IIA Magazine Aug 2016 issue

Cybersecurity is an area that is lacking among major companies, and companies need to step up and strengthen it. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. The COSO framework is expected to be updated in 2017. It will be updated to include the latest risk management thinking and principles. IoT is going to have a big impact moving forward and there needs to be a comprehensive approach to dealing with it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how it is stored, and how to apply it. Automated audits are the new trend now. They can be applied to many aspects of the audit too. Understand what qualitative and quantitative data are and how they are measured. Understand how data is stored and the various formats. Any outliers should be thoroughly investigated. There are 4 types of analytics: descriptive, diagnostic, predictive and prescriptive. Learn to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lay low. They can steal credit card details and then sell them. Hackers use a vector to steal data, such as phishing. They also need to collect the data quickly and then cover their tracks. The hacker will verify that the cards are valid and start off with transactions of small amounts. If they go undetected, they may get bolder. IA can encourage the company to encrypt the credit card information and monitor access to networks. Access control needs to be checked too. IA is the third line of defence.

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not so neatly contained. The impact of this is growing. IoT is about interacting with the environment for business benefit. Emerging risks from IoT must be monitored closely. There are many benefits from using IoT devices too. Management needs to be aware of the risks too. There needs to be a deployment strategy too. A policy needs to be drawn up.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect the SWIFT codes. A cyber breach might definitely occur in future. There is increasing use of software to pick up behavioural anomalies. There needs to be both a protective and detective strategy. A response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from a technical and controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are making use of the cloud as compared to traditional data center infrastructure. Less manpower is needed to maintain a cloud as well. Servers can be added on demand too. IA needs to verify the security, reliability and availability of the data. No two clouds are the same but the common ones are infrastructure as a service, software as a service, platform as a service etc. It is good to obtain the SSAE 16 report on the vendor as evidence of its controls. It is difficult to track cloud deployment. Cloud assets can keep varying as well and it is difficult to monitor. The data is now stored on the same physical equipment as other organizations and there is a risk of leakage. A security program is still a must. Penetration testing needs to be done periodically to prevent hackers. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments can increase audit efficiency and spread control awareness throughout the organization. This is for process owners to self-evaluate the effectiveness of controls. This could be done via workshops, questionnaires etc. Sometimes, it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to the management. The process owners must be identified clearly. IA needs to independently verify some of their responses. For example, only key controls or only those rated as ineffective may be selected for further testing. Continuous support is a must and training must be provided. The right level of project sponsorship is important too. It can be implemented gradually. CSA enables IA to allocate resources to focus on areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving and focus on the organizations that we love. We need to constantly do the right thing and hone our communication skills. Effective communication is the key and getting to know the auditees well is the key. Listening well is crucial too. Nowadays, IA should adopt an integrated mindset. We need to broaden our IT knowledge to meet stakeholder expectations. Applying soft skills is important too. Our work must be guarded by ethics and transparency. We need to approach our work with a strategic focus too. There is also a need to focus on our future.

Optimizing IA. IA are being continually challenged to improve their effectiveness to better meet growing expectations and workloads. IA staffing levels remain relatively constant. IA must be aware of strategy and ensure that procedures align with that strategy. IA should understand what the external risks are. As for operational efficiency, IA should offer cost effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.



41 Ways to Improve the Audit Industry

Note: The following ideas are those which I feel might benefit the Audit Industry and lead to better job satisfaction for all. I have taken practical matters, such as cost and manpower issues, into consideration.

