Posts Tagged “lead auditor”

Here at Audit International, we have seen a significant shift in the way in which environmental, social, and governance (ESG) data has been perceived in recent years. It has gone from being an ‘add-on’ to being a vital opportunity for corporations to boost their competitiveness. As consumers become more discerning about environmental, social, ethical, and responsible business practices, organizations are increasingly starting to realize that reporting ESG data can have significant brand and reputational benefits.

However, this is just the beginning. The value of ESG data extends beyond reporting—when handled properly, it can unlock value for an organization in a variety of ways.

What is ESG and ESG Reporting?
It’s important to note that there is a distinction between ESG and sustainability. The terms are often used interchangeably, but there are important differences. Essentially, sustainability deals with how an organization’s operations impact the environment and society, whereas ESG has more to do with how an organization’s environmental, social, and governance initiatives affect its financial performance.

According to the Center for Audit Quality (CAQ), “ESG reporting encompasses both qualitative discussions of topics as well as quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies.”

How companies can use ESG data to their advantage
When organizations treat ESG reporting as more than a box-ticking exercise to meet regulatory obligations, they stand to reap a number of benefits, as follows:

● Profitability and sustainability: Including ESG data in an extended planning and analysis (xP&A) strategy allows an enterprise to see how that data affects financial and operational data, which is key to making ESG initiatives sustainable and profitable.

● Risk management: Neglecting ESG issues can result in financial or reputational damage. Thus, all organizations should ensure that they incorporate ESG data into their risk management strategies. By voluntarily disclosing this information, they will demonstrate that they are taking sufficient steps to protect themselves and their stakeholders from ESG-related risks.

● Competitive advantage: Focusing on ESG can help an organization gain a better understanding of what matters to its stakeholders while also identifying opportunities. Furthermore, reporting ESG data will help stakeholders compare the organization with its competitors. This works in the organization’s favour if it is outperforming peers on the ESG front.

● Uncovering critical operational drivers for decision-making: ESG data can help an organization see where sustainable changes could improve efficiency and make its business more ethical and equitable. This can greatly enhance the decision-making process.

What are the main challenges to effective ESG Reporting?
ESG reporting is continuously evolving as governments announce new standards that companies need to comply with, as well as a new mandatory International Sustainability Standards Board (ISSB) standard that is expected to be announced by the end of the year (2022). It also touches every financial process. For these reasons, companies can find the whole ESG journey intimidating.

The following are some of the main obstacles that need to be overcome:

● Several ESG optional frameworks: The Global Reporting Initiative (GRI), Task Force on Climate-Related Financial Disclosures (TCFD), and the Sustainability Accounting Standards Board (SASB) are some of the more notable ESG frameworks, but there are plenty of others, many of which are specific to certain regions or industries. It can be challenging for companies, especially those operating in multiple countries, to know which ESG standards and frameworks to adhere to. This will all change when the mandatory ISSB standards are announced at the end of 2022.

● Complexity of data management: Whether meeting regulatory requirements or carrying out voluntary disclosures, companies need to be able to collect, translate, and process ESG data. This is a task that is complicated by the fact that the data is often siloed across different IT systems and is often stored in different formats. In addition, sustainability can be hard to quantify.

● Lack of ESG insight to inform decisions: Many organizations have difficulty seeing the connection between ESG data and financial results, especially when captured in spreadsheets, which means they are unable to use the data to improve their bottom line and sustainability initiatives.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Amidst issues like supply chain complexity, economic uncertainty, and increased digitalization, Audit International are finding many organizations are adding vendors or changing their existing relationships with those they currently conduct business with.

Working remotely has prompted many companies to add cloud vendors. Supply chain backlogs might have prompted your business to switch to local vendors. Or maybe you’ve added marketing agencies or other types of consultants that have flexible capacity, rather than increasing headcount.

These decisions can help businesses adapt to changing conditions and build resilience, but working with vendors may also introduce new risks. While you might feel like you have a handle on issues like in-house data security processes, you need to be sure that vendors also align with your needs in these areas.

Internal audit teams can play an important oversight role when it comes to vendor risk management. While they might not be making specific vendor management decisions, they can still be involved in making sure proper due diligence is followed when selecting vendors. And once vendor relationships are in place, internal audit teams can monitor these arrangements to ensure organizations aren’t opening themselves up to new risks.

What are the top vendor risk management issues?
Working with third parties like software vendors, managed service providers, cleaning companies, etc. can help businesses fill gaps in current capabilities, increase efficiency, and more. Yet, internal audit teams also need to make sure that their organizations are accounting for any and all potential risks:

Cybersecurity: Internal audit teams should review vendors’ cybersecurity practices to assess whether these meet your organization’s expectations, for example, data security controls and remediation capabilities.

Compliance: Third-party vendors can also create compliance risks, such as improperly storing customer data or engaging in illegal business practices. Even if these vendor issues do not lead to legal action against your organization, internal auditors should aim to get ahead of these issues to avoid reputational damage.

ESG: Environmental, social, and governance (ESG) scrutiny is increasingly extending into supply chains and can also create reputational risk. Internal auditors will want to assess how vendors align with their own ESG goals. This may in turn lead to implementing additional controls, for example, around data sharing practices so that your organization will be able to verify issues like vendor emissions.

Quality: Don’t automatically assume that vendors will provide the quality you’re expecting, even if they come recommended or are widely known. Internal auditors need to ensure that their organizations still conduct proper due diligence to see whether working with that vendor will provide the quality of work you’re expecting. Managing risk can also include looking at vendor performance controls to see if existing third-party vendors maintain appropriate quality standards.
These are just some of the many critical risks that can come from working with third parties. Keep in mind that vendors may also have their own networks of third parties, which could ultimately affect your organization.

While it might not be possible to know every connection point that your vendors have with other third parties, you would likely want to assess what their own third-party risk management practices look like.

