internal audit objectives

A Guide to Conducting a Successful Internal Audit Kickoff Meeting

Posted by External Dev | August 18, 2023 | Audit Career Trends, Auditor jobs, careers in audit, CIA Recruitment, ESG, Fraud Audit, Internal Audit, internal audit objectives, internal audit process, IT Audit

Audit International know the common expression, “you only get one chance to make a good first impression.” For internal audit, this chance often comes during the kickoff meeting. This introductory meeting will often set the tone for the entire audit. Its primary objective is to align the auditors and auditee on the audit’s scope, objectives, timeline, and expectations. The meeting provides an opportunity to establish clear lines of communication, clarify roles and responsibilities, and build rapport between the audit team and the auditee.

Here, Audit International will provide a step-by-step guide on how to conduct an effective internal audit kickoff meeting, highlighting its importance, objectives, key participants, and necessary preparations.

Preparing for the Internal Audit Kickoff Meeting

There are several steps internal auditors can take to prepare for the kickoff meeting. They include:

Define the Audit Objectives: Clearly articulate the purpose and goals of the audit. Identify the specific areas or processes to be examined and the desired outcomes.
Determine the Scope: Define the boundaries and limitations of the audit. Specify the time frame, departments, locations, or functions to be included.
Assemble the Audit Team: Select auditors with the relevant expertise and knowledge. Assign roles such as lead auditor, documentation reviewer, and subject matter experts as necessary.
Conduct Pre-Meeting Research: Familiarize yourself with the auditee’s processes, policies, and applicable regulations. Review previous audit reports, findings, and corrective actions.
Prepare an Agenda: Outline the topics to be discussed during the meeting. Allocate sufficient time for each agenda item and prioritize critical issues.
Send Invitations: Distribute meeting invitations to the key participants, including auditors, auditee representatives, management, and any other relevant stakeholders. Provide the agenda and any reading materials.

The Internal Audit Kickoff Meeting Process

If you have prepared well for the kickoff meeting it should go smoothly. Keep in mind that auditees may have some anxiety about the upcoming audit. They will often have preconceived notions that they audit may be an exercise in the internal auditors trying to play “gotcha!” It’s important to alleviate these fears and clearly communicate the purpose of the audit.

They may also have concerns about the schedule of the internal audit work and see the audit as a distraction from their day-to-day duties. Indeed, we all have busy schedules and they may view the audit as providing extra work on top of their already full days. For this reason, it’s also important to be transparent about the scheduling of the audit work and to work to make the audit as painless as possible for the process or unit that is being audited.

The following are some steps to take during the kickoff meeting to help allay these fears, set expectations, and communicate clearly to the auditees:

Introduction and Opening Remarks: a. Welcome all attendees and introduce yourself and the audit team members. b. State the purpose of the meeting and the audit’s importance to the organization. c. Outline the meeting’s agenda and expected outcomes.
Review of Audit Objectives and Scope: a. Present the audit objectives, scope, and expected deliverables. b. Provide an overview of the audit methodology and explain any unique approaches or tools to be used. c. Discuss the audit timeline, key milestones, and any dependencies.
Roles and Responsibilities: a. Clarify the roles and responsibilities of the audit team members. b. Define the roles and expectations for auditee representatives, including the provision of requested documentation or information.
Communication and Information Sharing: a. Establish channels and protocols for communication throughout the audit process. b. Discuss the frequency and format of progress updates, status meetings, and any interim reporting requirements. c. Specify the confidentiality of information shared during the audit and any data protection measures.
Document Review and Access: a. Discuss the documents, records, or systems that auditors may require access to during the audit. b. Explain the need for auditee cooperation in providing necessary documentation promptly. c. Address any concerns regarding sensitive or confidential information.
Q&A and Discussion: a. Provide an opportunity for auditees to ask questions or seek clarification. b. Encourage open dialogue and address any concerns or challenges raised. c. Seek input from auditees regarding specific areas of focus or potential risks.
Closing Remarks: a. Summarize the key points discussed during the meeting. b. Reiterate the importance of cooperation and commitment from all parties involved. c. Establish the next steps and confirm any follow-up actions or meetings.

Post-Kickoff Meeting Actions

Congratulations, you’ve conducted a great internal audit kickoff meeting. The internal audit team and the auditees are now on the same page and everyone knows what do expect during the audit. The initial work involving the kickoff meeting isn’t done, however. To set the upcoming audit on the right path there is still some work to do. Post-kickoff meeting activities include:

Documentation and Reporting: Document the meeting minutes, including the key discussions, decisions, and action items. Distribute the minutes to all attendees for review and confirmation.
Follow-up Actions: Assign responsibilities for any action items identified during the meeting. Set deadlines and establish accountability to ensure timely completion.
Ongoing Communication: Maintain regular communication with auditee representatives to address any queries or provide clarifications as needed. Share progress updates and adhere to the agreed-upon reporting schedule.

Conducting a well-executed internal audit kickoff meeting is a crucial step towards a successful audit process. It establishes a foundation for effective communication, collaboration, and understanding between auditors and auditees. By clearly defining the audit objectives, scope, roles, and responsibilities, the kickoff meeting ensures a focused and efficient audit process. Preparing adequately, following a structured meeting agenda, and documenting the discussions and action items contribute to a productive engagement. By leveraging the guidance provided in this article, organizations can maximize the value derived from internal audits and drive continuous improvement within their operations.

If you have executed the kickoff meeting well, the auditees will be all smiles when you arrive to conduct the actual audit.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com

What the Audit Committee Really Wants from Internal Audit?

Posted by External Dev | July 21, 2023 | Audit Career Trends, Audit Salary, Auditor jobs, careers in audit, ChatGPT, Chief Audit Executives, CIA Recruitment, Data analytics, ESG, Fraud Audit, FTSE 100 companies, Internal Audit, internal audit objectives, internal audit recruitment, IT Audit, Risk Audit

Audit International realise that for many internal auditors, the audit committee is a bit of an enigma. Most of you help the chief audit executive (CAE) or other internal audit leader with materials and content to provide to this subgroup of the board of directors. Much of your work, in summary fashion, ends up there. But, for the most part, we only know what happens behind the closed doors of the boardroom if your CAE conducts a post-meeting debrief. Yes, we know that the audit committee is important. We know that they take our work seriously. But what do they really want from us?

