Tuesday, May 12, 2020

Are you the same person you were before the COVID-19 crisis?

Now that you have been staying at home and working remotely for some weeks, it may be time to ask how this life-changing experience has affected you at the personal and professional levels.
Are you the same person you were before the crisis?
What has changed in your perspective of life, family, and your profession?
When you return to your office, hopefully in the near future, what will you be doing differently? Will you be doing audit planning and risk assessment the same way you used to? How will your relationships with the stakeholders be reshaped? And more importantly, how has your understanding of your role as an internal auditor changed or evolved?
If you believe this experience has not changed you, can you share why you feel this way and what contributed to your status quo?
Please share your thoughts!




Picture credit: https://liveboldandbloom.com

Sunday, April 5, 2020

What will Internal Audit look like after COVID-19?

There have been many articles and posts dealing with Internal Audit's role during the COVID-19 crisis. These were useful, but now we need to plan for what happens next. The economic, social and financial implications of the crisis are expected to be severe, at least for the short term.

Eventually, this crisis will pass and most businesses will resume operations and will have to adapt to the new realities to survive. Changes to operations and mindset will need to be made at all levels including at Internal Audit Departments.

As most of you are at home during this difficult time and are probably bored, let's try to think about what the internal audit function at your organization will look like after the crisis! For example:


  • Did the crisis change you as a person, and how will this reflect on you as an internal auditor?
  • What lessons have you learned during the crisis and what are you going to do about them?
  • What type of changes will you make to strengthen internal audit?
  • Do you anticipate an increase or decrease in the number of auditors within your department?
  • Do you anticipate management to change its perspective of internal audit (positive or negative)?
  • What would you do to be prepared for the next crisis?


I look forward to hearing your thoughts and feedback!


Tuesday, March 3, 2020

Can Internal Audit Apply Real-Time Quality Assurance?

I recently attended a KPMG webinar that discussed "Trends and tips for internal controls over financial reporting". The presenter mentioned that the PCAOB is now focusing its reviews of the work of the accounting firms on the system of quality control such firms employ to ensure their audits meet the requirements. In response to this new approach, the presenter said that the accounting firms are improving their quality control process by shifting from "after the fact" to "real-time" quality control.

In theory, internal auditors should be applying the "real-time" approach to quality assurance, as the International Standards for the Professional Practice of Internal Auditing require that the CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity (Standard 1300). Moreover, Standard 1311 calls for internal assessments to include ongoing monitoring of the performance of the internal audit activity.

The interpretation of Standard 1311 explains ongoing monitoring as:

"Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards". 

Do you believe the ongoing monitoring as mentioned above is equivalent to real-time quality control?
In practice, are you really able to apply ongoing monitoring on a daily basis?

Please share your thoughts and experience!






Picture credit: http://foothilllockandkey.com

Saturday, February 29, 2020

Does Internal Audit Have a Role to Play During the Coronavirus Crisis?



The impact of the coronavirus crisis that the world is currently going through is not limited to humanitarian and health effects; it goes beyond them to affect all aspects of life, including financial and economic effects, whether at the level of the company, the country or the world.

I have been following what internal audit and risk management experts are writing (which is not much) about whether internal audit has a role to play during this crisis. In this post I will present a summary of what I have read and some of my own thoughts about this role:

  • To begin with, and self-evidently, the internal auditor must fulfil the humanitarian duty of limiting the spread of the virus by following the required preventive measures, informing the company as soon as infection is suspected, and taking care to follow the health and administrative procedures of the company and the competent authorities.
  • Internal audit should not stand by as a spectator and hide behind the barrier of "independence and neutrality" during this acute crisis! What is required of internal audit is to show flexibility and act realistically during this crisis, which may be one of the most dangerous the world has faced in many decades. I liked what Norman Marks wrote in his recent blog post, where he said that internal audit should offer its services to management to help it manage the crisis, and gave examples such as helping it carry out executive tasks (temporarily) and helping with information gathering and communications. I recommend reading the post for the useful information it contains.
  • In my view, the most important point in the aforementioned post is that internal audit should not occupy management with routine audit matters at this time, and should give it room to deal with managing the crisis. He says that the risk of this crisis is more important than any risk that was previously assessed and on which the audit plan was built.
  • The Institute of Internal Auditors published a bulletin a few days ago containing questions that internal audit needs to find answers to regarding the company's disaster management and business continuity policies and procedures, including, for example, verifying that these policies and procedures have been updated and rehearsed. It goes without saying that it is important for internal audit to have performed this review well before the crisis occurs, so that gaps can be closed in time.
  • Internal audit may be asked to increase its cooperation with the external auditor, and even to help perform some of the external auditor's tasks if the external auditor is unable to travel and move around. An article in The Wall Street Journal gives an example of the external auditor being unable to carry out time-sensitive tasks such as inventory counts.
  • Internal audit should monitor the information circulating in the company about this crisis, be able to distinguish correct information from false, and draw management's attention to any incorrect information or rumours that could harm the company.
  • Follow developments in the crisis and their impact on the company's business, and make sure that management is fully aware of them.
  • Continuously assess what internal audit can offer to help get through the crisis with the fewest losses, as it intensifies or recedes.
  • Offer suggestions and alternatives that may help ease the severity of the crisis for the company.

