IIA Magazine Apr 2016 issue

Soft skills seem to be lacking in some of the IA teams. There is the art of interviewing that must be executed properly. IA can set aside time to work with other parts of the business. Audit reports are not the only communication channel.

Time to Shift the Mindset. Pulse report urges IA to focus on culture and cybersecurity response. Board members should discuss with management to ensure that there is a common understanding. There is a risk of poor vendors and that firms could suffer from reputational damage. There needs to be strong third party risk practices.

Fraud Prevention. An effective control environment can deter or minimize the occurrence of fraudulent activities. Internal controls may not always be designed to prevent fraud. There must be a strong control environment for fraud prevention. Background checks and fraud related training can be useful indeed. Whistle-blowing hotlines can be set up. A certain level of anonymity must be ensured. No one person should have complete control over a whole particular process, from start to end. Monitoring activities should take place on a frequent basis.

The Call no CAE wants to receive. A strong working relationship between IA and the CIO is essential to responding quickly to a cyber incident. This is important as cyber attacks can lead to reputational damage. One can verify the controls at the vendor and get them to fill up a data security risk assessment questionnaire. IA can be the trusted advisor that an organization needs.

Collaborative Risk Management. As organizations consolidate their risk processes, IA may not be able to continue to stand alone. Risk collaboration and organizing risks are more important nowadays. There is a need to be efficient about going about this. Risk needs to be organized neatly. ERM is one way to link everything together. Auditors should be open to other ideas on organizing and mitigating risk.

The Ticking Ethical Time Bomb. The financial loss from theft was secondary to the effect on company culture. Sometimes, the most obvious issue is not the more important one. Small frauds can lead to large ones. Reinforcing identity is also very smart sometimes, as it can help with ethical reinforcement. Increasing controls should not be done as a knee-jerk reaction sort of thing.

A Matter of Trust. Attention to detail and focused effort can help IA build the relationships required to be perceived as valued advisers. IA should be given time to innovate, gain an understanding of evolving challenges and talk to people in the business regularly about the issues they face. You help to build trust if you know what the regulators or other people are doing. Sometimes, top management might even tell CAE the problems that are upcoming. Relationship building and being part of the management team is crucial. However, there is still a need to be independent even if IA is like a trusted advisor. Try to leverage on technology.

‘IA can often be forgotten if it is not part of the core team, because it is less visible than those functions that meet and talk regularly.’

‘Auditors are there to make organizations better – it is a key part of the way they can add value. Not commenting when they see a better way to do something could show a certain lack of moral courage.’

Proactive Fraud Analysis. Integrating advanced forensic data analytics capabilities can help auditors mitigate fraud risks and demonstrate returns. IA can invest in such tools as it can help in the monitoring of risk. IA should ask ‘What are the high risk accounts?’; ‘When?’; ‘Where?’ etc. IA should focus on the low-hanging fruit first. The first project undertaken should be easy. Learn to go beyond the descriptive analytics. Learn to embrace both structured and unstructured data. Communication is the key. It would be good to automate the tests and involve the end-users. Also, learn to set a realistic timetable. Keep analytics simple and intuitive – don’t include so much information in one report that it isn’t easy to understand.

Getting More from Interviews. Instead of emphasizing formalities, IA should approach each interview like a conversation. You can gain insight into the way operations work and identify gaps etc. Plan your questions beforehand and be prepared. However, the less formal it is, the more information you can find out from the interview. Try to make it a conversation. Learning about the auditees’ life can help to build rapport and build the bond. Talk to others within the auditees’ same department. The interview’s purpose should be specific, attainable and outcome oriented. Preparing for the interview helps a lot. The location matters as well. Try to open in a way that makes the auditee at ease. Try to explain the purpose and the outcome of the interview. Learn to practise effective listening. One can ask thought provoking questions that will help to elicit information. Learn to practise active listening and show positive body language such as being attentive. You can prepare questions but there is no need to follow a list strictly. It can be difficult to build rapport. Do not try to tell the interviewee that the interview must be done to complete the audit. Have lunch with auditees once in a while. People love to hear about themselves.

