IIA Magazine June 2017 Issue

Courage under Fire. Public sector auditors need to have the courage to raise issues despite the political agenda in the public sector. Audits provide a cornerstone of good public sector governance. Targeted relationship building is very important. Courage is a pre-requisite of being an internal auditor.

Terrorism and Geopolitical risks. Violence and political uncertainty threaten business interests internationally. Overall, terrorism and political violence have been at high levels. Businesses need to have strategies to deal with the geopolitical climate.

SWIFT has improved their security standards via a customer security control framework, where banks must comply annually. SWIFT will report banks which don’t comply with the new standards.

Corruption usually happen because of a poor tone from the top. The younger generation seems to be more lax when it comes to ethics and to managing others. There needs to be strong leadership from the top to tackle bribery and corruption. The board has oversight of the company’s culture but management has the best position to shape culture. Firms can get insights from departments like HR, finance on the company’s culture. Companies that allow employees to store personal information in emails etc is asking for trouble.

Key stakeholder surveys. Internal auditors should look to get feedback from their most important customers. A QAIP is a requirement but surveys are rarely given to the AC and executive management. Audit should have the habit of surveying at the end of each assurance or advisory activity. The respondent should be able to make comments as well. If the scores are not satisfactory, the CAE should recommend some course of action. Survey results should be shared with AC etc. These results can enter the QAIP as well.

‘It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the Standards.’

Application Control Testing. Control reviews can help ensure critical software applications function effectively and securely. To audit effectively, it is necessary to audit application controls too. This covers every feature and function of the application. Next, one needs to identify the key application processes and the application controls. If necessary, an integrated audit should be performed. One can use the GTAG 8 to help. Auditors can validate input and output controls. Are the processing controls accurate? Are there critical errors in computations? There is a need to examine interface controls as well. IA needs to examine: output controls, storage controls, monitoring controls, configuration management, change controls and patch management.

The Risk in the Control Environment. Auditors need to think beyond check boxes to provide assurance that control processes are addressing risks. The control environment is difficult to measure. IA should not cover up control weaknesses to management. Policies change over time and become less applicable, hence the control environment shifts. SOD is useful, but in cases where the firm is too small, alternative measures need to be made. When there are personnel change, there might be an urgent need to re-train.

‘IA needs to ensure they have authority to analyse and communicate the situation beyond just the existence of policies. Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but just because it hasn’t failed to date should not minimize the impact of the gap.’

The ‘Free Trail’ Scam. Data analytics uncovers a sales force fraud using pre-paid credit cards to boost commissions. Be wary of pre-paid credit card usage among commissioned sales forces. There is a need to check credit card transactions against a BIN database. Understand how many customer accounts are associated with a single credit card number. Companies should request for customer credit scoring and upfront payment to prevent customer defaulting on payments.

Under Siege. Public sector auditors can face intimidation, isolation, retaliation, suspension – even termination – just for doing their job. For instance, if the audit conflict with an agency’s head’s political agenda, the agenda usually wins. CAEs might have to sue the government in the end. Targeted relationship building is important. Retaliation might reduce in a reduction of CAE’s duties. Sometimes, they are told to cease investigations. Sometimes, the CEO will tell you want to audit but you are not allowed to listen to the Board. Sometimes, the CAE has to supress facts in a report. The CAE needs to drive an open and ethical environment with the AC to prevent such things from happening. If you want to be the CAE, you need to establish clear reporting lines and ensure you have access to the Board right from the start. If you are not comfortable, walk away. Auditors should build relationships with those they work with. Start by winning over staff and explain your audit charter to them. Keep open lines of communication. Document and verify any disagreements and understand the root cause. Learn to create a paper trail for your findings. Sometimes, resigning is the only option. It is still better to do the right thing.

‘It’s very difficult to make a change if the organization is dysfunctional. Sometimes you can make renovations to a house that will improve the functionality, but sometimes you just have to declare the house condemned and start over.’

