Internal Controls

Have you ever had one of those days where you were determined to write that audit report? So you block off the time on your calendar, go into your office, shut the door, remove any and all distractions and breathe. Because now is the time to take all of those thoughts and perfect phrases running wild in your head and put them on paper. You sit down at your desk ready to make it happen. And you come up with nothing.

You decide to invite a colleague in to assist. Because after all, two heads are better than one. The two of you discuss the issues thoroughly, but nothing seems to sound right.

Writing objective observations takes time, skill, and tact. And if you’re like any other auditor, the audit issues sound wonderful in your head. But by the time you formulate the right words, reach for your pencil and place it on paper, that wonderful wording has become a distant memory. It’s worse if you’re in a group setting because you now become frustrated as the group begins asking you to repeat what you said. Unable to remember words uttered only seconds prior, it is only then that you realize how old you truly are.

If you’ve ever faced this situation, do not fear. There are several tools and techniques you can use to speed up and improve your report writing. But first, we must address the five big problems with writing reports:

1. We think faster than we write
2. Our million dollar thoughts come at the wrong time
3. We believe in writer’s block
4. We look for perfection in the first paragraph
5. We don’t understand and/or appreciate the writing process

5 Problems with audit report writing
We think faster than we write
We’ve all been there. Browsing through our cabinets trying to make a mental grocery list. Then you reach the point where there are too many items to remember. You decide to write a list. You reach for your paper and before the pen touches the pad, you’ve already forgotten the five items you wanted to write.

Our brains are fascinating. I can remember where I was in the summer of 1989, but I cannot remember what I ate for breakfast this morning. It is that forgetfulness that can derail your report writing.

Our million dollar thoughts come at the wrong time
Worse yet is when you have this wonderful idea, but then realize that it is 5:00 o’clock and you are stuck in traffic. There is no way you can capture that great thought without causing a pile up. So you try other techniques. You turn off the radio and repeat whatever it is over and over. You hope to continue this until you get home, or at least until you get to a stopping point. Of course something interrupts your thought and you forget what you were trying to remember.

We believe in writer’s block
Some people believe that writer’s block is a thing. I’m here to tell you, it is not. At least in the context of business writing or internal audit reports. Wikipedia define writer’s block as follows:

“Writer’s block is a condition, primarily associated with writing, in which an author loses the ability to produce new work or experiences a creative slowdown. This loss of ability to write and produce new work is not a result of commitment problems or lack of writing skills. The condition ranges from difficulty in coming up with original ideas to being unable to produce a work for years. Writer’s block is not solely measured by time passing without writing. It is measured by time passing without productivity in the task at hand.”

As you can see, writer’s block is a primary concern for creative writers. Our audit reports are, or should be, factually based non fiction. We are taking a series of facts, placing some logic and order to those facts, and providing management with a conclusion. What we are not doing, is creating new characters or developing plots and story lines. We know the beginning, middle and end of the story. Therefore, we know what to say. The problem is how do we say it so that it has the best impact given within the culture of the organization.

We look for perfection in the first paragraph
Because audit report writing is simpler than creative writing, we believe that we should be able to sit down and create the perfect prose in minutes. After all, we know the beginning, middle and end of the story. When we finally put pen to paper, our initial draft is usually not good. We then become frustrated. But I believe that frustration is because we don’t understand the writing process.

We don’t understand and/or appreciate the writing process
All the magic happens in the editing. Any writer will tell you this. Ernest Hemingway famously once said that “The first draft of anything is ****” (insert a very bad word here). As someone who has had articles published, I can tell you this is true. I can recall the first time I sent something to an editor. I thought it was an okay piece. But what came back was a magnificent manuscript. I fined tuned it a little and the result was something we were all pleased with. The writing process does not require perfection at the start. Your initial goal is to get something on the page. After that, trust the process and let the magic happen in editing.

3 tools you can use
Google voice typing
Because our brains seem to signal our mouths to speak faster than our hands can write, voice typing is the perfect shortcut to getting those wonderful words out of your head and on paper. For those unfamiliar with voice typing, you talk, it types. It’s as simple as that. Well, sort of.

The best free voice typing tool I’ve found is through Google. Log in to your account. Then, access Google Docs and open a document. Go to Tools, then Voice Typing (or you can press Ctlr+Shift+S).