How can internal auditors improve third-party risk management?
Internal auditors shouldn’t be the only ones responsible for vendor risk assessments, but they should be mindful of the aforementioned vendor risk management issues and collaborate with other departments to stay on top of these risks.

For example, internal auditors can collaborate with IT leaders to create a vendor security due diligence checklist. From there, internal audit controls can make sure that this checklist is used across all vendor reviews.

Internal audit leaders can also integrate analytics into audit processes, such as collecting performance metrics on third-party vendors, to assess whether they meet your organization’s quality expectations on an ongoing basis.

Too often, however, adding analytics to audit reports is a manual, labor-intensive process that can create its own risks, like data errors. TeamMate Audit Benchmark found 79% of internal audit teams manually leverage data from other applications.

Audit tools like TeamMate+ can help internal auditors get the third-party data they need through automated API exchanges with other platforms, which makes continuous monitoring of risk more feasible. They can then create automated reports to share insights with other departments to stay on top of third-party risk.

By aligning with these steps and staying on top of evolving vendor management risks, internal audit teams can help their organizations stay safe while getting the most out of their third-party partnerships.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

A recent study revealed that 82% of finance and business leaders must comply with sustainability requirements or ESG regulations. Even without mandatory regulatory standards in place, Audit International would bet their bottom dollar that more companies would voluntarily take on sustainability initiatives and thus, produce ESG reports.

Why? Because more stakeholders are looking.

The number of parties with vested interests in ESG performance has dramatically increased. The tendency is to think of investors as the sole consumer, judge, and jury of ESG reports, but that’s changing, especially as other stakeholders find themselves subject to ESG expectations.

So, who’s really looking at your ESG reports? And why do they care?

Investors
Let’s start with the obvious: investors! Today’s investors want to ensure their money supports organizations that align with their values. Increasingly, those values are moving further and further away from brown stocks. Investors are leaning away from companies that might risk damaging the environment, operate with inequities, or are vulnerable to corruption.

While sustainable investing is value-based for many investors, it’s also the safer, more lucrative investment in many cases.

A study by Nordea Equity Research reported that, over three years, companies with high ESG ratings outperformed the lowest-rated companies by as much as 40%.

A Bank of America Merrill Lynch study found that firms with a healthier ESG record yielded higher three-year returns. They were also more likely to become high-quality stocks, less likely to experience significant price drops, and less likely to go bankrupt.

All this to say, an ESG score isn’t just a number. It indicates to investors that your company is a proactive, forward-thinking entity that will satisfy the investor’s need for ROI and their conscience.

Internal stakeholders
Many stakeholders within a business can benefit from ESG performance data.

For example:

Sales and marketing can use ESG data to showcase a company’s sustainability performance in their efforts to entice new customers.
IR and PR teams can tout ESG successes to improve the company’s reputation.
HR reps can use social data to attract talent.
Finance teams and chief executives can use ESG insights to improve profitability, contain costs, identify new business opportunities, and recognize areas of investment and divestment when ESG data is connected to financial performance.
Organizations can put ESG performance data to work in many ways. Regarding business value, ESG reports can give every department leverage in furthering the growth and goodwill towards an organization.

ESG scoring bodies
A good ESG score is a golden ticket to a favorable ESG reputation. To receive one, you’ll have to complete surveys or create reports designed by third-party providers, who then calculate ESG scores based on the metrics and ESG performance you reported. Like a credit score or a bond rating, an ESG score demonstrates your company’s ability to meet its ESG commitments, performance, and risk exposure.

Notable ESG scoring organizations are Bloomberg ESG Data Services, Sustainalytics, ESG Risk Ratings, JUST Capital, MSCI, Refinitiv, Dow Jones Sustainability Index Family, and RepRisk.

Banks and financial institutions
Banks, capital markets, and wealth managers are moving towards ESG agendas. This is not just an ethical move but one of demand, risk, and reward.

In terms of demand, millennials lean significantly towards sustainable investments. A survey by EY found that millennials are twice as likely to invest in a fund or stock if social responsibility is a component of the value creation narrative. (Might I remind you millennials are the demographic soon to be society’s primary wealth holders.)

In terms of risk, the liability to banks is two-fold. First, banks are subject to the same sustainability scrutiny as other businesses — customers want to bank with sustainably responsible banks. And second, banks face similar challenges to investors: lending to companies that aren’t sustainable could also pose threats to their business. Will a coal mine be able to repay its debts when sustainable alternatives take over? While banks might not be in this scenario just yet, in the future, it’s possible that businesses could see requests for funding denied if they don’t prove to be sustainable enough.

In terms of reward, again, we see companies with strong ESG performing better than those with weak ESG. An analysis completed by global investment manager BlackRock found that up to 88% of sustainable funds outperformed their non-sustainable counterparts between January 1, 2020, and April 30, 2020. Why would a wealth manager allocate funds to an unsustainable stock when a more sustainable and equally (if not more) profitable alternative exists? Why choose to lose/win when you could choose to win/win?

Regulators
Incoming! A stampede of regulations is making its way into the ESG reporting arena. Two regulations of note are:

The EU’s Corporate Sustainability Due Diligence (CSDD)

In February 2022, the European Commission published a draft of the CSDD. If passed, the CSDD would require companies to disclose the impacts of their operations on human rights and the environment.

The US’s new climate-related disclosures

In March 2022, the SEC proposed expansive new climate-related disclosures related to greenhouse gas emissions, climate risks, transition plans, and governance.

Sullivan and Cromwell LLP has a great round-up of the latest (up to May 2022) ESG regulatory advancements here. The bottom line: ESG is being written into everything from litigation to financial institutions, disclosure and governance, and law. While your particular flavor of ESG regulation will be subject to your jurisdiction and industry, you can bet on increased regulatory scrutiny coming your way soon.

