Sunday, April 5, 2020

How will Internal Audit look like after COVID-19?

There have been many articles and posts dealing with the Internal Audit's role during the COVID-19 crisis. These were useful, but now we need to plan for what happens next. The economic, social and financial implications of the crises are expected to be severe at least for the short term.

Eventually, this crisis will pass and most businesses will resume operations and will have to adapt to the new realities to survive. Changes to operations and mindset will need to be made at all levels including at Internal Audit Departments.

As most of you are at home during this difficult time and are probably bored, let's try to think about how the internal audit function at your organization will look like after the crises! For example:


  • Did the crisis change you as a person and how this will reflect on you as an internal auditor?
  • What lessons have you learned during the crises and what are you going to do about it?
  • What type of changes will you make to strengthen internal audit?
  • Do you anticipate an increase or decrease in the number of auditors within your department?
  • Do you anticipate management to change its perspective of internal audit (positive or negative)?
  • What would you do to be prepared for the next crisis?


I look forward to hearing your thoughts and feedback!


Tuesday, March 3, 2020

Can Internal Audit Apply Real-Time Quality Assurance?

I have recently attended a KPMG webinar that discussed "Trends and tips for internal controls over financial reporting". The presenter mentioned that the PCAOP is now focusing its reviews of the work of the accounting firms on the system of quality control such firms employe to ensure their audits meet the requirements. In response to this new approach, the presenter said that the accounting firms are improving their quality control process by shifting from "after the fact" to "real-time" quality control.

 In theory, Internal auditors should be applying the "real-time" approach to quality assurance as the International Standards for the Professional Practice of Internal Auditing require that the CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity ( standard 1300). Moreover, standard (1311) calls for internal assessments to include ongoing monitoring of the performance of the internal audit activity.

The interpretation of standard  1311 explains ongoing monitoring as:

"Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards". 

Do you believe the ongoing monitoring as mentioned above is equivalent to real-time quality control?
In practice, are you really able to apply ongoing monitoring on a daily basis?

Please share your thoughts and experience!






Picture credit:http://foothilllockandkey.com

Saturday, February 29, 2020

هل للتدقيق الداخلي دور يؤديه خلال أزمة فيروس كورونا؟



إن تأثير أزمة فيروس كورونا التي يمر بها العالم حاليا لا تقتصر على الأثار الإنسانية والصحية بل تتجاوزها لتؤثر على جميع مناح الحياة بما فيها الأثار المالية والاقتصادية سواء على مستوى الشركة أو الدولة أو العالم.

أتابع ما يكتبه خبراء التدقيق الداخلي وإدارة المخاطر (وهو قليل) حول ما اذا كان هناك دورا للتدقيق الداخلي يؤديه خلال هذه الآزمة. سأستعرض في هذه المدونة ملخصا لما قرأت و بعضا من أفكاري حول هذا الدور:  

