SSA 265 – Communicating Deficiencies in Internal Control to those Charged with Governance and Management

SSA 265 Summary

The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. The auditor can consider internal control when developing audit procedures, but there is no need to express an opinion on internal control effectiveness.

The auditor needs to communicate appropriately with those charged with governance (CWG) on any deficiencies (must explain potential effects) in internal control identified during the audit. This must be done in writing. However, it is okay if there is earlier communication orally. The level of detail in the communication depends on the auditor’s professional judgment.

The auditor should clarify with the appropriate level of management (one that has authority to evaluate deficiencies and take necessary remedial action) if one or more deficiencies in internal control are identified. If the finding calls into question management’s integrity/competence, it may not be appropriate to discuss it directly with management.

This SSA also indicates examples and indications of significant deficiencies in internal control.

If the significant deficiency is not rectified in prior years, the auditor can communicate the same deficiency in the current year.

Other deficiencies (not significant) may be communicated to management orally only. Communication of these to those CWG is also optional and dependent on the auditor’s professional judgment.


SSA 210 – Agreeing the Terms of Audit Engagement

This SSA is effective after periods ending 15 Dec 2016.

This SSA deals with auditor’s responsibilities in agreeing the terms of the audit engagement with management and those charged with governance.

The objective of the auditor is to accept or continue an audit engagement only when the basis upon which it is to be performed has been agreed:

  1. a) Establish whether preconditions for an audit are present; and b) confirm whether there is a common understanding between auditor and management

Preconditions are firstly that the FR framework is acceptable. Next, management understands its responsibility to prepare FS in accordance with the FR framework and to have internal controls to enable the preparation of FS to be free from material misstatement, whether due to fraud or error (via a management representation to the auditor). Agreeing the terms of the audit engagement will help avoid misunderstanding about one another’s responsibilities.

Management should allow the auditor (i) access to information; (ii) any additional information; (iii) unrestricted access to persons from whom the auditor determines it necessary to obtain audit evidence.

If the preconditions are not met, the auditor shall discuss this with management and will consider not accepting the proposed engagement. If that is not possible due to law/regulations, the auditor will need to explain to management the importance of these matters and the implications for the auditor’s report.

The auditor needs to draft an engagement letter. The auditor should not agree to changes to the terms when there is no reasonable justification for doing so, for instance changing from an audit engagement to a review engagement in order to avoid the qualified opinion that will be issued by the auditor. If there are changes, both parties will need to acknowledge them.

Assurance and audit engagements may only be accepted when the practitioner considers that relevant ethical requirements such as independence and professional competence will be satisfied, and when the engagement exhibits certain characteristics.

Some general purpose frameworks are the Financial Reporting Standards (FRS) promulgated by the Accounting Standards Council etc.

Please read the SSA for more details of what sections are required in the engagement letter.

For Singapore incorporated companies, the description of responsibilities for the financial statements is as follows:

Management is responsible for the preparation of FS that give a true and fair view in accordance with the provision of the Companies Act, Chapter 50 and Financial Reporting Standards in Singapore, and for devising and maintaining a system of internal accounting controls sufficient to provide a reasonable assurance that assets are safeguarded against loss from unauthorized use or disposition; and transactions are properly authorized and that they are recorded as necessary to permit the preparation of true and fair financial statements and to maintain accountability of assets.


SSA 220 – Quality Control for an Audit of Financial Statements

This SSA concerns the responsibilities of the auditor relating to quality control procedures and also the responsibilities of the EQCR (engagement quality control reviewer). This is necessary in order to comply with SSQC1. EQCR is useful as it gives assurance that the audit complies with professional standards and applicable legal and regulatory requirements.

The engagement partner shall take responsibility for the overall quality on each audit engagement. Quality is essential in performing audit engagements. He needs to remain alert for evidence of non-compliance with ethical requirements (ACRA code). If there is non-compliance, appropriate action must be taken.

