OCTOBER 2019 INTERNAL AUDITOR 7 Reader Forum WE WANT TOHEAR from YOU! Let Us Know What You Think of This Issue

OCTOBER 2019 A PUBLICATION O F THE IIA

The Effect of Cognitive Biases on Professional Skepticism The Weakest Links in S upply Chains Six Myths of Business Ethics Governing S ocial Media

EMERGING LEADERS These professionals are eager to expand internal audit’s 2019 influence into new areas of collaboration with leadership. TeamMate Leading Audit Evolution

New OnDemand Demos

TeamMate+ Audit Get a comprehensive look at the latest version of TeamMate+ Audit, its most powerful benefits, and see how TeamMate is leading audit evolution.

TeamMate+ for Combined Assurance Experience TeamMate+ first hand and see how it drives the critical coordination between your lines of defense.

TeamMate+ for Strategic Audit Planning Watch how TeamMate+ can help elevate the audit function and its value to key stakeholders.

and more...

View a Demo today at TeamMateSolutions.com/Demo

In this significantly restructured version, Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value, 7th Edition, 10 internal audit thought leaders tackle the challenges of defining what it takes to fulfill internal audit’s mission of enhancing and protecting organization value. In short, Sawyer’s is universally considered the single most important resource to help internal auditors of all levels and sectors think critically about changes in the environment and business landscape, as well as the evolution of the audit plan and services that internal audit must develop and deliver. Sawyer’s is critical to delivering the mission of internal audit.

ThiOrdernkToday!critically, then fulfill yourmission. OrderToday! www.theiia.org/Sawyers “MyCIAproves I am committed to providing value to myorganization.”

Emiko Tai, CIA, CCSA Japan CIA Since 2003

CIA Proves Credibility and Proficiency. Get started today at www.theiia.org/CIA. OCTOBER 2019 VOLUME LXXVI: V

F E A T U R E S

22 COVER Emerging Leaders 2019 This year’s honorees are driving change in their audit functions and setting an example for the profession. BY RUSSELL A. JACKSON 35 The Auditor’s Mindset Critical informa- 46 6 Myths of Business Ethics Internal tion may be missed in audit interviews when auditors should examine several “tacit truths” cognitive biases affect professional skepticism. that often hinder organizational ethics. BY CHIH-CHEN LEE, MARK RILEY, AND REBECCA BY MATEJ DRAŠ EK TOPPE SHORTRIDGE 50 Social Media Governance Internal audit 40 The Risks in Supply Chains A supply can make an impact by looking at how the chain is only as strong as the business with the board, executives, and three lines of defense weakest controls. BY ARTHUR PIPER address social initiatives. BY J. MICHAEL JACKA AND PETER R. SCOTT

DOWNLOAD the Ia app on the App Store and on Google Play!

FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org How do you turn trust to your competitive advantage? . e Non ed. ED v er es R s ht ig R l Al ed. t Limi YGM E 201 9 © OCTOBER 2019 VOLUME LXXVI: V

D E P A R T M E N T S

PRACTICES 20 Fraud Findings An employee exploits his knowledge 10 Update TheBusiness of a legacysystem. Roundtablereleases Statement on the Purposeof aCorpora- INSIGHTS tion; CISOsforeseeincreased hacking; andNISTreleasesplan 56 Board Perspectives for developing AI. Growing case law affirms board liability. 14 Back to Basics There are three key communication 59 The Mind of Jacka skills for new senior auditors Auditorsoften forget two rules to master. pertaining to successmeasures.

7 Editor’s Note 16 ITAudit Internal audit 60 Eye on Business Two past processesneed to transform Emerging Leaders share lessons 8 Reader Forum with the organization. for career advancement.

63 Calendar 18 Risk Watch Auditorscan 64 In My Opinion Isinternal help their organizations con- audit really underperforming? front climate change risks.

O N L I N E InternalAuditor.org Auditing With Grit Persis- The Business of Ethical tence, courage, and character AI Research finds that most are key differentiatorsfor employers aren’t concerned achievingsuccess. Do you about artificial intelligence have what it takesto be a (AI) ethics and haven’t created gritty internal auditor? policies for ethical useof AI.

Emerging With Insight In Protecting the Protec- our latest video series, some tors Military personnel are of this year’sEmerging Lead- a prime target for identity ersshareimportant lessons thieves, so military organiza- N from their careersand offer tions need to restrict access

JULIA advice for those just entering to service members’ personal : the audit profession. information. / W

SHUTTERSTOCK.COM Internal Auditor ISSN 0020-5745 is published in February, April, June, August,October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations. Editorial / and advertising office: 1035 Greenwood Blvd., Suite 401, LakeMary, FL, 32746, U.S.A. Copyright ©2019 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer Service, +1-407- N 937-1111. Periodicals postage paid in LakeMary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, LakeMary, FL, 32746, U.S.A. CANADA POSTINTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinionsexpressed in Internal Auditor may differ frompolicies andofficial statementsof The Institute of Internal Auditors and ANASTASIIA_NE

: its committees andfromopinionsendorsedby authors’ employers or the editor of this journal. Internal Auditor doesnot attest to the originality of authors’ content. TOP ISTOCKPHOTO.COM, BOTTOM WISKEMAN Trust Your Quality to the Experts Leverage an External Quality Assessment in 2019 Build confidence with your stakeholders through a solid Quality Assurance and Improvement Program (QAIP). Look to IIA Quality Services’ expert practitioners to provide:

■ Insightful external quality assessment services. ■ On-time solutions and successful practice suggestions based on extensive field experience. ■ Enhanced credibility with a future-focused QAIP.

IIA Quality Services, LLC, provides you the tools, expertise, and services to support your QAIP. Learn more at www.theiia.org/Quality 2018 - 0961 Editor’s Note

INTERNALAUDIT’S EMERGINGSTARS

his marks the seventh year Internal Auditor has recognized emerging leaders in the internal audit profession. Our 2019 Emerging Leaders (see page 22) join 100 other young professionals who have been recognized Tsince 2013. Past honorees have not rested on their laurels, but instead, as expected, continue to achieve great things. For example: » At the time they were named Emerging Leaders, 74 had their Certified Internal Auditor (CIA) designation. Today, 89 are CIAs. » Since being named an Emerging Leader, 71 have new job titles or have moved to new companies. » Three Emerging Leaders have served on The IIA’s North American Board and Global Board of Directors. Seventeen leaders have served on one or more of The IIA’s committees. » Emerging Leaders have written 88 blog posts/articles for the magazine, and 46 leaders have been interviewed for Internal Auditor articles. Two former Emerging Leaders, Leslie Bordelon (2014) and Alex Rusate (2017) share how their careers have progressed since their recognition in this issue’s “Eye on Busi- ness” (see page 60). Rusate, for example, has obtained three new certifications since 2017. Bordelon and Rusate offer up-and-coming internal auditors advice on how to advance in the profession and explain why they stay in internal auditing. Bordelon says she’s excited about the future of the profession. “As companies start to embrace new technologies such as machine learning and robotic process automation, internal audit teams have to really rethink how they approach their work,” she says. Technology is a theme throughout the “Emerging Leaders 2019” article. “In fact, emphasizing analytics seems almost old-fashioned to the 2019 honorees; they assume analytics are key to internal audit and continually expand their skills—often on their own time,” writes author Russell Jackson. This year’s leaders recognize that this expertise can open doors for internal auditors, and they’re eager to be meaningful players in their organization’s success, Jackson says. On another note, when you’re Wright, you’re Wright. With this issue, we wish “Risk Watch” contributing editor Charlie Wright a fond farewell and introduce Rick Wright (no relation) as the new contributing editor. A big thank you to Charlie for his time and effort, and for the outstanding contributions he’s made to this department. We are fortunate to have Rick as Charlie’s replacement beginning in Decem- ber. Rick is the director of internal audit and enterprise risk management for YRC Worldwide. He is also the author of The Internal Auditor’sGuide to Risk Assessment and Internal Auditing: Uncover the Myths, Discover theValue. Welcome, Rick!

@AMillage on Twitter

OCTOBER 2019 INTERNAL AUDITOR 7 Reader Forum WE WANT TOHEAR FROM YOU! Let us know what you think of this issue. Reach us via email at [email protected]. Letters may be edited for clarity and length.

Measuring Culture Author’s Response: I don’t disagree I agree culture is really important, and with anything you say. In my own train- it’s good to contribute, but I’m con- ing programs, I emphasize that the objec- cerned where you are taking this for tive of culture auditing is not to reach a internal auditors who are new to this firm conclusion about the overall culture area. It would be easy to do work here or the subculture of an area. It is to con- and be detached from The IIA’s Inter- tinually enrich stakeholders’ understand- national Standards for the Professional ing of the culture through a combination Practice of Internal Auditing. What is of qualitative and quantitative evidence. the key risk concerning culture/behav- No single tool, technique, or approach ior that you are looking at? Who is should be relied on, and we must be managing the risk of problems in lines careful not to give false assurance. Nor one and two and with what metrics? should internal audit see itself as the sole Getting Up to Speed By what criteria is internal audit going provider of cultural assurance. Thank you for your great “Back to to judge management’s approach? What I am trying to do in this Basics” department. I have nearly a What insight is internal audit plan- series of articles is give readers a variety decade of public accounting audit ning to give? of approaches in enough concrete detail experience but stepped into the internal I continue to fear false assurance that they can consider what may or may audit world just over a year ago. While by internal audit teams in this area by not work in their own organizations. there is a lot of overlap between inter- thinking culture is a thing that can It goes without saying that we must be nal and external auditing, there is still a be measured and managed and, quite risk-based, conform to all our Stan- lot to learn. The department, especially possibly, missing a subculture prob- dards, and tailor what we do to our August 2019’s “Expand Your Role in lem or a behavioral/political problem own organizations. Internal Audit,” is a great resource to concerning a key risk (especially get me up to speed. beyond compliance). STEVE LOFLIN comments on Alex Rusate’s J. PATERSON comments on Jim Roth’s VISIT InternalAuditor.org “Expand Your Role in Internal Audit” (“Back online series, “Auditing Culture: Observation for the latest blogs to Basics,” August 2019). and Data” (InternalAuditor.org).

