Latest Audit Information & News

Auditors who have not experienced conflicts and crisis in some way or another throughout their career are quite rare to come by.

This week we take a look at how the profession successfully approaches crisis situations to result in a positive outcome.

Crisis management by Internal Auditors

Crisis management provides the structure, leadership, decision-making, and communications to support the organization in managing a crisis situation. It encompasses business continuity, disaster recovery, cyber incident response, and financial market crisis response planning and execution.

Most major organizations have basic business continuity plans and disaster recovery plans in place, particularly for IT, supply chains, and facilities.

Usually, Internal Audit will, on a rotational basis, review those plans, provide assurance on related compliance, and conduct post-event reviews. However, the focus on continuity management has widened to include any event that could irreparably damage finances, operations, cyber capabilities, reputation, or other essential assets.

A crisis management plan provides a framework and contingency plans for senior executives should the need arise.

Responsibility for crisis management sits with senior leaders, which means that Internal Audit is the logical and perhaps only source of assurance and advice.

Consider: An organization needs a crisis management program encompassing governance, processes and risks. Governance organizes program ownership and the roles and responsibilities of security, legal, IT, Internal Audit, and other functions. Processes are needed to address crisis response, decision-making, recovery, communications, and contingency plans. Risks must be identified to enable scenario planning and response capability development through training and simulations. Aim to provide assurance and advice in each of those areas, and to anticipate events and promulgate best practices.

Consider whether leaders can answer the questions:

  • What are you prepared for?
  • How prepared are you?

Ensure that simulations are regularly conducted and used to develop and test overall plans as well as playbooks for specific events.

Go beyond regulatory guidance and checklists and audit not just the existence of plans, but their likely effectiveness.

Also, consider industry-specific issues and evolving regulations, such as the EU’s GDPR reporting requirements for breaches.

Internal Audit may need to up-skill or tap external sources to add value in this area, but doing so can save the entire enterprise.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

 

This week we take a look at the makeup of the successful audit team and how you go about analysing how your current team is performing?

Building the Competencies for Internal audit by IIA

Determine what is missing and take action!

Ask probing questions:

CAEs should assess the internal audit activity by asking probing and specific questions about the department’s maturity and structure, to determine if there are areas where competencies are failing.

Once the questions have been asked and the assessments have been completed, if the internal audit activity is found lacking, the bigger question is, “How do the internal auditors get to where they need to be?”

Here are suggestions on how to begin to first determine what is missing, take action, and then end with a re-engineered, well-structured, and progressive internal audit activity that conforms to the Standards and meets the expectations of the organization.

Perform an unofficial self-assessment:

Performing a self-assessment allows for fine tuning — increased productivity, narrowing of knowledge and performance gaps, and mastering of tasks. CAEs can use the following KPIs to measure internal audit efficiency and effectiveness:

  • The number of certified auditors on staff.
  • Collective knowledge of IT risks and controls and fraud risks and controls.
  • Staff CPE hours.
  • Opportunities to develop competencies.
  • Consideration of organisational changes, industry changes, and relevant regulatory issues.
  • Demonstration of critical thinking and problem-solving skills and Stakeholder satisfaction.

Invest in talent management efforts:

Develop well-thought-out and well-developed approaches geared to optimize the workforce.

For effectiveness, and to build, engage, and retain the best audit departments, CAEs will do well to develop strategies that include measuring what is needed from their existing staff members, what is needed from anticipated additions to staff, and, just as important, what their staff needs from them as leaders.

Where skillsets are in high demand, coordinating with both your internal hr specialists and/or engaging with a niche specialist recruiter can also ensure you not only get access to many candidates who are not “active” in the marketplace but also help save you time and money throughout on the hiring process.

Conduct a gap analysis:

The gap analysis will identify strengths, weaknesses, challenges, and opportunities, and compare the actual performance of the audit team with the desired performance. The desired state ares:

  • Auditors are familiar with the Standards and the IPPF.
  • The department is fully aligned with the organisational strategic plan
  • The department is performing up to its potential.
  • The department has the competencies to perform audits.
  • The department has the resources to develop advanced methodologies and practices
  • The department has access to tools and resources needed to perform audits and
  • The department makes the best use of its resources.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 9

 

What Internal Auditors Need to Know about Robotic Process Automation

RPA, robotics, robots, bots as internal auditors have undoubtedly been hearing this terminology tossed around more and more. What exactly is it? Why is it such a hot topic? Why should Internal Audit care and what can we do to help our organizations embrace, adopt and realize the benefits of this technology?

