Takeaways from my 2023 ethics CPEs

 As you are aware, licensed CIA's are required to take at least two hours of training in the field of ethics. I have just completed mine and I would like to share with you some takeaways:

1. Becoming the everyday ethicist:

This session was presented by Amanda Erven. The one technique I liked about how to achieve this objective is by developing your own personal value statement and code of self-conduct! It is a great idea. I encourage internal auditors to adopt this important step towards becoming an everyday ethicist.

2. Exploring workplace honesty and ethical gray areas:

This session was presented by Christian Miller. I liked his discussion regarding the differences between an honest person and someone who exhibits honest behavior as shown below.

Finally, I came across a white paper by IIA Australia entitled "Why people do not accurately disclose their conflicts of interest". Here is a paragraph from it:

"There are three significant ways in which people withhold information about conflicts of interest:

1. People do not disclose conflicts of interest
2. People only partially disclose conflicts of interest
3. People give misleading disclosures that result in information being hidden

These are referred to in this White Paper as the sides of the ‘Conflict of Interest Bermuda Triangle’. Examining the reasons people do not make full disclosures of conflicts of interest will help us improve disclosure systems and internal controls over conflicts of interest."

Please share your takeaways from your ethics training with the group so we can raise awareness of the importance of ethics in our lives.

How will Internal Audit look like after COVID-19?

There have been many articles and posts dealing with the Internal Audit's role during the COVID-19 crisis. These were useful, but now we need to plan for what happens next. The economic, social and financial implications of the crises are expected to be severe at least for the short term.

Eventually, this crisis will pass and most businesses will resume operations and will have to adapt to the new realities to survive. Changes to operations and mindset will need to be made at all levels including at Internal Audit Departments.

As most of you are at home during this difficult time and are probably bored, let's try to think about how the internal audit function at your organization will look like after the crises! For example:

• Did the crisis change you as a person and how this will reflect on you as an internal auditor?
• What lessons have you learned during the crises and what are you going to do about it?
• What type of changes will you make to strengthen internal audit?
• Do you anticipate an increase or decrease in the number of auditors within your department?
• Do you anticipate management to change its perspective of internal audit (positive or negative)?
• What would you do to be prepared for the next crisis?

I look forward to hearing your thoughts and feedback!

The Proposed Internal Audit Code of Practice: A Necessity or A Duplication?

The Chartered Institute of Internal Auditors has published for consultation a draft of a proposed Internal Audit Code of Practice. According to the Institute, the 30 recommendations included in the draft are aimed at enhancing the overall effectiveness of internal audit, and its impact, in the UK and Ireland. The recommendations can be regarded as a benchmark of good practice against which organizations can assess their internal audit function.
The Institute emphasized that the code should be applied in conjunction with the existing International Professional Practices Framework (IPPF). It continued to mention that the code builds on the IIA standards and seeks to clarify expectations and requirements needed to strengthen the effectiveness and impact of internal audit.

The 30 principle-based recommendations cover the following areas:
·  Role and mandate of internal audit
· Scope and priorities of internal audit
· Reporting results
· Interaction with risk management, compliance and finance
·  Independence and authority of internal audit
· Resources
 The recommendations range from identifying the primary role of internal audit to calling for the internal audit to have sufficient and timely access to key management information and right of access to all of the organization’s records.
The code which is described as “voluntary” is written in the context of a reasonably sized organization operating in all private sector organizations within the UK and Ireland. Modifications may be needed to accommodate the size, scope, risk profile and complexity of operations of various organizations.

 After reading the recommendations, do you think they:

1.        Duplicate  the IIA standards and add little value
2.       Complement the IIA standards
3.        Add significant value to the IIA standards .

 Also, do you think other countries should adopt similar code through the  IIA chapters?

 Please share your thoughts.

  

My Publications!

Get Your Copy Today!

www.bibiconsulting.net

Educate your Internal Auditors While you Entertain Them!

The Cost of Bad Internal Audit Activities!

