IIA Magazine Jun 2016 issue

A toxic culture is present when your work negatively affects your health – physically and emotionally. An example of such could be a change in management or management through fear and intimidation. The two options are to leave or to name the problem and discuss to make it better. Payroll should have continuous checks and balances. It is not good to report risks on an ad-hoc basis. Talent issues and development need to be addressed. There is a strong need to fight corruption. However, whistle-blowing hotlines might be underutilized, as employees fear retaliation after reporting. There are some companies which do not trust enterprise cloud deployments still.

The Fire Drill. Auditors can learn to deliver a focused message that results in management action. Effective planning of our work is the key. For instance, we can look at past audit findings. Next, one should compensate with competence, meaning backing up observation with data and experience. Sell with the passion of a champion. Findings should be sold to address a control weakness that is causing an unacceptable risk. One needs to communicate the big risks well. In the end, we need to deliver a focused message that can result in management action.

The Tech-Savvy Auditor. Effective use of audit technology can enable audit departments to provide valuable insights. Most IA staff are not familiar with IT or have weak IT backgrounds. This is not acceptable. Technology can lead to a more efficient audit and also might cut fraud losses. There is a need to improve the audit software. There should be a data analytics centre in-house. There is a need to review software usage.

Integrating Key Risks and Performance Indicators. IA can leverage its risk knowledge to improve operational performance and reduce risks exposures. IA can provide assurance on the achievement of objectives. IA can encourage the formalization of KPIs and KRIs. KRIs can serve as an early signal of increasing risk exposure. There needs to be a formal project charter. There needs to be a KPI framework with proper planning, reporting, monitoring etc. The key metrics need to be identified and a dashboard can help to present graphically the results. The KRI should be closely linked to the KPI.

Toxic Leaders, Toxic Culture. IA can identify unhealthy behaviors that may undermine the organization. Culture will affect an organization’s success. Therefore, identifying the toxic leader is important. Toxic leaders want power and control. These tend to be autocratic leaders. They could have a strong sense of entitlement and focus on themselves and not the organization. Exerting power through fear can undermine morale. They do not like to be challenged and seek to manipulate others. Closed-minded leaders think of ‘My way or the highway’. There is no need to confront the toxic leader. IA can refer the person to compliance or legal counsel. One can use behavioural psychology to analyse. For a more objective method, one can look at the reasons for turnover and examine turnover rates. One can also look at employee engagement survey results. One needs to use experience and facts as much as possible.

Analytics and the small audit department. No matter the size of an audit function, analytics can be implemented for big gains. How to go about using analytics? Some simple ones to consider are benchmarking, variance analysis, ROA, turnover etc. The analytics must have goals and performance measures. Selecting the right data source is the key and there is a need to verify the accuracy of the source. Brainstorming can help to identify key data. It is crucial to have a plan that will allow IA to continue to improve its analytics capability. It is important to attain small wins in analytics.

Business Risk. Keynote speakers for this year’s IIA International Conference identify emerging risks facing organizations. Cyber risks is at the top of the priority list for many. Ransomware is a big threat to hospitals nowadays. Other threats include politics, the economy and terrorism. Social media risks sometimes aren’t within an organization’s control. Auditors should use corporate culture to work in their favour. An organization must monitor the external environment closely. There should be a common understanding of what the risk appetite and risk cultures are. Audit needs to adjust fast and invest continually in education. IA now also needs to learn to be innovative.

An Anti-corruption Check-up. Capability maturity models can help organizations assess the effectiveness of the anti-corruption programs. This model was developed at Carnegie Mellon University. One can use the model to identify strengths and weaknesses. There are basically 4 levels of maturity. There are 7 components that form the basis of anti-corruption maturity model. There is a need to tally the scorecard too.

Craft Our Role. IA should create the role for themselves that is best for both the organization and their own personal development. IA needs to be ingenious, use creativity and resourcefulness when developing their role. Do not limit the scope to be too small. It is important to be familiar with the business in order to value add properly. The control environment needs to be evaluated properly. One can develop business acumen. It is crucial to ask the right questions. IA should network more with the other departments to build rapport and also to get a feel about the management style in the department. Learn to practise combined assurance. One can work with another dept for a joint review. This is the way to maximize external resources.

Fraud and related-party transactions. IA can identify red flags and reduce the risk and impact of related-party fraud. IA need to be able to recognize related-party fraud risks. Providing loans at below market rates is a red flag. Failing to disclose the related-party nature of the loan is a red flag. IA should try to identify related party transactions. Try to identify whether employees have link to companies that transact with the organization itself. It is also possible to compare cost variations among vendors to see how they differ from the average cost. The organization should not pay costs significantly above market prices.

Communicating Results. Sharing audit observations is one of the most important tasks auditors perform. Communicating properly can help enhance rapport. Make sure the observations are correct and are not challenged by management. Plan the timing of issue dissemination, which is as soon as possible. Try not to surprise management at the end of the audit. Write clearly. Exercise diplomacy.

‘One of the quickest ways to lose management’s respect is to make it clear that IA does not understand what is has been auditing. The answer is to take the time to learn the business, processes, and risk associated with the audited area.’

Care and Feeding of The Company’s Culture. How can IA help to ensure a healthy organizational culture? Auditing culture is certainly work examining. Healthy organizations should have guidance on norms and expectations and a healthy tone at the top. Transparency is important. Management should think long term and have a sound strategy. Ask yourself whether the root cause is behavioural or cultural in nature. The problem with culture is that it is not clear cut and might be hard to evaluate. Those who are toxic in nature might be held accountable and be responsible.

Internal-Audit

 

Advertisements

IIA Magazine Aug 2016 issue

Cybersecurity is an area where it is lacking among major companies. Companies need to step up to beef this area up. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. The COSO framework is expected to be updated in 2017. It will be updated to include the latest risk management thinking and principles. IoT is going to have a big impact moving forward and there needs to be a comprehensive approach to go about doing it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how it is stored, and how to apply it. Automated audits are the new trend now. It can be applied to many aspects of the audit too. Understand what are qualitative and quantitative data and their measurements. Understand how data is stored and the various formats. Any outliers should be thoroughly investigated. There are 4 types: descriptive, diagnostic, predictive and prescriptive. Learn to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lay low. They can steal credit card details and then sell them. Hackers use a vector to steal data, such as phishing. They also need to collect the data quickly and then cover their tracks. The hacker will verify that the cards are valid and start off with transactions of small amounts. If they go undetected, they may get bolder. IA can encourage the company to encrypt the credit card information and monitor access to networks. Access control needs to be checked too. IA is the third line of defence.

