Internal Auditing Flashcards

2
Q

Attributes for auditors who want to be change agents:
General business acumen:
- Financial
- Marketplace
- Operational
- Technology
- Strategic
Know your business. “Our IAs do a great job, but I wish they knew our business better.” Knowing the business is what earns credibility.
Be strategic. Internal audit needs its own strategic plan that looks beyond the horizon. Can we have a 5-year strategic plan, and what capabilities do we need to deliver it?
Be perceptive and connect the dots.
Be assertive, but patient, persistent and flexible.
Build and sustain relationships.

A
4
Q

Good question to ask: Does our advice translate into real value for the organisation?

A
5
Q

The issue with Internal Audit: Unfortunately, internal audit’s efforts are often lost in translation. We have difficulty explaining our mission. We don’t make a strong case for change because we don’t speak our customer’s language. We struggle to understand what’s important because we tend to “tell” instead of “ask.”

A
6
Q

Consider a process that has weak controls to comply with a regulation. In conjunction with the internal customer, assess the cost of noncompliance. For example, if noncompliance could result in fines and penalties of $500,000, civil suits of $1,000,000, and loss of revenue of $5,000,000, the total perceived benefit of compliance would be $6,500,000. Now estimate, in the same way, the perceived cost of auditing to check for compliance, and compare the two.

A
7
Q


You can assess if Internal Audit is adding value by asking a few simple questions.
* Is the customer willing to pay for audits?
* Is the customer cheering for audit’s participation on projects?
* Does the customer call internal audit when a significant problem arises?
* Has internal audit been involved in change that had a positive impact?

A
8
Q

Traditionally, the audit profession has focused on assurance services. The Institute of Internal Auditors defines assurance services as “an objective examination of evidence to provide an independent assessment of governance, risk management, and control processes for the organization.”

A
10
Q

What is most critical to the executive team? Meet with them to understand their needs. Do they reference structural and process inefficiencies, excessive cost of operations, or budgetary pressures? All of these may be indicative of opportunities to add value.

A
11
Q

Seventy-one percent of internal audit departments did not measure the value provided to management through quantitative methods. For those that did quantitatively measure value, 61% used customer surveys, 42% measured cost savings in dollars, 40% measured cost avoidance in dollars, 35% cited the number of controls improved, 35% measured revenue recovery in dollars, 33% stated the number of findings, and 33% said the number of major risks mitigated. Note that respondents could choose all that applied.

A
13
Q

Internal Audit’s (Larry’s) value proposition was “Creating Positive Change with a Sense of Urgency.”

A
14
Q

One of the questions I typically ask is “If one thing could change to make your job easier, what would it be?”

A
15
Q

When I met external stakeholders (my customers), my first question was simple. What do you think of internal audit? Some people weren’t aware of internal audit’s purpose. Others had negative views. The one theme that consistently came through was one of constraint. There was a perception that internal audit was at the company to constrain innovation and collaboration because it was focused on compliance.

A
16
Q

Internal audit’s brand was the polar opposite of the company’s value proposition and mission. Significant change was needed. I followed basic systems theory: inputs, process, and outputs. Inputs are the data and information needed to understand the current state and customer expectations for what a value-added internal audit organization looked like. Process was the infrastructure to enact the change required. Outputs represented the tangible changes and the types of services to be offered by internal audit.

A
17
Q

Does the internal audit organization view itself as a necessity arising out of its charter and mandate, or does it view itself as a source of value for the company?

A
18
Q

An audit may be on the audit plan because the company’s risk assessment, perhaps an urgent or emerging risk or a developing regulatory requirement, justifies looking at a particular process or set of controls. It’s important to connect that justification to the customer’s own interests. How does it relate to the customer’s goals, objectives, and strategic plan? Translate the need into customer terms. Having a meaningful value proposition for every audit or project creates buy-in and engagement.

A

For example, an audit of information security was included in the audit plan because the cyber threat to the company is constantly evolving and the executive team needs assurance that the program is effective at addressing cyber risks. A value proposition for the executive team and the Chief Information Security Officer (CISO) could be “Internal Audit will provide assurance about whether the information security program can support customer growth of 25% over the next 24 months.”

19
Q

Traditional Objective Statement: “Verify that controls are effective and efficient to comply with Sarbanes–Oxley regulatory requirements.”
Value Proposition Statement: “Assess Sarbanes–Oxley controls in preparation for the Company’s initial public offering.”
We could easily substitute the “initial public offering” with whatever the current strategic plan reflects—perhaps its growth, a planned acquisition or merger, or cost optimization effort. The key point is that internal audit is not simply justifying the audit on the grounds of an existing regulatory requirement—we are illustrating value to the customer beyond compliance and approaching the audit with the expectation of value-added deliverables.

A
20
Q

How we approach the audit is equally important. What specific value-added deliverables will be provided to the customer during the review? Without thoughtful planning, audits may focus entirely on answering questions about compliance or the effectiveness of controls. Every engagement should provide “ah-ha” moments and golden nuggets for the customer. Dr. Carlson described golden nuggets as a key to success that might be in the form of “a new, enabling technology, a relationship, a novel manufacturing process, or a new business model.”