Consumers
B2C companies find themselves with a consumer who cares about their product, how it’s made, and who’s making it. Recent PWC research found that:

Consumers aged 17 – 38 years are almost twice as likely to consider ESG issues when making purchasing decisions than others.
Over half of consumers surveyed said that a company’s purpose and values played a role in their purchasing decisions.
49% of consumers and 66% of millennials use the internet to learn more about a company’s ESG practices before buying a product or service.
From this, we can conclude a few things. The future of the sales will be dependent on ESG performance. And consumers aren’t satisfied with marketing promises — they want the ESG evidence, and your reports will be front in center of their investigations.

Everyone’s looking at ESG
Don’t make stakeholders struggle to seek out your ESG performance. By using a corporate performance management approach to ESG reporting, you can tell your sustainability story, disclose according to multiple new and evolving frameworks, and connect financial outcomes, operational activities, and ESG performance to ensure sustainability is always tied to doing good for the earth, people, and your bottom line.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Transit systems. Healthcare facilities. Financial services firms. What do they all have in common? Organizations within these sectors — and essentially all industries, for that matter — have been hit by ransomware, a type of malware where cybercriminals demand a ransom payment to unlock access to your private and confidential systems and files.

While many cybersecurity risks exist, ransomware is often one of the more pressing challenges. Not only can it bring operations to a screeching halt, but it can also cause issues like data leaks and reputational damage. A global survey by cybersecurity software company Sophos finds that 66% of surveyed organizations suffered ransomware attacks in 2021. “It took on average one month to recover from the damage and disruption,” Sophos adds.

Given the severity of ransomware risk, internal auditors should aim to help their organizations reduce these threats, along with overall cybersecurity risks. How? As Audit International will examine in this article, internal audit departments can take steps such as conducting IT/cybersecurity audits and using technology like internal audit management software to improve internal controls and collaboration.

Review IT practices and controls :
Even though internal auditors generally aren’t responsible for choosing cybersecurity software and establishing employee training to recognize ransomware risks, they can still provide assurance over IT practices and controls, such as with an IT audit.

When IT teams conduct phishing tests to see whether employees are tricked by email scams that can cause ransomware issues, internal auditors are then able to review those results and ensure that the organization is meeting a sufficient standard to prevent social engineering. If the results demonstrate gaps in employee preparedness on ransomware risk or other cybersecurity risks, then internal auditors would likely want to communicate that risk to other stakeholders, like boards and senior management.

Internal audit leaders might also review remote work policies to ensure that IT teams are appropriately managing these with ransomware risk in mind, rather than just focusing on the functionality of work-from-home environments. While internal auditors often rely on guidance from IT leaders, they can still audit areas like access logs to ensure that only approved devices, with the appropriate threat intelligence and data protection technologies, are connecting to their networks.

Align key stakeholders :
Improving ransomware protection also means internal auditors need to align key stakeholders, rather than just collaborating with IT. That means pulling together information from multiple departments to make sure everyone’s on the same page.

Internal auditors should check with finance teams to see how they’re accounting for the potential costs of a ransomware attack, and then ensure that other key stakeholders, like boards and senior management, understand and agree with this approach. Otherwise, issues like not having a sufficient budget to recover from a ransomware attack may arise.

“Regardless of their size or revenue, organizations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response, and recovery measures,” notes Zachary Ginsburg, research director for the Gartner Audit and Risk practice, in a Gartner press release.

Leverage internal audit management software :
Internal auditors can mitigate ransomware risk by leveraging internal audit management software. Many technologies are designed to assist with cybersecurity risk management, but from an audit perspective, internal audit management software is important for gaining assurance.

Overall, internal audit teams have an opportunity to make a significant impact when it comes to ransomware risk management. Planning ahead and focusing on internal alignment can go a long way toward reducing ransomware attacks and other cybersecurity risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Having considered how internal audit can address environmental risks in the first article in this Audit International series, this article turns to the second element of ESG, social risk. This can be a sensitive area, and many risks are hard to quantify. But over the last decade, expectations of organizations have evolved significantly, and internal audit has a key role in providing assurance over the risks that this presents.

Social risks :
Social risk can be viewed from several perspectives. While we traditionally look at business activities, here it can also be helpful to look through the lens of different stakeholders to ensure all risks are captured and completely understood. For example, consider impacts on the organization itself, staff, customers, suppliers, investors, other third parties, and the wider communities in which you operate. Below are some of the key risks – not an exhaustive list — but those that outline the main risk areas you will want to capture:

– Health and safety – consider both workplace and customer safety.
– Labor standards – your own and those throughout your supply chain. This goes beyond compliance with legislation and international protocols to include issues such as well-being, benefits, and employee engagement.
– Equality, diversity, and inclusion (EDI) – very important to staff, customers, and the community, this is a significant topic in and of itself
– Sales practices – important to your customer base and the wider community, poor practices can quickly damage a reputation.
– Data privacy – sometimes considered a social risk, given its impact on staff, customers, and other partners.
– Community engagement – how effective is your organization in working with local (and broader) stakeholders to maximize the positive and minimize the negative impacts on the community. This started with CSR (Corporate Social Responsibility) but often goes much deeper.
– Other broad, but important, issues such as human rights and the rights of indigenous peoples.
– Typical impacts for the organization will be the same as for many other ESG risks – reputational, legal and regulatory, financial, operational, and ultimately strategic. Other than potentially using different stakeholder perspectives when considering risks, this fits well into your risk assessment process.