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not so neatly contained. The impact of this is growing. IoT is about interacting with the environment for business benefit. Emerging risks from IoT must be monitored closely. There are many benefits from using IoT devices too. Management needs to be aware of the risks too. There needs to be a deployment strategy too. A policy needs to be drawn up.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect the SWIFT codes. A cyber breach might definitely occur in future. There is increasing use of software to pick up behavioural anomalies. There needs to be both a protective and detective strategy. A response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from a technical and controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are making use of the cloud as compared to traditional data center infrastructure. Less manpower is needed to maintain a cloud as well. Servers can be added on demand too. IA needs to verify the security, reliability and availability of the data. No two clouds are the same but the common ones are infrastructure as a service, software as a service, platform as a service etc. It is good to obtain the SSAE 16 report on the vendor as evidence of its controls. It is difficult to track cloud deployment. Cloud assets can keep varying as well and it is difficult to monitor. The data is now stored on the same physical equipment as other organizations and there is a risk of leakage. A security program is still a must. Penetration testing needs to be done periodically to prevent hackers. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments can increase audit efficiency and spread control awareness throughout the organization. This is for process owners to self-evaluate the effectiveness of controls. This could be done via workshops/ questionaires etc. Sometimes, it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to the management. The process owners must be identified clearly. IA needs to independently verify some of their responses. For example, only key controls or only those rated as ineffective may be selected for further testing. Continuous support is a must and training must be provided. The right level of project sponsorship is important too. It can be implemented gradually. CSA enables IA to allocate resources to focus on areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving and focus on the organizations that we love. We need to constantly do the right thing and hone our communication skills. Effective communication is the key and getting to know the auditees well is the key. Listening well is crucial too. Nowadays, IA should adopt an integrated mindset. We need to broaden our IT knowledge to meet stakeholder expectations. Applying soft skills are important too. Our work must be guarded by ethics and transparency. We need our approach our work with a strategic focus too. There is also a need to focus on our future.

Optimizing IA. IA are being continually challenged to improve their effectiveness to better meet growing expectations and workloads. IA staffing levels remain relatively constant. IA must be aware of strategy and ensure that procedures align with that strategy. IA should understand what the external risks are. As for operational efficiency, IA should offer cost effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.

pic_internal_audit_big

IIA Magazine Oct 2016 issue

There needs to be reporting beyond just financial type. There is a need for a risk-based approach and to look at the major objectives of the organization. It is important to have a policy for conflict of interests. Do not simply give customers what we think we can deliver, but ask them what they need. Company culture is crucial in the employee rating of their CEO. Those CEOs who are the founders, have lower pay, have good profitability usually have better ratings. Some FIs are concerned by the staffing of their AML team and the adjustment needed for new regulations. The US is the most cyber aware country. However, there are some countries which are lacking in cybersecurity preparedness and that is a concern. Brexit might have the effect of changing the impact of globalization over time.

The Art of Recommending. Internal Auditors walk a fine line when presenting recommendations to management. IA needs to show how the recommendations fix gaps and mitigate risk. There needs to be a cost vs benefit analysis too. Recommendation can either be to address a gap or as a suggestion for improvement. There needs to be both internal and external sources of information. One needs to spend time documentation down potential recommendations. It should address the root cause. Avoid addressing a person. Indicate a repeat finding. Explain how the recommendation will mitigate the risk. For areas for improvement, list them separately from the gaps. Some external info could be ‘IIA research materials, professional literature, networking, procedures from other organizations.’

‘It is a good practice to jot down recommendation ideas as soon as they come to mind, even though they may not find a place in the final report. Even if internal audit testing does not result does not result in a finding, the auditor may still recommend improvements to the current process.’

‘It is internal audit’s prerogative to provide recommendations, regardless of whether management agrees with them. Persuasive and open-minded discussions with process owners are important to achieving agreeable and implementable recommendations.’

Big Data and IA. Today’s data analytics expand auditors’ ability to tap into all types of info generated by the organization. Auditors can mine data and analyse them. IA can use statistics or visualization tools to help them too. One can test all the transactions now. There is also a great variety of data available. Velocity of data now makes it possible for IA to perform continuous auditing. Learn to understand the data and acquire the analytics tools. It is also important to develop a road map too. Big data can be harnessed in a meaningful way.

Is IA in your Audit Universe? IA should seek to enhance and protect organizational value. IA should be audited via a QAR (quality assurance review). One can evaluate the IA’s conformance to the standards, code of ethics, efficiency and effectiveness of the IA activity. It must be conducted by someone who is objective in nature. An external assessment needs to be conducted once every 5 years.

Blurred Lines. Internal auditors need to have the skills and perspective to deal with frauds that don’t match the standard villain story. One needs to look for the motivations and benefits. IA needs a clear perspective on how to approach fraud. One needs to analyse why did the fraudster want to commit the crime.

Taking the Lead on Nonfinancial Reporting. Internal audit is well-positioned to examine how its organization reports on nonfinancial issues. European companies now need to disclose in the annual report how they are discharging social, environmental and ethical issues. Non-financial info is important to gauge the society’s impact. Management needs to be concerned over non-financial reporting. Sustainability reports should disclose how the company performs in some specific areas. You need good non-financial reporting systems. In the US, sustainability reporting is not mandated and not practiced by many companies. Non-financial data are often over-looked by IA. IA needs to have the right process competencies for effective non-financial reporting. There needs to decisions on materiality over nonfinancial reporting. Strong communication skills are the key. It is possible to create a multidisciplinary team that can provide combined assurance. IA needs to engage the first line of defense first.

