Posts Tagged “internal auditors”

Have you ever had one of those days where you were determined to write that audit report? So you block off the time on your calendar, go into your office, shut the door, remove any and all distractions and breathe. Because now is the time to take all of those thoughts and perfect phrases running wild in your head and put them on paper. You sit down at your desk ready to make it happen. And you come up with nothing.

You decide to invite a colleague in to assist. Because after all, two heads are better than one. The two of you discuss the issues thoroughly, but nothing seems to sound right.

Writing objective observations takes time, skill, and tact. And if you’re like any other auditor, the audit issues sound wonderful in your head. But by the time you formulate the right words, reach for your pencil and place it on paper, that wonderful wording has become a distant memory. It’s worse if you’re in a group setting because you now become frustrated as the group begins asking you to repeat what you said. Unable to remember words uttered only seconds prior, it is only then that you realize how old you truly are.

If you’ve ever faced this situation, do not fear. There are several tools and techniques you can use to speed up and improve your report writing. But first, we must address the five big problems with writing reports:

1. We think faster than we write
2. Our million dollar thoughts come at the wrong time
3. We believe in writer’s block
4. We look for perfection in the first paragraph
5. We don’t understand and/or appreciate the writing process

5 Problems with audit report writing
We think faster than we write
We’ve all been there. Browsing through our cabinets trying to make a mental grocery list. Then you reach the point where there are too many items to remember. You decide to write a list. You reach for your paper and before the pen touches the pad, you’ve already forgotten the five items you wanted to write.

Our brains are fascinating. I can remember where I was in the summer of 1989, but I cannot remember what I ate for breakfast this morning. It is that forgetfulness that can derail your report writing.

Our million dollar thoughts come at the wrong time
Worse yet is when you have this wonderful idea, but then realize that it is 5:00 o’clock and you are stuck in traffic. There is no way you can capture that great thought without causing a pile up. So you try other techniques. You turn off the radio and repeat whatever it is over and over. You hope to continue this until you get home, or at least until you get to a stopping point. Of course something interrupts your thought and you forget what you were trying to remember.

We believe in writer’s block
Some people believe that writer’s block is a thing. I’m here to tell you, it is not. At least in the context of business writing or internal audit reports. Wikipedia define writer’s block as follows:

“Writer’s block is a condition, primarily associated with writing, in which an author loses the ability to produce new work or experiences a creative slowdown. This loss of ability to write and produce new work is not a result of commitment problems or lack of writing skills. The condition ranges from difficulty in coming up with original ideas to being unable to produce a work for years. Writer’s block is not solely measured by time passing without writing. It is measured by time passing without productivity in the task at hand.”

As you can see, writer’s block is a primary concern for creative writers. Our audit reports are, or should be, factually based non fiction. We are taking a series of facts, placing some logic and order to those facts, and providing management with a conclusion. What we are not doing, is creating new characters or developing plots and story lines. We know the beginning, middle and end of the story. Therefore, we know what to say. The problem is how do we say it so that it has the best impact given within the culture of the organization.

We look for perfection in the first paragraph
Because audit report writing is simpler than creative writing, we believe that we should be able to sit down and create the perfect prose in minutes. After all, we know the beginning, middle and end of the story. When we finally put pen to paper, our initial draft is usually not good. We then become frustrated. But I believe that frustration is because we don’t understand the writing process.

We don’t understand and/or appreciate the writing process
All the magic happens in the editing. Any writer will tell you this. Ernest Hemingway famously once said that “The first draft of anything is ****” (insert a very bad word here). As someone who has had articles published, I can tell you this is true. I can recall the first time I sent something to an editor. I thought it was an okay piece. But what came back was a magnificent manuscript. I fined tuned it a little and the result was something we were all pleased with. The writing process does not require perfection at the start. Your initial goal is to get something on the page. After that, trust the process and let the magic happen in editing.

3 tools you can use
Google voice typing
Because our brains seem to signal our mouths to speak faster than our hands can write, voice typing is the perfect shortcut to getting those wonderful words out of your head and on paper. For those unfamiliar with voice typing, you talk, it types. It’s as simple as that. Well, sort of.

The best free voice typing tool I’ve found is through Google. Log in to your account. Then, access Google Docs and open a document. Go to Tools, then Voice Typing (or you can press Ctlr+Shift+S).

You will see a microphone that may say Click to Speak. Click it, talk to it, and watch the magic happen. You will need to learn certain commands like period, comma and new paragraph. But other than that, if you speak clearly, it will recognize most speaking voices and words.

Your Cell Phone voice recorder
If barking out commands to your computer isn’t your thing, you’re in luck. There’s another option. If you’re like me, your cell phone is probably within arms reach. Grab your phone and go to your favorite app store. Search for a voice recorder. You should see several. Download one that piques your interest.

You can now record yourself talking about the audit issues. Now you will never miss that wonderfully worded paragraph that would sound great in an audit report. Once recorded, you can listen to the recording and pull out the impactful paragraphs.

Transcription
If you truly believe the recording represents your best work ever, you can have it transcribed. Yes, you heard me, transcribed. It’s not as bad or as expensive as you think. Before I get into that, I must say that I am not being paid by nor am I endorsing these specific products. there are several transcription services that I have used. Some use live transcribers while others use automated engines.