The partner also needs to assess and conclude on the independence requirements (eliminate the activity, or withdraw from the engagement if not independent). He needs to be satisfied on appropriate procedures in relation to acceptance and continuance of client relationships and audit engagements. He needs to be satisfied that the engagement team has the right competence and capabilities. He is also responsible for the right direction, supervision (track progress of engagement, address significant matters, identify matters for consultation) and performance of the audit engagement.

In addition, they are responsible for consultations that are taken within the engagement team.

For audits that require EQCR, the partner shall discuss significant matters arising during the engagement with the EQCR reviewer. The audit report should only be dated on or after the EQCR review and the EQCR should be conducted in a timely manner.

The EQCR needs to look at discussion of significant matters, review of FS, review of selected audit documentation and evaluation of the conclusions reached. They also might need to examine independence of the audit firm, and whether there is appropriate consultation.

There needs to be a proper monitoring process for EQCR as well, and to ensure that P&P relating to system of quality control are relevant, adequate and operating effectively. Partners can usually rely on the system of quality control and the role of engagement teams.

Reviews by the engagement partner must be timely in nature and they should examine areas like critical areas of judgment, significant risks, other areas etc. The engagement partner need not review all audit documentation, but may do so. However, as required by SSA 230, the partner documents the extent and timing of the reviews.


IIA Magazine Apr 2016 issue

Soft skills seem to be lacking in some of the IA teams. There is the art of interviewing that must be executed properly. IA can set aside time to work with other parts of the business. Audit reports are not the only communication channel.

Time to Shift the Mindset. Pulse report urges IA to focus on culture and cybersecurity response. Board members should discuss with management to ensure that there is a common understanding. There is a risk of poor vendors and that firms could suffer from reputational damage. There needs to be strong third party risk practices.

Fraud Prevention. An effective control environment can deter or minimize the occurrence of fraudulent activities. Internal controls may not always be designed to prevent fraud. There must be a strong control environment for fraud prevention. Background checks and fraud related training can be useful indeed. Whistle-blowing hotlines can be set up. A certain level of anonymity must be ensured. No one person should have complete control over a whole particular process, from start to end. Monitoring activities should take place on a frequent basis.

The Call No CAE Wants to Receive. A strong working relationship between IA and the CIO is essential to responding quickly to a cyber incident. This is important as cyber attacks can lead to reputational damage. One can verify the controls at the vendor and get them to fill up a data security risk assessment questionnaire. IA can be the trusted advisor that an organization needs.

Collaborative Risk Management. As organizations consolidate their risk processes, IA may not be able to continue to stand alone. Risk collaboration and organizing risks are more important nowadays. There is a need to be efficient about going about this. Risk needs to be organized neatly. ERM is one way to link everything together. Auditors should be open to other ideas on organizing and mitigating risk.

The Ticking Ethical Time Bomb. The financial loss from theft was secondary to the effect on company culture. Sometimes, the most obvious issue is not the more important one. Small frauds can lead to large ones. Reinforcing identity is also very smart sometimes, as it can help with ethical reinforcement. Increasing controls should not be done as a knee-jerk reaction.

A Matter of Trust. Attention to detail and focused effort can help IA build the relationships required to be perceived as valued advisers. IA should be given time to innovate, gain an understanding of evolving challenges and talk to people in the business regularly about the issues they face. You help to build trust if you know what the regulators or other people are doing. Sometimes, top management might even tell CAE the problems that are upcoming. Relationship building and being part of the management team is crucial. However, there is still a need to be independent even if IA is like a trusted advisor. Try to leverage on technology.

‘IA can often be forgotten if it is not part of the core team, because it is less visible than those functions that meet and talk regularly.’

‘Auditors are there to make organizations better – it is a key part of the way they can add value. Not commenting when they see a better way to do something could show a certain lack of moral courage.’

