APRIL 2020 A PUBLICATION OF THE IIA

Road Testing RPA Beyond Third Parties: Auditing the Business Ecosystem Assessing Knowledge Asset Risks 10 FAQs About Organizational Culture

THE RESPONSIBLE ORGANIZATION Internal audit needs to consider the value proposition around ESG and push the business case for change. Featuring Internal Auditor Blogs Voices with viewpoints on the profession

In addition to our award-winning Chambers on the Profession: publication content, we are proud Seasoned Refl ections on Relevant Issues to feature four thought-provoking From the Mind of Jacka: blogs written by audit leaders. Creative Thinking for Times of Change Each blog explores relevant topics Solutions by Soileau: Advice for Daily Audit Challenges affecting today’s internal auditors at every level and area of this vast Points of View by Pelletier: Insights and Innovations From an Insider and varied fi eld. Are you ready for the future of internal audit? $VVXUH$GYLVH$QWLFLSDWH

$VRUJDQL]DWLRQVSXVKWKHERXQGVRIGLVUXSWLRQWKHUROHRIWKHLQWHUQDO DXGLWIXQFWLRQQHHGVWRHYROYHWRQRWRQO\GHOLYHUDVVXUDQFHWR VWDNHKROGHUVEXWWRDGYLVHRQFULWLFDOEXVLQHVVLVVXHVDQGEHWWHU DQWLFLSDWHULVN7KURXJKFXVWRPODEVZHFDQKHOS\RXGHYHORSD VWUDWHJ\WRPRGHUQL]H\RXULQWHUQDODXGLWSURJUDPWDSSLQJLQWRWKH SRZHURIDQDO\WLFVDQGSURFHVVDXWRPDWLRQLGHQWLI\LQJDQGGHYHORSLQJ WKHVNLOOVDQGFDSDELOLWLHVUHTXLUHGWREXLOGDQGVXVWDLQWKHLQWHUQDO DXGLWIXQFWLRQRIWKHIXWXUHDQGLQFRUSRUDWLQJ$JLOHLQWHUQDODXGLWWR NHHSXSZLWKWKHUDSLGSDFHRIFKDQJH7KHIXWXUHLVQRZ

ZZZGHORLWWHFRPXVLD

CRS\ULJKWk'HORLWWH'HYHORSPHQW//&$OOULJKWVUHVHUYHG AMERICAN CORPORATE GOVERNANCE INDEX

The new American Corporate Governance Index (ACGI) is a collaboration of The IIA and the University of Tennessee Neel Corporate Governance Center. ACGI uncovers shortcomings in governance practices among publicly held companies, with insight into where improvements must be made. Know the score for American corporate governance.

Download your free copy today. www.theiia.org/ACGI

2019-4020 APRIL 2020 VOLUME LXXVII: II

FEATURES

26 COVER The Responsible Organization As investors focus on ESG reporting, there is opportunity for internal auditors to get involved and provide assurance. BY NEIL HODGE

32 An RPA Road Test Internal auditors at a chain of third, fourth, and fifth parties. freight transportation company take robotic pro- BY BRIAN KOSTEK cess automation for a test drive. BY RICK WRIGHT 50 10 Questions on Culture Several audit 39 Audit With Acumen Internal audit can committee FAQs can help guide practitioners incorporate elements of the Balanced Scorecard when assessing culture. BY PETER HUGHES, approach to build its ability to anticipate and ROBERT CAMPBELL, AND JOHN LERIAS meet the organization’s needs. BY BASIL ORSINI 54 Auditing Knowledge Management 44 The Value in the Business Ecosys- Knowledge assets’ increased value and contri- tem Internal audits must delve into risks bution to business objectives obliges internal posed by the organization’s ever-expanding auditors to focus on how they’re safeguarded. BY ISRAEL SADU

DOWNLOAD the Ia app on the App Store and on Google Play!

FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org Donations Are Instrumental to Innovation Generous contributions are instrumental for the Internal Audit Foundation to conduct groundbreaking research, publish invaluable thought leadership, and forge new partnerships to elevate the profession.

For more than 40 years, the Foundation has served the internal audit profession by:

„ Delivering timely tools and research to help boost career growth. „ Providing educational products to empower internal auditors. „ Filling the employment pipeline with qualified candidates.

Help us orchestrate internal audit innovation by making your tax-deductible donation.

Support Your Foundation. www.theiia.org/Foundation

2020-0273 FND-April Ia Fundraising Ad-FNL.indd 1 2/19/20 3:26 PM APRIL 2020 VOLUME LXXVII: II

DEPARTMENTS

PRACTICES 23 Fraud Findings An employee tip reveals a 10 Update Audit plans miss multimillion-dollar T&E scam. key risks; boards fall short on diversity; and human error is INSIGHTS behind most data breaches. 60 Board Perspectives 14 Back to Basics Internal Internal audit can help assure a audit plays a role in develop- smooth process to handle CAMs. ing fraud policy. 63 The Mind of Jacka Audi- 17 ITAudit Benford’s Law can tors looking to succeed would do detect anomalies better than well to follow three rules. traditional techniques. 7 Editor’s Note 64 Eye on Business Cloud 20 Risk Watch Some organ- computing solutions come 8 Reader Forum izations have an irrational with challenges. aversion to risk. 67 Calendar 68 In My Opinion Boards sometimes have split priorities.

ONLINEInternalAuditor.org

My First Audit Committee Balancing Transforma- Meeting A veteran practi- tion With Security Boards, tioner shares lessons learned business units, and cyber- from his first time in the hot security functions aren’t seat fielding questions from all on the same page about committee members. protecting the organization’s digital initiatives. Auditing Culture: Famil- iar Techniques There’s Building Scheme Is No no need for a radically differ- Big Hit A businessman alleg- ent approach — tried and true edly used restaurant licens- methods can go a long way ing deals with country music on culture audits. stars as a lure to defraud U.S. construction developers.

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations. Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2020 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. CANADA POST INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content. COVER: ILLUSTRATION BY SEAN YATES; THIS PAGE, TOP: AKINDO / ISTOCKPHOTO.COM, BOTTOM: MAGIC PICTURES / SHUTTERSTOCK.COM Who Are Internal Auditing’s 2020 Emerging Leaders?

EMERGING What defines an LEADERS2019 ideas, and recommendations perform audits,” Wang says. After a stint in external audit, work with student interns. In almost every day to help Already, she has designed and MARILYN CARNEVALE has fact, she was so effective that add value to our organiza- built several data analytics been happily surprised by she soon earned the title of JIAHUI “BELLA” tions.” Wang accomplishes programs to support internal how gratifying she’s found her internship program supervi- WANG that with a firm foundation audit’s objective of executing internal audit career—par- sor. Carnevale remembers of technical knowledge, more effective testing, Wind- ticularly the newness of each people leaving her former CIA says her supervisor, Charles eknecht notes. Wang says her AIDAR assignment. “Internal audit public accounting firm for extraordinary 28 Windeknecht, Atlas Air’s vice department uses analytics ORUNKHANOV procedures often have to be internal audit positions, but SENIOR INTERNAL president, Internal Audit. routines during annual fraud developed from scratch to adds now: “Honestly, I did AUDITOR, COMPUTER 29 “She consistently exhibits a assessments to help manage- SOLUTIONS DIRECTOR meet the unique needs of an not even know if I would INFORMATION ANALYST deep understanding of the ment isolate higher risk trans- organization,” she says. “It’s be any good at it.” Her ties ATLAS AIR INC. TAMR risk and control consider- actions. “Senior management CAMBRIDGE, MASS. exceptionally challenging, to the university moved her PURCHASE, N.Y. ations she is assessing,” he is coming to us with more but completely rewarding to pursue the position she’s says, “by asking challenging requests to help them identify when our recommendations in. “The fact that I’d never questions in a relevant and process improvement oppor- come to fruition.” At Rutgers, heard of internal auditing internal auditor? BELLA WANG was surprised be effective,” the St. John’s meaningful manner.” The tunities,” she says. Wang is her alma mater, Carnevale until about four years into to learn how much soft University graduate explains. questions change, of course, also active with the youth was assigned to assist on “a my career is partially why I skills support the technical In particular, Wang says that as the technology that pow- education nonprofit Junior major, multi-phased project,” believe in advocating for the aspects of internal audit- recognizing the importance ers the profession changes. Achievement and often reports her supervisor, Marion profession,” she says. That ing. “I didn’t understand of sales skills was a profes- “Technology and automa- speaks at area college and AIDAR ORUNKHANOV approaches internal audit from a Candrea, manager, Audit and includes educating students the diversity of attributes a sional “aha!” moment. “We tion will make changes in university events about the different perspective. The University of Illinois at Urbana– Advisory Services. “It was part about options beyond public practitioner needs to have to are selling our expertise, how, where, and when we benefits of internal auditing. Champaign graduate started out in data analytics and came of a highly regulated area that accounting. In her free time, across internal auditing by chance. But he noticed that the required a rigorous learning Carnevale volunteers at The profession was beginning to implement data-driven meth- curve that she easily over- IIA’s Central Jersey Chapter, odologies and saw the potential to implement analytics. came,” Candrea says, adding attends Rutgers athletics He’s now back in data analytics, at a start-up that applies that Carnevale started taking events, donates her hair to Innovation, integrity, knowledge, and machine learning to data unification, but comments that the on lead auditor tasks right Locks of Love and Pantene massive amounts of data produced by new technology will away. With that responsibil- Beautiful Lengths—and propel internal auditing toward near-real-time functional- ity came the opportunity to plays the piano. Stephen Brown, CAE at PRGX Global, recalls the time ity and other elements of automation, raising some worries MEGAN BEESTON MEGAN BEESTON was working on an IT project for his about technology replacing humans. But he says the technol- MARILYN company as part of a co-sourced team when her supervi- CFE ogy can’t replace humans completely: “I’d call it ‘using new CARNEVALE passion, among other qualities. Do sor was injured and unavailable for an extended period. 29 tools’ rather than ‘managing robotic assets.’ Robotic process “Megan stepped up and successfully managed the project PRG SENIOR ASSOCIATE automation [RPA] is an ideal solution to frequently repeated CIA, CPA with minimal oversight, and exceeded expectations in every FRAZIER & DEETER LLC rule-based processes.” RPA, in fact, should free up time for 30 way,” Brown says. The Kennesaw State University graduate ATLANTA more creative and exciting work, he says. One example: He SENIOR AUDITOR

says the experience provided her tremendous opportunity INTERN led development of an automated dashboard at a former RUTGERS, THE STATE for learning and growth. “Working in public accounting employer that provides auditors with timely changes to risk UNIVERSITY OF NEW JERSEY you know a high-performing internal constantly involves quickly and seamlessly adapting to unex- profiles and data-enabled outliers for testing purposes. He also PISCATAWAY, N.J.

pected situations to avoid delays in projects and deadlines,” A OCTOBERco-led a2019 hands-on data analytics training program for 200 col- she says. She benefitted from having built good relationships AUD L leagues. In addition, OrunkhanovA PUBLICATION lectures at Boston OF THE Univer- IIA

with clients—and having the ear of her company’s manag- sity, teaching a graduate-level course in business analytics. On ers. Early on, she says, she stepped back and realized that IT which she saw as a perfect fit. Her internship exposed her to weekends, he enjoys travel photography. “The gear I carry has

internal audit has long used data analytics. But the progress OR a variety of roles and projects, piquing her interest even fur- grown exponentially,” he says,” but an incredible Instagram auditor who possesses the traits to underway now is even more exciting, she adds, as technol- ther. “The ability to wear many hats—as an extension of an picture is worth it all.” Orunkhanov also volunteers at a local

ogy increasingly enables internal auditors to expand their 2019 OCTOBER organization as its internal audit function, as a service audi- food bank and helps families file their tax returns. capabilities past current roles. “Integrating IT concepts into tor, or consulting through process improvements and security The Effect of Cognitive Biases our strategies will allow us to provide the most value-add to assessments—challenges me technically and as a person,” on Professional Skepticism our organizations,” she says. “Any initiative for research or she says. Outside internal audit, Beeston plays tennis and THIS YEAR’S HONOREES ARE MOTIVATED INDIVIDUALS WHO training in technology and how we can apply systems to be watches college football. She also fundraises for the Leukemia The Weakest Links in become tomorrow’s thought leader? more efficient is an important step for us.” Beeston came to & Lymphoma Society through her company, volunteers on UNDERSTAND THE VALUE OF THE CIA CERTIFICATION AND THE the profession when a professor presented it in a compelling select weekends with the pediatric grief counseling organiza- Supply Chains COMMITMENT TO MAKE A DIFFERENCE IN THEIR ORGANIZATIONS way—making her realize she could use people skills to make tion Kate’s Club, and co-chairs the mentor–mentee program her role more successful and help people solve problems, at her local IIA chapter. Six Myths of BusinessTHROUGH Ethics THIS GREAT PROFESSION.—Michael Fucilli, Emerging Leaders judge Acknowledge their dedication and 28 INTERNAL AUDITOR OCTOBER 2019 GoverningOCTOBER“ 2019Social Media INTERNAL AUDITOR ”29

nominate them today. LEADERS EMERGING Internal Auditor magazine will EMERGING recognize up-and-coming internal audit professionals in its annual LEADERS

These professionals are eager to expand internal audit’s

“Emerging Leaders” article in October. influence into new areas of collaboration with leadership. 2019

IN

TERNA

LA UDIT

Nominate by May 18, 2020 ORG OR at www.InternalAuditor.org.

2020-0289

2020-0289 PUB-Emerging Leaders Print Ad April-FNL2.indd 1 3/2/20 11:23 AM Editor’s Note

THE RESPONSIBLE INTERNAL AUDITOR

o you know a young internal auditor who is making a difference? Since 2013, Internal Auditor has been recognizing up-and-coming auditors from around the world who are advancing the profession in our annual “Emerg- Ding Leaders” article. How are they making a difference? The internal audit professionals chosen to be Emerging Leaders rise to the top based on their business acumen/leadership skills, innovative thinking, community service, and service to the profession. These well-rounded individuals care about their communities, understand their organiza- tions, and are always looking for new and better ways to do their jobs — three areas of focus in this issue. Our cover story, “The Responsible Organization” (page 26), considers inter- nal audit’s role in environmental, social, and governance (ESG) reporting. Paul Sobel, chair of The Committee of Sponsoring Organizations of the Treadway Commission, says internal audit needs to consider the value proposition around sustainability. “Internal audit needs to look at what future investor, regulatory, and stakeholder expectations are likely to be regarding sustainability risk manage- ment and reporting and push for management and the board to move in line — or ahead — of them,” he says. Every year, a common trait of our Emerging Leaders is their understanding of the importance of innovation in their organizations and in their departments. In “An RPA Road Test” (page 32), author Rick Wright takes readers through a pilot robotic process automation (RPA) program at his company, YRC World- wide. “Audit leadership saw RPA’s potential … as a critical piece of internal audit’s strategy,” Wright says. “Automating portions of the standard terminal audit pro- gram could free up valuable staff resources, allowing more focus on other value- added services.” Finally, in this issue, we tackle the important topic of business acumen, an area in which Emerging Leaders excel. In “Audit With Acumen” (page 39), author Basil Orsini offers four examples of business acumen in internal audit based on perspec- tives adapted from the Balanced Scorecard strategic planning and management tool. He writes, “Internal audit can build business acumen on a sound understanding and innovative implementation of the Standards and associated guidance.” As your internal audit team’s expertise grows in the areas of ESG, innovative thinking, and business acumen, who stands out? Now is the time to nominate them for Internal Auditor magazine’s 2020 Emerging Leaders and give them the recognition they deserve. Visit InternalAuditor.org to make your nomination. Nominations are open through May 18.

@AMillage on Twitter

APRIL 2020 INTERNAL AUDITOR 7 Reader Forum WE WANT TO HEAR FROM YOU! Let us know what you think of this issue. Reach us via email at [email protected]. Letters may be edited for clarity and length.

dealing with changes or on how to and provide assurance around controls resolve audit recommendations. The that mitigate these risks. article was straightforward and the UDAY GULVADI comments on Kevin Alvero example was on point to follow. Audi- and Wade Cassels’ “Bringing Clarity to the Foggy World of AI” (February 2020). tors could use this information to provide valuable information to senior management of their organizations. Doing What You Love FREDRICK W. LEE comments on Nancy What Mike Jacka describes is largely Haig’s “A Plan for Regulatory Change” why I left my last job — it was all (February 2020). about templates, checklists, forms over substance, etc. It reminds me of AI’s Inherent Bias playing the game Operation, where if One of the key risks is related to ethi- you veer 1 millimeter this way or that, Correction: In Louis Seabrooke and cal bias of artificial intelligence (AI) “Buzzz!” and you lose. Amy Felix’s “A Study in Risk Tolerance” in making a decision based on a com- With my new company, there’s (February 2020) there was an error in peting set of objectives or defining room to learn, explore, try, ask, chal- the chart, “The Risk Tolerance Model” the objectives too narrowly without lenge, and be — heaven forbid — cre- that affected the scoring system. The cor- balancing the needs of other stake- ative. I want to thank Jacka for helping rected chart appears at www.theiia.org/ holders and affected parties. Problems me to clarify my feelings and give me a AStudyInRiskTolerance. may also arise on the usage of data shot in the arm to keep trying and doing that has inherent biases such as facial what I love — improving organizations. Regulatory Blueprint recognition algorithms using images or SEAN BORZEA comments on Mike Jacka’s Nancy Haig’s article was excellent in information skewed toward or against “Drunk and in Charge of a Bicycle” (“The Mind of Jacka,” February 2020). laying out the blueprint for organiza- a certain race or gender. tions adapting to regulatory changes Internal auditors would need to that affect operations. This informa- focus on these inherent risks in the VISIT InternalAuditor.org tion should be printed on posters and design of AI/machine learning algo- to comment on the cards to give senior management when rithms in design and data governance, latest articles.

