IIA Magazine Dec 2016

One potential failure of ERM is that of green-washing, this is when crucial risks are pushed down into the larger collection of more trivial risks. Cybercrime is a current buzz risk. The first line of defence needs to take on better accountability for sound risk management and control.

Investors are pushing for more accountability and transparency behind decision-making. Shareholder activism is playing a big role nowadays.

The EU has released new general data protection regulation (GDPR) which intends to strengthen and unify data protection for individuals within the EU. However, most organizations say that they are not well prepared. Organizations should start preparing for this as it will kick off in May 2018.

Client Feedback. Audit performance can be fine-tuned with the right input from stakeholders. Feedback should aid audit performance. Feedback should be to the point and be specific and timely in order to be effective. Useful feedback can increase audit effectiveness. Feedback can be provided during the opening meeting, during the audit or during the closing meeting. The client should take the opportunity to clarify any concerns that they may have. During the closing meeting, IA needs to present the supporting documents and records. A post-audit questionnaire can be sent to the client after the audit.

Must-have Controls for Small Medium Enterprises. 5 controls can help SMEs protect themselves against cyber breaches. Sometimes, they do not have sufficient resources to deal with threats. Firstly, scan the network quarterly and identify vulnerabilities. Train employees on IT security. Protect sensitive information by inventorizing sensitive business processes and reviewing access to information. Learn to segment the network. Deploy extra protection for endpoints and encrypt the data. Learn to monitor the network, manage service providers, protect smart devices and monitor activity related to sensitive information.

A Holistic Approach to IT Risk. The COBIT framework can help auditors understand and address their organization’s technology risks. IT can be very complex but IA needs to evaluate the full range of IT risks. COBIT is valuable for the whole process, from end to end. The 5 key principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Internal auditors can use COBIT to understand the nature of IT risks that are unique to their organization.

A Toxic Culture. A department leader creates a hostile work environment by promoting friends and abusing employees and company assets. When many employees leave, there could be a sign of a toxic culture. There was an inadequate internal control system as no one tracked expenses. Critically review turnover data as this is a big red flag. Exit interview results should be reviewed regularly. Access control over reports should be reviewed and approved.

On The Rise. Learning is the key to do well in IA. Get students involved early and you can volunteer as a guest speaker on internal auditing topics. IA an get involved in many projects and act as change agents for the organization. Projects can allow one to build and develop business relationships with stakeholders. One can use data analytics during audit engagements. IA can add as a trusted advisor and perform consulting work. One can learn SQL, which is a tool for managing data. One could take others under their wing and mentor them so that they can grow. Interaction between auditee and IA must be positive. Spread the good word that your team does. IA should be innovative in addressing solutions. It is helpful to distinguish the different roles of EA and IA too. Communication skills are the key for IA’s success.

Growth through challenge. Current and past emerging leaders discuss the tough assignments that helped propel their careers forward. Challenges faced in your career can propel you to be a better auditor. It is good to share with others what are some of the common mistakes. See auditors as people and go in with a customer first mentality. Be client centric. Be prepared when you go for meetings and interviews. Get a mentor, build relationships, learn from your mistakes and learn to network. It is important to preserve independence and objectivity. Influencing mindsets are tough. Building relationships with auditees can be tough when you are new. It is important to have a good audit methodology. The learning curve can be steep especially if the industry is new for you. Some departments are resistant to let the IA perform audits on operations. Talent auditors are always in demand. Once you are good, you can engage the C-suite management easily and without fear. Young auditors are always eager for more opportunities.

It’s all in the delivery. Sharing difficult messages is an unavoidable part of the job for internal auditors. Some audit observations can be difficult to convey. You should always build the relationship before telling the bad news. Telling the bad news right away is unlikely to work. Using weekly updates once the exceptions are noted is the key. Preparation is the key to accomplishing objectives. It is important to be fair and factual. Focus on the process as well as content. If you can, you can tailor the response to the personality of the recipient. During the discussion, one can seek opportunities, offer to help, make it clear and maintain open body language. ‘If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake. Verbal updates are great, but periodic written updates go a long way. Auditors might get into trouble over their poor soft skills. Focus on the problem, include some positives, have a face-to-face meeting etc. The key is not to beat around the bush. EQ is important in helping good delivery. The key is to deliver bad news but still build a good relationship with the auditee.

Breaking Through. Women in business are taking on the barriers to advancement, and that’s good news for everyone. Diversity is good for the workplace. More women need to be in leadership positions. However, women might face issues like lack of support, exclusion, apathy. There needs to be sufficient support from male leaders. Men should be interested in achieving gender equality. Be You. Seize the Moment. Integrate Your Life. Earn Respect. Stay Behind Facts. Be realistic and practical. Forget silos. Think context before issue. Rethink reporting. Aim at destination with gratitude. Women may also face the motherhood penalty.

Mapping Assurance. Internal auditors can facilitate efforts to document the organization’s combined assurance activities. There are a variety of assurance providers. CAE can use an assurance map to co-ordinate assurance activities. It can also aid to prevent gaps in coverage. IA is well positioned to provide combined assurance. The plan should start with the organization’s strategic plan and the key risks that are associated with the strategic objectives. There should be 3 tiers of defence to provide assurance. IA need to assess the quality and quantity of assurance received.

A Winning Pair. Governance and automated controls must work in tandem to achieve maximum results. Good governance is the key. IA needs to access the current risk profile, mitigation activities and residual risks. Good behaviour requires time and employees should receive reminders in order to conduct good behaviour. Desired behaviour ultimately stems from the top.

The High-Performance Audit Team. Today’s complex, evolving business environment demands more of internal auditors. The world is changing and stakeholder expectations are increasing. IA can also rotate and fill other operational positions. An integrated internal audit function can boost performance. There is a strong need to invest in training and learning. Verbal, leadership, communication skills are very important. A high performance team can evolve to meet new challenges and reinvent itself. We also welcome constructive feedback from staff.


The Most Important Thing By Howard Marks (Uncommon Sense for the Thoughtful Investor)

This book is about value investing and provides tips on how to avoid common pitfalls of common investors. The methods are proven and are similar to the methods used by Warren Buffett and Benjamin Graham. Risk must be properly managed at all costs. There is no one size fit all approach. Investment is an art. Independent thinking is the key for success. The market is not fully efficient and not all available information are priced into the stock. These gaps in efficiencies can be potentially exploited. The key is to estimate an intrinsic value for a stock and use that as a starting point. Choose value over growth. Buy something which is undervalued. However, do take note that the market can stay irrational for a long time. Do not buy something simply because it is popular. Do not use excessive leverage. Risk is subjective and deceptive. Construct probability distributions to predict outcomes. Risk management is the key. Risk can mean different things to different people. Learn to recognize risk early. Recognizing and controlling risk is the key to success. Understand that risk is present even if no losses are incurred. Good risk control will prevent losses from being incurred. Be attentive to cycles. Do not let psychology influence your decision making. Be aware of the pendulum. Try to identify the point that pendulums will reverse. Avoid fear, greed, following the herd, envy, ego etc. Contrarianism is the key. Think long-term. Learn to identify bargains. Undergo a rigorous process. The goal is to find underpriced assets. Be patient. It is okay to pass up good opportunities. Know what you don’t know. Forecasts are usually inaccurate. Have a sense for where we stand. Take a stand on the investing climate at the current moment. Appreciate the role of randomness as well sometimes. Practise defensive investing as well. Adopt the margin of safety concept. Learn to identify pitfalls. The aim should be always to outperform the market. Good luck!