ecosystems may require new leadership practices. “You have to think about it holistically, and you have to really harness the power that is your entire workforce to be successful,” says U.S. Army Maj. Gen. Ronald Clark, who oversees military, civilian, and contracted personnel for the U.S. Indo-Pacific Command. — C. JANESKO

1,830 OF THE WORLD’S BIGGEST COMPANIES say they face or expect regulation that places a price on carbon emissions.
60% OF THEM DO NOT IDENTIFY IT AS A SUBSTANTIVE RISK TO THEIR BUSINESS.
“Companies need to start anticipating these inevitable policy shifts, taking action in their value chains, and disclosing these risks to their shareholders,” says Nicolette Bartlett, global director of Climate Change, CDP.
Source: CDP, Nearly Half of World’s Biggest Companies Factoring Cost of Carbon Into Business Plans
Many boards are having heated debates on how to promote racial equality and equity. One element of this debate centers on performing racial equity audits, and not every organization is taking the same path, Bloomberg reports.

Racial equity audits are conducted by outside groups, which analyze companies’ business models — from policies to products and services — to determine whether they cause, reinforce, or perpetuate discrimination. The

Amazon and Morgan Stanley have said they will review equity internally.

The fact that these conversations are being had at all represents a shift in the role organizations have played in racial equity. According to a recent JUST Capital survey, all of the 100 largest U.S. employers say they plan to address racial equity through anti-discrimination policies. Of these companies, 98% plan to do so through education and training programs, and 91% plan to do so through community investments. — L. WAMSLEY

Blockchain is gaining acceptance as a technology for recording data and ensuring integrity in supply chains through the ability to track and trace materials, products, and services, according to a PwC Strategy + Business article. Current uses of the public digital ledger range from ensuring the safe and swift global distribution of COVID-19 vaccines to creating accountability in environmental, social, and governance claims among manufacturers and retailers. Blockchain also can help identify fraud and contamination quickly and accurately.

Implementing blockchain should be part of a wider digitization strategy, writes Hadyn Jones, a senior blockchain market specialist and director with PwC U.K. To determine whether the organization can benefit from blockchain, Jones advises leaders to consider whether its transactions are time-sensitive and depend on two or more parties to record, update, share, and view common data. Also, Jones says they should determine whether transaction records must be verified by intermediaries. In each of these cases, collaboration among industry peers may increase efficiencies and reduce costs. — L. NELSON
BREAKING DOWN THE AUDIT REPORT
Concise, targeted reports are of great value to the organization.

The International Professional Practices Framework does not require internal auditors to issue a written report. So auditors can, in theory, communicate engagement results through any medium that suits the function and the client. For most departments, though, this is done via a written report that documents the engagement and prompts senior managers to action.

A well-written internal audit report, which some may argue is a rare thing, should be easy to read and review and even easier to act on. Whether new or experienced, internal auditors can always benefit from a refresher on the basics of audit report writing.

What Goes Into a Report?
Implementation Standard 2410.A1: Criteria for Communicating, states: “Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided.” What should internal auditors include to make sure their reports meet these criteria?

Findings: Also called issues or observations, audit findings are the results of observation and testing during an engagement. They may be nonexistent or failed controls, but also can include instances of good practice that the auditor wants to share with the client. It’s crucial to communicate any issues clearly, so the client understands the problem and why he or she needs to act.

Many internal audit departments follow the five Cs model to structure their audit findings discussion for clients: criterion, condition, consequence, cause, and corrective action. However, the nonnegotiable elements are condition, cause, and consequence.

Another way to articulate condition, cause, and consequence is to ask three important questions:
1. Who is not doing what, or what is not in place? The report should indicate what observation and testing produced — evidence of inadequate or ineffective controls. For example: “Senior managers in the facilities security team do not check applicants’ backgrounds for criminal or other relevant records.”
2. So what? The answer to this question should be a real risk statement. In other words, auditors should state the real-world harm that has occurred, or could result from, the control weakness, rather than just another failed control. For example: “As a result, the organization may risk reputational damage and financial loss if it hires people who have a history of theft or other crimes.”
3. Why? Internal auditors should not settle for a superficial reason or a repetition of condition as the answer to this question. Instead, they should channel their inner four-year-old and keep asking, “Why?” For example: “This has arisen because senior managers in the facilities security team have not updated hiring processes in line with group policy, which requires background checks.”

Executive Summary: Once internal auditors have articulated the key findings, it’s time to write the executive summary. The IIA Practice Guide, “Audit Reports: Communicating Assurance Engagement Results,” says the executive summary should “provide a clear and concise overview of the engagement results and efficiently deliver critical information with a persuasive, well-substantiated key message to stakeholders.” However, the summary should not be a condensed recitation of the findings.

Many clients will only take the time to read the executive summary, so it needs to provide high-level headlines. Broader themes such as underlying cultural or behavioral problems, a lack of governance, or other big items must feature in the executive summary.

Internal auditors should try to limit the executive summary to a short paragraph. It’s harder than people think, but readers appreciate such concise communication.

How to Write It
Standard 2420: Quality of Communications says, “Communications must be accurate, objective, clear, concise, constructive, complete, and timely.” To communicate in this

Because the active voice puts the responsible parties or area first, it may come across as blaming. However, overusing the passive voice produces writing full of vague, possibly misleading sentences. A good rule of thumb is to keep the use of passive voice in the report below 20%, which Microsoft Word readability statistics can calculate.

Brief: Report readers are busy, so internal auditors should use simple words and keep sentence length to 20 words at most (in English). Why would anyone want to wade through 20 pages when they could grasp the message in fewer than 10 pages of plain language? Again, Microsoft Word’s readability statistics function will help, as it provides the average number of words per sentence in a document.

Concrete: One way internal auditors can make their writing less abstract is to avoid nominalizations (also called verbal nouns). This happens when the writer takes a verb — analyze — and turns it into a noun — analysis. The result is a longer sentence. Instead of saying, “We performed an analysis of the data,” the writer should say, “We analyzed the data.”

Nominalizations make writing even harder to follow when people disappear completely from the sentence: “Analysis and further investigation led to discussions and decision-making.” The reader cannot determine who is analyzing, investigating, discussing, and deciding.

Some auditors may shy away from communicating so directly, especially in cultures that may see this as rude. However, if internal auditors have performed the engagement thoroughly and have material findings to report, the reader needs to know. Whether in reports, emails, or briefings, the ABCs will make it easier for readers to understand the message and act on it.

Trusting audit team members allows them to find their own flexible solutions.
about infrastructure and network risks that internal audit can help answer.

Organizations and officials worldwide are still sifting through the damage caused by the December 2020 SolarWinds breach, which impacted more than 250 companies and government agencies. Hackers inserted malicious code into the U.S. company’s Orion IT infrastructure monitoring and administration platform.

The code spread through updates and patches SolarWinds sent to all its clients, the company’s CEO Sudhakar Ramakrishna told a joint hearing of the U.S. Senate Oversight and Reform and Homeland Security Committees in February (see “Congress Raises Questions” on page 19). The SUNBURST malware created backdoors through which hackers could access customers’ systems.

Organizations that use the SolarWinds platform may already have been attacked. Internal auditors should help determine their risk and devise safeguards against this and future attacks.

Protecting Infrastructure
In the aftermath of the SolarWinds incident, IT and cybersecurity teams should review and test more details and cover more transactions. In time, audit committees, external auditors, and regulators may expect internal audit to perform more continuous assessments and technical reviews of the infrastructure and network cybersecurity hygiene.

The level of investment and time to improve cybersecurity in the network and infrastructure will need to increase significantly, as well. In a March presentation, the National Association of Corporate Directors (NACD) advised boards to “evaluate their programs’ effectiveness compared to their spend.” The NACD suggests directors discuss:
» How can boards ensure companies are implementing best practices?
» What are the most effective security metrics boards should consume?
» How can boards oversee effective third-party risk management?

Assessing Risks
Internal audit should begin by assessing the risk levels represented by the SolarWinds breach. Organizations assume that infrastructure and network monitoring tools can be a trusted part of cybersecurity hygiene practices. When the tool is corrupted and open for hackers, it increases all other risks and weakens controls.

Internal audit’s IT auditors should discuss with the technology and information security teams ways to assess infrastructure and network governance, risks, and controls. Auditors may need more training on infrastructure and network processes.

Even with such expertise, IT auditors rarely will review the actual code or patch update. First, scans of patch update code require deep technical knowledge. Second, auditors typically focus on timely and complete patching — not scanning for malicious code in a vendor update.