You will see a microphone that may say Click to Speak. Click it, talk to it, and watch the magic happen. You will need to learn certain commands like period, comma and new paragraph. But other than that, if you speak clearly, it will recognize most speaking voices and words.

Your Cell Phone voice recorder
If barking out commands to your computer isn’t your thing, you’re in luck. There’s another option. If you’re like me, your cell phone is probably within arms reach. Grab your phone and go to your favorite app store. Search for a voice recorder. You should see several. Download one that piques your interest.

You can now record yourself talking about the audit issues. Now you will never miss that wonderfully worded paragraph that would sound great in an audit report. Once recorded, you can listen to the recording and pull out the impactful paragraphs.

Transcription
If you truly believe the recording represents your best work ever, you can have it transcribed. Yes, you heard me, transcribed. It’s not as bad or as expensive as you think. Before I get into that, I must say that I am not being paid by nor am I endorsing these specific products. there are several transcription services that I have used. Some use live transcribers while others use automated engines.

Summary

Writing audit reports can be a daunting task. But it has to be done. Nowadays we have a lot of tools that can help streamline the process. Many of the biggest issues start with us. Writer’s block is only as real as we allow it to be. Sit down and put something on paper. Use some electronic tools to get your words on paper. Almost any words will do. Afterall, the magic happens in the editing.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

This week Audit International are taking a look at the 4 ways how Internal Audit can get a seat at the table.

When it comes to risk management and compliance, most organizations operate on a 3 Lines of Defense (3LOD) model, in which operational management, compliance, and internal audit work together in tandem to assess and mitigate risk and manage controls and compliance.

This model may be successful in theory, but as the risk management and compliance functions have grown more complex, it doesn’t always work as well as you might hope. Given the rising sophistication of cybersecurity threats and incidents of fraud, and the increasing compliance requirements posed upon organizations of all sizes, it can be difficult to keep an organization-wide pulse on threats and breaches in compliance as they arise.

The problem is, the three branches don’t always collaborate effectively, which may leave internal audit out of the loop and unable to provide much value to the organization. They may not have access to the data they need to generate effective recommendations. The internal audit team’s focus may be simply on checking boxes and ensuring compliance, rather than providing strategic insights that will help your organization understand and take steps to mitigate new threats.

If you want your internal audit team to move the needle at your organization, you need to get the ear of executives who can advocate for your work. By partnering with leadership, you’ll be able to spearhead new initiatives and gain critical access to data that will help your organization save money and reduce risk, proving your team’s value.

Here are four strategies for doing that effectively:

Identify the key people who can support you, and make a plan to build relationships with them
Your audit team will naturally be in touch with the managers who can provide key information needed to conduct your audits—but by focusing only on these contacts, you’re missing out on building relationships with the leaders who will be able to help you gain a more visible role in the organization. Build a plan for conducting periodic outreach to higher-level executives within your organization, such as your chief risk officer or your CTO. You can solicit feedback from them on any open questions they may want your team to review in your audits, or provide high-level executive briefs showcasing work that you’ve done and issues they may want to explore in further detail. Make sure that they know you and your team are available to support them and open for feedback.

Proactively address organization-wide trends
Rather than focusing solely on issues identified in individual audits, start looking at your audit results in aggregate to identify trends. Is a single department or office location having trouble resolving a specific compliance issue, or is it an across-the-board trend that should be shared with your executive team? Review your data frequently to understand risks that should be mitigated, and come up with step-by-step action plans for how they should be addressed, including who’s responsible and what the benchmarks for success are.

Pay close attention to third-party risks
Many audit teams take an insular view of risk management, failing to uncover the external risks brought on by vendors and technology partners. Make sure that you have policies in place to carefully vet and automate compliance on your third-party vendors, pulling in external data that will alert you to any financial or legal issues they may face. Regularly track all of your solutions and technology partners for red flags, and ensure that you have a strategy for mitigating them. You can showcase your findings in sessions with executives and other partners throughout the business, and collaborate to come up with a plan for any of your scenarios. Keep in mind that risks from big providers such as Amazon or Facebook may impact a lot of your customers or partners as well, so ensure that you map out all of the variables that may impact your company’s business model across the board.