CONTRIBUTING EDITORS J. Michael Jacka, CIA, CPCU, CFE, CPA IIA PRESIDENT AND CEO CONTACT INFORMATION Wade Cassels, CIA, CCSA, CRMA, CFE Sandra Kasahara, CIA, CPA Richard F. Chambers, CIA, ADVERTISING J. Michael Jacka, CIA, CPCU, CFE, CPA CIA, CRMA, CISA, CISSP QIAL, CGAP, CCSA, CRMA Michael Levy, [email protected] Steve Mar, CFSA, CISA Merek Lipson, CIA IIA CHAIRMAN OF THE BOARD +1-407-937-1388; fax +1-407-937-1101 Bryant Richards, CIA, CRMA , CIA Michael Marinaccio J. Michael Joyce, Jr., CIA, PHD, CIA, CCSA, CRMA SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES James Roth, Alyssa G. Martin, CPA CPA, CRMA APRIL 2020 Rick Wright, CIA Joe Martins, CIA, CRMA [email protected] VOLUME LXXVII:II Stephen Minder, CIA +1-407-937-1111; fax +1-407-937-1101 EDITORIAL ADVISORY BOARD EDITOR IN CHIEF Rick Neisser, CIA, CISA, CLU, CPCU EDITORIAL Jennifer Bernard Allen, CIA Anne Millage Hans Nieuwlands, CIA, RA, CCSA, CGAP David Salierno, [email protected] Dennis Applegate, CIA, CPA, CMA, CFE Manish Pathak, CA +1-407-937-1233; fax +1-407-937-1101 MANAGING EDITOR Lal Balkaran, CIA, FCPA, FCGA, FCMA David Salierno Bryant Richards, CIA, CRMA PERMISSIONS AND REPRINTS Andrew Bowman, CPA, CFE, CISA James Roth, PHD, CIA, CCSA [email protected] ASSOCIATE MANAGING Robin Altia Brown EDITOR Jerry Strawser, PHD, CPA +1-407-937-1232; fax +1-407-937-1101 Adil Buhariwalla, CIA, CRMA, CFE, FCA Tim McCollum Glenn Sumners, PHD, CIA, CPA, CRMA Wade Cassels, CIA, CCSA, CRMA, CFE WRITER’S GUIDELINES SENIOR EDITOR Robert Taft, CIA, CCSA, CRMA Stefanie Chambers, CIA, CPA InternalAuditor.org (click on “Writer’s Guidelines”) Shannon Steffee Brandon Tanous, CIA, CGAP, CRMA Faizal Chaudhury, CPA, CGMA Stephen Tiley, CIA ART DIRECTION James Fox, CIA, CFE Authorization to photocopy is granted to users registered with the Carol Hardy Design Robert Venczel, CIA, CRMA, CISA Nancy Haig, CIA, CFE, CCSA, CRMA Copyright Clearance Center (CCC) Transactional Reporting Service, David Weiss, CIA PRODUCTION MANAGER Sonja Heath, CIA provided that the current fee is paid directly to CCC, 222 Rosewood Rick Wright, CIA Gretchen Gorfine Kyle Hebert, CIA Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although Daniel Helming, CIA, CPA PUBLISHED BY THE staff would like to hear from readers who have concerns regarding Karin L. Hill, CIA, CGAP, CRMA INSTITUTE OF INTERNAL AUDITORS INC. advertisements that appear.

8 INTERNAL AUDITOR APRIL 2020 Learn From The Leader. IIA TRAINING ONDEMAND PLATFORM OPEN 24/7

www.theiia.org/OnDemand Boards fall short on ethnic diversity… Insider actions lead to data breaches… Audit’s role in a pandemic… Email fraud targets CEOs and employees. Update

THE STATE OF AI U.S. technology company decision-makers have high hopes and some concerns for artificial intelligence. 88% Companies should implement an ethics policy to govern their AI work. 69% Governments should regulate AI. 62% AI adoption is moving at an Cybersecurity and third appropriate speed across AUDIT PLANS parties are among the technology industry. IGNORE KEY RISKS omissions, Pulse says. % nternal audit departments are leaving key Then there is sustainability risk, which 61 risks out of their audit plans, The IIA’s only 10% include in their audit plan. Existing employees are prepared 2020 North American Pulse of Internal Although only 6% of respondents rate for AI adoption. IAudit reports. The survey of 630 chief sustainability a high risk, there is growing audit executives, directors, and managers investor interest in it (see “The Responsible % reveals a glaring disconnect between high Organization” on page 26). That also was 37 risks and audit priorities. the case for another rising investor prior- AI could Take cybersecurity, rated a high risk ity — governance and culture — which less replace their positions. by more than three-fourths of respondents. than half of respondents include in their Cybersecurity is the Pulse’s top risk, yet audit plan. almost one-third say it’s not included in the Such shortfalls in risk coverage were Source: KPMG, Living in an AI World internal audit plan. Another disconnect is noted in The IIA’s OnRisk 2020 and Ameri- 2020 Report: Technology Insiders third-party relationships — more than half of can Corporate Governance Index studies, respondents rate it a high risk, but less than says IIA President and CEO Richard Cham- half include it in the audit plan. bers. “The Pulse shows just how serious the FOR THE LATEST AUDIT-RELATED HEADLINES follow us on Twitter @TheIIA IMAGES: TOP, AKINDO / ISTOCKPHOTO.COM; LEFT, VENOMOUS VECTOR / SHUTTERSTOCK.COM

10 INTERNAL AUDITOR APRIL 2020 Practices/Update

problem is, and its impact on sustainability, The good news is more than half of operational efficiency, and culture,” he says. respondents say their department is perform- In addition to missing top risks, one in ing at the top two levels of the five-level five are performing below the midpoint (level model. Twelve percent rate themselves at the 3) of the Internal Audit Ambition Model, a top level (Optimizing), while 40% are at maturity scale developed by IIA–Netherlands Level 4 (Managed). Such functions support and LKO/NBA. Those functions aren’t con- strategic risk management, long-term plan- forming with the International Standards for ning, and continuous improvement. the Professional Practice of Internal Auditing. — T. MCCOLLUM

A U.K. report shows BOARDS FALL SHORT failure to prioritize ON DIVERSITY EFFORTS board ethnicity. THE IMPACTS FROM CLIMATE CHANGE ewer than half of Financial Times AND LOSS OF NATURE Stock Exchange (FTSE) 250 compa- COULD COST THE nies mention ethnicity in their board GLOBAL ECONOMY Fdiversity policy, according to research $ from the U.K.’s Financial Reporting Coun- 9.87 cil (FRC) and Cranfield University’s School trillion between now and 2050. of Management. The report, Ethnic Diver- sity Enriching Business Leadership, also THE ECONOMY shows that most of the broader FTSE 350 COULD LOSE lacks measurable ethnicity targets. $ Only 14% of FTSE 100 compa- diversity in succession planning, most of 327 nies — the U.K.’s largest publicly listed these firms emphasize progression compa- billion from damage to natu- ral protections from flooding, firms — set measurable objectives for board nywide, rather than at the top. storm surges, and erosion, ethnic diversity; the proportion drops to In light of the FRC’s report, the 2020 while loss of carbon storage 2% for the FTSE 250. Even where objec- Parker Review, an independent report on could cost $128 billion tives are established, FTSE 350 companies the ethnic diversity of U.K. boards, recom- by 2050. have not made progress against them. The mends companies report on diversity of research also finds that while just over 10% culture, geography, and nationality along- “Not only will losing nature of FTSE 100 firms plan to increase ethnic side ethnicity. — D. SALIERNO have a huge impact on human life and livelihoods, it will be catastrophic for our future prosperity,” says Marco Lambertini, director Human error is behind general of WWF International. INSIDER THREATS most data breaches, Source: WWF, Global Trade Analysis PUT DATA AT RISK research says. Project, and the Natural Capital Project, Global Futures hree-fourths of IT for Egress, a data security The Insider Data Breach professionals say solutions company. Survey 2020 polled more employees at their Additionally, 78% say than 500 IT leaders and Torganizations have employees have acciden- 5,000 employees at com- intentionally put data at tally done so. These insider panies with more than 100 risk in the last 12 months, threats pose a significant employees in Belgium, Lux- according to research con- security risk to organiza- embourg, Netherlands, the

IMAGES: TOP, ORDENT STOCK / SHUTTERSTOCK.COM; RIGHT, LIGHTSPRING / SHUTTERSTOCK.COM ducted by Opinion Matters tions, Egress reports. U.K., and U.S. It found that

APRIL 2020 INTERNAL AUDITOR 11 An Exclusive Opportunity

Join a select group of rising and distinguished internal audit professionals for a three-and-a-half-day, immersive executive development experience. “It helped me be a better leader for my internal audit department.”

2020 VISION UNIVERSITY SESSIONS EXECUTIVE DEVELOPMENT

Boston, MA San Diego, CA Chicago, IL June 15–18 Sept. 14–17 Nov. 2–5 Omni Parker House Kimpton Solamar Hotel Kimpton Hotel Palomar

Your CAE Success Story Starts Here

www.theiia.org/VisionU Practices/Update

41% of employees who have accidentally leaked informa- THE PRESSURE OF PANDEMICS tion did so because of phish- During an outbreak, internal audit should focus on stronger controls, ing emails. Nearly one-third says Business Continuity Management Institute President Moh Heng Goh. caused a breach by sending an email to the wrong per- How can internal audit functions support business son, and almost half have continuity during pandemics? Once a pandemic like the received an email recalling coronavirus (COVID-19) has occurred, there is little an auditor information sent in error. can be involved in as major audit activities should be reduced Egress CEO Tony Pep- due to the possibility of transferring infection between audi- per explains that organiza- tor and client. Additionally, the client’s focus may be on the tions and their security teams response and recovery of its critical business functions. weigh the advantages of effi- While the outbreak is occurring, the audit team can cient communications against focus on possible breakdowns in controls of processes as data security considerations. business functions operate from a remote or alternate “Frequently they compromise location, or even from home. The key is to strengthen the on the latter,” he says. controls to minimize the potential for errors resulting from manual interventions and the Employee misconcep- possibility of fraud. It is important to note that the observance of noncompliance with exist- tions about data owner- ing protocols should be based on its materiality so that the organization can respond and ship negatively impact recover in the shortest possible time. information security, the Business continuity plan reviews are typically predetermined by a business continuity survey shows. Two out of five management policy. The frequency of review and updating is usually annual. During a pan- employees don’t recognize demic, like any other disruption, these reviews may need to be conducted more frequently that the organization owns when an audit client’s environment has frequent staff turnover, or if outsourcing or trans- its data exclusively, and only ferring business functions to a third party results in an interdependency risk. 37% say everyone is equally responsible for keeping it safe. “Employees want to Hackers target own the data they create and NO. 1 CYBERCRIME: work on, but don’t want the company employees responsibility for keeping it EMAIL FRAUD in record numbers. safe,” Pepper says. “This is a toxic combination for data usiness email compromise accounted protection efforts.” for more than half of total reported The more senior the U.S. cybercrime last year, according employee, the less likely Bto the Federal Bureau of Investiga- he or she is to accept data tion’s (FBI’s) 2019 Internet Crime Report. protection accountability These scams, which typically involve a crimi- liability — just 8% of direc- nal mimicking a legitimate email address, tors say everyone shares resulted in more than $1.7 billion in losses responsibility, compared to in 2019. They were responsible for nearly more than half of clerical 24,000 complaints made to the FBI’s Inter- staff. Directors also are most net Crime Complaint Center (IC3) last year. likely to take data with them Many compromised emails are CEO to a new job. Of those who fraud, where an email sender impersonates where hackers mimic an employee requesting intentionally broke company an executive within the company. The email an update to his or her direct deposit informa- policy, 68% did so when requests payment that appears legitimate but tion. The change then routes that employee’s they changed jobs, compared actually directs funds to a criminal. paycheck to a scammer’s account. to the overall average of IC3 also reports an increase in com- Last year saw the largest number of cyber- — S. STEFFEE — D. SALIERNO

PHOTO: LEFT, HANSS / SHUTTERSTOCK.COM 46%. plaints that involved diversion of payroll, crime complaints since 2000.

APRIL 2020 INTERNAL AUDITOR 13 Back to Basics

BY CHRIS ERRINGTON, MICHELE NISI + KEVIN M. ALVERO EDITED BY JAMES ROTH + WADE CASSELS

BREAKING DOWN THE FRAUD POLICY Internal auditors need to be involved in, and understand, the organization’s fraud detection and early half of all To do this, internal auditors the development and prevention efforts. global organizations need to understand the key implementation of the in PwC’s 2018 elements of a strong policy, fraud policy. NGlobal Economic and who it should involve. E It clearly spells out Crime and Fraud Survey personnel roles and admit to having been the The Building Blocks responsibilities. victim of fraud and eco- Any organization can be a E It explains the disciplin- nomic crime in the past two victim of fraud, regardless of ary and legal actions the years, resulting in more than its size, industry, or location. organization will take. $7 billion in total losses and The most effective recourse E It makes anonymous a median loss of $130,000 is to develop a strong and hotlines and reporting per case. Nearly half of those implementable fraud policy options available. frauds were because of inter- that defines unacceptable E There is an effective nal control weaknesses. behavior and how the orga- communication plan Internal audit plays nization will respond to around the policy. several key roles in the it. While policies can vary While no fraud policy can prevention, detection, and depending on the organiza- define every fraudulent monitoring of fraud risks. tion’s number of employees, action, a well-written policy First, as internal audit has industry complexity, and uses clear language and relat- broad visibility into the dif- operating environment, able examples to help reduce ferent areas of the enterprise, the fundamental elements uncertainty of what the it should be aware of poten- remain the same: organization considers illegal tial red flags of fraud in all E The policy has top- activity. It also provides clear audit engagements and iden- down support. instructions regarding the tify ones that may warrant E It includes clear, spe- responsibilities and proce- further investigation. Also, cific language and dures to be followed by all internal audit should assess examples. involved when illegal activity the effectiveness of controls E It accurately and effec- is suspected or uncovered. designed to mitigate fraud tively defines fraud. However, it doesn’t risk. Finally, internal audit E There is policy owner- matter how well the fraud can lend valuable expertise in ship, so a specific person policy is written if it sits in a an advisory role to the devel- or group of people are three-ring binder gathering opment of the fraud policy. charged with overseeing dust. The organization must SEND BACK TO BASICS ARTICLE IDEAS to James Roth at [email protected]

14 INTERNAL AUDITOR APRIL 2020 TO COMMENT on this article, EMAIL the author at [email protected]

ensure that the fraud policy is not only created, but also read The fraud policy must include a statement that all appropri- and understood by all internal personnel and external parties ate measures to deter fraud will be taken and all instances with which it engages. The greater the importance the orga- of suspected fraud will be investigated and reported to the nization places on this document, the greater the likelihood appropriate authorities. employees will place an equal amount of importance to it. Generally, organizations have four options when fraud From regular manager/employee policy reviews to live train- is uncovered: criminal prosecution, civil fraud lawsuit, a ing to role playing, the same message, stance, and emphasis mutually agreed upon termination of the perpetrator, or no on eliminating fraud can be reinforced. Regular communica- action. There are varying schools of thought as to which of tion not only promotes understanding, but also can deter these actions should apply to different fraud situations. For potential fraudsters. example, it can be argued that taking no action is one of Occupational fraud is most efficiently organized into the surest ways to promote an organization’s susceptibility three categories, each of which companies must identify and to future fraud because of the perception of impunity. On communicate with personnel. the other hand, there also are cases when the cost of pros- E Asset misappropriation is the stealing or misuse of enter- ecution exceeds the cost of the fraud and other disciplinary prise resources by personnel. This occurred in more actions may be preferred. Some organizations will prosecute than 89% of all reported cases and resulted in a median all fraud regardless of monetary value. From the internal loss of $114,000, according to the Association of Certi- auditor’s perspective, however, the key question is whether fied Fraud Examiner’s (ACFE’s) Report to the Nations: the organization has considered the risks of its disciplinary 2018 Global Study on Occupational Fraud and Abuse. policy (reputational risk, cost, future fraud risk, etc.) and is E Corruption schemes occur when personnel misuse their comfortable with them. influence during business transactions to obtain benefit The fraud policy must provide personnel with instruc- and violate their duties to the employer. According to tions regarding the steps to take when suspecting fraud. the ACFE study, this results in 38% of occupational The policy should remind personnel that they are not fraud cases with a median loss of $250,000. prosecutors of the law and that their job is to report their findings to the organization’s appro- priate party. The fraud policy should It’s critical that the fraud policy conveys provide anonymous avenues to give employees confidence that they can a plan of disciplinary action. safely report potential fraud, such as a fraud hotline number. In addition to verifying the existence of a hotline, E Financial statement fraud occurs when personnel inten- internal audit also may want to understand whether it is tionally cause misstatements or omit information in being used and how effectively the company has responded enterprise financial reports. It is the least common but to these tips. most costly, averaging $800,000 per incident. A Preventive Measure Prosecuting Fraud In the end, a fraud policy is an inexpensive and effective While fraud detection and prevention is an organizationwide method for reducing the threat of potentially crippling finan- effort, clearly defined roles must be instituted to promote cial losses. Furthermore, all departments, including internal responsibility and reduce confusion. For example, the board audit, can play major roles in its development. This stand- of directors is responsible for corporate fraud governance, alone document should be seen by all personnel as playing an and management must be engaged in executing these poli- integral role in the organization’s health and longevity. cies. Internal audit’s role should be clearly defined, as well. Auditors must have the authority to ensure fraud controls are CHRIS ERRINGTON, CRCMP, CSPO, GRCP, is a senior appropriate and effective, to investigate instances of possible communications specialist in the Internal Audit department at fraud, and to support management in executing the fraud Nielsen in Oldsmar, Fla. risk assessment. MICHELE NISI, CIA, CFE, CPA, is a manager in the Internal Without the threat of prosecution, a fraud policy is little Audit department at Nielsen. more than a toothless tiger. Therefore, it’s critical that the KEVIN M. ALVERO, CISA, CFE, is senior vice president, Internal policy conveys a plan of disciplinary action to all personnel. Audit, Compliance, and Governance, at Nielsen.