How to Audit Culture. Culture audits can help practitioners gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex. Culture is shaped by values that influence everyday behaviour within the organization. Management’s create sub-cultures among their teams. Different departments have different cultures and risk tolerances etc. There is no defined criteria for each aspect of the business too. One can start with a model to audit culture. Employees are the best source of information about the culture. Culture is largely perception based. The problem is that employees might be fully honest, they work in silos, they may like to complain etc. The Board and management need to believe that the IA team has what to takes to audit culture. Some of the questions to ask are ‘Do our HR and talent practices reinforce the desired behaviors throughout the organization?’; ‘Does your business manage risk appropriately and in line with our risk appetite?’; ‘What do our leaders communicate to us about risk, ethics, and how we should be doing our work?’; ‘Does the company’s environment promote accountability for desired risk behaviors?’ The audit report must be worded in not a sensitive manner. IA needs to obtain evidence via appropriate engagement techniques. Sometimes, soft evidence can work as well. Structured interviews can be conducted for auditees. It is good to gather evidence from many employees. It is possible to add questions on ethics and culture to the annual employee survey. IA could present a monthly dashboard etc on data like customer survey results, customer complaints, turnover statistics etc.

A smarter approach to third-party risks. Adopting a focused collaborative strategy can help improve management of outsourced service providers. Third-party risks are very real, especially functions which have been outsourced. Banks are to held responsible for their third-parties’ performance. Data breaches in recent times have made this even more important. It is important to manage the risk from third-party vendors. It is good to map a list of third-parties you work with and the risks to be assessed and monitored. It may be useful to develop key risk and KPIs for areas where risk is increasing. It could be useful to send questionnaires to the third party to understand their risk exposure and risk appetite. Some companies are looking at group intelligence as a means of sharing due diligence data. Some firms have already set up risk consortiums. Managing outsourcing risks is vital to protecting shareholder value.

The Innovative Internal Auditor. As businesses strive to find opportunities in a world driven by technological transformation, internal auditors need to continually innovate to stay ahead of the game. IA cannot be static if they want to survive in the environment. Change is part of modern life and IA needs to adapt to changing needs. There is a need for IA to be more forward looking. Because of this, IA needs to innovate in the areas like audit automation, data analytics etc. One needs to adopt a continuous improvement mindset. It takes courage to innovate, but the team will reap the rewards. Get someone on your team to be in charge of innovation. Robots might be able to perform routine control testing. We need to embrace technology to its fullest capacity.

The Dynamics of Interpersonal Behavior. To be successful, auditors need to cultivate their soft skills just as much as their technical abilities. Soft skills like listening, understanding, questioning etc are just as important as hard skills. Sometimes, audit reports are not in sync with what stakeholders want. IA people need to form effective interpersonal relationships. People-centric skills are not easy to master. Auditors need to build trust over a few days. IA needs to keep to promises on deadlines, listen to feedback and deliver their goals. Auditees might feel there is a big difference between themselves and auditors and tend to look down on auditors. IA must approach from the angle that you are trying to help. Having a good mentor will help. Ultimately, IA needs to meet stakeholders’ demands.

Opportunity from Disruption. IA should try to understand emerging risks. Be forward thinking, via a strategic planning process and have more internal audit’s risk assessment process. It is also important to create flexibility in the audit plan. Be inclusive and communicate with the other lines of defence. Be business minded and hire from a wide variety of sources and ensure they have different types of training. Be flexible by design. Evaluate the nature and timeliness of IA’s procedures. Be talent ready.

It is important for IA to issue audit reports and follow-up on corrective actions taken soon after. Although IA reports to the AC, it still has to administratively report to the CEO. Having no time is not an excuse.

Internal-Audit

audit financial company tax investigation process business accounting

Advertisements

IIA Magazine April 2017 issue

Business Resiliency is about the organization’s ability to quickly adapt to risk events such as these while maintaining continuous operations and safeguarding its employees, assets, and brand equity.

Malware, Ransomware and man-in-the-middle attacks are common security issues for organizations

Some organizations lack a clear risk management program and that is a problem. Lack of resources, complexity and inability to get started are some of the reasons cited.

  1. Communication errors/ misinformation over company performance through channels other than financial reports; 2. Environment, health and safety is an area which is high risk, but not many IA covers this.

Cyber risks are also a main area where IA needs to be concerned about.

Learn to work smart and not harder. Employers should 1) acknowledge the problem; 2) appreciate the employee; 3) identify the root cause; 4) define the roadblock; 5) Devise a solution (training, resource allocation, process improvements); 6) Circle back. Guiding an employee well will result in an increase in productivity and morale.

The Data Museum. IA can compile organizational data in structured exhibits. Auditors need to use data warehousing principles to clean the data and structure it once that it is ready for analysis. Before storing data, consider the following: relevance, reliability; reusability; rarity. For instance, SQL can be used to extract, transform and load the data. Learn to run SQL statements. As for audit tools, auditors can use data visualization and advanced reporting techniques. Use a relational database and start small. Ensure that there are audit trails and logs.