Use best-in-class GRC technology to automate compliance and analyze data
In order to provide the most useful insights to your leadership team, it’s important to integrate your entire risk management function across an easy-to-use GRC platform. Your GRC platform should come with pre-built content that will help you automate your controls framework, regardless of your industry. It should make it easy to monitor compliance status and risk levels across the organization at any given time, with triggers prompting action when control levels are not being met. You should be able to easily drill down into your data and generate executive dashboards, so that you can share insights to justify recommendations and help your leadership team make better informed business decisions.

By building a cohesive strategy for integrating with the 3LOD, backed by in-depth data analytics, real-time data feeds, and workflow automation, your audit team will be able to generate insights that can help to identify new risks, and develop new strategies for mitigating risks across the entire organization. This will help you to become a highly visible, influential, and trusted partner to the business.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International were in awe to hear this revolutionary news from the billionaire founder of the outdoor fashion brand Patagonia. He has announced just yesterday he is giving away his company to a charitable trust.

Yvon Chouinard said any profit not reinvested in running the business would go to fighting climate change.

The label has amassed a cult following due to sustainability moves like guaranteeing its clothes for life and offering reasonably priced repairs.

The brand’s website now states: “Earth is now our only shareholder.”

Mr Chouinard has always said he “never wanted to be a businessman”.

A rock climbing fanatic, he started out as making metal climbing spikes for himself and his friends to wedge into rocks, before moving into clothing and eventually creating a hugely successful sportswear brand with a cult following.
Founded in 1973, Patagonia’s sales were worth around $1.5bn this year, while Mr Chouinard’s net worth is thought to be $1.2bn.

He claimed that profits to be donated to climate causes will amount to around $100m (£87m) a year, depending on the health of the company.

“Despite its immensity, the Earth’s resources are not infinite, and it’s clear we’ve exceeded its limits,” the entrepreneur said of his decision to give up ownership.
The Californian firm was already donating 1% of its annual sales to grassroots activists and committed to sustainable practices. But in an open letter to customers, the apparently reluctant businessman said he wanted to do more.

Mr Chouinard said he had initially considered selling Patagonia and donating the money to charity, or taking the company public. But he said both options would have meant giving up control of the business and putting its values at risk.

Instead, the Chouinard family has transferred all ownership to two new entities. The Patagonia Purpose Trust, led by the family, remains the company’s controlling shareholder but will only own 2% of its total stock, Mr Chouinard said.

It will guide the philanthropy of the Holdfast Collective, a US charity “dedicated to fighting the environmental crisis” which now owns all of the non-voting stock – some 98% of the company.

“Each year the money we make after reinvesting in the business will be distributed as a dividend to help fight the crisis,” Mr Chouinard said.
Patagonia combines high-end outdoor fashion with its own brand of environmental and social activism. It’s a heady combination that certainly appeals to a loyal, if predominantly well-heeled following.

Part of the attraction comes from the fact that its environmentally conscious stance isn’t new. It was preaching eco-awareness years before sustainable fashion became fashionable.

But it’s still pretty hard to save the planet, if your business depends on selling stuff, however many recycled or renewable products you use.

By ringfencing future profits for environmental causes, Patagonia’s founder Yvon Chouinard has done his best to square that circle.

But he is also clearly trying to ensure that Patagonia brand is future-proofed and can never fall into the hands of the kind of companies he has accused of greenwashing in the past.

It’s nice to bring a good news story to you readers, and it will be interesting to see if any other climate conscious companies will follow suit. The bar has well and truly been set.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International are aware that public sector organizations face a variety of risks, ranging from cyber threats to budget constraints to compliance concerns. While internal audit teams in the government sector might not be responsible for solving all those risks, they need to make sure that they are following through with relevant risk management protocols.

Therefore, it is essential that internal audit teams are conducting internal audit risk assessments to figure out what these risks look like.

“Risk-based auditing ensures that the internal audit activity is focusing its efforts on providing assurance and advisory services related to the organization’s top risks… This requires internal auditors to have a working knowledge of basic concepts, frameworks, tools, and techniques related to risk and risk management,” explains the Institute of Internal Auditors (IIA).

