Internal Auditing Flashcards by John Jonah Jameson Jr.

How well did you know this?

Not at all

Perfectly

No 1 Attributes for Auditors who want to be change agents:
General business acumen:
- Financial
- Marketplace
- Operational
- Technology
- Strategic
Know your business : “Our IAs do a great job, but I wish they knew our business better” Credibility.
Being strategic. We need to have a strategic plan for IA. Look beyond the horizon. Can we have a 5 year strategic plan - what capabilities do we need
Be perceptive and connect the dots.
Be assertive, but be patient and persistent and flexible.
Ability to build and sustain relationships.

How well did you know this?

Not at all

Perfectly

How well did you know this?

Not at all

Perfectly

Good qquestion to ask: Does our advice transcend into real value for the organisation?

How well did you know this?

Not at all

Perfectly

The issue with Internal Audit: Unfortunately, internal audit’s efforts are often lost in translation.
We have difficulty explaining our mission. We don’t make a strong case
for change because we don’t speak our customer’s language. We struggle
to understand what’s important because we tend to “tell” instead of
“ask.”

How well did you know this?

Not at all

Perfectly

consider a process that has weak controls to comply
with a regulation. In conjunction with the internal customer, assess
the cost of noncompliance. For example, if noncompliance could
result in fines and penalties of $500,000, civil suits of $1,000,000,
and loss of revenue of $5,000,000, total perceived benefits would be
$6,500,000. Now consider the same for perceived cost of auditing to check for compliance.

How well did you know this?

Not at all

Perfectly

of a

You can assess if Internal Audit is adding value by asking a few simple questions.
* Is the customer willing to pay for audits?
* Is the customer cheering for audit’s participation on projects?
* Does the customer call internal audit when a significant
problem
arises?
* Has internal audit been involved in change that had a positive
impact?

How well did you know this?

Not at all

Perfectly

Traditionally, the audit profession has focused on assurance services.
The Institute of Internal Auditors defines assurance services
as “an objective examination of evidence to provide an independent
assessment of governance, risk management, and control processes
for the organization.”

How well did you know this?

Not at all

Perfectly

How well did you know this?

Not at all

Perfectly

What is most critical to the executive team? Meet with them
to understand their needs. Do they reference structural and
process inefficiencies, excessive cost of operations, or budgetary
pressures? All of these may be indicative of opportunities
to add value.

How well did you know this?

Not at all

Perfectly

Seventy-one percent of Internal Audit Departments did not measure value provided to management through quantitative methods. For those that did quantitatively measure value, 61% used customer surveys, 42% measured cost savings in dollars, 40% measured
cost avoidance in dollars, 35% cited the number of controls improved, 35% measured revenue recovery in dollars, 33% stated number of findings, and 33% said the number of major risks mitigated. Note that respondents could chose all that applied.

How well did you know this?

Not at all

Perfectly

How well did you know this?

Not at all

Perfectly

Internal Audit’s (Larry’s) value proposition was “Creating Positive Change with a Sense of Urgency.”

How well did you know this?

Not at all

Perfectly

One of the questions I typically ask is “If one thing could change to make your job easier, what would it be?”

How well did you know this?

Not at all

Perfectly

When I met external stakeholders (my customers), my first question was simple. What do you think of internal audit? Some people weren’t aware of internal audit’s purpose. Others had negative views. The one theme that consistently came through was one of constraint.
There was a perception that internal audit was at the company to constrain
innovation and collaboration because it was focused on compliance.

How well did you know this?

Not at all

Perfectly

Internal audit’s brand was the polar opposite of the company’s value proposition and mission. Significant change was needed. I followed basic system theory: inputs, process, and outputs. Inputs are the data and information needed to understand the current
state and customer expectations for what a value-added internal audit organization looked like. Process was the infrastructure to enact the change required. Outputs represented the tangible changes and the types of services to be offered by internal audit.

How well did you know this?

Not at all

Perfectly

Does the internal audit organization view itself as a necessity arising out of its charter and mandate or does it view itself as a source of value for the company.

How well did you know this?

Not at all

Perfectly

The audit may be on the audit plan as a result of the company’s
risk assessment—perhaps an urgent or emerging risk or developing
regulatory requirement—justifies looking at a particular process or set
of controls. It’s important to connect that justification to the customer’s
own interests. How does it relate to the customer’s goals, objectives,
and strategic plan? Translate the need in customer terms. Having a
meaningful value proposition for every audit or project creates buy-in
and engagement.

For example, an audit of information security was included in the
audit plan because the cyber threat to the company is constantly evolving
and the executive team needs assurance that the program is effective
at addressing cyber risks. A value proposition for the executive
team and the Chief Information Security Officer (CISO) could be
“Internal Audit will provide assurance about whether the information
security program can support customer growth of 25% over the next
24 months.”

How well did you know this?

Not at all

Perfectly

Traditional Objective Statement: “Verify that controls are effective and
efficient to comply with Sarbanes–Oxley regulatory requirements.”
Value Proposition Statement: “Assess Sarbanes–Oxley controls in
preparation for the Company’s initial public offering.”
We could easily substitute the “initial public offering” with whatever
the current strategic plan reflects—perhaps its growth, a planned
acquisition or merger, or cost optimization effort. The key point is
that internal audit is not simply justifying the audit on the grounds
of an existing regulatory requirement—we are illustrating value to
the customer beyond compliance and approaching the audit with the
expectation of value-added deliverables.

How well did you know this?

Not at all

Perfectly

How we approach the audit is equally important. What specific
value-added deliverables will be provided to the customer during the
review? Without thoughtful planning, audits may focus entirely on
answering questions about compliance or the effectiveness of controls.
Every engagement should provide “ah-ha” moments and golden nuggets
for the customer. Dr. Carlson described golden nuggets as a key
to success that might be in the form of “a new, enabling technology,
a relationship, a novel manufacturing process, or a new business
model.”

For example, performing a process analysis using the SMART system, described in the Change Management and Process Optimization Factor, could reveal low value activities, duplicative controls, or ways the customer can better meet objectives. Golden nuggets could be provided by enabling customers to better understand their business through data analytics. Benchmark information regarding industry and peer company practices
provide valuable insights too. Each of these examples necessitates conscious planning and setting expectations for the audit team early in the audit process.
We also need to provide a full accounting of costs too. Audit recommendations tend to be cost additive because new or enhanced controls are being recommended. Helping management understand the net benefit of a change drives buy-in. Make it as easy for customers to understand your value proposition in all that you do.

How well did you know this?

Not at all

Perfectly

Competition to IA: What are the alternative solutions (competition) to performing
the audit. The company could pull together a cross-sectional project team or hire an external consultant. Maybe there’s another group within the company that does special projects. What makes internal audit stand out as the best option and how do you convey that to the customer?

How well did you know this?

Not at all

Perfectly

Cost of an Audit: Estimate the total cost or what we’ll call an “investment” in an audit. Three auditors working eight, 45 hour workweeks, at $75 an hour represents $81,000 in cost.
Two customers dedicating two, 45 hour workweeks, at $75 an hour to support the audit represents $13,500 in cost. Therefore, the overall investment for the audit would be $94,500 ($81,000 + $13,500). Ask yourself—Wouldn’t you occasionally check an investment account
worth $100,000? Like personal investments, we want to monitor the company’s investment in completed audits.

