IIA Magazine Jun 2016 issue

A toxic culture is present when your work negatively affects your health – physically and emotionally. An example of such could be a change in management or management through fear and intimidation. The two options are to leave or to name the problem and discuss it to make it better. Payroll should have continuous checks and balances. It is not good to report risks on an ad-hoc basis. Talent issues and development need to be addressed. There is a strong need to fight corruption. However, whistle-blowing hotlines might be underutilized, as employees fear retaliation after reporting. Some companies still do not trust enterprise cloud deployments.

The Fire Drill. Auditors can learn to deliver a focused message that results in management action. Effective planning of our work is the key. For instance, we can look at past audit findings. Next, one should compensate with competence, meaning backing up observation with data and experience. Sell with the passion of a champion. Findings should be sold to address a control weakness that is causing an unacceptable risk. One needs to communicate the big risks well. In the end, we need to deliver a focused message that can result in management action.

The Tech-Savvy Auditor. Effective use of audit technology can enable audit departments to provide valuable insights. Most IA staff are not familiar with IT or have weak IT backgrounds. This is not acceptable. Technology can lead to a more efficient audit and also might cut fraud losses. There is a need to improve the audit software. There should be a data analytics centre in-house. There is a need to review software usage.

Integrating Key Risks and Performance Indicators. IA can leverage its risk knowledge to improve operational performance and reduce risk exposures. IA can provide assurance on the achievement of objectives. IA can encourage the formalization of KPIs and KRIs. KRIs can serve as an early signal of increasing risk exposure. There needs to be a formal project charter. There needs to be a KPI framework with proper planning, reporting, monitoring etc. The key metrics need to be identified and a dashboard can help to present the results graphically. The KRI should be closely linked to the KPI.

Toxic Leaders, Toxic Culture. IA can identify unhealthy behaviors that may undermine the organization. Culture will affect an organization’s success. Therefore, identifying the toxic leader is important. Toxic leaders want power and control. These tend to be autocratic leaders. They could have a strong sense of entitlement and focus on themselves and not the organization. Exerting power through fear can undermine morale. They do not like to be challenged and seek to manipulate others. Closed-minded leaders think of ‘My way or the highway’. There is no need to confront the toxic leader. IA can refer the person to compliance or legal counsel. One can use behavioural psychology to analyse. For a more objective method, one can look at the reasons for turnover and examine turnover rates. One can also look at employee engagement survey results. One needs to use experience and facts as much as possible.

Analytics and the small audit department. No matter the size of an audit function, analytics can be implemented for big gains. How to go about using analytics? Some simple ones to consider are benchmarking, variance analysis, ROA, turnover etc. The analytics must have goals and performance measures. Selecting the right data source is the key and there is a need to verify the accuracy of the source. Brainstorming can help to identify key data. It is crucial to have a plan that will allow IA to continue to improve its analytics capability. It is important to attain small wins in analytics.

Business Risk. Keynote speakers for this year’s IIA International Conference identify emerging risks facing organizations. Cyber risk is at the top of the priority list for many. Ransomware is a big threat to hospitals nowadays. Other threats include politics, the economy and terrorism. Social media risks sometimes aren’t within an organization’s control. Auditors should use corporate culture to work in their favour. An organization must monitor the external environment closely. There should be a common understanding of what the risk appetite and risk cultures are. Audit needs to adjust fast and invest continually in education. IA now also needs to learn to be innovative.

An Anti-corruption Check-up. Capability maturity models can help organizations assess the effectiveness of their anti-corruption programs. This model was developed at Carnegie Mellon University. One can use the model to identify strengths and weaknesses. There are basically 4 levels of maturity. There are 7 components that form the basis of the anti-corruption maturity model. There is a need to tally the scorecard too.

Craft Our Role. IA should create the role for themselves that is best for both the organization and their own personal development. IA needs to be ingenious, and to use creativity and resourcefulness when developing their role. Do not limit the scope to be too small. It is important to be familiar with the business in order to add value properly. The control environment needs to be evaluated properly. One can develop business acumen. It is crucial to ask the right questions. IA should network more with the other departments to build rapport and also to get a feel for the management style in the department. Learn to practise combined assurance. One can work with another department for a joint review. This is the way to maximize external resources.

Fraud and related-party transactions. IA can identify red flags and reduce the risk and impact of related-party fraud. IA needs to be able to recognize related-party fraud risks. Providing loans at below market rates is a red flag. Failing to disclose the related-party nature of the loan is a red flag. IA should try to identify related-party transactions. Try to identify whether employees have links to companies that transact with the organization itself. It is also possible to compare cost variations among vendors to see how they differ from the average cost. The organization should not pay costs significantly above market prices.

