Courage under Fire. Public sector auditors need to have the courage to raise issues despite the political agenda in the public sector. Audits provide a cornerstone of good public sector governance. Targeted relationship building is very important. Courage is a pre-requisite of being an internal auditor.
Terrorism and Geopolitical risks. Violence and political uncertainty threaten business interests internationally. Overall, terrorism and political violence have been at high levels. Businesses need to have strategies to deal with the geopolitical climate.
SWIFT has improved their security standards via a customer security control framework, where banks must comply annually. SWIFT will report banks which don’t comply with the new standards.
Corruption usually happens because of a poor tone from the top. The younger generation seems to be more lax when it comes to ethics and to managing others. There needs to be strong leadership from the top to tackle bribery and corruption. The board has oversight of the company’s culture but management has the best position to shape culture. Firms can get insights on the company’s culture from departments like HR and finance. Companies that allow employees to store personal information in emails etc are asking for trouble.
Key stakeholder surveys. Internal auditors should look to get feedback from their most important customers. A QAIP is a requirement but surveys are rarely given to the AC and executive management. Audit should have the habit of surveying at the end of each assurance or advisory activity. The respondent should be able to make comments as well. If the scores are not satisfactory, the CAE should recommend some course of action. Survey results should be shared with AC etc. These results can enter the QAIP as well.
‘It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the Standards.’
Application Control Testing. Control reviews can help ensure critical software applications function effectively and securely. To audit effectively, it is necessary to audit application controls too. This covers every feature and function of the application. Next, one needs to identify the key application processes and the application controls. If necessary, an integrated audit should be performed. One can use GTAG 8 to help. Auditors can validate input and output controls. Are the processing controls accurate? Are there critical errors in computations? There is a need to examine interface controls as well. IA needs to examine: output controls, storage controls, monitoring controls, configuration management, change controls and patch management.
The Risk in the Control Environment. Auditors need to think beyond check boxes to provide assurance that control processes are addressing risks. The control environment is difficult to measure. IA should not cover up control weaknesses to management. Policies change over time and become less applicable, hence the control environment shifts. SOD is useful, but in cases where the firm is too small, alternative measures need to be put in place. When there are personnel changes, there might be an urgent need to re-train.
‘IA needs to ensure they have authority to analyse and communicate the situation beyond just the existence of policies. Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but just because it hasn’t failed to date should not minimize the impact of the gap.’
The ‘Free Trial’ Scam. Data analytics uncovers a sales force fraud using pre-paid credit cards to boost commissions. Be wary of pre-paid credit card usage among commissioned sales forces. There is a need to check credit card transactions against a BIN database. Understand how many customer accounts are associated with a single credit card number. Companies should request customer credit scoring and upfront payment to prevent customers defaulting on payments.
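The two checks described above (card type from a BIN lookup, and customer accounts per card) can be run per sales representative. This is an added example, not code from the article; the BIN values, names, card tokens and the 50% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed BIN lookup (not real issuer data): first six card digits -> funding type.
BIN_TABLE = {"400000": "credit", "510000": "debit", "999901": "prepaid", "999902": "prepaid"}

# Constructed sign-ups: (sales_rep, account, card BIN, card token standing in for a tokenised PAN).
SIGNUPS = [
    ("rep_a", "acct-001", "400000", "tok-01"),
    ("rep_a", "acct-002", "510000", "tok-02"),
    ("rep_b", "acct-101", "999901", "tok-10"),
    ("rep_b", "acct-102", "999901", "tok-10"),
    ("rep_b", "acct-103", "999902", "tok-11"),
    ("rep_b", "acct-104", "999902", "tok-11"),
    ("rep_b", "acct-105", "400000", "tok-12"),
    ("rep_c", "acct-201", "123456", "tok-20"),
]

def accounts_per_card(signups):
    """Map each card token to the set of customer accounts that used it."""
    accounts = defaultdict(set)
    for _rep, account, _bin, token in signups:
        accounts[token].add(account)
    return accounts

def flag_reps(signups, bin_table, prepaid_share=0.5, max_accounts=1):
    """Return {rep: reasons} for reps whose sign-ups match a red flag."""
    shared = {t for t, a in accounts_per_card(signups).items() if len(a) > max_accounts}
    stats = defaultdict(lambda: {"total": 0, "prepaid": 0, "shared": set(), "unknown": 0})
    for rep, _account, card_bin, token in signups:
        s = stats[rep]
        s["total"] += 1
        kind = bin_table.get(card_bin)
        if kind is None:
            s["unknown"] += 1  # BIN missing from the table: report it, do not guess
        elif kind == "prepaid":
            s["prepaid"] += 1
        if token in shared:
            s["shared"].add(token)
    flagged = {}
    for rep, s in stats.items():
        reasons = []
        if s["prepaid"] / s["total"] >= prepaid_share:
            reasons.append(f"prepaid {s['prepaid']}/{s['total']}")
        if s["shared"]:
            reasons.append(f"shared cards: {sorted(s['shared'])}")
        if s["unknown"]:
            reasons.append(f"unknown BINs: {s['unknown']}")
        if reasons:
            flagged[rep] = reasons
    return flagged
```

A flagged representative is a lead for follow-up review of the underlying accounts, not a finding in itself.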
Under Siege. Public sector auditors can face intimidation, isolation, retaliation, suspension – even termination – just for doing their job. For instance, if the audit conflicts with an agency head’s political agenda, the agenda usually wins. CAEs might have to sue the government in the end. Targeted relationship building is important. Retaliation might result in a reduction of the CAE’s duties. Sometimes, they are told to cease investigations. Sometimes, the CEO will tell you what to audit but you are not allowed to listen to the Board. Sometimes, the CAE has to suppress facts in a report. The CAE needs to drive an open and ethical environment with the AC to prevent such things from happening. If you want to be the CAE, you need to establish clear reporting lines and ensure you have access to the Board right from the start. If you are not comfortable, walk away. Auditors should build relationships with those they work with. Start by winning over staff and explain your audit charter to them. Keep open lines of communication. Document and verify any disagreements and understand the root cause. Learn to create a paper trail for your findings. Sometimes, resigning is the only option. It is still better to do the right thing.
‘It’s very difficult to make a change if the organization is dysfunctional. Sometimes you can make renovations to a house that will improve the functionality, but sometimes you just have to declare the house condemned and start over.’
How to Audit Culture. Culture audits can help practitioners gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex. Culture is shaped by values that influence everyday behaviour within the organization. Managers create sub-cultures among their teams. Different departments have different cultures and risk tolerances etc. There are no defined criteria for each aspect of the business either. One can start with a model to audit culture. Employees are the best source of information about the culture. Culture is largely perception based. The problem is that employees might not be fully honest, they work in silos, they may like to complain etc. The Board and management need to believe that the IA team has what it takes to audit culture. Some of the questions to ask are ‘Do our HR and talent practices reinforce the desired behaviors throughout the organization?’; ‘Does your business manage risk appropriately and in line with our risk appetite?’; ‘What do our leaders communicate to us about risk, ethics, and how we should be doing our work?’; ‘Does the company’s environment promote accountability for desired risk behaviors?’ The audit report must be worded in a manner that is not sensitive. IA needs to obtain evidence via appropriate engagement techniques. Sometimes, soft evidence can work as well. Structured interviews can be conducted for auditees. It is good to gather evidence from many employees. It is possible to add questions on ethics and culture to the annual employee survey. IA could present a monthly dashboard etc on data like customer survey results, customer complaints, turnover statistics etc.
A smarter approach to third-party risks. Adopting a focused collaborative strategy can help improve management of outsourced service providers. Third-party risks are very real, especially for functions which have been outsourced. Banks are to be held responsible for their third-parties’ performance. Data breaches in recent times have made this even more important. It is important to manage the risk from third-party vendors. It is good to map a list of third-parties you work with and the risks to be assessed and monitored. It may be useful to develop key risk indicators and KPIs for areas where risk is increasing. It could be useful to send questionnaires to the third party to understand their risk exposure and risk appetite. Some companies are looking at group intelligence as a means of sharing due diligence data. Some firms have already set up risk consortiums. Managing outsourcing risks is vital to protecting shareholder value.
The Innovative Internal Auditor. As businesses strive to find opportunities in a world driven by technological transformation, internal auditors need to continually innovate to stay ahead of the game. IA cannot be static if they want to survive in the environment. Change is part of modern life and IA needs to adapt to changing needs. There is a need for IA to be more forward looking. Because of this, IA needs to innovate in areas like audit automation, data analytics etc. One needs to adopt a continuous improvement mindset. It takes courage to innovate, but the team will reap the rewards. Get someone on your team to be in charge of innovation. Robots might be able to perform routine control testing. We need to embrace technology to its fullest capacity.
The Dynamics of Interpersonal Behavior. To be successful, auditors need to cultivate their soft skills just as much as their technical abilities. Soft skills like listening, understanding, questioning etc are just as important as hard skills. Sometimes, audit reports are not in sync with what stakeholders want. IA people need to form effective interpersonal relationships. People-centric skills are not easy to master. Auditors need to build trust over a few days. IA needs to keep to promises on deadlines, listen to feedback and deliver their goals. Auditees might feel there is a big difference between themselves and auditors and tend to look down on auditors. IA must approach from the angle that you are trying to help. Having a good mentor will help. Ultimately, IA needs to meet stakeholders’ demands.
Opportunity from Disruption. IA should try to understand emerging risks. Be forward thinking, via a strategic planning process and have more internal audit’s risk assessment process. It is also important to create flexibility in the audit plan. Be inclusive and communicate with the other lines of defence. Be business minded and hire from a wide variety of sources and ensure they have different types of training. Be flexible by design. Evaluate the nature and timeliness of IA’s procedures. Be talent ready.
It is important for IA to issue audit reports and follow-up on corrective actions taken soon after. Although IA reports to the AC, it still has to administratively report to the CEO. Having no time is not an excuse.