For internal audit leaders themselves, the meetings can be intimidating. The majority of audit committee members are experienced executives from other companies and often serve on other boards. They are generally savvy, informed individuals, who spend a part-time role executing governance duties for the organization where we work. So, while they might, at times, be proactive—meaning, they raise questions or lines of inquiry based on something they initiate—mostly they are reactive, responding to what is presented to them. That means the onus is often on internal audit leaders to help them in their role by carefully choosing what to share with them.

Yet walking the fine line between providing too much detail and maximizing the little time we have with the audit committee can be tricky. Internal audit leaders often express anxiety about meeting with the committee. It can be difficult to anticipate what they may find important versus what they would consider a waste of time. Indeed, internal auditors can be forgiven if they just want to shout the famous Spice Girls refrain: “Tell me what you want, what you really, really want!” So, let’s give that a try: What does the audit committee really, really want?

First, What the Audit Committee Doesn’t Want

During an Internal Auditors career, you report functionally to an audit committee on separate occasions, with different companies. You might foolishly think that you would give them lots of information and let them decide what was important. It’s a trap that is easy to fall into. It takes time, experience, and some good mentors to gain the wisdom to realize that is absolutely the wrong tactic.

It is an evolutionary process to slowly realize that reporting to the audit committee is not about what you want to tell them. It’s only about what they need to know. To cite an often-used phrase: “be brief, be insightful, and be gone.” Keep it short, share the needed knowledge, and let others take their place on the agenda. It’s not about you; it’s about your audit committee members.

What the Audit Committee Does Want

Here are ten things that Audit International have learned that the audit committee of the board wants from internal audit. We hope they work for you when it is your turn to directly interact with the audit committee.

1) The essence of the quintessence: This phrase, “the essence of the quintessence,” was shared by a chief operating officer of a bank once, and it stuck with us. Basically, he was expressing that he and the other execs were busy folks and they want to get right to the bottom line. Don’t just tell me what you are telling me, but tell me why you are telling me. Get to the essence of the quintessence! And that’s what the audit committee wants too! So, if you feel you really must share something with the audit committee, ask yourself why it is so important that they know it. If you can start your phrase with, “this is important because …,” then they probably need to know it. They want the bottom line and the why. The rest is superfluous.

2) Not how you did something, but what you concluded: Have you ever asked someone how their vacation went and they start by telling you about the car ride to the airport? You are being polite, but all the while you wish they’d just answer the question. You want to know about the experience at the destination, not how they got there. Well, the same is true with the audit committee. All the work we did to arrive at our conclusions is important to us, but not to them. They only want to know the conclusion. So, cut to the chase. They trust you did all the right work to get there.

3) Your opinion, not just the facts: Internal auditors follow standards, confirm everything, and don’t spout wild, unsupported views on subjects. We are methodological in our pursuit of facts and the truth. So, when we have made a conclusion, we are usually armed with supporting facts. If not, we tend to refrain from going out on a limb with an opinion. Resist the urge, however, to stick only to the facts. You are not a robot; you are a person with a brain. You have a range of experiences to draw upon and see more of the organization than most anyone else. So, does the audit committee want a Joe Friday, “just the facts ma’am,” approach? Not really. They trust you have done the work and want to hear your views on various topics. If they ask your opinion, trust your instincts and give it to them. If you don’t, you really aren’t adding as much value as you can.

4) Your concerns, audited or not: Whether you are new to an organization or have been there for many years, your well-honed internal audit skills will leave you with an innate ability to have concerns about certain things, whether you have actually done internal audit work on the topic or not. If you had unlimited time and resources, you’d go check out all those nagging worries, and confirm or deny them. But you don’t. The audit plan may not have prioritized it, but that doesn’t mean the concern isn’t valid.

Now, the audit committee has no desire to hear lots of speculation or theories, nor are they interested in trivial things. But, believe me, if you have a good relationship with the audit committee, they want to hear your top concerns, even if you don’t yet have all the facts. You just need to be extra careful in how you position what you say, and you do so rather infrequently. But they do want to know. As they say, that’s why you get paid the big bucks.

5) Something of substance in executive session: One experience that is among the trickiest for a CAE to navigate is the executive session with the audit committee. During the typical executive session everyone who is not a board member leaves the room and the internal auditor meets with the audit committee alone. Over the course of a few years of executive sessions with the audit committee, I can say from experience that there are two things you never want to do: one is to have something to tell them in every executive session, and the other is to have nothing to tell them in any executive session. So, the goldilocks theory applies here, you want to strike the right balance. What to bring up, how to bring it up, and what you need to do both before and after you bring it up is a whole course in and of itself. It is an art, not a science. Don’t be trivial or cavalier about what you bring up. The audit committee wants you to bring things up, and they want them to be of substance.

6) Proof you really get the business and the strategic plan – Whether it is deserved or not, a common complaint by operating leaders and managers within many companies is that internal audit does not understand the business. The last thing you want is for the audit committee to second guess your conclusions. So, if you are confident that you know the business and the strategic plan (and you’d better be), let it show. It should show up in your audit plan, your priorities, and your explanation of internal audit’s observations and conclusions. Don’t risk having the audit committee doubt you. They want comfort that you know the business and are in lockstep with the strategic plan. Give them the confidence that you do.

Another point to make here is to remember that you are a businessperson. As we go about our internal audit work, we tend to put blinders on, as if the audit plan and the audit projects are the only reason for our existence. Of course, they are not. So, when we update the audit committee on what we are doing, what hat are we wearing? An auditor’s who happens to work for the business? Or a businessperson’s who happens to be an auditor? The audit committee wants the latter.

7) That you align with second line functions: Not always, but often the only way that second line functions (risk management, compliance, security, and others) coordinate and collaborate with internal audit is if internal audit (namely the CAE) initiates the coordination and takes a lead role in it. Apart from the added cost of redundant activities, the audit committee doesn’t want a bunch of disjointed terminology, reports, and conclusions coming from the various “risk and control” functions of your organization. They want you to coordinate and collaborate across the second and third lines. If they aren’t telling you that, they are telling someone else behind your back!