Communicating Results. Sharing audit observations is one of the most important tasks auditors perform. Communicating properly can help enhance rapport. Make sure the observations are correct and are not challenged by management. Plan the timing of issue dissemination, which is as soon as possible. Try not to surprise management at the end of the audit. Write clearly. Exercise diplomacy.

‘One of the quickest ways to lose management’s respect is to make it clear that IA does not understand what it has been auditing. The answer is to take the time to learn the business, processes, and risk associated with the audited area.’

Care and Feeding of The Company’s Culture. How can IA help to ensure a healthy organizational culture? Auditing culture is certainly worth examining. Healthy organizations should have guidance on norms and expectations and a healthy tone at the top. Transparency is important. Management should think long term and have a sound strategy. Ask yourself whether the root cause is behavioural or cultural in nature. The problem with culture is that it is not clear cut and might be hard to evaluate. Those who are toxic in nature might be held accountable and be responsible.




Enough by John C. Bogle

Is there no limit to what enough is in modern society? Capitalism is at play. Management earn obscene amounts of compensation. Greed can cause a system’s downfall. How long can materialism and greed last? I have been given enough, in more aspects than just financially. My great grandfather was incredibly thrifty. My family was fraught with financial difficulty. I had to work when I was young in order to feed the family. I learnt to accept responsibility when I was young. I did well in school and mum put so much effort into investing in my education. My attitude in life has been influenced by my family. The first ‘diamond’ of my life was my admittance to the Blair Academy. My family was incredibly close-knit and that helped a lot. Later, I got admitted to Princeton University on a full scholarship. Even then, I had to take up temporary jobs for me to get paid. However, my parents’ marriage fell apart after that. I discovered that the mutual fund was new at that time and wrote about it. Mr Morgan was the boss of Wellington Fund. When I was 35, he said I could take over the firm. After a disagreement with the other shareholders, I got fired. My business model was to manage our affairs internally and not require any external party to manage it. Vanguard would have to do everything in-house if it wanted to succeed. Before 1875, I founded the world’s first index mutual fund. The fund didn’t need to be managed as the returns would track a basket of stocks that were representative of an index. ‘If you build it, they will come.’ Thankfully, we got approval from the SEC too. A donated heart was one of my ‘diamonds’ too. This heart enabled me to live healthily. Be blessed by the number of diamonds you have. Humans are all too interested in short-term gains. Companies should recount their past values which enabled them to thrive. Virtue doesn’t come from money. It comes from doing good.

Some men wrest a living from nature and with their hands; this is called work. Some men wrest a living from those who wrest a living from nature and with their hands; this is called trade. Some men wrest a living from those who wrest a living from nature and with their hands; this is called finance. – Old Epigram from 19th Century Britain

There is a food chain and the investor is at the bottom of it. The financial system cannot be too costly. We are often trading paper and paying bankers too much. In addition, the financial system is fraught with complexity. Young graduates like to enter banking. We should strive to do good in our jobs. Never let money alter your conscience. Do not invest in products which require you to pay high management fees etc. Serving your client is the highest priority. The sub-prime crisis was an example of extreme greed. The finance sector takes up too much of the earnings of the S&P 500. Sometimes, the markets crash but those people in IB keep making money. The ex-CEOs of Citigroup and Merrill Lynch were paid very well just before the sub-prime crisis. They were not penalised heavily after that. However, bankers earned nothing as compared to the hedge fund managers. The hedge fund industry demands high management fees and investors can’t survive. The number of CFAs is increasing all the time. There is an inherent disconnect between cost and value in our financial system. Humans have abandoned the traditional standards of investing. The author looks up to people like Benjamin Graham and uses value-investing. Speculation is rife nowadays. The cumulative costs keep growing. Does the financial system create more value than cost? My fear is that the finance sector is getting too big and out of control. There needs to be a financial system reform. As public investors, we should demand more from our financial system.

The motivation of too many of those rushing into finance is more aligned with what they can get from society than what they can give back to it. – John C Bogle

Too Much Speculation, Not Enough Investment. Investing is about long-term ownership of the business. Speculation is just the opposite and is about short-term gains. One of Keynes’ famous works is the ‘General Theory of Employment, Interest and Money’. In the long run, the stock price must be aligned with the business fundamentals. Speculators cannot capture the inherent value in a stock. Markets are volatile because of speculators. In the expectations market, prices are set based on the expectations of investors. These are not based on ‘real value’ per se. We live in an era of speculation. However, it is true that investors win and speculators lose in the long run. Stock markets have crashed, just like on Black Monday in 1987. Short-term outcomes can’t be predicted accurately nowadays. There have been few cases of black swans in the long-term market. The financial system is prone to innovation. Learn to emulate tortoises. Market timing is not sound. Market timing doesn’t work. It is difficult to make the right decision consistently on market timing. We need to improve the balance between entrepreneurial innovation and more traditional values. We cannot allow the whirlwind of speculation to continue unabated.

