IIA Magazine Apr 2016 issue

Soft skills seem to be lacking in some of the IA teams. There is the art of interviewing that must be executed properly. IA can set aside time to work with other parts of the business. Audit reports are not the only communication channel.

Time to Shift the Mindset. Pulse report urges IA to focus on culture and cybersecurity response. Board members should discuss with management to ensure that there is a common understanding. There is a risk of poor vendors and that firms could suffer from reputational damage. There needs to be strong third party risk practices.

Fraud Prevention. An effective control environment can deter or minimize the occurrence of fraudulent activities. Internal controls may not always be designed to prevent fraud. There must be a strong control environment for fraud prevention. Background checks and fraud related training can be useful indeed. Whistle-blowing hotlines can be set up. A certain level of anonymity must be ensured. No one person should complete control over a whole particular process, from start to end. Monitoring activities should take place on a frequent basis.

The Call no CAE wants to receive. A strong working relationship between IA and the CIO is essential to responding quickly to a cyber incident. This is important as cyber attacks can lead to reputational damage. One can verify the controls at the vendor and get them to fill up a data security risk assessment questionnaire. IA can be the trusted advisor that an organization needs.

Collaborative Risk Management. As organizations consolidate their risk processes, IA may not be able to continue to stand alone. Risk collaboration and organizing risks are more important nowadays. There is a need to be efficient about going about this. Risk needs to be organized neatly. ERM is one way to link everything together. Auditors should be open to other ideas on organizing and mitigating risk.

The Ticking Ethical Time Bomb. The financial loss from theft was secondary to the effect on company culture. Sometimes, the most obvious issue is no the more important one. Small frauds can lead to large ones. Reinforcing identity is also very smart sometimes, as it can help with ethical reinforcement. Increasing controls should not be done as a knee-jerk reaction sort of thing.

A Matter of Trust. Attention to detail and focused effort can help IA build the relationships required to be perceived as valued advisers. IA should be given time to innovate, gain an understanding of evolving challenges and talk to people in the business regularly about the issues they face. You help to build trust if you know what the regulators or other people are doing. Sometimes, top management might even tell CAE the problems that are upcoming. Relationship building and being part of the management team is crucial. However, there is still a need to be independent even if IA is like a trusted advisor. Try to leverage on technology.

‘IA can often be forgotten if it is not part of the core team, because it is less visible than those functions that meet and talk regularly.’

‘Auditors are there to make organizations better – it is a key part of the way they can add value. Not commenting when they see a better way to do something could show a certain lack of moral courage.’

Proactive Fraud Analysis. Integrating advanced forensic data analytics capabilities can help auditors mitigate fraud risks and demonstrate returns. IA can invest in such tools as it can help in the monitoring of risk. IA should ask ‘What are the high risk accounts?’; ‘When?’; ‘Where?’ etc. IA should focus on the low-hanging fruit first. The first project undertaken should be easy. Learn to go beyond the descriptive analytics. Learn to embrace both structured and unstructured data. Communication is the key. It would be good to automate the tests and involve the end-users. Also, learn to set a realistic timetable. Keep analytics simple and intuitive – don’t include too much information in one report so it isn’t easy to understand.

Getting More from Interviews. Instead of emphasizing formalities, IA should approach each interview like a conversation. You can gain insight into the way operations work and identify gaps etc. Plan your questions beforehand and be prepared. However, the less formal it is, the more information you can find out from the interview. Try to make it a conversation. Learning about the auditees’ life can help to build rapport and build the bond. Talk to others within the auditees’ same department. The interview’s purpose should be specific, attainable and outcome oriented. Preparing for the interview helps a lot. The location matters as well. Try to open in a way that makes the auditee at ease. Try to explain the purpose and the outcome of the interview. Learn to practise effective listening. One can ask thought provoking questions that will help to elicit information. Learn to practise active listening and show positive body language such as being attentive. You can prepare questions but there is no need to follow to a list strictly. It can be difficult to build rapport. Do not try to tell the interviewee that the interview must be done to complete the audit. Have lunch with auditees once in a while. People love to hear about themselves.

‘Auditors should be curious about the way processes work, the way the organization works, and perhaps most importantly, the people who make it work. Curiosity will lead to a better understanding of the organization, better ideas for improving the organization, and a better rapport with the individuals within the organization.’

On the Hunt for Payroll Fraud. Taking a close look at payroll risks can enable IA to help their organizations save money and identify wrongdoing. Payroll fraud is more common if there is irregular workforce patterns. Payroll is usually shrouded in secrecy. Overpayment is more common than underpayment. IA can also examine to seek actual cost savings/ productivity gains. IA can adopt a helicopter overview of payroll data and the payroll process. One can compare payroll costs with other organizations. Rosters should be designed to optimize the allocation of employees to operational needs. Management welcomes findings that reveal specific wrongdoing because they provide hard-to-dispute evidence. IA can look out for certain insights and then drill further. There are many common findings. The audit fieldwork needs to be well-researched and planned.

Guardians of Integrity. IA can provide insight into corporate identity and people-related risks. For instance, IA can evaluate the ethics and organizational integrity. IA must communicate with the board and management and be the corporate conscience. Testing the effectiveness of the ethics programs can be tough. It is important to understand how an organization defines success. It is important to uphold the code of ethics: integrity; objectivity; confidentiality; competence. IA should examine incident reports too. IA must be as wise as the board, as savvy as management, and as shrews as attorneys. Stakeholder surveys could be used to understand the management and employee ethics. IIA needs to exercise fair and ethical decision making.

Internal-Audit

audit financial company tax investigation process business accounting

Advertisements

IIA Magazine Aug 2017 issue

The Technology Issue

 A technology revolution. Tech is moving at a fast pace and some businesses may not be able to reap the benefits. IA needs to understand the evolving risk landscape related to the business. Tech will continue to disrupt the landscape and IA needs to reassess what data means to them going forward. Auditors help organizations avoid getting into trouble by identifying issues early and avoid them being surfaced by regulators or the media.