‘Auditors should be curious about the way processes work, the way the organization works, and perhaps most importantly, the people who make it work. Curiosity will lead to a better understanding of the organization, better ideas for improving the organization, and a better rapport with the individuals within the organization.’

On the Hunt for Payroll Fraud. Taking a close look at payroll risks can enable IA to help their organizations save money and identify wrongdoing. Payroll fraud is more common if there are irregular workforce patterns. Payroll is usually shrouded in secrecy. Overpayment is more common than underpayment. IA can also examine to seek actual cost savings/productivity gains. IA can adopt a helicopter overview of payroll data and the payroll process. One can compare payroll costs with other organizations. Rosters should be designed to optimize the allocation of employees to operational needs. Management welcomes findings that reveal specific wrongdoing because they provide hard-to-dispute evidence. IA can look out for certain insights and then drill further. There are many common findings. The audit fieldwork needs to be well-researched and planned.

Guardians of Integrity. IA can provide insight into corporate identity and people-related risks. For instance, IA can evaluate the ethics and organizational integrity. IA must communicate with the board and management and be the corporate conscience. Testing the effectiveness of the ethics programs can be tough. It is important to understand how an organization defines success. It is important to uphold the code of ethics: integrity; objectivity; confidentiality; competence. IA should examine incident reports too. IA must be as wise as the board, as savvy as management, and as shrewd as attorneys. Stakeholder surveys could be used to understand the management and employee ethics. IIA needs to exercise fair and ethical decision making.


IIA Magazine June 2017 Issue

Courage under Fire. Public sector auditors need to have the courage to raise issues despite the political agenda in the public sector. Audits provide a cornerstone of good public sector governance. Targeted relationship building is very important. Courage is a pre-requisite of being an internal auditor.

Terrorism and Geopolitical risks. Violence and political uncertainty threaten business interests internationally. Overall, terrorism and political violence have been at high levels. Businesses need to have strategies to deal with the geopolitical climate.

SWIFT has improved their security standards via a customer security control framework, where banks must comply annually. SWIFT will report banks which don’t comply with the new standards.

Corruption usually happens because of a poor tone from the top. The younger generation seems to be more lax when it comes to ethics and to managing others. There needs to be strong leadership from the top to tackle bribery and corruption. The board has oversight of the company’s culture but management has the best position to shape culture. Firms can get insights from departments like HR, finance on the company’s culture. Companies that allow employees to store personal information in emails etc are asking for trouble.

Key stakeholder surveys. Internal auditors should look to get feedback from their most important customers. A QAIP is a requirement but surveys are rarely given to the AC and executive management. Audit should have the habit of surveying at the end of each assurance or advisory activity. The respondent should be able to make comments as well. If the scores are not satisfactory, the CAE should recommend some course of action. Survey results should be shared with AC etc. These results can enter the QAIP as well.

‘It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the Standards.’

Application Control Testing. Control reviews can help ensure critical software applications function effectively and securely. To audit effectively, it is necessary to audit application controls too. This covers every feature and function of the application. Next, one needs to identify the key application processes and the application controls. If necessary, an integrated audit should be performed. One can use the GTAG 8 to help. Auditors can validate input and output controls. Are the processing controls accurate? Are there critical errors in computations? There is a need to examine interface controls as well. IA needs to examine: output controls, storage controls, monitoring controls, configuration management, change controls and patch management.

The Risk in the Control Environment. Auditors need to think beyond check boxes to provide assurance that control processes are addressing risks. The control environment is difficult to measure. IA should not cover up control weaknesses to management. Policies change over time and become less applicable, hence the control environment shifts. SOD is useful, but in cases where the firm is too small, alternative measures need to be made. When there are personnel changes, there might be an urgent need to re-train.

‘IA needs to ensure they have authority to analyse and communicate the situation beyond just the existence of policies. Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but just because it hasn’t failed to date should not minimize the impact of the gap.’

The ‘Free Trial’ Scam. Data analytics uncovers a sales force fraud using pre-paid credit cards to boost commissions. Be wary of pre-paid credit card usage among commissioned sales forces. There is a need to check credit card transactions against a BIN database. Understand how many customer accounts are associated with a single credit card number. Companies should request customer credit scoring and upfront payment to prevent customers defaulting on payments.

