Latest Audit Information & News

Internal auditors who typically focus on financial and operational audits are increasingly required to focus on IT audits as well.

This week we take a look at the skill sets you need to transition your career and become an IT auditor.

Are you interested in becoming an IT auditor?

Here’s what to know:

Skills required for becoming an IT auditor.

There are both hard skills and soft skills that recruiters look for when sourcing talent into junior IT audit roles. Typically, strong candidates hold at least a bachelor of science (B.S.) in Computer Information Systems, Information Technology, or another similar major. They also have a technical understanding of IT environments, are proficient in Microsoft Office, and ideally have experience with an auditing tool such as Audit Command Language (ACL) or an audit documentation application.

Candidates can also be set apart by relevant work experience, whether it is an internship or a couple of years in a technology-related entry-level role. Many employers look for an industry-recognized certification, such as ISACA’s Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM). The top soft skills that make an IT auditor candidate desirable are the ability to influence others successfully (process owners aren’t always quick to agree to an internal audit issue!), to translate complex information security concepts into business language that non-technical management understands, and to present audit issues to an executive audience.

Responsibilities of the role

First off, there are two types of IT auditors – internal and external. An internal IT auditor works for a public or private company and assesses the internal controls of the organization they work for, with the main purpose of helping strengthen the control environment. An external auditor typically works for a consulting firm or partnership and assesses the control environments of other organizations, usually public companies which have associated regulatory reporting requirements.

While both roles mostly have the same responsibilities, there are some minor differences. Key duties that are relatively similar include scoping the audit plan, interviewing process owners to understand their control environment, collecting evidence, selecting an appropriate population of samples, performing testing on the selected samples, and documenting test results. The biggest difference is that for the internal role, findings and issues are reported to the organization’s management and for the external role, findings and issues are reported to the client that hired the consulting firm or partnership to perform the audit.

Benefits of becoming an IT auditor

Internal audit is a great career choice for many reasons. In the job market, one cannot recall a recent time when auditors were not in great demand. Regulatory requirements that need the work that an internal audit department performs are only increasing, especially in the technology and cybersecurity space. The internal audit function is a transferable skill across industries, meaning even if you start your career in IT audit in the financial services industry, many of the concepts apply to other corporate industries as well – manufacturing, consumer goods, insurance, etc. – so the job mobility is high.

There is the choice between internal audit and external audit, and although, as we covered earlier, slight differences do exist between the two, most of the responsibilities and necessary skills overlap. Just because you start as one doesn’t mean you cannot easily switch to the other. Lastly, and arguably most importantly, the work an auditor performs is crucial to the success of an organization. Both public and private companies need to be focused on a strong control environment that reduces risk. Why? The occurrence of control failures may result in the loss of customer trust, negative financial impact, or broken operational processes. Any of these can damage a company in both the short and long term.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 59

Today our associates have been discussing innovation in the Internal Audit profession with a view to how the professional can evolve and innovate.

Drawing on best practices shared by audit leaders, we discuss below how Internal Audit can get innovative.

Organizations do not achieve their objectives by merely adhering to adequate systems of internal control. To succeed, for-profit organizations are expected to innovate to remain viable in today’s competitive environment, and even non-profit entities are realizing that they must also search for new products and services and re-examine their operating practices to reduce cycle-time, lower costs and increase quality.

This is a reality for those on the operational side of things, but internal auditors must realize that they are not immune to these changing dynamics and the same expectations are levied on them too. As the governance, risk and compliance landscape continues to evolve, internal auditors must search for new ways to evaluate what is in their audit plans and become creative in support of management’s pursuit of business objectives.

There are many trends driving innovation in internal audit. Examples include the requirement to prevent and detect fraud, the need for faster and more agile auditing, adding value with fewer resources, transitioning to risk-based auditing, using data analytics to examine more substantial numbers of records, better root-cause analysis, practical problem solving, formulating pragmatic recommendations, and helping management improve efficiency and effectiveness.

Following are some examples of ways that innovation can help internal auditors.

Risk Assessments

1.      Expand the rating of risk impact beyond monetary measures. The impacts can also include bodily injury, reputational damage, negative publicity, brand erosion, lost opportunities, employee demotivation, lower productivity, lawsuits, and excessive turnover.

2.      Add velocity and persistence to risk assessments. Velocity pertains to the speed at which the risk may affect the organization. While some risks are slower to occur (e.g., demographic changes) others occur more quickly (e.g., technological change and cybersecurity attacks).  Persistence relates to the length of time over which the risk’s impacts may linger if the risk were to occur after the cause of it stops. Some risks’ impacts are short-lived, like a trucking company accidentally spilling milk, while others may last a long time, such as the same company spilling gasoline or pesticides.

3.      Expand the risk rating used beyond letters (e.g., High, Medium and Low) and consider using a numerical scale more conducive to mathematical calculations.

4.      Expand the assessment of risks to incorporate statistical inputs, historical error, accidents, insurance claims, incident rates, correlations, simulation, and probabilistic elements.

5.      Conduct broader brainstorming sessions that seek input from younger personnel and not only the more experienced, from individuals removed from day-to-day participation in the process as well as those operationally involved, and from those who think differently and creatively about unusual, emerging and diverging scenarios.

6.      Develop a partnership with management to use Key Risk Indicators (KRIs), so the organization moves toward pre-emptive risk management, and continuous monitoring and auditing.

Audit Plan

1.      Offer a broader selection of consulting and advisory services to the organization.

2.      Recalibrate the allocation of time between compliance, financial, IT, operational, cybersecurity and advisory services based on the organization’s evolving risk maturity.

3.      Audit non-traditional, yet essential, subjects, such as corporate culture and ethics, knowledge management, physical security, training and development, social media, project management, and change readiness and execution.

Planning

1.      Identify the business objectives every audit attempts to help management achieve. If business objectives are not defined, work with management to do so.

2.      Brainstorm risks on the program, process or unit being audited rather than only making cosmetic changes to past audit programs.

3.      Evaluate business dynamics more thoroughly, so only key risks and controls are tested.

4.      Examine more rigorously the timing, type, format, and extent of data and documents requested

5.      Brainstorm fraud scenarios with every audit.

6.      Make your department’s mission and vision statements the driving force behind every engagement.

Fieldwork

1.      There are different types of sampling methodologies, so question the method used.

2.      Go beyond sampling and test the entire population whenever possible and feasible.

3.      Develop testing procedures based on the answer to the question: How do we know if this risk is happening?

4.      Include fraud detection procedures with every audit based on the answer to the question: How can we find out if fraud scheme X is occurring?

5.      Use subject matter experts (SMEs) whenever possible to help test unusual dynamics.

6.      Require root cause analysis and promote the use of tools, such as Ishikawa Diagrams, Affinity Diagrams, 5 Whys, Is-Is Not Comparative Analysis, Pareto Charts, Scatter Diagrams, vigorous brainstorming, Process Flow Analysis, SIPOC Maps, Run Charts, Control Charts, and Histograms.

Reporting

1.      Use various templates based on the type and urgency of the communication.

2.      Update the layout of internal audit and audit committee reports.

3.      Increase the use of charts, graphs and other visual elements in audit reports.

4.      Streamline the reporting cycle to publish communications faster.

5.      Write every audit report from the perspective of a change agent.

Performance Monitoring

1.      Instill and reward individual skills and competencies applicable to modern internal auditing, such as critical thinking, business acumen, data analytics, flexibility, communication, and innovation.

2.      Make sure performance evaluations balance technical and soft skills that measure individual and team results.

3.      Develop Key Performance Indicators (KPIs) that focus on outcomes, not only output.

4.      Balance quantitative and qualitative performance metrics from within the internal audit department, but also from clients.

5.      Introduce and sustain a post-audit client survey and a 360-degree review program.


This week our highly experienced audit associates share their knowledge with their more junior peers to help them with their communication skills in the audit profession.

Communication Skills for Junior Auditors: What to Know and Why

It’s human nature to want to impress others. And when you’re in a new position, the urge to impress can be even stronger. Even if we’re not conscious of it as it’s happening, the urge to “prove ourselves” in new situations is real. And when this urge presents itself, there are some common communication mistakes that junior auditors make.

Mistake: Over-explaining something to prove that you know it.

Correction: Ask questions, be quiet, and really listen.

Ever experience that eyes-glazed-over look when someone is explaining something to you? Don’t be that person! The tendency to over-explain something to prove yourself is high in people new to any position. Smart communicators know that the real power and confidence lie in not saying anything at all. And savvy professionals know how to navigate conversations so that they allow others to share more than they do. To shift the communication dynamic, all you need to do is ask a question, sit back, and truly listen.

People support what they help create. By asking questions and letting others do the explaining, you’re allowing them agency in the process. When you give someone agency, they are likely to feel more ownership. This results in increased responsibility and follow-through. All things that internal auditors really need from their clients and their colleagues.

Mistake: Giving “formal” presentations.

Correction: Take a seat and change the presentation to a conversation.

If you’re presenting to a group of 12 people or fewer and you’re able to see everyone from a seated position, don’t stand to give the presentation. Instead, present—and have a conversation—while seated with the rest of the group.

Standing in a conference room where everyone else is seated, or standing behind a podium in a larger audience, creates a nonverbal barrier between you and your clients. Instead, sit down. That way you create an environment that demonstrates your confidence and your willingness to have a conversation about a report instead of you being the only purveyor of information. I dive deep into this topic here if you want to learn more. There’s also a great article on designing effective visuals and PowerPoint slides to help supplement your presentations here.

Mistake: Not owning your statements by using pronouns like “they” or “we” or attributing blame.

Correction: Use “I” to show confident communication and own your words.

It’s easy to attach blame. And it’s easier, during stressful or difficult conversations, to point a proverbial finger than to do the processing necessary to take responsibility for your choice. It’s the same when it comes to conversations with your team members. Don’t start a sentence with the word “you.” Instead, start with “I.”

Here are two more statements to demonstrate the difference, even when giving positive statements.

“You did a great job on this presentation.”

“I noticed your hard work on this presentation. Great job.”

When we hear statements starting with “you” we tend to go on the defensive, even when we don’t know what will follow! Whenever the urge to respond with an excuse, or to point your proverbial finger at someone (even if it’s good) arises, rephrase the statement in your head so that it starts with “I” and then the choice you made. Doing so will demonstrate ownership and confidence.


Fraud Investigation Reports vs. Audit Reports: What’s the difference?

Fraud and audit reports must be distinct because they are intrinsically different from one another. Read on for ways to present a full and succinct fraud investigation report using report design, content and tone. From the onset, fraud reports include different information and you want these reports to look distinct, but still look like part of the fleet of reports that internal audit cranks out. For example, you’ll probably need to stay within the font and design conventions of your company, but consider how the following areas can be changed to distinguish the fraud report.

Be specific: Make sure that the first thing your audience reads is “Fraud Investigation Report” so there is no confusion on the purpose of the report.

Enlarge the word Confidential: “Confidential” should be at the top of the report. Make it large and boldface the word. Fraud investigations are typically not shared outside of HR and upper management.

Change the color scheme: If your audit reports have a blue header, consider a different color header for the fraud report.

Content: Write to Your Audience. Because investigative reports mainly involve personnel and legal issues, your audience is limited. Your typical fraud audience will be the Chief Executive Officer, Chief of HR, Chief of Law, Chief Audit Executive, and Head of the Audit Committee. This small and informed audience knows the situation, and they are ready to move forward, so you can skip the internal audit fluff (e.g., scope, background, audit notes, distribution list). Because of the knowledge level of your audience, you can start your report in the middle of the conversation.

Design: Keep It Simple and Succinct. Fraud investigation reports are around 4-6 pages (excluding the Appendix). Once you’ve determined the outline for the fraud report, move on to deciding how to write each section of the fraud report.

Content: For Fraud Eyes Only. The outline above looks very different from typical audit reports. Here’s a quick breakdown of what to write in each section: Title, Date, Allegations (one paragraph under 70 words, or 3-4 sentences), Results (2-3 sentences per allegation) and Approach (single sentence); and, on pages 2-4, Policy/Rule Violations, Summary of Evidence and Appendix.

Allegations: “In typical reports, there are no allegations – you look at a predetermined process or operation. In fraud, we have a specific allegation we’re going in to review. The report and content is always different.” How many allegations should you include in a fraud investigation? It varies depending upon the situation and the number of people involved.

“If the fraud investigation is about a person,” “like someone skims cash, commits payroll fraud, and abuses the company-purchasing card, then we have three allegations: theft, payroll fraud, and misappropriation of assets. However, because the same person commits all of these allegations, the report is still a single investigation.”

Approach: Approach is similar to the audit report scope section; however, approach lists who was interviewed and what the fraud investigative team looked at. In this section, you can also refer the reader to various exhibits and more information located in the appendix portion of the report.

Results: The Results section isn’t long – around 2-3 sentences per allegation. This section will determine whether the allegation was substantiated, unsubstantiated, or inconclusive.

Summary of Evidence: The summary of evidence in fraud reports is the same as the body of the report (the issues) in audit reports. The length of the summary of evidence varies according to the results. If substantiated, the summary of evidence could be from a single page to 3-4 pages.

To organize your summary of evidence section, break it down into sections, or subcategories. Using the example from above, categories could be Theft, Payroll Fraud, and Purchasing Cards.

Content: The Skinny on Recommendation and Risk Assessment. You might think that fraud reports should borrow some sections from the audit report (like risk or recommendations). However, these sections detract from the single purpose of the fraud report, to inform.

Recommendations: After all the investigating, fraud auditors should include their recommendations for action, right? Wrong. “In fraud, we give no recommendations,” “but we have to provide enough supporting evidence so the recipient can take the information and decide what they need to do.”

Risk: Unlike audit reports that outline the risk of audit issues, the fraud audience has to determine the risk on their own. Fraud investigations trust the audience is already well aware of the risk. For fraud, what once was a risk has often already materialized into a financial, productive, or reputational loss to the company.

Tone: Keeping Your Cool: In audit reports, you have to be a little more diplomatic. In fraud reports, you get to be candid, and for many, writing frankly is a breath of fresh air.

This candid method presents pros and cons. On the upside, you have very few people reviewing this – and the person being investigated is not a reviewer, so you get to be blunt. On the downside, you could inadvertently use negative instead of neutral language – especially when the suspect is guilty. You have to allow the facts to stand on their own and keep your tone neutral.


Auditors who have not experienced conflicts and crisis in some way or another throughout their career are quite rare to come by.

This week we take a look at how the profession successfully approaches crisis situations to result in a positive outcome.

Crisis management by Internal Auditors

Crisis management provides the structure, leadership, decision-making, and communications to support the organization in managing a crisis situation. It encompasses business continuity, disaster recovery, cyber incident response, and financial market crisis response planning and execution.

Most major organizations have basic business continuity plans and disaster recovery plans in place, particularly for IT, supply chains, and facilities.

Usually, Internal Audit will, on a rotational basis, review those plans, provide assurance on related compliance, and conduct post-event reviews. However, the focus on continuity management has widened to include any event that could irreparably damage finances, operations, cyber capabilities, reputation, or other essential assets.

A crisis management plan provides a framework and contingency plans for senior executives should the need arise.

Responsibility for crisis management sits with senior leaders, which means that Internal Audit is the logical and perhaps only source of assurance and advice.

Consider: An organization needs a crisis management program encompassing governance, processes and risks. Governance organizes program ownership and the roles and responsibilities of security, legal, IT, Internal Audit, and other functions. Processes are needed to address crisis response, decision-making, recovery, communications, and contingency plans. Risks must be identified to enable scenario planning and response capability development through training and simulations. Aim to provide assurance and advice in each of those areas, and to anticipate events and promulgate best practices.

Consider whether leaders can answer the questions:

  • What are you prepared for?
  • How prepared are you?

Ensure that simulations are regularly conducted and used to develop and test overall plans as well as playbooks for specific events.

Go beyond regulatory guidance and checklists and audit not just the existence of plans, but their likely effectiveness.

Also, consider industry-specific issues and evolving regulations, such as the EU’s GDPR reporting requirements for breaches.

Internal Audit may need to up-skill or tap external sources to add value in this area, but doing so can save the entire enterprise.


This week we take a look at the makeup of the successful audit team and how you go about analysing how your current team is performing.

Building the Competencies for Internal audit by IIA

Determine what is missing and take action!

Ask probing questions:

CAEs should assess the internal audit activity by asking probing and specific questions about the department’s maturity and structure, to determine if there are areas where competencies are failing.

Once the questions have been asked and the assessments have been completed, if the internal audit activity is found lacking, the bigger question is, “How do the internal auditors get to where they need to be?”

Here are suggestions on how to begin to first determine what is missing, take action, and then end with a re-engineered, well-structured, and progressive internal audit activity that conforms to the Standards and meets the expectations of the organization.

Perform an unofficial self-assessment:

Performing a self-assessment allows for fine tuning — increased productivity, narrowing of knowledge and performance gaps, and mastering of tasks. CAEs can use the following KPIs to measure internal audit efficiency and effectiveness:

  • The number of certified auditors on staff.
  • Collective knowledge of IT risks and controls and fraud risks and controls.
  • Staff CPE hours.
  • Opportunities to develop competencies.
  • Consideration of organisational changes, industry changes, and relevant regulatory issues.
  • Demonstration of critical thinking and problem-solving skills.
  • Stakeholder satisfaction.

Invest in talent management efforts:

Develop well-thought-out and well-developed approaches geared to optimize the workforce.

For effectiveness, and to build, engage, and retain the best audit departments, CAEs will do well to develop strategies that include measuring what is needed from their existing staff members, what is needed from anticipated additions to staff, and, just as important, what their staff needs from them as leaders.

Where skillsets are in high demand, coordinating with your internal HR specialists and/or engaging a niche specialist recruiter can not only give you access to many candidates who are not “active” in the marketplace but also help save you time and money throughout the hiring process.

Conduct a gap analysis:

The gap analysis will identify strengths, weaknesses, challenges, and opportunities, and compare the actual performance of the audit team with the desired performance. The desired states are:

  • Auditors are familiar with the Standards and the IPPF.
  • The department is fully aligned with the organisational strategic plan.
  • The department is performing up to its potential.
  • The department has the competencies to perform audits.
  • The department has the resources to develop advanced methodologies and practices.
  • The department has access to tools and resources needed to perform audits.
  • The department makes the best use of its resources.


What Internal Auditors Need to Know about Robotic Process Automation

RPA, robotics, robots, bots: internal auditors have undoubtedly been hearing this terminology tossed around more and more. What exactly is it? Why is it such a hot topic? Why should Internal Audit care and what can we do to help our organizations embrace, adopt and realize the benefits of this technology?

What is RPA?

Robotic Process Automation (RPA) is a technology that configures computer software or a “robot” to capture and interpret existing data for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.  The “robots” (aka “bots”) are programmable software that allows you to automate business processes currently performed by people. Bots are programmed to perform multiple repetitive steps based on defined rules and structured data. They can perform these activities more quickly, accurately and efficiently than humans.

Why is RPA Gaining Popularity?

RPA is rapidly gaining popularity because a wide variety of industries and business functions are beginning to better understand the technology and its benefits.

  • Cheaper and less complex than traditional/historical approaches to “automation”
  • Rapid implementation cycle – weeks instead of months
  • Advancements in technology are making solutions more accessible, applicable and affordable
  • Smooth integration with other systems and applications
  • Keeps organizational and technological disruption to a minimum
  • Increased productivity and efficiency, and cost savings
  • Reduction in errors
  • Increased flexibility and scalability
  • Freeing of resources to do other tasks

Where are Organizations Using RPA?

RPA is being used differently in many departments such as:

  • Sales (account service, order processing, issue tracking and credits/refunds)
  • Procurement (vendor management, purchase order and invoice processing)
  • Accounting and Finance (AP/AR, journal entries and account reconciliation)
  • IT (account activation, software installation, cyber threat assessment)

How can RPA Benefit Internal Audit?

Internal audit is often a time-consuming process of extracting data from multiple applications/sources and performing repetitive steps, testing and reconciliations. Where the input data is digitally available, RPA is a good fit for the internal audit function.

1.      Data gathering and cleansing for analytics: An RPA can generate and standardize data to run custom analytics, like extracting the data for use by internal auditors, including validation for completeness of fields, comparisons and duplication.

2.      Risk assessment: Bots can assist Internal Auditors to classify risks based on transaction volumes with predefined rules and trends for risk assessment. This will allow quicker identification of high-risk areas/ transactions.

3.      Processing high volume transactions and data collation: Bots can help process high volumes of data (e.g. transaction audit) faster, more efficiently and accurately.

4.      Assistance in testing controls: Bots assist in performing control testing where the tests are standardized.

Key Things to Consider when Selecting an RPA Software Platform and Partner

Our recommendation is to do your own research and determine the technology and provider that is best suited to meet your individual needs and business environment.  There are many experienced and reliable RPA providers in the market.


This week our colleagues have been discussing the importance of attracting the right auditors but more importantly how to retain them within the business!

If you feel you need help in this area, then the experience shared below will for sure be of benefit to you!

How to Attract and Retain High-Impact Internal Auditors

Attracting and retaining top talent is critical to the success of a high performing internal audit function.  And, compensation alone is not the deciding factor in winning the battle for talent.  In order to attract and retain talent, organizations need to develop a reputation as a place where people want to work, grow and stay. Every department needs to be provided with the flexibility and tools needed to create micro-environments in which team members are able to execute their responsibilities while achieving their desire for learning, growth, and balance.

Whether the organization as a whole is onboard or not, corporate audit needs to develop and embrace programs designed to meet the needs of a changing workforce if they are to attract and retain top talent.

The Landscape

A great deal has been written about the millennial generation and how they differ from previous generations. However, while millennials may define how they require their needs to be met differently than prior generations, their needs really aren’t all that different from those of (ageing) baby boomers and Gen Xers.  At the end of the day, we all want financial security, career success, work/life balance and to work for an ethical organization.

Financial security: A competitive compensation package is critical to attracting and retaining talent and, interestingly, is closely linked to the three other needs. Millennials would like to live near where they work, give back to the community, travel, acquire new technology and avoid debt. They seek higher salary levels as they progress, but they have a different definition of what progression means. Millennials believe that financial security will come from advancement opportunities following their acquisition of new skills.

Career success: In late 2016, a report was created based on surveys of 19,000 millennials, including 8,000 associates in 25 countries.  Only 22 percent of those who answered the survey ranked ‘aspiring to lead’ as a top priority. Millennials don’t necessarily aspire to lead others to be successful but instead, to be recognized as highly qualified in their field. They desire to make a positive contribution, work with great people, and have the opportunity to grow their talents in a skill-based economy.

Work/life balance: The term means different things to different people. And, the ability to achieve it is always going to be influenced by the chosen career, including factors such as the nature of the industry and seasonal demands.  Millennials, in general, have learned from their parents’ ‘mistakes’ and want to do a better job achieving a good balance between their work and personal lives. Although they are constantly connected to work, they place a premium on their time outside of work.

Work for an ethical organization: All of us expect to work for organizations that do the right things, treat people fairly, and abide by rules and regulations. Every member of a workforce has opinions on geopolitical topics, corporate social responsibility, and gender/racial equity. However, while organizations cannot be all things to all workers, successful organizations strive to create environments where like-minded people can work on not only internal but also external projects that fuel their passions.

The Opportunity: The millennial workforce has a strong desire to learn and apply new skills. They have also grown up on the cutting edge of new technologies and are excited to leverage them to increase their productivity.  And, they enjoy working in collaborative environments to learn new skills and solve challenging problems while continuing to achieve the balance they desire. Corporate audit functions can serve as an incubator within organizations by trying new approaches to attract and develop talent.  Audit is an area where millennials can develop and sharpen their skills related to learning a business, interviewing, root cause analysis, critical thinking, problem-solving, project management, and oral and written communications – all skills critical to success in the global environment.

The Challenge: There are opportunities here for companies but not without some challenges to either the current culture or the business model.  Perhaps the most difficult is work/life balance as it means different things to different people.  It could mean a desire to work four 10-hour-days a week, or to not work late or weekends, or the desire to travel either less or not at all. The challenge is to make the time on-site more efficient by leveraging technology that facilitates concentration on high-risk transactions and audit focus areas.  Then when audit staffs return from the road, it’s going to be important to provide them with the flexibility to work remotely as long as project completion deadlines are met.


Key steps to carry out an effective audit of Whistleblower Programs

As part of our ongoing commitment to knowledge sharing between the professionals that we are working with, our colleagues have kindly shared what they believe are the best steps to carry out when auditing whistleblower programmes.

Whistleblowing is the act of revealing inappropriate activities, often anonymously, to parties within or outside the organization with the purpose of alerting individuals who can take corrective action. It is preferable for Whistleblowing to occur within the organization, so management can correct the issue without the negative effects caused by the crisis that public disclosure often causes.  Whistleblowing programs should provide a mechanism for employees, contractors, and vendors, to discreetly and anonymously disclose their concerns without the fear of reprisals.

The Sarbanes-Oxley Act of 2002 Section 301 requires publicly-traded companies to have a Whistleblowing program.  But, how do we know if the program is effective? After all, the purpose of these programs is to encourage the disclosure of questionable accounting, internal controls, health and safety, or fraudulent activities that may negatively impact the organization, its customers, shareholders, employees, investors, or the public at large. But if potential whistleblowers fear they will suffer retaliation, harassment, alienation, intimidation, discrimination, job loss, stress, or emotional hardship, they will be reluctant to contact the ethics hotline to report problems.

Developing the Audit Program: Like any important program, process or control, whistleblowing hotlines should be audited. The following are key steps that should be considered when auditing these programs:

1. Review the program’s protocol: Make sure there is clear and specific guidance on what to do and whom to contact when an allegation is received. The protocol should also include escalation provisions to address emergency situations.

2. Examine allegation file: Verify that information is collected fully and consistently so investigations are not impaired. Auditors should also verify that the whistleblowers’ identities were protected.

3. Review the composition of the investigative team: This is important to make sure it is multi-functional. The response team should be prepared to take quick and decisive action in the event of questionable activities, so the investigation can be conducted without delays. The investigative team should be highly qualified, cross-functional in their backgrounds, and have high integrity.

4. Verify the autonomy of the program: The whistleblower program must be independent by having a direct reporting line to the board or other high-level oversight function.

5. Review performance report: This step is essential to make sure all reports are accurate, useful, produced timely, and shared narrowly. The oversight board (or audit committee) should agree on the content and frequency of reports. Employees’ opinions are essential to the success of whistleblower programs because if they are unaware of it, or refuse to use it, the program is a failure.

6. Review references to key documents: Make sure the whistleblower program is referenced in the employee manual, code of ethics, and code of conduct.  This will add to the program’s legitimacy and make it a permanent component of the organization’s corporate governance infrastructure. It should be clear that retaliation is forbidden.

7. Verify access to the program: Make sure the phone and fax numbers, e-mail address, and web links are correct, operational 24 hours a day and 7 days a week, and staffed by qualified individuals.

8. Confirm the qualifications of case management staff: Staff should be able to handle stressful situations, communicate with whistleblowers professionally, be discreet and in general have superior customer service skills to collect sufficient and actionable information so fair and thorough investigations can be conducted.

9. Survey employees: The objective is to determine if employees are aware of the program, believe in its usefulness, feel safe from retaliation, and believe that the organization is committed to integrity, transparency, fairness and compliance.

10. Verify advertisement of the program: Make sure the whistleblowing program is advertised in high-traffic areas. Advertising can also include business cards, magnets, mouse pads, mugs, key chains and the company’s newsletter.  Awareness can also increase by including a note in company contracts and purchase orders, providing reminders during staff meetings, and during the annual Code of Ethics and Conflict of Interest recertification processes.

Internal auditors should audit their organizations’ whistleblowing program to make sure perceptions, practices and awareness are as expected and the program is working as it should.


Being Creative While Conducting Internal Audits

Creativity is the use of imagination or original ideas, but it’s not that important for internal auditing. After all, the main thing auditors have to do is know the rules that set the criteria for review, check transactions and business activities to see if people and systems are doing what the criteria require, and document discrepancies. Since the criteria are set by management, they are indisputable, and compliance with regulations is non-negotiable. Accounting and financial reporting rules are not negotiable either, and internal auditors don’t write the rules; they make sure the rules are enforced.

Business dynamics are changing rapidly, and internal auditors must realize that the criteria (i.e. what constitutes “the expected practice”) are often changing, and that how audits are performed, how results are communicated, what recommendations are appropriate and the timeline for remediation are often changing too. Internal auditors must change, adapt, and be responsive. But how?

Creativity in internal audit can be applied in every phase of the internal audit cycle.

Planning and defining the scope: Consider the following examples:

The increase in accidents at the factory could be due to lax training that originated when the company trainer retired 18 months ago and new hires since then have not received adequate workplace safety training.  The higher employee turnover may have started two years ago when new managers stopped getting supervisory training, and performance evaluations were just filed away without being examined by anyone in Human Resources.

Developing the Testing Procedures: Instead of downloading a checklist, or merely replicating prior internal audit programs, internal auditors should brainstorm what procedures would help answer the fundamental questions:

  • What are the objectives of the area being audited and are they being achieved efficiently, effectively and economically?
  • How do we know if all the relevant risks, including fraud, IT and security-related, have been identified and mitigated appropriately by the related controls?

Fieldwork: Testing the entire population can provide deeper insights than a sample can, especially if the sample is not statistical. It is best to be creative when selecting the data and the most effective analytical procedures. When there is a problem in a sample, identify what is unique to all those items and examine that triggering event. It may also be helpful to pull all transactions with that same characteristic, such as time of day, shift, operator, vendor, or customer, to see how big the problem is. This quantification also helps make the finding more persuasive and builds a more compelling business case for action.

Root cause analysis: Internal auditors should avail themselves of the many tools available for root cause analysis, so they avoid the “this is broken, fix it” approach to writing audit findings. The 5 Whys, Cause and Effect Diagram, Is-Is Not Method and Affinity Diagrams are all effective tools for root cause analysis that promote creativity and can be used individually or as a group.

Reporting: Is the department still writing text-heavy, jargon-laden, clumsy-sounding reports?  When was the last time internal audit asked the audit committee if the reports meet their needs, or showed the audit committee different formats, including some with charts, graphs and figures? Internal auditors are increasingly being creative and revising the layout, format, tone and visual appeal of their reports.
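The fieldwork step above (find what the sample's exceptions have in common, then pull every transaction with that characteristic to size the problem) can be scripted. The following is an added example, not part of the original article; the ledger rows, field names and the approval test are constructed assumptions.

```python
"""Expand sample exceptions to the full population (constructed data)."""
FIELDS = ("operator", "shift", "vendor")  # characteristics to compare
# Constructed ledger extract, not real data.
POPULATION = [
    {"id": 1, "operator": "op_a", "shift": "day", "vendor": "V10", "amount": 1200.0, "approved": True},
    {"id": 2, "operator": "op_b", "shift": "night", "vendor": "V11", "amount": 950.0, "approved": False},
    {"id": 3, "operator": "op_b", "shift": "night", "vendor": "V12", "amount": 4300.0, "approved": False},
    {"id": 4, "operator": "op_c", "shift": "day", "vendor": "V10", "amount": 310.0, "approved": True},
    {"id": 5, "operator": "op_b", "shift": "day", "vendor": "V13", "amount": 780.0, "approved": True},
    {"id": 6, "operator": "op_d", "shift": "night", "vendor": "V11", "amount": 2600.0, "approved": False},
    {"id": 7, "operator": "op_a", "shift": "night", "vendor": "V14", "amount": 150.0, "approved": False},
    {"id": 8, "operator": "op_c", "shift": "day", "vendor": "V12", "amount": 5100.0, "approved": True},
]

def not_approved(txn):
    """Control test: the transaction lacks an approval."""
    return not txn["approved"]

def shared_traits(exceptions, population):
    """Values common to every exception but not to the whole population."""
    traits = {}
    for field in FIELDS:
        values = {t[field] for t in exceptions}
        # A value shared by all transactions explains nothing, so skip it.
        if len(values) == 1 and any(t[field] not in values for t in population):
            traits[field] = values.pop()
    return traits

def quantify(population, field, value, failed):
    """Pull every transaction with the trait and measure the failures."""
    matching = [t for t in population if t[field] == value]
    bad = [t for t in matching if failed(t)]
    rest = [t for t in population if t[field] != value]
    return {
        "trait": f"{field}={value}",
        "transactions": len(matching),
        "exceptions": len(bad),
        "rate": len(bad) / len(matching),
        "amount_at_risk": sum(t["amount"] for t in bad),
        "rate_elsewhere": sum(map(failed, rest)) / len(rest) if rest else 0.0,
    }

def expand_findings(sample_ids, population, failed):
    """Rank the traits shared by the sample's exceptions, strongest first."""
    exceptions = [t for t in population if t["id"] in sample_ids and failed(t)]
    if not exceptions:
        return []
    traits = shared_traits(exceptions, population)
    found = [quantify(population, f, v, failed) for f, v in traits.items()]
    return sorted(found, key=lambda r: r["rate_elsewhere"] - r["rate"])

if __name__ == "__main__":
    for row in expand_findings({2, 3, 5, 8}, POPULATION, not_approved):
        print(row)
```

With the sample {2, 3, 5, 8} both exceptions share an operator and a shift, but the full-population pull shows the night shift failing everywhere while the operator's rate is only modestly above the rest.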

Internal auditors can no longer approach situations from a binary perspective.

The following are some binary-type questions and the limitations of such an approach:

  • Did the document have a signature showing approval? Yes/No. Well, lots of documents are signed without a review. It is called rubber-stamping.
  • Did they do reconciliation? Yes/No. Many reconciliations are mathematically incorrect, but they look fine because “a plug” is made so it ties out.
  • Did employees have an exit interview upon departure? Yes/No. Also important is asking why these individuals left. Would the departing employee consider returning? Did the person leave under duress? Notes are not always reviewed either, so sexual harassment and other workplace dysfunctions persist because they were not asked about, or were not acted upon even though they were disclosed.
  • Is the amount accurate? Yes/No. Yes, but the purchases are unnecessary, and the purchased items were delivered to a non-company address anyway.
  • Was the amount posted in the correct period? Yes/No. But was the amount reversed in the next or a subsequent period because the merchandise was defective, not requested or the contract was rescinded, indicating revenue manipulation?

Identifying present and emerging risks requires imagination. Finding innovative ways to examine risks within thousands or millions of transactions requires creativity.

Looking for anomalous transactions that could indicate abuse or fraud by someone who knows the controls requires “thinking like a fraudster”. Envisioning patterns that correlate one event with another, and an action with its effects, requires visioning.

Writing reports that convey the appropriate tone and capture the attention of the audit committee and senior management is an art.

There is ample room for creativity in internal auditing and embracing this approach will add value to every engagement.