CONTRIBUTING EDITORS Jorge Gonzalez, cia, cisa Jerry Strawser, phd, cpa CONTACT INFORMATION Wade Cassels, cia, ccsa, cr ma, cf e Nancy Haig, cia, cf e, ccsa, cr ma Glenn Sumners, phd, cia, cpa, cr ma ADVERTISING J. Michael Jacka, cia, cpcu, cf e, cpa Sonja Heath, cia Robert Taft, cia, ccsa, cr ma [email protected] Steve Mar, cf sa, cisa Kyle Hebert, cia Brandon Tanous, cia, cgap, cr ma +1-407-937-1388; fax +1-407-937-1101 Bryant Richards, cia, cr ma Daniel Helming, cia, cpa Stephen Tiley, cia James Roth, phd, cia, ccsa, cr ma Karin L. Hill, cia, cgap, cr ma Robert Venczel, cia, cr ma, cisa SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES OCTOBER 2019 Charlie Wright, cia, cpa, cisa J. Michael Jacka, cia, cpcu, cf e, cpa David Weiss, cia [email protected] VOLUME LXXVI:V Sandra Kasahara, cia, cpa Michael Scott White, cia, cf sa, cr ma +1-407-937-1111; fax +1-407-937-1101 EDITORIAL ADVISORY BOARD EDITOR IN CHIEF Levy, cia, cr ma, cisa, cissp Merek Rick Wright, cia Jennifer Bernard Allen, cia Dennis EDITORIAL Anne Millage Lipson, cia Rodney Wright, cia, cpa, cf sa Applegate, cia, cpa, cma, cf e Lal David Salierno, [email protected] MANAGING EDITOR Thomas Luccock, cia, cpa Benito Ybarra, cia Balkaran, cia, f cpa, f cga, f cma +1-407-937-1233; fax +1-407-937-1101 David Salierno Michael Marinaccio, cia Andrew Bowman, cpa, cf e, cisa IIA PRESIDENT AND CEO PERMISSIONS AND REPRINTS ASSOCIATE MANAGING Alyssa G. Martin, cpa EDITOR Mark Brinkley, cia, cf sa, cr ma [email protected] Joe Martins, cia, cr ma Richard F. Chambers, cia, Tim McCollum Robin Altia Brown +1-407-937-1232; fax +1-407-937-1101 Dennis McGuffie, cpa qial , cgap, ccsa, cr ma SENIOR EDITOR Adil Buhariwalla, cia, cr ma, cf e, f ca Stephen Minder, cia WRITER’S GUIDELINES Shannon Steffee Wade Cassels, cia, ccsa, cr ma, cf e IIA CHAIRMAN OF THE BOARD Rick Neisser, cia, cisa, cl u, cpcu InternalAuditor.org (click on “ Writer’s Guidelines” ) ART DIRECTION Stefanie Chambers J. Michael Joyce, Jr., cia, Hans Nieuwlands, cia, r a, ccsa, cgap Authorization to photocopy is granted to users registered with the Faizal Chaudhury, cpa, cgma cpa cr ma Yacinski Design Manish Pathak, ca , Michael Cox, f iia(nz), at Copyright Clearance Center (CCC) Transactional Reporting Service, PRODUCTION MANAGER Bryant Richards, cia, cr ma provided that the current fee is paid directly to CCC, 222 Rosewood Haylee Deniston, cpa Gretchen Gorfine Jeffrey Ridley, cia, f cis, fiia Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor Kayla Flanders, cia, cr ma James Roth, phd, cia, ccsa cannot accept responsibility for claims made by its advertisers, although James Fox, cia, cf e Katherine Shamai, cia, ca, cf e, cr ma staff would like to hear from readers who have concerns regarding James Gager PUBLISHED BY THE Debora Shelton, cia, cr ma INSTITUTE OF INTERNAL advertisements that appear. Michael Garvey, cia Laura Soileau, cia, cr ma AUDITORS INC.

8 INTERNAL AUDITOR OCTOBER 2019 Audit Your Spend When was the last time your organization audited travel, entertainment and other business expenses?

Lyndon Group’s audit services focus on:

OPERATIONS REPORTING COMPLIANCE Efficiency Allocations Contracts Savings Analytics Policies Usability Reconciliations Regulatory

Visit us at www.lyndon-group.com/auditservices

Follow us @Lyndon-Group Hackers outpacing security defenses… Assessing third parties continually… Internal audit becoming cybersecurity ally… NIST releases AI standards plan. Update

MODERNDATA HURDLES

Avariety of obstacleshave kept nearlytwo-thirds of businesses from fully imple- mentingdatamodernization. 55% Budget/cost Lackof under- % standingof 44 technology THEPURPOSE Companies should focus on Lackof con- stakeholders and values, sensusamong OFBUSINESS Business Roundtable says. % decision-makers 41 he purpose of a company is to serve ethically with suppliers, supporting their communities, and generating long-term % Lackof clarity stakeholders—not just earn money onmetrics for shareholders —according to a value for shareholders. “These modernized 40 principles reflect the business community’s table. Thestatemenrevisedt froStatemenm the Businest on thes PurposeRound- unwavering commitment to continue to Source: Deloitte, Data Modernization Tof a Corporation was signed by 181 CEOs push for an economy that serves all Ameri- and the Cloud: Which Trend Is Driving the Other? of the largest companies and reverses the cans,” says Jamie Dimon, chairman and Washington, D.C.-based business lobbying CEO of JPMorgan Chase & Co. and chair- / U

group’s long-standing position. man of the Business Roundtable. / “Businesses play a vital role in the econ- The Business Roundtable’s change W DOOM omy by creating jobs, fostering innovation, of position is being met with skepticism, , LEFT

and providing essential goods and services,” though, with some critics decrying the shift ; the statement notes. The co-signing CEOs away from a traditional shareholder-centric ANASTASIIA_NE commit to delivering value to customers, purpose. Others note the statement doesn’t ,

investing in employees, dealing fairly and reflect today’s purpose-driven workforce. TOP FOR THE LATEST AUDIT-RELATED HEADLINES follow us on Twitter @TheIIA SHUTTERSTOCK.COM ISTOCKPHOTO.COM IMAGES :

10 INTERNAL AUDITOR OCTOBER 2019 Practices/Update

“These five things, you’re supposed to be actions are consistent with its stated values. doing now,” said Gallup Chairman and CEO During a CAE Podcast from The IIA’s Audit Jim Clifton in a Gallup podcast. Executive Center, Silverman advised looking Harold Silverman, IIA managing director at these values by reviewing internal controls. of CAE Services, said the Business Roundtable “It sets an expectation that organizationally, statement is an opportunity for internal audit the truth matters in all types of external report- to provide assurance that the organization’s ing,” he said.—T. MCCOLLUM

SECURITYLEADERS ANTICIPATEMOREATTACKS

CISOs foresee increased hacking, cite preparedness concerns. % ore than 80% of chief informa- OFCFO82SSAYTHEY tion security officers (CISOs) say COLLABORATEWITH they expect the risk of cyberat- THEIRCOMPANY’S tacks to increase, according to a CIOMORE NOW THANTHREE global survey of more than 200 CISOs by YEARS AGO. MForbes Insight and cybersecurity firm Forti- net. The Making Tough Choices research impediment to security efforts, prompting % also shows that nearly one-fourth of respon- CISOs to pay increased attention to edu- OFCFO56SANDCIOS dents say attackers’ capabilities are outpac- cating their own employees and building ARECOLLABORAT- ing their ability to defend the organization. cybersecurity awareness organizationwide. INGONTECHNOLOGY In their efforts to stave off breaches, Safeguarding customer data represents INVESTMENTS, security leaders say they are allocating, a top priority for survey respondents, with and 52%are working on average, more than one-third of their 36% citing it as their main security focus, together on business systemchanges. security budget to response. But ideally, the followed by protecting the organization’s CISOs point out, they would like to see that brand. Most respondents also say pro- “Providing opportunities for percentage increase. Moreover, they cite tal- tecting intellectual property is an area of the [finance and IT] teams to ent and training constraints as a significant focus. —D. SALIERNO collaborate builds awareness of operational challengesand needs, which often leadsto moreastute insights onbest practicesandsolutions,” says ITERATIONISTHE Rapid change necessitates JohnReed, anexecutivevice continual third-party president for Robert Half. NEWIMPERATIVE assessments. Source: Robert Half,Survey of 1,000 U.S.-companyCFOs. , he standard point-in- Inc. asserts. With an increas- The report, Stay Ahead time approach to risk ing number of third parties of Growing Third-party / I management is no performing new and dif- Risk, surveyed more than /

R longer effective in ferent types of services, the 250 legal and compliance BSWE , today’s fast-paced, rapidly research says, organizations leaders in the U.S. Among TOP Tchanging business land- can’t always identify mate- respondents whose organiza- scape, a report from research rial risks before starting a tions engage third parties for IMAGES : RIGHT SHUTTERSTOCK.COM; FOTOGESTOEBE SHUTTERSTOCK.COM and advisory firm Gartner business relationship. business services, 83% say

OCTOBER 2019 INTERNAL AUDITOR 11 Practices/Update VISIT InternalAuditor.org to read an extended interviewwith DaMon Ross Sr.

they identified third-party risks after conducting due diligence and before recer- CYBERSECURITY’SKEYALLY tification. Moreover, 31% Internal audit should be a strong cybersecurity advocate, says DaMon of those risks had a material Ross Sr., senior vice president and head of Cybersecurity Operations impact on the business. for SunTrust. Modern risk management, the report states, What is the relationship between IT and internal must account for ongoing audit in cybersecurity and preparedness? IT is changes in third-party rela- essentially the assets that cybersecurity is supposed to be tionships and mitigate risks protecting. Internal audit should ensure technical and non- in an iterative way—that technical controls are in place and operating effectively. is, continually, rather than Internal audit personnel must become intimately familiar at specified intervals. “Our with cybersecurity and how to test the effectiveness of research shows an iterative cyber controls. Too often, internal auditors are not tech- approach to third-party risk nical enough to assess whether an organization’s cyber management is the new controls are adequate to protect the assets they were put imperative for meeting busi- in place to protect. ness demands for speed and Internal audit’s most valuable role is ensuring cybersecurity functions have the stakeholder demands for risk resources necessary to protect the organization effectively. Whether those resources be mitigation,” says Chris funding, staffing, or data from the organization’s IT systems, internal audit should be a Audet, research director for strong advocate for the cybersecurity function by raising awareness around the organiza- Gartner’s Legal & Compli- tion’s cybersecurity needs. Internal audit assessment results should be a major topic in ance practice. C-suite briefings to ensure the cybersecurity function receives the support necessary to The report cites sev- protect the organization. eral factors to help explain the changing nature of third-party risk and its increased importance as U.S. NIST has a plan for developing an area of organizational UNCHARTED AI artificial intelligence standards. focus. For example, 80% of respondents use third rtificial intelligence (AI) standards parties, including startups Aneed to be flexible enough to stimu- and business model innova- late innovation and adapt to new tors, rather than incumbent technologies, according to a U.S. service providers, to provide National Institute of Standards and Technol- new-in-kind technology ser- ogy (NIST) plan. Such standards also must vices at their organizations. minimize bias and protect privacy, notes the Two-thirds say third parties U.S. Leadership in AI document. are providing services out- “This plan provides a path to ensure the side of the company’s core federal government supports AI standards business model. Gartner that are flexible and inclusive,” says Walter It also calls for the U.S. government also notes third parties now Copan, undersecretary of commerce for Stan- to bolster AI standards-related knowledge, have greater access to orga- dards and Technology and NIST director. leadership, and coordination among federal

nizational data, and they are Along those lines, the plan identifies agencies and promotes research that explores / working with an increasing nine focus areas: concepts and terminology, how trustworthiness can be added to stan- 8 VS14 number of their own pro- data and knowledge, human interactions, dards and standards-related tools. Moreover, ,

viders— spawning fourth metrics, networking, performance testing the plan advocates developing AI standards LEFT : and fifth parties. and reporting methodology, safety, risk man- through expanded public-private partner- SHUTTERSTOCK.COM —D. SALIERNO agement, and trustworthiness. ships. —S. STEFFEE PHOTO