In investing, tortoises tend to win far more often than hares over the turns of the market cycle…Placing large bets on an unknown future is worse than gambling because at least in gambling you know the odds. Most of the decisions in life motivated by greed have unhappy outcomes. – Peter L. Bernstein

Too Much Complexity, Not Enough Simplicity. Simplicity has been the key to successful investing. Technology has complicated our lives. There are many middlemen in a CDO offering. Some banks are also not concerned with the creditworthiness of such offerings. The market has been flooded with interest rate swaps, credit default swaps etc. The value of the derivatives market is huge. ‘As long as the music is playing, you have to keep dancing.’ The Federal Government has also backed such offerings. It is better to buy an index fund as it has better returns. Innovations have hurt investors. The winners are usually the fund managers or distributors. Innovations like the stock index fund and the bond index fund have done investors well. ETFs are great. However, they are being traded too frequently, leading to speculation. Some ETFs also do not contain stocks that track the stock market index. There are many different types of funds nowadays, like market neutral, hedging, commodities, private equity etc. However, please examine the track record before buying. Commodities are purely speculative in nature. Fund expenses must be cut if investors are to gain. Fund failure rate is very high amongst idiosyncratic funds. Some funds are not concerned with shareholder performance. It is time to get down to basics. The author believes that the simple way is the best way. The mutual fund industry often fails to provide market-beating returns. The fund manager should serve investors’ interests.

Too Much Counting, Not Enough Trust. We often place too much emphasis on numbers and trust them. Then, we have optimistic views on the future because of them. Even numbers produced by the government can be questionable at times. We need to understand the sources of stock returns. Do not project future returns based on past historical rates. This causes the expected rate of return of investments to rise. The bubble of investor optimism will have to burst someday. It is smarter to set your expectations for future earnings on the basis of current sources of returns. There is a bias towards optimism in the future. CEOs often paint too optimistic pictures for earnings and analysts tend to agree with them. The standard for analysts has changed from GAAP earnings to operating earnings. Pro-forma earnings also exclude all the one-time losses etc. Creative accounting is a big issue nowadays. Pension holders might lose money on their investments and this will have other repercussions as well. Businesses like to use M&A to create ‘value’. For each M&A deal, the bankers and lawyers earn huge sums of money. ‘Paper’ companies have acquired ‘rock’ companies that make. In Vanguard, we believe in organic growth, not forced growth. Nowadays, we do not know how to ask without any numbers and this is a scary fact. Trust is important.

The first step is to measure what can be easily measured. This is okay as far as it goes. The second step is to disregard that which cannot be measured, or give it an arbitrary quantitative value. This is artificial and misleading. The third step is to presume that what cannot be measured really is not very important. This is blindness. The fourth step is to say that what cannot be measured does not really exist. This is suicide. – Daniel Yankelovich

Modern capitalism has two parts: there’s business, and there’s finance. Business is renting you a car at the airport. Finance is something else. – Michael Kinsley

Too Much Business Conduct, Not Enough Professional Conduct. Professional associations are now run like business enterprises. However, professionals should be responsible and selfless in their service towards their clients. Times have changed nowadays. Professional conduct is less well regarded than in the past. Too many banks are seeking competitive advantages at the expense of their customers. The battle for professional independence is never won. Trust and be trusted. Capitalism has eroded as well and this is a big issue. Owners’ capitalism has been transformed to managers’ capitalism. Institutional investors are a big thing nowadays. Managers are not acting as they should for their principal. Beware: negligence and profusion have prevailed among corporate management. How much should the CEO be compensated? It is hard to determine how much value a CEO has added. Sometimes, their salary growth outstrips the corporate profit rate. There are accountability issues. Institutional money managers hold a lot of power. CEO stock-based compensation should be based on intrinsic value and not actual stock price. The compensation consultant has also become more popular. Many CEOs are also paid according to how they fare in their peer group. A basic set of ethical principles is needed to guide the profession. Financial engineering is getting more and more popular. Capitalism must be fair, regulated and ethical.

