Latest Audit Information & News

Strategic Messaging and Influencing Skills: A Framework for Internal Auditors

In the mid-1930’s a researcher at Purdue University wanted to better understand what combination, or sequence, of events would best induce someone to take action. What he found, and want continues to be true in the decades upon decades since, is that whenever you’re trying to persuade someone to act, five different elements need to take place in your messaging, either overtly or understood. This tool called Monroe’s Motivated Sequence, has since gone on to inform persuasive messaging strategy in industries across the board, with audiences at all levels.

The five steps i.e. attention, need, satisfaction, visualization, and action manifest differently depending on your industry, role, and situation. Let’s dive into each of the five steps in the sequence and learn how to best utilize them to make your internal audit conversations more strategic and persuasive.

Focus Attention

In this step, you get the attention of your audience. In a presentation, this often takes the form of an opening story, a startling statistic, a shocking fact, etc. But in the business world we don’t need to be so dramatic.

Instead of thinking this as gaining attention, think of this step as setting the stage and getting people in the right frame of mind. Set expectations. Give clear instructions. And provide an outline or agenda for what is going to happen. Getting everyone on the same page allows the collective attention to focus on the task at hand instead of logistical concerns.

Establish a Need

Traditionally this step is done by bringing the needs of your audience to the surface and making sure everyone is aware that a need exists. Here you’re building up the premise for the solution you’re about to provide, or the action you want people to take. The goal is to convince your audience that they each have an incentive, need, or it’s in their best interest to act.

In the Internal Audit role, this is really about establishing the shared need that exists and allowing time for conversation and buy-in on what the need actually is. For example, if a department has to go under an audit every three years, we know that there is a tactical need for this so that we remain in compliance that should be communicated. But then there’s an additional step you can add. And that’s asking your audience what they need from the audit process.

People support what they help create. If you can get your audience to work with you to co-create the needs for the audit above and beyond any regulatory needs, you’ll be better off moving into the next step and the rest of your audit process.

Satisfy the Need

Now that you’ve established a need—you’ve identified a problem—you need to have the solution for that problem. Essentially, you’re satisfying the need. In this step, we get tactical by providing solutions and courses of action that can result in wins for all involved.

This is where in the internal audit process, you’ll communicate the process of the audit. The steps that need to happen. The procedures that need to be followed. This is also where you’ll communicate about alternative inputs to the process, and allow your audience agency in co-creating, where applicable.

Visualize the Result

It’s time to paint a picture with words. Traditionally, in this step you tell the audience what will happen when the solution is adopted, and what it will look like if it isn’t. It could be something positive like: “When we’re done, we’ll have a better picture of these specific functions and know how to move forward to better operate these roles.”

Take Action

In the internal audit world, this is when you make sure that everyone is crystal clear on the plan, on the timelines, and the responsibilities and accountabilities. Whether you’ve prepared detailed handouts, an email, or you’re using a note-taking technology so people who were unable to be at the meeting (or if you’re in geographically distributed teams) can have access to what was done, ensuring that this scaffolding for action is in place will lead to easier decisions and a more smooth audit process for all involved.

You’ve likely sensed a theme here about co-creation and getting everyone on the same page. This is essential for the auditor throughout the entire messaging process with the client. Combing these five steps helps you better focus your attention on ensuring buy-in and action—both persuasive elements of messaging that will help your communication be more strategic.

 

This week we take a look at the longer term benefits of choosing a career in Internal Audit and how it can help you develop a deep understanding of how a business and sector works in detail which will help you develop your long term leadership potential.

Why Talented Candidates Choose Internal Audit

The Internal audit role is full of opportunities to expand, learn the business, become better decision makers, hone communication skills, and become well-rounded professionals. Perhaps you are considering becoming an internal auditor or are looking for some material to convince someone to join your internal audit team. Here are five of the top reasons talented, young professionals choose to make a career of internal audit, as well as what they will gain from the pursuit.