Proactive Fraud Analysis. Integrating advanced forensic data analytics capabilities can help auditors mitigate fraud risks and demonstrate returns. IA can invest in such tools as they can help in the monitoring of risk. IA should ask ‘What are the high risk accounts?’; ‘When?’; ‘Where?’ etc. IA should focus on the low-hanging fruit first. The first project undertaken should be easy. Learn to go beyond the descriptive analytics. Learn to embrace both structured and unstructured data. Communication is the key. It would be good to automate the tests and involve the end-users. Also, learn to set a realistic timetable. Keep analytics simple and intuitive – don’t include too much information in one report, or it will not be easy to understand.

Getting More from Interviews. Instead of emphasizing formalities, IA should approach each interview like a conversation. You can gain insight into the way operations work and identify gaps etc. Plan your questions beforehand and be prepared. However, the less formal it is, the more information you can find out from the interview. Try to make it a conversation. Learning about the auditee’s life can help to build rapport and build the bond. Talk to others within the same department as the auditee. The interview’s purpose should be specific, attainable and outcome oriented. Preparing for the interview helps a lot. The location matters as well. Try to open in a way that puts the auditee at ease. Try to explain the purpose and the outcome of the interview. Learn to practise effective listening. One can ask thought-provoking questions that will help to elicit information. Learn to practise active listening and show positive body language such as being attentive. You can prepare questions but there is no need to follow a list strictly. It can be difficult to build rapport. Do not try to tell the interviewee that the interview must be done to complete the audit. Have lunch with auditees once in a while. People love to hear about themselves.

‘Auditors should be curious about the way processes work, the way the organization works, and perhaps most importantly, the people who make it work. Curiosity will lead to a better understanding of the organization, better ideas for improving the organization, and a better rapport with the individuals within the organization.’

On the Hunt for Payroll Fraud. Taking a close look at payroll risks can enable IA to help their organizations save money and identify wrongdoing. Payroll fraud is more common if there are irregular workforce patterns. Payroll is usually shrouded in secrecy. Overpayment is more common than underpayment. IA can also seek actual cost savings/productivity gains. IA can adopt a helicopter overview of payroll data and the payroll process. One can compare payroll costs with other organizations. Rosters should be designed to optimize the allocation of employees to operational needs. Management welcomes findings that reveal specific wrongdoing because they provide hard-to-dispute evidence. IA can look out for certain insights and then drill further. There are many common findings. The audit fieldwork needs to be well-researched and planned.

Guardians of Integrity. IA can provide insight into corporate identity and people-related risks. For instance, IA can evaluate the ethics and organizational integrity. IA must communicate with the board and management and be the corporate conscience. Testing the effectiveness of the ethics programs can be tough. It is important to understand how an organization defines success. It is important to uphold the code of ethics: integrity; objectivity; confidentiality; competence. IA should examine incident reports too. IA must be as wise as the board, as savvy as management, and as shrewd as attorneys. Stakeholder surveys could be used to understand the management and employee ethics. IIA needs to exercise fair and ethical decision making.


Annual Conference and Global Internal Audit Leadership Summit 2017 (26 Oct)

Opening Address by Guest of Honour (Professor Tan Cheng Han). (SGX RegCo) Singapore Exchange Limited (SGX) has moved to a disclosure based regime for markets for regulators. Shareholders are active and can ask questions of the management or try to get rid of a few directors. There is a need to listen to businesses nowadays when trying to propose new regulations. We have moved from a prescriptive to a more principle based form of regulation. Nowadays, we listen to market participants and seek their inputs. We live in an uncertain world. Lawyers should facilitate transactions and not simply keep telling people what they cannot do. They should guide people to be able to make decisions within the legal framework. In this way, it is similar to what Internal Audit does. As an auditor, it is important to stand your ground and do the right thing, all the time.