How well did you know this?

Not at all

Perfectly

Follow up after a project is complete, and ask whether recommended changes are working as intended. Inquire about collateral effects. If an unnecessary control was eliminated, did policy exceptions arise? When an operational efficiency was implemented, did business workflow continue to operate smoothly? Ask whether further changes to the original management action plans would support customer success. Auditors typically
verify that management action plans have been completed but don’t ask about how the action plans affected operations.

How well did you know this?

Not at all

Perfectly

Building commitment means being available and ready. Audit teams should be flexible—setting aside unscheduled hours to respond to customer requests. We need to walk the walk. Theodore M. Hesburgh said, “Unless commitment is made, there are only promises and hopes…but no plans.” Reserve between 10% and 30% of audit hours for customer and management requests once relationships have been established. Flexibility is particularly important in the age of business agility. Audit teams must be agile

How do we do this in AF?

How well did you know this?

Not at all

Perfectly

PErspective: Many employees whose businesses are being audited have held their roles for years. Along comes the well-intentioned internal auditor. The auditor offers advice, undervaluing the customer’s experience. Internal auditors have a reputation for prescribing solutions, despite a lack of deep knowledge about the subject matter, and can seem authoritarian. Every auditee has experienced this at one time. Appreciate and respect the significant experience of customers. Be mindful of internal audit’s limitations. We must center our perspective on the needs of customers and not ourselves.

It’s critical to know and understand your customer. Do some sleuthing. Talk to those that understand them best. Who’s worked with them in the past? I’ve worked for four CFOs and three Audit Committee (AC) Chairs over the past 7 years. You can bet each is unique with varying expectations. Look to a broader network—who has worked with them at other companies? What are their pet peeves? Develop a list of promoted and avoidant behaviors for key relationships (CEO, CFO, AC Chair, etc.). Break down these do’s and don’ts into categories such as verbal communication, written communication, meeting protocols, work product/deliverables, and general expectations.

Use well phrased questions: With the slightest provocation, our ability to apply reason and logic can drop by 75 percent,” she says. “Using questions instead of statements can also help avoid triggering emotional hijacks in others. Our feeling mind wants to sense that we are included, autonomous, competent, valued, respected, and safe.

Imagine an opening meeting where an auditor says there are issues with a process. A barrier goes up and a fight instinct sets in immediately. The tone has been set. The customer views the auditor as biased, fears for their job, and may work to undermine the effort. Instead, we could ask what areas would be helpful to evaluate. The customer is now positively engaged by providing input on the objectives and scope of the review, and buying into the direction of the audit. They’re invested. Emotional barriers are down allowing cognitive skills to engage.

Opening Meeting—Contrasting Examples As a Statement: * We will identify controls weaknesses. As a Question: * How can we best add value? * Are there areas on which we should focus? * What is your vision of the ideal process?

Authenticity

Trust is the foundation of successful, long-term relationships. The same holds true for internal auditors and their customers. Internal auditors are challenged by competing demands as an advisor, a confidante, and a protector of shareholder interests on behalf of the board of directors. The more seasoned auditor understands that not all issues require raising the alarm bell to management or the Audit Committee. Many matters can be resolved through collaboration and problem-solving. So long as it’s not a matter of ethics or fraud, many issues can be handled at the process owner level by partnering to improve controls around a process. When it is necessary to raise an issue to the executive team or Audit Committee for nonfraud- related matters, it’s critical to afford customers the opportunity to fully understand the issue first. Before any audit observation is finalized, we should always explore mitigating control practices. If not, we are failing to provide fair treatment and proper context. This means providing an opportunity to explore compensating controls. Here we play an important role as process and risk experts. We facilitate the discussion. Customers are focused on achieving their goals and may not recognize that other practices are controls. Leading this dialog builds trust by demonstrating an investment in their success and adds value by helping them better understand their processes. It can also lead to optimizing the control structure. Perhaps the informal compensating control is more meaningful than the official control, and duplicative controls can be eliminated.

Achieving trust happens when we’ve demonstrated a pattern of helping our customer achieve their objectives. As Richard Chambers, the CEO of the IIA, says in his book Trusted Advisors, “We can’t just show up, articulate our views about risks, and expect people to heed our advice without first earning their trust. Neither can we expect them to respond favorably to our assurance work.” So how do we do that? We need to engage early and often and find opportunities outside of formal audits to provide value. One simple way to build trust is to consistently share meaningful information. Research regulatory developments, emerging practices, and current events that potentially impact your customer. Send a simple email saying, “I came across this article and thought it may be of interest.” The context should be nondirective.

A lack of transparency creates suspicion and destroys credibility. Likewise, never give the impression that “everything is fine,” and then surprise the customer at the closing meeting with a new observation or potential issue. Those surprises are unwanted guests at the closing meeting that create long-term, if not permanent, trust issues.

Harry Gordon Selfridge said, “Goodwill is the one and only asset that competition cannot undersell or destroy

Different customers will have different expectations. Ask customers what they value in terms of communication, when they want to hear from us, and how they want us to communicate with them. We have a broad set of customers: the AC, the executive team, internal process owners, employees of the company, and external parties, such as regulators. Each one will have different expectations around communications.

ARC communications: * New and useful insights. AC Chairs will be interested in your perspective and concerns vs. executive management. * A heads-up about potential controversial topics prior to the AC meeting. Connecting the dots between the results of audit work and board priorities. * Benchmarking information vs. other organizations. * A summary of the quarterly report prior to scheduled AC meetings. * Information on risks before realization. Add deep dives of risk discussion topics to quarterly agendas. * Connection between AC discussions and other board of director committee topics of interest. * Current topics being discussed by outside boards. * Insights into the tone at the top. * Anything additional that helps AC members fulfill their obligations as it relates to internal audit. * What’s working in enterprise and within the internal audit organization.

Executive Team Communications: * Emerging risks and potential solutions and options for resolving. * Observations on the tone at the middle. Are middle managers on board with the company’s strategic direction, goals, objectives, etc.? If not, what is the feedback? * Cost-saving opportunities. * Meaningful and relevant external benchmarking and industry data and a translation as to how it applies to the organization. Take the additional step to compare to company data. * Keeping them informed about what’s on the horizon and items that may impact strategy. * Insights into the big picture of the enterprise. * Information on what is being communicated to the AC Chair. Be as open and trusting in communications as possible. Leadership is generally concerned that you are “telling” the AC something they they aren’t aware of. Be transparent and open in both relationships.

Cyberattacks, human capital problems and business continuity pose the three biggests risks to organizations, EY said, citing a survey by the Internal Audit Foundation. “Although risk levels may vary from region to region, the areas of highest effort for internal audit are generally similar,” EY said. “The top areas of audit effort, worldwide, were as follows: 1) cybersecurity, 2) governance/corporate reporting, 3) business continuity, 4) regulatory change, 5) financial liquidity, and 6) fraud.”