8) Courage: Like everyone else in the organization, days are always going to bring obstacles, difficult co-workers, things not going according to plan, changed schedules, broken promises, and other hurdles. But, more often than many other employees in other departments, you will from time to time be called on to summon up some courage. From an obstinate audit client that is making your job difficult to a senior audit client manager that is disagreeing with you no matter how right you are—not to mention fraud investigations, hotline accusations, and executives who are doing questionable things—you are going to come across matters that are so egregious that you must raise them, regardless of the consequence. They are, hopefully, rare, but if you are in internal audit long enough, those times will arise. They will require backbone and strength of conviction, and are not for the faint of heart. But guess what, that is exactly what the audit committee wants from you: a reservoir of courage and the ability to call on it when it matters most.

9) That you understand the politics, but are not political – All organizations are political by nature. Whenever people get together and resources are scarce, win-lose games happen. Corporate politics are a fact of life. As much as we’d all like to be apolitical and let the facts drive what the right answers are, if we don’t learn how to navigate the organization’s politics, we will not be able to get our jobs done effectively. Does that mean we need to use the politics to our advantage? Sheepishly, the answer is yes, but not in an underhanded way. It’s important to know who to talk to, about what, and when; how to position what you are going to say; who needs a heads-up on what; who are the influencers in the organization; and so on. We need to know all that and leverage it to our advantage. Our audit committee members are some rather experienced and savvy businesspeople, and they are also navigating the organization’s politics to do their governance jobs. So, yes, they do expect you to understand the politics to get your job done well and know how to report things to them with an understanding of how the politics works, but they also don’t expect you to be overly political.

10) That you know when you may not be objective: Objectivity is such an important tenet to what internal auditors do and how we do it that we need to be ultra vigilant and self-aware when there is a risk of our objectivity being impaired. Audit committees expect us to be self-aware of when our objectivity might be impaired, or even the potential appearance of it being impaired. So, park that ego, realize you are subject to your own biases, and be self-aware enough to advise the audit committee when your objectivity could be impaired. They expect you to do that.

Earning that Paycheck

Even though they may not tell you directly, take it from us that your audit committee wants you to: be brief, tell them only what they need to know, share your professional opinion, be open about your concerns, leverage executive sessions properly, understand the company’s strategic objectives and strategic plan, collaborate with the second line, be courageous, know the business, navigate organizational politics, and say when your objectivity might be impaired. Easy peasy. Well, not really. But, as we concluded, that’s why you get paid the big bucks.

What SOX can teach internal auditors about ESG.

Posted by External Dev | April 5, 2023 | ESG, Internal Audit, internal audit objectives, internal audit process, internal audit recruitment, Internal Controls, Sarbanes-Oxley

When SOX was first enacted in 2002, its goal was to increase the overall transparency of financial reporting while, at the same time, develop a more reliable system of checks and balances. It was understood that compliance was both a legal obligation and good business practice.

Affecting both public and private U.S. companies, as well as those non-U.S. companies with a U.S. presence, SOX is focused on corporate governance and financial disclosure. It requires that all financial reports include Internal Controls Reporting and demonstrate that a company’s financial data is complete and accurate, with an adequate number of controls established to safeguard it. It also encourages the disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities.

The continued evolution of ESG on the other hand, includes a variety of factors that are often used to evaluate a company’s commitment to sustainable operations. The environmental factors in ESG offer insight into an organization’s environmental impact, including its carbon footprint, climate change initiatives, waste management policies, natural resource conservation, pollution, or efforts to decrease deforestation.

The social component of ESG examines an organization’s treatment of stakeholders (workforce, customers, providers and suppliers, government, regulators, or the local or global community) on issues such as diversity, equity, and inclusion practices, wages and salaries, and sales practices.

Lastly, the ‘G’ in ESG focuses on the governance factors and how to assess whether a company’s internal processes are able to ensure the organization, and its employees, act with professionalism and integrity.

While SOX is primarily focused on financial information — working with finance professionals and accountants — ESG is more concerned with non-financial data and metrics. It shouldn’t come as any surprise when organizations faced with these evolving and new ESG reporting requirements ask themselves.

The role of internal audit, Starting small and look at the bigger picture:
In the years that followed the introduction of SOX, the effect that it had on the internal audit profession was clearly a double-edged sword. On the one hand, internal auditors were quickly recognized as the experts needed to step into this space and provide the guidance that so many organizations needed. This resulted in growth across both the internal audit profession, as well as the various functions internal auditors were able to provide assurances for. It’s fair to say that internal audit membership more than doubled during the first few years of SOX implementation.

However, due to the urgency and level of uncertainty that SOX presented, leaning heavily on internal auditors also resulted in their spending greater amounts of time focused exclusively on SOX priorities, and significantly less time focused on those risk-based audits that organizations depend on. From an internal audit perspective it was a massive undertaking, and one that led to organizations developing SOX-specific internal audit teams.

Over the course of the last 20 years, and as a direct result of SOX, internal audit’s role around internal controls for financial reporting has become well established. Many of those same auditing skills and practices can (and should) be applied to ESG. However, an all-too-common question that’s on everyone’s mind is — “Who is responsible for ESG?”

ESG should be viewed as a top-down initiative, particularly from an organizational perspective regarding mandates, targets, and how goals are being established, monitored, and reported on. Each area or department of an organization should be aware of and responsible for their ESG initiatives. However, internal audit has an opportunity to become trusted advisors and take on more of an influential role when it comes to those first step.
How can internal audit provide the greatest value?
Organizations should reflect on the experiences they had in the early days of SOX and focus on identifying and understanding what the key controls of ESG will be. Where SOX was focused exclusively on financial reporting, ESG falls into that category of “everything else”. It comes down to the accuracy and reliability of the information. But how does an organization go about achieving that? The same way financial reporting was achieved with SOX.

