IIA Magazine Apr 2016 issue

Soft skills seem to be lacking in some of the IA teams. There is the art of interviewing that must be executed properly. IA can set aside time to work with other parts of the business. Audit reports are not the only communication channel.

Time to Shift the Mindset. Pulse report urges IA to focus on culture and cybersecurity response. Board members should discuss with management to ensure that there is a common understanding. There is a risk of poor vendors and that firms could suffer from reputational damage. There needs to be strong third party risk practices.

Fraud Prevention. An effective control environment can deter or minimize the occurrence of fraudulent activities. Internal controls may not always be designed to prevent fraud. There must be a strong control environment for fraud prevention. Background checks and fraud related training can be useful indeed. Whistle-blowing hotlines can be set up. A certain level of anonymity must be ensured. No one person should complete control over a whole particular process, from start to end. Monitoring activities should take place on a frequent basis.

The Call no CAE wants to receive. A strong working relationship between IA and the CIO is essential to responding quickly to a cyber incident. This is important as cyber attacks can lead to reputational damage. One can verify the controls at the vendor and get them to fill up a data security risk assessment questionnaire. IA can be the trusted advisor that an organization needs.

Collaborative Risk Management. As organizations consolidate their risk processes, IA may not be able to continue to stand alone. Risk collaboration and organizing risks are more important nowadays. There is a need to be efficient about going about this. Risk needs to be organized neatly. ERM is one way to link everything together. Auditors should be open to other ideas on organizing and mitigating risk.

The Ticking Ethical Time Bomb. The financial loss from theft was secondary to the effect on company culture. Sometimes, the most obvious issue is no the more important one. Small frauds can lead to large ones. Reinforcing identity is also very smart sometimes, as it can help with ethical reinforcement. Increasing controls should not be done as a knee-jerk reaction sort of thing.

A Matter of Trust. Attention to detail and focused effort can help IA build the relationships required to be perceived as valued advisers. IA should be given time to innovate, gain an understanding of evolving challenges and talk to people in the business regularly about the issues they face. You help to build trust if you know what the regulators or other people are doing. Sometimes, top management might even tell CAE the problems that are upcoming. Relationship building and being part of the management team is crucial. However, there is still a need to be independent even if IA is like a trusted advisor. Try to leverage on technology.

‘IA can often be forgotten if it is not part of the core team, because it is less visible than those functions that meet and talk regularly.’

‘Auditors are there to make organizations better – it is a key part of the way they can add value. Not commenting when they see a better way to do something could show a certain lack of moral courage.’

Proactive Fraud Analysis. Integrating advanced forensic data analytics capabilities can help auditors mitigate fraud risks and demonstrate returns. IA can invest in such tools as it can help in the monitoring of risk. IA should ask ‘What are the high risk accounts?’; ‘When?’; ‘Where?’ etc. IA should focus on the low-hanging fruit first. The first project undertaken should be easy. Learn to go beyond the descriptive analytics. Learn to embrace both structured and unstructured data. Communication is the key. It would be good to automate the tests and involve the end-users. Also, learn to set a realistic timetable. Keep analytics simple and intuitive – don’t include too much information in one report so it isn’t easy to understand.

Getting More from Interviews. Instead of emphasizing formalities, IA should approach each interview like a conversation. You can gain insight into the way operations work and identify gaps etc. Plan your questions beforehand and be prepared. However, the less formal it is, the more information you can find out from the interview. Try to make it a conversation. Learning about the auditees’ life can help to build rapport and build the bond. Talk to others within the auditees’ same department. The interview’s purpose should be specific, attainable and outcome oriented. Preparing for the interview helps a lot. The location matters as well. Try to open in a way that makes the auditee at ease. Try to explain the purpose and the outcome of the interview. Learn to practise effective listening. One can ask thought provoking questions that will help to elicit information. Learn to practise active listening and show positive body language such as being attentive. You can prepare questions but there is no need to follow to a list strictly. It can be difficult to build rapport. Do not try to tell the interviewee that the interview must be done to complete the audit. Have lunch with auditees once in a while. People love to hear about themselves.

‘Auditors should be curious about the way processes work, the way the organization works, and perhaps most importantly, the people who make it work. Curiosity will lead to a better understanding of the organization, better ideas for improving the organization, and a better rapport with the individuals within the organization.’