Summary

Writing audit reports can be a daunting task. But it has to be done. Nowadays we have a lot of tools that can help streamline the process. Many of the biggest issues start with us. Writer’s block is only as real as we allow it to be. Sit down and put something on paper. Use some electronic tools to get your words on paper. Almost any words will do. Afterall, the magic happens in the editing.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

This week Audit International are taking a look at the 4 ways how Internal Audit can get a seat at the table.

When it comes to risk management and compliance, most organizations operate on a 3 Lines of Defense (3LOD) model, in which operational management, compliance, and internal audit work together in tandem to assess and mitigate risk and manage controls and compliance.

This model may be successful in theory, but as the risk management and compliance functions have grown more complex, it doesn’t always work as well as you might hope. Given the rising sophistication of cybersecurity threats and incidents of fraud, and the increasing compliance requirements posed upon organizations of all sizes, it can be difficult to keep an organization-wide pulse on threats and breaches in compliance as they arise.

The problem is, the three branches don’t always collaborate effectively, which may leave internal audit out of the loop and unable to provide much value to the organization. They may not have access to the data they need to generate effective recommendations. The internal audit team’s focus may be simply on checking boxes and ensuring compliance, rather than providing strategic insights that will help your organization understand and take steps to mitigate new threats.

If you want your internal audit team to move the needle at your organization, you need to get the ear of executives who can advocate for your work. By partnering with leadership, you’ll be able to spearhead new initiatives and gain critical access to data that will help your organization save money and reduce risk, proving your team’s value.

Here are four strategies for doing that effectively:

Identify the key people who can support you, and make a plan to build relationships with them
Your audit team will naturally be in touch with the managers who can provide key information needed to conduct your audits—but by focusing only on these contacts, you’re missing out on building relationships with the leaders who will be able to help you gain a more visible role in the organization. Build a plan for conducting periodic outreach to higher-level executives within your organization, such as your chief risk officer or your CTO. You can solicit feedback from them on any open questions they may want your team to review in your audits, or provide high-level executive briefs showcasing work that you’ve done and issues they may want to explore in further detail. Make sure that they know you and your team are available to support them and open for feedback.

Proactively address organization-wide trends
Rather than focusing solely on issues identified in individual audits, start looking at your audit results in aggregate to identify trends. Is a single department or office location having trouble resolving a specific compliance issue, or is it an across-the-board trend that should be shared with your executive team? Review your data frequently to understand risks that should be mitigated, and come up with step-by-step action plans for how they should be addressed, including who’s responsible and what the benchmarks for success are.

Pay close attention to third-party risks
Many audit teams take an insular view of risk management, failing to uncover the external risks brought on by vendors and technology partners. Make sure that you have policies in place to carefully vet and automate compliance on your third-party vendors, pulling in external data that will alert you to any financial or legal issues they may face. Regularly track all of your solutions and technology partners for red flags, and ensure that you have a strategy for mitigating them. You can showcase your findings in sessions with executives and other partners throughout the business, and collaborate to come up with a plan for any of your scenarios. Keep in mind that risks from big providers such as Amazon or Facebook may impact a lot of your customers or partners as well, so ensure that you map out all of the variables that may impact your company’s business model across the board.

Use best-in-class GRC technology to automate compliance and analyze data
In order to provide the most useful insights to your leadership team, it’s important to integrate your entire risk management function across an easy-to-use GRC platform. Your GRC platform should come with pre-built content that will help you automate your controls framework, regardless of your industry. It should make it easy to monitor compliance status and risk levels across the organization at any given time, with triggers prompting action when control levels are not being met. You should be able to easily drill down into your data and generate executive dashboards, so that you can share insights to justify recommendations and help your leadership team make better informed business decisions.

By building a cohesive strategy for integrating with the 3LOD, backed by in-depth data analytics, real-time data feeds, and workflow automation, your audit team will be able to generate insights that can help to identify new risks, and develop new strategies for mitigating risks across the entire organization. This will help you to become a highly visible, influential, and trusted partner to the business.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International were in awe to hear this revolutionary news from the billionaire founder of the outdoor fashion brand Patagonia. He has announced just yesterday he is giving away his company to a charitable trust.

Yvon Chouinard said any profit not reinvested in running the business would go to fighting climate change.

The label has amassed a cult following due to sustainability moves like guaranteeing its clothes for life and offering reasonably priced repairs.

The brand’s website now states: “Earth is now our only shareholder.”

Mr Chouinard has always said he “never wanted to be a businessman”.

A rock climbing fanatic, he started out as making metal climbing spikes for himself and his friends to wedge into rocks, before moving into clothing and eventually creating a hugely successful sportswear brand with a cult following.
Founded in 1973, Patagonia’s sales were worth around $1.5bn this year, while Mr Chouinard’s net worth is thought to be $1.2bn.

He claimed that profits to be donated to climate causes will amount to around $100m (£87m) a year, depending on the health of the company.

“Despite its immensity, the Earth’s resources are not infinite, and it’s clear we’ve exceeded its limits,” the entrepreneur said of his decision to give up ownership.
The Californian firm was already donating 1% of its annual sales to grassroots activists and committed to sustainable practices. But in an open letter to customers, the apparently reluctant businessman said he wanted to do more.

Mr Chouinard said he had initially considered selling Patagonia and donating the money to charity, or taking the company public. But he said both options would have meant giving up control of the business and putting its values at risk.