A

For example, performing a process analysis using the SMART system, described in the Change Management and Process Optimization Factor, could reveal low-value activities, duplicative controls, or ways the customer can better meet objectives. Golden nuggets could be provided by enabling customers to better understand their business through data analytics. Benchmark information regarding industry and peer company practices provides valuable insights too. Each of these examples necessitates conscious planning and setting expectations for the audit team early in the audit process.
We also need to provide a full accounting of costs. Audit recommendations tend to be cost additive because new or enhanced controls are being recommended. Helping management understand the net benefit of a change drives buy-in. Make it as easy as possible for customers to understand your value proposition in all that you do.

21
Q

Competition to IA: What are the alternative solutions (the competition) to internal audit performing the audit? The company could pull together a cross-sectional project team or hire an external consultant. Maybe there’s another group within the company that does special projects. What makes internal audit stand out as the best option, and how do you convey that to the customer?

A
22
Q

Cost of an Audit: Estimate the total cost or what we’ll call an “investment” in an audit. Three auditors working eight 45-hour workweeks at $75 an hour represents $81,000 in cost. Two customers dedicating two 45-hour workweeks at $75 an hour to support the audit represents $13,500 in cost. Therefore, the overall investment for the audit would be $94,500 ($81,000 + $13,500). Ask yourself—Wouldn’t you occasionally check an investment account worth $100,000? Like personal investments, we want to monitor the company’s investment in completed audits.

A
23
Q

Follow up after a project is complete, and ask whether recommended changes are working as intended. Inquire about collateral effects. If an unnecessary control was eliminated, did policy exceptions arise? When an operational efficiency was implemented, did business workflow continue to operate smoothly? Ask whether further changes to the original management action plans would support customer success. Auditors typically verify that management action plans have been completed but don’t ask about how the action plans affected operations.

A
24
Q

Building commitment means being available and ready. Audit teams should be flexible—setting aside unscheduled hours to respond to customer requests. We need to walk the walk. Theodore M. Hesburgh said, “Unless commitment is made, there are only promises and hopes…but no plans.” Reserve between 10% and 30% of audit hours for customer and management requests once relationships have been established. Flexibility is particularly important in the age of business agility. Audit teams must be agile.

A

How do we do this in AF?

25
Q

Perspective: Many employees whose businesses are being audited have held their roles for years. Along comes the well-intentioned internal auditor. The auditor offers advice, undervaluing the customer’s experience. Internal auditors have a reputation for prescribing solutions, despite a lack of deep knowledge about the subject matter, and can seem authoritarian. Every auditee has experienced this at one time. Appreciate and respect the significant experience of customers. Be mindful of internal audit’s limitations. We must center our perspective on the needs of customers and not ourselves.

A
26
Q

It’s critical to know and understand your customer. Do some sleuthing. Talk to those that understand them best. Who’s worked with them in the past? I’ve worked for four CFOs and three Audit Committee (AC) Chairs over the past 7 years. You can bet each is unique with varying expectations. Look to a broader network—who has worked with them at other companies? What are their pet peeves? Develop a list of promoted and avoidant behaviors for key relationships (CEO, CFO, AC Chair, etc.). Break down these do’s and don’ts into categories such as verbal communication, written communication, meeting protocols, work product/deliverables, and general expectations.

A
27
Q

Use well-phrased questions. “With the slightest provocation, our ability to apply reason and logic can drop by 75 percent,” she says. “Using questions instead of statements can also help avoid triggering emotional hijacks in others. Our feeling mind wants to sense that we are included, autonomous, competent, valued, respected, and safe.”

A

Imagine an opening meeting where an auditor says there are issues with a process. A barrier goes up and a fight instinct sets in immediately. The tone has been set. The customer views the auditor as biased, fears for their job, and may work to undermine the effort. Instead, we could ask what areas would be helpful to evaluate. The customer is now positively engaged by providing input on the objectives and scope of the review, and buying into the direction of the audit. They’re invested. Emotional barriers are down, allowing cognitive skills to engage.

28
Q

Opening Meeting—Contrasting Examples
As a Statement:
* We will identify controls weaknesses.
As a Question:
* How can we best add value?
* Are there areas on which we should focus?
* What is your vision of the ideal process?

A
29
Q

Authenticity

A
30
Q

Trust is the foundation of successful, long-term relationships. The same holds true for internal auditors and their customers. Internal auditors are challenged by competing demands as an advisor, a confidante, and a protector of shareholder interests on behalf of the board of directors. The more seasoned auditor understands that not all issues require raising the alarm bell to management or the Audit Committee. Many matters can be resolved through collaboration and problem-solving. So long as it’s not a matter of ethics or fraud, many issues can be handled at the process owner level by partnering to improve controls around a process. When it is necessary to raise an issue to the executive team or Audit Committee for non-fraud-related matters, it’s critical to afford customers the opportunity to fully understand the issue first.
Before any audit observation is finalized, we should always explore mitigating control practices. If not, we are failing to provide fair treatment and proper context. This means providing an opportunity to explore compensating controls. Here we play an important role as process and risk experts. We facilitate the discussion. Customers are focused on achieving their goals and may not recognize that other practices are controls. Leading this dialog builds trust by demonstrating an investment in their success and adds value by helping them better understand their processes. It can also lead to optimizing the control structure. Perhaps the informal compensating control is more meaningful than the official control, and duplicative controls can be eliminated.