On the Hunt for Payroll Fraud. Taking a close look at payroll risks can enable IA to help their organizations save money and identify wrongdoing. Payroll fraud is more common if there is irregular workforce patterns. Payroll is usually shrouded in secrecy. Overpayment is more common than underpayment. IA can also examine to seek actual cost savings/ productivity gains. IA can adopt a helicopter overview of payroll data and the payroll process. One can compare payroll costs with other organizations. Rosters should be designed to optimize the allocation of employees to operational needs. Management welcomes findings that reveal specific wrongdoing because they provide hard-to-dispute evidence. IA can look out for certain insights and then drill further. There are many common findings. The audit fieldwork needs to be well-researched and planned.

Guardians of Integrity. IA can provide insight into corporate identity and people-related risks. For instance, IA can evaluate the ethics and organizational integrity. IA must communicate with the board and management and be the corporate conscience. Testing the effectiveness of the ethics programs can be tough. It is important to understand how an organization defines success. It is important to uphold the code of ethics: integrity; objectivity; confidentiality; competence. IA should examine incident reports too. IA must be as wise as the board, as savvy as management, and as shrews as attorneys. Stakeholder surveys could be used to understand the management and employee ethics. IIA needs to exercise fair and ethical decision making.

Internal-Audit

audit financial company tax investigation process business accounting

Advertisements

IIA Magazine Aug 2017 issue

The Technology Issue

 A technology revolution. Tech is moving at a fast pace and some businesses may not be able to reap the benefits. IA needs to understand the evolving risk landscape related to the business. Tech will continue to disrupt the landscape and IA needs to reassess what data means to them going forward. Auditors help organizations avoid getting into trouble by identifying issues early and avoid them being surfaced by regulators or the media.

The Cyber Readiness Gap. Organizations may not be prepared for the attacks they are expecting. Ransomware is a big issue and thinks will get worse. Only half the organizations surveyed have a plan to address ransomware attacks. IA can help to scrutinize cybersecurity practices and plans. IT security governance needs to include the human factor in corporate risk analysis and assessment. IA can move from a supportive to front-seat role when building crisis-resilient culture.

More than Compliance with ‘A’. Transforming a compliance program into a value-adding activity starts with IA. Compliance with AML regulations are important. However, many managers do not see value in compliance work. IA needs to ensure compliance can provide real assurance. It is important to do the right thing and do things correctly. Ask yourself why there is a compliance requirement in the first place. IA needs to work with the first and second line of defence to ensure all risks are being addressed. IA should also question the need for, existence of, and adequacy of compliance with A. Sometimes, the original risks may not be present and hence the compliance requirement should not be relevant. One needs to examine the adequacy and effectiveness of the mitigating control. The audit needs to maximize the use of resources and analytics. One can use trend analysis to understand whether risk is increasing or decreasing. Effectiveness of controls can be tested with analytics.

‘But it should not be compliance simply for compliance sake. Internal audit should consider the overarching business objective and the controls that help mitigate risk to the achievement of the objective – even when examining compliance-related controls.’

Stop Clicking, Start Coding. SQL queries can enable internal auditors to uncover greater insights from organizational data. Data needs to be analysed etc. Some auditors are required to learn SQL. It is a language for managing data held in databases. To be good, logical thinking and reasoning are important and necessary for coding. SQL can be tailored for auditing needs and for ad-hoc queries. SQL and other audit software can form a powerful set of analytical tools.

Internal Audit needs risk management too. Managing its own risks can improve the audit function’s performance and demonstrate that it practices what it preaches. One key risk of IA is whether the department is strategically positioned within the organization its objectives. Other risks are whether the department has enough staff, on assurance etc. Reputation risks are important too, and so is compliance risks. Operational risks are like the resourcing problems, annual audit plan etc. If audits are behind schedule by about a month, it needs to be highlighted as a red flag. IA can also do a risk control self-assessment to evaluate internal controls in place.

The Cashier Cash Thief. Mounting family pressures and opportunity cause a trusted warranty clerk to pocket payments from customers. IA must emphasize the importance of SOD and monitor any exceptions. Trend analysis would allow organization to detect fraud more timely. Routine audits are vital for all cash processes. Mandatory vacations and rotation of duties should have prevented fraud from happening.

