IIA Magazine Aug 2016 issue

Cybersecurity remains a weak area even among major companies, and they need to strengthen it. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. COSO's ERM framework is expected to be updated in 2017 to incorporate current risk management thinking and principles. IoT is going to have a big impact moving forward, and organizations need a comprehensive approach to it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how they are stored, and how to apply them. Automated audit procedures are the new trend, and analytics can be applied to many aspects of the audit. Understand the difference between qualitative and quantitative data and how each is measured. Understand how data is stored and the various formats it comes in. Any outliers should be thoroughly investigated. There are four types of analytics: descriptive, diagnostic, predictive and prescriptive. Use them to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lie low. They steal credit card details and then sell them. Hackers use an attack vector such as phishing to get at the data; they need to collect it quickly and then cover their tracks. The hacker will verify that the cards are valid and start with transactions of small amounts. If these go undetected, they may get bolder. IA can encourage the company to encrypt stored credit card information, monitor access to the network, and review access controls. IA is the third line of defence.
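As an added example (not from the magazine article), here is a small Python script that turns the two behaviours described above into monitoring rules: a source that probes many different cards with tiny amounts in a short window (card testing), and a card whose first approved charge was tiny and whose later charges escalate sharply. The authorization records, field layout, IP addresses and thresholds are all constructed for illustration and do not come from any real processor's log format.

```python
"""Detect card-testing behaviour in a stream of authorization events.

Added example. SAMPLE_AUTHS is constructed data; the thresholds below are
illustrative assumptions that a real deployment would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, source_ip, card_token, amount, approved)
SAMPLE_AUTHS = [
    # one source hammering many cards with $1 authorizations in 40 seconds
    ("2016-08-01T10:00:05", "203.0.113.7", "tok_a1", 1.00, True),
    ("2016-08-01T10:00:09", "203.0.113.7", "tok_b2", 1.00, False),
    ("2016-08-01T10:00:14", "203.0.113.7", "tok_c3", 0.99, True),
    ("2016-08-01T10:00:20", "203.0.113.7", "tok_d4", 1.00, False),
    ("2016-08-01T10:00:27", "203.0.113.7", "tok_e5", 1.00, True),
    ("2016-08-01T10:00:31", "203.0.113.7", "tok_f6", 1.00, True),
    ("2016-08-01T10:00:40", "203.0.113.7", "tok_g7", 1.00, False),
    ("2016-08-01T10:00:44", "203.0.113.7", "tok_h8", 1.00, True),
    # later, one of the probed cards is used for much larger purchases
    ("2016-08-01T11:30:00", "198.51.100.9", "tok_a1", 45.00, True),
    ("2016-08-01T12:10:00", "198.51.100.9", "tok_a1", 420.00, True),
    ("2016-08-01T13:05:00", "198.51.100.9", "tok_a1", 1899.00, True),
    # an ordinary shopper: normal amounts, one card, one address
    ("2016-08-01T10:05:00", "192.0.2.44", "tok_z9", 38.50, True),
    ("2016-08-01T15:00:00", "192.0.2.44", "tok_z9", 22.00, True),
]

SMALL_AMOUNT = 2.00               # "small" test charge ceiling (assumption)
WINDOW = timedelta(minutes=5)     # probing window (assumption)
MIN_DISTINCT_CARDS = 5            # distinct cards per source per window (assumption)
ESCALATION_FACTOR = 10.0          # later charge / first small charge (assumption)


def parse(records):
    """Convert ISO timestamps to datetimes; everything else passes through."""
    return [(datetime.fromisoformat(ts), ip, tok, amt, ok)
            for ts, ip, tok, amt, ok in records]


def find_card_testing_sources(records):
    """Return {source_ip: max_distinct_cards} for sources that try small
    amounts against many distinct cards inside one WINDOW. Declines count
    too: a tester is validating cards, not buying anything."""
    by_ip = defaultdict(list)
    for ts, ip, tok, amt, ok in parse(records):
        if amt <= SMALL_AMOUNT:
            by_ip[ip].append((ts, tok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # sliding window anchored at each event: distinct cards seen within WINDOW
        for i, (start, _) in enumerate(events):
            cards = {tok for ts, tok in events[i:] if ts - start <= WINDOW}
            if len(cards) >= MIN_DISTINCT_CARDS:
                flagged[ip] = max(flagged.get(ip, 0), len(cards))
    return flagged


def find_escalating_cards(records):
    """Return {card_token: approved_amounts} for cards whose first approved
    charge was small and whose later approved charges grew by
    ESCALATION_FACTOR or more: the 'getting bolder' pattern."""
    by_card = defaultdict(list)
    for ts, ip, tok, amt, ok in parse(records):
        if ok:
            by_card[tok].append((ts, amt))
    flagged = {}
    for tok, events in by_card.items():
        events.sort()
        amounts = [amt for _, amt in events]
        if amounts[0] <= SMALL_AMOUNT and max(amounts) >= ESCALATION_FACTOR * amounts[0]:
            flagged[tok] = amounts
    return flagged


if __name__ == "__main__":
    print("card-testing sources:", find_card_testing_sources(SAMPLE_AUTHS))
    print("escalating cards:", find_escalating_cards(SAMPLE_AUTHS))
```

The first rule is the one worth alerting on in near real time, because blocking the probing source stops the attacker learning which stolen cards still work; the second is a retrospective check that a fraud or audit team can run over a day's approved transactions.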

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not neatly contained, and its impact is growing. IoT is about interacting with the physical environment for business benefit. Emerging risks from IoT must be monitored closely, and management needs to be aware of them alongside the benefits. There needs to be a deployment strategy and a policy governing IoT devices.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect their SWIFT systems and credentials. Organizations should assume that a cyber breach will occur at some point. There is increasing use of software that picks up behavioural anomalies. Both a protective and a detective strategy are needed, and a response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from both a technical and a controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are using the cloud in place of traditional data center infrastructure: less manpower is needed to maintain it, and servers can be added on demand. IA needs to verify the security, reliability and availability of the data. No two clouds are the same, but the common service models are infrastructure as a service, platform as a service and software as a service. It is good to obtain the vendor's SSAE 16 report as evidence of its controls, but note that an SSAE 16 (SOC 1) report covers controls relevant to financial reporting; security, availability and confidentiality are the subject of a SOC 2 report, so check which one the vendor actually provides. Cloud deployments are difficult to track, and cloud assets keep changing, which makes them hard to monitor. The data is now stored on the same physical equipment as other organizations' data, so there is a risk of leakage between tenants. A security program is still a must. Penetration testing needs to be done periodically to find weaknesses before attackers do. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments (CSAs) can increase audit efficiency and spread control awareness throughout the organization. Process owners self-evaluate the effectiveness of their controls, via workshops, questionnaires and the like. Sometimes it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to management. The process owners must be identified clearly. IA needs to independently verify some of the responses; for example, only key controls, or only those rated as ineffective, may be selected for further testing. Continuous support and training are a must, and the right level of project sponsorship is important. CSAs can be implemented gradually. They enable IA to allocate resources to the areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving, and focus on the organizations we love. We need to constantly do the right thing and hone our communication skills: effective communication, getting to know the auditees well, and listening well are all crucial. IA should adopt an integrated mindset and broaden its IT knowledge to meet stakeholder expectations. Soft skills matter too. Our work must be guided by ethics and transparency, approached with a strategic focus, and mindful of our future.

Optimizing IA. IA is continually challenged to improve its effectiveness to meet growing expectations and workloads while staffing levels remain relatively constant. IA must be aware of the organization's strategy and ensure that its procedures align with it, and should understand the external risks. On operational efficiency, IA should offer cost-effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.


IIA Magazine Dec 2016

One potential failure of ERM is green-washing: crucial risks are pushed down into the larger collection of more trivial risks. Cybercrime is the current buzz risk. The first line of defence needs to take on greater accountability for sound risk management and control.

Investors are pushing for more accountability and transparency behind decision-making. Shareholder activism is playing a big role nowadays.

The EU has adopted the General Data Protection Regulation (GDPR), which is intended to strengthen and unify data protection for individuals within the EU. However, most organizations say that they are not well prepared. Organizations should start preparing now, as it takes effect in May 2018.

Client Feedback. Audit performance can be fine-tuned with the right input from stakeholders. To be effective, feedback should be specific, to the point and timely; useful feedback increases audit effectiveness. It can be gathered during the opening meeting, during the audit or during the closing meeting, and the client should take the opportunity to clarify any concerns. During the closing meeting, IA needs to present the supporting documents and records. A post-audit questionnaire can be sent to the client afterwards.

Must-have Controls for Small and Medium Enterprises. Five controls can help SMEs protect themselves against cyber breaches, since they often lack the resources to deal with threats. First, scan the network quarterly to identify vulnerabilities. Train employees on IT security. Protect sensitive information by inventorying the business processes that handle it and reviewing who has access to it. Segment the network. Deploy extra protection for endpoints and encrypt the data. Also monitor the network, manage service providers, protect smart devices and monitor activity related to sensitive information.
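Inventorying sensitive information is only as good as your ability to find it, and card numbers have a habit of ending up in order logs, support tickets and spreadsheets. As an added example (not from the article), the Python below scans text for Luhn-valid card numbers, which is how most DLP tools separate real PANs from order IDs and phone numbers, and masks them down to the last four digits so the rest of the file can be kept. The log lines are constructed; the card numbers in them are the well-known public test numbers, not real accounts.

```python
"""Find and mask Luhn-valid card numbers (PANs) in text.

Added example. SAMPLE_LINES are constructed; 4111 1111 1111 1111 and
5500 0000 0000 0004 are public test card numbers, not real accounts.
"""
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_LINES = [
    "2016-12-01 order=1234567890123 customer=alice card=4111 1111 1111 1111 status=ok",
    "2016-12-01 order=1234567890124 customer=bob card=4111-1111-1111-1112 status=declined",
    "2016-12-02 support note: refund to 5500000000000004 approved",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtracting 9
    if the result exceeds 9) and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str):
    """Return the PANs (digits only) found in text. A candidate must be
    13 to 19 digits and pass Luhn; a 13-digit order number that fails the
    check is not reported, which keeps false positives down."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with asterisks plus its last four digits;
    non-PAN digit runs are left untouched."""
    def repl(m):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_pans(line), "->", mask_pans(line))
```

Run this over the directories that the process inventory says should not contain card data; a non-empty result is a finding in itself, and the masked copy is what you can safely attach to the workpapers.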

A Holistic Approach to IT Risk. The COBIT framework can help auditors understand and address their organization’s technology risks. IT can be very complex but IA needs to evaluate the full range of IT risks. COBIT is valuable for the whole process, from end to end. The 5 key principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Internal auditors can use COBIT to understand the nature of IT risks that are unique to their organization.

A Toxic Culture. A department leader creates a hostile work environment by promoting friends and abusing employees and company assets. When many employees leave, that can be a sign of a toxic culture. The internal control system was inadequate, as no one tracked expenses. Critically review turnover data, as high turnover is a big red flag, and review exit interview results regularly. Access to reports should be reviewed and approved.

On the Rise. Learning is the key to doing well in IA. Get students involved early; you can volunteer as a guest speaker on internal auditing topics. IA can get involved in many projects and act as change agents for the organization; projects allow one to build business relationships with stakeholders. One can use data analytics during audit engagements. IA can act as a trusted advisor and perform consulting work. Learning SQL, a language for querying and managing data, helps. One can take others under one's wing and mentor them so that they grow. Interaction between auditee and IA must be positive. Spread the good word about what your team does. IA should be innovative in proposing solutions. It is helpful to distinguish the different roles of external audit (EA) and IA. Communication skills are the key to IA's success.

Growth through Challenge. Current and past emerging leaders discuss the tough assignments that helped propel their careers forward. Challenges faced in your career can make you a better auditor, and it is good to share the common mistakes with others. See auditees as people and go in with a customer-first, client-centric mentality. Be prepared when you go for meetings and interviews. Get a mentor, build relationships, learn from your mistakes and learn to network. It is important to preserve independence and objectivity. Influencing mindsets is tough, and building relationships with auditees can be tough when you are new. A good audit methodology matters. The learning curve can be steep, especially in an industry that is new to you. Some departments resist letting IA audit their operations. Talented auditors are always in demand; once you are good, you can engage C-suite management easily and without fear. Young auditors are always eager for more opportunities.

It’s All in the Delivery. Sharing difficult messages is an unavoidable part of the job for internal auditors, and some audit observations are hard to convey. Build the relationship before delivering bad news; announcing it right away is unlikely to work. Weekly updates once exceptions are noted are key, and preparation is the key to accomplishing objectives. Be fair and factual, and focus on the process as well as the content. Where you can, tailor the delivery to the personality of the recipient. During the discussion, seek opportunities, offer to help, be clear and maintain open body language. ‘If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake.’ Verbal updates are great, but periodic written updates go a long way. Auditors can get into trouble over poor soft skills: focus on the problem, include some positives, and meet face to face. Do not beat around the bush. EQ helps with delivery. The goal is to deliver bad news and still keep a good relationship with the auditee.

Breaking Through. Women in business are taking on the barriers to advancement, and that’s good news for everyone. Diversity is good for the workplace. More women need to be in leadership positions. However, women might face issues like lack of support, exclusion, apathy. There needs to be sufficient support from male leaders. Men should be interested in achieving gender equality. Be You. Seize the Moment. Integrate Your Life. Earn Respect. Stay Behind Facts. Be realistic and practical. Forget silos. Think context before issue. Rethink reporting. Aim at destination with gratitude. Women may also face the motherhood penalty.

Mapping Assurance. Internal auditors can facilitate efforts to document the organization’s combined assurance activities. There are a variety of assurance providers, and the CAE can use an assurance map to co-ordinate their activities and prevent gaps in coverage. IA is well positioned to provide combined assurance. The plan should start with the organization’s strategic plan and the key risks associated with its strategic objectives. Assurance should come from all three lines of defence. IA needs to assess both the quality and the quantity of assurance received.

A Winning Pair. Governance and automated controls must work in tandem to achieve maximum results. Good governance is the key. IA needs to assess the current risk profile, mitigation activities and residual risks. Good behaviour takes time to build, and employees need reminders to sustain it. Desired behaviour ultimately stems from the top.

The High-Performance Audit Team. Today’s complex, evolving business environment demands more of internal auditors. The world is changing and stakeholder expectations are increasing. IA can also rotate and fill other operational positions. An integrated internal audit function can boost performance. There is a strong need to invest in training and learning. Verbal, leadership, communication skills are very important. A high performance team can evolve to meet new challenges and reinvent itself. We also welcome constructive feedback from staff.


Lean and Six Sigma for Beginners by G Harver

A Quickstart Beginner’s Guide to Lean Six Sigma

Learn to involve everyone in the organization’s processes. Six Sigma is one of the best ways to cut costs, and a Six Sigma certificate is very valuable. It is about finding confidence in your business and learning how to streamline processes. Six Sigma can also be applied in the government setting. Adopting a Six Sigma approach should improve your business’s performance.

What exactly is Lean Six Sigma? Six Sigma is focused on minimizing waste, reducing poor performance and monitoring processes so that you know how well you are doing. It is simple, and it is about consistent delivery to the customer. Your performance should be measured well: you want to achieve your intended specifications, and your actual results must be as close to your planned ones as possible. Align projects with your strategic objectives and be able to assess them. You want every input to drive revenue creation. There should be no bottlenecks or downtime; clear everything that slows you down. Look out for downtime, meaning the eight wastes commonly remembered by the acronym DOWNTIME: defects, overproduction, waiting, non-utilized talent, transportation, inventory, motion and extra processing. Projects should be clearly defined, and every employee’s efforts should be measured so that they fall in line with the organization’s objectives. It will keep employees on their toes.

How Lean Six Sigma Works on a Daily Basis. You must aim for 100% quality; we all want as much profit as we can make. Motorola introduced Six Sigma in 1986. Quality, quantity and speed of production are all key. Avoid any wastage that leads to poor workmanship, and avoid overproduction; low consumption of what you produce is a bad sign. Time is money: any time that your employees are not working is a loss to the company, so utilize your talent and have them multi-task if necessary. There must be no wastage in transportation. Inventory storage cost must be factored in; just-in-time inventory is best, and the key is that inventory is processed once it arrives, without undue delay. Do not over-process, as it is time consuming and eats into your profits.

The fact is that you are just wasting time walking here, there and everywhere; in the process, you are adversely influencing other people towards your bandwagon. That is why you need to minimize aimless movements during working time. You need to appreciate that idle movements do not constitute leisure. Scheduled leisure time is helpful but idling about is not. – G Harver

Beneficiaries of Lean Six Sigma. Employees will feel challenged and drive in the same direction as the company; motivated and healthier employees rarely take leave or absent themselves. Technology can help improve efficiency and productivity. The time taken to attract customers is reduced. It is an effective tool throughout industry. People skilled in Six Sigma are employable and can work as consultants in large companies, for example as a lead manufacturing engineer or a business process analyst. There are many such roles in an organization that seeks to improve its performance.

Salaries Associated with Lean Six Sigma. The roles are unique and command good salaries. A Green Belt certification will boost your credentials. Lean Six Sigma trainers earn even more. You can consult for IT companies, F&B companies etc. The master black belts are the best paid. Try to get the company to sponsor you for your training.

Things for a CEO to note in readiness to implement Lean Six Sigma. Do not wait until you are making losses before implementing Six Sigma. Make improvements that move you toward 100% perfection. It is a structured approach in which decisions are based on accurate data; success is measured by a small margin of error, so it is highly dependent on accurate data and on strict discipline in implementation. Analyzing data and looking at it from the right perspective is the most important thing you can do. Take each project one at a time. Embrace solutions only when there is conclusive evidence that they will work. You need everyone on board to implement Six Sigma effectively, and senior management must be kept in the loop. Empower people to carry out new initiatives, even if it means eliminating paperwork. Bring in an expert to train your staff. Always be receptive to feedback.

Tying Lean to the Six Sigma Method for Best Performance. Lean means travelling light: deliver your product or service fast, at high quality, with a short cycle. Internal problems in your team, such as low morale, overly complex work, excessive multi-tasking, reworking product defects, lack of flexibility and inefficient systems, can all hurt delivery. To overcome them: understand your customers’ demands, reduce the number of tasks people do at the same time, work towards smaller deliveries rather than one huge one, develop a routine and set expectations with your customer, and take orders only if you have the capacity to fulfil them.

Actual 6 Sigma Gauge. Some normal loss in the manufacturing process should be expected, and it can be predicted at the start. Sigma level 6 corresponds to a success rate of 99.99966%. The more you succeed, the higher you fare on the sigma scale. There are six sigma levels, each defined by the number of defects per million units produced (more precisely, per million defect opportunities, or DPMO). Your ultimate business goal should be to reach only 3.4 defects in every million; this is the six sigma level.
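As an added worked example (not from the book), the Python below computes the three quantities the yellow belt syllabus covers, DPMO, yield and sigma level, and reproduces the standard table in the other direction. It uses the conventional 1.5-sigma long-term shift that the published sigma tables assume, which is why 3.4 DPMO comes out as level 6 rather than 4.5; the defect counts are made up.

```python
"""DPMO, yield and sigma level.

Added example, not from the book. The defect counts in the usage block
are made up for illustration.
"""
from statistics import NormalDist

_Z = NormalDist()       # standard normal distribution
SIGMA_SHIFT = 1.5       # long-term process shift assumed by the standard sigma tables
MILLION = 1_000_000


def dpmo(defects, units, opportunities_per_unit=1):
    """Defects per million opportunities. With one opportunity per unit this is
    the 'defects per million units produced' figure quoted in the text."""
    return defects / (units * opportunities_per_unit) * MILLION


def yield_pct(defects, units, opportunities_per_unit=1):
    """Percentage of opportunities that were defect-free."""
    return 100.0 * (1 - defects / (units * opportunities_per_unit))


def sigma_level(dpmo_value):
    """Sigma level for a given DPMO: the z-score of the defect-free fraction
    plus the 1.5 shift. 3.4 DPMO gives 6.0. A process with zero defects has
    no finite level, and one with nothing but defects has no lower bound."""
    if dpmo_value <= 0:
        return float("inf")
    if dpmo_value >= MILLION:
        return float("-inf")
    return _Z.inv_cdf(1 - dpmo_value / MILLION) + SIGMA_SHIFT


def dpmo_for_sigma(level):
    """Inverse: expected DPMO at a given sigma level (the standard table values,
    e.g. about 66,807 at level 3 and 6,210 at level 4)."""
    return (1 - _Z.cdf(level - SIGMA_SHIFT)) * MILLION


if __name__ == "__main__":
    d = dpmo(34, 10_000)   # made-up figures: 34 defects in 10,000 units
    print(f"DPMO={d:.0f} yield={yield_pct(34, 10_000):.2f}% sigma={sigma_level(d):.2f}")
    for lvl in range(1, 7):
        print(f"sigma {lvl}: {dpmo_for_sigma(lvl):,.1f} DPMO")
```

The shift is the part people argue about: without it, level 6 would mean about 0.002 DPMO, so when a vendor quotes a sigma level ask whether it is the shifted or unshifted figure before comparing it with your own.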

Effective application of Lean Six Sigma, including in your profession. View your profession as a business. Serving your auditee fast saves your organization’s time. Offer high quality services and create well defined projects; every move your organization takes has an impact on the bottom line. Train key personnel. Use DMAIC: Define, Measure, Analyze, Improve and Control. Define the problem, using only individuals who are compatible, and set working parameters. Overhaul your processes if fraud is present in your organization. Have an effective plan for data collection and system analysis. Analyze the problem. Then improve the situation: propose a solution with a clear cost-benefit analysis, present the plan to the project’s stakeholders, and execute it. Finally, control the situation. Communicate both your goals and achievements to your stakeholders and get their buy-in.

Lean 6 Sigma in Government Operations. Wastage is bad for the government and can bring the house down. Governments can consider value stream mapping (VSM): map both the current process and the proposed new process and present the two alternatives side by side. In kaizen, the changes are incremental. There is a lot of red tape in government, which should be addressed through kaizen improvement.

Challenges to Anticipate in Lean Six Sigma Implementation. Identifying the correct process owner is the most important thing, but some owners may not be very enthusiastic. Some departments may not work well with one another, and you might encounter language barriers. You must obtain management buy-in. The trick is to display small wins quickly to show others that the project is working. Develop rapport with everyone concerned, resolve issues quickly together, use charts to indicate progress, and ensure that you have a project implementation team.

Why adopt the Lean 6 Sigma style? A black belt certification signals that you are highly valued. There is even a body called the International Association for Six Sigma Certification. Six Sigma is about enhancing efficiency, reducing waste and increasing revenue.

Lean 6 Sigma for SMEs. Downtime is not good for any organization, even SMEs. Many SMEs currently operate at sigma level 3 or 4, which is eating into their revenues. You want to spend as little time as possible fighting fires. Small organizations are more nimble and can implement Six Sigma more easily.

How to embark on implementing lean six sigma. You need to identify a project champion. You need this person to be involved as soon as possible. Gauge your project against your organization’s strategic objectives. The project champion is concerned with the big picture.

Yellow and Green Belt Certification in Lean Six Sigma Training. There are yellow, green and black belts. The yellow belt training takes 2 days and teaches you how to calculate the sigma level, defects per million units of output, and yield. The green belt training takes 8 days.

Black Belt Level of Certification within Lean Six Sigma. The black belt training also takes 8 days, and you need a green belt before you can take it. This level involves statistical analysis: you will learn how to perform sampling, compute metrics and control charts, and handle regression. There is also a master black belt (MBB) certification; the MBB exam is over 2.5 hours long.

How does 6 Sigma Compare to Total Quality Management? TQM improvement is gradual. Six Sigma relies more on statistics and less on behavioural change. Six Sigma is not about ruthless cost cutting.

Details of Waste Eliminated by Lean 6 Sigma. Cutting waste in transport is important. Do not hold unnecessary inventory, as it ties up cost and space. Unnecessary, non-value-adding work is a waste of time. Excessive waiting time should be eliminated. Overproduction is bad. Underutilized skills and defects are also undesirable and are types of waste.

Lean and 6 Sigma above quality assurance. Quality assurance is good and a system is important, but also get rid of business steps that are redundant.

Why Companies Are Not Taking Advantage of Lean Six Sigma. Six Sigma is one of the best ways to cut costs. The key benefits are 1) improving the quality of products and services; 2) improving the customer experience; 3) increasing the bottom line. Sometimes a lack of information hinders companies from applying Six Sigma. Some people believe it is a fad. There are also costs associated with implementation. Some feel their business is too small for Six Sigma to be effective, and some find it too mathematical.