The Cyber Readiness Gap. Organizations may not be prepared for the attacks they are expecting. Ransomware is a big issue and thinks will get worse. Only half the organizations surveyed have a plan to address ransomware attacks. IA can help to scrutinize cybersecurity practices and plans. IT security governance needs to include the human factor in corporate risk analysis and assessment. IA can move from a supportive to front-seat role when building crisis-resilient culture.

More than Compliance with ‘A’. Transforming a compliance program into a value-adding activity starts with IA. Compliance with AML regulations are important. However, many managers do not see value in compliance work. IA needs to ensure compliance can provide real assurance. It is important to do the right thing and do things correctly. Ask yourself why there is a compliance requirement in the first place. IA needs to work with the first and second line of defence to ensure all risks are being addressed. IA should also question the need for, existence of, and adequacy of compliance with A. Sometimes, the original risks may not be present and hence the compliance requirement should not be relevant. One needs to examine the adequacy and effectiveness of the mitigating control. The audit needs to maximize the use of resources and analytics. One can use trend analysis to understand whether risk is increasing or decreasing. Effectiveness of controls can be tested with analytics.

‘But it should not be compliance simply for compliance sake. Internal audit should consider the overarching business objective and the controls that help mitigate risk to the achievement of the objective – even when examining compliance-related controls.’

Stop Clicking, Start Coding. SQL queries can enable internal auditors to uncover greater insights from organizational data. Data needs to be analysed etc. Some auditors are required to learn SQL. It is a language for managing data held in databases. To be good, logical thinking and reasoning are important and necessary for coding. SQL can be tailored for auditing needs and for ad-hoc queries. SQL and other audit software can form a powerful set of analytical tools.

Internal Audit needs risk management too. Managing its own risks can improve the audit function’s performance and demonstrate that it practices what it preaches. One key risk of IA is whether the department is strategically positioned within the organization its objectives. Other risks are whether the department has enough staff, on assurance etc. Reputation risks are important too, and so is compliance risks. Operational risks are like the resourcing problems, annual audit plan etc. If audits are behind schedule by about a month, it needs to be highlighted as a red flag. IA can also do a risk control self-assessment to evaluate internal controls in place.

The Cashier Cash Thief. Mounting family pressures and opportunity cause a trusted warranty clerk to pocket payments from customers. IA must emphasize the importance of SOD and monitor any exceptions. Trend analysis would allow organization to detect fraud more timely. Routine audits are vital for all cash processes. Mandatory vacations and rotation of duties should have prevented fraud from happening.

In Safe Hands. Organizations must grapple with a host of issues when determining how to best protect their data and manage the way it’s used. In Europe, there is a General Data Protection Regulation that goes into effect in spring 2018. It is a stricter regulation than ever before. Firms need to obtain consent for data collected from individuals. IA needs to go back to the drawing board to strike a balance. Respecting someone’s privacy rights is actually a soft skill and needs a soft approach. Privacy controls need to be engineered into business processes. Businesses must be clear about what they need the data for. Many companies do not know where their data comes from and how it is used. IA can be a role model in innovation etc.

Great tech expectations. As technology becomes more integrated with business processes, auditors must raise their IT skills. New auditors usually have better skills than older ones. People with expertise in IT will be in demand. Those with experience in DA will have an advantage over those who don’t. Experience with audit-specific software is also a plus. Auditors need to have an understanding of the infrastructure and applications being used. New authors are not usually well versed in soft skills. IA needs to have a good understanding of flow, controls and governance. Determine the specialty skills needed. Maintaining the right mix of generalists and specialists is a key IT challenge. IA needs to have a training plan for the IT risk and controls. Training hours need to be tracked and there needs to be information sharing at every meeting.

Building a data analytics program. Six strategies can facilitate progress when starting or furthering an analytics program. Many functions suffer from pitfalls/ setbacks. The six strategies are (1) create awareness rather than a silo; (2) understand the data before investing in a tool; (3) plan sufficiently; (4) think big picture; (5) Partner with IT; (6) Take advantage of visualization tools for inspired reporting.

#PurposeServiceImpact. The IIA’s 2017-2018 Global Chairman of the Board J Michael Peppers encourages IA to unify around the three concepts in his powerful hashtag. Purpose, Service and Impact are important words for our profession. It is about the why we do things. We should help enhance shareholder value through our work. Service is basically walking the talk. It is important to establish credibility with clients. We are both change agents and educators and need to do the right thing. Volunteering is important and internal auditors should strive to give back to the society. Always try to make a positive difference. We need to understand the purpose of the organization.

‘The best and most successful internal auditors I know understand that internal auditing is more than just a job: it is a sincere effort to improve the lot of others, whether organizations or individuals.’

The Root of the Matter. Performing root-cause analysis requires that auditors recognize common myths associated with the process. Addressing root cause will prevent the issue from recurring. Complex problems may be due a variety of factors. There may not be a single root cause at times. Use the 5 Why techniques. Sometimes, two root causes can lead to one problem. Some brainstorming is required to address all the root causes. One can use the fishbone diagram and identify problems in different categories like: Man, Machine, Measurements, Method, Materials, and Mother Nature. One can also use scatter diagrams to pair cause and effect and look for relationships. Good recommendations in the audit report should address the root causes of a problem. However, IA should understand that RCA requires time and resources and the organization must weigh the pros and cons of doing it.

Seven Steps to Transformation. IA can assist management throughout the many stages of business change. The first is pre-implementation review. It helps management to identify problems at the planning stage. Ask yourself what is the best ERP project model for ERP packages? The other steps are process/controls analysis, In-flight reviews, IT and User Acceptance Testing and Output/Results testing. The last 2 steps are post-implementation reviews and comparison to project management reviews.

It’s only one word. Excessive audit report wordsmithing is often a disservice to the client – and the audit function. Let those who did the work have a say in the changes. Never make a change unless you can explain why that change is necessary. Otherwise, you are just changing for personal preference. Always explain the reasons for any change to the person who wrote the original drafts. Do not be too anal about phrasing as this will result in rewriting and delays and frustrations.