  1. Develop an updated centralized database of all Management Letter Points (MLPs). There is also a need to categorize them based on the various functions of a financial institution. Staff who raised the MLPs should bear the responsibility of uploading them to the MLP database after audit closure. During the off-peak season, staff are encouraged to read all the MLPs thoroughly as it will aid in their fieldwork.
  2. Try to provide comprehensive audit document request lists to the client at least a few days before commencement of the fieldwork and also to pre-empt what documents you may need from them (potential follow-up questions; based on previous similar audit engagements).
  3. Request for a slightly bigger audit room at the client’s premises in order to accommodate the documents that the client will send. This is also useful in view of any additional staff going to help out on the engagement.
  4. Remind the MAS officers-in-charge early of the need to approve our appointment as auditor for banks. Also, aim to conduct a discussion meeting with them as soon as possible.
  5. Aim to read the walkthrough + client’s policies and procedures before fieldwork. Identify the controls from your readings (PY walkthrough) even before conducting the walkthrough with the client.  Identify circumstances in which the client controls might fail and how the client can adequately address them (mitigating controls etc). Figure out what are the industry best practices and if possible, benchmark the client controls against the best practices.
  6. Fix the fieldwork dates with the client at least a few weeks in advance. It would be useful to give the client a warning about the fact that if they choose to go on leave during the fieldwork, it will hamper our audit progress and lead to an inefficient audit.
  7. Arrange for a fieldwork duration which is based on how much audit work is there to be performed. The fieldwork length should be sufficient so that audit work quality will not be compromised by staff rushing through their sections and performing shoddy work.
  8. Hiring more staff will ensure that engagements will have better staffing. Staff can then be more detailed in their fieldwork testing and this, in turn, leads to better audit assurance over the financial statements/other reporting.
  9. Management should constantly negotiate for higher fees (by citing additional regulatory requirements, identifying cross-selling opportunities etc). There is also a need to redesign audit procedures so that it is more focused on the key risk areas and less focus is placed on the less material areas.
  10. Encourage managers to visit the client premises more often in order to build and maintain client relationships and also to address any audit issues that the audit team might face. The client would also be pleased to chat with someone more experienced.
  11. Try to factor in more time for audit fieldwork (especially for new clients) and also perform a thorough review of the predecessor’s audit documentation. More staff are needed to be booked for this file review process.
  12. Commence the interim audit early (like early August) so that it will be less difficult to meet the deadlines moving forward. The staff trak should be updated earlier so that at least some fieldwork can be completed in August. Trainings should be conducted in the month of July, if possible.
  13. Superiors can provide words of encouragement or by saying things like ‘Well Done! Thanks for the hard work!’ to their associates. Also, superiors can treat their juniors to desserts/snacks/meals as this is a good way to boost team morale. Superiors should also periodically ask whether the associates have any problems/questions about their work. This is due to the fact that shy associates might keep problems to themselves. Do not create a climate of fear.
  14. Try to reduce the amount of administrative work by hiring more general non-audit staff to take care of dispatch work; folding of confirmation letters; raising of billing; issuing and drafting of engagement letter etc. Issue out engagement letters only when there is a change in the SSAs or when the engagement letter template has a material change from last year.
  15. Often, there are delays in issuing the financial statements because the typists are over-worked and take quite some time before they put through any amendments. The solution is to hire more typists in order to prevent a bottleneck situation from occurring.
  16. Often, there are delays in issuing the financial statements because the printing room administrators are over-worked and take quite some time before they check through the financial statements and print them. Also, the printing machine is unreliable and tends to break down. The solution is to hire more printing room administrators in order to prevent a bottleneck situation from occurring.
  17. Management should try and emphasize the goals and vision of our department on a bi-annual basis in a clear and coherent way. In this manner, the staff’s goals can be aligned to management’s and this will lead to less unhappiness on the ground.
  18. Staff should be allowed to request for a change in portfolio if they feel that they are not progressing with their current ones. Staff who request for changes just after the promotion period should be given a higher chance of success.
  19. An increase in annual bonus payout would also lead to better staff retention and happiness.
  20. It would be good if audit firms are more transparent and start to disclose the firm’s financial statements to employees. Better transparency would lead to better accountability as well. Besides, audit firms can serve as role models to the industry by providing model IFRS disclosure in their financial statements.
  21. The counselor should strive to meet up with their mentees at least 4 times a year (every quarter). This can be used as a tool to track the staff’s development over the past quarter. This would ensure that the staff feels valued and has ample opportunity to voice out any concerns. Often, people are too shy and will not approach the counselor directly. Therefore, it would be very helpful if the counselor makes the effort to reach out and know their mentees.
  22. An annual review of the audit documentation/firm’s processes should be conducted. This is necessary to streamline the firm’s processes for a more efficient audit the next year.
  23. There should be an emphasis towards the use of less manual working papers and a move towards more of an e-audit. An e-audit is more environmentally friendly and achieves the same level of audit assurance.
  24. Less admin work for audit staff could result if for instance, the firm’s processes have been streamlined and there is hiring of more general non-audit staff to perform some of the administrative duties.
  25. More empowerment can be given to staff. This could be in terms of less micro-management by superiors. Staff can be given more responsibility if they want to bestow it upon themselves.
  26. Better autonomy can be given to staff in the workplace. During the off-peak season, for instance, staff can be allowed to conduct trainings (both audit and non-audit) if they want to share their own knowledge with others.
  27. Get associates to provide feedback on seniors’ performance (360-degree feedback). Similarly, seniors can give feedback on managers. These feedbacks can play a small role in their annual KPI assessment.
  28. Staff can choose to master in a specific number of regulations (Banking Act, SFA etc). These staff can then help out with the annual FSI training slides.
  29. New joiners (and subsequently staff at the end of each year) should be allowed the freedom to choose which sub-industry they would like to work on (funds, banks, commodities, insurance, capital market licenses etc). For those who do not want to specialize yet, they can fall under the general track.
  30. Annual Excel and Bloomberg courses should be conducted by management for staff. Most staff are not familiar with useful Excel formulas and Bloomberg functions. It will be helpful to give them a formula sheet listing down the commonly used formulas.
  31. Upper management should talk to staff more to find out how they are doing. This could be done through the conducting of quarterly feedback sessions over breakfast etc, to understand concerns of the staff.
  32. In early July, a light hearted ‘End of Audit’ sharing session can be conducted for both staff and management to share any interesting findings they have uncovered during their audit.
  33. Staff should be engaged earlier and should be more involved in the preparing of regulatory checklists for the next financial cycle.
  34. It would be more ideal if there is at least 1 more printer in the department as FSG Q4 and Q6 break down too frequently.
  35. The wearing of ties for gentlemen on weekdays is not exactly value-adding. Wearing of ties can be uncomfortable and might adversely affect the performance of staff’s work.
  36. Inter-department games are fine but there should not be any mentor league games. Personally, I do not see much interaction going on between the different mentor groups during the competition as well. The building of the car in the Soap-Box Derby is a waste of staff’s time and resources as the car has to be disposed after the race and does not serve any meaningful purpose.
  37. Aim to develop a culture whereby everyone is willing to help one another in difficult times and cover each other’s back. Management can emphasize this point when they talk to staff.
  38. It would be good if staff have to clear less administrative review points and instead focus more on the audit work. Often, these administrative points provide little value to the client and do not provide additional audit assurance.
  39. More frequent rewards can be provided to staff, apart from the annual bonus. Rewards can take the form of holding more department outings/lunches and even through the use of words of encouragement.
  40. It is important to ensure that a new senior/manager is plotted before the previous one leaves the engagement. This is crucial in ensuring a smooth handover of duties and better audit efficiency.
  41. Noted the existence of an unhealthy completing-everything-at-the-last-minute culture. Everyone should strive to submit work/review work on a timely basis so as to avoid any client complaints and avoid causing unnecessary stress to others.


– The End –