Chief Audit Executives
Audit International realise that for many internal auditors, the audit committee is a bit of an enigma. Most of you help the chief audit executive (CAE) or other internal audit leader with materials and content to provide to this subgroup of the board of directors. Much of your work, in summary fashion, ends up there. But, for the most part, we only know what happens behind the closed doors of the boardroom if your CAE conducts a post-meeting debrief. Yes, we know that the audit committee is important. We know that they take our work seriously. But what do they really want from us?
For internal audit leaders themselves, the meetings can be intimidating. The majority of audit committee members are experienced executives from other companies and often serve on other boards. They are generally savvy, informed individuals, who spend a part-time role executing governance duties for the organization where we work. So, while they might, at times, be proactive—meaning, they raise questions or lines of inquiry based on something they initiate—mostly they are reactive, responding to what is presented to them. That means the onus is often on internal audit leaders to help them in their role by carefully choosing what to share with them.
Yet walking the fine line between providing too much detail and maximizing the little time we have with the audit committee can be tricky. Internal audit leaders often express anxiety about meeting with the committee. It can be difficult to anticipate what they may find important versus what they would consider a waste of time. Indeed, internal auditors can be forgiven if they just want to shout the famous Spice Girls refrain: “Tell me what you want, what you really, really want!” So, let’s give that a try: What does the audit committee really, really want?
First, What the Audit Committee Doesn’t Want
During an Internal Auditors career, you report functionally to an audit committee on separate occasions, with different companies. You might foolishly think that you would give them lots of information and let them decide what was important. It’s a trap that is easy to fall into. It takes time, experience, and some good mentors to gain the wisdom to realize that is absolutely the wrong tactic.
It is an evolutionary process to slowly realize that reporting to the audit committee is not about what you want to tell them. It’s only about what they need to know. To cite an often-used phrase: “be brief, be insightful, and be gone.” Keep it short, share the needed knowledge, and let others take their place on the agenda. It’s not about you; it’s about your audit committee members.
What the Audit Committee Does Want
Here are ten things that Audit International have learned that the audit committee of the board wants from internal audit. We hope they work for you when it is your turn to directly interact with the audit committee.
1) The essence of the quintessence: This phrase, “the essence of the quintessence,” was shared by a chief operating officer of a bank once, and it stuck with us. Basically, he was expressing that he and the other execs were busy folks and they want to get right to the bottom line. Don’t just tell me what you are telling me, but tell me why you are telling me. Get to the essence of the quintessence! And that’s what the audit committee wants too! So, if you feel you really must share something with the audit committee, ask yourself why it is so important that they know it. If you can start your phrase with, “this is important because …,” then they probably need to know it. They want the bottom line and the why. The rest is superfluous.
2) Not how you did something, but what you concluded: Have you ever asked someone how their vacation went and they start by telling you about the car ride to the airport? You are being polite, but all the while you wish they’d just answer the question. You want to know about the experience at the destination, not how they got there. Well, the same is true with the audit committee. All the work we did to arrive at our conclusions is important to us, but not to them. They only want to know the conclusion. So, cut to the chase. They trust you did all the right work to get there.
3) Your opinion, not just the facts: Internal auditors follow standards, confirm everything, and don’t spout wild, unsupported views on subjects. We are methodological in our pursuit of facts and the truth. So, when we have made a conclusion, we are usually armed with supporting facts. If not, we tend to refrain from going out on a limb with an opinion. Resist the urge, however, to stick only to the facts. You are not a robot; you are a person with a brain. You have a range of experiences to draw upon and see more of the organization than most anyone else. So, does the audit committee want a Joe Friday, “just the facts ma’am,” approach? Not really. They trust you have done the work and want to hear your views on various topics. If they ask your opinion, trust your instincts and give it to them. If you don’t, you really aren’t adding as much value as you can.
4) Your concerns, audited or not: Whether you are new to an organization or have been there for many years, your well-honed internal audit skills will leave you with an innate ability to have concerns about certain things, whether you have actually done internal audit work on the topic or not. If you had unlimited time and resources, you’d go check out all those nagging worries, and confirm or deny them. But you don’t. The audit plan may not have prioritized it, but that doesn’t mean the concern isn’t valid.
Now, the audit committee has no desire to hear lots of speculation or theories, nor are they interested in trivial things. But, believe me, if you have a good relationship with the audit committee, they want to hear your top concerns, even if you don’t yet have all the facts. You just need to be extra careful in how you position what you say, and you do so rather infrequently. But they do want to know. As they say, that’s why you get paid the big bucks.
5) Something of substance in executive session: One experience that is among the trickiest for a CAE to navigate is the executive session with the audit committee. During the typical executive session everyone who is not a board member leaves the room and the internal auditor meets with the audit committee alone. Over the course of a few years of executive sessions with the audit committee, I can say from experience that there are two things you never want to do: one is to have something to tell them in every executive session, and the other is to have nothing to tell them in any executive session. So, the goldilocks theory applies here, you want to strike the right balance. What to bring up, how to bring it up, and what you need to do both before and after you bring it up is a whole course in and of itself. It is an art, not a science. Don’t be trivial or cavalier about what you bring up. The audit committee wants you to bring things up, and they want them to be of substance.
6) Proof you really get the business and the strategic plan – Whether it is deserved or not, a common complaint by operating leaders and managers within many companies is that internal audit does not understand the business. The last thing you want is for the audit committee to second guess your conclusions. So, if you are confident that you know the business and the strategic plan (and you’d better be), let it show. It should show up in your audit plan, your priorities, and your explanation of internal audit’s observations and conclusions. Don’t risk having the audit committee doubt you. They want comfort that you know the business and are in lockstep with the strategic plan. Give them the confidence that you do.
Another point to make here is to remember that you are a businessperson. As we go about our internal audit work, we tend to put blinders on, as if the audit plan and the audit projects are the only reason for our existence. Of course, they are not. So, when we update the audit committee on what we are doing, what hat are we wearing? An auditor’s who happens to work for the business? Or a businessperson’s who happens to be an auditor? The audit committee wants the latter.
7) That you align with second line functions: Not always, but often the only way that second line functions (risk management, compliance, security, and others) coordinate and collaborate with internal audit is if internal audit (namely the CAE) initiates the coordination and takes a lead role in it. Apart from the added cost of redundant activities, the audit committee doesn’t want a bunch of disjointed terminology, reports, and conclusions coming from the various “risk and control” functions of your organization. They want you to coordinate and collaborate across the second and third lines. If they aren’t telling you that, they are telling someone else behind your back!
8) Courage: Like everyone else in the organization, days are always going to bring obstacles, difficult co-workers, things not going according to plan, changed schedules, broken promises, and other hurdles. But, more often than many other employees in other departments, you will from time to time be called on to summon up some courage. From an obstinate audit client that is making your job difficult to a senior audit client manager that is disagreeing with you no matter how right you are—not to mention fraud investigations, hotline accusations, and executives who are doing questionable things—you are going to come across matters that are so egregious that you must raise them, regardless of the consequence. They are, hopefully, rare, but if you are in internal audit long enough, those times will arise. They will require backbone and strength of conviction, and are not for the faint of heart. But guess what, that is exactly what the audit committee wants from you: a reservoir of courage and the ability to call on it when it matters most.