Instead, the Chouinard family has transferred all ownership to two new entities. The Patagonia Purpose Trust, led by the family, remains the company’s controlling shareholder but will only own 2% of its total stock, Mr Chouinard said.

It will guide the philanthropy of the Holdfast Collective, a US charity “dedicated to fighting the environmental crisis” which now owns all of the non-voting stock – some 98% of the company.

“Each year the money we make after reinvesting in the business will be distributed as a dividend to help fight the crisis,” Mr Chouinard said.
Patagonia combines high-end outdoor fashion with its own brand of environmental and social activism. It’s a heady combination that certainly appeals to a loyal, if predominantly well-heeled following.

Part of the attraction comes from the fact that its environmentally conscious stance isn’t new. It was preaching eco-awareness years before sustainable fashion became fashionable.

But it’s still pretty hard to save the planet, if your business depends on selling stuff, however many recycled or renewable products you use.

By ringfencing future profits for environmental causes, Patagonia’s founder Yvon Chouinard has done his best to square that circle.

But he is also clearly trying to ensure that Patagonia brand is future-proofed and can never fall into the hands of the kind of companies he has accused of greenwashing in the past.

It’s nice to bring a good news story to you readers, and it will be interesting to see if any other climate conscious companies will follow suit. The bar has well and truly been set.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International are aware that public sector organizations face a variety of risks, ranging from cyber threats to budget constraints to compliance concerns. While internal audit teams in the government sector might not be responsible for solving all those risks, they need to make sure that they are following through with relevant risk management protocols.

Therefore, it is essential that internal audit teams are conducting internal audit risk assessments to figure out what these risks look like.

“Risk-based auditing ensures that the internal audit activity is focusing its efforts on providing assurance and advisory services related to the organization’s top risks… This requires internal auditors to have a working knowledge of basic concepts, frameworks, tools, and techniques related to risk and risk management,” explains the Institute of Internal Auditors (IIA).

In this article, we’ll examine five tips to help public sector internal auditors build better risk-based audit plans. These include:

1) Define your goals
Before you get too bogged down in the specifics of running an internal audit risk assessment, take a step back and consider what you’re trying to accomplish. Doing so includes finding internal alignment within your audit team and with other stakeholders.

As Baker Tilly advises, internal audit teams “should meet with the various stakeholder groups – management, the audit committee, and the governing body – to explain the process, set expectations for the results and listen to any desired outcomes, as a means of adapting the approach or identifying other activities where internal audit can add value.”

2) Organize your data
Conducting an internal audit risk assessment also requires strong data practices. But before you can get to a place where you are using data analytics to identify key risks, public sector organizations often need to organize their data first.

Information might be held in a variety of systems that makes analysis inefficient, if not ineffective. Tools like TeamMate+ use a data exchange API framework to pull together data from different sources, such as governance, risk, and compliance (GRC) systems and enterprise resource planning (ERP) tools, giving you a complete picture of what’s happening within your organization.

3) Get agile
If you go through an entire risk-based audit without getting any feedback along the way, then it’s easy to get off track. For one, risks might have changed from the time the audit started to when it eventually wraps up. And when you present to stakeholder leaders at the end of the risk assessment, it can be tough to then incorporate their feedback into your internal controls and assurance processes.

Engaging in agile auditing can help. By breaking an internal audit risk assessment down into more manageable chunks — where different risk areas go from the planning to presentation stages in short sprints — public sector internal auditors may have an easier time adapting to change and incorporating feedback.

4) Go dynamic
Agile auditing creates a dynamic internal audit risk assessment. Instead of approaching these assessments as an annual occurrence, you can review public sector risks on more of an ongoing basis.

That means collaborating with other departments throughout the year to keep up with emerging risks, which is where good data-sharing practices also come in handy. Dynamic or continuous risk assessments can also result in more frequent reporting so that you can keep everyone in the loop and get their timely feedback. Having a strong internal audit risk assessment tool like TeamMate that can help you simplify risk scoring and create efficient audit reports makes a big difference.

5) Keep up with public sector requirements
Lastly, working in internal audit in the government sector means staying on top of general risks like cybersecurity and financial concerns, along with meeting specific public policy guidelines and regulations. Public sector internal auditors often turn to sources like Wolters Kluwer, which provides resources like webinars and other Expert Insights so you can learn what you need to do to strengthen internal audit as a government organization.

Following these five tips can go a long way toward creating a strong internal audit risk assessment and a better audit process overall. Even if it seems like your organization doesn’t face many risks, conducting a risk-based audit can help you stay on top of any changes to your risk level. Rather than being caught off guard, building a reliable internal audit risk assessment plan can help your organization control risk, however that takes shape.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have been thinking recently about what internal audit should know about ESG risks, and where best to start but with the E, which is for Environmental.

In this, the first in a series of three articles, we will drill down on Environmental risk and explore how internal audit can have an impact by focusing on key risks.

Environmental risks :
There’s no single taxonomy of environmental risks. Consider what categories your organization uses and what is used elsewhere in the sector. The following should all be covered, at a minimum, but may be described in different ways using different terminology:

Climate change :
This should include the effect of greenhouse gas (GHG) emissions – we usually talk about carbon dioxide but there are seven gases covered by the GHG protocol
Pollution from emissions and discharge (i.e., water, soil, air)
Biodiversity loss and deforestation
Waste management
Resource use – impacts of raw materials, production, transportation, and distribution (consider water, energy, and other natural resources)
Hazardous materials
There is clearly an interplay between these risks, but as they represent the major environmental impacts, this offers a good starting point.