APRIL 2020 INTERNAL AUDITOR 15 Illuminating the Top Global Risks in 2020

Explore Protiviti’s digital Executive Perspectives on Top Risks 2020 report and prepare for the risks likely to affect your organization this year.

Visit protiviti.com/toprisks for the full report.

protiviti.com

© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0120 ITAudit

BY LAL BALKARAN EDITED BY STEVE MAR

BENFORD’S LAW IN A BIG DATA WORLD Applying the mathematical digital analysis tool to large data sets can help auditors detect fraud he power of Benford’s It does this by determining departments can work with and other problems. Law has never been as the expected frequency for the organization’s IT function critical given the rise any digit in a set of discrete to adopt a step-by-step Ben- Tof big data and com- numbers such as journal ford analysis using established puting power. The digital entries, disbursements, and formulas to analyze company analysis tool has been used in revenues. This means that a data for unusual patterns. numerous high-profile foren- digit in a number in a given sic investigations, including data set is mathematically Revealing Fraud investigations of voter fraud predictable. Because the Because few fraudsters know in the 2009 Iranian election expected frequency for each about Benford’s Law, the and Greece’s efforts to hide digit is known, every item numbers they cook up stand its debt in 2015. in excess of that frequency out. As a result, the position A Benford’s Law review is deemed unusual. of each digit in their transac- of 5,400 contracts at a With large amounts of tions will not follow Ben- Canadian nonprofit orga- data to analyze, Benford’s ford’s analysis, revealing their nization found the numeral Law can detect anomalies crime (see “Benford’s Basics” “4” as the first digit 16% of better than traditional audit on page 19). the time, compared to the techniques. For example, For example, during a expected 9.7%. That finding research shows that compa- purchasing audit at a retail enabled the internal auditor nies whose financial state- company, internal auditors to uncover questionable con- ments are significantly out of discovered there were 550 tracts in amounts between compliance with Benford’s purchase orders issued with $40,000 and $49,999 that Law are likely to get caught the first two digits “96,” totaled $15 million. Those for accounting irregularities. compared with the expected contracts were approved by A before-and-after com- count of 289 purchase an employee who directed parison of restated earnings orders. Benford’s Law analy- them to vendors who were showed that the new, real sis showed 145 purchase his associates. numbers aligned with Ben- orders of between $9,600 In addition to detect- ford analysis. and $9,690 were approved ing fraud, internal auditors Internal auditors can by a director whose approval can use Benford’s Law to leverage audit software with authority was limited to identify inefficient pro- Benford’s Law functional- $10,000. Further investiga- cesses and computer bugs. ity. Additionally, some audit tion revealed that over a SEND ITAUDIT ARTICLE IDEAS to Steve Mar at [email protected]

APRIL 2020 INTERNAL AUDITOR 17 2018-0267 Take aGuidedTour | ReadSample Pages Prepare withConfidence&Convenience. A SystemforSuccess. Professional PracticesFramework(IPPF)andTheIIA’s | Try FreeQuestions latest industrystandards,includingtheInternational International StandardsfortheProfessionalPractice parts oftheCIAexam.It’s updated toalignwiththe review program,combiningreadingmaterialsand online studytoolstoteachandreinforceallthree The IIA’s CIALearningSystemisaninteractive Prepare toPass. | GetExamTips LEARNING SYSTEM www.LearnCIA.com CIA THE IIA’s of InternalAuditing ® .

Practices/ITAudit TO COMMENT on this article, EMAIL the author at [email protected]

BENFORD’S BASICS enford’s Law made its debut in the audit profes- digit in data sets, appearing 30% of the time, followed sion in the 1990s through the efforts of Mark by “2” (17.6%), “3” (12.5%), “4” (9.6%), “5” (7.9%), “6” BNigrini, an expert on the theory. First discov- (6.6%), “7” (5.8%), and “8” (5.1%). The initial digit “9” ered in 1881 by mathematician Simon Newcomb, the appears the least often (less than 5%). theory lay dormant for almost half a century until Benford’s Law works because the distance from the 1930s when it was again discovered by physicist “1” to “2” is far greater than the distance from “9” to Frank Benford. “10.” For example, if a data set begins with the digit Benford determined that leading digits are distrib- “1,” it has to increase by 100% before it begins with uted in a specific, nonuniform way. This discovery led to the digit “2.” To get from “2” to “3” requires a 50% the mathematical theory that in large sets of data, the increase; from “3” to “4,” 33%; “4” to “5,” 25%; “5” initial digits of amounts will tend to follow a predictable to “6,” 20%; “6” to “7,” 16%; “7” to “8,” 14%; “8” to pattern. The initial digit “1” is most common as the first “9,” 12%; and “9” to “10,” 11%.

two-year period, the director made $3.5 million in purchases of a number. The expected proportion for each of for personal items such as electronics, jewelry, and appliances. these combinations is 1%. Any excess is rounded off or are invented numbers. Five Types of Analysis Basic tests in Benford’s Law cover first-digit analysis, second- When to Use It digit analysis, first two-digit analysis, first three-digit analysis, Benford’s analysis is best used on data sets with 1,000 or and last two-digit analysis. more records that include numbers with at least four digits. » First-digit Analysis Auditors can chart the expected As the data set increases in size, closer conformity to the and actual occurrence for each digit from “1” to “9.” expected frequencies increases. They can drill down further on unusual differences However, not all financial data lend themselves to such for analysis and action. tests. Benford’s analysis cannot be used in scenarios such as: » Second-digit Analysis Like the first-digit analysis, » A data set made up of assigned numbers such as the second-digit analysis is a test of reasonableness. At Social Security, contract, invoice, phone, customer, a health-care company, an analysis of the second digits and check numbers. in more than 21,000 payroll records revealed that the » Psychological thresholds such as $199.99. numeral “0” turned up as the second digit twice as » Minimum and maximum numbers such as a petty- often as it should have. The numeral “5” showed up cash fund disbursing between a $10 minimum and a 60% more often than expected. Based on those find- $40 maximum. ings, the records were deemed fraudulent. » Where no transaction is recorded such as thefts, kick- » First Two-digit Analysis (F2D) There are 90 pos- backs, and contract rigging. sible combinations (10 through 99) for the first two » Limiting a sample of transactions to only between a digits in a number. For example, the first two digits narrow range, such as between $100 and $999. of 110,364 are “11.” In an F2D test, Benford’s Law would note there is a 3.8% likelihood that “11” Extract Needles From Digital Haystacks would be the first two digits. This is a much more Benford’s Law can be a powerful way to combat the costly focused test as the purchase order example showed. scourge of fraud. It is like placing a magnet over a haystack and » First Three-digit Analysis (F3D) In F3D tests, there extracting the needles, enabling internal auditors to analyze an are 900 possible combinations (100 through 999), entire population of data. All it takes is an interest and a will- allowing for an in-depth analysis of large data sets. It ingness to learn new approaches. provides greater precision for picking up abnormal duplications in sets with 10,000 or more transactions. LAL BALKARAN, CIA, FCPA, FCGA, FCMA, is an internal » Last Two-digit Analysis There are 100 possible auditor and independent consultant with more than 30 years’ combinations (00 through 99) in the last two digits experience based in Scarborough, Ontario.

APRIL 2020 INTERNAL AUDITOR 19 Risk Watch

BY RICK WRIGHT

A RATIONAL MINDSET Risks, like snakes, are often viewed as threats, despite their potential benefits. emember the scene prey and striking when they of internal audit work, the from Raiders of the least expect it. An objective conversation gravitates Lost Ark where Indi- study of snakes reveals a toward an unbalanced, neg- Rana Jones enters the much more accurate view ative attitude about risk. Well of the Souls, which of these complex creatures. One time, my audit happens to be a snake- Not all snakes are aggres- team was conducting an infested pit? After throwing sive, nor are they all venom- audit workshop with a a torch into the pit to reveal ous or massive constrictors group of business managers. his plight, he exclaims, capable of inflicting great The team was explaining “Snakes … why did it have harm to people, as we often how our audit activities to be snakes?” see in movies or hear about were risk-based so that we Granted, this scene is in the news. focused on things that mat- plotted to presume the snakes In fact, snakes can be ter most to their functions’ are venomous, so Indiana’s beneficial. Take the black rat success. The supervisor fear is rational. But his initial snake, which is effective at for this group of managers reaction reveals his bias about controlling harmful rodent interrupted our discussion snakes in general — the same populations. One black rat to admonish the group that way some people are irratio- snake can eat 100 mice per they needed to be focused nally averse to risk. acre in a year. What farmer on risk to eliminate it from Internal auditors have a wouldn’t readily adopt at the company. While it professional duty to remain least a couple of these hunt- was an innocent exclama- objective as they perform ers to offset the negative tion the supervisor truly their work. This unbiased impact mice have on prop- believed, it was an unfortu- mindset must extend to erty and equipment, not to nate and unplanned distrac- remaining rational when it mention the potential spread tion from our discussion comes to communicating of disease? that the audit team had with audit clients about risk. People sometimes to clarify with the work- perceive risk with the same shop participants. Why Did It Have irrational viewpoint. Too The interruption to Be Risk? often, when discussing turned out to be a blessing Snakes are vilified as ani- risk and risk management in disguise. It enabled the mals that hide in dark philosophy with business internal audit team to lead places, stealthily seeking out professionals in the course a healthy discussion about SEND RISK WATCH ARTICLE IDEAS to Rick Wright at [email protected]

20 INTERNAL AUDITOR APRIL 2020 TO COMMENT on this article, EMAIL the author at [email protected]

the opportunities that also accompany risk, while explain- stakeholders are more likely to respond to risk with a more ing that eliminating risk was not realistic nor necessarily a rational mindset. desirable goal. Thinking Differently About Risk Shifting the Risk Mindset Let’s think about snakes and risk a little differently. A more With all the focus organizations have devoted to enterprise neutral word to use for snake is reptile. Some reptiles can risk management and updated risk management frameworks, cause harm to people in certain circumstances such as they still get trapped in a vortex where risk is seen in a lopsid- swimming in a lake known to have large alligators or walk- edly negative light. Internal audit should thoughtfully redi- ing through terrain known for rattlesnakes. In other situa- rect this line of thinking when such an uninformed view of tions, such as rodent control, reptiles are benign or helpful. risk and risk management is expressed. Likewise, a less polarizing term for risk is uncer- The snake analogy is a good proxy for reframing the tainty — specifically, about some outcome. Risk is neither risk discussion. The word risk often is misunderstood. Like bad nor good; it’s just uncertainty. When auditors use the snakes, risk can do serious harm, so people instinctively proj- word uncertainty when discussing risk, they can have a ect harm to all risk. But is this rational? more objective, and less polarized, discussion and avoid In finance, risk frequently is paired with the word reward the biased, negative connotation. This allows auditors to to describe offsetting outcomes related to a decision. While unlock the real value of an intellectual discussion about taking any given risk may result in a bad outcome, there also risk — refocusing attention on decision-making. is the prospect of a good outcome. No risk, no reward, as the Uncertainty hinders decision-making. The more uncer- saying goes. This is a more rational view of risk. tainty that exists about a pending decision, the more difficult Internal auditors can help organizations balance atti- it is to make a decision that will result in a favorable outcome. tudes about risk by talking and acting rationally about The better decision-makers can understand the uncertainty risk. For instance, they shouldn’t use risk exclusively as a they are faced with in a decision, the more likely they should be able to optimize the outcome they are seeking from any given decision. The more uncertainty that exists, the The coronavirus pandemic comes to mind. In the present, fear of the more difficult it is to make a decision unknown is dominating the response conversation. This is a crisis that has that will result in a positive outcome. not been experienced in most of the modern world, and government leaders are struggling to craft effective responses “four-letter word” in discussions with other business profes- because of the uncertainty that exists. sionals. Risk mitigation is only one potential risk response In time, this threat will subside. The world is cur- alternative. When approaching risk assessments or new rently experiencing negative outcomes; however, positive audit engagements, internal auditors should talk about outcomes could emerge, such as a more resilient health-care how informed risk-taking is essential to the organization’s system to deal with similar threats in the future. growth prospects. Internal auditors should counsel clients that risk accep- Risk Doesn’t Have to Be Scary tance is sometimes the best risk response. This can be the When risk is obscure and lurking in the darkness, it seems case when other risk response alternatives are costly or when more like a rattlesnake waiting to strike against an unsus- the risk is relatively mild. Accepting a risk while continuing pecting victim. But when risk is visible, understood, and to monitor it for changes that may justify a different response appreciated for its potential benefit, organizations can is a rational reaction. exploit it for a beneficial outcome or control it to mini- In other instances, it is appropriate to exploit risk for mize a negative outcome. With this shift in mindset, risk its opportunity. In times of crisis or disruption, offsetting becomes less of a scary monster and more of a device that opportunities can present themselves in the face of emerg- uses rational decision-making to optimize risk outcomes. ing risks. In these instances, risk opportunities can serve as a hedge against simultaneous negative risk outcomes. When RICK WRIGHT, CIA, is director, Internal Audit and ERM, at YRC internal auditors set a good example, clients and other Worldwide in Overland Park, Kan.

APRIL 2020 INTERNAL AUDITOR 21 spread the word. TELL THE WORLD.

May is International Internal Audit Awareness Month.

What happens when you tell 5 people that internal audit is indispensable to effective governance?

If all 200,000 IIA members spread the word, 1 million people will hear our message.

Learn how you can tell the world. www.theiia.org/Awareness #IIAMay

2020-0274 GLOB-Awareness Month Print Ad-FNL.indd 1 2/27/20 4:08 PM Fraud Findings

BY GRANT WAHLSTROM + ANISA CHOWDHURY EDITED BY BRYANT RICHARDS

THE DOUBLE DIPPER An employee tip uncovers a multimillion-dollar travel and expense scam. obert Shull and Alysa addition, he frequently used approve the expenditure, Cayden, the foren- the card for alleged business thus avoiding the scrutiny of sic audit team at meetings at establishments Cooper’s manager. He also RMidnight Sun that bordered on adult enter- alleged that Cooper coached Inc. (MSI), sat with Justin tainment. Much to his sur- him before the interview on Planter, a regional sales prise, Planter’s employment what to say and promised manager at the solar power was subsequently terminated. that there would be no sig- company, as he rolled After the interview, nificant disciplinary action. his eyes and made con- Shull and Cayden felt some- To review Planter’s alle- descending faces. MSI’s thing was amiss. Cooper gations, Shull and Cayden procurement department approved all of Planter’s obtained all T&E reports forwarded Planter’s travel T&E reports but was not for Cooper and his manage- and expense (T&E) reports suspicious of any of his ment team. Data analytics to Cathy Francis, the human spending. Also, they noticed compared the company resources manager, after an that Cooper’s statements policy against spending. employee noted that spend- were inconsistent, requiring One area of focus was cash ing was not consistent with him to revise them on sev- reimbursements for expenses the company’s T&E policy. eral occasions. below $25, the minimum Francis reviewed the reports After his firing, Planter amount requiring receipts to and was concerned that contacted MSI’s CEO, James be submitted. there was a greater pattern of Spicolli, and explained how The results were shock- abuse, so she requested that Cooper allowed his manage- ing. Cooper’s team members Shull and Cayden examine ment team members to use used their corporate credit his T&E reports. their corporate credit cards cards for expenses well out- Sitting next to Planter to dine out, make personal side the T&E policy. Further- was his boss, Thomas Coo- purchases, and charge mile- more, Cooper approved every per, a veteran regional man- age for business travel despite expense report submitted to ager with more than 25 years being reimbursed through him. They found numerous of experience with MSI. another program. Planter abuses of travel expenses: During the interview, Planter also claimed that Cooper » Managers split admitted to purchasing a attended many of the din- expenses to stay personal cell phone using ners and instructed him to below the $25 his company credit card. In pay the bill so that he could internal control SEND FRAUD FINDINGS ARTICLE IDEAS to Bryant Richards at [email protected]

APRIL 2020 INTERNAL AUDITOR 23 TeamMate+ Expert Solutions

For auditors who are challenged to improve audit productivity while delivering strategic insights, TeamMate provides expert solutions, delivered with premium professional services, to over 3,000 global customers.