9) That you understand the politics, but are not political – All organizations are political by nature. Whenever people get together and resources are scarce, win-lose games happen. Corporate politics are a fact of life. As much as we’d all like to be apolitical and let the facts drive what the right answers are, if we don’t learn how to navigate the organization’s politics, we will not be able to get our jobs done effectively. Does that mean we need to use the politics to our advantage? Sheepishly, the answer is yes, but not in an underhanded way. It’s important to know who to talk to, about what, and when; how to position what you are going to say; who needs a heads-up on what; who are the influencers in the organization; and so on. We need to know all that and leverage it to our advantage. Our audit committee members are some rather experienced and savvy businesspeople, and they are also navigating the organization’s politics to do their governance jobs. So, yes, they do expect you to understand the politics to get your job done well and know how to report things to them with an understanding of how the politics works, but they also don’t expect you to be overly political.
10) That you know when you may not be objective: Objectivity is such an important tenet to what internal auditors do and how we do it that we need to be ultra vigilant and self-aware when there is a risk of our objectivity being impaired. Audit committees expect us to be self-aware of when our objectivity might be impaired, or even the potential appearance of it being impaired. So, park that ego, realize you are subject to your own biases, and be self-aware enough to advise the audit committee when your objectivity could be impaired. They expect you to do that.
Earning that Paycheck
Even though they may not tell you directly, take it from us that your audit committee wants you to: be brief, tell them only what they need to know, share your professional opinion, be open about your concerns, leverage executive sessions properly, understand the company’s strategic objectives and strategic plan, collaborate with the second line, be courageous, know the business, navigate organizational politics, and say when your objectivity might be impaired. Easy peasy. Well, not really. But, as we concluded, that’s why you get paid the big bucks.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com
With one in five people pledging to pursue career goals and ambitions in their New Year Resolutions, Audit International have researched career experts advice on achieving these in 2023.
New Year, new (career) you! More than 20% of people toasted the start of 2023 with some form of New Year’s resolution and one in five of those pledged to pursue new career goals.
But with January now over, many of those good intentions may have already fallen by the wayside. If that sounds familiar, you’re not alone. In fact, people will typically ditch their ‘New Year New Me’ resolutions by the second week in January.
If that strikes a chord, don’t despair. Audit International has taken some insights from careers experts on their top tips on getting your career back on track.
Re-evaluate your current career choices :
For those with an established job, or who have taken time out of work to start and raise a family, it can be daunting to consider a new industry or completely change career path. However, it’s never too late to take your role in a different direction or re-enter education.
“If you’re looking to change careers in 2023, it’s important to evaluate your previous experience up until now. Consider which parts of your current or past job roles have brought you the most satisfaction or fulfilment, as this can help guide your new career path,”.
Adopt a continuous learning mindset :
Passing all of your exams is an amazing achievement, but that’s when the real learning starts. “Don’t assume you know everything now. Listen and ask questions and make notes and look things up. Every day is a school day!”
Work on your soft skills :
To get ahead in your career it’s also important that you develop soft skills that complement your technical prowess. “As part of your role, you will be expected to provide advice to clients and companies on any number of specific issues they may be experiencing, so developing strong soft skills including clear and concise communication, empathy, and the ability to make decisions to help resolve conflict will be key to your continued success.”
Develop a killer network:
Natural networking is everything. LinkedIn bombing everyone you think might be useful to you is annoying and will rarely achieve anything. Show an interest in everyone you meet and connect in a more genuine way. Try not to just focus on people you think are ‘important’.
Be authentic :
As an accountant, you are well-organised, a skilled number-cruncher and have a keen eye for detail. But as your career progresses and you become a team leader, you will need to focus more on management and people skills. If you get promoted to a management role without any formal training, it can be easy to act like the type of manager you’ve seen in the past. “People buy people, so be yourself, not the manager you think you should be”.
Focus on developing relationships :
Accountancy is a task-oriented job and it’s easy to get lost in the daily grind of completing tasks and hitting deadlines. But the real value you add as a manager is building relationships with staff and being an enabler and facilitator for the team. That means getting to know your colleagues on a personal level and understanding their strengths and capabilities.
Keep your eyes open for growth opportunities :
Don’t get bogged down in short-term deadlines and tasks. “These need to be done for sure, but you should also look more widely to find new areas of growth and challenges that can help you advance in your career”. That could mean studying for a qualification, taking on new responsibilities, or joining a cross-functional team. “Always look for ways to build your skills and contacts and your career will progress nicely.”
Don’t limit yourself to one area :
One of the best ways to elevate your career is by making sure you don’t limit yourself to just one part of the accountancy industry. “Gaining experience in a variety of roles – especially during the first few years of your career, as you decide the areas in which you thrive and most enjoy – will build your confidence and will provide you with essential skills that help boost your long-term career prospects”.
Connect with a mentor :
Regardless of where you are in your accountancy career, having the advice of someone more experienced than you can be invaluable. If you are unable to secure a mentor through work, it is also worth approaching people that you work with who could help you, or you could even look at joining an association that could pair you with someone.
Don’t put too much pressure on yourself :
It’s always good to be ambitious when it comes to your career and education, but avoid putting too much pressure on yourself when it comes to achieving all of your goals or training courses by the end of 2023. “Comparing yourself to others or putting pressure on yourself can lead to you feeling overwhelmed or burnt out. Take as much time as you need and find flexible options that work for you, especially if there are other important childcare or work commitments to take into consideration.”
Be ready to flex. Having a long-term career plan is great. However, things change and you will get frustrated if you can’t adapt or sometimes go with the flow.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Let’s face it. Even here at Audit International, we understand Internal audit still suffers from some rather negative stereotypes. There are plenty of companies or units where internal auditors are not welcomed with open arms. Audit clients may view internal audit with suspicion, expecting a “gotcha” mentality or may feel like they are under surveillance.
Sure, it’s often undeserved and some of it comes with the territory, but we may even be perpetuating such negative views with the words we use. Words and phrases that internal auditors consider just a normal part of the profession’s vocabulary may actually be words that trigger negative reactions in our audit clients. And often, internal auditors don’t realize they are contributing to the hostility by using them.
Words matter and good internal auditors choose them carefully. But auditors are also as prone to using professional jargon as anyone. These are words that have become so commonplace that we might not think too much about what they really mean, especially to others. We all use them. Yet, how they might be interpreted may not be how we intended. So, what can we do about it?
Here are seven words that we should consider their meanings more closely and either use them more carefully or strike them from our vocabulary completely.
1. “Finding”
Most internal auditors call what we consider reportable (in writing and verbally) a “finding.” Think about that for a moment, though. It’s not as if the vast majority of our audit observations were hiding or lurking in some hard-to-discover, dark and foreboding place, and it took our best Indiana Jones skills to unearth them. Lo and behold, ah ha! We have a “finding.” The word relates a context of sleuthing and uncovering things that were hidden, perhaps intentionally.
So put yourself in the shoes of your audit clients. We come along and have all these “findings,” as if they weren’t doing their jobs and it took us to find these gems of reportable conditions. Worse yet, we are often reporting as “findings” what audit clients told us directly. How would you feel if someone walked through your house and told you at the end of their visit that they found the carpets needed vacuuming, the furniture needed to be dusted, and relayed a few other of their insufficient housekeeping “findings.” You’d likely be inclined to never invite them back.