‘Far too often, the lead, manager, chief audit executive doesn’t like what is written and starts editing the audit report. The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.’

The Data Analytics Strategy. Adding analytics to the audit methodology requires careful change management. Funding and resources needs to be provided. Integrate data analytics requirements into the audit methodology. Look for quick wins if possible. Use a champion to lead the strategy. CAE must emphasize that analytics is good as it improves audit efficiency. Analytics can add value not just to fieldwork, but also risk assessment and planning. Data is also evidence and that’s what sells well.

From ratings to Recommendations. Behavioural psychology suggests internal auditors’ approach could benefit from more carrot and less stick. Audit gradings are hated by auditees as it sends a signal that they did something wrong and that things are really bad. The SDT (self-determination theory) shows that human motivation is optimized when the following 3 are present: developing one’s skills (competency); exercising free will (autonomy); feeling connected with others (relatedness). Give your auditee the chance by sharing about common goals and building good relationships with them.

auditing-service-singapore

IIA Magazine June 2017 Issue

Courage under Fire. Public sector auditors need to have the courage to raise issues despite the political agenda in the public sector. Audits provide a cornerstone of good public sector governance. Targeted relationship building is very important. Courage is a pre-requisite of being an internal auditor.

Terrorism and Geopolitical risks. Violence and political uncertainty threaten business interests internationally. Overall, terrorism and political violence have been at high levels. Businesses need to have strategies to deal with the geopolitical climate.

SWIFT has improved their security standards via a customer security control framework, where banks must comply annually. SWIFT will report banks which don’t comply with the new standards.

Corruption usually happen because of a poor tone from the top. The younger generation seems to be more lax when it comes to ethics and to managing others. There needs to be strong leadership from the top to tackle bribery and corruption. The board has oversight of the company’s culture but management has the best position to shape culture. Firms can get insights from departments like HR, finance on the company’s culture. Companies that allow employees to store personal information in emails etc is asking for trouble.

Key stakeholder surveys. Internal auditors should look to get feedback from their most important customers. A QAIP is a requirement but surveys are rarely given to the AC and executive management. Audit should have the habit of surveying at the end of each assurance or advisory activity. The respondent should be able to make comments as well. If the scores are not satisfactory, the CAE should recommend some course of action. Survey results should be shared with AC etc. These results can enter the QAIP as well.

‘It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the Standards.’

Application Control Testing. Control reviews can help ensure critical software applications function effectively and securely. To audit effectively, it is necessary to audit application controls too. This covers every feature and function of the application. Next, one needs to identify the key application processes and the application controls. If necessary, an integrated audit should be performed. One can use the GTAG 8 to help. Auditors can validate input and output controls. Are the processing controls accurate? Are there critical errors in computations? There is a need to examine interface controls as well. IA needs to examine: output controls, storage controls, monitoring controls, configuration management, change controls and patch management.

The Risk in the Control Environment. Auditors need to think beyond check boxes to provide assurance that control processes are addressing risks. The control environment is difficult to measure. IA should not cover up control weaknesses to management. Policies change over time and become less applicable, hence the control environment shifts. SOD is useful, but in cases where the firm is too small, alternative measures need to be made. When there are personnel change, there might be an urgent need to re-train.

‘IA needs to ensure they have authority to analyse and communicate the situation beyond just the existence of policies. Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but just because it hasn’t failed to date should not minimize the impact of the gap.’

The ‘Free Trail’ Scam. Data analytics uncovers a sales force fraud using pre-paid credit cards to boost commissions. Be wary of pre-paid credit card usage among commissioned sales forces. There is a need to check credit card transactions against a BIN database. Understand how many customer accounts are associated with a single credit card number. Companies should request for customer credit scoring and upfront payment to prevent customer defaulting on payments.

Under Siege. Public sector auditors can face intimidation, isolation, retaliation, suspension – even termination – just for doing their job. For instance, if the audit conflict with an agency’s head’s political agenda, the agenda usually wins. CAEs might have to sue the government in the end. Targeted relationship building is important. Retaliation might reduce in a reduction of CAE’s duties. Sometimes, they are told to cease investigations. Sometimes, the CEO will tell you want to audit but you are not allowed to listen to the Board. Sometimes, the CAE has to supress facts in a report. The CAE needs to drive an open and ethical environment with the AC to prevent such things from happening. If you want to be the CAE, you need to establish clear reporting lines and ensure you have access to the Board right from the start. If you are not comfortable, walk away. Auditors should build relationships with those they work with. Start by winning over staff and explain your audit charter to them. Keep open lines of communication. Document and verify any disagreements and understand the root cause. Learn to create a paper trail for your findings. Sometimes, resigning is the only option. It is still better to do the right thing.

‘It’s very difficult to make a change if the organization is dysfunctional. Sometimes you can make renovations to a house that will improve the functionality, but sometimes you just have to declare the house condemned and start over.’

How to Audit Culture. Culture audits can help practitioners gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex. Culture is shaped by values that influence everyday behaviour within the organization. Management’s create sub-cultures among their teams. Different departments have different cultures and risk tolerances etc. There is no defined criteria for each aspect of the business too. One can start with a model to audit culture. Employees are the best source of information about the culture. Culture is largely perception based. The problem is that employees might be fully honest, they work in silos, they may like to complain etc. The Board and management need to believe that the IA team has what to takes to audit culture. Some of the questions to ask are ‘Do our HR and talent practices reinforce the desired behaviors throughout the organization?’; ‘Does your business manage risk appropriately and in line with our risk appetite?’; ‘What do our leaders communicate to us about risk, ethics, and how we should be doing our work?’; ‘Does the company’s environment promote accountability for desired risk behaviors?’ The audit report must be worded in not a sensitive manner. IA needs to obtain evidence via appropriate engagement techniques. Sometimes, soft evidence can work as well. Structured interviews can be conducted for auditees. It is good to gather evidence from many employees. It is possible to add questions on ethics and culture to the annual employee survey. IA could present a monthly dashboard etc on data like customer survey results, customer complaints, turnover statistics etc.

