Beyond the FCPA
Compliance with the U.S. regulation alone is not enough for companies subject to anti-corruption standards around the globe.
June 2015 Volume LXXII: III

FEATURES

COVER Beyond the FCPA: Strong internal controls and effective internal audit are critical in global anti-corruption efforts. By Jonathan T. Marks and Thomas R. Fox

DEPARTMENTS

Editor’s Note
Reader Forum

PRACTICES

Update: Facing the cybersecurity job talent dearth; audit committees and CAEs differ on risk priorities; and new guidance for health-care company boards.
Back to Basics: Delegating creates opportunities for improvement.
ITAudit: Six factors can determine analytics’ success.
Risk Watch: COSO 2013 can enhance fraud prevention.
Fraud Findings: A fake vendor scheme nets an employee US$600,000.

INSIGHTS

Governance Perspectives: Internal audit’s focus on risk needs to shift from retrospective to proactive.
The Mind of Jacka: Audit clients don’t always embrace ownership of controls.
Eye on Business: Many considerations go into creating an ethical workplace.
In My Opinion: Internal audit needs to demonstrate its commitment to making the organization better.

ONLINE InternalAuditor.org

Think Like a Leader: Leadership can be exhibited at every level of the audit function by practitioners who think strategically about the business.
Audit Committee Silence: In a video blog, IIA President and CEO Richard Chambers presents five topics the audit committee may not want to discuss.

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations.
Editorial and advertising office: 247 Maitland Ave., Altamonte Springs, FL 32701-4201, U.S.A. Copyright © 2015 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer
Service, +1-407-937-1111. Periodicals postage paid in Altamonte Springs, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 247 Maitland Ave., Altamonte Springs, FL 32701-4201, U.S.A. Canada Post
International: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The
Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.
Editor’s Note
Like most magazines, we regularly survey our readers to ensure we’re providing the content they want and need. The results of the recent 2014 Internal Auditor Magazine Survey are revealing, not so much because of what readers had to say about the content, but because of their lack of awareness of all Internal Auditor has to offer.

Although two-thirds of respondents indicate they access Internal Auditor’s website at least monthly, one-third are not aware that it offers exclusive content, and many are unaware of the site’s improvements since the redesigned site launched last August. Obviously, we haven’t done enough to let our readers know the full scope of the Internal Auditor brand.

InternalAuditor.org features a new, mobile-friendly design, easier navigation, and an enhanced search function. The site, which has nearly 90,000 page views per month, also features content not found in the magazine, including blogs and videos from industry experts and articles related to technology, fraud, and other areas of interest to internal auditors.

Of those who visit the website, many are unaware of the digital edition (e-magazine) that is available on the site. The digital edition is an exact replica of the print edition with added features such as videos. By clicking on “View Current Issue” on InternalAuditor.org, readers can not only access the most recent digital edition, but also a digital archive that dates back to 2004.

The Internal Auditor mobile app also features the digital edition, as well as a daily news feed and our “Chambers on the Profession” and “Marks on Governance” blogs. The app is available for free download via the Apple App Store or Google Play. Search for Internal Auditor Magazine. Once an issue is downloaded, it can be viewed anywhere, anytime, regardless of wireless connectivity.

Finally, Internal Auditor is very active on social media. Our Twitter news feed, accessible via @IaMag_IIA, provides regular updates of the news important to internal auditors. The news feed also is viewable on InternalAuditor.org and, as mentioned, on the app. Our followers on the Internal Auditor Magazine Facebook page receive internal audit-related information, as well as updates when new articles are posted to InternalAuditor.org.

In today’s world, where people like to choose how they view content, it’s important our readers know there is a lot more available to them than just the print publication. The Internal Auditor brand — print, website, digital edition, app, and social media — offers comprehensive coverage of the internal audit profession through a variety of mediums. Give them a try!

@AMillage on Twitter

“Fake President” Fraud
This type of scam was around long before social media. Con artists could get executive information from publicly accessible trade journals, and an urgent telegram with enough pertinent information would be sent with instructions to wire or transfer money immediately. Social media makes it easier to get the information, and email allows for quicker turnaround to allow more time to take the money and run.
PHIL CASKANETTE comments on Alistair Beauprie’s “The ‘Fake President’ Fraud” (“Fraud Findings,” April 2015).

What Is a Risk?
A risk is only a risk if it has a probable impact on some aspect of the objective. It is more useful for aspects of the objective to be clearly articulated and risks to the objectives identified rather than to start by trying to identify risks. The key to risk identification is an acknowledgement that one cannot possibly identify all risks to an objective, especially in one sitting. Ongoing risk identification is one of the things internal audit should be looking for in assessing that process, rather than simply lambasting an engagement client for not having identified a particular risk.
KAYA KWINANA comments on the From the Mind of Jacka blog post, “Quit Looking for Unknown Risks.”

Root Cause
I’ve been in half a dozen audit groups, and one of the best things I’ve learned is the “5 Cs” basis of report writing. For any issue, we need to identify the condition (what was found?), the criteria (what is required?), the cause (why did this happen?), the consequence (what is the risk of doing nothing?), and the correction (what do we recommend?). However, there are usually several those contributing factors that may have helped form a given issue. Auditors not only have to be skilled enough to find out why an issue arises, but also disciplined enough to continue asking “why” until we discover the root cause.
RICHARD FOWLER comments on Mike Jacka’s “Cause Trumps Condition” (“The Mind of Jacka,” February 2015).

Reporting Responsibilities
Audit committees should continue to be more vigilant in the review of annual financial statements. Skilled members should perform appropriate and rigorous analysis and lead the discussions. Marks’ blog post suggests comparative analysis, and internal audit departments are ideally placed to deal with these analyses and report on the results to the committee. More importantly, the committee should understand, with the assistance of internal audit, the driving factors and risk universe of results-driven organizations, and focus on the accounting drivers that will influence those results.
SMARTRYK CALITZ comments on the Marks on Governance blog post, “Financial Reporting and the Audit Committee.”

JUNE 2015
VOLUME LXXII: III

EDITOR IN CHIEF
Anne Millage

MANAGING EDITOR
David Salierno

ASSOCIATE MANAGING EDITOR
Tim McCollum

SENIOR EDITOR
Shannon Steffee

ART DIRECTION
Yacinski Design, LLC

PRODUCTION MANAGER
Gretchen Gorfine

CONTRIBUTING EDITORS
Mark Brinkley, CIA, CFSA, CRMA
John Hall, CPA
J. Michael Jacka, CIA, CPCU, CFE, CPA
Steve Mar, CFSA, CISA
James Roth, PHD, CIA, CCSA, CRMA
Paul J. Sobel, CIA, QIAL, CRMA
Laura Soileau, CIA, CRMA

EDITORIAL ADVISORY BOARD
Dennis Applegate, CIA, CPA, CMA, CFE
Lal Balkaran, CIA, CGA, FCIS, FCMA
Mark Brinkley, CIA, CFSA, CRMA
Adil Buhariwalla, CIA, CRMA, CFE, FCA
Daniel J. Clemens, CIA
David Coderre, CPM
Michael Cox, FIIA(NZ), AT
Dominic Daher, JD, LLM
James Fox, CIA, CFE
Peter Francis, CIA
Michael Garvey, CIA
Nancy Haig, CIA, CFE, CCSA, CRMA
Daniel Helming, CIA, CPA
J. Michael Jacka, CIA, CPCU, CFE, CPA
Keith E. Johnson, CIA
Gary Jordan, CIA, CRMA
Sandra Kasahara, CIA, CPA
Eila Koivu, CIA, CCSA, CISA, CFE
Robert Kuling, CIA, CRMA, CQA
Michael Levy, CRMA, CISA, CISSP
Merek Lipson, CIA
Thomas Luccock, CIA, CPA
Michael Marinaccio, CIA
Norman Marks, CPA, CRMA
Alyssa G. Martin, CPA
Dennis McGuffie, CPA
Stephen Minder, CIA
Kenneth Mory, CIA, CPA, CISA, CRMA
Jack Murray, Jr., CBA, CRP
Hans Nieuwlands, CIA, RA, CCSA, CGAP
Michael Plumly, CIA, CPA
Sarah Purkeypile, CIA, CFSA
Jeffrey Ridley, CIA, FCIS, FIIA
Marshall Romney, PHD, CPA, CFE
James Roth, PHD, CIA, CCSA
Katherine Shamai, CIA, CA, CFE, CRMA
Debora Shelton, CIA, CRMA
Laura Soileau, CIA, CRMA
Jerry Strawser, PHD, CPA
Glenn Sumners, PHD, CIA, CPA, CRMA
Sonia Thomas, CRMA
Stephen Tiley, CIA
Robert Venczel, CIA, CRMA, CISA
Curtis Verschoor, CIA, CPA, CFE
David Weiss, CIA
Scott White, CIA, CFSA, CRMA

IIA PRESIDENT AND CEO
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA

IIA CHAIRMAN OF THE BOARD
Anton van Wyk, CIA, QIAL, CRMA

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS INC.

CONTACT INFORMATION

ADVERTISING
advertising@theiia.org
+1-407-937-1109; fax +1-407-937-1101

SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES
customerrelations@theiia.org
+1-407-937-1111; fax +1-407-937-1101

EDITORIAL
David Salierno, david.salierno@theiia.org
+1-407-937-1233; fax +1-407-937-1101

PERMISSIONS AND REPRINTS
editor@theiia.org
+1-407-937-1232; fax +1-407-937-1101

WRITER’S GUIDELINES
InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.

Compliance guidance for health boards… U.S. accounting case filings up...
CAEs and audit committees differ on risk… Hackers target health records.
Update

New COSO a Win
Most U.S.-listed companies have implemented the 2013 update of the Internal Control–Integrated Framework.
2,318: Use updated COSO framework
513: Use original COSO framework
201: Did not disclose which framework company is following
Source: Protiviti Inc. analysis of publicly listed company filings through April 3, 2015

Looking for Talent
Hiring challenges are a big cyberthreat.

Eighty-two percent of organizations expect to be victims of cyberattacks in 2015, and more than one-third of them are unable to fill open information security positions, according to State of Cybersecurity: Implications for 2015, published by ISACA and the RSA Conference. Less than half of the 649 cybersecurity and IT managers or practitioners responding to the global survey say their security teams are able to detect and respond to complex incidents.

A talent shortage and skills gap is the biggest culprit. Only 16 percent of respondents say at least half of the job applicants they receive are qualified, and 53 percent say it can take up to six months to fill an opening. “If there is any silver lining to this looming crisis, it is the opportunities for college graduates and professionals seeking a career change,” says Robert Stroud, international president of ISACA.

The U.S. government also is feeling the squeeze, according to a report from the Partnership for Public Services. In addition to the shallow talent pool, slow-moving hiring processes and low pay are working against it.

The partnership recommends exempting all cybersecurity job openings from federal competitive-hiring guidelines. Currently, the U.S. Congress has allowed the National Security Agency, the intelligence community, and the U.S. Department of Defense to bypass hiring hurdles and adjust salaries to compete with the private sector.

When it comes to hiring a qualified candidate for a position, the ISACA/RSA report states hands-on experience is most important. Security professionals continue to see a skills gap among hired professionals in the ability to understand the business (72 percent), technical skills (46 percent), and communication (42 percent). — S. Steffee

Healthy Oversight
Guidance advises health organization boards on compliance role.

Health-care organization boards of directors have an obligation to review the adequacy of compliance systems and functions, says a new guidance document. Practical Guidance for Health Care Governing Boards on Compliance Oversight is the result of a collaboration among the American Health Lawyers Association, the Association of Healthcare Internal Auditors, the inspector general of the U.S. Department of Health and Human Services, and the Health Care Compliance Association.

among the audit, compliance, and legal functions. In addition, the board should ensure that the three functions all have access to appropriate information and resources, and that both the compliance officer and internal audit maintain their independence, the guidance stresses.

