Saturday, December 13, 2014

2015 Internal Audit Horoscope!

Internal Audit, here is your 2015 horoscope:

  • January: It's normal to question why you are still in internal audit; there is a more rewarding career in your future!
  • February: You are still confused about the difference between risk appetite and risk tolerance. Simply put, the former is the amount of food you want to eat when you are hungry (or fasting); the latter is the maximum amount of food you can eat before you end up in the emergency room! *
  • March: Your CIA certificate is valuable, but consider obtaining a CPA and/or a CISA certificate if you consider a career change in the future.
  • April: Keep pursuing your independence, but keep in mind that the CEO will always be the boss!
  • May: You still don't know the difference between LinkedIn and Facebook. Keep working on your IT and social media skills!
  • June: Cyber risk is real. Your spouse will always try to access your data and browsing history.
  • July: Quality assessment is not an intellectual luxury. Revisit IIA standards 1300-1322.
  • August: Keep dreaming, one day you may have a seat at the table!
  • September: Integrity and objectivity are your bread and butter, don't leave home without them.
  • October: Being courageous is not a risk, but an opportunity to another career!
  • November: Posting 100 tweets and Facebook status updates daily does not improve your communication skills.
  • December: Seriously, why did you become an internal auditor?

The above is my attempt to be humorous! I hope I have not offended anyone. If I did, please accept my sincere apology.
Although I am not an internal auditor per se, I remain a strong internal audit advocate!
Wishing you all a happy, healthy and prosperous new year.
    *This is not a technical discussion, but rather an oversimplification for the purposes of this humorous presentation!

Sunday, December 7, 2014

Internal Audit: Do you Apply "Self Root Cause Analysis" When you Fail?

This post was inspired by a recent post by Norman Marks entitled "Why Internal Audit Fails at Many Organizations" and a training document presented by Larry D. Hubbard entitled "Reporting Audit Issues and Root Cause Analysis". I thought of combining the two subjects in this post!

First, we know that internal audit fails from time to time.
Second, we know that IIA standard 2320 stipulates that Internal Audit must base conclusions and engagement results on appropriate analysis and evaluations. Practice Advisory 2320-2 deals with root cause analysis for internal auditors.

Internal auditors are encouraged to perform root cause analysis to provide meaning to their audit findings and recommendations.

Before I get to my point, here is a quick reminder:

What is Root Cause Analysis?

The Think Reliability website defines it as "an approach for identifying the underlying causes of why an incident occurred so that the most effective solutions can be identified and implemented. It's typically used when something goes badly, but can also be used when something goes well."

Root Cause Analysis Techniques:

Some of the widely used techniques are:
  • The famous five why's analysis. Remember, by the fifth why, you should be able to identify the root cause!
  • The Pareto analysis (also known as the 80/20 rule)
  • Fishbone diagram
  • Fault Tree Analysis
  • Flowcharting of process flow, system flow and data flow.
The following document provides a comparison of common root cause analysis tools and techniques.

Now, when internal audit fails, do internal auditors take a moment to perform a root cause analysis of their own failure? I honestly doubt that! It is easy to blame the failure on the lack of audit committee oversight and lack of management support (and these are very legitimate reasons), but the key to identifying the root cause of the failure should start with soul searching and a hard look at the internal audit activity itself!

Let's get into a hypothetical scenario and assume that your internal audit activity has failed and you decide to perform a root cause analysis using the 5 why's. What will your why's be?

Please participate in this mental exercise!


Wednesday, December 3, 2014

Stop calling me an "auditee"!

A reader of my post "Internal Audit Survival Kit" posted the following comment:

"Not calling Internal Audit clients "auditees" should also be on the list!". He was referring to the list of skills/characters needed for an internal auditor to survive in which I have used the term "auditee".

Let's be honest, when was the last time someone in your organization objected to the term and asked you to stop calling him an auditee ? Does anyone really care?  Does the term "auditee" enforce the "policeman" image internal auditors are trying to avoid? Does it have a negative effect on the relationship between internal audit and the rest of the organization?