A smarter approach to third-party risks. Adopting a focused collaborative strategy can help improve management of outsourced service providers. Third-party risks are very real, especially functions which have been outsourced. Banks are to held responsible for their third-parties’ performance. Data breaches in recent times have made this even more important. It is important to manage the risk from third-party vendors. It is good to map a list of third-parties you work with and the risks to be assessed and monitored. It may be useful to develop key risk and KPIs for areas where risk is increasing. It could be useful to send questionnaires to the third party to understand their risk exposure and risk appetite. Some companies are looking at group intelligence as a means of sharing due diligence data. Some firms have already set up risk consortiums. Managing outsourcing risks is vital to protecting shareholder value.

The Innovative Internal Auditor. As businesses strive to find opportunities in a world driven by technological transformation, internal auditors need to continually innovate to stay ahead of the game. IA cannot be static if they want to survive in the environment. Change is part of modern life and IA needs to adapt to changing needs. There is a need for IA to be more forward looking. Because of this, IA needs to innovate in the areas like audit automation, data analytics etc. One needs to adopt a continuous improvement mindset. It takes courage to innovate, but the team will reap the rewards. Get someone on your team to be in charge of innovation. Robots might be able to perform routine control testing. We need to embrace technology to its fullest capacity.

The Dynamics of Interpersonal Behavior. To be successful, auditors need to cultivate their soft skills just as much as their technical abilities. Soft skills like listening, understanding, questioning etc are just as important as hard skills. Sometimes, audit reports are not in sync with what stakeholders want. IA people need to form effective interpersonal relationships. People-centric skills are not easy to master. Auditors need to build trust over a few days. IA needs to keep to promises on deadlines, listen to feedback and deliver their goals. Auditees might feel there is a big difference between themselves and auditors and tend to look down on auditors. IA must approach from the angle that you are trying to help. Having a good mentor will help. Ultimately, IA needs to meet stakeholders’ demands.

Opportunity from Disruption. IA should try to understand emerging risks. Be forward thinking, via a strategic planning process and have more internal audit’s risk assessment process. It is also important to create flexibility in the audit plan. Be inclusive and communicate with the other lines of defence. Be business minded and hire from a wide variety of sources and ensure they have different types of training. Be flexible by design. Evaluate the nature and timeliness of IA’s procedures. Be talent ready.

It is important for IA to issue audit reports and follow-up on corrective actions taken soon after. Although IA reports to the AC, it still has to administratively report to the CEO. Having no time is not an excuse.

Internal-Audit

audit financial company tax investigation process business accounting

Annual Conference and Global Internal Audit Leadership Summit 2017 (27 Oct)

Managing Cyber Risks. (KPMG) Cybersecurity is one of the top 5 risks as rated by CAEs. Cyberattacks are one of the top 3 man-made risks which can be addressed. In a survey, Asian CEOs aren’t as well prepared as their US counterparts when dealing with cyber risks and cybersecurity. There is a need for cybersecurity risk assessment. Sometimes, insiders can provoke a cyberattack too. Due to the widening of the digital footprint, it can lead to greater cybersecurity threats. External threats like new technology, technology change, regulatory compliance and changing market forces will continue to affect the cyber landscape. The new cybersecurity bill by CSA is slated to be released in Feb 2018. The Bill will affect CIIs from 7 different industries. The cyber risk gap needs to be plugged through the use of specialist reviews and audits. Some of the losses that an organization could face are theft of client information, IP, corporate date, DOS attacks etc. Nowadays, it is quite common for the attacker to attack your service provider (since there are less strict internal controls) and get information from them about your company. Some of the staff from your vendor might not be well screened also. Usually, there is no point trying to figure out who the cyber-attacker is as it is hard to prosecute if it’s not in Singapore jurisdiction. Some of the tactics that cyber-attackers use is ransomware, key loggers, phishing, insider data theft and man in the middle attacks. Do not give away passwords at any cost. Training/education is important, more so that IT tools at times. As auditors, we can audit the data classification in an organization. Cybersecurity is a growing factor and needs to be included as a risk indicator. There needs to be a detailed response plan after being attacked. There is also a need to link the cybersecurity threats to your business. One can read the ISO27000 series, MAS TRM Guidelines, NIST, COBIT and others.

SAP Case Study. (SAP) SAP is a German company. Maintenance costs is a big part of the implementation costs of having such an ERP software. For SAP itself, some of the risks facing the organization are acquisition risks, cloud computing etc. Within the audit team, they use the SAP Audit Management Software, which is automated from the end to end auditing process. One will be able to see clear audit plan overviews and also real time status updates of the plan. There are also resource management tools in place which will help improve the global resource transparency. In addition, there are audit executive dashboards in use. All these lead to better cost savings, user satisfaction and faster audit cycles for the organization. As a result, during quality assessments, the IA function scores better. Analytics helps in audit sampling for auditors.