What is RPA?

Robotic Process Automation (RPA) is a technology that configures computer software or a “robot” to capture and interpret existing data for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.  The “robots” (aka “bots”) are programmable software that allows you to automate business processes currently performed by people. Bots are programmed to perform multiple repetitive steps based on defined rules and structured data. They can perform these activities more quickly, accurately and efficiently than humans.

Why RPA is Gaining Popularity?

RPA is rapidly gaining popularity because a wide variety of industries and business functions are beginning to better understand the technology and its benefits.

·         Cheaper and less complex than traditional/historical approaches to “automation”

·         Rapid Implementation cycle – weeks instead of months

·         Advancements in technology are making solutions more accessible, applicable and affordable

·         Smooth integration with other systems and applications

·         Keeps organizational and technological disruption to a minimum

·         Increased productivity and efficiency & Cost savings

·         Reduction in errors

·         Increased flexibility and scalability

·         Freeing of resources to do other tasks

Where are Organizations Using RPA?

RPA is being used differently in many departments such as:

·         Sales (Account service, Order processing, issue tracking and Credits / Refund)

·         Procurement (Vendor Management, Purchase Order and Invoice processing)

·         Accounting and Finance (AP / AR, Journal Entries and Account Reconciliation)

·         IT (Account Activation, Software installation, Cyber Threat Assessment)

How can RPA Benefit Internal Audit?

Often, Internal Audit is a time-consuming process extracting data from multiple applications/sources, performing repetitive steps, testing and reconciliations. Where the input data is digitally available, RPA is a good fit for the internal audit function.

1.      Data gathering and cleansing for analytics: An RPA can generate and standardize data to run custom analytics, like extracting the data for use by internal auditors, including validation for completeness of fields, comparisons and duplication.

2.      Risk assessment: Bots can assist Internal Auditors to classify risks based on transaction volumes with predefined rules and trends for risk assessment. This will allow quicker identification of high-risk areas/ transactions.

3.      Processing high volume transactions and data collation: Bots can help process high volumes of data (e.g. transaction audit) faster, more efficiently and accurately.

4.      Assistance in testing controls: Bots assist in performing control testing where the tests are standardized.

Key Things to Consideration when Selecting an RPA Software Platform and Partner

Our recommendation is to do your own research and determine the technology and provider that is best suited to meet your individual needs and business environment.  There are many experienced and reliable RPA providers in the market.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

 

This week our colleagues have been discussing the importance of attracting the right auditors but more importantly how to retain them within the business!

If you feel you need help in this area, then the experience shared below with for sure be of benefit to you!

How to Attract and Retain High-Impact Internal Auditors

Attracting and retaining top talent is critical to the success of a high performing internal audit function.  And, compensation alone is not the deciding factor in winning the battle for talent.  In order to attract and retain talent, organizations need to develop a reputation as a place where people want to work, grow and stay. Every department needs to be provided with the flexibility and tools needed to create micro-environments in which team members are able to execute their responsibilities while achieving their desire for learning, growth, and balance.

Whether the organization as a whole is onboard or not, corporate audit needs to develop and embrace programs designed to meet the needs of a changing workforce if they are to attract and retain top talent.

The Landscape

A great deal has been written about the millennial generation and how they differ from previous generations. However, while millennial may define how they require their needs to be met differently than prior generations, their needs really aren’t all that different than those of (ageing) baby boomers and Gen X’rs.  At the end of the day, we all want financial security, career success, work/life balance and to work for an ethical organization.

Financial security: A competitive compensation package is critical to attracting and retaining talent and, interestingly, is closely linked to the three other needs. Millennials would like to live near where they work, give back to the community, travel, acquire new technology and avoid debt. They seek higher salary levels as they progress, but they have a different definition of what progression means. Millennial believe that financial security will come from advancement opportunities following their acquisition of new skills.

Career success: In late 2016, a report was created based on surveys of 19,000 millennial, including 8,000 associates in 25 countries.  Only 22 percent of those who answered the survey ranked ‘aspiring to lead’ as a top priority. Millennial don’t necessarily aspire to lead others to be successful but instead, to be recognized as highly qualified in their field. They desire to make a positive contribution, work with great people, and have the opportunity to grow their talents in a skill-based economy.