A
31
Q

Achieving trust happens when we’ve demonstrated a pattern of helping our customer achieve their objectives. As Richard Chambers, the CEO of the IIA, says in his book Trusted Advisors, “We can’t just show up, articulate our views about risks, and expect people to heed our advice without first earning their trust. Neither can we expect them to respond favorably to our assurance work.” So how do we do that? We need to engage early and often and find opportunities outside of formal audits to provide value.
One simple way to build trust is to consistently share meaningful information. Research regulatory developments, emerging practices, and current events that potentially impact your customer. Send a simple email saying, “I came across this article and thought it may be of interest.” The context should be nondirective.

A
32
Q

A lack of transparency creates suspicion and destroys credibility. Likewise, never give the impression that “everything is fine,” and then surprise the customer at the closing meeting with a new observation or potential issue. Those surprises are unwanted guests at the closing meeting that create long-term, if not permanent, trust issues.

A
33
Q

Harry Gordon Selfridge said, “Goodwill is the one and only asset that competition cannot undersell or destroy.”

A
34
Q

Different customers will have different expectations. Ask customers what they value in terms of communication, when they want to hear from us, and how they want us to communicate with them. We have a broad set of customers: the AC, the executive team, internal process owners, employees of the company, and external parties, such as regulators. Each one will have different expectations around communications.

A
35
Q

AC (Audit Committee) communications:
* New and useful insights. AC Chairs will be interested in your perspective and concerns vs. executive management.
* A heads-up about potentially controversial topics prior to the AC meeting.
* Connecting the dots between the results of audit work and board priorities.
* Benchmarking information vs. other organizations.
* A summary of the quarterly report prior to scheduled AC meetings.
* Information on risks before realization. Add deep dives of risk discussion topics to quarterly agendas.
* Connection between AC discussions and other board of director committee topics of interest.
* Current topics being discussed by outside boards.
* Insights into the tone at the top.
* Anything additional that helps AC members fulfill their obligations as it relates to internal audit.
* What’s working in the enterprise and within the internal audit organization.
* What’s working in enterprise and within the internal audit organization.

A
36
Q

Executive Team Communications:
* Emerging risks and potential solutions and options for resolving them.
* Observations on the tone at the middle. Are middle managers on board with the company’s strategic direction, goals, objectives, etc.? If not, what is the feedback?
* Cost-saving opportunities.
* Meaningful and relevant external benchmarking and industry data, and a translation as to how it applies to the organization. Take the additional step to compare to company data.
* Keeping them informed about what’s on the horizon and items that may impact strategy.
* Insights into the big picture of the enterprise.
* Information on what is being communicated to the AC Chair.
Be as open and trusting in communications as possible. Leadership is generally concerned that you are “telling” the AC something they aren’t aware of. Be transparent and open in both relationships.

A
37
Q

Cyberattacks, human capital problems and business continuity pose the three biggest risks to organizations, EY said, citing a survey by the Internal Audit Foundation.

“Although risk levels may vary from region to region, the areas of highest effort for internal audit are generally similar,” EY said. “The top areas of audit effort, worldwide, were as follows: 1) cybersecurity, 2) governance/corporate reporting, 3) business continuity, 4) regulatory change, 5) financial liquidity, and 6) fraud.”

A

Taken from the CFO Magazine report on Audit Committees

38
Q

Have I connected the dots for the reader regarding larger risk questions? Where risks are noted in the report, have they been correlated with the bigger picture for the enterprise? Are the risks disclosed meteors or pebbles? Does the report clearly articulate that they are being addressed by management action plans?

A
39
Q

* Does the report tie to customer goals, strategy, objectives, and tactics?
* Have risks been described in monetary terms? If so, has proper context been provided? For instance, “non-compliance could result in monetary fines up to $100,000 per instance, but this has rarely occurred.”
* Have the issues in the report been presented in terms of a value proposition for the customer? Do the observations clearly articulate an urgent need related to the customer’s interests?
* Would the customer be willing to “pay” for the result, if this was provided by an external party or consultant?

A
40
Q

Exhibit 2.10 Report Expectations Matrix
EXPECTATION SATISFACTORY? (Y/N)
Tone □
Context □
Data supporting results □
All relevant stakeholders considered □
Fair and balanced □
Credit for effective processes □
Suitable for multiple audiences □
Connects the dots on risk □
Repeat issues disclosed □
Value provided □
Ah-ha realizations provided □
Clarity for conclusions □
Consistent structure □
What, how, why, and when □
Link to customer goals, strategy, objectives, and tactics □
Monetary linkage □
Articulated value proposition □

A
41
Q

For years I’ve been asking customers, “What do you think the audit opinion should be?” vs. telling them the audit opinion. It’s a good test as to whether internal audit has been collaborative and transparent throughout the audit process. When an audit has been collaborative, I’ve found there is consensus on the overall audit opinion, the customer is responsive to the results, and the risks identified are swiftly addressed. Eventually, this led to the elimination of audit opinions. Observations and risks were clearly communicated, and the dreaded audit opinion was no longer the focal point of the review. There are plenty of audit teams and customers that spend countless hours debating audit opinions. I’ve known auditors that relish the moment an audit opinion is revealed. Those discussions frequently happen at the end of the audit and create a lasting impression. Who wants to be told they are inadequate? Yes, we primarily audit processes, not people—but it’s difficult for a customer not to take a negative opinion personally. What really matters is whether positive change happens!