Organizations have become comfortable with their financial reporting. They have been measured according to their financial results for a very long time. ESG in audit is different. It’s broader. It covers more ground and organizations will need to take some time to comprehend how to effectively turn the foundations of ESG into meaningful reports. Although it may be more complicated, the underlying processes that have been used for Sarbanes-Oxley for the last 20 years can be leaned on as a starting point when addressing ESG and identifying a methodology for assurance.

ESG presents a tremendous opportunity for internal audit to make an impact within their organizations. Because it is still evolving, and new guidelines and mandates are being released every day, a good strategy for internal audit would be to start small and identify those ESG factors that can be quickly included into your existing audit plan. Whether that’s reducing overall energy consumption throughout your office or working more closely with Human Resources to ensure new-hire practices are following appropriate guidelines, acknowledging the industry your organization resides in, understanding its risk landscape, and identifying a best-practices framework will give you the direction you need to successfully navigate ESG.

If there is one takeaway from the lessons learned when SOX was first implemented, it’s that those in the internal audit profession should avoid taking the “wait and see” approach with ESG. ESG is here and is gaining exposure and traction every day. The social ramifications of ESG alone should be enough for organizations to sit up and take notice. Understanding how to audit ESG — knowing your organization’s metrics and targeted reporting requirements, what to audit against and include in the final audit report — will better position you for success as a trusted advisor within your organization. Fill those essential Subject Matter Expert gaps early on with Audit International, identify and engage with key stakeholders, and avoid the reactionary trappings and costly mistakes of waiting too long and scrambling for solutions.

How ESG will change who you work with

Posted by External Dev | March 10, 2023 | Audit Career Trends, Audit Salary, Auditor jobs, Big 4 Accounting firms, careers in audit, CIA Recruitment, Data analytics, ESG, iac recruitmeny, Internal Audit, internal audit objectives, internal audit process, internal audit recruitment, Internal Controls, IT Audit

A new focus for Audit International and our clients is ESG. But there is one thing all of us are perhaps not considering as much : ESG’s impact on the workplace.

Environmental, Social, and Governance (ESG) factors are changing how companies conduct business in many ways, including:

– New ESG or climate-related disclosure regulations to comply with, especially in Europe.
– The need to effectively identify and manage ESG risks (including compliance, financial, and reputational risks), and integrate them within the existing enterprise risk management framework.
– Bringing a host of environmental and social metrics at par with financial information, especially with regards to data quality. There is a growing need for investor-grade ESG data.
– Ensuring that ESG factors give you a competitive edge in attracting investors, customers, and talent.

But there’s another change brought by ESG that’s not getting enough attention: The effects on workplace interactions.

– Firms that ‘get ESG right’ understand that ESG isn’t the responsibility of only one person. You can’t simply appoint a Vice-President or Director of ESG, or just place ESG under the Chief Financial Officer or Chief Sustainability Officer.

– Also, different departments can no longer work in their own little world with occasional collaborative efforts across functions. The important changes brought by ESG will also bring fundamental changes to the workplace.

The ESG team :
ESG is a team sport. People from different departments will have to work together as part of a single team.

You may be in Finance, Legal, Risk, HR, EHS, Sustainability, Operations, IT, or Procurement, but now, in addition to your regular teams and colleagues, you will also be part of the ESG team.

And your company’s ESG team will play a critical role because strong ESG performance drives corporate performance.

This represents a significant shift because suddenly key employees will have to align with a new set of stakeholders. They will have to work together with colleagues they might not have worked with before, or even knew. Here’s a sample of the types of interactions to expect:

EHS will have to provide key metrics to Finance for combined financial and ESG (or non-financial) reports.
EHS will also have to show to Finance and auditors (internal or external) how they provide limited or reasonable assurance on the data.
Procurement will seek guidance from EHS and the Sustainability team on how to capture greenhouse gas emissions data to calculate Scope 3 emissions.
HR will be asked to provide more tangible metrics on DEIB to Finance for inclusion in the combined financial/ESG report.
Did you bring together key stakeholders across departments as part of your ESG strategy?

Have you recruited members of your ESG team yet? If this is a topic you are actively hiring for, then please get in touch with us here at Audit International to assist you with any hiring needs you may have.

Conducting a cultural audit: Concluding the analysis

Posted by External Dev | March 10, 2023 | Audit Career Trends, careers in audit, CIA Recruitment, ESG, Internal Audit, internal audit objectives, internal audit process, internal audit recruitment, Internal Controls

Our journey discussing the benefits of auditing organizational culture is coming to an end. Audit International began this series by introducing initial cultural auditing concepts in the first article. Then, in the second article, we continued by more closely examining the first half of the top ten tips that were outlined. In this, the final article of the series, we wrap up with the second half of that list and conclude our analysis.

Auditing culture-
Auditing culture requires involving a wide range of stakeholders and will require you to consider alignment of the desired culture to the actual activities of many people. As we have seen, the leadership in the organizations and the people within the business are clearly very important. To get a true sense of culture you will also need to consider organizational partners and outside service suppliers.

If culture is the way things are done more informally, then this impacts everything in your entire organization’s wider sphere. In this context, procurement may be an important stakeholder to engage with in any cultural audit to better understand their selection methodologies, allowing you to form a view, for example, on how they consider cultural fit in the selection of any third-party suppliers. It also goes beyond the selection of suppliers to how we treat them once they are in place. Does the organization treat them fairly, or is the focus on cost at the expense of other, more important matters?

Ensure that you consider both design and operating effectiveness –
Auditing work should be examining both design and operating effectiveness. Cultural reviews are no different but have the tendency to focus on design at the cost of operating effectiveness. As with all audit work, you would typically begin with a risk and control assessment which can be developed in line with the cultural levers you have identified. Typically, an auditor would then request documents, allowing some desktop analysis ahead of the interviews. Interviews with management can focus on whether they understand the desired culture and can clearly articulate this, while also identifying which levers they see as being particularly important for ensuring the culture is real and lived on the front line. Interviews should also probe the extent to which management role model the desired culture every day and ensure their teams’ activities are in line with the culture.