You’ll Gain a Full Understanding How the Business Works

An internal audit cycle typically starts with completing a risk assessment and then an audit plan. Drafting such a plan, with the scope and the coverage of all the internal audits of the year, is a demanding exercise in coping with the constant flow of emerging risks that impact every facet of the business. An audit plan goes well beyond finance, of course, to include operations, strategy, marketing, and IT, as well as other areas of the business. Internal auditors need to grasp cybersecurity and data protection and many other IT concepts. The challenge of processing and gaining an understanding of so many varied aspects of the company is significant, but so is the learning potential.

When you work as an internal auditor, you will be exposed to a diversity of problems that teach you how a company really works and what makes it tick. You’ll learn to apply frameworks and map organizations, you will need to quickly make connections across sectors, cultures, and functions, and you will gain experience in assessing the dynamics of priorities and obstacles that affect a company’s performance.

You’ll Improve Your Analytic Abilities

The success of an internal audit relies heavily on the availability and thorough analysis of data, not only the gathering of the relevant documents and materials in the planning and scoping phase of the audit, but also the interpretation of operational and process data. Knowing where to find the data and seeing the potential for what it can tell you is a big part of internal audit and will serve all professionals well in roles outside of internal audit. In the quest for information in all aspects of an audit assignment, you will be able to develop and use the latest technology in analytics and develop a data-centric approach to problem solving. Data mining and big data solutions are increasingly becoming part of the internal audit toolbox, because they create transparency in operations and increase the level of assurance in any assignments by moving from sampling to full population analysis. Thus, you can provide better assurance to management and the board.

Gaining exposure to those technologies and working to navigate large streams of data will help you build analytics muscle.

You’ll Gain Leadership Skills

During your internal audit career, it’s likely that at some point you will experience resistance from management to accept your audit findings, or even outright hostility. In some cases, they may even disturb your audit fieldwork by providing piecemeal information or by being uncooperative as you gather documentation. You will have to deal with managers who disregard audit findings or push back on them because they do not like to be told what to do or refuse to take responsibility for problems in their departments. Some will consider auditors to be outsiders to their daily operations and will say they don’t understand how their functions or processes really work. Most people do not like to be under scrutiny and that’s understandable.

While these experiences can be unpleasant, your success will depend on your ability to create an environment in which managers are open to your recommendations and ideas and become receptive to acting on the audit findings. You will learn how to deal with ambiguity, how to influence others, and how to stay calm and handle objections without damaging long-term collaboration. These are critical skills to becoming a leader, a business partner, or an agent of change in a world of permanent transformation.

You’ll Become a Great Communicator

Highly effective communicators are good at asking questions, and then listening with both their eyes and their ears, as well as reading between the lines of what is being said. Internal auditors gain many opportunities to hone their communications skills. Indeed, success as an internal auditor depends on it. You will conduct interviews, perform walkthroughs, site tours, and interact with a large variety of people in many different positions both senior and junior. Asking good questions and understanding and interpreting what you hear, will be paramount and good internal auditors will develop these skills in spades, including reading between the lines, reading body language, interpreting what is not being said, and other communication necessities. Internal audit is all about communication.

You will need to think about your message: who is the hero in the story, what’s the goal, which obstacles are there to overcome, and what’s the moral of the story? You will need to adapt the story to your audience, use the right tone and perspective, and make sure you do not lose the attention of the intended audience. If you master those skills, you can easily interact and communicate with everyone in the business ecosystem: executives, customers, clients, co-workers, vendors, and others.

You’ll Learn to Be a Better Learner

A huge advantage to working in internal audit is that every day is different. You gain exposure to so many different areas and processes that you are forced to keep learning new things. This will make you a better learner in general. Audit forces people to acquire all the sets of skills and abilities they need. Internal auditors need to be quick studies and gain knowledge on a wide spectrum of topics. They also need to keep their proficiency up to date at all times. In order to stay effective, they need to stay in tune with industry standards and best practices in both financial and operational areas.

Good auditors are by definition relentless and avid learners. But acquiring knowledge is just the beginning. What you really need to master, is how to manage and apply that knowledge. In a digital world of constant change, you cannot afford to stand still. What you really need to do, is learn to keep on learning.