Taken from the CFO Magazine report on Audit Committees

Have I connected the dots for the reader regarding larger risk questions? Where risks are noted in the report, have they been correlated with the bigger picture for the enterprise? Are the risks disclosed meteors or pebbles? Does the report clearly articulate that they are being addressed by management action plans?

Does the report tie to customer goals, strategy, objectives, and tactics? Have risks been described in monetary terms? If so, has proper context been provided? For instance, “non-compliance could result in monetary fines up to $100,000 per instance, but this has rarely occurred.” * Have the issues in the report been presented in terms of a value proposition for the customer? Do the observations clearly articulate an urgent need related to the customer’s interests? * Would the customer be willing to “pay” the result, if this was provided by an external party or consultant?

Exhibit 2.10 Report Expectations Matrix EXPECTATION SATISFACTORY? (Y/N) Tone □ Context □ Data supporting results □ All relevant stakeholders considered □ Fair and balanced □ Credit for effective processes □ Suitable for multiple audiences □ Connects the dots on risk □ Repeat issues disclosed □ Value provided □ Ah-ha realizations provided □ Clarity for conclusions □ Consistent structure □ What, how, why, and when □ Link to customer goals, strategy, objectives, and tactics □ Monetary linkage □ Articulated value proposition □

For years I’ve been asking customers, “What do you think the audit opinion should be?” vs. telling them the audit opinion. It’s a good test as to whether internal audit has been collaborative and transparent throughout the audit process. When an audit has been collaborative, I’ve found there is consensus on the overall audit opinion, the customer is responsive to the results, and the risks identified are swiftly addressed. Eventually, this led to the elimination of audit opinions. Observations and risks were clearly communicated, and the dreaded audit opinion was no longer the focal point of the review. There are plenty of audit teams and customers that spend countless hours debating audit opinions. I’ve known auditors that relish the moment an audit opinion is revealed. Those discussions frequently happen at the end of the audit and create a lasting impression. Who wants to be told they are inadequate? Yes, we primarily audit processes, not people—but it’s difficult for a customer not to take a negative opinion personally. What really matters is whether positive change happens!

Commit to customer success. Take time to understand customer priorities. Nurture the relationship. Grow your customer garden—providing nourishment, energy, and light. Check your investments in customers—reaching out to them throughout the year and after audits are completed to check on unintended impacts. Be ready, available, and flexible—committing means being there for our customers when they need us. Go above and beyond every time to help them solve a problem.

Executives responding to the World Economic Forum’s 2015 Technological Tipping Points Survey said that 30% of corporate audits would be conducted by artificial intelligence by 2025. This is consistent with the Oxford Martin School study in 2010, which predicted that 47% of US jobs would be lost to automation within 10–20 years. Ignoring the realities of the future will lead to obsolescence.

Our job is to always be in development mode, learning the newest technical and soft skills necessary to deliver value for customers. We must be our own talent agents, mindful of our ability to anticipate, and meet customer needs, sometimes before they know what those needs are. Therein lies the importance of the Talent Factor. Having skills to meet future customer requirements is foundational to thrive. Each of us needs to take personal responsibility

Ethics investigation results. Salary information. Pending company acquisitions. Internal audit has access to a vast amount of confidential information. Trust is critical. The executive team understands that internal audit has a duty to provide the Audit Committee insight on the risk environment. If you’ve formed a trusting relationship with your customers, leaders, and Audit Committee, minor mistakes will be overlooked. On the other hand, not having developed trust can create grave circumstances when mistakes occur.

What internal audit projects/opportunities would the team member like to pursue this year? * Does the team member want to remain in internal audit near term or rotate to a different role? * Identify roles and positions outside of internal audit that are realistic possibilities.

A boss is bossy. A leader leads. A manager manages.

Building a Competency Model The competency model is designed to reflect the company environment. Consider the following: Strategic objectives Technical ability Leadership Professional knowledge People/teaming

Strategic objectives * What are the company’s strategic objectives? * How do the objectives relate to internal audit’s mission? Translate each objective into internal audit goals. * What skills are necessary to achieve those goals? * How will performance against those goals be measured? * What behaviors demonstrate success?

Technical ability * What technical abilities are necessary to support goals and objectives? Consider skills in audit technique, critical thinking, information systems, process improvement, and data analysis. Pay special attention to industry and company-specific skills that support strategic objectives (e.g., manufacturing). * What type of job experience is required? Who will the audit team be interacting with? If the company is an engineering firm, will engineering expertise help the audit team assess engineering processes? If it is a healthcare company, will experience in evaluating healthcare systems be important? If the company works with government, will government experience be essential? * What behaviors demonstrate technical competence?

Leadership * What leadership qualities enable success at the company? Is it a command and control organization or a collaborative environment? * How is honesty and integrity demonstrated at the company? * How is reliability and dependability demonstrated? * How is courage exhibited? * Does the company culture encourage calculated risk taking (ethical risk taking)? * What behaviors reflect transparency? * How can auditors demonstrate accountability?

Communication and influencing * How do successful people and teams communicate at the company? * How is change influenced? * How do facilitators manage change? * What writing skills are necessary? * What presentation skills are necessary?

Professional knowledge * What professional certifications are needed? Consider the usual, such as Certified Internal Auditor, Certified Public Accountant, Certified Information Systems Auditor, but also nontraditional certifications such as Project Management Professional Certification.

People/teaming * What types of coaches and mentors would be helpful to encourage and accelerate talent growth? * How does the company recognize individual and team success? Translate to team behaviors. * How is organizational capability grown? * How is talent identified?

The International Standards for the Professional Practice of Internal Auditing (The Standards) states, “The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance. At the end of the day, companies and process owners are looking to meet their objectives, which requires identifying and addressing risks that prevent achieving those objectives. The Standards also state, “When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. So, there is a fine line for us to follow between leading risk awareness and managing risks.

A risk is anything that prevents the achievement of an objective. It covers strategy, operations, reporting, and compliance. Risks are ever present, continuously evolve, and have varying velocity. They are present at the highest level of an entity with broad potential impact, down to the individual worker striving to fulfill responsibilities. Risks are interdependent, driving complexity. Too often, risks are viewed in silos. For instance, two lower levels risks may drive the likelihood of other negative events occurring, creating a higher overall risk. An individual high or critical risk that management is comfortable accepting may be unacceptable when married with another high or critical risk. The realization of one risk may increase the likelihood that other risks will occur. Internal audit needs to help management make connections between risks and overall risk levels.

Capture the following information for each major risk: * Overall risk title: describes the risk in two or three words. * Risk description: a more detailed description of the risk including circumstances that make it relevant and the impact of the risk, if it were realized. * Influencers: factors that are influencing the risk to be more significant. * Near-term issues: the immediate concerns that management should be addressing related to the risk. * Management levers and initiatives: actions that management is taking to mitigate the risks. This is a high-level description of the action. A more detailed action plan/s should be documented and tracked separately. * Suggested audit actions: a description of how the top risk relates to the audit plan or other actions that internal audit may take, such as monitoring of a business activity.