Transforming Internal Audit. (AIG) It is important for IA to be clear of their role. Internal Auditors should read the ‘Common Body of Knowledge’ by IIA and also the ‘Global Trends of 2030’. Our job is to find things and to help management see things that they have not been able to see (i.e. provide assurance). Many companies have evolved over the years, like IBM, GE, Rakuten in order to stay alive. Some might have to abandon their traditional model just to keep afloat. IA can also read ‘The Fourth Industrial Revolution’. Internal auditors should all get the Certified Internal Auditor certificate and show that they belong to a professional body with high standards. We all need to comply with IIA standards. The current IA role is shifting from one of assurance to also one of advice and insight. Some of the more recent trends in internal audit include performing data analytics on the whole population. Combined assurance is also one of the up and coming trends in Internal Audit.

In Conversation with an Audit Committee Chairman. (SIA, DKSH) The IA team in PwC has grown tremendously since its inception. The role of IA is to provide an independent assurance on governance and risk management. Is the level of risk management adequate for the business? IA should also get inputs from management on their performance. One factor to judge the CAE is on whether the audit plan is incomplete and what the status of the plan versus the execution is. One option is to conduct a 360-degree feedback exercise. A CAE’s pay package should be established by the remuneration committee and with inputs from the audit committee. The bonus paid is relevant to the company’s profits and individual performance. IA is a business partner and must not be seen as competing with/slowing down the business. There is a need for internal auditors to retain a strong ethical and moral compass when discharging their duties. If you feel you are being mistreated by management, do highlight this fact to the Audit Committee. In cases of disagreement with management, it is important to highlight to the AC what your position is. It may be wise for audit partners to resign from the audits where there is serious disagreement with management. Before joining an organization, it is important to try and assess its culture and whether the culture is ethical etc. The CAE must be outgoing and interact seamlessly with other stakeholders. He must demonstrate leadership potential etc. One way to assess that is through conducting reference checks on his background etc. It is not necessary for internal auditors to have accounting backgrounds. However, it is difficult to be a CEO without a finance/accounting background. In general, having a diverse IA team is important. As the chairman of the AC, it is important to do preparatory work and also to meet the IA informally a few times a year. For young auditors, it is important to spend on your own career development and set 3-year career plans on what you want to achieve etc.

Innovative and Agile Internal Auditing at Google. (Google) In Google, the employees practice moonshot or 10x thinking and they try their best to think differently. Waymo is their project on self-driving cars. They have many interesting projects such as Calico, CapitalG, DeepMind, GV, Jigsaw, Nest, Sidewalk Labs, Verily, Waymo, X etc. Google was incorporated in 1998 by Sergey and Larry. Read the Founders’ letter to get an insight into some of Google’s core values. Also, on their website, there is a hilarious list of ’10 Things we know to be true’. Their IA also has to fit in with the culture at Google and they are moving away from SOX compliance to other forms of combined assurance. An intense level of collaboration is expected at Google. They use many syncs, tools and techniques to get their work done. The stakeholders are usually understanding and it is not difficult for IA to receive information. Also, the IA team uses software so that the client can see the IA reports at any time and also there is live QnA that happens every Friday. The software will enable the IA team to view the project status live and also to view audit working papers. Audit findings are tracked using software. As for hiring, Google looks for collaborative people. As for other skills, Google looks out for cognitive abilities, role knowledge, leadership and Googleyness. The top down approach doesn’t always work and Google tends to empower employees instead. Due to the speed of change, the IA team only develops a 6-month rolling audit plan and revises it accordingly due to changing level of risks.

Auditing Big Data. (New York State Office) In the New York auditors’ office, the IA role has been expanded to include both artificial intelligence and data analytics. Big data makes decision making easier and faster. Avoid rolling out apps when not many have access to the network. The greatest opportunities will come at a risk. You have to get comfortable with being uncomfortable. There is a need for big data and technical skillsets. Big data is large, complex and covers many complex data sets. There is a trend of lower cost of data storage. Despite this, data tags will help in the data retrieval. Big data has really helped the audit team in NY to improve the audit efficiency and effectiveness. There are mainly 4 risks associated with Big Data: 1) program governance; 2) tech availability and performance; 3) security and privacy; 4) data quality, management and reporting. When using big data, it is important to ensure that there is no invasion of privacy and that it is legal to collect and use any particular form of data. It’s a massive leap to fully integrate big data and analytics. The auditors analyze social media like Craigslist to detect unlicensed car repair workshops etc. The team also builds AI when it is not available.