As Warren Buffet once said, “investing in yourself is the best thing you can do. Anything that improves your own talents; nobody can tax it or take it away from you.” Learning does not end when school ends: broaden your mind, evolve your thinking, and stay sharp. After all, complacency means extinction.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 59

 

Today, we look at the evolving landscape of internal audit and what auditors need to do to reinvent themselves and their departments to survive and thrive.

Reinventing internal audit in an ever-changing risk landscape.
 
High performance and effectiveness demand that internal audit departments focus their efforts on the key risks and issues facing organizations—a task made more difficult in today’s environment of continued complexity, uncertainty, and change.

It is, therefore, important that the internal audit departments consider incorporating the following high impact risk areas into their audit plans.  

Cyber security
Reports on major breaches of proprietary information and damage to organizational IT infrastructure have become rife with
the dawn of cloud computing, social media, mobile technology,
Internet ofThings, etc.

The ways in which internal audit groups define and prepare to address cyber risk will largely determine their effectiveness in cyber security audits.

Hence, cyber security needs to be defined comprehensively and should cover all digital assets and the data processes and systems. As the third line of defense in risk management, internal audit should verify that the steps taken by the first line (business) and second line (risk management) are equal to existing and anticipated cyber risks.  

Key Performance Indicator (KPI) assurance

KPI assurance has been identified as another high-impact area. GaugingKPIs with an auditing scale is critical to improve related processes, systems, and controls. Management reports on leading trends and practices,
etc. and statements about customer service and product quality, demand accurate and reliable KPIs.

Firstly, internal audit should determine whether management is tracking the right KPIs for what is being measured and whether the underlying processes are well-designed and controlled, and then, over time, provide assurance on the data and processes.  

Leveraging automation and analytics:

The regulatory, legal, and competitive environments, and rapid evolution of technology combined with ever increasing volumes of information, are driving many organizations to look for new high impact areas like Internal Audit Analytics, Data visualization, governance & life cycle management, and IT internal audit.

The core internal audit professionals should work cohesively with the data scientists and analysts and call on subject matter specialists as appropriate.

Data Visualization has emerged as a powerful area of data analytics which streamlines the snowballing size and complexity of information. Visualization can depict trends, patterns, and exceptions very precisely and succinctly during an audit. Visualization aids better reporting through more comprehensible and recallable data projection techniques. Besides, it is also important to manage the data throughout the life cycle. Information life cycle management involves consistent management of information from inception to final disposition. Given the pace of technology development and the value of digital assets, organizations should consider grouping IT audit activities into the core, advanced, and emerging technology categories.  

Planning for dynamic internal audit and crisis management:

Dynamic internal audit planning can create a flexible, adaptable approach in which data analytics and continuous monitoring supplement annual risk-based assessments. Dynamic internal audit planning uses qualitative and quantitative methods on a continuous basis to identify issues and allocate resources to key risks. Crisis management planning is important to ensure that impacts of a crisis do not compromise stakeholders’ interests and the organization’s operations and data.  

Vendor governance
While third-party relationships provide many benefits, they also present risks, and management cannot outsource accountability for risks.

Clarity at the front-end smoothens the relationship on both sides, with many vendors appreciating early notice of errors and contract interpretation issues rather than lengthy back-end recovery proceedings.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements,please feel free to reach us on 0041 4350 830 59

Internal Auditors who typically focus more on financial and operational audits are now required more and more to focus also on IT Audits.

 

This week we take a look at the skill sets required in order for you to transition your career to become an IT Auditor.

 

Are you interested in becoming an IT auditor?

Here’s what to know:

Skills required for becoming an IT auditor.

There are both hard skills and soft skills that recruiters look for when sourcing talent into junior IT audit roles. Typically, strong candidates hold at least a bachelor of science (B.S.) in Computer Information Systems, Information Technology, or another similar major. They also have a technical understanding of IT environments, are proficient in Microsoft Office, and ideally have experience with an auditing tool such as Audit Command Language (ACL) or an audit documentation application.

Candidates can also be set apart by relevant work experience whether it is an internship or a couple of years in a technology-related entry-level role. Many employers look for an industry-recognized certification, such as ISACA’s Certified Information Systems Auditor (CISA) or Certified Information Systems Manager (CISM). Top soft skills that make an IT auditor candidate desirable are being able to successfully influence others (process owners aren’t always quick to agree to an internal audit issue!), translate complex information security concepts into business language that is understood by non-technical management, and present audit issues to an executive audience.