For example, SolarWinds used external resources to identify the malware SUNSPOT, a highly sophisticated code designed to insert the SUNBURST backdoor malware during the Orion platform build process. IT auditors would not be expected to deal with the governance, risks, and controls over such a detailed and technical process. However, there are several ways internal audit can provide value.

Vendors and Partners: Internal audit should review all infrastructure vendors and supply chain partners, especially vendors that play a crucial security role. They should perform an inventory of vendors and analyze each provider’s risk profile.

Segmentation: Auditors should review the current network and infrastructure segmentation to see whether isolating vendor software into a higher risk zone will improve security. Segmentation is a practice of dividing and blocking certain traffic into different parts to improve performance and control access. It can help block all or some traffic from reaching another network, which may prevent infected software from accessing other high-risk data stored in a different network segment.

Auditors should determine whether the IT team deploys policies and controls to manage who can access high-risk data network segments. It also should find out what policies govern who can access higher risk networks.

Security Testing: Internal audit should review whether technology and security teams plan to perform or set up Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). DAST implements automated scans that simulate malicious external attacks. SAST analyzes source code while the application is at rest or static. Auditors should review the DAST and SAST strategy and approach to see what threats or vulnerabilities are tested.

Threat Hunting: Internal auditors should determine whether technology and security teams should use threat-hunting procedures. Security teams can deploy several types of threat-hunting tools: structured, unstructured, intelligence-based, hypothesis, and custom hunting. Additionally, auditors should determine whether the IT and information security teams follow a threat-hunting model or framework.

Return on Investment: Internal audit should assess the maturity and level of return on the organization’s cybersecurity investment. For example, what percentage of the technology budget goes to cybersecurity? How does this investment compare to the organization’s peers or industry standards? Does that investment make the infrastructure safer and stronger?

Third-party Safeguards
The SolarWinds breach tarnished past assumptions and trust in third-party software and patch update processes. To address such catastrophic risks in the future, internal audit needs to assess the governance, risks, and controls over providers that are essential to monitoring infrastructure and networks.

STEVE MAR, CFSA, CISA, is an adjunct professor at Seattle University and the University of Hawaii.

According to several sources, the SolarWinds breach went undetected for at least nine months. That means the hackers could embed and hide malicious code over an extended time. Several points arose during U.S. congressional hearings:
» Members of Congress and witnesses — which included executives from cybersecurity firms and Microsoft — mostly agreed that the U.S. needs a more extensive and better-trained cybersecurity workforce.
» Many attendees said more resources are needed to strengthen the nation’s cybersecurity. This includes more federal government investment to upgrade critical infrastructure, especially outdated software and security systems.
» Members called for improving best practices and cybersecurity hygiene. This may include more threat hunting or proactive searches for cyber threats to organizational networks and infrastructure. For example, the Department of Homeland Security Cyber Hunt and Incident Response Team Act of 2019 funds these activities for several federal government departments and agencies.
» Many members and witnesses called for a better public–private partnership to deal with cybersecurity threats, including more robust reporting and sharing of cybersecurity-related information. However, disclosure brings up issues about liability and reputational risks to companies that disclose significant breaches.
FINANCIAL REPORTING DURING THE PANDEMIC
A new study spotlights how the crisis is impacting financial misstatement risks and internal control audits.

As the vaccine rollouts raise hope that COVID-19 will subside, auditors may question how the pandemic has impacted financial statements. There are many views regarding how the crisis has changed the world and whether these changes are permanent.

The risk environment definitely has changed. Specifically, there may be greater risk of material misstatements in financial statements, according to our study, “COVID-19 and the Accounting Profession,” published in May in the Journal of Accounting, Ethics, and Public Policy. Internal auditors should consider how to incorporate the impact of changes driven by the pandemic on accounting processes into their risk assessment and planning for audit programs and work.

Survey Findings
The study surveyed 139 accountants in the U.S. to gain broader insights into their work during the pandemic. Respondents who perform external audits disagree with the notion that the crisis will lead to an increase in earnings management or attempted fraud. Although this finding may reflect respondents’ beliefs that stakeholders will be more forgiving of reduced earnings, management may have greater incentive to manipulate earnings during the pandemic. Regardless, the finding suggests that external auditors may be less likely to change their audit procedures to identify and assess changes to risks of material misstatements brought on by the pandemic. Internal auditors should consider the impact of a higher risk of material misstatement in their audit work.

Ironically, survey respondents also agree the crisis will reduce the effectiveness of internal controls and make it more difficult to audit them. Taken together, these findings suggest that financial statements prepared and audited during the pandemic are susceptible to higher risks of material misstatements. Additionally, while some impacts of the crisis on the internal control environment may be permanent — such as remote work — organizations may need to modify existing internal controls and internal audit techniques to accommodate the post-pandemic paradigm.

The Impact on Control
When internal controls designed to prevent and detect financial statement errors and fraud fall short, detection mechanisms such as reconciliations of accounts and internal audits serve to catch those errors and fraud. External audits add a layer of protection to prevent material misstatements.

However, both the prevention and detection features of internal controls are susceptible to weakening due
long vehicle refueling scheme.

Veronica Vanatamm was the internal auditor for East Mining Co. (EMC), an underground mining company that relied on heavy machinery powered by diesel fuel it purchased from Best Fuel Plc. Vanatamm was assigned to audit whether the diesel fuel consumed by EMC’s machinery was accounted for correctly and whether fraud risks were mitigated.

When Vanatamm began the audit, she learned that the main refueling facility was located at EMC’s mine site, but the equipment and diesel fuel in the tanks were owned by Best Fuel. EMC drivers purchased diesel fuel in the same way as at an ordinary gasoline station. After refueling, EMC drivers received receipts that they would submit to EMC accounting. Best Fuel transferred information about refueling electronically to EMC at the end of each month.

EMC vehicles had the capacity to carry 5,000 liters of diesel. After refueling, they transported diesel fuel to the underground mine and dispatched it to 12 underground tanks for trucks, loaders, and stationary mining machinery. Carrying vehicles had fuel pistols with meters and underground tanks had fuel counters.

EMC became the owner of the diesel fuel when the vehicle used to transport diesel underground tanked at Best Fuel’s main on-land facility. So, Vanatamm had to trace diesel from the time it was purchased until its usage was recorded and reported. She decided to test whether the balancing equation worked. Namely, whether the monthly end balance equaled the balance at the beginning of the month plus the purchased amount, minus the amount consumed by the machines.

EMC performed a physical inventory of the underground fuel tanks every Sunday and the first day of the month, and compared actual measurements to expected calculated results. The calculated results were based on sales receipts from Best Fuel and meter readings from the underground tanks. Vanatamm extracted data for three months and discovered the physically measured balance of diesel fuel was always precisely the same as the calculated end balance. There never was a single liter difference. She became suspicious and extracted a new data set looking at two years’ worth of data. Still, there was always an exact match.

Vanatamm discussed her concern with Peter Kirs, the mine’s main engineer. He told her that EMC reconciled the physical inventory balance with the calculated inventory balance. However, the reconciliation required an additional adjustment. During this step, any differences between the measured physical end balance and
Logan Wamsley
Illustration by Sandra Dionisi

No matter where you’ve turned in the past year, business headlines have heralded environmental, social, and governance (ESG) topics. In April, hundreds of businesses and business leaders took a stand against Georgia’s controversial new voting law, enacted following a tumultuous U.S. presidential election. Earlier this year, Larry Fink, CEO of investment management firm BlackRock, called on CEOs to address climate change and align greenhouse gas reduction with science and global reporting standards. And last year, #BlackLivesMatter and similar campaigns arising from race-based killings brought social justice, equality, and equity to the forefront — even in executive suites.

These examples encapsulate how broad the scope of ESG truly is and the daunting task organizations have in addressing its related risks. Investors, politicians, regulators, and the public are pressuring businesses to hold themselves more accountable. That raises the question of whether comprehensive ESG reporting will become mandatory and have an impact on internal audit similar to how the U.S. Sarbanes-Oxley Act of 2002 changed internal audit’s role in financial reporting.

Some internal auditors say it might, at least for certain companies and business sectors, pointing out that many countries already require such disclosures or at least are starting to explore them. While the U.S. Securities and Exchange Commission (SEC) hasn’t required ESG reporting, “the winds are definitely changing with the new SEC chair and the Biden administration having this as a very high priority,” says Steve Wang, a managing director at Protiviti in St. Louis. Wang says internal audit has a key role to play in ESG reporting; however, the level of effort needed may not be equivalent to that put into Sarbanes-Oxley compliance.