The cost of not having an internal audit activity is relatively well recognized and understood by most corporations and investors. However, the cost of having a bad one may not be so obvious and understood by some!

But, what is the definition of bad as it relates to this post? I am sure the first thing that jumps to your mind is the “value adding” theme! Others may add “inefficient”, “ineffective”, “irrelevant”, "weak”, “stagnant” and “stress creating” to the list! The list can go on and on depending on who is providing the input!

Regardless of the definition, the cost of having a “bad” internal audit activity may include:

- Damage to the reputation of the Internal Audit profession as a whole!

- Damage to the credibility of management and the Audit Committee at the concerned organization.

- Loss of the public and investors’ trust in the organization.

- Management not getting relevant and timely information to help make  the right decisions. Or worse, getting wrong information resulting in major problems! 

- Management and other stakeholders getting false sense of security.

- Major risks go unidentified, undetected or underestimated.

- Waste of time, resources and money!

- Loss of opportunity for real improvement of operations.

- Distraction and loss of focus on real issues.

- Disruption of business and processes.

- Negative impact on other assurance and compliance functions.

Sadly,the above is not a comprehensive list! Can you suggest more items to it?

 You may have noticed that some of the costs listed above are also applicable to situations where internal audit activities do not exist at all! Based on that and If you have to choose between having a bad internal audit activity (on the basis that something is better than nothing!) or not having one at all, which would be your choice?

The first step in “fixing” a bad internal audit activity is by admitting that there is a problem, then having the courage to seek help!

These are my thoughts,please share yours!

The Big Question:Shall I Move from External to Internal Audit?

One of my LinkedIn connections  sent me the following message:

"Dear Wa'el
 hope everything is well. as I see that you are an internal auditor professional, so I would like to ask for you advise. I'm working for Big4 as an external auditor, and recently I have received an offer from international company for an internal auditor position and I am confused if I want to move on or to stay, so as you are an internal experience auditor what do you say? Thanks in advance"

I have replied as follows:
"Dear ....,
Thank you for contacting me. While I am not a career internal auditor (I provide internal audit consultation), I will attempt to address your question as objectively as I can!
1. I have started my professional life with Arthur Andersen in the Middle East and stayed there until I became a partner! Why? Because I loved and enjoyed what I was doing and secondly, my objective from day one was to make it to the partnership level.
 Now ask yourself these questions:
- When you wake up in the morning do you look forward to going to your office or working with   clients?
- Do you really enjoy what you are doing. Do you do it with passion, or is it only a job to you?
- Are your career objectives clear an do you know what you want to be in 10 years?
2. Internal audit comes with its own challenges and limitations! Unlike external audit, internal auditors gain deeper understanding of the business but at the same time their experience may be limited to their company or to the industry it is in! Many professionals join internal audit to gain experience and move out to operations at a later stage. For the fun of it, almost each new internal auditor I talked to in the past wanted to be the CEO of the company in the near future!
3.How the internal audit activity at the company is valued and treated should be a major factor in your decision to move there. Company culture and tone at the top is an essential indicator, so do your homework!
4.If there is no strong and courageous CAE (with a vision & mission) leading the internal audit activity, then the future does not look promising!
 At the end of the day, you are the only one who can take that decision. Take it without pressure and just follow your gut!
Good luck, and please keep me informed of your decision! "


What else would you add to my answer? Have you made the move from external to internal audit? If so, what was your experience?

These are my thoughts,please share yours!

Should Internal Audit Forge Relationships with Regulators & Other Outsiders?