Getting started – Determining the key risks :
Your risk assessment should always be the starting point. In order to do this, you will first need to go through several steps to get sufficient background context:

Understand your organization’s approach to social risk. Given the variety of risks and the number of stakeholders, it is likely that it will sit across the organization with many different risk owners. For example, staff-related risks and issues will be owned by Human Resources, whereas supply chain risks will be owned by the relevant business unit or a procurement function. Are there anywhere these risks are also considered and assessed together or across the organization, such as part of a risk function?
Consider who the key stakeholders are. Some will be common to all organizations – staff and customers for instance. Others will be specific to your business – such as a community close to a quarry.
As always, consider key sector and industry risks, drawing on industry guidance, frameworks, and other resources, and on standards such as GRI (Global Reporting Initiative).
Pay attention to your supply chain, particularly if sourcing (directly or indirectly) from jurisdictions where labor or safety standards may not reflect those in your home country.
Understand legal and regulatory requirements in all jurisdictions in which you operate.
With this background information, you can start to include social risks into your risk assessment, leveraging work done by the first and second lines, and begin to provide assurance over these key risks.

How internal audit can make an impact :
Clearly, we should be focusing on the biggest risks for the organization. However, we often need to consider the impact on stakeholder groups in aggregate, rather than just for each risk. Staff is a good example. We should certainly consider risks around compliance with labor laws but understanding the impacts on staff also requires the inclusion of wellbeing, health and safety, benefits, employee engagement, and EDI to assess the potential risk around staff as a group. Internal audit can add value by looking at risk in this way and provide more holistic assurance over risks relating to specific stakeholders.

Internal audit can also take a broader look at the organization’s approach to social risk. As I suggested earlier, it is often a distributed responsibility, but the risks do not exist in isolation. Some questions you can ask:

What is the organization’s attitude towards social risks? Are social factors (collectively or specific issues) considered in strategic planning or discussed at the Board level?
Have key stakeholders been identified? Do these make sense given what you know?
Is social impact considered in decision-making, particularly investment decisions and project evaluation? For government and social-purpose organizations, this will often be a core part of the decision-making process. But even in commercial organizations, evaluation of social risks and impacts will often be built in.
Are there targets and performance metrics in place? For key risks there often are metrics, but they may not be evaluated as a whole – which could be acceptable if they have sufficient prominence. As for other ESG risks, the availability and quality of the data may be a challenge as standards, systems, and processes are evolving. This provides an opportunity for internal audit to make an impact by evaluating systems and processes and by validating the data.
Some examples
Labor standards
The subject of labor standards is broad, but if we consider it in two parts, it may help. First there are fundamental rights at a global level which most countries are adhering to as members of the International Labour Organization. These cover issues such as forced labor, child labor, maternity, working hours, discrimination, health and safety, and unionization rights. Second, there are expectations beyond this, which often vary by country and include benefits, well-being, and employee engagement. There are many ways for internal audit to make an impact here. I will address two very different audit examples:

An organization’s own employment activities have always been part of an audit universe. There is an opportunity to take this further, providing insight and assurance into, for example, employee wellbeing and engagement. Most large organizations conduct surveys covering one or both, but how effectively do they select, track, and use metrics? Also, how effective are follow-up plans? These are sensitive areas, but this is largely about how data is collected and used, and how effectively plans are defined and implemented. All are very well aligned to core internal audit skill sets.
The broader issue of labor standards risk incorporates many parts of a business. As well as an organization’s own employees, we need to consider those in the supply chain, service companies, and any other partners. The focus of an audit is likely to be on procurement and contract management processes. Do contracts stipulate appropriate measures (which vary on the size and nature of the organization)? What independent verification is available that standards are complied with? What monitoring is in place within the organization to highlight emerging issues? All questions internal audit is well-positioned to consider and provide assurance over.

Sales practices :
Sales practices have been under the microscope at various points over the last century. Often it relates to providing dishonest or misleading information, or selling products or services are known not to be in the best interest of the buyer. The banking crisis of 2008 highlighted unethical practices which led to a significant shift to providing services based on the customer. Earlier examples are tobacco and baby formula, the health impacts of which were not accurately portrayed. In both cases, poor practices continued in parts of the developing world long after they were prohibited in the West.

Risks are primarily reputational, but often there are legal and regulatory considerations that can be substantial. Let’s look at two ways in which internal audit can make an impact in this area:

The first is not about the sales process itself, but about whether organizations are considering the customer in the products and services they sell. All jurisdictions have regulations about product quality or the types of services that can be sold to different groups of consumers. Examples range from food standards to complex financial products. In addition, there are overarching responsibilities to ensure customer health and safety (whether on-site or through the products or services they are using) that should be considered. This could be as obvious as ensuring products don’t cause a choking hazard or more complex such as the danger posed when providing social media platforms to young people. Internal auditors should understand the relevant regulations, and any voluntary codes, to provide assurance that there are appropriate controls over these risks, often as part of an existing audit. But you can also go further by considering the more complex aspects of risk and raising concerns if these have not been appropriately considered as customer needs and welfare are an integral part of product/service design and production.
Internal audit can provide assurance over the sales process itself. In any setting and for any customer group, there should be defined processes for marketing, customer communications, and best practices and guidelines a salesperson should consider when making the sale. For complex products such as insurance, this may be very structured, whereas a very light touch would be expected for simple products. Controls may include guidelines, review, and approval for marketing materials, standard templates for communications, and certifications and training for sales. When auditing, we need to be mindful of having realistic expectations for the type of products and services being sold but also be prepared to challenge when processes are insufficient or not well-evidenced. Additional considerations include data privacy, avoidance of discrimination, and the need to look at practices in all relevant jurisdictions.
To summarize, we have shown the variety of social risks within ESG and how internal audit can use their skill set to make an impact by providing assurance over some of these key risks. There are good sources of information freely available to understand different issues in more detail to help assess how social risks may impact your organization and your audit response.

The third and final article in this series will focus on the “G” (Governance) in ESG which covers a broad range of corporate activities. It is important to understand these risks as they provide the foundation for effective ESG program management.