This should fit neatly into your existing risk assessment process. Typical impacts for the organization will be reputational, legal and regulatory, financial, operational, and ultimately strategic. All things we are very familiar with.

Getting started – Determining the key risks
Every organization is different. You will need to start with a risk assessment to determine the key risks, potentially using the list above. To do this, you will need to understand the main environmental issues in your business, considering a number of factors:

What sector(s) you are in, and what are the main impacts of that sector. Search out industry guidance from standard setters such as GRI (Global Reporting Initiative), international business groups, such as the World Economic Forum, and thought leaders, such as McKinsey. It is important to consider all the main parts of your business, from the environmental impact of the raw materials you source, through transportation, production, and sales. Although focus on your immediate impacts may be easier, the impacts outside your organization’s immediate control are often more significant. For example, a significant environmental impact of electronics is the extraction of rare earth metals essential for their production.
Where your business is based, the places in which you operate, where you source materials from, and where you sell to. This is important for a number of reasons. It drives the nature and extent of legal and regulatory risk that the organization faces. It also influences the attitudes of stakeholders, such as customers and consumers, as these may vary significantly. But bear in mind, that these factors can change quickly and this needs to be built into any risk assessment.
Requirements of your customers. This may be contractual for government or corporate procurement, or the preferences and attitudes of consumers. This is also partly based on location (as mentioned above), but in global markets, it is never that simple.

All of this (and more) should have been considered by the business (first or second line) and internal audit should leverage their work, effectively challenging and validating. If this has not been done, internal audit needs to be taking a step back and conducting a more basic evaluation of the maturity of the organization’s risk assessment process.

Some types of environmental impact will be universal and significant no matter what your business activity. These include climate change and waste, which Audit International will dig a little deeper into later in the article. Others may apply to a much greater extent in certain industries, such as those in extractive industries (oil and mining for example) and heavy manufacturing (where there may be high levels of resource use – both raw materials as inputs and energy and water in the production process).

How internal audit can make an impact :
As with any aspect of audit planning, the greatest value internal audit can bring will depend on the major risks identified. But we can’t just consider the inherent risks, we need to understand what other sources of assurance are in place and, most importantly, what activities are contributing to both the risk and the assurance. Think about the following:

What do we know about environmental management processes that are in place? What is the scope of these systems and processes?
What reporting is in place? Are external reports assured? Which stakeholders use and rely on these reports?
Are environmental factors (risks and costs) incorporated into project evaluation and capital decisions?
A common factor across many environmental risks is availability and the quality of the data. Process and controls for environmental data are generally less mature and systems are not always equipped or configured to meet the complexities and nuances of this data. This is often a great opportunity for internal audit to add value, both by providing assurance over processes and systems, and by validating the data itself. Both leverage core internal audit skills.

We can also go further, confirming that reports meet whichever standards are being applied, that management reports or projects evaluations fairly, and that these completely reflect risks as well as opportunities. However, this may require more specialized knowledge.

Some examples :

Climate change
All organizations need a response to climate change, and so while the specific needs will differ, this is an issue increasingly relevant for everyone. How can internal audit add value? Let’s look at two potential opportunities:

Has the business considered the potential physical and transitional impacts of climate change? Best practice suggests this should be done using scenario analysis that includes a range of realistic scenarios. Physical vulnerabilities may result from gradual, long-term changes in climate (chronic risks), or short-term (acute) risks, such as storms and fires during heatwaves. These potentially impact the cost-of-capital, the availability and cost of insurance rates, and cause operational disruption. Transitional impacts include changes in legislation, markets, technology, and stakeholder expectations. Internal audit can review the process used to establish scenarios and determine the impacts and, more importantly, assess actions to improve resilience, mitigate risk, and maximize opportunities.

Many corporations are now publishing disclosures under TCFD (Task Force on Climate Related Disclosures). These are becoming mandatory in some countries and are an increasing expectation from investors. External assurance, if any, is usually very limited in scope. Internal audit can provide assurance over the processes to collate data and support assertions made in the disclosures. It can also audit the data and assess the evidence supporting those assertions. Other organizations may provide (voluntarily or by regulation) data on, for example, energy use or emissions. Again, internal audit can provide similar assurance over these processes or this data, as any external assurance will generally be limited.

Waste :
Waste is an issue for all organizations, although the specific impacts will be very different across businesses. As well as the environmental impact, businesses have a cost-incentive to reduce waste, as it is increasingly expensive to treat and dispose of. Internal audit can add value in a number of ways.

Here are some examples:

– Assess whether policies support the organization’s waste strategy. Are they specific to the business and relevant for the types and locations of waste produced? Do they take into account legislation and regulation in each jurisdiction? Are they effectively implemented, understood, and followed?
– Companies often report waste information, either in annual reports or to different public authorities. How is this validated? For example, how do we know that waste is recycled or reused? Are there controls to independently verify how the waste has been treated? In many countries, responsibility for safe disposal rests with the waste producer, not the waste contractor.