View a Demo Today at: TeamMateSolutions.com/Demo

Copyright © 2020 Wolters Kluwer Financial Services, Inc. 10411

TM-20-10411-MK-TeamMate+ Expert Solutions-PAD-EN.indd 1 2/17/20 1:28 PM Practices/Fraud Findings TO COMMENT on this article, EMAIL the author at [email protected]

violation. Text analysis on words such as “gift card,” “baby LESSONS LEARNED shower,” and “party” identified miscoded or out-of-policy » Periodically conduct a T&E audit to ensure employ- expenditures. They selected samples, reviewed receipts attached ees are in compliance with the T&E policy. Review to the expense reports, and documented all policy violations. and update the T&E policy and educate employees Finally, the investigation team interviewed the employees who as part of annual code of conduct training. Low-cost submitted the expense reports. Policy violations included: software can review all T&E reports in real time. » A lack of review by managers of exceptions identified » Management should review subordinates’ T&E by the T&E program, which flagged millions of dol- assumptions during its annual budgeting period. In lars of expenditures that were outside policy. MSI’s investigation, a management team used the » Abuse of cellphone reimbursement. T&E budget as a slush fund for personal spending » Abuse of meal reimbursement, first-class travel, and and out-of-policy entertainment. hotel lodgings. » T&E policies should not allow for the use of money » Cash reimbursement where no invoice was submitted service providers (e.g., PayPal). These providers to support the expense. allow for the purchase of goods and services or the » Personal spending at online retailers. transfer of funds for personal use. They also have » Spending and funds transfers through money service limited audit trails, which enhances the risk of fraud. providers, such as PayPal and Venmo, which have » The organization should block merchant category limited audit trails. codes on corporate T&E cards for goods and ser- » Purchases of gift cards. vices that would not be appropriate for its business » Numerous spending violations in Las Vegas, includ- or allowable under its T&E policy. ing front row seats to shows and $1,000 dinners at four-star restaurants. Individual violations included: » An employee transfered $7,000 from his corporate threshold. In one instance, two managers split credit card to his personal business through a money unknown expenses at a liquor store. service provider. » One manager submitted for cash reimbursement for » Employees shared their credit cards with one another client meetings over lunch or dinner for $24.99 every when they reached their card limits. other day for more than two years. » A manager sponsored a “kids” event at a local bar. » Multiple holiday parties and team meetings were » A manager purchased gifts for his secretary at a popu- reimbursed, including a substantial liquor bill at each. lar women’s lingerie company. » Team members expensed mileage reimbursement twice. After the investigation, MSI invested in T&E audit software Shull and Cayden put together detailed profiles on Cooper to review all reports in real time. When the software identifies and each manager, including their expense reports, support- T&E reports with excessive policy violations, the procure- ing invoices, and the section of the T&E policy they violated. ment department rejects them. In extreme cases, procurement Additional evidence gathered during interviews resulted in the forwards them to the forensic audit team. In addition, MSI termination of Cooper and several other managers. Cooper started blocking spending on company credit cards by mer- justified the expenditures by explaining he was under budget chant category codes, which classify businesses by the products for T&E expenses on his annual profit and loss statement. or services they provide. The T&E policy was updated to elimi- Shull and Cayden then embarked on a companywide nate the use of money service providers. T&E audit. They obtained six months of data from MSI’s In most cases of fraud, the employee was terminated. online T&E reporting program. The program allowed Employees who violated the T&E policy were reprimanded, employees to book transportation and lodging, code expen- and demand notices for repayment were sent to employees ditures by spending category, and submit expense reports for whose misdeeds were discovered after they left MSI. After one approval. Deviations from policy were flagged for the employ- year, T&E spending was reduced by more than $5 million. ee’s manager to review before approving the expense report. Shull and Cayden organized and ranked all spending by GRANT WAHLSTROM, CIA, CPA, CFE, is the forensic audit employee and spending category. Their team selected T&E manager at a privately held company in Hollywood, Fla. reports for detailed testing for the most egregious spending by ANISA CHOWDHURY, CPA, CA, is a senior forensic auditor at a category based on total spending and frequency of policy security company in South Florida.

APRIL 2020 INTERNAL AUDITOR 25 GOVERNANCE

The Responsible Organization

n January, BlackRock CEO Larry Fink published an open letter to company CEOs warning them that if they didn’t take immediate steps to help their busi- nesses become more resilient to climate and environmental risks, they risk being dropped from pension fund portfolios. This kind of announcement has the ability to spark boardroom conversations during a time when the push for orga- Inizations to identify, mitigate, control, and disclose the myriad risks to their businesses to a wider range of stakehold- ers — not just shareholders — continues to gather pace worldwide. Companies now report not only Neil Hodge on the financial risks to their busi- ness, but also the nonfinancial risks Illustration by Sean Yates they face. These risks include climate change, business ethics, human rights abuses, slavery and child labor, and their operations’ impact on the environ- ment — which fall under the realm of environmental, social, and governance (ESG) reporting. In fact, the current revision of the International Integrated Reporting Council’s Framework aims to “further embed integrated

26 INTERNAL AUDITOR APRIL 2020 As investors focus on ESG reporting, there is opportunity for internal auditors to get involved and provide assurance.

APRIL 2020 INTERNAL AUDITOR 27 TO COMMENT on this article, THE RESPONSIBLE ORGANIZATION EMAIL the author at [email protected]

reporting and thinking into main- the business and what steps manage- sustainability has become an umbrella stream business practice.” ment is taking to address them. But buzzword for every risk that doesn’t have Yet despite such reporting prog- research from international accounting an immediate financial price tag attached ress, the consensus view of several firm Mazars found that disclosures to it. Many organizations are either over- experts is that many organizations are around carbon emissions in Financial whelmed by the scale of work required paying lip service, disclosing only the Times Stock Exchange reports are “not to report meaningfully on the array of bare minimum of detail to comply or fit-for-purpose” and are “in many cases risks included, or are simply confused satisfy investors, regulators, and other a box-ticking exercise that does not by the term and the issues being covered stakeholders. Some organizations, appear to be integral to the way man- under ESG reporting (see “ESG Met- meanwhile, are struggling to get their agement runs the business.” The Finan- rics” on this page). heads around what exactly they need to cial Reporting Council, the U.K.’s Experts have some sympathy, but report — or how to do it, they add. corporate governance regulator, and the they say that organizations — and inter- “Sustainability reporting is largely European Union — where sustainability nal audit — cannot be indifferent to the done as a paper exercise,” says Lawrence risk reporting has been mandatory for problem, and they stress the need for Heim, managing director at audit and the past two years — have raised con- deeper audit involvement. consulting firm Elm Sustainability Part- cerns about the quality of disclosures Heim says organizational sustain- ners in Atlanta. He adds that “internal around sustainability risks. ability is not clearly understood by audit needs to be more involved in sus- Aside from nonfinancial reporting either internal auditors or boards, and tainability reporting, or become involved being voluntary for most organizations as a result, levels of assurance are decid- if it is not already part of the process.” around the world, there are several rea- edly mixed. Globally, he says there are Such views are shared by other experts. sons why efforts to improve sustainabil- more than 300 different ratings used by ity reporting and risk management are investors to assess ESG reporting, and QUESTIONABLE DISCLOSURES failing. First, the bulk of all mandatory it is unclear just what criteria they are In the U.K., listed companies have a disclosures is still concerned with finan- using to base their assessments. duty to disclose how sustainability risks cial reporting and most of the effort goes “There is no agreed on, single may impact the long-term viability of into getting that right. Second, the term definition of what is meant by

ESG METRICS The NASDAQ 2019 ESG Reporting Guide 2.0 lists 30 ESG metrics that can provide clarity and direction for internal audit departments getting involved with their organization’s ESG reporting.

CORPORATE ENVIRONMENTAL (E) SOCIAL (S) GOVERNANCE (G)

E1. GHG Emissions S1. CEO Pay Ratio G1. Board Diversity E2. Emissions Intensity S2. Gender Pay Ratio G2. Board Independence E3. Energy Usage S3. Employee Turnover G3. Incentivized Pay E4. Energy Intensity S4. Gender Diversity G4. Collective Bargaining E5. Energy Mix S5. Temporary Worker Ratio G5. Supplier Code of Conduct E6. Water Usage S6. Nondiscrimination G6. Ethics & Anti-corruption E7. Environmental Operations S7. Injury Rate G7. Data Privacy E8. Climate Oversight/Board S8. Global Health & Safety G8. ESG Reporting E9. Climate Oversight/Management S9. Child & Forced Labor G9. Disclosure Practices E10. Climate Risk Mitigation S10. Human Rights G10. External Assurance

Source: ESG Reporting Guide 2.0. Reprinted with permission from Nasdaq Inc. The complete Reporting Guide is available at Nasdaq.com/ESG-Guide.

28 INTERNAL AUDITOR APRIL 2020 Data availability is the major impediment to developing an explicit process for identifying and assessing climate risks and opportunities, according to the IIF/EBF Global Climate Finance Survey.

organizational sustainability,” Heim need to provide assurance to the board says. “The term means different things that the information meets their fi nan- to different sets of people, and to some cial, risk, and ESG reporting require- extent, it’s an umbrella term for a lot ments before it is released to the public.” of nonfi nancial risks. This is a night- mare for internal auditors.” GUIDANCE IS LACKING Organizations are using stand-alone AN EXERCISE IN PR sustainability programs with separate According to Heim, sustainability reporting, which means the claims reporting is often done cheaply and made in sustainability reports cannot be usually by public relations (PR) or independently verifi ed or appropriately marketing people rather than anyone benchmarked, Pojasek says. As such, trained in ESG issues to provide an there is some reluctance to accept them additional narrative to the fi nancial fi g- because of a lack of rigor associated with ures. “These reports are not thorough, the collection of the information, as not validated, and contain inaccuracies, well as a lack of internal auditing of the yet boards are happy to put their names data-gathering activity. Many invest- on them,” he says. ment fi rms, for example, will not accept There are two trends in sustain- ESG information in their sustainability ability reporting that amount to PR report because it is not complete and it and marketing exercises that Heim says is not independently verifi ed. internal auditors need to try to prevent Part of the problem, Pojasek says, is Internal audit their organizations from following. that there is little guidance for internal knowledge One is “greenwashing.” This is when auditors because of the array of func- around“ companies play up their environmen- tions involved in collecting the data: sustainability tally friendly efforts and credentials, sustainability teams, consultants, cor- programs is while downplaying — or ignoring porate social responsibility teams, and probably not as entirely — the areas of their business corporate citizenship groups, among that may be damaging to the environ- others. “It is diffi cult for internal audi- comprehensive ment, or that do not conform to stake- tors to understand the sustainability as it could or holder expectations of what constitutes program because there are few practice should be...” long-term sustainability. The other is guides available and auditors are con- “greenwishing,” where they talk about fused by the different kinds of stand- Robert Pojasek what they hope to achieve versus what alone sustainability programs,” he says. they’ve actually implemented. This Pojasek says internal auditors also includes a reduction in carbon emis- may lack knowledge and experience in sions, reduced waste, lower energy and sustainability reporting because there is water usage, increased telecommuting, no mandatory requirement to do so in cuts in air travel, and so on. disclosures to the U.S. Securities and Robert Pojasek, senior strategist Exchange Commission, as such informa- at risk and ESG consultancy Strategic tion is not often included in Form 10-K Impact Partners in Boston, agrees that and 40-F. As a result, he says, “internal sustainability reporting leaves a lot to audit knowledge around sustainability be desired. “The primary focus of the programs is probably not as comprehen- sustainability report is to improve its sive as it could or should be as a result of ranking in rating schemes, such as the not being involved in this activity.” Corporate Knights, Newsweek, Corpo- Heim adds that voluntary report- rate Responsibility Top 100, and similar ing on ESG and sustainability issues ratings,” he says. To ensure accuracy and often means that while the topics and meaningful disclosure, he says, “auditors risks are being discussed, they are not

APRIL 2020 INTERNAL AUDITOR 29 THE RESPONSIBLE ORGANIZATION

necessarily being audited. “Internal language they understand, and they auditors are not looking at any figures don’t like making investments that around ESG because they’re not related don’t pay off. “Provide evidence that to financial results, so these figures are shows that acting more sustainably adds published without challenge or any real value — operationally, in assuring com- assurance,” he says. pliance, reputationally, and even finan- “It should be impossible for any cially,” he says. “The area is dynamic, so company report to be made public by acting strategically now they can get without checking that the statements ahead of competitors and be better pre- are accurate, so sustainability report- pared and more resilient for future risks, ing is certainly an area where internal including environmental risks.” audit can get more deeply involved,” Third, he says, internal audit Heim says. “Internal audit has the should collaborate with other assurance skills to question the basis of these functions — compliance, risk manage- reports — how they were put together, ment, environmental, and in-house by whom, and using what information legal — to “push the case for better or evidence — and it should have a aggregated understanding and manage- duty to flag up to the board the risks of ment of sustainability risk. Clear, con- publishing material or claims that have cise communication of sustainability not been checked or may be false.” risk — and opportunities — can attract the attention and resources it deserves A UNITED FRONT and can also offer a vehicle for internal Douglas Hileman, an internal audit, audit to demonstrate how it can add If internal audit risk, and compliance consultant based value to the organization.” approaches in Los Angeles, agrees that internal There will be greater scope for sustainability“ audit is often excluded from reviewing internal audit to provide assurance on like any other sustainability strategies and report- sustainability issues going forward, says risk assessment, ing — mainly due to competing priori- Vanessa Havard-Williams, partner and executives ties and a lack of budget. “There’s very global head of environment at the Lon- little time, energy, or expertise to look don office of international law firm Lin- will take more at ESG risks, reputation risk, third- klaters. “As organizations — particularly notice.” party risk management, human rights, large corporations — begin to integrate slavery, health and safety, cyber risk, sustainability impacts at a detailed level Douglas Hileman and so on,” he says. “The audit com- into their enterprise risk management mittee decides internal audit’s priori- frameworks, internal audit will get ties, and at the moment, sustainability more closely involved in reviewing risk is not a top item on their agenda.” them and providing assurance on their Internal audit can try to address effectiveness to the board,” she says. this imbalance. First, Hileman says, “Executives are well aware of the internal audit should present sustain- damage that a tarnished reputation can ability in terms of current and long-term have on the company’s bottom line and business risks. “Boards and management customer base,” says Fay Feeney, CEO get risk — a lot of them don’t get sus- of emerging risk strategy consultancy tainability. If internal audit approaches Risk for Good and a board member sustainability like any other risk assess- in Hermosa Beach, Calif. “So internal ment, executives will take more notice.” audit should make it clear that an orga- Second, Hileman notes, internal nization’s failure to commit to sustain- audit should present a business case to able business practices will damage the incorporate sustainability into strategy. corporate brand among a wide variety Executives need to be talked to in a of stakeholders, including employees.”

30 INTERNAL AUDITOR APRIL 2020 42% of institutional investors incorporated ESG factors into their investment decision-making process in 2019, up from 22% in 2013, according to The Callan Institute’s 2019 ESG Survey.

Feeney also warns that auditors on the Purpose of a Corporation last need to be prepared to acknowledge August, they committed to, among that board members are overconfident other things, “respect the people in about the organization’s capability to our communities and protect the manage risks, as noted in The IIA’s environment by embracing sustainable OnRisk 2020 report. As a result, she practices across our businesses.” With says, “internal auditors need to assess support from major U.S. companies their boards’ understanding against their to adopt sustainable business practices knowledge of sustainability risks as there and embed reporting — and practice are likely to be gaps in their knowledge what they preach — the expectation is and areas where they do not fully under- that other organizations need to follow stand what needs to be done, and what suit, if they aren’t already. impact these risks can have on the busi- Internal audit needs to get more ness, its operations, and supply chains.” involved and leverage sustainability to find potential business opportunities SPEAK THE SAME LANGUAGE and use them to offset the business Internal auditors Paul Sobel, chair of The Committee of threats, Pojasek says. “Auditors need Sponsoring Organizations of the Tread- to look for the upsides of risk.” To need to assess way Commission, says internal audit do that, he says auditors need to raise their“ boards’ needs to make sure the board — and questions that can help their orga- understanding everyone else in the business — speaks nizations enjoy enhanced value: Are against their the same language around sustainability there ways to turn what looks like a knowledge of so the issues, risks, opportunities, and costly threat into sustained value for sustainability the organization’s long-term goals are the corporation? Does this provide understood in the same way. If everyone a better way to make sustainability a risks...” involved is thinking about risk in the key part of how the business is oper- Fay Feeney same way, he says, “it will be easier to ated to secure long-term financial discuss and appreciate the risks to the growth? Does this structured form organization — and what responses are of sustainability and uncertainty risk needed — in the same way, too.” afford a new opportunity to look at Sobel adds that internal audit needs the supply chain? to think about the value proposition There is little doubt of the need around sustainability and push the busi- for organizations to review their long- ness case for change, rather than follow term viability and resilience in light of most boards’ leads to consider it as a external risks, particularly around the cost or compliance headache. “Inter- environment and climate change. nal audit needs to look at what future If threats such as BlackRock’s do investor, regulatory, and stakeholder not make boards sit up and pay atten- expectations are likely to be regarding tion — nothing will. And if boards do sustainability risk management and not make a greater effort to consider reporting and push for management sustainability as a key risk issue, it and the board to move in line — or appears likely that shareholders will ahead — of them,” he says. “This means do so, as evidence shows investors are keeping up to date with best practice, becoming increasingly activist about reviewing ongoing trends, and engaging how they want companies to be run, more robustly with stakeholders.” and the priorities they want to see in the boardroom. CHANGING PRIORITIES When 181 U.S. CEOs signed the NEIL HODGE is a freelance journalist Business Roundtable’s new Statement based in Nottingham, U.K.