Various operations help an organization achieve its objectives. Using the categories below, or other categories consistent with the organization’s operations, rate the desired risk appetite related to the following (rating can be broad, such as high, medium, or low, or precise, such as specific metrics that should not be exceeded): a. Meeting customer requirements b. Employee health and safety c. Environmental responsibility d. Financial reporting e. Operational performance f. Regulatory compliance g. Shareholder expectations h. Strategic initiatives/growth targets As you rate each category, indicate areas where you believe the organization is taking either too much or too little risk in pursuing its objectives.

How would you rate the effectiveness of the organization’s process for identifying, assessing, managing, and reporting risks in relation to the overall risk appetite? What are the major areas for improvement? * Are management’s strategies communicated sufficiently for there to be meaningful discussion of risk appetite in pursuit of those strategies, both at the broad organizational level and at the operational level, and for consistency to be analyzed? * How satisfied are you that the board is providing effective oversight of the risk appetite through its governance process? This includes board committees and/or the board itself to help set the appetite and to monitor over time that management is adhering to the overall risk appetite in pursuit of value. * Whom do you see as more accepting of risk or more willing to take risks to meet the goals of the organization? a. Management b. Board c. Management and board have similar levels of acceptable risk * Does the organization motivate management (senior management and operational management) to take higher than desired risks because of the compensation plans in place? If yes, how do you believe the compensation plans should be modified to bring approaches for generating high performance within the risk appetite? * What do you believe the organization should do? a. Reduce its risk appetite b. Increase its risk appetite c. Make no change * Do you believe there are risks considered to be above the organization’s existing risk appetite that need to be reduced? In other words, are there areas where the risk appetite, as currently used, is too low? * What risks over the past 5 years were, in your view, above the organization’s risk appetite? Were the risks understood when a strategy was developed? How could management have communicated its risk appetite so that the board could both (a) evaluate the risk appetite and (b) provide proper oversight? How could management have communicated its risk appetite so as to hold operational units to actions consistent with the risk appetite?

Risk Assessment at a Department / Sub-Department level: Likelihood of the risk occurring. Rate on an agreed upon scale (e.g., 1–3 or 1–5) * Impact of the risk occurring (operational, compliance, financial). Rate on the same scale used to rate likelihood * Controls in place to mitigate the risk * Perceived residual risk considering the controls identified Rate on the same scale already used * Total risk score (residual risk × risk impact) * Risk velocity (increasing, steady, decreasing) * Linkage to ERM top risk, if there is one. Where there is correlation with a top five risk, it is noted.

Defining Impact Impact is the severity of the effect on meeting the objective for this process and negative consequence. High impact indicates objectives will not be met resulting in a significant financial impact (>$ material to the company) that is not covered by insurance nd includes fines and penalties, customer reimbursements, and inability to bill for or receive revenue. Severe operational impacts could include loss of life or injuries, critical systems being unavailable for more than X days when needed, a breach that results in loss of government information or critical intellectual property, or an inability to meet contractual deliverables. Compliance impact could include external regulatory action such as debarment, disqualified business systems, credit downgrade, or other actions that significantly alter the ability to operate. Medium impact indicates a moderate financial impact ($ range based on risk appetite) to the company, operational disruption that lasts less than X days, and compliance issues that result in regulatory corrective action short of systems disqualification. Low impact indicates minimal financial impact (<$ a specified based on risk appetite) and negligible operational/systems disruption (intermittent or less than an hour), while objectives will still be met.

Risk questionnaire to employees: Ask employees to rate their level of agreement with each of the following six statements with a rating scale of “strongly agree,” “agree,” “neither agree nor disagree,” “disagree,” or “strongly disagree.” * I have the knowledge and training to meet compliance requirements associated with my job. * I am encouraged to ensure that financial records are accurate and truthful, regardless of the financial impact. * I am encouraged to follow policies by my manager. * My manager consistently demonstrates high standards of ethical conduct. If I reported a violation of the Standards of Conduct and Ethics to my manager, I believe appropriate action would be taken. * I know what action to take if I become aware of unethical or fraudulent behavior.

The second part of the survey can ask employees to “tell us in a few words, what you believe to be the single most significant risk facing the company.”

Division Risk Landscapes Partnering with division business leadership—the various sectors or divisions within a company—to develop Division Risk Landscapes can add real value. Division Risk Landscapes can capture a summary profile of the division (locations, staffing, turnover), compliance statistics, top risks for the division, higher risk initiatives, and major customers. The purpose is to facilitate risk discussions with the division presidents and determine whether internal audit engagement is needed. The landscapes can be shared with the CFO and CEO.

Some key facilitation questions to consider asking during a risk workshop: * Has anyone else faced a similar circumstance? * How would/does “X” impact the organization? * Are there any unknowns about “X” that the group should consider? * What are other companies doing to address “X”? * Does the function or organization have the resources necessary to address the risk? * Does the risk rise to the level of concern that it should be communicated to the executive team?

Added Value Factor = Perceived Benefits / Perceived Costs If the AVF is less than 1.0, reassess whether it is appropriate to invest internal audit resources. For management requests and consulting engagements, we need to ask the question, why should we do this project? As part of the analysis, estimate the potential benefit vs. cost of taking on the effort as outlined in the introduction. Determine whether there is executive support or if the request is supported, for instance, by middle management only. Without executive support, it may be difficult to apply resources to resolve the problem during the improvement phase. Determine the time period for resolving the problem. Projects that extend beyond 12 weeks may encounter changing business circumstances. There may be changes to processes, systems, and people that impact the initial problem statement. Resolution of the problem may be less meaningful to the customer if it takes too long. Generally, speed of delivery is considered a value-added benefit.

For an audit, first state the following clearly: Clear problem statement Understand who the customers are : who is the core customer, who can support, who should be consulted, who should be kept informed. Determine how each customer wants to engage on the project. Determine the data required - internal/external (benchmarks) data; which of it is produced? Who produces it? Do we need external parties or expertise to conduct the audit Clearly state the vision for the project. A vision statement is a compelling vision of what the future state would look like if goals are accomplished.

Vision Statement Look into the future imagining the improvements are in place and have been implemented for a sustained amount of time. The vision statement should * Be concise with one or two sentences at most * Include the AVF based on data * Avoid outlining the solution * Be forward-looking and positive * Cover a specific period of time and be measurable * Describe the impact to the business * Describe the gap between the current and future state in neutral terms

Desirable and Undesirable Effects of steps within a process: The next phase of the workflow assessment is looking at Desirable Effects (DEs) and Undesirable Effects (UDEs) in the process. A DE is anything that positively impacts the performance of the process, supports customer achievement of objectives, or leads to customer value. A UDE, also known as a “pain point”, is anything that negatively impacts performance of the process, prevents the customer from meeting objectives, or leads to customer dissatisfaction or non-value.

Be a part of improving the process: Now that the root causes have been selected, we need to support the customer in designing a solution. Internal auditors are sometimes hesitant to help design management action plans for fear of impacting objectivity and independence. The bottom line is that the customer is the ultimate owner and has the final decision on design. Avoiding design assistance can leave the customer feeling unaided at a crucial point in the process.