In terms of reporting, the guidance says boards should receive separate reports on the organization’s risk mitigation and compliance efforts from the internal audit, compliance, human resources, legal, quality, and IT functions. It recommends boards ensure that management and the board have processes in place to identify risk areas, management reviews and audits these areas, and manage-

69 new lawsuits were filed last year alleging accounting violations, up 47% from 2013, with more than 25% of filings referring to an SEC inquiry or action.
a result of the SEC’s heightened focus on accounting-related fraud,” says Elaine Harwood, vice president of Cornerstone Research.
Source: Cornerstone Research, Accounting Class Action Filings and Settlements — 2014 Review and Analysis

Audit committees and CAEs see internal audit priorities differently, according to a recent Grant Thornton survey of more than 500 U.S. CAEs and audit committee members.

The CAE respondents to the Governance, Risk, and Compliance survey rank compliance risks as the most important priority, followed by operational, financial, and strategic risks. Audit committee members rank financial risks No. 1, above compliance, operational, and strategic risks. “The continued compliance-heavy environment makes it clear that internal audit must keep striving to rebalance priorities without leaving any key area or stakeholder group behind,” says Warren Stippich, leader of Grant Thornton’s national Governance, Risk, and Compliance practice.

When asked to rank the top three areas in which internal audit can add value, CAEs listed identifying improvement opportunities, mitigating risk, and increasing efficiency. Audit committee members, however, ranked mitigating risk first, followed by strengthening financial control compliance

limited time and create opportunity for improvement.

Ask any internal auditor how his or her day or week is going, and responses will almost certainly include, “I’m so busy,” “I wish I had more time,” or “There aren’t enough hours in the day.”

The combination of shrinking workforces, greater stakeholder expectations, and the productivity and concentration challenges associated with multitasking leave many internal auditors wishing there were more hours in a day. Because time is a fixed asset, internal auditors need to find ways to maximize it.

One approach is to delegate activities. For internal auditors who are new to a senior position or supervisory role, delegation is especially important.

Unfortunately, internal auditors offer some common excuses for not delegating activities, such as, “It will take less time if I do it myself,” “No one can do it as well as I can,” and “No one else has the time either.” These excuses keep auditors from benefiting from one of the best time-management tools. And even though it requires a lot of up-front effort on the part of the delegator, when approached correctly delegation can allow for the growth of everyone involved in the process. Involving others can help develop their skills and abilities, so the next time a similar project arises, tasks can be delegated with confidence.

To determine if a task should be delegated, there are four key questions auditors should ask:
- Can someone else do the task or is it critical for me to complete it?
- Will it provide someone else the opportunity to grow and develop?
- Will this or a similar type of task recur in the future?
- Do I have enough time to delegate the task effectively (train, answer questions, check progress, and rework, if necessary)?

If the answer to two or more of these questions is “yes,” it is worth delegating the task using several steps.

Define the Task
It is important to clearly define the activity to be performed, including specific limitations, time frames for completing the activity, situations that require additional clarification (e.g., unusual circumstances that would require further discussion and direction), as well as a high-level picture of what “complete” looks like. Any specific formatting, style, or other such criteria to be adhered to should be identified at this time. Too often, internal auditors go into delegation without giving clear thought to the full scope of the activity and steps to be performed, decreasing the probability that the delegation will be successful.

Identify the Necessary Skills
When delegating, it is critical to understand the skills necessary to complete the task and determine who within the team exhibits those attributes. If a task is delegated to the wrong person, it is unlikely the task will be performed adequately and within the expected time frame. Further, the likelihood that similar activities will be delegated in the future also decreases. With that in mind, auditors should consider who may be best positioned to complete the activity within the established time frames and expectations.

Communicate Expectations
Clear expectations are not always established and shared with the delegate about the specific tasks to be performed. Common failures in communicating expectations may include:
- Not providing the reason the task must be performed.
- Providing direction that is too high level or vague.
- Providing guidance that excludes pertinent information, such as clearly defining the task to be completed and the time line to complete the activity.
- Not communicating the intended audience of the activity/deliverable.
- Not providing relevant background information.
- Not discussing in advance specific formatting, style, or other such criteria.

While it is important to clearly define expectations, it is also important to keep in mind the difference between personal preferences and mandatory business guidelines. For example, if there are no specific criteria for the formatting of a written deliverable, the work does not necessarily need to be redone if it comes back formatted differently than anticipated.

Ensure a Shared Understanding
In addition to communicating expectations for the task to be performed, it is important to ensure that the delegator and the delegate have a mutual understanding of that task. The person who will be performing the task should be encouraged to ask any clarifying questions necessary to better understand the activity, time lines, and any other requirements. Further, the lack of questions should not lead the delegator to presume that the person who will be performing the task has a clear understanding of what is being asked of him or her. To increase the odds of success, after providing an overview of the activity to be performed, the delegator should consider having the delegate repeat back a summary of the activity to provide visibility into any areas in which the expectations may be unclear. This is also a good opportunity to provide examples of any unusual situations that may be encountered during which the delegate should come back to seek additional guidance. Face-to-face meetings are better suited than email to ensure there is a common understanding; such meetings allow the delegator to read the body language and facial expressions of the delegate to help identify any areas that may be unclear.

Monitor Progress
For all delegated activities, particularly those that may span multiple weeks or months, it is important to set regular checkpoints with the person who will be responsible for completing the task. These checkpoints can help ensure that the task is on schedule. In addition, checkpoints allow the opportunity for the delegate to ask any clarifying questions that may have arisen through the course of completing the activity. They also enable the delegator to confirm the task is being performed correctly, which is better to identify early in the process rather than at the last minute. Finally, checkpoints allow the opportunity to share any new expectations that have arisen over the course of the activity or re-establish existing expectations with the delegate.

Opportunity for Improvement
For the internal audit activity to best meet the needs of its stakeholders, it is important that all work throughout the department is being performed at the most appropriate level. While delegation may sometimes be a struggle, and it may push both the delegator and delegate out of their comfort zones, it can give a fresh set of eyes to an activity that has traditionally been performed by one person or one role. This not only maximizes internal audit’s limited time, but new insights can create opportunity for improvement all around.

Jared Soileau, CIA, CRMA, CISA, is an assistant professor of accounting at Louisiana State University in Baton Rouge.
Laura Soileau, CIA, CRMA, CPA, is an associate director in Postlethwaite & Netterville’s Consulting Department in Baton Rouge.

the technology more effectively.

Data analysis technology has enabled many audit teams to achieve success and return on investment. A large car rental company transformed audit processes and reportedly reduced traditional audit work by 10,000 hours annually by using automated analysis to test all revenue transactions on an ongoing basis. Additional tests identified nearly US$1 million a year in incorrect commission payments and multiple instances of payroll fraud that may not have been discovered through manual methods.

Data analytics has helped such organizations increase the productivity of the audit function and improve the quality and value of audit findings by giving auditors the ability to examine and test entire populations of transactions and balances that underlie an audit area. Because internal audit has access to processes and data from across the organization, data analysis often enables auditors to provide insights into risk, control, and performance issues that no other function can provide.

Realizing the Benefits
Despite data analytics’ benefits, most internal audit departments are still in the early stages of usage and are far from achieving their full potential. This often stems from a lack of understanding of what is involved in the audit analytics process. However, six success factors can help internal audit departments overcome obstacles and realize the benefits of analytics.

Strategy and Leadership. Many internal audit departments fail to make progress in implementing audit analytics because they do not treat it as a strategic initiative, overall objectives are unclear, and the department lacks necessary resources. Defining the strategic objectives for audit analytics is a vital starting point. For example, The IIA’s Global Technology Audit Guides 3 and 16 discuss how combining responsibilities for continuous auditing and monitoring can enable internal audit and the organization to achieve the strategic goal of continuous assurance. Moreover, using data analysis to support both audit objectives and management’s maintenance of effective controls aligns closely with The IIA’s Three Lines of Defense in Effective Risk Management and Control model.

The CAE’s active support and involvement in an audit analytics implementation adds to its strategic importance and can help it deliver significant, sustainable benefits. The CAE should lead the effort by communicating the vision, strategy, and expectations.

Goals and Metrics. Underlying the overall strategic objective, internal audit departments can establish specific objectives by prioritizing the expected benefits. Goals and metrics could include:
- Data analysis to be used on x percent of audits within a y-month time frame.
- Reduction in audit hours of x percent because of use of data analysis compared to the hours spent on the same audit using manual methods.
- Data analysis results in an x percent increase in positive feedback from audit client departments about value added by internal audit.

Establishing metrics and communicating progress helps align the audit team, provide a basis for managing the implementation process, and facilitate benchmarking with other organizations. It also can communicate value to senior management.

Planning and Project Management. Audit analytics implementations often are undermined by poor management. As with any important technology-driven initiative, effective planning and project management are critical to success. A well-managed implementation program helps ensure the use of analytics is sustainable and not overly dependent on any one individual.

To achieve greater benefits, audit analytics needs to be integrated into the overall audit process. This means understanding at what point in the audit cycle different forms of audit analytics are best used. All members of the audit team should be aware of when and how audit analytics are to be used, together with their own role in the process. Audit analytics can be used in virtually every stage of the audit process, including audit planning and risk assessment, controls testing, substantive procedures, reporting and quantifying audit findings, and continuous auditing.

Training plans should reflect individual roles and related levels of knowledge. Those involved directly in data access and test development may require specialized training in specific software. Auditors performing simple analysis and tests may only require training in basic analysis concepts and introductory-level software usage. Managers and reviewers should be trained in audit analytics processes overall.

A variety of roles are involved throughout the analytics process, including data access specialist, data analysis specialist, and follow-up analyst to confirm any findings. Audit team leaders should understand how to best organize the different roles within their teams. In most audit departments, many of the roles may be combined in one or two individuals. In large departments, roles may be allocated across different team members, which allows for specialization and focus.

The Business Case for Resources. Internal audit departments that achieve the most success in using analytics develop a business case to identify investment costs and expected benefits and to measure progress in achieving objectives. In compiling its case, the department should consider benefits such as reducing audit staff hours, increasing productivity, increasing the value of advisory findings for audit clients, and achieving cost savings or revenue gains. Potential costs include specialist resources and implementation assistance, software, training, and startup funds. The business case also can consider the effect of cost sharing with risk management, compliance, and other related functions.

Technology. A wide range of data analysis software can be used to support audit analytics. Surveys indicate that more internal auditors use Microsoft Excel for analysis than any other software. However, specialized audit data analysis software is also popular, especially in organizations that are more advanced in using analytics. Other analysis technologies can play a role, although these products may not support all aspects of the audit analytics process.