A
42
Q

Commit to customer success. Take time to understand customer priorities. Nurture the relationship. Grow your customer garden—providing nourishment, energy, and light. Check your investments in customers—reaching out to them throughout the year and after audits are completed to check on unintended impacts. Be ready, available, and flexible—committing means being there for our customers when they need us. Go above and beyond every time to help them solve a problem.

A
43
Q

Executives responding to the World Economic Forum’s 2015 Technological Tipping Points Survey said that 30% of corporate audits would be conducted by artificial intelligence by 2025. This is consistent with the Oxford Martin School study in 2013, which predicted that 47% of US jobs would be lost to automation within 10–20 years. Ignoring the realities of the future will lead to obsolescence.

A
44
Q

Our job is to always be in development mode, learning the newest technical and soft skills necessary to deliver value for customers. We must be our own talent agents, mindful of our ability to anticipate and meet customer needs, sometimes before they know what those needs are. Therein lies the importance of the Talent Factor. Having skills to meet future customer requirements is foundational to thrive. Each of us needs to take personal responsibility

A
45
Q

Ethics investigation results. Salary information. Pending company acquisitions. Internal audit has access to a vast amount of confidential information. Trust is critical. The executive team understands that internal audit has a duty to provide the Audit Committee insight on the risk environment. If you’ve formed a trusting relationship with your customers, leaders, and Audit Committee, minor mistakes will be overlooked. On the other hand, not having developed trust can create grave circumstances when mistakes occur.

A
46
Q

* What internal audit projects/opportunities would the team member like to pursue this year?
* Does the team member want to remain in internal audit near term or rotate to a different role?
* Identify roles and positions outside of internal audit that are realistic possibilities.

A
47
Q

A boss is bossy. A leader leads. A manager manages.

A
48
Q

Building a Competency Model
The competency model is designed to reflect the company environment.
Consider the following:
Strategic objectives
Technical ability
Leadership
Professional knowledge
People/teaming

A
49
Q

Strategic objectives
* What are the company’s strategic objectives?
* How do the objectives relate to internal audit’s mission?
Translate each objective into internal audit goals.
* What skills are necessary to achieve those goals?
* How will performance against those goals be measured?
* What behaviors demonstrate success?

A
50
Q

Technical ability
* What technical abilities are necessary to support goals and objectives? Consider skills in audit technique, critical thinking, information systems, process improvement, and data analysis. Pay special attention to industry and company-specific skills that support strategic objectives (e.g., manufacturing).
* What type of job experience is required? Who will the audit team be interacting with? If the company is an engineering firm, will engineering expertise help the audit team assess engineering processes? If it is a healthcare company, will experience in evaluating healthcare systems be important? If the company works with government, will government experience be essential?
* What behaviors demonstrate technical competence?

A
51
Q

Leadership
* What leadership qualities enable success at the company?
Is it a command and control organization or a collaborative environment?
* How is honesty and integrity demonstrated at the company?
* How is reliability and dependability demonstrated?
* How is courage exhibited?
* Does the company culture encourage calculated risk taking (ethical risk taking)?
* What behaviors reflect transparency?
* How can auditors demonstrate accountability?

A
52
Q

Communication and influencing
* How do successful people and teams communicate at the company?
* How is change influenced?
* How do facilitators manage change?
* What writing skills are necessary?
* What presentation skills are necessary?

A
53
Q

Professional knowledge
* What professional certifications are needed? Consider the usual, such as Certified Internal Auditor, Certified Public Accountant, Certified Information Systems Auditor, but also nontraditional certifications such as Project Management Professional Certification.

A
54
Q

People/teaming
* What types of coaches and mentors would be helpful to encourage and accelerate talent growth?
* How does the company recognize individual and team success? Translate to team behaviors.
* How is organizational capability grown?
* How is talent identified?

A
55
Q

The International Standards for the Professional Practice of Internal Auditing (The Standards) states, “The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.” At the end of the day, companies and process owners are looking to meet their objectives, which requires identifying and addressing risks that prevent achieving those objectives. The Standards also state, “When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.” So there is a fine line for us to follow between leading risk awareness and managing risks.

A
56
Q

A risk is anything that prevents the achievement of an objective. It covers strategy, operations, reporting, and compliance. Risks are ever present, continuously evolve, and have varying velocity. They are present at the highest level of an entity with broad potential impact, down to the individual worker striving to fulfill responsibilities. Risks are interdependent, driving complexity. Too often, risks are viewed in silos. For instance, two lower-level risks may drive the likelihood of other negative events occurring, creating a higher overall risk. An individual high or critical risk that management is comfortable accepting may be unacceptable when married with another high or critical risk. The realization of one risk may increase the likelihood that other risks will occur. Internal audit needs to help management make connections between risks and overall risk levels.