THE PRESSURE IS ON
Although ESG reporting is becoming an important resource for shareholders and regulators, it’s also important for company stakeholders, including
employees and consumers. In fact, it is the pressure from stakeholders and not any one government entity that has been the primary driver of change.

A good example is the business response to Georgia’s voting law, an unusually vocal move by corporate America to shape the nation’s political discourse. “If you do not have a point of view that supports equality, and that represents justice and democracy, how will you be a company that’s relevant going forward?” asks Edith Cooper, co-founder of Medley, a membership-based community for personal and professional growth in New York, and an independent board director for Etsy and Slack.

Organizational psychologist Dr. Ella Washington of Georgetown University says the public now expects greater action from organizations to address racial diversity, equity, and inclusion (DEI) — particularly from board members. “The narrative at this point has shifted because people of the Black community and their allies globally are saying, ‘OK, words are great, but they’re no longer enough,’” she says. “There’s a clear call for action that companies are responding to, but their follow-through is what people are really paying attention to.”

To wit, Jason Kilar, the CEO of WarnerMedia, explicitly named racism as a problem in the company and committed to work toward change, while BlackRock announced its intention to have an independent racial equity audit conducted in 2022.

TO COMMENT on this article, EMAIL the author at logan.wamsley@theiia.org

GLOBAL MOMENTUM
While demand for ESG reporting is building in the U.S., there have been significant advances globally. In fact, ESG movements have a long history in regions such as Europe. For example, Europe has led the charge on the environmental and sustainability front, with initiatives such as the publication of the 2006 Stern Review in the U.K. and the signing of the Paris Agreement on climate change in 2015. These initiatives have had a profound effect on how organizations view economics and productivity against the threat of climate change.

Recent global actions have promised to take the ESG conversation even further. In September 2020, the World Economic Forum’s (WEF’s) International Business Council (IBC) published a white paper that established a set of “stakeholder capitalism metrics.” These metrics are aimed at establishing consistency and comparability for companies reporting on ESG performance in line with the United Nations Sustainable Development Goals. “We have to deliver great returns for our shareholders and help drive progress on society’s most important priorities,” said IBC chairman Brian Moynihan, chairman and CEO of Bank of America, about the white paper. “Common metrics will help all stakeholders measure the progress we are making and ensure that the resources capitalism can marshal — from companies, from investors, and others — are directed to where they can make the most difference.”

In March, the International Financial Reporting Standards (IFRS) Foundation trustees formed a working group of standards-setters to converge ESG standards and set a foundation for the International Sustainability Standards Board. The group includes the Climate Disclosures Standards Board (CDSB), International Integrated Reporting Council, Sustainability Accounting Standards Board, Task Force on Climate-related Financial Disclosures (TCFD), and WEF. “We are encouraged by the prospect of the creation of such a sustainability standard by the IFRS, which would represent in principle the culmination of our original vision,” said CDSB chairman Richard Samans in a statement. He noted that
the group will be “building in part upon the CDSB Framework and the use of it by over 500 large listed companies around the world.”

A wide-encompassing term, environmental, social, and governance (ESG) refers to any criteria that characterize an organization’s operations as sustainable, responsible, or ethical. Although there can be some overlap, ESG-related topics generally fall under one of the three main categories represented in its abbreviation:

E: The “environmental” piece considers how an organization performs as a steward of nature. This can include issues related to carbon emissions, waste management, water management, raw material sourcing, and climate change vulnerability.

S: The “social” piece examines how organizations manage relationships with employees, customers, and the greater community. Risks that fall under this category can include corporate social responsibility, labor management, data privacy, general security, and health and safety. With the recent rise of high-profile movements related to addressing racial injustice, social ESG-related subjects such as diversity, equity, and inclusion have taken prominence.

G: “Governance” refers to variables such as business ethics, organizational leadership, executive pay, audits, internal controls, intellectual property protection, and shareholder rights. Diversity risks, while social in nature, also can fall under the governance umbrella in certain cases, such as when actions are undertaken to improve board diversity.

Although there is a perception that ESG-related topics are nonfinancial in nature, long-term improvement of organizational performance and financial returns are central to the argument for increased ESG prioritization. Ultimately, the goal of ESG reporting is to give investors and stakeholders more complete analyses that can help them make better-informed investment decisions.

THE FUTURE OF STATUTORY REPORTING
Across the world, there is already a litany of ESG reporting standards, both current and planned. For example, the European Union (EU) Sustainable Finance Disclosure Regulation went into effect in March. This law outlines requirements for asset managers of investment firms to disclose how sustainability risks are incorporated in their decision-making, as well as the principal adverse impact of any investments made on external sustainability factors. This complements the 2014 EU Non-Financial Reporting Directive, which mandates that all offices within the EU with more than 500 employees adhere to a minimum requirement to report on environmental matters, social matters, human rights, anti-corruption and bribery measures, and board diversity.

Additionally, European companies must maintain an awareness of the reporting requirements of individual countries. For example, the U.K. plans to introduce new ESG disclosure requirements for Financial Conduct Authority-authorized investment managers based on recommendations from the TCFD.

in Kitchener, Ontario, foresees increased regulatory action. She points to the heightened awareness of ESG, as well as the need to align it with business strategy and reinforce it through organizational systems. “One can’t help but expect this to be a continued area of focus when evaluating a business,” she says.

Adoption of standards has been slower in the U.S., where greater concern about ESG has not translated into law or regulations. Under the Biden administration, the SEC has launched an ESG investing resource web page and made related risks a greater focus in its 2021 examination priorities. The commission also established a Climate and ESG Task Force to proactively identify ESG-related misconduct.

Moreover, President Biden has issued two recent executive orders, including EO 13990, which directs all federal departments and agencies to act to confront the climate crisis. The second order, EO 14008, states that climate change should be incorporated into U.S. foreign policy and national security considerations.

ESG reporting is already done through some avenues, but the demand for more is growing fast. “There have long been regulatory requirements for reporting and disclosures to the SEC, as well as agencies that enforce other aspects of ESG: environmental, safety, labor, etc.,” says Douglas Hileman, a Los Angeles-based ESG specialist. “The investment community realizes that ESG is a risk, offering the opportunity to add financial value — or to limit it.”

Hileman notes that investors are looking for robust, meaningful, and comparable ESG data. Moreover, business-to-business requirements for ESG reporting and performance create additional compliance requirements, which can be enforced through industry standards or contracts. “Noncompliance
can put customer relationships — and revenues — at risk,” he explains.

GROWTH IN REPORTING
Recent data indicates that organizations have responded to the changing tides, although not comprehensively. For example, about 90% of S&P 500 companies issue corporate sustainability reports, but only 16% refer to any ESG factors in their regulatory filings, according to a July 2020 Government & Accounting Institute study. That creates a mismatch between what they disclose officially to regulators and voluntarily to the public.

There also have been mixed results in incorporating the social aspects of ESG, such as DEI, into reporting structures, despite a wide recognition of the value such insight provides. In a recent Greenwich Associates survey of 92 investors and 22 intermediary distributors across France, Germany, Italy, the Netherlands, the U.K., and the Nordic countries, 79% of respondents see social considerations as having a positive impact on performance and risk management in the long term, yet 42% see a lack of established metrics as the key barrier to social investing. Additionally, 31% say a lack of clarity over what constitutes a socially responsible investment will hold firms back.

“This can be attributed in part to the fact that the nature of social indicators can seem less tangible or measurable, with standards that are more likely to vary by region,” says Jane Ambachtsheer, global head of sustainability at BNP Paribas Asset Management, which sponsored the study. “However, the same can hold for environmental and governance factors.”

HOW INTERNAL AUDIT CAN HELP
Internal audit can help the board understand the importance of getting ESG reporting right. A new IIA report, Internal Audit’s Role in ESG Reporting discusses the value of independent assurance of such reporting.

With an increasing body of laws and regulations rapidly becoming a reality, the enforcement potential for public ESG reporting and disclosures is growing. “ESG efforts are typically widely distributed through an organization, with varying degrees of rigor for systems and controls for generating data and information,” Hileman says. He explains that internal audit’s assurance role for internal controls over financial reporting is understood, because of Sarbanes-Oxley, and auditors can apply the same skills to nonfinancial reporting such as ESG. “With the pace of change, it is a classic example of where internal audit can provide value at the speed of risk,” he says.

Likewise, Wang notes that the SEC intends to review sustainability reports that companies disclose voluntarily. “They could open enforcement investigations where a sustainability report or voluntary disclosure suggests that something in the required filings could be materially misleading,” he says. “The risk right there should be evidence as to why organizations should be looking for any inconsistencies in reporting between voluntary disclosures and the financials, and internal audit can and should play a role in that.”