These are some of the ideas that have been raised, and I am certain that you have other ideas and suggestions, so please share them with us.







Monday, January 20, 2020

Can Internal Auditors Identify a Corporate Identity Crisis?

According to a Globe and Mail article published a couple of days ago, Canada's favorite coffee shop chain (Tim Hortons) is going through an identity crisis that could erode its long-established brand. I will not be discussing Tim Hortons's situation in this post, even though the coffee shop is an important part of the life of almost every Canadian (it serves 8 of every 10 cups of coffee consumed outside the home in Canada); rather, I will use it as an inspiration to discuss whether internal audit is equipped to identify a corporate identity crisis before it impacts the organization's brand and reputation.

What is a Corporate Identity Crisis?

In general, an identity crisis in people describes a state of confusion about who they are, their role in society and what they want to achieve in life. When it comes to corporations, it means that how the organization perceives itself and how it promotes itself are in conflict. This description was offered by Jeffery A. Jolton, Ph.D. and Tim L. Geisert of Kenexa in an article entitled "Corporate Identity Crises". They offer more explanation regarding the conflict:

"This conflict prevents the organization from being able to fully attain its goals. Some companies are well aware of the conflict, but either don’t see it as an obstacle (yet it is) or don’t know how to resolve it in order to move forward. Many companies, however, are clueless. Although it is something that others may see as obvious, the leadership isn’t aware there is a problem, and as a result, faces a wall in the company’s progress that it is unable to see"

There are many causes of identity crises in organizations, such as a change in leadership, rapid growth, disruption, merger, and change in culture. The signs of an identity crisis can be obvious and visible, and at other times difficult to spot!

To identify the crisis, one should have a deep understanding of the organization's business, objectives, strategic plans, customers, competition and potential risks and disruptions.

An identity crisis could impact organizations negatively if not identified and treated at an early stage!


What Can Internal Audit Do?

Do you think internal auditors are capable of identifying the signs of corporate identity crises in their organizations? Were you personally involved in an identity crisis situation? If your answer is yes, please share:


  • How you arrived at the conclusion that there may be an exposure to a crisis. What signs triggered your attention?
  • What audit steps and procedures did you employ to verify and measure the risk of identity crises?
  • What was the management reaction to your findings and recommendations?
  • Was the issue satisfactorily resolved?


In my opinion, the first step in identifying the issue is for internal audit to recognize that a corporate identity crisis is a real risk that could happen to any organization! It should be part of the continuous risk assessment and audit planning.

Many techniques can be used to identify an identity crisis, such as observations, discussions with all levels within the organization, attending executive meetings, internal and external surveys, and culture audits.

These are my thoughts, please share yours!















Photo credit: sdecoret/Shutterstock




Saturday, January 11, 2020

Internal Audit Relationship with Regulators

The Chartered Institute of Internal Auditors has recently published an Internal Code of Practice which provides guidance on effective internal audit in the private and third sectors. This code builds on the success of its previous, similar code for financial services firms.

The code covers a wide range of areas:

  • role and mandate of internal audit
  • scope and priorities of internal audit
  • interaction with risk management, compliance, and finance
  • reporting results
  • independence and authority of internal audit
  • resources
  • QAIP
  • relationship with regulators
  • relationship with external auditors

I will limit the discussion in this post to the relationship with regulators. The code states that:

"The chief internal auditor should consider the impact of the regulatory environment and have an open, constructive and cooperative relationship with relevant regulators."


How do you interpret and apply the above statement in your country? 
Do you think the code should provide more details and guidance on this important issue?
Would your management accept an open and cooperative relationship with regulators?
What should be the nature, objectives, and scope of such a relationship?

Back in 2015, I wrote a post about the same subject after reading a Thomson Reuters white paper; you may want to take a look at it:


Please provide your thoughts!




Sunday, January 5, 2020

Should The IIA & ISACA merge?

In a joint IIA and ISACA press release back in 2010, the following statement was included to explain why the management of both organizations had met to discuss shared challenges and opportunities:


"Given the similar—but not same—nature of ISACA’s and The IIA’s professional areas, it is not surprising that the organizations have faced many of the same situations over the past several years." 


A decade later, and while we acknowledge that there is a reasonable level of coordination between both organizations, one cannot stop wondering if there is a need for both organizations to merge to better serve their members and customers!

Should the rapid change in professional roles, technology, disruption, risks and stakeholders' expectations justify a merger? There were indications throughout various surveys that CAEs are now more involved in the management of IT audits and that this trend is expected to continue in the future. Is this enough reason to start thinking about a merger?

I have raised the merger issue in several posts in the past but did not receive enough feedback! I hope we can now start a debate on this issue. I would love to hear the views of those who support and oppose such a merger!

These are my thoughts, please share yours.




 