While updating my electronic internal audit library, I realized there are some documents that I have not read yet! One of these was a June 2015 white paper by Thomson Reuters entitled” A new order: The key skillsets necessary to thrive as Head of Internal Audit today”. The document lists skillsets that most of us are familiar with these days such as:

·         A thorough understanding of the (new) basic requirements

·         Critical thinking and the ability to continue learning

·         Deep industry experience and corporate knowledge

·         Leadership and ability to “belong” in the C-suite

·         A firm grasp of the importance of teamwork and partnering

·         And finally: The ability to view the organization with external holism

The last skillset caught my attention as I rarely come across anything similar to it in other literatures! The whitepaper explains this as:

“As regulators move beyond the strict letter of the law to point a finger at companies on issues involving culture, conduct and IT security, the burden on compliance and internal audit to anticipate appropriate standards and tests has become a constantly moving target”

It adds:

“Consulting typically requires more creative thinking than assurance work, and this may involve the acquisition of new expertise, either by the internal auditor or through subcontracting.  It is important not only for compliance and legal, but for internal audit to forge relationships with regulators, subsidiaries, suppliers and major customers and to be able to anticipate changes affecting the business”

Do you agree with this? What type of relationships (objectives, scope and nature) with regulators, customers and suppliers are you willing to forge? How do you balance this with internal audit independence?

Do you agree with the statement that consulting requires more creative thinking?

Please share your thoughts and experience!

The Fine Line Between Arrogance & Self Confidence!

A recent experience with a young Realtor, during the process of selling my house using a "for sale by owner system", has inspired me to re-examine the issue of arrogance, big ego, and self-confidence! I was contacted by the realtor's representative and was asked to give his firm a chance to present their  "sales pitch" in an effort to convince me to list my property with them instead of selling it by myself. What I took from his unsolicited visit was that " I should be humbled and honored because he showed up personally at my house since he does not chase customers (!!! ) and that his marketing technique is one of a kind "! I don't think he was pleased when I conveyed that "I have seen this movie before". Do I need to tell you that I will not be using his services any time soon!

While I strongly encourage young professionals to have self-confidence, I always warn them to be careful not to confuse it with arrogance. After all, there is a fine line between both of them!

Let's examine the definition of both terms :

Self Confidence: When you google "self-confidence" the first result that jumps at you is this definition:" a feeling of trust in one's abilities, qualities, and judgment". A simple but yet a thorough definition.

Arrogance: Urban dictionary provides my favorite definition: "The assumption that one's self-worth is far superior to others. A false sense of pride. Foolishly believing that everyone is inferior to you, looks up to you, and should bow down to your graces"

I hope the above clearly shows the difference between self-confidence and arrogance.

A May 15,2011 article in the Washington Post mentions that arrogant people (the article is about job candidates) tend to, among other things, :

• Have a tendency to speak using overbearing and harsh tones and intimidating body language.
• Display limited active listening skills.
• Answer questions almost too quickly, using “canned” or mechanical responses.

 Having said that, does arrogance lead to success?
Leisa A. Bailey, Ph.D.  said: "Arrogant people can and often do have successes but there are significant costs. Relationships are often shallow and superficial or strained. Additionally, professional successes can be fragile due to difficulties in accepting guidance and feedback and impaired abilities to accept and learn from mistakes."

My last message is: remember to check your ego at the door!

 

 

Does Courage Lead to a Career Suicide ?

Like me, you probably have recently read a few articles and blogs about the political pressure on internal auditors including the IIRF report. You may, or may not, have first-hand experience with pressure, but you know that it is a fact of life!                                                                                   

 And you probably agree with me that the CAE* should have the courage to tell things as they are. After all, courage is one of seven traits of top audit executives according to the President and CEO of The IIA. He says :

"Internal auditing is not for the faint of heart; it requires courage — real courage. Doing the right thing is not always easy, especially when pressured by circumstances and those holding the power. And yet having courage is one of the CAE’s highest callings.
The top CAEs have the courage of their convictions, the courage to call it as they see it, and the courage to step out and step up with a proactive approach to both existing and anticipated risks. They are integral to their organization’s decisions, their executive management’s knowledge and their audit committee’s confidence and peace of mind."

I couldn't agree more.