Try using the words “observations,” “conclusions,” or “conditions,” rather than “findings.” You may find they work better in your organization. Audit clients will feel less like they are being accused of hiding information or that they didn’t see something that the auditors later uncovered.
2. “Weakness”
When we observe an issue, we also sometimes couch that issue by using another troubling word, “weakness.” We may not be able to avoid calling breakdowns in internal controls, as they relate to SOX-like work, “control weaknesses” if the controls are not working as they should (or at all). But we should avoid calling observations outside of controls “weaknesses,” if possible.
Think about it. You go into the manager’s office during an audit, and you say, “excuse me, if you have a few minutes I’d like to go over a few weaknesses that have come to our attention during our review of your area.” Expect immediate defensiveness. We might as well be criticizing their first-born by pointing out weaknesses in how the child looks or plays with others. The word connotes physical ineptitude and can strike a visceral blow to any manager’s ego.
Like weaknesses, “deficiencies” isn’t any better for all the same reasons. So, perhaps, try “opportunities,” or “matters for attention,” rather than “weaknesses.” Even “challenges” or “difficulties” will garner a better response from audit clients.
3. “Material”
While the term “material” has been part of auditing language forever and, although tough to really quantify, is an important and meaningful word. I mean, if it’s not material why look at it or consider it at all? We also have the SOX-related nomenclature of “material weaknesses” (which people want to avoid as best as possible). Look, if you tell someone something is “material” and it truly is agreed that it is “material,” that’s a big deal.
Yet when we tell someone who is the owner of something that we want to talk with them about a matter that is “material,” what would be the natural reaction of the person on the receiving end of that word? Disbelief, denial, and outright defensiveness are natural human reactions when told something is “material,” in a bad way, which affects them or their responsibilities. Think about being in the doctor’s office because you have not been feeling well. After a bit of consultation and tests, the doctor comes in the room and tells you that there is something “material” to discuss. You are likely to act with disbelief, denial, and defensiveness, naturally. The word conveys an urgency we might not intend. Do we really want our clients to react that way, now or in the future?
Note that “material” has an important legal context. The Securities and Exchange Commission defines “materiality” as anything a reasonable investor would deem relevant to their decisions about whether and how to invest. While it’s important to use this word carefully in this legal context, it’s also easy to adopt the word and use it outside this context, which can result in misusing it. Another problem with “material” is that it implies that everything else isn’t important or that other aspects of an audit client’s work are meaningless, which is not a great sentiment to convey.
So, perhaps, when you don’t really have to use the word “material” (or “significant” for that matter) in consultation or in writing, maybe consider some different language. Hey, there’s something important I want to run by you when you have a moment, and maybe we can write about the top matters for attention without calling them “material” (unless, of course, we must).
4. “Disclosed” or “Uncovered”
Like the word “finding,” the word “disclosed” (or the word “uncovered’) has a similar connotation. It’s as if the issue was hiding and no one knew about it or would ever find it without you, and your brilliance—the internal audit superhero with x-ray vision. OK, sometimes things were truly hidden, unintentionally or, worse yet, purposefully, and we did use our internal audit superpowers to uncover it and then we get to puff our chest and—cue music here—disclose it. But, come on, that’s rare.
Yet, we use the terminology all the time. For example, resulting from of our testing, it was disclosed that blah, blah, blah. Or, based on our review of the area, it was uncovered that yada, yada, yada. Now, if you’ve got sneaky and underhanded clients, who are going around hiding stuff from you that you truly uncovered and want to disclose to the world, then fine. But most clients don’t do that, and you want to collaborate with them in the future.
Imagine how you’d feel if the external team you hired to do your Quality Assurance Review (QAR) started telling everyone, verbally and in writing, what their work (and only their work) disclosed and uncovered in your internal audit department? How would you react to that? “Disclosed” implies that something was formerly a secret and now you are airing the dirty laundry out for the world to see.
So, maybe we need to back off the “disclosed” and “uncovered” language, at least a bit. Options might include, “along with management, we identified …,” “taking full stock of the evidence, it can be concluded that …,” “testing demonstrated that …,” or similar language. Just don’t use “revealed” instead. That’s just as bad.
5. “Entrance” and “Exit”
OK, you may need to bear with me a bit on this one.
We’re going to start an audit project, and our first meeting with the client is called, in many companies, an “entrance meeting.” Then, when we’ve concluded all our fieldwork, what do we call the last meeting with the client to wrap things up and ride off into the sunset to work on the audit report for weeks on end? The “exit meeting.” They are decent terms, descriptive of exactly what they are … our entrance (ugh, the auditors are here) and our exit (yes, they are leaving, let’s party).
Let me ask you this, though. Is this audit, the one you are doing an entrance into and an exit from, the first and last time you will ever see these folks? I sure hope you have an ongoing relationship and are interacting all year long, or at least on occasion. If that’s the case, there is no entrance and there is no exit because, like the song Hotel California, you may never leave. And, if you’ve done your relationship management right, they are happy about that.
The point is that “entrance” and “exit” are old-school terms from when we did things on a cyclical basis and may or may not come back. Back then, relationship-building was less important and audits had a fixed beginning and end. So, maybe we need to stop calling them “entrance meetings” and “exit meetings,” and just call them something else that isn’t so clinical and auditor sounding. Schedule your Project Introduction Meeting at the beginning and, maybe, your Project Wrap-Up Session at the end, or something like that. And, if you are well down the path of an agile implementation, all that entrance and exit stuff becomes moot anyway.
6. “Consulting”
Back in 1999, the Institute of Internal Auditors introduced the well-accepted and globally codified definition of Internal Auditing as: “An independent, objective assurance and consulting [emphasis added] activity designed to add value…” Back then, the word “consulting” was viewed positively. And, for internal audit to be positioned to not only provide assurance, but to also be viewed as a consultant? Well, to borrow a ’90s term, that would be “da bomb!”
But, somewhere along the way, the word “consulting” came to be viewed less positively, and we’ve started to insert the word advising to soften the term. Should we blame consultants for tarnishing a good word, and making people view consultants and, in turn, consulting, negatively? Perhaps, but that’s not the point.
We all want to be advisors, and the gold standard, the place to be, the coolest accolade, would be to be trusted and be an advisor. So, in our pursuit of being that vaulted trusted advisor, let’s drop the word consulting from our vocabulary, once and for all. Look, your clients might want to “consult” with you, but hopefully you are “advising” them.
7. “Satisfactory”
Often, we as auditors don’t want to overcommit, and use words that might get us into trouble later if something is determined to be different than our work concluded. There is just so much we can evaluate and then we must draw a conclusion and move on. So, we settle on words like “satisfactory,” even if things are notably better than the word implies. From an internal audit perspective, we are hedging out bets. We don’t want to be overly flowery with praise, and just conclude something is either “satisfactory,” “needs improvement,” or “unsatisfactory.”
Put yourself on the other side of the table. Let’s say, for instance, you’ve worked hard at something, gone the extra mile, and made sure it was done exceptionally well. Then, someone comes in, looks it over, and decides that things seem “satisfactory.” Ouch, gut punch! You put in a ton of effort, expected to get an “A” grade, and the professor gives you a “C.” That’s kind of deflating.