In Safe Hands. Organizations must grapple with a host of issues when determining how to best protect their data and manage the way it’s used. In Europe, there is a General Data Protection Regulation that goes into effect in spring 2018. It is a stricter regulation than ever before. Firms need to obtain consent for data collected from individuals. IA needs to go back to the drawing board to strike a balance. Respecting someone’s privacy rights is actually a soft skill and needs a soft approach. Privacy controls need to be engineered into business processes. Businesses must be clear about what they need the data for. Many companies do not know where their data comes from and how it is used. IA can be a role model in innovation etc.

Great tech expectations. As technology becomes more integrated with business processes, auditors must raise their IT skills. New auditors usually have better skills than older ones. People with expertise in IT will be in demand. Those with experience in DA will have an advantage over those who don’t. Experience with audit-specific software is also a plus. Auditors need to have an understanding of the infrastructure and applications being used. New authors are not usually well versed in soft skills. IA needs to have a good understanding of flow, controls and governance. Determine the specialty skills needed. Maintaining the right mix of generalists and specialists is a key IT challenge. IA needs to have a training plan for the IT risk and controls. Training hours need to be tracked and there needs to be information sharing at every meeting.

Building a data analytics program. Six strategies can facilitate progress when starting or furthering an analytics program. Many functions suffer from pitfalls/ setbacks. The six strategies are (1) create awareness rather than a silo; (2) understand the data before investing in a tool; (3) plan sufficiently; (4) think big picture; (5) Partner with IT; (6) Take advantage of visualization tools for inspired reporting.

#PurposeServiceImpact. The IIA’s 2017-2018 Global Chairman of the Board J Michael Peppers encourages IA to unify around the three concepts in his powerful hashtag. Purpose, Service and Impact are important words for our profession. It is about the why we do things. We should help enhance shareholder value through our work. Service is basically walking the talk. It is important to establish credibility with clients. We are both change agents and educators and need to do the right thing. Volunteering is important and internal auditors should strive to give back to the society. Always try to make a positive difference. We need to understand the purpose of the organization.

‘The best and most successful internal auditors I know understand that internal auditing is more than just a job: it is a sincere effort to improve the lot of others, whether organizations or individuals.’

The Root of the Matter. Performing root-cause analysis requires that auditors recognize common myths associated with the process. Addressing root cause will prevent the issue from recurring. Complex problems may be due a variety of factors. There may not be a single root cause at times. Use the 5 Why techniques. Sometimes, two root causes can lead to one problem. Some brainstorming is required to address all the root causes. One can use the fishbone diagram and identify problems in different categories like: Man, Machine, Measurements, Method, Materials, and Mother Nature. One can also use scatter diagrams to pair cause and effect and look for relationships. Good recommendations in the audit report should address the root causes of a problem. However, IA should understand that RCA requires time and resources and the organization must weigh the pros and cons of doing it.

Seven Steps to Transformation. IA can assist management throughout the many stages of business change. The first is pre-implementation review. It helps management to identify problems at the planning stage. Ask yourself what is the best ERP project model for ERP packages? The other steps are process/controls analysis, In-flight reviews, IT and User Acceptance Testing and Output/Results testing. The last 2 steps are post-implementation reviews and comparison to project management reviews.

It’s only one word. Excessive audit report wordsmithing is often a disservice to the client – and the audit function. Let those who did the work have a say in the changes. Never make a change unless you can explain why that change is necessary. Otherwise, you are just changing for personal preference. Always explain the reasons for any change to the person who wrote the original drafts. Do not be too anal about phrasing as this will result in rewriting and delays and frustrations.

‘Far too often, the lead, manager, chief audit executive doesn’t like what is written and starts editing the audit report. The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.’

The Data Analytics Strategy. Adding analytics to the audit methodology requires careful change management. Funding and resources needs to be provided. Integrate data analytics requirements into the audit methodology. Look for quick wins if possible. Use a champion to lead the strategy. CAE must emphasize that analytics is good as it improves audit efficiency. Analytics can add value not just to fieldwork, but also risk assessment and planning. Data is also evidence and that’s what sells well.