Audit processes take flight. The updated COSO Internal Control-Integrated Framework is at the heart of Boeing’s internal audit work. The new COSO framework has 17 guiding principles across the 5 control components. The principles-based approach is being used. It is important to give weight to all of the COSO components. Keep the focus on inherent risks. Every audit requires a detailed process flowchart.

Privacy in the workplace. Organizations must find ways to accommodate employees’ personal technology use while also meeting regulatory and other requirements. Digital technology has changed a lot of things. Privacy issues are becoming more important. Employees tend to violate privacy risks more. IA should be able to understand where the risks lie. A lot of data is being collected and analysed. Some form of employee monitoring is necessary, but not excessively. Who is responsible for lost data on a cloud? In the US and Europe, there are a lot of acts that company must comply in relation to global privacy laws and regulations. In Europe or Japan, the privacy laws are more absolute. There needs to be a strong governance/ privacy framework in place. A risk assessment should be performed on a frequent basis to evaluate the impact of changes to regulation. If an organization expands, IA should make sure controls are in place to manage privacy. Training and awareness needs to be made at every level. Trust must be built between employers and employees.

A Unified Approach to Compliance. Failure to comply with regulation could lead to fines and reputational damage. There needs to be a co-ordination between IA and compliance function. IA needs to understand the business goals and how the compliance team plans to assist the business in achieving them. One can examine from both a macro and a micro level. The IA charter should clearly document the role of the IA team in compliance. We should focus on the foundations of the assessment. IA should sound out levels of residual risks that are greater than risk appetite. How does the organization ensure completeness in the assessment? IA can rely on the compliance team to update them on the regulations. Key compliance decisions must be documented. IA and compliance teams should meet to discuss once in a while. IA can share audit reports with the compliance teams. IA can leverage and use the compliance risk assessment. However, IA should check whether it is complete. To achieve the IA mission, IA needs to include compliance too.

The Power of Rhetoric. Understanding the powers of persuasion and applying key rhetorical skills can improve the work of any IA. IA needs to possess rhetoric to persuade the auditee to accept the recommendations. The key elements are speech, audience, text. The author is usually the engagement lead. All members and groups of audience needs to be considered. The audit report is the written text. The team selected must be capable and know how to perform the engagement. Logos appears to one’s logic and the supporting documents. Pathos focuses on the audience’s irrational modes of response and is an appeal to emotions. Design of slides must be beautiful and also simple to read. Word selection is important and IA should give a balanced view.

The Red Flags of Fraud. Internal auditors’ knowledge of the business makes them ideal candidates to detect unethical behaviour. Fraud affects the bottom line and active measures to detect it are better. Red flags are signs that it could occur. IA can do a red flag analysis. There are different types of fraud, financial statement fraud, employee fraud, tech fraud etc. For FS fraud, personal enrichment is common. IA can scan the GL to look out for unusual trends etc. Analytical procedures can be used too. Employee theft of cash is possible. Other types of fraud are employee expense reimbursement fraud, payroll fraud and kickback scheme. Most frauds usually happen only after a year of service, because the employee needs to learn of the internal controls first. The chance of fraud is greater if the person is in financial difficulty. Data analytics can help to review red flags. Anti-fraud training must be conducted. Early detection is the key as if the fraud persists, the loss will be even greater.

‘Ethos is established when the audience determines that the author is qualified, trustworthy, and believable.’

Anticipating Information Security Regulation. As threats and data breaches become more common, so will regulatory oversight. Data breaches are more common and the risk to consumers are growing. One needs to establish a security risk assessment process. IA can adopt ISO 270001 to enhance their information security program. An employee security awareness program is very important too. IA needs to validate and assess the control environment too.

pic_internal_audit_big

IIA Magazine Dec 2016

One potential failure of ERM is that of green-washing, this is when crucial risks are pushed down into the larger collection of more trivial risks. Cybercrime is a current buzz risk. The first line of defence needs to take on better accountability for sound risk management and control.

Investors are pushing for more accountability and transparency behind decision-making. Shareholder activism is playing a big role nowadays.

The EU has released new general data protection regulation (GDPR) which intends to strengthen and unify data protection for individuals within the EU. However, most organizations say that they are not well prepared. Organizations should start preparing for this as it will kick off in May 2018.

Client Feedback. Audit performance can be fine-tuned with the right input from stakeholders. Feedback should aid audit performance. Feedback should be to the point and be specific and timely in order to be effective. Useful feedback can increase audit effectiveness. Feedback can be provided during the opening meeting, during the audit or during the closing meeting. The client should take the opportunity to clarify any concerns that they may have. During the closing meeting, IA needs to present the supporting documents and records. A post-audit questionnaire can be sent to the client after the audit.

Must-have Controls for Small Medium Enterprises. 5 controls can help SMEs protect themselves against cyber breaches. Sometimes, they do not have sufficient resources to deal with threats. Firstly, scan the network quarterly and identify vulnerabilities. Train employees on IT security. Protect sensitive information by inventorizing sensitive business processes and reviewing access to information. Learn to segment the network. Deploy extra protection for endpoints and encrypt the data. Learn to monitor the network, manage service providers, protect smart devices and monitor activity related to sensitive information.

A Holistic Approach to IT Risk. The COBIT framework can help auditors understand and address their organization’s technology risks. IT can be very complex but IA needs to evaluate the full range of IT risks. COBIT is valuable for the whole process, from end to end. The 5 key principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Internal auditors can use COBIT to understand the nature of IT risks that are unique to their organization.

A Toxic Culture. A department leader creates a hostile work environment by promoting friends and abusing employees and company assets. When many employees leave, there could be a sign of a toxic culture. There was an inadequate internal control system as no one tracked expenses. Critically review turnover data as this is a big red flag. Exit interview results should be reviewed regularly. Access control over reports should be reviewed and approved.

On The Rise. Learning is the key to do well in IA. Get students involved early and you can volunteer as a guest speaker on internal auditing topics. IA an get involved in many projects and act as change agents for the organization. Projects can allow one to build and develop business relationships with stakeholders. One can use data analytics during audit engagements. IA can add as a trusted advisor and perform consulting work. One can learn SQL, which is a tool for managing data. One could take others under their wing and mentor them so that they can grow. Interaction between auditee and IA must be positive. Spread the good word that your team does. IA should be innovative in addressing solutions. It is helpful to distinguish the different roles of EA and IA too. Communication skills are the key for IA’s success.