A
57
Q

Capture the following information for each major risk:
* Overall risk title: describes the risk in two or three words.
* Risk description: a more detailed description of the risk including circumstances that make it relevant and the impact of the risk, if it were realized.
* Influencers: factors that are influencing the risk to be more significant.
* Near-term issues: the immediate concerns that management should be addressing related to the risk.
* Management levers and initiatives: actions that management is taking to mitigate the risks. This is a high-level description of the action. A more detailed action plan (or plans) should be documented and tracked separately.
* Suggested audit actions: a description of how the top risk relates to the audit plan or other actions that internal audit may take, such as monitoring of a business activity.

A
58
Q

Various operations help an organization achieve its objectives. Using the categories below, or other categories consistent with the organization’s operations, rate the desired risk appetite related to the following (the rating can be broad, such as high, medium, or low, or precise, such as specific metrics that should not be exceeded):
a. Meeting customer requirements
b. Employee health and safety
c. Environmental responsibility
d. Financial reporting
e. Operational performance
f. Regulatory compliance
g. Shareholder expectations
h. Strategic initiatives/growth targets
As you rate each category, indicate areas where you believe the organization is taking either too much or too little risk in pursuing its objectives.

A

How would you rate the effectiveness of the organization’s process for identifying, assessing, managing, and reporting risks in relation to the overall risk appetite? What are the major areas for improvement?
* Are management’s strategies communicated sufficiently for there to be meaningful discussion of risk appetite in pursuit of those strategies, both at the broad organizational level and at the operational level, and for consistency to be analyzed?
* How satisfied are you that the board is providing effective oversight of the risk appetite through its governance process? This includes board committees and/or the board itself to help set the appetite and to monitor over time that management is adhering to the overall risk appetite in pursuit of value.
* Whom do you see as more accepting of risk or more willing to take risks to meet the goals of the organization?
a. Management
b. Board
c. Management and board have similar levels of acceptable risk
* Does the organization motivate management (senior management and operational management) to take higher than desired risks because of the compensation plans in place? If yes, how do you believe the compensation plans should be modified to bring approaches for generating high performance within the risk appetite?
* What do you believe the organization should do?
a. Reduce its risk appetite
b. Increase its risk appetite
c. Make no change
* Do you believe there are risks considered to be above the organization’s existing risk appetite that need to be reduced? In other words, are there areas where the risk appetite, as currently used, is too low?
* What risks over the past 5 years were, in your view, above the organization’s risk appetite? Were the risks understood when a strategy was developed? How could management have communicated its risk appetite so that the board could both (a) evaluate the risk appetite and (b) provide proper oversight? How could management have communicated its risk appetite so as to hold operational units to actions consistent with the risk appetite?

59
Q

Risk Assessment at a Department / Sub-Department level:
* Likelihood of the risk occurring. Rate on an agreed-upon scale (e.g., 1–3 or 1–5)
* Impact of the risk occurring (operational, compliance, financial). Rate on the same scale used to rate likelihood
* Controls in place to mitigate the risk
* Perceived residual risk considering the controls identified. Rate on the same scale already used
* Total risk score (residual risk × risk impact)
* Risk velocity (increasing, steady, decreasing)
* Linkage to ERM top risk, if there is one. Where there is correlation with a top five risk, it is noted.

A
60
Q

Defining Impact
Impact is the severity of the effect on meeting the objective for this process and the negative consequence. High impact indicates objectives will not be met, resulting in a significant financial impact (>$ material to the company) that is not covered by insurance and includes fines and penalties, customer reimbursements, and inability to bill for or receive revenue. Severe operational impacts could include loss of life or injuries, critical systems being unavailable for more than X days when needed, a breach that results in loss of government information or critical intellectual property, or an inability to meet contractual deliverables. Compliance impact could include external regulatory action such as debarment, disqualified business systems, credit downgrade, or other actions that significantly alter the ability to operate. Medium impact indicates a moderate financial impact ($ range based on risk appetite) to the company, operational disruption that lasts less than X days, and compliance issues that result in regulatory corrective action short of systems disqualification. Low impact indicates minimal financial impact (<$ a specified amount based on risk appetite) and negligible operational/systems disruption (intermittent or less than an hour), while objectives will still be met.

A
61
Q

Risk questionnaire to employees:
Ask employees to rate their level of agreement with each of the following
six statements with a rating scale of “strongly agree,” “agree,” “neither agree nor disagree,” “disagree,” or “strongly disagree.”
* I have the knowledge and training to meet compliance requirements associated with my job.
* I am encouraged to ensure that financial records are accurate and truthful, regardless of the financial impact.
* I am encouraged to follow policies by my manager.
* My manager consistently demonstrates high standards of ethical conduct.
* If I reported a violation of the Standards of Conduct and Ethics to my manager, I believe appropriate action would be taken.
* I know what action to take if I become aware of unethical or fraudulent behavior.

A

The second part of the survey can ask employees to “tell us in a few words, what you believe to be the single most significant risk facing the company.”

62
Q

Division Risk Landscapes
Partnering with division business leadership—the various sectors or divisions within a company—to develop Division Risk Landscapes can add real value. Division Risk Landscapes can capture a summary profile of the division (locations, staffing, turnover), compliance
statistics, top risks for the division, higher risk initiatives, and major customers. The purpose is to facilitate risk discussions with the division presidents and determine whether internal audit engagement is needed. The landscapes can be shared with the CFO and CEO.