12 INTERNAL AUDITOR OCTOBER 2019 ... :-= ""....:= Back toBasics

BY CHRISTINE HOGAN HAYES EDITED BY JAMES ROTH + WADE CASSELS

COMMUNICATION SKILLS FOR SUCCESS Newly promoted senior auditors need to master the skills that help develop less experienced fter gaining years might not possess the skills make a tremendous differ- auditors. of internal audit that help develop a well- ence in the effectiveness of experience, associ- rounded associate auditor. communication. One area in ate internal audi- Therefore, it is the senior particular is providing tors may be promoted to auditor’s responsibility to constructive feedback. Such Asenior internal auditor. not only understand what feedback, while both well- Internal audit management promotes the professional intentioned and important, may recognize the auditor’s growth of associate auditors, may not be well-received professional growth and but also the strategies for because of the inflection and want to encourage contin- effectively teaching the skills tone of voice. Some associ- ued development. that ensure success. How the ates may be able to hear the Senior internal auditors skills are taught often message through the inflec- are responsible for leading impacts the ability to grasp tion and tone, but others audits across the organization new internal audit concepts may focus solely on it, and while working with associate and processes. completely miss the objec- internal auditors on vari- Three key communica- tive of the message. ous audit projects. Through tion skills for new senior To assess the associate many years’ experience, auditors to master are lan- auditor’s understanding senior auditors have had guage selection and usage when explaining an internal extensive opportunities to that encourages learning and audit concept, the senior hone internal audit-specific growth, demonstrating auditor might ask, “Does skills, such as testing, work- strong communication skills that make sense?” versus paper execution, and audit to strengthen the skills of the “Are we okay?” or “Are we report writing. team, and facilitating strate- good?” This makes a dif- New senior auditors gic communications through ference in determining may not have experience business partnerships. These progress and encouraging in the area of developing skills cover the various inter- discussion. While it may be and coaching the individu- actions internal auditors well-meaning, “Does that als on their audit project experience daily. make sense?” is phrased in team. And while senior such a way that might not auditors may have strategies 1. Language Selection permit feedback (and if for teaching internal audit A senior auditor’s word selec- it does, is focused on the practices and processes, they tion, tone, and inflection can topic being taught). “Are we SEND BACK TO BASICS ARTICLE IDEAS to James Roth at [email protected]

14 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the author at [email protected]

okay?” can open dialogue for the associate auditor to ask the opening meeting? The associate may be successful, but questions, as well as voice concerns. Using “we” indicates chances are, without experience, he or she will flounder. that the learning process involves both the internal audit Such unplanned approaches to training decrease team senior and associate. This phrasing can sometimes encour- morale, and send a message to the audit client that internal age a broader conversation, rather than solely confirming a audit is not a supportive and growth-focused department. successful transfer of knowledge. A planned and intentional approach to communication Simple changes in wording can have a huge impact on training sends a message that the senior auditor cares not the team’s morale and skill development, especially because only about the success of the audit, but the associates, too. associate auditors may have varying professional backgrounds and different learning styles. Word choice, tone, and 3. Strategic Communication inflection can help reinforce the meaning of one’s message Strong business partnering relationships are often built in and encourages professional and productive discussions. informal ways, whether that be a walk around the office during lunch, a short coffee break, or by dropping by 2. Demonstrating Communication Skills someone’s office. Chances are that at one time or another, When a senior auditor thoughtfully considers language, and a leader within the internal audit department has included makes necessary changes in phrasing and tone to best sup- the recently promoted senior auditor in such opportunities. port the team, it is appropriate to then demonstrate his or By including associates in such interactions, it helps them her communication skills. As senior auditors work with a build their own network and demonstrates the way in which variety of stakeholders, they should consider their written to build their own relationships with leaders throughout the and oral communications. enterprise. This can help improve the image and reputation of the internal audit department within the organization. Written Communication New associate auditors who Senior auditors also can help facilitate opportunities for are learning the internal audit department culture will communication skill improvement among associate audi- undoubtedly copy the communication style of their leaders; tors through the presentation of technical skills. Associate therefore, it is critical to reflect upon one’s own written com- auditors may have professional and educational backgrounds munication and replace bad communication habits with a in areas outside of the department under review, but possess specialized skills in subjects such as predictive modeling and project Careful planning is necessary to set up management. These skills are not only the individual and team for success. valuable in their application within the internal audit role, but they are also useful across the enterprise. When appropriate, senior auditors can initi- strong communication style. After all, one cannot hold asso- ate the conversation among business management about ciate auditors to a high communication standard if senior the possibility of a workshop or webinar, for example, and auditors are not modeling appropriate communication skills, encourage the associate auditor to share his or her expertise themselves. From time to time, jargon is used in memoran- with audit clients. dums and emails are sent lacking punctuation, grammar, or spelling. Associate auditors are included in correspondence, Fostering Success so professional language and communication should be Being promoted from associate internal auditor to senior used in all interactions. Even if it takes a few extra minutes, internal auditor is reason to celebrate one’s professional senior auditors should proofread written communication. accomplishments. However, with such promotion comes increased responsibility. And to foster further success, it is Oral Communication Exposing associates to various learn- necessary to implement the communication skills that will ing experiences is important; however, careful planning progress one’s own professional development, as well as by the senior auditor is necessary to set up the individual help improve the skills of emerging talent within the inter- and team for success. For example, if an associate audi- nal audit department. tor has never presented in front of audit client management, why have him or her present for the first time at CHRISTINE HOGAN HAYES is an internal audit supervisor at the closing meeting, which may be more sensitive than Plymouth Rock Management Co.of New Jersey in Woodbridge.

OCTOBER 2019 INTERNAL AUDITOR 15 ITAudit

BY SEYYED MOHSEN HASHEMI EDITED BY STEVE MAR

TOP CHALLENGES OF AUTOMATING AUDIT Internal audit must transform its own processes to keep pace with the business transformation rganizations are rap- consolidate, and integrate audit can prioritize based on occurring in the idly adopting the planning, performance, its stakeholders’ needs. technologies such as and response steps of the organization. audit process into a holis- 1. Syncing the IT Audit robotic procesclouds computing,automation tic approach. The process Process With IT Project O(RPA), machine learning, should present audit recom- Planning blockchain, and cognitive mendations in a way that Problem: IT audit teams computing to create tomor- is dynamically sustainable need a way to link, tailor, row’s business in today’s within the organization’s and update audit findings market. Internal audit needs integrated action plans. and recommendations for to transform its processes Since 2012, many ongoing IT projects and to keep pace with these standards and frameworks action plans. This will be changes, and IT audit pro- have changed their models, necessary for auditors to cesses are an excellent place procedures, and guidelines to follow up on findings and to start this transformation. elaborate on the role of the identify who is responsible Organizations that still IT governance process. for carrying out audit rec- perform most internal audit Accordingly, internal audit ommendations. tasks manually complicate IT should redesign its proces- Solution: An automated IT governance. In this manual ses to coincide with new, audit system would break IT model, auditors have adopted streamlined IT processes and audit work into two levels— many compliance laws, poli- related roles. Meanwhile, findings’ recommendations cies, procedures, guidelines, IT audit specialists should and their final conditions — and standards, along with understand the interoper- encompassing all preventive, their related control objec- ability among the conceptual detective, and corrective tives. Moreover, internal audit models of IT management, controls. The rec- manages audit process governance, standards, ommended actions reported elements such as training, events, audits, and planning. in audit findings should standards, risk, planning, Transforming audit pro- be linked, integrated, and documentation, interviews, cesses comes with challenges, synced by their related IT and findings separately. though. Each of these chal- project’s nondisclosure An automated internal lenges can be encapsulated in agreements, service-level audit process can enable a pattern of a problem and agreements, and contracts. the audit function to link, a solution, which internal Then, the automated IT SEND ITAUDIT ARTICLE IDEAS to Steve Mar at [email protected]

16 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the author at [email protected]

audit system should confirm that management addressed to metadata. For example, an auditor could set up a software the recommendation. robot to collect evidence about risks related to vendor lock-in, changes in vendors, and data conversion. Similarly, gathering 2. Letting IT Governance Direct the IT Audit Process cloud provider metadata through RPA can enable internal Problem: The role of the IT audit team in corporate gov- audit to respond to other cloud-based risks. ernance is important because the function can help bridge Generally the business model must be clear, well- the gap between the business and IT in organizations. IT defined, mature, and well-documented when any kind of governance is a key part of corporate governance, which business, especially IT audit, wants to migrate to the cloud. directs and monitors the finance, quality, operations, and The IT audit process also will be streamlining and maturing IT functions. Three of these functions —finance, quality, in the cloud as a system. Thus, the cloud and robotic process and operations—are being transformed by innovative, automation can bring an iterative business model in which technology-based processes. Thus, the problems are how the the IT audit process is transformed into a cognitive comput- board and executives will design and implement a corporate ing system. This system could result in more affordable audit governance system and how the IT governance process will costs and enable IT auditors to perform more engagements be automated. each year based on automated best practices. Solution: Automating the IT governance process should be comprehensive and agile. In other words, the IT gover- 4. Mitigating IT Standards’ Side Effects nance, risk, and control mapping and cascading of goals and Problem: Applying some IT standards is analogous to a drug indicators among all levels of the organization must be user- interfering with other drugs and having adverse effects on a friendly. To have an agile audit function, though, these maps body. Without a unified medicine solution, a prescription and cascades should be tailored based on the types of gover- may not provide the greatest benefits and the fewest negative nance roles such as the board, executives, internal auditors, effects. Likewise, internal audit should ensure the side effects chief information officer, and IT manager. of IT standards do not cause problems such as increasing The internal audit function also should map key perfor- compliance costs. Auditors must address two issues: mance indicators based on the control objectives of various » Deciding which sections of IT-related standards such regulations, standards, and frameworks into its goals. These as COBIT 5, ISO 2700, and NIST Special Publica- governance requirements include frameworks from The tion 800-30 best conform with the organization’s risk Committee of Sponsoring Organizations of the Treadway management framework. Commission and the U.S. National Institute of Standards » Addressing conflicts and duplications among the and Technology (NIST), industry requirements such as the various standards that might result in duplicate con- Payment Card Industry Data Security Standard, and regula- trol objectives. tions such as the European Union’s General Data Protection Solution: An automated IT audit system should use machine Regulation and the U.S. Sarbanes-Oxley Act of 2002. learning and recommendation systems to remove the similar or contradictory control objectives of IT standards. This way, 3. Transforming IT Audit Processes to a DevOps Review the audit system can control the duplications among all of the Problem: Nowadays, some nonfunctional requirements such standards’ segments and use artificial intelligence to recom- as cybersecurity, machine learning, and blockchain are being mend an efficient and customized set of controls. inherently changed to functional requirements. This change will have fundamental effects on the IT audit process. For Transforming the Auditor example, IT auditors will need to assess cybersecurity or block- For automation to overcome these challenges, internal auditors chain requirements during the organization’s system develop- must transform themselves, as well. This is an area in which ment operations (DevOps) process and change their audit IT audit specialists can help organizations find, prioritize, and program schedule to fit the DevOps schedule. This change can invest in the right innovations to automate IT, internal audit, be a real challenge, especially for small and medium-sized audit and cybersecurity processes. Moreover, by identifying ways to teams that lack skills and experience with DevOps. automate IT governance, risk, and controls, internal audit can Solution: Internal audit could solve this problem by mov- help the IT function align its operations with the organiza- ing to an “IT audit as an embedded DevOps review service” tion’s governance and transformation processes. model. As a result, the review processes for IT governance, risk, and controls must be embedded into the DevOps life cycle. As SEYYED MOHSEN HASHEMI, PHD, is a research scholar at part of this process, an automated system may provide access Ontario Tech University in Oshawa, Ontario.