Growth through challenge. Current and past emerging leaders discuss the tough assignments that helped propel their careers forward. Challenges faced in your career can propel you to be a better auditor. It is good to share with others what are some of the common mistakes. See auditors as people and go in with a customer first mentality. Be client centric. Be prepared when you go for meetings and interviews. Get a mentor, build relationships, learn from your mistakes and learn to network. It is important to preserve independence and objectivity. Influencing mindsets are tough. Building relationships with auditees can be tough when you are new. It is important to have a good audit methodology. The learning curve can be steep especially if the industry is new for you. Some departments are resistant to let the IA perform audits on operations. Talent auditors are always in demand. Once you are good, you can engage the C-suite management easily and without fear. Young auditors are always eager for more opportunities.

It’s all in the delivery. Sharing difficult messages is an unavoidable part of the job for internal auditors. Some audit observations can be difficult to convey. You should always build the relationship before telling the bad news. Telling the bad news right away is unlikely to work. Using weekly updates once the exceptions are noted is the key. Preparation is the key to accomplishing objectives. It is important to be fair and factual. Focus on the process as well as content. If you can, you can tailor the response to the personality of the recipient. During the discussion, one can seek opportunities, offer to help, make it clear and maintain open body language. ‘If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake. Verbal updates are great, but periodic written updates go a long way. Auditors might get into trouble over their poor soft skills. Focus on the problem, include some positives, have a face-to-face meeting etc. The key is not to beat around the bush. EQ is important in helping good delivery. The key is to deliver bad news but still build a good relationship with the auditee.

Breaking Through. Women in business are taking on the barriers to advancement, and that’s good news for everyone. Diversity is good for the workplace. More women need to be in leadership positions. However, women might face issues like lack of support, exclusion, apathy. There needs to be sufficient support from male leaders. Men should be interested in achieving gender equality. Be You. Seize the Moment. Integrate Your Life. Earn Respect. Stay Behind Facts. Be realistic and practical. Forget silos. Think context before issue. Rethink reporting. Aim at destination with gratitude. Women may also face the motherhood penalty.

Mapping Assurance. Internal auditors can facilitate efforts to document the organization’s combined assurance activities. There are a variety of assurance providers. CAE can use an assurance map to co-ordinate assurance activities. It can also aid to prevent gaps in coverage. IA is well positioned to provide combined assurance. The plan should start with the organization’s strategic plan and the key risks that are associated with the strategic objectives. There should be 3 tiers of defence to provide assurance. IA need to assess the quality and quantity of assurance received.

A Winning Pair. Governance and automated controls must work in tandem to achieve maximum results. Good governance is the key. IA needs to access the current risk profile, mitigation activities and residual risks. Good behaviour requires time and employees should receive reminders in order to conduct good behaviour. Desired behaviour ultimately stems from the top.

The High-Performance Audit Team. Today’s complex, evolving business environment demands more of internal auditors. The world is changing and stakeholder expectations are increasing. IA can also rotate and fill other operational positions. An integrated internal audit function can boost performance. There is a strong need to invest in training and learning. Verbal, leadership, communication skills are very important. A high performance team can evolve to meet new challenges and reinvent itself. We also welcome constructive feedback from staff.

auditing-service-singapore

IIA Magazine Feb 2017 issue

IIA Feb 2017 Issue

Internal Auditors need to provide maximum return on investment and audit the right things. They need to understand the company’s strategic mission, objectives and KPIs. More auditors need to base their work on the International Standards for the Professional Practice of Internal Auditing.

The 5 emerging threats are (i) global economic uncertainty; (ii) increased regulatory burden; (iii) significant industry changes; (iv) business model disruption; (v) cybersecurity threats. Global economic uncertainty seems to a bigger risk in 2017 as compared to previous years. In the compliance space, with the new US administration, enforcement areas could see some change. Trump could change the legislative, regulatory and executive actions under Obama’s reign.

Although most companies feel that they could detect a sophisticated cyberattack, many of them do not have an adequate communication strategy in the event of a significant attack. Also, some of the BCP might be lacking. The continuous monitoring of cyberattacks is also a challenge.

Data Mining. By leveraging data, internal auditors can address issues beyond the reach of traditional analysis techniques. It involves making use of data which had previously no formulated relationships, patterns. Artificial intelligence, machine learning, statistics and database systems all come into play. Some of the techniques auditors can use are predictive modeling (IF), data segmentation (data clustering), neural networks (artificial intelligence), link analysis (links between records), deviation detection (red flags). The use of email mining can identify red flags in fraud etc. Social network analysis is also possible. IA should continue to look for ways to innovate their audit testing.

Intelligent Assessments. Use cognitive technology to help identify high-risk areas. These are intelligent computer systems that can aid in the performance of risk assessments. For instance, this tool can extract and analyze text from audit reports and analyze trends and high-risk areas. Natural language processing (NLP) has the power to tap into every sentence of every report to churn out more information. The machine will convert text to a certain structure and add meaning to the text and teach the computer to understand audit concepts. Words like ‘fraud’, ‘finding’, ‘auditee’ can be flagged out.

Turning Up the Heat on Fraud. A fraud risk assessment can help auditors take the organization’s ethical temperature. There are many ways to do it, example, through surveys, focus groups, workshops etc. The focus is mainly on fraud risk. It works best in small brainstorming sessions with operational management. Using the ACFE’s Fraud Risk Assessment Tool can be useful as it provides a structured approach. Risk assessment is about identifying where fraud might occur and the potential perpetrators. IA can do surveys to measure the ethical climate and voting can be anonymous. The results of the survey can be discussed with management. If there are high risk areas with fraud risks, IA can pay more attention to them.

The Accidental Discovery. Small or remote locations can be more susceptible to embezzlement, especially when they are not audited regularly. Confront someone after the facts have been reviewed. Look at the big picture. Controls that aren’t operating effectively are as good as them not being there.