Responsibilities of the role

First off, there are two types of IT auditors – internal and external. An internal IT auditor works for a public or private company and assesses the internal controls of the organization they work for, with the main purpose of helping strengthen the control environment. An external auditor typically works for a consulting firm or partnership and assesses the control environments of other organizations, usually public companies which have associated regulatory reporting requirements.

While both roles mostly have the same responsibilities, there are some minor differences. Key duties that are relatively similar include scoping the audit plan, interviewing process owners to understand their control environment, collecting evidence, selecting an appropriate population of samples, performing testing on the selected samples, and documenting test results. The biggest difference is that for the internal role, findings and issues are reported to the organization’s management and for the external role, findings and issues are reported to the client that hired the consulting firm or partnership to perform the audit.

Benefit on becoming IT auditor

Internal audit is a great career choice for many reasons. In the job market, one cannot recall a recent time when auditors were not in great demand. Regulatory requirements that need the work that an internal audit department performs are only increasing, especially in the technology and cybersecurity space. The internal audit function is a transferable skill across industries, meaning even if you start your career in IT audit in the financial services industry, many of the concepts apply to other corporate industries as well – manufacturing, consumer goods, insurance etc, so the job mobility is high.

There is the choice between internal audit and external audit, and although as we covered earlier slight differences do exist between the two, most of the responsibilities and necessary skills overlap. Just because you start as one, doesn’t mean you cannot easily switch to the other. Lastly, and arguably most importantly, the work an auditor performs is crucial to the success of an organization. Both public and private companies need to be focused on a strong control environment that reduces risk. Why? The occurrence of control failures may result in the loss of customer trust, negative financial impact, or broken operational processes. Any of these can damage a company in both the short and long term.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 59

Today our associates have been discussing innovation in the Internal Audit profession with a view to how the professional can evolve and innovate.

Through knowledge sharing of best practices via Audit Leaders- we discuss below how Internal Audit can get innovative?

Organizations do not achieve their objectives by merely adhering to adequate systems of internal control. To succeed, for-profit organizations are expected to innovate to remain viable in today’s competitive environment, and even non-profit entities are realizing that they must also search for new products and services and re-examine their operating practices to reduce cycle-time, lower costs and increase quality.

This is a reality for those on the operational side of things, but internal auditors must realize that they are not immune to these changing dynamics and the same expectations are levied on them too. As the governance, risk and compliance landscape continues to evolve, internal auditors must search for new ways to evaluate what is in their audit plans and become creative in support of management’s pursuit of business objectives.

There are many trends driving innovation in internal audit. For example, the requirement to prevent and detect fraud, the need for faster and more agile auditing, adding value with fewer resources, transitioning to risk-based auditing, using data analytics to examine more substantial numbers of records, better root-cause analysis, practical problem solving, formulating pragmatic recommendations, and helping management improve efficiency and effectiveness.

Following are some examples of ways that innovation can help internal auditors.

Risk Assessments

1.      Expand the rating of risk impact beyond monetary measures. The impacts can also include bodily injury, reputational damage, negative publicity, brand erosion, lost opportunities, employee demotivation, lower productivity, lawsuits, and excessive turnover.

2.      Add velocity and persistence to risk assessments. Velocity pertains to the speed at which the risk may affect the organization. While some risks are slower to occur (e.g., demographic changes) others occur more quickly (e.g., technological change and cybersecurity attacks).  Persistence relates to the length of time over which the risk’s impacts may linger if the risk were to occur after the cause of it stops. Some risks’ impacts are short-lived, like a trucking company accidentally spilling milk, while others may last a long time, such as the same company spilling gasoline or pesticides.

3.      Expand the risk rating used beyond letters (e.g., High, Medium and Low) and consider using a numerical scale more conducive to mathematical calculations.

4.      Expand the assessment of risks to incorporate statistical inputs, historical error, accidents, insurance claims, incident rates, correlations, simulation, and probabilistic elements.