OCTOBER 2019 INTERNAL AUDITOR 17 Risk Watch

BY ISRAEL SADU EDITED BY CHARLIE WRIGHT

CONFRONTINGCLIMATECHANGE As more organizations recognize the economic risk posed by a warming planet, internal audit can he adverse impacts of a result, organizations may characteristics described in serve as a change rising global temper- incur increased production The IIA’s Core Principles for atures and extreme costs, decreased demand, and the Professional Practice of agent. delayed delivery of goods and Internal Auditing. are becominweatheg ar frontconditions-line services to their customers. Internal audit functions Trisk for businesses. A 2015 The growing stakeholder that conform to the Interna- Economist Intelligence Unit concern about climate change tional Professional Practices study estimated that the risks is creating demand for Framework should be quali- value of global manageable climate-competent auditors fied to audit climate change assets at risk due to climate to help analyze the threats risks. To supplement their change could be as much as and recommend remedies. knowledge, The IIA has pub- $4.2 trillion between now Such practitioners can help lished the Practice Guide on and 2100 in discounted, their organization address Evaluating Corporate Social present-value terms. That financial, process, and gover- Responsibility/Sustainable is roughly on par with the nance implications. Through Development. total value of all the world’s a multipronged approach Yet, a worrying trend listed oil and gas companies. encompassing both strategic in audit reports is that many Meanwhile, increased regu- and tactical activities, internal auditors do not see climate lation to confront climate audit can assist organiza- change risks beyond change is gaining momen- tions in confronting climate financial risks to the busi- tum around the world. change risks. ness. Some internal audit These trends are functions may not include leading boards and execu- Being Climate-competent climate change risks in the tives to realize that today’s Today, audit stakeholders are audit plan because they are climate-related decisions seeking answers to the basic not considered a principal may dramatically impact questions about what climate risk to the business. For their organizations in the change risks might impact example, according to the future. Leaders are recogniz- them and the arrangements KPMG Survey of Corpo- ing that the magnitude of in place to mitigate them. rate Social Responsibility climate change risks warrants Internal audit must adapt to Reporting 2017, 72% of a collective action as their these expectations and dem- large and midcap companies impacts are widespread and onstrate the “insightful, pro- did not acknowledge the not just a future threat. As active, and future-focused” financial risks of climate SEND RISK WATCH ARTICLE IDEAS to Rick Wright at [email protected]

18 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the author at [email protected]

change. This could be because boards, executives, and inter- Where management is reluctant to consider climate nal audit lack understanding of climate change risks and change risks, internal audit can help change executives’ atti- their implications. tudes by enhancing their knowledge of the risks and demon- In other cases, although internal auditors may consider strating how to assess and predict their impacts. In addition, climate change risks in the audit plan, they may not internal auditors who have assisted other organizations in understand the assumptions and estimates used in prepar- addressing climate change risks can share information and ing the financial statements. Likewise, auditors may not analysis of their experiences and promote the use of tools and comprehend the implications of climate change risks when systems for these purposes. applying existing accounting treatments and audit standards. Additionally, standard audit programs may not be help- The Way Forward ful in assessing climate change risks, control criteria, and The audit function should understand the climate change their potential impact. Finally, the audit team may not have risks affecting the organization and be able to add value climate-change risk specialists to assist the teams in focusing proactively, timely, and effectively. It is important to assess on key areas of concern. whether the organization fully grasps the implications of climate change risks. To move forward, internal audit should: Strategy and Risk Management Insight » Develop a consensus with the board and senior man- Those internal audit functions can’t ignore climate change agement about internal audit’s role. for long. With these risks looming on the near-horizon, audi- » Champion a focus on climate change-related risks tors can advise the board and management by promoting by participating in the risk analysis process and edu- accountability in addressing climate change risks. cating management on the best practices in climate Internal audit can help ensure the organization is iden- change-related governance, risks, and controls. tifying, prioritizing, and remedying key climate change risks » Ensure the audit function has the appropriate skills appropriately. For example, internal audit can advise on strat- to evaluate climate change risks and execute related egies for developing a process to define, monitor, and assess audit engagements. climate change risks. Auditors can ask management about the » Empower audit teams by developing appropriate organization’s resilience and sustainability, as well as audit the tools and procedures for assessing climate change organization’s sustainability report. Another way internal audit can provide value is reviewing whether the busi- The CAE should embed climate change ness strategy aligns with the applicable risks in each audit engagement. regulatory environment. Auditors can facilitate root-cause analysis of potential regulatory noncompliance. Coordinat- ing control self-assessment workshops can identify the areas risks, capacity building through mentoring and effec- where the organization’s climate-change response strategy tive onboarding, and including climate experts in the does not align with its business processes. audit teams. Internal auditors also should evaluate the financial and » Incorporate climate change risks into the organiza- strategic implications of climate change risks. While the tion’s risk register and ensure appropriate audit units changes to carbon-free or low-carbon technology could pose are contained in the audit universe. The chief audit potential financial risks, they also could result in opportuni- executive should ensure that the identified risks are ties such as alternative technologies, business processes, ser- embedded in each audit engagement. vices, and products. Climate change risks impact all of humanity. Consequently, Internal audit should ensure the organization’s enter- there is much work to be done. The responsibilities of inter- prise risk management process includes an appropriate focus nal audit and the required skills are changing quickly. As a on climate change risks. Auditors can assist in developing a partner in a good governance process, the modern internal granular view of risks that can enable management to create audit function can be pivotal in addressing climate change by appropriate risk management strategies. In addition, they positioning itself as an agent of change. should evaluate whether management has established bench- marks, metrics, success criteria, key performance indicators, ISRAEL SADU, PHD, CIA, CRMA, CISA, is resident auditor with and leading practices. an international organization in Bonn, Germany.

OCTOBER 2019 INTERNAL AUDITOR 19 FraudFindings

BY EMILY E. KIDD EDITED BY BRYANT RICHARDS

MUNICIPALMISAPPROPRIATION By exploiting legacy system knowledge, a key finance employee siphons county funds to his personal avier County billed personnel asked to supple- accepted this diversity of per- account. its residents monthly ment controls, they were told sonnel providing customer for their utility use that the software could not contact as a satisfactory level through its finance produce the reports they of segregation of duties. A division using in-house were asking for nor could few functions, however, were Xlegacy software, which was they implement the addi- handled by Jeff Neeley, the not up to the rigors of mod- tional controls requested. At most senior staff member in ern billing and reconciliation this point, the internal audit the division, who was famil- processes. Unfortunately, the department became aware of iar with the legacy software county had a “We have the software’s reporting con- and the most effective at always done it this way” straints and initiated a soft- resolving those requests. mindset, so there were no monitoring project regarding The division needed plans to upgrade the system. the internal controls of the institutional knowledge so The county was collecting an billing and payment process. much that many weekends, average of $1.3 million each Because the software when customer needs were month in accounts receiv- was incompatible with mod- high, he would come into ables for the utility, cranking ern online processes, certain the office and process those out manual receipts upon account activities could not payments needing adjust- request and patching the sys- be completed online. Instead, ment. It was during this tem as needed to limp along customers were encouraged time, without supervisory to the next billing cycle. to call the division with oversight, that Neeley con- The IT employee who account concerns and other ducted inappropriate trans- set up the legacy platform matters. The customer ser- actions, feeling empowered and managed it for decades vice line was shared by sev- by the lack of physical man- had retired, and back-of- eral employees in the finance agement review. the-house adjustments were division who were involved The fraud, itself, much more difficult to in the billing and payment included a few adjustments achieve without his insti- process. The employees to the financial software and tutional knowledge. When would take customer calls a bit of manual tracking. new executive management and process payments and When a customer paid using at the county requested adjustments within the sys- a credit card over the phone additional reporting from tem, as needed. Financial with Neeley, he would tally the system and management and county management the payment amount in a SEND FRAUD FINDINGS ARTICLE IDEAS to Bryant Richards at [email protected]

20 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the author at [email protected]

when internal auditors cautioned against this untested trust, LESSONS LEARNED they were told it was important not to upset employees » Internal controls should be respected in all organi- because they were still skeptical of the county after layoffs zational cultures. Creating a baseline for oversight during the Great Recession. Those who remained were ter- and applying management reviews consistently for ritorial regarding their responsibilities and did not see the all employees is recommended. value of cross-training. » Key employees are great additions to organiza- The utility’s legacy system led to the practice of a few key tions and are often the most trusted employees. employees handling adjustments every time one was needed. They can provide institutional knowledge that can The work became so specialized that certain customer compel fact-driven decision-making. However, account adjustments were put on hold until Neeley returned trust is not an internal control and all employees to work. It wasn’t until he was out on unscheduled medical require oversight. leave that another person within the department had to » Succession planning and work-task rotations handle his transactions for waiting customers. That’s when could have been key in preventing the fraud from personnel noticed unusual adjustments within the system. occurring at the level it did. Adjustments within the monthly journal were paid via » By not requiring Neeley to attend staff training the accounts payable process to a fictitious service vendor and enabling special working conditions, manage- account Neeley set up many years before that appeared to be a ment created an environment where the employee legitimate cost of service as payment lockbox service fees. This felt outside of the system and its authority. service fee was one of two that the county paid—because the » Physical security of a work area is important to fee amounts were consistent, without material variances, and instill a sense of oversight and supervisory review of a nominal amount, no one thought to ask why there were for employees. Working outside of normal busi- two separate payments for the lockbox service fee. ness hours is not recommended. Once the fraud was identified, internal audit asked the » Segregation of duties within the financial system employees who reviewed Neeley’s summary reports why the is key to ensuring appropriate reviews. If one fictitious vendor account wasn’t flagged or reviewed further. employee has two separate logins for staff trans- They explained that it did not receive any attention because actions and supervisory/review transactions, this the fee was nominal considering the large amounts that were built-in internal control is no longer effective. being processed monthly. The fraud investigation deter- mined that those nominal fees siphoned to Neeley’s personal account added up to nearly $91,000 and, because the system did not retain records more than 10 years back, the true dol- workbook on his desktop computer. During month-end close- lar amount lost by the county was estimated to be greater. out procedures, he would take the running tally amount in the The department was informed of the suspected fraud, workbook, create a journal entry, and move that amount from and a vendor service company conducted a financial investi- accounts receivable revenues to accounts payable. This entry gation. Still out on medical leave, Neeley hastily completed was processed within the financial system without additional retirement paperwork with human resources and did not review as Neeley had both a staff-level login and a supervisory- return to work. The investigation resulted in multiple recom- level login, presumably to perform different roles for different mendations that brought the division back up to an appro- duties, as assigned. A phony invoice was then created for a fic- priate level of internal control. The county later submitted titious vendor and included in the backup documentation for the case to the local district attorney’s office for prosecution, that journal entry. The fictitious services amounted to the total which is currently in process. of all individual accounts that were manipulated during the The impact to the county was perhaps greater than the month. The vendor was paid via the standard accounts payable monetary loss of the fraud. It became a local media topic, process within the county. The vendor verification process had drawing many concerned citizens to the county’s public been completed by Neeley many years before. meetings to voice their disproval of the situation and the Through multiple inquiries during performance audits county. The level of trust in the community has been eroded throughout the organization, internal audit identified a and it will take time to mend. weakened internal control structure due to the level of trust within the county. Internal audit discussed the risks multiple EMILY E. KIDD, CIA, CGAP, is director of internal audit for the times with executive management, with no change. In fact, City of Reno, Nev.