Auditing what matters. Add value by selecting audits that contribute to achievement of strategic objectives. Auditors now should start looking at this area. Look at where the company spends the most money, what their main programmes are etc. Find out who is responsible for the strategy and make them IA’s stakeholders. Traditional audit activities can move towards strategy too. IA should use the COSO ERM framework in its entirety. The aim is for IA to a strategic partner to management. Don’t fear failure and find out more from the auditee by talking to them. The trick is to engage with processor owners easy and evaluate control design. IA should do the following: (i) Identify and define the risks; (ii) rate the risks; (iii) address risks in detail. Getting management buy-in is also important. The CAE must convince the AC to highlight the need for a strategic approach. Most IA wants to be a trusted advisor.

Core Principles and the QAIP. The new IPPF in 2015 can be incorporated into the QAIP to show that the IA is aligned with the mandatory IPPF elements. Learn to develop a concept and approach that is easy to understand. Core principles are a mandatory element of the IPPF. IA need to have general conformance with the Code of Ethics and Standards. The 5 steps are (i) establish a maturity framework (ineffective, partially effective, effective, sustainable, world class); (ii) map core principles with the standards and code of ethics; (iii) Define characteristics of maturity in 3 aspects of standards and QAIP characteristics, infrastructure and process characteristics, core principles and specific characteristics; (iv) perform internal and external assessment consistent with requirements of QAIP; (v) Evaluate and report maturity levels for core principles.

Champion of Trust. By modelling high standards of ethical behaviour, IA can help shore up faith in the organizations they serve. How can IA be a trusted advisor that is well respected? One way is via ethical commitment. IA needs to model ethical conduct in everything they do. IA must have the courage to sound off before things get in trouble. Ethical commitment is the key to a well-functioning IA. Ethics should come naturally to all. We also need to build ethical resilience (integrity, courage, honesty, accountability, trustworthiness).

Infusing IT Auditing into Engagements via a three-phase approach. The tech sector is growing at a rapid rate. Internal auditors also need to develop IT-related capabilities. IA needs to think about the future of integrated auditing. For a start, IA can incorporate IT perspectives into current audit engagements. This can involve documenting down what are the IT automated controls. One can also read IT policies or those on change management. One should also identify resources and pinpoint where they are stored (example: servers). Map core IT resources and data to key business objectives. Respond to IT risks and identify audit objectives that can add value. An integrated audit can help in this. In the middle term, IA can build an IT audit team, understand the IT framework like COBIT, perform IT audits and also foster relationships with IT and management. In the long term, IA can leverage on data analytics and obtain professional certifications (like IIA and CISA).

Breaking Down The Standards. With the right strategy, practitioners can divide conformance into bite-size, easily digested portions. The standards consist of attribute standards (series 1000 to 1322) and performance standards (series 2000 to 2600). Some IA may neglect the attribute standards and focus on the performance standards instead. However, both are very important. IA should perform an assessment of how well they are conforming to the Standards. An external assessment must be conducted once every 5 years. The audit work program needs to be reviewed and approved by the CAE before engagement commencement. Ultimately, conforming and understanding the principles behind the Standards are important.

Auditing Organizational Governance. IA has an integral role to play in improving the organization’s strategic performance. This area is becoming increasingly important in recent years. Governance reviews can help prevent governance failures. Less than 1 in 6 IAs conduct reviews for their organization’s strategy. Sometimes, it might be difficult to conduct a separate governance review. Rather, it might be easier to incorporate it as part of routine audits. One can focus on both the governance structures as well as the organizational culture. Some of the soft controls can include management competence/style; mutual trust and openness; strong leadership; high performance and quality expectations; shared values and understanding; high ethical standards. However, for some of these measures, there are no hard data to analyse. Hence, it is important for IA to read the signs. IA can also provide a more advisory role, which is educating board about developments and trends in the industry and governance best practices. In terms of strategic reviews, IA has much to work on. There is a tendency to focus on weaknesses in financial reporting etc.

Good Governance is All About Quality. The 5 quality rules are (i) customer focus; (ii) management leadership; (iii) Teamwork; (iv) Measurement; (v) Total commitment to continuous improvement.

pic_internal_audit_big

 

IIA Magazine April 2017 issue

Business Resiliency is about the organization’s ability to quickly adapt to risk events such as these while maintaining continuous operations and safeguarding its employees, assets, and brand equity.

Malware, Ransomware and man-in-the-middle attacks are common security issues for organizations

Some organizations lack a clear risk management program and that is a problem. Lack of resources, complexity and inability to get started are some of the reasons cited.

  1. Communication errors/ misinformation over company performance through channels other than financial reports; 2. Environment, health and safety is an area which is high risk, but not many IA covers this.

Cyber risks are also a main area where IA needs to be concerned about.

Learn to work smart and not harder. Employers should 1) acknowledge the problem; 2) appreciate the employee; 3) identify the root cause; 4) define the roadblock; 5) Devise a solution (training, resource allocation, process improvements); 6) Circle back. Guiding an employee well will result in an increase in productivity and morale.

The Data Museum. IA can compile organizational data in structured exhibits. Auditors need to use data warehousing principles to clean the data and structure it once that it is ready for analysis. Before storing data, consider the following: relevance, reliability; reusability; rarity. For instance, SQL can be used to extract, transform and load the data. Learn to run SQL statements. As for audit tools, auditors can use data visualization and advanced reporting techniques. Use a relational database and start small. Ensure that there are audit trails and logs.

The Many Facets of Risk. Risk is always multi-faceted. Look at the product and market research life cycle. It is important to do the strategy and competitive analysis like via SWOT, Porters’ 5 forces etc. Financial Management like NPV calculations aid in project-making decisions. Operations Management is about maintaining the optimum amount of inventory, like the EOQ method. Forecasting sales and demand is also a risk. Human resource risks and quality management risks are also possible. IA can act to cross-pollinate risks via mathematical or management methods.