5.      Conduct broader brainstorming sessions to seek input from younger and not only more experienced personnel, from operationally involved but also individuals removed from day-to-day participation in the process, and those who think differently and creatively about unusual, emerging and diverging scenarios.

6.      Develop a partnership with management to use Key Risk Indicators (KRIs), so the organization moves toward pre-emptive risk management, and continuous monitoring and auditing.

Audit Plan

1.      Offer a broader selection of consulting and advisory services to the organization

2.      Recalibrate the allocation of time between compliance, financial, IT, operational, cybersecurity and advisory services based on the organization’s evolving risk maturity

3.      Audit non-traditional, yet essential, subjects, such as Corporate culture and ethics, Knowledge management, Physical security, Training and development, Social media, Project management, Change readiness and execution:

Planning

1.      Identify the business objectives every audit attempt to help management achieve. If business objectives are not defined, work with management to do so.

2.      Brainstorm risks on the program, process or unit being audited rather than only making cosmetic changes to past audit programs.

3.      Evaluate business dynamics more thoroughly, so only key risks and controls are tested.

4.      Examine more rigorously the timing, type, format, and extent of data and documents requested

5.      Brainstorm fraud scenarios with every audit.

6.      Make your department’s mission, and vision statements the driving force behind every engagement.

Fieldwork

1.      There are different types of sampling methodologies, so question the method used.

2.      Go beyond sampling and test the entire population whenever possible and feasible.

3.      Develop testing procedures based on the answer to the question: How do we know if this risk is happening?

4.      Include fraud detection procedures with every audit based on the answer to the question: How can we find out if fraud scheme X is occurring?

5.      Use subject matter experts (SMEs) whenever possible to help test unusual dynamics.

6.      Require root cause analysis and promote the use of tools, such as Ishikawa Diagrams, Affinity Diagrams, 5 Whys, Is-Is Not Comparative Analysis, Pareto Charts, Scatter Diagrams, vigorous brainstorming, Process Flow Analysis, SIPOC Maps, Run Charts, Control Charts, and Histograms.

Reporting

1.      Use various templates to be used based on the type and urgency of the communication.

2.      Update the layout of internal audit and audit committee reports.

3.      Increase the use of charts, graphs and other visual elements in audit reports.

4.      Streamline the reporting cycle to publish communications faster.

5.      Write every audit report from the perspective of a change agent.

Performance Monitoring

1.      Instill and reward individual skills and competencies applicable to modern internal auditing, such as critical thinking, business acumen, data analytics, flexibility, communication, and innovation.

2.      Make sure performance evaluations balance technical and soft skills that measure individual and team results.

3.      Develop Key Performance Indicators (KPIs) that focus on outcomes, not only output.

4.      Balance quantitative and qualitative performance metrics from within the internal audit department, but also from clients.

5.      Introduce and sustain a post-audit client survey and a 360-degree review program.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 59

 

 

This week our highly experienced audit associates share their knowledge for their more Junior peers in order to help with their communication skills in the Audit profession.

 

Communication Skills for Junior Auditors: What to Know and Why

It’s human nature to want to impress others. And when you’re in a new position, the urge to impress can be even stronger. Even if we’re not conscious of it as it’s happening, the urge to “prove ourselves” in new situations is real. And when this urge presents itself, there are some common communication mistakes that junior auditors make.

Mistake: Over-explaining something to prove that you know it.

Correction: Ask questions, be quiet, and really listen.

Ever experience that eyes-glazed-over look when someone is explaining something to you? Don’t be that person! The tendency to over-explain something to prove yourself is high in people new to any position. Smart communicators know that the real power and confidence lies in not saying anything at all. And savvy professionals know how to navigate conversations so that they allow others to share more than they do. To shift the communication dynamic, all you need to do is ask a question, sit back, and truly listen.

People support what they help create. By asking questions and letting others do the explaining, you’re allowing them agency in the process. When you give someone agency, they are likely to feel more ownership. This results in increased responsibility and follow-through. All things that internal auditors really need from their clients and their colleagues.

Mistake: Giving “formal” presentations.

Correction: Take a seat and change the presentation to a conversation.

if you’re presenting to a group of 12 people or less and you’re able to see everyone from a seated position, don’t stand to give the presentation. Instead, present—and have a conversation—while seated with the rest of the group.