Money management extracts value from the returns earned by our business enterprises, and in the process of maximizing its own commercial benefits, the industry seems to have lost its professional bearings. – John C Bogle

Too Much Salesmanship, Not Enough Stewardship. The industry is characterized by salesmanship too. Mutual fund size has grown at a tremendous rate recently. Fund investors start trading funds instead of simply holding them. The holding period for stocks has been cut from 6 years to 1 year. Fund costs have soared as well. The fund industry is more like a marketing industry now. Investment focus has been truncated. Some funds are only created because of the latest market fad. There is a need for reform. We need to cut down costs for investors. Serve the investor for a lifetime. There are too many choices of funds out there and this makes people confused. There is a need to have long-term investment horizons. Serve the long-term investors. We must all return to the index fund. Put fund investors in the driver’s seat. Shareholder education takes time. The industry should aim to be objective and unbiased. We need to have an industry that is of the shareholder, by the shareholder, and for the shareholder. We need a mutual fund industry with vision and values. We must build companies that stand for something. Stewardship will pay off. It is important to keep the faith every day.

Too Much Management, Not Enough Leadership. Our large corporations are over-managed but underled. Managing and leading are completely different. The leader is more original. The leader should be able to inspire. They should care about the deeper values of the organization. There are 10 rules for building a great organization. 1) Make caring the soul of the organization. 2) Forget about employees (call them crew members instead). 3) Set High Standards and Values – and Stick to Them. 4) Talk the Talk. Repeat the Values Endlessly. 5) Walk the Walk. Action Speaks Louder than Words. 6) Don’t over-manage. 7) Recognize Individual Achievement. 8) Loyalty is a Two-Way Street. 9) Lead and Manage for the Long-Term. 10) Press On, Regardless. A superior company thinks about its dream. It also applies unconventional thinking. We were based on value profit chain concepts. I built a company that would endure. Businesses should have purposes besides making money.

The institution must be the object of intense human care and cultivation. Even when it errs and stumbles, it must be cared for, and the burden must be borne by all who work for it, all who own it, all who are served by it, all who govern it. Every responsible person must care, and care deeply, about the institutions that touch his life. – Howard W. Johnson

Too Much Focus on Things, Not Enough Focus on Commitment. Where are the things by which one measures one’s life? Don’t let things measure the man instead. Life is never smooth and we might lose our wealth one day. However, your character is the one that will endure. Boldness and commitment are all-important. Commit the most to make a second life. It is crucial to be committed to your family. Commitment to neighbours and the community is also important. We thrive as human beings and have faith in ourselves. Give credit to those who have helped you along the way. You didn’t succeed on your own. Be bold and summon your magic.

Too many 21st century values, not enough 18th century values. Do not move away from the truth. Facts are everywhere. The Age of Reason occurred in the 18th century. Many of the great leaders spoke about the period of Enlightenment. Benjamin Franklin was a great leader in the 18th century. Joseph Schumpeter also described what an entrepreneur ought to be. Entrepreneurs and capitalists are not the same. Have the will to conquer, and the joy of a good battle. Franklin invented many tools for the public’s benefit. There are other motives for business other than profit. A man should have a mind to improve, a heart to cultivate and a character to form. Keep striving to improve. Return stewardship to capitalism. Lead with purpose. Virtue is all important. Franklin listed 13 virtues. He started his day by asking ‘What good shall I do this day?’ and ended it with ‘What good have I done today?’ His energy and persistence helped him in his public life.

Knowledge is not the personal property of its discoverer, but the common property of all. As we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours, and this we should do freely and generously. – Benjamin Franklin

The real test for an honest and productive society is not what a society has achieved, but what it aims to achieve. It can put honest people on a pedestal even if they do not maximize their personal benefits and preferences…and discard and shun as models of failure dishonest people who achieve their highest ambitions by fraud and abuse of trust. – Tamar Frankel

Too Much ‘Success’, Not Enough Character. We often chase success but success continually eludes us. Is success all about achieving wealth and fame? Financial wealth is not a good measure of success. Fame is a flawed measure too. Fame is used for other purposes now. One can contribute to society in a great way and yet not be famous at all. Power should not be used capriciously and arbitrarily. Power should be used for a worthy cause. Have we been chasing the fake rabbit of success? Success isn’t about meeting other people’s expectations either. You should just base success on your own expectations and make the most of your talents. We should admire those people in professions where they can contribute to society, but not achieve any fame or recognition. Modern life has forced people to be competitive. Life demands much more of us nowadays. What are you competing for? Without character and courage, nothing else lasts. To hone character, one must undergo tribulations etc. Be yourself and strive to be better. With age, you should better understand where the rabbits are. Challenge yourself and strive to be better. Chase the real rabbits of your life.