Control–Integrated Framework may help prevent fraud.
Daily headlines of pilfered passwords and stolen credit card data have put fraud at the top of management’s risk management agenda. This concern coincides with new guidance in The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control–Integrated Framework that directs organizations to conduct a fraud risk assessment as part of their overall risk assessment.
Now is an opportune time for internal auditors to help their organization re-examine its approach to fraud risk. For organizations that have not formally documented processes and controls to address fraud risk, adopting COSO 2013 can jump-start a fraud risk prevention program. Organizations that have a more mature fraud risk assessment can use it to strengthen their fraud prevention processes and procedures.
COSO’s Guidance
The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level.
In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting.
Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of nonfinancial reporting is a significant change that covers sustainability, health and safety, employment activity, and similar reports. Because internal auditors frequently provide assurance in this area, they can provide insights into fraudulent nonfinancial reporting.
One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, the Association of Certified Fraud Examiners, and The IIA. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls.
Fraud Risk Governance
Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their
corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk.
But even organizations with committed senior leadership may have inadequate fraud risk assessment programs. Most organizations have some written policies to manage individual fraud components, but many don’t concisely summarize these documents and activities so they can communicate and evaluate the completeness of their fraud management processes. Internal audit can help with this evaluation and address the areas of fraud described in Principle 8.
The Assessment Process
Although a fraud risk assessment should ordinarily be conducted as part of a broader evaluation of organizational risk in an enterprise risk management program, it may initially be done on a stand-alone basis. Regulatory and legal misconduct, such as U.S. Foreign Corrupt Practices Act violations, as well as reputation risk, also should be considered. Internal auditors can help ensure the fraud risk assessment is sufficiently robust.
Assess and Identify Inherent Risk The fraud risk assessment starts with a brainstorming session to uncover the organization’s potential fraud risks, without consideration of mitigating controls. The review should be shaped by the organization’s operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, business practices, and business conditions. Each risk area should be examined, including fraudulent reporting, possible loss of assets, and corruption. The assessment should consider:
»» All types of fraud schemes and scenarios.
»» The incentives (such as compensation programs), pressures (such as a chief financial officer who needs to hit an earnings estimate), and opportunities (such as a senior executive with override ability) to commit fraud.
»» The IT fraud risks specific to the organization, which may become pervasive without appropriate controls.
Additionally, the fraud risk assessment needs to consider the potential bypass of controls, as well as areas where controls are weak or there is a lack of segregation of duties.
Assess Likelihood and Significance of Fraud Risk This review of identified fraud risks should be based on staff interviews — including business process owners — known fraud schemes, and historical information, both internal and external to the organization. In assessing fraud risk significance, organizations should consider not only exposures to assets and financial statements, but also risk to their operations, brand value, and reputation, as well as criminal, civil, and regulatory liability.
Fraud Prevention and Detection
Fraud prevention requires both preventive and detective controls, but the Managing the Business Risk of Fraud guide points out these are not mutually exclusive: “If effective preventive controls are in place, working, and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company’s known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls.”
Segregation of duties in small organizations can be difficult because of limited resources and personnel. These organizations need compensating controls such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity.
Fraud Investigation and Corrective Action
The fraud investigation and response system should include a process for categorizing issues, communicating within the organization — including with the audit committee or those charged with governance — conducting the investigation and fact-finding, monitoring the status of fraud cases, and resolving the investigation with a recommendation for prosecution. Standards, regulations, or laws may require parties such as legal counsel, the board, the audit committee, and external auditors to be notified if the allegation involves senior management or affects the financial statements.
An Opportunity for Improvement
Organizations that already have adopted COSO 2013 can continue to build on that foundation to prepare for the fraud challenges ahead. For those organizations that haven’t yet implemented the framework, the opportunity to improve their fraud risk assessment should motivate them to adopt it soon. In either case, internal auditors who are well-versed in COSO 2013 can help the organization’s fraud risk assessment initiative by facilitating the assessment itself or helping align policies and fraud mitigation activities.
Michael Rose, CIA, CPA, CISA, CISM, is a Business Advisory Services partner at Grant Thornton LLP in New York.
Priya Sarjoo, CIA, is a Governance, Risk, and Compliance practice leader at Grant Thornton in Dallas.
Kevin Bennett, CFE, CICA, is managing director of Forensic and Valuation Services at Grant Thornton in Minneapolis.
her US$600,000 over three years.
It was a hot Friday afternoon in the Atlanta airport. John Rigby’s flight was delayed four hours, and he wanted to fill that time productively. He remembered he still had an unresolved audit exception on a routine match of vendor and employee addresses. The match was for the supervisor, Marilyn Bell, at his client’s graphics department only a few miles away from the airport.
After a 15-minute taxi ride, Rigby opened the door to the small office and announced himself.
“I’m an outside contractor for the audit team at headquarters,” Rigby explained to Bell. “I just need to follow up on an exception we had on some routine audit testing of vendor files last month. Tell me a little about your supplier, Charity Smith.”
The blood drained from Bell’s face as her eyes started watering. Rigby knew he was on to something.
“Tell me what happened,” Rigby instructed.
“Charity is a longtime friend of mine since high school,” Bell began to explain. “She’s a single mom with two young children, and she helps me out from time to time when we have excess work and tight deadlines.”
During the course of his conversation with Bell, Rigby learned a lot about Smith. During the last three years, when the need arose for new print materials — from training manuals to quarterly product catalogues to promotional posters and banners — Smith was often called on to handle the design work.
Smith worked from her home office, often clocking late night hours so she could better juggle the demands of client work and caring for her children. She sent her finished work and weekly time sheet by email, which were reviewed by Bell, approved by Bell’s manager, and sent to accounts payable for payment.
After listening silently for almost 10 minutes, Rigby thanked Bell and asked one follow-up question: “Why are Smith’s payments mailed to your home address and deposited into your checking account?”
Bell replied without any hesitation, “Charity lives out in the country, and with taking care of the kids all day she has a hard time getting to the bank in the nearest town to make her deposits. It’s an hour of driving round trip to get to the bank and back, so once a month I deposit her checks into my account, withdraw the cash, and meet her half way for coffee and to give her the money.”
Bell said she had always intended to speak to her boss about the arrangement, just to make sure he was aware of the situation, but she never got around to it.
Rigby asked her to write down everything she told him. He explained that he needed something for his
Practices/Fraud Findings
To comment on this article,
email the author at john.hall@theiia.org
audit files to explain the exception, and that her write-up would take care of that.
As Bell wrote, Rigby called a manager in charge of the office from the next room and asked for permission to send Bell home. They agreed and called a manager from another office in Atlanta to come immediately to assist Rigby.
Bell wrote a 12-page report and confirmed verbally and in writing that it was all true. Before sending Bell home, Rigby asked her to get Smith on speakerphone so she could corroborate the report. Again, the blood drained from Bell’s face and her eyes teared up. She froze at the request.
These included a new car, paying off credit cards and a US$25,000 line of credit, new clothes, vacations, and a custom home with expensive high-end finishes and a custom spa room.
Bell’s manager was held responsible for signing dozens of fabricated time sheets and invoices from the three fake vendors. He trusted Bell and never checked the details.
Bell agreed to cooperate with the investigation and to make restitution. Her parents mortgaged their paid-off house to help, and her church took up a special collection as well. Just before her trial, Bell agreed to a plea arrangement that kept her out of jail.
Jonathan T. Marks
Thomas R. Fox
The International Standards for the Professional Practice of Internal Auditing (Standards) points out that although internal auditors are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud, they must possess the requisite knowledge to evaluate the potential for fraud — including corruption — to occur, along with the methods the organization uses to manage fraud risk. Enforcement actions by authorities in several nations provide valuable insight into the tools, processes, and procedures regulators expect organizations to follow to manage fraud risk. By reviewing such actions in the context of recent global anti-corruption trends, internal auditors can build the knowledge needed to meet their professional responsibilities.
Growing Roster of Enforcers
The U.S. has pursued foreign bribery cases more actively than other countries in recent years. U.S. authorities imposed sanctions against individuals and companies in 128 foreign bribery cases during the 15-year period covered by the Organisation for Economic Co-operation and Development’s (OECD’s) 2014 Foreign Bribery Report. Germany sanctioned individuals and companies in 26 cases, South Korea imposed sanctions in 11 cases, and Italy, Switzerland, and the U.K. each imposed sanctions in six cases. Four anti-bribery laws are notable.
U.S. The authority for most U.S. anti-corruption cases is the FCPA, which applies to all U.S.-based businesses, citizens, and residents. Moreover, the FCPA also governs any “U.S. issuer,” a broad term that encompasses all foreign companies trading on U.S. exchanges as well as any other company that is required to file periodic reports with the U.S. Securities and Exchange Commission (SEC). It also applies to foreign subsidiaries of U.S. companies and U.S. subsidiaries of foreign companies.
In addition to the anti-bribery requirement, publicly traded companies are subject to FCPA accounting provisions that mandate that the books and
records accurately reflect all transactions and internal control provisions that require companies to have appropriate internal controls to prevent, detect, and remedy FCPA violations. Internal audit has a separate role in testing the books and records, as well as in assisting with designing and implementing internal controls and then testing them.
German-based Siemens AG and Daimler AG, U.K.-based BAE Systems, France’s Total S.A., and Japan’s JGC Corp. are among the prominent companies that have been required to pay steep FCPA-related fines in recent years. As of the end of 2014, eight of the 10 largest penalties imposed by the U.S. government in FCPA cases were assessed on companies headquartered outside the U.S. Moreover, the Latin American Law & Business Report newsletter notes that, “foreign individuals and foreign companies that do not trade on U.S. exchanges can also violate the FCPA if they cause an act in furtherance of a corrupt payment within the U.S.”
U.K. Several other countries’ laws are even broader in scope. For example, the U.K.’s Bribery Act of 2010 applies to a wider range of companies and makes a greater array of conduct illegal than the FCPA does. It has authority over any company that engages in any business or part of a business in the U.K. In addition to prohibiting the bribery of both government officials and nongovernment individuals, the Bribery Act penalizes the bribe receiver, not just the bribe payer, as the FCPA does.
The U.K. act also prohibits de minimis “facilitation payments” for certain routine government actions that do not provide the payer with an unfair competitive advantage. A common example is the payment of a fee to speed up installation of telephone service by a state-owned telephone company. Practices such as this, regarded as a routine cost of doing business in some countries, are afforded an exemption under the FCPA but not under the Bribery Act.
Canada In 2013, changes Canada made to its Corruption of Foreign Public Officials Act aligned it more closely with the FCPA. However, in some respects, such as the prohibition of facilitation payments, the Canadian law is more similar to the U.K. Bribery Act.
Brazil Also in 2013, Brazil’s congress passed the Clean Company Act, which went into effect in January 2014. It is similar to the FCPA in that it targets
Sharper Focus on Foreign Bribery
In its 2014 Foreign Bribery Report, the OECD observed that “enforcement of anti-bribery laws has drastically increased” since the organization’s Convention on Combating Bribery of Foreign Public Officials in International Business Transactions took effect in 1999. The report examined 427 cases of bribery involving foreign officials over the past 15 years. Prison sentences were handed down to 80 individuals in connection with those schemes, and another 38 individuals received suspended sentences. Sixty-nine percent of the cases in the report were settled by sanctions imposed through plea agreements, nonprosecution agreements, corporate probation, or similar settlement arrangements. Altogether, 261 individuals and companies were fined, the report notes. The highest combined fine against a single company totaled US$1.95 billion, while the highest monetary sanction against an individual amounted to US$149 million.
Clearly, the stakes are high, but as OECD Secretary-General Angel Gurría notes in the report’s preface, “With bribes averaging 10.9 percent of the total transaction value, and combined monetary sanctions ranging from 100 percent to 200 percent of the proceeds of the corrupt transaction in 41 percent of cases, the business case against corruption is clear.”
Another factor behind today’s greater focus on corruption is the updated Internal Control–Integrated Framework released in 2013 by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Among the 17 principles spelled out in the revised COSO framework is the requirement that an organization consider the potential for fraud when it is assessing risks associated with the achievement of its objectives. These include possible acts of corruption by the organization’s personnel, outsourced service providers, and other third parties.
company was unprepared when Chinese officials accused it of using travel agencies to funnel bribes to doctors and officials under the guise of medical conferences and other events.
Although the cost of monitoring such payments would be high and would involve the tedious work of verifying numerous receipts and scrutinizing countless transactions for signs of fraud, the use of practices such as GSK’s to hide payments to doctors was a well-recognized risk. One lesson internal auditors can draw from the case is clear: If the risks for a certain pattern of corruption are well-known, a company must devote whatever resources are necessary to verify its compliance with relevant laws.
Avon Another case of bribery allegations involved cosmetic maker Avon Products Inc. According to settlement agreements with the SEC and the U.S. Department of Justice, the company’s Chinese subsidiary paid US$8 million in bribes to Chinese officials in 2004 in the form of cash, gifts, travel, and entertainment. The purpose was to gain access to officials who were drafting and implementing new direct-selling regulations in China.
The Avon case demonstrates the high cost of a failure by the internal audit function — in this case fines and investigative costs of more than US$500 million. The bribes reportedly were detected by Avon’s internal audit function in 2005 and 2006, but the company’s CAE at the time was persuaded to withdraw the internal audit report and destroy all evidence. This information was never presented to Avon’s board, which learned of the corruption only because of an internal whistleblower.
Petrobras CEO Maria das Gracas Foster and five board members have been forced to resign, and Brazilian President Dilma Rousseff has come under pressure because of her former role as minister of energy and president of the Petrobras board. The company’s former head of refining operations has told prosecutors that construction budgets for new projects were routinely inflated by 3 percent of their value to cover bribes and kickbacks, some of which were then routed to major Brazilian political parties. Another defendant has testified that more than a dozen of Brazil’s largest construction companies paid bribes to obtain contracts.
The case also has significant global implications. In addition to banks in Switzerland and the Cayman Islands, where funds allegedly were deposited, companies ranging from shipyards in
Partners in Assurance
A good relationship with the audit committee can enable CAEs to better satisfy its members’ expectations.
Russell A. Jackson
a different state of maturity with regard to the relationship,” Kirtley says. “To the extent the CAE and the audit committee chair have more experience with what works well, you tend to see relationships that are strong and improving. Experience really plays a key role.” And when the culture of the company recognizes the critical functions performed by internal audit, the CAE’s relations with the committee tend to improve, as well.
Also central to a CAE’s relationship with the audit committee is the nature of the reporting relationship between them; and there’s an aspect of the reporting relationship that the CAE can’t always control: the audit committee’s trust. CAEs can’t simply will such trust to life, but they can communicate their concerns. “If I felt the committee chair didn’t trust me, I’d be open, honest, and candid,” says Marc Woodward, director of internal audit at Hallmark Cards Inc. in Kansas City, Mo. “I’d say, ‘Tell me what it takes for us to have an open, trusting relationship.’ If there’s no trust, I can’t be his eyes and ears.”
Christy Decker, vice president of internal audit services at Sharp HealthCare in San Diego, sets the tone for her reporting relationship with the audit committee from day one with orientation for each new member. The new member, the CEO, and Decker meet to review examples of the reports they’ll receive and walk through the meeting’s structure and time requirements. That orientation allows for input, feedback, and questions at the outset, which has eliminated push-back from committee members. After orientation, Decker resumes ad hoc meetings with the chair and with other members — including occasional lunches. “Members change, and new members have different levels of internal audit expertise,” she comments. “Listen to their feedback and help them as much as possible with questions along the way.”
Setting the Parameters
A challenge from within is the reality that there is no formula for calculating how much information the CAE should provide to the audit committee. In almost
An Uncomfortable Relationship
For many CAEs, the external factor that has the most negative impact on relationships with
the audit committee is management. And it’s not always because management and the
audit committee have different expectations of internal audit. Many times CAEs find themselves
in a difficult position when, for example, their CEO is uncomfortable with the CAE’s tight
bonds with the audit committee chair or other board director.
Indeed, many CAEs have horror stories of meddling executives who seem to fear the CAE’s
close relationship with the board. Of course, such meddling can negatively impact that relationship.
“I’ve been flat out told that I had to tell management everything I was telling the audit
committee,” says Cathy Young, who has served as CAE for five companies. “A CEO insisted I
copy him on all correspondence with the audit committee. I said, ‘You’ve got to be kidding me.’”
CAEs can work around the problem by keeping the three-way lines of communication open
among the CAE, the board, and management, and by shoring up the audit committee’s trust
so that if things get ugly, the CAE knows the chair has his or her back. “At the end of the day,
it’s important that the CAE consider both the CEO’s and the audit committee’s perspectives,”
notes Alan Siegfried, an audit committee member at Mid-Atlantic Farm Credit in Westminster,
Md., and an adjunct graduate professor at the University of Maryland. He says he’s aware of
CEOs who require CAEs to rehearse their upcoming conversations with audit committees and
cautions against letting that become the norm.
CAEs shouldn’t leave management out, though. Melissa Frazier, vice president, audit and
controls, at Comfort Systems USA in Houston, assures audit committee members that “there’s
nothing I’m going to tell you that I can’t talk to — or haven’t already talked to — management
about.” In fact, when her committee asks her company’s external auditors whether they trust
the internal audit function for the unvarnished truth, they always answer, “Absolutely.” When
nobody’s talking behind anybody’s back, there’s no worry about superiors feeling they’ve been
deceived or, perhaps worse, left out of the loop.
in context,” so the committee knows whether an issue is a one-time concern or a structural matter that needs board-level attention, notes Melissa Frazier, vice president, audit and controls, at Comfort Systems USA in Houston. “I present the facts,” she says. “If they want to know my opinion, they ask. But I try to keep the discussion focused on the processes, whether they’re working or they’re broken.”
Absent a playbook for CAE–audit committee relationships, internal audit leaders need to provide enough information to facilitate the committee’s effective completion of its required tasks. If committee members want refinements to that information, they need to ask for it. Once the informational parameters are established, CAEs need to make sure they’re staying within them, and that requires precision in the delivery of internal audit services.
“Know what audit committee members expect and deliver,” says Kevin Cantrell, vice president, internal audit at Plains All American Pipeline, an oil and natural gas company based in Houston. “Not too much. Not too little. Be on target.” He accomplishes that by setting an agenda for each audit committee meeting — in consultation with the audit committee chair — that, at a minimum, includes updates from financial accounting,
“Listen to new audit committee members’ feedback and help them as much as possible with questions.” Christy Decker
“I try to keep the discussion focused on the processes, whether they’re working or they’re broken.” Melissa Frazier
valid expectations of internal audit that often don’t resemble those of the audit committee (see “An Uncomfortable Relationship” on page 36).
In general, audit committees look for compliance with company policy, generally accepted accounting principles, and IT security mandates, among other areas, Woodward says. The audit committee, he explains, “has a fiduciary responsibility to make sure that the company’s exposure to risk is at an acceptable level, and that includes making sure i’s are dotted and t’s are crossed.” Toward that end, the committee seeks formal assurance of management’s skill at wielding controls to effectively manage risk. Management, in most cases, is much more focused on ways internal audit can add value to the business and help it grow revenues.
Each entity wants both functions to be carried out — management wants internal audit to cover compliance; the audit committee doesn’t want to snuff out the department’s value-added activities — but neither may be aware of how important the other’s preferred function is. “Most management, outside of executive-level management, does not know about the audit committee’s differing expectations,” Woodward explains, “because they don’t have much interaction with the committee.” At the same time, he adds, the audit committee
“sees the value-added activity and may wonder why you spend so much time on it, so I explain that it’s also a part of our job. They’re all for that.”
Indeed, he says, when internal audit departments really try to serve both masters, relations between CAEs and audit committees tend to work out just fine. “Work hard to make sure compliance is where it needs to be, so the audit committee is comfortable, but remember that in every audit and in every interaction with other parts of the business, one goal is to add value,” Woodward comments.
Tips for Good Rapport
Communication underlies almost every aspect of the relationship between CAEs and their audit committees, and internal audit practitioners cite robust communication over and over as the key element to a good rapport between the two parties. “It keeps coming back to communication,” Decker says. “You have to keep in contact and allow for open, flowing communication. Be a great communicator. And keep smiling.”
Take the Initiative If CAEs want to know how to improve their relationship with the audit committee, they should ask. “Every quarter, when I have a session with the audit committee, I ask, ‘Am I giving you the information you need?’” Woodward says. “‘Too much? Too little? What can I do better to make your job easier and make you more effective?’ Don’t try to guess. Ask.”
Focus on Details as Needed CAEs should ask the committee if they’re sending too much information, or sending it in the wrong way. Do they send every audit report and expect board members to read all of them? That may be too much. Should the reports contain more graphics and more color? They may not be holding the committee members’ interest. “Develop a trusting relationship and they’ll tell you,” Woodward says. “I’m very open to that, and I ask for it.”
Discover Their Needs CAEs should remember that reports are designed for committee members to use, not for CAEs to show their expertise and comfort with details. That disconnect may explain part of audit committees’ frequent complaint about internal audit failing to meet their information and assurance needs. “It’s good to ask the committee members if you’re meeting their needs and if there’s anything you can do to improve their understanding of the information,” Kirtley suggests. “When you ask for input like that, you’re showing that you’re there to service them with what’s best for them — rather than just giving them what you think they want you to produce.”
Make Things Easy If audit executives follow the business maxim “Service your boss,” then making the audit committee’s job easier should be the CAE’s main goal. “Everyone always hears about the workload of the audit committee, how much members are expected to do, and the amount of material they’re expected to cover,” Kirtley says. “Anything you can do
“I ask the audit committee, ‘What can I do better to make you more effective?’” Marc Woodward
Internal Audit in the Crosshairs
A new CAE was hired at a governmental agency following the previous CAE’s
departure over conflicts with management. The agency granted various types of
licenses to other organizations and maintained a zero-tolerance policy for bribery.
Shortly after taking the helm, the new CAE became aware of a significant and likely
ongoing bribery situation involving a key agency employee. The CAE knew the issue
was important and determined that it should be reported to both management and the
board, consistent with legal requirements and agency policy.
A strong-willed CEO led the agency and dominated the board. There was no audit
committee. When the CAE indicated the need to report the bribery to the board, the
CEO and the chief legal counsel rejected the idea. Their rationale included:
»» It’s not a big deal — paying these bribes is no different than providing a tip at a restaurant.
»» The board would not be interested in this situation, nor would it understand the context.
»» The board would not know enough to judge risks, and reporting the events would create confusion.
»» Everyone would look bad if the situation became known.
Nonetheless, the CAE continued to insist on issuing a report. Negative consequences ensued, including the threat of
a personal investigation from the human resources director and exclusion from organizational meetings and functions.
These actions had a personal impact on the CAE, who had trouble sleeping and suffered family stress because
of the long working hours and pressure of trying to meet professional obligations.
After seven months, the CEO agreed to formally report the problem to external authorities. A prosecutor was
presented with the evidence, and the employee was indicted for accepting bribes. Neither the CAE nor the CEO
reported the incident to the board directly, although the board became aware of it due to the legal action.
Excerpted from The Politics of Internal Auditing.
will experience political pressure in the organization at some point in their career. Fortunately, numerous key practices and skills can help avoid, mitigate, or deal with these pressures.