Standing in a conference room where everyone else is seated, or standing behind a podium in a larger audience, creates a nonverbal barrier between you and your clients. Instead, sit down. That way you create an environment that demonstrates your confidence and your willingness to have a conversation about a report instead of you being the only purveyor of information. I dive deep into this topic here if you want to learn more. There’s also a great article on designing effective visuals and PowerPoints slides to help supplement your presentations here.

Mistake: Not owning your statements by using pronouns like “they” or “we” or attributing blame.

Correction: Use “I” to show confident communication and own your words.

It’s easy to attach blame. And it’s easier, during stressful or difficult conversations, to point a proverbial finger than to do the processing necessary to take responsibility for your choice. It’s the same when it comes to conversations with your team members. Don’t start a sentence with the word “you.” Instead, start with “I.”

Here are two more statements to demonstrate the difference, even when giving positive statements.

“You did a great job on this presentation.”

“I noticed your hard work on this presentation. Great job.”

When we hear statements starting with “you” we tend to go on the defensive, even when we don’t know what will follow! Whenever the urge to respond with an excuse, or to point your proverbial finger at someone (even if it’s good) arises, rephrase the statement in your head so that it starts with “I” and then the choice you made. Doing so will demonstrate ownership and confidence.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 59

 

 

Fraud Investigation Reports vs. Audit Reports: What’s the difference?

Fraud and audit reports must be distinct because they are intrinsically different from one another. Read on for ways to present a full and succinct fraud investigation report using report design, content and tone. From the onset, fraud reports include different information and you want these reports to look distinct, but still look like part of the fleet of reports that internal audit cranks out. For example, you’ll probably need to stay within the font and design conventions of your company, but consider how the following areas can be changed to distinguish the fraud report.

Be specific: Make sure that the first thing your audience reads is “Fraud Investigation Report” so there is no confusion on the purpose of the report.

Enlarge the word Confidential: “Confidential” should be at the top of the report. Make it large and boldface the word. Fraud investigations are typically not shared outside of HR and upper management.

Change the color scheme: If your audit reports have a blue header, consider a different color header for the fraud report.

Content: Write to Your Audience. Because investigative reports mainly involve personnel and legal issues, your audience is limited. Your typical fraud audience will be the Chief Executive Officer, Chief of HR, Chief of Law, Chief Audit Executive, and Head of the Audit Committee. This small and informed audience knows the situation, and they are ready to move forward, so you can skip the internal audit fluff (e.g., scope, background, audit notes, distribution list). Because of the knowledge level of your audience, you can start your report in the middle of the conversation.

Design: Keep It Simple and Succinct. Fraud investigation reports are around 4-6 pages (excluding the Appendix). Once you’ve determined the outline for the fraud report, move on to deciding how to write each section of the fraud report.

Content: For Fraud Eyes Only. The outline above looks very different than typical audit reports. Here’s a quick breakdown of what to write in each section and i.e. Title, Date, Allegations (one paragraph under 70 words, or 3-4 sentences), Results (2-3 sentences per allegation) and Approach (Single sentence) and from Pages 2-4: Policy/Rule Violations, Summary of Evidence and Appendix

 

Allegations: in typical reports, there are no allegations – you look at a predetermined process or operation. In fraud, we have a specific allegation we’re going in to review. The report and content is always different.” How many allegations should you include in a fraud investigation? It varies depending upon the situation and the number of people involved.

“If the fraud investigation is about a person,” “like someone skims cash, commits payroll fraud, and abuses the company-purchasing card, then we have three allegations: theft, payroll fraud, and misappropriation of assets. However, because the same person commits all of these allegations, the report is still a single investigation.”

Approach: Approach is similar to the audit report scope section; however, approach lists who was interviewed and what the fraud investigative team looked at. In this section, you can also refer the reader to various exhibits and more information located in the appendix portion of the report.

Results: The Results section isn’t long – around 2-3 sentences per allegation. This section will determine whether the allegation was substantiated, unsubstantiated, or inconclusive.

