Sunday, December 30, 2012

New Year Resolution suggestions for Internal Auditors!

As we are about to start a New Year in our professional life, I thought of putting together an example of suggested New Year resolutions for internal auditors:

- Improve your IT skills & knowledge (this is a must-have).
- Keep current with the latest business, corporate governance, and internal audit issues.
- Have the courage to report things as they are.
- Keep a close eye on current and developing risks.
- Be a strong advocate and promoter of internal audit and corporate governance.
- Listen more, speak less (you need to speak up when you have to).
- Make sure you fully understand your company's strategic objectives.
- Educate Audit Committee (and others) on current trends in business, internal audit & other issues.  
- Set a goal of learning something new every day.
- Add value in everything you do.
- Always be proactive.
- Look at the big picture.
- Don't wait until December to earn your CPE!

Wishing you all a successful and prosperous new year.

Monday, December 17, 2012

Risk-based vs. Objectives-based Audits!

In complying with the IIA CPE requirements, I have re-read some of the articles in the Ia magazine. This has given me the opportunity to think about one particular article in the April 2012 issue, "Step up to the Plate".

The authors of the article say that internal auditors are shifting away from the traditional risk-based approach toward one where the company's goals and objectives become the focus. They define the new objectives-based approach as the approach where the company's objectives and goals become the central focus of the audit. The authors explain that "After all, risks are only relevant when seen in the context of the company's objectives".
The authors explain the advantages of the new approach as follows:
"The chief advantage of the objective-based approach is that it enables a more targeted audit by focusing audit resources only on those risks that truly matter to the organization’s strategies and goals. It also accounts for low-priority risks and enhances the capacity of internal audit to achieve its objectives. Implementing an objective-based approach involves:
  • Relying on people for risk input. Managers across the organization deal with risks every day. Because they understand their objectives, they tend to know instinctively which risks may impact those objectives, making them best positioned to help auditors understand the relationship between the company’s objectives and its risks.
  • Mapping risks to objectives. Internal auditors can use managers’ responses to quantify the relationships between risks and objectives. Applying this method enables practitioners to discover risks they had not considered.
  • Identifying risk patterns. Risks interact with each other and with objectives in complex ways. Auditors need to understand these interactions instead of looking at each risk in isolation. The whole is often more dangerous than the sum of its parts—much like reading a book while crossing a road is more dangerous than doing each activity independently.
  • Focusing risk management on the most critical objectives. By putting objectives before risk, auditors can mitigate those risks that impair the achievement of objectives and exploit risks that enable value creation. This helps internal auditors use audit resources efficiently, facilitate transparency, and align risk management with business strategy."
Do you agree with the above? Are you shifting your focus to the objectives-based approach?
Do you recognize the difference between the two approaches, or do you think they are the same? Don't both of them, at the end of the day, focus on risks to the achievement of objectives?

Whatever you think about this subject, I strongly recommend that you read the entire article.

Tuesday, October 23, 2012

Separating Governance from Management (COBIT 5): Does it work in practice?

The fifth principle of COBIT 5 calls for the separation of Governance from Management on the basis that these two disciplines encompass different types of activities, require different organizational structures and serve different purposes.

COBIT 5 also states that governance is the responsibility of the Board of Directors under the leadership of the Chairperson, while Management is the responsibility of executive management under the leadership of the CEO.
It also recognizes that specific governance responsibilities may be delegated to special organizational structures at an appropriate level, particularly in large, complex enterprises.

The above, in theory, sounds like a good and desirable practice. My question to you is: Do you think this works in practice? Can we completely separate Governance from Management? Do we really want management not to take part in managing Governance?

Your views are appreciated.


Tuesday, October 16, 2012

Should ISACA & IIA merge?

In a tweet today, I have raised the question of whether ISACA & IIA should merge and become one body. If there is an agreement that IT (IS) audit is part of internal audit and should be governed under one structure in a company, then why not merge ISACA & IIA? Please share your thoughts.

Sunday, August 12, 2012

My Fellow Auditors: Test your listening skills

One of the most important skills in auditors in general, and internal auditors in particular, is the ability to listen.
I like an article entitled: Now Pay Attention, Here's Why You Need Good Listening Skills by Dawn Rosenberg McKay. Below are some parts of it:

Why You Need Good Listening Skills
Good listening skills make workers more productive. The ability to listen carefully will allow you to:
  • better understand assignments and what is expected of you;
  • build rapport with co-workers, bosses, and clients;
  • show support;
  • work better in a team-based environment;
  • resolve problems with customers, co-workers, and bosses;
  • answer questions; and
  • find underlying meanings in what others say.

I also would like to add that listening is a sign of respect for the other person!

How to Listen Well
The following tips will help you listen well. Doing these things will also demonstrate to the speaker that you are paying attention. While you may, in fact, be able to listen while looking down at the floor, doing so may imply that you are not.
  • maintain eye contact;
  • don't interrupt the speaker;
  • sit still;
  • nod your head;
  • lean toward the speaker;
  • repeat instructions and ask appropriate questions when the speaker has finished.

A good listener knows that being attentive to what the speaker doesn't say is as important as being attentive to what he does say. Look for non-verbal cues such as facial expressions and posture to get the full list of what the speaker is telling you.

Barriers to Listening
Beware of the following things that may get in the way of listening:
  • bias or prejudice;
  • language differences or accents;
  • noise;
  • worry, fear, or anger; and
  • lack of attention span.

Do you think you are a good listener? Let’s put this to the test! Here are links to listening skills tests:

Good luck!


Thursday, June 14, 2012

Soft Controls: The human angle of an audit!

I have recently attended an IIA webinar about Coordinating Risk Management and Assurance. One of the poll questions was as follows:

Soft controls are easier to audit:

– True
– False
– Depends on circumstances

Almost two-thirds of the respondents chose “false” while the other third chose “it depends”.
Soft controls in the above-mentioned webinar were characterized as controls that “Tells you what’s really inside the people”.

Having determined the difficulty of auditing soft controls, my question is as follows: Are internal auditors really trained to audit soft controls? Do we need some basic training in human behavior and psychology?

Please share your thoughts and experience.


Friday, June 8, 2012

Can a CAE become a CFO?

I am always asked if a CAE can make the move to operations and become a CFO. My short answer is “yes” and my detailed answer is “it depends”.

My “yes” answer assumes that the CAE has the experience, education, and mindset that enable him/her to function as a CFO. I strongly believe that you cannot audit what you do not understand; accordingly, any successful CAE should have a good understanding of the CFO function.

My “it depends” answer refers to the fact that CFO roles may be influenced by the complexity and nature of operations of the organization. I believe that there is no “CFO” fits all type of thing. Each organization has specific requirements for its CFO experience and education. An organization going through an IPO, for example, would require a different type of CFO than a small or not-for-profit organization.

I would love to hear from CAEs who made it to the CFO position. Please share your experience, recommendations and lessons learned during this process.

Are you getting the most from the ethics mandatory hours?

Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA CPE r...