From ratings to Recommendations. Behavioural psychology suggests internal auditors’ approach could benefit from more carrot and less stick. Audit gradings are hated by auditees as it sends a signal that they did something wrong and that things are really bad. The SDT (self-determination theory) shows that human motivation is optimized when the following 3 are present: developing one’s skills (competency); exercising free will (autonomy); feeling connected with others (relatedness). Give your auditee the chance by sharing about common goals and building good relationships with them.

auditing-service-singapore

IIA Magazine June 2017 Issue

Courage under Fire. Public sector auditors need to have the courage to raise issues despite the political agenda in the public sector. Audits provide a cornerstone of good public sector governance. Targeted relationship building is very important. Courage is a pre-requisite of being an internal auditor.

Terrorism and Geopolitical risks. Violence and political uncertainty threaten business interests internationally. Overall, terrorism and political violence have been at high levels. Businesses need to have strategies to deal with the geopolitical climate.

SWIFT has improved their security standards via a customer security control framework, where banks must comply annually. SWIFT will report banks which don’t comply with the new standards.

Corruption usually happen because of a poor tone from the top. The younger generation seems to be more lax when it comes to ethics and to managing others. There needs to be strong leadership from the top to tackle bribery and corruption. The board has oversight of the company’s culture but management has the best position to shape culture. Firms can get insights from departments like HR, finance on the company’s culture. Companies that allow employees to store personal information in emails etc is asking for trouble.

Key stakeholder surveys. Internal auditors should look to get feedback from their most important customers. A QAIP is a requirement but surveys are rarely given to the AC and executive management. Audit should have the habit of surveying at the end of each assurance or advisory activity. The respondent should be able to make comments as well. If the scores are not satisfactory, the CAE should recommend some course of action. Survey results should be shared with AC etc. These results can enter the QAIP as well.

‘It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the Standards.’

Application Control Testing. Control reviews can help ensure critical software applications function effectively and securely. To audit effectively, it is necessary to audit application controls too. This covers every feature and function of the application. Next, one needs to identify the key application processes and the application controls. If necessary, an integrated audit should be performed. One can use the GTAG 8 to help. Auditors can validate input and output controls. Are the processing controls accurate? Are there critical errors in computations? There is a need to examine interface controls as well. IA needs to examine: output controls, storage controls, monitoring controls, configuration management, change controls and patch management.

The Risk in the Control Environment. Auditors need to think beyond check boxes to provide assurance that control processes are addressing risks. The control environment is difficult to measure. IA should not cover up control weaknesses to management. Policies change over time and become less applicable, hence the control environment shifts. SOD is useful, but in cases where the firm is too small, alternative measures need to be made. When there are personnel change, there might be an urgent need to re-train.

‘IA needs to ensure they have authority to analyse and communicate the situation beyond just the existence of policies. Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but just because it hasn’t failed to date should not minimize the impact of the gap.’

The ‘Free Trail’ Scam. Data analytics uncovers a sales force fraud using pre-paid credit cards to boost commissions. Be wary of pre-paid credit card usage among commissioned sales forces. There is a need to check credit card transactions against a BIN database. Understand how many customer accounts are associated with a single credit card number. Companies should request for customer credit scoring and upfront payment to prevent customer defaulting on payments.

Under Siege. Public sector auditors can face intimidation, isolation, retaliation, suspension – even termination – just for doing their job. For instance, if the audit conflict with an agency’s head’s political agenda, the agenda usually wins. CAEs might have to sue the government in the end. Targeted relationship building is important. Retaliation might reduce in a reduction of CAE’s duties. Sometimes, they are told to cease investigations. Sometimes, the CEO will tell you want to audit but you are not allowed to listen to the Board. Sometimes, the CAE has to supress facts in a report. The CAE needs to drive an open and ethical environment with the AC to prevent such things from happening. If you want to be the CAE, you need to establish clear reporting lines and ensure you have access to the Board right from the start. If you are not comfortable, walk away. Auditors should build relationships with those they work with. Start by winning over staff and explain your audit charter to them. Keep open lines of communication. Document and verify any disagreements and understand the root cause. Learn to create a paper trail for your findings. Sometimes, resigning is the only option. It is still better to do the right thing.

‘It’s very difficult to make a change if the organization is dysfunctional. Sometimes you can make renovations to a house that will improve the functionality, but sometimes you just have to declare the house condemned and start over.’