Work/life balance: The term means different things to different people. And, the ability to achieve it is always going to be influenced by the chosen career, including factors such as the nature of the industry and seasonal demands.  Millennial, in general, have learned from their parents ‘mistakes’ and want to do a better job achieving a good balance between their work and personal lives. Although they are constantly connected to work, they place a premium on their time outside of work.

Work for an ethical organization: All of us expect to work for organizations that do the right things, treat people fairly, and abide by rules and regulations. Every member of a workforce has opinions on geopolitical topics, corporate social responsibility, and gender/racial equity. However, while organizations cannot be all things to all workers, successful organizations strive to create environments where like-minded people can work on not only internal but also external projects that fuel their passions.

The Opportunity: The millennial workforce has a strong desire to learn and apply new skills. They have also grown up on the cutting edge of new technologies and are excited to leverage them to increase their productivity.  And, they enjoy working in collaborative environments to learn new skills and solve challenging problems while continuing to achieve the balance they desire. Corporate audit functions can serve as an incubator within organizations by trying new approaches to attract and develop talent.  Audit is an area where millennials can develop and sharpen their skills related to learning a business, interviewing, root cause analysis, critical thinking, problem-solving, project management, and oral and written communications – all skills critical to success in the global environment.

The Challenge: There are opportunities here for companies but not without some challenges to either the current culture or the business model.  Perhaps the most difficult is work/life balance as it means different things to different people.  It could mean a desire to work four 10-hour-days a week, or to not work late or weekends, or the desire to travel either less or not at all. The challenge is to make the time on-site more efficient by leveraging technology that facilitates concentration on high-risk transactions and audit focus areas.  Then when audit staffs return from the road, it’s going to be important to provide them with the flexibility to work remotely as long as project completion deadlines are met.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

Key steps to carry out an effective audit of Whistleblower Programs

As part of our ongoing commitment to knowledge sharing between the professionals that we are working with- our colleagues have kindly shared what they believe are the best steps to carry out when auditing whistleblower programmes.

Whistleblowing is the act of revealing inappropriate activities, often anonymously, to parties within or outside the organization with the purpose of alerting individuals who can take corrective action. It is preferable for Whistleblowing to occur within the organization, so management can correct the issue without the negative effects caused by the crisis that public disclosure often causes.  Whistleblowing programs should provide a mechanism for employees, contractors, and vendors, to discreetly and anonymously disclose their concerns without the fear of reprisals.

The Sarbanes-Oxley Act of 2002 Section 301 requires publicly-traded companies to have a Whistleblowing program.  But, how do we know if the program is effective? After all, the purpose of these programs is to encourage the disclosure of questionable accounting, internal controls, health, and safety, or fraudulent activities that may negatively impact the organization, its customers, shareholders, employees, investors, or the public at large. But if potential whistleblowers fear they will suffer retaliation, harassment, alienation, intimidation, discrimination, job loss, stress, or emotional hardship, they will be reluctant to contact the ethics hotline to report problems.

Developing the Audit Program: Like any important program, processor control, whistleblowing hotlines should be audited. The following are key steps that should be considered when auditing these programs:

1. Review the program’s protocol: Make sure there is clear and specific guidance on what to do and whom to contact when an allegation is received. The protocol should also include escalation provisions to address emergency situations.

2. Examine allegation file: Verify that information is collected fully and consistently so investigations are not impaired. Auditors should also verify that the whistleblowers’ identities were protected.

3. Review the composition of the investigative team: This is important to make sure it is multi-functional. The response team should be prepared to take quick and decisive action in the event of questionable activities, so the investigation can be conducted without delays. The investigative team should be highly qualified, cross-functional in their backgrounds, and have high integrity.

4. Verify the autonomy of the program: The whistleblower program must be independent by having a direct reporting line to the board or other high-level oversight function.

5. Review performance report: This step is essential to make sure all reports are accurate, useful, produced timely, and shared narrowly. The oversight board (or audit committee) should agree on the content and frequency of reports. Employees’ opinions are essential to the success of whistleblower programs because if they are unaware of it, or refuse to use it, the program is a failure.

6. Review references to key documents: The whistleblower program should be mentioned in the employee manual, code of ethics, and code of conduct to make sure the whistleblower program is referenced in these policy documents.  This will add to the program’s legitimacy and make it a permanent component of the organization’s corporate governance infrastructure. It should be clear that retaliation is forbidden.