Internet of Things. (Microsoft) The Internet has shifted from the Internet of content to service to people and now to ‘Things’. Internet is very commonly used nowadays as it is more efficient and has led to increased productivity. It has brought the whole world together through Skype. There is data in chips in our everyday devices and such data can be harnessed for decision making. Some of the benefits of IoT are that it leads to 1) safety, comfort and efficiency; 2) faster decision making; 3) revenue generation. Some of the risks of IoT are 1) privacy, security and legal (types of data collected can be collected and should be collected etc). The major challenges that will be faced are to obtain the business and IT buy-in and also the fact that data magnitude can be huge and complex and hard to interpret. It is important for IA to stay ahead of the changes and understand the risks emanating from IoT. We need to be trusted advisers to the business. CAEs need to determine the skillsets required, like from data scientists, private specialists etc. IA needs to recruit the right people. We need to change our approach to how to audit etc. The process flow is like this: device connection -> data sensing -> communication (access rights) -> data analytics (queries etc) -> data value -> human value

Data Analytics at MAS. (MAS) Data is the new AIR that we breathe. Insight is the new storage of value also. There are a few Vs we need to be aware of: Veracity, Value etc. We have approached the other departments, like banking, insurance and capital markets, to understand what are the pain points of these departments. We have moved from rule based (AML + STR) to machine learning. There is a strong need to enforce data quality and to move from just big data to smart data. Labels must be given for supervised machine learning in order for it to work more efficiently. However, there is also such a thing as unsupervised machine learning etc. For data, there is a need to achieve generalisability. An important question to ask is whether your model can work on future data? Or just past data? Ensure that your data can be interpreted and cleaned before it can be used. The process is as follows: 1) know the question; 2) understand the data; 3) find the right algorithm; 4) be aware of the limitations; 5) be sceptical; 6) automate; 7) experiment. It is important to share insights across the different departments. Machine learning is a programme which automatically improve its performance through learning and experience. Culture is hard to change and in fact, culture is more important than the application of an algorithm.

Cybersecurity Lessons Learned. (SWIFT Asia Pacific) SWIFT is a co-operative that is based out of Belgium. Nowadays, cyberattacks are tailored for a particular institution and that can be really scary. Hackers are now able to perform multi-stage attacks. There is a hacker collaboration space in the dark web. Cross-border banking usually requires the use of SWIFT. Hackers have different motivations for committing crimes and it is difficult to predict. Cyber must be managed from the top-down. One needs to understand that spending money doesn’t make you more secure and there is a need to evaluate cost-benefit analysis. At times, it could be the client servers which have issues. There is a need to dictate how the client runs their programmes in order to secure their environment. There needs to be a cyber-response plan in place to address attacks and to recover. In future, SWIFT would make it compulsory for banks to report on their compliance to SWIFT’s assurance framework. This will certainly help to improve transparency.

Ethics in a Digital World. (Avande) Avanade is a cloud service provider and is a partnership between Accenture and Microsoft. In this digital age, there is a debate between Personalization vs Privacy. Facebook tried to have two bots chats with one another, but they turned racist and eventually had to be put down. Although AI development is swift, it might be necessary to put the guardrails on AI and curb its growth in view of ethical considerations. What is morally acceptable in today’s society? What is lawful? Digital is becoming a way of life and ethical behaviour is vital in this day and age. Is there a need for a framework to manage ethical dilemmas? What are the possibilities of digital tech? Core ethical values are embodied by leadership and there needs to be a good tone from the top.

IA in the Age of Transformation. (Asia Pacific Black Sun, Sofitel Singapore, UOB, NTUC, EDB) What are the elephants in the room? This refers to important issues that are not being addressed by IA. IA needs to keep themselves relevant. 43% of jobs in Singapore can eventually become automated (mechanized, robotized, digitalized) etc. However, there are still many opportunities in the audit space to add value. IA needs to be high tech, high touch (build strong relationships with management), and high trust. IA’s job is to highlight exceptions to management and in order to do so, they need to be loud and courageous in the boardroom and not shirk from difficult conversations. IA needs to avoid getting on the newspaper. IA needs to familiarize themselves in the area of sustainability reporting and professional scepticism. IA needs to constantly update themselves through attending training etc. Industrial domain knowledge is also important and this is usually learnt on-the-job. People retention is important and there could be a risk of knowledge loss without people. There is a need for IA to provide inputs on controls for IT projects right at the start. If there are no audit findings, it is possible for IA to issue a clean audit report. IA should gradually take on a more advisory role for the business.

auditing-service-singapore

Annual Conference and Global Internal Audit Leadership Summit 2017 (26 Oct)

Opening Address by Guest of Honour (Professor Tan Cheng Han). (SGX RegCo) Singapore Exchange Limited (SGX) has moved to a disclosure based regime for markets for regulators. Shareholders are active and can ask questions of the management or try to get rid of a few directors. There is a need to listen to businesses nowadays when trying to propose new regulations. We have moved from a prescriptive to a more principle based form of regulation. Nowadays, we listen to market participants and seek their inputs. We live in an uncertain world. Lawyers should facilitate transactions and not simply keep telling people want they cannot do. They should guide people to be able make decisions within the legal framework. In this way, it is similar to what Internal Audit does. As an auditor, it is important to stand your ground and do the right thing, all the time.

Transforming Internal Audit. (AIG) It is important for IA to be clear of their role. Internal Auditors should read the ‘Common Body of Knowledge’ by IIA and also the ‘Global Trends of 2030’. Our job is to find things and to help management see things that they have not been able to see (i.e. provide assurance). Many companies have evolved over the years, like IBM, GE, Rakuten in order to stay alive. Some might have to abandon their traditional model just to keep afloat. IA can also read ‘The Fourth Industrial Revolution’. Internal auditors should all get the Certified Internal Auditor certificate and show that they belong to a professional body with high standards. We all need to comply with IIA standards. The current IA role is shifting from one of assurance to also one of advice and insight. Some of the more recent trends in internal audit include performing data analytics on the whole population. Combined assurance is also one of the up and coming trends in Internal Audit.

In Conversation with an Audit Committee Chairman. (SIA, DKSH) The IA team in PwC has grown tremendously since its inception. The role of IA is to provide an independent assurance on governance and risk management. Is the level of risk management adequate for the business? IA should also get inputs from management on their performance. One factor to judge the CAE is on whether the audit plan is incomplete and what the status of the plan vs is the execution. One option is to conduct a 360degree feedback exercise. A CAE’s pay package should be established by the remuneration committee and with inputs from the audit committee. The bonus paid is relevant to the company’s profits and individual performance. IA is a business partner and must not be seen as competing/slowing down the business. There is a need for internal auditors to retain a strong ethical and moral compass when discharging their duties. If you feel you are being mistreated by management, do highlight this fact to the Audit Committee. In cases of disagreement with management, it is important to highlight to the AC what is your position. It may be wise for audit partners to resign from the audits where there is serious disagreement with management. Before joining an organization, it is important to try and assess its culture and whether the culture is ethical etc. The CAE must be outgoing and interact seamlessly with other stakeholders. He must demonstrate leadership potential etc. One way to assess that is through conducting reference checks on his background etc. It is not necessary for internal auditors to have accounting backgrounds. However, it is difficult to be a CEO without a finance/accounting background. In general, having a diverse IA team is important. As the chairman of the AC, it is important to do preparatory work and also to meet the IA informally a few times a year. For young auditors, it is important to spend on your own career development and set 3 year career plans on what do you want to achieve etc.