  • بداية و بديهيا على المدقق الداخلي القيام بواجبه الانساني في الحد من انتشار الفيروس عن طريق اتباع اجراءات الوقاية المطلوبة وابلاغ شركته فور الشك باصابته بالفيروس و الحرص على اتباع الاجراءات الصحية و الادارية للشركة و السلطات المختصة.
  •  أن لا يقف موقف المتفرج و يختبئ خلف حاجز " الاستقلالية و الحياد"  خلال هذه الازمة الحادة! المطلوب من التدقيق الداخلي ابداء المرونة و التصرف بواقعية خلال هذه الازمة التي قد تكون من اخطر ما واجهه العالم منذ عقود طويلة. اعجبني ما كتبه نورمان ماركس في مدونته الاخيرة حيث قال ان على التدقيق الداخلي عرض خدماته على الادارة لمساعدتها في ادارة الازمة واعطى امثلة على ذلك مثل مساعدتها بالقيام بالمهمات التنفذية (بشكل مؤقت) و المساعدة في جمع المعلومات و الاتصالات. انصح بقراءة المدونة لما تحوية من معلومات مفيدة.
  • باعتقادي ان اهم ما جاء بالمدونة سابقة الذكر هو ان لا يشغل التدقيق الداخلي الادارة بامور التدقيق الروتينية في هذا الوقت وان يفسح لها المجال للتعاطي مع ادارة الازمة. ويقول ان خطر هذه الازمة اهم من اي خطر تم تقييمه سابقا وبنيت عليه خطة التدقيق.
  • نشر معهد المدقيقن الداخليين منذ ايام نشرة  تحتوي على اسئلة على التدقيق الداخلي ايجاد اجابات لها فيما يتعلق باجراءات و سياسات الشركة الخاصة بادارة الكوارث و استمرارية العمل, منها على سبيل المثال التحقق من ان  هذه السياسات و الاجراءات قد تم تحديثها و التدرب عليها.  وغني عن الذكر  انه من المهم ان يكون التدقيق الداخلي قد قام بهذه المراجعة قبل وقوع الازمة بمدة حتى يتسنى اكمال النواقص بالوقت المناسب.
  • قد يطلب من التدقيق الداخلي زيادة تعاونه مع المدقق الخارجي بل و مساعدته بالقيام ببعض مهامه ان تعذر على المدقق الخارجي السفر و التنقل. تعطي مقالة في جريدة الوول ستريت جورنال مثالا على تعذر المدقق الخارجي  بالقيام بمهمات حساسة للوقت مثل جرد البضاعة.
  • على التدقيق الداخلي العمل على مراقبة المعلومات التي تنتشر في الشركة حول هذه الازمة والقدرة على تمييز المعلومة الصحيحة من الزائفة ولفت نظر الادارة الى اية معلومات خاطئة او اشاعات قد تضر بالشركة.
  • متابعة المستجدات عن الازمة وتاثيرها على اعمال الشركة و التأكد بان الادارة على علم كامل بها.
  • التقييم الدائم لما يستطيع التدقيق الداخلي تقديمه للمساعدة في تجاوز الازمة باقل الخسائر حسب اشتدادها او انحسارها.
  • تقديم الاقتراحات و البدئل التي قد تساهم في التخفيف من حدة الازمة على الشركة .
  هذه بعض الافكار التي طرحت وانا على يقين بان لديكم افكارا و اقتراحات اخرى فالرجاء مشاركتها معنا. 







Monday, January 20, 2020

Can Internal Auditors Identify Corporate Identity Crisis?

According to a Globe and Mail article published a couple of days ago, Canada's favorite coffee shop chain ( Tim Hortons) is going through an identity crisis that could erode its long-established brand. I will not be discussing Tim Hortons's situation in this post even though the coffee shop is an important part of the life of almost every Canadian ( It serves 8 of every 10 cups of coffee consumed outside the home in Canada), but rather I will use it as an inspiration to discuss whether internal audit is equipped to identify corporate identity crisis before it impacts the organization's brand and reputation.

What is Corporate Identity Crisis?

In general, identity crisis in people describe a state of confusion about who they are, their role in society and what they want to achieve in life. When it comes to corporations it means that how the organization perceives itself and promotes itself is in conflict. This description was offered by Jeffery A. Jolton, Ph.D. and Tim L. Geisert of Kenexa in an article entitled "Corporate Identity Crises". They offer more explanation regarding the conflict:

"This conflict prevents the organization from being able to fully attain its goals. Some companies are well aware of the conflict, but either don’t see it as an obstacle (yet it is) or don’t know how to resolve it in order to move forward. Many companies, however, are clueless. Although it is something that others may see as obvious, the leadership isn’t aware there is a problem, and as a result, faces a wall in the company’s progress that it is unable to see"

There are many causes of identity crises in organizations such as a change in leadership, rapid growth, disruption, merger, and change in culture. The signs of identity crisis could be obvious and visible and in other times could be difficult to spot!

To identify the crisis. one should have a deep understanding of the organization's business, objectives, strategic plans, customers, competition and potential risks and disruptions.

Identity crisis could impact organizations negatively if not identified at an early stage and treated!


What Internal Audit Can Do?

Do you think internal auditors are capable of identifying the signs of corporate identity crises in their organizations? Were you personally involved in an identity crisis situation? If your answer is yes please share:


  • How you arrived at the conclusion that there may be an exposure to a crisis. What signs triggered your attention?
  • What audit steps and procedures did you employ to verify and measure the risk of identity crises?
  • What was the management reaction to your findings and recommendations?
  • Was the issue satisfactorily resolved?


In my opinion, the first step in identifying the issue is for internal audit to recognize that corporate identity crisis is a real risk that could happen to any organization! It should be part of the continuous risk assessment and audit planning.

Many techniques can be used to identify identity crisis such as observations, discussions with all levels within the organization, attending executive meetings, internal and external surveys, and culture audits.

These are my thoughts, please share yours!















Photo Credit: sdecoret/ Shutterstock)




Saturday, January 11, 2020

Internal Audit Relationship with Regulators

The Chartered Institute of Internal auditors has recently published an Internal Code of Practice which provides guidance on effective internal audit in the private and third sectors. This code builds on the success of its previous of a similar code for the financial services firms.