APRIL 2020 INTERNAL AUDITOR 31 An RPA

obotic process automation (RPA) has received a lot of attention lately for its ability to streamline processes and increase effi ciency. Simply stated, RPA is the automation via virtual robots (bots) of computer-based tasks traditionally performed by people. RPA bots consist of software programs that mimic repetitive actions exactly the way a person would perform them. In the business world, RPA has gained momentum as a tool for automating Rstandard repetitive tasks that require little human judgment or thought. The technology frees up meaningful time for humans to perform work that is, well, more human — tasks that require more analytical or intellec- tual brain power. Rudimentary RPA has been around for decades. Spreadsheet macros, for example, have long enabled users to record keystrokes and automate basic tasks with the click of a mouse. Today, RPA bot development is much more sophisticated. Bots are unbound from a single system or database and can manipulate unstructured data — such as by “scraping” it from a screen shot based on a keyword, phrase, or screen location. The technology’s powerful capabilities have enabled multiple uses of RPA, from automating account reconcilia- tions to performing audit tasks. With these capabilities in mind, the internal audit function at YRC Worldwide (YRCW), a trucking company specializing in freight transportation and logistics services for North American shippers, under- took a pilot program to implement RPA technology. The

32 INTERNAL AUDITOR APRIL 2020 ROBOTICS Road Test

Internal auditors at a freight transportation company take robotic process automation for a test drive.

Rick Wright PHOTO COURTESY OF YRC WORLDWIDE; ICON, RETRO67 / SHUTTERSTOCK.COM

APRIL 2020 INTERNAL AUDITOR 33 AN RPA ROAD TEST

effort was a success, paving the way repertoire of services. Audit leadership for a formal implementation plan and saw RPA’s potential in this regard as a future RPA rollout. critical piece of internal audit’s strategy. Automating portions of the standard THE IMPETUS FOR RPA terminal audit program could free up With a staff of 17, YRCW’s internal valuable staff resources, allowing more audit function is organized into two focus on other value-added services. distinct groups — one specializing in regulatory compliance and risk-based, PREPARING FOR AUTOMATION back-offi ce assurance and consulting In preparation for the audit of the engagements; the other focused on future initiative and its RPA compo- compliance and operational reviews nent, YRCW internal audit leadership related to YRCW’s network of more assessed several factors. First, leadership than 300 freight terminals. Internal examined staff capabilities, with an audit’s RPA pilot focused on this emphasis on analytical and technology latter area. skills. Although commercial RPA tools YRCW management has consis- have become increasingly user-friendly, tently made one request of the internal application development skills can audit team: Provide more audit cover- enhance RPA capabilities signifi cantly. age with the same amount of staff. And while YRCW internal auditors had In keeping with this challenge, audit upgraded their technology skills over leadership strives to innovate and has time through individual development embarked on a strategic mission to plans, they did not possess the desired coding or business analyst acumen to facilitate RPA. To incorporate these skills, internal Part of the department’s audit-of-the- audit leadership repurposed one of its analyst roles, which was vacant at the future strategy involved enhancing time, and rewrote the job description to include RPA competencies. Require- internal audit’s value proposition. ments included profi ciency with SQL or other relevant coding skills. Audit leadership also sought process improve- create the “terminal audit of the ment and business analyst experi- future.” Terminal audits consist of ence — in addition to a background transactional and observational testing in internal auditing. And while the to provide regulatory and operational candidate who eventually fi lled the role compliance assurance, using standard did not possess RPA experience per se, audit programs to provide a consistent the individual’s background and skills measuring stick for evaluating freight allowed for a short learning curve. terminal performance. Before launching the initiative, The YRCW audit function has a internal audit leadership also needed multiyear track record of year-over-year to establish roles for existing team audit coverage increases. With each members. They assigned a project lead successive year, however, these increases to learn RPA basics and inform other become more diffi cult to sustain. The team members about key features, goal of the audit-of-the-future strategy tools, and requirements. This effort is to not only increase audit coverage, led to a white paper deliverable aimed but also to enhance internal audit’s at defi ning what RPA was best suited value proposition by adding to its for, identifying key resource needs, and

34 INTERNAL AUDITOR APRIL 2020 66% of companies will increase RPA software spending by at least 5% over the next 12 months, according to a 2020 international survey by Forrester Research and UiPath.

BOT-BUILDING SKILLS etting started with RPA does not require specialized skills. Most RPA tools include typi- cal graphical user interfaces with point-and-click functionality that helps beginners get Gstarted right away. Anyone with an advanced foundation in the use of basic software tools like Microsoft Excel can develop rudimentary bots. Nonetheless, technical skills such as coding can be helpful when pursuing more sophisticated bot development, especially if the anticipated RPA initiative is more complex. More advanced RPA tools also provide for customized coding using either SQL or other cod- ing languages. Individuals who leverage business analyst and coding skills can add significant value to more complex bot development projects.

determining whether audit leadership’s as potential candidates for RPA. Steps vision for RPA was realistic. The white considered more transactional in paper included a basic description of nature, and those requiring the audi- RPA, as well as information about tor to log into multiple systems, were expected benefits, how RPA works, bot prioritized as optimal candidates. The setup options, common capabilities more difficult and time-intensive the and uses, risks, and top RPA vendors audit step, the better RPA candidate it and tools. The document was instru- was deemed. The analysis provided a TO COMMENT mental in level-setting the team’s base quantifiable picture of potential time on this article, knowledge and understanding of the savings, which ultimately affirmed that EMAIL the technology’s capabilities and limita- RPA had the potential to substantially author at rick. [email protected] tions. This common understanding increase terminal audit efficiency. The enabled the team to collaborate more collaborative analysis and discussions effectively on a business case for the use from the proof of concept exercise of RPA and plan for implementation. served as a green light to proceed with a project socialization plan and develop PROOF OF CONCEPT a pilot program. Armed with the white paper research, internal audit began working on a SOCIALIZING RPA proof of concept to determine RPA’s With the proof of concept well under- potential value related to the terminal way, internal audit leadership began audit program. The process consisted to socialize the initiative with key of determining which terminal audit stakeholders. Socialization represented program steps might be suited for an important step as the time commit- RPA conversion and highlighting ment required to fully implement RPA potential efficiency gains. The team would potentially impact audit cover- identified steps that involved trans- age in the near term and might require actional system testing and other monetary investment down the road. system-related test work versus obser- Key stakeholders in the socializa- vational steps for which automation tion effort included internal audit’s would not be feasible. reporting hierarchy (i.e., the audit Team members also estimated committee and the chief financial the current level of effort required officer) and operations leadership (the to complete audit steps, designating primary audit client). Additionally, each one as easy, moderate, or hard. support from YRCW’s IT team was Moderate or hard steps were flagged particularly important, as anticipated

APRIL 2020 INTERNAL AUDITOR 35 AN RPA ROAD TEST

transformational benefits required RPA tool selection is often the first PILOT RESULTS direct access to organizational data. barrier internal audit groups face when The pilot project yielded valuable To gain stakeholders’ buy-in and looking to pilot an RPA initiative. insights about bot development, such support, internal audit needed them to Especially for smaller internal audit as process intricacies often taken for understand both the long-term ben- functions, where resources tend to be granted when people perform testing. efits and the short-term impacts of the scarce, monetary investment in a tool For example, the team realized the RPA initiative. Socialization involved that may or may not add substantial value of direct access to data versus scheduling brief meetings to educate value can be a tough sell. Fortunately, indirect access via screen capture. Some stakeholders on RPA and its merits. several vendors offer web-based RPA steps in the bot development process Most of them were familiar with RPA tools that provide a basic functionality involved accessing mainframe screens from a business process perspective but version, enabling users to get started for and “scraping” the needed data from had not considered the application as free. Internal audit chose this approach them. However, certain application screens consist of mere images and not actual data — i.e., renderings for the user interface. People recognize images Even when factoring in the manual easily, but RPA tools vary in their abil- ity to process them. The pilot bot could work required, automation yielded not recognize data captured as imagery, causing problems at this point in the considerable time savings. audit step. The bot would either fail or seize up when encountering this task, requiring manual intervention to it related to the terminal audit process. for its pilot. After reviewing and trying complete the step. If direct access to the During the meetings, internal audit several free tools, internal audit selected data could be acquired, the bot would also presented the proof of concept one that had an established reputation be able to continue processing the audit results and proposed value proposition and appeared capable of accommodat- step to completion. At the time of the for RPA adoption. Because the white ing the pilot. pilot, direct access to some of the data paper and proof of concept supported The team chose a pilot audit step was not available. a definitive value proposition, socializa- that involved several manual audit As a result, the pilot bot produced tion proved merely a formality and the tasks: logging into multiple systems, favorable but incomplete results. The RPA initiative received unqualified sup- navigating to various application audit step chosen for the pilot usually port to proceed. screens, acquiring specific lists and took an auditor one to two hours to fields of data so that a sample of test complete manually. Up to the point PILOT BOT items could be identified, and analyz- where screen images proved a barrier, The proof of concept’s final phase ing the sample data in a spreadsheet to the pilot bot completed the step in involved developing a pilot bot. Devel- determine the test outcome. Moreover, about one minute, with an additional opment consisted of several steps: anticipated bot efficiencies enabled the 20 minutes of manual processing » Identifying an appropriate auditors to replace judgmental sampling required by an auditor. RPA tool. with full population testing. Even when factoring in the man- » Selecting a terminal audit After defining the new testing ual work, automation yielded consid- program step that would serve approach, the audit team initiated bot erable time savings. If direct access to as an appropriate candidate development. The process involved data could be obtained, the bot could for RPA. recording each of the audit tasks, step- complete the entire audit step even » Working with staff auditors to by-step, in the RPA tool. In many more efficiently — in two minutes or itemize the tasks required to ways, development resembled macro less. This discovery highlighted the complete the audit step. programming within a spreadsheet critical value of direct data access to » Developing the RPA bot logic. application — auditors captured tasks bot development for future RPA roll- » Testing, troubleshooting, and such as mouse clicks, keystrokes, and out. Through some additional support refining the bot. login credentials, which they automated provided by the IT group, internal » Demonstrating the bot. using the tool. audit ultimately acquired direct access

36 INTERNAL AUDITOR APRIL 2020 Robotic process automation, Internet of Things, and artifi cial intelligence are the top three technologies for today’s digital strategy, according to a 2020 PwC survey of senior executives.

THINK BEFORE YOU AUTOMATE nternal auditors should not undertake bot development projects hastily or without suffi cient planning and support. Audit functions looking to Ipursue RPA should consider: » A proof of concept (including pilot) should be performed to ensure adequate value exists to justify the RPA initiative. » Rudimentary (free) tools and skills can get the initiative started, but more advanced tools and coding skills may be required to complete the journey. » Direct access to data adds exponential value. » Partnering with IT or other groups using RPA enables internal audit to leverage internal subject matter expertise and reduce develop- ment expenditure. » Program quality and sustainability requires close attention to RPA governance.

to the necessary data and completed VEHICLE FOR CHANGE the pilot bot. Like many technology tools, RPA Internal audit compared the bot is not a one-size-fi ts-all solution. Its test results with results from manual application model and value potential completion of work to ensure consistent differ for each organization. Ultimately, outcomes. It found that pilot results the value of RPA lies in automating were of higher quality (full population standard activities that are performed testing vs. a sample) and signifi cantly frequently. Internal audit functions more effi cient (approximately 90 sec- whose audit plan includes substantial onds vs. 1–2 hours to complete the compliance assurance engagements audit step).

THE ROAD AHEAD Having validated the potential for bots Ultimately, the value of RPA lies in to increase audit effi ciency, YRCW internal audit is now poised to initiate a automating standard activities that are formal RPA implementation plan. The plan will prioritize audit steps for bot performed frequently. development as well as consider RPA’s governance implications. It will address many of the considerations necessary that are repeated frequently are likely in any IT development environment, to have a better business case for RPA including development standards, than those whose plan comprises a change management, and user testing. greater proportion of operational and Internal audit leadership will also consulting projects. For internal audit need to determine the appropriate post- functions where RPA makes sense, it pilot RPA tool to use, and if necessary, can be a game changer. build a business case to justify and secure funding. Additionally, leadership will RICK WRIGHT is director, Internal Audit need to evaluate how to redeploy staff and ERM, at YRC Worldwide in Overland once bot effi ciencies start to materialize. Park, Kan.

APRIL 2020 INTERNAL AUDITOR 37 DON’T JUST ACCEPT INNOVATION. Embrace it.

A helping hand in the face of disruption. Welcome to Status Go.™

gt.com/statusgo

Grant Thornton LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. Services are delivered by the member firms. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. Please see www.gt.com for further details. © 2019 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd BUSINESS ACUMEN

Internal audit can incorporate elements of the Balanced Scorecard approach to build its ability to anticipate and meet the organization’s needs. Basil Orsini Audit With Acumen

oard and management stakeholders want internal audit to demonstrate greater business acumen. They want auditors to have a broad understanding of the organization, as well as anticipate how to help the organization achieve its objectives. That means auditors need to see beyond their area of expertise and responsibility. They must be agile to act proac- tively and congruently with the organization’s way of doing Bbusiness. By recognizing these expectations, internal audit can show that the department is an excellent place to develop business acumen.

FIT BUSINESS NEEDS Organizations expect all senior managers to have the busi- ness acumen to lead their areas of responsibility and support broader organizational success. Managers should be able to anticipate and act on ways to add value to the organization and its stakeholders. Likewise, internal audit needs to identify the best ways for the function to develop business acumen that fits the

-STRIZH- / SHUTTERSTOCK.COM organization’s needs. It can’t take a one-size-fits-all approach,

APRIL 2020 INTERNAL AUDITOR 39 TO COMMENT on this article, AUDIT WITH ACUMEN EMAIL the author at [email protected]

though, because business acumen will Their strategy for establishing business vary by industry, type of business, and acumen should involve human resource the kind of service a business unit pro- activities, such as hiring, promotions, vides. For example, internal audit will and career planning, as well as profes- require different aspects of business sional development activities. acumen than business lines, such as sales and production, or support ser- ENABLED BY THE STANDARDS vices such as fi nance and security. Internal audit’s use of business acumen Moreover, internal audit’s assur- must reinforce, and not compromise, ance role in relation to other assurance auditors’ professional competence. The roles within the organization impacts International Standards for the Profes- the kind of business acumen it needs. sional Practice of Internal Auditing place Developing business acumen can great importance on risk-based plan- enhance internal audit’s risk-based ning — multiyear, annual, and engage- ment — to ensure that services are strategic and add value. Having busi- ness acumen enables internal audit to Internal audit can build business proactively plan and adapt all forms of audit activity to anticipate the organiza- acumen on a strong understanding and tion’s assurance needs. This capability goes far beyond simply repeating cycli- implementation of the Standards. cal coverage or responding to senior management requests. There is no trade-off between coverage of the organization’s main demonstrating business acumen and lines of business, as well as the fi rst two conforming to the Standards. On the lines of defense. contrary, internal audit can build busi- In developing business acumen, ness acumen on a sound understanding internal audit should not be seen as and innovative implementation of the narrowly focused rule-followers who Standards and associated guidance. avoid innovation and taking risks. CAEs have used a variety of meth- Chief audit executives (CAEs) should ods and approaches to attune their staff ensure the audit staff understands the to the business needs of their organiza- capabilities of the organization’s fi rst tions. The examples in the boxes that two lines of assurance, as well as the begin on page 41 demonstrate how business’ main products and services. business acumen can work in internal

40 INTERNAL AUDITOR APRIL 2020 Business acumen is one of the top three skills CAEs focus on when recruiting, but 39% say it is very diffi cult to recruit effectively, according to the 2018 North American Pulse of Internal Audit.

GOVERNANCE hese examples can improve mutual understanding, enhance business Tcapabilities, and strengthen relationships at the governance level of the organization: » Have the CAE actively participate in regular meetings of the audit com- mittee operational governing body. » Assign individual audit managers to each of the major lines of business as account managers. » Build the internal audit universe on top of the organization’s strate- gic objectives. » Conduct organizationwide internal audits in support of key corporate activities such as internal communications.

CLIENT hese examples can improve mutual understanding, improve business audit. These examples are based on Tcapabilities, and strengthen relationships with the organization’s busi- four perspectives adapted from the Bal- ness units: anced Scorecard strategic planning and » Base multiyear, annual audit, and engagement plans on the organization’s management tool: governance, client, corporate and business risk profi les. internal processes, and innovation and » Include strategic upside risks of opportunities and strengths in annual learning. The boxes substitute gov- internal audit plans to complement the traditional focus on key downside ernance for the Balanced Scorecard’s risks of weaknesses and threats. fi nance measure. CAEs should plan, » Reinforce the role of other internal assurance functions (second line of track, and report to the board and defense), such as risk management and fi nancial control, by auditing management on initiatives in each of their processes. these areas. » Invite business units to link the timing of audit engagements to their busi- ness information needs, such as in support of future fi nancial approval INTERNAL AUDIT’S ACUMEN submissions for major initiatives or new programs. CAEs are likely undertaking some or » Provide information on assessment criteria well in advance of an audit many of these initiatives, as well as some engagement when there are known shortcomings, to enable managers to others. To get the attention and mutual take corrective action before the audit. understanding needed, annual internal

APRIL 2020 INTERNAL AUDITOR 41 Work !bvhĺ Not -r;uvĺ

root cause committee decks

real-time data surveys

business insight evidence

efficiently emails

connected PDFs

†|ol-|;|_;vl-ѴѴv|†@ĺ;m|u-ѴbŒ;-ѴѴubvh-m71olrѴb-m1; ‰ouhomom;1;m|u-ѴrѴ-oulĺ)bm0-1hlou;ঞl;|ovr;m7 om|_;ˆ-Ѵ†-0Ѵ;r-u|vo=‹o†ubm|;um-Ѵ-†7b|‰ouhĺ

Find out more at workiva.com/audit Knowledge of the organization and its risks and industry-specifi c knowledge are among the business acumen attributes spelled out in The IIA’s Global Internal Audit Competency Framework.