“The whole aspect of culture risk and DEI misalignment can be understood from an internal auditor’s perspective.”
Aneesa Ruffudeen

In navigating the social aspects of ESG without definitive metrics, internal audit’s involvement might be even more important. IIA Standard 2060: Reporting to Senior Management and the Board requires internal audit to report significant risk and control issues requiring attention to senior management and the board. Without clear standards for reporting on DEI, for example, internal audit could consult with company leadership on what information would be most valuable for investors and stakeholders.

DEI is a good opportunity for internal audit to discuss risk with
management and the board. “The whole aspect of culture risk and DEI misalignment within organizations can be understood from an internal auditor’s perspective,” Ruffudeen says. To determine a framework for DEI, she advises breaking it into four pillars: the organization’s culture, risk culture, compliance needs tied to the culture, and conduct risks. “If we talk to leaders in the organization about it, we can help them determine if we have the right culture in our organization, if we are living by the shared values we promote, and where we can begin to improve,” she says.

A CHANGING OF THE GUARD
Regardless of whether additional statutory ESG reporting requirements materialize, that does nothing to diminish ESG’s importance to the organization or its place in internal audit’s risk scope. ESG reporting does not just represent a moral imperative; in fact, long-term productivity and success is a core argument for increased ESG-related disclosures. This can be seen in a variety of ways, including a reduction in operational expenses, fewer costly regulatory and legal interventions, increases in employee morale and productivity, and significant top-line growth.

Additionally, organizations would do well to account for the shifts in cultural attitudes regarding ESG topics in their long-term forecasts. In a recent McKinsey & Co. report, more than 70% of consumers say they would pay an additional 5% for a “green” product if it met the same performance standards as a non-green alternative.

This is equally important on the employee side. According to Deloitte, three-fourths of the global workforce in 2025 will be millennials — a generation deeply invested in climate change, corporate accountability, consumer ethics, and diversity. Companies whose values align with those of their talent pool will be best positioned to attract the best people.

These are three key areas where internal audit can gain the greatest buy-in from board members and assist in reporting. As the culture shifts, so does the money. In many ways, the push for ESG reporting can be seen as downstream of culture, which is moving forward swiftly.

LOGAN WAMSLEY is manager, content strategy and development, at The IIA.
Standard Approach

With internal audit’s help, companies can realize the benefits of adopting nonfinancial disclosure standards, says the SASB’s JEFFREY HALES.

The days of believing that a company’s profit and loss account is the ultimate indicator of future performance are over. Investors, regulators, and other stakeholders are acutely aware that there is much more information that a company can disclose outside of the usual financial reporting. This nonfinancial

Hales offers these key takeaways for internal audit to help the board and executives understand why adopting the SASB Standards makes sense for both corporate governance and corporate performance. There are obvious benefits for internal auditors to push for their adoption.

1. SASB Standards are focused on financial materiality and long-term value creation. They are also aligned with The IIA’s mission and internal audit’s professional values.
2. The Standards are detailed and specific, and they provide suitable criteria for assurance. Tests also can be built around them, which means there is a strong role for internal audit involvement.
3. Directors are increasingly being given oversight of ESG and sustainability issues — especially audit committees — so it is important that internal auditors support them by using a globally recognized framework to provide them with the level of assurance that they need to inform long-term decision-making.
4. Investors are demanding more information about sustainability issues. Therefore, it makes sense for internal audit to push for ESG disclosures to be aligned to an established framework so that their companies’ sustainability reporting meets investor expectations.
5. Sustainability is not just about reporting — it is primarily about managing the risks. Naturally, internal audit, in particular, is going to play a crucial role when it comes to providing assurance, assessments, oversight, and advice related not just to the reporting of this information, but also how sustainability risks are managed internally within the company.
Standards and are living up to their spirit? Similarly, which industries are lagging?

Carbon- and energy-intensive industries — such as oil and gas, mining, and infrastructure companies — have been among the best early adopters of the SASB and other sustainability standards. This is partly because they were the first industries to come under closer investor scrutiny regarding the impact they were having on the environment and what steps they were taking for the future of the business as the world moves toward greener, renewable energy. Slower adopters include service industries that have felt that their operations do not have the same kind of environmental or social impact as large-scale mining and manufacturing companies, for example. However, as investor and activist pressure mounts, we expect to see a change in the way that they report and the information they disclose.

TO COMMENT on this article, EMAIL the author at neil.hodge@theiia.org

Are companies adopting the Standards and reporting differently based on their geography?

Adoption of SASB Standards in the U.S., Europe, and Asia-Pacific region is generally good. However, language barriers have halted progress in some regions, such as South and Central America, which is why we have been working on translating the Standards and SASB guidance into Spanish. French, German, and Japanese translations are also on the way.

European companies have perhaps been given an additional incentive over their U.S. counterparts to adopt the SASB Standards. The European Commission has been specific about the types of issues that need to be disclosed under the European Union’s nonfinancial reporting directive — though it is up to companies how they do so. It has openly stated that adopting the SASB Standards — or other established ESG standards and frameworks, such as
change on ESG reporting. There has certainly been a change in the expectations that investors are pushing for and the kind of disclosures that they want from companies. There is also more pressure on asset managers about the kind of ESG information they should be asking for from companies they are prepared to invest in.

There is also evidence that shareholder proposals are getting increased support around key sustainability issues from institutional investors and other large asset owners, such as pension funds. Other trends, like active portfolio management — which is used by investors to monitor which companies are positioning themselves to better manage ESG issues and how they may impact the business — are also gaining momentum and are making a significant impact.

explains these issues (and the risks behind them) to the board and can recommend that management put any necessary controls in place to help mitigate potential shocks arising from them.

Over the years a much stronger focus on sustainability issues has developed at the board level; the role of the audit committee is increasingly focused on managing these issues and it is, therefore, a key opportunity for internal auditors to connect with the audit committee and help them recognize that part of the committee’s responsibility is not just making sure that financial reports are high quality, but also that sustainability issues are interconnected with financial reporting and that nonfinancial information also needs to be of equal quality.
The Three Lines Model should encompass environmental, social, and governance (ESG) issues. Organizations can establish a sustainability function and provide suitable capacity building to support the management and oversight of ESG-related concerns, with internal audit providing independent assurance.
GOVERNING BODY
team may have been tasked with incorporating ESG considerations in its supplier policies despite knowledge gaps around technical understanding and evolving science. Internal auditors should assess whether additional expertise is necessary to supplement what an organization can accomplish in house. Moreover, preparedness to embrace sustainability may differ from one organization to another. Building ESG key performance indicators into balanced scorecards and remuneration frameworks can drive the success of ESG adoption.

A strong sustainability culture exists when leadership establishes a clear directive that ESG is integral to organizational purpose and values — and therefore core to business strategy. Everyone throughout the organization must understand that sustainability is an imperative, with each individual committed to the same vision and outcomes. Auditors can find evidence of this commitment in the establishment of ESG considerations within risk management processes, decision-making metrics, balanced scorecards, and remuneration frameworks. But these formal structures alone cannot drive sustainability. Practitioners also should make sure individuals are fully engaged on ESG topics and have adopted a growth mindset to embracing it.

3. Which ESG topics are being measured and reported, and why?
Internal auditors should not set the organization’s ESG strategy, but they must understand stakeholder priorities, material ESG issues, and most importantly, the intersection between the two. Ultimately, internal and external reporting should reflect both current state (what the organization is doing) and future state (what the organization intends to do), with metrics showing the efficacy of ESG initiatives. Internal auditors need to
The IIA’s 2021–2022 North American Board chairperson, LAURA SOILEAU, says getting young people hooked on internal auditing is crucial to the sustainability of the profession.
will be on investing in the next generation of internal auditors. I’ll be working with The IIA’s new President and CEO Anthony Pugliese to enhance and expand our student engagement strategy and be more proactive about getting in front of universities and students. This will all be part of a larger effort to grow a diverse and engaged IIA membership that includes expanding opportunities for volunteerism and helping peers connect.

ELEVATING INTERNAL AUDIT’S PROFILE AT THE COLLEGE LEVEL
I was lucky enough to stumble on that operational audit course, but many young people in business, accounting, or data science programs are not aware of internal auditing as a profession. We need more university courses like the one I encountered initially and more programs like the one at Louisiana State University, which is an IIA Internal Auditing Education Partnership Center of Excellence program. We also need to continue fostering opportunities to connect with students.