How to Audit Culture. Culture audits can help practitioners gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex. Culture is shaped by values that influence everyday behaviour within the organization. Management’s create sub-cultures among their teams. Different departments have different cultures and risk tolerances etc. There is no defined criteria for each aspect of the business too. One can start with a model to audit culture. Employees are the best source of information about the culture. Culture is largely perception based. The problem is that employees might be fully honest, they work in silos, they may like to complain etc. The Board and management need to believe that the IA team has what to takes to audit culture. Some of the questions to ask are ‘Do our HR and talent practices reinforce the desired behaviors throughout the organization?’; ‘Does your business manage risk appropriately and in line with our risk appetite?’; ‘What do our leaders communicate to us about risk, ethics, and how we should be doing our work?’; ‘Does the company’s environment promote accountability for desired risk behaviors?’ The audit report must be worded in not a sensitive manner. IA needs to obtain evidence via appropriate engagement techniques. Sometimes, soft evidence can work as well. Structured interviews can be conducted for auditees. It is good to gather evidence from many employees. It is possible to add questions on ethics and culture to the annual employee survey. IA could present a monthly dashboard etc on data like customer survey results, customer complaints, turnover statistics etc.

A smarter approach to third-party risks. Adopting a focused collaborative strategy can help improve management of outsourced service providers. Third-party risks are very real, especially functions which have been outsourced. Banks are to held responsible for their third-parties’ performance. Data breaches in recent times have made this even more important. It is important to manage the risk from third-party vendors. It is good to map a list of third-parties you work with and the risks to be assessed and monitored. It may be useful to develop key risk and KPIs for areas where risk is increasing. It could be useful to send questionnaires to the third party to understand their risk exposure and risk appetite. Some companies are looking at group intelligence as a means of sharing due diligence data. Some firms have already set up risk consortiums. Managing outsourcing risks is vital to protecting shareholder value.

The Innovative Internal Auditor. As businesses strive to find opportunities in a world driven by technological transformation, internal auditors need to continually innovate to stay ahead of the game. IA cannot be static if they want to survive in the environment. Change is part of modern life and IA needs to adapt to changing needs. There is a need for IA to be more forward looking. Because of this, IA needs to innovate in the areas like audit automation, data analytics etc. One needs to adopt a continuous improvement mindset. It takes courage to innovate, but the team will reap the rewards. Get someone on your team to be in charge of innovation. Robots might be able to perform routine control testing. We need to embrace technology to its fullest capacity.

The Dynamics of Interpersonal Behavior. To be successful, auditors need to cultivate their soft skills just as much as their technical abilities. Soft skills like listening, understanding, questioning etc are just as important as hard skills. Sometimes, audit reports are not in sync with what stakeholders want. IA people need to form effective interpersonal relationships. People-centric skills are not easy to master. Auditors need to build trust over a few days. IA needs to keep to promises on deadlines, listen to feedback and deliver their goals. Auditees might feel there is a big difference between themselves and auditors and tend to look down on auditors. IA must approach from the angle that you are trying to help. Having a good mentor will help. Ultimately, IA needs to meet stakeholders’ demands.

Opportunity from Disruption. IA should try to understand emerging risks. Be forward thinking, via a strategic planning process and have more internal audit’s risk assessment process. It is also important to create flexibility in the audit plan. Be inclusive and communicate with the other lines of defence. Be business minded and hire from a wide variety of sources and ensure they have different types of training. Be flexible by design. Evaluate the nature and timeliness of IA’s procedures. Be talent ready.

It is important for IA to issue audit reports and follow-up on corrective actions taken soon after. Although IA reports to the AC, it still has to administratively report to the CEO. Having no time is not an excuse.

Internal-Audit

audit financial company tax investigation process business accounting

IIA Magazine Jun 2016 issue

A toxic culture is present when your work negatively affects your health – physically and emotionally. An example of such could be a change in management or management through fear and intimidation. The two options are to leave or to name the problem and discuss to make it better. Payroll should have continuous checks and balances. It is not good to report risks on an ad-hoc basis. Talent issues and development need to be addressed. There is a strong need to fight corruption. However, whistle-blowing hotlines might be underutilized, as employees fear retaliation after reporting. There are some companies which do not trust enterprise cloud deployments still.