Geopolitical Risks – What does it mean to Organizations and Internal Audit? (Focus Strategic Group Inc) Internal Auditors need to understand global and regional trends facing them. There are many geopolitical risks in this world and these threats can lead to supply chain disruptions. There is a massive distribution of wealth problem in this world. Some of the major events that have impacted the world are the Israel/Palestine conflict, war in Syria, Greece debt, Brexit, appointment of Trump, Spain/Catalonia separation. There is an increasing trend of protectionism for major economies and these countries are also against immigration. Trump is against the North American Treaty agreements, the TPP etc. In this world, there is only the certainty of uncertainty. People fight over many things, like land, resources, religion, perceived inequalities etc. China is also striving for more economic co-operation and wants to be the next Superpower via their One Belt One Road programme. They are also looking at how to harvest resources in the Arctic Circle. China started the Asian Infrastructure Investment Bank (AIB) and there are currently 57 countries on board with them. This bank can help provide funding for major infrastructure projects. The 3 prominent tech companies in China are Baidu, Alibaba, Tencent etc. In IA, we need to ask ourselves whether our organizations are secure. There is also a frequent need to check asset risks, read up on the latest news and check countries’ sovereign ratings. It is also possible to buy insurance to cover losses arising from geopolitical risks.

Panel Discussion: Transforming Internal Audit. (VISA, GIC, Google, SIA) There is a need for internal auditors to develop a more diverse set of skills especially in this world of digitalization. IA can be the change agent and also shape the company’s culture. For listed companies, IA can check compliance with the listing rules with methodology. The modern IA role is beyond compliance and more towards advisory. There may be a need for IA to revamp its methodology and include the need for analytics. IA needs to be proactive, adaptable and diligent. As auditors, we need good communication and networking skills and have the willingness to do things better. There is a need to use CAATs like Qlikview, SQL, Tableau to improve data analytics skills. There is a need for executive support before a data analytics programme can be rolled out successfully. One should start with the small DA projects with ROIs in order to show to management that it can work. An advanced maturity of data analytics would include things like predictive/behavior analytics and robotic process reengineering/augmented intelligence. Wherever possible, it would be good for IA to be able to automate its processes. IA can perform the prediction and look through the red flags. It is important to have good mentors who will grow and support you in your relationship. Auditors need to be curious and learn continuously. Company culture can be assessed via analytics and by conducting employee opinion surveys.


IIA Magazine Aug 2016 issue

Cybersecurity is an area that is lacking among major companies. Companies need to step up to beef this area up. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. The COSO framework is expected to be updated in 2017. It will be updated to include the latest risk management thinking and principles. IoT is going to have a big impact moving forward and there needs to be a comprehensive approach to go about doing it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how it is stored, and how to apply it. Automated audits are the new trend now. They can be applied to many aspects of the audit too. Understand what qualitative and quantitative data are and their measurements. Understand how data is stored and the various formats. Any outliers should be thoroughly investigated. There are 4 types of analytics: descriptive, diagnostic, predictive and prescriptive. Learn to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lie low. They can steal credit card details and then sell them. Hackers use a vector to steal data, such as phishing. They also need to collect the data quickly and then cover their tracks. The hacker will verify that the cards are valid and start off with transactions of small amounts. If they go undetected, they may get bolder. IA can encourage the company to encrypt the credit card information and monitor access to networks. Access control needs to be checked too. IA is the third line of defence.