However, understanding operating effectiveness requires a wider approach and talking to a wider range of employees. Focus groups or surveys can be effective to gather data from employees and may provide more diverse views. If focus groups are operated, they will require additional skill, with the lead needing to manage the group so that a fair range of positive and negative views are heard.

Despite the limitations of cultural measures these too should be requested for each of the levers to understand the extent to which the organization has cultural measures and whether the results are acted upon. Measures that you may wish to consider typically involve people management activity, such as employee turnover, exit interview data, grievances raised by employees, whistleblowing information, and absence data. Other areas should also be explored, such as customer complaints data. However, collecting these may present a challenge. If culture is important in the organization, then it will be available and likely reviewed. If not, there is the potential your first audit finding on the need for management to have appropriate measures in place to track whether the desired culture is being delivered in practice.

In Audit International’s experience, there is no, single best way of conducting cultural audits. Rather, you need to form a view of what is right for your organization. One aspect you will need to consider is whether you conduct specific cultural reviews in your audit plan, have it as a component in all audits that you conduct, or draw out cultural consideration into an off-plan piece of work. I’ve seen all aspects of all three of the options successfully implemented.

Don’t go for a grand plan –
It is important that you consider how you introduce cultural auditing into your program of work. It’s a sensitive topic, and management will often be wary of audit getting too involved. Your internal audit colleagues may also be nervous about whether an area like culture can, in fact, be meaningfully audited. The best advice being — don’t go for a grand plan, but rather start small, test, and learn as you go. This includes building support from the Board and executive leadership by demonstrating, as you go, the insights gained from the cultural examination you have completed and the possibilities to go further with increased resources and business buy-in to this challenging area.

This lends itself to the suggestion to start with a pilot, or a proof of concept, where you identify an area of the business to work with and look to introduce the concept of auditing culture at this point. This should be an area where you know you have a senior auditee who is an advocate of internal audit and willing to work with you to make the pilot a success. Audit International have found that success breeds more success and considerable momentum can be delivered in this manner. Early on, it is also good to share examples of your work and the value it is bringing. I call this the “test, share, and impress approach.”

Collaborate with your business colleagues –
It is also very important to work with the business. The tip here being: Collaborate with your business colleagues – independence is a mindset. Audit International have spent time with many auditors who have been reluctant to collaborate in any deep manner with the business, citing the audit charter and the need for full independence from first-and-second-line activity. We agree, our independence as internal auditors is very important. We need to be objective in all we do to avoid threatening this. However, Audit International don’t believe independence means that we cannot work closely with the business where it makes sense to do so.

One such area, for example, is the identification of the cultural levers discussed earlier – an organization-wide conversation on this is helpful in building appropriate understanding and support for the examination you wish to conduct. Also important is the identification and quick access to relevant data for your cultural work, both at an organization-wide level, but also in divisional units of your business. There is likely to be shared interest in this area, particularly with your HR function. Given this shared interest, it makes sense for all those interested in cultural understanding to come together to share ideas and data for the benefit of the business. For example, this may mean developing a shared data area that all can access. Identify across your business who is interested in this space and join with them to share, learn, and progress.

Upskill all auditors at all levels –
Finally, ensure that the program of work you want to introduce is a sustainable approach to auditing culture. Find a way to get your people behind this approach. At heart, we are a people business and any push to audit this challenging area on a sustainable and systematic basis will depend on the skills and knowledge of your teams.

This leads to the final tip to upskill all auditors at all levels. As we identified earlier, your impact is likely to be much higher if your teams integrate consideration of cultural levers and impacts throughout your audit work and not just in any standalone audit you may do. Understanding the nuances of culture is not simply reserved for HR and psychologists but is a core competency for all auditors. This should be reflected in the recruitment and development approach for your team.

This is likely to mean that if you are going to make cultural assessment a core part of your internal audit work you will need to provide training to the audit team. This will need to cover the organizational cultural levers that you have identified, the data that can help you understand these levers, and the interviewing techniques that will need to be employed to get to actual, as well as espoused, culture. Be honest with yourself and acknowledge where you don’t have the skills that are needed. You will likely need to draw on other sources of expertise, including business and external consultancy support. These can allow you to supplement both the capacity and capability of your team.

And, of course, think carefully about how you organize to deliver this challenging area of work. Our current view is that a multidisciplinary (sometimes called Hybrid) approach is most successful. This is all about how you set up your operating model to deliver your cultural audit work. Some larger functions have established dedicated, well-resourced teams to examine culture in their organization and have staffed this with a blend of expertise, including behavioral psychologists. This group of specialists work alongside and coach front-line auditors who are then encouraged to consider cultural levers in all their audit work as we discussed earlier. Clearly, this is more relevant for larger organizations, but even in smaller functions, you may choose to appoint a cultural lead (or champion) with the responsibility to support and drive the integration of cultural aspects into all your audit work.

Conclusion –
There is no silver bullet for the successful development and implementation of a cultural audit program. Hopefully, the tips that Audit International provided throughout this series of articles will be a useful catalyst for your work in this space as you consider the conditions needed for you to achieve momentum around the idea of auditing culture in your organization.

Conducting a cultural audit: The first five steps.

Posted by External Dev | February 23, 2023 | Audit Career Trends, Audit Salary, Auditor jobs, careers in audit, CIA Recruitment, ESG, Fraud Audit, Internal Audit, internal audit objectives, internal audit process

Audit International now bring you the second part in this three part series – Having introduced the initial concepts of what is involved with auditing organizational culture in the first article of this three-part series, we now can begin the process of drilling down and more closely examining the first five of the top ten tips to conduct a culture audit.

Identify your cultural levers:
The first step to successfully conducting a cultural audit is to identify the daily management activities that occur throughout the organization – your cultural levers. These levers look to align the culture we desire with the day-to-day activities of everyone in the organization. If we understand what leaders focus on to deliver this alignment, then we have a starting point for identifying what to test to provide our opinion on the effectiveness of culture.