Life of Luxury (Embezzlement). When too much power, accounting and budgeting etc, resides with the head, too much risks exists and there is potential fraud risk. There were too many over budgeted accounts in this case. Also, a person spending excessively or leading a lavish lifestyle will arouse suspicion. There are many lessons that the IA can learn: include riskier businesses in the IA plan; question how beneficial is the whistle-blowing hotline; an audit on payroll can detect payment to ficitious persons/ other people; review the acceptable use policy for all corporate-issued credit cards.

Resilience Through Crisis. Organizations all need to overcome crises and emerge stronger. The BP oil-spill PR was handled badly. IA can audit the crisis management plan. A crisis team should be cross-functional and with each goal clearly defined. IA should also be part of the team to ensure that the team is addressing the appropriate issues. The team should identify potential crises and IA can chip in. Next, a comprehensive crisis plan should be developed. Effective communication is the key and there must be a plan to inform stakeholders quickly. It is also important to have a spokesperson to handle the media etc. General templates can be used for media statements. Experts can be used as well. Crisis simulations should be conducted, like table-top exercises etc. IA should be the observer in all simulations. After the crisis, the crisis management team should evaluate the effectiveness and the performance of the plan.

Hit the Ground Running. The trend is to convert interns in IA into the permanent establishment as they already understand some of the company’s operations. One option is to transfer existing staff to IA. Interns who perform well stand to be converted. Interns are also less costly and can be used during peal-periods. There needs to be a significant investment in developing a good internship programme. There needs to be a plan all along. When you plan, it is important to prepare a job description, program budget, hiring plan and schedule. Provide guidelines for the interns to do work and make the audit project interesting for them. Teach them soft skills in the audit. Give them real assignments. Stretch them and ensure that they can contribute and make their internship meaningful.

Climbing the Scale. Turn to maturity models. Maturity models can rank from 1 to 5. They can be expanded into many business areas nowadays. Maturity models can be more meaningful than a simple pass/fail. Using this can convey a more positive collaborative tone too. Acknowledge what the client is doing already to improve processes and controls. A maturity model also focuses more on processes than people and seems more non-threatening. The models you can use are CMMI, C2M2, COBIT, P3M3, RMM, TMMi etc. Develop a dynamic risk assessment approach. IA should provide both assurance and insight. One can use the ISO standardized frameworks to compare the organization’s maturity level against. At times, the highest level of maturity might not be required as a lot of resources will be required. Maturity models can be very judgemental indeed. To succeed, IA needs to choose the correct model and be flexible when applying it. Build the best model and find a project champion if possible.

From the Same Playbook. IA needs to align its work with the organization’s strategy. There are debates as to whether IA should provide assurance around risks affecting company strategy. It depends on the CAE. However, not all top executives will want to discuss strategy with the CAE. There can be a disconnect as IA usually does not audit the latest transformations and developments in the company. Some IA prefer to audit compliance, which they are more familiar with. Two big risks are not having effective strategy or not executing them properly. CAE should think like CEOs and think through different perspectives and figure out how to maximize shareholder value. IA can perform gross profit margin analysis etc. There needs to be a balance between strategic-level audits and compliance based audits. Have discussions with management and the audit committee on strategy. It is for IA to look into strategy risks and the risks of entering any particular strategy.

Three Lines in Harmony. A Centralized testing model will enable the 3 lines of defence to rely on each others’ work. Front-line management is the first line of defense, risk/compliance functions are the second line of defense, internal audit is the third line of defense. It is important to co-ordinate so as to ensure all areas are covered and there are no duplications. Relying on others can also provide an increase in efficiency. Ensure that there are proper service agreements if there is a centralized testing unit. Automatic testing preferred and desired. There is a need to document the risk framework.

Signature Audits. Auditors should try to identify and respond to emerging risks. Most IA confirm concerns already identified by management. IA can do a mystery shopper role, or perform simulations to test controls. IA now need to be more innovative and curious. Signature Audits refer to thinking out of the box to design appropriate test procedures (example: penetration testing or social engineering). IA can identify best practices or try to circumvent processes rather than test them.

Internal-Audit

How to Listen to Great Music by Robert Greenberg (Part 1)

A Guide to its History, Culture and Heart

Understanding and Listening to Music. Humans love music and the musical experience can be very intimate. Essentially, it is just vibrations. It is a universal language. Say it with music. It intensifies the human experience. The artist defines his work and gives voice to his time. There has to be a historical context. All music is contemporary music if you understand the history behind it. It is important to grasp the context. Try to google and listen to the pieces featured in the book. The focus of this book is on the best of Western music. Music notation was invented in the 10th and 11th century. The ‘classical music’ phase is from 1750 to 1800. The book focuses on the period between 1600 and 1900. Simple musical notation is easy to understand.

Music is a universal language; one need not speak Ashanti in order to groove to West African drumming; or German in order to be emotionally flayed by Beethoven; or English to totally freak when listening to Bruce Springsteen. – Robert Greenberg

A Mad Dash Through the Roots of Western Music. Music is reflective of the culture. If you know the culture, you will appreciate music better. There has been much change in Western music over the last 1000 years. This was because of composer’s work. The later composers had bigger egos and wanted their music to represent who they were. It was reflective of their experiences. Personal feelings were important for composers. Historical periods change over time. Art becomes different through time and it not necessarily become well. You cannot simply compare music from different eras and judge which is better. Great art is timeless. Music played a role in Ancient Greece. It was humanistic in spirit. They believed in the healing properties of music and thought it was connected with truth and beauty. Music and carnivals were played during their sports events. Ethos was associated with a moral quality. Music was governed by laws from the Cosmos. It heightened the power of words. The Church emerged after the Greek era. The Church became the central philosophic, spiritual issues for Western Europe. Music in church should be divine and it should teach Christian thoughts. They rejected classical music and large choirs. These were the Dark Ages.