Under Siege. Public sector auditors can face intimidation, isolation, retaliation, suspension – even termination – just for doing their job. For instance, if the audit conflicts with an agency head’s political agenda, the agenda usually wins. CAEs might have to sue the government in the end. Targeted relationship building is important. Retaliation might result in a reduction of CAE’s duties. Sometimes, they are told to cease investigations. Sometimes, the CEO will tell you what to audit but you are not allowed to listen to the Board. Sometimes, the CAE has to suppress facts in a report. The CAE needs to drive an open and ethical environment with the AC to prevent such things from happening. If you want to be the CAE, you need to establish clear reporting lines and ensure you have access to the Board right from the start. If you are not comfortable, walk away. Auditors should build relationships with those they work with. Start by winning over staff and explain your audit charter to them. Keep open lines of communication. Document and verify any disagreements and understand the root cause. Learn to create a paper trail for your findings. Sometimes, resigning is the only option. It is still better to do the right thing.

‘It’s very difficult to make a change if the organization is dysfunctional. Sometimes you can make renovations to a house that will improve the functionality, but sometimes you just have to declare the house condemned and start over.’

How to Audit Culture. Culture audits can help practitioners gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex. Culture is shaped by values that influence everyday behaviour within the organization. Managers create sub-cultures among their teams. Different departments have different cultures and risk tolerances etc. There are no defined criteria for each aspect of the business too. One can start with a model to audit culture. Employees are the best source of information about the culture. Culture is largely perception based. The problem is that employees might not be fully honest, they work in silos, they may like to complain etc. The Board and management need to believe that the IA team has what it takes to audit culture. Some of the questions to ask are ‘Do our HR and talent practices reinforce the desired behaviors throughout the organization?’; ‘Does your business manage risk appropriately and in line with our risk appetite?’; ‘What do our leaders communicate to us about risk, ethics, and how we should be doing our work?’; ‘Does the company’s environment promote accountability for desired risk behaviors?’ The audit report must be worded in a non-sensitive manner. IA needs to obtain evidence via appropriate engagement techniques. Sometimes, soft evidence can work as well. Structured interviews can be conducted for auditees. It is good to gather evidence from many employees. It is possible to add questions on ethics and culture to the annual employee survey. IA could present a monthly dashboard etc on data like customer survey results, customer complaints, turnover statistics etc.

A smarter approach to third-party risks. Adopting a focused collaborative strategy can help improve management of outsourced service providers. Third-party risks are very real, especially for functions which have been outsourced. Banks are to be held responsible for their third-parties’ performance. Data breaches in recent times have made this even more important. It is important to manage the risk from third-party vendors. It is good to map a list of third-parties you work with and the risks to be assessed and monitored. It may be useful to develop key risk and KPIs for areas where risk is increasing. It could be useful to send questionnaires to the third party to understand their risk exposure and risk appetite. Some companies are looking at group intelligence as a means of sharing due diligence data. Some firms have already set up risk consortiums. Managing outsourcing risks is vital to protecting shareholder value.

The Innovative Internal Auditor. As businesses strive to find opportunities in a world driven by technological transformation, internal auditors need to continually innovate to stay ahead of the game. IA cannot be static if they want to survive in the environment. Change is part of modern life and IA needs to adapt to changing needs. There is a need for IA to be more forward looking. Because of this, IA needs to innovate in the areas like audit automation, data analytics etc. One needs to adopt a continuous improvement mindset. It takes courage to innovate, but the team will reap the rewards. Get someone on your team to be in charge of innovation. Robots might be able to perform routine control testing. We need to embrace technology to its fullest capacity.

The Dynamics of Interpersonal Behavior. To be successful, auditors need to cultivate their soft skills just as much as their technical abilities. Soft skills like listening, understanding, questioning etc are just as important as hard skills. Sometimes, audit reports are not in sync with what stakeholders want. IA people need to form effective interpersonal relationships. People-centric skills are not easy to master. Auditors need to build trust over a few days. IA needs to keep to promises on deadlines, listen to feedback and deliver their goals. Auditees might feel there is a big difference between themselves and auditors and tend to look down on auditors. IA must approach from the angle that you are trying to help. Having a good mentor will help. Ultimately, IA needs to meet stakeholders’ demands.