INTERNAL PROCESSES hese internal audit processes can improve mutual understanding and business capabilities, as Twell as strengthen client relationships throughout the organization: » Report more deeply on audit fi ndings by avoiding a narrow-minded approach to audit issues. For example, reports should discuss the broader implications and possibilities of fi ndings, such as their impact on broader business objectives. Internal audit also should show how fi ndings link to implications for other business purposes and recommend reducing ineffi cient internal controls. » Submit periodic status reports on the internal audit plan’s implementation and adjust them dur- ing the year to better address emerging business assurance needs. » Issue periodic reports on signifi cant operational risks based on analyses of internal audit fi nd- ings within the organization or across the industry. » Offer to provide consulting and research services in conjunction with individual engagements. » Invite internal audit team members to meet the audit committee and observe its discussion of their individual engagements.

INNOVATION AND LEARNING hese examples of innovation and learning can improve mutual under- Tstanding, enhance business capabilities, and strengthen relationships: » Assign talented employees from other business units to short-term audit plans and year-end reports should engagements within internal audit. This practice can develop those include a formal strategy on investments employees, as well as bring their insight to audit staff members. in building staff capabilities to better » Send talented internal auditors on developmental, nonaudit assignments respond to the emerging needs of the within business units. This practice can help those auditors build business organization. This approach can foster acumen and pass their knowledge to the teams with whom they work. productive discussions and improved » Bring internal auditors from fi eld offi ces to work at headquarters. understandings with management and » Train new managers on internal audit’s role and areas of expertise such as the audit committee. management control and risk management. » Participate in professional associations other than internal audit, such as BASIL ORSINI, CIA, CGAP, CRMA, CFE, risk management, IT, security, and fraud prevention. Such groups can help is a recently retired internal auditor from auditors keep abreast of leading practices and share lessons learned with the Government of Canada in Ottawa. audit colleagues.

APRIL 2020 INTERNAL AUDITOR 43 THIS IS THE SLUG LINE

44 INTERNAL AUDITOR APRIL 2020 THIRD-PARTY RISK

Internal audits must delve into the risks posed by the organization’s ever-expanding chain of third, fourth, and fifth parties.

hether they know it or not, consum- ers in today’s economy are likely being impacted by an organization’s third parties daily. From online merchants, and the delivery partners they use to complete the transaction, to call cen- ters and other support services, third parties support organizations in almost W every imaginable way. Brian Kostek In the end, these end-to-end busi- ness “ecosystems” are what drive value creation and revenue for today’s organiza- tions. Some examples may not be in the control of the organization or its third parties, such as the recent coronavirus outbreak that has had a global impact on operational value chains. And as things go wrong, it is likely that the organization with the brand name is the one impacted and not the third party supporting the product or service in the marketplace. Understanding an organization’s end-to-end processes and how those pro- The cesses deliver value should be the objective and outcome of an internal audit. That means internal auditors must look beyond third parties to incorporate key fourth, fifth, and sixth parties into planning, scoping, and executing every audit — a pro- cess known as “ecosystem management.” Value SHIFTING THE EMPHASIS Focusing on an organization’s ecosystem can change the underlying approach and output of an internal audit. Aiming scoping questions, walk-throughs, and outputs in the at the organization’s external partners shifts the emphasis from control gaps, issues,

DOUG ROSS / ILLUSTRATIONSOURCE.COM Business Ecosystem

APRIL 2020 INTERNAL AUDITOR 45 TO COMMENT on this article, THE VALUE IN THE BUSINESS ECOSYSTEM EMAIL the author at [email protected]

and items requiring resolution to how Include Business Resilience in the the business protects its value-driving Context of Business Activities To activities and profi t-making ability. get operational resilience right requires This doesn’t mean that an organiza- a change in perspective by manage- tion should change how it plans its ment, boards, IT functions, and control annual internal audit schedule. Instead, functions. For a long time, organiza- it should integrate three key principles tions have focused on determining the into how it executes each audit. In probability of an adverse event occur- other words, the annual audit schedule ring and ways to prevent it or minimize should continue to focus on higher risk the damage. As part of this approach, areas, but the scope of each audit should most organizations have developed include the ecosystem principles. This business continuity and disaster recov- approach may result in longer and more ery plans, including simulated testing. complex audits. Business resilience is broader than those traditional topics, though, encompass- Focus on End-to-end Processes ing business, cyber, infrastructure, and Audits should focus on the auditable third-party resilience. Internal audit entity and how each process supports can help drive the broader perspective the desired inputs and outputs. The of operational resilience by integrating scope of the audit of each end-to-end these concepts into its ecosystem man- process should include a view of third, agement approach. fourth, and fi fth parties that drive business value. This approach requires INTEGRATE PROCESS auditors to conduct activities as if the DOCUMENTATION external parties are internal to the orga- When conducting integrated ecosystem nization. The audit should demonstrate audits, internal audit should combine how the auditable entity delivers value: internal and external process documen- tation into a single and consistent docu- mentation standard. Auditors should communicate this standard to the Organizations should determine who auditable entity to allow enough time to capture external party documentation in the third parties of the third party are. the preferred format, including process and control information. This approach gives internal audit through internal people, processes, and and other internal parties a single view- technologies only; external parties; or a point on how business activities are mix of both. driving value and profi ts. Additionally, it enables internal audit to effectively Focus on Return on Investment challenge each auditable entity on the (ROI) and Value-generating Activi- risks and underlying strength of its con- ties Audits should focus on how each trols, and how they protect the interests process and end-to-end activity sup- of the organization. ports ROI generation. If the process doesn’t support the organization’s ROI, MANAGE THIRD AND auditors should question its role in the FOURTH PARTIES broader organizational ecosystem. The Does the organization know who its role of external parties in supporting third parties are and how they sup- value-generating activities should be a port value-generating activities (see key focus of this exercise. “Ecosystem and Extended-party Risk

46 INTERNAL AUDITOR APRIL 2020 66% of respondents rate third-party relationships as a high future risk, an increase from 60% who consider it a high current risk, according to The IIA’s OnRisk 2020 report.

auditors should still be able to under- ECOSYSTEM AND EXTENDED-PARTY stand how the auditable entity monitors RISK QUESTIONS third parties’ performance in delivering The following examples are questions specific to third-party management inputs or services. That knowledge can that can be used in ecosystem audits: improve their understanding of the value 1. Does a third party support the business activity in meeting its market external parties deliver to the entity. and customer needs? 2. How does the organization monitor the quality of its third parties and LINK TO OPERATIONAL RESILIENCE their ability to continue to meet the organization’s needs? Business resilience requires organiza- 3. Does the decision to leverage a third party align with the organization’s tions to focus on activities that are strategic decisions and key competencies? critical to their customers and mar- 4. Does the use of a third party expose the organization to additional kets, and the infrastructure needed reputation and brand risks that must be monitored and managed? to continue to provide those services. 5. What outputs of the process drive value- and profit-generating activi- Within ecosystem audits, internal ties for the organization? audit should help capture and chal- 6. Does the use of a third party create potential disruption risks, including lenge the business understanding impacting the organization’s ability to continue to operate and gener- of the end-to-end ecosystem, and ate value? whether business leaders are consid- 7. Does the third party maintain plans to ensure its services would con- ering all the risks associated with it. tinue in the event of a disruption? Auditors should leverage recent indus- try and world events as examples to challenge the business on whether it is truly resilient to known and unknown Questions” on this page)? If it does not its value-generating activities. Parties risks to value-generating activities. know, that could spell problems for the that have direct inputs are defined as organization as a whole and for auditors value-generating. Identify Critical Services The orga- conducting an audit, as it should be Once an organization has an end- nization should identify which of its the starting point to completely under- to-end view of internal and external activities are critical to customers, other standing the ecosystem. processes, it should consider controls market participants, the ongoing conti- Maintaining a list of contracts among the entities. This requires inter- nuity of the organization, or the econ- and data that does not explain which nal audit to document the operating omy. It should prioritize these services processes are supported by third parties controls of both the auditable entity for resiliency and have clear tolerances does little to enhance this understand- and the external parties supporting for disruption to those services. ing. Organizations should go beyond the delivery of the activity. They also such lists by determining who the third must capture the controls monitoring Understand Impact Tolerance The parties of the third party (fourth par- the transition of processes (hand-offs) organization should use scenarios to ties) are. This exercise boils down to between the entities. estimate the extent of disruption to a two questions: That last category becomes more business service that it could tolerate. » Does the organization under- important for key activities that are out- Scenarios should be severe but plausible stand how it delivers its value sourced to fourth, fifth, or sixth parties. and assume that a failure of a system proposition to the marketplace? In such scenarios, the organization may or process has occurred. The organiza- » Does that understanding rely on an external entity to monitor tion must then decide the point at include how its suppliers, service the quality of delivery of those activi- which disruption becomes no longer providers, or other entities con- ties. While this may seem like a lot of tolerable. While using cyber events tribute to that overall mission? additional work, in theory, the business for such scenarios can focus attention, The organization does not need to already should have a view of these key the organization also should use other know every single party within the activities and monitoring protocols in events in scenario analysis such as failure chain of external relationships. How- place to protect its own interests. of change or IT implementation, and ever, it should have a solid understand- If a third party refuses to provide disruption at third parties, outsourced ing of those parties that help to support the requested support or documentation, providers, or offshore centers. Senior

APRIL 2020 INTERNAL AUDITOR 47 THE VALUE IN THE BUSINESS ECOSYSTEM

management and the board should audits can benefi t the organization by use the information to update policies focusing on the criticality of value- and contractual agreements, and drive generating activities. As a result, they investment decisions around improving can help the organization identify key business processes. business risks. During these audits, business personnel typically are more Understand Change Processes The comfortable discussing why the business operational resilience program should operates in the manner it does. More- evolve with the business as it changes. over, integrated audits limit the need to perform targeted audits on third-party risk, business continuity, cyber risk, and Internal audit should understand the operational resilience. Standalone Audits For organizations future state of key third parties. that can’t integrate these ecosystem concepts into business-as-usual audits, an ecosystem management audit The organization should understand can help them understand how the what external or internal factors could business delivers value. That under- change over time and the trends that standing is fundamental to gaining could impact key business services, and a holistic view of the organization’s adjust its resilience plans accordingly. risks. Conducting this audit starts with answering questions about the FOCUS ON VALUE value delivered to external and inter- Embedded in the audit methodol- nal stakeholders. ogy should be a focus on the business’ Questions for external stakehold- value-identifi cation, value-generation, ers include: and value-realization activities. Every » What products and services business audit should capture docu- does the organization offer? mentation consistently to support the » How does the organization understanding of internal and external deliver its products and services? processes and controls. » What would happen if the Internal auditors should ask about organization couldn’t deliver its external entities and collect data to products and services? understand the future state of key third » How does the organization parties. They should discuss the criti- confi rm that its products and cality of activities and their relation to services are meeting the needs value-generating activities. Auditors of the market? should link the concept of key activities, » How does the organization third parties (and additional parties), and confi rm that its products and process inputs and outputs to value gen- services are meeting its legal eration and ROI across the organization. and regulatory obligations? Finally, they should provide an opinion For internal stakeholders, auditors on whether activities are generating should ask: the most value possible and whether » How does the organization the business is allocating the necessary continue to operate profi tably resources to meet that objective. and promote its core values? » How does the organization Business-as-usual Audits Integrating continue to meet board mem- these concepts into business-as-usual bers’ expectations?

48 INTERNAL AUDITOR APRIL 2020 Outsourcing and third-party risk is rated the No. 4 operational risk by risk executives and senior practitioners — up from No. 6 in 2019 — in Risk.net’s Top 10 Operational Risks for 2020.

» How does the organization them? For example, does the organization’s capabilities. While this promote the continued success organization provide 100% of is a reasonable view, those practitioners of its employees and their future products and services through should keep in mind that without well-being? internal processes, or does it the value the business generates, their rely on third parties to provide role within the organization would Risk Management Program The 50% of inputs, outputs, or not exist. answers to these questions can help the continued servicing? Internal audit functions should organization build core data to sup- » What are the core business drive value to an organization wher- port an ecosystem risk management objectives, and how does the ever possible. Standalone audits program. The organization can leverage organization manage them? of value-chain operations can be this data across its enterprise risk man- » Does the organization’s culture benefi cial to ensuring they function agement frameworks to provide a com- align with its products and ser- effectively. However, by embedding mon taxonomy for how the business vices, and is it consistent with ecosystem management concepts drives value. the core business objectives? into business-as-usual activities, Moreover, the answers can help internal auditors can drive a deeper the organization address additional A DEEPER UNDERSTANDING understanding of the organization’s questions that could provide a basis for OF THE BUSINESS value-generating activities and most developing an ecosystem mindset for Some internal auditors may fi nd the profi table businesses. future-state audits: ecosystem management audit concept » What products and services do far-fetched. These professionals may BRIAN KOSTEK, CRCM, is a managing we offer, and how do we deliver think such audits are beyond their director at Protiviti Inc. in Tampa, Fla.

Focus on Team Development in 2020

Train your team by bundling any combination of in-person and online options with IIA Group Training. We’ll even bring IIA Group Training to your location. No matter what your team development needs, The IIA will tailor our training to meet your goals.

Our place or your place. Our pace or your pace. www.theiia.org/2020TeamDevelopment

Discover additional benefits of group training by calling +1-407-937-1388 or email [email protected]. 2020-0275

APRIL 22020020-0275 SEM-Group Training IA Half-page Ad.indd 1 INTERNAL AUDITOR2/24/20 1:2498 PM Peter Hughes Robert Campbell John Lerias QUESTIONS on Culture

Several audit committee FAQs can help guide practitioners when assessing culture.

mong an organization’s key sheet line item under U.S. generally accepted accounting prin- 10assets, perhaps none is more ciples underscores that effective culture is a bottom-line essen- Avaluable than the culture tial, not a fuzzy nice-to-have. In fact, a business’ culture may that permeates it from top to carry a book value — in the form of goodwill — higher than bottom. In the words of management consultant and author any other asset on the balance sheet. Peter Drucker, “Culture eats strategy for breakfast,” meaning Culture impacts nearly every aspect of an organization, that even a great strategic plan will likely fail if the organiza- including morale, productivity, and achievement of goals, tion’s mindset and workforce don’t align with it. making it an essential area for internal audit to examine. An The word culture, as it applies to organizations, refers to FAQ on culture, assembled from years of questions received the attitudes and workplace behaviors that drive customer and from audit committees and stakeholders, can serve as a employee relations, the quality of goods and services, and prof- primer on the topic and help guide internal auditors plan-

MONKEY BUSINESS IMAGES / SHUTTERSTOCK.COM itability. Recognition of business culture as a legitimate balance ning to conduct a cultural assessment.

50 INTERNAL AUDITOR APRIL 2020 CULTURE

1How is culture formed? Periodic assessments can identify rogue or ineffective manag- An organization’s expressed desire to create an employee- and ers — hopefully before they infl ict any long-term damage. customer-centric, sustainable enterprise represents nothing Many governing bodies, C-suite executives, and audit more than a wish unless actively supported by the incentives, committees recognize culture’s impact on these and other key policies and procedures, and goals established by manage- organizational factors, including productivity, product and ment. Some of the factors that shape a culture for good or service quality, and the retention and attraction of custom- bad include: ers. No company is successful for long by sheer accident and » Employee workloads. happenstance. Long-term success is achieved only by design » Spans of authority. and intent that is translated into the tangibles found in orga- » Management style. nizational culture. » Ethics policies. » Organizational values. » Relevance and frequency of training. » Recruitment and retention practices. What are the vital signs of » Criteria for employee advancement. 3 a healthy culture? » Compensation plans. The defi nition of a healthy culture is the same for both the » Personnel policies, including work-hour fl exibility private and public sectors. Health is measured by the degree and remote-work options. an organization can sustainably retain committed and capa- » Quality controls over products and services. ble employees to provide cost-effective, competitive goods or » Return policies and product warranties. services that are timely and responsive to customers’ needs. A An organization’s culture is impossible to conceal because it sick culture fails in one or more of these critical areas. can be observed almost everywhere. It shows, for example, in Organizational commitment to the integrity of busi- the level of respect and teamwork among staff members and ness processes and true customer-centric services are readily in the physical work environment. Culture is quantifi able apparent, as they permeate every aspect of the opera- through productivity metrics and by examining compliance tion — from responsiveness to requested information and with both the letter and spirit of rules and regulations. More- the usefulness of procedural manuals to workplace civility over, culture is evident in employee turnover rates, and it is and the inclusiveness of staff in decision-making. Nonethe- undeniably refl ected in the organization’s success with retain- less, the presence of these elements does not necessarily ing repeat customers and garnering their recommendations. indicate a healthy or well-functioning organization — many Culture is profoundly important to an organization’s other factors must be considered. well-being and competitive viability. The factors associated As such, auditors have found that below-market com- with a healthy or an unhealthy culture are the same ingredi- pensation, poorly structured workfl ows, unreasonable spans ents that determine the quality of goods and services it pro- of authority, unrealistic production goals, shortcuts that com- duces, which in turn affect its very survival. promise product and service quality, and absent management are among signs of a dysfunctional culture. Avoiding these defi ciencies requires a deliberate commitment from manage- ment — one that reverberates throughout the organization. 2 Why assess culture? Every organization will experience some “sway” or “drift” between its desired state and actual behavior. With that in mind, internal auditors should help gauge whether manage- What does an assessment ment and staff are acting on values the organization purports 4 of culture involve? to uphold. And while all the components of a culture may The typical assessment includes soliciting employees’ opin- support desired attitudes and behaviors at a point in time, ions on the degree the organization lives up to its desired they must be continually assessed for relevance and com- cultural values. This information is usually obtained through petitiveness for each generation of employee and customer. surveys and personal interviews, and through an examina- What’s more, some managers do a better job embracing tion of pertinent policies and procedures — including codes desired values and instilling them among staff than others. of conduct, compensation policies, and promotional criteria.

