Building The Audit Function - Instituut Van Internal Auditors Indonesia


FEBRUARY 2019 A PUBLICATION OF THE IIA

INTERNAL AUDITOR

TRIALS AND TRANSFORMATION

Ten years after the global economic crisis, the internal audit profession is strong and ready to take on new challenges.

Richard F. Chambers, IIA President and CEO

INTERNALAUDITOR.ORG




FEBRUARY 2019 VOLUME LXXVI: I

FEATURES

24 COVER Trials and Transformation
Ten years ago, amidst unprecedented economic upheaval, Richard Chambers became The IIA’s president and CEO. The internal audit profession has changed much since then, he says, and it will need to continue to evolve. BY ANNE MILLAGE

30 Building the Audit Function
A strategic, measured approach to setting up shop can produce lasting results and strong relationships. BY NEIL HODGE

36 The Audit Committee Connection
Internal audit’s ability to serve as a trusted advisor to its primary stakeholder is key to organizational success. BY SETH PETERSON

42 Beneath the Data
Auditing with self-service business intelligence tools can help practitioners mine the organization’s data sources and provide greater assurance. BY CHRISTOPHER KELLY AND JAMES HAO

48 An Audit of Strategy
Four questions can help internal auditors ensure an effective strategic management process, the backbone of organizational success. BY MATEJ DRAŠCEK, ADRIANA REJC BUHOVAC, AND GAVIN LAWRIE

53 7 Practices for Better Audit Outcomes
The U.S. Department of Homeland Security follows guidelines that improve the auditor–auditee relationship. BY JIM H. CRUMPACKER



DEPARTMENTS

7 Editor’s Note
8 Reader Forum
63 Calendar

PRACTICES

10 Update
Basel compares cyber plans; businesses fear digital competitors; and criminals recruit money mules.

14 Back to Basics
Opening and closing meetings are key to successful audits.

16 ITAudit
IT auditors prove their worth as trusted advisors.

19 Risk Watch
Audit’s role in addressing cyber risk is evolving.

22 Fraud Findings
A sales rep capitalizes on weak internal controls.

INSIGHTS

57 Board Perspectives (NEW)
Audit committees and CAEs work best when they work together.

59 The Mind of Jacka
Practitioners are more than just auditors.

60 Eye on Business
Providing foresight is a must for internal audit.

64 In My Opinion
The right approach to client conversations can enhance internal audit’s value.

ONLINE InternalAuditor.org

Agile Planning
With today’s rapidly shifting business priorities, established audit plans may need to be reshuffled quickly to meet stakeholder demands. Are CAEs up to the challenge?

Disruptive Leadership
Watch Citigroup Chief Auditor Mary McNiff explain the need for audit leaders to practice disruption, emphasizing its key role in talent management and innovation.

Assurance in the Privacy Regulatory Age
Internal audit can help ensure the organization complies with the new wave of privacy regulations.

Fleecing the Crowd
Despite crowdfunding’s good intentions, some campaigns may be raising money for fraud.

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations.
Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2019 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer
Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. CANADA POST
INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The
Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.


Editor’s Note

10 YEARS ON

I look back at late 2008 and early 2009 as the most difficult time of my 18-year career with The IIA. It was the one time I was forced to let team members go, and to watch friends and co-workers lose their jobs through no fault of their own. At the time, the global economic crisis was making its way through organizations, and The IIA was not spared. The Institute was forced to part with more than 40 employees despite efforts by leadership to steady the ship.

As that difficult time was beginning, The IIA’s Board of Directors brought in Richard Chambers as The Institute’s ninth president. Chambers, along with the Board, worked closely with IIA staff members to identify areas where The IIA could cut costs and grow revenue. “Those early months of 2009 were really spent working collaboratively,” Chambers says, adding that the process “really exemplified the very best of who we are.”

Ten years on, I had the opportunity to sit down with Chambers at The IIA’s Headquarters in Lake Mary, Fla. He reflected on those challenging days, discussing how The IIA and the internal audit profession responded to the financial crisis and how both have grown in scope and influence since then. In “Trials and Transformation” (on page 24), Chambers notes, however, that there is much room for improvement when it comes to internal audit’s value proposition. For example, he points out the need for practitioners to fully embrace the International Standards for the Professional Practice of Internal Auditing and learn to provide foresight on risks to the organization.

In “The Forward-looking Auditor” (on page 60), Shawn Stewart of Grant Thornton and Sandy Pundmann of Deloitte take the internal audit foresight discussion further, delving into just what it will take for internal auditors to succeed in this area. “If successful, internal auditors have an opportunity to inform and shape the critical decisions that their management teams must make,” Stewart says.

Among those decision-makers is the audit committee, which is the focus of Internal Auditor’s new department, “Board Perspectives,” on page 57. We have revamped and renamed “Governance Perspectives” to focus on the expectations of internal audit’s stakeholders — the board and audit committee. The department is written from the perspective of the audit committee, featuring committee members sharing their views on how internal audit can provide value to them and the organization. These leaders also will discuss the audit committee’s oversight responsibilities, ways to align internal audit with the audit committee, and timely business events in which audit committees and internal audit should be involved. Matt Kelly, editor and CEO of Radical Compliance, is the author of the new department. Let us know what you think!

@AMillage on Twitter



Reader Forum
WE WANT TO HEAR FROM YOU! Let us know what you think of this issue.
Reach us via email at [email protected]. Letters may be edited for clarity and length.

The Danger of Underthinking

I recognize a number of these issues — as I am sure many auditors do — and they are some of the reasons audit is not as value adding and productive as it could be. However, there is an irony when we hear of a book about overthinking that is followed by seven things not to do. In other words, arguably overthinking, itself.

As I see it, we need to be wary of all thought traps — overthinking and overcomplicating things — but we also need to be wary of underthinking: doing superficial work, not making our work relevant to the business, and not getting below the surface of what causes issues to recur (e.g., root causes). It takes brains, teamwork, and good communication to get the right balance of thoughtful but practical and rigorous but not overcomplicated. Let’s think critically about any book with an overly simplistic answer to all our challenges.

J. PATERSON comments on Murray Wolfe’s “Breaking Free of Mental Traps” (December 2018).

Being Relevant to Management

I think the key is not for internal audit to focus on the biggest risks, but, instead, to focus on the top value creation and preservation objectives using an objective-centric risk assessment that links to strategy and performance. That will immediately make audit’s work more relevant to management, particularly if management’s compensation is linked to performance. If management and the board won’t allow internal audit to look at value creation, at least use an objective-centric risk assessment for the more traditional value preservation objectives.

TIM LEECH comments on the Chambers on the Profession blog post, “‘We Are Here to Help You’: Managing Relationships When Management Is Skeptical” (InternalAuditor.org).

Fear of Organizational Politics

From my observations, rather than ignoring organizational politics due to professionalism and ethical reasons, most of us are, in fact, afraid to become actively involved in it. Maybe because there is an inverse correlation between strong analytical skills and strong interpersonal ones. Whatever the reasons may be behind nonparticipation in organizational politics, it is a fact that our achievements are significantly affected by our skills to understand the organization’s “shadow activities” and use their dynamics. Of course, my comments refer only to positive politics.

ELTON XHAFA comments on the From the Mind of Jacka blog post, “I Hate Politics” (InternalAuditor.org).

EDITOR IN CHIEF
Anne Millage

MANAGING EDITOR
David Salierno

ASSOCIATE MANAGING EDITOR
Tim McCollum

SENIOR EDITOR
Shannon Steffee

ART DIRECTION
Yacinski Design

PRODUCTION MANAGER
Gretchen Gorfine

CONTRIBUTING EDITORS
Wade Cassels, cia, ccsa, crma, cfe; J. Michael Jacka, cia, cpcu, cfe, cpa; Steve Mar, cfsa, cisa; Bryant Richards, cia, crma; James Roth, phd, cia, ccsa, crma; Charlie Wright, cia, cpa, cisa

EDITORIAL ADVISORY BOARD
Dennis Applegate, cia, cpa, cma, cfe; Lal Balkaran, cia, fcpa, fcga, fcma; Andrew Bowman, cpa, cfe, cisa; Mark Brinkley, cia, cfsa, crma; Robin Altia Brown; Adil Buhariwalla, cia, crma, cfe, fca; Wade Cassels, cia, ccsa, crma, cfe; Faizal Chaudhury, cpa, cgma; Daniel J. Clemens, cia; Michael Cox, fiia(nz), at; Haylee Deniston, cpa; Kayla Flanders, cia, crma; James Fox, cia, cfe; Michael Garvey, cia; Jorge Gonzalez, cia, cisa; Nancy Haig, cia, cfe, ccsa, crma; Daniel Helming, cia, cpa; Karin L. Hill, cia, cgap, crma; J. Michael Jacka, cia, cpcu, cfe, cpa; Sandra Kasahara, cia, cpa; Michael Levy, cia, crma, cisa, cissp; Merek Lipson, cia; Thomas Luccock, cia, cpa; Michael Marinaccio, cia; Alyssa G. Martin, cpa; Dennis McGuffie, cpa; Stephen Minder, cia; Rick Neisser, cia, cisa, clu, cpcu; Hans Nieuwlands, cia, ra, ccsa, cgap; Manish Pathak, ca; Bryant Richards, cia, crma; Jeffrey Ridley, cia, fcis, fiia; James Roth, phd, cia, ccsa; Katherine Shamai, cia, ca, cfe, crma; Debora Shelton, cia, crma; Laura Soileau, cia, crma; Jerry Strawser, phd, cpa; Glenn Sumners, phd, cia, cpa, crma; Stephen Tiley, cia; Robert Venczel, cia, crma, cisa; Curtis Verschoor, cia, cpa, cfe; David Weiss, cia; Scott White, cia, cfsa, crma; Rodney Wright, cia, cpa, cfsa; Benito Ybarra, cia

IIA PRESIDENT AND CEO
Richard F. Chambers, cia, qial, cgap, ccsa, crma

IIA CHAIRMAN OF THE BOARD
Naohiro Mouri, cia, cpa

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS INC.

CONTACT INFORMATION

ADVERTISING
[email protected]
+1-407-937-1109; fax +1-407-937-1101

SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES
[email protected]
+1-407-937-1111; fax +1-407-937-1101

EDITORIAL
David Salierno, [email protected]
+1-407-937-1233; fax +1-407-937-1101

PERMISSIONS AND REPRINTS
[email protected]
+1-407-937-1232; fax +1-407-937-1101

WRITER’S GUIDELINES
InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.



Digital capabilities are executives’ top risk… Low cost for cybercriminals…
Stakeholders’ internal audit expectations… “Mules” and money laundering.

Update

BASEL GAUGES CYBER RESILIENCE

International standards-setter reviews cybersecurity practices.

A Basel Committee on Banking Supervision report compares bank, regulatory, and supervisory cyber resilience practices across the committee’s member jurisdictions. Cyber-resilience: Range of Practices draws from analysis of authorities’ responses to previous surveys and exchanges between international experts. The report aims to help banks and supervisors “navigate the regulatory environment” and identify “areas where further policy work by the committee may be warranted.”

The Basel Committee classifies its review of cyber resilience along four main categories: governance and culture, cyber risk assessment and management, communication, and interconnections with third-party service providers. Within these areas, the research summarizes current challenges and initiatives along 10 key findings, illustrated by case studies.

Among its findings, the committee reports that most supervisors leverage existing standards for their cyber resilience efforts, including the International Organization for Standardization’s ISO 27000 and the U.S. National Institute of Standards and Technology Cybersecurity Framework. And while the report notes supervisory practices converge in areas such as governance and testing, technical specifications and cybersecurity expertise differ across jurisdictions.

The report also found high levels of maturity within IT and operational risk management practices, pointing out that banks leverage these practices to address cyber risk and supervise cyber resilience. In particular, the report notes, “Jurisdictions expect banks to have a strategy and framework to comprehensively map and actively manage their IT system architecture.” Still, the report finds that banks generally do not have a board-approved strategy that clearly defines cyber risk appetite and tolerance. — D. SALIERNO

AI STEWARDSHIP

Businesses are acting to ensure responsible use of artificial intelligence (AI).

64% Boost AI security with validation, monitoring, and verification.
61% Create transparent, explainable, and provable AI models.
55% Create systems that are ethical, understandable, and legal.
52% Improve governance with AI operating models and processes.
47% Test for bias in data, models, and human use of algorithms.

Source: PwC, 2019 AI Predictions

FEAR THE DIGITAL COMPETITORS

Digital uncertainty heads executives’ top 2019 risks.

Nimble, “born digital” companies are coming after their business — that’s the top risk keeping business leaders up at night. And they are concerned their organizations aren’t ready to compete, according to Executive Perspectives on Top Risks 2019. The report from North Carolina State University’s ERM Initiative and Protiviti is based on a survey of more than 800 board members, CEOs, and senior executives.

Specifically, respondents worry their organizations can’t adjust their existing infrastructure and operations to meet performance expectations, the report notes. That concern is multifaceted, comprising uncertainty about the organization’s digital readiness, ability to keep pace with changing market realities, and lack of innovative thinking about its business model.

Meanwhile, new competitors are scaling up digital business models and “redefining” the customer experience so quickly that established organizations don’t see it coming. Such disruptive competition could spell doom for organizations that can’t adjust their business models and core operations, warns Jim DeLoach, a managing director at Protiviti.

“Strategic error in the digital economy can result in the ultimate price, if a company continues to play a losing hand in the marketplace,” he says. — T. MCCOLLUM

55% OF FINANCIAL SERVICE PROFESSIONALS CITE GEOPOLITICAL RISK in areas such as China, the Middle East, and emerging markets as a top industry risk for 2019.

49% IDENTIFY BREXIT AS A TOP RISK.

“It is critical that firms continue to remain vigilant to anticipate and prepare for not only these emerging risks, but the potential cascading effects that may arise from an increasingly interconnected financial system,” says Michael Leibrock, chief systemic risk officer for the Depository Trust & Clearing Corp. (DTCC).

Source: DTCC, 2019 Systemic Risk Barometer Survey

MAKING CRIME PAY

Hackers need little money to cost victims millions.

Criminals responsible for companies losing millions of dollars in coordinated cyber attacks are making the most of a small investment. For as little as $34 a month, a criminal business could return up to $25,000. A monthly operating investment of $3,800 could yield up to $1 million per month, according to Deloitte’s threat study, Black Market Ecosystem: Estimating the Cost of “Pwnership.” Pwnership is gaming community slang that describes the act of dominating or defeating an opponent impressively.

The study points out that almost every criminal enterprise uses multiple related, but discrete, tools and services purchased on the black market. It identifies the most commonly used tools and services, their average estimated costs, the tools required to operate real-world criminal businesses, and the estimated operating costs of various cybercrime businesses.

Keith Brogan, managing director with Deloitte, says it is important “to review and compare these criminal businesses to help identify which exploits are the most affordable and lucrative for them to pursue.”

When Deloitte modeled enterprise operations for comparison, it found that the most affordable approach is phishing kits, while a campaign that uses several types of malware is the most expensive. It determined this by looking at the most common services, tools, and enablers independently, and calculating the average cost in each category. Researchers then identified which are necessary to perform common malicious activities to establish how the tools and services are related to one another.

Rather than focusing on taking down specific tools, organizations are better off detecting certain types of behavior, the report asserts. To challenge the criminal’s cost-benefit scenario, organizations can monitor activities and alter security controls based on tactics, techniques, and procedures — gleaned from threat intelligence — that require criminals to reinvent their operations from scratch. — S. STEFFEE

HIGH EXPECTATIONS

Audit committees need internal audit to help them navigate disruptive risks, says National Association of Corporate Directors President and CEO Peter Gleason.

What do audit committees expect of internal audit in 2019?

Given the current political and economic uncertainty, progressive audit committees will have their internal audit teams probe the effectiveness of management’s scenario planning and operating assumptions that underpin corporate strategy. In particular, they would like internal audit to test the effectiveness of controls and processes related to the management of political risk.

Recognizing the significant investments made in shoring up corporate defenses, audit committees would like to get better assurances that cybersecurity programs are effectively designed and implemented and whether appropriate controls are in place. Similarly, they will expect internal audit to more thoroughly examine the effectiveness of data privacy programs in light of increased compliance requirements and reputational risk. Technology governance is rapidly becoming a major mandate for boards, who will turn to internal audit to better understand risks associated with emerging technologies.

Internal audit possesses a distinct view and perspective on a range of risks that are strategic to the company, and must find opportunities to contribute to board-level dialogue about disruptive risks that are likely to plague the company over the next one to two years.

THE MONEY MULES

Criminals are recruiting individuals to launder stolen funds.

A recent money-laundering sting by European police authorities has drawn attention to the use of “money mules” to hide the origin of stolen funds. The three-month enforcement action resulted in 168 arrests and the identification of more than 1,500 individuals allegedly involved in transferring funds between accounts, Europol reports.

Criminal organizations recruit money mules to move money through the individuals’ bank or payment accounts on their behalf. Europol says these individuals often are young, new to a country, and unemployed or in financial distress.

Indeed, last year there was a 26 percent increase in the number of individuals under 21 acting as money mules, according to U.K. fraud prevention service Cifas. “Criminals are more and more turning to social media to recruit new accomplices,” through fake-job and get-rich-quick posts, Europol states.

Cybercrime is the source of more than 90 percent of money mule transactions, Europol notes. — T. MCCOLLUM

Back to Basics
BY SCOTT FELTNER EDITED BY JAMES ROTH + WADE CASSELS

OPENING AND CLOSING MEETINGS

Successful audits start and end with well-planned meetings.

Imagine attending an opening meeting for a scheduled audit. The audit topic is somewhat controversial and there has been pushback on the review’s timing. The auditor-in-charge worked hard to find time to get everyone to attend (8-10 people). The meeting is held in a huge conference room, so people are waving across the room and jokingly asking, “How’s the weather over there?” There is anticipation mixed with nervousness and anxiety as the auditors introduce themselves. The auditor-in-charge turns on the projector and forwards through the 12 slides in the opening meeting slide deck in about five minutes. She asks if there are any questions (there are none) and thanks them for their time. The group proceeds to exit the conference room feeling deflated. Everyone thinks, “What was the point of that?”

Now imagine attending a closing meeting for a different audit that went well. The clients are engaged with the issues internal audit finds and want to use the audit to help drive improvements in their business. The meeting is held in a huge training room set up with circular tables suitable for 36 people. The auditor-in-charge had difficulty aligning everyone’s schedules, so the meeting is held at 4 p.m. on Friday. Six of the 18 people call in to attend the meeting while the rest sit at the back of the room. Unfortunately, the auditor-in-charge shows up just five minutes before the meeting starts and has multiple issues with the technology — he neglects to bring an adapter for the laptop and doesn’t know how to use the projector. As a result, the meeting starts 15 minutes late. Two slides in, the meeting is derailed by someone on the phone asking a question, resulting in a five-minute side conversation between the auditor-in-charge and the person on the phone as the others disengage into side conversations or checking their phones and laptops.

Many times, internal audit takes opening and closing meetings for granted and just goes through the motions to conduct them. The difference between meetings that are successful and meetings that are not is preparation and clear objectives. Internal auditors can follow guidelines that will ensure these meetings are informative and engage their audit clients.

Prepare for the Meeting
The meeting room should be visited the day before the meeting to make sure it is appropriate for the number of people attending and that the auditor running the meeting understands how to use the technology in the room. If the auditor-in-charge is uncomfortable speaking in front of people, he or she should rehearse the entire meeting.


CONDUCTING EFFECTIVE MEETINGS

Because the opening meeting can set the tone for the audit and the closing meeting is a crucial last step in the audit process, internal auditors can benefit from tips to run the meetings in the most professional manner possible.
»» Consider your appearance at the meetings. Because internal audit is positioning itself as a competent team of professionals, they should look the part and dress appropriately.
»» Never sit opposite the clients in an “us vs. them” setup. The audit team should mingle to make the meeting more collaborative.
»» Don’t use “auditee” or other internal audit jargon with clients or other meeting participants. The only people who use those words are auditors.
»» Never read directly from the slides or the audit report. Points should be made as if the auditor is having a conversation. Use the slide deck and audit report as a guide, not a crutch. If an auditor is unable to do that, then he or she has not prepared well enough for the meeting.
»» Remarks should be addressed to the most senior (nonaudit) person in the room. This is simply good etiquette.
»» Be culturally sensitive. In the U.S., staff members present their own findings as a development opportunity. In other countries, the senior member of the audit team is expected to do so. There may be some other cultural etiquette for meetings, as well. Internal auditors should always research cultural norms if they are presenting in another country.
»» The auditor-in-charge should stand up during the meeting, if appropriate. Standing reinforces that he or she is facilitating the discussion.

Make Your Objective Clear
A meeting must have a specific and defined purpose. Before sending that calendar invitation, ask yourself: What do I want to accomplish? This should be shared ahead of time with the client.

Consider Who Is Invited
Think about who really needs to be in the meeting. When people feel that what’s being discussed isn’t relevant to them, or that they lack the skills or expertise to be of assistance, they’ll view their attendance as a waste of time. If there are any doubts about certain attendees, make them optional and let them decide whether to attend.

Stick to the Schedule
Create an agenda (or slide deck, in this case) that lays out everything that will be covered in the meeting, along with a timeline that allots a certain number of minutes to each item, and email it to people in advance.

Be Assertive
If one person is monopolizing the conversation — the fastest way to derail a meeting — call him or her out delicately. For example, “We appreciate your contributions, but let’s get some input from others.” Establishing ground rules early on will create a framework for how the group functions. Internal audit is in charge of the meeting. Discussions of risk ratings, for example, can be a derailer that the auditor should consider discussing outside of the meeting.

Start on Time, End on Time
Knowing that time is valuable, do not schedule any meeting for more than an hour. Sixty minutes is generally the longest time people can remain truly engaged. A Harvard Business Review article, “The 50-minute Meeting,” suggests allowing 10 minutes of the 60 minutes for travel and administrative time. And if only 30 minutes is needed, don’t schedule an hour.

Ban Technology
Laptops and smartphones distract people from being focused on the meeting or contributing to it. Instead, they’ll be sending emails or surfing the web.

Note Action Items and Follow-up
So that everyone is on the same page, a follow-up email highlighting what was accomplished should be sent within 24 hours to all who attended. Document the responsibilities given, tasks delegated, and any assigned deadlines.

If opening and closing meetings seem repetitive and boring, consider the actors who perform in some Broadway plays for years. They strive to do every performance, even the 873rd, with the same passion as the first. They polish and perfect it each time. Clients deserve the best from internal auditors, and there will always be someone in the room who hasn’t seen the slide deck or been through an audit before. The right preparation can make these meetings valuable and productive for auditor and client.

SCOTT FELTNER, CIA, CISA, is vice president, internal audit, at Kohler Co. in Kohler, Wisc.



ITAudit
BY PAUL SLYE + CHRIS WELTER EDITED BY STEVE MAR

TRUSTED FOR TECHNOLOGY

Nordstrom’s IT audit specialists pinpointed five areas to prove their worth as advisors.

Technology is a key enabler of business value. Internal auditors must be able to verify that these processes provide the intended return on investment and that technology risk decisions and resources are optimized. Without the necessary skills, auditors may not deliver the value that the business expects of them.

Most technology auditors at Nordstrom are integrated auditors — technologists with business degrees and years of consulting firm experience. They work as peers to three other unofficial designations of auditors: operations, business intelligence, and compliance.

Nordstrom uses two metrics to determine whether its technology auditors are trusted advisors: whether clients return to request internal audit’s services and whether the audit recommendations result in business value. To provide valuable counsel, technology auditors need to understand the emerging technologies with which their business partners are working as well as developments such as DevOps, the Internet of Things, and serverless architecture. In learning to provide such advice, technology auditors focused on five areas.

Cybersecurity and Privacy
Most industries consider cybersecurity and privacy to be inherently high risks. As a company that relies on technology, Nordstrom has hired professionals with cybersecurity certifications to consult and audit how to optimize its risk posture.

In turn, technology auditors have interpreted and applied controls from security frameworks to Nordstrom’s new, cloud-based environment. Two frameworks auditors use are the International Organization for Standardization’s ISO 27002 — Information Technology–Security Techniques–Code of Practice for Information Security Controls and the U.S. National Institute of Standards and Technology Cybersecurity Framework.

Auditors translate the security requirements of these frameworks into the language the audit clients use. For example, application teams have adopted a DevOps structure whereby any member of the team can make changes to production code. Auditors explained to the team the potential for unauthorized code change and the requirements contained in the security standards. That helped team members realize they should implement logging and file-integrity monitoring linked to change tickets as a compensating control to ensure that unauthorized changes would be detected immediately. As teams learn about security risk and controls, they make more risk-optimized decisions.

Technology Governance
Nordstrom’s internal auditors rely on ISACA’s COBIT 5


framework to evaluate technology governance maturity on a repeatable basis. Auditors merged COBIT 5 and ISO standards to create a framework specific to Nordstrom as a basis for audits. This framework enables auditors and audit clients to see where their activities fit into the big picture.

Having a framework has enabled the department to partner operational auditors with technology auditors to perform integrated audits on nontechnical aspects of technology governance. In one review, auditors provided assurance that technology projects were delivering the value promised in the business case. The auditors on the integrated audit expanded their knowledge by covering tech strategy, enterprise architecture, and performance measurement.

Data Science
Nordstrom’s auditors have written more compelling audit reports by testing 100 percent of populations using data science techniques. To write such reports, all auditors are expected to have basic knowledge of Microsoft Excel, statistics, and data validation. Internal audit leverages data extraction tools to obtain data for use in creating impactful issue statements in reports.

Data science tools are especially useful when joining two or more data sets (see “Beneath the Data” on page 42). In one project, internal audit extracted incident ticket information and linked it with information about problem tickets, root-cause analysis, and application IDs from multiple systems of record. To extract knowledge from these unique data sets, auditors used data visualization tools to tell the story of how well the company’s change-management controls were performing and if it was learning from the incidents. The client capitalized on the analysis to track how much progress was made since the report was delivered.

Robotic Process Automation
A recent development for Nordstrom’s internal auditors is the use of robotic process automation (RPA). Projects are advisory in nature and aligned with internal audit’s goal of identifying ways to reduce expense or work effort. Partnering with the company’s restaurant and tax divisions, auditors created robots to automate manual processes relevant to food and beverage licensing and entry of invoices. Through this automation, auditors reduced the clients’ payroll expenses.

Another example is the company’s user-access review and validation process. Auditors incorporated control owners’ control documentation into internal audit’s testing procedures and used RPA to test attributes. One test validated that users had their access revoked timely. RPA has enabled auditors to accomplish more testing within the same time frame.

Communication
Nordstrom’s technology auditors have focused on improving their verbal and written communication skills. To communicate effectively with the technology organization, the department’s IT audit director spent six months working directly for technology leaders before starting his role in internal audit. During this time, he learned those executives’ leadership and communication styles, which internal auditors now incorporate into their reports to increase their impact.

Auditors also have become persuasive communicators, effective negotiators, and great listeners. They have increased stakeholder buy-in by using data to buttress audit findings and action plans. Business partners now expect audit findings to be supported by data, even when the topic is difficult to quantify.

However, visualizing data is not required for all audit reports. Sometimes, visualizations cause the client to jump to assumptions without reading all the details. Some clients prefer to read the text instead. While audit reports should always focus on the most important risks and opportunities, auditors tailor the department’s report style to meet stakeholders’ desired format.

Earning Trust
To benefit the organization, internal audit needs to constantly develop staff members into trusted advisors and retain them. So far, Nordstrom’s efforts have:
»» Increased risk-focused conversations led by leadership, resulting in more effective controls.
»» Led to a cultural shift to spend time building technology risk mitigation strategies.

In the process, technology auditors have received high client satisfaction ratings as well as more requests from management to perform work. Moreover, management is more proactive in driving change about issues that auditors have identified, even before they receive audit reports. Once clients realize that an audit report can propel them faster toward achieving their objectives, they tend to become repeat clients and tell their peers throughout the organization.

PAUL SLYE, CISSP, CISA, is an internal audit manager at Nordstrom in Seattle.
CHRIS WELTER, CISA, is an audit principal II at Nordstrom.
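
The compensating control named in the Cybersecurity and Privacy section, file-integrity monitoring linked to change tickets, can be tested by reconciling each monitored file change against the change system. The sketch below is an added example, not Nordstrom's tooling or code from the article; the record layouts, ticket IDs, paths and the rule that every event carries a ticket reference are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional


def sha256_hex(content: bytes) -> str:
    """Fingerprint file content the way a file-integrity monitor would."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class ChangeTicket:          # hypothetical export from the change system
    ticket_id: str
    approved: bool
    window_start: datetime
    window_end: datetime
    path_globs: tuple        # files the ticket is allowed to touch


@dataclass(frozen=True)
class FimEvent:              # hypothetical file-integrity monitoring record
    path: str
    observed_at: datetime
    actor: str
    old_sha256: str
    new_sha256: str
    ticket_id: Optional[str]  # reference captured at deploy time, if any


def review_event(event, tickets):
    """Return None when an approved ticket covers the change, else the reason."""
    if event.old_sha256 == event.new_sha256:
        return None  # content unchanged (metadata-only event)
    if not event.ticket_id:
        return "no change ticket referenced"
    ticket = tickets.get(event.ticket_id)
    if ticket is None:
        return "ticket not found in change system"
    if not ticket.approved:
        return "ticket not approved"
    if not ticket.window_start <= event.observed_at <= ticket.window_end:
        return "change outside approved window"
    if not any(fnmatchcase(event.path, glob) for glob in ticket.path_globs):
        return "path outside ticket scope"
    return None


def unauthorized_changes(events, tickets):
    """List (path, actor, reason) for every change no approved ticket explains."""
    findings = []
    for event in events:
        reason = review_event(event, tickets)
        if reason:
            findings.append((event.path, event.actor, reason))
    return findings


def _event(path, when, actor, before, after, ticket_id):
    return FimEvent(path, datetime.fromisoformat(when), actor,
                    sha256_hex(before), sha256_hex(after), ticket_id)


# Constructed sample data: two tickets and six monitored events.
SAMPLE_TICKETS = {
    "CHG-1001": ChangeTicket("CHG-1001", True,
                             datetime(2019, 1, 10, 20, 0),
                             datetime(2019, 1, 10, 22, 0),
                             ("/srv/checkout/*",)),
    "CHG-1002": ChangeTicket("CHG-1002", False,
                             datetime(2019, 1, 11, 20, 0),
                             datetime(2019, 1, 11, 22, 0),
                             ("/srv/checkout/*",)),
}
SAMPLE_EVENTS = [
    _event("/srv/checkout/cart.py", "2019-01-10 20:30", "alice", b"v1", b"v2", "CHG-1001"),
    _event("/srv/checkout/pricing.py", "2019-01-10 23:45", "bob", b"v1", b"v2", "CHG-1001"),
    _event("/srv/payments/gateway.py", "2019-01-10 20:40", "alice", b"v1", b"v2", "CHG-1001"),
    _event("/srv/checkout/tax.py", "2019-01-10 21:00", "carol", b"v1", b"v2", None),
    _event("/srv/checkout/promo.py", "2019-01-11 20:15", "dave", b"v1", b"v2", "CHG-1002"),
    _event("/srv/checkout/cart.py", "2019-01-12 03:00", "backup", b"v2", b"v2", None),
]

if __name__ == "__main__":
    for path, actor, reason in unauthorized_changes(SAMPLE_EVENTS, SAMPLE_TICKETS):
        print(f"{path} changed by {actor}: {reason}")
```

Because the check runs over every event rather than a sample, it also fits the 100 percent population testing described under Data Science.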


Risk Watch
BY LYNN FOUNTAIN EDITED BY CHARLIE WRIGHT

INTERNAL AUDIT’S EVOLVING CYBERSECURITY ROLE

Auditors need to become involved in helping their organizations address cyber risks.

Technology is progressing at such lightning speed that even IT specialists struggle to keep their fingers on the pulse of technological change. So how are internal auditors expected to adequately assess and examine the various risks emerging in this cyber age?

As technology continues to advance, internal auditing must evolve. For many years, internal audit departments relied on IT audit specialists as partners in integrated audits. Although those specialists focused on systems and technology, integrated audits worked best when operational and financial auditors knew what to look at from an IT perspective.

In today’s world, internal auditors cannot delegate responsibility to their IT departments or IT auditors. All auditors should have a solid understanding and awareness of more than just general and application controls. They should realize the technology risks and their potential impact.

One of the most prevalent issues organizations face today is the constant threat of cyberattacks. Every day there is some new threat, breach, or cybersecurity incident. It is now imperative that all internal auditors understand the underlying drivers as well as the nature and causes of cyber risks. With this knowledge, internal auditors can add significant value to the organization by assessing and helping management strengthen cybersecurity.

Knowledge Is Power
Yes, internal auditors know how to use a computer and a cell phone, but do they realize the risks these technologies pose? What you don’t know can hurt you! In today’s business environment, training on cybersecurity issues should be a basic curriculum expected of internal auditors. Training that is essential for internal auditors includes understanding:
»» The threat of cyber fraud to their organizations and the manner in which it could present itself.
»» Procedures that should be followed to assess cyber risk.
»» Types of new and existing breaches.
»» Various tools for managing cybersecurity issues.
»» Methods to prioritize assets at risk for protection plans.
»» Methods to appropriately allocate resources to protect assets.

Understand Cyber Risk Frameworks
Organizations need to understand and use a structured cyber risk framework to mitigate threats. Although there are several frameworks, some organizations may focus on a specific framework, depending on their industry.

One of the most widely used frameworks is the U.S. National Institute of Standards and Technology’s


(NIST’s) Cybersecurity Framework. The framework directs organizations to use a standard protocol in their cybersecurity efforts to identify and protect assets, and respond to and recover from incidents.

Identify and Protect Assets at Risk
The NIST framework recommends that organizations identify assets within the organization that are most susceptible to cyber threat. Next, it advises organizations to prioritize assets for protection, and develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.

Identifying and protecting assets is similar to other risk assessment processes and is an area in which internal auditors can provide valuable insight to help protect their organizations. Auditors can help their organization by:
»» Following a structured approach to perform a top-down assessment.
»» Evaluating cyber risks within individual audits.
»» Assessing the organization’s capabilities to manage assets that might be impacted by a cyber risk event.
»» Evaluating whether management and the board have developed a comprehensive cybersecurity strategy.
»» Fully integrating cyber risks into the annual audit plan.
»» Determining whether management is using the most effective process to prioritize assets for protection and allocate resources.

Monitor Detection Procedures
Detecting cyber threats is the third component the NIST framework recommends. Once assets have been identified and protected, the organization should develop and implement appropriate activities to take action when a cybersecurity event is detected.

As with The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework monitoring component, performing detection procedures is management’s responsibility. However, internal auditors can test detection procedures to ensure they are designed appropriately.

Management should follow a well-devised protocol to develop, design, and implement detection procedures. Auditors can review and test that protocol and ensure detection procedures are addressing the most vulnerable assets. This act requires auditors to collaborate with management to fully understand the procedures used in the design phase and in identifying which assets are prioritized as higher risk.

Respond to Incidents
This component of the NIST framework includes activities to undertake when the organization has detected a cybersecurity incident. The objective is to contain the incident’s impact on the organization.

Compare a cybersecurity incident to a fire. Both are “all hands on deck” events. If management has not structured a cyber risk program appropriately, there may be many reactive actions and ad-hoc approaches to plugging the gaps. Internal auditors can be important consultants in this situation.

Often when a breach occurs, management looks for the quick fix. This may not always be the best solution. The response must consider not just the tactical steps taken to fix the problem but all of the ancillary communication and documentation that is required. In this circumstance, internal auditors can provide an independent perspective and guide management on the best path to follow to respond to the incident. But to be helpful, auditors must understand the technology issues as well as the incident-response processes.

Use Recovery to Learn Lessons
Recovering from a cybersecurity incident is comparable to recovering from an illness. When a person discovers he or she has a serious illness, all focus is placed on acting to respond to the illness. At that point, the mindset is survival rather than recovery.

As defined by NIST, the recovery phase occurs after the organization has responded to a breach. This phase includes identifying activities to maintain plans for resilience and to restore any services that were impaired due to a cybersecurity incident. The organization must be able to constructively review what occurred and extract appropriate lessons learned from the incident. Then the organization must incorporate those lessons into its current response protocol.

By assessing the lessons learned from an incident, internal audit can contribute to the ongoing viability of the organization’s cybersecurity incident plan. This assessment can assist the organization in evaluating gaps in how assets were identified and prioritized, how protection procedures were prioritized and executed, how detection procedures were implemented, and how response procedures were put into effect.

Internal Audit’s Expertise
The NIST Cybersecurity Framework’s guidance is just a sample of important concepts to understand. As technology evolves, so do the duties of internal auditors. The profession needs to step out of its comfort zone and insert its expertise into addressing cyber risk.

LYNN FOUNTAIN, CRMA, CPA, CGMA, is an internal control, risk management, and business process consultant in Overland Park, Kan.



Fraud Findings
BY GRANT WAHLSTROM + ANISA CHOWDHURY EDITED BY BRYANT RICHARDS

THE PHONY CUSTOMER FRAUD

An unscrupulous employee reaps the benefits of weak internal controls.

Brightstar Corp. is a solar panel company with an annual revenue of $4.5 billion. It had recently acquired Solarstar Inc., a smaller competitor. Both companies employ commission-only sales representatives; however, commission plans vary between the companies. Brightstar pays sales representatives upon the installation of a solar panel system, while Solarstar’s commission plan pays half a commission upon the signing of a customer contract. The remaining commission is paid after installation of the system. If the customer cancels the installation, the commission already paid is clawed back against future commissions.

Robert Schull and Alysa Cayden, Brightstar’s forensic audit team, were conducting a training session with the recently hired director of compensation, Lisa Myers, on fraud schemes perpetrated by sales representatives. At the end of the presentation, Myers approached Schull and Cayden to discuss her concerns about Eddie Fogbottom, a sales representative in the Austin, Texas, market.

Fogbottom was a rising superstar at Solarstar. Before joining the company, he was an executive in loss prevention at several large publicly traded companies. He had incredible success as a sales representative and was recently promoted into a highly sought-after manager role within the company’s national sales team. Shortly after accepting his new position, 39 of Fogbottom’s sales were cancelled, representing $10,000 in commissions that would need to be clawed back. Because it was such a large amount, Myers contacted him to discuss a repayment plan.

Fogbottom told Myers that the company could not claw back the commissions. When he was promoted, he had a clause written into his offer letter allowing him to keep all commissions for prior sales, even if customers cancelled their accounts. Myers suspected fraud.

Solarstar uses electronic contracts, which are emailed to the customer when completed. The customer reviews the contract, and electronically signs and returns it. Contracts are not legally binding until the contract is returned and a down payment is received. An electronic time and date stamp is recorded on the contract as well as the customer’s computer internet protocol (IP) address.

Schull and Cayden began reviewing the cancelled contracts. The team identified several days where Fogbottom sold products to multiple customers in what appeared to be strip malls in the Austin market. What caught the attention of Schull and Cayden was the fact that the contracts were signed and returned within several minutes of each


other. Even more perplexing, the contracts were returned from the same IP address.

The team began conducting customer service calls to the alleged customers to determine why they cancelled their purchases. Surprisingly, none of the phone numbers documented on the contracts were in service. In addition, an internet review of the customers revealed that not a single customer had an internet presence.

The investigation team turned their attention to the down payments received on the contracts. Solarstar required its sales representatives to collect a down payment when a customer signed a contract. The sales representative would document the collection in the company’s order system. If the down payment was paid with a check, the sales representative would bring the check into the local sales office to be compiled and sent to the company’s lockbox. A review of the order system revealed that Fogbottom documented that checks were obtained during the contracting process, but none of them had been received in the lockbox.

Cayden reviewed the customer sites using Google Earth. The review revealed that many of the customer locations did not appear to exist or had been constructed after Google’s last update. Schull enlisted the assistance of Brightstar’s area general manager, Michael Gonzalez. A 25-year Brightstar veteran and lifelong resident of Austin, Gonzalez accompanied Schull to the customer locations. It came as no surprise when Schull and Gonzalez found themselves standing in empty fields. Schull documented the visits with photos of the alleged customer sites.

Schull then reviewed Fogbottom’s employment history. An internet search revealed that Fogbottom had, in fact, worked for the organizations he had listed on his résumé. However, no references were listed in his employment file. Schull was suspicious about why a former loss prevention executive would accept an entry-level sales position.

Fogbottom was asked to come to the Austin office for an interview with Schull and Karol Vesey from human resources. Schull believed the interview would be challenging as Fogbottom had extensive interviewing experience in his loss prevention role. During the initial stages of the interview, Fogbottom presented himself as a professional loss prevention executive turned successful national sales manager. He bragged about his experience and connections to the community.

When presented with the photographs of the empty fields, Fogbottom’s demeanor changed. He alleged that a general contractor named Sal was constructing all three strip malls, and that the customers met him at a local coffee shop where they all completed their contracts in succession. Fogbottom could not remember Sal’s last name or produce a contact number for him or any of the alleged customers.

Initially, Fogbottom refused to admit that he falsified the contracts in question. However, after an extensive interview, Fogbottom admitted that he was having personal problems and was fired from his former employer. He also admitted that he falsified the contracts for the commissions because he had taken a substantial pay cut from his previous role and was having trouble making ends meet.

Fogbottom was terminated, but no charges were brought, and the money was clawed back. Solarstar updated its commission plans to only pay sales representatives upon installation. Two weeks after Fogbottom’s termination, Schull received a call from Brightstar’s Fresno, Calif., office where the same fraud scheme was suspected and later validated.

LESSONS LEARNED
»» A combination of fundamental internal control activities helps minimize fraud.
»» Conduct and update a fraud risk assessment regularly. In this case, a fraud risk assessment should have identified the control weakness in the backlog report, commission payment process, and revenue reconciliation process.
»» Conduct appropriate background checks on key employees to identify any red flags for possible unethical behavior.
»» Perform regular reviews of installation backlog reports to identify irregular activities. Detecting any potential exploitation is the best approach to minimizing negative unintended consequences.
»» Conduct monthly reconciliations of revenue collections. Discrepancies should be researched immediately and escalated if unresolved.

GRANT WAHLSTROM, CIA, CPA, CFE, is the forensic audit manager at a security company in South Florida.
ANISA CHOWDHURY, CPA, is a senior forensic auditor at a security company in South Florida.
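
The red flag that opened this case, contracts from different customers signed within minutes of each other and returned from one IP address, can be run as a routine test over the e-signature log. The following is an added example, not part of the article or any company's system; the field layout, the 10-minute gap and the three-customer threshold are assumptions, and all rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (contract_id, sales_rep, customer, signed_at, signer_ip).
# IP addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_CONTRACTS = [
    ("C-1001", "rep-A", "Oak Plaza Dental",  "2018-03-05 14:02", "198.51.100.23"),
    ("C-1002", "rep-A", "Oak Plaza Nails",   "2018-03-05 14:06", "198.51.100.23"),
    ("C-1003", "rep-A", "Oak Plaza Vape",    "2018-03-05 14:11", "198.51.100.23"),
    ("C-1004", "rep-A", "Oak Plaza Laundry", "2018-03-05 14:15", "198.51.100.23"),
    ("C-1005", "rep-A", "Hill Country Cafe", "2018-03-09 10:30", "203.0.113.80"),
    # One customer re-signing from its own address is not a cluster.
    ("C-2001", "rep-B", "Lakeside Gym",      "2018-03-05 09:00", "203.0.113.7"),
    ("C-2002", "rep-B", "Lakeside Gym",      "2018-03-05 09:04", "203.0.113.7"),
    ("C-2003", "rep-B", "Cedar Park Vet",    "2018-03-06 16:40", "203.0.113.9"),
]


def load_contracts(rows):
    """Turn raw log rows into dicts with parsed signature timestamps."""
    return [
        {"id": cid, "rep": rep, "customer": customer, "ip": ip,
         "signed_at": datetime.strptime(stamp, "%Y-%m-%d %H:%M")}
        for cid, rep, customer, stamp, ip in rows
    ]


def _summarize(rep, ip, run, min_customers):
    """Describe one run of signatures, or return None if it is unremarkable."""
    customers = {c["customer"] for c in run}
    if len(customers) < min_customers:
        return None
    span = run[-1]["signed_at"] - run[0]["signed_at"]
    return {
        "rep": rep,
        "ip": ip,
        "contract_ids": [c["id"] for c in run],
        "distinct_customers": len(customers),
        "span_minutes": int(span.total_seconds() // 60),
    }


def find_signature_clusters(contracts, max_gap=timedelta(minutes=10),
                            min_customers=3):
    """Flag runs of contracts for one rep, returned from one IP address, where
    each signature follows the previous one within max_gap and the run covers
    at least min_customers different customers."""
    by_rep_ip = defaultdict(list)
    for contract in contracts:
        by_rep_ip[(contract["rep"], contract["ip"])].append(contract)

    clusters = []
    for (rep, ip), rows in sorted(by_rep_ip.items()):
        rows.sort(key=lambda c: c["signed_at"])
        run = [rows[0]]
        for row in rows[1:]:
            if row["signed_at"] - run[-1]["signed_at"] <= max_gap:
                run.append(row)
                continue
            clusters.append(_summarize(rep, ip, run, min_customers))
            run = [row]
        clusters.append(_summarize(rep, ip, run, min_customers))
    return [c for c in clusters if c is not None]


if __name__ == "__main__":
    for hit in find_signature_clusters(load_contracts(SAMPLE_CONTRACTS)):
        print(hit)
```

A hit is a lead for follow-up, such as the customer calls and lockbox review the team performed, since shared office networks can legitimately produce the same pattern.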



STATE OF THE PROFESSION

Ten years ago, amidst unprecedented economic upheaval, RICHARD CHAMBERS became The IIA’s president and CEO. The internal audit profession has changed much since then, he says, and it will need to continue to evolve.

Trials and Transformation

Anne Millage
Photograph by Doug Scaletta

Richard Chambers became the ninth president of The IIA in January 2009 during the onset of the global economic crisis. It was a time when companies were experiencing a major loss in shareholder confidence due to colossal risk management failures and a lack of corporate accountability. These dark times revealed vast new opportunities for internal audit to help protect organizations and enhance their performance.

Chambers says internal auditors grasped those opportunities by pivoting swiftly to focus on the emerging risks brought on by the financial crisis and the impact these risks were having on their organizations. The profession became much more risk-centric in those early years of the prolonged financial downturn. The result? Internal


audit solidified the stature that it had earned in the prior decade and became a critical component of the systems of risk management and internal controls in modern organizations. “The past decade has been about proving that the confidence that was conveyed to us in the early 2000s was deserved,” Chambers says. “This decade, I think we’ve earned that trust even more.”

On the eve of Chambers’ 10th anniversary with The IIA, we sat down to discuss how the internal audit profession was impacted by the financial crisis, how it responded, and how it has evolved.

INTERNAL AUDITOR You became The IIA’s CEO during the greatest economic upheaval since the Great Depression. How was that crisis impacting internal audit?

RICHARD CHAMBERS Having been in this profession over 30 years at that point — whether it was my time in government or in the corporate sector — my experience had been that whenever organizations’ resources were severely impacted, it would translate into an even more drastic impact on internal audit. Historically, I had witnessed internal audit departments being divested at a much higher rate than the organization as a whole as executives sought to trim costs.

I was anticipating that scenario at the end of 2008, but I was pleasantly surprised as the next couple of years unfolded and internal audit was not disproportionately downsized in most organizations. In fact, reductions in the profession at that time were similar to what organizations were experiencing overall as a result of the financial crisis.

Why was it different this time?

Internal audit’s resilience appeared to be a reflection of the stature the profession had gained in the previous decade. One difference between this recession and the recession of the early 2000s and those that came before, was there had been a sea change in internal audit’s positioning within the governance structure. Following the financial reporting scandals of the early 2000s that involved Enron, WorldCom, and others, we saw legislation and regulations implemented that fostered a stronger emphasis on controls — particularly financial reporting controls. As a result, internal audit was ushered from the back room to the boardroom where it developed a stronger relationship with the audit committee.

Was internal auditing being redefined?

We didn’t redefine ourselves; we started living our definition. In the early 2000s, internal audit became much more risk-centric. If you think about it, there was not even a standard that required internal audit to do a risk assessment as part of its audit planning process until 2002. So, we had only a short time between the onset of the standards mandating a risk assessment and the beginning of the financial crisis to get a full appreciation of what being risk-centric meant.

With the onset of the financial crisis in 2008, suddenly there were countless new risks facing our organizations. The crisis had exposed the ineffectiveness of risk management, itself, as a critical risk. There was a notable spike in operational risks as companies were compelled to achieve greater operational efficiency and effectiveness. And almost half of chief audit executives (CAEs) reported increased coverage in cost reduction and containment in 2008 and 2009. We started to see risks around technology, cybersecurity, culture, social media, and so on. And compliance risks became critical — particularly as we saw legislative provisions such as those in the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act make their way into regulation.

So in the wake of the financial crisis, there was a radical and rapid rebalancing of internal audit’s focus. It reprioritized and emphasized a broader portfolio of risks. Internal audit was living up to its definition of being risk-based.

Was internal audit’s response to the financial crisis appropriate?

It’s hard to argue with the success internal audit achieved at the time. It was an unprecedented time for the profession. While we were busy rolling up our sleeves to help our organizations respond to the emerging financial crisis-related risks, there were already those asking, “Where were the internal auditors, and why weren’t they looking at risk management in financial services organizations?” And my answer was, there wasn’t a lot of emphasis by internal audit on the effectiveness of risk management before 2008 because we were being asked to fight the last war by focusing on internal controls over financial reporting. Very few people were focused on the effectiveness of risk management in financial services — including those management and board members who were actually responsible for risk management. The emphasis was to ensure there were no more Enrons and WorldComs. When you’re busy looking behind, you miss what lies ahead.

Are there areas in which the internal audit profession has fallen short?

As a profession, we’re still not demonstrating some of the attributes of great professions. For example, I don’t see

26 INTERNAL AUDITOR FEBRUARY 2019


TO COMMENT on this article,
EMAIL the author at [email protected]

the level of conformance to the International Standards for the Professional Practice of Internal Auditing that we should be witnessing. I chaired the Internal Audit Standards Board in 2002 when we adopted the first standards that required external quality assessments. If you told me in 2002 that I’d be sitting here in 2019 saying that we still have such limited conformance, I would not have believed it.
When I say there’s nonconformance, I don’t mean to imply that no one is paying attention to the Standards. I’m talking about conformance with the full set of Standards. There is definitely widespread adherence to parts of the Standards around the world. There’s a much higher degree of conformance in large, publicly traded companies in North America and Europe than in other types of companies or organizations in other markets. But is conformance where it should be? Absolutely not.
Additionally, I would have thought there would be greater recognition of our Standards around the world. The IIA’s Standards are widely acknowledged within the profession, but they’re not necessarily widely recognized by others, such as regulatory bodies, relying on internal audit’s work. I continually deliver this message to global regulatory bodies: “There is only one set of global internal audit standards in the world. Why aren’t you promoting them?”

Are there other areas in which internal audit could improve?
I’m concerned that the profession is not as assertive as it should be in speaking out. There’s a certain comfort level that says, “Nobody is pushing me to do this; therefore, I’m going to stay the course.” And when you take that approach, you leave your organization vulnerable to value-destructive calamities or scandals. For example, internal auditors are reluctant to tackle sensitive topics such as corporate culture, executive compensation, or management of risks associated with sexual harassment policies in their organizations. As a result, these are risks that seem to routinely get companies in trouble.
Too often, a courage deficit exists. Internal audit has to be courageous enough to address issues such as these that are not popular. We have to be courageous enough to speak the truth even when someone isn’t interested in hearing it. And we have to be courageous enough to speak truth to power. If a CEO is engaged in questionable activities, or fraud, the CAE must summon the courage to alert the audit committee.

Are there other reasons internal auditors fail to speak up?
Internal audit is still reluctant, in some instances, to take on risks that are outside of its comfort zone. For example, culture, cybersecurity, and blockchain technology are areas in which internal audit may not have a lot of expertise, so they are frequently neglected despite the risks they present to the organization. Internal audit’s mandate is to be risk-centric, not just risk-centric in the risks with which we’re comfortable.
Internal audit also has not made the kind of progress that organizations need in identifying emerging risks. We are still inclined to see the risks that lie immediately in front of us. If we don’t help our organizations anticipate risks that may lie beyond the line of sight, we’re likely to be ill-prepared to help them when those risks materialize.

You’ve talked a lot about expectation gaps with stakeholders over the years. Why does internal audit struggle to narrow those gaps?
Throughout my career, I’ve witnessed how dynamic stakeholder expectations can be and how quickly they can pivot. In the early 2000s, there were some who thought internal audit needed to be consultants in their organizations — out there helping people better understand their own risks and problems.
Then came the U.S. Sarbanes-Oxley Act of 2002. And regulatory compliance risks associated with financial reporting controls rapidly became the priority of internal audit’s stakeholders. By 2005, according to a PwC survey that I led, 71 percent of internal auditors at publicly traded U.S. companies reported they were spending more than half of their time on Sarbanes-Oxley compliance. With the onset of the financial crisis in 2008, the risks that companies faced and internal audit stakeholder expectations changed quickly. Internal audit realigned its coverage to address new risks. By 2012, according to an IIA survey, the percentage of internal audit plans dedicated to Sarbanes-Oxley compliance had fallen to less than 15 percent while the combined percentage of coverage dedicated to operational and compliance risks surged to more than 40 percent. Stakeholder expectations are changing yet again, 10 years after the financial crisis.
Recent reports suggest that management and boards are looking for internal audit to focus on key risks beyond financial reporting and compliance. As KPMG recently observed, risks related to culture, incentive structures, cybersecurity, data privacy, global supply chain, and outsourcing, as well as environmental, social, and governance risks, can significantly impact share value. It remains to be seen how extensively and rapidly internal auditors will pivot to address these risks. However, I am confident that they will.
The greatest danger of an expectations gap occurs when there is a swift and sudden shift in the risks that an organization faces. There’s often a lag time between when a risk becomes critical for an organization and how quickly internal audit can address it. And it’s in that window where stakeholder expectations get ahead of internal audit. That’s why it is critical in 2019 and beyond for internal auditors to have the agility to change direction swiftly to keep pace with stakeholder expectations.

Where do you see internal audit in 10 years?
If, in some respects, in the early 2000s internal audit fell back into the era of hindsight — looking at whether financial controls were appropriately designed and implemented — there’s been a much greater emphasis on insight in this last decade.
The decade ahead offers internal audit a great opportunity to continue to build on the way we serve organizations by also providing foresight. Being able to look at emerging risks, to look out further and identify what actions need to be taken, and to talk more about what risks may present themselves if certain actions aren’t taken provides tremendous value.
Internal audit also has a huge obligation — and opportunity — in the next decade to embrace the fourth industrial revolution — a new era that extends digital technologies in new and unanticipated ways. We are in an era where the volume and complexity of data dwarfs anything we’ve seen. It defies imagination in some ways. Internal audit has to recognize not only what that means in terms of the risks our organizations face, but also the approach we take to auditing them.
In the coming decade, artificial intelligence (AI) is going to become much more pervasive. I often get asked whether AI is a threat to the internal audit profession. It’s not a threat unless internal audit continues to do the things that we’ve always done. A lot of the activities that internal audit has historically done are susceptible to being replicated or done through AI. Hindsight is much easier for AI to do, for example, than foresight. As yet, however, AI cannot combine data, information, trends, rumors, breaking news, competitors’ actions, and even hallway gossip to formulate reasoned and rational suggestions of future developments and their associated risks and opportunities — foresight. We have the opportunity and the obligation to address AI and similar technological innovations not only from the standpoint of what the risks are to our organizations, but also in terms of how internal audit uses it. AI can be a great contributor to internal auditing. It can help us become more efficient and target our efforts and resources.

So how does the profession continue to grow?
Internal audit is definitely on stronger footing than we were 20 years ago, or even 10 years ago. However, this profession, like all professions, should always be prepared to prove its worth. I don’t think we have any guarantees of what lies ahead for internal audit. We are a respected resource right now, and we will stay there as long as we recognize the responsibility that comes with it. Internal audit must always be prepared to lean forward and not rest on its laurels.

ANNE MILLAGE is editorial director and editor-in-chief of Internal Auditor magazine.

PULLING TOGETHER

Recessions and swift economic downturns are very challenging for professional associations. As Richard Chambers puts it, “If other sectors catch a cold during a recession, not-for-profits catch the flu.” The impact of the 2008 financial crisis on The IIA was great. “One of the first things that companies cut if the economy turns very soft is training and travel dollars,” Chambers explains, “so the impact was swift and severe.”
Chambers says he knew when he became president and CEO in January 2009 that the financial challenges were going to necessitate downsizing to a leaner, re-engineered Global Headquarters. He and the Global Board of Directors had to make some difficult calls. “We didn’t really have a lot of choices,” he recalls.
Navigating through the crisis required full involvement — from the Board, volunteers, and IIA staff. “Those early months of 2009 were really spent working collaboratively,” Chambers says. “One of the greatest achievements of The IIA in the past 10 years was those first few months when the staff came together.” The Institute put together action teams to look at opportunities to cut costs and to grow revenue. “It was a collaborative process that really exemplified the very best of who we are,” Chambers says. The board was “absolutely unwavering” in its support of the steps The IIA took, he adds.
In the ensuing months, The IIA discontinued some initiatives and refocused on serving its members. “We redefined what service meant,” Chambers says. “We began to look at the member value proposition.”
“Throughout this decade, we’ve continued to make great progress in serving the members,” Chambers adds. Membership continues to grow, and The IIA is poised to crest to 200,000 members worldwide.
The results of the last 10 years have allowed The IIA to make some extraordinary investments that Chambers says will become more evident to members over the next couple of years. “We’re making unprecedented investments in technology in support of the profession,” he notes.
The IIA takes a strategic view of its role in supporting the organization and in serving its members. Its strategic plans have served as the blueprints for supporting member expectations and meeting the needs of the profession. “The IIA has never been stronger,” Chambers says.

JULIE FLETCHER

Chambers says IIA Board support has been integral to The Institute’s success over the past decade. Chambers and Board chairs from the past 10 years recently gathered at The IIA’s Midyear meetings in Orlando, Fla. From left to right: J. Michael Peppers, Denny Beran, Günther Meggeneder, Phil Tarling, Richard Chambers, Patty Miller, Anton van Wyk, Naohiro Mouri, Larry Harrington, and Paul Sobel. (Not pictured: Angela Witzany and Rod Winters)

PRACTICES

Building the Audit Function

A strategic, measured approach to setting up shop can produce lasting results and strong relationships.

Neil Hodge
Illustrations by Edwin Fotheringham

Building an internal audit function from the ground up may seem like a daunting task, but taking a measured approach and prioritizing what should be done first can ease some of the difficulties. Handling these initial steps with care also helps build trust in organizations that may have no experience with internal audit or may be suspicious of its motives. By selecting key areas of focus and seeking to make “quick wins,” chief audit executives (CAEs) can soon win over management and the rest of the business, and establish a solid foundation for the audit function.

THE LAY OF THE LAND
Alyssa Martin, partner in charge at risk advisory services firm Weaver in Dallas, is no stranger to setting up internal audit functions from scratch. She says she typically sets up around three or four functions per year on behalf of clients, and that she has established — or “reconstituted” — more than 20 in her career to date.
Martin says the reason behind the organization’s decision to set up an audit function can provide vital clues about what it will look like and how it will be resourced. Potential reasons include regulatory requirements; past governance failures that impacted operations; financial incentives such as improving processes, increasing efficiency, and minimizing potential frauds; or pressure from a large customer to provide it with more assurance. “The different circumstances behind the move to set up an internal audit function can influence the way it is developed, what its scope is, and
what budget and resources it will have,” she says.
The way in which internal audit will operate also needs adequate consideration, Martin adds. If, for example, the function comprises a head of internal audit who oversees a fully outsourced team, that individual must be a strong leader with lots of experience. He or she must be able to take charge and establish what the function’s priorities should be, as well as determine what expertise the organization needs to obtain quickly.
Martin says internal audit needs a “sponsor” within the organization to champion the function and to send a message to the board and the rest of the organization that internal audit is a key player in ensuring effective governance and sound practice. Moreover, CAEs need to liaise and establish good working relationships with key second-line assurance functions in the business, particularly the chief risk and compliance officers, as well as maintain communication with the chief financial officer (CFO). “Internal audit can’t act in isolation, and especially not when it is a new department,” she says. “It needs to establish key partnerships with other functions in the business to see how they operate, how they view risk, and to learn their approaches.”
Martin also notes the importance of building a good relationship with the audit committee, management, and the organization in general, and she stresses the need for audit heads to understand the audit universe and identify which activities are a priority for internal audit’s involvement. “Find out where internal audit needs to be active first and what skills and experience you need to have to make a good impression straight away,” she says. “You have to choose where you can make an immediate impact first to gain trust with management and the organization.”
The head of internal audit also needs to look closely at the budget he or she has been given. “A low budget impacts hiring choices and what you can realistically do,” Martin says. “It also means that you have to prioritize areas that need the most work or immediate focus.” She advises audit leaders not to complain about receiving less funding than expected, noting that effective use of allotted resources can allow for quick wins and help build confidence with managers who control the purse strings, thereby making them more likely to agree to additional funding later.

OBTAINING BUY-IN
Arif Zaman, head of internal audit at real estate company Emaar Industries and Investments based in Dubai, United Arab Emirates, was formerly a risk advisor at a consulting firm where he helped large corporate clients set up or reconstitute internal audit functions. Zaman says the experience taught him what a “good” internal audit function should look like, and what constitutes best practice.
Having board buy-in from the start is essential to the success of any internal audit function, Zaman says. “Once you have board backing, you can then get approval for the internal audit framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity,” he explains.
Like Martin, Zaman says internal audit must know who will champion the audit function — usually the second line of defense functions like compliance or risk management. He adds that, to maintain independence, internal audit should report to the audit committee or directly to the board. Once the reporting line is defined, the head of internal audit should ensure that three documents are drawn up quickly:
»» An audit committee charter to define the role and responsibilities of the committee (with board approval).
»» An internal audit charter to define the scope, role, responsibilities, and reporting structure of the internal audit function.
»» The standard operating procedures, which are policies and procedures that cover the annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting, and quality assurance.

82% of stakeholders say internal audit finds potential revenue enhancement, cost savings, or smarter capital expenditure spending, according to a 2018 KPMG survey.

QUICK CHECKLIST*
Several activities should be considered when establishing an internal audit function:
»» Identify key internal and external stakeholders and obtain a clear understanding of their expectations.
»» Communicate the role of internal audit to the board, audit committee, executive management, and the rest of the organization.
»» Ensure that there is a functional reporting line to the audit committee and — ideally — an administrative reporting line to the CEO.
»» Put an internal audit charter in place — one that is approved by the audit committee.
»» Conform with The IIA’s International Standards for the Professional Practice of Internal Auditing.
»» Prepare an internal audit strategic plan that considers the organization’s objectives and key risks as well as any gaps within its assurance framework.
»» Assess the organization’s risk maturity to help determine the internal audit strategy and approach.
»» Agree with management on an annual internal audit plan that is approved by the audit committee.
»» Agree with management on budgets (financial and staffing).
»» Coordinate internal audit work with that of other assurance providers (internal and external).

*A version of this checklist originally appeared in the Chartered Institute of Internal Auditors guide, How to Set up a New Internal Audit Activity. Adapted with permission.

According to Zaman, understanding the business, how it operates, and — crucially — its culture, also are key steps to successfully setting up an internal audit function. “It is very important to be acquainted with the culture and business acumen of the company,” he says. “It gives a general idea of the company’s risk maturity and its control environment. It also provides useful insight about how an internal auditor should determine his or her approach and how to pitch the internal audit department framework within the organization.”
Zaman also notes the importance of considering the culture of the country in which the organization operates. “Internal audit is nothing new in countries like the U.S., U.K., or elsewhere in Europe,” he says. “These countries have an understanding and appreciation of what internal audit can provide. But in developing markets, awareness of what internal audit is supposed to do, and what it is capable of, can be quite low.”
To help gain trust in the organization, Zaman says it may be best if internal audit has a pragmatic — rather than dogmatic — mindset. He stresses that flexibility may be necessary, as a “by the book” approach may intimidate business units and deter them from coming forward and reporting problems. “You want to establish a culture of openness and transparency that encourages people to come forward with concerns, rather than reinforce the stereotype of
internal audit being an internal policeman,” he says.
Zaman also agrees with Martin that achieving quick wins early on can help turn people’s attitudes around in the auditors’ favor. He warns against starting with sweeping, ambitious objectives such as advising an overhaul of the way the organization is run or recommending controls around every single business process. Instead, Zaman suggests looking at simple ways to help cut costs and increase efficiencies, being sure to quantify the immediate and long-term cost savings. “Concentrate on just doing the main audit work you need to do first and where you know you can succeed,” he says.

REPLACING A PREVIOUS FUNCTION
Seidu Sumani, senior vice president, head of internal audit, at MFS Investment Management previously set up an internal audit function at another investment management firm in Boston after it was sold by its U.S. parent company. “The organization had previously been served by a group internal audit function, so management had a mature view of what internal audit did and the value it could add,” he says.
With management buy-in already a given, Sumani had to work out quickly which departments and processes needed audit focus first, as well as demonstrate that he and his newly appointed team understood the business and the risks it faced. “I needed to establish what my priorities were very quickly, and what skills and experience I would need for my team,” he says.
Sumani notes that it can be a struggle for heads of internal audit to assert their authority at the beginning. Budgets can often be decided by the CFO, for example, and if they are too low, audit heads need to deliver a compelling case about why they need more resources so early on. Sumani advises an assertive approach. “Disagreements with senior management can become quite common, quite tense, and quite political,” he says. “But you have to be firm — yet persuasive — and be able to demonstrate that you have the knowledge and experience to back up what you are asking for.”
For example, Sumani notes that he was given a budget for seven team members and was advised to outsource the IT audit function. Instead, he wanted an experienced IT auditor, which can be an expensive hire. “In the end, I was able to get what I wanted but it was not an easy argument to win,” he says. There was also pressure on him to deliver results quickly, though he wasn’t convinced that the areas management wanted internal audit to address first were in fact the riskiest or the best use of audit’s limited resources. “So I took a risk-based approach, which was risky for me because results were not as quick,” he says. “However, the results were more appropriate and in the end the stakeholders appreciated that.”
Sumani also recruited someone who had more business experience than audit experience — two years in audit but a wealth of financial services experience; plus he had worked within the business. The new hire could “speak the same language” as managers in different departments, understood how they worked, and knew the key risks their departments faced, as well as how they addressed them. “As a result, we gained management’s trust very early on,” he says. In fact, he hired three people from within the business based on their knowledge of organizational processes and their ability to learn internal auditing quickly.
Sumani warns against hiring certain staff members just because
management wants them on the team. “Choose your own team and hire who you need or want,” he says. He also advises against letting management dictate what internal audit should be doing, emphasizing that it’s the audit leader’s job to prioritize which areas need the greatest resources and immediate focus. “If internal audit wants to show it is independent, it needs to assert that independence from the beginning,” he says. “However, if you’re going to ask for more resources and go up against management, be sure you can do what you say you are going to do.”

THE RIGHT PEOPLE
Phil Tarling, an internal audit consultant based in the U.K. and former chairman of The IIA’s Global Board of Directors, also emphasizes the importance of staffing-related decisions early on. “Any new internal audit function will live or die by the people it has on its team,” he says. “The question you need to ask is whether you want more low-level people who can do the nuts and bolts work effectively and can cover a lot of basic audits across the business, or do you go for high-level people who are willing to get their hands dirty, do the low-level work as well, but who can cover less ground?” He notes the answers depend largely on management’s expectations, adding that staffing decisions can have ramifications down the road as internal audit matures.
Tarling says CAEs who are asked to manage a completely outsourced function can enjoy certain advantages. He points to the increased ease of saying that audit reports received are inadequate or requesting that a particular partner or subject matter expert lead an engagement, as well as leverage in negotiating additional services.
Regardless of team composition, Tarling, like Sumani, advises a firm, proactive approach. “If you are in charge of a fully outsourced function, or if you cosource, then make sure you flex your muscle and get exactly what you want,” he says.

A SOLID FOUNDATION
Setting up internal audit from scratch will always present challenges, but taking a steady and realistic approach that involves management buy-in from the start will make the process a lot easier. And to build trust and avoid confusion or conflict, it is also important to remember that internal audit must define its scope and terms of reference from the outset. Management will be more likely to respond favorably if positive early impressions are made, and more likely to trust internal audit’s judgment going forward.

NEIL HODGE is a freelance journalist based in Nottingham, U.K.

VISIT www.theiia.org/IAFunction for IIA suggestions and resources on setting up a small internal audit function.

60% of chief audit executives say their audit function lacks impact and influence, according to the Deloitte 2018 Global Chief Audit Executive survey.

SET THE STANDARD
Anyone setting up a new audit function should be familiar with The IIA’s International Standards for the Professional Practice of Internal Auditing. Several standards, in particular, are especially relevant to the process:
1000 — Purpose, Authority, and Responsibility
1110 — Organizational Independence
1200 — Proficiency and Due Professional Care
2000 — Managing the Internal Audit Activity
2020 — Communication and Approval
2030 — Resource Management
2040 — Policies and Procedures
2050 — Coordination and Reliance
2060 — Reporting to Senior Management and the Board
2230 — Engagement Resource Allocation

STAKEHOLDER RELATIONS

The Audit Committee Connection

Internal audit’s ability to serve as a trusted advisor to its primary stakeholder is key to organizational success.

Seth Peterson
Illustrations by Sean Yates

Trusted advisor relationships are all the rage nowadays. Consultants in various industries have made a case for their services as trusted advisors, and the term has become part of the lexicon of internal audit. But does anyone really know what it means? No listing for it can be found in a dictionary, though informal definitions include words like mentor, guru, and go to. Given the term’s nebulous meaning, why are internal auditors so determined to promote themselves this way? And without a universal definition, how do they know they have achieved trusted advisor status?
The answers can be found, in part, by examining internal audit’s relationship with the audit committee. The committee will always be internal audit’s primary stakeholder. Auditors owe it to themselves and the audit committee to maximize this relationship, and nothing characterizes its ideal state better than the phrase trusted advisor. This status is earned over time with painstaking attention to detail — it requires effective communication, strong relationships, and a willingness to facilitate organizational change. These overarching areas form pillars of trust with the audit committee, and by examining each closely internal auditors can help determine whether they’ve become trusted advisors. Failures may occur along the way, but these failures can help cement the trusted advisor relationship. Getting this relationship right is essential to the organization’s success.

PRESENCE AND VOICE
Unlike the old adage that children should be seen and not heard, internal auditors need to be both seen and heard, loud and clear. They must have a presence in the boardroom, the C-suite, and wherever significant organizational decisions are made. But they shouldn’t be a fly on the wall — auditors need to provide insight and promote change. They also need to know when it’s appropriate to escalate an issue and push for resolution.

Have an Opinion
Internal auditors can’t just point to potential risks and opportunities. They serve as the eyes and ears of the audit committee, and committee members will frequently ask for their opinions. Auditors need to deliver opinions that are not only informed, but supported by facts and in line with the organization’s objectives. Trusted advisors don’t stop at explaining the risks and potential outcomes. When the audit committee asks internal audit’s opinion on the progress or potential impact of a key initiative, auditors should be well-versed enough to provide useful, relevant information.

Engage With Passion
Practitioners from the chief audit executive (CAE) down to the newest staff auditor need to be engaged and passionate about helping the organization achieve its goals. A passionate, energetic audit team
elicits confidence from the audit committee and shows commitment to the organization. Internal auditors can demonstrate these qualities, for example, by immersing themselves in the organization’s activities and stepping outside their comfort zone. They need to bring enthusiasm and drive to everything they do — the audit committee will take notice in the internal auditors’ communications and actions, as well as the results they produce.

The Right Cadence
Nobody wants a reputation for “crying wolf,” but sometimes internal audit needs to be persistent to have its message heard. The audit committee needs to know internal auditors are doing their job, and at times that means delivering bad news. Early in my career, I expressed concern about a particular department’s culture and the risk of it losing a large percentage of employees due to poor morale. Similar to the boy who cried wolf, my message received lots of attention at first but not nearly as much upon subsequent warning. By the third time, my prediction about staff departures unfortunately came true. If I had developed the right cadence, my message would have achieved greater impact. Internal audit can’t have a trusted advisor relationship until the audit committee knows the auditors can gauge the appropriate frequency, tone, and timing for effective communications.

AGENTS OF CHANGE
While internal auditors may have a reputation for bringing awareness to important issues, how often are they the ones willing to take action and facilitate organizational change? In their capacity as advisors, practitioners can perform a great deal of change-oriented work without compromising their independence. And nothing can solidify internal audit’s trusted advisor relationship with the audit committee more than demonstrating the audit function’s ability to drive positive change.

Wield Personal Power
The audit committee needs to know that internal audit can facilitate change based on its influence. However, influence can’t be achieved solely through positional power, or the authority held by virtue of one’s place in the organization’s hierarchy. It must come from personal power as well, drawing on personality, knowledge, and social skills.
Positional power strategies can only go so far — often, they are effective in the short term but damage relationships and create resentment over time. CAEs who use their personal power to exert influence are much more effective. It can be a powerful tool for helping drive organizational change, establish buy-in, encourage collaboration, and foster a more positive culture. Successful CAEs rely almost exclusively on personal power, but they can also draw on positional power if needed. When


the audit committee sees the audit function leading change in the organization, driven by personal power, it will be more likely to view internal audit as a trusted advisor.

Speak the Language
Internal auditors need to show the audit committee they are multilingual, though not in the traditional sense of fluency in foreign languages. Organizations, and even individual business units, often have their own unique language, jargon, and culture. Suppose internal audit needs to speak with the external auditors, relay a message to the IT department, and then coordinate with the head of sales. Even in the most seamless environments, what are the chances that all of these functions can easily understand each other, much less effect organizational change initiatives? Internal auditors have a wide breadth of reach within the organization that enables them to connect the dots and interpret for others. They can synthesize what one area is trying to communicate into relevant information for another. Most importantly, internal auditors can relay those communications to the audit committee. They will know they’ve become a trusted advisor to the committee when they can interpret highly technical or jargon-filled language and distill it into meaningful information that committee members can easily digest and act upon, creating the desired change in the organization.

Understanding and considering risks that could affect the business ranked No. 1 in a list of 10 mandates for audit committees in Protiviti’s Setting the 2019 Audit Committee Agenda report.

Be Proactive
Taking on a project at the request of the audit committee is an easy decision. Almost all of the time, the answer needs to be yes. But trusted advisors go a step further by getting involved even before they’re asked. If auditors pay close attention to organizational developments, they can proactively assess emerging priorities before the audit committee requests their assistance. Questions often arise from committee members when the organization receives negative publicity — they want assurance that the organization is protected. Trusted advisors will take the initiative to evaluate the situation, consider it carefully, and present an objective picture to the audit committee in anticipation of its queries.

RELATIONSHIP BUILDING
Relationships play a key role in establishing trust. Without adequate familiarity and comfort with the CAE, members of the audit committee may not fully leverage internal audit’s capabilities. Several building blocks can strengthen audit’s relationship with the committee and provide confidence in its ability to deliver value.

Maintain Integrity
Auditors’ integrity represents the foundation of their role as trusted advisors. The audit committee needs to have full confidence that audit practitioners are above reproach, their motives are pure, and they will act in the best interest of the organization. Without such assurance, a


trusted advisor relationship cannot exist. When faced with situations that may damage relationships, hurt the organization’s bottom line, or reflect negatively on the audit function, practitioners must act in accordance with their core values. Some painful conversations may be required along the way, but the audit committee will appreciate internal audit’s commitment to integrity.

Answer All the Questions
When the audit committee asks questions, more pressing issues often lie beneath the surface. As trusted advisors, internal auditors must get to the root of questions — the underlying reasons behind them. For example, the committee may ask, “How receptive have departments around the organization been to implementing the new technology?” Is the question really about departments’ receptiveness, or is the committee seeking to understand whether the technology has been worth the investment, or if there is a holdout department that needs to be addressed? Or perhaps it’s seeking to probe an even deeper issue. Auditors will know they have achieved trusted advisor status when they answer all of the audit committee’s questions, both explicit and implicit.

Back Words With Action
Internal audit’s status as a trusted advisor is contingent on its ability to fulfill commitments to the audit committee — every time. Auditors commit to completing audit projects as part of the audit plan, and they must back that up. They commit to performing their work with the necessary skills, abilities, and expertise, and they commit to remaining independent and objective in the process. I recall a time when our team was struggling to complete the audit plan as promised in light of late-year turnover within the function. After completion of the plan, one of the audit committee members pulled me aside and told me the deck was stacked against us — that we shouldn’t have been able to complete the plan. I replied that we made a commitment and had no intention of falling short. Instant credibility was established, and the path to becoming a trusted advisor was set. Trusted advisors fulfill commitments and support their words with actions.

CONFIDENCE AND TRUST
Maintaining an effective relationship with the audit committee is vital to organizational success. When CAEs invest in that relationship and build a stronger connection, mutual trust and confidence is more likely to emerge. No one can become a trusted advisor overnight, but once achieved the benefits for both parties, and the organization as a whole, are well worth the effort.

SETH PETERSON, CIA, CRMA, QIAL, is vice president, internal audit manager, at The First National Bank in Sioux Falls, S.D.



BUSINESS INTELLIGENCE

Beneath the Data
Auditing with self-service business intelligence tools can mine the organization’s data sources to provide greater assurance.
Christopher Kelly
James Hao
Illustration by Edmon de Haro

Big data can tell unexpected stories: The chief financial officer who had a conflict of interest with a supplier to whom he had awarded a multimillion-dollar contract. The two employees who provided their company-supplied fuel cards to family members to refuel their personal vehicles. The executive who had an affair with a union official during wage negotiations.
Internal auditors never could have discovered such wrongdoing through traditional audit sampling, walk-throughs, or reliance on the representations of management. They were only found by using business intelligence tools to mine data sources that are now routinely available.

BUSINESS INTELLIGENCE FOR AUDITORS
Audits typically entail inquiries of management, walk-throughs, and transaction sampling as a basis for statistically inferring the effectiveness of each internal control attribute under review. To be generalizable within a given confidence interval, transaction samples need to be both large and randomized to represent the entire population. In doing so, internal auditors usually presume that the population conforms to a normal bell curve. This brings with it the risk

that if the sample is too small, the tests are performed with insufficient care, or the population is skewed differently from a normal bell curve, the auditor may form the wrong conclusions about the control’s true characteristics. If the population contains any erroneous or fraudulent transactions, it is unlikely they will turn up in a walk-through or random sample.
Today’s self-service business intelligence tools expand internal audit’s toolkit from mere questionnaires and sampling to mining entire data populations. These tools make it easier for auditors to mine data for errors such as anomalous transactions and fraudulent data correlations (see “Mining for Errors” on page 45). In this way, auditors can pinpoint actual error, fraud, and cost savings that demand action.
Beyond financial transactions, auditors can use business intelligence tools to access newly available data sources such as telecommunications, email, internet usage, road tolls, time sheets, maintenance schedules, security incident logs, clocking on/off, and electronic point-of-sale transactions. Previously, many of these sources either were not auditable or were stored as manual records. Business intelligence tools open the door to a variety of audits.

Inventory
For many organizations, inventory is a complex and poorly understood process. Organizations record movements in cash, debtors, and creditors within their financial systems. Yet, inventory data easily can get out of step with the physical daily movement of thousands of nonhomogeneous goods. Inventory is vulnerable to receipting errors, barcode misreads, obsolescence, rot, and shrinkage.
Things often go wrong in inventory, and audits often have revealed downside errors of 10 percent of inventory value. Therefore, internal audit could focus on ensuring quantity and description data matches physical reality through accurate goods receipting into the accounting system, precise sales capture, and reliable stock-taking. Once inventory data reflects the physical goods on hand, data mining can assist with identifying:
»» Slow-moving and excessive inventory build-up.
»» Book-to-physical adjustments pointing to shrinkage or theft by location.
»» Refundable stock that can be returned to suppliers.
»» Stock-outs where the organization lost sales because of insufficient demand analysis.
»» Negative quantities revealing goods receipting or similar process errors.
This kind of audit analysis demonstrates the informational value of having accurate inventory data. Such information can lead the organization to prioritize which inventory processes most need fixing.

Supply Chain
Organizations need to know supplier agreements do not conceal undeclared conflicts of interest and suppliers are paid no more than their contractual entitlements. Even small organizations process thousands of supplier payments daily, so errors are likely. Data mining can include:
»» Matching supplier master data such as bank account numbers, addresses, and telephone numbers to employee and next-of-kin master data for unexpected relationships.
»» Isolation of purchase orders or payments just below authorization thresholds.
»» Erroneous duplicate invoice payments because of optical character recognition or human error when entering invoice references such as mis-entry of “I” instead of “1,” or “S” instead of “5,” or “/” instead of “\.”
»» Historic credit notes that have never been offset against subsequent payments and remain recoverable from suppliers.
Audits using these tests have experientially revealed an average of 0.1 percent in errors, which enabled organizations to recover cash refunds from suppliers. Auditing over several prior years can result in material financial recoveries.

Payroll
For most organizations, payroll is the largest single cost. The board and audit committee need to know overpaying or underpaying employees is minimized. Payroll data mining can include comparing hours paid to hours actually worked by matching sick leave and holiday to other time- and location-stamped data such as building entry/exit data, cell phone metadata, and email data. In doing this, internal auditors can present management with compelling evidence that supports corrective action. Moreover, previous audits have uncovered savings of about 1 percent of total payroll cost from:
»» Claiming fictional hours on time sheets.
»» Falsely claiming to be working at home or on paid sick leave.


»» Missing scheduled training.
»» Finding repetitive patterns of fictitious sick leave taken on Mondays, Fridays, and the day before or after public holidays.

Company Motor Vehicles
Auditors can mine data gathered from vehicles, including road tolls, refueling, traffic penalties, and insurance claims. This jigsaw puzzle of data can show auditors how vehicles are being used for business purposes, possible abuse of vehicles, and drivers with poor driving histories that result in unnecessary cost. This data can be obtained from external motor fleet providers and insurers. Such audits can recover around 5 percent of fleet costs.

Metadata
While the content of company-issued cell phone calls and text messages is confidential, the accompanying nonconfidential metadata includes called numbers, durations, date and time stamps, and base station geographical locations. Auditors can discern employee activity, interconnections, and external relationships during work hours or while on paid sick leave by matching this metadata to other sources such as the organization’s telephone list and employee and supplier master files. Internet usage metadata provides similar insights. These data sources can help when investigating white collar conflicts of interest and fraud.
These are just a few areas where business intelligence opens new portholes. Partnering with the chief information officer can help internal audit access the organization’s databases. Once access is granted, auditors can use business intelligence tools with minimal assistance.

Data quality and management, discovery and visualization, and self-service business intelligence are the most important business intelligence trends, the BARC BI Trend Monitor 2019 reports.

MINING FOR ERRORS
The diagram below summarizes the steps from raw data to audit findings when internal auditors use Excel’s Power Query and Power Pivot features.

RAW DATA
»» Financial transaction tables
»» Master file tables
»» Other heterogenous data sources

SELF-SERVICE BUSINESS INTELLIGENCE TOOLS
Power Query used for extract, transform, and load (ETL)
Power Pivot used to create data model readable by Excel pivot tables

AUDIT FINDINGS
»» Benford’s Law spikes
»» Unexpected duplicates
»» Erroneous, extreme, or fictional data values
»» Irregular transaction volumes
»» Time-series data patterns
»» Geographical location anomalies

GETTING STARTED
With business intelligence, auditors are no longer constrained by Microsoft Excel’s 1,048,576 row limit. Excel 2016 includes built-in business intelligence tools, Power Query and Power Pivot. Power Query is an extract, transform, and load (ETL) tool that reads source data and makes it available for Power Pivot for data modeling. This source data typically comes from comma- or tab-separated outputs from other systems. Auditors can access Power Query under Excel 2016’s Data ribbon, where it is also known as Get Data and, once opened, Query Editor.
Power Query and Power Pivot have formula languages that allow users to create new data columns specific to their own unique needs. Power Query uses M formula language and Power Pivot uses Data Access Expressions (DAX). Both languages differ from Excel formulas. Whereas Excel formulas are not case sensitive and usually do not distinguish among string, date, and numeric data types, M and DAX are sensitive to both text case and data type. This distinction is important when manipulating data and performing calculations.
Once internal auditors have loaded and edited the raw data down to only the needed columns in Power Query, they can add each table to the Power Pivot data model under the “Add to data model” option. Auditors can then access Power Pivot from Excel under “Manage data model.” From there, they can use the “Diagram view” to link tables such as transaction files keyed to their corresponding master files. The data model can handle multiple external data


APPLYING BUSINESS INTELLIGENCE USING BENFORD’S LAW

The steps below illustrate how business intelligence tools can enable internal auditors to use Benford’s Law to annotate original source data with leading digits. Leveraging Power Query, Power Pivot, M, DAX, and standard pivot tables together can produce audit insights.

STEP 1. Using a data-cleansed table created in Power Query, create additional field columns using “Add column/custom column” to capture the leftmost 1, 2, 3, etc. digits for Benford’s Law analysis.
Data mining learning point: Being able to create custom columns in the data model is key to internal audit’s ability to generate original insights. Auditors should not create too many new columns or the data model may become unmanageable within their computer’s memory limits.

STEP 2. To avoid picking up the dollar-cent decimal points, multiply the amount field by 100 to convert it into whole cents and then use an M formula to convert the absolute amount to text and pick up the two (or three or more) leftmost digits. For example:

= Text.Start(Text.From(Number.Abs([Amount]) * 100), 2)

Data mining learning point: In this M formula, auditors are isolating the two leftmost digits and “[Amount]” is the literal field heading from the source text file. Note that the formula syntax differs from Excel.

STEP 3. Once the desired Benford analysis columns have been created in Power Query, refresh the data model in Power Pivot.
Data mining learning point: Now that the raw data is in the Power Pivot data model, auditors can access the entire table, including the new column added in Step 1 within Excel’s standard pivot tables.

STEP 4. Show the leftmost digits using the pivot table’s “Show Values As/% of Grand Total” and compare this to the expected logarithmic frequency under Benford’s Law. Then, visualize the resulting columns with a chart to highlight spikes between actual and expected frequency. Deviations are most likely to have occurred where a systematic weakness has been exploited repeatedly.
Data mining learning point: Double clicking each deviant spike in the pivot table will display all the individual transactions that caused the spike, which auditors can then scrutinize for irregularities. In this way, Excel can instantly find the deviant transactions from a huge data population.

[Chart: BENFORD’S LAW FIRST 3 DIGITS ACTUAL TO EXPECTED FREQUENCY — INVOICES. Vertical axis: frequency, 0.0% to 0.7%. Horizontal axis: first three digits, 100 to 1,000. Series: Actual Frequency, Expected Frequency. Frequency spikes can be seen on 100, 119, 149, 179, 199, 299, 599, 749, 799, 899 and 999.]
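An added example, not from the article: the first-two-digits test of Steps 1 to 4, written in Python so that the expected logarithmic frequency and the drill-down from a spike to its transactions are explicit. The function names, the z-score cutoff used to call something a spike, and the constructed invoice data (including the 5,000 approval limit) are assumptions made for illustration.

```python
import math
import random
from collections import defaultdict
from decimal import Decimal


def leading_digits(amount, n=2):
    """Article's Step 2: absolute amount -> whole cents -> leftmost n digits."""
    cents = int((abs(Decimal(str(amount))) * 100).to_integral_value())
    text = str(cents)
    if cents == 0 or len(text) < n:
        return None  # zero, or too few digits to classify
    return int(text[:n])


def expected_frequency(digits):
    """Benford's expected (logarithmic) share of values starting with `digits`."""
    return math.log10(1 + 1 / digits)


def benford_spikes(amounts, n=2, z_threshold=3.0):
    """Return over-represented leading-digit groups, largest z-score first.

    Each result keeps the row numbers behind the spike, the equivalent of
    double clicking a pivot-table cell to list the underlying transactions.
    """
    rows_by_digits = defaultdict(list)
    for row, amount in enumerate(amounts):
        digits = leading_digits(amount, n)
        if digits is not None:
            rows_by_digits[digits].append(row)
    total = sum(len(rows) for rows in rows_by_digits.values())
    if total == 0:
        return []

    spikes = []
    for digits in range(10 ** (n - 1), 10 ** n):
        expected = expected_frequency(digits)
        rows = rows_by_digits.get(digits, [])
        actual = len(rows) / total
        gap = actual - expected
        if gap <= 0:
            continue  # only excess counts are reported as spikes
        # z-statistic with continuity correction (assumed cutoff, not the article's)
        correction = 1 / (2 * total)
        if correction < gap:
            gap -= correction
        z = gap / math.sqrt(expected * (1 - expected) / total)
        if z > z_threshold:
            spikes.append({"digits": digits, "actual": actual,
                           "expected": expected, "z": z, "rows": rows})
    return sorted(spikes, key=lambda s: s["z"], reverse=True)


def constructed_invoices(seed=2019):
    """Constructed sample: 20,000 log-uniform amounts, which conform to Benford's
    Law, followed by 300 invoices just under a hypothetical 5,000 approval limit."""
    rng = random.Random(seed)
    amounts = [round(10 ** rng.uniform(1, 5), 2) for _ in range(20000)]
    amounts += [round(rng.uniform(4900, 4999.99), 2) for _ in range(300)]
    return amounts


if __name__ == "__main__":
    invoices = constructed_invoices()
    for spike in benford_spikes(invoices):
        print(f"{spike['digits']}: actual {spike['actual']:.2%}, "
              f"expected {spike['expected']:.2%}, z={spike['z']:.1f}, "
              f"{len(spike['rows'])} transactions to review")
```

A spike only says where to look: the rows it returns still have to be examined, since legitimate pricing conventions can also cluster on particular leading digits.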


sources as well as normal Excel tables. This capability allows auditors to create multidimensional relational databases rather than two-dimensional flat files.
Power Pivot enables auditors to annotate the relational databases retrieved in Power Query with unique columns and measures specific to audit needs, which can be analyzed using Excel’s pivot tables. “Applying Business Intelligence Using Benford’s Law” on page 46 illustrates how Power Query, M, Power Pivot, and Excel can work together to search for irregularities.

87% of organizations have low business intelligence and analytics maturity, yet Gartner estimates self-service analytics and business intelligence will produce more analysis than data scientists in 2019.

DATA CLEANSING
Data files usually need to be cleansed before analysis. That is because over time, original source data is input by a variety of users whose training and attention to accuracy may be inconsistent. Some fields may hold invalid data as a result of being migrated from different systems or different versions of the same system. Moreover, stack overflow and other error types may lurk in historic data, the text files may have misaligned some fields, and records may be broken across two or more rows.
Comma-separated text files can present extra cleansing problems if users have input commas into individual fields. For example, “Kelly & Yang, Inc” would translate into two separate fields because of the comma, whereas “Kelly & Yang Inc” would translate into one field.
ETL tools will attempt to read all transactions from the raw data files. But if the tool encounters errors, it may exclude them from the upload, resulting in loss of data that dilutes the objective of testing the entire population. If time allows, the auditor may cleanse the text files field-by-field in a spreadsheet or word processor by rejoining broken records, recalibrating misaligned fields, trimming stray characters or spaces, replacing known error values with blanks or zeros, and converting dates stored as text to real dates.
Further cleansing may be required if source files are fragmented across different years or subsidiaries and need to be joined into a single table, or if source files are tabulated differently from how internal audit wants to use them. In the first case, Power Query can append files into a single data source provided the field headings are identical. In the second case, auditors can untabulate inappropriately tabulated source files back into a single column of data using Power Query’s Unpivot command.
Internal auditors should keep a record of data cleansing actions in case future rework is required. Any updates to source data made in Power Query will need to be refreshed in the Power Pivot data model as well as in dependent pivot tables.

EFFICIENT QUERIES
Business intelligence tools are faster than previous versions of Excel, but internal auditors still need to be mindful of formula efficiency. If the auditor tries to add a new calculated field to a data model that requires a row-by-row lookup of each element in a two-million-row database, that could easily result in two million x two million = four trillion separate lookups.
Even with software, four trillion lookups could take several hours. Auditors can increase query efficiency by indexing, compartmentalizing a large query with efficient calculated fields, and filtering out unwanted columns or transactions that are blank or below a given materiality threshold.

SECURING DATA
To avoid internal audit being the source of a leak, or to limit the damage if the unthinkable occurs, auditors should take care with data. Auditors can exclude fields that identify living individuals, home addresses, or bank account numbers from downloads or replace them with codes such as an employee number instead of a name. They should be cautious when transmitting data to ensure USB drives are secure and electronic data is not emailed to unintended recipients. Auditors should check recipient email addresses before hitting “send.” Password protection and encryption should be used when practical. As auditors only need to work on copy data — rather than live data — they usually can destroy their version and wipe USB drives after the audit is completed.

ORIGINAL INSIGHTS
Business intelligence tools unlock new ways to audit. With only a little new learning, business intelligence tools can expand internal audit’s adventures into new pools of financial and operational data that may reveal risk and control insights. Moreover, because even the most innocuous transactions leave data trails, imaginative analysis can uncover errors, fraud, and cost savings that transform audit reports into compelling reading for executives and the board.

CHRISTOPHER KELLY, DPROF, FCA, MIIA, is partner at Kelly & Yang in Melbourne, Australia.
JAMES HAO, CPA, is an associate at Kelly & Yang in Melbourne.
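An added example, not from the article, that ties the SECURING DATA advice to the supplier-to-employee master data match listed under Supply Chain: the audit working copy holds only record codes and keyed tokens, yet shared bank accounts or telephone numbers still surface. The field names, the constructed rows, and the choice of HMAC-SHA256 with a per-audit key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def normalise(value):
    """Canonical form so '012-345 678901' and '012345678901' give the same token."""
    return "".join(ch for ch in str(value).upper() if ch.isalnum())


def token(key, field, value):
    """Keyed HMAC-SHA256 token, truncated to 64 bits for readability.
    A plain unkeyed hash would not protect these fields: account and phone
    numbers are short enough to recover by hashing every candidate value."""
    message = f"{field}:{normalise(value)}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


def working_copy(rows, key, code_field, match_fields):
    """Keep the record code plus tokens for the fields used in matching.
    Names, home addresses and every other column never reach the audit copy."""
    copy = []
    for row in rows:
        slim = {code_field: row[code_field]}
        for field in match_fields:
            if row.get(field):
                slim[field] = token(key, field, row[field])
        copy.append(slim)
    return copy


def unexpected_relationships(suppliers, employees, match_fields):
    """Pair suppliers and employees that share a tokenised attribute."""
    index = {}
    for emp in employees:
        for field in match_fields:
            if field in emp:
                index.setdefault((field, emp[field]), []).append(emp["employee_no"])
    hits = []
    for sup in suppliers:
        for field in match_fields:
            for employee_no in index.get((field, sup.get(field)), []):
                hits.append((sup["supplier_id"], employee_no, field))
    return sorted(hits)


def constructed_master_files():
    """Constructed sample rows; every name, number and address is made up."""
    employees = [
        {"employee_no": "E1001", "name": "Employee One", "home_address": "1 Example St",
         "bank_account": "012-345 678901", "phone": "0400 000 001"},
        {"employee_no": "E1002", "name": "Employee Two", "home_address": "2 Example St",
         "bank_account": "012-345 678902", "phone": "0400 000 002"},
        {"employee_no": "E1003", "name": "Employee Three", "home_address": "3 Example St",
         "bank_account": "012-345 678903", "phone": "0400 000 003"},
    ]
    suppliers = [
        {"supplier_id": "S-77", "name": "Constructed Supplies",
         "bank_account": "012345678901", "phone": "03 9000 0077"},
        {"supplier_id": "S-84", "name": "Sample Freight",
         "bank_account": "987654321000", "phone": "03 9000 0084"},
        {"supplier_id": "S-91", "name": "Placeholder Parts",
         "bank_account": "555000111222", "phone": "0400-000-003"},
    ]
    return employees, suppliers


def run_constructed_example():
    """Tokenise both master files with one per-audit key, then match on tokens."""
    fields = ("bank_account", "phone")
    # Assumption: the key is generated at extract time and is not stored with the copy.
    key = secrets.token_bytes(32)
    employees, suppliers = constructed_master_files()
    emp_copy = working_copy(employees, key, "employee_no", fields)
    sup_copy = working_copy(suppliers, key, "supplier_id", fields)
    return emp_copy, sup_copy, unexpected_relationships(sup_copy, emp_copy, fields)


if __name__ == "__main__":
    for supplier_id, employee_no, field in run_constructed_example()[2]:
        print(f"{supplier_id} shares {field} with {employee_no}")
```

Because both files are tokenised with the same key, a match can be followed up through the employee number and supplier ID alone; destroying the key along with the copy data leaves the tokens unlinkable to the source values.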


STRATEGY

An Audit of Strategy
Four questions can help internal auditors ensure an effective strategic management process, the backbone of organizational success.
Matej Drašcek
Adriana Rejc Buhovac
Gavin Lawrie

The International Standards for the Professional Practice of Internal Auditing and The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrating With Strategy and Performance emphasize strategy as the basis for internal audits. Despite this, auditors still often lack the tools and methodologies to audit strategy development and implementation for their organizations. By understanding the needed competencies for tackling a strategy audit, internal audit can help improve governance, risk management, and internal controls in an organization’s strategic management process.
Strategic management process best practices typically consist of four interdependent steps:
1. Identify owners’ (key stakeholders) expectations.
2. Analyze the broader environment, industry, and organization’s performance.
3. Develop a long-term vision (destination) and strategy leading to that vision, as strategies reveal causality between strategic activities and strategic outcomes.
4. Implement strategy via communication, performance measurement and control, and review meetings.
While it is not the role of internal audit to validate the content of these steps as performed by the organization’s leadership, there is an important requirement for the internal audit function to confirm that each step is being undertaken, and that the organization is using sensible methods at each stage. It is also important for the internal audit team to confirm that these steps are happening concurrently, with each of them operating consistently and cooperatively.

QUESTION 1: HAVE STAKEHOLDERS’ EXPECTATIONS BEEN IDENTIFIED?
Even though the idea of shareholder maximization is always present, business practice abounds with examples of owners balancing profits (financial goals) with other goals — including corporate social, environmental, and economic performance. The first step of auditing strategy is to assess whether the board and senior management have identified stakeholder expectations of future performance in some practical way and have incorporated a response to these expectations within their strategy development process. In the long term, the achievement of stakeholder expectations is the ultimate measure of the performance of the organization’s senior management team. It should serve as stakeholders’ basis for evaluating whether the organization is being managed effectively. As such, it is vital that the strategy focuses on either meeting stakeholder expectations directly, or building and managing a supportive consensus within the stakeholder community concerning the choices of which expectations to meet over time.

QUESTION 2: DOES STRATEGY LIE ON FIRM, ANALYTICAL GROUND?
Internal auditors should focus on the most important methodological aspects of strategic analyses.

Is data reliable, relevant, and sufficient?
With information easily accessible via the internet, internal auditors should assess if the information gathered is reliable and from trustworthy sources. They also need to evaluate whether the data is relevant (likely and impactful) and sufficient.

Have managers avoided the risks of overconfidence and confirmation bias?
Managers are often overconfident about the accuracy of their forecasts and risk assessments and far too narrow in their assessments of the range of possible outcomes. They frequently compound this problem with confirmation bias, which drives them to favor information that supports their positions (typically successes) and suppress information that contradicts them (typically failures). They might anchor their estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. Internal auditors should use professional skepticism to assess the quality of collected data.

Have potential black swan and black elephant scenarios been considered?
Black swan events, such as terrorism or natural disasters, are difficult to predict and have major impact on the organization. Black elephant events, such as financial crisis cycles and climate change, are predictable, detrimental events that people or society choose to ignore. Internal auditors should assess whether the analytical process has addressed these unlikely events.

Have analysts identified historical information and emerging trends?
Big data has become a necessity rather than an advantage. Organizations should analyze readily available data from public sources and also use predictive analytics, prescriptive analytics, or autonomous statistics. These approaches go beyond what and why


TO COMMENT on this article,
AN AUDIT OF STRATEGY EMAIL the author at [email protected]

something is happening to address what (strategic linkage models) outlining with a reported fail rate of 50 percent
will happen next. causality between strategic activities, to 90 percent. Internal auditors should
themselves, and between strategic be alert to the main causes of strategy
Have the organization’s current activities and strategic goals. They also implementation failure.
capabilities been analyzed for- should check whether strategic goals
mally? An organization’s ability to sat- include financial and nonfinancial goals Communication Effective com-
isfy stakeholder expectations is to some related to the activities the organization munication plays a critical role in
extent determined by the capabilities will need to implement the changes aligning the whole organization with
(technological or marketing, for example) required by the chosen strategy. This the strategy and giving employees an
of the organization. If the capabilities are includes short-term outcomes that the understanding of the pace of change
sufficient, the challenge is how to deploy organization can track to confirm the that will be required. Internal auditors
them to best satisfy expectations. If the actions taken are working as expected. should: 1) identify communication
organization does not have the right mix In addition, auditors should assess channels that senior management is
or sufficient capabilities, the strategy whether clear, long-term strategic goals using to support strategy execution; 2)
will need to include steps to expand and are quantified and associated with a assess the appropriateness of commu-
develop internal capabilities or to pur- specific time frame. Long-term goals nication channels from the perspective
chase the required capabilities from else- help the organization pick and set of frequency and reach; and 3) check
where. How will this support or hinder targets for the amount of activity that whether any guidelines or a strategy
work to satisfy stakeholder expectations? needs to be delivered and the time execution model exists. Internal audi-
frame for realizing required outcomes. tors can use a modified approach to
Is a strengths, weaknesses, oppor- Third, internal auditors should COSO’s updated ERM framework
tunities, and threats (SWOT) exami- assess the documentation of strategic to evaluate the strategy communica-
nation an appropriate summary activities. This should include at least: tion process.
of key analytical findings? Internal »» The owner or person respon-
auditors should assess whether the iden- sible for effective completion of Performance measurement and
tified strengths and weaknesses are sup- a strategic activity. control Strategic performance measure-
ported by an objective measurement or »» Tasks to be completed. ment systems support adequate infor-
assessment, and whether the identified »» Timeline of activity. mation sharing among individuals or
opportunities and threats are related to »» Financial and other resources. the business units responsible for strat-
external factors — such as events from »» How to mitigate the main risks. egy execution. Internal auditors should
the broader environment or industry. Finally, internal auditors should identify whether strategic activities and
check whether managers have ensured goals have at least one performance
QUESTION 3: HAS STRATEGY strategic alignment or the cascading indicator and target values (milestones)
DEVELOPMENT FOLLOWED of a designated strategy throughout to keep track of what has been achieved.
BEST PRACTICES? the organization. Cascading is the Then, auditors should assess the appro-
First, strategy development involves process by which the ultimate goals priateness of key performance indicators
clearly articulating the organization’s final are broken down into individual to make sure they are measurable, rel-
destination (vision) at some future date. departmental activities, allowing for a evant, and informative.
Internal auditors should assess whether more engaged and accountable work-
the organization’s vision statement force. Internal auditors should assess Review meetings Organizations
addresses owner/key stakeholder expecta- the responsibilities and ownership often lack senior management support
tions, is achievable and measurable, and of execution plans at lower levels for in strategy execution. To encourage
focuses on what the organization needs implementation decisions. participation and support, senior man-
to achieve vs. what it needs to do. agement should set up and manage
Second, internal auditors should QUESTION 4: IS STRATEGY the review meetings. Internal auditors
check whether the strategy reflects BEING IMPLEMENTED? should check the frequency of the
a business case, the logical causality The last part of a strategy audit is meetings, assess whether any con-
between strategic activities and strategic implementation. Empirical research trols have been put in place to ensure
outcomes (goals). Best practice strate- shows that strategy implementation implementation actions are carried
gies include cause-effect connections remains elusive regarding effectiveness, out, and evaluate whether any actions

50 INTERNAL AUDITOR FEBRUARY 2019


35% of senior executives rank developing strategy implementation skills among executives
as a very high priority in the Project Management Institute’s Pulse of the Profession 2018.

KEY STRATEGY DEVELOPMENT AND IMPLEMENTATION RISKS


QUESTION MAIN AUDIT RISKS TO GUIDE INTERNAL AUDITORS

Have owners’ »» Owners’ expectations are not clear.


expectations »» Board and top managers are not familiar with owners’ expectations.
been identified?

Does strategy »» The SWOT analysis has been produced subjectively, without objective analytical methods
lie on firm ana- and data gathering.
lytical grounds? »» The strategic analyses used unreliable sources, so the data is irrelevant and insufficient.
»» Key analytical findings have been identified based on overconfidence and confirmation bias.
»» Analytical findings are built on extrapolations from past events without considering unlikely,
but highly impactful, events.

Has strategy »» The organization has unclearly articulated its final destination (unspecified goals and no
development time reference).
followed best »» The organization has a vague strategy. The goals are unclear and there is no causality
practices? between strategic activities and strategic goals.
»» Management has not established clear priorities regarding key strategic activities.
»» Strategic activities are not documented appropriately and are lacking activity owners, task
descriptions, timelines, or identified risks.
»» Cascading of strategy does not exist — responsibilities for execution plans are not clear.

Is strategy »» Information-sharing between individuals or business units responsible for strategy execu-
being imple- tion is poor or inadequate.
mented? »» Communication of responsibility for execution decisions or actions is unclear.
»» There are no feelings of ownership of a strategy or execution plans among key employees.
»» There are no guidelines or models to guide strategy execution.
»» Upper management support of strategy execution is lacking.
»» A comprehensive strategic performance measurement system — a system of measurable
key performance indicators with target values (milestones) for tracking progress along stra-
tegic activities and strategic goals — is missing.
»» There are no review meetings to assess the need for active interventions and action modifi-
cations to ensure strategy implementation.

have been modified to ensure strategic the potentially conflicting interests of that its approach to strategy develop-
goals are reached. these stakeholder groups and direct the ment and implementation is appropri-
organization to maximize the extent to ate and well-controlled.
PROVIDING REASSURANCE which these interests are satisfied. Orga-
Stakeholders — who can directly or nizational strategies document the plan MATEJ DRAŠCEK, CIA, CRMA, is the
indirectly influence the organization’s to modify and adapt the performance chief audit executive at LON Bank d.d. in
ability to operate — comprise a mix of of the organization in light of these Kranj, Slovenia.
interested parties, including financial stakeholder expectations. The role of ADRIANA REJC BUHOVAC, PHD, is a
owners, regulatory bodies, and com- internal audit is not to validate or con- professor in the Faculty of Economics at
munities impacted by the organiza- test the content of the strategy — which University of Ljubljana in Slovenia.
tion’s activities. A critical responsibility is the responsibility of senior manage- GAVIN LAWRIE is managing director at 2GC
of senior management is to balance ment — but to reassure the senior team Active Management in Maidenhead, England.

AUDIT OUTCOMES

7 Practices for Better Audit Outcomes
The U.S. Department of Homeland Security follows guidelines aimed at improving the auditor-auditee relationship.
Jim H. Crumpacker

When it comes to ensuring successful audit outcomes, the two parties involved — the auditors and the auditees — must be committed to active cooperation. Throughout my career, I have followed certain principles that, when consistently adhered to by both parties, have resulted in successful audits.

I have worked in the U.S. Air Force Audit Agency and in the Office of Inspectors General (OIGs) of both the U.S. Postal Service and Department of Transportation. Since 2010, I have served as the director of the U.S. Government Accountability Office (GAO) OIG Liaison Office for the U.S. Department of Homeland Security (DHS). In my current position, I facilitate nearly 250 GAO and various OIG performance audits at any one time across DHS.

These seven principles, along with approaches DHS uses to implement them, can easily be used by other organizations seeking to improve their audit outcomes.


1
Believe Audits Make Things Better

This foundational principle requires auditors and auditees to believe in the work they are doing and remember that it’s not just a job. Auditors and auditees must do the best they can with a view that the results of their efforts will add value to something greater than themselves. For many at DHS, believing this translates into knowing that audit’s efforts are helping make the department’s programs, operations, and activities more effective, thereby ensuring the U.S. and its citizens are safe and resilient against terrorism and other hazards.

Tone at the top in both the audit and audited organization is crucial to successfully implement this principle. For example, senior leaders in the audited organization must have processes in place to demonstrate a personal awareness of, and an active interest in, the audits occurring within their organization. To facilitate this, DHS assigns a priority of 1, 2, or 3 to each audit using broadly defined criteria supplemented by professional judgment and experience. Criteria include considering the level of taxpayer funding in a particular program or initiative and the significance of potential violations of statutory or regulatory requirements. Priority 1 audits warrant secretary or deputy secretary of DHS attention; Priority 2 audits are those that can be monitored at the component or headquarters directorate level, such as by the administrator of the Federal Emergency Management Agency; and Priority 3 audits are considered less critical and can be monitored at the program office level. The priority assigned to an audit is subject to change, depending on circumstances, as the audit progresses through its life cycle.

2
Understand and Respect Audit Independence

Arguably, one of the least understood audit standards is the U.S. Generally Accepted Government Auditing Standard of Independence, which establishes a foundation for the credibility of the auditor’s work. Independence allows audit opinions, findings, conclusions, judgments, and recommendations to be impartial and viewed as such by reasonable and informed third parties. Independence requirements relating to the audit organization and individual auditor — including what independence of mind or in appearance means — and how professional skepticism is correctly defined, can be difficult to fully understand. When auditees have trouble with these or other aspects of independence, they usually just need to learn more about the concept. It is more problematic when auditors do not fully understand what independence is and is not.

During my more than 30-year career, I have seen instances of auditors knowingly or unknowingly misapplying the independence standard as leverage in an attempt to get whatever they wanted, thereby impeding successful audit outcomes. For example, some auditors have told auditees that if they did not immediately produce exactly what they asked for, or let the auditors come and go throughout the organization whenever they wanted, then the auditee was impinging on audit independence. This is quite an overreach. One way DHS mitigates misunderstandings about independence is through an annual joint DHS-wide town hall meeting hosted by the DHS under secretary for management with the inspector general and attended by audit staff, agency leadership, and program officials. The meeting’s question-and-answer format provides an opportunity to openly discuss topics such as independence and, more importantly, to correct misunderstandings. Without audit independence, the value of an audit is considerably diminished; auditors and auditees need to be in sync on independence and why it is needed.

3
Be Open and Transparent

There should be no secrets when working with auditors. Honesty is the best policy, even if being less than open and transparent may seem more expedient in the short term. Making sure there are no surprises at the end of an audit goes a long way toward ensuring successful audit outcomes. The audit life cycle can be long, sometimes taking a year or more from research, announcement and entrance, fieldwork, summarization, report writing, exit, and management response, to final report publication. Ample opportunities exist throughout the life cycle for auditors and auditees to allow the truth to wander. This may involve something the auditor wants to know, such as how a specific aspect of an internal control system might actually be functioning, or something the auditee wants to know, such as what findings and recommendations the auditor might be thinking about including in the final report.

DHS designates an executive-level senior component accountable official (SCAO) for audit activities within each component and headquarters directorate. SCAOs have wide organizational influence — typically at the chief of staff level — and also are responsible for, and have authority over, their respective organization’s audit activities. The SCAO enables and assists program officials, audit liaisons, and others with all aspects of the audit process, including helping to resolve issues that could endanger open and transparent relationships with auditors. For example, SCAOs have mediated disputes concerning what sensitive records may be shared with GAO and OIG auditors.

A key change in the 2018 Yellow Book includes updated independence requirements for auditors who prepare the financial statements of an audited entity.

4
Be Responsive

Successful audit outcomes require a commitment to work collaboratively with the other dedicated professionals involved with the audit. Responsiveness means reacting quickly and positively, and generally reflects how much someone cares about something. For example, consider how auditors and auditees respond to information requests from one another.

One way to help ensure success is to set clear expectations for these interactions and adhere to them. Senior departmental leaders at DHS have consistently articulated expectations for the entire workforce regarding cooperation with GAO and OIG, including their contractors. To maximize effective implementation of this guidance, auditor-to-auditee communication is streamlined and, as a matter of practice, audit issues are addressed at the lowest organizational level possible, trusting and empowering staff and elevating matters to more senior leadership only when necessary. This involves a certain degree of risk — for example, sometimes auditors do not receive the most fully informed response to their questions — however, DHS has found the risk to be acceptable given other controls implemented to balance the risk for the benefit of both parties.

5
Stay Engaged

Early and continuous involvement can be difficult, especially for auditees, because audits can require significant time and are not part of their primary day-to-day responsibilities. However, if auditees believe audits make things better, they will give them an appropriate level of attention among competing mission-related priorities and demands. Likewise, auditors should be mindful that continuous and effective communication with auditees ultimately enhances the flow of information and exchange of ideas. Auditors also need to be understanding about responsiveness lag when other auditee duties occasionally take precedence over the audit.

One way DHS engages with GAO and OIG during the audit life cycle to help ensure successful outcomes is through a standardized technical comments process for communicating and documenting management feedback on auditor statements of fact, notices of findings and recommendations, and discussion or draft reports. Auditors receive and consider these comments, seek clarification when needed, and make changes to work products, as they deem appropriate. The comments are not intended to substantively alter audit findings, conclusions, or recommendations. Instead, they are meant to strengthen work products by improving accuracy and context, preventing the inadvertent disclosure of sensitive information, helping validate actionable recommendations, and minimizing the number of disagreements. As a result of this process, DHS officials rarely find themselves questioning audit report narratives once published and distributed to the U.S. Congress and the public, including the media. Rather, conversations focus on what is being done to implement recommendations.


6
Prepare Detailed Management Responses to Audit Reports

Management responses can contribute to successful outcomes if they clearly document management’s position on the findings and recommendations, identify the corrective actions that will be taken (with estimated completion dates), and assign responsibility for those actions. Auditors generally include management responses verbatim in an appendix to final reports, which are then widely distributed inside and outside the organization. Well-written management responses represent an opportunity to demonstrate how seriously the auditee takes audits. Also, when considered with the auditor’s evaluation and analysis of the response — which provides additional audit perspectives on management’s comments and is included in the final report — management responses provide a good roadmap for recommendation closure and the resolution of disagreements.

DHS requires a written management response for all audit reports with recommendations. Responses must:
»» Clearly state agreement or disagreement (concur or non-concur) with individual recommendations. Partial concurrences are not allowed and it is acceptable to non-concur as long as the rationale for doing so is included.
»» Specifically identify the organization and office responsible for taking the corrective action, such as the U.S. Customs and Border Protection Office of Field Operations.
»» Outline what will be done to implement the recommendations — including proposing alternative corrective actions if program officials believe these would be more effective. This is typically stated in terms of actions completed, ongoing, or planned, being sure to address all aspects of each recommendation.
»» Include an estimated completion date for each action, which can be up to 12 months beyond the estimated date of the final report, or longer if interim milestones are included at approximately six-month intervals.

7
Actively Follow up on Recommendation Implementation

DHS and its auditors view audit follow-up as a shared responsibility and an integral part of good management. This view has significantly improved and facilitated positive interactions among auditors and auditees. DHS devotes substantial attention to taking corrective actions on audit findings and recommendations, a practice that is essential to improving operational effectiveness. This requires sustained leadership commitment at the highest levels. For example, the DHS deputy secretary and/or the under secretary for management meet with the SCAOs every two months to review and discuss the status of ongoing audits, open recommendations, and related performance measures. Senior leadership also receives various periodic audit status reports in between these meetings, including a biweekly Priority 1 report.

If DHS management commits to an action in an audit response, it does its best to follow through on that commitment timely. DHS also strictly adheres to a practice of not closing any GAO and OIG audit recommendations without first reaching agreement with the auditors. This provides Congress and the public added confidence that appropriate actions have been taken to implement these recommendations or otherwise resolve any disagreements. As a result, DHS averages less than one recommendation annually that requires formal resolution.

A POSITIVE APPROACH
Successful audit outcomes do not just happen. The participants must believe audits make things better and be mindful of the six other principles for ensuring successful outcomes. Moreover, auditors and auditees have a fundamental responsibility to ensure that the resources expended on audits provide a positive return on investment for stakeholders.

JIM H. CRUMPACKER, CIA, CFE, is director of the U.S. Department of Homeland Security’s GAO-OIG Liaison Office in Washington, D.C. This article represents the personal views of the author and not necessarily those of any U.S. government department or agency.



Board Perspectives
BY MATT KELLY

IT’S ALL ABOUT TRUST
Audit committees and CAEs work best when they pledge to work together.

Audit committees and chief audit executives (CAEs) talk constantly about how to foster more engagement with each other, and rightly so. Their relationship is one of the most important for an organization to get right, if it wants effective corporate governance.

A good place to begin, then, is to consider the origin of the word engagement. It descends from the French verb engager. Today that word means “to hire” or “to employ” — but 400 years ago, when engagement first crept into the English language, engager actually meant “to pledge.”

That’s a useful point to remember when contemplating how to improve the relationship between audit committee and audit executive. It’s about pledging to be there for each other: I will help you, and you will help me, and we both know that. In other words, it’s about trust. Audit committees and audit executives have to trust that the other is thoughtful, competent, and looking out for the best interests of the organization.

That’s all the more true today in an immensely complex modern business world. Audit committees have a fiduciary (and for publicly traded companies, statutory) responsibility to oversee risk management at their organizations. Audit executives are watching their profession transform from an older era of financial statement audits to a newer one of monitoring risk and working with other parts of the organization to manage risk (see “The Audit Committee Connection” on page 36.)

In other words, both parties now have more to do, and more to worry about. That’s why cultivating a strong working relationship is important. That’s why fostering trust is important. Each needs the other to succeed.

“It’s a whole new world,” says Theresa Grafenstine, a managing partner at Deloitte, audit committee chair of the Pentagon Federal Credit Union, former audit committee chair of ISACA, and former inspector general of the U.S. House of Representatives. “We need to see this as a partnership.”

Trust Begins With Communication
For starters, audit committees and audit executives can simply talk more often. There should be executive sessions at the end of audit committee meetings without management present. The audit committee chair should schedule informal chats with the CAE between formal meetings, even without anything specific in mind. Talk.

Marty Coyne, audit committee chair at Ocugen and a past audit committee member at numerous other technology companies, swears by both practices. “It’s almost mandatory in my mind,” he says. “If the audit committee isn’t doing that, shame on them.” (In the most recent North American Pulse of Internal Audit survey, nearly one-third of audit executives say they do not meet in private session with the audit committee.)

What questions should audit committees put to CAEs in those sessions? Unless some specific issue demands attention, they should pose open-ended questions without any right or wrong answers. What’s been happening in the last quarter? Are there any challenges where they can help? Coyne’s go-to question in such meetings: “What didn’t you say?”

Those questions give the CAE a chance to speak his or her mind, and to lead the discussion where the CAE believes it should go. “It’s so you can draw that person out,” says Brenda Gaines, audit committee chair for Tenet Healthcare. That, in turn, can foster the CAE’s trust in the audit committee.

Audit committee chairs should take the extra step of regular communication with the audit executive beyond the standard audit committee meetings. Gaines schedules a monthly phone call; Coyne has met CAEs for coffee. However the chair does it, that casual, unstructured line of communication can be invaluable.

“It would help me frame out the agenda for the audit committee meeting,” Coyne says. After all, audit committees have plenty of risks they can discuss in a formal meeting, and time is limited. So Coyne would chat with the audit executive to pinpoint which risks (aside from any standard matters about financials, investigations, and so forth) truly warranted the audit committee’s attention.

“There’s always room for a topic,” Coyne says, “and I want to make sure that the topic we talk about, beyond the normal topics, is germane and important, and going to move the needle.”

Trust Endures Difficulty
All that communication and trust spadework can pay off in several ways. First, the very act of creating an open culture among senior executives and the audit committee reduces the chance that difficult matters will arise where the audit committee needs to “take sides” in an impasse between internal audit and management. Second, when those impasses do arise (spoiler alert: sooner or later, they will), the audit committee can resolve it with the least amount of acrimony.

That also means the audit committee needs a healthy relationship with management, and needs to ensure management and the CAE have a healthy, respectful relationship, too. Grafenstine calls it the “triangle of success” — each side having equal power, where they each understand the other’s roles and responsibilities.

Coyne’s approach is, whenever possible, to bring all sides together in open communication at a committee meeting. After all, the CAE may be disappointed with the pace of improvement in a business process, but management might have a good reason for the delay: product launches, sudden departure of key personnel, or some other operational issue.

The audit committee’s job is to ensure such differences of opinion are aired openly and respectfully. The best way to do that is to foster trust long before that conversation happens.

“What you don’t want is all sorts of back-door conversations going on,” Coyne says, like the CEO and CAE speaking to the audit committee members separately, but not to each other. “That’s a disaster when that happens.”

An Environment of Trust
That need for collegial relations with management raises another point. From today into the future, success as a CAE will be more about exercising leadership and working with other parts of the organization to manage risk, rather than technical mastery of audit techniques.

Good audit executives “are not only a valuable resource to help the audit committee discharge its duties,” Gaines says. “They provide management with valuable insight as well on whether risk mitigation is effective.”

Those risk issues can range from IT controls for cybersecurity, to successful integration of an acquisition, to the rapidly rising concern of “culture risk.” Business processes might need improvement. Data analytics might provide valuable insights that someone needs to translate into updated controls and practices.

A good audit executive can do all of that, even while balancing the need for independent analysis of risk issues — if the audit committee fosters an environment of trust and open dialogue, and assures that the CAE has the resources he or she needs (financial, technological, personnel) to do the job.

It’s a lot to ask, of the audit committee and CAE, alike. One might almost say the French had it right 400 years ago: Engagement really is about pledging yourselves to each other.

MATT KELLY is editor and CEO of Radical Compliance in Boston.



Insights/The Mind of Jacka

BY J. MICHAEL JACKA

WE ARE NOT AUDITORS

Practitioners should not let themselves be defined by just one word.

How do you respond when asked, “What do you do for a living?” It shouldn’t be tough, but answering that question can be an exhausting exercise in diplomacy and obfuscation. If you say that you are an auditor, almost inevitably the person then asks, “Oh, do you work for the Internal Revenue Service?” Or some may just suddenly disappear in search of what they believe will be a more interesting conversation — such as the rate of moss growth on redwoods or observations on the drying of paint. Even if they don’t run away, their eyes have usually rolled to the back of their head by that point as they check out of the conversation, mentally filing your mug shot in The Hall of Individuals With Whom I Will Never Talk Again. All because of one word — auditor.

English comedian and actor Stephen Fry once said, “We are not nouns, we are verbs. I am not a thing — an actor, a writer — I am a person who does things — I write, I act — and I never know what I am going to do next. I think you can be imprisoned if you think of yourself as a noun.”

And therein lies the problem. We describe ourselves as a noun. We make ourselves a thing. And by thus naming ourselves, we become that thing. We are auditors. We conduct audits. We perform audit work. We produce audit reports. We are part of an audit department. Our identity and our future become inextricably intertwined with the concrete solidity of a thing that has been named.

Instead, we need to define ourselves as verbs. We need to identify with what we do, not what we are. And that means we need to describe ourselves to others by talking about what we do, not what we are. The next time someone asks what you do for a living, try one of these:

“I work with executive managers to help ensure they achieve their objectives.”

“I help streamline processes to ensure management succeeds.”

“I provide oversight to help the organization succeed.”

“I work with management to help eliminate problems before they occur.”

Any one of these will lead to a better conversation, speak to the value internal auditing can provide to an organization, and keep the other person from scuttling away like a lobster confronted with a pot of boiling water.

I am not suggesting that we no longer use the title auditor. But we have to identify ourselves in a way that helps us and others understand we are free to be more. We provide assurance; we consult; we advise; we fulfill the mission, principles, and definition of internal auditing that help establish who we are. When we realize we are not just auditors — when we make the transition away from being a noun — we are free to be the verbs that describe the real value we provide.

J. MICHAEL JACKA, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.



Eye on Business

THE FORWARD-LOOKING AUDITOR


Foresight is a skill internal auditors need to master in today’s disruptive business environment.

SHAWN STEWART
Partner and National Controls Advisory Practice Leader
Grant Thornton

SANDY PUNDMANN
U.S. Internal Audit Leader
Deloitte

Why is it so important for internal auditors to add foresight to their job description?

STEWART Disruptive technologies and the trends impacting business are expected to intensify in coming years, making markets even more dynamic, competitive, and opportunistic. Successful organizations will need to be agile and accelerate their decision-making in an environment where prolonged periods of rapid change will be the new norm. Internal audit will have an opportunity to help management better evaluate its preparedness to deal with future events and the “what if” scenarios that will most likely impact the business. If successful, internal auditors have an opportunity to inform and shape the critical decisions that their management teams must make. The reality is that most professions — internal audit included — are about to go through tremendous change. Many internal audit functions will need to transform themselves to provide foresight and serve in this new capacity. The real question is whether those currently in the profession will recognize the opportunity, prepare themselves, and rise to the occasion or whether the transformation will be led by an influx of new talent who may be viewed as more equipped to embrace change. I suppose it will be a combination of both, and each of us will decide our future to the extent we are willing and prepared to embrace change.

PUNDMANN The No. 1 thing I hear from key internal audit stakeholders — namely, chief financial officers, audit committee chairs, and CEOs — is they need new chief audit executives (CAEs) to come into their roles ready to not only provide assurance, but also to advise and anticipate risks. Internal audit must be proactive. That said, assurance activities are critical, and we’re seeing more capabilities like automated assurance help internal audit do block-and-tackle analyses of control effectiveness. Taking those learnings, analyzing them, and using them to identify risks before things actually happen is what sets standout, forward-thinking internal auditors and CAEs apart from the rest.

How can providing foresight help the organization compete?

PUNDMANN It’s important for internal auditors to take what they’re seeing from a historical perspective and apply it to the future of the organization. If they can identify an emerging risk or trend early and communicate that insight to stakeholders, they can help the business gain competitive advantage. Whether an organization is launching a new product or service or implementing a new technology system, internal auditors should be involved early to assure appropriate steps are taken, anticipate risks, and advise on controls and processes. Things change so fast — it’s important to ensure necessary capabilities and controls are built into major efforts long before launch time, and the organization maintains a regular pulse throughout the planning.

STEWART In the future, the success of an organization may be determined more often by an ability to anticipate change, to make the right decision within a compressed time frame, and to execute ahead of the competition. An ability to quickly contemplate the potential risks and benefits of multiple “what if” scenarios will become key to effective decision-making and execution. Internal audit has an opportunity to transition from its past of monitoring historic transactions and controls through more recent efforts to establish continuous monitoring where errors or deficiencies can be quickly corrected, toward a future of what might be termed predictive monitoring, theoretical monitoring, or simply forward-looking assessments, where outcomes can be anticipated, competing ROIs validated, and changes made proactively to enhance execution and improve outcomes. Those organizations that make the best decisions and execute on those decisions in this new paradigm will have an advantage over their competition.

What can internal auditors do to shift to a focus on foresight?

STEWART Internal audit professionals must become more aware of, and educated on, business trends, disruptive technologies, the movements of competitors, and alternatives and must be able to anticipate forward-looking risks. This will require greater industry perspective, stronger interactions between internal audit and the business, greater leverage of subject-matter experts, and advanced risk identification techniques. Internal audit must shift from the traditional and conventional to being more strategic and focused on what might impede the organization’s most important business objectives.

PUNDMANN Technology can help a lot. In the future, most internal audit functions will tap risk sensing, predictive analytics, robotic process automation, cognitive computing, machine learning, and — someday — artificial intelligence to help them look to risks and opportunities on the horizon.

What is the risk if internal audit doesn’t provide forward-looking assessments?

PUNDMANN Internal auditors who don’t offer forward-looking insights may diminish their relevance and their level of impact and influence within the organization. Internal auditors need to be proactive and anticipatory to help their companies gain and maintain competitive advantage. New technologies can help give internal auditors broader and deeper views into the risks they help manage, helping them deliver both insight and foresight.

STEWART An ability to adequately and quickly contemplate the potential risks, benefits, and capabilities of the organization to achieve its objectives for multiple “what if” future scenarios will become so important in decision-making that a failure to have this foresight will not be an option for most organizations. This will be particularly true for areas deemed to be most critical to the organization’s success. Management and audit committees will see value in the objective perspective in forward-looking assessments that internal auditors can provide and will seek to transform internal audit functions so they are capable of providing this foresight. Internal audit functions that fail to make this transition likely will find themselves in a less favorable position in the value chain of their organization, will have to deal with an unfavorable contrast to the more advanced internal audit functions of their peers, likely will see more of their budgets and opportunities repurposed to other functions that can support this need, and may ultimately be deemed obsolete and prime to be replaced.

ON THE HORIZON

Pundmann and Stewart say internal audit should be aware of, and ready to address, several emerging risks, including:
»» Cybersecurity
»» Data and cognitive analytics
»» Artificial Intelligence
»» Robotic process automation
»» Blockchain
»» Culture
»» Third-party
»» The rapidly changing strategies of competitors
»» Threats from alternative products and innovative business models
»» Generational and social trends
»» Climate change
»» Geopolitical changes
»» Government intervention and regulation
»» Competition for investment dollars
»» Fierce competition for talent



IIA Calendar

CONFERENCES
www.theiia.org/conferences

MARCH 11–13
General Audit Management Conference
Gaylord Texan
Dallas/Ft. Worth

APRIL 29–30
Leadership Academy
Disney’s Yacht Club Resort
Orlando

JULY 7–10
International Conference
Anaheim Convention Center
Anaheim, CA

AUG. 12–14
Governance, Risk, & Control Conference
The Diplomat
Fort Lauderdale, FL

SEPT. 16–17
Environmental Health & Safety Exchange
Washington Hilton
Washington, DC

SEPT. 16–17
Financial Services Exchange
Washington Hilton
Washington, DC

SEPT. 18
Women in Internal Audit Leadership
Washington Hilton
Washington, DC

SEPT. 20–22
Internal Audit Education Partnership (IAEP) Exchange
Rosen Centre
Orlando, FL

OCT. 21–23
All Star Conference
MGM Grand
Las Vegas

TRAINING
www.theiia.org/training
FEBRUARY/MARCH/APRIL

NEW
Auditing IT Governance
On Demand

FEB. 4–15
CIA Exam Preparation — Part 2: Practice of Internal Auditing
Online

FEB. 12–14
IT General Controls
Online

FEB. 12–15
Seminar Week — Multiple Courses
Phoenix

FEB. 19–28
Fundamentals of IT Auditing
Online

MARCH 5–14
Performing an Effective Quality Assessment
Online

MARCH 6–7
Data Analysis for Internal Auditors
Online

MARCH 18–21
Seminar Week — Multiple Courses
Las Vegas

MARCH 19
Fundamentals of Internal Auditing
Online

APRIL 1–12
CIA Exam Preparation — Part 1: Essentials of Internal Auditing
Online

APRIL 2–5
Seminar Week — Multiple Courses
Orlando

APRIL 2–11
Enterprise Risk Management: A Driver for Organizational Change
Online

THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events



Insights/In My Opinion

BY LIZ ORMSBY

THE LOST ART OF CONVERSATION

Auditors need to ensure they’re talking to the right people, and having the right kind of discussions.

As auditors, asking questions is our bread and butter. Practitioners are expected to be curious, inquisitive, and even challenging when conducting engagements. But sometimes, despite asking what feels like a million questions, our audits don’t progress as we expect or hope. Reflecting on a recent failed attempt to find out what my four-year-old did at day care (“What did you do at day care today darling?” “Nothing, Mummy”), I realized this lack of progression can occur when we aren’t asking the right people the right questions — we need a different kind of audit conversation.

Problems can arise initially when conversations take place solely with internal audit’s designated client contact — typically the manager in charge of the area being audited. At a previous organization, I led a cash-related audit after my primary contact confirmed the process was critical enough to merit internal audit’s attention. But this individual oversaw the process under review — so of course it was considered important. A subsequent meeting with senior management revealed the cash process was a lower audit priority than my team and I originally thought. We could have obtained this information much sooner by holding additional conversations with someone who possessed a more objective point of view.

Even so, identifying the best individuals to speak with does not always guarantee the most relevant information will surface — the discussion itself also requires close attention. Auditors typically prepare questions in advance of client discussions, to make the best use of everyone’s time. While the process constitutes best practice, it also presents risks. The auditors may think the meeting is running efficiently as they work through each question, but they could miss the opportunity to explore risks through a more conversational, back-and-forth exchange. If the client simply answers questions with yes or no responses (or “nothing,” like my four-year-old), the information gathered may be unhelpful or misleading.

Auditors should occasionally give themselves permission to let the conversation roam and flow. When this happens, some of the topics clients want to discuss inevitably won’t conform to the auditors’ agenda. Letting the discussion take its course, however, might lead to new insight on what clients view as key risks or opportunities.

In chatting with my four-year-old, I’ve reconsidered the value of a stock question — asking what train he played with, for example, got a much more detailed response than the standard, “What did you do at day care?” Likewise, a stock question used in audit planning such as, “What keeps you awake at night?” sometimes leads to a useful answer, but often it yields nothing new. Auditors should experiment with different questions, using the audit team’s collective wisdom to come up with a variety of possibilities. The right approach to client conversations can significantly enhance internal audit’s value, turning a lost art into a productive tool for gathering information.

LIZ ORMSBY, CIA, ACA, CAPM, is a deputy city auditor at the City Auditor’s Office, City of Calgary, Alberta.