The Fire Drill. Auditors can learn to deliver a focused message that results in management action. Effective planning of our work is the key. For instance, we can look at past audit findings. Next, one should compensate with competence, meaning backing up observation with data and experience. Sell with the passion of a champion. Findings should be sold to address a control weakness that is causing an unacceptable risk. One needs to communicate the big risks well. In the end, we need to deliver a focused message that can result in management action.

The Tech-Savvy Auditor. Effective use of audit technology can enable audit departments to provide valuable insights. Most IA staff are not familiar with IT or have weak IT backgrounds. This is not acceptable. Technology can lead to a more efficient audit and also might cut fraud losses. There is a need to improve the audit software. There should be a data analytics centre in-house. There is a need to review software usage.

Integrating Key Risks and Performance Indicators. IA can leverage its risk knowledge to improve operational performance and reduce risks exposures. IA can provide assurance on the achievement of objectives. IA can encourage the formalization of KPIs and KRIs. KRIs can serve as an early signal of increasing risk exposure. There needs to be a formal project charter. There needs to be a KPI framework with proper planning, reporting, monitoring etc. The key metrics need to be identified and a dashboard can help to present graphically the results. The KRI should be closely linked to the KPI.

Toxic Leaders, Toxic Culture. IA can identify unhealthy behaviors that may undermine the organization. Culture will affect an organization’s success. Therefore, identifying the toxic leader is important. Toxic leaders want power and control. These tend to be autocratic leaders. They could have a strong sense of entitlement and focus on themselves and not the organization. Exerting power through fear can undermine morale. They do not like to be challenged and seek to manipulate others. Closed-minded leaders think of ‘My way or the highway’. There is no need to confront the toxic leader. IA can refer the person to compliance or legal counsel. One can use behavioural psychology to analyse. For a more objective method, one can look at the reasons for turnover and examine turnover rates. One can also look at employee engagement survey results. One needs to use experience and facts as much as possible.

Analytics and the small audit department. No matter the size of an audit function, analytics can be implemented for big gains. How to go about using analytics? Some simple ones to consider are benchmarking, variance analysis, ROA, turnover etc. The analytics must have goals and performance measures. Selecting the right data source is the key and there is a need to verify the accuracy of the source. Brainstorming can help to identify key data. It is crucial to have a plan that will allow IA to continue to improve its analytics capability. It is important to attain small wins in analytics.

Business Risk. Keynote speakers for this year’s IIA International Conference identify emerging risks facing organizations. Cyber risks is at the top of the priority list for many. Ransomware is a big threat to hospitals nowadays. Other threats include politics, the economy and terrorism. Social media risks sometimes aren’t within an organization’s control. Auditors should use corporate culture to work in their favour. An organization must monitor the external environment closely. There should be a common understanding of what the risk appetite and risk cultures are. Audit needs to adjust fast and invest continually in education. IA now also needs to learn to be innovative.

An Anti-corruption Check-up. Capability maturity models can help organizations assess the effectiveness of the anti-corruption programs. This model was developed at Carnegie Mellon University. One can use the model to identify strengths and weaknesses. There are basically 4 levels of maturity. There are 7 components that form the basis of anti-corruption maturity model. There is a need to tally the scorecard too.

Craft Our Role. IA should create the role for themselves that is best for both the organization and their own personal development. IA needs to be ingenious, use creativity and resourcefulness when developing their role. Do not limit the scope to be too small. It is important to be familiar with the business in order to value add properly. The control environment needs to be evaluated properly. One can develop business acumen. It is crucial to ask the right questions. IA should network more with the other departments to build rapport and also to get a feel about the management style in the department. Learn to practise combined assurance. One can work with another dept for a joint review. This is the way to maximize external resources.

Fraud and related-party transactions. IA can identify red flags and reduce the risk and impact of related-party fraud. IA need to be able to recognize related-party fraud risks. Providing loans at below market rates is a red flag. Failing to disclose the related-party nature of the loan is a red flag. IA should try to identify related party transactions. Try to identify whether employees have link to companies that transact with the organization itself. It is also possible to compare cost variations among vendors to see how they differ from the average cost. The organization should not pay costs significantly above market prices.