APRIL 2020 INTERNAL AUDITOR 51 TO COMMENT on this article, 10 QUESTIONS ON CULTURE EMAIL the author at [email protected]

The finished report typically Survey results often show that presents: both the executive level and manage- » The areas assessed. ment believe company policies and » Employee demographics. practices are more closely aligned » The documents, policies, and with the company’s desired val- procedures examined. ues than the employees rank it to » Responses to each survey ques- be. Such insights are essential to stop tion, along with a summary of the “cultural drift” that typically written comments consolidated occurs over time. into common categories. » A blank copy of the survey questionnaire. Survey reports also frequently include Will management recommendations to address any short- get to preview the 6questions and provide comings noted. Most assessments are completed within two months. a response? Cultural assessments should be a col- laborative effort that involves man- agement and staff throughout the Will the assessors engagement. Both perspectives are 5 rank the culture’s critical in identifying the questions various components? to be asked of survey participants. To The typical assessment scales comments succeed, assessments must receive buy- provided in an interview or survey. in from everyone involved, which Most often, respondents are asked to may involve obtaining their perspec- rank their opinion along a continuum tives in a written response attached to between “strongly disagree” and the report. “strongly agree,” or through a similar rating system. Questions regarding the status of an organization’s or subunit’s culture How can auditors are typically grouped into five or more 7prevent assessments major categories that address values from devolving into a that the board views as its desired complaint session? corporate identity or personality. Culture assessments typically are These can include innovation, leader- designed to avoid being hijacked by a ship, vision and purpose, collabora- small minority of disgruntled employ- tion, customer focus, governance ees. Internal auditors should survey and accountability, organizational a large population that includes a functionality, adaptability and flex- representative cross-section of posi- Q ibility, and employee relations. Results tions, salary ranges, operating units, commonly present the number of ages, and experience levels, as well as respondents for each of the rankings both new and veteran employees. All on the scale, as well as an overall aver- respondents should provide demo- age for each question and category. graphic information, kept anonymous Survey instruments that enable the by the assessors, via a dedicated reader to gauge the rankings by level section in the survey instrument. of employee, length of service, and Obtaining this information helps gender can be helpful in addressing management better assess the validity of training, staffing, and funding needs. the responses.

52 INTERNAL AUDITOR APRIL 2020 58% of employees and job seekers say company culture is more important than salary when it comes to job satisfaction, according to a 2019 global survey by Glassdoor.

Can fiscal, compliance, areas throughout the organization, control, and auditors can regularly observe how 8performance audits be the tone at the top impacts employ- considered audits of ees and the extent to which it shapes culture? desired behavior. This experience All audits are increasingly viewed as a gives auditors multiple and varied cultural assessment, but only within reference points for comparing best the narrow bandwidth of the audit’s practices, attitudes, and expectations scope. Many managers and auditors that mold a culture for good or bad. view reports from these audits as an It also helps them offer cost-effective, implicit assessment of attitudes and practical recommendations. commitment toward assigned duties in Additionally, auditors are typically light of the organization’s values and well-trained and experienced in assem- mission. When performing reviews, bling evidence and information that auditors may also survey and interview supports sound, defensible conclusions. employees from the audited activity as And they are often granted unrestricted a means of determining whether preva- access to all personnel, books, and lent attitudes and behaviors reflect the records, as well as cooperation from desired culture. all affected parties, which removes the typical organizational turf battles and privacy concerns that can thwart other professionals seeking to conduct this Should the hotline type of assessment. 9 or whistleblower program be assessed? GETTING CULTURE RIGHT Whether or not an organization sup- Every organization has a culture that ports and protects those who speak up affects its daily operations, influenc- when they see suspected misconduct ing nearly every decision and impact- is a critical reflection of its tone at the ing virtually all employees. Periodic top. The support and funding for a reviews of the culture have proven to hotline program, as well as its place- foster employee trust and help keep ment in the organizational hierarchy, organizations healthy and strong by sends a signal to employees about the alerting management to any drift board and CEO’s commitment to from desired cultural values. When an ensuring integrity in every aspect of organization gets culture right, it can the business. Internal auditors should make the difference between just sur- conduct periodic assessments to gauge viving in the marketplace and thriving employees’ perceptions regarding the as an industry leader. hotline program’s value and effective- ness to ensure it continues to promote PETER HUGHES, PHD, CIA, CPA, CFE, and support integrity in the workplace. is the assistant auditor–controller–chief audit executive for Los Angeles County. ROBERT CAMPBELL, CIA, CFE, is the division chief of the Los Angeles County Why are internal Office of County Investigation. auditors well- JOHN LERIAS, CPA, is the managing 10suited to assess culture? partner of GYP in Ontario,A Calif. Internal auditors are typically well- KEN PUN, CPA, managing partner for regarded and trusted as impartial and The Pun Group in Newport Beach, Calif., objective. Given their exposure to contributed to this article.

APRIL 2020 INTERNAL AUDITOR 53 PHOTOS: PATHDOC / SHUTTERSTOCK.COM Auditing Knowledge Management

Israel Sadu

54 INTERNAL AUDITOR APRIL 2020 KNOWLEDGE ASSETS

Knowledge assets’ increased value and contribution to business objectives obliges internal auditors to focus on how they’re safeguarded.

echnological advances are transforming the nature and importance of the orga- nization’s knowledge assets — intellectual property, software, data, technologi- Tcal expertise, organizational know-how, and other intellectual resources. The value of the global knowledge management market was around $2 billion in 2016 and is expected to exceed $1.2 trillion by 2025, according to Zion Market Research. At this worth, organizations should want to know if their knowledge assets are safeguarded. Knowledge assets are vulnerable to loss and can be compromised by internal and external sources. In a 2018 study from the Ponemon Institute and Kilpatrick Townsend & Stockton, 82% of respondents acknowledged that their companies very likely failed to detect a breach involving knowledge assets, up from 74% in 2016. Often, audit of knowledge assets is limited to assessing risks, controls, and value derived from the technologies used in their processing (knowledge flow) and

APRIL 2020 INTERNAL AUDITOR 55 TO COMMENT on this article, AUDITING KNOWLEDGE MANAGEMENT EMAIL the author at [email protected]

and the digital records maintained that tends to be a high-risk activity for focus on effective document manage- most organizations. Risks to knowl- ment. This is only a part of knowledge edge assets are any loss that may management auditing in the true sense. decrease the potential to effectively It does not get to the core issues of the pursue an organization’s business effectiveness of their protection, how objectives. Key risk indicators in a they promote business objectives, and typical knowledge-based organization the new opportunities they exploit. include uncertainties about critical What has been missing is a struc- knowledge needs, potential business tured approach to assess the interplay opportunities lost in their absence, between strategic and operational risks and their impact on business objec- and controls in enterprisewide knowl- tives. Other indicators may be process edge assets management. Unfortunately, related, such as multiple repositories there are no comprehensive professional of information in IT-based systems such as an intranet, collaboration plat- form, or emails that are not integrated. These indicators can lead to wasted Auditors must reorient their resources and inefficiencies and weak- methodologies and practices to nesses in access restrictions to intellec- tual property. recognize the role of knowledge assets Attrition is a common risk involv- in achieving business objectives. ing significant replacement costs that

guidelines to assess the adequacy of can destabilize even the most successful risks confronting knowledge assets, par- and steady organizations. It is estimated ticularly living knowledge assets held that the average cost of turnover is by individuals. Internal auditors must 1.5 times the annual salary of the job. adapt to the evolving risk landscape in Internal auditors also should be vigilant knowledge management by reorienting about risks specific to tacit knowledge their methodologies and practices to assets management, which include a recognize the role of knowledge assets high tacit-to-explicit knowledge ratio, in achieving business objectives. high staff turnover, a high percentage of core knowledge held by people nearing LOOK FOR RISK INDICATORS retirement, and high market demand With disruptive technologies at the for key personnel. It is likely in such forefront, knowledge management cases that these assets will be lost.

56 INTERNAL AUDITOR APRIL 2020 The passing on of tacit knowledge could be impeded by the communication skills gap of many Gen Z professionals, according to Deloitte Insights’ Generation Z Enters the Workforce.

to support the provision of public EXPLICIT AND TACIT KNOWLEDGE COMPARISON services such as water, transportation, here are two types of knowledge defined in business. The first, and healthcare. There may not be well- explicit knowledge, is easy to codify, store, and share. It includes defined standards and methodologies Ttextbooks, journals, white papers, patents, literature, audio-visual for estimating the social, economic, and media, software, and database access. The second, tacit knowledge, financial value derived from the assets comes from personal experience and is not easily replicable or transfer- as they don’t have market-determined rable, such as know-how, methodologies, training algorithms, and profes- equity value. sional skepticism. Within tacit knowledge, there are two dimensions: technical and ASSESS OPERATIONAL RISKS cognitive. The highly subjective and personal insights, intuitions, and Employees spend almost one-fourth of inspirations derived from an individual’s experience fall under the first their time searching for information, category. The second category consists of beliefs, perceptions, values, according to a survey from The Econo- and emotions ingrained in individuals over years. Some argue that tacit mist Intelligence Unit. Unclear data knowledge accounts for about 80% to 90% of the knowledge held in a definitions, ineffective data governance, typical organization. Knowledge assets are created at the intersection of, and poor search engine performance and interaction between, explicit and tacit knowledge. lead to barriers requiring analysts and developers to resolve them. The root cause of most operational risks in managing knowledge assets is lack of ASSESS STRATEGIC RISKS paying attention to the risks of loss of alignment between the strategy and the Strategy-related risks in knowledge knowledge when core capabilities are processes built around it. management typically include the outsourced. The instances of high staff To start, internal auditors should absence of, or a weak, knowledge man- turnover and poor knowledge retention review the accuracy and reliability of agement strategy; lack of involvement among outsourced providers could ham- the knowledge assets inventory and from senior management in knowledge per service quality, involving potential the core processes they support, and management activities; and lack of legal risks. the responsibilities of the people who alignment between key processes and A robust knowledge management manage them. The review results will knowledge assets in place. strategy should focus on capturing help identify weaknesses in data gover- If knowledge is a key driver for the knowledge assets that are critical to suc- nance — such as data silos where data business or is one of the main products cess and that underpin performance to is divided across various databases and of the business entity audited, such as a create growth and a competitive advan- divisions accentuating memory loss and consulting firm or an educational insti- tage. Are there sound human resources poor internal coordination of informa- tute, internal auditors should ask: policies and succession planning strate- tion. The starting point for the review E What is the critical knowledge at gies for mentor and peer support before, is identifying and using performance risk and who determines it? during, and after key staff with the best criteria for key activities approved by E What are the core activities? situational awareness leave the organi- management. While doing so, internal E How does information flow zation? Are there processes to capture auditors must be able to determine how through those activities? results of lessons-learned exercises, par- the key activities are aligned with key E Is there a knowledge manage- ticularly with lawyers, consultants, and stages of knowledge management in ment strategy? accountants’ knowledge and experience the organization, such as needs identi- Next, internal auditors should remap that is incorporated into organizational fication; acquisition; storage, retrieval, the business’ critical processes to iden- knowledge and change processes? The and dissemination; archiving; and tify what information is needed to run knowledge lost in such cases could be performance management. If they do them. If these needs are not being met, costly to replace and may require inten- not align, that is a strong indicator that they should determine who needs the sive corrective training or retraining. these assets are not generating a tan- missing knowledge. Practitioners should In public sector audits, practi- gible return. review the enterprisewide risk register tioners should pay attention to the Intellectual property in the form of to assess whether knowledge man- procedures followed for valuation of formulae, practices, processes, designs, agement-related risks are recognized, investments in knowledge assets used instruments, patterns, commercial

APRIL 2020 INTERNAL AUDITOR 57 “My CIA proves I am committed to providing value to my organization.”

Emiko Tai, CIA, CCSA Japan CIA Since 2003

CIA Proves Credibility and Proficiency. Get started today at www.theiia.org/CIA. An organization of 1,000 knowledge workers wastes $5.7 million annually by searching for but not finding information, estimates International Data Corp.

methods, or compilations of informa- tion can be subject to loss or compro- mised by internal or external sources. Internal auditors should assess that the owners of the intellectual property assets have appropriate controls to prevent cyberattacks that could lead to infringe- ments and inappropriate access.

INTERNAL AUDIT’S STRATEGY Auditing knowledge assets requires specific strategies and skills. Each orga- nization’s knowledge needs are unique. As internal audit leaders prepare their audit plans beyond 2020, they should have a multipronged strategy to audit Identify and map their clients’ knowledge assets from a value-for-money perspective: the knowledge E Retain the best internal audit tal- ent through valuing and investing held in the audit in the tacit knowledge asset held in the internal audit function. processes used in tacit knowledge department to E Develop and maintain a risk-based assets management. audit universe of clients’ business E Review the adequacy of audit capture and operations with significant invest- programs used for knowledge ments in knowledge assets. This management audits. Strengthen use the tacit should provide a basis for identi- them by focusing on strategic and knowledge held, fying areas of audit engagement operational aspects of the pro- related to knowledge management. cesses in place to highlight risks of particularly E Identify and map the knowledge inefficient use of knowledge assets. held in the audit department to E Focus on the value-for-money related to capture and use the tacit knowl- aspect of the engagement. Do not edge held, particularly related to get distracted by the technologies complex audit complex audit engagements. This and processes used to manage information could be used to knowledge assets, particularly in engagements. develop an appropriate knowledge engagements involving significant management strategy and system investments in them. to facilitate collaboration within business performance, knowledge assets the audit team. CLOSING THE GAP are not traditionally audited with a E Empower audit teams to recog- The five most valuable companies focus on how organizations safeguard nize the strategic importance of in the world report just £172 billion them to retain their competitive posi- knowledge assets to the business. ($223.2 billion) of tangible assets on tion and how they contribute to busi- This will allow them to provide their balance sheets, though their total ness performance. As key partners in assurance on legal, commercial, worth is £3.5 trillion ($454.2 billion). the assurance process, internal auditors technical, social, and financial Almost all of their value is in the form can take a strategic approach to bridge aspects of the knowledge assets of intangible assets, including intel- this gap and maximize its influence. and the relevant risk indicators. lectual property, data, and other knowl- For example, develop a bank of edge assets, according to a 2018 budget ISRAEL SADU, PHD, CIA, CRMA, CISA, risk indicators — quantitative and report from Her Majesty’s Treasury in is an auditor with an international organi- qualitative — for assessing the the U.K. Despite their critical role in zation in Geneva.