In this article, we’ll examine five tips to help public sector internal auditors build better risk-based audit plans. These include:

1) Define your goals
Before you get too bogged down in the specifics of running an internal audit risk assessment, take a step back and consider what you’re trying to accomplish. Doing so includes finding internal alignment within your audit team and with other stakeholders.

As Baker Tilly advises, internal audit teams “should meet with the various stakeholder groups – management, the audit committee, and the governing body – to explain the process, set expectations for the results and listen to any desired outcomes, as a means of adapting the approach or identifying other activities where internal audit can add value.”

2) Organize your data
Conducting an internal audit risk assessment also requires strong data practices. But before you can get to a place where you are using data analytics to identify key risks, public sector organizations often need to organize their data first.

Information might be held in a variety of systems that makes analysis inefficient, if not ineffective. Tools like TeamMate+ use a data exchange API framework to pull together data from different sources, such as governance, risk, and compliance (GRC) systems and enterprise resource planning (ERP) tools, giving you a complete picture of what’s happening within your organization.

3) Get agile
If you go through an entire risk-based audit without getting any feedback along the way, then it’s easy to get off track. For one, risks might have changed from the time the audit started to when it eventually wraps up. And when you present to stakeholder leaders at the end of the risk assessment, it can be tough to then incorporate their feedback into your internal controls and assurance processes.

Engaging in agile auditing can help. By breaking an internal audit risk assessment down into more manageable chunks — where different risk areas go from the planning to presentation stages in short sprints — public sector internal auditors may have an easier time adapting to change and incorporating feedback.

4) Go dynamic
Agile auditing creates a dynamic internal audit risk assessment. Instead of approaching these assessments as an annual occurrence, you can review public sector risks on more of an ongoing basis.

That means collaborating with other departments throughout the year to keep up with emerging risks, which is where good data-sharing practices also come in handy. Dynamic or continuous risk assessments can also result in more frequent reporting so that you can keep everyone in the loop and get their timely feedback. Having a strong internal audit risk assessment tool like TeamMate that can help you simplify risk scoring and create efficient audit reports makes a big difference.

5) Keep up with public sector requirements
Lastly, working in internal audit in the government sector means staying on top of general risks like cybersecurity and financial concerns, along with meeting specific public policy guidelines and regulations. Public sector internal auditors often turn to sources like Wolters Kluwer, which provides resources like webinars and other Expert Insights so you can learn what you need to do to strengthen internal audit as a government organization.

Following these five tips can go a long way toward creating a strong internal audit risk assessment and a better audit process overall. Even if it seems like your organization doesn’t face many risks, conducting a risk-based audit can help you stay on top of any changes to your risk level. Rather than being caught off guard, building a reliable internal audit risk assessment plan can help your organization control risk, however that takes shape.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have been thinking recently about what internal audit should know about ESG risks, and where best to start but with the E, which is for Environmental.

In this, the first in a series of three articles, we will drill down on Environmental risk and explore how internal audit can have an impact by focusing on key risks.

Environmental risks :
There’s no single taxonomy of environmental risks. Consider what categories your organization uses and what is used elsewhere in the sector. The following should all be covered, at a minimum, but may be described in different ways using different terminology:

Climate change :
This should include the effect of greenhouse gas (GHG) emissions – we usually talk about carbon dioxide but there are seven gases covered by the GHG protocol
Pollution from emissions and discharge (i.e., water, soil, air)
Biodiversity loss and deforestation
Waste management
Resource use – impacts of raw materials, production, transportation, and distribution (consider water, energy, and other natural resources)
Hazardous materials
There is clearly an interplay between these risks, but as they represent the major environmental impacts, this offers a good starting point.

This should fit neatly into your existing risk assessment process. Typical impacts for the organization will be reputational, legal and regulatory, financial, operational, and ultimately strategic. All things we are very familiar with.