Courage, Credibility, Trust
To be effective and credible, CAEs must be willing to identify and explore difficult issues, collect sufficient evidence to support conclusions, discuss the conclusions — even in conflict — and maintain an unwavering stance when others apply pressure. If CAEs do not adhere to their principles, they lose credibility and most likely will experience the same political pressures repeatedly. Practitioners need to define the line and criteria whereby they resolve to stand their ground. “Weak Governance Spells Trouble for Internal Audit” on this page provides an example of a public sector CAE’s courage and firm stance in the face of significant political pressure.

CAE participants in the IIARF study offered several suggestions for maintaining credibility, respect, and trust:
»» Raise the right issues. CAEs must understand the organization; strategies, objectives, and priorities; and associated risks and mitigation activities to effectively judge the significance of issues identified.
»» Listen fairly and objectively, but remember your ethical compass. While remaining independent, CAEs must be open to hearing the other side and considering the views and rationale of those who disagree with internal audit.
»» Build and maintain a strong team. A strong, professional team understands The IIA’s International Standards for the Professional Practice of Internal Auditing; knows how to plan, execute, and document audits; demonstrates professional skepticism; collects sufficient evidence; takes pride in the quality of its analyses; and remains calm and poised under fire.
»» Provide fact-based conclusions with clear business implications. Internal audit must clearly establish the factual audit results — they should not be subject to disagreement. However, management may disagree with the impact of those results and the CAE’s subjective conclusion. When presenting results, internal audit needs to be effective at identifying and communicating the impact of its findings and focus on business implications.
»» Play on the same team as management. Several CAEs noted that it is never a bad idea to remind a manager who adamantly disagrees with an audit observation that both parties are on the same team. Demonstrating how audit findings relate to organizational objectives helps defuse challenging situations and earns long-term credibility.

Anticipating Pressure and Understanding Motives
Effective CAEs from the IIARF study say they consider how they will handle political pressures before they actually occur. Some suggest having a discussion with the audit committee and the CEO about potential pressures and developing an understanding of the role of the audit committee in such situations.

CAEs who say they successfully navigate political risk also often have a decision framework for stressful situations. They think ahead to identify decision criteria that are relevant and important. One CAE respondent shared criteria for determining when to quickly escalate a finding:
»» Any time lives may be in danger.
»» Any time there is a significant reputational risk to the organization.
»» Any time it is financially material to the organization.

When an important business issue is identified, members of the internal audit team should also determine who is involved and what would concern them if they were in that role. Understanding other perspectives can help identify approaches to mitigate political risk.

Key Relationships
The personal relationship among the CAE, the audit committee chair, and the CAE’s administrative report is a critical factor in dealing with political pressure. A solid relationship built on quality work, demonstrated business acumen, shared objectives, reasoned judgment, and impeccable integrity means executives are much less likely to distrust or dismiss a CAE who raises valid concerns. Organizational knowl-

internal audit may preempt pressure from occurring.

When meeting with executives and the board, CAEs should go beyond routine interactions. Respondents to the IIARF study shared several suggestions, ranging from quick and informative reporting to developing programs that help the board or audit committee members better understand new risks — or even leading educational programs on emerging topics such as the

CEO Expenses: Personal or Business?
The CEO at a major U.S. manufacturer had adopted a lifestyle that he felt was commensurate with his role as a company executive. During an audit of customer-related expenses, internal audit found that nearly US$1 million of the CEO’s personal spending was billed to the company inappropriately. The expenses included vacation trips for the CEO and his spouse and parties at his home.
The organization’s CAE reported functionally to the audit committee and administratively to the chief financial officer (CFO). The CEO was a strong figure who had placed like-minded individuals in officer roles, ultimately leading to a team of “yes men” who believed their first job was to protect the CEO. Moreover, the company had recently experienced a major change in governance with considerable turnover on the board, including the loss of a very supportive audit committee chair who was replaced with one who had less interest in internal audit.
The CAE shared the expense-audit findings with the CFO, who in turn discussed them with the CEO. The CEO subsequently offered to pay back the expenses, but estimated the amount due to be a small fraction of internal audit’s finding. The CFO wanted to accept this payment, close out the audit, and inform the audit committee — without a special report. But the CAE continued to push for full repayment, based on the team’s detailed analysis of the data.
Eventually, full repayment was made. Less than a year later, however, the CAE was asked to move to a different position and was subsequently “eased into retirement” after more than 20 years at the company. The CAE believes these actions were taken in retaliation for the expense audit.
When sharing this story, the CAE expressed amazement at how quickly corporate culture can change with a shift in senior leadership. For many years, the CAE said, the organization had a positive culture with strong values. But the tone at the top deteriorated rapidly, and management began focusing on protecting individuals instead of the company and its stakeholders. The CAE emphasized the need for preparedness in anticipation of such change. Despite having a passion for the organization, the CAE considered changing jobs after the shift in tone at the top, but ultimately took the early retirement offer instead.
Excerpted from The Politics of Internal Auditing.
At a major retailer, the CEO asked the CAE to audit an executive’s travel and entertainment expenses. Upon asking what prompted suspicion of policy violations, the CAE was told there were no known or suspected breaches. Instead, the CEO said the executive was ineffectual and hoped internal audit would find evidence to support termination.
After examining the situation, the CAE determined that an audit was not warranted.
The motives for the audit seemed unethical and would divert audit resources from
risk-based work. The CAE declined the CEO’s request and advised that it conflicted with
internal audit’s overall purpose to provide independent assurance that governance, risk
management, and internal control processes are operating effectively. The CAE also recommended addressing the
performance issue through the company’s established performance improvement protocols.
When relating this account, the CAE pointed out that buckling under political pressure invariably undermines the
internal audit function’s ability to live up to The IIA’s definition of internal auditing and to its International Standards
for the Professional Practice of Internal Auditing. It would also undermine internal audit’s credibility and its ability to
stand up to future pressures that may be exerted. The CAE added that this type of pressure directly conflicts with the
concepts of independence and objectivity; internal audit’s commitment to taking a systematic, disciplined approach to
gather and analyze evidence; and its ability to address key risks and help the organization achieve its objectives.
Excerpted from The Politics of Internal Auditing.
independent reporting line. The charter should be reviewed with management and the audit committee, and should document internal audit’s unique and valued role, authority, scope, and reporting relationships, as well as executive and board expectations.

The CAE’s status also plays an important role in minimizing political pressure and establishing a foundation of support for the audit function. The right level of organizational clout is necessary to stave off political risks and lend authority to audit findings. It is hard to imagine a CAE standing up to an executive vice president on an issue when the CAE reports administratively to a mid-level manager and rarely has access to the audit committee or the executive suite.

Sound Judgment
Sound business judgment builds respect for the internal audit function. The CAE must decide which battles to fight and be able to determine the difference between major and minor issues. Raising minor points or overlooking significant but controversial issues — or choosing not to report them — opens the door to future pressure. “Executive Witch Hunt” on page 44 describes how one CAE used sound judgment to help withstand pressure from the organization’s CEO.

Internal audit must also demonstrate effective judgment to determine the level of evidence needed to support conclusions. More substantive testing on large issues may be necessary to ensure auditors have sufficient facts and persuasive information. Issues need to be compelling, clear about implications and risks, and based on solid data.

Board and Audit Committee Effectiveness
Independent and effective boards and audit committees are crucial to managing political pressure. In some situations, however, board members empathize with managers whose backgrounds are similar to their own, deferring extensively to management while too readily dismissing the CAE’s concerns. CAEs need to have a frank discussion with the board/audit committee and management, in advance, regarding approaches to responding to political pressure.

When a politically charged situation arises, the board/audit committee needs to be objective and knowledgeable about the risks to the organization. It also needs to understand the challenging role of internal audit and have sufficient experience and judgment to exercise its fiduciary role. The IIARF study found several examples of nonexistent or ineffective audit committees, particularly in areas such as governmental units or smaller businesses.

Communication Skills
The CAE and audit team must be sensitive and effective communicators when dealing with a politically charged situation. Awareness of who is, or may be, affected by the audit findings and an understanding of their viewpoints are essential to handling political pressure. Learning how to communicate well in negative situations can be the difference between success and failure.

The tone for an audit is set with the first communication management receives about the role and objectives of internal audit. Proactive CAEs explain why the audit will be performed and the advantages to everyone concerned. They lay the right groundwork so that management understands the risks that will be assessed, and that internal audit is working to find mutual areas of interest — such as managing risks to achieve objectives. As issues are identified, CAEs need to communicate timely, at the right level, and in the right way.

An Organizational Constant
Due to the nature of organizations — and our basic human desire to succeed and be respected — political pressure will always exist. The good news is that a proactive approach can be implemented in most situations to mitigate political pressure effectively. The mitigating factors all start with a strong corporate culture that embraces clearly defined organizational governance and values, competence, and objective, fact-based discussions and decisions.

But the onus lies not just with the organization — internal audit must assess itself and determine whether its value proposition is understood by, and aligned with, that of its clients. Moreover, the CAE must build and staff a strong function that provides that value. The CAE needs to possess integrity and gain credibility and respect by understanding the business, building relationships, demonstrating objectivity and good judgment, and communicating tough issues fairly and thoughtfully.

Addressing political risk is not an easy task. But it is essential to the success — and even survival — of the internal audit function, and the organization it serves.

Addressing political risk is essential to the success of the audit function.

Patricia K. Miller, CIA, QIAL, CRMA, CPA, is owner, PKMiller Risk Consulting LLC, in Reno, Nev.
Larry E. Rittenberg, PHD, CIA, CPA, is professor emeritus at the University of Wisconsin in Madison and former Chair of The Committee of Sponsoring Organizations of the Treadway Commission.
Diversity
A Focus
People
on
Arthur Piper
“If you are going to be a global player in today’s workplace, you must embrace diversity in a big way,” Phyllis James, executive vice president, special counsel for litigation and chief diversity officer for MGM Resorts International, the global hospitality business, says. And the organization has done just that — winning a raft of awards, including top ranking places for its diversity and inclusion activities from the Women’s Business Enterprise National Council, Hispanic Business magazine, Black Enterprise magazine, and the Association of Diversity Councils, to name just a few. James is the first to point out that reaching this pinnacle — and working to sustain this level of achievement — has involved hard work, money, and a huge commitment from top management downward.

The benefits of these efforts are also evident in the transformation of MGM’s internal audit department. Today, with a staff of 82 people, the internal audit department employs geography, technology, and mathematics majors, and people with construction and architectural backgrounds, among others, to better reflect the organization’s activities. Moreover, Bob Rudloff, MGM’s senior vice president of internal audit, has become one of the biggest champions of diversity initiatives in the organization.

A BUSINESS IMPERATIVE
In 2000, Terry Lanni, the late chair of then MGM Mirage, was the first to recognize the need for the company to establish a formal diversity policy. That year, he spearheaded the company’s diversity and inclusion initiative, which was given impetus during the development of a resort in Detroit. Lanni realized that if MGM was to successfully expand into other parts of the U.S. and further abroad, the company would have to embrace greater diversity across the board — in terms of employees, business partners, and customers. The company launched a massive communications and training initiative, called the Diversity Champion Workshop, to explain why diversity and inclusion is so important to the business — a program that still exists.

“We have an operating principle that everybody who is a manager — from the chairman down to the first level of management — must complete this workshop,” James says. Initially, that meant pushing thousands of people through the program — no easy task. But while many organizations reach this point, Lanni went further by insisting that diversity and inclusion is treated like any other business initiative. That meant formal strategic planning, quarterly status reports, and establishing a designated diversity officer with a department to support the program.

“A lot of companies stumble because there is no muscle behind their beliefs,” James says. By comparison, every business department at MGM Resorts International — from supplier and construction to human resources and public relations — is required to report annually to the board of directors about how they have integrated diversity and inclusion into their businesses. Those results are directly linked to the compensation system for the management group.

NO OPTING OUT
Like most corporate initiatives, the diversity and inclusion program met with plenty of skepticism and apathy in the beginning. James says one of the biggest obstacles lay in persuading key influencers in the business that this was not just management’s most recent flavor of the month. The answer was tough leadership. “Our chairman and entire board of directors took this up as a fundamental initiative and said, ‘This is not negotiable by anyone in our company and no one gets to opt out,’” James says. “Leadership was extremely important in anchoring this in our culture and our business operations.”