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not so neatly contained. The impact of this is growing. IoT is about interacting with the environment for business benefit. Emerging risks from IoT must be monitored closely. There are many benefits from using IoT devices too. Management needs to be aware of the risks too. There needs to be a deployment strategy too. A policy needs to be drawn up.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect the SWIFT codes. A cyber breach might definitely occur in future. There is increasing use of software to pick up behavioural anomalies. There needs to be both a protective and detective strategy. A response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from a technical and controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are making use of the cloud as compared to traditional data center infrastructure. Less manpower is needed to maintain a cloud as well. Servers can be added on demand too. IA needs to verify the security, reliability and availability of the data. No two clouds are the same but the common ones are infrastructure as a service, software as a service, platform as a service etc. It is good to obtain the SSAE 16 report on the vendor as evidence of its controls. It is difficult to track cloud deployment. Cloud assets can keep varying as well and it is difficult to monitor. The data is now stored on the same physical equipment as other organizations and there is a risk of leakage. A security program is still a must. Penetration testing needs to be done periodically to prevent hackers. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments can increase audit efficiency and spread control awareness throughout the organization. This is for process owners to self-evaluate the effectiveness of controls. This could be done via workshops/questionnaires etc. Sometimes, it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to the management. The process owners must be identified clearly. IA needs to independently verify some of their responses. For example, only key controls or only those rated as ineffective may be selected for further testing. Continuous support is a must and training must be provided. The right level of project sponsorship is important too. It can be implemented gradually. CSA enables IA to allocate resources to focus on areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving and focus on the organizations that we love. We need to constantly do the right thing and hone our communication skills. Effective communication is the key and getting to know the auditees well is the key. Listening well is crucial too. Nowadays, IA should adopt an integrated mindset. We need to broaden our IT knowledge to meet stakeholder expectations. Applying soft skills is important too. Our work must be guarded by ethics and transparency. We need to approach our work with a strategic focus too. There is also a need to focus on our future.

Optimizing IA. IA is being continually challenged to improve its effectiveness to better meet growing expectations and workloads. IA staffing levels remain relatively constant. IA must be aware of strategy and ensure that procedures align with that strategy. IA should understand what the external risks are. As for operational efficiency, IA should offer cost effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.


IIA Magazine Dec 2016

One potential failure of ERM is that of green-washing: this is when crucial risks are pushed down into the larger collection of more trivial risks. Cybercrime is a current buzz risk. The first line of defence needs to take on better accountability for sound risk management and control.

Investors are pushing for more accountability and transparency behind decision-making. Shareholder activism is playing a big role nowadays.

The EU has released new general data protection regulation (GDPR) which intends to strengthen and unify data protection for individuals within the EU. However, most organizations say that they are not well prepared. Organizations should start preparing for this as it will kick off in May 2018.

Client Feedback. Audit performance can be fine-tuned with the right input from stakeholders. Feedback should aid audit performance. Feedback should be to the point and be specific and timely in order to be effective. Useful feedback can increase audit effectiveness. Feedback can be provided during the opening meeting, during the audit or during the closing meeting. The client should take the opportunity to clarify any concerns that they may have. During the closing meeting, IA needs to present the supporting documents and records. A post-audit questionnaire can be sent to the client after the audit.

Must-have Controls for Small Medium Enterprises. 5 controls can help SMEs protect themselves against cyber breaches. Sometimes, they do not have sufficient resources to deal with threats. Firstly, scan the network quarterly and identify vulnerabilities. Train employees on IT security. Protect sensitive information by inventorying sensitive business processes and reviewing access to information. Learn to segment the network. Deploy extra protection for endpoints and encrypt the data. Learn to monitor the network, manage service providers, protect smart devices and monitor activity related to sensitive information.

A Holistic Approach to IT Risk. The COBIT framework can help auditors understand and address their organization’s technology risks. IT can be very complex but IA needs to evaluate the full range of IT risks. COBIT is valuable for the whole process, from end to end. The 5 key principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Internal auditors can use COBIT to understand the nature of IT risks that are unique to their organization.

A Toxic Culture. A department leader creates a hostile work environment by promoting friends and abusing employees and company assets. When many employees leave, it could be a sign of a toxic culture. There was an inadequate internal control system as no one tracked expenses. Critically review turnover data as this is a big red flag. Exit interview results should be reviewed regularly. Access control over reports should be reviewed and approved.