Getting started – Determining the key risks
Every organization is different. You will need to start with a risk assessment to determine the key risks, potentially using the list above. To do this, you will need to understand the main environmental issues in your business, considering a number of factors:

What sector(s) you are in, and what are the main impacts of that sector. Search out industry guidance from standard setters such as GRI (Global Reporting Initiative), international business groups, such as the World Economic Forum, and thought leaders, such as McKinsey. It is important to consider all the main parts of your business, from the environmental impact of the raw materials you source, through transportation, production, and sales. Although focus on your immediate impacts may be easier, the impacts outside your organization’s immediate control are often more significant. For example, a significant environmental impact of electronics is the extraction of rare earth metals essential for their production.
Where your business is based, the places in which you operate, where you source materials from, and where you sell to. This is important for a number of reasons. It drives the nature and extent of legal and regulatory risk that the organization faces. It also influences the attitudes of stakeholders, such as customers and consumers, as these may vary significantly. But bear in mind, that these factors can change quickly and this needs to be built into any risk assessment.
Requirements of your customers. This may be contractual for government or corporate procurement, or the preferences and attitudes of consumers. This is also partly based on location (as mentioned above), but in global markets, it is never that simple.

All of this (and more) should have been considered by the business (first or second line) and internal audit should leverage their work, effectively challenging and validating. If this has not been done, internal audit needs to be taking a step back and conducting a more basic evaluation of the maturity of the organization’s risk assessment process.

Some types of environmental impact will be universal and significant no matter what your business activity. These include climate change and waste, which Audit International will dig a little deeper into later in the article. Others may apply to a much greater extent in certain industries, such as those in extractive industries (oil and mining for example) and heavy manufacturing (where there may be high levels of resource use – both raw materials as inputs and energy and water in the production process).

How internal audit can make an impact :
As with any aspect of audit planning, the greatest value internal audit can bring will depend on the major risks identified. But we can’t just consider the inherent risks, we need to understand what other sources of assurance are in place and, most importantly, what activities are contributing to both the risk and the assurance. Think about the following:

What do we know about environmental management processes that are in place? What is the scope of these systems and processes?
What reporting is in place? Are external reports assured? Which stakeholders use and rely on these reports?
Are environmental factors (risks and costs) incorporated into project evaluation and capital decisions?
A common factor across many environmental risks is availability and the quality of the data. Process and controls for environmental data are generally less mature and systems are not always equipped or configured to meet the complexities and nuances of this data. This is often a great opportunity for internal audit to add value, both by providing assurance over processes and systems, and by validating the data itself. Both leverage core internal audit skills.

We can also go further, confirming that reports meet whichever standards are being applied, that management reports or projects evaluations fairly, and that these completely reflect risks as well as opportunities. However, this may require more specialized knowledge.

Some examples :

Climate change
All organizations need a response to climate change, and so while the specific needs will differ, this is an issue increasingly relevant for everyone. How can internal audit add value? Let’s look at two potential opportunities:

Has the business considered the potential physical and transitional impacts of climate change? Best practice suggests this should be done using scenario analysis that includes a range of realistic scenarios. Physical vulnerabilities may result from gradual, long-term changes in climate (chronic risks), or short-term (acute) risks, such as storms and fires during heatwaves. These potentially impact the cost-of-capital, the availability and cost of insurance rates, and cause operational disruption. Transitional impacts include changes in legislation, markets, technology, and stakeholder expectations. Internal audit can review the process used to establish scenarios and determine the impacts and, more importantly, assess actions to improve resilience, mitigate risk, and maximize opportunities.

Many corporations are now publishing disclosures under TCFD (Task Force on Climate Related Disclosures). These are becoming mandatory in some countries and are an increasing expectation from investors. External assurance, if any, is usually very limited in scope. Internal audit can provide assurance over the processes to collate data and support assertions made in the disclosures. It can also audit the data and assess the evidence supporting those assertions. Other organizations may provide (voluntarily or by regulation) data on, for example, energy use or emissions. Again, internal audit can provide similar assurance over these processes or this data, as any external assurance will generally be limited.

Waste :
Waste is an issue for all organizations, although the specific impacts will be very different across businesses. As well as the environmental impact, businesses have a cost-incentive to reduce waste, as it is increasingly expensive to treat and dispose of. Internal audit can add value in a number of ways.

Here are some examples:

– Assess whether policies support the organization’s waste strategy. Are they specific to the business and relevant for the types and locations of waste produced? Do they take into account legislation and regulation in each jurisdiction? Are they effectively implemented, understood, and followed?
– Companies often report waste information, either in annual reports or to different public authorities. How is this validated? For example, how do we know that waste is recycled or reused? Are there controls to independently verify how the waste has been treated? In many countries, responsibility for safe disposal rests with the waste producer, not the waste contractor.