OCTOBER 2019 INTERNAL AUDITOR 21 EMERGING

22 INTERNAL AUDITOR OCTOBER 2019 LEADERSHIP

This year’s honorees are driving change in their audit functions and setting an example for the profession. LEADERS 2019 Russell A. Jackson

ach year’s Emerging Leaders talk less about the profession pivoting to a trusted advisor role and more about actually performing that role—and how excited they are to expand internal audit’s influence into new areas. Indeed, the 2019 Emerging Leaders’ diversity shows partly in the variety of experiences they’ve had in an advisory capacity and their specific goals for expanding the profession’s profile. And as in previous years, the 2019 Emerging Leaders are a diverse, multinational group. Since the first crop of honorees in 2013, 14 countries have been represented; this year’s professionals hail from The Republic of Belarus, Canada, the U.S., and Zambia. Just under half since the beginning are women, just over half are men—many of whom have advanced to positions of greater leadership and gone on to volunteer in key IIA governance and advisory positions. As a group, this year’s Emerging Leaders are enthusiastic about talking up internal auditing —to schools, business groups, and their colleagues —and about supporting the profession through expanded participation in local professional organizations. Technology, as always, is what these high-performing practitioners want to talk about. Automation and data analytics are familiar. In fact, emphasizing analytics seems almost old-fashioned to the 2019 honorees; they Eassume analytics are key to internal auditing and continually expand their skills —often on their own time. That expertise opens doors to more internal auditor interaction with organizations’ executives, and this year’s Emerging Leaders are eager to take advantage of the opportunities they see ahead to be meaningful players in their enterprises’ success.

OCTOBER 2019 INTERNAL AUDITOR 23 EMERGING LEADERS2019

monetary benefit of more manages the city’s whistle- JORDAN than $15.2 million dollars,” blower hotline for reporting SWEENEY reports Sweeney’s supervisor, fraud, waste, or abuse, and CFE Sacramento Assistant City so far has resolved more 28 Auditor Lynn Bashaw. “She than 80 cases. Sweeney, who SENIOR AUDITOR continues to work with the holds a master’s degree in CITY OF SACRAMENTO, department to implement civil engineering, came to CALIF. recommendations made in the profession after learning her audits,” Bashaw adds, about it at home—her hus- “as well as recommendations band is a premium auditor made in previous audits.” for an insurance company. Sweeney says providing The work seemed challeng- informal audit training to ing yet fun, she explains, are implemented. From day DOU staff members respon- and used many of the same one, the University of Cali- sible for the recommendation data analysis and problem- fornia at Davis graduate was follow-up efforts helps them solving skills an engineering given sole responsibility for understand what internal education requires. Sweeney JORDAN SWEENEY con- auditing the city’s Depart- audit is looking for and com- adds: “I felt it would be very ducts “impactful audits,” as ment of Utilities (DOU). municate that to other staff, rewarding to be a part of one colleague puts it, and As a result of her consistent thereby reducing the number something with such a big she is hailed for following up follow-up efforts, the DOU of documentation requests impact on how the govern- to ensure recommendations has achieved “a realized she has to submit. She also ment operates.”

opportunity,” he says. One early challenge was how dependent CHENG CHENG consulting is on experience and industry knowledge, which he CIA lacked at the time. “I forced myself out of my comfort zone,” 28 he says. “I told myself, ‘Don’t’ be afraid to ask questions.’” And CONSULTANT, having tapped his mentor’s experience to great effect, he advises ENTERPRISE RISK those working with professionals who have extensive SERVICE knowledge in the field to observe how they work. Cheng’s own MNP LLP work encompasses internal controls over financial reporting, TORONTO payroll audits, external quality assessment, and risk-based operational and compliance audits, notes MNP colleague Jim Barbour, who cites another challenge Cheng has overcome. “A recent client required him to reconstruct multiple years’ payroll reporting to tax authorities,” Barbour says. “He used document capture and data analytics tools to prepare and evaluate the source data for the required deliverables.” Cheng points to This is how CHENG CHENG characterizes his profession: “I the value of communication skills as key to explaining deliver- selected internal auditing because it’s challenging, nonroutine, ables to clients. “No matter how technology evolves,” he says, and fun.” The University of Toronto graduate started out with “we will always need to build relationships with people.” Out- a degree in commerce and a master’s degree in accounting; side internal audit, pick-up basketball games most weekends early in his career, Cheng worked on finance, assurance, and constitute Cheng’s No. 1 hobby. He’s also an active volunteer internal audit-related jobs, ultimately opting for the latter as his in MNP’s Community Activity Project and Education pro- main focus. “Every day is a new challenge and learning gram and serves as treasurer for IIA–Toronto.

I’M REALLY CONFIDENT OUR PROFESSION IS IN GREAT HANDS WITH SO MANY INTELLIGENT AND SOCIALLY CONSCIOUS YOUNG PROFESSIONALS. —Sally-Anne Pitt, Emerging Leaders judge “24 INTERNAL AUDITOR ” MELISSA MORLAN DON- management reporting, NER prefers people to face including presentations sum- forward in their approach to marizing audit results, issue internal auditing. “If ‘well, status, and audit department that’s how we did it last year’ performance to the orga- BLAINE FRITZ is the only rationale you nization’s highest govern- CIA have for something,” she ing bodies, Jarnagin says. 29 says, “there’s probably Within months of starting GOVERNANCE & a way to improve it.” That at Bank of America, Don- OPERATIONSMANAGER/ often involves automation ner designed a new monthly CHIEF OF STAFF and, especially, being able to business review for the chief GSK understand what it’s doing. audit executive (CAE) to RESEARCHTRIANGLE Already, the University of oversee department opera- PARK, N.C. Florida graduate notes, a key tions and revamped the issue skill for internal auditors is management report for the “the ability to understand CEO’s management team. how automation can be Donner says that’s a good BLAINE FRITZ became an internal auditor to understand applied.” Writing code is a example of the trusted how companies work from the inside out. He hit the pro- plus for anyone to possess, advisor role internal audit fessional jackpot: The Michigan State University graduate she says. “But more impor- is taking on, and she adds has led global audit teams and conducted engagements tant is being able to clearly that data visualization is an across multiple risks— commercial practices, anti-bribery articulate what you think an increasingly important part and corruption, financial controls and reporting, and sup- automated process would of it. Reporting a 1% to 2% ply chain, to name a few. His work has spanned multiple look like and have a grasp month-over-month increase functions, cultures, and geographies, including North and of what is possible before via text or a slide may not South America, Europe, and Asia. The former audit working with an automation raise red flags, she explains. manager, who’s since moved into Managed Markets and expert to get it done.” Don- But seeing a line chart span- Government Affairs, has also led multiple initiatives to ner built her audit skills ana- ning six months that shows a improve the internal audit function at GSK, notes his lyzing and testing controls 10%-plus increase—with a manager, John Boone, vice president, Contract Manage- across various industries as a six-month projection if ment and Operations. “He’s gathering observations on the consultant, while also project nothing happens—“can impact of an audit from a business perspective,” Boone managing the day-to-day really serve as a call to says, “and will feed these observations back into the inter- activities of those engage- action,” she says. Donner is nal audit function to improve efficiency and effectiveness ments, reports current super- a member of The IIA’s Chi- and minimize business disruption in future audits.” Other visor Janet Jarnagin, an audit cago chapter and volunteers projects include leading the Audit Ways of Working Align- director at Bank of America. at TutorMate, an online pro- ment Project, which identified differences in approach Now Donner is responsible gram that helps kids improve between regions and among risk areas, and facilitating for board and executive their reading skills. training on audit process and third-party oversight. The people part of the equation, Fritz says, is key. “My work provides an opportunity to gain a global perspective and MELISSA MORLAN cultural awareness through the people I meet around the DONNER world,” he says. Fritz focuses on internal audit’s evolving CIA role, noting that use of the audit function as a resource for 26 insights gained through sharing of good practices across the AUDIT SUPERVISOR business represents an important change for the profes- BANKOF AMERICA sion. “Auditors can share an enterprise view gained from CHICAGO experiences in different risks and parts of the business,” he comments. Outside the office, the soccer player and youth team coach also serves as an Early Talent Mentor for GSK’s Future Leaders Program and as a member of GSK’s Orange Day Volunteer Committee; each year, employees spend Orange Day off-site, volunteering at a charity of their choosing.

INTERNAL AUDITOR OCTOBER 2019 25 CONGRATS MEGAN BEESTON 2019 EMERGING LEADER

Megan Beeston earned her IAEP at the KSU in 2016, where now she volunteer teaches IA.

Megan Beeston takes her place among the leaders of the Megan Beeston (far right) is leader of the Young Professionals IIA Atlanta Chapter by winning the Chapter’s Mulcahy Leadership training session at The IIA Atlanta Conference. Shown Award. Shown here with other 2019 MLA winners John Greene, here with her expert panel of Young Professional Leaders, Michelle Chelemer (also a 2018 IA Magazine Emerging Leader), Emil Delores White, Chair of the Chapter’s mentorship program, Tzanov, and Delores White. Also shown Bill Mulcahy, IIA Atlanta Stefanie Chambers, Member of an IIA Global Commi�ee, and Chapter President and IIA NA Chair Karen Brady. Thomas Sherrill, 2018 IA Magazine Emerging Leader. The IIA Atlanta Chapter’s mission is to be the premier professional associa�on dedicated to the promo�on, advocacy, and development of the prac�ce of internal TheaudiIIA Atlanta�ng in theChapter’sGreater missionAtlantais Me to tberopolitanthe pre mierArea.professionalThis shall incl associaude, �butonisd notedicatedlimited to to,the t hepromofollowing:�on, advocacy,Professionaland dedevelvelopmopment,ent ofpromo the �pracon�ofce IIAof intcer��ernalca� audi�ons,ng ininternal the Greater audit Atlantaresearch Me antropolitand informa �Area.on sharing,This shall and inclworkude,ing butwithis notuniversilimited�es to,to tpromotehe following:internalProfessional audit educa de�velopmon. Theent,IIA promoAtlanta� onChapterof IIA cerworked��ca�with �ons,Kenninternalesaw auditState researchUniversity a nandd informaGeorg�iaonStatesharing, Univers anditywork to estaingbwithlish IIAuniversiInternal�es Auditto promote Educa�internalonal Programs audit ed(IAEP)uca� on.at bothThe univIIA Atlantaersi�es. Chapter worked with Kennesaw State University and Georgia State University to establish IIA Internal Audit Educa�onal Programs (IAEP) at both universi�es. VISIT ourMOBILEAPP + INTERNALAUDITOR.ORGtowatcha series of videos featuringsomeof thisyear’s EmergingLeaders honorees.