7. Verify access to the program: Make sure the phone and fax numbers, e-mail address, and web links are correct, operational 24 hours a day and 7 days a week, and staffed by qualified individuals.

8. Confirm the qualifications of case management staff: Staff should be able to handle stressful situations, communicate with whistleblowers professionally, be discreet and in general have superior customer service skills to collect sufficient and actionable information so fair and thorough investigations can be conducted.

9. Survey employees: The objective is to determine if employees are aware of the program, believe in its usefulness, feel safe from retaliation, and believe that the organization is committed to integrity, transparency, fairness and compliance.

10. Verify advertisement of the program: Make sure the whistleblowing program is advertised in high-traffic areas. Advertising can also include business cards, magnets, mouse pads, mugs, key chains and the company’s newsletter.  Awareness can also increase by including a note in company contracts and purchase orders, providing reminders during staff meetings, and during the annual Code of Ethics and Conflict of Interest recertification processes.

Internal auditors should audit their organizations’ whistleblowing program to make sure perceptions, practices and awareness are as expected and the program is working as it should.”

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

 

Being Creative While Conducting Internal Audits

Creativity is the use of imagination or original ideas, but it’s not that important for internal auditing. After all, the main thing auditors have to do is know the rules that set the criteria for review, check transactions and business activities to see if people and systems are doing what the criteria requires and document discrepancies. Since the criteria are set by management they are indisputable and compliance with regulations is non-negotiable. Accounting and financial reporting rules are non-negotiable either and internal auditors don’t write the rules; they make sure the rules are enforced.

Business dynamics are changing rapidly, and internal auditors must realize that the criteria (i.e. what constitutes “the expected practice”) is often changing, how audits are performed, how results are communicated, what recommendations are appropriate and the timeline for remediation are often changing too. Internal auditors must change, adapt, and be responsive. But how?

Creativity in internal audit can be applied in every phase of the internal audit cycle i.e. planning and defining the scope:

Consider the following examples:

The increase in accidents at the factory could be due to lax training that originated when the company trainer retired 18 months ago and new hires since then have not received adequate workplace safety training.  The higher employee turnover may have started two years ago when new managers stopped getting supervisory training, and performance evaluations were just filed away without being examined by anyone in Human Resources.

Developing the Testing Procedures: Instead of downloading a checklist, or merely replicating prior internal audit programs, internal auditors should brainstorm what procedures would help answer the fundamental questions:

  • What are the objectives of the area being audited and are they being achieved efficiently, effectively and economically?
  • How do we know if all the relevant risks, including fraud, IT and security-related, have been identified and mitigated appropriately by the related controls?

Fieldwork: Testing the entire population can provide deeper insights than a sample can, especially if the sample is not statistical. It is best to be creative when selecting the data and most effective analytical procedures. When there is a problem in a sample, identifying what is unique to all those items and examining that triggering event. It may also be helpful to pull all transactions with that same characteristic, time of day, shift, operator, vendor, or customer, to see how big the problem is. This quantification is also helpful to make the finding more persuasive and build a business case that is more compelling for action.

Root cause analysis: Internal auditors should avail themselves of the many tools available for root cause analysis, so they avoid the “this is broken, fix it” approach to writing audit findings. The 5 Whys, Cause and Effect Diagram, Is-Is Not Method, Affinity Diagrams, are all effective tools for root cause analysis that promote creativity and can be used individually or as a group.

Reporting: Is the department still writing text-heavy, jargon-laden, clumsy-sounding reports?  When the last time internal audit was asked the audit committee if the reports meet their needs, or showed the audit committee different formats, including some with charts, graphs and figures? Internal auditors are increasingly being creative and revising the layout, format, tone and visual appeal of their reports.

Internal auditors can no longer approach situations from a binary perspective.

The following are some binary-type questions and the limitations of such an approach:

  • Did the document have a signature showing approval? Yes/No. Well, lots of documents are signed without a review. It is called rubber-stamping.
  • Did they do reconciliation? Yes/No. Many reconciliations are mathematically incorrect, but they look fine because “a plug” is made so it ties out.
  • Did employees have an exit interview upon departure? Yes/No. Also important is asking why these individuals left. Would the departing employee consider returning? Did the person leave under duress? Notes are not always reviewed either, so sexual harassment and other workplace dysfunctions persist because it was not asked about, or it was not acted upon even though it was disclosed.
  • Is the amount accurate? Yes/No. Yes, but the purchases are unnecessary, and the purchased items were delivered to a non-company address anyway.
  • Was the amount posted in the correct period? Yes/No. But was the amount reversed in the next or a subsequent period because the merchandise was defective, not requested or the contract was rescinded indicating revenue manipulation?