Summary of Evidence: The summary of evidence in fraud reports is the same as the body of the report (the issues) in audit reports. The length of the summary of evidence varies according to the results. If substantiated, the summary of evidence could be from a single page to 3-4 pages.

To organize your summary of evidence section, break it down into sections, or subcategories. Using the example from above, categories could be Theft, Payroll Fraud, and Purchasing Cards.

Content: The Skinny on Recommendation and Risk Assessment. You might think that fraud reports should borrow some sections from the audit report (like risk or recommendations). However, these sections detract from the single purpose of the fraud report, to inform.

Recommendations: After all the investigating, fraud auditors should include their recommendations for action, right? Wrong. “In fraud, we give no recommendations,” “but we have to provide enough supporting evidence so the recipient can take the information and decide what they need to do.”

Risk: Unlike audit reports that outline the risk of audit issues, the fraud audience has to determine the risk on their own. Fraud investigations trust the audience is already well aware of the risk. For fraud, what once was a risk has often already materialized into a financial, productive, or reputational loss to the company.

Tone: Keeping Your Cool: In audit reports, you have to be a little more diplomatic. In fraud reports, you get to be candid, and for many, writing frankly is a breath of fresh air.

This candid method presents pros and cons. On the upside, you have very few people reviewing this – and the person being investigated is not a reviewer, so you get to be blunt. On the downside, you could inadvertently use negative instead of neutral language – especially when the suspect is guilty. You have to allow the facts to stand on their own and keep your tone neutral.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 9

 

 

Auditors who have not experienced conflicts and crisis in some way or another throughout their career are quite rare to come by.

This week we take a look at how the profession successfully approaches crisis situations to result in a positive outcome.

Crisis management by Internal Auditors

Crisis management provides the structure, leadership, decision-making, and communications to support the organization in managing a crisis situation. It encompasses business continuity, disaster recovery, cyber incident response, and financial market crisis response planning and execution.

Most major organizations have basic business continuity plans and disaster recovery plans in place, particularly for IT, supply chains, and facilities.

Usually, Internal Audit will, on a rotational basis, review those plans, provide assurance on related compliance, and conduct post-event reviews. However, the focus on continuity management has widened to include any event that could irreparably damage finances, operations, cyber capabilities, reputation, or other essential assets.

A crisis management plan provides a framework and contingency plans for senior executives should the need arise.

Responsibility for crisis management sits with senior leaders, which means that Internal Audit is the logical and perhaps only source of assurance and advice.

Consider: An organization needs a crisis management program encompassing governance, processes and risks. Governance organizes program ownership and the roles and responsibilities of security, legal, IT, Internal Audit, and other functions. Processes are needed to address crisis response, decision-making, recovery, communications, and contingency plans. Risks must be identified to enable scenario planning and response capability development through training and simulations. Aim to provide assurance and advice in each of those areas, and to anticipate events and promulgate best practices.

Consider whether leaders can answer the questions:

  • What are you prepared for?
  • How prepared are you?

Ensure that simulations are regularly conducted and used to develop and test overall plans as well as playbooks for specific events.

Go beyond regulatory guidance and checklists and audit not just the existence of plans, but their likely effectiveness.

Also, consider industry-specific issues and evolving regulations, such as the EU’s GDPR reporting requirements for breaches.

Internal Audit may need to up-skill or tap external sources to add value in this area, but doing so can save the entire enterprise.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95

 

This week we take a look at the makeup of the successful audit team and how you go about analysing how your current team is performing?

Building the Competencies for Internal audit by IIA

Determine what is missing and take action!

Ask probing questions:

CAEs should assess the internal audit activity by asking probing and specific questions about the department’s maturity and structure, to determine if there are areas where competencies are failing.

Once the questions have been asked and the assessments have been completed, if the internal audit activity is found lacking, the bigger question is, “How do the internal auditors get to where they need to be?”

Here are suggestions on how to begin to first determine what is missing, take action, and then end with a re-engineered, well-structured, and progressive internal audit activity that conforms to the Standards and meets the expectations of the organization.