Let’s not forget that the word “satisfactory” means acceptable or good enough, but not outstanding or great. Yes, there are reasons to fall on the crutch of concluding, placing our highest auditor grade on something, that it is “satisfactory.” But, perhaps, if we can avoid it, we take the risk, rely on our work, and conclude that something better than a measly “satisfactory.” Don’t be afraid to say if something is exceptional, great, works well, or exceeds the requirement.
The Last Word
There is a lengthy list of good reasons, justifications, and rationalizations for why we use the words we do as internal auditors. Many of them have stood the test of time. Many are in use, and still exist, because we are hearing the world through our own ears, and not our clients’.
If we stop for a minute, and consider what these words sound like and what they actually mean, and the impressions they may leave on the ears of our clients who hear them, perhaps they are not the best words to use. Perceptions are reality, and if you want to change perceptions, maybe one way to do that is to change our vocabulary. In other words, say what you mean and mean what you say.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International recommend five ‘Under the Radar’ Areas to Audit that May Not Be on the Audit Plan.
As internal auditors, we all have a “spidey sense” of what we should be auditing.
Sure, we should, of course, conduct comprehensive risk assessments that drive our audit plan, and many of the usual suspects will end up on that plan: cybersecurity, regulatory compliance, financial reporting, third-party relationships, and you know the rest.
But there are things, we would strongly profess, that should be audited, even if we aren’t formally auditing them and they never make it to the actual audit plan. Just by being aware—casting that web, if you will—you should constantly informally “audit” a few critical areas.
What might be some of those things we should (lower case) audit, even if we aren’t (upper case) Auditing them? Here’s Audit Internationals take on five:
1
Culture: Are Disconnects, Even if Subtle, Surfacing?
So much has been written and said about doing culture audits and internal audit’s potential role in doing such a review. Perhaps, however, your organization doesn’t support internal audit doing a full-blown culture audit. Does that mean you throw your hands up and do nothing with the topic? Heck, no!
Look, we are among the very few in the organization who have the benefit of both grasping the desired culture and viewing the entire company because of our day-to-day work. So, why not leverage that and tune into what is going on around us and notice the organizational behaviors, actions, and attitudes that are consistent with, as well as (importantly) counter to, the desired culture.
So, what’s an internal auditor to do?
Some caveats, though. First, be sure you completely understand the desired culture, both what is formally stated through things like the organization’s listed core values as well as what is implied in the “how things are done around here” subtleties. The formal and the informal culture are equally important. Then, as you go about your work in various departments and interact with people at all levels of the organization, be cognizant of behaviors, language, demeanor, protocols, and other elements that seem inconsistent with what you expected.
Now, if you witness such imbalances, and you’ll know because it will make you a bit uncomfortable, talk with close colleagues or discuss it amongst your team. If something seems amiss, continue to keep your eyes and ears open and provide your internal audit function leadership with examples of what you are witnessing. If there are culture issues in a particular area of your organization, it is likely manifesting itself in a number of other issues as well. Your internal audit function leadership will guide you on what to do and may provide guidance on the next course of action. Chief audit executives will need to consider when and how to elevate such delicate issues. Yes, it’s a sensitive topic, but something that might be critical to address. Your spidey sense will guide the way.
2
Employee Engagement: Are People Checking Out?
While it has been a topic in the corporate world for more than 20 years, at least since the Gallup Organization and their Q12 employee survey instrument brought it into the lexicon, “employee engagement” has re-emerged these days. By now, we’ve all heard the new buzz phrase “quiet quitting.” While it’s a catchy label that has been slapped on what is, in essence, just disengagement, it’s not to be taken lightly. Employees who have become disengaged in your company’s mission, vision, and values don’t have passion to do their best. This should be deeply problematic to executive leaders and, in turn, to you. It is a significant and costly drain on everything your organization does.
So, what’s an internal auditor to do?
Just like with the culture topic, we, as internal auditors, interact with more of the organization across all levels (along with HR) than most anyone else in the entire organization. Therefore, we have our finger on the pulse when it comes to engagement and its evil twin, disengagement. Do we have a general sense though the course of our internal audit work that people care or if they are they just going through the motions? Sure, we do.
We don’t need to be scientific about it, and we don’t have to call anyone or any function, department, or location out, per se, but if we see that there is a trend developing toward greater levels of disengagement, let it be known. Make it a part of what we absorb about the organization on a daily, weekly, and monthly basis. Elevate the concerns, whether to HR, department levels, or even the senior management. In other words, don’t ignore it.
3
The Physical Facilities: Are Things in Disrepair?
As much as we may not all be going into a physical office as much anymore, many employees will still spend at least some time in the office or at company facilities. And, the physical state of the office location, branch, facility, or building space is important. Not only can facility disrepair be unhealthy or unsafe, but it can also just negatively affect employee psyche or customer impressions. Pay attention to what things look like and what is the state of the physical environment around you. It may signal deeper problems or an overall neglectful view of the business.
We all have stories about what we’ve witnessed. I remember walking past a locked closet and smelling a damp odor. I could have just ignored it, thought it was just me, or figured that someone else was probably aware of it. Instead, I decided to mention it to the facilities manager of the location. And, lo and behold, behind the rightfully locked door a roof leak had infiltrated the space and it was a wiring closet. It could have been a big problem if it were ignored for any length of time.
So, what’s an internal auditor to do?
Keep your eyes and ears open as you go about your work. Does something seem amiss regarding the physical location? Mention it to someone who could do something about it. What’s the worst that could happen? They tell you “thanks, we are aware of it.” At best, you help address an issue before it gets out of hand. Sometimes we all become blind to our physical surroundings because we’ve just been there for so long. But a fresh set of eyes and ears might just help the organization out and make employees and customers even more appreciative of the physical space they show up to and that the organization spends so much money on. Internal audit can have a unique perspective of noticing what gets unnoticed.
4
The Parking Lot Check: Is Fraud Hiding in Plain Sight?
Closely related to the physical state of the facilities is the state of the employees. Ever see a change in someone’s habits that don’t sync-up with what has gone on in the past, and you wondering “what’s up with that?” Perhaps someone is showing up to the office in a new luxury car, expensive clothes, or talking about some lavish vacation they went on?
Most often, there is a great explanation, and it is none of our business. But, also, any of us who have been around the block a few times will also know that, occasionally, these changed behaviors are clues that something is amiss and that someone may be on the take. You could call this “doing a parking lot audit.” So many frauds and embezzlements have left a trail of these clues as the perpetrator wanted to channel their ill-gotten gains into the fruits of luxury and apparent success. It’s not an outright indicator or fraud, of course, but it might be a red flag to dig deeper, especially if things weren’t adding up already.
So, what’s an internal auditor to do?
Just keep your eyes and ears open, being observant to uncharacteristic behaviors, purchases, and chatter could provide clues to someone who is taking advantage of their position and situation to pilfer from your company. No, don’t go around accusing people of things where you have no proof, of course. But eyes open and be vigilant. And, if you see something, say something to a trusted colleague within your internal audit department. If necessary, elevate it within your department and, if warranted and approved, do some follow-up in a clandestine manner. You may just catch something in its preliminary stages and head it off at the pass, so to speak. Most people steal from the company in small increments, and it escalates from there if they feel they are getting away with it undetected. But, in hindsight, there were usually always clues … perhaps no further away than in the parking lot.