Have you ever had one of those days where you were determined to write that audit report? So you block off the time on your calendar, go into your office, shut the door, remove any and all distractions and breathe. Because now is the time to take all of those thoughts and perfect phrases running wild in your head and put them on paper. You sit down at your desk ready to make it happen. And you come up with nothing.

You decide to invite a colleague in to assist. Because after all, two heads are better than one. The two of you discuss the issues thoroughly, but nothing seems to sound right.

Writing objective observations takes time, skill, and tact. And if you’re like any other auditor, the audit issues sound wonderful in your head. But by the time you formulate the right words, reach for your pencil and place it on paper, that wonderful wording has become a distant memory. It’s worse if you’re in a group setting because you now become frustrated as the group begins asking you to repeat what you said. Unable to remember words uttered only seconds prior, it is only then that you realize how old you truly are.

If you’ve ever faced this situation, do not fear. There are several tools and techniques you can use to speed up and improve your report writing. But first, we must address the five big problems with writing reports:

1. We think faster than we write
2. Our million dollar thoughts come at the wrong time
3. We believe in writer’s block
4. We look for perfection in the first paragraph
5. We don’t understand and/or appreciate the writing process

5 Problems with audit report writing
We think faster than we write
We’ve all been there. Browsing through our cabinets trying to make a mental grocery list. Then you reach the point where there are too many items to remember. You decide to write a list. You reach for your paper and before the pen touches the pad, you’ve already forgotten the five items you wanted to write.

Our brains are fascinating. I can remember where I was in the summer of 1989, but I cannot remember what I ate for breakfast this morning. It is that forgetfulness that can derail your report writing.

Our million dollar thoughts come at the wrong time
Worse yet is when you have this wonderful idea, but then realize that it is 5:00 o’clock and you are stuck in traffic. There is no way you can capture that great thought without causing a pile up. So you try other techniques. You turn off the radio and repeat whatever it is over and over. You hope to continue this until you get home, or at least until you get to a stopping point. Of course something interrupts your thought and you forget what you were trying to remember.

We believe in writer’s block
Some people believe that writer’s block is a thing. I’m here to tell you, it is not. At least in the context of business writing or internal audit reports. Wikipedia define writer’s block as follows:

“Writer’s block is a condition, primarily associated with writing, in which an author loses the ability to produce new work or experiences a creative slowdown. This loss of ability to write and produce new work is not a result of commitment problems or lack of writing skills. The condition ranges from difficulty in coming up with original ideas to being unable to produce a work for years. Writer’s block is not solely measured by time passing without writing. It is measured by time passing without productivity in the task at hand.”

As you can see, writer’s block is a primary concern for creative writers. Our audit reports are, or should be, factually based non fiction. We are taking a series of facts, placing some logic and order to those facts, and providing management with a conclusion. What we are not doing, is creating new characters or developing plots and story lines. We know the beginning, middle and end of the story. Therefore, we know what to say. The problem is how do we say it so that it has the best impact given within the culture of the organization.

We look for perfection in the first paragraph
Because audit report writing is simpler than creative writing, we believe that we should be able to sit down and create the perfect prose in minutes. After all, we know the beginning, middle and end of the story. When we finally put pen to paper, our initial draft is usually not good. We then become frustrated. But I believe that frustration is because we don’t understand the writing process.

We don’t understand and/or appreciate the writing process
All the magic happens in the editing. Any writer will tell you this. Ernest Hemingway famously once said that “The first draft of anything is ****” (insert a very bad word here). As someone who has had articles published, I can tell you this is true. I can recall the first time I sent something to an editor. I thought it was an okay piece. But what came back was a magnificent manuscript. I fined tuned it a little and the result was something we were all pleased with. The writing process does not require perfection at the start. Your initial goal is to get something on the page. After that, trust the process and let the magic happen in editing.

3 tools you can use
Google voice typing
Because our brains seem to signal our mouths to speak faster than our hands can write, voice typing is the perfect shortcut to getting those wonderful words out of your head and on paper. For those unfamiliar with voice typing, you talk, it types. It’s as simple as that. Well, sort of.

The best free voice typing tool I’ve found is through Google. Log in to your account. Then, access Google Docs and open a document. Go to Tools, then Voice Typing (or you can press Ctlr+Shift+S).

You will see a microphone that may say Click to Speak. Click it, talk to it, and watch the magic happen. You will need to learn certain commands like period, comma and new paragraph. But other than that, if you speak clearly, it will recognize most speaking voices and words.

Your Cell Phone voice recorder
If barking out commands to your computer isn’t your thing, you’re in luck. There’s another option. If you’re like me, your cell phone is probably within arms reach. Grab your phone and go to your favorite app store. Search for a voice recorder. You should see several. Download one that piques your interest.

You can now record yourself talking about the audit issues. Now you will never miss that wonderfully worded paragraph that would sound great in an audit report. Once recorded, you can listen to the recording and pull out the impactful paragraphs.

Transcription
If you truly believe the recording represents your best work ever, you can have it transcribed. Yes, you heard me, transcribed. It’s not as bad or as expensive as you think. Before I get into that, I must say that I am not being paid by nor am I endorsing these specific products. there are several transcription services that I have used. Some use live transcribers while others use automated engines.

Summary

Writing audit reports can be a daunting task. But it has to be done. Nowadays we have a lot of tools that can help streamline the process. Many of the biggest issues start with us. Writer’s block is only as real as we allow it to be. Sit down and put something on paper. Use some electronic tools to get your words on paper. Almost any words will do. Afterall, the magic happens in the editing.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International have been thinking recently about what internal audit should know about ESG risks, and where best to start but with the E, which is for Environmental.

In this, the first in a series of three articles, we will drill down on Environmental risk and explore how internal audit can have an impact by focusing on key risks.