Finding and implementing solutions: Too often, solutions and management action plans are designed in a vacuum with little information. We need to bring together the “core customers” and a selection of “consulted customers” to brainstorm potential solutions. By engaging consulted customers early, we collaboratively design the solution, which leads to quicker acceptance. There are many instances of internal auditors making recommendations, which the auditee feels compelled to implement, without consideration for downstream impacts. There is also a reluctance among some internal auditors to consider all of the options to resolving a root cause. This is driven by lack of creativity, time constraints, and pressure to issue reports, poor customer relationships, and lack of subject-matter expertise.

The last step in the change process is to track the progress of the changes made. Inherent in tracking is a need to have clearly identified action owners, as well as metrics. We also want to make sure that the change is institutionalized. This means updating policies and procedures, training programs, and finding additional champions to make sure the change takes hold.

Serially successful innovators have a method to support their achievements. Likewise, internal auditors need a system to help customers improve processes, identify cost savings and efficiencies, accelerate change, and design the best future state solutions. In other words, a method to consistently deliver value. The SMART system offers such a system. SMART raises the value of audits and special projects for our customers. Start by stating and understanding the problem to be addressed. Measure current practices and business workflows for understanding. Analyze the root causes of UDEs and pain points. Prioritize resolving the most impactful root causes. Refine solutions to address the desired future state. Make certain to anticipate things that could go wrong and update designs to address potential failures. Track the solutions and validate whether the expected value has been delivered. If it hasn’t, revisit the solution and iterate. Remember that solutions should be dynamic and responsive to new circumstances and conditions.

Data Analytics: We leverage software to perform data analytics, but in order to achieve value-added results, we need to understand which questions to ask, what relevant data to examine, and how the problem relates to the data. We need to decipher what is important and what is not. Data analytic software is only as effective as the person behind the design of the analysis. It’s really about critical thinking skills.

Data analytics provides powerful value to the enterprise including insights on how to reduce the cost of operations, recover and optimize revenue, monitor compliance, lean out business processes, optimize information systems, and detect fraud. We are able to eliminate random or haphazard sampling for testing by using data analysis. Instead, we can analyze 100% of transactions and focus on outliers for further examination.

What if the opening meeting included profiles of the customer’s data with insights and trends? I believe a meeting should not happen unless there is value derived for the customer. We need to conceptualize the possibilities for the operation being analyzed. Consider the following: * Is there an important problem to solve? If so, what is the problem? * What do we envision as the outcome for the analysis? * What value will be provided? What are the perceived benefits? * At the end of the analysis, what “ah-ha” moment are we looking to provide for the customer? * Will the customer’s fundamental thinking about their operation change?

Partner with the customer to identify his or her priorities for the analysis. Understand the operation before analyzing the associated data. Leverage documented workflows and other artifacts as discussed in the chapter on Process Optimization. Consider the following questions: * How has the operation changed over the last 12, 24, and 36 months? Include all relevant data. * What impact have changes had on the operation and the enterprise overall? * What spending does the operation control? Follow the money. * What drives operational expenditures? What could go wrong? * How does the operation impact revenue? * What types of information systems are used, and how do they relate to other operations within the company? * Can data be manipulated?

Perform a Benford’s Law Analysis on the data. Benford’s Law Analysis is available in most analytic software packages.

Some additional areas that I’ve found to be fruitful include Inventory, Petty Cash, Payroll, Corporate Credit Cards, Accounts Receivable, Overtime Pay, Benefits Programs, Consultants, Computer Hardware, Intellectual Property and Licensing, Construction, and Major Vendor Agreements.

While this fact of auditor “need” when it comes to client involvement during audits is daunting, there is a glimmer of good news. The need is not an insurmountable barrier but does represent a significant challenge to every auditor. But to overcome this barrier, the auditor will have to recognize and accept one indisputable fact when it comes to the internal audit and business partner relationship. And that fact is, no matter what type of relationship is being discussed – whether it is boyfriend and girlfriend, husband and wife, or auditor and client – there is always one person in every relationship who wants it a little more than the other. Okay. So, what does that mean? It means one person will always work harder and be more flexible to ensure the relationship continues to grow and stay strong. Auditors must realize early on in the relationship development process that we are the party recognizing we will have to work harder and be more flexible than our business partner to ensure the relationship stays strong and intact.

In every one of the meetings you have with the business owner, prepare effectively by confirming the meeting objective prior to the event and mastering the data. Then remember one additional key to effective meeting facilitation and relationship building with your business partner: Never try to defend the questions you are asking.When asking questions or clarifying potential exceptions with your business partner, always use the data to support (not defend) the specific questions being asked. The data will drive the support for your message and will always give you the confidence as you seek clarification for questions posed.

As in every assigned audit, the auditor should begin with an understanding of the audit objective. Unfortunately, most audit teams get assigned an audit and never bother to review the annual risk assessment to determine why this audit was included in the annual plan. The auditors just figure that the annual planning was completed, and it was decided to include this audit in the current year. What the auditors do not realize is that the information compiled in the annual audit plan provides a solid foundation as to what the business process includes, key personnel, systems utilized in the business process, as well as any potential process risks. Also included in the annual planning documentation is the audit history, which details when the area was last reviewed, what the audit rating (opinion) was, and issues identified that required management action. Auditors might not recognize how valuable this information could be.

When it comes to control, no business team is sitting in their offices looking for ways to add new controls to their process to strengthen the environment of their business operations. Most business units are wondering how they can do what they do faster so they can get more business and process more transactions. And in the business effort to go faster and process more transactions, it creates an environment that is ultimately not well controlled. As the auditor introduces the control concept, it should be linked to the idea of removing any barriers that could impede the business process from being completed in the most effective and efficient manner.

One of the outcomes of an audit is that the audit results will show the business process has been effectively designed, built, implemented, executed, and accurately reported. These five factors of the business process, when done correctly, will produce the expected results. Keep in mind, every process will deliver a result. The key, which must be verified through data examination and effective reporting, is whether the business process achieves the intended result. The examination of the data and reporting should be done on an ongoing basis by the business unit and is the same information the audit team will examine during their review. The other outcome of an audit is that after a detailed review of the data and validation with the business partner, the audit reveals a breakdown(s) in the business process that does not produce the intended results. This breakdown is going to be directly linked to one of the five factors from design to reporting, and it is the job of the auditors, in partnership with their business partner, to identify the root cause

When audit departments start receiving calls from business unit management asking for audit representation on a project team, for a specific audit to be started, for an operational review to be facilitated, or an opinion on a simple process enhancement, internal audit will know not only that their marketing efforts are beginning to change the misconceptions regarding audit activities but also that the internal audit department is gaining credibility across the company.

internal audit functions are essential for: Ensuring Internal Control Systems: They evaluate and strengthen mechanisms, policies, and procedures to protect assets, provide accurate financial reporting, and prevent mismanagement or fraud. Enhancing Risk Management: By assessing and mitigating risks, they help organizations adapt to changing conditions and align risk management with strategic goals. Ensuring Compliance: They verify that the organization adheres to laws, regulations, and industry standards, avoiding legal penalties and building stakeholder trust. Promoting Operational Efficiency: Through process audits, they streamline operations, reduce costs, and optimize resource allocation for more sustainable growth. Providing Independent and Objective Assessments: They offer unbiased and reliable assessments. This can foster transparency and accountability for stakeholders.