APRIL 2020 INTERNAL AUDITOR 59 Board Perspectives

BY MATT KELLY

CAMs AND THE AUDIT REPORT: BRACE FOR IMPACT Internal audit can help assure a smooth approach for critical audit matters.

nternal and external audit CAMs, starting with compa- Tremblay’s observation teams alike have entered nies whose fiscal years ended gets at a subtle but impor- a brave new world in the on or after June 30, 2019. All tant point: what the word Ilast year or so, as criti- other companies will imple- “critical” really means here. cal audit matters (CAMs) ment CAMs starting at the It does not mean that some arrived as items to be end of this year. accounting process is deeply included in the external One school of thought amiss, like a patient in the auditor’s report. Now comes is that despite all the angst critical care unit. It only a crucial question: Will that surrounded the devel- means that the accounting BRIAN TREMBLAY CAMs be an asteroid that opment of CAM require- issue is important, in the slams into the annual audit ments in the 2010s, the way that a solid foundation process — or just a meteor inclusion of CAMs in the is critical to a whole house. shower that breaks up in the audit report won’t do much Now, can that founda- atmosphere? more than memorialize the tion be a rickety mess that CAMs are disclosures same conversations that threatens the whole struc- audit firms make in their audit firms and internal ture? Sure. So conversations audit report, to tell investors audit functions have had for ensue about how to repair what the audit firm deems years. But will the process the foundation as necessary. the most important account- to reach those decisions be Conversations with audit JAN BABIAK ing issues at the company. substantively different? firms about significant defi- CAMs involve line items “No, not at all,” says ciencies or material weak- material to the business, and Brian Tremblay, until nesses are no different. typically their issues will fall recently the head of internal “If we were not into one of two categories. audit at Acacia Communi- discussing those things Either the CAM will have cations in suburban Boston. before, we would have been weak controls that need Critical audit matters, he incompetent in our jobs,” attention; or it will be an says, are simply where audit says Jan Babiak, chair of item that involves subjec- firms devote most of their the audit committee at MANU VARGHESE tive, complex judgment no time and attention dur- Walgreens Boots Alliance. matter how good or bad the ing the audit. That won’t She has served on boards controls are. change just because those where CAMs have come So far, only large acceler- issues are now written into into force both in North ated filers have implemented the audit report. America and Europe, and READ MORE ON STAKEHOLDER RELATIONS visit InternalAuditor.org

60 INTERNAL AUDITOR APRIL 2020 TO COMMENT on this article, EMAIL the author at [email protected]

says the experience should not catch anyone — audit com- of the first companies disclosing CAMs, the most common mittee, management, or audit firm — by surprise. subjects were goodwill impairment, tax contingencies, and Babiak gave the example of the corporate tax cut enacted revenue recognition. by Congress in 2017. Audit committees were discussing the Those CAMs are not necessarily bad; they’re simply implications of that tax cut with management and auditors important to the financial statements, even if management is before the legislation was even final, let alone enacted. “By rock-solid confident in its judgment about them. “There are the time you get to something being in the opinion, it’s really things that exist in every auditor’s file regardless of the ‘real’ old news — if you’re competent in what you do.” risk,” Tremblay says. “Those things are just there because OK, so successful implementation of CAMs depends they’re judgments and estimates, and that’s the lay of the land.” on clear communication with the audit firm about difficult Varghese puts an even more philosophical spin on such accounting issues. What should that look like for the legions of CAMs. “We need to understand the risk and ask, ‘Can we companies adopting CAMs for the first time this year? live with it?’” he says. “If it’s wrong, we fix it. But if it’s just complex — I can live with complex.” The Contours of CAMs One critical step will be a well-defined process to handle Whither the Audit Committee significant control deficiencies. A significant deficiency is not A fair question to ask at this juncture is exactly what the automatically a CAM unto itself — although it can be, or it audit committee’s role should be in CAMs. For example, the can make a CAM much more likely. So resolving significant U.S. Securities and Exchange Commission (SEC) published deficiencies in a consistent, productive way is crucial. a statement in December encouraging audit committees “to Manu Varghese, chief audit executive of Hira Indus- engage in a substantive dialogue with the auditor” about tries in Dubai and previously controller at a Big Three U.S. CAMs and how the external auditor planned to describe automaker as it adopted CAMs, used a materiality threshold them. That’s fine advice, but really the SEC is just advising to grade the severity of control deficiencies. Anything that audit committees to maintain good diplomatic relations with would affect the income statement by less than $3 million their auditor. was minor; any effect from $3 million to $10 million was The Public Company Accounting Oversight Board major. Any deficiency that had an effect of more than $10 (PCAOB) spent much of 2019 interviewing audit commit- million was classified as a significant deficiency, or a CAM, tee chairs, and it found that most chairs already are satisfied “and then management would have to fix it immediately.” with the relationship they have with their audit firms. It’s not In Varghese’s case, “immediately” was within six months. like audit committee chairs are straining to dump their audit The internal audit team created an action plan with manage- firms or encouraging investors to deride the audit report at ment, which was presented to the external auditor and then the annual shareholder meeting. to the audit committee. One could argue that all the SEC and PCAOB attention What internal audit teams don’t want are disputes about to audit committees is a charm offensive intended to escort significant deficiencies unfolding in front of the audit commit- board directors past this truth: The audit firm decides what tee. “If that happens, you’re doing it wrong,” Tremblay says. a CAM is — not management, not the audit committee. To Then again, that’s always been the case: Internal a certain extent, audit committees are bystanders here. Sure, audit, management, and the external auditor should have they’re bystanders who can protest loudly if CAMs start com- a method to resolve tensions about internal control issues plicating the message that the board and management want before going in front of the audit committee. So to that to convey to investors. They are still relatively powerless to extent, CAMs won’t cause any Big Bang change in how stop an audit firm determined to call an issue a CAM. financial audits get done. So the more internal audit and management can work There’s another type of critical audit matter, too. At with the audit firm to ensure a smooth, consensus-driven least some CAMs will exist simply because they are mate- process to handle CAMs, the better. And let’s remember, rial to the financial statement and involve, as the audit ultimately CAMs are there to help the investor under- standard says, “especially challenging, subjective, or com- stand the risks of the company. plex auditor judgment” — even without any significant “Sometimes people fall asleep reading [audit reports],” control deficiency. Varghese quips. “The CAMs section will probably help focus That would be something like assessment of goodwill, the attention of the reader, and that’s great.” contingencies for uncertain tax positions, or reserves for war- ranties. And sure enough, according to preliminary research MATT KELLY is editor and CEO of Radical Compliance in Boston.

APRIL 2020 INTERNAL AUDITOR 61 YOUR AD HERE

Put your message in front of your market with targeted print, online, and digital advertising packages as unique as our 80,000 subscribers in 59 countries.

Contact +1-407-937-1388 or [email protected] for details. InternalAuditor.org/Advertise

2019-1723 Insights/The Mind of Jacka TO COMMENT on this article, EMAIL the author at [email protected]

BY J. MICHAEL JACKA

THREE RULES TO AUDIT BY

Practitioners uccess as an internal and align our objectives are doing — you cannot should keep in audit professional with those needs. Through do your best work. In fact, mind these key starts with under- that alignment, we need to you probably can’t even do standing the basics: ensure everyone is work- good work. Not every min- recommendations S risk, controls, planning, ing toward the same suc- ute must be rainbows and for audit success. testing, interviewing, docu- cesses. And an important unicorns. But every task, mentation, reporting, etc. corollary: If we do not care project, and opportunity It also requires soft skills about our product, organi- should contain at least a such as communication, zation, or department, then glimmer of possibilities, business acumen, critical we will fail. How is the cli- of excitement — of fun. If thinking, and emotional ent supposed to care when we cannot do that, it does intelligence. But for the we don’t? not make us bad people, internal auditor who is but it probably makes us looking to provide real Be a Marketer. Every inter- bad auditors. added value and make a nal auditor is in marketing. positive impact, those are We are selling the audit, the And one final note — these only table stakes — the bare issues, the report, the need recommendations are minimum for getting into for time with us, the value for every single internal the game without being of our department, and auditor, from those crack- ignored, dismissed, or ourselves. Everything we do ing open their first audit pigeon-holed as the kind must include a focus on how program to those who of auditor no one wants we promote our services, the remember working with to know. profession, the department, cuneiform characters on Any internal auditor and us, the professional clay tablets. We need to who wants to be a part of a internal auditors. know them when we’re successful audit future — as first starting out, and we well as the future of his or Have Fun. Enjoying the need to be reminded of her organization — would work should be our No. 1 them every day we work do well to follow three priority. I have seen too in the profession. We are rules, listed in reverse order many internal audi- at our best when we care, of importance. tors — skilled, talented, when we market, and when effective internal audi- we have fun. Make Them Care. We tors — who fail because often believe the value of they have lost their internal J. MICHAEL JACKA, CIA, our work is self-evident. audit joie de vivre (or per- CPCU, CFE, CPA, is That does not mean our haps it’s joie de l’audit). cofounder and chief creative clients understand or agree. If you are not having pilot for Flying Pig Audit, It is our responsibility to fun — if you cannot be Consulting, and Training learn what they care about excited about what you Services in Phoenix. READ MIKE JACKA’S BLOG visit InternalAuditor.org/mike-jacka

APRIL 2020 INTERNAL AUDITOR 63 Eye on Business

CLOUD CONTROL Cloud computing services are an attractive option, but they come with a multitude of risk and compliance challenges.

Why is it important to security, reliability, agility, and organizations typically per- have an inventory of all compliance of their clouds. form due diligence when cloud solutions in use? choosing a provider, the eval- FURR An inventory of How often should internal uation often does not address all cloud solutions in use audit evaluate solutions? how the platform and within the organization is a LOVELL Audit frequency individual services develop critical foundational step in should be based on risk. In a and are monitored and establishing a cloud risk and mature organization, internal managed over time. Orga- governance program. The audit should focus on major nizations should perform a inventory can be a useful cloud projects and migra- cloud computing assessment tool for understanding the tions, with governance-type before completing an audit. aggregate level of risk to the audits occurring periodically Performing an assessment CARRIE FURR organization by identifying after the first annual cycle. For first enables internal audit Director, Technology the data and the number and an organization just embrac- to build relationships and Risk Consulting RSM US LLP types of cloud computing ing the cloud, internal audit’s educate stakeholders on the technologies being used. The governance-related reviews policies, procedures, and inventory also can be used should occur more often. For controls necessary to mitigate to manage regular reviews of organizations with multiple cloud computing risks. Audit cloud computing solutions to significant applications in the frequency depends on the reduce risk and ensure ongo- cloud, I would expect some maturity level, complexity, ing compliance. aspect of cloud is covered and use of cloud solutions. LOVELL Having a complete every year, via project audits, As the maturity level of the inventory is the first step in application audits, integrated cloud risk and governance managing the cloud control audits of functions that use program increases, evaluation ERIC LOVELL Practice Director, environment. Armed with cloud services, infrastructure frequency can be reduced but IT Internal Audit this information, organiza- audits, and those focused on should be annual until then. Solutions tions can better understand cybersecurity. Importantly, PwC the risks associated with their the cloud should be audited How can internal audit cloud services; drive clarity where it supports critical busi- gain assurance around regarding roles and respon- ness activities that also are cloud solutions? sibilities between vendor under audit. FURR The first step is to and customer; and validate FURR Cloud solutions understand the maturity that controls are in place for evolve quickly, and while level of the organization’s READ MORE ON TODAY’S BUSINESS ISSUES follow us on Twitter @TheIIA

64 INTERNAL AUDITOR APRIL 2020 TO COMMENT on this article, EMAIL the author at [email protected]

A FOCUS ON CONTROLS here are several general policies and controls across the enterprise, meet business requirements, organizations can implement in regard to provide a return on investment, and are within the Tcloud solutions. At a minimum, RSM’s Carrie company’s risk tolerance. Furr says, cloud computing requires policies, proce- 2. Solution development. Whether it’s an in-house dures, and controls around high-risk cloud controls development team using a DevOps approach to domains, as defined by the Cloud Security Alliance deploy and manage applications in cloud infrastruc- Cloud Controls Matrix: ture, or taking advantage of the many enterprise class » Data security and information life-cycle man- applications provided as a service, specialists should agement. be involved throughout to make sure adequate con- » Encryption and key management. trols are in place for the production environment. » Identity and virtualization. 3. Training and awareness. Both end users and tech- » Interoperability and portability. nologists need to be trained on the cloud and how » Supply chain management, transparency, and to leverage those services to the advantage of the accountability. organization while managing risk. In addition, PwC’s Eric Lovell offers four foundational 4. Controls related to inventory management. Orga- areas of focus: nizations need an accurate inventory of all cloud 1. Controls related to strategy and governance. Orga- services along with sufficient information about nizations must determine when and how they move each to make informed risk-based decisions. And, to the cloud, and should develop an architectural ref- organizations need to control the use of unauthor- erence model to help ensure decisions are consistent ized cloud services.

cloud risk and governance model. Next is understand- What are some tips for determining whether the audit ing the current aggregate cloud computing environment. function is capable of assessing cloud solutions? The final step is understanding the plan to expand cloud- LOVELL The collective team must understand the tech- computing solutions. By understanding these three compo- nology as well as the business. Look at the current IT nents, internal audit can better identify and help manage audit plan. If the last three years have seen significant and monitor the cloud environment. It should ensure the coverage of IT infrastructure, cybersecurity, and IT con- organization is building its cloud strategy with compliance trols that touch application life-cycle management pro- and risk in mind. The organization should follow a holistic, cesses, you likely have in-house staff who can learn and robust cloud standard. cover basic cloud governance, security, and operations- LOVELL First, internal audit should test key controls related cloud audits for medium-risk cloud services. related to the procurement and deployment of new cloud However, for any cloud services that support critical services. Validate that decisions to move a service into the business processes or house sensitive data or regulatory cloud are based on an established architecture and informa- compliance-related services or data, supplement audits tion security standards to which all parties have committed. with subject-matter specialists. Conversely, if the audit Also, validate that standard terms and conditions, as well as plan has historically been focused on IT general controls service-level agreements, are in line with corporate policy. or application controls, seek outside assistance in general Second, internal audit should audit the vendor manage- for cloud-related engagements. ment program. Vendor monitoring should be based on risk FURR At my company, we frequently work in partnership and could include review of third-party trust reports, con- with internal audit resources and other key stakeholders to trol questionnaires, and on-site visits. Third, internal audit “teach them to fish.” Most internal audit teams have little should test controls to identify and limit unauthorized to no cloud computing experience in identifying and man- cloud services. Finally, internal audit should get involved in aging cloud risk and compliance challenges. This model cloud projects and validate controls are in place to ensure allows experienced advisors to train their staffs during ini- the security, compliance, agility, and reliability of the orga- tial assessments/audits, so they can conduct future cloud nization’s clouds. computing assessments and audits.

APRIL 2020 INTERNAL AUDITOR 65 Relevant. Reliable. Responsive.

As the award-winning, multi-platform, always-available resource for internal auditors everywhere, Internal Auditor provides insightful content, optimized functionality, and interactive connections to sharpen your focus. Print | Online | Mobile | Social

+GET it all InternalAuditor.org

2017-0409 IIA Calendar

NOV. 2–4 JUNE 1–12 JUNE 23–26 IIA All Star Conference CIA Exam Preparation — Multiple Courses CONFERENCES MGM Grand Part 1: Essentials of Philadelphia Las Vegas Internal Auditing www.theiia.org/ Online JUNE 23–26 conferences IIA Tools & Techniques I: JUNE 2–5 New Internal Auditor JULY 20–22 TRAINING Multiple Courses Boise, ID International Conference www.theiia.org/training San Francisco Miami Beach Convention JULY 7–10 Center JUNE 2–11 Multiple Courses Miami Critical Thinking in the Denver MAY 12–15 Audit Process AUG. 17–19 Multiple Courses Online JULY 7–16 Governance, Risk & Minneapolis Audit Report Writing Control Conference JUNE 9–12 Online JW Marriott Austin MAY 12–15 Multiple Courses Austin, TX Multiple Courses Houston JULY 13–22 Washington, DC Cybersecurity Auditing SEPT. 11–13 JUNE 15–26 in an Unsecure World IIA Canada National MAY 18–20 CIA Exam Preparation — Online Conference IT General Controls Part 3: Business TELUS Convention Centre Online Knowledge for Internal JULY 14–22 Calgary, Alberta Auditing Multiple Courses MAY 19–22 Online Lake Mary, FL SEPT. 14–15 Multiple Courses Financial Services Chicago JUNE 16–19 JULY 14–23 Exchange Multiple Courses Root Cause Analysis for Omni Shoreham MAY 19–28 Orlando, FL Internal Auditors Washington, DC Fundamentals of Risk- Online based Auditing JUNE 23–25 SEPT. 16–17 Online IT General Controls Women in Internal Audit Online Leadership MAY 27 Omni Shoreham Fundamentals of Internal

R Washington, DC Auditing Online SHUTTE / PIXEL.COM / SHUTTE WPIXEL.COM A A / Y N THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events PHOTO: RAWPIXEL.COM / SHUTTERSTOCK.COM

APRIL 2020 INTERNAL AUDITOR 67 Insights/In My Opinion TO COMMENT on this article, EMAIL the author at [email protected]

BY AYSHA AL SHAMSI

DIVIDED BOARD LOYALTIES

Internal audit n organization’s possibility of ethical lapses pressure to increase profits, independence can board of directors and other wrongdoing. potentially at the expense of suffer when board is essential to good Of course, effective following regulations or com- governance. It can oversight — and internal pany policies. And if internal directors’ priorities A provide an independent, audit — requires a quali- audit’s reporting might nega- are split in two. authoritative voice on key fied audit committee. In tively impact those priorities, decision-making, help guide part, the committee should then the risk of its findings strategic thinking, and con- help ensure that internal being discarded or ignored tribute to organizational auditing is not influenced are heightened. That risk is integrity. But lack of true by top management. And further exacerbated with audit independence can dampen according to IIA Standard committee members also that support. Board priorities 1110, internal audit achieves serving on the full board, as may teeter between what’s organizational independence they may be more inclined to good for the organization effectively “when the chief agree with boards or execu- and what executive manage- audit executive reports func- tives who deprioritize the ment or shareholders would tionally to the board.” But need for effective governance. prefer, which often may be at given its positioning as a Still, many organiza- odds. Divided board loyalties sub-unit of the board, and tions — particularly in the can be detrimental to orga- the board’s responsibility for public sector — do not have nizational governance, and appointing audit committee audit committees or the particularly to the internal members, the committee equivalent of a board-level audit function. may still show allegiance to presence. Oversight struc- In a worst-case scenario, executive priorities — even tures that include a board the board of directors may when they conflict with and audit committee, while try to influence internal effective governance prac- flawed, at least provide a mea- auditors’ activity indirectly tices. If the board’s support of sure of governance assurance or steer policies to best internal auditing is weak, the and support for internal audit match shareholders’ inter- audit committee’s support, in independence. But auditors ests, resulting in a loss or turn, may also fall short. need to be aware that the weakening of internal audit Boards of directors potential for divided board value and independence. focused exclusively on share- loyalties is a risk in nearly Moreover, because the orga- holder interests, emphasizing every organization, and the nization’s top management share price and profit genera- possibility of compromised answers to the board, inter- tion, may believe their only oversight is a very real one. nal audit’s independence responsibility is to increase could be further impaired in the organization’s value. In AYSHA AL SHAMSI is an situations where the CEO fact, with today’s hyper-com- internal auditor at Ajman also serves as a board mem- petitive global market, com- Tourism Department in the ber. It also introduces the panies face more and more United Arab Emirates. READ MORE OPINIONS ON THE PROFESSION visit our Voices section at InternalAuditor.org

68 INTERNAL AUDITOR APRIL 2020 Specialty Audit Centers Now Included With Membership

Your IIA membership now includes full access to our Specialty Audit Center resources at no additional cost. Discover a vast network of industry-specific content you can’t find anywhere else, created and aggregated to keep you influential, impactful, and indispensable.

Learn more. www.theiia.org/SpecialtyCenters