Some of The IIA’s chapters have connected with universities to promote internal auditing, like the mentorship program that 2020 Emerging Leader Bonnie Tse of IIA–Seattle launched with local university students. The IIA also supports chapters in presenting an annual chapter challenge to help engage students and grow them into members. We should double down on these efforts, connecting with professors and university programs, to make it clear there are jobs for future practitioners.

To help chapters and global affiliates with outreach, The Institute has posted an Academic Relations Toolkit on TheIIA.org. In it, members can find resources for starting an academic relations plan in their area, along with best practices from other chapters. The IIA also offers grants, scholarships, awards, and events for prospective auditors, such as the Internal Audit Student Exchange. This event, hosted annually in September, is aimed at college students with experience or interest in the field.

ENCOURAGING DIVERSITY IN THE PROFESSION
To engage the next generation, we must work to change the perception of the internal audit profession as boring and the belief that internal auditors are “just accountants.” Instead, we must encourage more nontraditional paths to the profession. We need to work with universities beyond their accounting programs to help people from different disciplines and backgrounds — such as liberal arts, computer science, data analytics, and management — understand that internal auditing benefits from a diverse and inclusive pool of professionals and is a viable, fun, and exciting career.

We know that as more teams embrace technology solutions in internal auditing, students with backgrounds in IT and data analytics will be needed. And of course, not all new auditors are straight out of college. Some move over from other departments within a company because of the skills they can bring to the audit function.

Our internal audit teams need to be diverse beyond skills and backgrounds. If one looks at the organizations internal auditors serve, they will see they are made up of diverse people. The more the internal audit department reflects the organization as a whole, the more we’re going to be able to relate to our internal audit customers and stakeholders.

Diversity, equity, and inclusion (DEI) is a strategic area of focus for the North American Board, so I’m also looking forward to continuing work in this important area. Later this year, the Internal Audit Foundation, in collaboration with Deloitte, will embark on a study to explore both the importance of DEI in the audit function and how the audit function can play a pivotal role in advancing DEI enterprisewide. Ultimately, diversity can only improve our audit departments. Diversity of thought helps us communicate better, understand different points of view, and assess risk from many different angles.

UNDERSTANDING THE NEXT GENERATION OF AUDITORS
As we welcome the next generation of internal auditors, we also have to be open to generational differences. Granted, the last year has given us all an opportunity to practice our technology skills while working remotely. But for students coming out of college now, Zoom, Teams, and other collaborative technologies are second nature.

When I need to chat, I am one of those people who will pick up the phone and call or — when we were still in an office — pop by for a quick face-to-face exchange. For some of the younger generation that I work with, they’re more likely to send me an instant message. It’s sometimes been hard for me to remember to keep our chat client on and respond, but part of being open and inclusive is not necessarily expecting everybody to adapt to my approach. We have to be willing to meet people where they are.

The next generation also could be an asset to internal audit functions as chief audit executives look to add technology competencies within their teams. There may even be opportunities for reverse mentoring, where less experienced auditors are able to teach some technical skills to more experienced teammates. Research shows that when a company encourages the exchange of ideas across generations, it improves productivity, profitability, and worker morale for all.

Organizations are going to have to be more flexible and innovative in how they engage the younger
and exercise their soft skills, then other things, such as opportunities for further contribution, will naturally fall into place.

GROWING THROUGH THE IIA
For auditors new to the profession or looking to advance their careers, The IIA has many helpful initiatives. Take the Emerging Leaders Task Force (ELTF), for example. Made up of IIA volunteers, the task force encourages emerging internal audit leaders to engage, connect, and contribute to the profession.

The task force recently launched the Emerging Leaders Mentoring Program. I served as a mentor through the inaugural program, and I am very enthusiastic to participate again this year. Being a mentor has allowed me to develop new relationships and given me a better understanding of the challenges internal auditors are facing today at different stages in their careers.

The ELTF also recently launched The IIA’s Emerging Leaders LinkedIn Group, a place for the next generation of internal auditors to network. Young professionals can share their knowledge on the Group page, learn about IIA opportunities, and find curated IIA resources most relevant to them.

In addition, the ELTF supports Internal Auditor magazine’s annual Emerging Leaders program, which since 2013 has been recognizing up-and-coming internal auditors who have the potential to be future leaders. I was honored to be chosen as an Emerging Leader in 2014 and will be the first alumni to serve as the chair of the North American Board.

On the volunteer side, The IIA is making it easier for internal auditors to get involved with the association by transitioning certain committees to advisory committees and promoting

It was at Louisiana State University (LSU), where I earned a master’s degree in accounting with a specialization in internal auditing, that I first got involved in The IIA as a student member. I enjoyed the opportunity to network and participate in chapter events.

While at LSU, I passed the CIA exam, receiving the Student Highest Achievement Award for my performance. Passing the exam while I was still a student allowed me to start my career a step ahead. On my first day on the job, I already understood the fundamentals.

During my time at LSU, I interned at Avery Dennison, a Fortune 500 manufacturing company based in Pasadena, Calif. Following my graduation in 2001, I continued with the company, starting first as an internal auditor and moving up to senior internal auditor in 2003. The internal audit team traveled up to 80% of the time, including internationally, which gave me an opportunity to see the world.

In 2004, the company transitioned me to a financial analyst role, which was based in Cleveland, Ohio. I quickly realized that I missed internal auditing, so after a year, I took a job with International Paper, a Fortune 100 manufacturing company based in Memphis, Tenn. This job taught me the importance of relationship-building with internal audit stakeholders and allowed me to hone my leadership skills.

Finally, a little more than 10 years ago, my husband and I relocated to Baton Rouge, and I joined my current organization, Postlethwaite & Netterville. I started as a manager and was promoted to associate director and now director, which is a partner equivalent. I love my current job and I couldn’t imagine doing anything else.

Throughout my internal audit career, The IIA has enabled me to network and learn from peers outside my organization, contribute to and stay on top of developments in the profession, and further grow my leadership skills. I’ve participated at the chapter level, serving as the IIA–Memphis Chapter president and on the IIA–Baton Rouge Chapter Board of Governors, and at the North American committee level through the Publications Advisory Committee, where I served as a member for six years. Through this affiliation, I authored and co-authored multiple articles for Internal Auditor magazine, as well as served as a contributing editor to the magazine and on its Editorial Advisory Board. In 2017, I joined The IIA’s North American and Global boards.

On a personal level, I spend my weekends watching my eight-year-old son play sports, and you’ll find us at many of the LSU sporting events in Baton Rouge. I also enjoy running, and my family is looking forward to the day we can resume traveling.
Determining Internal Audit’s ROI
A departmental cost-benefit analysis can help internal audit measure and communicate its value.
Jack Pelikan

Like all departments in an organization, internal audit is an investment expected to yield a meaningful return. But unlike departments where return on investment (ROI) is easily calculated and traceable to the bottom line, internal audit is challenged to assess the inherently qualitative benefits of its work — such as compliance with laws, risk mitigation, process improvements, or providing management with peace of mind via assurance — against the quantitative costs it incurs, such as payroll, travel, software, and training expenses.

While each internal audit function faces different perceptions and unique expectations of value, internal audit teams can use a cost-benefit analysis to measure, drive, and communicate their value, and, ultimately, their ROI.

COST-BENEFIT ANALYSIS
Completing a departmental cost-benefit analysis is a way to address stakeholder
MONETARY BENEFITS
CONTROLLABLE COSTS
Salaries/Benefits $500K $700K $700K Increased in 2021 due to hire of new staff.
NONMONETARY BENEFITS
Engagements Completed 10 20 40
Recommendations Implemented 10 30 80
deficit, they should be included in a companion schedule. Tracking and reporting nonmonetary benefits will not only raise stakeholder awareness of internal audit’s many value streams, but it will also provide important context that the department’s value is not limited to the list of monetary benefits reported.

Planned Benefits As is common in investing, an ROI goal may not be achievable in the short term. Similarly, an internal audit function, particularly a new and growing one, should not limit its cost-benefit analysis or ROI goals to a single year. Rather, a growing team may expect to incur additional costs and further invest in personnel and tools over multiple years and use them to deliver greater value in the long run.

In these cases, a cost-benefit analysis with only a one-year view may reveal a far bleaker picture than reality. While conventional budgetary reporting uses quarterly and annual views, a longer term cost-benefit analysis may paint a more accurate picture of the internal audit function and its trajectory. In “Cost-Benefit and ROI of a Global Manufacturing Firm’s Internal Audit Department: 2020–2022” (this page), the internal audit function appears to be operating at a deficit, or at least from a monetary cost-benefit perspective. However, due to investments in personnel and technology that continue to
analyses may reveal encouraging signs of improvement. However, in the event of stalled progress, ongoing analysis can provide opportunities for further change and improvement.