Environmental risks :
There’s no single taxonomy of environmental risks. Consider what categories your organization uses and what is used elsewhere in the sector. The following should all be covered, at a minimum, but may be described in different ways using different terminology:

Climate change :
This should include the effect of greenhouse gas (GHG) emissions – we usually talk about carbon dioxide but there are seven gases covered by the GHG protocol
Pollution from emissions and discharge (i.e., water, soil, air)
Biodiversity loss and deforestation
Waste management
Resource use – impacts of raw materials, production, transportation, and distribution (consider water, energy, and other natural resources)
Hazardous materials
There is clearly an interplay between these risks, but as they represent the major environmental impacts, this offers a good starting point.

This should fit neatly into your existing risk assessment process. Typical impacts for the organization will be reputational, legal and regulatory, financial, operational, and ultimately strategic. All things we are very familiar with.

Getting started – Determining the key risks
Every organization is different. You will need to start with a risk assessment to determine the key risks, potentially using the list above. To do this, you will need to understand the main environmental issues in your business, considering a number of factors:

What sector(s) you are in, and what are the main impacts of that sector. Search out industry guidance from standard setters such as GRI (Global Reporting Initiative), international business groups, such as the World Economic Forum, and thought leaders, such as McKinsey. It is important to consider all the main parts of your business, from the environmental impact of the raw materials you source, through transportation, production, and sales. Although focus on your immediate impacts may be easier, the impacts outside your organization’s immediate control are often more significant. For example, a significant environmental impact of electronics is the extraction of rare earth metals essential for their production.
Where your business is based, the places in which you operate, where you source materials from, and where you sell to. This is important for a number of reasons. It drives the nature and extent of legal and regulatory risk that the organization faces. It also influences the attitudes of stakeholders, such as customers and consumers, as these may vary significantly. But bear in mind, that these factors can change quickly and this needs to be built into any risk assessment.
Requirements of your customers. This may be contractual for government or corporate procurement, or the preferences and attitudes of consumers. This is also partly based on location (as mentioned above), but in global markets, it is never that simple.

All of this (and more) should have been considered by the business (first or second line) and internal audit should leverage their work, effectively challenging and validating. If this has not been done, internal audit needs to be taking a step back and conducting a more basic evaluation of the maturity of the organization’s risk assessment process.

Some types of environmental impact will be universal and significant no matter what your business activity. These include climate change and waste, which Audit International will dig a little deeper into later in the article. Others may apply to a much greater extent in certain industries, such as those in extractive industries (oil and mining for example) and heavy manufacturing (where there may be high levels of resource use – both raw materials as inputs and energy and water in the production process).

How internal audit can make an impact :
As with any aspect of audit planning, the greatest value internal audit can bring will depend on the major risks identified. But we can’t just consider the inherent risks, we need to understand what other sources of assurance are in place and, most importantly, what activities are contributing to both the risk and the assurance. Think about the following:

What do we know about environmental management processes that are in place? What is the scope of these systems and processes?
What reporting is in place? Are external reports assured? Which stakeholders use and rely on these reports?
Are environmental factors (risks and costs) incorporated into project evaluation and capital decisions?
A common factor across many environmental risks is availability and the quality of the data. Process and controls for environmental data are generally less mature and systems are not always equipped or configured to meet the complexities and nuances of this data. This is often a great opportunity for internal audit to add value, both by providing assurance over processes and systems, and by validating the data itself. Both leverage core internal audit skills.

We can also go further, confirming that reports meet whichever standards are being applied, that management reports or projects evaluations fairly, and that these completely reflect risks as well as opportunities. However, this may require more specialized knowledge.

Some examples :

Climate change
All organizations need a response to climate change, and so while the specific needs will differ, this is an issue increasingly relevant for everyone. How can internal audit add value? Let’s look at two potential opportunities:

Has the business considered the potential physical and transitional impacts of climate change? Best practice suggests this should be done using scenario analysis that includes a range of realistic scenarios. Physical vulnerabilities may result from gradual, long-term changes in climate (chronic risks), or short-term (acute) risks, such as storms and fires during heatwaves. These potentially impact the cost-of-capital, the availability and cost of insurance rates, and cause operational disruption. Transitional impacts include changes in legislation, markets, technology, and stakeholder expectations. Internal audit can review the process used to establish scenarios and determine the impacts and, more importantly, assess actions to improve resilience, mitigate risk, and maximize opportunities.

Many corporations are now publishing disclosures under TCFD (Task Force on Climate Related Disclosures). These are becoming mandatory in some countries and are an increasing expectation from investors. External assurance, if any, is usually very limited in scope. Internal audit can provide assurance over the processes to collate data and support assertions made in the disclosures. It can also audit the data and assess the evidence supporting those assertions. Other organizations may provide (voluntarily or by regulation) data on, for example, energy use or emissions. Again, internal audit can provide similar assurance over these processes or this data, as any external assurance will generally be limited.

Waste :
Waste is an issue for all organizations, although the specific impacts will be very different across businesses. As well as the environmental impact, businesses have a cost-incentive to reduce waste, as it is increasingly expensive to treat and dispose of. Internal audit can add value in a number of ways.

Here are some examples:

– Assess whether policies support the organization’s waste strategy. Are they specific to the business and relevant for the types and locations of waste produced? Do they take into account legislation and regulation in each jurisdiction? Are they effectively implemented, understood, and followed?
– Companies often report waste information, either in annual reports or to different public authorities. How is this validated? For example, how do we know that waste is recycled or reused? Are there controls to independently verify how the waste has been treated? In many countries, responsibility for safe disposal rests with the waste producer, not the waste contractor.

To summarize, we have described the importance of environmental risk to all organizations and have shown how internal audit can respond to some of those risks. Internal audit can use existing tools and skills to get started, and leverage widely available sources of knowledge to find out more.

