Thursday, November 27, 2014

Internal Audit Survival Kit !

In preparation for winter, I always make sure that my car is equipped with a survivor kit ( after all , I live in Canada !) . The kit includes : a snow shovel, a thermal blanket ,water, biscuits ,matches, candles ,flash light , battery booster ,thick car tow rope ,first aid materials ...etc). Obviously, the purpose of this post is not to discuss winter preparation ,although it does not hurt to remind ourselves of its importance ,but rather to discuss internal audit !  So let's start !

like any other living thing in the world, internal audit needs to survive, not only in turbulent times ,but on daily basis .To survive ,there are certain attributes and skills that internal auditors must have.

My internal audit kit always includes my 4 p's :

- Professionalism : act professionally at all times and under any circumstances.
- Patience : it pays off at the end of the day to be patient and calm.
- Persistence :don't give up on a difficult person or process
- Personalization :people are different , study auditees and personalize how you approach them.

Other things to consider in your kit:

- Communication Skills :if you can't communicate effectively, you don't exist !
- Minimum IT knowledge : It is a must to survive !Don't become illiterate.
- Learning: make it a point to learn something new every day. Don't become a Dinosaur .
- Risk Sensors :ensure that your risk sensors are activated and working.

There are many other soft and hard skills that may be added to the kit, the above are only the basics or the "must have" to survive !

What's in your kit? What will you add to mine ?

Please share your thoughts !


Sunday, November 23, 2014

Internal Audit Independence Debated!

A recent post by Norman Marks discussing the issue of internal audit independence has started a good discussion about this very important issue . The post raised the issue of " whether the emphasis on independence should be increased o​r diminis​​​hed ." Norman has listed the views of those who support more emphasis and those who support less emphasis on independence. Both sides have some interesting and convincing arguments !

Independence is important and plays a vital role in the effectiveness and efficiency of a meaningful internal audit activity ,but it should not be used as an obstacle in performing internal audits that add value to the organization .

My comment on the issue was as follows:
" There is no such thing as absolute independence! Independence ,in my opinion, is a combination of mindset , integrity, objectivity and the ability to stand up for what you believe in !"

How do you feel about this issue ?

Saturday, November 15, 2014

Absence and Absenting of Internal Audit !

A recent tweet by Richard Chambers, Global CEO of IIA, has inspired me to write this post. His tweet read as follows :

"Absence of an internal audit function is a leading indicator of a company headed for risk management and control calamity "

I certainly strongly agree with this statement. I would like to add that there are two types of absence :
  • Actual absence: meaning that internal audit function does not exist 
  • Intentional absenting of internal audit by management: meaning that internal audit is disempowered and constrained by management.
Actual absence, when internal audit is not mandatory,  maybe due to : 
  • Size of organization
  • Available  resources
  • Assurance is provided by other sources such as external auditors, risk management and management monitoring
  • Management does not appreciate the value of internal audit
Absence. when internal audit is mandatory, is the failure to comply with regulations for reasons that may include the above or simply an indication of a possible act or intention of misconduct!

Absenting may be due to :
  • Management not believing in internal audit ( whether as a philosophy or based on past experience).
  • Failure of internal audit to be relevant and to add value
  • Possible management misconduct or intention to commit one!
In my opinion, absenting of internal audit is far more dangerous than its actual absence. It should raise a big red flag!

We all know the consequences of not having an effective and efficient internal audit function. The question is how the absence or absenting of internal audit is treated by boards, regulators and those in power to make things happen!

 These are my thoughts, please provide yours!

Wednesday, November 12, 2014

Is This Your Vision of The Future Auditor?

Today, I have attended a webinar hosted by IIA Canada ( The Future Auditor: The CAE's Endgame). Below is a summary of the major points covered during the webinar for the benefit of those who are interested in this subject.

 It started by defining the future auditor as: "The term future auditor describes a CAE  who takes definitive steps toward making this vision a reality within the organization he/she serves"

While I understand that the focus of the webinar was on CAEs, I think the term "future auditor " should cover internal auditors at all levels. I have missed the first few minutes of the webinar, so I am assuming that what is meant by " this vision" in the above statement refers to the IIA definition of internal audit as that what preceded the above statement.

The detailed definition of the future auditor included, among others,:
  • Establishes relevance by understanding the organization's business objectives and strategy and identifying risks
  • Is authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management, and internal control processes.
  • Possesses escalation authority and proactively exercises that authority to bring important matters to management and board for resolution on a timely basis

The speaker, Chris Wright of Protiviti, identified 12 ways the future auditor can create value :

  1. Think more strategically when analyzing risk and framing audit plans.
  2.  Provide early warning on emerging risks
  3.  Broaden the focus on operations, compliance and non -financial reporting issues
  4.  Strengthen the lines of defense that make risk management work
  5. Improve information for decision making across the organization
  6. Watch for signs of a deteriorating risk culture
  7. Expand the emphasis on assurance through effective communications with management  and the Board
  8. Collaborate more effectively with other independent functions focus on managing risk and compliance
  9. Leverage technology - enabled auditing
  10. Improve the control structure ,including the use of automated controls
  11. Advise on improving and streamlining compliance management
  12. Remain vigilant with respect to fraud 

The above points are valid and important, but did not provide any new perspective ! Isn't this what many CAEs' are doing today ? Where is the vision for tomorrow ?