To summarize, we have described the importance of environmental risk to all organizations and have shown how internal audit can respond to some of those risks. Internal audit can use existing tools and skills to get started, and leverage widely available sources of knowledge to find out more.

Keep an eye out for our next blog, discussing the S in ESG, which of course stands for ‘Social’.
We will explore how internal audit can address important social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

The world of internal audit continues to advance. In recent years, audit teams have increasingly used data analytics and cloud technologies to increase efficiency and improve assurance. Now, emerging technologies like AI and robotic process automation (RPA) are further making their way into internal audit. Audit International take a look at what effect this will have on Internal Audit and Financial Services in the future.

It’s still early days, but the trend toward automation is clear. In fact, when asked about emerging technology, 20% participants of a recent audit teams survey said they’re already using RPA. In addition to that, 12% said they’re using AI, 3% said they’re using blockchain, and 15% said they’re using more than one type of emerging tech.

These technologies, particularly RPA, have the potential to enhance audit quality. For example, RPA can enable internal audit teams to spend more time collaborating with other departments and sharing results with boards, rather than getting bogged down in repetitive, less strategic tasks.

And in data-centric industries like financial services, these technologies can make a particularly large impact, as we’ll examine in this article.

What is RPA?
Physical robotics can perform motions that automate repetitive tasks, like putting a cap on a bottle or moving a box from one place to another. Similarly, RPA automates repetitive tasks, but the difference is that RPA is centered around software, not hardware.

“Robotic process automation (RPA), also known as software robotics, uses automation technologies to mimic back-office tasks of human workers, such as extracting data, filling in forms, moving files, et cetera. It combines APIs and user interface (UI) interactions to integrate and perform repetitive tasks between enterprise and productivity applications,” explains IBM.

What does RPA mean for internal audit?
One way that RPA can be used for internal audit is to make data-related tasks more efficient.

“If we cut to the chase, the job is straightforward: we download data, analyze it, and use it to discuss processes and controls…The issue is that we waste a lot of time obtaining and formatting data for each audit—the same tables and charts repeatedly,” writes Jean-Marie Bequevor, Expert Practice Leader Internal Audit at consultancy TriFinance, in an article for Internal Audit 360°.

RPA can also help to automate periodic reporting. If you know certain information is needed in every report, then an RPA program could potentially be set up to obtain and fill that information.

That said, RPA can also carry risk, both in terms of the use of RPA in audit programs and the use of RPA across other departments. Internal auditors need to consider RPA internal controls to make sure that RPA is being used appropriately. You wouldn’t want to end up with a misprogrammed bot that creates errors or security holes.

What does RPA mean for financial services?
In addition to being used for auditing, RPA can also play a role in corporate finance and the financial services industry more broadly.

Finance professionals — ranging from corporate treasurers to wealth managers to mortgage lenders — deal with large quantities of data. With RPA, financial services professionals can automate data-related processes like data collection, data cleansing, and analysis.

For example, an investment analyst might use RPA to improve their research process. Instead of manually creating and assembling a clean spreadsheet full of financial data, an RPA tool could automate that, freeing up time for the analyst to engage in more complex, nuanced tasks.

RPA in financial services can also help when it comes to client service and marketing tasks. For example, banks could automate activities like identifying customers that are a good fit for credit card offers or loan products. Rather than sending out these offers to all customers or manually reviewing every client file, an RPA program could be set up to compile a list of customers that meet certain criteria.

These are just a few of the many ways that RPA can be used in financial services and internal audit in general. A repetitive, data-oriented business process tends to be a good candidate for RPA. Many of these types of tasks exist in the financial services industry in areas ranging from compliance to customer onboarding.

With automation, financial services firms can free up time and focus on higher-value work, like building customer relationships and identifying new revenue opportunities. Meanwhile, internal audit professionals can use RPA to efficiently provide assurance.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have compiled a list of do’s and don’ts for auditors when potential wrongdoing surfaces.

