Artificial Intelligence Can Revolutionize Internal Auditing Can We Trust in Our Technologies? The IIA's New Global Board Chair Reimagines Resilience The Magic in the Mission A PUBLICATION OF THE IIA AUGUST 2020 DIGITALLY TRANSFORMED The time is now for internal auditors and the organizations they serve to adopt a digital-first mindset.

Internal Auditor English - August 2020 Internal Auditor



Our Chief Priority Is You.

Customized solutions for today’s leaders.

THE IIA’S AUDIT EXECUTIVE CENTER

As a chief audit executive (CAE), you have to anticipate the unforeseen. To sharpen your focus, look to the all-new Audit Executive Center® (AEC®). The AEC is an exclusive membership-based resource developed to support CAEs in answering the demands of their evolving roles. It empowers members to perform by delivering unparalleled access to robust content, an engaged peer network, exclusive thought leadership, and benchmarking tools.

Be at the center of everything we do. www.theiia.org/AEC


Enhance your specialized knowledge and showcase your expertise in 11 key areas by completing The IIA’s Financial Services Audit Certificate. Passing the exam at the end of the program demonstrates your competency and distinguishes you from your peers.

Learn more about this OnDemand program. | www.theiia.org/Certificate

NEW! The IIA’s Financial Services Audit Certificate


Exhibit Expertise



FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org

FEATURES

AUGUST 2020 VOLUME LXXVII: IV

24 COVER The Digitally Transformed Enterprise As organizations adapt to new ways of doing business, internal audit must expand its understanding of data and technology risk.  BY CHRISTINE JANESKO

30 The Artificially Intelligent Audit Function With planning and processes, AI can revolutionize internal audit’s work and value.  BY KITTY KAY CHAN AND TINA KIM

35 Trust in Technology Internal auditors can provide assurance that sophisticated data tools are living up to ethical standards and meeting legal requirements. BY NEIL HODGE

40 Reimagining Resilience JENITHA JOHN, chair of The IIA’s Global Board of Directors, says today’s crises require organizations to not only bounce back, but also bounce forward to achieve far-reaching transformation.

DOWNLOAD the Ia app on the App Store and on Google Play!

47 Magical Words The Mission of Internal Audit makes a powerful statement about how auditors can provide the assurance, advice, and insights that matter to their organizations.  BY NORMAN MARKS

52 Agile Auditing Simplified This project management methodology can increase audit transparency, communication, and accountability. BY AMANPRIT KAUR KALLER


MEMBERSHIP MEANS MORE INDUSTRY-SPECIFIC CONTENT

Specialty Audit Centers Now Included With Membership

Your IIA membership now includes full access to our Specialty Audit Center resources at no additional cost. Discover a vast network of industry-specific content you can’t find anywhere else, created and aggregated to keep you influential, impactful, and indispensable.

Financial Services | Public Sector | Environmental, Health & Safety

Learn more. www.theiia.org/SpecialtyCenters


DEPARTMENTS

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations. Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2020 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. CANADA POST INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.

ONLINE InternalAuditor.org

Pandemic Poses Dual Cybersecurity Challenges Organizations need to secure the technology required for remote work now and anticipate the security challenges of a post-crisis world.

Where Did All the Payments Go? Nearly two decades after the Enron scandal, another big company is embroiled in a scandal over irregular accounting.

Managing in a Crisis The pandemic calls on audit functions to provide real-time assurance and adopt a more collaborative approach.

Auditing in a Disruptive Environment To keep pace with emerging technologies, practitioners must augment their skills and adapt to rapidly changing conditions.

COVER: ILLUSTRATION BY SEAN YATES; THIS PAGE, TOP: ALEXYZ3D / ISTOCK.COM, BOTTOM: SORBETTO / ISTOCK.COM

INSIGHTS

58 Board Perspectives There are distinct ties between COVID-19 and ESG.

61 The Mind of Jacka Shades of gray dominate in internal auditing.

62 Eye on Business New analytics offer deeper insight into business performance.

66 In My Opinion A culture of service should permeate internal audit.

7 Editor’s Note

8 Reader Forum

65 Calendar

PRACTICES

10 Update IIA releases revised Three Lines Model; DOJ updates compliance guidance; and boards share top governance challenges.

14 Back to Basics Internal audit should be involved in onboarding processes.

16 ITAudit Password managers present security concerns.

19 Risk Watch Stress testing isn’t just for banks.

22 Fraud Findings A town board requests an audit of the school district’s budget.


The IIA has converted some of the most popular training, events, and certification products and services to an online format. Internal auditors the world over can continue their professional development and stay up-to-date with the latest expertise.

With the best online professional development opportunities available.

Access Our Latest Online Training, Events, and Testing | www.theiia.org/Virtual

virtual training. ACTUAL GAINING.


Editor’s Note


WORD OF THE DAY: RESILIENCE

Merriam-Webster defines resilience as “an ability to recover from or adjust easily to misfortune or change.” The American Psychological Association says it is “bouncing back” from difficult experiences, including workplace and financial stressors. The resiliency of most of the world’s population currently is being tested in ways that were previously unimaginable.

From a business perspective, SearchCIO, an online news portal for IT executives, says resilience is an organization’s ability “to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and overall brand equity.” To The IIA’s new Global Board chairperson, Jenitha John, resiliency is not only about bouncing back, but also bouncing forward to a new state of being (see “Reimagining Resilience,” page 40).

This issue of Internal Auditor focuses on the technologies that are enabling companies to become and remain resilient. In this month’s “Eye on Business” (page 62), Russell Stohr notes that although the pandemic has created disruption, “it has also created a tremendous opportunity for businesses to rethink their current perceptions of what is required to make the business run.”

Organizations that embraced data and new technologies before the crisis have had an advantage during the pandemic, but author Christine Janesko says it’s not too late for other firms. In “The Digitally Transformed Enterprise,” she writes, “Organizations that accelerate their digital transformation can still reap the benefits moving forward — and internal auditors can provide valuable assistance along the way.”

That assistance comes both in the form of monitoring the organization’s use of technology and using that technology within the audit function. In “The Artificially Intelligent Audit Function,” authors Kitty Kay Chan and Tina Kim consider how internal audit can refine their organization’s data management and analytics capabilities to revolutionize internal audit’s work. And, in “Trust in Technology,” author Neil Hodge explains how internal auditors can help monitor the use of cutting-edge tools to ensure consistency with ethical requirements and awareness of organizational risks.

A large part of being resilient is recognizing the need for change and taking the steps necessary to make change happen. Your magazine team has done just that. As we’ve been telling you, the magazine has evolved to a completely digital edition beginning with this issue. Let us know what you think at [email protected].

Finally, on a personal note, I’d like to bid a fond farewell to Gretchen Gorfine. Gretchen has been the production manager of the magazine for the past 29 years. She has decided to move on to the next chapter in her life, which includes a mountain view, a beach view, and more time with the grandchildren. She will be greatly missed, and we wish her nothing but the best.

@AMillage on Twitter


Reader Forum

WE WANT TO HEAR FROM YOU! Let us know what you think of this issue. Reach us via email at [email protected]. Letters may be edited for clarity and length.


CONTACT [email protected] +1-407-937-1109; fax +1-407-937-1101

SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING [email protected] +1-407-937-1111; fax +1-407-937-1101

EDITORIAL David Salierno, [email protected] +1-407-937-1233; fax +1-407-937-1101

PERMISSIONS AND [email protected] fax +1-407-937-1101

WRITER’S GUIDELINES

InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.

Embracing Digital

I enjoy the magazine, and have been taking the continuing professional education quiz for nearly 10 years now. As more of a “career auditor,” I enjoy the mix of thought leadership, managerial, and technical practice articles. Going digital/mobile-only would seem to be a watershed moment, underscoring just how much technology, and our ubiquitous reliance on it, is truly at the core of our everyday professional lives. I previously referred to the print issue for reading and taking quizzes, but a couple of years ago went digital. I like downloading the magazine online and “flipping” through the pages on screen.

KEVIN HITCHCOCK comments on Richard Chambers’ “Evolving to Meet Your Needs” (“President’s Message,” June 2020).

Crisis and Changing Times

In this crisis, it is important that senior management initiate a relearning process, and who better than the internal control offices that apply knowledge and methodologies in identifying risks that may affect organizations? Directors need to listen to their internal control offices — which objectively evaluate the effectiveness of actions taken to face the new environment — and the degree of flexibility, adaptation, and innovation that organizations must have to be sustainable in changing times. This crisis has accelerated the virtualization of business functions and the strategic management of talent, revising the concepts of economic, social, and environmental productivity and sustainability.

MAURICIO MONTES comments on Rick Wright’s “Assessing Risk in a Post-pandemic World” (“Risk Watch,” June 2020).

Independence should be related to the organizational structure — who is directing internal audit. Objectivity is more to do with the auditor’s state of mind. You may be independent but not objective (a chief audit executive reports directly to the CEO and audit committee but has a significant conflict of interest). And you may be objective but not independent (you are auditing your own boss, who reviews and approves the audit report).

SUBHASIS SEN comments on the From the Mind of Jacka blog post, “NOT a Declaration of Independence” (InternalAuditor.org).

An Opportunity for Abuse

Seems to me an important element of trying to gain back trust in the function, and safeguard independence, is removing the possibility for any elected official, including a president, to remove inspectors general (IGs). Clearly, that facility can be abused, and as long as that is hanging over IGs, there is no real independence.

CEES KLUMPER comments on the Chambers on the Profession blog post, “Independent Federal IGs Are Essential to Effectiveness and Integrity” (InternalAuditor.org).

EDITOR IN CHIEF
Anne Millage

MANAGING EDITOR
David Salierno

ASSOCIATE MANAGING EDITOR
Tim McCollum

SENIOR EDITOR
Shannon Steffee

ART DIRECTION
Carol Hardy Design

PRODUCTION MANAGER
Gretchen Gorfine

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS INC.

CONTRIBUTING EDITORS
Wade Cassels, CIA, CCSA, CRMA, CFE
J. Michael Jacka, CIA, CPCU, CFE, CPA
Matt Kelly
Steve Mar, CFSA, CISA
Bryant Richards, CIA, CRMA
James Roth, PhD, CIA, CCSA, CRMA
Rick Wright, CIA

EDITORIAL ADVISORY BOARD
Jennifer Bernard Allen, CIA
Dennis Applegate, CIA, CPA, CMA, CFE
Lal Balkaran, CIA, FCPA, FCGA, FCMA
Andrew Bowman, CPA, CFE, CISA
Robin Altia Brown
Adil Buhariwalla, CIA, CRMA, CFE, FCA
Wade Cassels, CIA, CCSA, CRMA, CFE
Stefanie Chambers, CIA, CPA
James Fox, CIA, CFE
Nancy Haig, CIA, CFE, CCSA, CRMA
Sonja Heath, CIA
Kyle Hebert, CIA
Daniel Helming, CIA, CPA
J. Michael Jacka, CIA, CPCU, CFE, CPA
Sandra Kasahara, CIA, CPA
Michael Levy, CIA, CRMA, CISA, CISSP
Merek Lipson, CIA
Michael Marinaccio, CIA
Alyssa G. Martin, CPA
Joe Martins, CIA, CRMA
Stephen Minder, CIA
Rick Neisser, CIA, CISA, CLU, CPCU
Hans Nieuwlands, CIA, RA, CCSA, CGAP
Manish Pathak, CA
Bryant Richards, CIA, CRMA
James Roth, PhD, CIA, CCSA
Jerry Strawser, PhD, CPA
Glenn Sumners, PhD, CIA, CPA, CRMA
Robert Taft, CIA, CCSA, CRMA
Brandon Tanous, CIA, CGAP, CRMA
Stephen Tiley, CIA
Robert Venczel, CIA, CRMA, CISA
David Weiss, CIA
Rick Wright, CIA

IIA PRESIDENT AND CEO
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA

IIA CHAIRMAN OF THE BOARD
Jenitha John, CIA, QIAL


Illuminating the Top Global Risks in 2020

Explore Protiviti’s digital Executive Perspectives on Top Risks 2020 report and prepare for the risks likely to affect your organization this year.

Visit protiviti.com/toprisks for the full report.

© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0120

protiviti.com


FOR THE LATEST AUDIT-RELATED HEADLINES follow us on Twitter @TheIIA

Update


DOJ to consider risk in criminal cases… Crisis raises governance concerns… Auditors’ social justice role… Executives see blockchain’s digital value.

THE IIA UPDATES THREE LINES MODEL

New release considers risk and governance in a complex world.

In today’s fast-paced, technology-driven world, risk-based decision-making is as much about seizing opportunities as it is about defensive moves. A long-overdue update to the popular Three Lines of Defense risk management model embraces this new reality.

“Risk management goes beyond mere defense,” says IIA President and CEO Richard Chambers. “Organizations need effective structures and processes to enable the achievement of objectives and support strong governance and risk management. The updated Three Lines Model addresses the complexities of our modern world.”

The IIA spearheaded a task force of audit practitioners, risk and compliance executives, stakeholders, and others to identify the relationships between the central and common components of organizations and consider the continued relevancy of the Three Lines concept. “The update reinforces that organizations must determine appropriate, pragmatic structures for themselves, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape,” says task force leader and IIA Global Chair Jenitha John.

The Three Lines Model is based on six principles: governance, governing body roles, management and first and second line roles, third line roles, third line independence, and creating and protecting value. It presents the accountability of the governing body for oversight, of management to achieve organizational objectives, and of an independent internal audit function for assurance and advice. The model notes that although the governing body, management, and internal audit all have distinct responsibilities, “the basis for successful coherence is regular and effective coordination, collaboration, and communication.”

“For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value,” Chambers says. — A. MILLAGE

IMAGE: ALEXYZ3D / ISTOCK.COM

THE HIGH COST OF MISSING RISKS

Strategic initiative leaders say a timely risk response can be the difference between a successful project and expensive delays.

[Chart comparing strategic initiatives with and without a timely risk response across five outcomes: completed ahead of schedule, never behind schedule, below original budget, achieved more than 90% of objectives, and exceeded expectations.]

Source: Gartner Inc.

BOARDS DETAIL CRISIS CONCERNS

Directors share top governance challenges during the pandemic.

Most U.S. board members say creating a post-crisis strategy is the top governance challenge at their organization, according to the National Association of Corporate Directors’ latest COVID-19 Pulse Survey. Almost half of the nearly 300 directors surveyed also identify concerns about their ability to understand new risks arising from the pandemic and to ensure employees’ health and safety.

Looking ahead, directors say shifts in the nature of work would be a chief concern, as would the technological challenges of moving their businesses forward. More than half say changes in how work is accomplished is one of their top three concerns. And almost one-third cite “accelerating digital transformation” as an ongoing priority.

As the need for communication with management has increased during the pandemic, board members’ time commitment has risen. Directors say they expect to continue a more frequent meeting cadence after the crisis. “New, responsive best practices are potentially on the horizon with directors engaging more frequently with management and in new ways,” the report says.

Participants also note issues their board must address as organizations continue to navigate the crisis. They cite, for example, the need to determine what information stakeholders require to maintain confidence in the business, as well as lessons learned from management’s response to the pandemic.

Directors also say it’s important to consider whether the organization’s workforce should be redesigned after the crisis, what business development opportunities may have arisen, and what risks those opportunities may present. Lastly, they note the importance of considering how boards can promote new leadership capabilities within the executive suite. — D. SALIERNO

40% OF 500 SURVEYED COMPANIES DELAYED REVENUE-GENERATING INITIATIVES for a month or more to prioritize remote work setup.

44% OF RESPONDENTS SAY THE POSTPONED WORK INCLUDED CYBERSECURITY INITIATIVES.

“This research indicates that with many employees remaining at home for the foreseeable future or even permanently, refining how we grant and manage digital access is more important than ever,” says Sectigo CEO Bill Holtz.

Source: Sectigo and Wakefield Research, 2020 Work-from-home IT Impact Study

DOJ ISSUES COMPLIANCE GUIDANCE

Prosecutors to consider risk practices for assessing criminal liability.

Revised U.S. Department of Justice (DOJ) guidance provides recommendations to help prosecutors assess whether a company’s compliance program was effective at the time of an offense, make informed charging decisions, and determine an appropriate penalty or resolution. Originally issued in 2017, Evaluation of Corporate Compliance Programs advises prosecutors to consider how the organization has defined its risk profile and whether risk assessment consists of ongoing examination.

Among key areas of review, the DOJ recommends prosecutors gauge the effectiveness of the organization’s risk management process and determine what methodology it uses to “identify, analyze, and address the particular risks it faces.” They should look at the specific information the company collected to detect the type of misconduct in question.

The guidance also advises evaluating the company’s risk resource allocation, to help understand whether the company spends too much time focusing on low-risk areas. Moreover, prosecutors should examine whether a process exists for updating and revising the risk assessment program. They also should consider whether the organization captures lessons learned from either its own compliance-related challenges or those experienced by industry and geographic peers. — D. SALIERNO

IMAGES: TOP, SUREEPORN / ISTOCK.COM; RIGHT, ART STOCK CREATIVE / SHUTTERSTOCK.COM

Are you ready for the future of internal audit?

Assure. Advise. Anticipate.

As organizations push the bounds of disruption, the role of the internal audit function needs to evolve to not only deliver assurance to stakeholders, but to advise on critical business issues and better anticipate risk. Through custom labs, we can help you develop a strategy to modernize your internal audit program, tapping into the power of analytics and process automation; identifying and developing the skills and capabilities required to build and sustain the internal audit function of the future; and incorporating Agile internal audit to keep up with the rapid pace of change. The future is now.

www.deloitte.com/us/ia

Copyright © 2020 Deloitte Development LLC. All rights reserved.

BACKING THE BLOCKCHAIN

Executives seek to grow value of digital assets.

Once considered a technology experiment, businesses are making blockchain and digital asset investments a top-five priority, says Deloitte’s Global Blockchain Survey of nearly 1,500 senior executives. Nearly 40% report their organizations have implemented blockchain into production, up from 23% last year.

More than half of respondents view blockchain as a strategic priority, with 83% saying it is necessary to maintain a competitive advantage. As such, 82% plan to hire blockchain expertise in the next 12 months. “Like many disruptive technologies, blockchain has evolved from a merely promising and potentially groundbreaking approach to a now integral solution to organizational innovation,” says Linda Pawczuk, principal, Global and U.S. Consulting Leader for Blockchain and Digital Assets at Deloitte Consulting LLP.

One key component in blockchain’s value is digital assets, which nearly 90% of respondents say will be important in the next three years. These assets include cryptocurrencies, financial instruments, tokenized debt or equity, and digital representations of land or commodities. Among their benefits are the ability to trade them easily on secondary markets and their heightened transparency to traders. — T. MCCOLLUM

ADDRESSING SOCIAL JUSTICE

Businesses should be advocates for diversity and inclusion, says Dennis Kennedy, founder and chair of the National Diversity Council.

How can businesses support social justice issues such as Black Lives Matter, and how can internal auditors assist organizations in making changes to support social justice movements?

Companies should advocate for diversity and inclusion for all people and not focus on the risk of being forthright in their stance against racial injustice. They should be inclusive in their messaging and equitable in their business practices, as change starts with leadership and affects how employees view their workplace experiences. Companies should focus on propelling themselves into an inclusive space where all can feel comfortable.

Internal audit can help companies thrive through these uncertain times by assisting them in making changes to support social justice movements through score cards, diversity and inclusion indexes, integration of equity conversations within their business functions, and using business resource groups to spread awareness. Diversity and inclusion promote growth, creativity, and innovation, and are a source of value for businesses. Recent social protests in the U.S. and around the world have stressed the urgency of creating diverse and inclusive organizations, not just as a matter of economics, but as a means to address systemic racism.

PHOTO: RIGHT, ZAPP2PHOTO / SHUTTERSTOCK.COM

VISIT InternalAuditor.org to read an extended interview with Dennis Kennedy.


Back to Basics

ONBOARDING NEW EMPLOYEES

Employee orientations are an opportunity to educate new hires about internal audit’s role.

BY WALTER OBANDO EDITED BY JAMES ROTH + WADE CASSELS

SEND BACK TO BASICS ARTICLE IDEAS to James Roth at [email protected]

Most medium- to large-sized organizations have a standard onboarding process for new employees where they are briefed on topics such as the organization’s history, organizational structure, and employee benefits. The duration of new employee orientation and the topics covered may vary.

Internal audit can be involved in the onboarding process in two ways. First, it can audit the effectiveness of the process, itself. Second, internal audit can be a part of orientation by introducing new employees to the department. Internal audit can share its purpose and explain the new employees’ responsibilities related to internal controls, cooperation during audits, and reporting to a whistleblower or ethics hotline.

Auditing the Process

Internal audit may opt to review the organization’s strategy for onboarding, in addition to becoming a part of the onboarding process, itself. This is especially important during the COVID-19 pandemic, for example, as organizations around the world have been forced to halt or change how they onboard employees during a time when most employees are working from home. Initiating a performance audit of the onboarding process may reveal areas where improvements can result in a more effective process. Like any performance audit, knowing what criteria to use is key when planning the audit. A review of human resources (HR) policies and procedures as well as HR goals and metrics with onboarding is a logical place to start. Reviewing feedback solicited from onboarding participants will provide critical insights.

Benchmarking with peer organizations may highlight areas where the business can enhance the onboarding process. Internal audit should consider the time allotted for onboarding as well as the amount of information being covered. Based on these observations, internal audit may conclude that the onboarding process should be condensed or expanded. Determining whether the organization has a contingency plan to onboard employees remotely, during a time when most employees are working remotely now, will determine the organization’s agility to adjust to changing circumstances beyond its control. Lessons learned analysis will also highlight areas of improvement.

Internal audit’s review can expand beyond the general onboarding process given to all employees to include the process at each employee’s specific department. An audit can determine whether employees were provided adequate training, resources, and guidance during their initial period of employment and help ascertain whether staff turnover may be higher in certain departments. A risk-based approach when planning will help determine what areas to include as part of an onboarding process audit.

Many new employees will not be familiar with the internal audit function.

TO COMMENT on this article, EMAIL the author at [email protected]

Introducing Internal Audit

Employee orientation continues to evolve based on the changing topics organizations are legally required to address, and different departments may be brought in to introduce themselves and talk about their roles. Internal audit may be among those groups. The audit function can provide new employees with an overview of its responsibilities and how employees can help the organization achieve strategic goals by being cooperative during audits.

Explaining how employees play a significant role with helping internal audit achieve its mission is vital. The level of detail in this discussion can be scaled according to the audience and time allotted. New employees may not remember everything explained about internal audit during onboarding, but they may walk away with enough basic knowledge to recall when it becomes more relevant or when they are involved in an audit.

Revamping the Process

In organizations where internal audit is not part of onboarding, the chief audit executive (CAE) should discuss with the HR department why adding internal audit is important to the organization’s mission. The CAE should provide details such as a proposed agenda, the people delivering the presentation, and materials to be incorporated into the new employees’ welcome packages. A mock presentation to HR can help sell it on the need to include internal audit in the orientation, so the CAE should consider whether to provide a slide presentation and a demonstration of the department’s website.

If internal audit manages the organization’s hotline, the presentation can become an essential part of educating new employees on how to use the hotline to report suspected fraud, waste, abuse, or mismanagement. It also is important to explain the options and protections they may have for reporting suspected fraud.

Knowing the Audience

Internal auditors should remember that most new employees will have no background in auditing, and many will not be familiar with internal audit’s responsibilities or may not have heard of it. With that in mind, topics should be kept as nontechnical as possible.

It’s equally important to keep the audience engaged in the discussion. Auditors should not assume anyone will know the correct definition of internal controls, audits, or other terms used during the presentation. The point is to keep them actively listening and interested, without overwhelming them. Auditors should allow enough time for questions at the end of the presentation.

Obviously, there will not be enough time for covering all aspects of internal auditing, so the presenter should try to cover what is most relevant and important for a new employee to know.

Doing the Research

An internet search may provide insight on what similar organizations include in their new employee orientation, while information about the process may be gleaned from networking with local IIA chapter members. After due diligence is done, internal audit may decide to collaborate with HR to introduce an online training module to highlight internal audit’s role and employees’ responsibilities. Research will help guide internal audit to a decision that is right for its organization. Over time, it will become obvious what works and what does not.

Getting Feedback

Onboarding presenters should carefully read any feedback they receive from participants and adjust their presentation as necessary. If no formal feedback is solicited, an internal audit colleague should sit in during the presentation and provide feedback. Presenting during orientation can be a great learning opportunity for audit staff members, especially when presenting opportunities are rotated among the staff.

The opportunity to enhance internal audit’s role within an organization begins with the cooperation of its employees. Investing time up front to ensure all new employees have a basic understanding of internal audit’s role in the organization can add value and improve audit results down the road.

WALTER OBANDO, CIA, CISA, is a senior auditor at the U.S. Library of Congress, Office of the Inspector General, in Washington, D.C.


ITAudit


PROTECTING PASSWORDS

Password managers can safeguard login credentials — as long as the tools, themselves, are secured.

BY KARI ZAHAR + STEPHANIE ROBBERSON EDITED BY STEVE MAR

“The database administrator is gone, and he took our passwords with him,” the client told internal audit. “What do we do?”

It was a nightmare scenario for the oil and gas company. The IT department used a password manager to store hundreds of system, database, and service account administrative passwords. It did not know that the software could mass-export an unencrypted list of usernames and passwords. Now that vital list was in the hands of a former employee.

Individuals and organizations have flocked to password managers for a secure and convenient method to use passwords to access online services. Yet, despite their benefits, these tools raise security concerns for internal auditors.

Managing Passwords

A password manager stores account usernames, passwords, credit card numbers, and other sensitive information. Various types of password managers accomplish different goals, and some work better than others.

Personal. Password managers intended for personal use allow the user to create one master password and encrypt the entire password vault storing the user’s various usernames and passwords. The user only has to remember the master password to use the password vault.

Team. This type of password manager enables a department to share corporate account passwords among staff members. Using a tool to share login information is more secure than sticky notes, email, or a spreadsheet of usernames and passwords. Each user has an account that grants that person access to the stored credentials within the team password manager.

Personal and team password managers can automatically populate account information when the user accesses a sign-in web page. Alternatively, the user can copy and paste it into the login fields of a web page.

Enterprise. Often referred to as privileged access management, enterprise password managers are robust, customizable solutions that provide powerful functionality. These tools can automatically change passwords based on timed rotations or after each use of the account. Their monitoring and audit logging capabilities can record who accessed a privileged account, when, and why.

Security Risks

Password managers have two significant security risks. First, when the password manager is locked, the master password exists in the computer’s memory outside of the tool’s encryption in a plain text, readable format. An intruder could access this master password and expose the other passwords.


Second, password managers can mass-export passwords into a text file, which makes it easy to move passwords using an unencrypted USB drive. In the wrong hands, a password list can provide access to an organization’s environment.

Internal auditors can help organizations mitigate these risks by helping IT weigh password manager options to balance a right-sized functionality for the organization with managing the related risk. Enterprise password managers are the most secure solution because they change passwords frequently. However, the tools are expensive because of the need for fit, IT or cybersecurity specialists, and architecture, and the cost may outweigh the benefits. Depending on the number of accounts that need to be managed, budget-minded organizations may opt for a team password manager.

Safeguards

If the organization chooses a personal or team password manager, internal auditors should provide advice on how to secure it. The organization should consider the tool’s maintenance schedule, security features, and access structure.

Apply Security Updates and Patches. Organizations should check and frequently update software and patches to ensure they are current. When risks are identified, software fixes are the best way to stay protected against security flaws.

Check Security Features and Configurations. Security features only work if they are used correctly. Auditors should check which security options are available and ensure that the organization has implemented controls such as:

• Validate that the password manager uses encryption. Also, verify that it is a legitimate tool and not a fake password manager.

• Configure appropriate password controls, such as minimum length and complexity. The organization should use multifactor authentication, if the tool supports it.

• Disable users’ ability to mass-export passwords to plain text, if possible.

• Enable logging. Some tools log whether anyone performs a mass export of usernames and passwords.

Restrict Administrator Access. Users with administrative access can view every password within the tool or modify the security configurations. Therefore, organizations should strictly limit the number of employees with administrative access.

Implement Role-based Security. Most password managers can limit users’ password access to specific accounts or folders. Organizations should take the approach of least privilege by only granting an employee access to a password as needed.

Review Password Sharing With External Users. Some password managers support password sharing with external users, while others allow for external sharing of specific credentials. A downside of this practice is that outside parties could gain unauthorized access to the organization’s data and systems. Auditors should review all the shared passwords in the password manager system, determine which passwords can be shared with users outside of the organization, and find out whether the password manager logs password sharing.

Consider Business Continuity. For business continuity purposes, password managers for shared accounts are able to ensure that the keys to an important account are not in the hands of just one person. Tools that store account data in the cloud support business continuity by enabling businesses to access stored passwords during an outage.

If the tool is hosted on-site, the organization should consider how account information can be accessed remotely for business continuity. This requires a backup plan such as exporting all passwords to an external file. However, if the organization does this, it should have appropriate management approval, strictly limit access to the external file, and store the file on an encrypted device.
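The logging, administrator-access, least-privilege, external-sharing, and export-approval checks described in this section can be scripted once the tool’s audit log and access list have been exported. The following is an added example, not part of the article or of any product: the CSV layouts, action names, thresholds, and the NEEDED baseline are assumptions, and every sample row is constructed.

```python
"""Audit checks for a team password manager, run over constructed sample data.

The CSV layouts, action names and thresholds are assumptions made for this
example; map them to whatever the tool's audit and access exports provide.
"""
import csv
import io

# Constructed audit-log export: one row per event.
AUDIT_LOG = """\
timestamp,user,action,entries,format,approval_ref
2020-06-01T09:14:02,asmith,view,1,,
2020-06-01T09:20:45,dba_jones,export,412,csv,
2020-06-02T18:03:11,ops_lee,export,380,encrypted,CHG-PLACEHOLDER
2020-06-03T11:47:30,asmith,share_external,1,,
2020-06-03T12:05:09,asmith,export,3,csv,
"""

# Constructed access export: one row per user/folder grant.
ACCESS_LIST = """\
user,role,folder,external
asmith,user,web-apps,no
dba_jones,admin,*,no
ops_lee,admin,*,no
it_kim,admin,*,no
vendor_x,user,databases,yes
hr_ray,user,databases,no
"""

# Assumption: the folders each non-admin user has a documented need for.
NEEDED = {"asmith": {"web-apps"}, "vendor_x": set(), "hr_ray": {"hr-systems"}}


def rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def mass_exports(events, threshold=50):
    """Exports of `threshold` or more entries, each with the reasons it is a finding.

    An empty reason list means the export was encrypted and approved; it is
    still listed so the auditor can confirm where the file is stored.
    """
    findings = []
    for e in events:
        if e["action"] != "export" or int(e["entries"]) < threshold:
            continue
        reasons = []
        if e["format"] != "encrypted":
            reasons.append("plain-text format")
        if not e["approval_ref"]:
            reasons.append("no management approval recorded")
        findings.append((e["user"], int(e["entries"]), reasons))
    return findings


def external_shares(events, grants):
    """Users who shared externally (from the log) and external accounts holding grants."""
    sharers = sorted({e["user"] for e in events if e["action"] == "share_external"})
    holders = sorted({g["user"] for g in grants if g["external"] == "yes"})
    return sharers, holders


def admin_excess(grants, max_admins=2):
    """Return the administrator list if it exceeds the agreed ceiling, else []."""
    admins = sorted({g["user"] for g in grants if g["role"] == "admin"})
    return admins if len(admins) > max_admins else []


def over_privileged(grants, needed):
    """Non-admin grants to folders outside the user's documented need."""
    return sorted(
        (g["user"], g["folder"])
        for g in grants
        if g["role"] != "admin" and g["folder"] not in needed.get(g["user"], set())
    )


if __name__ == "__main__":
    events, grants = rows(AUDIT_LOG), rows(ACCESS_LIST)
    for user, count, reasons in mass_exports(events):
        detail = ", ".join(reasons) or "approved and encrypted; confirm storage"
        print(f"mass export: {user} exported {count} entries ({detail})")
    sharers, holders = external_shares(events, grants)
    print("shared externally:", sharers, "| external accounts with grants:", holders)
    print("administrators over ceiling:", admin_excess(grants))
    print("grants beyond documented need:", over_privileged(grants, NEEDED))
```

A tool that does not log exports or sharing leaves the first two checks with nothing to read, which is itself a finding under the logging control above.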

When a Breach Occurs

If internal auditors receive a call from IT, concerned that former employees have access to stored passwords, there are ways they can help the organization respond.

First, lock all the doors. If all passwords were exported, auditors should assume all passwords are compromised. The best approach is to change all breached passwords. However, system and service accounts often are linked to background processes, so changing the password could cause crashes or outages. If auditors encounter this situation, they should advise IT to restrict virtual private network access and deny interactive login for those accounts.

Next, call for help — twice. The first call should be to IT and compliance professionals who can help identify potential exposures and related risks. The next call should be to a trusted security firm to execute attack and penetration scenarios aimed at validating whether the organization has addressed critical exposures.

Despite the potential threats, the benefits of password managers greatly outweigh the relative risks. With appropriate oversight and controls, those risk levels can be even lower.

KARI ZAHAR is a senior manager at Stinnett & Associates in San Antonio, Texas.

STEPHANIE ROBBERSON, ACE, CCPA, CCO, is a senior associate at Stinnett & Associates in Oklahoma City.


Risk Watch


THRIVING UNDER PRESSURE

Organizations can learn from the banking industry’s use of stress testing to ensure they can respond to economic downturns.

BY ANKIT GARG EDITED BY RICK WRIGHT

In response to the global financial crisis of 2008, the U.S. government enacted regulatory reforms requiring banks to perform an in-depth review of the risks in their businesses. Among the regulations, banks had to conduct stress testing and scenario analysis each year. These tests involved performing a “what-if” analysis of how their balance sheets, net income, capital cushion, and other key financial metrics would evolve if an economic stress occurred.

Since then, stress testing has helped banks greatly improve their skills at identifying, quantifying, and managing risks. That has enabled them to provision capital to absorb losses arising from systematic risk events.

But stress testing isn’t just for banks. The negative economic impact of the COVID-19 pandemic reveals the need for organizations to be prepared to respond to economic shocks. Organizations and audit functions in other industries can learn from the banks’ processes to implement stress testing in their business.

The Banks’ Experience

For banks’ capital-planning exercise, internal audit provides assurance that current, new, or changing processes are functioning as designed and controls are in place to mitigate risks. Auditors also identify improvements to enhance the accuracy of the results of stress tests.

Within stress-testing exercises, internal audit must review the entire end-to-end process — rather than individual components — to assess compliance with regulatory and board expectations. Companies must provide a summary of internal audit’s findings in their capital plan submissions to the Federal Reserve Bank.

The dynamic nature of capital, risk, and stress management poses unique challenges for internal auditors at banks. Auditors often must learn new systems, review complex loss and forecasting models, track remediation in real time, manage multiple engagements, and work on a timed schedule. Such requirements make planning imperative for these audits.

Any Organization Can Stress Test

Regardless of industry, internal audit can ensure that stress testing encompasses sound foundational risk management, effective loss and resource-estimation methodologies, a granular capital impact assessment, and robust internal controls and governance.

Assess Risks Within Scenarios. U.S. publicly listed companies report “risk factors” in their annual 10-K Securities and Exchange Commission filings. This information details the most significant risks to the company such as major industrial accidents, cyberattacks, or employee malfeasance. By quantifying those risks and modeling their impact into the organization’s financial outlook, risk managers can provide insights into its vulnerabilities to key risks. However, organizations often view these risks in silos, which can lead them to miss today’s more complex, interconnected risks.

Organizations can greatly enhance this exercise by focusing on the scenario that may evolve and by reviewing the impact of a cluster of interrelated risks within that scenario. Risk managers then can focus on scenarios that may impact the business most severely.

Estimate the Impact of Tail Events. A common risk management practice is modeling broader everyday market variables such as gross domestic product, inflation, or business-specific variables. Scenario analysis then focuses on whether core risk factors are likely to develop in the future.

Risk managers usually disregard low-likelihood “tail” events, preferring to focus on those events that are more plausible in their experience. They assume that in such extreme scenarios, teams can rally together to sustain business operations. However, COVID-19 is highlighting how seemingly low-probability events can add together to create a highly probable event with material impact.

Thinking about one-off events, such as a natural disaster or pandemic, can greatly enhance the versatility of a stress-testing exercise. The same is true of events that may have a more extreme outcome such as a large drop in revenues or staff reduction. In looking at such events, organizations can develop a deeper understanding of the impact these shocks could have on their business. That insight would enable them to allot resources to continue business operations under stress.

Model the Risk Mitigation Impact. While it’s a good start to have a more in-depth review of potential business risks and plan for risk mitigation strategies, corporate boards can benefit from modeling the impact of those strategies on continued operations. Risk mitigating responses, such as reducing dividends and selling business assets, can develop into their own risks over the long term.

For example, during the pandemic, selling business assets may seem to be a quick way to recapitalize a business. However, those sales may have their own idiosyncratic impact that may show up only after the stress has subsided. Modeling the impact of such measures in response to the original stress event can give senior management more confidence in the exercise’s robustness.

Internal audit can be part of a cross-department initiative that assesses the impact on different interests such as employees, competitors, suppliers, regulators, and customers. Discussing how risk scenarios may impact each team and running reactions through models are ways auditors can help the business devise an organizationwide strategy.

Integrate Results With Strategic Planning. The usefulness of stress testing will be limited if its results aren’t linked to strategic planning, capital allocation, and other business management decisions. A variety of senior management executives should participate to ensure testing has a meaningful impact. Performing an integrated risk measurement and planning exercise can quantify the amount of capital the organization would need to absorb stress and sustain operations.

Stress Testing Audits

Just like their counterparts at banks, internal auditors in other industries can help set up a stress-testing exercise. They also can provide assurance that the processes are being executed as intended.

Internal audit should consider several factors when setting up its audit plan:

• Well-defined objectives, oversight, and governance. Stress-testing frameworks should be designed with clear and well-documented objectives, and a governance structure that must be reviewed and approved by the board.

• Material risk capture. Testing should identify and quantify material risk that is relevant to the business. The risk-identification process should be comprehensive and consider both tangible and intangible risks.

• Resourcing. Staff members who are involved in stress testing should be well-trained and possess advanced skills. They should have sufficient oversight to provide guidance of their work.

• Challenge and review. Models, results, and the framework should be subject to independent challenge and periodic review.

• Technology and systems. Modeling and forecasting of stress and risks require robust systems and IT infrastructure. Such exercises deal with large amounts of data that need to be stored and processed appropriately.

Making Testing Sustainable

A well-planned audit can enable senior management to rely on internal audit’s ability to identify weaknesses in the stress-testing process, both from a stability and regulatory compliance perspective. Moreover, the audit can elevate material issues that may warrant management’s attention. By addressing the deficiencies internal audit uncovers, process owners and risk managers can make stress testing more sustainable.

ANKIT GARG is vice president—Risk Internal Audit at JPMorgan Chase in New York.


Fraud Findings


SCHOOLHOUSE FRAUD

Administrators turn their district’s budget into personal play money.

BY DEANNA POLLI FOSTER EDITED BY BRYANT RICHARDS

When the Wellington School District budget crisis hit the local newspaper, citizens were shocked. The superintendent, Tina Franken, and business manager, William McKenzie, implemented innovative programs that improved employee morale and productivity — not only for the central office, but also for the eight schools within the district. Before Franken’s arrival, the school district was often an embarrassment to the town, as employee issues led to frequent firings or resignations and the airing of dirty laundry in the local news. When the longtime district accountant resigned and filed a legal complaint against McKenzie, which consisted of fraud, abuse of town policies, and violations of state laws, gossip among district employees and citizens implied there were ties between the legal complaint and the budget crisis.

With a school budget shortfall of $2 million at fiscal year-end and a legal complaint, the select board for the town had no choice but to act. It asked the town’s internal auditor, Denise Silva, to review the school district’s budget process.

Silva knew town government issues could get messy and complicated. So she prepared a high-level audit program and planned to spend a lot of time exploring. First, she reviewed the district’s budget policies and procedures and requested the previous year’s approved budget with all planning comments and 12 months of results by month and account. She planned to interview employees involved in the process and take deeper dives into any areas with significant overruns. After receiving the budget documents, she realized that she needed to clear her calendar.

Silva detected several red flags in her initial review of the budget documents. First, McKenzie put the budget together under four large categories — instructional supplies, curriculum, payroll, and equipment — with lump sum amounts under each. Once the town approved it, the business manager arbitrarily assigned amounts to line item accounts in each category. Silva could not discern any reason for the assignment of funds. The second thing that stood out to her was the hundreds of transfers throughout the line item accounts each month that were not approved by the school committee or board. Lastly, there were no budgets in place for revenue accounts, even though large amounts of money were collected for sports fees, bus fees, and student activities. These collections were recorded as petty cash for the school district to use on purchases.

Silva first interviewed McKenzie about his budget process. He explained that the budget process was cumbersome and a source of significant productivity issues, so he streamlined the two-month planning cycle to one week. Instead of providing a detailed number for each line item, McKenzie broke the accounts down into four categories based on prior years and departmental needs, and assigned each category a lump number. The school committee and board voted on and approved the categories. The town approved this process because it trusted Franken and McKenzie.

When Silva asked about missing revenue accounts in the process, McKenzie insisted that the district accountant required that all cash collections be received into petty cash, so budget figures weren’t necessary. Adjustments were made at the end of the year to reflect the accounting. McKenzie blamed the district accountant for many of the budget challenges.

Silva’s findings list was filled with broken policies, regulations, and accounting rules, but she knew more data was needed. Some basic analytical testing found that administrators in the central office were using funds to purchase large flat screen televisions, office equipment, and laptops. However, these items could not be located anywhere in the district, so Silva assumed that administrators were taking them home. She began testing invoices, which showed that the district often reimbursed administrators for conferences and travel more than once. On several of the travel reimbursements, spouses were included and paid for by the district. The amounts submitted for reimbursement exceeded the threshold specified in the district’s policy.

When Silva conducted interviews with staff in the central office, she found there were relatives of administrators on the payroll who never showed up for work. And though the office was open until 5 p.m., many administrators left at 2 p.m. Lastly, an employee who worked in disbursements revealed that administrators received kickbacks from vendors for large purchases and the awarding of contracts.

Silva identified $2 million of fraud and abuse while reviewing five years of data. But she was unable to quantify much of the activity, such as the vendor kickbacks. A reasonable comparison of the actual costs of big-ticket items and what was paid by the school district added another $2 million to the total.

As a result of Silva’s investigation, Franken and McKenzie were forced to resign and are currently serving jail time for their part in the fraud schemes. Silva quantified the known abuses — like the technology gifts, no-show jobs, time theft, and travel and expense violations — per administrator, and found that nearly every one of them received, on average, an additional $10,000 per year on top of their salary. Those in higher levels of administration received more. The district accountant received none and acted as a whistleblower by filing a legal complaint. Franken and McKenzie were making significant money with kickback and petty cash schemes, using gifts, no-show jobs, and abridged schedules to keep staff from complaining or noticing, and covering their tracks with a convoluted budget process.

LESSONS LEARNED

» The budget process should be included in the risk assessment and reviewed regularly, especially in regulated environments like municipalities. A quick review would have caught many of these issues in the first year.

» Removing key controls from important processes should raise red flags. If the controls had been reviewed regularly, the budget crisis and fraud could have been avoided.

» Small internal audit departments should consider rotational reviews that provide greater coverage across the organization. In this example, reviews of petty cash, budget, vendors, payroll, or accounting would have identified smaller issues that would have raised red flags and the need for additional reviews.

» Messy situations may require internal audit to shut down the audit schedule for the rest of the year. Not only is it important to focus internal audit resources on high-risk areas, but it is critical to those responsible for oversight that they receive the clearest picture possible to make the most informed decisions about how to move forward.

DEANNA POLLI FOSTER is an assistant professor of accounting and program director, Master of Science in Accounting, at Nichols College in Dudley, Mass.


DIGITAL TRANSFORMATION

The Digitally Transformed Enterprise

As organizations adapt to new ways of doing business, internal audit must expand its understanding of data and technology risk.

Christine Janesko

Illustration by Sean Yates

Nearly every organization — from multinational corporations to small, brick-and-mortar enterprises — is in some stage of digital transformation, but just where businesses are along the technology spectrum varies significantly. What is clear is that the challenges and complexities behind getting it right are daunting, especially for internal audit functions that must provide assurance over digital transformation while relying on traditional processes.

“At San Francisco Bay-area companies, you probably see a lot more chief audit executives being successful with data and data analytics,” says Tom Rudenko, head of audit at Yelp. “I think it’s just the nature of our companies — you have to adopt their methods, adopt their tools, because if you don’t, you’re going to become obsolete very, very fast. Whereas in the more traditional companies that are not in technology, it’s more of a struggle to get to that point.”

Whatever stage organizations find themselves in, digital transformation is ultimately about data — how businesses present data to customers; how they use and manage customer data; and how they aggregate and analyze business data to increase efficiency, accuracy, profit, and speed. The technology used to parse or deliver this data encompasses cloud computing, data analytics and data mining, robotic process automation (RPA), and artificial intelligence.

Chief audit executives (CAEs) must be aware of the strategic risks associated with embracing or neglecting data and new technology, and they must understand its inherent ability to disrupt business plans and models. Indeed, CAEs rank data and new technology risk as likely to grow markedly in relevance over the next five years, according to The IIA’s OnRisk 2020 report.

Still, acknowledging the risk does not always translate into its successful management. Despite recognizing that this risk is likely to grow in relevance, CAEs give themselves and their organizations low marks in relation to their personal knowledge of data and new technology risk and their organizations’ ability to manage it, the report notes.

Many factors affect just how invested organizations are in technology, such as whether they developed before the computer age or were “born digital.” Either way, organizations that embrace the use of data and new technology have enjoyed a decided advantage in connecting with customers, coordinating with new digital platforms, or shifting to remote operations during the pandemic (see “COVID-19 Accelerates Need for Digitization” on page 27). But it is not too late. Organizations that accelerate their digital transformation can still reap the benefits moving forward — and internal auditors can provide valuable assistance along the way.

DIGITAL MATURITYPart of the reason some companies are further behind than others when it comes to adopting technology and data processes has to do with culture. Domi-nique Vincenti, who serves as global head of Internal Audit and CAE for Uber, likes to use the generational term digital native to describe organizations that were “born” using and manipu-lating technology and data — such as Uber and Yelp.

Vincenti explains that older industries and those that are not inherently digital are facing some of the same challenges Baby Boomers and Generation X have faced in comparison to digital-native Millennials and Generation Z. “Those who’ve been operating in industries where data and technology is not at the heart of the business model, [but are] ‘going there because we have to’ — they’ve found themselves in that non-digital-native situation, and it’s probably more uncomfortable,” Vincenti says.

For Rudenko, there are pros and cons to working with digitally savvy companies like Uber and Yelp, but one clear advantage is that they are naturally faster at adopting and using technology to solve problems. “The tech companies are not as mature, and they might not have those best practices, but they are very nimble and move fast, and you’re not weighed down by decades of legacy systems, people, and processes,” he says.

“Everything that Yelp internal audit is doing is geared toward becoming a more data-driven internal audit function.”

— Tom Rudenko, head of audit, Yelp

48% of IT decision-makers say their organization has already adopted a digital-first strategy, while 26% were in the development stage of becoming a digital business, according to a 2019 IDG survey.

Larger, older organizations may have more mature, formal processes, which can be a good thing, Rudenko says. On the other hand, they are also more likely to have bureaucratic processes or silo mentalities where people are reluctant or unable to share information or effectively collaborate across business units. “In my experience with more mature companies, navigating through the organization and just getting access to the data can be a time-consuming and difficult process,” he says. “By the time you were able to analyze it, it was already kind of old news.”

Regardless of their organization’s level of digital maturity, Vincenti says CAEs looking for a better grasp of data and new technology risk need to understand how their organization is approaching the risk strategically. As with any risk assessment, auditors must know what they’re dealing with. They need to consider how important data and new technology are to the organization’s evolving business model and where their organization is with respect to digital transformation.

Vincenti suggests CAEs ask themselves: “Is data and new technology becoming a core enabling function? Or is it just sitting on the side as technology has been for many, many years, and is just a way of making things a little bit more efficient — not necessarily an enabler of business but just a support of business?”

COVID-19 ACCELERATES NEED FOR DIGITIZATION

The COVID-19 pandemic has had an economic impact on organizations worldwide. Businesses that were already technology- and data-driven have had an advantage, even in challenging sectors. Organizations that were already comfortable with “virtualization” tools and working with digital data were able to more easily transition to setting up remote workforces and processes, connecting with customers, and delivering some services online.

For instance, while Uber has definitely lost revenue from the slowing of its ride-sharing services, the company’s Uber Eats division was ready to ramp up to meet the growing demand for food deliveries and groceries. Meanwhile, in April, the company launched Uber Direct and Uber Connects — pilot projects involving the delivery of other types of goods, such as over-the-counter medications and packages to loved ones. “We were already using the technology platforms, so it’s really adapting the technology platform to embrace the new activities,” Vincenti explains.

The pandemic has also pushed customers and businesses alike into developing new behaviors and habits. Telemedicine, previously slow to catch on as a viable alternative to office visits, is becoming more mainstream. For example, telehealth provider Carenet Health reported an 80% spike in telehealth visits during the first weeks of the pandemic. Other examples include transportation and logistics companies switching to “contactless” paperwork and internal auditors using drones and security cameras to conduct inventory audits, according to an April 2020 Wall Street Journal article. And a recent PYMNTS.com study on U.S. attitudes and consumer behavior during the pandemic shows that for as many as 23% of respondents, the shift to more online working, shopping, and meal ordering may be a permanent one.

As a result of these societal shifts, digital transformation is now even more urgent than before, Vincenti says. “If people needed a reminder to accelerate the process, I think that reminder is loud and clear.”

A NEW WAY OF THINKING

While every industry is different, Vincenti says it is important to consider competitors: “Are we at odds with how literally the world is evolving, and can we become the next Kodak or Blockbuster in our industry? If auditors determine that digital transformation is now embedded in their business model — fundamentally, how business is now done — then the audit function must change its approach, as well,” Vincenti says.

Although internal auditors may have had a strong grasp of previous business processes, she adds, they need to realize fundamentally that today’s business is done primarily with data and technology. They must understand the new business world as well as they grasped the former, less digitally based one.

Vincenti says CAEs also need to recognize that data, along with money and people, is a fundamental asset in this new way of doing business, whereas technology is just the means to use the data. “What I’ve told my team and what I’m trying to tell people is that before understanding technology, do you understand data like you understand dollars? Because this is the raw material.”

BUILDING TRUST WITH SMALL STEPS

While understanding data and technology is important, it can take time for internal audit to become a trusted resource on data and technology risk if this is not already part of the organization’s culture. Rudenko recommends that internal audit build trust with easy wins using data analytics within the audit function. Although most organizations have all but eliminated travel in the current environment, one of the easiest places to piece together early wins is with travel and expense reporting. As an area at high risk for fraud and one that likely is already part of a reporting system, he says, it can be a good candidate for adaptation to an automated system.

“When you are in a data- and new technology-driven company, all risks are under the umbrella of data and new technology. It becomes the mother of all things.”

— Dominique Vincenti, global head of Internal Audit and chief audit executive, Uber

“You can extract the data out of that system and run it through a series of data-driven tests,” Rudenko says. “Run those tests a couple of times, get the process stabilized, and hand that back to the business. They usually love it, and they’re very happy for something that helps them manage their expenses.”

Both Rudenko and Vincenti agree that relationships are crucial. “You need to have very robust relationships with the tech and data science communities of your company,” Vincenti says. “And one of the reasons is to leverage the systems and technologies that are already in place so that there are economies of scale.”

Vincenti asks, for example, why the audit function would consider buying RPA licenses if a privileged RPA vendor relationship and license agreement have already been established elsewhere in the organization. Understanding what technology is available and “piggybacking” wherever possible is key, she says. (See “Building Technology Into the Audit Process” on page 29.)

According to Rudenko, once internal audit can demonstrate the efficacy of using data analytics tools, the payoff in trust can be great. “You get a trophy, and you put it on the shelf,” he says. “And you start to build your brand inside the organization, and people start to see the value that you’re bringing back to the company.”


38% of participants in a May 2020 IIA webinar on technology said they were “somewhere in the middle” of the process of implementing data analytics into their internal audit function.

Management at Yelp sees internal audit as an important part of the company’s strategic planning, rather than as an interloper. Rudenko and his team are consulted for advice on website development, data pipelines, reporting dashboards, and more. “They want our insight,” he says. “They want our knowledge of risks and controls.”

THE RIGHT TEAM

Building competencies within the internal audit team is also important if the audit function intends to become more technically savvy, but that can take time. According to Rudenko, it is unrealistic to expect everyone on the team to be experts in data analytics, coding, and internal audit because such employees are considered “unicorns” — hard to find even in Silicon Valley.

At Yelp, Rudenko aims for at least half of the internal audit team to be technically savvy, but he also focuses on people who are a good cultural fit for the company. To do this, he invites people from around the organization to participate in interviews for internal audit positions. Getting buy-in from people who will be working with his auditors helps promote teamwork and trust, Rudenko explains.

“In the end, it’s about building relationships,” he says. “That’s really what this all comes down to, but that doesn’t happen overnight.”

At Uber, Vincenti says she has strong technology audit muscle on her team. “One of my directors is the technology specialist, and he is our point-of-contact with the [chief technology officer] of the company,” she says. “On a daily basis, we’re touching base with the engineering teams.”

Vincenti describes her team of auditors as “specialized generalists.” In other words, while everyone has broad, general knowledge, they each have deep knowledge of one or two specialized areas relevant to Uber’s business model.

In addition, the audit activity has its own data science team. While the data scientists understand internal audit enough to work well with the auditors, they are the only true data specialists on the team.

THE DIGITAL-FIRST IMPERATIVE

Vincenti points out that, ultimately, analyzing data is not a new concept for internal audit. The difference is that the tools and the focus have changed. And internal auditors, like the organizations they serve, need to adopt a digital-first mindset.

“The challenge today is to bring data and technology at the core of everything,” Vincenti says. “So today the core is the internal auditor, and the data analytics and technology are on the side — we need to turn the model upside down. We need to put technology in the middle and the internal auditors around to leverage it and add value.”

Christine Janesko is a content developer and writer, Standards and Professional Knowledge, at The IIA.

This article is based on Data and New Technology Risk, a Knowledge Brief available exclusively to IIA Audit Executive Center members.

BUILDING TECHNOLOGY INTO THE AUDIT PROCESS

In a May 2020 IIA webinar titled “Utilizing Technology to Advance Internal Audit and Stay Relevant in a New Risk Environment,” presenters Scott Madenburg, director of Solutions Advisory Services, AuditBoard, and Eric Groen, managing director, Protiviti, provided examples of ways analytics technology can be used for reporting and planning:

» Root cause investigation.
» Real-time exception management (continuous risk management).
» Risk quantification.
» Control simulation.
» Predictive risk identification.
» Risk profiling.
» Test data simulation.
» Statistical sampling.
» Continuous controls monitoring.
» Identification of fraud indicators.

A key takeaway from the webinar is that internal audit functions looking to incorporate data processes into their own work may not have to reinvent the wheel. There may already be technology tools, data, and people (such as business analysts) that CAEs can leverage to start incorporating data analytics testing and processes into internal audit engagements. CAEs might also consider forming a specialized committee that includes participants from IT, management, and elsewhere to determine how data analytics could be incorporated into and benefit current business practices.

Internal auditors, like the organizations they serve, need a digital-first mindset.

ARTIFICIAL INTELLIGENCE

The Artificially Intelligent Audit Function

With planning and processes, AI can revolutionize internal audit’s work and value.

Kitty Kay Chan
Tina Kim

Illustration by Sean Yates

Rather than poring over handwritten work logs one at a time, imagine if internal auditors could have thousands of scribbled notes automatically converted into text, analyzed, and reconciled with electronic time sheets. This is an example of how auditors can use natural language processing (NLP) and text analytics to verify the validity of reimbursements.

Artificial intelligence (AI) techniques such as these are dramatically changing the business landscape. AI refers to systems for managing and analyzing information in ways that mimic human intelligence. For example, smart maps use AI to identify routes that minimize delivery cost and time. AI also powers new kinds of businesses such as social media and ride-sharing services.

Now it’s internal audit’s turn to take advantage of AI to transform audit work. By leveraging AI, internal auditors can capture and digest higher volumes of information, and analyze a broader range of data formats. Moreover, they can perform those tasks faster than ever. In turn, auditors can deliver more insights to clients and increase stakeholders’ return on investment in audit services.

AUDIT APPLICATIONS

While audit functions vary in size, scope, organizational goals, and regulatory requirements, they all contribute to improving their organization’s governance, risk management, and control processes. In their work, internal auditors analyze and evaluate information from numerous sources to draw conclusions and make recommendations. Recent progress in AI is partly fueled by advances in capturing and processing high volumes of data, which internal audit can harness in several ways.

Computer Vision

Internal auditors can use computer vision technology to review the accuracy and reliability of financial and operating information by interpreting and analyzing digital images. Auditors often verify assets as part of their testing, which is time-consuming and done through sampling. Computer vision can improve the quality and efficiency of this process, as well as provide access to previously unavailable information. An example is using drones to measure entire populations of assets such as the number of trucks in a vehicle manufacturing plant or the level of coal stockpiles at a power plant.

NLP

Internal auditors can use NLP to analyze text documents more efficiently. By combining NLP with machine learning techniques, auditors can scan vast amounts of text, such as email, contracts, and social media posts, with unprecedented speed to identify discrepancies and extract salient details. As a result, auditors can perform more comprehensive reviews such as scanning bank documents for legal compliance.

Machine Learning

This technology extracts insights from data using algorithms that allow machines to automatically learn and improve on their own. Machine learning is used in areas such as recommending books to online shoppers and identifying whether an email is spam.

One way internal auditors can use machine learning is to detect anomalies and identify emerging risks. For example, auditors have used the technology to uncover irregular financial transactions and patterns of management fraud (see “How New York Uses AI for Vendor Risk” on page 33).

Internal auditors also can use machine learning to review all transactions and observations, rather than only a subset of data. During the risk assessment and planning stage, auditors determine high-risk areas based on reviewing a wide range and high volume of information such as organization-specific events, changing legal requirements, and industry trends. As part of this process, auditors must balance resource availability with the comprehensiveness of each audit. With large-scale machine learning — which focuses on designing algorithms to work with large data sets — auditors can cover more information faster while capturing greater detail.

AI @ WORK

Rebuilding a traditional audit function to harness AI requires having the right skills, infrastructure, process, and culture. Although there is no one best design, there are components that are important to successfully incorporate AI into the audit function.

An AI Strategy That Aligns With Business Priorities and Links to Measurable Performance

Incorporating AI into the audit function is only a good business decision when it helps the organization overall achieve its mission and goals. Hence, the design of the AI strategy must align with the organization’s strategic priorities. The strategy should at least seek to add value in one of the organization’s core mission areas and assist in identifying new and emerging risks.

While audit functions share similar business objectives, each department may have different immediate priorities. For example, they may have different starting dates for a fiscal year or seasonal variations in their organizations’ businesses. Internal audit should align its AI strategy with how business priorities are expected to evolve over the short, medium, and long terms to best allocate resources to implement the strategy.

Internal audit should quantify the expected benefits associated with the AI strategy whenever possible. Some common measures include cost savings, revenue enhancement, and increased labor efficiency. Audit leaders should specify intangible benefits such as building goodwill with stakeholders through improved insights, as well. It also is essential to account for the time and resource costs needed to realize benefits.

Scalable AI Infrastructure

Because analytics capabilities will evolve progressively over time, it is important to build an AI infrastructure with a strong foundation that can efficiently scale up in capacity and complexity. In choosing the infrastructure of hardware and software to incorporate AI in the audit process, internal audit should consider business needs and how well the technologies will integrate with the organization’s existing systems.


16% of responding companies say they are gaining significant value from AI, and companies say they will raise AI budgets by nearly 10% over the next two years, according to a 2019 Protiviti report.

A significant part of the audit process involves recording, sharing, and reporting information. Therefore, a comprehensive infrastructure should cover data management and analytics tools, spanning from traditional record keeping, file sharing, and reporting to automation and cloud computing. Some issues to consider in selecting these tools include:

» Whether the system architecture uses a modular approach that can be easily adjusted and reintegrated as necessary.
» The level of support available from service providers.
» The training requirements for staff members with different technical backgrounds.
» The total costs, including up-front costs and ongoing expenses for system maintenance and upgrades.

Clear and Formal Governance Processes

An AI strategy becomes more impactful and efficient with processes to govern its development and implementation. Typically, internal auditors with specialized skills and knowledge apply AI across the different stages of the audit life cycle and different business needs of the audit function. Establishing a structure to coordinate and align this work is crucial for high-value outcomes. Some recommendations to consider in building an effective AI initiative process include:

» Develop data management and analytics protocols for each stage of the audit process.
» Establish job rotations or other processes to encourage collaboration across teams.
» Standardize and document analytics procedures whenever possible. This can enhance the transparency, consistency of quality, and reproducibility of the analysis.
» Include a change-management plan in the initiative.

HOW NEW YORK USES AI FOR VENDOR RISK

As outsourcing of services and projects increases, internal auditors often must assess the risks that arise from working with vendors. In the past, auditors have relied on labor-intensive analysis of historic risk factors based on previous experience and knowledge gleaned from the work of others to help assess vendor risk. This work often includes ratio analysis — comparing the share of total payments within a certain category — assessing trends over time, and reviewing prior audit results.

To address vendor risk, internal auditors for the state of New York developed a predictive model using machine learning techniques. The model ranks providers based on risks and pinpoints those transactions that auditors should focus on during an audit. As part of this process, the state used AI and machine learning to automate previous manual processes for examining individual risk factors, such as late or missed payment information.

In addition, auditors built models to better understand how individual factors contribute to the risk of making improper payments and to account for complex interactions between individual risk factors. Furthermore, these models can include quantitative and qualitative factors. As a result, a single model can consider results from a ratio analysis, as well as information from the notes of audited financial statements that might indicate a red flag such as numerous related-party transactions.

The models provide a single score for the risk of improper payments for each vendor, which gives internal auditors a quantifiable, easy-to-understand way to evaluate risk. Auditors can group high-risk vendors into peer groups and statistically analyze these providers’ expenses to identify unusual practices. This application enables audit work to be more targeted, which has significantly increased return on investment and decreased audit time for the state’s auditors.
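The ratio-analysis and peer-group steps from the New York vendor-risk sidebar, sketched as an added example (not the state's model or code): it computes each vendor's share of payments in one category and flags vendors whose share sits far from their peer group's median. The vendor IDs, peer groups, amounts, category name, the 3.5 cutoff and the minimum peer count are constructed assumptions, and the median/MAD score is a simple statistical stand-in for the machine learning model the sidebar describes.

```python
from collections import defaultdict
from math import copysign, inf
from statistics import median

# Constructed sample: vendor -> (peer_group, consulting_amount, other_amount).
_SAMPLE = {
    "V-101": ("home_care", 100, 900),
    "V-102": ("home_care", 120, 880),
    "V-103": ("home_care", 80, 920),
    "V-104": ("home_care", 110, 890),
    "V-105": ("home_care", 450, 550),   # unusually consulting-heavy
    "V-201": ("transport", 50, 950),
    "V-202": ("transport", 60, 940),
    "V-203": ("transport", 700, 300),   # extreme, but its peer group is tiny
}
# Flatten into payment rows: (vendor, peer_group, category, amount).
PAYMENTS = [
    (vendor, group, category, amount)
    for vendor, (group, consulting, other) in _SAMPLE.items()
    for category, amount in (("consulting", consulting), ("direct_services", other))
]


def category_share(payments, category):
    """Ratio analysis: each vendor's share of total payments in `category`."""
    total, in_category, group = defaultdict(float), defaultdict(float), {}
    for vendor, peer, cat, amount in payments:
        total[vendor] += amount
        group[vendor] = peer
        if cat == category:
            in_category[vendor] += amount
    return {v: (group[v], in_category[v] / total[v]) for v in total if total[v] > 0}


def robust_z(values):
    """Modified z-scores from the median and median absolute deviation (MAD).

    Unlike mean/standard deviation, one extreme vendor cannot hide itself by
    inflating the spread it is measured against.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # At least half the peers are identical: any deviation is maximal.
        return [0.0 if v == med else copysign(inf, v - med) for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_outliers(payments, category, cutoff=3.5, min_peers=4):
    """Return (vendor, peer_group, share, z) for vendors unusual among peers."""
    by_group = defaultdict(list)
    for vendor, (peer, share) in category_share(payments, category).items():
        by_group[peer].append((vendor, share))
    flagged = []
    for peer, members in by_group.items():
        if len(members) < min_peers:
            continue  # too few peers for a meaningful comparison
        scores = robust_z([share for _, share in members])
        for (vendor, share), z in zip(members, scores):
            if abs(z) > cutoff:
                flagged.append((vendor, peer, round(share, 3), round(z, 2)))
    return sorted(flagged, key=lambda row: -abs(row[3]))


if __name__ == "__main__":
    for row in flag_outliers(PAYMENTS, "consulting"):
        print(row)
```

Peer groups below the minimum size are skipped rather than scored, so a vendor such as the constructed V-203 would need a manual look or a broader peer definition.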

Commitment to Fostering AI Competence

Internal audit needs people with relevant skills to drive high-value outcomes with AI. Therefore, it must be able to attract, develop, manage, and retain talent. The team structure should complement the audit function’s existing structure and culture. Each team member should have distinct roles and responsibilities.

Training and incentives may be needed to develop AI skills and mindsets. Academic courses and job rotation training can build data analytics skills. Moreover, because AI may be a new concept for some staff members, internal audit should create a learning environment where auditors can ask questions and work through challenges.

Communications Plan to Engage Stakeholders and Build Support

Collaboration with different departments within the organization is crucial to ensuring AI strategy aligns with business needs. Communications at all business levels can build support for embedding AI into the audit function. Moreover, a well-formulated communications plan can help ensure alignment with business needs and demonstrate success, which in turn can build buy-in.

At a high level, the communications plan should identify stakeholders, select channels, and develop customized messages for different groups, according to authors Sara LaBelle and Jennifer Waldeck in Strategic Communication for Organizations. It also should include provisions to monitor and evaluate the plan’s effectiveness. Some recommendations for building a communications plan include:

» Communicate the reason for implementing the AI initiative to encourage participation.
» Use personalized, succinct, clear, and consistent communications to build trust.
» Use key performance indicators to measure effectiveness and help ensure the AI strategy aligns with business priorities.

OPTIMIZING AI

Taking advantage of the power of AI can help internal auditors provide stakeholders with confidence in their organizations’ operations and deliver higher return on investment in audit services. Accomplishing these goals requires an audit department that nurtures the development of data, infrastructure, people, and processes. Above all, it entails good planning.

Internal audit leaders must understand the current state of data management and analytics capabilities, and refine these capabilities to optimize the value AI can generate. It is a big responsibility, but incorporating AI in audit processes can enable auditors to provide critical advice and assurance in a digitally transformed age.

KITTY KAY CHAN, PHD, is professor of professional practice in Applied Analytics and academic director of the Master of Science in Applied Analytics at Columbia University in New York.

TINA KIM, CIA, CRMA, CISA, CPA, is deputy comptroller for State Government Accountability, New York State Office of the State Comptroller, in Albany.

Collaboration with different departments is critical to ensuring AI strategy aligns with business needs.

DATA ETHICS

TRUST in Technology

Internal auditors can provide assurance that sophisticated data tools are living up to ethical standards and meeting legal requirements.

Neil Hodge

Illustration by Sean Yates

Cutting-edge technologies in artificial intelligence (AI) and machine learning are transforming the way businesses operate and opening up new commercial opportunities for organizations to leverage data. But such progress comes with risks: The technology is not infallible, and companies that are becoming increasingly reliant on it rarely question how the process works, whether it is ethical or trustworthy, or what harm it could cause.

Countless examples show that machine-learning systems can generate prejudicial output — from gender-recognition cameras that only work on white men to algorithms that display ads for lower paying jobs to women. These problems occur because the data that trains AI programs often reflects the biases of its human compilers, while machine-learning systems are molded entirely by their imperfect learning environment. As such, if the input data is skewed and one-dimensional, and the environment from which the data is sampled is similarly restricted, the output will be wholly predictable.

For example, if an online executive recruitment AI system is trained on the resumes of Fortune 500 or FTSE100 companies, the technology will assume it should be targeting white, middle-aged men to fill CEO and board-level roles. Without appropriate checks and balances, experts say, AI systems will just perpetuate the bias that exists in the real world.

“The central problem is that neural networks operate by seeking patterns in data rather than following clear rules of logical inference,” says James Loft, chief operating officer of intelligent automation firm Rainbird in London. “This means they can easily draw irrational conclusions from data, and it can be difficult for humans to understand the causes of their biases.”

And bias is far from the only risk. Data from sophisticated technology also can be manipulated to mislead or deceive, resulting in fraud or other harm to the organization. The output also may run afoul of legal provisions as well as organizational policy. Internal auditors can help keep a watchful eye on the use of these cutting-edge tools, ensuring consistency with ethical requirements and awareness of organizational risks.

MULTIPLE POINTS OF EXPOSURE

Experts say biases can easily be introduced into AI technologies because — at their most basic level — they operate relatively simply: Programs process data that is fed into them, following a predefined algorithm, and then generate outputs. “There is scope for manipulation in the design and operation of all three of these stages,” says Paul Herring, global chief innovation officer at professional services firm RSM Global in London.

For example, he says, it is possible to select the input data in a way that is intended to deliberately skew results. If a financial services firm wanted to attract investors to put money into a Ponzi scheme, for instance, it could generate a misleading report by selecting a sample of existing customers that only includes those who had made enormous returns. Unsurprisingly, the report would show amazing results.

Furthermore, the algorithm or functions applied to the data could be defined in a way to generate skewed results. Continuing with the Ponzi scheme example, even if the inputs included all investors — both winners and losers — the program or algorithm could be defined to ignore the losers or inflate the performance of investors. And even if these first two steps are unbiased and appropriately configured, the report can still be manipulated to highlight certain findings or suppress others.

AI output can run afoul of legal provisions and organizational policy.


More than one-fourth of senior executives say they felt uncomfortable about the use of data at some time during their careers, according to a recent survey by the World Federation of Advertisers.
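One way an auditor could test the input-selection and reporting stages Herring describes above, shown as an added example that is not from the article: recompute the report's headline figure from the ledger, then check whether the customers the report sampled look like a random draw from the full customer population. The ledger values, sampled customer IDs, reported figure, tolerance and z cutoff are all constructed assumptions; the algorithm stage would need its own code review.

```python
import math
from statistics import mean, pstdev

# Constructed ledger: customer id -> annual return in percent (6 winners, 14 losers).
_RETURNS = [40, 35, 30, 28, 25, 22, -5, -8, -10, -12,
            -15, -3, -7, -20, -18, -6, -9, -11, -14, -2]
LEDGER = {f"C{i:02d}": r for i, r in enumerate(_RETURNS, start=1)}

# Constructed report inputs: who the report says it sampled, and its headline figure.
REPORT_SAMPLE = ["C01", "C02", "C03", "C04", "C05"]
REPORTED_AVG = 31.6


def sample_mean_z(population, sample_ids):
    """z-score of the sample mean against a simple random sample of the same size.

    Uses the finite-population correction because the sample is drawn without
    replacement from a small, fully known population.
    """
    values = list(population.values())
    pop_size, n = len(values), len(sample_ids)
    if pop_size < 2 or n == 0:
        return 0.0
    std_err = pstdev(values) / math.sqrt(n) * math.sqrt((pop_size - n) / (pop_size - 1))
    if std_err == 0:
        return 0.0  # whole population sampled, or no variation at all
    sample_avg = mean(population[i] for i in sample_ids)
    return (sample_avg - mean(values)) / std_err


def review_report(population, sample_ids, reported_avg, tol=0.05, z_cutoff=3.0):
    """Re-perform a sampled report against the full ledger and list findings."""
    findings = []
    # Input stage: every sampled id must exist in the ledger.
    if set(sample_ids) - set(population):
        findings.append("unknown_ids")
    known = [i for i in sample_ids if i in population]
    if not known:
        return {"recomputed_sample_avg": None, "population_avg": mean(population.values()),
                "z": None, "findings": findings}
    # Report stage: the headline figure must reconcile to the sampled records.
    recomputed = mean(population[i] for i in known)
    if abs(recomputed - reported_avg) > tol:
        findings.append("report_mismatch")
    # Input stage: the sample should be plausible as a random draw.
    z = sample_mean_z(population, known)
    if abs(z) > z_cutoff:
        findings.append("unrepresentative_sample")
    return {"recomputed_sample_avg": recomputed,
            "population_avg": mean(population.values()),
            "z": round(z, 2), "findings": findings}


if __name__ == "__main__":
    print(review_report(LEDGER, REPORT_SAMPLE, REPORTED_AVG))
```

In the constructed data the report reconciles perfectly to its own sample, so only the comparison against the full ledger exposes the selection.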

To protect themselves from these risks, Herring says, companies — and internal auditors — need to ask questions about how the technology works in practice, and what safeguards it either has built into it, or needs to establish. “It is important to gain an understanding of the methods used by the program to execute the capture and processing of data as well as reporting results,” Herring says. He adds that auditors should inquire “about any built-in biases in each stage.”

SPEED AND OVERRELIANCE

Several experts point out that data has always had biases in the way it is used. The problem is that “AI has the potential to produce and replicate these biases more quickly in its decision-making processes,” says Nathan Colaner, senior instructor, director of business analytics, at Seattle University.

“The job of machine learning technologies is to predict outcomes from the data it is being fed, but any ‘prediction’ is a judging in advance, or pre-judging,” Colaner says. “As a result, no one should be surprised that the decisions it makes could be prejudiced.”

One of the main concerns Colaner has about AI adoption is that organizations become overreliant on the technology and algorithms. “Organizations tend to get swept up with the possibilities that technology allows them to embrace,” he says. “However, while algorithms are an important tool, they should not be used as a crutch — the information they produce is just one source of information among several sources available to the business. Just because the information is produced quickly by a machine does not mean that it is complete and trustworthy.”

outcomes it produces, Colaner says. They also should ask what the perimeters of the algorithm are meant to be, and whether machine learning is producing the agreed objectives, he adds.

However, Colaner also says there is a significant risk of organizations turning a blind eye to how an algorithm produces data. “Too many organizations focus on the results of the process, rather than look at — or even question — the process itself,” he says. “There needs to be more skepticism around AI-produced decision-making. At the moment, however, there is a tendency to just accept the results without questioning how they were arrived at.”

THE NEED FOR TRANSPARENCY

Steve Mintz, professor emeritus of accounting at California Polytechnic State University in San Luis Obispo, says there needs to be full transparency and disclosure about how AI machines are generating data and decisions, how that data is being used within the organization, and what the outcomes of such data use are, both for organizations and individuals. He says internal audit functions should be working with the organization’s IT team so they understand:

» The technology and its risks.
» What the technology is meant to achieve for the organization.
» What safeguards the technology team has put in place to prevent bias.
» What measures the team has established to alert the organization that decisions produced by the technology may be flawed.

Mintz also says internal auditors can help manage ethical risks, including the risk that internal fraudsters compromise the data. “If you can’t trust the level of transparency about how data is being used, then how can you trust the system?” he asks. “There needs to be better explainability and auditability

Consequently, internal auditors should ask what safeguards are in place to interrogate the integrity of the data used by the algorithm, and what mea-sures exist to question the resulting

TO COMMENT on this article,

EMAIL the author at neil.

[email protected]

Page 40: Internal Auditor English - August 2020 Internal Auditor

AUGUST 202038 INTERNAL AUDITOR

TRUST IN TECHNOLOGY

around every part of a process in which a machine makes a decision — plain and simple.”

To check whether the source data is being used appropriately, Ali Hessami, a London-based advisor at technology standards-setter the Institute of Electrical and Electronics Engineers (IEEE), says internal auditors should ask who will ultimately use the results from the analysis. Potential recipients include board members, salespeople, employees, customers, and business partners. Will those individuals or groups use the data to facilitate business decision-making, or perhaps to help identify risks or boost sales? Hessami says organizations should ask themselves who should — and should not — be able to access the data, and what internal controls might be necessary to ensure the data is kept safe from potential unauthorized internal use or external hacking.

“It is important for internal audit to establish who will be impacted by the use of the results, how they will be impacted, and whether the rights, freedoms, or opportunities of any individuals or groups could be affected by use of the analyzed data,” Hessami says. Internal auditors, he adds, need to question whether the organization has explicit permission, as well as the data subjects’ informed consent, to access the data necessary for analysis.

Other experts agree that transparency around data collection and use is paramount. Maurice Coyle, chief data scientist at data analytics specialist Truata in Dublin, says developers, IT vendors, and IT departments should be able to justify their decisions and opinions, and audit teams should be querying those justifications to understand their root.

“Above all else, companies should always be asking developers ‘Why do you think that?’” Coyle says. “Internal audit teams should make sure they understand the reasoning behind what developers implement. Understanding the root of these decisions is the key to gaining assurance that the technology will not cause harm through its processes or outcomes.”

For Peter van der Putten, assistant professor at Leiden University in the Netherlands and director of AI decisioning at software vendor Pegasystems, companies “should favor transparency over accuracy so they know in detail how an AI program arrived at each decision and can then explain this to a customer.” Privacy regulations, such as the European Union’s General Data Protection Regulation, require that companies possess this capability.

Furthermore, van der Putten says internal auditors should ask specifically whether predictive models and the logic behind them are transparent and tested for bias. He adds that auditors should question “whether the AI systems are ‘black box’ machine learning systems, or whether it is possible to impose ethical policies, rules, and constraints on top of them to keep these learning systems under control.”

Only 15% of universities worldwide are teaching artificial intelligence ethics, according to Anaconda Inc.’s survey, The State of Data Science 2020: Moving From Hype Toward Maturity.

DATA GOVERNANCE

At the heart of checking the effectiveness — as well as the shortfalls and dangers — of AI technologies, van der Putten says, is the need to establish robust AI and data governance. “AI governance will soon become a real discipline, and more importantly should not just be a matter of guidelines on paper for people and processes,” he says. “It needs to be translated and operationalized into practical guardrails and encoded into AI technical platforms, models, and rules.”

According to van der Putten, any governance framework should include “tangible definitions and levers” of trade-offs between the company’s objectives and those of the customer when it comes to automated decisions. It also should include procedures for appropriate measurement of bias in models and business rules, while recognizing that bias detection should not just be a single step in a release cycle for new models and rules. “The framework should be measured in an ongoing, continuous basis, as the most modern AI systems are actually learning and optimizing themselves live, in real time,” he says.

Tim Mackey, principal security strategist at software provider Synopsys’ Cybersecurity Research Centre in Boston, says ethically focused governance should include not only an understanding of how data was collected but “how informed any data subjects were to the current or proposed use of their data.” When consumers provide their data, he says, there is an implicit expectation that only the required minimum of data is requested, and that both usage and retention of provided data is aligned with the original transaction or consent. “When data collection, processing scope, or retention are misaligned with consumer expectations,” he says, “data governance risks increase.”

SEEKING ASSURANCE

In many organizations IT and technology risks remain the domain of the IT professionals, as they have the necessary in-house expertise to understand the process as well as the risks. But this approach presents the problem of IT functions essentially reviewing their own work and potentially downplaying risks related to any initiative for which they are responsible. As such, internal audit needs to grasp the nettle and ensure it is in a position to challenge the way AI is used in the organization and become actively involved in AI project development.

While many internal audit functions may not have the resources or in-house technical skills to audit AI technologies in the way they would like, this should not deter internal audit from doing its job — asking questions and seeking assurance. “Expert knowledge is obviously useful, but you don’t need to be a technical expert — nor do you need to understand everything about data and AI,” says Jim Pelletier, vice president of Standards and Professional Knowledge at The IIA. “You just need to know enough to be able to ask good questions, understand your knowledge gaps, and bring in the right resources when they are needed.”

Pelletier says internal auditors should approach AI just as they would handle risks associated with a software upgrade or other technology implementation. “The types of questions you need to ask to gain the necessary level of understanding and assurance are largely the same,” he says.

As trusted advisors, internal auditors need to tell management that data ethics must align with corporate ethics, Pelletier says. Ideally, they also should be involved as early as possible in the discussions about how the organization is going to use AI to further the business, and how data will be leveraged to help achieve those objectives.

“Internal audit can provide insights and advice in the establishment of project governance processes early on,” he says. “That way, the tech team will not just focus on what the technology can do, but also on achieving business objectives ethically while maintaining compliance with data privacy rules at the heart of the project. Internal audit can review what testing has been done to ensure compliance, how rigorous this testing was, and how the results were reported to — and understood by — management.”

Pelletier adds that getting involved in the project from the start also can help the organization realize its goals, especially given that IT projects often fall short of intended results. He points to surveys noting examples of project managers checking to ensure technology is functioning correctly instead of determining whether it is an appropriate solution for the business. “Having internal audit involved early and asking whether the technology is doing what it is designed to do can save a lot of time and money in the long run,” he says.

POWERFUL, BUT NOT PERFECT

AI is a powerful tool — but like anything else, it has its limits. Organizations should come to terms with that fact and remain skeptical about the information the technology produces. And because AI is not 100% trustworthy, internal auditors have a key role in monitoring its usage and the decision-making processes it controls.

NEIL HODGE is a freelance journalist based in Nottingham, U.K.

IIA GLOBAL BOARD CHAIR

Reimagining Resilience

JENITHA JOHN, chair of The IIA’s Global Board of Directors, says today’s crises require organizations to not only bounce back, but also to bounce forward to achieve far-reaching transformation.

Photographs by Tendai Mhlanga

The last few months have catapulted internal auditors into rethinking and reimagining how they can best serve their organizations. Most of us have experienced and witnessed businesses either progressing or regressing within this evolving risk landscape. So much has changed — perhaps permanently.

While life is about constant change, the pandemic has highlighted how rapid and deep change can be. Resilience in its basic form is the capacity to achieve your mandate in spite of the challenges those changes bring. Although many people see resilience as the capacity to bounce back, for me it also involves bouncing forward to a new state no matter how difficult that may seem during this time of crisis. In my year as chair of The IIA’s Global Board of Directors, I will work to help our profession “Reimagine Resilience.” For internal auditors and their organizations, resilience demands far-reaching transformation.

CHALLENGES AND OPPORTUNITIES

The public health dimension of the pandemic has naturally been at the top of the current agenda; however, its other impacts have accelerated preexisting challenges for businesses. One of the key issues over the past few years has been business model transformation. The components of this complex trend can be summed up in a neat formula: D2C5. If D2 is data and digital, which represents what many business models are increasingly based upon, these factors are further shaped by five pressing influences:

1. Customer expectations of online, real-time services backed up by fast fulfilment.

2. A Competitive landscape that is highly dynamic and unpredictable.

3. Culture and Conduct, which are molded by organizational philosophies and reputation.

4. Compliance imperatives guided by the regulatory landscape.

5. Cyber platforms that present risks and opportunities.

Each of these trends can have profound implications. For example, during the pandemic the control environment associated with the cyber world has rapidly evolved. It is often no longer predominantly on-site at the business. It has moved into homes and onto the cloud, making the cyber environment much more vulnerable. Layered over these immediate challenges are new geopolitical trends, climate change, and the fourth industrial revolution.

But threats bring opportunities for those ready and willing to grasp them. Throughout the pandemic, for instance, internal audit has had to find smarter ways of conducting audits and offering advice quickly through the effective use of technology. Many internal auditors have revolutionized their working processes and departments to operate in tandem with their businesses. They have become trusted business advisors and represent pockets of excellence throughout the world. Elsewhere, internal audit leaders must become more catalytic by encouraging innovation and smarter ways of working. They must realign their objectives with what is happening in their organizations.

I urge internal auditors to rise to the challenge by focusing on five core imperatives — technology, agility, collaboration, talent, and tenacity.

USE TECHNOLOGY STRATEGICALLY

Technology enables internal auditors to be strategic and focus on the bigger picture. With the holistic view technology can provide, auditors can help accelerate smarter ways of working and improve decision-making within the organization.

For example, at one stage in my career, I worked in a bank as chief audit executive (CAE). My team was given the job of evaluating different governance, risk, and compliance platforms that would be rolled out across the enterprise. We wanted to use the same platform to create a holistic view of the risk and control environment. Thus, we developed common taxonomies for the organization so we were consistent in our reports to governance committees. This eliminated the common problem of partitioning risks within individual business units, and it added value to reporting to governance committees because the first, second, and third lines could talk consistently about any particular risk.

Few technology implementations run smoothly from day one, and there will be frustrations along the way. If the organization is lagging technologically, internal audit will need to encourage management to speed up its implementations. Internal audit departments with few automated processes should start small and build over time. Where the business has been at a more advanced technological state than the internal audit department, for instance, internal audit should leverage the business’s expertise and experience to develop smarter audit techniques. This will enable internal audit to align its capabilities with the enterprise.

BE AGILE TO ADDRESS PRIORITIES

For internal auditors, being agile means ensuring their teams are aligned with organizational priorities and can respond quickly. Aside from just embracing agility in the audit process or methodology, internal auditors must provide relevant insights and advice that foster innovation and improvements within organizations. Too many audit departments are locked into an annual audit planning cycle that stifles creativity and flexibility. CAEs need to be confident that their planning process gives them the power to frequently realign and change their audit program so it reflects their understanding and anticipation of emerging issues.

Taking such an approach elevates the creation of the annual audit plan into an exercise in combined assurance. In my time as a CAE, for example, the process was underpinned by holding an annual audit planning workshop with key stakeholders. As part of such a workshop, the CAE should ask the CEO, chief risk officer, nonexecutive directors, and others how they see the risk and control environment and whether they think internal audit has missed anything important. The CEO has an opportunity to directly articulate the key risk and control areas internal audit should address. That may include new corporate activities or mergers and acquisitions, where an internal audit exercise could add value. The CAE can list these critical activities and build them into the internal audit plan.

While the annual plan retains its importance in the agile audit process, it is equally important to engage more regularly with the audit committee and other board committees. A quarterly meeting can be effective in sharing which audit activities are in progress and which have been suspended because they have ceased to be key priorities for the organization. Agility enables the audit department to be risk-based in its planning. It enables the CAE to use his or her seat at the table to listen to what’s happening and align the audit plan to reflect the organization’s most important priorities.

COLLABORATE TO COMMUNICATE

Collaboration is critical to internal audit’s success. While some internal auditors have specialist knowledge of particular audit techniques or business areas, most are not specialists — those specialists are most likely sitting in the first and second lines. Internal auditors must leverage the knowledge and expertise in those lines without crossing the line of objectivity. In fact, CAEs must see collaboration as a strategic role for the internal audit function. Collaboration creates alchemy across the three lines — that magical process of transformation and combination that happens when people work with each other and respond to, anticipate, and reshape what is taking place in the organization.

Strong relationships within the business also can help auditors better understand the nuances and dynamics of the risk landscape. In my roles as a CAE, every audit engagement began with a facilitated audit planning workshop with the managers in the target area and the risk and compliance people. That enabled the team to create a risk and control matrix that was reflected in the audit process and in the reporting.

Using this approach, the audit’s stakeholders receive regular communication from the audit team, and during the closing process the same participants come together in an issue-remediation workshop. The same players that were there at the planning stage discuss with internal audit the exposures that the organization faces if the risk manifests, the root cause of those risks, and the agreed management action to address them. Not only is the whole process done faster through collaboration, it also avoids internal auditors making best practice recommendations that may not be pragmatic for their particular organizations. Management actions are firmly owned by the very people who have helped identify them.

HIRE THE RIGHT TALENT

Effective talent management enables internal auditors to achieve the optimum mix of skills and experience to serve their organizations well. Internal auditors at every level of the profession must be committed to continuous professional development. That entails both understanding what is happening in their own industries and in the internal audit profession at large. The IIA globally has been enhancing its services to help internal auditors achieve their potential as professionals who can become trusted advisors with a holistic outlook.

Traditional internal auditors are fast becoming obsolete. Today, all auditors need to have the knowledge and skills to audit the entire value chain. Recruiting the right new people, sometimes with nontraditional audit skills — those with different ways of thinking, who embrace change and are willing to adopt new ways of working — has become even more essential. CAEs must ensure they work with human resources (HR) so the recruitment and selection processes do not reflect outmoded stereotypes of attracting the right internal audit talent. By working with the head of HR, CAEs can ensure they communicate what the business needs and that the right skills are developed within the team.

CAEs must use all the tactics available to build talent, including hiring secondments from the first and second lines and cosourcing from a third party. Staff must be equipped with the right IIA qualifications and training. CAEs can boost skills by creating networking forums in specialist areas to spread knowledge among the entire team. They should consider using The IIA’s Global Internal Audit Competency framework alongside the audit plan to identify gaps and plan for the future skills needed in the team.

BE TENACIOUS

Individuals and organizations that are not tenacious are not resilient. Tenacity enables internal auditors to change challenges into opportunities. That requires having the courage to share views on the risk landscape that business leaders may not want to acknowledge or accept. That is what it takes to have a seat at the top table.

Looking at the challenges posed by D2C5, tenacity becomes a vital resource. In some respects, I am fortunate enough to have a bold personality — I am naturally able to voice my opinions, accept criticism, and learn from my mistakes. But I also live by a certain motto that says competency builds confidence. If internal auditors commit to lifelong learning and are able to demonstrate their competence to themselves and others, they will develop the courage necessary to understand, learn, speak up, and open themselves to new challenges.

On a very practical level for CAEs, that means using their seat at the table to invite constructive criticism. I have always used customer satisfaction reviews as part of my internal audit routine. After every audit and also biannually, I issued a report card to stakeholders. Any criticism is a good starting point for improving the audit process. Sometimes it is going to be difficult to retain one’s composure, but internal auditors must be able to navigate corporate politics. As I often say, persistence pays profits.

WORK TOGETHER

If that all sounds like too much to take on, internal auditors should remember they are not alone. They are part of a global profession that is working together to achieve excellence in organizations. The Global IIA is a treasure trove of resources — whether it is the formal qualifications, training, webinars, and conferences, or the informal networks and special interest groups. For example, Global IIA has been very active during the pandemic, putting together the COVID-19 Resource Exchange where members can freely tap into the different ways of auditing during this time. Working with the Global IIA team has been fantastic for me, personally, because it has allowed me to network with like-minded individuals.

I urge all internal auditors in this difficult time to reimagine resilience, both in their own professional lives and in the internal audit functions in which they work. Be enthusiastic, commercially aware, and not afraid of moving into uncharted territory. If internal auditors can learn to better shape the destinies of the organizations that we serve, we can help those organizations bounce forward as they emerge from the crisis.

JENITHA JOHN, CIA, QIAL, is CEO of the Independent Regulatory Board for Auditors in Johannesburg.

A RESILIENT LIFE

The theme of resilience resonates with me because I grew up in an orthodox, deprived family during the apartheid years in South Africa. Both of my parents died in middle age — an experience that forced me to derive independence from a young age. These events led to me constantly and tenaciously reimagining my future.

Today, I have more than 26 years of corporate experience, including working as an internal auditor in diverse industries, and I have become known as a change agent in the profession. For 16 years, I also served as a nonexecutive director of both public and private sector entities, which boosted my strategic and operational knowledge. Being an internal auditor has provided me with the best platform for making a significant difference in the organizations in which I have worked.

I moved from being senior vice chair to global chair of the IIA Global Board of Directors in July 2020. I am currently CEO of the Independent Regulatory Board for Auditors (IRBA). The IRBA is a public protection statutory body established to protect the financial interests of the public by ensuring registered auditors and their firms deliver services of the highest quality.

Recognized as “South Africa’s Internal Auditor of the Year” in 2014, I have overcome my fear of public speaking by addressing conferences around the globe on a variety of topics, such as corporate governance, risk management, auditing, combined assurance, women in leadership, and the impact of AI and robotics on industries. In addition, I participate in mentoring circles, panel discussions, and networking sessions throughout the world, and I strongly believe in developing young minds.

I participated on the King IV Corporate Governance technical committee before its release in November 2016. I am also one of the contributing authors to the seventh edition of Sawyer’s Internal Auditing. This book is used globally at universities to teach internal auditing. Most recently, I chaired a global working group spearheading The IIA’s Three Lines Model, which is an update of The Three Lines of Defense and was released in early July.

I continue to reside in South Africa. And with my supportive husband, we are raising two teenage daughters and a Maltese poodle.

PHOTO BY TIYANA JOHN


Norman Marks

AUGUST 2020

n 2015, an IIA task force composed of leading practitioners from around the world considered whether the 1999 Defi nition of Internal Auditing should be updated. The task force concluded that the defi nition remained an excellent description of internal auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disci-plined approach to evaluate and improve the effectiveness of risk management,

control, and governance processes.However, the task force supplemented the defi nition with the Core Principles

for the Professional Practice of Internal Auditing and the Mission of Internal Audit. These were a signifi cant step forward in guiding internal audit functions around the world.

The task force wrote the Core Principles and Mission very carefully. Its intent was to make them concise as well as punchy and powerful. In addition to some

IMagical

ASSURANCE

The Mission of Internal Audit makes a powerful statement about how auditors can provide the assurance, advice, and insights that matter to their organizations.

47INTERNAL AUDITOR

CHAI

NAR

ON

G PR

ASER

TTH

AI /

ISTO

CK.C

OM

Page 50: Internal Auditor English - August 2020 Internal Auditor

AUGUST 202048 INTERNAL AUDITOR

insig

htadviceInternal controls not only provide assur-

ance on managing or mitigating the downside, but they also enable seizing and optimizing the upside. In fact, inter-nal controls surround the processes for making the decisions about which risks to take. They provide assurance that the right people are making important busi-ness decisions, based on timely and qual-ity information — including input from others who might be affected — after weighing all the things that might hap-pen, both harmful and beneficial.

The task force recognized that con-sidering downside risks without the con-text of the potential reward is not a wise way to make decisions, run the business, and be successful. Internal audit needs to help management make informed and intelligent decisions, taking the right risks to achieve enterprise objectives.

RISK-BASEDThe traditional internal audit risk assessment process involves prioritiz-ing the organization’s business units, processes, and systems based on factors such as revenue, complexity, and his-tory of control issues. Internal audit performs a second risk assessment before each audit engagement starts to identify the more significant risks to the specific business unit, process, or sys-tem. Those lower level risks become the scope for the audit.

For example, when I became the chief audit executive (CAE) at a large global manufacturing business, I inher-ited an annual risk assessment process that identified the locations that should be audited based on those traditional risk factors. One of those locations was the operation in Austin, Texas. In its planning for the audit, the team had identified information security, pro-curement, and accounting as the more significant areas of risk where they would test related controls.

I had only been with the company a week when I was given the draft audit

important language, they contain mag-ical words that carry great meaning.

The brief Mission, which is intended to be optional guidance for audit functions that wanted to create a mission statement for their own depart-ment, reads: “To enhance and protect orga-nizational value by providing risk-based and objective assurance, advice, and insight.”

Let’s break down that statement to show how internal audit can apply those words, especially the three magical words — assurance, advice, and insight — to help the organization achieve its objectives.

ENHANCE AND PROTECTTraditionally, internal audit has focused on assessing the design and operation of the controls that keep risks within desired boundaries. The emphasis has been on protecting the organization from harm. Internal auditors iden-tify the things that might happen to impair the ability of the organization to achieve its objectives, commonly referred to as risks. They assess the level of those risks and determine whether management has an effective system of control in place that provides rea-sonable assurance that the risks are at acceptable levels.

But, the task force members believed that internal audit has the ability to help the organization not only protect, but enhance, value. For example, auditors can consider whether management has effective processes, systems, and controls to:

» Optimize the value of the deals made with customers.

» Seize opportunities when competitors stumble.

» Recognize the possibilities presented by new technology for enhancing the organization’s processes, systems, or operations.

» Hire outstanding individuals, even when the organization does not have open positions.

MAGICAL WORDS

TO COMMENT on this article, EMAIL the author at [email protected]


49% of respondents say their audit function provides significant value to the organization, and 41% say C-level executives are very satisfied with internal audit, according to a 2020 Internal Audit Foundation study.

We published one report with our assessment of our enterprise ability to source quality materials at a reasonable price. The report identified Penang as being world-class, with opportunities for the company if its practices were adopted by the other locations. We also shared individual assessments in reports to each of the locations’ management teams.

Instead of providing information that mattered to local management, we provided information that mattered to enterprise management. This is enterprise risk-based auditing.

ASSURANCE

The Mission of Internal Audit says internal audit provides “risk-based and objective assurance, advice, and insight.” While it is fairly clear what objective means, not everybody understands what the statement means by assurance.

Assurance, advice, and insight are magical words. They carry huge significance, and if internal auditors are able to optimize the quality of the assurance, advice, and insight they provide to leaders of the organization, they will be highly valued.

Assurance is much more than expressing an opinion on the adequacy of controls and detailing the controls that are less than effective. For example, when I asked my audit committee chairman how well internal audit was performing, he said we “helped him and the other board members sleep through the night.” We gave him assurance that he could rely on the company’s organization, systems, people, and processes to perform as management

report for Austin to review. The team had identified several issues that they assessed as significant, and after reviewing its work, I agreed. My problem was that the issues were only significant to operating management in Austin. They were not significant to senior management of the company. The audit had focused on risks to operations in Austin rather than risks to the enterprise.

I changed the audit planning process so the audit plan was designed to address the more significant sources of risk — and opportunity — to the organization’s objectives. We started with understanding those objectives, identifying the more significant sources of risk to achieving them. Then we determined what we should audit and where to obtain assurance that those enterprise risks were addressed appropriately.

One of the more significant sources of risk and opportunity was the company’s ability to source quality materials at a good price at its more than 150 plants around the world. The business operated with very low margins, and our ability to meet customer demands and make a profit depended heavily on the effectiveness of the procurement processes.

I designed an approach with multiple audit engagements. Three of my best people — the two leaders of my U.S. and Asia teams and our specialist in procurement and contract auditing — performed consecutive audits of some of our largest operations, in Bordeaux, France; Charlotte, N.C.; Penang, Malaysia; and Suzhou, China. They also looked at the global procurement department at our corporate headquarters in California, which negotiated global contracts with our primary vendors. Not only did they assess the design and operation of the procurement functions at each location individually, but they also considered how well they shared best practices and worked together.

and the board needed. Any time there was a serious weakness that threatened the achievement of objectives, he knew we would not only find it but work with management to correct it.

Similarly, when I asked the CEO of the division that owned 6,000 convenience stores and gas stations for his assessment, he said, “We helped the organization stay efficient.” That was a critical need for him because this is a very low-margin business.

The highly effective CAE provides business leaders with the assurance they need that the more significant potential harms will be addressed and opportunities seized. The CAE shares his or her assessment of the systems of internal control and enterprise risk management that the organization relies on to manage the business and the things that might happen on the road to successfully achieving objectives.

In the previous example, the opinion statement in the audit report provided management with the assurance it needed relative to the organization’s ability to source materials and achieve cost-control objectives. But internal auditors do more.

ADVICE AND INSIGHT

Many internal auditors are uncomfortable sharing their advice, let alone their insight. They will recommend corrective actions for the control weaknesses they identify, but they are reluctant to go further. Yet, several of the task force members spoke eloquently about how the less formal advice they gave management in one-on-one meetings often was of greater

as·sur·ance a positive declaration intended to give confidence.


“Today’s rapidly changing risk landscape demands that internal auditors assess risks frequently, even continuously,” notes The IIA Practice Guide, Developing a Risk-based Internal Audit Plan.

value than what they were able to put in the formal report.

Internal auditors are professionals. Their position as objective observers of the organization and its processes enables them to obtain insights that, if shared with management, can be very valuable to them. When internal auditors combine their professional insights with their ability to give advice to management or the board, they are delivering great value to the organization.

Just as doctors and mechanics are entitled to their professional opinion, so are internal auditors. It is not necessary to have the level of proof that will stand up in court; auditors can rely on their experience and intelligence in forming their judgments and insights.

Sharing those insights in the form of advice is easier when management sees internal auditors as professionals and respects their objective assessments. In my experience, management will listen and thoughtfully consider that advice before making its own judgment and decision.

My experiences, which are similar to others in the task force, included:

» Discussing with senior management the inability of a department head to trust his employees, delegate work, or motivate his employees. As a result, he was overworked and making mistakes in accounting and customer billing.

» Reviewing a proposed organizational realignment with the chief information officer and giving him my opinions on how well it might work.

» Sharing the audit team’s experience at a prior employer with the software that the IT department was planning to implement.

» Helping a division CEO understand that his relationships with his direct reports and micromanagement of capital spending were inhibiting their performance.

» Advising a recently acquired subsidiary’s chief financial officer about how to work effectively with the corporate finance team.

» Informing an executive that some of his people were excellent and of high potential.

I recall a meeting I had with a senior executive that went well over the allotted time. As we went to the door to leave for our respective meetings, I thanked him for his time and apologized for going over. He turned to me and told me not to apologize. Our meeting, when we had discussed at length the division’s operations and challenges, was one of the few times he was able to sit and think about the business rather than constantly fighting fires. He respected my insights, appreciated the way my questions made him think, and valued my advice.

MAKE A DIFFERENCE

Business leaders welcome the assurance, advice, and insight that a respected professional, such as the CAE, can share about his or her operations. When we talk about what matters to them — their ability to succeed — they value:

» Assurance that they can sleep at night, knowing they can rely on the organization’s people, systems, processes, and controls.

» Advice on how they can address any deficiencies and improve their efficiency and effectiveness.

» Insights on other matters that affect how they run the organization, making the informed and intelligent decisions necessary for success.

Internal auditors should not restrict their work — their products and services — to assessing only the controls that protect value. They should provide the assurance, advice, and insight that leaders need, when they need it, on what matters to the success of the organization. That includes creating value as well as protecting it. Internal auditors are professionals with the ability to help management and the board succeed, and should not unnecessarily limit their ability to make a difference.

NORMAN MARKS, CPA, CRMA, is a retired CAE and chief risk officer who has written several books on internal auditing and risk management.

in·sight a clear, deep, and sometimes sudden understanding of a complicated problem or situation.

ad·vice guidance or recommendations offered with regard to prudent future action.


AUDIT PRACTICE

Agile Auditing Simplified

This project management methodology can increase audit transparency, communication, and accountability.

Amanprit Kaur Kaller

MIKHAIL GRACHIKOV / SHUTTERSTOCK.COM

The Agile methodology can be transformative for an internal audit department. A few years ago, while working at one of the largest banking institutions in the U.S. with global operations, I had the opportunity to pilot Agile auditing, and then successfully rolled it out within my global audit team. Since then, I have also implemented Agile auditing at a smaller financial institution.

When the methodology is executed correctly, it provides accountability and transparency that enable audit processes to be performed more efficiently, while empowering staff. Internal audit departments that haven’t yet adopted Agile auditing should learn more about the tools and processes.

APPLYING AGILE TO AUDITS

As a project management methodology, Agile can apply a consistent approach to audits — essentially projects — providing staff members with tools for success, and thereby decreasing the risk that audits will be poorly managed.

Short, Efficient Cycles

Agile breaks the audit down into small chunks of work that are delivered within short cycles — such as two weeks — of work called sprints. Each sprint has a series of meetings or events that facilitate the management of work.

Sprints begin with a planning meeting, where the team agrees on what work will be completed within the sprint. This is followed by short, daily “stand-up” meetings, where team members discuss their work to ensure that it can be successfully delivered.

As the audit progresses, new information or findings may be identified that require adapting the audit approach or audit work. “Storytime” meetings, held as needed, provide the flexibility to


AGILE AUDITING SIMPLIFIED

TO COMMENT on this article, EMAIL the author at [email protected]

EXAMPLE HIGH-LEVEL USER STORY BACKLOG

AUDIT PHASE: Pre-planning

USER STORY:
As an auditor
I want to perform a high-level walkthrough of process 1
So I can understand the process and identify key risks, controls, and stakeholders.

DEFINITION OF DONE: DELIVERABLE

» Document the audit objectives and a high-level understanding of the process with key risks and controls to be considered for scoping.

» Identify key stakeholders and schedule walkthrough meetings for the planning phase and weekly status meetings.

TIPS AND BENEFITS

» Where the audit is covering multiple processes, this user story could be broken down by process to enable separate meetings with process owners or kept together for an end-to-end view.

» It is helpful to complete this user story a couple weeks before the start of the audit, as it will help the auditor in charge draft an initial backlog of user stories and schedule key planning meetings.

AUDIT PHASE: Planning

USER STORY:
As audit management
I want to understand the scope and audit approach
So I can ensure the audit is scoped and executed appropriately.

DEFINITION OF DONE: DELIVERABLE

» Document the audit planning memo (APM).

TIPS AND BENEFITS

» This user story often is owned by the auditor in charge and tailored to the audit methodology. To keep the user story to a couple days of work, audit management can break it down into the sections of the APM or by planning phase deliverables.

AUDIT PHASE: Planning

USER STORY:
As an auditor
I want to perform a detailed walkthrough of control X
So I can assess whether control X is designed effectively to mitigate risk A.

DEFINITION OF DONE: DELIVERABLE

» Document the walkthrough with a design effectiveness conclusion.

» Define the operating effectiveness testing approach and document the testing table, if relevant, with the walkthrough sample(s) populated.

» Draft requests for documents, data, and/or meetings for operating effectiveness testing.

TIPS AND BENEFITS

» A separate user story should be created for each control in scope.

» Documenting the work at this level in planning helps ensure that the right controls are included in the scope, that everyone is on the same page regarding test execution, and review time at the end of the audit is reduced as most of the workpaper has already been documented and reviewed.

» Capturing the operating effectiveness request list in planning enables requests to stakeholders to be made early, which, in turn, minimizes the impact of stakeholder delays on sprint execution.

AUDIT PHASE: Fieldwork

USER STORY:
As an auditor
I want to test whether control X is operating as designed
So I can assess whether control X is operating effectively to mitigate risk A.

DEFINITION OF DONE: DELIVERABLE

» Document testing with an operating effectiveness conclusion.

» Update risk conclusion.

TIPS AND BENEFITS

» A separate user story is created for each control in scope.

» Where testing is going to take more than a few days, it should be broken down into smaller tasks. This enables a “hot” or real-time review to ensure testing is being performed efficiently and documented appropriately. The movement of the user stories on the sprint board also helps provide a sense of accomplishment and progress.

» Separate user stories should be created where issues are identified, as these will require additional time to capture, communicate, and agree on the issues and obtain action plans. The user for this story also changes to the audit client, as it is the recipient of the issue.

AUDIT PHASE: Reporting

USER STORY:
As an audit client
I want to understand the findings of the audit
So I can respond appropriately to the results.

DEFINITION OF DONE: DELIVERABLE

» Document, agree on, and communicate the audit report.

TIPS AND BENEFITS

» As the issues are already being discussed in fieldwork, this user story is normally fairly straightforward to complete.

» A separate user story or task could be created for the audit exit meeting.

In sprint planning meetings, the team should break down user stories/tasks enough so that auditors are clear about what they are doing and why. It is a delicate balance to ensure that staff members see the progress of their user story

update the work to be completed within the audit or the sprint.

The audit team leverages a sprint review at the end of the cycle to showcase its sprint achievements, explain any tasks that were not completed, and add any tasks it identified during the sprint to the backlog. It holds a retrospective meeting to help the team continuously improve by asking what went well, what could be done better, and what should be implemented in the next sprint — whether it’s continuing something that worked or fixing something that didn’t.

Capturing the Work to Be Performed

At the beginning of the audit, the audit team captures and prioritizes all the tasks or activities to be performed in the form of a backlog, which is updated, as needed, throughout the audit. This backlog comprises user stories that are defined in the format:

» As a [User: Who is the task for?]

» I want [What needs to be done?]

» So I can [Why does user want this?]

User stories ensure expectations and deliverables are clearly captured and agreed upon before execution. Capturing the “why” helps provide a consistent understanding of the purpose of the audit work. Each task has a definition of “Done” so everyone knows what must be delivered. Each user story or task is also sized relative to the others. Sizing the work (extra small, small, medium, large, extra-large) helps track the level of effort required for each user story/task and provides visibility into the level of effort required to complete the audit.

The audit team is empowered to size the user stories in the initial audit planning meeting where the user story backlog is reviewed and prioritized. CAEs should think ahead about how


39% of CAEs and directors expect to increase their use of Agile auditing techniques in the next 12 months, according to a June 2020 IIA Audit Executive Center Knowledge Brief.


or task within the sprint, but not in such detail that time is being wasted managing them. It is also helpful to number each user story so it can easily be referenced in discussions.

this backlog may be broken down into sprints throughout the audit.

In the sprint planning meeting, the audit team should break user stories down into smaller tasks if they are more than a few days of work and describe them in detail so the task and deliverable are clear. During this meeting, auditors also can choose what user stories/tasks they will work on. The task owner is recorded so it is clear who is responsible for ensuring the user story/task is being delivered within the sprint. See “Example High-level User Story Backlog” starting on page 54 for a starter list that can be tailored to any audit.

Transparent Tracking

During the sprint, the team tracks work using a sprint board or task board with columns labeled “Sprint Backlog,” “In Progress,” “Blocked,” “Review,” and “Done.” Initially, the sprint board captures all the tasks to be performed during the sprint in the sprint backlog column. Audit team members work on one task at a time and move it from “In Progress” through “Review” to “Done.”

A team member will only begin work on the next task when the user story/task he or she is working on is “Done” or “Blocked,” meaning the task cannot be worked on anymore and action is required to move the audit work forward. This helps reduce the time auditors spend context switching between different tasks — remembering what they were doing so they can start working on a task again — and enables them to focus completely on one task. Capturing blocked tasks enables timely communication about where action or escalation is needed to complete audit work. The daily stand-up meetings also provide the auditor in charge visibility into where an auditor might need additional assistance, as


Key factors to determine before adopting Agile include identifying objectives and the level of change the team is willing to make, according to Gartner’s Adopting Agile in Audit.

it helps monitor how long the team member has been working on a user story or task. The auditor in charge can follow up with the team member offline if a task is taking longer than expected. The team should only move tasks on the sprint board during one of the events (Agile meetings: planning, daily stand-ups, storytime, or sprint review).

With the sprint board approach, the team reviews work in real time, so it can identify any complications with execution early and spread reviews of audit work throughout the audit, rather than compressing them at the end of the audit.

COMMON CONCERNS

As with any change, adapting to Agile auditing can be challenging, especially for auditors accustomed to the traditional audit approach or a less structured project approach. Here are a few of the concerns I have heard in Agile audit training sessions and from new Agile audit adopters.

Agile Does Not Fit Our Audit Methodology

Because Agile is a project management methodology, its principles can be adopted in any audit department and with any audit methodology. Audit work is performed and documented in line with the internal audit department’s existing audit methodology. Although internal audit functions often implement Agile auditing alongside a move to a dynamic risk management audit methodology, they can benefit from Agile without a dramatic audit methodology change.

Daily Meetings Take Too Long and Are Hard to Manage Globally

A common mistake in daily stand-up meetings is having detailed discussions that should be taken offline. They are purely touch points and should last no longer than 15 minutes. These meetings can take as little as five minutes when they are limited to answering Agile daily stand-up questions, and they still provide visibility and support. Stand-up questions include: What did you do yesterday? What are you going to do today? Are there any blocks to delivery (i.e., anything hindering delivery)? Have you identified any exceptions?

Meetings are easier when the audit team is based locally and can stand around and update a physical storyboard. However, these meetings still add value with remote working. With a global team, it is best to set a time when everyone can attend and to have a virtual storyboard. Where this is not possible, auditors who cannot attend simply send in their updates before the meeting. The auditor in charge can follow up with them after the meeting, if needed. Remote staff can view the virtual storyboard to see the team’s status so they still feel part of the team.

With the current remote working environment due to COVID-19, a virtual storyboard that can be accessed by the audit team is essential. It is helpful to have user stories in the same file as the storyboard. As the audit is broken down into small tasks, Agile provides visibility into remote working productivity. The audit management team also can access the board to stay close to the audit and see how it is progressing.

Stakeholders Don’t Want Daily Meetings With Audit

Stakeholder engagement in the daily stand-up meetings is optional. Often, the auditor in charge will have daily catch-ups with the client’s audit liaison, so the information from the daily stand-up meetings is valuable to help resolve any blocks to completing audit work. Some audit clients prefer to have weekly status updates.

Other clients like the daily meetings, as they provide some oversight of the audit. In this case, the client meeting should take place immediately after the audit team’s daily stand-up meeting so it does not stop the audit team from raising concerns openly.

AGILE AUDITING MAKES SENSE

Agile auditing empowers audit team members to choose what they work on and to better understand why they are performing their work. By allowing staff members to select what tasks they work on, it is easier for them to manage their time and consider their other commitments, such as other audits. Agile project management methodology tools provide visibility without micromanaging. Best of all, Agile auditing helps spread out audit work, creating less pressure at the end of the audit to deliver everything at once. To put it succinctly, Agile auditing formalizes good project management practices, improving productivity, efficiency, collaboration, and communication.

AMANPRIT KAUR KALLER, ACA, CISA, CIPP/US, CISSP, is an audit director in New York.

Agile principles can be adopted in any audit department and with any audit methodology.

Board Perspectives

WHAT COVID-19 TEACHES US ABOUT ESG’S IMPORTANCE

Understanding the connection between the two may be key to corporate resilience.

BY MATT KELLY

They say that even a kick in the rear is a step forward, and COVID-19 has delivered one mighty kick to corporate posteriors around the world. Now one question is whether boards will lurch forward — on, of all things, environmental, social, and governance (ESG) issues.

The ties between COVID-19 and ESG performance are more direct than one might assume. The virus has forced organizations to consider a host of specific questions, but the deeper, existential questions boards face are two: How can we preserve sustainable operations amid unpredictable circumstances? And, how can we hold all our stakeholders together and continue to create value?

Well, ESG issues ask those same questions. So boards that have considered how to fit ESG into corporate governance may be better prepared for the crisis.

“It’s absolutely an accelerator, what’s happening right now,” says Daniela O’Leary-Gill, who sits on the board of the Museum of Science and Industry in Chicago, as well as the board of BMO U.S. Funds, a mutual fund run by BMO Financial. O’Leary-Gill views COVID-19 as a test of corporate resiliency. Strong ESG governance fosters resiliency by driving the company to focus on issues such as sustainable supply chains, trust in the organization, and reliable governance that transcend any specific CEO or board directors.

That resiliency can then prove invaluable during extreme risk events. O’Leary-Gill says organizations ignore the connection between ESG and resilience at their peril. “The current situation is a lesson in priorities,” she says. “Organizations are well-served to put ESG on the ongoing agenda versus an occasional discussion. That kind of preparedness provides greater resiliency to the company’s operations.”

The Relevance of ESG

It might seem strange to talk up ESG these days, given the economic calamity and operational crisis all around us. When you examine the component parts of ESG, the relevance of those issues to the COVID-19 crisis becomes clear. Consider:

» Environment. One pillar of good environmental stewardship is using as few natural resources as possible, and generating as little waste as possible. That implies an efficiency of operations that’s welcome in a cost-sensitive environment. It’s also a nice hook to woo environmentally conscious consumers.

» Social. This can include everything from workplace safety, to paid sick leave, to workforce development. Regulators are already watching companies’ commitment to safe work environments in the time of COVID-19. Sick leave, worker training, and similar policies about human capital also can prove valuable to help companies keep employee sentiment on their side.

» Governance. This principle encompasses the board’s oversight of corporate conduct, shareholder rights, executive succession, and similar issues. First, the risk of corporate misconduct rises during difficult times, so a board skilled at risk management will do a better job policing against that threat. Second, a rigorous board, committed to good governance, is likely to stay on the right side of investors and root out organizational shortcomings more quickly.

TO COMMENT on this article, EMAIL the author at [email protected]

More broadly, boards should pay attention to ESG because investors, employees, business partners, and other stakeholder groups still consider ESG important — especially now as COVID-19 and the ensuing recession drive people to question what role companies should play in society.

Investment dollars, for example, are still gushing into ESG funds. According to Morningstar, ESG investment funds worldwide saw inflows of $45.7 billion in the first quarter of this year, while the broader investment world saw net outflows of $384.5 billion. Exchange-traded funds had been briskly marching toward all-time highs in 2020 until early March, when they tumbled by 30% or more. Now the largest of those funds is already flirting with its all-time high again.

“The shareholders are going to be better off because of this,” says Andrea Bonime-Blanc, a former board director of the Ethics and Compliance Officers Association and a current director for the National Association of Corporate Directors, New Jersey Chapter. “Maybe you can’t measure it quarter to quarter, but over the long term, you definitely can measure the progress.”

She, like O’Leary-Gill, stresses resilience. “To me, the best argument isn’t that the regulators are coming,” she says. “The best argument is that you are building organizational resilience that allows you to survive and thrive in good times and bad.”

Putting It Into Practice

Boards that want to leverage ESG issues for long-term resiliency need to start with a direct question: Is the necessary experience in the boardroom? “To meet this crisis, boards should have more people who are not chief financial officers or CEOs,” Bonime-Blanc says, “but chief risk officers, chief ethics and compliance officers, and chief corporate responsibility officers.”

Likewise, O’Leary-Gill asks, what is the fluency on the board in ESG issues generally, as well as the specific ESG issues that might be most relevant to each board’s organization? That is, manufacturing companies might need more expertise in environmental sustainability. Software companies, in contrast, might want expertise in workforce diversity and pay equity.

From there, the work might start to sound familiar. Boards must decide which ESG issues are most important to their stakeholders, which key performance indicators (KPIs) match those issues, and what sustainability frameworks could help the organization steer those KPIs in the right direction.

This is where a strong audit function can assist. Frameworks need to be reviewed; metrics need to be developed and translated into policies, procedures, and internal controls — which will then need to be tested.

How well will all that effort pay off, with a vibrant organization that can weather difficult times? That’s hard to say.

Then again, COVID-19 is only the crisis of the moment. Boards also need to consider climate change, social inequity, and other crises after that. Resiliency will be crucial to all.

MATT KELLY is editor and CEO of Radical Compliance in Boston.

To learn more about this topic, read The IIA’s latest Tone at the Top, “ESG’s Role in Managing COVID-19 Impacts and Risks.”

ESG AND SOCIAL JUSTICE

COVID-19 isn’t the only urgent concern for boards these days. This spring also saw throngs of people take to the streets in the U.S. and around the world, protesting systemic racism and social injustice. It’s another example of how attention to ESG issues can better position a company for swift, unexpected disruption. “It’s a double whammy of ESG issues corporations should pay attention to,” Bonime-Blanc says.

Since the protests erupted in late May, organizations have rushed to support the Black Lives Matter movement or — as happened with the CrossFit fitness company — to part ways with chief executives who inflame the situation with racist comments.

The Black Lives Matter protests do raise a challenging point. Social questions — the “S” in ESG — are the most fraught issues to address, with substantial reputational risk. At the same time, they have the least guidance about what boards should do. (Compared to environmental regulations, for example.)

“The spotlight will be on the S,” O’Leary-Gill says. “Not to take away from the importance of E or the G … but I think the S is the part that is least prescribed, and the least standardized across companies.”

So how can companies systematically measure corporate culture, or equity in the workforce? “That’s where the focus needs to be,” O’Leary-Gill says.


Insights/The Mind of Jacka

THERE ARE NO RIGHT ANSWERS

The real world, and real internal auditing, comprises multiple shades of gray.

BY J. MICHAEL JACKA

One goal shared among attendees at new auditor seminars is learning the best ways to get things done. They are thirsty for information about how to perform their new jobs correctly — how to do things “right.”

But as an instructor, my initial response to their questions can be frustrating. They ask what The IIA’s International Standards for the Professional Practice of Internal Auditing require, and I answer that they provide guidance but do not specify exactly what to do. The right answer, I tell them, depends on individual circumstances and the requirements of the organization. They ask how best to handle a certain situation, and I say it depends on the circumstances and the department. They ask how best to accomplish an audit step, and I say it depends. Eventually, they ask a question, I smile back, and they say, “I know; it depends.” I am not being flip; I am trying to help them see the realities of working in the internal audit profession.

Students are trained to always expect a right answer. They are graded on the absolute correctness of their exam responses, they hear real-life case studies that have a single solution, and in accounting, they memorize rules and concepts that lead to correct outcomes. At the end of their studies, they graduate assuming that the business world is built on the existence of such right answers.

Thrust into the real world, they learn that shades of gray dominate. And this is just as true for internal auditors as it is for anyone — except that the profession doesn’t always act that way.

Auditors do not like to make mistakes. Maybe it’s because we’re supposed to be the masters of controls, maybe it’s because we are supposed to know how to mitigate all risks, or maybe it’s just because we think making mistakes hurts our credibility. But whatever the reason, we act as though there has to be a single right answer to everything — one right way to test, one right way to assess risk, one right way to write a report, one right way to correct an identified issue, and one right way to audit.

That is not the real world. And that is not real internal auditing. There are better answers, but not perfect ones.

Talk to five chief audit executives about their No. 1 risk and you’ll get five different answers. Talk to 10 auditors about how to write a report and you’ll get 10 different solutions. And talk to any client about his or her idea for a “perfect” solution to an identified issue and it may be 180 degrees from yours.

No one is right. And everyone may or may not be wrong. Internal auditors must recognize that there may be any number of answers. Our challenge is to help clients determine what answer might be best.

And how do we solve that problem? Well, it depends. …

J. MICHAEL JACKA, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.

Eye on Business

THE STATE OF ANALYTICS USE

New technologies help audit leaders think more broadly about the organization and offer a deeper level of insight into factors that affect business performance.

RAJIV MAKHIJANI, Senior Vice President of Product, AuditBoard

RUSSELL STOHR, Global Head of Sales, Refinitiv

What is the state of the art in data analytics?

MAKHIJANI In today’s data-driven world, analytics refers to a range of data analysis, automation, and business intelligence capabilities. The future is audit intelligence — leveraging these capabilities to continuously monitor organizational risk and drive an integrated risk-first, data-centric approach to audit. Analytics enable audit departments to provide real-time assurance, address relevant risks, and provide better insights and increased value to the entire organization.

STOHR In simplest terms, state of the art is the ability to combine data from multiple internal sources and multiple external sources to better inform audit planning, real-time execution, and audit reporting. For example, it is the ability to combine financial performance data and strategic metrics, organized by audit entity, with relevant external inputs such as regulatory enforcement actions and applicable global news to better prepare the audit risk assessment, prioritize audit resources, or report finding priorities in the areas that may experience emerging risks. Traditional audit tools provide plenty of support for the underlying audit execution processes. The new generation of technology is providing additional value by allowing audit teams to combine a wide range of internal and external data, including artificial intelligence (AI) driven content, to provide better insights to inform decision-making throughout the audit cycle. These new technologies help audit leaders think more broadly about the company and offer a deeper level of insight into factors that may affect business performance.

What’s driving the use of analytics?

STOHR For most audit teams, the driver is always managing cost while demonstrably increasing internal audit’s value perception. Internal audit can leverage new data analytics to better focus its findings on helping the business understand emerging risks to business objectives and proactively help business partners understand actions they can take. This is critical, as today most organizations are forced to rethink every aspect of their daily operations in response to the COVID-19 pandemic. Curiosity is a close second. Nearly every audit leader understands the potential value hidden in the massive amounts of data available. Emerging technologies such as machine learning and natural language processing can help internal audit harvest data in unique and informative ways.

MAKHIJANI Success in today’s data-driven environment is nearly impossible without having a central system to maintain the risks, controls, deficiencies, and audit engagements the department is responsible for. A number of pressures are at play. There is an expectation that internal audit is operating like a modern business unit and can reliably report on department performance to executive leadership and the audit committee. Industry pressure is leading audit departments to break silos and prioritize data sharing across the three lines of defense. Today’s economic environment multiplies the pressure to improve efficiency and effectiveness of audit programs. To stay competitive, businesses need reliable data to react to emerging risks. Lastly, the new normal is a remote-first and often global workforce that requires a system in which audit teams can effectively operate from anywhere in the world.

What are internal audit functions at the mature level doing well?

MAKHIJANI At a higher level of maturity, internal audit has successfully integrated data with its counterparts in risk management and compliance. It is now focused on integrating its data with key systems and data across the organization. Ultimately, internal audit is seeking two outcomes: 1) increased performance and ability to be strategic by leveraging cross-functional data, and 2) the ability to drive broader organizational value by sharing audit insights with the business.

STOHR These audit functions are creating and articulating a strong vision and road map for how audit will leverage technology and data to better inform and improve business performance. They are incorporating operating and emerging risk perspectives in audit risk assessment and planning. They are monitoring business performance and adjusting audit execution as needed. They are leveraging better data integration and analytics to improve coordination with second line functions. And, they are adjusting their talent acquisition and development to support their technology-enabled vision.

How does internal audit move its analytics capabilities to a higher level?

STOHR Once a technology-enabled internal audit vision is established, the first step is identifying an audit technology that is capable of integrating data and content from many sources and presenting that data in informative and context-sensitive ways throughout the audit process. The next step is identifying the questions internal audit would like to answer at each step of the audit process. For example, during audit planning internal audit may want to know which areas of the business have traditionally produced a high number of findings compared with areas seeing an uptick in regulatory activity. With the key questions in mind, internal audit can begin identifying sources of data. In this example, internal audit needs to mine audit history by audit entity and overlay it with emerging regulatory risk data. With a prioritized set of questions and associated data sources, the audit team can begin incrementally incorporating the new analytics in its audit processes and reports. The goal should be to evolve the data sets and analytics over time.

MAKHIJANI Embedding data analytics into the organization’s culture in a way that positively impacts the organization and affects how decisions are made is an ongoing evolution that often takes years. It’s important to take a layered, incremental approach. Internal audit should start with where its audit data is, and build from there. If the audit team hasn’t digitized its internal audit program yet, it should start by unifying its data in a central audit management system, ideally one that can be integrated with other departments to pull insights to improve the program as well as the business. Another approach is to look at what the organization is already using for analytics and find an audit solution that can integrate with those solutions. Once internal audit has a system for its audit, risk, and compliance data, it should begin thinking about where else in the organization it can pull data from to target more important risk areas or key controls. What’s important is looking for solutions that can grow with internal audit.

How can analytics help internal audit during the current crisis?

MAKHIJANI Without a modern audit management system in place, operating effectively during the crisis can be a nightmare. Centralizing data in an intuitive system that the entire organization can rely on is key to department continuity and success. Then, internal audit can effectively leverage analytics to monitor key business processes and risks. This type of continuous monitoring can enable internal audit to surface problems arising from a rapidly changing environment, enabling the business to stay ahead of the curve.

STOHR While the current crisis has created turmoil and disruption for nearly every business, it has also created a tremendous opportunity for businesses to rethink their current perceptions of what is required to make the business run. An audit group we work with helped its business partner identify 22 productivity factors for which it had reliable data available before the pandemic. The concern was that by forcing employees to work from home, productivity would fall off. After six weeks they checked the productivity factors again and were shocked to find that not only was productivity sustained, but nearly every factor it measured had actually increased. As a result of the analytics the chief audit executive provided, the decision was made to permanently close half of the 120 office locations globally and reinvest the savings into technologies to better enable and connect the distributed workforce. Further, initiatives were launched to change the nature of hiring practices to expand talent acquisition into regions where the organization had not previously looked for talent. In this case, the audit analytics helped the business embrace and harvest the change to achieve a positive outcome.


THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events

IIA Calendar


IIA TRAINING
www.theiia.org/training

*Livestreaming available

AUG. 24–SEPT. 4: Tools for New Auditors, Online

AUG. 25–27: Fraud: Prevent, Detect, Respond, Online

SEPT. 1–4: Multiple Courses*, New York

SEPT. 1–4: Multiple Courses*, Tampa

SEPT. 2–11: Agile Auditing, Online

SEPT. 8–17: Fundamentals of IT Auditing, Online

SEPT. 8–24: Tools for Audit Managers, Online

SEPT. 9: Fundamentals of Internal Auditing, Online

SEPT. 9–18: Root Cause Analysis for Internal Auditors, Online

SEPT. 10–11: Data Analysis for Internal Auditors, Online

SEPT. 14–23: Cybersecurity Auditing in an Unsecure World, Online

SEPT. 14–25: CIA Exam Preparation — Part 1: Essentials of Internal Auditing, Online

SEPT. 15–18: Multiple Courses*, Boston

SEPT. 15–24: Critical Thinking in the Audit Process, Online

SEPT. 28–OCT. 9: Tools for Lead Auditors, Online

SEPT. 29–OCT. 2: Multiple Courses*, Dallas

OCT. 5–14: COSO-based Internal Auditing, Online

OCT. 5–16: CIA Exam Preparation — Part 3: Business Knowledge for Internal Auditing, Online

OCT. 6–9: Multiple Courses*, Charlotte, NC

OCT. 6–9: Multiple Courses*, San Diego

OCT. 6–15: Building a Sustainable Quality Program, Online

OCT. 6–22: Tools for New Auditors, Online

OCT. 7–9: IT General Controls, Online

IIA CONFERENCES
www.theiia.org/conferences

AUG. 17–19: Governance, Risk & Control Conference, Virtual

SEPT. 14–15: Financial Services Exchange, Virtual

SEPT. 16–17: Women in Internal Audit Leadership, Virtual

NOV. 2–4: International Conference, Fontainebleau, Miami Beach, FL, and Virtual

Please check the website for more details on all of our in-person events as they are subject to change.

Insights/In My Opinion

A CULTURE OF SERVICE

Relationship building and exceeding expectations are key to delivering audit value.

BY BHAVIN RAITHATHA

Service-oriented auditing is not a new concept. For many years internal audit leaders have built client-focused practices into their approach, such as agreeing well in advance on convenient times for engagements, clearly communicating the scope of work to be completed, and confirming engagement details in writing with management. Essentially, they seek to work with clients as business partners rather than using a box-ticking, compliance-oriented approach. And while these are constructive practices that help build relationships, they fall well short of the level of service to which we should all aspire. To best serve the organization, we need to embed a culture of service in the audit function — where management is kept continuously informed and expectations are regularly exceeded.

A culture of service permeates the entire audit function, not just its leadership. The audit team collectively should understand the importance of client relationships and their value to the audit process. Accordingly, every member of the audit function should help ensure that anyone who interacts with internal audit is well-informed of relevant audit objectives, what to expect from engagements, and timelines for deliverables. These efforts will help develop and solidify client relationships in day-to-day interactions across all levels of the department.

Communication plays a key role in providing superior service — it should be both frequent and ongoing. As common practice, auditors share the audit announcement, written scope of work, and audit report. But there is a lot more to offer during planning, fieldwork, and reporting — and auditors should not limit their deliverables to only these few documents. Additional written communication can include minutes from meetings with management, status updates on engagement progress, and preliminary observations identified.

More frequent verbal communication can also be valuable, such as explaining audit objectives for internal control testing and clarifying document requests. Although these communications may not be necessary, they can help maintain open dialogue with clients and enable them to better understand the audit process. And by keeping clients informed, internal auditors are more likely to be seen as professional service providers rather than overseers assigned to judge people, process, and performance. The effort not only facilitates better relationships but can also dramatically improve the audit function’s image in the organization.

Famed NFL quarterback Roger Staubach said, “There are no traffic jams along the extra mile.” In other words, the pack begins to dwindle when extra effort is required. For internal auditors, that extra effort can help build strong relationships and distinguish internal audit as a trusted advisor. Embedding a culture of service in the audit function doesn’t have to involve additional costs, delays, or compromises — but going the extra mile will always bring the best possible results.

BHAVIN RAITHATHA, CA, CS, CISA, is assistant manager, Group Internal Audit, at RAKBANK in Dubai, United Arab Emirates.


Earn the professional recognition you deserve.

Write for Internal Auditor


As the world’s leading publication covering the internal audit profession, Internal Auditor can help you share your valuable experiences with more than 100,000 members worldwide.

Have you found a new way to audit a high-risk area or to meet your stakeholders’ ever changing needs? Can your “how-tos” help a colleague avoid pitfalls or guide a new audit function down the right path? Share your knowledge in Internal Auditor.

Getting started is as easy as visiting the Writer’s Guidelines where you will find information on how to develop an idea, submit your proposal, and work with The IIA’s editorial staff to fine-tune your message.

Accepted articles appear in the digital magazine on InternalAuditor.org, and on the Internal Auditor mobile app.

Published authors are eligible for the prestigious John B. Thurston Award for Literary Excellence.

Internal Auditor is the perfect place to gain recognition and share your valuable knowledge to advance the profession. Visit InternalAuditor.org/guidelines.