Communicating Results. Sharing audit observations is one of the most important tasks auditors perform. Communicating properly can help enhance rapport. Make sure the observations are correct and are not challenged by management. Plan the timing of issue dissemination, which is as soon as possible. Try not to surprise management at the end of the audit. Write clearly. Exercise diplomacy.

‘One of the quickest ways to lose management’s respect is to make it clear that IA does not understand what is has been auditing. The answer is to take the time to learn the business, processes, and risk associated with the audited area.’

Care and Feeding of The Company’s Culture. How can IA help to ensure a healthy organizational culture? Auditing culture is certainly work examining. Healthy organizations should have guidance on norms and expectations and a healthy tone at the top. Transparency is important. Management should think long term and have a sound strategy. Ask yourself whether the root cause is behavioural or cultural in nature. The problem with culture is that it is not clear cut and might be hard to evaluate. Those who are toxic in nature might be held accountable and be responsible.

Internal-Audit

 

IIA Magazine Aug 2016 issue

Cybersecurity is an area where it is lacking among major companies. Companies need to step up to beef this area up. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. The COSO framework is expected to be updated in 2017. It will be updated to include the latest risk management thinking and principles. IoT is going to have a big impact moving forward and there needs to be a comprehensive approach to go about doing it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how it is stored, and how to apply it. Automated audits are the new trend now. It can be applied to many aspects of the audit too. Understand what are qualitative and quantitative data and their measurements. Understand how data is stored and the various formats. Any outliers should be thoroughly investigated. There are 4 types: descriptive, diagnostic, predictive and prescriptive. Learn to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lay low. They can steal credit card details and then sell them. Hackers use a vector to steal data, such as phishing. They also need to collect the data quickly and then cover their tracks. The hacker will verify that the cards are valid and start off with transactions of small amounts. If they go undetected, they may get bolder. IA can encourage the company to encrypt the credit card information and monitor access to networks. Access control needs to be checked too. IA is the third line of defence.

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not so neatly contained. The impact of this is growing. IoT is about interacting with the environment for business benefit. Emerging risks from IoT must be monitored closely. There are many benefits from using IoT devices too. Management needs to be aware of the risks too. There needs to be a deployment strategy too. A policy needs to be drawn up.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect the SWIFT codes. A cyber breach might definitely occur in future. There is increasing use of software to pick up behavioural anomalies. There needs to be both a protective and detective strategy. A response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from a technical and controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are making use of the cloud as compared to traditional data center infrastructure. Less manpower is needed to maintain a cloud as well. Servers can be added on demand too. IA needs to verify the security, reliability and availability of the data. No two clouds are the same but the common ones are infrastructure as a service, software as a service, platform as a service etc. It is good to obtain the SSAE 16 report on the vendor as evidence of its controls. It is difficult to track cloud deployment. Cloud assets can keep varying as well and it is difficult to monitor. The data is now stored on the same physical equipment as other organizations and there is a risk of leakage. A security program is still a must. Penetration testing needs to be done periodically to prevent hackers. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments can increase audit efficiency and spread control awareness throughout the organization. This is for process owners to self-evaluate the effectiveness of controls. This could be done via workshops/ questionaires etc. Sometimes, it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to the management. The process owners must be identified clearly. IA needs to independently verify some of their responses. For example, only key controls or only those rated as ineffective may be selected for further testing. Continuous support is a must and training must be provided. The right level of project sponsorship is important too. It can be implemented gradually. CSA enables IA to allocate resources to focus on areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving and focus on the organizations that we love. We need to constantly do the right thing and hone our communication skills. Effective communication is the key and getting to know the auditees well is the key. Listening well is crucial too. Nowadays, IA should adopt an integrated mindset. We need to broaden our IT knowledge to meet stakeholder expectations. Applying soft skills are important too. Our work must be guarded by ethics and transparency. We need our approach our work with a strategic focus too. There is also a need to focus on our future.

Optimizing IA. IA are being continually challenged to improve their effectiveness to better meet growing expectations and workloads. IA staffing levels remain relatively constant. IA must be aware of strategy and ensure that procedures align with that strategy. IA should understand what the external risks are. As for operational efficiency, IA should offer cost effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.

pic_internal_audit_big