To summarize, we have described the importance of environmental risk to all organizations and have shown how internal audit can respond to some of those risks. Internal audit can use existing tools and skills to get started, and leverage widely available sources of knowledge to find out more.

Keep an eye out for our next blog, discussing the S in ESG, which of course stands for ‘Social’.
We will explore how internal audit can address important social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have been following this news closely for the past few months and we are all interested to see what will unfold for the Big4 giant over the next few months and perhaps years. Just this week, the EY bosses have approved the radical split in largest shake-up of Big Four accountants in decades, with the Big4 Auditor planning to create ‘two distinct, multidisciplinary organizations’ amid regulatory pressure.

Bosses at EY have agreed to push ahead with a split of its audit and consulting arms in the biggest shake-up of a Big Four accounting giant in decades.

The firm said on Thursday that it will ballot its partners on a plan to separate the 312,000-strong business into “two distinct, multidisciplinary organizations” following a strategic review.

EY’s partners will vote on the proposal in the coming months, with the process set to conclude in early 2023, the firm said.

The voting rules will vary by country, but in the UK, the firm will require 75pc of its partners to back the plan if it is to be ratified.

Hywel Ball, EY’s UK chairman, said: “The needs of our clients, people and stakeholders are changing and I’m proud that we are reviewing the shape of our business in the UK and globally so that EY is well positioned to build on its success into the future.

“We believe the creation of two strong, independent businesses would help us to better meet the needs of our clients; create compelling careers for our people; and serve the public interest by providing greater choice in the market and a global response to regulatory concerns.”

The plan could see EY publicly list its advisory division or sell a partial stake in the 312,000-strong firm in a move that would result in bumper payouts for partners, similar to Goldman Sachs’ flotation in 1999 and Accenture’s in 2001.

However, Mr. Ball said no decisions have been made about how the split might occur.

EY is proposing the split amid severe pressure from regulators worldwide over concerns around conflicts of interest at the Big Four firms.

EY, Deloitte, KPMG and PwC have been heavily rebuked by regulators in the UK and US over a perceived lack of independence in their auditing divisions because of the fees they also earn from advisory work.

In the UK, the Big Four have already been forced to start ringfencing their audit and consulting arms in a bid to reduce conflicts of interest following major corporate collapses such as Carillion and BHS.

The Financial Reporting Council has given the firms a deadline of 2024 to operationally split their audit arms from the rest of their advisory businesses.

A decision on the split at EY has been held up for months due to disagreements over how billions of dollars of liabilities should be split and regulatory issues in certain countries, including China.

Earlier this week, it was revealed that senior staff at EY were seeking to defect to rival firms in a sign of growing internal strife over its proposed break-up.

KPMG and PwC are among firms that have seen a significant increase in the number of applications from senior managers, directors and even new partners at EY in recent months.

In July, EY held a briefing on the proposed split for its UK partners at the five-star Royal Lancaster hotel near Hyde Park in west London.

Mr. Ball said views expressed in that meeting showed that partners were “proud” that EY was the first Big Four firm to try and split, adding: “We’ll redefine the profession in the coming years.”

Deloitte, KPMG and PwC have said they have no plans to engineer a similar split of their advisory and audit arms.

Separately, Deloitte posted record revenues on the back of a boom in tech consulting last year.

The firm reported revenues of $59.3bn (£51.5bn), a jump of nearly 20pc on the previous year.

Whatever happens with the split, Audit International will be following this story very closely and bringing you the latest updates on it.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International recently came across a very interesting article, on improving Internal control systems, in the Wall Street Journal, and thought we’d share it with you.

Increasing business complexity and regulatory requirements are driving continual change to the risk environments for many organizations, and historical approaches to risk and controls may not be suited for the current atmosphere of digital transformation, persistent change, and uncertainty. As the business landscape continues to evolve, the risk of accounting and reporting misstatements rises, often due to the inability to respond to internal and external circumstances and adapt quickly to business changes.

Developing an internal controls framework with upgraded operating models, advanced technology integration, and new processes to monitor, implement, maintain, and optimize a risk and reporting structure can position an internal control program to stay ahead of risk and increase value. First, we will explore some of the internal and external factors driving challenges beyond traditional remediation and restatements in accounting and reporting, including considerations receiving attention from the SEC and AICPA. These critical change drivers, along with internal controls and automation opportunities, inform a new risk and controls framework empowered by more proactive and data-driven solutions.

External Factors Driving Remediation and Restatements

Remediation and restatement drivers include external challenges such as new accounting rules; the SEC and regulatory guidance; and environmental, social, and governance (ESG) reporting. Some of these external drivers were highlighted at the recent AICPA conference and featured prominently in recent SEC comments—including SEC reporting and rulemaking, ESG matters, auditor independence, and digital assets.1 2

Data quality and the importance of modernized reporting supported by new technology were prominent features at the AICPA conference, with an emphasis that organizations evaluate their standards, processes, and technologies to create accurate and easily accessible reports. In addition, responding to market demand for ESG information was a key theme throughout the conference and SEC comments. ESG is the universe of topics that reflect areas of performance management around the impacts and dependencies of the business on society and the environment. It is a dynamic and interactive process that will likely have far-reaching implications for an organization, and the overlap between sustainability and financial reporting is inherent. Still, given the scope and possible market share of ESG activities and resulting data volume, multiple possibilities of future regulatory requirements may cause uncertainty around developing a new reporting framework that can mitigate remediation and restatements and optimize the controls environment.