Identifying present and emerging risks requires imagination. Finding innovative ways to examine risks within thousands or millions of transactions requires creativity.

Looking for anomalous transactions that could indicate abuse or fraud by someone who knows the controls requires “thinking like a fraudster”. Envisioning patterns that correlate one event with another, and an action with its effects, requires visioning.

Writing reports that convey the appropriate tone, and captures the attention of the audit committee and senior management is an art.

There is ample room for creativity in internal auditing and embracing this approach will add value to every engagement.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

This week our Internal Audit colleagues are kindly sharing their personal experiences on how they have increased the level of client buy-in upon presentation of your findings and recommendations?

How Internal Auditors can change how audit clients listen to them?

You’ve done your initial meeting. You’ve done your investigations. You’ve written your findings. Now the last piece of the puzzle is how you present those findings, and recommendations, to the audit client.

In a perfect world, the client is receptive, understands each recommendation, and takes immediate corrective action. But we all know that perfect world doesn’t exist. So how can we hedge our communicative bets so that we come as close to that perfect scenario as possible? What tools can we employ to ensure that we’ve done everything we can to set the client up for success?

By understanding how the audit client is listening to you

Of course how you’re listening to the client is important, but that’s not the focus here. Let’s flip the listening paradigm upside down and focus instead of how to tell how your client is listening to you. In order to be able to move people to action, you need to know how people are listening to you. Are they listening for information, or are they listening for knowledge? The answer is the difference between action and inaction.

Instead of a goal of your report presentation is to provide information, think of your goal as asking the right questions and then providing relevant answers that drive the conversation away from merely giving facts or data points, and instead helping your audience envision the recommended change in their world. Anyone can read a report. Not anyone can put the information into a specific context that drives targeted action.

Here’s how you can figure out how your clients are listening to you and then let your expertise and hard work shine like it deserves by changing the way people listen to you from listening for information to listening for knowledge.

Listening for Information

When someone is listening for information, they’ll very rarely follow-through. The only case where this isn’t the truth is if they’re just looking for one key piece of information to complete a puzzle.

When you’re communicating recommendations, think of asking questions that will move your audience members beyond the data that you’re presenting and into thinking creatively of how they might solve their own problems. Here are some starts to questions that could help.

  • What do these numbers mean to?
  • What was the different between?
  • How did the change occur from?
  • What, in your opinion, caused?
  • Would you share with me what you think?

What these questions will do is start helping your audience contextualize knowledge. They’ll stop going through the act of listening and move towards active interpretation. Once someone starts to put the data into real situations in their world, the impact becomes clear. And they’ll start to listen in a different way. They’ll start to pay more attention. They’ll start to listen for knowledge.

Listening for Knowledge

When people are listening for knowledge they’re actively processing and trying to make sense of what you’re saying and how it relates to their situation. You’ll know if someone is listening for information if they’re asking you questions that go beyond facts and figures and instead of putting that data in a context.

When you’re presenting recommendations, it helps to get buy-in from the audience. One way to do this is to position your recommendations in their world, but in their words. You can do this by asking questions like the following:

  • How would your business change if?
  • What would it look like if your organization used?
  • How would your job be easier if?
  • What would be the best outcome for you if?
  • How would you react if?
  • What would it take for this to work in your way?
  • Can you see this working for your business?
  • Do you see this solving your problem?
  • Are you comfortable recommending this to?

The other magical side to these questions is when you can get your audience to tell you what they’d do in situations that you’ve presented, using their own data. This is because people support what they help create. If you allow them to come up with the conclusions and recommendations before you present them, you’re then instead agreeing with them instead of directing them. It’s a subtle shift, but I believe you’ll find it will make quite a big difference.”

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

This week, our team are discussing the importance of persuasion and just how important it is in order to obtain high levels of buy-in when presenting your findings to Senior Management.