The code covers a wide range of areas:

  •   role and mandate of internal audit,
  •   scope and priorities of internal audit 
  •   interaction with risk management, compliance, and finance
  •   reporting results
  •   independence and authority of internal audit
  •   resources
  •   QIAP
  •   relationship with regulators
  •  Relationship with external auditors

I will limit the discussion in this post to the relationship with regulators. The code states that:

" The chief internal auditor should consider the impact of the regulatory environment and have an open, constructive and cooperative relationship with relevant regulators."


How do you interpret and apply the above statement in your country? 
Do you think the code should provide more details and guidance on this important issue?
Would your management accept an open and cooperative relationship with regulators?
What should be the nature, objectives, and scope of such a relationship?

Back in 2015, I wrote a post about  the same subject after reading a Thomson Reuters white paper, you may want to take a look at it:


Please provide your thoughts!




Sunday, January 5, 2020

Should The IIA & ISACA merge?

In a joint IIA and ISACA press release back in 2010, the following statement was included to explain why the management of both organizations have met to discuss shared challenges and opportunities:


"Given the similar—but not same—nature of ISACA’s and The IIA’s professional areas, it is not surprising that the organizations have faced many of the same situations over the past several years." 


A decade later and while we acknowledge that there is a reasonable level of coordination between both organizations, one can not stop wondering if there is a need for both organizations to merge to better serve their members and customers!

Should the rapid change in professional roles, technology, disruption, risks and stakeholders' expectations justify a merger? There were indications throughout various surveys that CAE's are now more involved in the management of IT audits and that this trend is expected to continue in the future. Is this enough reason to start thinking about a merger?

I have raised the merger issue in several posts in the past but did not receive enough feedback! I hope we can now start a debate on this issue. I would love to hear the views of those who support and oppose such a merger!

These are my thoughts, please share yours.




 

Friday, December 20, 2019

What Exactly is An Agile Internal Audit?



Can Internal Auditing become Agile? Seven Keys to Thinking the Unthinkable.
 That was the title of a Forbes Article in 2017 written by Steve Denning the author of the book "The Age of Agile". Now that the unthinkable he referred to is becoming a reality for some internal audit functions and a wish list item for many functions around the world, I will in this post provide a simplified basic understanding of the agile concept for the benefit of those who are not yet familiar with it!


What is Agile?

According to the oxford dictionary, Agility means the “ability to move quickly and easily”. It is also defined as “the ability to think quickly and in an intelligent way” when it is referenced to the mindset.

Simply put, the agile methodology is a type of project management method and was mainly developed by the software development industry to reduce costs, time and improve quality & delivery. It achieves this by breaking a project into several short incremental and repeatable tasks (known as sprints that are usually 1-4 weeks in length) and by seeking the collaboration of all stakeholders and by conducting daily scrum meetings.

Scrum is a popular agile framework (process) that helps teams work together. A simple definition of scrum is described by the Altasian website as” Scrum describes a set of meetings, tools, and roles that work in concert to help teams structure and manage their work”. It also explains the difference between agile and scum by describing agile as a “mindset” while scum is the framework that gets things done!

You will often come across the term “scrum master” which is equivalent to a “project manager” in a traditional project management environment. Other important terms you need to get familiar with are:
  • Backlog:: A changing list of product requirement based on customer's needs
  • Daily Scrum: A short daily meetings (10-15 minutes) to update plan
  • Point of View (PoV): A summary of the relevant insights gained from observations
  • Definition of Done (DoD):  A set of predetermined criteria that a product needs to meet in order to be considered as being done


  An agile manifesto was developed by 17 thought leaders in 2001 which consisted of 4         core values and 12 principles:


No.
Values
Principles
1.
Individuals and Interactions Over Processes and Tools
Customer satisfaction through early and continuous software delivery
2.
Working Software Over Comprehensive Documentation
Accommodate changing requirements throughout the development process
3.
Customer Collaboration Over Contract Negotiation
Frequent delivery of working software
4.
Responding to Change Over Following a Plan
Collaboration between the business stakeholders and developers throughout the project
5.
Support, trust, and motivate the people involved
6.
Enable face-to-face interactions
7.
Working software is the primary measure of progress
8.
Agile processes to support a consistent development pace
9.
Attention to technical detail and design enhances agility
10.
Simplicity
11.
Self-organizing teams encourage great architectures, requirements, and designs
12.
Regular reflections on how to become more effective


What Does it Mean to Have an Agile Internal Audit?