Keep an eye out for our next blog, discussing the S in ESG, which of course stands for ‘Social’.
We will explore how internal audit can address important social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

The Characteristics of Highly Successful Internal Auditors
Nobody knows it better than us here at Audit International that Internal auditors are a rare breed. To perform well in their jobs, they must have a set of skills and characteristics that are typically uncommon in one person. For example, they need to be analytical with laser-like focus, while also being “people-persons” with great communication skills. They need to be rule-followers, while also having the creativity and curiosity to blaze new trails. No one ever said it was easy, but becoming a top internal auditor takes dedication, hard work, and, as Liam Neeson said in the movie Taken: “a particular set of skills.”
We recently set out to identify the skills and characteristics good internal auditors must possess to perform well in their jobs. We found that some, like curiosity and integrity, are typically characteristics that are just part of our personality or not. Others, like technological know-how and communication abilities can be learned and honed through professional development and training courses. Others lie somewhere in the middle.
This is by no means an exhaustive list. There are many other skills and attributes not listed here, such as knowledge of the business, project management capabilities, and relationship building that are important to thriving as an internal auditor. Yet these are the qualifications chief audit executives, senior managers, and board members cite most often as the key abilities they are looking for in good internal auditors.
Regardless of how we acquire them, and in no particular order, here are the top six characteristics internal auditors should possess:
1) Great Communication Skills
It’s no secret that internal auditors need to be excellent communicators to execute their jobs well, however, that requirement has only increased as the COVID-19 pandemic closed offices and employees were forced to work from their homes. Now internal auditors must often conduct audits remotely, interviewing process owners and others through phone calls and video conferencing. It’s one thing to assess body language, tone, and facial expressions from across a desk or conference table, but quite another to read those important non-verbal cues during a Zoom call or over some other digital communication platform.
It doesn’t stop there. Internal auditors have many constituencies to serve. From their audit customers to senior management and the board, they must be able to navigate many relationships within the organization and sometimes bridge seemingly conflicting views on what’s important to the company. That takes great communication skills and any internal auditor that doesn’t possess them will likely falter in their roles.
2) Unyielding Curiosity
Good internal auditors ask why? Great internal auditors keep asking “why?” Like a child who follows up one question of “why?” with “OK, but why?” top internal auditors keep asking questions until they fully understand the issues at hand. They are not easily swayed with a pat answer or put off the trail with an explanation that doesn’t quite add up. Their natural curiosity keeps them pushing until they find the answers and explanations that satisfies them—in other words, when there are no more “why” questions to ask.
Such intellectual curiosity doesn’t just serve good internal auditors well in the pursuit of fraud and wrongdoing, either. It helps them fully understand how controls, processes, and business units work, so they can make recommendations to improve them.
3) Technological Savvy
Increasingly, the job of the internal auditor relies on technological tools, such as data analytics, cloud-based application platforms, and data visualization. Indeed, the internal auditor of the future will likely also need to be an expert—or at least proficient—in such areas as artificial intelligence, machine learning, and technologies still out on the horizon. For this reason, internal auditors who don’t embrace new technologies and learn enough about them to at least begin to experiment with new ways of doing things will be left behind. While it’s important to embrace the more recent technologies that internal audit is increasingly coming to rely on to execute its duties, a digital revolution is taking place in just about every facet of the organization. To complete audits of nearly any process or function will require a working knowledge of increasingly complex technologies. It’s true too, that the top risks in any organization typically involve areas like cybersecurity, data governance, and information security, all of which require internal auditors to be tech savvy..
4) Ability to Work Independently and on a Team
It might seem contradictory to say that internal auditors must be able to work on their own, but then also be good team players, but it’s true, and the remote work scenarios brought on by the pandemic have only made it truer. Internal audit has always required a good bit of independent work, but the amount has increased with remote audits and auditors working from home. The ability to work independently relies on such underlying skills as self-motivation, self-management, and accountability. Without daily meeting in the conference room and the chief audit executive looking over their shoulders, internal auditors must be resourceful and reliable to keep projects humming along. That doesn’t mean they no longer have to be able to work well with others. More recent work models, particularly agile audit, require lots of interaction and coordination. This harkens back to the importance of communication abilities, but good internal auditors are also team players.
5) Drive to Be Life-long Learners
I once asked a chief audit executive: What is the single most important thing you look for when you are hiring a new member of your internal audit team? Without hesitation, he said: “I look for someone who is always looking to learn new things.” He explained that internal auditors must be generalists and specialists at the same time. Their jobs will take them to many places and expose them to new knowledge all the time..
The fact that internal auditors get exposure to lots of different aspects and units of the business is certainly one of the benefits of the job, but it comes with challenges. They must be able to constantly digest new information and learn new parts of the business. No two audits are ever the same and without the desire to learn something new, it will be difficult for an internal auditor to approach each new assignment with the sponge-like ability to absorb new knowledge and come up to speed quickly on a process or function.
6) Integrity and Courage
Perhaps above all else, integrity and courage must be at the core traits of a high-performing internal auditor. There will be times when internal auditors are asked to look the other way or ignore some faulty control or management wrongdoing, and they must simply be able to resist the urge. It’s never easy to confront someone who isn’t doing the right thing and bring it to light, but it’s a trait that top internal auditors all possess.
One more thought on integrity and courage: We often think of these things in terms of big crises and scandals, where the internal auditor stands up to an accounting fraud that is taking place in the organization or a CEO who is up to no good. Yet it more often integrity and courage will be called up for small things, where someone is looking to cut a corner or isn’t treating others with respect. This is when integrity, along with a good moral compass can help an internal auditor push past a roadblock and get an audit back on track.
Just Add Hard Work
So, call them what you may: characteristics, skills, qualifications, or abilities, but working on these six things will go a long way toward excelling as an internal auditor. Of course, they aren’t enough in themselves to ensure a quick rise through the ranks of the internal audit team. That requires hard work and dedication to the job. But they will certainly put you on the right track.
“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
• Switzerland 0041 4350 830 59 or
• US 001 917 508 5615
E-mail:
• info@audit-international.com”

Today, Audit International are hoping to clear up a few of the most common Internal audit myths. Let us know if there are any we have overlooked, and we bet we can debunk those ones too.