As a caveat, internal audit’s cost-benefit and ROI analysis should not be tied to team member compensation or incentives, which could lead to conflicts of interest, impaired independence, and failure to objectively measure and report benefits. Additionally, to avoid inflation of internal audit’s reported benefits, the quantitative benefit values reported should be fully validated with the appropriate business stakeholders before finalizing.

Nonetheless, if the team remains committed to improvement and continues to measure progress and adjust as needed, the assessment results will continue to improve. Ultimately, these results can be shared with stakeholders as evidence of the department’s progress and increasing value to the organization.

COMMUNICATE VALUE
While every internal audit function faces unique perceptions and expectations of value, each one has a customized strategy for communicating value to stakeholders. Nonetheless, each strategy should consider three elements.

Target Audience Once internal audit has completed its cost-benefit analysis and has collectively agreed to share it with stakeholders, the target audience should be considered. The audience should include stakeholders that internal audit reports to directly, such as the CEO, chief financial officer, and audit committee. However, a broader audience, including various business unit leads, may be necessary, especially if those individuals are skeptical about internal audit’s value. That may include departments where internal audit would like to establish or expand its value-added services. Sharing these analyses with internal stakeholders and clients first can further validate results and assumptions, and lead to further revisions before sharing it with executive leadership, the audit committee, and the board.

Degree of Detail The degree of detail in a cost-benefit analysis will vary based on the stakeholder. For instance, executive leadership and the audit committee may be interested in just the total costs and monetary benefits along with a summary of key items and trends. Conversely, business unit leads may be more interested in the item-level detail of the projects impacting their areas along with past and planned benefits.

Basis for Assumptions Like other data models, a cost-benefit analysis of internal audit is both art and science. Some inputs are clear and easily measurable — such as payroll and travel expenses on the cost side or realized savings confirmed by the business on the benefits side — while others are more subjective and require assumptions. Limiting the analysis to easily measurable elements may represent only a subset of internal audit’s actual value. Instead, the analysis should consider other nonmonetary, quantitative benefits, such as engagements completed, recommendations implemented, and time savings, or qualitative benefits, such as prevention of noncompliance with specific laws. In situations where it is possible to reasonably estimate the monetary impact of a benefit using consistent, logical, and documented assumptions, such items should be reflected in the analysis. For instance, if during an operational audit, internal audit identifies and provides training on automated reporting that saves the accounts receivable manager five hours a week, then those weekly time savings should be considered as reportable nonmonetary benefits. However, if the time savings achieved were applicable to part-time, hourly associates whose total workload was reduced as the result of the efficiencies realized, then the potential payroll savings could be classified as a monetary benefit.

A MEANINGFUL RETURN
Internal auditors are well aware of their function’s capabilities and potential to further drive organizational value, but many stakeholders remain skeptical due to a general lack of understanding about the function’s overall impact, particularly on the organization’s bottom line. While each audit function faces different stakeholder perceptions and challenges, each is an organizational investment expected to yield a meaningful return. Internal auditors can measure their controllable costs and benefits, set goals, and revisit their project mix to provide more value and, ultimately, report on these items to stakeholders to ensure common awareness of internal audit’s value and potential. Like any other investment, an internal audit function with a clear, meaningful, and sustainable ROI will garner widespread appreciation and merit continued investment.

JACK PELIKAN, CPA, CISA, CISSP, is a senior director of internal audit at Caleres Inc. in St. Louis.
Flexible work options are common in the internal audit profession, but the COVID-19 pandemic has ushered in a new time when more and more auditors are working from home. Some audit departments were ready and adapted easily, while others scrambled to install appropriate infrastructure, security, and processes to support remote work. As the threat of the pandemic begins to ebb, some teams will return to traditional work environments while others may consider permanent changes to their office-centric arrangements.

ible, distributed work arrangements, as well as their pitfalls. Allowing internal audit teams to work from home can have significant benefits, but any distributed work strategy must carefully consider all potential security, managerial, and behavioral issues.

BEYOND THE OFFICE
Today’s office environment was born during the Industrial Revolution when workers needed access to paper documents and to be close to other

a primary reason for leaving a job. They desire, and increasingly expect, a flexible work environment. Job flexibility directly improves employee morale and reduces turnover because employees receive tangible benefits such as:

Trust. Allowing employees this type of flexibility sends the message they are trusted to manage their time.

Respect. Flexible work arrangements demonstrate respect for the various pressures and demands employees face from all facets of their lives. This is key for employee retention.

Reduced commutes. Long commutes to and from work can be a primary contributor to unhappiness with one’s job. Eliminating commutes, even for a few days a week, can reduce frustration, give team members a greater sense of control, and provide them extra time on those days when their only commute is to another room in their home.

Belonging. Although it may seem counterintuitive, when employees have flexibility, they tend to be more loyal to the organization. Providing a work-from-home option decreases employee turnover by 50%, according to a Stanford University study published in The Quarterly Journal of Economics.

Increased Productivity Employees who are more satisfied with their jobs tend to be more productive. The Stanford study finds that employees who work at home experience a 13% boost in productivity versus those who work in a traditional office. Employees who telecommute work the equivalent of 1.4 more days per month than do their office-based counterparts, according to a 2020 study by online employment company Airtasker.

Cost Savings When executed as part of a larger infrastructure strategy, allowing team members to work from home can result in significant savings. The increase in employee retention and improved performance can directly influence the bottom line. For many audit groups, though, the greatest savings can be from dramatically reducing the office space required. Even in hybrid operations where team members work at home and at the office, a carefully executed strategy that staggers office-based days can create tremendous savings.

To realize the full benefits of flexible work arrangements, internal audit functions need a carefully executed strategy. This strategy should be built upon four pillars: 1) infrastructure and security, 2) expectations management, 3) communication requirements, and 4) management adaptation.

Pillar 1: Infrastructure and Security
The need to adjust work structures arose quickly with the pandemic. Audit teams were sent home to work and, in many cases, discovered team members had inadequate computers, slow internet connections, and lacked the means to maintain data and access security.

To have an effective long-term strategy, the internal audit function must anticipate these needs and be willing to make the necessary investment. Leaders cannot view such expenses as additive, and instead should see them as substitutions for other investments that would come in the long run.

Ideally, the audit team should prepare a budget that identifies additional expenses for a remote work strategy. This budget should start with a full inventory of all software, hardware, and infrastructure required. For example, audit teams may need to invest in cloud-based software rather than machine dependent software, virtual private network lines for audit team members to protect the data in transmission, encryption software for data storage, reliable high-speed internet service, standardized laptop computers, and mobile phones.

These expenses can appear daunting, but management should be aggressive in identifying cost savings to offset them. Internal audit could easily reduce the hardware and software licenses required in the office. Reducing the amount of office space could provide the greatest cost savings.
Pillar 2: Expectations Management
With a change in workplace structure comes a related change in expectations. For example, an audit manager may expect a team member to be available during certain hours, yet the team member may have different views of the specific hours in which work is to be done. Also, there could be expectations about response time to team members or clients, availability for meetings, and possibly even dress codes for virtual meetings.

Audit teams face a unique challenge because they often have large projects involving multiple team members where each step depends on the completion of a task by someone else. This problem is especially exacerbated when work-from-home arrangements can result in some audit team members working from different time zones.

Too often, the greatest friction arises because there are different expectations that have simply not been articulated. Accordingly, audit teams must develop formal policies that delineate expectations. These policies should be developed collaboratively so team members fully understand the reasoning and necessity for such policies. Because the policies may not anticipate all issues that may arise, managers must revisit and revise them regularly.

Pillar 3: Communications Requirements
Managers should articulate their expectations for team member communication, but they should be accountable for enhanced communication, themselves. Remote work cultures generate a much greater need for communication, because team members no longer have the interpersonal cues available in an office environment.

For example, team members may have difficulty getting information from clients, face roadblocks on projects, get pulled into other projects, or even face personal struggles. Such difficulties need to be communicated to managers so they can adapt accordingly. However, while such communication might come naturally during meetings in an office setting, in remote settings, managers and team members must initiate the necessary communication proactively.

Managers should be deliberate about communicating frequently and, at times, they should even place check-in calls that don’t have a specific work agenda. These connections are critical; otherwise, employees can feel disconnected and not part of a cohesive team. Managers cannot communicate enough.
Pillar 4: Management Adaptation
Changing management’s attitude is the most important and most difficult part of implementing a work-from-home strategy. Audit leaders often cite concerns about a “looser” work environment that would remove elements of accountability and result in reduced productivity, higher costs, poorer client service, and lower quality. They imagine scenarios where team members are easily distracted by their home environment and don’t prioritize work.