Innovative and Agile Internal Auditing at Google. (Google) In Google, the employees practice moonshot or 10x thinking and they try their best to think differently. Waymo is their project on self-driving cars. They have many interesting projects like on Calico, Capital G, Deepmind, GV, Jigsaw, Nest, Sidewalk Lass, Verlly, Waywo, X etc. Google was incorporated in 1998 by Sergey and Larry. Read the Founders’ letter to get an insight of some of Google’s core values. Also, on their website, there is a hilarious list of ’10 Things we know to be true’. Their IA has also to fit in with the culture at Google and they are moving away from SOX compliance to other forms of combined assurance. An intense level of collaboration is expected at Google. They use many syncs, tools and techniques to get their work. The stakeholders are usually understanding and it is not difficult for IA to receive information. Also, the IA team uses software so that the client can see the IA reports at any time and also there is live QnA that happens every Friday. The software will enable the IA team to view the project status live and also to view audit working papers. Audit findings are tracked using software. As for hiring, Google looks for collaborative people. As for other skills, Google looks out for cognitive abilities, role knowledge, leadership and Googleyness. The top down approach doesn’t always work and Google tends to empower employees instead. Due to the speed of change, the IA team only develops a 6 mth rolling audit plan and revises it accordingly due to changing level of risks.

Auditing Big Data. (New York State Office) In the New York auditors’ office, the IA role has been expanded to include both artificial intelligence and data analytics. Big data makes decision making easier and faster. Avoid rolling out apps when not many have access to the network. The greatest opportunities will come at a risk. You have to get comfortable with being uncomfortable. There is a need for big data and technical skillsets. Big data is large, complex and covers many complex data sets. There is a trend of lower cost of data storage. Despite this, data tags will help in the data retrieval. Big data has really helped the audit team in NY to improve the audit efficiency and effectiveness. There are mainly 4 risks associated with Big Data: 1) program governance; 2) tech availability and performance; 3) security and privacy; 4) data quality, management and reporting. When using big data, it is important to ensure that there is no invasion of privacy and that it is legal to collect and use any particular form of data. It’s a massive leap to fully integrate by data and analytics. The auditors analyze social media like Craig’s list to detect unlicensed car repair workshops etc. The team also builds AI when it is not available.

Geopolitical Risks – What does it mean to Organizations and Internal Audit? (Focus Strategic Group Inc) Internal Auditors need to understand global and regional trends facing them. There are many geopolitical risks in this world and these threats can lead to supply chain disruptions. There is a massive distribution of wealth problem in this world. Some of the major events that have impacted the world are the Israel/Palestine conflict, war in Syria, Greece debt, Brexit, appointment of Trump, Spain/Catalonia separation. There is an increasing trend of protectionism for major economies and these countries are also against immigration. Trump is against the North American Treaty agreements, the TPP etc. In this world, there is only the certainty of uncertainty. People fight over many things, like land, resources, religion, perceived inequalities etc. China is also striving for more economic co-operation and wants to be the next Superpower via their one Belt one Road programme. They are also looking at how to harvest resources in the Arctic Circle. China started the Asian Infrastructure Investment Bank (AIB) and there are currently 57 countries on board with them. This bank can help provide funding for major infrastructure projects. The 3 prominent tech companies in China are Baidu, Alibaba, Tencent etc. In IA, we need to ask ourselves whether our organizations are secure. There is also a frequent need to check asset risks, read up on the latest news and check countries’ sovereign ratings. It is also possible to buy insurance to cover losses arising from geopolitical risks.

Panel Discussion: Transforming Internal Audit. (VISA, GIC, Google, SIA) There is a need for internal auditors to develop a more diverse set of skills especially in this world of digitalization. IA can be the change agent and also shape the company’s culture. For listed companies, IA can check compliance with the listing rules with methodology. The modern IA role is beyond compliance and more towards advisory. There may be a need for IA to revamp its methodology and include the need for analytics. IA needs to be proactive, adaptable and diligent. As auditors, we need good communication and networking skills and have the willingness to do things better. There is a need to use CAATs like Qlikview, SQL, Tableau to improve data analytics skills. There is a need for executive support before a data analytics programme can be rolled out successfully. One should start with the small DA projects with ROIs in order to show to management that it can work. An advanced maturity of data analytics would include things like predictive/behavior analytics and robotic process reengineering/augmented intelligence. Whereever possible, it would be good for IA to be able to automate its processes. IA can perform the prediction and look through the red flags. It is important to have good mentors who will grow and support you in your relationship. Auditors need to be curious and learn continuously. Company culture can be assessed via analytics and by the conducting of employee opinion surveys.