This subject has been debated many times in the past and I was not planning on addressing it again. However, I thought I should address the reader's comment and the concerns of those who are offended by the term!

Many Internal Auditors believe it is an issue from the past. They believe internal auditors have already moved on and started to use "customer" and "client" instead of "auditee"! Others think it is the right term to use as it reflects what internal auditors do. They think we should call things as they are, not as people would like them to be. They object to the window dressing of the term "auditee"!

Anyway, is the term "customer" or "client" the right term to use just because somebody said so?

Some internal auditors have suggested alternative terms such as process owners, benefactor, improvement partner and subject, in addition to client and customer.

A blog by Richard Chambers, written a few years ago, commented on this as follows:

"Auditee" is old-school.
A few years back, people undergoing an audit were most often referred to as "auditees." Today, many experts believe that the phrase has negative connotations and that "auditee" implies someone who has something done to them by an auditor. Internal audit has become a collaborative process, and terms such as "audit client" and "audit customer" indicate that we are working with management, not working on them.

As far as I am concerned, a healthy and professional relationship that adds real value to the organization is what matters at the end of the day regardless of "terms" used.

 Please share your thoughts.

Thursday, November 27, 2014

Internal Audit Survival Kit!

In preparation for winter, I always make sure that my car is equipped with a survival kit (after all, I live in Canada!). The kit includes: a snow shovel, a thermal blanket, water, biscuits, matches, candles, a flashlight, a battery booster, a thick car tow rope, first aid materials, etc. Obviously, the purpose of this post is not to discuss winter preparation, although it does not hurt to remind ourselves of its importance, but rather to discuss internal audit! So let's start!

Like any other living thing in the world, internal audit needs to survive, not only in turbulent times, but on a daily basis. To survive, there are certain attributes and skills that internal auditors must have.

My internal audit kit always includes my 4 P's:

- Professionalism: act professionally at all times and under any circumstances.
- Patience: it pays off at the end of the day to be patient and calm.
- Persistence: don't give up on a difficult person or process.
- Personalization: people are different; study auditees and personalize how you approach them.

Other things to consider in your kit:

- Communication Skills: if you can't communicate effectively, you don't exist!
- Minimum IT knowledge: It is a must to survive! Don't become illiterate.
- Learning: make it a point to learn something new every day. Don't become a dinosaur.
- Risk Sensors: ensure that your risk sensors are activated and working.

There are many other soft and hard skills that may be added to the kit; the above are only the basics or the "must have" to survive!

What's in your kit? What will you add to mine?

Please share your thoughts !


Sunday, November 23, 2014

Internal Audit Independence Debated!

A recent post by Norman Marks discussing the issue of internal audit independence has started a good discussion about this very important issue. The post raised the issue of "whether the emphasis on independence should be increased or diminished." Norman has listed the views of those who support more emphasis and those who support less emphasis on independence. Both sides have some interesting and convincing arguments!

Independence is important and plays a vital role in the effectiveness and efficiency of a meaningful internal audit activity, but it should not be used as an obstacle in performing internal audits that add value to the organization.

My comment on the issue was as follows:
"There is no such thing as absolute independence! Independence, in my opinion, is a combination of mindset, integrity, objectivity and the ability to stand up for what you believe in!"

How do you feel about this issue ?

Saturday, November 15, 2014

Absence and Absenting of Internal Audit !

A recent tweet by Richard Chambers, Global CEO of IIA, has inspired me to write this post. His tweet read as follows :

"Absence of an internal audit function is a leading indicator of a company headed for risk management and control calamity "

I certainly strongly agree with this statement. I would like to add that there are two types of absence:
  • Actual absence: meaning that the internal audit function does not exist
  • Intentional absenting of internal audit by management: meaning that internal audit is disempowered and constrained by management.
Actual absence, when internal audit is not mandatory, may be due to:
  • Size of organization
  • Available resources
  • Assurance is provided by other sources such as external auditors, risk management and management monitoring
  • Management does not appreciate the value of internal audit
Absence, when internal audit is mandatory, is the failure to comply with regulations for reasons that may include the above or simply an indication of a possible act or intention of misconduct!