How to Make Findings and Recommendations More Persuasive

Persuasion is an important aspect of internal auditing that doesn’t receive enough attention or coverage. It’s internal audit’s job to verify that conditions and practices are as expected, and to identify opportunities for improvement within organizations. If the internal auditor identifies issues but is unable to convince the relevant stakeholders to take action, how effective is that?  From an output perspective, the auditor could be producing many reports, maybe even voluminous ones. But from an outcome perspective, that same auditor could be considered ineffective due to the inability to get the right reaction from the board and management.

The difference is persuasion

Persuasion is not manipulation. It is the ability to get others to do something that is in their own best interest, but also in the internal auditors’ interest. In this case we are referring to enhancing the organization’s governance, risk management, compliance and operational excellence.

Furthermore, audit testing is generally done to answer some key questions:

Ø  Are we achieving our mission and objectives?

Ø  Are the right risks identified and mitigated appropriately?

Ø  Are controls doing what they are supposed to do?

The testing done answers those questions. If all is satisfactory, then there isn’t much more that needs to be done. But if the pursuit of the mission and objectives, or the dynamics surrounding risks and controls can be improved upon, then findings should contain the necessary details, and they should be presented clearly and concisely so that the recommendation is aligned with what the audit client is most interested in. After all, it is extremely difficult to persuade someone who is not interested in what you’re saying. So, findings and recommendations must be presented in the context of business goals and the entity’s mission if we hope to be convincing and compel management to take remedial action.

Persuasion is accomplished by appealing to:

Ø  Reason:  Derived from the Greek, Logos. People generally think they are logical and reasonable.

Ø  Character: Derived from the Greek word Ethos: People are more likely to be persuaded when the presenter (or source of the information) is considered trustworthy, honest, intelligent and credible.

Ø  Emotion: Derived from the Greek, Pathos: The ability to persuade increases when the presenter expresses feelings on a subject, get an emotional reaction, or both.

We must remember that many audit clients are apprehensive of internal auditors. They also fear the consequences of audit findings, so they say as little as possible and provide as little information as possible. So, when trying to mobilize the organization, internal auditors should consider not only the rationale for the work done, the methodology followed, and the quantitative and qualitative benefits of recommendations. They should leverage their reputation as subject matter experts in the field of governance, risk management, and compliance. But internal auditors should also build up the image of being friendly, caring, and approachable. This does not mean that internal auditors should get into a personality contest.

Internal auditors also refer often to the main driving force for their work: Determine if the organization is achieving its objectives and if controls are effective mitigating risks. But when writing audit reports, quite often the focus is on the failed controls, without explaining the link between the failed controls, the exposure to the risks if they occur, and the threat to the achievement of the organization’s objectives and possibly, the mission itself. That story should be told. The message that “we’re all in this together” should be conveyed often and consistently.

Displaying confidence is also important. When internal auditors do good work, have evidence and facts to support their position, it is time to embed the emotional element of confidence into the equation. This confidence about the issues and recommendations will project onto the client and persuade them to take action. So, by demonstrating their competence, focusing on the facts, showing that they genuinely care about their clients, and appropriately referring to the emotional impact of errors on the individuals, teams, customers, vendors, and other stakeholders, internal auditors will be able to make their observations, findings, and recommendations more persuasive.

Another important aspect of persuasion is promoting a sense of urgency. To compel action, soon, internal auditors must instil a sense of urgency in their clients. Not by fearmongering, but by demonstrating the value lost, the opportunity cost or the increased exposure if action is delayed.  If the individuals are not motivated enough to do something immediately, it is unlikely that person will be motivated in the future. But, internal auditors should also act with a sense of urgency in their work, so they lead by example.

Internal auditors usually focus on reason (e.g. logic), character (e.g. credibility) and emotion in that order (with emotion often playing a distant third), but should use a balanced approach whenever possible to appeal more effectively to their stakeholders and persuade them to take the appropriate actions to meet the organization’s governance, risk management and compliance requirements. After all, people are emotional creatures and to persuade them to act we must appeal to their emotional needs too.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

 

The internal audit profession is made up of many diverse personalities and professional capabilities.

This week, we have taken a deeper look at the key competencies required by Internal Auditors in order to achieve the highest levels of quality.