There is a reason why we turn to the paintings of Vermeer, the sculptures of Michelangelo, and the music of Bach, Mozart, Beethoven, and Brahms, to name just a few, in search of truth and edification, and it has nothing to do with nostalgia for the past. Great art is timeless and it speaks to us, directly and relevantly, across time. – Robert Greenberg

The Music of the Medieval Church. We are now in year 600CE to 1000CE. Europe was in a horrid state and most things were badly destroyed. The Church provided a sense of redemption. Churches were known to preserve culture and be the centre of art and education. Music was used as a ritual and for ceremony. It was monophonic texture, meaning it was just your voice and no instruments. Search ‘plainchant’. There were no large intervals between one note and another. It was calming. No one took credit for producing music. It was meant for the community and for glorifying God. Church music had a huge influence on Western music. Polyphony happened between 900 to 1000 years. Trade was established and wealth was emerging. Architectural technology emerged. Cathedrals were being built. Notre Dame was built in 1163. Polyphony is where two or more melodic parts are heard. This is when a second voice comes in but you are not singing it together. In terms of composition, it is more complicated. Now, we enter the 14th century. This was the end of theocratic age. Secular and non-religious ideas emerged. A new era of Roman art, literature and philosophy emerged. The Notre Dame Cathedral produced composers. ‘Quant en Moy’ is two love poems sung by a soprano and a tenor. It uses isorhythm, where rhythm and pitch can be varied. This was incredible during that period. It was composed in mid 1300s. Now is the Renaissance period. It was the complete breakdown of the Church. It was about humanism and focused on human life and accomplishments. People were explorers. Martin Luther led the Protestant Reformation. Secular education was very prominent. Printed music appeared. Painting and sculpture were very famous and so was music. The words in the song had to be understood. Music should also reflect the meaning of the words. Mass was invented. Examples are the imitation Mass. A madrigal is a secular vocal work for 4 to 6 people. They had to apply ‘word painting’ too. It was like trying to express a poem in music. Listen to Weeleks ‘As Vesta was from Latmos Hill Descending’.

A Necessary and Invigorating Excursion into the Worlds of Music Theory and Terminology. Music is defined by sound. How are pitches arrayed into melodies? A pitch is of a single fundamental frequency. This is the first property. The second is timbre. This refers to ‘tone colour’. Partial vibrations also produce a certain sound, known as a harmonic. Note is a pitch with duration. They are the building blocks of melodies. A chord is three of more pitches played simultaneously. There are series of chords around. Along a string, the various vibrations at various positions produce different sounds. Pitches are an octave apart. An octave is a one-to-two ratio. Texture is the number of melodies and the interaction of each melody with one another. Monophony is like a plainchant. A polyphonic is one where there are two or more principal melodic parts. Imitative polyphonic is where the melody is similar, but played at different time intervals. A strict imitative polyphony is known as a kanon. Sometimes, they are not so strictly imitative. Non-imitative polyphony is a different set of notes entirely. A homophony is where one melody is predominant and all other melodies are accompaniments. Hence, the tonal harmonic system was formed.

Emotional Exuberance and Intellectual Control. The Paradox of Baroque Art. Opera was invented in 1600. Opera transformed Western music. It celebrated human emotion. The orchestra was formed. The Baroque era was between 1600 to 1750. Baroque means ‘a pearl of irregular shape/colour’. It had a negative connotation in the past. This was the era of Galilei, Descartes, Bach, Kepler, Newton. God was still in the picture, but not as much. Everything had logic and symmetry. The music was characterized with tempered and systematic harmony. Theatres were popular too. There was less word painting but the feelings behind the words play centre-stage. The French overture was invented in 1660 for Royals. George Frideric Handel wrote the ‘Overture to Messiah’ in 1741.

Play it, Don’t Say It. The Rise of Instrumental Music. Instrumental music is an art form which can rival vocal music. It is a very abstract concept. Motives are a group of notes from which melody is grown via repetition, sequencing and then transformation. A tune is unique sort of melody. A theme is the idea of a certain section of music. There are conjunct (close together) melodies and also disjunct. The harpsichord was commonly used in the Baroque era and so was the piano. The octave was divided into 12 pitches, with a major and minor scale. Timing of notes was also introduced, whether it is x number of beats. The bass line was developed into a basso continuo. Listen to Bach’s Brandenburg Concerto 2. The basso consists of a harpsichord and a cello. The bass line contains the melodic lines.

What is instrumental music? It is music that has no words, no literary information beyond its title to explain why it exists and why it sounds the way it does. It’s neither physically dimensional nor concrete. – Robert Greenberg

National Styles (Italy and Germany). Beethoven’s 5th symphony is very recognizable. However, the Italian language is more long winded. Vivaldi stretched one word to 74 notes. Music styles are certainly influenced by how languages are spoken. Opera was invented in Italy. French loved their wind instruments. Italian is more similar to Latin. The melodies are usually smooth in nature. Italy was the centre of the Renaissance. Italian is closest to Latin. Vivaldi’s the 4 seasons are among the most frequently heard Baroque works. He usually composed for opera. The music is usually homophonic in nature. Martin Luther was against the Church and thought that one could interpret the Bible differently. All music was a gift to God. German language is full of strong consonants than vowels. There is usually 1 pitch per syllable. The melodies are usually clearly articulated. German music became more popular during the Protestant Reformation. List to Bach’s Brandenburg Concerto 2.

Fugue It! It combines extravagance with systematic organization. Composing is a tedious process. A fugue is a polyphonic composition. Fugues are a highlight of the Baroque era. Bach was a master of the fugue. It contains exposition, episodes and subject restatements. Listen to the Bach’s Fugue in C Minor from the Book one of the Well-Tempered Clavier. Each one is a voice. They will sing different voices at the same time. Each voice that enters must be the highest or the lowest to create effect. There are various episodes and restatements in the centre.

Opera (The Baroque Expressive Revolution in Action). Opera combines everything and is good. The music captures the meaning of the words. The medieval liturgical dramas were popular too. Intermezzo was the precursor to opera. They were commentaries which were sung during plays. It was like a halftime show during a play. Jacopo Peri wrote Euridice, one of the first operas. He invented the partial recitation of words and partial singing. Claudio Monteverdi composed too. His famous work is ‘Orfeo’. Aria literally means air. It is where the information is transmitted via the music itself rather than the vocals. Aria became more popular and the recitative art took a backseat.