MADDIE COOK is in the our profession,” she com- enviable position of work- ments. To assess controls ing in a role that requires her around that technology, to indulge in one of her internal auditors will need KENSON favorite pastimes. The job a robust understanding MUNSHYA requires travel, and Cook of how it functions, the says, “I really enjoy learning associated risks, and the CIA, CISA about the cultures that are organization’s strategy for 29 AUDIT MANAGER new to me and sampling integrating the technology STANBIC BANKZAMBIA local cuisine.” And her trav- into its business processes. LUSAKA els provide valuable insights “The more knowledge we for her global client work, have, the better we will be notes Pamela Hrubey, a able to assist, review, and Crowe managing director potentially advise manage- and Cook’s career coach. ment on implementation “She leverages the business in the future,” Cook says. experience she has gained She also points to significant from working in Canada opportunity to use these and the United States to technologies in audit work. support a variety of clients Companies are making with offices around the the move to blockchain globe,” Hrubey says, “bring- and other technologies to KENSON MUNSHYA first saw internal audit from the out- ing a balanced business advance their businesses, she side, and found himself impressed by practitioners’ insights perspective along with her notes. “Internal auditors will and deep understanding of the organizations he was audit- deep knowledge of internal need to adapt our ing externally. “Over time,” the Rusangu University Zambia controls.” The University of methodologies to maximize graduate says, “I started looking at the internal auditors’ Western Ontario graduate the associated benefits of the reports as one of the reference points to gain an understand- is also part of an innovation new tools by developing ing of clients.” Then he joined them—and started spreading team considering ways to audit programs that increase the word about internal auditing. “He has a mission to make leverage blockchain technol- organizations’ confidence in a difference in the profession,” says colleague Chuma Silu- ogy to create internal audit their use.” Outside the pro- tongwe. He adds that Munshya was instrumental in helping efficiencies, and she’s been fession, Cook has donated parent company Standard Bank Group’s Africa regions team researching the potential of her time to the Boys & Girls win the firm’s 2018 Group Internal Audit Mark of Excel- robotic process automation Club of America, a lence Award for enhancing the use of data analytics and audit and AI. “Clearly we will see, community food bank, and automation. Plus, he’s supported teams from Namibia, over time, these technologies an organization that builds Malawi, Botswana, and Mauritius in providing key insight playing a large role within bikes for kids. on IT-related engagements, such as cybersecurity and business continuity audits. Munshya says practitioners need to prepare for the future by improving their skills in data analytics, machine learning, and artificial intelligence (AI); he MADDIE COOK is piloting the automation of the company’s audit process using those very skills. Still, he adds, “ultimately, it comes CPA 30 down to one’s people skills to manage change and influence SENIOR MANAGER, decisions.” Internal auditing often involves negotiating with CONSULTING management, so a firm grasp of the disruptive technologies combined with people skills is key, Munshya stresses. “I’m CROWE LLP amazed at internal audit’s ability to influence an organization LOS ANGELES and be a change agent around strategy and operations, as well as around governance, risk, and internal controls,” he says. Outside of internal audit, Munshya enjoys decidedly low- tech pastimes, including chess, jogging, and reading. He also volunteers for outreach programs through his church and is an active member of IIA–Zambia.

OCTOBER 2019 INTERNAL AUDITOR 27 EMERGING LEADERS2019

ideas, and recommendations perform audits,” Wang says. almost every day to help Already, she has designed and add value to our organiza- built several data analytics tions.” Wang accomplishes programs to support internal JIAHUI “BELLA” that with a firm foundation audit’s objective of executing WANG of technical knowledge, more effective testing, Wind- CIA says her supervisor, Charles eknecht notes. Wang says her 28 SENIOR INTERNAL Windeknecht, Atlas Air’s vice department uses analytics AUDITOR, COMPUTER president, Internal Audit. routines during annual fraud INFORMATIONANALYST “She consistently exhibits a assessments to help manage- deep understanding of the ment isolate higher risk trans- ATLAS AIR INC. risk and control consider- actions. “Senior management PURCHASE, N.Y. ations she is assessing,” he is coming to us with more says, “by asking challenging requests to help them identify questions in a relevant and process improvement oppor- BELLA WANG was surprised be effective,” the St. John’s meaningful manner.” The tunities,” she says. Wang is to learn how much soft University graduate explains. questions change, of course, also active with the youth skills support the technical In particular, Wang says that as the technology that pow- education nonprofit Junior aspects of internal audit- recognizing the importance ers the profession changes. Achievement and often speaks ing. “I didn’t understand of sales skills was a profes- “Technology and automa- at area college and university the diversity of attributes a sional “aha!” moment. “We tion will make changes in events about the benefits of practitioner needs to have to are selling our expertise, how, where, and when we internal auditing.

Stephen Brown, CAE at PRGX Global, recalls the time MEGAN BEESTON was working on an IT project for his MEGAN BEESTON company as part of a co-sourced team when her supervisor was injured and unavailable for an extended period. CFE 29 “Megan stepped up and successfully managed the project PRG SENIOR ASSOCIATE with minimal oversight, and exceeded expectations in every way,” Brown says. The Kennesaw State University graduate FRAZIER &DEETER LLC says the experience provided her tremendous opportunity ATLANTA for learning and growth. “Working in public accounting constantly involves quickly and seamlessly adapting to unex- pected situations to avoid delays in projects and deadlines,” she says. She benefitted from having built good relationships with clients—and having the ear of her company’s managers. Early on, she says, she stepped back and realized that which she saw as a perfect fit. Her internship exposed her to internal audit has long used data analytics. But the progress a variety of roles and projects, piquing her interest even fur- underway now is even more exciting, she adds, as technol- ther. “The ability to wear many hats—as an extension of an ogy increasingly enables internal auditors to expand their organization as its internal audit function, as a service audi- capabilities past current roles. “Integrating IT concepts into tor, or consulting through process improvements and security our strategies will allow us to provide the most value-add to assessments—challenges me technically and as a person,” our organizations,” she says. “Any initiative for research or she says. Outside internal audit, Beeston plays tennis and training in technology and how we can apply systems to be watches college football. She also fundraises for the Leukemia more efficient is an important step for us.” Beeston came to & Lymphoma Society through her company, volunteers on the profession when a professor presented it in a compelling select weekends with the pediatric grief counseling organiza- way—making her realize she could use people skills to make tion Kate’s Club, and co-chairs the mentor–mentee program her role more successful and help people solve problems, at her local IIA chapter.

28 INTERNAL AUDITOR OCTOBER 2019 After a stint in external audit, work with student interns. In MARILYN CARNEVALE has fact, she was so effective that been happily surprised by she soon earned the title of how gratifying she’s found her internship program supervi- internal audit career—par- sor. Carnevale remembers ticularly the newness of each people leaving her former AIDAR assignment. “Internal audit public accounting firm for ORUNKHANOV procedures often have to be internal audit positions, but 29 developed from scratch to adds now: “Honestly, I did SOLUTIONSDIRECTOR meet the unique needs of an not even know if I would TAMR organization,” she says. “It’s be any good at it.” Her ties CAMBRIDGE, MASS. exceptionally challenging, to the university moved her but completely rewarding to pursue the position she’s when our recommendations in. “The fact that I’d never come to fruition.” At Rutgers, heard of internal auditing her alma mater, Carnevale was until about four years into assigned to assist on “a major, my career is partially why I multi-phased project,” reports believe in advocating for the her supervisor, Marion profession,” she says. That AIDAR ORUNKHANOV approaches internal audit from a Candrea, manager, Audit and includes educating students different perspective. The University of Illinois at Urbana– Advisory Services. “It was part about options beyond public Champaign graduate started out in data analytics and came of a highly regulated area that accounting. In her free time, across internal auditing by chance. But he noticed that the required a rigorous learning Carnevale volunteers at The profession was beginning to implement data-driven meth- curve that she easily over- IIA’s Central Jersey Chapter, odologies and saw the potential to implement analytics. came,” Candrea says, adding attends Rutgers athletics He’s now back in data analytics, at a start-up that applies that Carnevale started taking events, donates her hair to machine learning to data unification, but comments that the on lead auditor tasks right Locks of Love and Pantene massive amounts of data produced by new technology will away. With that responsibil- Beautiful Lengths—and propel internal auditing toward near-real-time functional- ity ity came the opportunity to plays the piano. and other elements of automation, raising some worries about technology replacing humans. But he says the technology can’t replace humans completely: “I’d call it ‘using new MARILYN tools’ rather than ‘managing robotic assets.’ Robotic process CARNEVALE automation [RPA] is an ideal solution to frequently repeated CIA, CPA rule-based processes.” RPA, in fact, should free up time for 30 more creative and exciting work, he says. One example: He SENIOR AUDITOR RUTGERS, led development of an automated dashboard at a former THE STATE UNIVERSITY OF employer that provides auditors with timely changes to risk NEW JERSEY PISCATAWAY, profiles and data-enabled outliers for testing purposes. He also N.J. co-led a hands-on data analytics training program for 200 colleagues. In addition, Orunkhanov lectures at Boston Univer- sity, teaching a graduate-level course in business analytics. On weekends, he enjoys travel photography. “The gear I carry has grown exponentially,” he says,” but an incredible Instagram picture is worth it all.” Orunkhanov also volunteers at a local food bank and helps families file their tax returns.

THIS YEAR’S HONOREES ARE MOTIVATED INDIVIDUALS WHO UNDERSTAND THE VALUE OF THE CIA CERTIFICATION AND THE COMMITMENT TO MAKE A DIFFERENCE IN THEIR ORGANIZATIONS

THROUGH THIS GREAT PROFESSION.—Michael Fucilli, Emerging Leaders judge OCTOBER“2019 INTERNAL AUDITOR 29” EMERGING LEADERS2019

any questions or observations, regardless of the business partner. Education helps. Ballweg started at American Financial Group right out of college, notes former colleague Brian McNalley, IT audit manager at Macy’s and a 2018 Emerg- ing CHRISTOPHER Leader. Since then, he has received two key professional BALLWEG certifications and an MBA from Mount St. Joseph University. CIA, CISA On the job, Ballweg has been a team leader for engagements 28 involving cybersecurity, disaster recovery, business continuity, IT AUDIT SUPERVISOR the Payment Card Industry Data Security Standard, and U.S. AMERICANFINANCIAL Sarbanes-Oxley Act of 2002 compliance. “A key challenge is GROUP INC. ensuring that our work is adding value to our various stake- CINCINNATI holders,” Ballweg says. Practitioners who want to be seen as trusted advisors, he adds, must know stakeholders’ goals and ensure that engagements are focused on delivering value. That, No matter how much internal audit technology advances, suc- he says, requires flexibility. “Continuous change is the aspect of cess in the profession will always rely on people skills, accord- the profession I enjoy most,” he says. When he started, cyber- ing to CHRISTOPHER BALLWEG. With a primary focus on security audits and the U.S. National Institute of Standards and IT audits, he sees technological advancements as key to driv- Technology Cybersecurity Framework were “still in their ing change—but the University of Kentucky graduate also infancy,” he says. “Now they’re on the mind of nearly every stresses that “relationship-building, clear communication, and stakeholder in an organization.” Ballweg has been active in The adaptability” are a practitioners’ most important competencies. IIA’s Cincinnati Chapter since 2013, and is a board member of Indeed, he says, auditors must be able to clearly communicate his local American Cancer Society Young Professionals group.