The Many Facets of Risk. Risk is always multi-faceted. Look at the product and market research life cycle. It is important to do the strategy and competitive analysis like via SWOT, Porters’ 5 forces etc. Financial Management like NPV calculations aid in project-making decisions. Operations Management is about maintaining the optimum amount of inventory, like the EOQ method. Forecasting sales and demand is also a risk. Human resource risks and quality management risks are also possible. IA can act to cross-pollinate risks via mathematical or management methods.

Life of Luxury (Embezzlement). When too much power, accounting and budgeting etc, resides with the head, too much risks exists and there is potential fraud risk. There were too many over budgeted accounts in this case. Also, a person spending excessively or leading a lavish lifestyle will arouse suspicion. There are many lessons that the IA can learn: include riskier businesses in the IA plan; question how beneficial is the whistle-blowing hotline; an audit on payroll can detect payment to ficitious persons/ other people; review the acceptable use policy for all corporate-issued credit cards.

Resilience Through Crisis. Organizations all need to overcome crises and emerge stronger. The BP oil-spill PR was handled badly. IA can audit the crisis management plan. A crisis team should be cross-functional and with each goal clearly defined. IA should also be part of the team to ensure that the team is addressing the appropriate issues. The team should identify potential crises and IA can chip in. Next, a comprehensive crisis plan should be developed. Effective communication is the key and there must be a plan to inform stakeholders quickly. It is also important to have a spokesperson to handle the media etc. General templates can be used for media statements. Experts can be used as well. Crisis simulations should be conducted, like table-top exercises etc. IA should be the observer in all simulations. After the crisis, the crisis management team should evaluate the effectiveness and the performance of the plan.

Hit the Ground Running. The trend is to convert interns in IA into the permanent establishment as they already understand some of the company’s operations. One option is to transfer existing staff to IA. Interns who perform well stand to be converted. Interns are also less costly and can be used during peal-periods. There needs to be a significant investment in developing a good internship programme. There needs to be a plan all along. When you plan, it is important to prepare a job description, program budget, hiring plan and schedule. Provide guidelines for the interns to do work and make the audit project interesting for them. Teach them soft skills in the audit. Give them real assignments. Stretch them and ensure that they can contribute and make their internship meaningful.

Climbing the Scale. Turn to maturity models. Maturity models can rank from 1 to 5. They can be expanded into many business areas nowadays. Maturity models can be more meaningful than a simple pass/fail. Using this can convey a more positive collaborative tone too. Acknowledge what the client is doing already to improve processes and controls. A maturity model also focuses more on processes than people and seems more non-threatening. The models you can use are CMMI, C2M2, COBIT, P3M3, RMM, TMMi etc. Develop a dynamic risk assessment approach. IA should provide both assurance and insight. One can use the ISO standardized frameworks to compare the organization’s maturity level against. At times, the highest level of maturity might not be required as a lot of resources will be required. Maturity models can be very judgemental indeed. To succeed, IA needs to choose the correct model and be flexible when applying it. Build the best model and find a project champion if possible.

From the Same Playbook. IA needs to align its work with the organization’s strategy. There are debates as to whether IA should provide assurance around risks affecting company strategy. It depends on the CAE. However, not all top executives will want to discuss strategy with the CAE. There can be a disconnect as IA usually does not audit the latest transformations and developments in the company. Some IA prefer to audit compliance, which they are more familiar with. Two big risks are not having effective strategy or not executing them properly. CAE should think like CEOs and think through different perspectives and figure out how to maximize shareholder value. IA can perform gross profit margin analysis etc. There needs to be a balance between strategic-level audits and compliance based audits. Have discussions with management and the audit committee on strategy. It is for IA to look into strategy risks and the risks of entering any particular strategy.

Three Lines in Harmony. A Centralized testing model will enable the 3 lines of defence to rely on each others’ work. Front-line management is the first line of defense, risk/compliance functions are the second line of defense, internal audit is the third line of defense. It is important to co-ordinate so as to ensure all areas are covered and there are no duplications. Relying on others can also provide an increase in efficiency. Ensure that there are proper service agreements if there is a centralized testing unit. Automatic testing preferred and desired. There is a need to document the risk framework.

Signature Audits. Auditors should try to identify and respond to emerging risks. Most IA confirm concerns already identified by management. IA can do a mystery shopper role, or perform simulations to test controls. IA now need to be more innovative and curious. Signature Audits refer to thinking out of the box to design appropriate test procedures (example: penetration testing or social engineering). IA can identify best practices or try to circumvent processes rather than test them.

Internal-Audit