On The Rise. Learning is the key to doing well in IA. Get students involved early and you can volunteer as a guest speaker on internal auditing topics. IA can get involved in many projects and act as change agents for the organization. Projects can allow one to build and develop business relationships with stakeholders. One can use data analytics during audit engagements. IA can act as a trusted advisor and perform consulting work. One can learn SQL, which is a tool for managing data. One could take others under their wing and mentor them so that they can grow. Interaction between auditee and IA must be positive. Spread the word about the good work that your team does. IA should be innovative in addressing solutions. It is helpful to distinguish the different roles of EA and IA too. Communication skills are the key for IA’s success.

Growth through challenge. Current and past emerging leaders discuss the tough assignments that helped propel their careers forward. Challenges faced in your career can propel you to be a better auditor. It is good to share with others some of the common mistakes. See auditors as people and go in with a customer-first mentality. Be client-centric. Be prepared when you go for meetings and interviews. Get a mentor, build relationships, learn from your mistakes and learn to network. It is important to preserve independence and objectivity. Influencing mindsets is tough. Building relationships with auditees can be tough when you are new. It is important to have a good audit methodology. The learning curve can be steep, especially if the industry is new for you. Some departments are resistant to letting IA perform audits on operations. Talented auditors are always in demand. Once you are good, you can engage the C-suite management easily and without fear. Young auditors are always eager for more opportunities.

It’s all in the delivery. Sharing difficult messages is an unavoidable part of the job for internal auditors. Some audit observations can be difficult to convey. You should always build the relationship before telling the bad news. Telling the bad news right away is unlikely to work. Using weekly updates once the exceptions are noted is the key. Preparation is the key to accomplishing objectives. It is important to be fair and factual. Focus on the process as well as content. If you can, tailor the response to the personality of the recipient. During the discussion, one can seek opportunities, offer to help, make it clear and maintain open body language. ‘If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake.’ Verbal updates are great, but periodic written updates go a long way. Auditors might get into trouble over their poor soft skills. Focus on the problem, include some positives, have a face-to-face meeting etc. The key is not to beat around the bush. EQ is important in helping good delivery. The key is to deliver bad news but still build a good relationship with the auditee.

Breaking Through. Women in business are taking on the barriers to advancement, and that’s good news for everyone. Diversity is good for the workplace. More women need to be in leadership positions. However, women might face issues like lack of support, exclusion, apathy. There needs to be sufficient support from male leaders. Men should be interested in achieving gender equality. Be You. Seize the Moment. Integrate Your Life. Earn Respect. Stay Behind Facts. Be realistic and practical. Forget silos. Think context before issue. Rethink reporting. Aim at destination with gratitude. Women may also face the motherhood penalty.

Mapping Assurance. Internal auditors can facilitate efforts to document the organization’s combined assurance activities. There are a variety of assurance providers. The CAE can use an assurance map to co-ordinate assurance activities. It can also help to prevent gaps in coverage. IA is well positioned to provide combined assurance. The plan should start with the organization’s strategic plan and the key risks that are associated with the strategic objectives. There should be 3 tiers of defence to provide assurance. IA needs to assess the quality and quantity of assurance received.

A Winning Pair. Governance and automated controls must work in tandem to achieve maximum results. Good governance is the key. IA needs to assess the current risk profile, mitigation activities and residual risks. Good behaviour requires time, and employees should receive reminders in order to behave well. Desired behaviour ultimately stems from the top.

The High-Performance Audit Team. Today’s complex, evolving business environment demands more of internal auditors. The world is changing and stakeholder expectations are increasing. IA can also rotate and fill other operational positions. An integrated internal audit function can boost performance. There is a strong need to invest in training and learning. Verbal, leadership and communication skills are very important. A high-performance team can evolve to meet new challenges and reinvent itself. We also welcome constructive feedback from staff.