A

Some key facilitation questions to consider asking during a risk workshop:
* Has anyone else faced a similar circumstance?
* How would/does “X” impact the organization?
* Are there any unknowns about “X” that the group should consider?
* What are other companies doing to address “X”?
* Does the function or organization have the resources necessary to address the risk?
* Does the risk rise to the level of concern that it should be communicated to the executive team?

63
Q

Added Value Factor = Perceived Benefits / Perceived Costs
If the AVF is less than 1.0, reassess whether it is appropriate to invest internal audit resources. For management requests and consulting engagements, we need to ask the question, why should we do this project? As part of the analysis, estimate the potential benefit vs. cost of taking on the effort as outlined in the introduction. Determine whether there is executive support or if the request is supported, for instance, by middle management only. Without executive support, it may be difficult to apply resources to resolve the problem during the improvement phase.
Determine the time period for resolving the problem. Projects that extend beyond 12 weeks may encounter changing business circumstances. There may be changes to processes, systems, and people that impact the initial problem statement. Resolution of the problem may be less meaningful to the customer if it takes too long. Generally, speed of delivery is considered a value-added benefit.

A
64
Q

For an audit, first state the following clearly:
* Clear problem statement
* Understand who the customers are: who is the core customer, who can support, who should be consulted, who should be kept informed.
* Determine how each customer wants to engage on the project.
* Determine the data required - internal/external (benchmarks) data; which of it is produced? Who produces it?
* Do we need external parties or expertise to conduct the audit?
* Clearly state the vision for the project. A vision statement is a compelling vision of what the future state would look like if goals are accomplished.

A

Vision Statement
Look into the future imagining the improvements are in place and have been implemented for a sustained amount of time.
The vision statement should
* Be concise with one or two sentences at most
* Include the AVF based on data
* Avoid outlining the solution
* Be forward-looking and positive
* Cover a specific period of time and be measurable
* Describe the impact to the business
* Describe the gap between the current and future state in neutral terms

65
Q

Desirable and Undesirable Effects of steps within a process:
The next phase of the workflow assessment is looking at Desirable Effects (DEs) and Undesirable Effects (UDEs) in the process. A DE is anything that positively impacts the performance of the process, supports customer achievement of objectives, or leads to customer value. A UDE, also known as a “pain point”, is anything that negatively impacts performance of the process, prevents the customer from meeting objectives, or leads to customer dissatisfaction or non-value.

A
66
Q

Be a part of improving the process:
Now that the root causes have been selected, we need to support the customer in designing a solution. Internal auditors are sometimes hesitant to help design management action plans for fear of impacting objectivity and independence. The bottom line is that the customer is the ultimate owner and has the final decision on design. Avoiding design assistance can leave the customer feeling unaided at a crucial point in the process.

A
67
Q

Finding and implementing solutions:
Too often, solutions and management action plans are designed in a vacuum with little information. We need to bring together the “core customers” and a selection of “consulted customers” to brainstorm potential solutions. By engaging consulted customers early, we collaboratively design the solution, which leads to quicker acceptance. There are many instances of internal auditors making recommendations, which the auditee feels compelled to implement, without consideration for downstream impacts. There is also a reluctance among some internal auditors to consider all of the options for resolving a root cause. This is driven by lack of creativity, time constraints, pressure to issue reports, poor customer relationships, and lack of subject-matter expertise.

A
68
Q

The last step in the change process is to track the progress of the changes made. Inherent in tracking is a need to have clearly identified action owners, as well as metrics. We also want to make sure that the change is institutionalized. This means updating policies and procedures, training programs, and finding additional champions to make sure the change takes hold.

A
69
Q

Serially successful innovators have a method to support their achievements. Likewise, internal auditors need a system to help customers improve processes, identify cost savings and efficiencies, accelerate change, and design the best future state solutions. In other words, a method to consistently deliver value. The SMART system offers such a system. SMART raises the value of audits and special projects for our customers. Start by stating and understanding the problem to be addressed. Measure current practices and business workflows for understanding. Analyze the root causes of UDEs and pain points. Prioritize resolving the most impactful root causes. Refine solutions to address the desired future state. Make certain to anticipate things that could go wrong and update designs to address potential failures. Track the solutions and validate whether the expected value has been delivered. If it hasn’t, revisit the solution and iterate. Remember that solutions should be dynamic and responsive to new circumstances and conditions.

A
70
Q

Data Analytics:
We leverage software to perform data analytics, but in order to achieve value-added results, we need to understand which questions to ask, what relevant data to examine, and how the problem relates to the data. We need to decipher what is important and what is not. Data analytic software is only as effective as the person behind the design of the analysis. It’s really about critical thinking skills.

A

Data analytics provides powerful value to the enterprise including insights on how to reduce the cost of operations, recover and optimize revenue, monitor compliance, lean out business processes, optimize information systems, and detect fraud. We are able to eliminate random or haphazard sampling for testing by using data analysis. Instead, we can analyze 100% of transactions and focus on outliers for further examination.