Success can be measured in our contributions to building a better world, in helping our fellow man, and in raising children who themselves become loving human beings and good citizens. Success, in short, can be measured not in what we attain for ourselves, but in what we contribute to our society. – John C Bogle

I long to accomplish a great and noble task, but it is my chief duty to accomplish humble tasks as though they were great and noble. The world is moved along, not only by the mighty shoves of its heroes, but also by the aggregate of the tiny pushes of each honest worker. – Helen Keller

Highly educated young people are tutored, taught, and monitored in all aspects of their lives, except the most important, which is character-building. But without character and courage, nothing else lasts. – David Brooks

What’s Enough? What is the relationship between happiness and success? Success is not the key to happiness, happiness is the key to success. Humans are resilient. Money only provides a transitory form of happiness. Autonomy, social interaction and competence are all important. How much money do you need? I want to give something back to the less fortunate. For example, give back to your alma mater. I also offered scholarships to the Blair students. It has been a thrilling ride indeed. I was born to save rather than spend. Our shareholders also have received superior returns. I do not like extravagance. My retirement plan is the largest in the family balance sheet. Saving early and regularly is the key for wealth accumulation. Postpone your first payment for Social Security. Stick with low-fund fees. There are still many people living in poverty in the US. The income disparity is growing. You must remember that you are fortunate but not all fellow Americans are enjoying it. The domination of the US will not happen forever.




IIA Magazine Aug 2016 issue

Cybersecurity is an area that is lacking among major companies. Companies need to step up to beef this area up. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. The COSO framework is expected to be updated in 2017. It will be updated to include the latest risk management thinking and principles. IoT is going to have a big impact moving forward and there needs to be a comprehensive approach to go about doing it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how it is stored, and how to apply it. Automated audits are the new trend now. They can be applied to many aspects of the audit too. Understand what qualitative and quantitative data are and how they are measured. Understand how data is stored and the various formats. Any outliers should be thoroughly investigated. There are 4 types: descriptive, diagnostic, predictive and prescriptive. Learn to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lie low. They can steal credit card details and then sell them. Hackers use a vector to steal data, such as phishing. They also need to collect the data quickly and then cover their tracks. The hacker will verify that the cards are valid and start off with transactions of small amounts. If they go undetected, they may get bolder. IA can encourage the company to encrypt the credit card information and monitor access to networks. Access control needs to be checked too. IA is the third line of defence.

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not so neatly contained. The impact of this is growing. IoT is about interacting with the environment for business benefit. Emerging risks from IoT must be monitored closely. There are many benefits from using IoT devices too. Management needs to be aware of the risks too. There needs to be a deployment strategy too. A policy needs to be drawn up.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect the SWIFT codes. A cyber breach might definitely occur in future. There is increasing use of software to pick up behavioural anomalies. There needs to be both a protective and detective strategy. A response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from a technical and controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are making use of the cloud as compared to traditional data center infrastructure. Less manpower is needed to maintain a cloud as well. Servers can be added on demand too. IA needs to verify the security, reliability and availability of the data. No two clouds are the same but the common ones are infrastructure as a service, software as a service, platform as a service etc. It is good to obtain the SSAE 16 report on the vendor as evidence of its controls. It is difficult to track cloud deployment. Cloud assets can keep varying as well and it is difficult to monitor. The data is now stored on the same physical equipment as other organizations and there is a risk of leakage. A security program is still a must. Penetration testing needs to be done periodically to prevent hackers. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments can increase audit efficiency and spread control awareness throughout the organization. This is for process owners to self-evaluate the effectiveness of controls. This could be done via workshops, questionnaires etc. Sometimes, it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to the management. The process owners must be identified clearly. IA needs to independently verify some of their responses. For example, only key controls or only those rated as ineffective may be selected for further testing. Continuous support is a must and training must be provided. The right level of project sponsorship is important too. It can be implemented gradually. CSA enables IA to allocate resources to focus on areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving and focus on the organizations that we love. We need to constantly do the right thing and hone our communication skills. Effective communication is the key and getting to know the auditees well is the key. Listening well is crucial too. Nowadays, IA should adopt an integrated mindset. We need to broaden our IT knowledge to meet stakeholder expectations. Applying soft skills is important too. Our work must be guarded by ethics and transparency. We need to approach our work with a strategic focus too. There is also a need to focus on our future.

Optimizing IA. IA are being continually challenged to improve their effectiveness to better meet growing expectations and workloads. IA staffing levels remain relatively constant. IA must be aware of strategy and ensure that procedures align with that strategy. IA should understand what the external risks are. As for operational efficiency, IA should offer cost effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.