Opportunity from Disruption. IA should try to understand emerging risks. Be forward thinking, via a strategic planning process and have more internal audit’s risk assessment process. It is also important to create flexibility in the audit plan. Be inclusive and communicate with the other lines of defence. Be business minded and hire from a wide variety of sources and ensure they have different types of training. Be flexible by design. Evaluate the nature and timeliness of IA’s procedures. Be talent ready.

It is important for IA to issue audit reports and follow-up on corrective actions taken soon after. Although IA reports to the AC, it still has to administratively report to the CEO. Having no time is not an excuse.


IIA Magazine Dec 2016

One potential failure of ERM is that of green-washing: this is when crucial risks are pushed down into the larger collection of more trivial risks. Cybercrime is a current buzz risk. The first line of defence needs to take on better accountability for sound risk management and control.

Investors are pushing for more accountability and transparency behind decision-making. Shareholder activism is playing a big role nowadays.

The EU has released the new General Data Protection Regulation (GDPR), which intends to strengthen and unify data protection for individuals within the EU. However, most organizations say that they are not well prepared. Organizations should start preparing for this as it will kick off in May 2018.

Client Feedback. Audit performance can be fine-tuned with the right input from stakeholders. Feedback should aid audit performance. Feedback should be to the point and be specific and timely in order to be effective. Useful feedback can increase audit effectiveness. Feedback can be provided during the opening meeting, during the audit or during the closing meeting. The client should take the opportunity to clarify any concerns that they may have. During the closing meeting, IA needs to present the supporting documents and records. A post-audit questionnaire can be sent to the client after the audit.

Must-have Controls for Small Medium Enterprises. 5 controls can help SMEs protect themselves against cyber breaches. Sometimes, they do not have sufficient resources to deal with threats. Firstly, scan the network quarterly and identify vulnerabilities. Train employees on IT security. Protect sensitive information by inventorizing sensitive business processes and reviewing access to information. Learn to segment the network. Deploy extra protection for endpoints and encrypt the data. Learn to monitor the network, manage service providers, protect smart devices and monitor activity related to sensitive information.

A Holistic Approach to IT Risk. The COBIT framework can help auditors understand and address their organization’s technology risks. IT can be very complex but IA needs to evaluate the full range of IT risks. COBIT is valuable for the whole process, from end to end. The 5 key principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Internal auditors can use COBIT to understand the nature of IT risks that are unique to their organization.

A Toxic Culture. A department leader creates a hostile work environment by promoting friends and abusing employees and company assets. When many employees leave, there could be a sign of a toxic culture. There was an inadequate internal control system as no one tracked expenses. Critically review turnover data as this is a big red flag. Exit interview results should be reviewed regularly. Access control over reports should be reviewed and approved.

On The Rise. Learning is the key to doing well in IA. Get students involved early and you can volunteer as a guest speaker on internal auditing topics. IA can get involved in many projects and act as change agents for the organization. Projects can allow one to build and develop business relationships with stakeholders. One can use data analytics during audit engagements. IA can act as a trusted advisor and perform consulting work. One can learn SQL, which is a tool for managing data. One could take others under their wing and mentor them so that they can grow. Interaction between auditee and IA must be positive. Spread the good word that your team does. IA should be innovative in addressing solutions. It is helpful to distinguish the different roles of EA and IA too. Communication skills are the key for IA’s success.

Growth through challenge. Current and past emerging leaders discuss the tough assignments that helped propel their careers forward. Challenges faced in your career can propel you to be a better auditor. It is good to share with others what some of the common mistakes are. See auditors as people and go in with a customer first mentality. Be client centric. Be prepared when you go for meetings and interviews. Get a mentor, build relationships, learn from your mistakes and learn to network. It is important to preserve independence and objectivity. Influencing mindsets is tough. Building relationships with auditees can be tough when you are new. It is important to have a good audit methodology. The learning curve can be steep especially if the industry is new for you. Some departments are resistant to letting IA perform audits on operations. Talented auditors are always in demand. Once you are good, you can engage the C-suite management easily and without fear. Young auditors are always eager for more opportunities.