Internal Controls and Automation Opportunities

Understanding both the external and internal drivers to risk and reporting structures helps inform the structure of a new internal control program to be more resilient, efficient, and agile through a changing risk profile. In addition, developing the new program using a change framework that identifies what to monitor, implement, maintain, and optimize in the controls program implementation may further enable a more resilient and efficient framework.

In addition to the external challenges to remediation, addressing internal challenges and opportunities is also necessary when developing the new control program. Disruptions from new technology and digital transformation are potential examples of prevailing internal challenges that may lead to restatements and remediation. However, the digital transformation also enables opportunities with automation, enhanced analytics, artificial intelligence, and data-driven solutions for the evolving risk and controls landscape and reporting lifecycle.

Automation Opportunities Across the Reporting Lifecycle

Process automation—includes manual, repetitive, rules-based processes and enables transaction automation, dynamic data manipulation, and streamlined communication. Examples include report generation, data reconciliation, and trend tracking.
Shared services process automation—includes processes with multiple interactions across different systems that enable process synergies. Examples include payroll, onboarding, education and training, and IT functions such as infrastructure, directories, and file management.
Outsourcing process automation—can be built for outsourcing contracts using robotic process automation (RPA) solutions. Examples include reconciliations, claims processing, inventory processing, production support, and network monitoring.
Developing a New Internal Controls Program

This five-step guide to developing a new internal controls framework can be considered to help address the external and internal challenges and utilize automation and data-driven solutions to move a control program forward and reduce the chances of accounting and reporting remediation throughout the transformation.

Conduct dynamic risk assessment and scoping updates that are periodically refreshed to remain agile, identify fraud risk considerations, and create a communication plan.
Develop internal control program methodologies, update operating models, and ascertain control owners and operators, including areas to automate.
Introduce technology to help automate and monitor the control environment and obtain electronic evidence with data and analytics.
Establish automated control methodology, develop a digital testing approach to control automation, and evaluate and update protocols for data security and cybersecurity.
Lead with the process, data, and user experience, all enabled by advanced analytics, data visuals, automation, and intelligent technology integrated within the framework.
Potential Benefits of an Updated Control Framework

Using remediation and restatement drivers to create a modernized controls framework may offer benefits beyond mitigation of risks in controls reporting. Developing a framework for a changing risk profile built on a foundation of new technology elevates the quality of reporting by increasing transparency and visibility into business processes with meaningful insights into managing risks. These deeper insights allow the function to refocus efforts and move away from point-in-time solutions to address issues continuously with more transparent monitoring and visualization capabilities.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Any company operating successfully in this day and age, no matter its capacity, needs to effectively leverage its technology systems and make effective use of data. It is inevitable now that if a company wants to progress it must make a significant investment in technology. While these technology investments and innovations are required, it comes at a cost. This increased dependence on IT by extension increases the level of technological risk that an organisation faces, which has the knock-on effect of therefore increasing the relevance of IT audit.

The necessity of conducting IT audits within an organisation comes from its role in supporting effective risk management, particularly with regards those risks posed by weak cyber security measures. Data breaches and cyber-crime have escalated in response to the world’s digitalisation, an issue not limited to the financial services industry as world leading sports technology brand, Garmin, became one of the most recent victims of hacking. Thus proving that businesses large and small are equally vulnerable to attack.

The need for a strong IT audit function, while critical to the way businesses are now utilising technology to better navigate the market, also affects the way they relate to their staff. Since our daily lives are greatly integrated into our devices, that coupled with existing technological advancements, and the current professional climate means that businesses have been forced to interact with their employees very differently. Numerous processes have been digitalised, from annual leave forms to team meetings, paper and people have been replaced with electronic alternatives. Thus as the adoption of technology adoption increases, we see a knock-on effect of introducing risk into the environment.

IT audits focus on the gamut of risks associated with a business, identifying and evaluating them with a view to implementing the proper controls needed to action them in the best way. In helping an organisation understand the potential risks it faces, IT audit gives an organisation a clear strategy on how to action those risks, whether they can be eliminated, mitigated or tempered by the use of proper controls.

The IT auditors are there to guide the ‘implementers’ of the organisation through the resulting internal and external changes effected by the increasingly technologically-driven working environment. Many companies have struggled to adjust to the changes, falling short of successful strategic execution on the big money-making projects. This is where IT audit has proven its relevance as being that objective voice in the room to play devil’s advocate and advise on where those people implementing the changes may need to refocus their attention.

Applying regular and thorough IT audits keeps the relevant systems in check by raising potential security risks and actioning any solutions. Looking at the areas of company performance, business resilience in the face of crisis planning, compliance with existing and emerging standards and regulations, and financial health; the IT audit function exists to weed out any inaccuracies or inefficiencies within both the organisation’s management and the way it’s conducting itself as a business.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have put together a brief guide to strategic audit planning and resourcing.

Managing your audit requires strategic planning whilst ensuring that all internal resources are appropriate and effectively deployed.

Strategic audit planning
An audit needs assessment (ANA) exercise should be undertaken to inform the development of the organisation’s internal audit strategy (IAS). This ANA should be regularly updated and the IAS amended as necessary to reflect the changing assurance needs of the organisation.