Now that you are familiar with the agile concept, let’s explore how the agile methodology applies to internal audit. Let’s start with the seven keys mentioned by Steve Denning in his above-mentioned article (these were based on a PwC report). According to the report, agile pioneers in internal audit embrace the following:

1.    active and broader involvement in disruption
2.    being prepared and adaptive
3.    assessing the risk of future disruption
4.    proactive involvement in disruptive events
5.    flexible talent management
6.    flexible planning
7.    meaningful collaboration with other lines of defense

Many articles and reports were written to discuss what an agile internal audit looks like. In general, there is an agreement that the characteristics of agile internal audit are:
  • Flexible & adaptable planning and execution of work
  • Continuous collaboration with stakeholders & daily scrum meetings
  • Performance of work in repeatable sprints
  • Less documentation
  • Visualization of work on scrum boards
  • Provision of incremental reporting
    
So, how does an agile internal audit compare to a traditional internal audit? A presentation by Deloitte included the following illustration which visualizes the difference: 


 




Many Internal audit manifestos were developed. Deloitte offered the following example:



Benefits of Agile Internal Audit

 There are many benefits of applying agile to internal audits which may include:
  • Higher- quality insights and faster insight generation
  • Increased customer satisfaction
  • Enhanced internal audit planning
  • Empowered internal audit teams
  • Faster responses to changing business needs
  • Less documentation
  •  Accelerated delivery cycle
  • Clearer outcome
It is important to understand that agile is not a call for internal audit to go rogue! Flexible planning, less documentation, and the empowerment of audit teams do not mean that there should be no discipline! It means that smarter use of time and resources are applied when and where most needed (i.e auditing what matters). And certainly, agile should not be interpreted as a call for internal audit to become "reactive”. The fact that internal audit shifts its focus to address emerging risks and disruptions does not mean that internal audit should be taken by surprise by an adverse event and struggles to react to it. Internal audit should anticipate such events, to the extent possible, and should be prepared to act quickly to address such issues in a timely manner.

  
Challenges of Agile Internal Audit

Obviously adopting and implementing an agile internal audit comes with challenges! An article published by Barclay Simpsons identified the following challenges:

  • Changing mindsets: Agile auditing overhauls existing processes, which often creates tension among teams resistant to change. 
  • Accessing support: Third-party coaching and development may be required to embed Agile methods into auditing functions effectively.
  • Preventing burnout: Agile audits can be intensive, which may lead to negativity and burnout if not properly managed. 
  • Apply Agile appropriately: Not all audits are suitable for the Agile approach. Businesses may need a hybrid framework to handle unique tasks rather than shoehorn every project through an Agile system.

Other challenges include appointing the right scrum master, adapting to less documentation, management buy-in and most importantly the availability of skilled and capable internal auditors who are willing participants in agile auditing!

How to Start?

The first step of becoming agile starts with the internal audit function itself. To be precise, it starts with the mindset of the internal audit leadership to determine if it is ready for the change! Once this is accomplished, an evaluation of the capabilities and willingness of the audit team should be performed and a conclusion reached on the amount and type of outside help needed for the transformation. You may wonder if the agile approach is valuable for all internal audit shops? The chairman of the IIA Canada has answered this question as follows:

" I would say, yes. Most internal audit shops are within organizations that are currently exposed to disruption and significant change. The more a process or an auditable entity changes the greater the need for internal audit to have an agile approach to both planning and executing audits. Although, if internal audit is conducting compliance audits or audits related to an area with very little change since the last audit, choosing an agile approach may not add much value", 

The next step would be to educate the audit committee on the importance of the transformation to the agile methodology and to seek their support as well as the support (buy-in) of management.

Many experts advise that the agile approach be applied to a pilot project first. This can be used as a learning curve to evaluate and adjust agile to the company's needs. It may sound funny, but you need to apply the agile methodology to your agile transformation!

Agile requires continuous collaboration and feedback, so make sure that you seek feedback from all stakeholders and evaluate and implement them on a timely basis.

 In conclusion, an agile internal audit is…

The ability and willingness of internal auditors to leave their comfort zone and act swiftly to anticipate & address emerging risks and disruptions through continuous risk assessment, timely & meaningful communications /collaboration with stakeholders and utilization of available technology. The ultimate purpose is to provide management with real-time ( or at the speed of risk as some like to call it) insight, advice, and assurance needed to assist them with the decision-making process.


These are my thoughts, please share yours!



 



 ----------------------------------------------------------------------------------------------
 References:



How will Internal Audit look like after COVID-19?

There have been many articles and posts dealing with the Internal Audit's role during the COVID-19 crisis. These were useful, but now w...