Absenting may be due to:
  • Management not believing in internal audit ( whether as a philosophy or based on past experience).
  • Failure of internal audit to be relevant and to add value
  • Possible management misconduct or intention to commit one!
In my opinion, absenting of internal audit is far more dangerous than its actual absence. It should raise a big red flag!

We all know the consequences of not having an effective and efficient internal audit function. The question is how the absence or absenting of internal audit is treated by boards, regulators and those in power to make things happen!

 These are my thoughts, please provide yours!

Wednesday, November 12, 2014

Is This Your Vision of The Future Auditor?

Today, I attended a webinar hosted by IIA Canada (The Future Auditor: The CAE's Endgame). Below is a summary of the major points covered during the webinar for the benefit of those who are interested in this subject.

It started by defining the future auditor as: "The term future auditor describes a CAE who takes definitive steps toward making this vision a reality within the organization he/she serves"

While I understand that the focus of the webinar was on CAEs, I think the term "future auditor" should cover internal auditors at all levels. I missed the first few minutes of the webinar, so I am assuming that what is meant by "this vision" in the above statement refers to the IIA definition of internal audit, as that is what preceded the above statement.

The detailed definition of the future auditor included, among others:
  • Establishes relevance by understanding the organization's business objectives and strategy and identifying risks
  • Is authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management, and internal control processes.
  • Possesses escalation authority and proactively exercises that authority to bring important matters to management and board for resolution on a timely basis

The speaker, Chris Wright of Protiviti, identified 12 ways the future auditor can create value :

  1. Think more strategically when analyzing risk and framing audit plans
  2. Provide early warning on emerging risks
  3. Broaden the focus on operations, compliance and non-financial reporting issues
  4. Strengthen the lines of defense that make risk management work
  5. Improve information for decision making across the organization
  6. Watch for signs of a deteriorating risk culture
  7. Expand the emphasis on assurance through effective communications with management and the Board
  8. Collaborate more effectively with other independent functions focused on managing risk and compliance
  9. Leverage technology-enabled auditing
  10. Improve the control structure, including the use of automated controls
  11. Advise on improving and streamlining compliance management
  12. Remain vigilant with respect to fraud

The above points are valid and important, but did not provide any new perspective! Isn't this what many CAEs are doing today? Where is the vision for tomorrow?

Please share your thoughts on what the future auditor should look like.

Saturday, November 8, 2014

CAE: How Many Windows Are Broken in Your Department?

For those not familiar with the broken window theory*, it simply states that "If a window in a building is broken and left unrepaired, the rest of the windows will soon be broken as well, because the unrepaired window signals that no one cares".**

Simply put, the theory is mainly used by police departments (especially in big US cities) by making arrests for small crimes to prevent larger ones. As expected, there are supporters and critics of the theory. The purpose of this post is not to offer an opinion on it, but rather to use it as a metaphor!

The internal audit "building" consists of many windows. The CAE needs to check on a continuous basis whether any of these windows is broken and fix it immediately. Examples of broken windows are:

  • Lack of a zero-tolerance policy regarding weaknesses in integrity, objectivity or independence
  • Lack of relevant training and poor hiring policy
  • Poor communication quality
  • Lack or non-existence of a marketing plan
  • Lack of soft skills among the internal audit team
  • Low self-esteem
  • High turnover
  • Lack of IT skills
The above is not a comprehensive list, but a sample of weaknesses in the internal audit function.

I have not included lack of understanding of the organization's strategic objectives, business and associated risks as windows, because these are much bigger issues and constitute the foundation of the internal audit building!

The end game of having unfixed broken windows in internal audit is that internal audit loses respect and becomes irrelevant!

How many broken windows do you have in your internal audit department? How do you discover and fix them?

Please share your experience and thoughts .

* By James Quinn Wilson


Monday, November 3, 2014

Do External Auditors Take Internal Auditors Seriously?

