Sunday, December 27, 2015

2016 Internal Audit Horoscope!


Following my annual tradition, here is your 2016 horoscope!

Word of caution: it is provided for entertainment purposes only, so don't rely on it and certainly don’t be offended by it! Having said that, it does contain “between the lines” messages to internal auditors!


January: OMG, you made it to the new year! You are still an internal auditor!

February: There is a cybersecurity breach in your future! Stay calm, IT Audit will step in and solve it for you!

March: Get serious, CIA does not stand for “Clown in Action”! Although this one can be achieved without an exam! A better meaning for it would be “Competence, Integrity & Availability”.

April: Don’t worry, your seat at the table is reserved at McDonald’s!

May: This is your month! Celebrate as never before, management will understand!

June: There is a promotion in your future. You may finally be promoted to your dream 2nd LoD position!

July: Yes, you are the eyes and ears of management, but avoid sticking your nose in their business!

August: Your reputation is at risk! Watch out what you do on social media! Particular attention should be given to LinkedIn!

September: “Auditors can be audited” is not a myth! Watch your back and keep your business in order!

October: Just because you are now calling auditees "customers" does not mean that the customer is always right!

November: The year is almost over and you have not audited company culture! What are you waiting for?

December: If you still can’t explain what you do to a 10-year-old, it is time to move on and pursue another career!

On a serious note, I wish you and your families a happy, healthy and prosperous new year!

Tuesday, December 1, 2015

Should IT Audit Report to the CAE?

The ISACA/Protiviti fifth annual IT Audit Benchmarking Survey in the third quarter of 2015 was released today. While I have not had the chance to read the full 48-page report, a quick scan focused my attention on one area of the survey. It relates to the relationship between IT Audit and Internal Audit. The heading for it is:

“IT Audit in Relation to the Internal Audit Department”

The survey starts by stating that there has been no significant change in the relationship over the years. It says that many companies still have established reporting structures for IT audit that are less than optimal. It goes on to say that having the IT Audit Director report to the CAE or equivalent is best practice.

Interesting statistics from the survey:

58% of the surveyed companies have an IT Audit Director or equivalent position.

91% of the surveyed Oceania companies have an ideal reporting structure (reporting to the CAE or a director under him/her) for the IT Audit director.

The breakdown for the rest of the world is as follows:

Africa: 63%
Asia: 86%
Europe: 70%
Latin/South America: 79%
Middle East: 79%
North America: 79%
Oceania: 91%

How is IT Audit structured in your company, and to whom does it report?

Do you agree that IT Audit should report to the CAE?

A few years ago I wrote a short but wild blog post asking for the merger of the IIA and ISACA. I still stand by this crazy idea!

These are my thoughts, please share yours!

When Management Says: is this what internal auditors do?

If you have heard your management saying “is this what internal auditors do?”, chances are it was meant as a compliment, not a complaint! It means that you, the internal auditor, have said or done something that took management by surprise and exceeded what is expected from a traditional internal auditor!
If you have not heard that question/statement yet, you had better start wondering why!

How do you get there?
It takes someone with an open mind, courage, flexibility and a very high level of curiosity to get there! In particular, you need to:

Think outside the box, but stay inside it!
The concept of “think outside the box”, while widely accepted as a unique way of providing solutions, is also criticized by some as being flawed! In a 2014 Forbes article, Dileep Rao questioned the meaning of this widely used cliché and asked who defined the box. What I find interesting in the article is how he talked about the imaginary box and the real one! He said:

“The imaginary box is one that you have imposed on yourself. This box can be based on your assumptions. The real box is more difficult to define, but it is there. It can be based on what your market is willing to accept, or on the strategy you have selected, or on your capabilities.
MY TAKE: There is always a real box that you should stay inside of. The laws of physics still apply. But this real box can change with new trends and technologies. Yesterday’s real box is usually different from today’s real box. The key is to be able to separate today’s real box from the imaginary one. Yes, by all means think outside the imaginary box that imposes artificial constraints on your achievements. But stay inside the real box that is defined by your market and your capacity to satisfy your customers – if you want to win.”

For me, thinking outside the box means leaving your comfort zone, being creative, learning new things and being curious. It does not mean going astray!

Not limiting yourself
Nothing kills a profession like self-imposed and imaginary limitations! There is no limitation on thinking, applying common sense, imagining and daydreaming!
Keep in mind that the IPPF is not a fence that limits the internal audit process; it is rather its cornerstone! So, build on it and always try to improve it. The IIA has stated that the development of the standards is an ongoing process, so be part of it.

You can free yourself from your imposed limitations and turn them into abilities by unleashing these powers within you:

Imagination + daydreaming + curiosity + courage

Never underestimate the power of imagination and daydreaming! Never underestimate your capabilities! Challenge yourself every day, you won’t be disappointed!

Richard Bach once said:

“Argue for your limitations, and sure enough they're yours.”

Utilize your special status
Internal auditors enjoy a very unique status! They combine the characteristics of insiders and outsiders. They are insiders because they are employees of the company and possess a thorough understanding of its operations. They are at the same time outsiders in the sense that they are independent and are not involved in the management process.
This gives internal audit the opportunity to take an independent, fresh and holistic look at the operations from both an outsider and insider perspective.

Release your thoughts
If you have a thought that could improve operations and/or minimize risk, research it and share it! Don’t keep it in the back of your mind. Act on it even if it sounds wild! Don’t be shy to ask for advice and help in exploring and developing your thoughts.

This quote from Stephen Richards explains what thoughts are about:

“Reality is a projection of your thoughts or the things you habitually think about.”


These are my thoughts, please share yours!

Are you getting the most from the ethics mandatory hours?

Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA CPE r...