DIGITALISING INTERNAL AUDIT (Gartner Paper)

CAEs face pressure from above to become more digital and are also driven to keep up with the other functions in the organization. Forty-seven percent of CAEs report that the audit committee is increasing its expectations for innovation within the audit department. CAEs also identify specific technology areas where the audit committee expects substantial progress. These include better integration of data analytics into audit’s work (37%), greater use of automation and advanced technologies within the audit department (32%), and greater use of continuous monitoring and continuous risk assessment (30%).

Transformation involves pushing beyond the current capabilities and approaches used in audits by adopting net new digital techniques. Examples of transformation include: * Deploying advanced data analytics techniques, such as predictive modeling, to strengthen assurance outcomes * Discovering new insights by using techniques such as natural language processing or process mining * Generating analysis of high volumes of information by leveraging machine learning models * Using generative AI to assist in writing, summarization or coding tasks

Optimization involves applying technology to improve on audit’s current methods and processes, making them more efficient and effective. Examples of optimization include: * Using dashboards to track function performance and the progress of audits * Using data visualization tools to increase the impact of communication * Automating routine tasks

RISK ASESSMENT Data-driven continuous risk assessment, which leverages ongoing monitoring of key risk indicators (KRIs) to sense changes in the risk landscape, is a leading use case for digital tools in risk assessment. Digital audit functions can also leverage predictive analytics techniques. These approaches use machine learning models to assess the likelihood of future events, allowing for even greater agility than monitoring of potentially lagging KRIs. RBC’s automated risk detection tool illustrates the use of data and machine learning for risk assessment.

RBC developed an automated risk assessment tool — RaptOR (Risk Assessment Planning Tool and Organizer) — to facilitate continuous risk monitoring and dynamic audit planning. The tool continuously monitors the risk profiles of each audit entity using a composite of key risk indicators (KRIs), key performance indicators (KPIs), and key controls indicators (KCIs) from both internal and external data sources. The tool leverages a combination of statistical and machine learning techniques to measure deviations in risk profiles compared to historical baselines. The model flags elevated risks, which can then be used as an input in forming or adjusting the audit plan.

FIELDWORK Data analytics tests can also be automated to enable continuous assurance practices, including continuous monitoring, continuous auditing and continuous risk assessment. Many other digital tools and techniques can be leveraged in auditing, in addition to data analytics, and the scope of available technologies is constantly expanding. Growing advanced techniques include: * Robotic process automation (RPA) to streamline manual processes * Natural language processing to analyze textual information * Classification algorithms to handle unstructured data sources * Process mining to track the actual execution of business processes and pinpoint variations across business units or geographies * Analysis of digital twin models as a proxy for site visits or monitoring of physical systems

COMMUNICATION & DATA VISUALISATION Enterprise Holdings improved communication of findings from continuous monitoring of transactions for potential fraud by building a dashboard to consolidate information for stakeholders

Based on feedback about the volume of reports to review, Enterprise Holdings created a continuous monitoring dashboard compiling several legacy fraud detection reports into a single view to make monitoring more efficient. The dashboard helps the business focus on high-risk items without having to do a lot of their own analysis to find those items. Potential fraudulent transactions are categorized into “high,” “moderate” and “low” risk based on predetermined factors. While not all available continuous monitoring reports are included in the dashboard, it enables users to perform a more focused review. This results in less time spent running and analyzing reports, significantly reducing the time the business spends on continuous monitoring reviews. Once created, the dashboard is handed over to the business, so the audit only needs review to ensure the business is reviewing the dashboard per the company’s continuous monitoring accounting policy.

AUDIT DEPARTMENT OPERATIONS Digital audit functions not only use technology in their work but also for how they work. They leverage technology to manage the audit’s departmental operations, measure and track performance and streamline internal collaboration. Some examples of function management applications of the technology include: * Technology-enabled project management for audits, for example, through an audit management system or other project management platform * Cross-functional data and information sharing for aligned assurance efforts, for example, through a governance, risk and compliance tool * Communication and collaboration applications, including chat tools and cloud-based file sharing and version control tools * KPI monitoring and dashboards for tracking department and individual performance, including for quality assurance efforts Audit at Synchrony developed an internal dashboard to monitor audit progress and auditor efficiency.

As the assurance demands on audit increase, CAEs and audit department leadership need a centralized way to track department operations and enable decisions in order to assess and improve department efficiency. Synchrony’s audit leadership team uses an internal activity dashboard to see a real-time overview of department operations. Synchrony’s dashboard and its simple visualizations enable the CAE and different members of audit leadership to make quick decisions to improve department performance. Each audit leader has a tab to quickly view their team’s work status, while the CAE can either maintain a departmentwide view or drill down into each of their direct report’s teams. The dashboard helps audit leadership “run audit like a business’’ by using data to monitor KPIs (such as issues past due, audit budgets and engagements over 90 days) and quickly address issues as they arise.

AUDITING AT THE SPEED OF RISK NORMAN MARKS

The audit plan[9] is at the heart of the internal audit activity in more ways than one. It is the living, dynamic organ that provides continuous energy and purpose. It determines the work that internal audit will perform. When you know what work will be performed, you can make sure you have the resources to do it. It drives both staffing and training plans. It requires constant attention and care. When it is not as healthy as it should be, the entire function suffers.

When I talk about agile, I am not referring to the Agile methodology that is used in software development and some have tried to adapt for internal auditing. I am talking about the agility of the internal audit function, its ability to react with great flexibility in an environment where the business and its environment, including risks and opportunities, are changing at speed.

“To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”

Our work is risk-based and extends beyond traditional audit reporting that highlights control and risk issues. It includes: Assurance that the leadership of the organization can rely on its systems, people, and processes to perform as needed for success Advice on how to improve the above, and The professional insight of the internal auditor, even if that is not included in the formal, written report to management and the board There is a huge difference between pointing out issues (negative assurance) and indicating whether risks are being adequately managed (positive assurance). The value to our customers in being told they can rely on the organization’s systems, processes, and people vs. being told of issues and being required to guess whether they can still rely, is immense.

“Plans are of little importance, but planning is essential.” Winston Churchill

Although it is common practice to develop an annual plan based on an annual assessment of risk, business risk changes constantly. If Internal Audit work is to be aligned with business risks, then the audit plan must be flexible and the assessment of business risk more continuous than an annual event. Therefore, the plan presented here is an approximation based on today’s knowledge of the projects that are likely to be completed in 2007. The schedule will be updated on a regular basis, reflecting either change in business risk or an increased knowledge of risk. Not every area that represents a risk to the business is an area meriting Internal Audit attention. The only projects planned are those where value is seen in such attention. Should the schedule of work change significantly, an update will be provided to the Audit Committee. Based on the risk assessment and an assessment of the potential value of Internal Audit attention, the following projects are likely to be completed in 2007.