I have a confession to make! When I was in external audit (many years ago), the general feeling was that we, the big 5 (back then) consultants & auditors, are the best of the best in our industry and nobody is comparable to us! In that spirit, internal auditors were looked at as boring employees with no real skills and ambitions! Accordingly, using the work of internal auditors was not something that some external auditors took seriously at that time!

The reason for this perception or stereotyping was due to external auditors suffering from the "big ego" syndrome and internal auditors suffering from the "low ego" syndrome! Needless to say, both were wrong. At that time, internal auditors failed miserably to market themselves and to bring their skills up to date. The above statements are based on my personal experience at a specific point of time in specific geographic areas, but my feeling is that it was a widespread perception!

That was the past; what about the present? As for me personally, I have shifted my focus from external audit to internal audit and became a strong advocate of the internal audit profession. I am pleased with the progress internal auditors have made during the last decade, although they still need to work harder on their development. I think there is a healthy shift in how external auditors perceive internal auditors and a greater reliance on their work! But is it enough? Do external auditors take internal auditors seriously and seek to cooperate with them?

I don't have definitive answers to the above questions, so please contribute to this discussion and share your views and experience.

Saturday, November 1, 2014

Internal Audit: It is Time for Self - Judgment Day!

As we approach the year-end, it would be a good time for the internal audit activity to take a moment to look hard at its achievements and shortcomings of the year. While the achievements are a pleasant topic to cover, the shortcomings are not!

In order to have a meaningful self-assessment/ self-judgment, the CAE should exercise:
 - and most importantly he/she should put his/her ego aside!

The self-assessment/self-judgment should be a continuous process and taken seriously by the CAE. Just remember that if you don't do it yourself, someone else will do it for you! It obviously should be an integral part of the activity's quality assurance and improvement program (QAIP).

In my opinion, it starts with determining the internal audit objectives for the year and the mechanism/approach to achieve them. Let's not forget that we also need to assess the risks that might endanger reaching these objectives!

It may sound like an old-fashioned approach, but preparing some sort of a "register" to capture the shortcomings as they are identified or detected may help in reviewing:

- what went wrong
- why it happened
- how can we fix it

During the " self-judgment day" the CAE should address, among other things, the following topics:

- Management and audit committee satisfaction with internal audit performance
- His/her satisfaction with the performance of the activity as well as audit team satisfaction!
- should honestly answer the question: did we really add value and make a difference?
- what new skills did the internal audit "as an aggregate" add to its skills pool?
- Is the internal audit up-to-date when it comes to risk, IT, business, regulatory issues?
The list of topics can go on and on depending on the complexity of the operations and the experience of the CAE! The purpose of this blog is not to list all these topics in details, but rather to serve as a reminder of the importance of taking an honest moment to evaluate our performance.

Happy self-judgment day!

Friday, October 17, 2014

Bibi Consulting: Where Quality Meets Integrity!

With us, you enjoy high quality professional services and a high level of integrity (not to mention very reasonable fees)!


Monday, October 13, 2014

Bibi Consulting: Your Trusted Internal Audit Consultants

A combination of the big firms' quality service and the small firms' fee structure is what you will enjoy when you use our services. Our commitment to you is simple:

If you do not believe that we have added value to your organization, do not pay any fees!
 (only the associated expenses, if any)

So act today: call us and let's discuss your internal audit needs!


Saturday, August 16, 2014

Integrated Assurance: A practice or a wish?

There have been many calls over the years to coordinate internal audit, risk management, compliance and other assurance work and align it with the strategic objectives of the organization, not only to simplify reporting, but also to streamline oversight.