Cultural levers often vary from organization to organization, so you need to work with management to identify what is influencing behavior within your specific organization. However, there are areas that I would expect to see. Published value statements are significant and an indication of what should be happening. Leadership is also significant, not just at the top but cascading throughout the organization at all levels. In this context, the organization’s approach to people management is vital with the impact this has on encouraging the behaviors that are needed for success. However, culture goes much deeper and is present in the management of other resources, including areas such as customer engagement, complaints handling, supplier management, corporate responsibility, risk management structures and profile, and internal and external communication.

This may appear daunting, but a well-organized approach to assessing each lever can quickly identify areas that are not truly aligned with the espoused values; a clear indicator that desired culture is not operating as expected.

The next four tips examine these cultural levers more closely to illustrate what they mean and to help inform you about the questions you might want to consider testing in order to arrive at an opinion on the organization’s culture.

Reputation:
Employees watch what leaders and key individuals in organizations do and how they operate. They see the dissonance between what the organization is saying, both in its external and internal communication, and their lived experience of working there. Assessing whether there is alignment is a key aspect of any audit of culture. This is even more important given the increased focus over recent times on aspects of corporate and social responsibility and the push for Environmental, Social, and Governance (ESG) activity from investors. Acquisitions of ‘greenwashing’ in your communications can be hugely damaging. This means that it is important to pay attention to external reputation and its alignment with internal messaging and should be considered across all social media.

Leadership:
The third tip is all about the examination of leadership’s role in owning and managing the culture in the organization. In internal audit, we need to examine whether this is occurring both at design and operational effectiveness levels. We are there to check that the activities of leaders are aligned with the espoused values and are supporting the delivery of the business strategy. In our audit work we should be looking for a consistency of message and actual managerial behavior. Leaders play a pivotal role in managing the business such that there is consistency across activities and that they work toward delivering the required culture for success. To do this practically, we need to build audit programs that look for evidence of areas such as misalignment in leadership actions and customer-centric examples that manifest in the practical activities of front-line colleagues. Leadership should be able to clearly demonstrate actions that they have conducted that help move the organization closer to accurately living the culture and evidence-measurement activity that supports this.

In this context, during an audit, I would expect leaders to be able to articulate how they ensure the culture is embedded through their team’s day-to-day activities, including examples of how they role model the culture in their own activities and interactions. Interviews will form a significant part of assessing these. However, data analytics can also be used to examine areas such as communications from leaders over a period of time looking for references to culture.

Simply put, what you are looking to establish here is whether the fine words on a page have a living connection with reality and link through to a real impact on the delivery of the organization’s strategy.

People management:
This leads us to the next cultural lever – people management. The key here, as with all aspects of cultural audit, is alignment. Across the entire employee lifecycle the behaviors we need to exhibit for the business to be a success need to be front and center. This starts with the employment brand, which should signal to potential recruits what the organization’s values are and includes the testing of new recruits against this. Objectives need to be set not only about what is needed to be delivered in terms of financial results, for example, but also how these results will be achieved.

Performance management needs to be expertly conducted to explore the colleague’s contribution to delivering organizational success in the way we want it delivered. This should be a continual process and include ongoing dialogue, not just an annual form-filling event. Promotion decisions should clearly consider this aspect and signal to all colleagues how behaving in the right way counts for personal success.

In developing your audit program, you need to consider all aspects of the employee lifecycle: attraction, reward, management, development, and exiting colleagues. In reviewing all these aspects, you need to be cognizant as to where the controls are operated. In most organizations, while the Human Resources function is likely to have a key role in the design of many of the practices mentioned, the management of the risk and operation of the controls largely sits within the business units of the organization. That is the place you need to be testing reality, not just within the HR function.

Identify key processes and assess alignment:
Next, we move on to two heavily connected cultural levers: process and change. When reviewing your organization, a key step is to identify the processes that are critical to the management of the organization’s culture. From this, you can review whether their operation is consistent with the outlined culture. In this case, we mean the culture promoted not only to your employees but outside your organization through your brand and external image to customers and other important stakeholders.
Employees, in their scanning of the organizational environment, will spot processes that do not sit well with declared ideal behaviors and values, where potentially the organization is looking to put short-term gain before longer-term goals. If these exist, it sends a huge signal to customers and colleagues that leadership does not really mean what they say. Included in these key processes are likely to be many of the internal processes around people and supplier management, but, most significantly, processes around how you deal with customers and how you respond to their feedback and complaints.

Alongside this, consideration needs to be given to how the organization’s change programs identify how changes they are looking to enact to systems and processes promote the desired culture. Change programs are a key touch point where the organization can ensure that the culture is being reflected in operating practices. However, they can also be a point of risk. Delivering efficiencies, while at the same time undermining the desired culture, can create problems that are hugely difficult to unpack.

Next up, in the third and final installment of this article series, Audit International finish identifying and discussing the remaining top ten tips to audit culture and conclude the journey that set out to help you deliver cultural insights within your organization. We hope you’ll stick with us.

Conducting a cultural audit: A holistic approach

Posted by External Dev | February 10, 2023 | Auditor jobs, Big 4 Accounting firms, careers in audit, CIA Recruitment, Data analytics, ESG, Internal Audit, internal audit objectives, internal audit process, internal audit recruitment, Uncategorized

At Audit International, we understand auditing organizational culture is a challenging area for internal audit. Culture is dynamic, and regularly changing. Successful auditing of culture requires a holistic approach across the internal audit function covering the development of internal auditor skills, adjustment to audit methodology, and buy-in from the business regarding the value insightful culture auditing can bring.

In this first article of a three-part series, Audit International examine and discuss the various factors for successfully auditing and influencing culture in your organization.

What is organizational culture, and why does it matter?
Before looking at how you audit culture, it’s necessary to first have a good understanding of what you mean by culture and why it’s important to organizational success.

The classic definition is around the phrase coined by Charles Handy, “the way things are done around here”. While helpful for us to gain insights into auditing culture, we need to unpack this further. Culture is about the interaction between values and behaviors and how these are seen in the organization’s activities and interactions with the range of stakeholders it has (e.g., employees, customers, suppliers, and society).