Some companies have a management training program that has fast-track employees spend time as a member of the audit team. While they may not have auditing and interviewing skills, they bring with them deep insight into the business that can be of great value. At Dow Chemical, Doug Anderson was the CAE and he tells me that “80% of my staff were rotational to/from other departments in the company. In combination with experienced externals hires, they can bring real value to internal audit”.

We only hired people we thought truly understood the mission and reinforced it every day with team members and customers. IA functions need to focus on brand and image too, as a way to build trust, be invited to the table, and sought out to help”.

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. The internal audit plan is intended to ensure that internal audit coverage adequately examines areas with the greatest exposure to the key risks that could affect the organization’s ability to achieve its objectives.

Linking critical risks to specific objectives and business processes helps the CAE organize the audit universe and prioritize the risks. The CAE uses a risk-factor approach to consider both internal and external risks. Internal risks may affect key products and services, personnel, and systems[51]. Relevant risk factors related to internal risks include the degree of change in risk since the area was last audited, the quality of controls, and others[52]. External risks may be related to competition, suppliers, or other industry issues. Relevant risk factors for external risks may include pending regulatory or legal changes and other political and economic factors.

Corporate Information Security, especially their risk assessment activity and corporate information security policies. We found that there was no sharing of tools and methods among the sites, let alone information and other resources. There was zero corporate leadership. Sales contract management. The various sites separately negotiated contracts with our major customers, even though they were (in most cases) customers of multiple sites. We were negotiating as trees, not as the forest – which was clearly sub-optimal. In at least one situation, two sites (Suzhou and Guadalajara) competed against each other, and only each other, for the same contract. They managed to drive the value of the contract down to the extent that it was barely profitable.

The objective of RBIA is to provide independent assurance to the board that: The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended. These risk management processes are of sound design. The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board. And a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat. RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement. The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite).

If our work only provides assurance on what happens at an activity within the organization, it will matter to the managers of that activity but not necessarily to top management or the board.

I was surprised when people told me they were unable to perform an audit of risk management because there was none! My reply was that the audit can be completed very quickly indeed! We know what the assessment is: there is no enterprise-wide understanding and appreciation of how one or more risks could affect the organization as a whole. Now we need to do some work to understand and then communicate how severely this impairs the organization. It may not be as serious as it appears at first glance. For example, if each activity within the organization is effective in anticipating what might happen and considering that in its decision-making, we have a good start. If that is supplemented through constructive discussion of those significant risks among the department heads, perhaps at an executive committee meeting, then perhaps the big picture of how one or more risks could affect the organization is understood and addressed. In other words, management may not have a formal risk management function but may still be effectively identifying, evaluating, and acting on potential risks and opportunities. Organizations have been successful throughout history without a formal risk management program or function.

if there is no official enterprise-wide risk management program, I would advise the auditor to assess how significant this is to the business. Does the business have a good view of what might happen so it can make the informed and intelligent decisions necessary for success? If it does, even without a formal program, I would be reluctant to recommend a change that would add more form than substance – and might even impair the entrepreneurship and agility of the business.

The traditional approach is to interview the executives across the organization and ask them their opinion of the more significant risks. Very often, they will point to something somebody else is responsible for rather than potential weaknesses and vulnerabilities in their own areas. If management has not already been thinking about the more significant risks that might affect their operation, and therefore the business as a whole, there is a problem. This is not only a red flag that management has poor risk management practices, but it is also an opportunity for the internal auditor to help the manager get up to speed. There have been occasions where my team brought in a risk practitioner (or safety or other practitioner) to meet with the manager for a constructive conversation. At other times, my auditor explained the company’s risk management policies to the manager and helped them understand why they were important. I prefer to ask, in relation to achieving their objectives: What could go wrong? and What needs to go right? One of the best is: Where do you spend your time?

List that show operations as a mind map or a list of potential risks by various functions as a mind map. Getting my interviewees to use one of these as they thought about risks and opportunities broke them out of any siloed thinking. In fact, it turned the meetings into something they enjoyed rather than saw as a chore.

Some organizations are reluctant, but I am usually able to get a copy of the agendas for several months’ meeting of the CEO with his or her direct reports. In addition, the CFO (or other top executive to whom the CAE reports administratively) will generally share what the executive team discuss. It is a fair assumption that the more significant risks are where the top executives focus their time.

Relying on discussions with management is not sufficient in my opinion, as they can only share what they believe is happening. But the people in the front-line trenches who are working with customers, vendors, and others every day may tell a different story. In the same way that management science has the concept of “managing by walking around”, internal auditors can keep their ears to the ground by getting out into the field and taking the time to listen to the people in the trenches, as well as management.

In another example, my team performed an audit of the sales process at Business Objects. We found that the sales personnel were reluctant to update the customer relationship system. While they had been directed to record progress on potential customer contracts, they found the system more trouble than it was worth to them. So, they kept their records in personal Excel and other files. As a result, senior management was deceived when it came to understanding whether and when potential sales contracts would be realized. This impacted the reliability of sales forecasting, which then impacted cash flow forecasting, and any financial projections. However, the greater issue was that senior management didn’t know whether and when they should visit potential customers themselves. The head of Sales or even the CEO could meet with customer management to discuss a deal, and their record of moving sales along was impressive. The inability to effectively deploy and send in these big guns hurt performance.

value could be in one or more of: Assurance – that the leaders can rely on their people, systems, and processes to work as intended so that they can achieve enterprise objectives Advice – that helps management upgrade their systems, processes, and even the people involved Insight – where internal audit goes beyond what they are willing to put in a formal audit report (for which they usually require evidence) to share their professional insight on operations: their strengths, weaknesses, and opportunities for improvement

Which locations and systems are not directly managed by GTDP. could this be a source of risk? The corporate information security function (and even the corporate CIO) had little influence over what each of the more than a hundred sites were doing. This was a red flag. Inconsistency probably meant there were significant vulnerabilities.

The more significant technology-related sources of business risk should be included as potential areas of focus in the audit plan. (They are potential audits because they may have to compete with each other and with non-technology risks for space in the audit plan.)

Identifying technology-related risks of significance to enterprise business objectives doesn’t necessarily make them “IT audits” that require a technology specialist. Key is to understand where the controls lie so we can devise the appropriate audit project. Sometimes, there are sufficient detective controls in the business side to detect a failure of technology. For example, if the code of a report used in the bank reconciliation leads to that report containing errors, the reconciliation process should detect it. That detective control may be sufficient to address the related business risk. We will take that concept, understanding where the controls lie that management relies on, to determine which audits to include in the audit plan.