Integrated assurance is also referred to as "coordinated" or "combined" assurance. Regardless of the name, those who support the notion of integrated assurance believe that it provides the following benefits:

- Elimination of duplication of efforts
- Cost Synergies
- Focus on important risks
- Better and simplified reporting to the Board
- Maximize control efficiencies

But what is really meant by integrated assurance? In researching the web for definitions, I kept finding references to the King III guidance in South Africa, which provides the following definition:
"Integrating and aligning assurance processes in a company to maximize risk and governance oversight and control efficiencies, and optimize overall assurance to the audit and risk committee, considering the company’s risk appetite."
I have not seen any other source of definition!
Some people believe that Internal Audit should lead the integrated assurance. They base this on the requirement of IPPF standard 2050 which stipulates:
"The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts."
Has your company integrated assurance activities, or have you heard of any other company that did so? How was it done and what role did internal audit play?
Please share your experience and thoughts!



Monday, August 4, 2014

IPPF Proposed Changes: A Real Change or A Cosmetic One?

The IIA has released an exposure draft outlining proposed enhancements to the International Professional Practices Framework (IPPF). The last significant changes to the IPPF were in 2007.

Below is a summary of the proposed changes:


A quick review of the changes may indicate they are cosmetic in nature and do not add any meaningful change. In order to comment objectively on the proposed changes, we have to study them in detail.

Internal Auditors like to call themselves agents of change! So did they manage to apply this to their own practices? Only time will tell.

Sunday, June 22, 2014

CAE: The CFO could be your best friend or worst enemy, you decide!

Although I discourage any reporting by the CAE to the CFO, be it administrative or functional, I strongly encourage a close, healthy professional relationship between both parties. Having said that, I am not suggesting that the CAE compromises his/her independence in any form or shape.

The CFO could be the best friend and strong supporter of internal audit or its worst enemy. This, in my opinion, is very much influenced by the actions of the CAE. This statement does not come from a vacuum, but from my observations over the years as an independent consultant.

Here is the argument:

- The CFO is the second most influential person after the CEO (and in some cases, the first) and an important decision maker within the organization.
- The CFO is the owner of many business processes and risks.
- The CFO possesses a wealth of information about the business and the organization's strategic objectives.
- The CFO can significantly influence how internal audit is perceived in the organization.

The big question is: How can the CAE achieve this?

- The first prerequisite is that the CAE possesses the personality and the mindset of a leader! He/she should act and deal with the CFO and other management members as an equal partner and earn their respect!
- The CAE should convince the CFO that he/she can actually add value and act as a trusted adviser. Actions speak louder than words, so this has to be proven in practice!
- Needless to say, the CAE should possess top technical and soft skills to enable him/her to play the above-mentioned role.
- I am a fan of direct and candid discussions. The CAE should arrange to meet with the CFO regularly to discuss a whole host of topics including what is going on within the organization, management's plans and directions, regulatory issues, accounting issues, internal audit trends and updates and, above all, risks and risk management issues.

In my long consulting career, I have seen CAEs who try to ignore the CFO or submit to him/her. Both approaches do not work. There is no substitute for a healthy relationship based on mutual respect.

Please share your experience with your CFO!

Tuesday, May 6, 2014

Do Internal Auditors Need a Slogan?

Almost two years ago, a member of my LinkedIn group "Internal Audit & Risk Management Consultants" posted a discussion asking members of the group to think about a slogan for the Internal Audit Department. I thought the discussion had ended a long time ago, but when all of a sudden many new comments started to pop up, I thought to revisit the issue. I thought the timing is good since we are celebrating our awareness month!
At that time, my comment on the discussion was:
"Actions speak louder than words!! Do a great job for your organization and people will come up with a slogan for you!"
I still stand by this belief. However, many other members did volunteer slogans such as:
- Our Contribution is known by the Value Addition of our Services to the Company
- We are trusted partners driving the change agenda in the Group
- We Guarantee Quality
- We help to achieve Corporate Governance
- Success together
Do you think we need a slogan? If so, what would you suggest?

Saturday, April 12, 2014

Can Internal Auditors Rely on the Work of External Auditors?