71
Q

What if the opening meeting included profiles of the customer’s data with insights and trends? I believe a meeting should not happen unless there is value derived for the customer.
We need to conceptualize the possibilities for the operation being analyzed. Consider the following:
* Is there an important problem to solve? If so, what is the problem?
* What do we envision as the outcome for the analysis?
* What value will be provided? What are the perceived benefits?
* At the end of the analysis, what “ah-ha” moment are we looking to provide for the customer?
* Will the customer’s fundamental thinking about their operation change?

A
72
Q

Partner with the customer to identify his or her priorities for the analysis. Understand the operation before analyzing the associated data. Leverage documented workflows and other artifacts as discussed in the chapter on Process Optimization. Consider the following questions:
* How has the operation changed over the last 12, 24, and 36 months? Include all relevant data.
* What impact have changes had on the operation and the enterprise overall?
* What spending does the operation control? Follow the money.
* What drives operational expenditures? What could go wrong?
* How does the operation impact revenue?
* What types of information systems are used, and how do they relate to other operations within the company?
* Can data be manipulated?

A
73
Q

Perform a Benford’s Law Analysis on the data. Benford’s Law Analysis is available in most analytic software packages.

A

Some additional areas that I’ve found to be fruitful include Inventory, Petty Cash, Payroll, Corporate Credit Cards, Accounts Receivable, Overtime Pay, Benefits Programs, Consultants, Computer Hardware, Intellectual Property and Licensing, Construction, and Major Vendor Agreements.

74
Q

While this fact of auditor “need” when it comes to client involvement during audits is daunting, there is a glimmer of good news. The need is not an insurmountable barrier but does represent a significant challenge to every auditor. But to overcome this barrier, the auditor will have to recognize and accept one indisputable fact when it comes to the internal audit and business partner relationship. And that fact is, no matter what type of relationship is being discussed – whether it is boyfriend and girlfriend, husband and wife, or auditor and client – there is always one person in every relationship who wants it a little more than the other. Okay. So, what does that mean? It means one person will always work harder and be more flexible to ensure the relationship continues to grow and stay strong. Auditors must realize early on in the relationship development process that we are the party recognizing we will have to work harder and be more flexible than our business partner to ensure the relationship stays strong and intact.

A
75
Q

In every one of the meetings you have with the business owner, prepare effectively by confirming the meeting objective prior to the event and mastering the data. Then remember one additional key to effective meeting facilitation and relationship building with your business partner: never try to defend the questions you are asking. When asking questions or clarifying potential exceptions with your business partner, always use the data to support (not defend) the specific questions being asked. The data will drive the support for your message and will always give you the confidence as you seek clarification for questions posed.

A
76
Q

As in every assigned audit, the auditor should begin with an understanding of the audit objective. Unfortunately, most audit teams get assigned an audit and never bother to review the annual risk assessment to determine why this audit was included in the annual plan. The auditors just figure that the annual planning was completed, and it was decided to include this audit in the current year. What the auditors do not realize is that the information compiled in the annual audit plan provides a solid foundation as to what the business process includes, key personnel, systems utilized in the business process, as well as any potential process risks. Also included in the annual planning documentation is the audit history, which details when the area was last reviewed, what the audit rating (opinion) was, and issues identified that required management action. Auditors might not recognize how valuable this information could be.

A
77
Q

When it comes to control, no business team is sitting in their offices looking for ways to add new controls to their process to strengthen the environment of their business operations. Most business units are wondering how they can do what they do faster so they can get more business and process more transactions. And in the business effort to go faster and process more transactions, it creates an environment that is ultimately not well controlled. As the auditor introduces the control concept, it should be linked to the idea of removing any barriers that could impede the business process from being completed in the most effective and efficient manner.

A
78
Q

One of the outcomes of an audit is that the audit results will show the business process has been effectively designed, built, implemented, executed, and accurately reported. These five factors of the business process, when done correctly, will produce the expected results. Keep in mind, every process will deliver a result. The key, which must be verified through data examination and effective reporting, is whether the business process achieves the intended result. The examination of the data and reporting should be done on an ongoing basis by the business unit and is the same information the audit team will examine during their review. The other outcome of an audit is that after a detailed review of the data and validation with the business partner, the audit reveals a breakdown(s) in the business process that does not produce the intended results. This breakdown is going to be directly linked to one of the five factors from design to reporting, and it is the job of the auditors, in partnership with their business partner, to identify the root cause

A
79
Q

When audit departments start receiving calls from business unit management asking for audit representation on a project team, for a specific audit to be started, for an operational review to be facilitated, or an opinion on a simple process enhancement, internal audit will know not only that their marketing efforts are beginning to change the misconceptions regarding audit activities but also that the internal audit department is gaining credibility across the company.

A
80
Q

Internal audit functions are essential for:

* Ensuring Internal Control Systems: They evaluate and strengthen mechanisms, policies, and procedures to protect assets, provide accurate financial reporting, and prevent mismanagement or fraud.
* Enhancing Risk Management: By assessing and mitigating risks, they help organizations adapt to changing conditions and align risk management with strategic goals.
* Ensuring Compliance: They verify that the organization adheres to laws, regulations, and industry standards, avoiding legal penalties and building stakeholder trust.
* Promoting Operational Efficiency: Through process audits, they streamline operations, reduce costs, and optimize resource allocation for more sustainable growth.
* Providing Independent and Objective Assessments: They offer unbiased and reliable assessments. This can foster transparency and accountability for stakeholders.