Top ten tips:
Given the fact that you are reading this article, hopefully you are already convinced that internal audit has a role to play within the organization when it comes to assessing culture. You may already be on this journey delivering cultural insights through your work to your Board, or you may simply be interested in learning more about how to begin this journey. Whichever stage you find yourself, the following top 10 tips will provide you with some initial and practical thoughts that provide a view on culture and the direction needed to influence both management and the Board.
1 – Identify your cultural levers
2- Reputation, Identify whether the organizations actions and messaging, internal and external, are aligned
3- Leadership, Do they own and manage the culture?
4- People Management, Is desired culture integrated into people-management activities?
5- Identify key processes and access alignment.
6- Auditing culture, is this holistic approach being considered by a wide range of stakeholders?
7- Be sure that you consider both design and operating effectiveness.
8- Don’t go for a grand plan.
9- Collaborate with your business colleagues, independence is a mindset.
10- Upskill all auditors at all levels.

In the coming second and third articles of this three-part series on auditing culture, Audit International will take a closer look and provide a more in-depth examination of each of these suggested ten tips. These follow-up articles will offer examples and provide opportunities to more successfully audit and influence the culture at your organization.

Internal Audit Trends for 2023: Talent Demands, Escalating Risk Velocity, and More

Posted by External Dev | February 1, 2023 | Audit Career Trends, Audit Salary, Big 4 Accounting firms, careers in audit, CIA Recruitment, Data analytics, ESG, iac recruitmeny, Internal Audit, internal audit objectives, internal audit process, internal audit recruitment, Internal Controls, IT Audit, Risk Audit, SAP

There is currently a misalignment in the world of Internal Audit. As Richard Chambers and AuditBoard’s 2023 Focus on the Future Report reveals, there are key areas where significant gaps exist between risk levels and planned efforts. The ability to attract and retain top talent, macroeconomic factors and geopolitical uncertainty, and business model disruptions due to the evolving risk landscape were all listed as top concerns for major organizations, yet only 13-20% of businesses have meaningful plans to devote substantial resources to these issues. Internal audit teams need to be ready to identify and address this kind of disconnect to ensure that their organizations are positioned for success in 2023. In this article, Audit International will identify three top internal audit trends, the challenges they present, and how internal audit teams can leverage software solutions to deploy team resources strategically against the most pressing concerns — setting themselves, and their business, up for success.

Trend 1: Velocity of Risk and Technology Change
Teams must continually provide assurance while adapting to evolving risks, digital disruption, and regulatory changes. Today we’re seeing significant contributions from the digital revolution, climate change, and stakeholder expectations, as the speed of decisions, the amount of connectivity, and the availability of data have all increased. Companies are learning that they have to balance pressures regarding what’s coming from governments, investors, and society as a whole. Stakeholders expect companies to act legally and with a conscience, and regulators are focusing on things like climate change, data privacy, and security.

Challenges in this area hit in numerous ways. First, there is an expanded purview required from emerging technologies and related risks. Second, there are repeated shifts to audit scope that put new burdens on teams. Third, there is an increased depth and breadth of data that brings along associated issues — including data reliability, related required team efforts, and resource constraints.

Technology can help audit teams develop solutions for these issues. Audit planning software accelerates risk and change responses from teams. With this preparation, teams can create risk-based audit plans with risk metadata to allow for efficient execution and continuous assurance.

Trend 2: Growing Internal Audit Talent Gap
Staff shortages, changing attitudes towards work, and a pre-existing skills gap are increasing talent risk and influencing how internal audit teams approach their work. Many teams are reporting that they are losing talent and struggling to replace them. Meanwhile, for the remaining team members, expectations are growing. They want to do more, and we need to keep them engaged. We have to support the folks that we have and give them opportunities to work in cybersecurity, sustainability, and other areas of interest.

The challenges created by the talent gap are as expected. Due to greater cost-cutting and efficiency demands often put in place by organizational leadership, teams are being asked to do more with less as headcount may be frozen or cut. There are the aforementioned difficulties retaining people and improving their skills, plus there are increasing specialization and training needs for team members.

A technology solution in this area is software with resource planning capabilities. This can help teams manage, optimize and retain talent by deploying resources more strategically, and it allows teams to improve individual and overall skills, efficiency, and experiences.

Trend 3: Align With the Business Objectives
The highly competitive corporate landscape and economic disruptions are driving the internal audit profession to refocus efforts on improved strategic alignment. Richard Chambers speaks often about auditors needing to become agents of change. When contemplating initiatives like cybersecurity, diversity, equity, inclusion, and third-party risk management, executive teams and audit committees all want better strategic alignment from internal audit teams. Internal audit must understand and embrace stakeholder needs and challenges so that we can better support their strategic initiatives.

The challenge for internal audit teams in this area is aligning audit with business priorities, which isn’t always as simple as that might seem. Plus, there is an increased requirement to validate internal audit resources. We have to start thinking in new ways, provide more value propositions, and be able to deliver more in less time.

5 Ways to Ace Your Audits in 2023

Posted by External Dev | January 13, 2023 | Audit Career Trends, Audit Salary, Auditor jobs, Big 4 Accounting firms, careers in audit, CIA Recruitment, Data analytics, ESG, Fraud Audit, internal audit objectives, internal audit process, IT Audit, Risk Audit

In 2023, organizations may face new and expanded cybersecurity and compliance mandates, which could vary from location to location and from one industry to the next. As a result, your organization may be looking to obtain a certification or will need to pass an audit for a specific set of standards or requirements.

While recognition for demonstration compliance or receiving certification is a great reason to celebrate, the process leading up to that is often time-consuming and sometimes dreaded, especially if you must undergo an audit first.

But audits don’t have to be as frustrating as they once were. With the right resources and tools, you can pass your next audit with ease. Here are five tips from Audit International to help:

Know your current program state.
Don’t wait until the audit is underway to find out where you might have gaps or weaknesses. Go ahead and assess your current compliance state so you know what you need to address before your real assessment gets underway. Consider using a cybersecurity compliance platform that automates these assessments for you and look for a platform that gives you real-time compliance scoring, so you’re never caught off-guard if something isn’t functioning as you intended or you’ve overlooked an important control or other security measures.