The Supplier Diversity Program was introduced to help minority- and women-owned businesses become competitive providers of their products and services. “They were sitting there under our noses and we had just never looked at them before,” James says. Pulling from a wider supplier base made the company more competitive, she says, and helped persuade managers that the diversity and inclusion program was there to help rather than hinder their work.

James also credits the program with being one of the key drivers to making the 2000 merger with Mirage Resorts and the 2005 US$7.9 billion acquisition of Mandalay Resort Group work. Numerous studies have shown that such mergers look good on paper, but often fall apart because the separate cultures do not gel as a single entity.

The inclusion message became a unifying platform for the three very different organizations, James says. “The fundamental message of our diversity and inclusion initiative is mutual respect, regardless of race or ethnic origin, regardless of where you came from and what company you used to be with,” she says. “It has become a powerful, unifying force for understanding that we are a part of one whole company, that we are all dedicated to one mission — which is to provide world-class guest services to the people who come to stay with us, or who entertain with us. That message has become embedded in our culture.”

DIVERSITY CHAMPIONS
The internal audit department is responsible for auditing the accuracy of the diversity data that the program generates and that is publicly reported. Given the prominence of the initiative within the organization, Rudloff says that when he first stepped into the role 12 years ago, the CEO emphasized audit’s role in challenging the data to ensure figures were correctly stated. But internal audit’s involvement with the program goes way beyond verifying data.

When Rudloff joined the internal audit function, it had a staff of

“We needed some diversity of thought on the team to bring us fresh ideas.”
Bob Rudloff

Diversity of Thought
“The real value of diversity in the global marketplace today is not just ethnicity, not just gender, but also the diversity of thought that allows a company to truly innovate,” says Larry Harrington, vice president of internal audit at Raytheon, a global defense and security company, and champion of The IIA’s Diversity & Inclusion initiative.
Traditionally, many professions — internal audit included — have tended to attract people of like minds, schooling, and backgrounds, he says. But the danger of this trend is twofold. First, it creates monocultures that are insular and conservative in the way that they think. Second, people from minority cultures feel invisible in such organizations and often leave because their views are not heard or acted on.
“It’s no secret that internal audit has tended to predominantly attract people with financial and accountancy training,” he says. “But if the profession is to have breakthrough thinking, it has to surround itself with people who don’t all think in the same way.”
Harrington says he is not a believer in reverse discrimination, promoting people purely on the basis of their race or gender to hit inclusion quota targets. However, Raytheon’s internal audit department has enviable inclusion and diversity statistics. Half of the team are women and 25 percent are people of color — and there are similar proportions of people with these attributes in the internal audit leadership team.
Instead of using quotas, Harrington says he has recruited from non-typical places, such as the National Association of Black Accountants for financial staff, other parts of Raytheon for people with expert business knowledge, and to novel places to acquire the skills the internal audit function needs.
Before working at Raytheon, for example, Harrington worked as head of audit at a life and health insurer. He decided to hire two female nurses who knew the health industry from the inside. “People thought I was a bit crazy, but those nurses were able to give internal audit insight into things we’d never looked at before, to better improve process, streamline efficiencies, and reduce costs.”
He says when he reaches out to minority groups about what he is trying to achieve in the internal audit department and what Raytheon is trying to achieve, the message is generally well received. “I’m able to attract really high-quality people because they want to be part of an organization that has upward mobility, that will invest in them, and in which they’ll feel respected and included,” he says.
Raytheon’s diversity and inclusion efforts have won it accolades. In 2014, for example, the Women’s Business Enterprise National Council listed the business as one of the top corporations for supporting women’s business enterprises — specifically through its supply chain procurement. The same year, it ranked eighth in the top 50 U.S. organizations for providing multicultural business opportunities.
From 2010 to 2014, Harrington headed this initiative as Raytheon’s executive diversity champion. He credits his time in that post, during which he met thousands of people, with helping him build companywide trust for the internal audit department. It has not only helped him recruit from across the organization, but it has made people understand that Harrington and his team are on their side.
“If you truly have a brand that says ‘we’re here to help’ — if they believe it, they are going to use more of your services,” he says. “And if when they use your services, you have such a diversity of people that you are truly able to relate to their way of doing things, think about things differently, and bring solutions to the table they never thought about, then they want more.”
“The makeup of my team now represents the employee work base and it allows us to engage better with our employees at all levels,” he says. “Sometimes it takes getting a conversation going in someone’s own language so they don’t feel threatened by us as the auditors coming in to deal with them.”

WALKING THE TALK
Two years ago, Rudloff made a personal challenge to members of his team to go through the organization’s Diversity Champion Workshop. This workshop is now seen as a rite of passage for all who become managers. But Rudloff wanted to go further, to encourage team members at all levels of seniority to participate.

“Audit team members interact with people in different parts of the business through the workshop and develop relationships that can last through their careers,” Rudloff says. “On the other side, people in the business develop relationships with internal auditors and see that we are not bad guys.”

“My involvement with [the groups] has quickly allowed me to expand my professional network.”
Jerry Hancock

“My role has been to proactively consider potential objections and decide to keep interactions positive.”
Yakima Brookins

national currently runs 15 different employee network groups. People of like minds, backgrounds, and interests communicate with each other and feed their concerns and ideas into the organization via these networks. Rudloff encourages his team to be active in these groups. In fact, he says, internal auditors hold more network leadership positions and offices than other departments in the organization. Rudloff chairs the interfaith group, for example, and Jerry Hancock, senior internal auditor at MGM Resorts, is actively involved in the Veterans and lesbian, gay, bisexual, and transgender (LGBT) employee network groups. Participation in the network groups has multiple benefits, including individual development, the opportunity to contribute to the business, and networking.

“My involvement with the company’s Veterans and LGBT employee network groups has quickly allowed me to expand my professional network while developing stronger relationships in the company,” Hancock says. “As I continue to build trust and expand my network, I gain greater influence, which provides more opportunities to contribute value to the company.”

Hancock says that the company’s diversity training made him reflect on the business’ motto, “You don’t have to be one of to stand with,” which means that you do not have to belong to a particular demographic to support equality.

“During the two-day Diversity Champion workshop, we did an emotionally charged activity that underscored that fact,” he recalls. “It involved identifying harmful stereotypes and associating them with actual people in the room. The objective was to show the tremendous power that words can have while reinforcing the idea that, when united, people can make a difference.”

He says this experience has made him think more about the stereotypes that people may have about internal audit — such as seeing them as the company police. That has made him strive to conduct himself in ways that aim to change other people’s perceptions of his audit work and of the internal audit profession.

Audit staff members also are involved in the broader enterprises under the organization’s corporate social responsibility initiative, including environmental sustainability and community engagement. “When they go out to our different business units to audit, they are now naturally seeing things from a sustainability standpoint, for example,” Rudloff says. “They often have very untypical internal audit input into what they see going on in our business. It’s created a mindset beyond the narrow scope of what internal auditors do, which is of great benefit to the business.”

A BROADER VISION
This broader view, the creation and acceptance of diverse and unexpected viewpoints, is the real goal of MGM’s diversity and inclusion initiative. As Lanni realized in 2000, the company’s future success depended on its ability to innovate and empathize in equal measure. To be a 21st century company in a global market requires the wide-ranging, inclusive outlook that diversity enables.

Arthur Piper is a writer who specializes in corporate governance, internal audit, risk management, and technology.
North American Board
Make Your Mark
The new chairman of The IIA’s North American Board, Mike Joyce, says now is the time for internal auditors to step up, be recognized, and have an impact.
Photographs by Alyssa Schukar
facilitate review and mitigation of key risks, including those with the finance, IT, human resources, and legal departments. Periodic lunches or meetings with relevant personnel, when there is no specific audit to discuss, go a long way toward establishing long-term rapport.

We are unique given the dual accountabilities we have for internal audit and our internal ethics/compliance program. We must be careful to acknowledge and work to lessen the possible blurring of identity between the second and third lines of defense, as well as ensure that our Finance & Audit Committee is comfortable with the objectivity that has been established. I have often spoken about the merits of audit functions building strong relationships with their compliance functions if they are separately organized, as there is a strong mutual benefit to working together to identify risk management opportunities.

That collaborative approach will not be successful, however, without a deliberate and continuous effort to establish the audit function’s credibility, objectivity, and integrity and a mutual focus on the success of the organization. Industry knowledge can be acquired through specialized training and on-the-job experience, but auditors who are respected within their organizations also seek to contribute in other ways. For instance, volunteering for special corporate task forces, employee social events, or charitable initiatives allows the auditor to interact with employees in a nontraditional, nonthreatening environment. The most impactful audit observations often result directly from employees who, based on the rapport and trust previously established by the internal auditor, volunteer information.

Establishing strong rapport and visibility with the audit committee and senior management, as well as reinforcing the professional and standards-driven orientation of the internal audit function, help foster a corporate culture where internal audit is respected and has earned a seat at the table. The ability to proactively identify and prioritize corporate risks, maximize finite audit resources through efficient and innovative audit techniques, and develop value-added recommendations for enhancing operations to help management achieve its objectives are tangible metrics internal auditors can demonstrate to make their mark within their organization. At BCBSA, we build an annual plan as a guide for addressing identified risks; however, we continually adjust that plan as necessary to react to