Internal-Audit

audit financial company tax investigation process business accounting

Annual Conference and Global Internal Audit Leadership Summit 2017 (25 Oct)

Audit Committee’s Expectations of the Chief Audit Executive in an Uncertain World. (Singapore Institute of Directors) We live in an uncertain world with plenty of technological advancements and digitalization. The world can be termed as VUCA (volatile, uncertain, complex and ambiguous). The advent of tech companies like Uber, Airbnb have caused the downfall of many traditional businesses. One thing is for sure, technology is here to stay and it will continue to disrupt economies. The Financial Reporting Surveillance Programme by ACRA revealed that there is still work to be done in terms of complying with FRS for listed companies. The surveillance programme also reaches out now not just to companies with qualified audit opinions, but those with unqualified audit opinions. ACRA has stated 8 audit quality indicators which will be important for IAs to follow. The recent enhanced auditor report format requires the key audit matters and other information to be disclosed (notes to FS). In Jan 18, companies will need to comply with the IFRS 9 on Financial Instruments and the IFRS 15 on Revenue. Also, in general, there is a move from SFRS to IFRS convergence in Singapore. In addition, for listed companies, it is mandatory for them to produce sustainability reports. This is an area where auditors need to equip themselves with more knowledge. From the above, it is imperative that one unlearns, relearns etc. In addition to provide better assurance, IA can leverage off other assurance providers and work closely with ISD or consider performing co-sourcing etc. The 5 Ls that Internal Auditors need to possess are Learn (lifelong learning on data analytics and how to audit IT etc); Leverage (other assurance providers for AML, cybersecurity etc); Lead (lead the risk management, lead the combined assurance framework/Governance Risk Control framework etc); Live (treat Internal Audit as a form of meaningful work and be passionate about their work); Love (treat IA as a vocation, continue back to the IIA).

The Cyber Resilience Challenge. (RSM, DHL, Datalogic, CSA) To tackle cyber threats, there needs to be a good governance system in place. RSA has a GRC framework and business driven frameworks to address such risks. In addition to cyber risks, an organization must never forget the operational/financial risks and how the cyber risks linked to such risks. Due to the skill of hackers, it is likely everyone will be hacked and it is just a matter of time before it happens. There is a need to weigh the pros and cons of anti-cyber threat measures. In the audit space, IT auditors have a lot of potential to upscale and re-learn. For complex environments, it must be even necessary to develop a hacker mindset in order to perform vulnerability and threat testing. It is important for an organization to have a good risk culture. It is never wise to be naïve when it comes to cybersecurity. There is a need to consider the single points of failure as this might break the organization (for example: a lack of business continuity planning or the drawing up of DRP). In such cases, it might be better to build some form of redundancy. Ask yourself: if you were the CEO, what is the thing that keeps you awake at night? Do not ignore the threat of cybersecurity breaches in your organization.

Auditing at the Speed of Risk in the Digital Age. (DHL) Due to digitalization, IA needs to keep up to date with the latest market developments and update their risk assessments more frequently. Technology is the biggest game changer. Some of the threats that will be surfaced during a threat assessment would be things like malicious software, hacking attempts, unencrypted information, hacking and data theft. It is important to test the disaster recovery plans (DRPs) and BCPs. Ask yourself what do you fear? One should believe in lifelong learning.

Do one thing every day that scares you. – Eleanor Roosevelt

Maximising Value from the Three Lines of Defence. (DSTA) The first line is the management/ internal controls. The second line is risk management/safety/compliance functions. The third line is internal audit. IA has to move away from traditional assurance to advisory and advocacy work. However, do remember that the core IA work is still in still in assurance. Although advisory work is important, CAE should not take on roles that lead to conflict of interest. CAEs must remember that they do not endorse business decisions. The 3 lines of defence can be linked to the COBIT framework (IT governance). COSO framework also supports the 3 lines of defence model in an organization. Some of the attributes required for a successful 3LoDs are strategy, shared values, system, structure, staff and skills. IA could use dashboards and DA to make their work more efficient. Some are proposing a fourth line of defence for the financial industry (external auditor + MAS banking supervision). Internal Auditors must always fall back on the IPPF. KPIs like competency of procurement staff could be introduced.

The Customer Centric Audit: Learn How to Audit What Customers (and Your CEO) Actually Care About. (Proximity Risk and Assurance) How does one go about auditing the customer experience?  It is important to do so as it concerns the revenue area of the business. One can start by mapping out the customer journey. Identify the brand touchpoints with the customer and also assess the environment. Poor customer experience could have a negative impact on the business, like the United Airlines passenger who was thrown off the plane. IA needs to audit the risk of poor delivery. IA can indeed and should audit the customer experience. Avoid excessive controls as it might stifle the customer experience and affect the quality. Customer experience is something that will keep the CEO awake. IA can sometimes even pretend to be a mystery guest/customer to examine the quality of service. As part of documentation, IA can build up a customer journey matrix and add in the relevant departments responsible for the various sub-processes. Next, IA can test the expected journey vs actual feedback received from customers. If it’s the first audit report on this area, it would be advisable not to grade it. Always remember the importance of good customer experience as it is essential for customer retention.

Panel Discussion: Leading to Make a Difference. (Deloitte, Citi, MOHH, Olam) MOHH IA managed to evolve from a mainly compliance function to now one that fully incorporates DA. It has been a painful process but it has really helped to boost efficiency. IA is now moving beyond compliance. IA needs to adopt a pragmatic approach and look through the lens of the business. It is necessary to get the right strategy. The CAE must be able to engage the senior management well and also explain to them what IA is all about and how we can meet your expectations. In order to be able to influence management’s behavior, IA must have a deep in-depth knowledge of the business. IA should be seen as being impartial, but not be neutral. As the CAE, it is crucial to state one’s opinion and not sit on the fence. Although it may not be a right opinion, an opinion must be based on facts. To be seen as successful, IA needs to be seen as a growth enabler, and not slowing down the various processes. One such way to achieve this is that IA can get involved in the process design stage and give inputs and recommendations on controls. Olam has many e-learning modules to help IA team improve their competencies. Citi has a Chief Auditor for Innovation and they use many tools for analytics in their work. It is now very common for IAs to use data analytics to audit and now 100% sampling is possible. Due to the rigour of MAS’ inspections, banks like Citi needs to step up and comply. This forces the IA team to improve their quality. Instead of simply adding controls, auditors can remove controls to get rid of legacy issues which slow down processes. In order to stay relevant, Internal Auditors need to be passionate about their work and always remember their core job is still assurance.

auditing-service-singapore

IIA Magazine Dec 2016

One potential failure of ERM is that of green-washing, this is when crucial risks are pushed down into the larger collection of more trivial risks. Cybercrime is a current buzz risk. The first line of defence needs to take on better accountability for sound risk management and control.