Please share your thoughts on how the future auditor should look like .

Saturday, November 8, 2014

CAE : How Many Windows Are Broken in Your Department ?

For those not familiar with the broken window theory* , it simply states that "If a window in a building is broken and left unrepaired, the rest of the windows will soon be broken as well, because the unrepaired window signals that no one cares".**

Simply put, the theory is mainly used by police departments (especially in big US cities) by making arrests for small crimes to prevent larger ones. As expected, there are supporters and critics of the theory ,the purpose of this post is not to offer an opinion on it, but rather to use it as a metaphor !

The internal audit "building" consists of many windows ,the CAE needs to check if any of these windows is broken in continuous basis and fix it immediately . Examples of  broken windows are:

  • lack of zero tolerance policy regarding weaknesses in integrity ,objectivity or independence,
  • Lack of  relevant training and poor hiring policy
  • Poor communication quality,
  • Lack or non- existence of a marketing plan
  • Lack of soft skills among the internal audit team,
  • Low self esteem
  • High turnover
  • Lack of IT skills
The above is not a comprehensive list, but a sample of weaknesses in the internal audit function .

I have not included lack of  understanding of the organization's strategic objectives,business and associated risks as windows ,because these are much bigger issues and constitute the foundation of the internal audit building !

The end game of having unfixed  broken windows in internal audit is that the internal audit looses respect and become irrelevant !

How many broken windows do you have in your internal audit department ?How do you discover and fix them ?

Please share your experience and thoughts .

* By James Quinn Wilson


Monday, November 3, 2014

Do External Auditors Take Internal Auditors Seriously ?

I have a confession to make! When I was in external audit (many years ago) ,the general feeling was that we, the big 5 ( back then ) consultants & auditors, are the best of the best in our industry and nobody is comparable to us! In that spirit, internal auditors were looked at as boring employees with no real skills and ambitions! Accordingly, using the work of internal auditors was not something that  some external auditors took seriously at that time !

The reason for this perception or stereotyping was due to external auditors suffering from the "big ego" syndrome and internal auditors suffering from the "low ego" syndrome! Needless to say both were wrong. At that time, internal auditors failed miserably to market themselves and to bring their skills up to date. The above statements are based on my personal experience at a  specific point of time in specific geographic areas ,but my feeling is that it was a wide spread perception!

That was the pas , what about the present? As for me personally, I have shifted my focus from external audit to internal audit and became a strong advocate of the internal audit profession. I am pleased with the progress internal auditors have made during the last decade although they still need to work harder on their development . I think there is a healthy shift in how external auditors perceive internal auditors  and a greater reliance on their work! But is it enough? Do external auditors take internal auditors seriously and seek to cooperate with them ?

I don't have a definitive answers to the above questions ,so please contribute to this discussion and share your views and experience .

Saturday, November 1, 2014

Internal Audit: It is Time for Self - Judgment Day!

As we approach the year-end, it would be a good time for the internal audit activity to take a moment to look hard at its achievements and shortcomings of the year. While the achievements are a pleasant topic to cover, the shortcomings are not!

In order to have a meaningful self-assessment/ self-judgment, the CAE should exercise:
 - and most importantly he/she should put his/her ego aside!

The self-assessment/self-judgment should be a continuous process and taken seriously by the CAE. Just remember that if you don't do it yourself, someone else will do it for you! It obviously should be an integral part of the activity's quality assurance and improvement program (QAIP).

 In my opinion,  it starts with determining the internal audit objectives for the year and the mechanism/ approach to achieve them. Let's not forget that we also need to assess the risks that might endanger reaching these objectives!

It may sound an old-fashioned approach, but preparing some sort of  a "register " to  captures the shortcomings as they are identified or detected may help in reviewing:

- what went wrong
- why it happened
- how can we fix it

During the " self-judgment day" the CAE should address, among other things, the following topics:

- Management and audit committee satisfaction with internal audit performance
- His/her satisfaction with the performance of the activity as well as audit team satisfaction!
- should honestly answer the question: did we really add value and made a difference?
- what new skills did the internal audit "as an aggregate" add to its skills pool?
- Is the internal audit up-to-date when it comes to risk, IT, business, regulatory issues?
The list of topics can go on and on depending on the complexity of the operations and the experience of the CAE! The purpose of this blog is not to list all these topics in details, but rather to serve as a reminder of the importance of taking an honest moment to evaluate our performance.

Happy self-judgment day!

Are you getting the most from the ethics mandatory hours?

 Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA cpe  r...