A
81
Q

DIGITALISING INTERNAL AUDIT (Gartner Paper)

A
82
Q

CAEs face pressure from above to become more digital and are also driven to keep up with the other functions in the organization. Forty-seven percent of CAEs report that the audit committee is increasing its expectations for innovation within the audit department. CAEs also identify specific technology areas where the audit committee expects substantial progress. These include better integration of data analytics into audit’s work (37%), greater use of automation and advanced technologies within the audit department (32%), and greater use of continuous monitoring and continuous risk assessment (30%).

A
83
Q

Transformation involves pushing beyond the current capabilities and approaches used in audits by adopting net new digital techniques. Examples of transformation include:
* Deploying advanced data analytics techniques, such as predictive modeling, to strengthen assurance outcomes
* Discovering new insights by using techniques such as natural language processing or process mining
* Generating analysis of high volumes of information by leveraging machine learning models
* Using generative AI to assist in writing, summarization or coding tasks

A
84
Q

Optimization involves applying technology to improve on audit’s current methods and processes, making them more efficient and effective. Examples of optimization include:
* Using dashboards to track function performance and the progress of audits
* Using data visualization tools to increase the impact of communication
* Automating routine tasks

A
85
Q
A
86
Q

RISK ASSESSMENT
Data-driven continuous risk assessment, which leverages ongoing monitoring of key risk indicators (KRIs) to sense changes in the risk landscape, is a leading use case for digital tools in risk assessment. Digital audit functions can also leverage predictive analytics techniques. These approaches use machine learning models to assess the likelihood of future events, allowing for even greater agility than monitoring of potentially lagging KRIs. RBC’s automated risk detection tool illustrates the use of data and machine learning for risk assessment.

A

RBC developed an automated risk assessment tool — RaptOR (Risk Assessment Planning Tool and Organizer) — to facilitate continuous risk monitoring and dynamic audit planning. The tool continuously monitors the risk profiles of each audit entity using a composite of key risk indicators (KRIs), key performance indicators (KPIs), and key controls indicators (KCIs) from both internal and external data sources. The tool leverages a combination of statistical and machine learning techniques to measure deviations in risk profiles compared to historical baselines. The model flags elevated risks, which can then be used as an input in forming or adjusting the audit plan.

87
Q

FIELDWORK
Data analytics tests can also be automated to enable continuous assurance practices, including continuous monitoring, continuous auditing and continuous risk assessment.
Many other digital tools and techniques can be leveraged in auditing, in addition to data analytics, and the scope of available technologies is constantly expanding. Growing advanced techniques include:
* Robotic process automation (RPA) to streamline manual processes
* Natural language processing to analyze textual information
* Classification algorithms to handle unstructured data sources
* Process mining to track the actual execution of business processes and pinpoint variations across business units or geographies
* Analysis of digital twin models as a proxy for site visits or monitoring of physical systems

A
88
Q

COMMUNICATION & DATA VISUALISATION
Enterprise Holdings improved communication of findings from continuous monitoring of transactions for potential fraud by building a dashboard to consolidate information for stakeholders.

A

Based on feedback about the volume of reports to review, Enterprise Holdings created a continuous monitoring dashboard compiling several legacy fraud detection reports into a single view to make monitoring more efficient. The dashboard helps the business focus on high-risk items without having to do a lot of their own analysis to find those items. Potential fraudulent transactions are categorized into “high,” “moderate” and “low” risk based on predetermined factors. While not all available continuous monitoring reports are included in the dashboard, it enables users to perform a more focused review.
This results in less time spent running and analyzing reports, significantly reducing the time the business spends on continuous monitoring reviews. Once created, the dashboard is handed over to the business, so internal audit only needs to check that the business is reviewing the dashboard per the company’s continuous monitoring accounting policy.

89
Q

AUDIT DEPARTMENT OPERATIONS
Digital audit functions use technology not only in their work but also in how they work. They leverage technology to manage the audit department’s operations, measure and track performance, and streamline internal collaboration. Some examples of function management applications of the technology include:
* Technology-enabled project management for audits, for example, through an audit management system or other project management platform
* Cross-functional data and information sharing for aligned assurance efforts, for example, through a governance, risk and compliance tool
* Communication and collaboration applications, including chat tools and cloud-based file sharing and version control tools
* KPI monitoring and dashboards for tracking department and individual performance, including for quality assurance efforts
Audit at Synchrony developed an internal dashboard to monitor audit progress and auditor efficiency.

A

As the assurance demands on audit increase, CAEs and audit department leadership need a centralized way to track department operations and enable decisions in order to assess and improve department efficiency. Synchrony’s audit leadership team uses an internal activity dashboard to see a real-time overview of department operations. Synchrony’s dashboard and its simple visualizations enable the CAE and different members of audit leadership to make quick decisions to improve department performance. Each audit leader has a tab to quickly view their team’s work status, while the CAE can either maintain a departmentwide view or drill down into each of their direct report’s teams. The dashboard helps audit leadership “run audit like a business” by using data to monitor KPIs (such as issues past due, audit budgets and engagements over 90 days) and quickly address issues as they arise.

90
Q
A