Document and evidence.
You can do everything correctly and score 100 on your current assessment, but if you don’t have a document repository that puts everything you need right at your fingertips in one place, or if you can’t supply all the necessary proof and evidence an auditor may want, you likely won’t get credit for what you’re doing right. Put away those binders of dusty old printouts you haven’t looked at since your last audit. Instead, use a cybersecurity management platform to track and retain all of your evidence and documentation all in one place for easy, shareable access with your auditors.

Put teamwork to work for you.
Instead of chasing down who’s responsible for which compliance requirement and trying to understand what they’re doing and how well they’re doing it, use a compliance management platform to help you automate task assignments, track progress, send alerts when those tasks are complete, and assign new tasks as they pop up. A platform like Apptega can even externally alert your auditor when your team has completed an evidence request or other necessary task.

Communicate across your organization.
One of the challenges in building a compliance culture is often that program managers speak industry lingo and not the same language that people in different roles within the organization can understand and relate to their day-to-day responsibilities. Instead of scrolling through hundreds, maybe even thousands of rows of data to find what you need for your next compliance conversation, consider using a compliance management platform that has a pre-built library of reports you can quickly draw on for your next engagement, whether that’s your C-suite, an auditor, or your tech team.

Don’t go at it alone.
While you can meet all the requirements on an audit prep checklist, the reality is when you work on a program, it’s easy to overlook issues an outside eye might catch. Before your next audit, go beyond a self-assessment and consider working with an outside compliance consultant to take a closer look at your existing program and help you seek out and address issues before your auditor finds them.

Internal Audit ‘Hot spots’ for 2023

Posted by External Dev | January 7, 2023 | Audit Career Trends, Audit Salary, Auditor jobs, careers in audit, CIA Recruitment, Data analytics, ESG, Fraud Audit, Internal Audit, internal audit objectives, internal audit process, Internal Controls, IT Audit, Risk Audit

Audit International are stating the main Risks and Actions companies are putting on their 2023 internal audit plans. The past year concentrated attention and shone a spotlight on the increasing fragility of organizations. With a complex set of risks manifesting simultaneously, audit committees are prioritizing some of the most serious implications resulting from the ongoing war in Europe and a triple squeeze of supply chain, workforce and inflation pressures.

According to data from Gartner’s 2023 Audit Plan Hot Spots report, which identifies the key risks and recommended actions for Audit to benchmark their efforts against in the coming year, 81 percent of Chief Audit Executives polled have cyberthreats on their agenda to cover in audit activities over the next 12-18 months, with an additional 13 percent tentatively planning to do so. Even in a year with a high number of varied and seemingly imminent risks facing organizations, cyberthreats remained an agenda topping item for Audit Committees and senior executives as the drivers of the risk shifted from a generalized focus on inadequate security controls to specific need to prepare for highly sophisticated state-sponsored cyberthreats and new cyber breach disclosure requirements. Even as some risks remain perennial threats, shifting drivers can change the nature of the risk and need for updated mitigation and coverage plans.

Cyberthreats, however, are not the only vulnerability an organization faces in an increasingly fragile world. In developing this year’s report, the need for Audit to support their organizations through rethinking their approach to resilience in the face of growing fragility became evident as a key theme underlying several top organizational risks. These risks are generally under-covered in audit plans for 2023, in some cases less tangible and immediate than the category of risks that have been urgently prioritized as a result of the headline events of this year.

Resilience-related risks are manifesting with real world and high-velocity consequences all the same, and Audit needs to understand the risk indicators, urgency drivers and the right questions to ask the business to ensure that rethinking resiliency is on the agenda in 2023.

Below I review three such risks and strategies for Audit on how to approach them.

Climate Degradation
Nearly six in ten CAEs have no specific plans to provide assurance over climate degradation next year. This in and of itself is a key risk indicator for most organizations, as a failure to refresh business continuity plans related to climate risks puts an organization at higher risk for a key infrastructure failure and related loss of productivity among other risks.

While CAEs generally express limited confidence in their climate coverage plans, rethinking resilience means going beyond sustainability reports and identifying vulnerable assets. Audit departments need to incorporate in their plans the inevitability of increasingly severe weather events and mitigation strategies for the loss of key infrastructure, both their own and that of key third parties, such as suppliers.

Culture
Even more challenging for Audit is culture, traditionally a key source of resilience for many organizations that now is fraying under the weight of new working models (hybrid/remote), social and political polarization and a general lack of connection felt by employees who are reporting witnessed misconduct at rates 30 percent lower than pre-pandemic.

Despite such challenges, only 16 percent of CAEs are revisiting culture in light of shifting sociopolitical expectations of their workforce, investors and the media for next year, and just 10 percent report they are highly confident in providing assurance in this area. Internal Audit needs to push the business on reassessing how employee expectations and engagement are monitored in a hybrid and remote world, while policies related to political and social issues need to be formulated now and not in real time during a crisis.

Organizational Resilience
Ultimately, rethinking resilience means covering organizational resilience as a dedicated risk that is part of the audit coverage plan. Organizational resilience, broadly defined, is an organization’s ability to withstand shocks. This is likely to become ever more important in the face of new and ongoing geopolitical tensions, which can abruptly trigger a set of interconnected but differentiated risks to manifest simultaneously. While refreshing scenario planning and mitigating against change fatigue are necessary steps in this process, building true organizational resilience requires a view into the interconnected risks facing an organization and developing resilience-related initiatives across the enterprise.

With less than half of CAEs definitely planning to cover organizational resilience next year and just 32 percent highly confident in providing assurance specifically on matters of resilience, it’s clear there is more work to do in establishing this as a top audit priority. Chief Audit Executives can regain momentum by launching activities that encourage collaborative discussions between business units on interrelated risks and reviewing plans to address change fatigue within their organizations at a time when events over the past two years have likely dramatically diminished capacity in this area.

While these resilience-related risks feel less tangible and urgent than mitigating against “clear and imminent” dangers like supply chain vulnerabilities and state-sponsored cyberthreats, they are important and increasingly acute risks in their own right. Viewing them through the lens of rethinking what it means to be a truly resilient organization can be a useful framework for starting the right conversations within the Audit Committee and formulating effective coverage in next year’s audit plans.

Top ↑