We also performed focused audits of: The reliability of the information provided to the board The effectiveness of the legal function The measurement of management team performance and compensation Employee awareness of the company’s ethics policies Directors’ and officers’ expenses

The traditional internal audit department talks about an “audit universe”. For example, the Institute of Chartered Accountants of Scotland says[72]: An internal audit universe comprises several distinct auditable entities which can range from a few to several hundred or perhaps even thousands depending on the scale and complexity of your organisation. These auditable entities are often constructed according to business unit, product or service line, legal entity, regulatory required audit, processes, programmes, or systems. Alternatively, an auditable entity may simply be constructed according to a key risk or key control. In practice, the internal audit universe is often a combination of all or most of the above. Put simply, if you think of your organisation as a big cake; how best do you slice that cake to arrive at sensible bite-sized chunks that can be easily and effectively audited? Each chunk is an auditable entity and collectively the chunks are known as the internal audit universe. It’s a subjective process. Once the nature and scope of these auditable entities are determined, internal audit will assess the risk of each auditable entity to assist in producing a risk-based internal audit plan which lists the internal audits to be carried out

Internal audit should be focused on auditing risks to the objectives of the enterprise. Therefore, the concept of an “audit universe” needs to be put in the rearview mirror and replaced with a risk universe, which I define as: The risks and opportunities that might have a significant impact on the objectives and strategies of the organization, where an audit project is likely to add value.

Most audits are intended to provide assurance, indicating whether management has adequate controls over the risks included in scope While the primary customer of an assurance engagement is the Audit Committee with top management a secondary customer, in a consulting engagement management is the main customer. In many situations, there is no reporting to top management or the board. (The exception is where a serious issue is identified by a consulting engagement, upon which the CAE has an obligation to share that information with the board and top management.)

I am a huge believer in the principle, borne of years of experience, that most problems occur as the result of change – whether that be from a change in systems or people. I am also a huge believer in the principle that it is far better to consult on a change initiative and prevent a controls or security issue, than it is to perform an audit after-the-fact. Fixing something that is broken is harder and more expensive than correcting it at the start.

The appropriate role for internal audit and the resource commitment … will depend largely on the maturity of the organization’s governance structures and the organization’s size and complexity. The CAE should discuss and reach an agreement with the board on internal audit’s role in assessing organizational governance. The idea is that when the processes are seen as less mature, internal audit may be more effective by encouraging and helping improvement rather than performing a traditional audit with the inevitable assessment that practices are inadequate. What this means is that the CAE should consider how best to add value to the organization. Is it by performing an assurance engagement that delivers an opinion on the quality of controls and related processes, or is it by helping management upgrade their activities with a consulting engagement?

Reliance on other Assurance Providers There are times where it makes sense to rely on the work of others, such as the Quality team in a manufacturing company, or the Quality Assurance function (QA) in IT[80]. The first performs inspections and other work that internal audit can rely on to address risks relating to the quality of the company’s products (once their processes, etc. have been found reliable in an audit of the function). The second tests the functionality and reviews the documentation of new systems. As with reliance on management’s risk assessment activity, internal audit needs to audit the function on which it will rely. It needs to obtain reasonable assurance that the function will perform the work to a satisfactory standard, without undue influence from management. In such cases, I will make it clear in the text of the audit plan that I am relying on these functions for specific risks. “Reliance” implies that internal audit will not perform their own audit work, but will place full reliance on the other assurance provider. However, there are options, such as: Reviewing the work performed by the assurance provider and only testing a smaller sample of controls or otherwise limiting the extent and nature of internal audit testing. This is very similar to what the external auditor does when “relying” on internal audit testing for SOX compliance. Downgrading the level of risk assigned to an area because the other assurance provider has audited it. Doug Anderson did this at Dow Chemical. Teaming with the other assurance provider on a joint audit. I did this a couple of times at Solectron where the audit team comprised individuals from (Manufacturing) ISO 9000 Quality and the external audit firm as well as internal audit. On occasion, I have also relied on the IT QA team for their independent testing of new or modified software

Control Self Assessment (CSA) I upgraded the questionnaire and had my team send it to every site, not just those where we planned an on-site audit. Each member of the team was charged with being the liaison with management of several sites. They would: Review the completed questionnaires and check for omissions, obvious errors, and inconsistencies. I called this a “desk review”. Have a conversation with management about those issues, identified deficiencies and corrective actions, and anything else management felt we should know. Ask management to send additional documentation, such as examples of policies or evidence of control operation, as needed. Assess the possibility, based on that review, that controls at the site were not adequate for one or many risks. Recommend whether we should have a short visit to the site to discuss the questionnaire and any issues, a longer on-site audit (in which case, the auditor would define the scope of the work) or rely on management’s self-assessment. The CSA approach allowed the team to address a far larger proportion of the global organization. Where we felt the risk was higher, we performed on-site audits that focused on a select number of risks. Where the risk was lower, we relied on management self-assessment. (Note: as I indicated above, we often asked for supporting documentation to be sent to us before we decided to rely on management’s assessment.) This is a form of “trust and verify”. The other change I made from my predecessor’s practice is that where management was, without satisfactory reason, providing us with clearly wrong self-assessments that fact was included in the audit report.

There are other situations where a survey and a review of the results constituted almost the entire audit engagement. For example, an audit of ‘culture’ or employee awareness of the ethics policy and expectations might leverage a survey. I would work with the Human Resources function to ensure their routine employee survey had useful questions, and review the results. A survey was also used heavily in the ‘Revenue recognition policy awareness & clarity’ engagement at Business Objects

Audits of contractors and vendors for compliance. We did this extensively at Tosco. Each year, my team of contract audit specialists obtained a 12:1 return on investment (actual monies recovered compared to my costs). In the Refining division, we found overcharges and other non-compliance, but over time we migrated to providing consulting advice to the procurement team that helped them negotiate better contracts. Instead of recapturing money, we worked with management to stop it leaving our coffers.

Audits of customers. At Business Objects S.A., I had a specialist team[90] that was able to find situations where our customers were using our software excessively, violating the terms of the license. If they purchased a license for, say, 10 people and 20 were actually using it, my team would find out and work with management to have the customer remedy the situation – usually by purchasing the additional licenses. We worked with management to minimize customer dissatisfaction over being caught out, yet still recovered substantially more money (revenue) than our costs.

Audits of healthcare providers and insurance companies. This is a fairly common practice for internal auditors, where they determine whether they are being overcharged, for example for employees who have the left the organization. Our audits were able to confirm the charges we received were accurate, but I have heard of other internal audit teams identifying serious problems with the billing.

Cards made up to page 130 of the book Auditing at The Speed of Risk _Norman Parks

SPEED OF RISK - RICHARD CHAMBERS

Trusted advisors don’t practice the following; make sure you don’t either: Don’t dwell on the past; instead, focus on the future. Don’t shrink from getting to the bottom of issues. Don’t take a myopic view of potential solutions. Don’t neglect to seek input from those you are auditing. Don’t view the world in black and white.

As an audit executive, nothing frustrated me more than watching internal auditors or audit teams generate vast amounts of data and audit evidence without being able to identify and connect the critical issues hidden in the material. They were not bad auditors; they developed excellent risk-based audit plans and gathered information thoroughly and effectively. They simply failed to use critical thinking skills to convert raw information to a well-reasoned, nuanced understanding of the situation and subsequently make appropriate recommendations. Don’t let intellectual arrogance (I know the answer) or intellectual laziness (good enough is good enough) get in the way.

Internal Auditing Flashcards

(134 cards)