Fraud can occur within any organization regardless of size or sophistication, even when internal controls seem effective. Despite this harsh reality, many audit clients and auditors are caught off guard when they become aware of alleged fraud. This article addresses how auditors should respond if suspicions or allegations of fraud surface during a financial statement audit.

To begin with, it is important for an auditor to remember the definition of fraud in the context of an audit – “An intentional act by one or more individuals … involving the use of deception that results in a misstatement in financial statements that are the subject of an audit”

With allegations of fraud, the key consideration for an auditor is whether the fraud might result in material misstatement of the financial statements. While allegations of fraud should always be appropriately considered by the auditor, not all fraudulent acts will necessarily have a material impact on the financial statements. Auditors are mainly concerned with misstatements that result from either fraudulent financial reporting or misappropriation of assets.

Before discussing what to do as an auditor if you become aware of potential fraud, let’s highlight first what you should not do: Never draw conclusions of guilt or innocence
The legal determination of whether fraud has occurred is made by a judge or jury, not by management and not by the auditor. So, when suspicions or allegations surface during an audit, it is important not to make conclusive statements of guilt or innocence either orally or in writing.

Instead, advise your audit client to seek legal counsel regarding what steps to take in response to the allegations. Even though the client’s action or inaction in addressing suspected fraud may affect the trajectory of the audit engagement and raise issues such as whether an audit firm can issue an opinion or should withdraw from the engagement, it is not the auditor’s role to be legal adviser to the audit client. The auditor instead needs to focus on an appropriate audit response to the situation within the context of generally accepted auditing standards.

WHAT TO DO IF THERE IS SUSPECTED FRAUD

Our discussion to this point has focused mainly on what not to do, so what should you do if you become aware of suspicions or allegations of fraud during an audit?

Notify the right people :
Depending upon who is suspected of the fraud, identify the appropriate members of management or those charged with governance to contact. Notify only those client parties who need to know.

Ask questions :
Gather essential facts about the suspicions or allegations relevant to the audit.

Document your actions and determine the situation’s effect on the audit :
Consider the possible outcomes of a client’s fraud investigation and its impact on the audit, which could include termination of the employee accused of wrongdoing, a fidelity bond claim, legal action, or a combination of these. How a client responds to such allegations or suspicions of fraud will directly affect how an auditor should respond. If a client does not take such allegations seriously, withdrawal from the engagement may be necessary.
In summary, when suspicions or allegations of fraud surface during an audit, it is extremely important to demonstrate a sufficient response to the situation to support the auditor’s conclusions on the engagement.

And finally, make sure you are asking yourself these KEY QUESTIONS.

As you gather information relating to allegations or suspicions of fraud during an audit, consider the following key questions:

– Who will investigate the suspicious activity and follow up on the allegations?
– What are the client’s policies, and what outcomes may come from its investigation, such as termination of the employee, a fidelity bond claim, legal action, or a combination of these?
– What financial statement misstatements are suspicious? What transactions are suspicious? What assets are suspected of being missing?
– Who is the suspect? Is there more than one?
– How long has the suspect been employed at the organization? Note: The worst-case scenario is when allegations are toward a very long-tenured employee with limitless access and authorization to the organization’s assets and systems throughout his or her tenure.
– What is the period under suspicion?
– What roles/positions did the suspect have throughout his or her employment tenure?
– What access does, or did, the suspect have to assets and systems throughout his or her tenure?
– What are the possible ways the suspect could have committed fraud, considering his or her access and authorization to assets and systems? Has the suspect confessed to committing fraud? If so, what did the suspect confess?
– Are there any controls in place that would mitigate fraud risk and limit the amount of possible fraud committed?
– Can you estimate a “worst-case scenario” amount of how much cash or how many assets were stolen?
– What misstatements to the financials could result from the suspected fraud? Consider the possible impact on beginning net assets if prior years are involved.
– What disciplinary measures have already been taken toward the suspect? Did the client place the suspected employee on leave and limit his or her access to assets and systems?

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International recently came across a very interesting article, on improving Internal control systems, in the Wall Street Journal, and thought we’d share it with you.

Increasing business complexity and regulatory requirements are driving continual change to the risk environments for many organizations, and historical approaches to risk and controls may not be suited for the current atmosphere of digital transformation, persistent change, and uncertainty. As the business landscape continues to evolve, the risk of accounting and reporting misstatements rises, often due to the inability to respond to internal and external circumstances and adapt quickly to business changes.