Myth: There is little creativity in internal auditing
This couldn’t be further from the truth. Internal auditors are called on to do a hard job, that much is true. That job can be operationally challenging, “dry” in content (which is subjective), and seemingly “behind the scenes”. However, as Workiva states, IAs are increasingly using brand power and social media to better communicate what they do and its centrality to business operations.
• “For instance, a team I used to work on rebranded from “Internal Audit” to “Risk Advisory and Assurance.” It helped answer questions about what we do and provided clarity to the types of services we provided”.
If internal audits are seen to be working in the shadows, the time is now to dispel those rumours of bean-counting and step into the fore!

Myth: IAs are the business police
Stinnett Associates describes how they go about amending this viewpoint perfectly, by urging internal auditors to focus on “process improvement” as the real essence and philosophy of the role, rather than letting stakeholders confer amongst themselves that IAs are only in it to stifle business, innovation, creative thought or operational independence.
Owning this new narrative is super important: IAs are integral to business success, and vital elements in non-auditors doing even better in their roles thanks to IA’s fastidious attention to regulatory and ethical performance.

Myth: Aren’t internal auditors just accountants by another name?
While accounting provides some critical skills needed to be a successful internal auditor, the industry draws from a wide range of backgrounds and skills, from tech and IT to engineering.
The real skills needed – diligence, a high regard for quality services, fastidiousness, great communication and creative thinking – means that people from a wide variety of backgrounds with training can enjoy a career in internal audit.

Myth: Internal audits are the same as external audits
No, they are not the same. While some parts of the day-to-day job of an internal and external auditor are parallel – both evaluate controls, report to seniors, and work with audit programmes – the outcomes and flexibility of internal auditing drastically differs.
As Moss Adams in their presentation titled Busting the Myths Surrounding Internal Audit states, “(IA) focuses on future events by evaluating controls to help the organisation accomplish its goals and objectives” rather than just meeting “materiality thresholds”.
By offering a service more “broad in scope” than external auditors, IAs provide direct, measurable business outcomes and improvements.

Myth: Internal audit is a lonely job
While “independence” of an IA’s role is a prerequisite, the truth of the matter is internal auditors straddle every department in an enterprise.
As mentioned above, the job is focused entirely on improvements, working closely with internal controls (which is a separate but often conflated field) to mitigate fraud and perfect business outcomes. This means that IA professionals get to work with their own team and every department in a company.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
• Switzerland 0041 4350 830 59 or
• US 001 917 508 5615
E-mail:
• info@audit-international.com”

This week Audit International are taking a very tongue-in-cheek look at how Internal Auditors can be the most liked person in the office, and who everyone wants to talk to around the water cooler. Read on for some insightful tips.

Outside of boxing or MMA, internal auditing has to be one of the most contentious careers around. You would never hear a department stating, “Let’s invite the internal auditors to our next staff meeting.” But I don’t think they are destined to be the policing bad guys that everyone hates to see coming. I believe that there are truly opportunities for internal auditors to become partners with audit clients.
As a matter of fact, I have heard of recent experiences that have further increased my belief in the auditor’s ability to be a trusted partner, even a sought after consultant. My source has been at their current organization almost ten years. They get along very well with audit clients, even the ones that have had bad audits results. They have open, honest relationships where they all care about the organization and its success.
My source has always been a very good technical auditor, but their current organization taught them a lot about the human side of the workplace. Many of the people they work with have become almost like an extended family. Recently, another organization approached them about being their Executive Director of Internal Auditing. This was an opportunity that they just could not refuse. Now as they reflect on the previous role, the things that they most miss are the people.
As they walked around spreading the word of leaving, they found out that the feeling was mutual. The kind words and warm hugs nearly brought them to tears and as everyone told them how big of a loss that leaving was to the company, they could not help but remind them, “You do understand, I am an auditor.”
Realistically I don’t think that other departments are supposed to like auditors, but most of them truly valued the time together. Those who didn’t like my source, at least respected them and the craft.
But then they began to wonder, what had they done to gain the trust and respect of the audit clients. So they asked a few. And I’d like to share with you the general themes I heard repeated.
Honesty is Honourable. Over the years, there were some heated discussions surrounding certain people, places and processes. Throughout it all the truth was still gently told. And this is one thing clients said they liked. Even when the news was bad. Empathy Creates Engagement. They had never considered themselves as overly empathetic at work. They believed there was always a strict line not to be crossed between work and personal. The last 10 years have taught them that there is a line and that sometimes it is okay (or even necessary) to tip toe up to it, step on, and even cross it occasionally. Your fellow co-workers are human. And these humans have hearts that sometimes need to be tended to. Kindness is Contagious. I like people. I like to see people smiling. I like to smile and laugh and joke. In the past, people would conceal this side at work. I thought work meant being serious all the time. Now I realize, if we cannot laugh at the place we spend a majority of our time, something is wrong. This applies to your colleagues too, even if you are on the audit team – it is OKAY to have a joke. And no one deserves to be treated mean when they make mistakes. Even if they are not cut out for a job, they still deserve common courtesy and decency. If we treat our audit clients with kindness, they are more receptive to the audit process. Conclusions My source has been an auditor for a long time. They say they have occasionally failed and sometimes succeeded. Through it all, they have had decent relationships with most audit clients. Technical auditing skills are extremely important, but to truly be successful you must hone in on the human side of the profession. My sources wonderful clients have taught them that honesty is honourable, empathy creates engagement, and kindness is contagious. So the one piece of advice I can offer is this; When communicating with any clients – be honest, be caring and be kind.