Melissa Morlan Donner — we’re proud of you!

Congratulations to our Bank of America teammate Melissa Morlan Donner for being recognized as a 2019 IIA Emerging Leader

30 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the author at [email protected]

having served on the IIA–Las execution of compliance, Vegas board as secretary, vice financial, and operational CHRISTIANE president of Programs, and audits of business operations DOLORES now vice president, notes her at casino properties in 29 supervisor, Victor Echenique, multiple states, and she’s a INTERNAL AUDIT Caesars’ internal audit direc- leader in the department’s MANAGER tor. Dolores led an awareness philanthropy efforts. Dolo- CAESARS ENTERTAINMENT initiative about the services res didn’t set out to be an CORP. internal audit provides and internal auditor, starting her LAS VEGAS created a brochure for Inter- career in Accounts Receiv- nal Audit Awareness Month able and moving around the that was distributed to 145 enterprise to learn several colleagues throughout the different accounting func- Caesars organization. She tions in the organization’s excels at her job, Echenique nongaming enterprises. “I Today’s students at the Uni- students and engage them in says, winning the “Audit had no intention of working versity of Nevada Las Vegas the internal audit commu- Ninja” title as internal audit’s for internal audit,” she says. have access to a career insight nity, she says, because most Employee of the Quarter Then, conversations with a that CHRISTIANE DOLO- of her time as a student was and Employee of the Year colleague helped change her RES didn’t. The alumna spent learning about external six times in a department of mind. Now she calls it “prob- makes a point to attend auditing. She’s become deeply more than 80 practitioners. ably the best decision I’ve events on campus to meet involved in the profession, She manages planning and made for myself.”

Congratulations Cheng Cheng MNP commends Cheng Cheng, CIA, on being chosen for the prestigious Institute of Internal Auditors’ Emerging Leaders recognition program. Aconsultant withthefirm’sEnterpriseRiskServices teaminToronto,Chengisoneof 15 internal audit professionals aroundtheworldto benamedfortheaward.Weapplaud his outstanding achievement! MNP is a leading internal audit services provider inCanada and an independent memberof Praxity, AISBL,the seventh largest global alliance of independent accounting firms around the world. We are proud to be a Platinum Sponsor of the2019 IIACanada NationalConference.

OCTOBER 2019 INTERNAL AUDITOR 31 EMERGING LEADERS2019

I WAS IMPRESSED BY THE LEVEL OF COMMITMENT THESE EARLY CAREER HONOREES HAVE TO THE INTERNAL AUDIT PROFESSION, DEMONSTRATED BY ACTIVE IIA INVOLVEMENT AND INVESTMENT IN

THEIR RESPECTIVE TEAMS.—Thomas Sanglier, Emerging Leaders judge

KATSIARYNA PRANOV- CAE at JSC MTBank. “She constantly expands her professional skills by attending STEVE SPITTLER “ICH has learned the value of seminars and conferences,” CPA,CISA listening. Early on, she found he says, “which allows her to ” 28 communicating with internal maintain professional rela- SENIOR IT INTERNAL clients to be “the most labori- tions with internal auditors at AUDITOR ous, difficult aspect of the similar companies here and LPL FINANCIAL job.” But then she learned to in neighboring countries.” FORT MILL, S.C. listen more attentively to her Indeed, Varyvonchyk adds, colleagues, she says, to focus Pranovich is a two-time better on what they need winner of the firm’s Best from her. “That, plus gain- Employee Award. One reason ing experience and exercising is her involvement in a proj- patience allowed me to adjust ect examining data mining for my style of communica- automated internal auditing, tion,” she explains. Pranovich which aims for continuous sharpens her people and monitoring of key depart- STEVE SPITTLER is a technology enthusiast with strong public speaking skills with mental indicators of possible people skills—two important assets for an internal audi- stand-up performances of process violations. Another tor specializing in IT engagements. “As companies move to her own comedy material in project Pranovich heads up the cloud and increase use of third-party vendors,” says the local clubs and cafes. One of is creating automated work- Bentley University graduate, “even practitioners who mainly her favorite parts of the job, papers and options for man- perform business or compliance audits need to understand the Belarusian State Technical agement decision-making the implications cybersecurity could have on their engage- University graduate empha- following audits. Pranovich is, ments.” Nearly every audit his team performs has cyberse- sizes, is helping colleagues deal in fact, lauded for her meth- curity considerations, he notes. A recent challenge involved with difficult situations. odologically accurate docu- leading both the Vendor SOC1 testing program and the Another is the opportunity to ments. “The devil is in cybersecurity audit for the enterprise, reports co-worker and “engage in different areas of the details,” she says, “espe- unofficial mentee Anja Erlandson, senior analyst, risk man- the organization’s activities.” cially with the increasing agement, at LPL. “He not only completed the tasks,” she Pranovich extends her speed of work and changes in says, “he assisted the business in creating new internal con- internal audit interactions business processes.” trols, making recommendations consistent with industry best outside the enterprise as well, practices.” He also has added visual analytics to audit reports, notes Pavel Varyvonchyk, analyzed large data sets to identify discrepancies, and tested KATSIARYNA the effectiveness of department policies and procedures. PRANOVICH The first few years of Spittler’s career were spent as a public 29 accountant conducting external financial audits; he says the CHIEF AUDITOR move to his current post represented an opportunity to grow JSC MTBANK his skills. His social network also has expanded. Spittler says: MINSK REPUBLIC OF “What I love about my job is the level of collaboration and BELARUS the people.” Most of his engagements are integrated, with the business audit and IT audit teams working together, he notes, citing the value of building relationships with clients. Practitioners often can see firsthand the improvements made because of their recommendations, he adds. Off the clock, Spittler volunteers at the Humane Society, the Metrolina Food Bank, and the Boys & Girls Club of America.

32 INTERNAL AUDITOR OCTOBER 2019 Meet the Judges ccording to this year’s judges, the 2019 Emerging their audit functions,” as one judge put it. The distinguished Leaders deserve recognition for their innovative group of judges, who hail from a range of organizations and thinking, service to the profession, and considerable backgrounds, also point to the honorees’ impressive array AIT expertise. Many, in fact, are “driving digital change in of business, audit, and communication skills.

MICHAEL SALLY-ANNE THOMAS JULIE WADE KARIN HILL, FUCILLI, CIA, PITT, CIA, SANGLIER, CIA, LATHROP, CIA, CASSELS, CIA, CIA, CGAP, QIAL, CGAP, CGAP, manag- CRMA, CPA, CRMA, CPA, CCSA, CRMA, CRMA, former CRMA, audi- ing director, Pitt internal audit North American senior IT auditor, director of tor general, Group Pty Ltd., director, Raytheon controller, HP Inc., Nielsen, Lakeland, Internal Audit, Metropolitan Richmond, Vic- Co., Waltham, Houston; direc- Fla.; member, IIA Texas Health Transportation toria, Australia; Mass.; vice chair- tor, Professional Publications Advi- and Human Authority, New director, Profes- man, Specialty Certifications, IIA sory Committee Services Com- York; director, sional Practices, Groups, IIA North Global Board of mission, Austin, Research, IIA IIA Global Board American Board of Directors; vice Texas; member, Global Board of of Directors Directors chair, Finance, IIA IIA Publications Directors North American Advisory Board of Directors Committee

Augusta University account- tension during engagements ing lecturer and current col- by checking clients’ work SARAH MURRAY league Steve Loflin, principal spaces for cluestoa favorite CIA internal auditor at Savannah football team or new grand- 27 River Nuclear Solutions, children. “I get them talking SENIOR AUDITOR says Murray’s skills in analyt- about those things to loosen SAVANNAH RIVER NUCLEAR ical and substantive testing them up,” she notes, “and SOLUTIONS are exceptionally advanced. see audit as a function that AIKEN, S.C. “As much as she impressed is truly there to help.” Mur- me as a student,” he com- ray also volunteers with local ments, “I’ve been even more youth ministries, and with impressed by her abilities as the River of Life, which pro- an internal auditor.” Loflin vides exterior home repairs For SARAH MURRAY, early enjoyed it enough to apply adds that Murray is known and improvements to local career inspiration came from for an internal audit intern- for her timely and effective community members. In an audit class project that ship and ended up “falling in auditing and her ability to addition, she’s active in, and involved creating flowcharts love with the work and the build relationships. Murray a former officer of, The IIA’s and identifying control defi- variety of people that you get does have an agenda: She’s Central Savannah River ciencies. “It was totally dif- to meet.” One part of out to end the “gotcha” and Area Chapter. ferent than anything I had the job she’s especially fond “take no prisoners” stereo- done in my accounting stud- of is working with data. “It types of internal auditors. RUSSELL A. JACKSON is a ies thus far,” she says. The always has a story to tell She makes a point to find freelance writer based in West Augusta University graduate you,” she notes. Former ways to minimize nervous Hollywood, Calif.

OCTOBER 2019 INTERNAL AUDITOR 33 Congratulations! To our own Maddie Cook, a senior manager in our consulting group. Maddie has been recognized as an emerging leader by her coworkers and by the Institute of Internal Auditors. Maddie’s smart decisions today provide lasting value to clients and coworkers.

crowe.com

The auditor’s mindset

Critical information may be missed in audit interviews when cognitive biases affect professional skepticism. Chih-Chen Lee Mark Riley Rebecca Toppe Shortridge

ognitive biases can threaten any individual’s capacity to make good decisions. For internal auditors, audit interviews pose unique settings in which cognitive biases can /

S threaten their professional skepti- /

D cism. Interviews are conducted to obtain important information in a variety of contexts, GODSEN

, including operational audits, compliance testing, and IT

METAMORWORK C audits. Although interviews rarely, if ever, constitute suffi- IMAGES)

L cient audit evidence on which to base a conclusion, it is still

(AL important that internal auditors maintain their professional D skepticism while conducting them. If an internal auditor allows a cognitive bias to impede his or her sense of profes-

BACKGROUN sional skepticism in an interview, the quality of planning : and of subsequent audit procedures is reduced. As a result, SHUTTERSTOCK.COM; PORTRAIT , SHUTTERSTOCK.COM; IMAGES SHUTTERSTOCK.COM extra time is spent following up on unreliable information

