The Technology Issue
A technology revolution. Tech is moving at a fast pace and some businesses may not be able to reap the benefits. IA needs to understand the evolving risk landscape related to the business. Tech will continue to disrupt the landscape and IA needs to reassess what data means to them going forward. Auditors help organizations avoid getting into trouble by identifying issues early and avoid them being surfaced by regulators or the media.
The Cyber Readiness Gap. Organizations may not be prepared for the attacks they are expecting. Ransomware is a big issue and thinks will get worse. Only half the organizations surveyed have a plan to address ransomware attacks. IA can help to scrutinize cybersecurity practices and plans. IT security governance needs to include the human factor in corporate risk analysis and assessment. IA can move from a supportive to front-seat role when building crisis-resilient culture.
More than Compliance with ‘A’. Transforming a compliance program into a value-adding activity starts with IA. Compliance with AML regulations are important. However, many managers do not see value in compliance work. IA needs to ensure compliance can provide real assurance. It is important to do the right thing and do things correctly. Ask yourself why there is a compliance requirement in the first place. IA needs to work with the first and second line of defence to ensure all risks are being addressed. IA should also question the need for, existence of, and adequacy of compliance with A. Sometimes, the original risks may not be present and hence the compliance requirement should not be relevant. One needs to examine the adequacy and effectiveness of the mitigating control. The audit needs to maximize the use of resources and analytics. One can use trend analysis to understand whether risk is increasing or decreasing. Effectiveness of controls can be tested with analytics.
‘But it should not be compliance simply for compliance sake. Internal audit should consider the overarching business objective and the controls that help mitigate risk to the achievement of the objective – even when examining compliance-related controls.’
Stop Clicking, Start Coding. SQL queries can enable internal auditors to uncover greater insights from organizational data. Data needs to be analysed etc. Some auditors are required to learn SQL. It is a language for managing data held in databases. To be good, logical thinking and reasoning are important and necessary for coding. SQL can be tailored for auditing needs and for ad-hoc queries. SQL and other audit software can form a powerful set of analytical tools.
Internal Audit needs risk management too. Managing its own risks can improve the audit function’s performance and demonstrate that it practices what it preaches. One key risk of IA is whether the department is strategically positioned within the organization its objectives. Other risks are whether the department has enough staff, on assurance etc. Reputation risks are important too, and so is compliance risks. Operational risks are like the resourcing problems, annual audit plan etc. If audits are behind schedule by about a month, it needs to be highlighted as a red flag. IA can also do a risk control self-assessment to evaluate internal controls in place.
The Cashier Cash Thief. Mounting family pressures and opportunity cause a trusted warranty clerk to pocket payments from customers. IA must emphasize the importance of SOD and monitor any exceptions. Trend analysis would allow organization to detect fraud more timely. Routine audits are vital for all cash processes. Mandatory vacations and rotation of duties should have prevented fraud from happening.
In Safe Hands. Organizations must grapple with a host of issues when determining how to best protect their data and manage the way it’s used. In Europe, there is a General Data Protection Regulation that goes into effect in spring 2018. It is a stricter regulation than ever before. Firms need to obtain consent for data collected from individuals. IA needs to go back to the drawing board to strike a balance. Respecting someone’s privacy rights is actually a soft skill and needs a soft approach. Privacy controls need to be engineered into business processes. Businesses must be clear about what they need the data for. Many companies do not know where their data comes from and how it is used. IA can be a role model in innovation etc.
Great tech expectations. As technology becomes more integrated with business processes, auditors must raise their IT skills. New auditors usually have better skills than older ones. People with expertise in IT will be in demand. Those with experience in DA will have an advantage over those who don’t. Experience with audit-specific software is also a plus. Auditors need to have an understanding of the infrastructure and applications being used. New authors are not usually well versed in soft skills. IA needs to have a good understanding of flow, controls and governance. Determine the specialty skills needed. Maintaining the right mix of generalists and specialists is a key IT challenge. IA needs to have a training plan for the IT risk and controls. Training hours need to be tracked and there needs to be information sharing at every meeting.
Building a data analytics program. Six strategies can facilitate progress when starting or furthering an analytics program. Many functions suffer from pitfalls/ setbacks. The six strategies are (1) create awareness rather than a silo; (2) understand the data before investing in a tool; (3) plan sufficiently; (4) think big picture; (5) Partner with IT; (6) Take advantage of visualization tools for inspired reporting.
#PurposeServiceImpact. The IIA’s 2017-2018 Global Chairman of the Board J Michael Peppers encourages IA to unify around the three concepts in his powerful hashtag. Purpose, Service and Impact are important words for our profession. It is about the why we do things. We should help enhance shareholder value through our work. Service is basically walking the talk. It is important to establish credibility with clients. We are both change agents and educators and need to do the right thing. Volunteering is important and internal auditors should strive to give back to the society. Always try to make a positive difference. We need to understand the purpose of the organization.
‘The best and most successful internal auditors I know understand that internal auditing is more than just a job: it is a sincere effort to improve the lot of others, whether organizations or individuals.’
The Root of the Matter. Performing root-cause analysis requires that auditors recognize common myths associated with the process. Addressing root cause will prevent the issue from recurring. Complex problems may be due a variety of factors. There may not be a single root cause at times. Use the 5 Why techniques. Sometimes, two root causes can lead to one problem. Some brainstorming is required to address all the root causes. One can use the fishbone diagram and identify problems in different categories like: Man, Machine, Measurements, Method, Materials, and Mother Nature. One can also use scatter diagrams to pair cause and effect and look for relationships. Good recommendations in the audit report should address the root causes of a problem. However, IA should understand that RCA requires time and resources and the organization must weigh the pros and cons of doing it.
Seven Steps to Transformation. IA can assist management throughout the many stages of business change. The first is pre-implementation review. It helps management to identify problems at the planning stage. Ask yourself what is the best ERP project model for ERP packages? The other steps are process/controls analysis, In-flight reviews, IT and User Acceptance Testing and Output/Results testing. The last 2 steps are post-implementation reviews and comparison to project management reviews.
It’s only one word. Excessive audit report wordsmithing is often a disservice to the client – and the audit function. Let those who did the work have a say in the changes. Never make a change unless you can explain why that change is necessary. Otherwise, you are just changing for personal preference. Always explain the reasons for any change to the person who wrote the original drafts. Do not be too anal about phrasing as this will result in rewriting and delays and frustrations.
‘Far too often, the lead, manager, chief audit executive doesn’t like what is written and starts editing the audit report. The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.’
The Data Analytics Strategy. Adding analytics to the audit methodology requires careful change management. Funding and resources needs to be provided. Integrate data analytics requirements into the audit methodology. Look for quick wins if possible. Use a champion to lead the strategy. CAE must emphasize that analytics is good as it improves audit efficiency. Analytics can add value not just to fieldwork, but also risk assessment and planning. Data is also evidence and that’s what sells well.
From ratings to Recommendations. Behavioural psychology suggests internal auditors’ approach could benefit from more carrot and less stick. Audit gradings are hated by auditees as it sends a signal that they did something wrong and that things are really bad. The SDT (self-determination theory) shows that human motivation is optimized when the following 3 are present: developing one’s skills (competency); exercising free will (autonomy); feeling connected with others (relatedness). Give your auditee the chance by sharing about common goals and building good relationships with them.