The IIA North American Board
The North American Board is charged with overseeing all IIA operations in the U.S., Canada, and Caribbean through providing strategic direction and guidance to Institute staff. These responsibilities include establishing membership rates and approving annual budgets; approving new chapter formations/chapter dissolutions; providing for an extensive volunteer structure to support local, regional, and national IIA activities and training programs; and establishing reporting and control requirements to promote consistency among chapter volunteer leadership.
Early in 2015, the North American Board went through an intensive strategic planning session to ensure that its core purpose and 2015–2020 strategic goals were appropriately aligned with the revised IIA Global Strategic Plan, while focused on the unique needs of the North American membership. In fact, the refinement of our core purpose — to advance the internal audit profession and serve our members — reiterates the Board’s commitment to ensuring that all of our efforts continually provide value to our chapters and our members. The four North American goals that were crafted — Professionalism, Advocacy, Sustainable Value, and IIA as Leader — are being finalized with specific tasks and expected outcomes that members should be seeing and experiencing as part of our messaging and communication outreach efforts over the next several years.
“Chicago is a great city, and it has been my home for 20 years. However, I will always be a proud native of Pittsburgh and a lifelong Steelers fan. I also have a passion for music. While working both in Dallas and Chicago, I performed in bands with my fellow internal auditors and played in a variety of local venues. Drumming and playing guitar with staff members who are talented auditors and musicians has enabled all of us to fully embrace the ‘auditor as rock star’ mantra, if only for a few hours at a time!”
Becoming involved with The IIA is obviously a great opportunity for internal auditors to get more invested in the profession. I was encouraged to volunteer for the IIA–Dallas Chapter shortly after becoming an IIA Audit Group member in 1989. That first committee assignment has led to an almost unbroken string of committee, officer, and local board roles. I served as the Chicago Chapter president in 2001-2002. I also have served on various international and North American committees and assignments since 2003. The friends I have made along the way continue to be valued resources and mentors. I encourage all members to make their mark through becoming involved with their local IIA activities and helping grow the next generation of audit leaders.
The IIA’s long-standing motto, “Progress Through Sharing,” is achieved when we realize that what we put into a volunteer role comes back to us manyfold in the form of resources, friends, and the support of a network of experts. Often overlooked, however, is the benefit to our own skills when we achieve results in a volunteer role through persuasion, organizational acumen, and the ability to complete tasks through peer motivation, rather than through designated management authority.
In the Community
It is important that internal auditors also make their mark in their communities, as this helps expand the reach and awareness of the profession. Whether through activities for our children, or through our own favorite hobbies or civic causes, we can serve as role models and representatives of the internal audit profession and make our mark by sharing our skills, talents, and enthusiasm in a variety of ways. For many people we encounter, it may be the first time they have ever met or come to personally know an internal auditor, so we need to make those connections count.
Internal auditors have many skills that would be extremely useful in a variety of local community volunteer or charitable groups. Through their financial acumen, ability to suggest reasonable controls, or strategic business sense, internal auditors can help community organizations achieve their objectives more effectively. Internal auditors can give back in many ways. Serving as the treasurer of a private school board taught me more quickly about internal politics, especially when it came to raising tuition rates, than years in a corporate environment alone ever could. These outside activities can help to better prepare us for our corporate roles.
The Year Ahead
In my year as chairman of the North American Board, I plan to work closely with IIA staff, chapter leaders, and individual members to ensure that we are making our mark in the services that we provide. I intend to continue to advocate for the great work and critical role of internal audit professionals. I plan to fully engage our volunteers in helping to implement the new North American Strategic Plan and will work to help our members realize their full potential and make their mark.
Mike Joyce, CIA, CRMA, CPA, is the chief auditor and compliance officer at Blue Cross Blue Shield Association based in Chicago.
Strategic Alignment
Jason Pett
To comment on this article, email the author at jason.pett@theiia.org
In periods of transformation, it is critical for the internal audit function to remain relevant and risk focused by concentrating on the right risks at the optimal time in the process. Internal audit can execute against that mandate through proactive involvement in strategic initiatives.
SETTING ITSELF APART
At those organizations where senior management and the board see internal audit departments as contributing significant value to their companies, internal audit is more often involved in the most important business initiatives. In fact, according to the PwC report, these internal audit functions are involved in transformational initiatives up to twice as frequently as their peers. Among those functions viewed as contributing significant value to the business, many are involved in key areas, ranging from the implementation of new privacy and security strategies, to cost-reduction initiatives and new product and service development.
There is a clear correlation between stakeholder perception of value and proactive involvement from internal audit on strategic initiatives. As such, nearly half of highly valued internal audit functions are providing that proactive perspective compared to 19 percent of less-valued internal audit functions.
This does not mean that internal audit is providing input on what the strategic initiatives should be. Rather, internal audit is proactive in providing input on risks related to critical company initiatives and in advising on processes, governance, and controls ahead of the risks’ occurrences.
Areas in which more than half of highly valued functions are “ahead of the risk” (or providing a proactive perspective on risks that arise from strategic initiatives) include innovation, marketing and sales strategies, increases in risk management and compliance investments, changes in technology, geographic expansion, and even the overall business model, itself. The same correlation is evident at the other end of the value spectrum, with those functions not adding as much value more often involved reactively in initiatives — by auditing processes and controls after risk occurrence.
PROACTIVE INVOLVEMENT
As leading internal audit functions align more closely with the strategic direction of the company and provide proactive perspectives on risk, stakeholders quickly realize that the value internal audit brings is measured by the risks that are identified, discussed, and effectively mitigated or accepted while moving the organization forward — or by the speed at which decisions can be made with a more holistic understanding of risk — rather than the number of audit reports issued or findings identified.
Proactive advice can present in many forms. Through close involvement, internal audit has a constant presence within the business. If an audit plan is in place, it should be flexible and constantly evolving, depending on the risks facing the organization. Advice doesn’t necessarily have to emerge in the form of an audit, and communication doesn’t necessarily have to appear in a traditional audit report. Highly valued internal audit functions are consistently taking four steps to ensure their involvement:
1. Participating regularly in strategic planning discussions with company executives to keep internal audit’s efforts aligned with the direction of the business and to prompt pertinent risk discussions
early on. Organizational goals are actively changing, and regular participation in strategic planning discussions helps internal audit provide proactive guidance on new initiatives, as well as plan how it will deliver future value to the organization.
unit. As a consistent point of contact for the business, auditors build relationships and establish an open communication channel through which they build business acumen and provide advice on risks on an ongoing versus periodic basis.
result in enhanced efficiency — the lines of defense have better visibility into the information produced by the other lines, and as a result are better able to leverage their work.
4. Building stakeholder support from the top. Internal audit’s
above expectations and engage with the business in innovative new ways. When internal audit and its stakeholders work together to determine how and where internal audit should be contributing, it can result in not only better alignment to the overall business objectives and direction, but also efficiency and greater value derived from internal audit deliverables.
THE RIGHT TALENT
It is clear that to consistently add value and execute on the strategy of aligning the internal audit function to the business and to the business’s strategic initiatives, the function must comprise resources with deep business acumen and both industry and technical skills. Without a foundation built on the right talent, the function is limited to executing only up to its existing capabilities — not striving to deliver the value it should. Top performing talent enables internal audit to focus on the risks associated with the strategic direction of the business so it is sought out as a major participant in the business’ strategic initiatives.
BUILD A ROADMAP
Even though most internal audit functions have identified the need to evolve their departments in some way — by managing new risks, adding new skills, collaborating with other risk functions, and applying technology — few have a plan in place to attain those objectives. Without such a plan, it’s difficult to stay clear on internal audit’s vision and mission and take the necessary steps to evolve the function. Internal audit should begin with a roadmap.
Internal audit can move toward more proactive involvement in strategic initiatives today. Concurrently, it can initiate a strategic planning process that advances its capabilities in alignment with broader business imperatives. Internal audit then has a roadmap from which it can develop talent, drive better alignment, invest in technology, and deliver even greater value.
JASON PETT, CPA, is the U.S. Internal Audit Services Leader in Risk Assurance Services at PricewaterhouseCoopers in Baltimore.
Internal audit functions are innovating and aligning with critical business strategies in diverse ways. Departments are adapting to the changing risk environment to remain valuable contributors to the business.
» At a financial institution, involvement in strategic initiatives goes hand-in-hand with working across lines of defense. Internal audit meets regularly with risk management, compliance, and other second-line-of-defense leaders to discuss work being performed, synergies that may be accomplished, and where they can better align. In collaboration with enterprise risk management (ERM), internal audit follows the ERM framework and assesses emerging risks for the organization. As ERM identifies risks, internal audit is part of the evaluation process and can provide input about other potential emerging or key risks to the organization.
» At a financial services company, internal audit has purview over all key initiatives but is not actively involved in every one of them. Internal audit rates the risks associated with initiatives and engages more deeply in those with the highest residual risk. Internal audit reviews project plans and milestones, reports to management and the audit committee, and provides an independent perspective on the status of the key initiatives and the risk profile as they progress.
» One health industries organization is significantly increasing its use of outsourcing to third parties for cost management and progressively entering into growth-focused joint initiatives. As those programs launch, internal audit becomes engaged early in each process. For example, because intellectual property is shared between companies in the joint initiatives, internal audit assesses the third party’s processes and controls for their levels of data security and privacy. As the number of such programs increases, internal audit reallocates its resources and shifts its skill sets to monitor the new risks associated with those relationships.
» Internal audit’s involvement in major initiatives at a retail and consumer organization starts with meeting with the strategic initiative owners and facilitating working sessions focused on possible new risks embedded in each initiative. The focus in these sessions is on identifying risks that could significantly affect the company and on defining specific mitigating strategies. Once the business has determined the metrics that will define both the success of the initiative and the management of the risks, the metrics get evaluated by internal audit and then monitored quarterly.
» Proactive involvement depends on internal audit’s awareness of initiatives and engagement with stakeholders. To accomplish that, the internal audit function of one technology company follows a matrix organization structure with resources aligned by product and business process. That specialty enables the internal audit team leads to foster deep relationships with the product teams, keep active vigilance on the business, and more effectively understand and identify new and emerging risks.
Insights/Governance Perspectives
assessing risks.
In the early days of my career, I was given the opportunity to lead an entrance conference to kick off an audit. It was on that day that I met my first U.S. Air Force general. After I enthusiastically went through my slides, the general said to me, “Do you know who you auditors are? You’re the ones who come in after the battle to bayonet the wounded.” As a young auditor, I felt crushed. I did not see my profession or myself that way. I was truly there to help improve things. Now, after having been an internal auditor for more than 23 years, I look back and think that the general may have gotten it, partially, right.
Traditional audits tend to be retrospective. Internal auditors come in six months or a year after a project (battle) has ended — after the tough decisions have been made and the hard work completed — and second-guess (bayonet) management (the walking wounded) all with the benefit of 20/20 hindsight. Aside from the resentment and distrust this breeds with management, we need to ask ourselves whether retrospective auditing really improves our organizations.
Internal audit needs to shift from a retrospective audit/compliance focus to proactively assessing emerging risks to remain relevant and provide value to our organizations. Although retrospective auditing has an important role in helping ensure that controls are working, some of the biggest threats to our organizations are those we have not seen before or are very complicated and push us out of our comfort zones. When we limit ourselves to retrospective, compliance-based audits, we underestimate the value we could provide our organizations. Moreover, with risks increasingly associated with large, customer-facing system implementations, complex regulatory environments, and cybersecurity, we are ignoring the most significant risks our organizations face.
It is in our nature as internal auditors to want to ensure that what we audit is in compliance with applicable rules and regulations. However, we need to avoid the trap of blindly enforcing flawed rules. We need to ask whether the rule makes sense.
