Saturday, December 13, 2014

2015 Internal Audit Horoscope !

 Internal Audit, here is your 2015 horoscope  :

  • January : It's normal to question why you are still in internal audit ,there is a more rewarding career in your future !
  • February :You are still confused about the difference between risk appetite and risk tolerance. Simply put, the former is the amount of food you want to eat when you are hungry (or fasting) , the latter is the maximum amount of food you can eat before you end up in the emergency room ! *
  • March : Your CIA certificate is valuable , but consider obtaining a CPA and/or a CISA  certificates if you consider a career change in the future .
  • April : keep pursing your independence ,but keep in mind that the CEO will always be the boss !
  • May :You still don't know the difference between LinkedIn and Facebook. Keep working on your IT and social media  skills !
  • June: Cyber risk is real. Your spouse will always try to access your data and browsing history.
  • JulyQuality assessment is not an intellectual luxury. Revisit IIA standards 1300 -1322.
  • August : Keep dreaming ,one day you may have a seat at the table !
  • September :Integrity and objectivity are your bread and butter ,don't leave home without them.
  •  October : Being courageous is not a risk, but an opportunity to another career !
  •  November: Posting 100 tweets and Facebook  status updates daily does not improve your communication skills .
  • December: Seriously, why did you become an internal auditor ?

The above is my attempt to be humorous ! I hope I have not offended anyone .If I did, please accept my  sincere apology.
Although I am not an internal auditor per se, I remain a strong internal audit advocate !
Wishing you all a happy ,healthy and prosperous new year .
    *This is not a technical discussion, but rather an over simplification for the purposes of this  humorous presentation !

Sunday, December 7, 2014

Internal Audit : Do you Apply " Self Root Cause Analysis" When you Fail ?

This post was insipid by a recent post by Norman Marks entitled " Why Internal Audit Fails at Many Organizations " and a training document presented by Larry D. Hubbard  entitled "Reporting Audit Issues and Root Cause Analysis " . I thought of combining the two subjects in this post !

First, we know that internal audit fails from time to time ,
Second, we know that IIA standard 2320 stipulates that Internal Audit must base conclusions and engagement results on appropriate analysis and valuations .Practice Advisory 2320 - 2 deals with root cause analysis for internal auditors .

Internal auditors are encouraged to perform root cause analysis to provide a meaning to their audit findings and recommendations.

Before I get to my point, here is a quick reminder:

What is Root Cause Analysis ?

Think Reliability website defines it as "  an approach for identifying the underlying causes of why an incident occurred so that the most effective solutions can be identified and implemented. It's typically used when something goes badly, but can also be used when something goes well."

Root Cause Analysis Techniques :

Some of the widely used techniques are :
  • The famous five why's analysis .Remember by the fifth why, you should be able to identify the root cause !
  • The Pareto analysis ( also known as the 80/20 rule)
  • Fishbone diagram
  • Fault Tree Analysis
  • Flowcharting of process flow, system flow and data flow .
The following document provides comparison of common root cause analysis tools and techniques.

Now ,when  internal audit fails , do internal auditors take a moment to perform a root cause analysis of their own failure ? I honestly ,doubt that ! It is easy to blame the failure on the lack of audit committee oversight and  lack of management support ( and these are very legitimate reasons) ,but the key to identify the root cause of the failure should start with soul searching and hard look at the internal audit activity itself !

Let's get into a hypothetical  scenario and assume that your internal audit activity has failed and you decide to perform a root cause analysis using the 5 why's .What will your why's be ?

Please participate in this mental exercise !


Wednesday, December 3, 2014

Stop calling me an "auditee"!

A reader of my post "Internal Audit Survival Kit" posted the following comment:

"Not calling Internal Audit clients "auditees" should also be on the list!". He was referring to the list of skills/characters needed for an internal auditor to survive in which I have used the term "auditee".

Let's be honest, when was the last time someone in your organization objected to the term and asked you to stop calling him an auditee ? Does anyone really care?  Does the term "auditee" enforce the "policeman" image internal auditors are trying to avoid? Does it have a negative effect on the relationship between internal audit and the rest of the organization?

This subject has been debated many times in the past and I was not planning on addressing it again. However, I thought I should address the reader's comment and the concerns of those who are offended by the term!

Many Internal Auditors believe it is an issue from the past. They believe internal auditors have already moved on and started to use "customer " and "client" instead of "auditee"! Others think it is the right term to use as it reflects what internal auditors do. They think we should call things as they are, not as people would like it to be. They object to the window dressing of the term "auditee"!

 Anyway, is the term "customer" or "client " the right term to use just because somebody said so?

Some internal auditors have suggested alternative terms such as process owners, benefactor, improvement partner and subject, in addition to client and customer

blog by Richard Chambers written a few years ago commented on this as follows:

"Auditee" is old-school.
A few years back, people undergoing an audit were most often referred to as "auditees." Today, many experts believe that the phrase has negative connotations and that "auditee" implies someone who has something done to them by an auditor. Internal audit has become a collaborative process, and terms such as "audit client" and "audit customer" indicate that we are working with management, not working on them.

As far as I am concerned, a healthy and professional relationship that adds real value to the organization is what matters at the end of the day regardless of "terms" used.

 Please share your thoughts.

Are you getting the most from the ethics mandatory hours?

 Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA cpe  r...