At the center of this discomfort is a feeling of loss of control and a major break from traditional methods when remote work becomes the norm. One reason for this feeling is many managers are accustomed to measuring input rather than output. If they can see a team member, then they assume that individual is working.

Simply stated, internal audit managers must adapt and start measuring results. For example, rather than measuring time in the office or hours billed to a job, managers could assess audit project effectiveness by measuring project throughput, trends in audit hours, hour variance from budget, or significance of analysis. Even in office environments, moving to a results-based focus that extends trust to team members can be effective and result in a better workplace culture.

REALIZING THE BENEFITS
The pandemic has provided an evolutionary break from the traditional office-centric paradigm. The work environment was already drifting toward more flexible arrangements that included remote work, but the pandemic hastened this trend and provided a realistic peek inside the new reality. The evidence is clear that flexible work environments enhance productivity, boost employee morale, and reduce expenses.

However, such benefits cannot be realized unless there is a careful approach that delineates expectations and provides clear parameters for audit leaders and their staffs. Each strategy could vary based on the size and nature of the audit department and organization, but any remote work strategy should include the four pillars to provide clarity to the team and generate optimal results.

W. KEN HARMON, DBA, is a professor in the School of Accountancy at Kennesaw State University in Georgia.

TO COMMENT on this article, EMAIL the author at ken.harmon@theiia.org
Spring is a time for growth and renewal. Animals come out of hibernation; flowers bloom across the land. So perhaps this is a good time to talk about special-purpose acquisition companies (SPACs), since they’re also sprouting up all over the place.

SPACs are holding companies designed to go public with piles of money first, then acquire a privately held operating company later — which SPACs are doing right now with great alacrity. According to research firm Deal Point Data, SPACs held 247 initial public offerings (IPOs) in 2020 and raised more than $75 billion to go prowling for private company acquisition targets. Another 300 SPACs held IPOs in the first quarter of 2021 alone, according to audit firm EY, raising another $93 billion for private company acquisitions. So, even more prowling, for even more private company targets.

Moreover, if a SPAC fails to acquire a target within two years, it must give its IPO cash back to its investors. So the pressure is there to do deals, and do them quickly.

That raises serious questions about corporate governance and financial reporting issues. In the last six months, for example, the U.S. Securities and Exchange Commission (SEC) has issued five alerts about SPACs, warning about everything from conflicts of interest, to board composition, to internal control and accounting policies, to the role that celebrity “advisors” play for a SPAC.

One truth seems clear: SPACs are here to stay. “In the U.S., this will be a permanent feature of the market,” says Daniele D’Alvia, a teaching fellow at Queen Mary University in London who is CEO of SPACs Consultancy Ltd. and who has served on boards, himself. D’Alvia is bullish on SPACs as an alternative to traditional IPOs, although he does concede, “Many SPACs are good, but some are dodgy.”

Preparing for the Big Leagues
The most important question for board directors at a private company is whether the organization is fully prepared to merge with a SPAC and live as a publicly traded company. The governance demands placed upon a publicly listed company are enormous, and if the business fails to meet those demands, the directors who agreed to the deal could find themselves facing difficult questions from regulators and shareholder lawyers, alike.

“It’s not about public versus private,” says Ragu Bhargava, CEO of Global Upside Corp., which provides human resources and related back-office functions to companies preparing to go public. Bhargava, himself, has also served on private company boards. “It’s whether you have the right frame of mind, because being public is so very different than being private,” he says. “You have to think so differently about everything.”

When pursuing a traditional IPO, businesses have time to develop that understanding. A traditional IPO might take nine to 12 months, where the board and senior managers work with investment bankers, auditors, and law firms to construct the necessary disclosures, internal control systems, and board composition for life after the IPO. If the process takes more time, that’s not ideal, but typically it’s not a disaster, either.

SPAC mergers invert that process. A SPAC could knock on a private company’s door with piles of cash, and push to close the deal within three months. If the SPAC is near the end of its two-year window to find a target, the pressure to close a deal mounts. The SPAC might offer more money for faster closing — and that’s how mistakes happen.

Even worse, the accounting issues in a SPAC merger are highly nuanced. For example, while the SPAC is the acquirer from a legal perspective, the accounting treatment under U.S. Generally Accepted Accounting Principles is that the private company target is the acquiring business.

We don’t need to get into the details of why that is. The point is that SPAC mergers are complex things, not to be undertaken on a whim. So first and foremost, a private company board should ask itself hard questions about how prepared the business truly is for an exit deal that might come along.

“The most important thing has nothing to do with going public,” Bhargava says. “It’s whether you’re ready to be public. If you’re not, stop right there. Take time and get ready. Then talk about a SPAC or an IPO or whatever you want to do.”

The best way to do that would be a risk assessment from internal audit, answering questions such as:
» Do we have the right senior management — the right CEO, chief financial officer, general counsel, and others? Are they people who have experience taking companies public, or long-time employees accustomed to the private world?
» Do we have the right financial reporting and disclosure controls? For example, is internal control over financial reporting effective? Do we have appropriate conflict of interest policies, and have we disclosed all necessary conflicts?
» Do we have the right board composition, both to decide on a SPAC merger and to continue as part of the listed company’s board of directors? Are they directors who understand, and can fulfill, a publicly listed company’s fiduciary duties?

If companies don’t meet these criteria, and they rush into a SPAC deal anyway, they could find themselves on the wrong end of an SEC enforcement probe or shareholder class-action lawsuits later.

Finding a Good Partner
We also should not lose sight of the role the SPAC plays — particularly the SPAC “sponsor,” which is the management team at the SPAC that raises the money, approaches the targets, and closes the deal.

Somewhat like a proposal of marriage, a private company will need to consider whether the SPAC approaching it is a worthwhile partner for long-term life as a publicly listed company. “From the private company’s perspective, it’s not always about how much cash the SPAC can offer,” D’Alvia says. “It’s about the SPAC’s management, who’s going to be there, the SPAC experts, and the solidity of their business plan, so you know what you can do once you’re on the market.”

Evaluating would-be SPAC partners is likely to become more important over time, simply because so many SPACs are pouring into the mergers and acquisitions world, looking for targets. So SPACs’ standards have gone from profitable private companies, to EBITDA-positive companies, to pre-revenue companies.

“That can generate a concern,” D’Alvia says. “That’s more risky, if you’re not taking an operating company. You’re taking a company that’s making a promise.”

What we don’t know is whether the number of SPACs will continue to mushroom, or whether what we see now is a wave that will recede to more normal levels. (According to Deal Point Data, U.S. capital markets averaged roughly 34 SPAC IPOs annually in the late 2010s, before the numbers skyrocketed in 2020.)

It’s possible that traditional IPOs will revive as the pandemic recedes and the rhythms of investment banking return to normal. It’s also possible that recent SEC policy announcements about SPACs will cool the sizzling market of today. Then there are SPAC stalwarts like D’Alvia: “I don’t see this as the next bubble to burst.”

Regardless, some basics of corporate governance will endure no matter what SPACs do next. “It’s all in how you assess risk, manage it, and then represent to someone that, yes, you have controls in place to mitigate those risks,” Bhargava says. “That’s where the real challenge comes from.”

That was true long before SPACs showed up. It’s still true for the board now.

MATT KELLY is editor and CEO of RadicalCompliance.com, an independent blog about audit, compliance, and risk management issues, based in Boston.
BY J. MICHAEL JACKA
There are seldom good reasons for not maintaining high professional standards.

I have a few regrets from my 30-year history with Farmers Insurance internal audit. Don’t get me wrong, it was a great ride. And I wouldn’t be where I am today (wherever that is) if it weren’t for the opportunities and serendipities that occurred throughout my career. But there were moments where, when I look back, I did a little less than shine.

We’ve all been there — the poor decision, the incorrect conclusion, the act that may have, in retrospect, been beneath our standards. We try for the best, but we know we occasionally fall short.

One regret in particular dawned on me recently. During the last few years of my career, the audit department seemed to lose focus on the importance of meeting assigned due dates. We wanted to meet the dates, but we started believing our own excuses for why things could not be done on time. I vividly remember rushing audits to conclusion because we were preparing the quarterly report for the audit committee and had to have something — anything — to say. And every time we reached the end of a mad dash, we recommitted to doing better. Then the next quarter would arrive, and the same pandemonium reigned.

We often talked about the importance of timeliness, but we never took effective steps to change our processes and start getting the work done on time. And while our work quality had remained adequate, things were beginning to slip. By accepting mediocrity in one area, we were starting to see the impact on others.