The ANA should be updated at least annually but, increasingly, organisations are seeking to achieve more organic strategies that evolve more frequently to reflect the increased speed of change which many are experiencing – particularly fuelled by technology and competition. This requires continuous monitoring of the internal and external environment, and frequent and meaningful dialogue with both senior management and the audit committee.

The ANA represents a critical ingredient in the provision of an adequate, relevant and timely internal audit. It should be used to direct internal audit resources to those aspects of the organisation that represent the greatest risk to the achievement of its objectives, and where internal audit can aid management of those risks.

The ANA process should include:
-Review of the organisation’s risk register / board assurance framework
-Review of performance management data
-Review of previous audit opinions and progress on actions
-Review of other second and third line sources of assurance
-External major incidents/risks and other factors such as industry issues
-Planned organisational changes or major projects
-Reports from regulators
-Discussion with senior management, audit committee and external audit

All of the above should be considered in the context of organisational risk appetite, current risk exposure and acceptance of risks.

In organisations which have moved their risk management arrangements on to reflect the board assurance framework, this is a useful tool in the ANA process. This approach starts with strategic objectives, the risks to achieving those objectives, and then typically the ‘three lines of defence’ within the organisation which aim to manage risk to within appetite.

The first line of defence is the internal control environment recognising the policies, procedures and processes put in place by management. The second line of defence is management’s own monitoring and risk assurance processes including those escalated up through the governance framework. The third line of defence is independent assurance, providing a position statement for internal audit within organisations.

When considering the focus of the organisation’s IAS, the board assurance framework can help internal audit identify where it can provide assistance in its ‘consulting’ role surrounding business critical risk exposure beyond risk appetite. It can also help identify where ‘independent’ assurance will add most value by focusing upon those controls which the organisation believes are managing business critical risks within risk appetite.

The IAS should prioritise reviews over a particular timeline. The timing of reviews will be driven by a number of factors such as:
-Priority for each area of coverage, in terms of the level of risk exposure and risk appetite
management or audit committee concerns regarding a particular area.
-Degree of stability in respect of systems, staff and other organisational change
-Time since last audit and audit outcomes
-When specific risks are considered likely to materialise and impact
The audit resources necessary to deliver individual assignments will be driven by a number of factors such as:

System complexity:
-Factors such as number of locations, transactions and frequency
-The assurance which can be brought forward from previous audits
-The envisaged scope and objectives of the proposed audit

The IAS and the annual plan (year 1) within it will normally be subject to audit committee review and approval, with changes in subsequent years approved as appropriate in accordance with agreed protocol.

Resource management
Few managers have a blank cheque when it comes to budgets. Internal audit is no different.

Internal audit will typically adopt a medium timeline for strategic planning purposes allowing the chief audit executive (CAE) to balance assurance needs and resources within a defined budget envelope to provide reasonable assurance to audit committee and senior management. Short term or specific skills gaps can be bridged through recruitment, training or co-sourcing.

Where the budget of the department is insufficient to meet the assurance needs of the audit committee and senior management, the CAE will need to raise such concerns and explain the impact of such limitations upon the assurance they are able to provide. The audit committee can direct a review of resources and approve as required to meet its needs.

In determining and managing the resource need:
-Identify the number of individuals, skills mix and specialist skills necessary to deliver the approved IAS
-Analyse your current resources against this need to identify resource shortfalls and skills gaps based upon realistic target -Utilisation / efficiency levels
-Allocate audits based upon skills and experience to in-house team members
-Identify how resource shortfalls will be met – recruitment, out-source or co-source
-Ensure that planned audits are delivered in accordance with the approved budgets to identify and take timely action in -Respect of any deviation to keep delivery of the audit plan on-track

When managing co-sourced or out-sourced relationships to support the audit plan:
-Tender for specialist work suitably balancing cost and quality considerations
-Ensure robust and clear contracts are in place with: requirements, pricing, confidentiality, data security, ownership of -Intellectual copyright and working papers, dispute resolution, and exit terms
-Establish clear operating procedures and approval processes within a service level agreement to ensure that each assignment is delivered in accordance with expectation

IT solutions may enable more efficient and effective internal auditing. However, this will be dependent upon a number of factors such as the size of the audit plan, size of the respective team, geographical spread and degree of standardisation or repetition within the audit plan.

Increasingly, internal audit is utilising a risk based approach to audit strategy, rather than simply providing coverage of the audit universe on a set cycle. Some of the value within traditional IT solutions can be limited and not justify their cost. Therefore as with any system acquisition you should undertake a detailed needs analysis and review the product offering to determine if it will meet those needs and provide value for money.

Likewise with increased functionality within common office IT products, there is the ability to utilise existing software to automate elements of the audit documentation and facilitate analysis of large volumes of data if it can be extracted in a common format from the organisations core management information systems.

Knowledge management
The internal audit function must develop the skills, experience and knowledge within its team members. Importantly it must also ensure that as team members change, their knowledge is retained as far as possible or transferred to other team members. Effective audit management systems, notice periods, team working and knowledge sharing practices will assist in minimising associated key person risks.