My LinkedIn connection and a member of my group "Internal Audit & Risk Management Consultants", Mostapha Osman, has written an article in the Banker Middle East magazine (page 36 of the March 2014 issue) raising an interesting issue: "Internal Audit Reliance on External Audit in the Middle East". The article discusses whether internal auditors can rely on the work of external auditors and use it as part of their internal audit work. The issue here, obviously, relates to the work external auditors perform in the course of their normal external audit procedures and does not refer to any internal audit outsourcing/co-sourcing activities. He concluded the article by saying:

"We truly believe that Internal Audit function should not rely on external auditors"

I encourage you to read the article (to which I have provided a link above) to get an understanding of how he has arrived at this conclusion. Please share your experience and thoughts.

P.S.: I had the pleasure of meeting with Mostapha face to face, and had a fruitful discussion about our profession!

Wednesday, April 2, 2014

Are Internal Auditors Still Lagging Behind?

I was saddened, not surprised though, with some of the PwC's 2014 State of the Internal Audit Profession Study findings:

  • On average only 49% of senior management and 64% of board members believe internal audit is performing well at delivering expectations.
  • More than half (55%) of senior management do not believe internal audit adds significant value.
  • Significant differences of opinion exist between stakeholders and CAEs on the nature of what is expected of internal audit.

Although the above percentages show slight improvement from the year before, it is, in my opinion, disappointing!
In your opinion, as an internal auditor, do you think that:
  • The results of this study reflect what is happening at your organization?
  • Internal auditors are not doing enough, yet, to prove themselves and gain a seat at the table.
  • Internal auditors are not doing a good job "marketing" themselves and communicating with management.
  • There is still a lack of awareness among senior management of the importance of internal audit.
  • Internal audit expectations are vague and unrealistic.
  • Nobody likes to be audited!
Please share your experience and thoughts! I think the issue at hand is a result of all of the above!
P.S.: You are invited to join my LinkedIn Group: "Internal Audit & Risk Management Consultants"



    Thursday, February 27, 2014

    When The CAE says: This Is Not Part of My Mandate!

    I read with interest what the Head of Internal Audit at Nigeria Police Pension Office has said when questioned by a court about missing funds:

    "It is not part of my official mandate to report missing funds to the Auditor General's Office"

    While I do not know the details of the case, and what the Head of Internal Audit knew or did not know at the time, this case raises the following question:

    Have you faced a similar situation? What did you do?

    Please share your experience and thoughts.

    Wednesday, February 26, 2014

    Executive Perspective on Top Risks for 2014

    The results of a risk survey by Protiviti were the subject of a webinar that I attended today. The survey covered executives from different industries with different sizes. According to the survey, here are the top 10 risks:

     1. Regulatory change and heightened regulatory scrutiny
     2. Economic conditions
     3. Sovereignty risk / political gridlock
     4. Succession challenges
     5. Organic growth
     6. Cyber threats
     7. Resistance to change
     8. Privacy / security
     9. Financial markets / currencies
    10. Health care reform

    Is the above list in line with your perspective as an internal auditor? If not, what would your list of the top 10 risks look like?

    Please share your thoughts.

    Thursday, February 20, 2014

    Internal Auditors: What is your marketing Strategy?

    Today, I attended a webinar presented by ISACA entitled:

    People-Centric Communications: Marketing Internal Audit & Conflict Management

    The presenter identified three pillars of internal audit marketing as follows:

    1. Consistent Messaging: defining internal audit, focus on objectives and outreach with managers.
    2. Continuous Education: Alleviate the fear, Newsletters, Don't use independence as an excuse

         I prefer to re-label this to continuous communication! In fact, the three pillars fall under communication!
    3. Transparency: Try not to hide anything post the audit plan

    The presenter linked marketing internal audit and conflict together by offering the following explanation:

    "With the innate fear of the word audit, conflict naturally arises"
    I do not intend to go through the webinar in detail, but rather I would like to take this opportunity to ask you to share your experience with marketing your internal audit services within your organization.

    Do you have a structured marketing strategy?
    What worked and did not work?

    More importantly, do you think you should have a marketing plan? I am personally a strong advocate of marketing and promoting internal audits. I like to think that I was successful at this!

    Please share your experience.


    Are you getting the most from the ethics mandatory hours?

     Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA cpe  r...