This is the basic premise of opera: that music has the power to interpret and intensify the feeling and spirit behind the word. – Robert Greenberg

Opera Goes to Church. The principal genres of music are oratorio, cantata (performed outside religious service), mass, magnificat, passion, motet. These works make use of the chorus. Baroque genres are influenced by opera. Basso continuo was used during the Baroque. Solo singing were used during Masses. Oratorios were initially sacred dialogues. The chorus disappeared from Baroque opera house. George Frideric Handel’s Messiah is widely performed even today. It is the most famous oratorio in history. He travelled a lot and performed all over the world. He knew how to handle singers. He wrote English language oratorios. There are commentators in the middle of the works. It was 2 hours long. Handel’s music was very inspirational indeed. The ‘Hallelujah Chorus’ is very iconic indeed.

A New Liturgy Comes of Age: Lutheran Baroque Scared Music. The Holy Roman Empire was founded to consolidate power. The English were at odds with the French. The Lutheran community emerged from about 1650 to 1680. It was marked by must congregational singing. There were hymns too and they were popular. The sermon was a big thing too. Bach was one of the greatest composers of all time. He composed over 350 cantata in his life. The productive years was between 1723 to 1728. Cantatas were meant to sound like operas. They are the masterworks of the Baroque era. However, there are only about 209 of them still in existence. Cantata 140 is very famous.

Instrumental Form in Baroque Era Music. What do the words like scherzo, trio, allegro mean? Musical forms are important. This is the way to structure time and give order. You must learn to understand the form of music. There are some compositions that do not ascribe to a certain form. These are fantasies, toccata etc. Variations of a theme are quite common. Passacaglia was common too. The bass line was common but the melody might change. Listen to Bach’s Passacaglia in C minor. It has a very firm bass line that keeps repeating.

Baroque Era Musical Genres. There are solo or chamber works. Orchestras back then were not that common. Chamber works were popular, consisting about 6 or 7 musicians. The Baroque concerto appeared around 1680. It is like a soloist battling the collective. Brandenburg Concertos 3 and 6 are orchestral concertos, where there is no soloist section. Solo concertos are where there is a soloist. A double or triple concerto is where there are more than 1 soloist. Tutti refers to everyone. Brandenburg Concerto No 5 has the first movement in ritornello form. The theme are only heard at the beginning and the end. His six Brandenburg Concertos are world-renowned.

Enlightened Is as Enlightened Does – An Introduction to the Classical Era. This is the period from 1750 to 1827. The Enlightenment period was from 1730 to 1780. There was a new middle class emerging. They wanted new education and read to societal injustice. Life was important, even without religion. The middle class could shine. Classical music was meant to be accepted by all countries. It was a combination of all the different nations. Music has to be accessible and please the greatest number. Hadyn was a popular figure in this era. Vienna is the centre of classical music. It was the adoptive home to Mozart, Beethoven etc. The Baroque music was deemed to be more elitist and exclusive. Mozart doesn’t write excessive notes for his music, just enough to create the melody. Mozart’s melody can be easily sung. Hence, it is a vocally conceived melody. Mozart wrote Eine kleine Nachtmusik. It is true that the cultural environment creates the music. Classical music was punctuated with cadence, or punctuation marks. The music gets to stop and breathe, this was rarely the case for Baroque music. In the key of C major, the G pitch is the dominant pitch. There are open, closed cadences. There are also tonic pitches.

Putting It All Together: Classical Era Musical Form, Part 1. Music is now accessible to every person. A music form is the key. Musical form is the most important thing in music. There are theme, variation, minuet and trio form. The theme is usually a tune. Some use a theme as a melody. Listen to Diabelli Variations, Handel Variations, Haydn Variations, Paganini Variations. A theme and variation form a movement structure which is discontinuous. Theme and variations are very disciplined. The coda is an expanded final cadence. Theme and variation is very popular in classical music. Listen to Mozart’s 12 variation on Ah vous dirai-je, Mamam (Twinkle Twinkle Little Star). The first is to make the thematic melody very prominent. Later, there are 12 variations. Minuet and trios are very popular too. The French loved their dances and opera. Dance are also performed in suites, or in sequence. The French perfected their dances. The minuet was very popular in the ballroom. The minuet is a very popular social dance. There is usually the A-B-A structure. Joseph Haydn’s Symphony 88 is a brilliant minuet and trio. A rondo theme is more ambiguous. There is the ritornello form too. Listen to Beethoven’s piano sonata in G major, op. 49 no. 2. Opus literally means work of art.

Classical Era Musical Form, Part 2 (Sonata Form). The word ‘sonata’ has been over-used. It means a ‘sounded piece’. Cantata is a sung piece. There is a single principal theme. There is the exposition, the first large section of a sonata. There is a modulating bridge. This is an aspect of harmony. The keys might change without us knowing. However, this is what makes music fluid in nature. Listen to Mozart’s Symphony in Gminor K 550. Sometimes, there will be thematic changes in sonata. The recapitulation is set in the home key. Mozart was a brilliant child prodigy. Mozart was incredibly prolific. Almost all of them were masterpieces in their own right.

Classical Era Orchestral Genres, Part 1. This is the symphony: music for every person. There are different types of opera and they can vary dramatically. The symphony and the concerto are one of the most iconic of the classical music era. They mean the same thing. The Romans invented the word. The sinfonia had evolved into a symphony. An orchestra is a performing ensemble. ‘Philharmonic’ means loving harmony in English. There are also 4 movement symphonies. The first movement challenges the intellect and the soul and is usually the most complex. It is usually in sonata form. The second will address the heart. The third will usually be a minuet and a trio. The fourth will usually be fast and playful and in rondo form, leaving the audience with a smile on their faces. Recitation is applied to create dramatic effects. The individual melody is very prominent in the Classical music era. Music should be tuneful and entertaining. Hadyn redefied what a symphony sounded like. He wrote 104 of them. These symphonies made him very famous indeed. The London symphonies are among his most famous works. There was a balance between head and heart. The Symphony no. 92 in G Major is one of the most popular. The overture was very popular indeed. From head, to heart, to pelvis, to the toes. Many found his music to be brilliant. Many of his pieces are still performed among modern orchestras today.

howtolistentogreatmusic