Investors are pushing for more accountability and transparency behind decision-making. Shareholder activism is playing a big role nowadays.

The EU has released new general data protection regulation (GDPR) which intends to strengthen and unify data protection for individuals within the EU. However, most organizations say that they are not well prepared. Organizations should start preparing for this as it will kick off in May 2018.

Client Feedback. Audit performance can be fine-tuned with the right input from stakeholders. Feedback should aid audit performance. Feedback should be to the point and be specific and timely in order to be effective. Useful feedback can increase audit effectiveness. Feedback can be provided during the opening meeting, during the audit or during the closing meeting. The client should take the opportunity to clarify any concerns that they may have. During the closing meeting, IA needs to present the supporting documents and records. A post-audit questionnaire can be sent to the client after the audit.

Must-have Controls for Small Medium Enterprises. 5 controls can help SMEs protect themselves against cyber breaches. Sometimes, they do not have sufficient resources to deal with threats. Firstly, scan the network quarterly and identify vulnerabilities. Train employees on IT security. Protect sensitive information by inventorizing sensitive business processes and reviewing access to information. Learn to segment the network. Deploy extra protection for endpoints and encrypt the data. Learn to monitor the network, manage service providers, protect smart devices and monitor activity related to sensitive information.

A Holistic Approach to IT Risk. The COBIT framework can help auditors understand and address their organization’s technology risks. IT can be very complex but IA needs to evaluate the full range of IT risks. COBIT is valuable for the whole process, from end to end. The 5 key principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Internal auditors can use COBIT to understand the nature of IT risks that are unique to their organization.

A Toxic Culture. A department leader creates a hostile work environment by promoting friends and abusing employees and company assets. When many employees leave, there could be a sign of a toxic culture. There was an inadequate internal control system as no one tracked expenses. Critically review turnover data as this is a big red flag. Exit interview results should be reviewed regularly. Access control over reports should be reviewed and approved.

On The Rise. Learning is the key to do well in IA. Get students involved early and you can volunteer as a guest speaker on internal auditing topics. IA an get involved in many projects and act as change agents for the organization. Projects can allow one to build and develop business relationships with stakeholders. One can use data analytics during audit engagements. IA can add as a trusted advisor and perform consulting work. One can learn SQL, which is a tool for managing data. One could take others under their wing and mentor them so that they can grow. Interaction between auditee and IA must be positive. Spread the good word that your team does. IA should be innovative in addressing solutions. It is helpful to distinguish the different roles of EA and IA too. Communication skills are the key for IA’s success.

Growth through challenge. Current and past emerging leaders discuss the tough assignments that helped propel their careers forward. Challenges faced in your career can propel you to be a better auditor. It is good to share with others what are some of the common mistakes. See auditors as people and go in with a customer first mentality. Be client centric. Be prepared when you go for meetings and interviews. Get a mentor, build relationships, learn from your mistakes and learn to network. It is important to preserve independence and objectivity. Influencing mindsets are tough. Building relationships with auditees can be tough when you are new. It is important to have a good audit methodology. The learning curve can be steep especially if the industry is new for you. Some departments are resistant to let the IA perform audits on operations. Talent auditors are always in demand. Once you are good, you can engage the C-suite management easily and without fear. Young auditors are always eager for more opportunities.

It’s all in the delivery. Sharing difficult messages is an unavoidable part of the job for internal auditors. Some audit observations can be difficult to convey. You should always build the relationship before telling the bad news. Telling the bad news right away is unlikely to work. Using weekly updates once the exceptions are noted is the key. Preparation is the key to accomplishing objectives. It is important to be fair and factual. Focus on the process as well as content. If you can, you can tailor the response to the personality of the recipient. During the discussion, one can seek opportunities, offer to help, make it clear and maintain open body language. ‘If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake. Verbal updates are great, but periodic written updates go a long way. Auditors might get into trouble over their poor soft skills. Focus on the problem, include some positives, have a face-to-face meeting etc. The key is not to beat around the bush. EQ is important in helping good delivery. The key is to deliver bad news but still build a good relationship with the auditee.

Breaking Through. Women in business are taking on the barriers to advancement, and that’s good news for everyone. Diversity is good for the workplace. More women need to be in leadership positions. However, women might face issues like lack of support, exclusion, apathy. There needs to be sufficient support from male leaders. Men should be interested in achieving gender equality. Be You. Seize the Moment. Integrate Your Life. Earn Respect. Stay Behind Facts. Be realistic and practical. Forget silos. Think context before issue. Rethink reporting. Aim at destination with gratitude. Women may also face the motherhood penalty.

Mapping Assurance. Internal auditors can facilitate efforts to document the organization’s combined assurance activities. There are a variety of assurance providers. CAE can use an assurance map to co-ordinate assurance activities. It can also aid to prevent gaps in coverage. IA is well positioned to provide combined assurance. The plan should start with the organization’s strategic plan and the key risks that are associated with the strategic objectives. There should be 3 tiers of defence to provide assurance. IA need to assess the quality and quantity of assurance received.

A Winning Pair. Governance and automated controls must work in tandem to achieve maximum results. Good governance is the key. IA needs to access the current risk profile, mitigation activities and residual risks. Good behaviour requires time and employees should receive reminders in order to conduct good behaviour. Desired behaviour ultimately stems from the top.

The High-Performance Audit Team. Today’s complex, evolving business environment demands more of internal auditors. The world is changing and stakeholder expectations are increasing. IA can also rotate and fill other operational positions. An integrated internal audit function can boost performance. There is a strong need to invest in training and learning. Verbal, leadership, communication skills are very important. A high performance team can evolve to meet new challenges and reinvent itself. We also welcome constructive feedback from staff.

auditing-service-singapore