The 2008 mortgage crisis serves as a compelling example of “compliance myopia.” Using a compliance-based checklist, even the most byzantine of mortgage products that were available in 2008 would likely have passed an audit or regulatory review of the loan package. The form was correctly filled out for the sub-prime loan — check! However, the checklist did not have a box that asked whether this was a seriously flawed loan product that would ultimately pose an existential threat to those companies offering it.
This is not to say auditors should stop enforcing regulatory requirements or other rules. We should use our role as a bully pulpit to get tragically flawed rules corrected and not wait until our organization — or global economy — is brought to the brink of disaster. Internal audit needs to move from a pure compliance focus to a strategic, risk-based focus.
No organization has ever gone out of business because it failed a timecard audit — but what about a major cyber hack and loss of intellectual property, a database breach that compromises customers’ personally identifiable information (PII), or a multimillion-dollar system implementation failure? Yet, in The IIA’s 2015 Pulse of Internal Audit survey, only 6 percent of respondents indicate they included assessing strategic business risk in their audit plans. If we wait until six months or a year after strategic risks have occurred, it may be too late for audit, because our organization may no longer exist. We need to get ahead of these risks, identify vulnerabilities, and make recommendations to address them before they are exploited.
So what is stopping us? We are. Internal auditors fail to create timely, proactive, risk-centric, service-oriented audits by misinterpreting independence and lacking strong relationships with management and the audit committee.
Maintaining our independence is crucial if we are to provide unbiased recommendations. Although we should never make management decisions, this does not prevent us from providing proactive, risk-based recommendations. Consider the example of most major system implementations. They can be very costly (e.g., system integrators, software, and hardware), customer-facing, pose security risks if not correctly configured, and damage our organization’s reputation and credibility if not correctly deployed. We don’t have to wait until after the system has been deployed to assess whether 1) the project team has mapped the system design to regulatory and functional requirements; 2) basic project management practices are in place and include provisions for robust testing; 3) contract terms are being met; 4) internal controls have been considered; and 5) people who will handle PII have undergone background checks. These are the activities that auditors do well, and they do not violate our independence. Waiting until after the project crashes to swoop in and do an audit has limited value, contributes to escalating project costs, and damages internal audit’s credibility.
Even if we can all agree that proactive, risk-based auditing does not affect our independence, we may not have the kind of relationship with management and with our audit committee that they would welcome our involvement. Building the right relationships requires consistent and high-quality products; candid, professional, and frequent meetings; and a highly trained and diversely skilled staff. Unless we work at developing relationships with key stakeholders, they will not trust us enough to invite us in while they are trying to meet deadlines and make decisions with imperfect data. The objective is for management to see the internal auditor as a proactive risk adviser who will provide added assurance that management has considered a wider variety of risks than they would have alone.
When we start adding the largest threats to our audit plan, it can feel a bit overwhelming. The trick is prioritization. Auditors should talk with management, the board, and the audit committee and develop a collective understanding of the risks the organization faces. This will provide a basis to prioritize resources and audit those things that present the highest level of risk. If that leads to an area not addressed before, such as cybersecurity, the auditor will have to make a “build vs. buy” decision. Does the CAE have the requisite skills on staff that, with some training, will be able to use available industry best practices to assess cyber vulnerabilities? If not, the CAE will have to buy those skills by hiring outside resources. Although contracted resources can initially be expensive, avoiding existential risks, like cybersecurity, is not an option. For starters, the CAE should build into contracts the requirement that the outside experts train the audit staff. The goal should be to cultivate those skills within the audit organization so that there is a sustainable model to address these risks in the future.
The Bottom Line: Internal auditors are positioned to see across an organization, to understand overarching risks. Unlike external auditors, we have the benefit of understanding the corporate culture and internal business practices. Internal audit needs to step up and be the proactive risk adviser that our organizations desperately need. By being proactive and looking at issues of strategic importance, auditors can strengthen the organization and help navigate the risks in an increasingly complex and dangerous world.
Theresa M. Grafenstine, CIA, CGAP, CPA, CISA, is inspector general of the U.S. House of Representatives in Washington, D.C.
To comment on this article, email the author at theresa.grafenstine@theiia.org
Insights/The Mind of Jacka
To comment on this article, email the author at michael.jacka@theiia.org
By J. Michael Jacka
When clients ask us to do their procedural work, it is a sign that they have not embraced ownership of controls.
During a session at this year’s IIA General Audit Management conference, an audience member asked for advice. His internal audit group had reported that the company’s accounting controls could be strengthened by developing written procedures. The accounting department’s response? “We don’t have the time; you write them for us.”
I’m sure every red-blooded auditor reading this reacted just as the crowd did — with shock, horror, and the phrase “we don’t do original work” bursting from their lips. I was right there with everyone else.
Much later, I looked back on the chum-filled feeding frenzy and realized we had spent a lot of time focusing on the wrong issue. Impassioned discussions about internal audit’s independence, objectivity, and integrity may make us feel good, but most of our clients believe these are nothing more than buzzwords that serve as an excuse to find problems without being part of the solution.
When someone asks us why we can’t write the procedures for them, it speaks to the far too common misconception that controls are internal audit’s job. It shows that the client has not embraced ownership of controls and the related control structure. And it reminds us we have the never-ending task of explaining to our clients that internal audit is not responsible for controls. For that matter, it is not the job of executive management, risk management, compliance, the Sarbanes-Oxley team, purchasing, marketing, janitorial services, or even a department that happens to be named The Place Where All Procedures Get Written.
The message that should be delivered to any department wanting someone else to write its procedures — to effectively outsource responsibility for controls — is that they may as well let someone else take over their area. By abdicating control over controls, they are effectively saying that all processes can be turned over to someone else. And that means there is no longer any need for the department.
And as a side note, it’s important to keep in mind how the solution to this issue became evident — by stepping back from the client’s argument about writing procedures and reframing it in a way that addresses the root problem. The issue is not that internal audit should not be writing procedures; it is that clients should own their own controls. Any time auditors find themselves in a losing argument, they should take a breath, step back, and make sure they are not arguing about the wrong problem.
So the next time someone asks why internal audit can’t write procedures for them, remember that they are not questioning internal audit or even the need for controls. They probably just don’t understand what ownership of controls really means. And that is a problem we should be able to help them with.
J. Michael Jacka, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.
Michael J. O’Leary, Partner–Advisory, Global Internal Audit Leader, EY
Brian P. Christensen, Executive Vice President, Global Internal Audit and Financial Advisory Solutions Leader, Protiviti Inc.
What are the most common ethical dilemmas organizations face today?
CHRISTENSEN An often encountered dilemma is the consideration of conflicting performance metrics around cost and time, on the one hand, and safety and quality, on the other. This ethical conflict can manifest itself in many ways — deferral of scheduled maintenance, outsourcing to low-cost/low-quality suppliers, shortcutting on quality standards, unbalanced reward systems, and blind obedience to authority, leading to conflict avoidance and group think. It is ironic that those at the top often are quick to blame those who are on the firing line making the critical decisions, even though the leaders have primary responsibility for the very culture that drives the pressure points incentivizing inappropriate decisions.
O’LEARY As the global business landscape becomes more complex, companies are facing a more diverse array of ethical dilemmas, even compared to just five or six years ago. Traditional ethical issues around bribery, corruption, money laundering, human resource matters, inappropriate financial reporting, or earnings management continue to exist and clearly need important education, awareness, monitoring, and prevention investments from organizations — especially given increased regulatory scrutiny. However, with the rapid investment and growth many organizations are focused on in emerging markets well beyond just Brazil, Russia, India, and China, added complexity permeates ethical considerations. Additionally, the continued expansion of the digital agenda across organizations, sectors, and markets adds a complex array of issues to contend with, including cybersecurity, data privacy, and social media.
What impact do generational attitudes and cultural standards have on expectations of an ethical environment?
O’LEARY Generational attitudes and cultural standards can have a significant impact on expectations around ethics in an organization. As acceptable or common cultural and business practices can vary across diverse populations, it is important that organizations recognize this variability when strategizing around education, awareness, company policy, monitoring, and prevention techniques. For example, millennials’ attitudes and expectations around social media introduce much greater complexity to how organizations handle the possible unintended or purposeful consequences that may be associated with information that is released into the cyber world.
CHRISTENSEN Generational attitudes and different cultures have a huge impact on sustaining an ethical environment because each generation and culture may have to be approached differently to achieve executive management’s objectives. For example, because every generation was raised in a different environment, each has different attitudes, behaviors, expectations, and motivational touch points. Likewise, different countries and regions have distinctly different cultures, as do different organizations that merge. It is imperative to understand generational and cultural differences when communicating with employees in diverse organizations.
What are best practices for promoting ethical behavior within an organization? What is the best approach to ethics training?
CHRISTENSEN Promoting ethical behavior in an organization begins with an effective code of ethics linked to the organization’s code for effective corporate governance. A code of conduct should be communicated, reinforced, and integrated into how executive management “walks the talk.” With respect to ethics training, it is important that everyone participates, including executive management, and that the training is real, meaning it focuses on ethical dilemmas that are relevant to the organization and is tightly linked to its core values.
O’LEARY Best practice is to start with a well communicated tone from the very top. When the CEO, board, or other executives actively and routinely promote the company’s values, culture, and ethical policies, it goes
and real-time relevance to those efforts. But going beyond pure assurance or compliance auditing, internal audit can help companies assess the alignment of their ethics programs and evaluate the metrics companies have in place to measure effectiveness and whether those metrics help promote ethical behavior.
CHRISTENSEN Internal audit can play a key role in ensuring an ethical work environment. Internal audit should, for example, focus on the control environment and culture, look for the warning signs of dysfunctional behavior, and watch for incongruities between the tone at the top and tone in the middle. Internal audit should ensure that employee working conditions, both internally and upstream with key suppliers, are fair, safe, and free of human rights abuses, and that discriminatory hiring practices are avoided. The auditors should evaluate the balancing of costs of preventive maintenance, work shifts, safety controls, and training with the health and safety interests of employees. Finally, they should ensure an open, transparent environment that provides upward communication to people who listen.
What should internal auditors assess when looking at a whistleblower program?
CHRISTENSEN Internal auditors should evaluate the organization’s risks, culture, management operating style, internal resources, and existing procedures regarding reporting of audit and accounting irregularities and fraud when assessing the design effectiveness of the program. In other words, the auditors need to understand the unique risks relating to fraud within the organization, industry, and geographies in which the company
a long way in helping everyone consistently align with operates. Additionally, internal audit should ensure the
expectations. From there it’s all about discipline and program is communicated effectively and often within
detail in having well-orchestrated communications, the organization; ascertain whether the appropriate level
change management practices, and training programs that of objectivity is emphasized with respect to the reporting
are embedded within the business or function for each and investigation of complaints; ensure that laws and
employee. When companies help employees recognize regulations for protecting whistleblowers are being
that the ethical standards are not only important for addressed (e.g., Sarbanes-Oxley and Dodd-Frank in the
compliance but also for the success of the organization’s U.S.); and understand and consider the implications of the
business imperatives and personal advancement, it has a U.S. Federal Sentencing Guidelines.
much more profound impact. O’LEARY Internal auditors should assess the rigor of the
program, technology enablement, and alignment to the
What is internal audit’s role in ensuring an ethical sector- and geography-specific risk and compliance con-
work environment? siderations the organization faces. Additionally, internal
O’LEARY Internal audit can play many roles helping audit functions can help companies consider whether the
companies ensure an ethical work environment. Certainly, whistleblower program is effectively communicated and
traditional audit activities to monitor compliance continue whether awareness campaigns, education, training, and
to be relevant. Additionally, leveraging the power of data policies are fully aligned to enable the program to be opti-
analytics and other innovative strategies helps add vigor mally relevant.