Internal auditing requires a unique set of characteristics and competencies that differentiate the profession from others. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Key attributes essentials for internal audit success are :

1.       Professionalism grounded in ethics: Professionalism refers to the knowledgeable use of significant skills, and performing work at the highest of levels. As trusted advisors, internal auditors should aspire to become certified and fulfil internal audit’s mission to “enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

2.       Management anchored by planning: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing).

3.       Communication and delivery require connection and mindfulness: Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

4.       Collaboration unimpeded by independence: The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfil its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity. The chief audit executive must communicate and interact directly with the board. Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

5.       Critical thinking promotes agility and flexibility: “The ability to think critically involves three things: (1) an attitude of being disposed to consider in a thoughtful way the problems and subjects that come within the range of one’s experiences, (2) knowledge of the methods of logical inquiry and reasoning, and (3) some skill in applying those methods.”

6.       Improvement and change spur high performance: The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider the future impact.

7.       Learning requires self-commitment: Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

8.       GRC must meet expectations of boards and stakeholders: The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:  Making strategic and operational decisions, Overseeing risk management and control, Promoting appropriate ethics and values within the organization, Ensuring effective organizational performance management and accountability, Communicating risk and control information to appropriate areas of the organization.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

 

Sustainability: The Environment & Social Ethics (Risk in focus – 2019)

Companies are increasingly expected to behave in an environmentally and socially responsible manner, both by regulators and the public. This is creating sustainability reporting challenges and is influencing the strategic decisions companies must take to achieve future growth.

Some 27% of our interviewee cohort cited environmental and social ethics as an area of focus, and this is the first time that this topic has made it into Risk in Focus; there was a notable bias towards the Netherlands, with half of CAEs in the country highlighting this as an area in need of attention. Further, in our quantitative survey nearly one in ten (8%) respondents cited environment and climate change as a top five risk faced by their organizations.

The EU’s Non-Financial Reporting Directive, applicable since 2017, requires that listed companies and banks with more than 500 employees publish reports on various policy implementation, relevant risks and performance results. These policies concern:

  1. Environmental protection
  2. Social responsibility and treatment of employees
  3. Respect for human rights
  4. Anti-corruption and bribery
  5. Diversity on company boards

Sustainability reporting requirements are clearly a welcome development — they help to improve corporate transparency and highlight the efforts companies are making to meet environmental and social targets. However, a major challenge is in providing accurate information. The maturity of sustainability reporting is far behind financial reporting and not all organizations are well equipped to measure and report on KPIs. This increases reputational risk as there is potential for a company’s behavior to be found to contradict or fall short of its claims. Even if sustainability reporting is deemed to be sufficiently accurate, any KPIs that show the organization has low standards relative to its peers will be looked upon unfavorably by investors, who increasingly benchmark companies’ environmental and social governance (ESG) performance

Social Impact: The increased impetus on organizations to be socially responsible and protect human rights represents another challenge. Compulsory non-financial reports must be published annually, and should include what steps are taken to identify risks to human rights in the company’s operations and how these are managed.

An internal audit perspective

Organizations must now report on what they are doing to identify and mitigate sustainability risks and should look to the Global Reporting Initiative’s Sustainability Reporting Standards (GRI Standards) for guidelines on how to achieve this.

Internal audit can assist by simply ensuring that this reporting requirement is being fulfilled, although it can go deeper by seeking evidence that what the company claims in its non-financial reports is accurate, complete, up to date and being put into practice. There is also value in seeking evidence of how processes are being developed to improve the maturity of such reporting, such as the number of KPIs measured and the accuracy of data collection. The deepest audits may assess sustainability reports within the relevant industry to benchmark both the organization’s reporting and its performance relative to its peers.

Key questions the Internal Auditor needs to look at:

  • Is the organization publishing non-financial reports as required by the EU?
  • Is there scope for internal audit to assess the maturity of sustainability reporting and review the extent to which the company’s environmental and social ethics statements reflect reality?
  • Does the organization benchmark sustainability performance against sector-specific KPIs? Is there a gap between both the organization’s sustainability reporting and performance compared with that of its industry peers?
  • Is the organization complying with all relevant environmental laws in all territories?
  • To what extent is tightening environmental regulation likely to impact the company’s strategy, e.g. targets to reduce carbon emissions? Is senior management aware of this likely impact?
  • Does senior management understand the importance of continuously improving operations in order to minimize environmental and social harm?

Is there value in internal audit assessing progress and providing evidence of relevant sustainability improvements?

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

Copyright Audit International 2013