We allowed the dates to slip, causing downtimes in the audit schedule. Downtimes negatively impacted the original schedule, and disruption of the schedule meant less time for scheduled audits. Then, because the schedule was impacted, we tried to compensate through better planning. And because of that effort, audit planning became a cottage industry unto itself. Our problem was execution, yet we tried to solve planning issues.

What are you letting slip? Are your reports issued when they were originally planned, or are you buying the excuse that it is just too hard to coordinate the parties involved? Are you identifying true root causes, or are you buying the excuse that there isn’t enough time to develop a broader solution? Are you holding the department to the highest possible standards, or are you buying the excuse that any group of people can only accomplish so much?

And finally, are you fulfilling the promises of the audit profession, or are you buying the excuses that cause you to be second best, constantly promising to do better next time?

There are always excuses. But there are seldom good reasons. And if you are starting to fail — or even starting to accept the most minute of failures — take a look and find the reasons, not the excuses.

J. MICHAEL JACKA, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.
PHIL LEIFERMANN, Business Development Director, Wolters Kluwer TeamMate
JEFFREY SORENSEN, Industry Lead, CaseWare IDEA

How prepared are organizations to assess and mitigate technology risks related to third parties?
LEIFERMANN Organizations are becoming more dependent on technology for their business-critical functions, and simultaneously relying on third parties to provide this technology for infrastructure and services. This means that the level of technology risks, and specifically technology risks related to third parties, is continually increasing. Although organizations are identifying, assessing, and mitigating technology risks, this is often more focused on what happens inside their IT departments, rather than what happens outside the organization in their service providers. Accordingly, organizations need to do more to manage technology risks related to third parties, to minimize both the likelihood of these risks occurring and the impact if they actually occur.
SORENSEN Most organizations engage third parties to take advantage of specialization and cost savings. If the internal audit function is not a key player in the foundation of these underpinning agreements, organizations often have limited ability and access to make an independent assessment of the control environment of third parties. Most organizations have little ability to manage risks in third parties, and trying to change an existing agreement to gain additional access rarely happens.

What are the biggest technology risks related to third parties?
SORENSEN There are many risks associated with outsourcing operations to third parties, but broadly speaking, they fall into these categories: process integrity, data governance, and cybersecurity. Data is the currency, and protecting it from misuse, errors, and exposures to unauthorized parties is required; otherwise, the entire purpose of outsourcing will be lost. Sadly, most organizations realize this only after suffering a data breach or a public relations disaster.
LEIFERMANN The biggest technology risk related to third parties is cloud computing, as organizations are using more and more cloud services for both infrastructure and systems. Not only does cloud computing present risks in and of itself, but it also presents risks related to legal, compliance, privacy and data breaches, as well as consequential risks related to the organization’s reputation. Other technology risks related to third parties include artificial intelligence, robotics, virtual and augmented reality, blockchain, 5G, and the Internet of Things.
How should internal auditors be using data analytics to assess third-party risks?

LEIFERMANN Although internal auditors have been using data analytics for more than 30 years, many internal audit departments have struggled to get value from them. Recently, we have seen two trends related to risk assessments — more regular risk assessments and data-driven risk assessments. More regular risk assessments move away from traditional annual assessments to quarterly, monthly, or even continuous ones, while data-driven risk assessments use data from business systems to support these assessments. Data-driven risk assessments provide a great opportunity to use data analytics to regularly analyze this data, including data related to third parties, and identify trends related to business-critical risks, thereby getting more value from the data analytics.

SORENSEN Like any integrated audit, a risk assessment should be performed. Once key controls are identified, data analytics can efficiently hone in on control breakdowns. However, with outsourced operations, this can be difficult, for internal audit often will not have access to any data beyond what is contractually obligated. High-level service agreement metrics often hide underlying problems, and internal audit needs to push for details on how those metrics were calculated. Again, timely access to underlying data should be in the agreement from the beginning, or data analytics will have limited success.

How can CAEs raise organizational awareness of these risks?

SORENSEN Chief audit executives (CAEs) can often make the greatest impact on executive leadership via anecdotal evidence. There is no shortage of stories in the media about fraud, hacks, exposure of sensitive information, and ransomware. Presenting the audit committee with a similar scenario and asking for a concrete action plan often brings the point home with decision-makers. Even so, internal audit needs to take a lead role in all arrangements with third parties. If it is late to the party, there could be repercussions for years to come.

LEIFERMANN Working with their risk management departments, CAEs can raise organizational awareness of technology risks related to third parties. However, there is a distinct difference between their responsibilities, with risk management departments responsible for assisting management in managing technology risks related to third parties at the second line, and CAEs responsible for ensuring that all technology risks related to third parties are appropriately managed at the third line. CAEs should ensure that third-party technology risks have been identified and that controls in place to mitigate these risks have been assessed, and where controls are absent or lacking, that these deficiencies are raised with management for corrective action.

What are the technology risks related to fourth parties?

LEIFERMANN By looking at our third parties, we are attempting to ensure that the technology they use provides reliable and secure infrastructure and services. However, our service providers also rely upon third parties — our fourth parties. For example, our third party is an IT company that hosts our data center, but its third party is a telecommunications company that manages the high-speed connection between this data center and our head office, making it our fourth party. In the same way that internal audit ensures that all technology risks related to our third parties are appropriately managed, internal audit should also ensure that our third parties identify, assess, and mitigate their technology risks related to their third parties.

SORENSEN Many organizations do not realize how common fourth parties are. Increasingly, the outsourcers are themselves outsourcing to even lower cost countries, making it extremely difficult to limit access and effectively protect the information. Logical access control, cybersecurity, and control over information become extremely challenging and virtually impossible to legally enforce across multiple countries. From an operational perspective, communication becomes a nightmare, and accountability is very difficult to establish in the event of failures. The only times I have seen this work successfully are when the first-party company controls the IT systems and uses third and fourth parties as a workforce, while still retaining ownership and transparency over the data at all times. To the greatest extent possible, service agreements should grant complete transparency over information, at all stages of processing, or third-party arrangements can change from assets to liabilities.
BY BHAVIN RAITHATHA

Auditor competencies must extend well beyond functional expertise and technical skills.

Knowledge and traditional skills are essential to success, but they can only take an auditor so far. Even for the most adept practitioners, objectives cannot be achieved merely with intelligence, technical proficiency, and expertise. To work effectively with clients, internal auditors need strong soft skills — many of which fall under emotional intelligence, or emotional quotient (EQ). Emotionally intelligent people understand, accept, and manage their own emotions, and they can read the emotions of others. Internal auditors with high EQ treat people with empathy and can manage feelings and relationships just as well as objective, quantifiable engagement goals. Emotional intelligence is vital to fulfilling our professional responsibilities.

Perhaps most importantly, having a high EQ enables practitioners to communicate effectively. Assessing the organization’s risk management framework, developing a risk-based audit plan, obtaining management agreement in response to audit results, and reporting to the audit committee all require extensive, careful interaction with stakeholders. Internal auditors need to communicate well across all levels of the organization, ensuring a robust understanding of their value proposition.

To ensure communications are well-received and acted upon, internal auditors also must be able to build relationships — another area requiring high EQ. Audit engagements are a team effort between auditor and client, requiring practitioners to balance professional skepticism with the need for rapport. They must ask probing questions related to risk and controls but avoid putting clients on the defensive. Taking the right approach requires empathy and social skills — key elements of EQ.

Delivering quality work, and maintaining engagement schedules, also requires auditor EQ. Multiple deadlines, heavy workloads, and other pressures can take a toll on audit performance — and even lead to burnout if not managed correctly. But according to The Impact of Emotional Intelligence on Auditor Judgment, published by Virginia Commonwealth University, auditors with a high degree of EQ manage pressures and timelines better, exercise superior judgment, and maintain professional skepticism. The result is a better experience for both auditor and client, and a superior outcome for the organization.

The World Economic Forum’s 2020 Future of Jobs report ranked EQ among the top 10 high-demand skills for organizations; just five years ago, it was absent from the ranking. High-EQ professionals are sought more than ever for the value they can deliver to stakeholders. And in an era of increasingly sophisticated technologies such as artificial intelligence, the ability to manage and respond to emotion is a key trait separating the work of people from that of machines and automation. EQ-related competencies need to be an integral part of every role in an organization, and they must certainly be a top priority for internal auditors.

BHAVIN RAITHATHA, CA, CS, CISA, is assistant manager, Group Internal Audit, at RAKBANK in Dubai, United Arab Emirates.