A Harvard business review article entitled "Courage as a Skill" says :

"In business, courageous action is really a special kind of calculated risk-taking. People who become good leaders have a greater than average willingness to make bold moves, but they strengthen their chances of success—and avoid career suicide—through careful deliberation and preparation. Business courage is not so much a visionary leader’s inborn characteristic as a skill acquired through decision-making processes that improve with practice. In other words, most great business leaders teach themselves to make high-risk decisions. They learn to do this well over a period of time, often decades."

The question is how do you balance between being a courageous CAE* and avoiding career suicide! A courageous CAE that does not bow to political pressure may end up being fired, downgraded or forced to resign. Do you think there should be an external mechanism of protection for the CAE? I believe the IIA chapters should take the lead in discussing with the local regulators, insurance companies and other relevant parties the introduction/improvement of suitable legal and financial protection plans if such plans do not exist. 

These are my thoughts, please share yours!

* I use the CAE as a symbol of all internal auditors!

picture credit:theazaragroup.com

Internal Auditors: Don't let Technology Turns you into Robots!

Those who follow my posts know that I always encourage internal auditors to become tech-savvy. This is because I strongly believe that IT knowledge is a "must-have" skill for internal auditors to survive, add value, and be relevant.

In this post, however, I want to warn you of a possible side effect: becoming robots! And by this, I mean losing your human touch!

Technology should make our lives and jobs much easier, but it should not control us and dictate our behavior.  More than ever before, we are dependent on electronic communication(if not addicted to) with others for social and business purposes. Emails, text messages, WhatsApp, Facebook, and other social media applications are becoming an integral part of our lives, and they are gradually replacing face-to-face interactions and phone calls.

Internal auditors need to have "soft skills," which include people management and communication skills. These can not be acquired and practiced through electronic communications alone.

The basic advice here is :

• Don't forget that you are a "human" first and a "user" of technology second.
• Don't let technology make decisions for you. Use it to make better decisions for yourself. 
• Don't let technology control you. Be in control.
• Don't "hide" behind the technology. Talk to your audit customers in person and by phone whenever possible.
• Don't put in writing what you can't tell your audit customers in person.
• Your audit customers are humans, and they expect you to treat them as such.

When was the last time you paid an audit customer a courtesy visit or picked up the phone to discuss an issue with him/her?

And finally, if you have to become a robot, be one with a heart!

These are my thoughts, please share yours!

Picture source: http://www.qwertechpost.com through Google search

How to tarnish your company's reputation in 30 seconds?‎

Yes it’s possible; it only takes an inappropriate tweet or a status update on a social media web-page such as Facebook , LinkedIn  or a short video on  You Tube to cause a major damage to a company’s hard earned reputation or brand .This could happen intentionally or as a result of ignorance or oversight.  While the company may not have control over the intentional acts, it can do something to eliminate, or at least minimize, the actions caused by ignorance or oversight. Here is what I think can be done:

• It starts with recognizing the power & risks of social media .If management does not believe in it, then such management is part of the problem, not part of the solution.
• Raise awareness at all levels in the company about the benefits and risks associated with social media.
• Conduct training to educate all employees on how to deal with social media at work or in their private life.
• Set a clear and concise social media policy and ensure that it is distributed to and understood by all employees.
• Include social media risks in the company’s risk management plan.
• Include social media behavior in the company’s Code of Ethics.
• Perform Social Media audits on continues basis.

Can you suggest more actions or discuss your company's experience with this issue ?

‎ Shall we promote the CAE to CAO?‎

The Head of the Internal Audit department is usually referred to as the Chief Audit Executives (CAE). It seems this is a generally accepted title and is being used worldwide. But, do you think that it undermines the position compared to the other “C” suite positions? For example, we don’t call the top financial person Chief Financial Executive ( CFE), we call him/her Chief Financial Officer ( CFO). The same applies to other executive positions  such as CEO, CIO , CRO...

If we really want a seat at the table, shall we start by having the right title!! Why not start by changing CAE to CAO (Chief Audit Officer).

I am interested in your views and I hope that it goes beyond “ this is a formality “ and “ substance over form” cliche!