The following techniques may assist in acquiring and developing in-house skills:

-Structured appraisal and performance management
-Informed training programmes at both a team and individual level
-In-house training programmes to deliver common training needs
-Procure external training for specific specialist training needs
mentoring programmes
-Joint delivery of reviews with co-sourced providers to facilitate knowledge transfer
effective knowledge management systems.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

It’s become a truism that the ‘new normal’ as the world emerges from Covid-19 lockdown will not, and cannot, be like the old normal. But what does this mean for internal auditors? What skills will be most in demand and what can you do about it if you do not feel that you have enough of these at the moment? Audit International have all these answers and more.
As in other areas of the wider economy, many of the skills that are going up in value and demand (and those that are going down) reflect longer term trends that have been exacerbated by the crisis. A strong suite of technical auditing skills now puts more emphasis on so-called ‘soft’ skills and less on some traditionally prized abilities to sift and process information, although independent judgment, logical reasoning and analysis will always be important.

IT auditing is becoming an increasingly specialist preserve that is beyond the scope of most internal auditors, however many employers now expect all internal auditors to have a strong grasp of the basics of data analytics and of what analytics programmes can do for audits and assurance. This IT-savvy must go hand in hand with a wide imagination about the potential uses of the technology and how it can be employed more effectively.
What is new, however, is that ‘soft’ skills and IT experience are no longer nice-to-haves. Whereas a few months ago, there was a shortage of internal auditors in many sectors, now employers are likely to be able to pick and choose. The post-Covid landscape is likely to be bleak for many sectors and internal auditors will not be immune. There will be redundancies and people will need to look more broadly at their CVs, personal skills development and, possibly, at the options available to them in a wider range of sectors.

Russell Bunker, director at Barclay Simpson, says that the highest demand is currently for “experienced internal auditors operating at the delivery level”. Fewer organisations are hiring senior audit managers or trainees, he says. However, he added that a number of fixed-term or interim job opportunities are emerging and there are new jobs appearing as a consequence of an increase in co-sourced internal audit work. Some of these trends may be short-lived, of course, and may reflect temporary bans on permanent hiring.

So, what are the key skills internal auditors will need to thrive in the short and longer term?
1. Communication is key
Emotional intelligence may not have always been top of the list for internal auditors, but it’s hardly a new requirement. Internal auditors have to be great communicators – if you cannot talk to people – and, just as importantly, listen to them – you can neither learn from them nor persuade and influence them.
As computers take on ever more of the analysis side of auditing, we need humans who understand how people operate in real life, what makes them tick? Internal auditors need to pick up the nuances to spot when things may be wrong behind the scenes. They need to use the right language to relate to the people they need to get on their side or to persuade people to change the way things are done and to understand the need to better governance. And they need to be able to convey important messages simply and effectively. This is not always about being ‘nice’ – it’s about being effective. Some of these messages may be tough and they need to be understood and acted on.
It’s also about being able to demonstrate the behaviour that you preach. Actions really can speak louder than words.

2. Business acumen
This has always been important, but is becoming ever more so. Internal auditors see the whole of the business from the inside, but they also need to be able to look beyond it, and beyond their sector and region, if they are to appreciate emerging risks and the bigger picture. They need to understand what keeps their CEO awake at night – and, even more importantly, what should be keeping him or her awake at night.
Increasingly, they are being expected to know a lot about the potential impacts of everything from macro economics to climate change and the complexities of supply chains. Sourcing and reviewing the most up to date and reliable information is vital, but you also need the acumen to know how this could affect your business and to spot the risks and opportunities. Those who do not display this knowledge will not gain the respect internal audit needs from senior management to be effective.

3. Flexible and agile
Speed is of the essence. How can you offer assurance more effectively, more rapidly and more effectively? This is the holy grail of internal audit and will become even more so in the post-Covid landscape. Technology can help, but it takes people to think about how they can use it better. Those with the imagination and the drive to improve, adapt and change will be most valuable to, and valued by, management.

4. Personal relationships and networking
Use your personal relationships and find out what peers, colleagues, friends and family are doing. Be curious and ask questions. This is partly about being well-informed and partly about good communications. There are loads of ways to keep in touch so use them – from social media to Facetime to old-fashioned phone calls. You never know what may come in useful in future but the broader the net, the more you are likely to benefit.

5. Proactive – use your imagination
Imagination and curiosity are now so important that they deserve a mention on their own. Again, they are not new skills for internal auditors, but they have never been more important. You don’t need a formal mentor to tell you to think about where you want your career or your audit team to be in six months’ time. But it can help to take some time out of your normal routine to practise thinking more imaginatively. Many things in the near future will need to change and someone will need to identify potential changes and the ways to achieve them.
Equally, imagination is an important part of effective communication. What are your auditees doing and why? What are they going through? What do you want them to be doing in future – and how can you help them to get there?

6. Sell, sell, sell
It’s been said that everyone is selling something – and if they say they’re not, they’re lying. Selling has a bad reputation in the UK. It’s seen as duplicitous and bad-mannered. However, sales skills are just as vital for good ends as for bad. Internal auditors are going to have to compete for attention even harder and many will have difficult messages to convey in the near future. If you want management, auditees and colleagues to listen to you and respond to your messages, you will need adequate sales skills.
And, if you’re in a sector that has been badly affected by the pandemic, you may need to brush up your CV and prepare to sell your own skills more aggressively. If you have what it takes to help organisations weather this crisis, don’t sell yourself short.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”