5
Hotline Activity: Is Volume Up, or Has Volume Decreased?
Most internal audit functions have some role in monitoring their organization’s whistleblower hotline for employees, and sometimes also third parties, to file complaints. This may seem like a no-brainer, but you’d be surprised how often small complaints (that point to bigger problems) go unnoticed. Your internal audit function may have complete ownership of managing what comes though, you may partner with someone else in the organization, such as compliance, human resources, or legal, or you just get things passed to you for review or investigation as needed from one of these organizational partners. Regardless, you need to have some role in monitoring the volume of activity. What types of activity are coming through? Are there recurring issues? What are the trends? It doesn’t take an audit, but it does take awareness. Changes in volume can be very telling, and that could be changes in either direction (increased or decreased volume).
Increases in activity might spell some brewing issues of a more macro sense and, alternatively, decreases in volume may spell a level of distrust in the confidentiality of the hotline or a perceived lack of seriousness with which reported items might be getting addressed.
So, what’s an internal auditor to do?
It doesn’t have to be you, so long as someone in your internal audit function is attuned to the trends, both in terms of volume and types of activity. And, if there are notable changes in the trends, up or down, it might be time for a deeper understanding of what might be going on. This could be a signal of troubles brewing that are inconsistent with the desired culture.
—-
To be clear, internal auditors don’t need a formal audit plan initiative to keep abreast of important developments in the organization. It’s not easy, I know, as the formal audit plan has us busy enough, but a little observation may go a long way. Head up, eyes and ears open, use all your senses and leverage your well-honed intellectual curiosity and professional skepticism. Do some ad-hoc auditing of things you might not be able to (upper case) Audit and don’t necessarily make it to the formal audit plan. The organization will be better for it, and you will enhance your engagement and contributions innumerably.
As popularized in the Spiderman comics of yesteryear and said in more recent movies, “with great power comes great responsibility.” Wield it judiciously!
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Amidst issues like supply chain complexity, economic uncertainty, and increased digitalization, Audit International are finding many organizations are adding vendors or changing their existing relationships with those they currently conduct business with.
Working remotely has prompted many companies to add cloud vendors. Supply chain backlogs might have prompted your business to switch to local vendors. Or maybe you’ve added marketing agencies or other types of consultants that have flexible capacity, rather than increasing headcount.
These decisions can help businesses adapt to changing conditions and build resilience, but working with vendors may also introduce new risks. While you might feel like you have a handle on issues like in-house data security processes, you need to be sure that vendors also align with your needs in these areas.
Internal audit teams can play an important oversight role when it comes to vendor risk management. While they might not be making specific vendor management decisions, they can still be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks.
What are the top vendor risk management issues?
Working with third parties like software vendors, managed service providers, cleaning companies, etc. can help businesses fill gaps in current capabilities, increase efficiency, and more. Yet, internal audit teams also need to make sure that their organizations are accounting for any and all potential risks:
Cybersecurity: Internal audit teams should review vendors’ cybersecurity practices to assess whether these meet your organization’s expectations, for example, data security controls and remediation capabilities.
Compliance: Third-party vendors can also create compliance risks, such as improperly storing customer data or engaging in illegal business practices. Even if these vendor issues do not lead to legal action against your organization, internal auditors should aim to get ahead of these issues to avoid reputational damage.
ESG: Environmental, social, and governance (ESG) scrutiny is increasingly extending into supply chains and can also create reputational risk. Internal auditors will want to assess how vendors align with their own ESG goals. This may in turn lead to implementing additional controls, for example, around data sharing practices so that your organization will be able to verify issues like vendor emissions.
Quality: Don’t automatically assume that vendors will provide the quality you’re expecting, even if they come recommended or are widely known. Internal auditors need to ensure that their organizations still conduct proper due diligence to see whether working with that vendor will provide the quality of work you’re expecting. Managing risk can also include looking at vendor performance controls to see if existing third-party vendors maintain appropriate quality standards.
These are just some of the many critical risks that can come from working with third parties. Keep in mind that vendors may also have their own networks of third parties, which could ultimately affect your organization.
While it might not be possible to know every connection point that your vendors have with other third parties, you would likely want to assess what their own third-party risk management practices look like.
How can internal auditors improve third-party risk management?
Internal auditors shouldn’t be the only ones responsible for vendor risk assessments, but they should be mindful of the aforementioned vendor risk management issues and collaborate with other departments to stay on top of these risks.
For example, internal auditors can collaborate with IT leaders to create a vendor security due diligence checklist. From there, internal audit controls can make sure that this checklist is used across all vendor reviews.
Internal audit leaders can also integrate analytics into audit processes, such as collecting performance metrics on third-party vendors, to assess whether they meet your organization’s quality expectations on an ongoing basis.
Too often, however, adding analytics to audit reports is a manual, labor-intensive process that can create its own risks, like data errors. TeamMate Audit Benchmark found 79% of internal audit teams manually leverage data from other applications.
Audit tools like TeamMate+ can help internal auditors get the third-party data they need through automated API exchanges with other platforms, which makes continuous monitoring of risk more feasible. They can then create automated reports to share insights with other departments to stay on top of third-party risk.
By aligning with these steps and staying on top of evolving vendor management risks, internal audit teams can help their organizations stay safe while getting the most out of their third-party partnerships.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Here at Audit International this week, we are are all talking about the Chartered Institute of Internal Auditors dropping their ‘Risk in Focus 2023’ report. The report compiles the results of 9 in-depth interviews, 4 round table events with 39 participants, and responses from 834 Chief Audit Executives (CAE)’s from across 15 European countries. In a nutshell, the report has some solid contributors, meaning, the top 10 areas which are concerning other CAE’s, might be worth you thinking about also – especially as you prepare your 2023 annual plan.
The Risk in Focus 2023 report has had a great refresh and shows the movement of each of the risks over the years. This year’s report shows 15 categories worth consideration:
– Mergers and acquisitions
– Health, safety and security
– Communications, reputation and stakeholder relationships
– Fraud, bribery and the criminal exploitation of disruption
– Organisational culture
– Organisational governance and corporate reporting
– Financial, liquidity and insolvency risks
– Supply chain, outsourcing and ‘nth’ party risk
– Business continuity, crisis management and disasters response
– Climate change and environmental sustainability
– Digital disruption, new technology and AI
– Changes in laws and regulations
– Macroeconomic and geopolitical uncertainty
– Human capital, diversity and talent management
– Cybersecurity and data security
The report finds that the greatest movers, in terms of focus / attention given to this particular topic by CAE’s, found the following four categories had the most increased attention and focus since 2020:
– Macroeconomic and geopolitical uncertainty
– Human capital, diversity and talent management
– Supply chain, outsourcing and ‘nth’ party risk
– Climate change and environmental sustainability
This years report also highlights the impact the war in Ukraine has had on many of the businesses and risks highlighted in the report.