A Matter of Value

Internal auditors can take several steps to change negative perceptions and demonstrate their expertise.

Many of our clients maintain an unfortunate view of the internal audit profession. Rather than seeing it as a source of support and valued expertise, they consider internal audit a compulsory activity focused primarily on finding errors. They often don’t recognize the critical role internal audits play or how they serve to help improve organizational performance. Practitioners bear the responsibility for these misconceptions, and it is our job to correct them. To change people’s views, we must demonstrate our value.

Most importantly, perhaps, internal auditors must show clients that they possess the ability to make meaningful contributions to the business. Beyond our risk, compliance, and control expertise, we need to demonstrate a commitment to enhancing the organization with skills aimed specifically at improvement. Internal audit could supplement its existing competencies, for example, with business-specific acumen such as Lean Six Sigma. Many businesses today are implementing Lean thinking for efficiency, improved performance, and quality enhancement. The methodology could serve as a tool for internal audit fieldwork and planning, or it could be used as a basis for advising on Lean Six Sigma projects. Other types of certifications and training could also prove beneficial, especially those that link directly to operational and strategic objectives.

Just possessing these competencies, however, is not enough. Internal auditors also need to make sure clients are aware of the expertise they possess by actively communicating it throughout the organization. They should ensure these capabilities are understood by clients and emphasize the value they can provide to the business. Announcing new staff credentials and competencies via a company newsletter or intranet site, for example, can help increase awareness. Internal audit could also consider meeting with key stakeholders to discuss its capabilities and develop a brochure to promote value-added services.

To cement internal audit’s credibility and truly demonstrate its abilities, auditors need to show how their expertise can be put into practice. For example, audit teams that possess Lean Six Sigma training could look for opportunities where Lean principles can support recommendations for business process improvement. Similarly, fraud, technology, or industry-specific expertise should be leveraged whenever possible for enhancement and support. Audit recommendations can be viewed, in part, as an opportunity to promote the function’s value-added services. Moreover, while remaining mindful of independence, internal auditors must actively participate in critical organizational projects underway or about to start.

To make sure the audit function gains recognition as a valued partner, it may be necessary to go above and beyond these conventional skills. By demonstrating a commitment to organizational improvement, internal audit helps position itself as a key adviser and an essential source of expertise.

Mohamad Reeduan Mustapha, CMIIA, ICBB, is internal audit manager at Terengganu Inc. in Kuala Terengganu, Malaysia.