Developing an internal controls framework with upgraded operating models, advanced technology integration, and new processes to monitor, implement, maintain, and optimize a risk and reporting structure can position an internal control program to stay ahead of risk and increase value. First, we will explore some of the internal and external factors driving challenges beyond traditional remediation and restatements in accounting and reporting, including considerations receiving attention from the SEC and AICPA. These critical change drivers, along with internal controls and automation opportunities, inform a new risk and controls framework empowered by more proactive and data-driven solutions.

External Factors Driving Remediation and Restatements

Remediation and restatement drivers include external challenges such as new accounting rules; the SEC and regulatory guidance; and environmental, social, and governance (ESG) reporting. Some of these external drivers were highlighted at the recent AICPA conference and featured prominently in recent SEC comments—including SEC reporting and rulemaking, ESG matters, auditor independence, and digital assets.1 2

Data quality and the importance of modernized reporting supported by new technology were prominent features at the AICPA conference, with an emphasis that organizations evaluate their standards, processes, and technologies to create accurate and easily accessible reports. In addition, responding to market demand for ESG information was a key theme throughout the conference and SEC comments. ESG is the universe of topics that reflect areas of performance management around the impacts and dependencies of the business on society and the environment. It is a dynamic and interactive process that will likely have far-reaching implications for an organization, and the overlap between sustainability and financial reporting is inherent. Still, given the scope and possible market share of ESG activities and resulting data volume, multiple possibilities of future regulatory requirements may cause uncertainty around developing a new reporting framework that can mitigate remediation and restatements and optimize the controls environment.

Internal Controls and Automation Opportunities

Understanding both the external and internal drivers to risk and reporting structures helps inform the structure of a new internal control program to be more resilient, efficient, and agile through a changing risk profile. In addition, developing the new program using a change framework that identifies what to monitor, implement, maintain, and optimize in the controls program implementation may further enable a more resilient and efficient framework.

In addition to the external challenges to remediation, addressing internal challenges and opportunities is also necessary when developing the new control program. Disruptions from new technology and digital transformation are potential examples of prevailing internal challenges that may lead to restatements and remediation. However, the digital transformation also enables opportunities with automation, enhanced analytics, artificial intelligence, and data-driven solutions for the evolving risk and controls landscape and reporting lifecycle.

Automation Opportunities Across the Reporting Lifecycle

Process automation—includes manual, repetitive, rules-based processes and enables transaction automation, dynamic data manipulation, and streamlined communication. Examples include report generation, data reconciliation, and trend tracking.
Shared services process automation—includes processes with multiple interactions across different systems that enable process synergies. Examples include payroll, onboarding, education and training, and IT functions such as infrastructure, directories, and file management.
Outsourcing process automation—can be built for outsourcing contracts using robotic process automation (RPA) solutions. Examples include reconciliations, claims processing, inventory processing, production support, and network monitoring.
Developing a New Internal Controls Program

This five-step guide to developing a new internal controls framework can be considered to help address the external and internal challenges and utilize automation and data-driven solutions to move a control program forward and reduce the chances of accounting and reporting remediation throughout the transformation.

Conduct dynamic risk assessment and scoping updates that are periodically refreshed to remain agile, identify fraud risk considerations, and create a communication plan.
Develop internal control program methodologies, update operating models, and ascertain control owners and operators, including areas to automate.
Introduce technology to help automate and monitor the control environment and obtain electronic evidence with data and analytics.
Establish automated control methodology, develop a digital testing approach to control automation, and evaluate and update protocols for data security and cybersecurity.
Lead with the process, data, and user experience, all enabled by advanced analytics, data visuals, automation, and intelligent technology integrated within the framework.
Potential Benefits of an Updated Control Framework

Using remediation and restatement drivers to create a modernized controls framework may offer benefits beyond mitigation of risks in controls reporting. Developing a framework for a changing risk profile built on a foundation of new technology elevates the quality of reporting by increasing transparency and visibility into business processes with meaningful insights into managing risks. These deeper insights allow the function to refocus efforts and move away from point-in-time solutions to address issues continuously with more transparent monitoring and visualization capabilities.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”