For each of the risks, the report provides suggestions on how Internal Audit can help the organisation.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
At Audit International, we know when people hear buzzwords like ‘data analytics’, ‘artificial intelligence’ and ‘machine learning’, it can be intimidating. Many people don’t fully understand such concepts, but in truth, you don’t need to. You just need to get comfortable with them. And you probably already are: familiar services like Netflix or Spotify use artificial intelligence to understand your preferences and make subsequent suggestions based on that knowledge. The level of consumers’ expectations is continually increasing, and the successful companies are those that are advancing with technology. The same is true for businesses and their expectations. In audit, the revolution is underway and the sections that follow highlight the key drivers for this change.
Improve the audit experience –
The volume of data available to auditors is astounding, but in most cases, this data is simply not being used. If this were happening in any other industry, there would be questions to answer. Data analytics can improve the audit experience in several ways, for both the audit team and for the client.
Improve audit quality-
During the planning phase of the audit, audit teams must shift their focus away from the old mindset of “what could go wrong?” Through analytics, we can turn our attention from what could go wrong to what has gone wrong. Auditors have access to the client’s complete financial data for the period under audit – if they focus on analysing and understanding the data, they could identify an unexpected transaction or trend in the process. During the execution phase, auditors should also build on the knowledge gained in planning to truly understand the business in question and focus their attention on higher risk transactions. Finally, auditors should move away from a ‘random sample’ approach and, instead, focus on the transactions that appear unusual based on their knowledge of the client, business or industry. These are just a few areas where improvements in audit quality can be achieved using data analytics.
Improve efficiency-
In the examples above, the use of data analytics in planning will identify what has gone wrong and any associated unusual transactions. In execution, these transactions will be tested as part of the audit sample. It could also cover some requirements under auditing standards concerning journal entry testing, as the journal entries will likely be the data that highlighted what went wrong in the first place. Again, this is just one example of efficiencies gained without even considering the hours saved by automating processes like creation of lead schedules and population of work papers.
Post-pandemic world-
The world will be a very different place in years to come. Firms with the ability to perform in-depth analysis using data analytics undoubtedly have a significant advantage over those that do not, given the efficiencies they can gain and the potential reduction of physical evidence required from clients, among other things. Due to the changes we have all had to endure, auditors may also have additional procedures to perform (e.g. roll-back procedures where they were unable to attend stock counts at year-end due to the COVID-19 closures of businesses). Such procedures have the potential to be automated, saving even more time and effort for audit teams.
Improve engagement-
Rather than spend time performing mundane tasks such as testing large randomised samples, data analytics allows audit teams to jump into the unusual transactions. This will make the job more interesting to auditors and cultivate a curious and questioning mindset, which will, in turn, lead to improved scepticism and audit quality.
Improve client experience-
This might happen in two ways. First, the time saved by the client’s staff (who, in theory, will have fewer samples for which to provide support) and second, through the value the audit adds to the business. As an example, consider an audit team performing data analysis on the payroll for their client. As payroll is a standardised process, the audit team has an expectation around the number of debits and credits they would see posted to the respective payroll accounts each month. As part of their analysis, however, they find an inconsistent pattern. This can be queried as part of the audit and the client will be better able to understand a payroll problem, which they were previously oblivious to.
Client expectations-
Given the level of data analysis that occurs daily in the life of anyone using a smartphone, a consistent, high quality is understandably expected in people’s professional lives, too. Audit clients, like all consumers, want more. They want a better and faster audit. They want an audit that requires minimal interference with the day-to-day running of their business, without compromising the quality of the auditor’s work. With troves of data now available to auditors, such expectations are not entirely unreasonable. Audit firms have access to vast amounts of financial and related data – in some instances, millions of lines of information – that, if analysed robustly and adequately, would improve their processes, their clients’ experience, and the quality of their audit files.
Aspirations of professionals-
Audit professionals can often struggle with work-life balance, as we here at Audit International know. Though most firms are getting on top of remote working, the hours in busy season are long. In a time of continuous connectivity, the time frame around ‘busy season’ is also becoming blurred. Through the use of technology, we will one day make auditing a ‘nine to five’ job. Many will scoff at that idea and, although we do not expect this to happen in the next five years, or even ten years, it is possible. By automating mundane tasks and continuously upskilling our graduates, we can transform how an audit team completes work. There will be more scope to complete work before clients’ financial year-ends, thus moving much of the audit out of the traditional ‘busy season’. Machines can complete specific tasks overnight so that auditors could arrive at their desk, ready to work on a pre-populated work paper that needs to be analysed by a person with the right knowledge. With appropriate engagement by all parties (i.e. audit teams, senior management, and audit clients), we could significantly reduce the hours spent on audit engagements and give this time back to auditors. Along with attracting high-calibre graduates, we will retain high-quality auditors in the industry while also avoiding mental fatigue and burnout, which will again lead to better quality audits.
Graduate recruitment-
Graduates joining firms in recent years have particular expectations of the working world. They want job satisfaction, flexible hours, remote working, and an engaging role that will challenge them. Professional services firms have to compete for the very best graduates, and no longer just against each other – a host of technology-enabled businesses are attracting talent on an unprecedented scale by meeting the needs listed above. Technology, and data analytics, in particular, can offer the solution to the graduate recruitment challenge – by making the work more efficient and automating mundane and repetitive tasks, graduates can instead focus on analysis. Time and time again, when we talk to candidates, we always hear that if they find their work challenging and interesting, they will feel more engaged.
Challenges-
This move towards technology is not without its risks to the profession. Automating basic tasks removes the opportunity for graduates to form a deep understanding of these sections of the audit file. The onus is therefore on the current cohort of Chartered Accountants to take the reins, both to drive technology advancement forward and also provide practical, on-the-job coaching to ensure that this knowledge is not lost for the generations that follow.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Transit systems. Healthcare facilities. Financial services firms. What do they all have in common? Organizations within these sectors — and essentially all industries, for that matter — have been hit by ransomware, a type of malware where cybercriminals demand a ransom payment to unlock access to your private and confidential systems and files.
While many cybersecurity risks exist, ransomware is often one of the more pressing challenges. Not only can it bring operations to a screeching halt, but it can also cause issues like data leaks and reputational damage. A global survey by cybersecurity software company Sophos finds that 66% of surveyed organizations suffered ransomware attacks in 2021. “It took on average one month to recover from the damage and disruption,” Sophos adds.
Given the severity of ransomware risk, internal auditors should aim to help their organizations reduce these threats, along with overall cybersecurity risks. How? As Audit International will examine in this article, internal audit departments can take steps such as conducting IT/cybersecurity audits and using technology like internal audit management software to improve internal controls and collaboration.
Review IT practices and controls :
Even though internal auditors generally aren’t responsible for choosing cybersecurity software and establishing employee training to recognize ransomware risks, they can still provide assurance over IT practices and controls, such as with an IT audit.
When IT teams conduct phishing tests to see whether employees are tricked by email scams that can cause ransomware issues, internal auditors are then able to review those results and ensure that the organization is meeting a sufficient standard to prevent social engineering. If the results demonstrate gaps in employee preparedness on ransomware risk or other cybersecurity risks, then internal auditors would likely want to communicate that risk to other stakeholders, like boards and senior management.