Perform an unofficial self-assessment:

Performing a self-assessment allows for fine tuning — increased productivity, narrowing of knowledge and performance gaps, and mastering of tasks. CAEs can use the following KPIs to measure internal audit efficiency and effectiveness:

  • The number of certified auditors on staff.
  • Collective knowledge of IT risks and controls and fraud risks and controls.
  • Staff CPE hours.
  • Opportunities to develop competencies.
  • Consideration of organisational changes, industry changes, and relevant regulatory issues.
  • Demonstration of critical thinking and problem-solving skills and Stakeholder satisfaction.

Invest in talent management efforts:

Develop well-thought-out and well-developed approaches geared to optimize the workforce.

For effectiveness, and to build, engage, and retain the best audit departments, CAEs will do well to develop strategies that include measuring what is needed from their existing staff members, what is needed from anticipated additions to staff, and, just as important, what their staff needs from them as leaders.

Where skillsets are in high demand, coordinating with both your internal hr specialists and/or engaging with a niche specialist recruiter can also ensure you not only get access to many candidates who are not “active” in the marketplace but also help save you time and money throughout on the hiring process.

Conduct a gap analysis:

The gap analysis will identify strengths, weaknesses, challenges, and opportunities, and compare the actual performance of the audit team with the desired performance. The desired state ares:

  • Auditors are familiar with the Standards and the IPPF.
  • The department is fully aligned with the organisational strategic plan
  • The department is performing up to its potential.
  • The department has the competencies to perform audits.
  • The department has the resources to develop advanced methodologies and practices
  • The department has access to tools and resources needed to perform audits and
  • The department makes the best use of its resources.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 9

 

What Internal Auditors Need to Know about Robotic Process Automation

RPA, robotics, robots, bots as internal auditors have undoubtedly been hearing this terminology tossed around more and more. What exactly is it? Why is it such a hot topic? Why should Internal Audit care and what can we do to help our organizations embrace, adopt and realize the benefits of this technology?

What is RPA?

Robotic Process Automation (RPA) is a technology that configures computer software or a “robot” to capture and interpret existing data for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.  The “robots” (aka “bots”) are programmable software that allows you to automate business processes currently performed by people. Bots are programmed to perform multiple repetitive steps based on defined rules and structured data. They can perform these activities more quickly, accurately and efficiently than humans.

Why RPA is Gaining Popularity?

RPA is rapidly gaining popularity because a wide variety of industries and business functions are beginning to better understand the technology and its benefits.

·         Cheaper and less complex than traditional/historical approaches to “automation”

·         Rapid Implementation cycle – weeks instead of months

·         Advancements in technology are making solutions more accessible, applicable and affordable

·         Smooth integration with other systems and applications

·         Keeps organizational and technological disruption to a minimum

·         Increased productivity and efficiency & Cost savings

·         Reduction in errors

·         Increased flexibility and scalability

·         Freeing of resources to do other tasks

Where are Organizations Using RPA?

RPA is being used differently in many departments such as:

·         Sales (Account service, Order processing, issue tracking and Credits / Refund)

·         Procurement (Vendor Management, Purchase Order and Invoice processing)

·         Accounting and Finance (AP / AR, Journal Entries and Account Reconciliation)

·         IT (Account Activation, Software installation, Cyber Threat Assessment)

How can RPA Benefit Internal Audit?

Often, Internal Audit is a time-consuming process extracting data from multiple applications/sources, performing repetitive steps, testing and reconciliations. Where the input data is digitally available, RPA is a good fit for the internal audit function.

1.      Data gathering and cleansing for analytics: An RPA can generate and standardize data to run custom analytics, like extracting the data for use by internal auditors, including validation for completeness of fields, comparisons and duplication.

2.      Risk assessment: Bots can assist Internal Auditors to classify risks based on transaction volumes with predefined rules and trends for risk assessment. This will allow quicker identification of high-risk areas/ transactions.

3.      Processing high volume transactions and data collation: Bots can help process high volumes of data (e.g. transaction audit) faster, more efficiently and accurately.

4.      Assistance in testing controls: Bots assist in performing control testing where the tests are standardized.

Key Things to Consideration when Selecting an RPA Software Platform and Partner

Our recommendation is to do your own research and determine the technology and provider that is best suited to meet your individual needs and business environment.  There are many experienced and reliable RPA providers in the market.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95