It’s all in the delivery. Sharing difficult messages is an unavoidable part of the job for internal auditors. Some audit observations can be difficult to convey. You should always build the relationship before telling the bad news. Telling the bad news right away is unlikely to work. Using weekly updates once the exceptions are noted is the key. Preparation is the key to accomplishing objectives. It is important to be fair and factual. Focus on the process as well as content. If you can, you can tailor the response to the personality of the recipient. During the discussion, one can seek opportunities, offer to help, make it clear and maintain open body language. ‘If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake. Verbal updates are great, but periodic written updates go a long way.’ Auditors might get into trouble over their poor soft skills. Focus on the problem, include some positives, have a face-to-face meeting etc. The key is not to beat around the bush. EQ is important in helping good delivery. The key is to deliver bad news but still build a good relationship with the auditee.

Breaking Through. Women in business are taking on the barriers to advancement, and that’s good news for everyone. Diversity is good for the workplace. More women need to be in leadership positions. However, women might face issues like lack of support, exclusion, apathy. There needs to be sufficient support from male leaders. Men should be interested in achieving gender equality. Be You. Seize the Moment. Integrate Your Life. Earn Respect. Stay Behind Facts. Be realistic and practical. Forget silos. Think context before issue. Rethink reporting. Aim at destination with gratitude. Women may also face the motherhood penalty.

Mapping Assurance. Internal auditors can facilitate efforts to document the organization’s combined assurance activities. There are a variety of assurance providers. CAE can use an assurance map to co-ordinate assurance activities. It can also help to prevent gaps in coverage. IA is well positioned to provide combined assurance. The plan should start with the organization’s strategic plan and the key risks that are associated with the strategic objectives. There should be 3 tiers of defence to provide assurance. IA needs to assess the quality and quantity of assurance received.

A Winning Pair. Governance and automated controls must work in tandem to achieve maximum results. Good governance is the key. IA needs to assess the current risk profile, mitigation activities and residual risks. Good behaviour requires time and employees should receive reminders in order to conduct good behaviour. Desired behaviour ultimately stems from the top.

The High-Performance Audit Team. Today’s complex, evolving business environment demands more of internal auditors. The world is changing and stakeholder expectations are increasing. IA can also rotate and fill other operational positions. An integrated internal audit function can boost performance. There is a strong need to invest in training and learning. Verbal, leadership, communication skills are very important. A high performance team can evolve to meet new challenges and reinvent itself. We also welcome constructive feedback from staff.


The Most Important Thing By Howard Marks (Uncommon Sense for the Thoughtful Investor)

This book is about value investing and provides tips on how to avoid common pitfalls of common investors. The methods are proven and are similar to the methods used by Warren Buffett and Benjamin Graham. Risk must be properly managed at all costs. There is no one-size-fits-all approach. Investment is an art. Independent thinking is the key for success. The market is not fully efficient and not all available information is priced into the stock. These gaps in efficiencies can be potentially exploited. The key is to estimate an intrinsic value for a stock and use that as a starting point. Choose value over growth. Buy something which is undervalued. However, do take note that the market can stay irrational for a long time. Do not buy something simply because it is popular. Do not use excessive leverage. Risk is subjective and deceptive. Construct probability distributions to predict outcomes. Risk management is the key. Risk can mean different things to different people. Learn to recognize risk early. Recognizing and controlling risk is the key to success. Understand that risk is present even if no losses are incurred. Good risk control will prevent losses from being incurred. Be attentive to cycles. Do not let psychology influence your decision making. Be aware of the pendulum. Try to identify the point that pendulums will reverse. Avoid fear, greed, following the herd, envy, ego etc. Contrarianism is the key. Think long-term. Learn to identify bargains. Undergo a rigorous process. The goal is to find underpriced assets. Be patient. It is okay to pass up good opportunities. Know what you don’t know. Forecasts are usually inaccurate. Have a sense for where we stand. Take a stand on the investing climate at the current moment. Appreciate the role of randomness as well sometimes. Practise defensive investing as well. Adopt the margin of safety concept. Learn to identify pitfalls. The aim should be always to outperform the market. Good luck!