Internal audit leaders might also review remote work policies to ensure that IT teams are appropriately managing these with ransomware risk in mind, rather than just focusing on the functionality of work-from-home environments. While internal auditors often rely on guidance from IT leaders, they can still audit areas like access logs to ensure that only approved devices, with the appropriate threat intelligence and data protection technologies, are connecting to their networks.
Align key stakeholders :
Improving ransomware protection also means internal auditors need to align key stakeholders, rather than just collaborating with IT. That means pulling together information from multiple departments to make sure everyone’s on the same page.
Internal auditors should check with finance teams to see how they’re accounting for the potential costs of a ransomware attack, and then ensure that other key stakeholders, like boards and senior management, understand and agree with this approach. Otherwise, issues like not having a sufficient budget to recover from a ransomware attack may arise.
“Regardless of their size or revenue, organizations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response, and recovery measures,” notes Zachary Ginsburg, research director for the Gartner Audit and Risk practice, in a Gartner press release.
Leverage internal audit management software :
Internal auditors can mitigate ransomware risk by leveraging internal audit management software. Many technologies are designed to assist with cybersecurity risk management, but from an audit perspective, internal audit management software is important for gaining assurance.
Overall, internal audit teams have an opportunity to make a significant impact when it comes to ransomware risk management. Planning ahead and focusing on internal alignment can go a long way toward reducing ransomware attacks and other cybersecurity risks.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Having considered how internal audit can address environmental risks in the first article in this Audit International series, this article turns to the second element of ESG, social risk. This can be a sensitive area, and many risks are hard to quantify. But over the last decade, expectations of organizations have evolved significantly, and internal audit has a key role in providing assurance over the risks that this presents.
Social risks :
Social risk can be viewed from several perspectives. While we traditionally look at business activities, here it can also be helpful to look through the lens of different stakeholders to ensure all risks are captured and completely understood. For example, consider impacts on the organization itself, staff, customers, suppliers, investors, other third parties, and the wider communities in which you operate. Below are some of the key risks – not an exhaustive list — but those that outline the main risk areas you will want to capture:
– Health and safety – consider both workplace and customer safety.
– Labor standards – your own and those throughout your supply chain. This goes beyond compliance with legislation and international protocols to include issues such as well-being, benefits, and employee engagement.
– Equality, diversity, and inclusion (EDI) – very important to staff, customers, and the community, this is a significant topic in and of itself
– Sales practices – important to your customer base and the wider community, poor practices can quickly damage a reputation.
– Data privacy – sometimes considered a social risk, given its impact on staff, customers, and other partners.
– Community engagement – how effective is your organization in working with local (and broader) stakeholders to maximize the positive and minimize the negative impacts on the community. This started with CSR (Corporate Social Responsibility) but often goes much deeper.
– Other broad, but important, issues such as human rights and the rights of indigenous peoples.
– Typical impacts for the organization will be the same as for many other ESG risks – reputational, legal and regulatory, financial, operational, and ultimately strategic. Other than potentially using different stakeholder perspectives when considering risks, this fits well into your risk assessment process.
Getting started – Determining the key risks :
Your risk assessment should always be the starting point. In order to do this, you will first need to go through several steps to get sufficient background context:
Understand your organization’s approach to social risk. Given the variety of risks and the number of stakeholders, it is likely that it will sit across the organization with many different risk owners. For example, staff-related risks and issues will be owned by Human Resources, whereas supply chain risks will be owned by the relevant business unit or a procurement function. Are there anywhere these risks are also considered and assessed together or across the organization, such as part of a risk function?
Consider who the key stakeholders are. Some will be common to all organizations – staff and customers for instance. Others will be specific to your business – such as a community close to a quarry.
As always, consider key sector and industry risks, drawing on industry guidance, frameworks, and other resources, and on standards such as GRI (Global Reporting Initiative).
Pay attention to your supply chain, particularly if sourcing (directly or indirectly) from jurisdictions where labor or safety standards may not reflect those in your home country.
Understand legal and regulatory requirements in all jurisdictions in which you operate.
With this background information, you can start to include social risks into your risk assessment, leveraging work done by the first and second lines, and begin to provide assurance over these key risks.
How internal audit can make an impact :
Clearly, we should be focusing on the biggest risks for the organization. However, we often need to consider the impact on stakeholder groups in aggregate, rather than just for each risk. Staff is a good example. We should certainly consider risks around compliance with labor laws but understanding the impacts on staff also requires the inclusion of wellbeing, health and safety, benefits, employee engagement, and EDI to assess the potential risk around staff as a group. Internal audit can add value by looking at risk in this way and provide more holistic assurance over risks relating to specific stakeholders.
Internal audit can also take a broader look at the organization’s approach to social risk. As I suggested earlier, it is often a distributed responsibility, but the risks do not exist in isolation. Some questions you can ask:
What is the organization’s attitude towards social risks? Are social factors (collectively or specific issues) considered in strategic planning or discussed at the Board level?
Have key stakeholders been identified? Do these make sense given what you know?
Is social impact considered in decision-making, particularly investment decisions and project evaluation? For government and social-purpose organizations, this will often be a core part of the decision-making process. But even in commercial organizations, evaluation of social risks and impacts will often be built in.
Are there targets and performance metrics in place? For key risks there often are metrics, but they may not be evaluated as a whole – which could be acceptable if they have sufficient prominence. As for other ESG risks, the availability and quality of the data may be a challenge as standards, systems, and processes are evolving. This provides an opportunity for internal audit to make an impact by evaluating systems and processes and by validating the data.
Some examples
Labor standards
The subject of labor standards is broad, but if we consider it in two parts, it may help. First there are fundamental rights at a global level which most countries are adhering to as members of the International Labour Organization. These cover issues such as forced labor, child labor, maternity, working hours, discrimination, health and safety, and unionization rights. Second, there are expectations beyond this, which often vary by country and include benefits, well-being, and employee engagement. There are many ways for internal audit to make an impact here. I will address two very different audit examples:
An organization’s own employment activities have always been part of an audit universe. There is an opportunity to take this further, providing insight and assurance into, for example, employee wellbeing and engagement. Most large organizations conduct surveys covering one or both, but how effectively do they select, track, and use metrics? Also, how effective are follow-up plans? These are sensitive areas, but this is largely about how data is collected and used, and how effectively plans are defined and implemented. All are very well aligned to core internal audit skill sets.
The broader issue of labor standards risk incorporates many parts of a business. As well as an organization’s own employees, we need to consider those in the supply chain, service companies, and any other partners. The focus of an audit is likely to be on procurement and contract management processes. Do contracts stipulate appropriate measures (which vary on the size and nature of the organization)? What independent verification is available that standards are complied with? What monitoring is in place within the organization to highlight emerging issues? All questions internal audit is well-positioned to consider and provide assurance over.
Sales practices :
Sales practices have been under the microscope at various points over the last century. Often it relates to providing dishonest or misleading information, or selling products or services are known not to be in the best interest of the buyer. The banking crisis of 2008 highlighted unethical practices which led to a significant shift to providing services based on the customer. Earlier examples are tobacco and baby formula, the health impacts of which were not accurately portrayed. In both cases, poor practices continued in parts of the developing world long after they were prohibited in the West.
Risks are primarily reputational, but often there are legal and regulatory considerations that can be substantial. Let’s look at two ways in which internal audit can make an impact in this area:
The first is not about the sales process itself, but about whether organizations are considering the customer in the products and services they sell. All jurisdictions have regulations about product quality or the types of services that can be sold to different groups of consumers. Examples range from food standards to complex financial products. In addition, there are overarching responsibilities to ensure customer health and safety (whether on-site or through the products or services they are using) that should be considered. This could be as obvious as ensuring products don’t cause a choking hazard or more complex such as the danger posed when providing social media platforms to young people. Internal auditors should understand the relevant regulations, and any voluntary codes, to provide assurance that there are appropriate controls over these risks, often as part of an existing audit. But you can also go further by considering the more complex aspects of risk and raising concerns if these have not been appropriately considered as customer needs and welfare are an integral part of product/service design and production.
Internal audit can provide assurance over the sales process itself. In any setting and for any customer group, there should be defined processes for marketing, customer communications, and best practices and guidelines a salesperson should consider when making the sale. For complex products such as insurance, this may be very structured, whereas a very light touch would be expected for simple products. Controls may include guidelines, review, and approval for marketing materials, standard templates for communications, and certifications and training for sales. When auditing, we need to be mindful of having realistic expectations for the type of products and services being sold but also be prepared to challenge when processes are insufficient or not well-evidenced. Additional considerations include data privacy, avoidance of discrimination, and the need to look at practices in all relevant jurisdictions.
To summarize, we have shown the variety of social risks within ESG and how internal audit can use their skill set to make an impact by providing assurance over some of these key risks. There are good sources of information freely available to understand different issues in more detail to help assess how social risks may impact your organization and your audit response.
The third and final article in this series will focus on the “G” (Governance) in ESG which covers a broad range of corporate activities. It is important to understand these risks as they provide the foundation for effective ESG program management.
Have you ever had one of those days where you were determined to write that audit report? So you block off the time on your calendar, go into your office, shut the door, remove any and all distractions and breathe. Because now is the time to take all of those thoughts and perfect phrases running wild in your head and put them on paper. You sit down at your desk ready to make it happen. And you come up with nothing.
You decide to invite a colleague in to assist. Because after all, two heads are better than one. The two of you discuss the issues thoroughly, but nothing seems to sound right.
Writing objective observations takes time, skill, and tact. And if you’re like any other auditor, the audit issues sound wonderful in your head. But by the time you formulate the right words, reach for your pencil and place it on paper, that wonderful wording has become a distant memory. It’s worse if you’re in a group setting because you now become frustrated as the group begins asking you to repeat what you said. Unable to remember words uttered only seconds prior, it is only then that you realize how old you truly are.
If you’ve ever faced this situation, do not fear. There are several tools and techniques you can use to speed up and improve your report writing. But first, we must address the five big problems with writing reports:
1. We think faster than we write
2. Our million dollar thoughts come at the wrong time
3. We believe in writer’s block
4. We look for perfection in the first paragraph
5. We don’t understand and/or appreciate the writing process
5 Problems with audit report writing
We think faster than we write
We’ve all been there. Browsing through our cabinets trying to make a mental grocery list. Then you reach the point where there are too many items to remember. You decide to write a list. You reach for your paper and before the pen touches the pad, you’ve already forgotten the five items you wanted to write.
Our brains are fascinating. I can remember where I was in the summer of 1989, but I cannot remember what I ate for breakfast this morning. It is that forgetfulness that can derail your report writing.
Our million dollar thoughts come at the wrong time
Worse yet is when you have this wonderful idea, but then realize that it is 5:00 o’clock and you are stuck in traffic. There is no way you can capture that great thought without causing a pile up. So you try other techniques. You turn off the radio and repeat whatever it is over and over. You hope to continue this until you get home, or at least until you get to a stopping point. Of course something interrupts your thought and you forget what you were trying to remember.
We believe in writer’s block
Some people believe that writer’s block is a thing. I’m here to tell you, it is not. At least in the context of business writing or internal audit reports. Wikipedia define writer’s block as follows:
“Writer’s block is a condition, primarily associated with writing, in which an author loses the ability to produce new work or experiences a creative slowdown. This loss of ability to write and produce new work is not a result of commitment problems or lack of writing skills. The condition ranges from difficulty in coming up with original ideas to being unable to produce a work for years. Writer’s block is not solely measured by time passing without writing. It is measured by time passing without productivity in the task at hand.”
As you can see, writer’s block is a primary concern for creative writers. Our audit reports are, or should be, factually based non fiction. We are taking a series of facts, placing some logic and order to those facts, and providing management with a conclusion. What we are not doing, is creating new characters or developing plots and story lines. We know the beginning, middle and end of the story. Therefore, we know what to say. The problem is how do we say it so that it has the best impact given within the culture of the organization.
We look for perfection in the first paragraph
Because audit report writing is simpler than creative writing, we believe that we should be able to sit down and create the perfect prose in minutes. After all, we know the beginning, middle and end of the story. When we finally put pen to paper, our initial draft is usually not good. We then become frustrated. But I believe that frustration is because we don’t understand the writing process.
We don’t understand and/or appreciate the writing process
All the magic happens in the editing. Any writer will tell you this. Ernest Hemingway famously once said that “The first draft of anything is ****” (insert a very bad word here). As someone who has had articles published, I can tell you this is true. I can recall the first time I sent something to an editor. I thought it was an okay piece. But what came back was a magnificent manuscript. I fined tuned it a little and the result was something we were all pleased with. The writing process does not require perfection at the start. Your initial goal is to get something on the page. After that, trust the process and let the magic happen in editing.
3 tools you can use
Google voice typing
Because our brains seem to signal our mouths to speak faster than our hands can write, voice typing is the perfect shortcut to getting those wonderful words out of your head and on paper. For those unfamiliar with voice typing, you talk, it types. It’s as simple as that. Well, sort of.
The best free voice typing tool I’ve found is through Google. Log in to your account. Then, access Google Docs and open a document. Go to Tools, then Voice Typing (or you can press Ctlr+Shift+S).
You will see a microphone that may say Click to Speak. Click it, talk to it, and watch the magic happen. You will need to learn certain commands like period, comma and new paragraph. But other than that, if you speak clearly, it will recognize most speaking voices and words.
Your Cell Phone voice recorder
If barking out commands to your computer isn’t your thing, you’re in luck. There’s another option. If you’re like me, your cell phone is probably within arms reach. Grab your phone and go to your favorite app store. Search for a voice recorder. You should see several. Download one that piques your interest.
You can now record yourself talking about the audit issues. Now you will never miss that wonderfully worded paragraph that would sound great in an audit report. Once recorded, you can listen to the recording and pull out the impactful paragraphs.
Transcription
If you truly believe the recording represents your best work ever, you can have it transcribed. Yes, you heard me, transcribed. It’s not as bad or as expensive as you think. Before I get into that, I must say that I am not being paid by nor am I endorsing these specific products. there are several transcription services that I have used. Some use live transcribers while others use automated engines.
Summary
Writing audit reports can be a daunting task. But it has to be done. Nowadays we have a lot of tools that can help streamline the process. Many of the biggest issues start with us. Writer’s block is only as real as we allow it to be. Sit down and put something on paper. Use some electronic tools to get your words on paper. Almost any words will do. Afterall, the magic happens in the editing.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