OCTOBER 2019 INTERNAL AUDITOR 35 THE AUDITOR’S MINDSET

The assumption of truthfulness is a DESCRIPTION AS TRUTH common bias that may impede effec- uring an internal audit team’s first day on site at a parts distribution tive decision-making and, by extension, center, it requests a walk-through of the facility to gain an under- professional skepticism. To combat truth bias, internal standing of the intake, storage, inventory, and shipment of parts. DA floor manager walks the team members through the facility explaining auditors should remain aware that the and answering their questions about each process. Based on the floor profession requires a questioning mind. manager’s explanations and answers, the team identifies the high-risk pro- By definition, truth bias involves a defi- cesses and develops testing procedures for those processes. On the third cient use of questions and additional day of the visit, the auditors begin testing the inventory process and note procedures just when they are needed that each test is failing. During the results validation meeting with the most. When relying on information general manager, the team learns the inventory processes described by obtained in an interview, it is impera- the floor manager were incorrect. Because the auditors accepted the floor tive that internal auditors ask them- manager’s description as the truth, they had to recreate and reperform the selves whether they employed a critical inventory testing. In hindsight, professional skepticism would dictate that mindset in assessing the information the internal audit team had no basis on which to trust the floor manager’s they received, in posing follow-up explanations as credible. Before identifying high-risk processes and questions, and in obtaining corrobo- designing and carrying out tests, the team should have taken additional rating information. If not, then truth steps, such as corroborating the explanations with documented evidence bias may have impeded professional of transactions. Asking themselves if they were comfortable basing sev- skepticism (see “Description as Truth” eral days of work solely on the explanations of one person who they had on this page). The findings in Norah just met could have saved the team significant time and effort. Dunbar’s, Artemio Ramirez Jr.’s, and Judee Burgoon’s Winter 2003 Com- munication Reports article, “The Effects of Participation on the Ability to Judge or, worse, important information is Deceit,” suggest that interviewers missed. Three biases, in particular, may should work in pairs, with one inter- affect internal auditors’ professional viewer performing the questioning, skepticism: truth bias, confirmation while the other member of the team bias, and the halo effect. observes. Dunbar and her co-authors find that the observer in such scenarios TRUTH BIAS is better able to judge deceit on the part The assumption that others are telling of the interviewee. the truth is necessary on a day-to-day basis to facilitate routine social interac- CONFIRMATION BIAS tion. If one tried to verify the truthful- When one seeks out or gives too much ness of every statement made by others, weight to information consistent with routine communication would grind to a specific belief, that is confirmation a halt. However, the tendency to believe bias at work. It may influence ques- others are providing truthful informa- tions asked and how the answers tion may prevent internal auditors received during an interview are pro- from employing appropriate levels of cessed. Internal auditors conducting professional skepticism, which entails, interviews can certainly fall victim to at a minimum, a belief that sources of confirmation bias by seeking out infor- information are neither truthful nor mation consistent with a specific belief untruthful. Truth bias has been docu- during those interviews. Often, this mented repeatedly in deception detec- involves seeking out information that /

tion research and seems to be a major processes are operating as they should. M factor limiting people’s ability to detect Confirmation bias has the potential

false statements in a variety of settings. to compromise an internal auditor’s ALEXY_ SHUTTERSTOCK.COM

36 INTERNAL AUDITOR OCTOBER 2019 Skepticism is about quality, not quantity—asking the right questions, according to The Institute of Chartered Accountants in England and Wales’ Skepticism: The Practitioner’s Take.

professional skepticism by steering the auditor toward a particular conclusion, SEEKING INFORMATION AS CONFIRMATION regardless of the facts. n inexperienced internal auditor meets with a business finance In their June 2011 Harvard Busi- manager to understand how payments are received from ness Review article, “The Big Idea: clients and processed. In preparation for the interview, the Before You Make That Big Decision…” Aauditor creates an agenda containing a list of questions. During the Daniel Kahneman, Dan Lovallo, and interview the auditor asks, “What do you do with checks you receive Olivier Sibony suggest managers com- from clients?” The business finance manager replies, “I deposit most bat confirmation bias by asking teams of the checks into the company account.” Without hesitation, the that are making recommendations auditor asks the next question on the agenda. She likely has a bias whether credible alternatives to their toward finding that the checks are all deposited in the correct bank recommendations have been consid- account. By ignoring the phrase “most of the checks,” the auditor fails ered. Interviewers should engage in a to detect that the business finance manager is depositing some similar process. checks in inappropriate accounts. In fact, during the course of the To combat confirmation bias in audit, it becomes apparent that the finance manager and other per- an interview setting, internal auditors sons are depositing some of the checks in their manager’s personal should enter with a conscious open- account for department parties and outings. The account owner and ness to learning about or uncovering the persons making the deposits are ultimately terminated. By seek- information that is inconsistent with ing out information consistent with what she knew should happen, the their prior beliefs. After the interview, internal auditor who conducted the interview initially missed the fact they should ask themselves whether that some checks were processed inappropriately, increasing the they learned anything that was contrary possibility that the audit could have missed this fact entirely. to their prior beliefs and whether they missed any opportunities to ask follow- up questions that would have uncov- ered such information. In other words, should. On the other hand, if they do as Kahneman and his co-authors rec- not like a person, they may have a bias ommend, consider credible alternatives. in the opposite direction. Either way, Such an approach is consistent with they are checking their professional professional skepticism. If the auditor in skepticism at the door. the “Seeking Information as Con- Kahneman suggests fighting the firmation” example on this page had biases created by the halo effect by entered, conducted, and reflected upon her interview with such an attitude, she would have been more likely to focus Considering credible alternatives is on the exception that was apparent in consistent with professional skepticism. the business finance manager’s response.

THE HALO EFFECT In the book Thinking Fast and Slow, verifying information using inde- author Daniel Kahneman describes pendent sources. In “The Weight of the halo effect as the “tendency to like Credentials” example on page 38, (or dislike) everything about a per- had the halo effect not compromised son —including things you have not the auditors’ professional skepticism, observed.” Internal auditors should be they might have been able to corrobo- aware of the biases created by the halo rate the information provided by the effect. If they like someone or view gemologist with independent sources. him or her favorably, they might tend Such sources should have included to weigh their opinions and estimates additional interviews, as well as docu- on all topics more heavily than they mentation. By taking such steps, they

OCTOBER 2019 INTERNAL AUDITOR 37 THE AUDITOR’S MINDSET

THE WEIGHT OF CREDENTIALS n internal audit team was auditing the jewelry return process at a merchandise return center. When the team inquired about the smelting and gemstone procedures, it was referred to the director of jewelry,

who also was a licensed gemologist. During the interview, the gemologist was knowledgeable, friendly, Aand eager to share everything that was working well and everything needing to be improved. As a result, the team viewed him quite favorably. Although some of his process descriptions did not make sense, the team members took the gemologist’s descriptions as accurate because he appeared happy they were there to help him fix all of his processes and, after all, he was a licensed gemologist. Nine months after the audit, the gemologist was arrested for selling gemstones to overseas buyers and depositing the money into his personal account. The auditors should have gathered additional evidence to corroborate the gemologist’s explanations about the jewelry return process, but they were blinded by his credentials and knowledge of jewels. They fell prey to the halo effect.

could have identified the error instead by walking through transaction pro- of relying on the statements from cesses or by testing transactions using someone perceived as having a halo. documented evidence. There were likely others involved in Professional skepticism is vital to the processes described by the gemolo- an internal auditor’s mindset, whether TO COMMENT on this article, EMAIL gist who could have discredited his he or she is gathering initial the authors at statements. Although there is no guar- information to plan an audit or con- chih-chen.lee@ antee the auditors would have detected cluding on audit findings. Cognitive theiia.org the gemologist’s scheme if they had biases — such as truth bias, confirma- sought out independent sources, they tion bias, and the halo effect— can certainly would have increased their compromise an internal auditor’s chances of detecting information that professional skepticism. When this would have prompted them to take happens, it can lead to an overreliance additional steps to further investigate on oral evidence, misinterpretation of the processes. answers received during audit interviews, and failed audits. Being aware KNOWLEDGE IS POWER of cognitive biases and the impor- There are several concrete steps audi- tance of professional skepticism can tors can take to fight the negative help internal auditors guard against effects cognitive biases have on audit these outcomes. interviews. In addition to conducting interviews in pairs, auditors should CHIH-CHEN LEE, PHD, CPA, CFE, is ask follow-up questions. This can help a professor of accountancy at Northern auditors gain valuable information Illinois University in DeKalb. during interviews. Next, they should MARK RILEY, PHD, CPA, is dean and obtain corroborating interview professor of accountancy at Northern evidence by speaking to multiple indi- Illinois University. viduals separately, rather than relying REBECCA TOPPE SHORTRIDGE, PHD, on the sole verbal representations of is chair in accountancy at Northern Illinois University. / one person. Finally, and most impor- S tantly, auditors should not rely only CLIFF NUXOLL, CIA, CFE, ACDA, inter- on evidence gained from interviews nal audit manager at Arthur J.Gallagher during audit planning or testing. They and Co.in Rolling Meadow, Ill., contributed SHUTTERSTOCK.COM METAMORWORK should obtain corroborating evidence to this article.

38 INTERNAL AUDITOR OCTOBER 2019 Automated Cross-Platform Access Controls

The Fastpath Assure® suite is a cloud-based security monitoring, SoD, and compliance platform that can track, review, approve, and mitigate access risks across multiple systems from a single dashboard.

Segregation Access AuditTrail/ User Emergency of Duties Certifications Change Provisioning Access Analysis Tracking

Visit gofastpath.com/iia2 THIRD-PARTY RISK the RISKS in supply chains

ver the last couple of years, supply chain risk has become a key concern for the U.S. government. In December last year, for example, the U.S. Senate passed the Federal Acquisition Supply Chain Security Act of 2018, which contains powers to establish a security council specifically charged with supply chain risk. Further legislation with ramifications for supply chain management —such as the Manu- facturing, Investment, and Controls Review for Computer Hardware, Intellec- tual Property, and Supply Act—has been tabled at a federal level. The hazards are many, but all point to a recognition that with increasing globalization and Odigitalization, supply chains have become longer, less transparent, and open to a range of threats. That means a business anywhere in the chain with weak security and controls is a potential target. “Supply chain risk is a huge issue in the U.S. right now,” says Dan Shoe- maker, director of the Master of Science in Information Assurance Program at the University of Detroit Mercy Center for Cyber Security and Intelligence Studies. He says it came to the attention of the U.S. government over fears that Chinese malware was turning up in U.S. military equipment. The risk with purchasing software is that vendors never give buyers the source code because of their need to protect intellectual property. So, companies effectively buy most software blind. Shoemaker says this exposes organizations that build and use complex systems to two key risks: 1) malware can be injected into components at the bottom of the supply chain where transparency tends to be lowest; and 2) poor-quality counterfeit products can slip into a system because of cost-cutting pressures. “This is the frontier in supply chain risk — we have systems built on top of systems that have all been built by mysterious people, and we have no idea who

40 INTERNAL OCTOBER 2019 AUDITOR A supply chain is only as strong as the business with the weakest controls. Arthur Piper / A SHUTTERSTOCK.COM TARAPATT

OCTOBER 2019 INTERNAL AUDITOR 41 THE RISKS IN SUPPLY CHAINS

they are, and we often have no idea Complex supply chains that entail huge, of how secure they are,” Shoemaker ongoing projects subject to multiple says. He adds, half-jokingly, if he were amendments can be daunting. But a country that wanted to take over internal auditors typically can get to the world, he would set up shop as a grips with the structure of their supply cut-price programming shop. “Every- chains by mapping what it looks like. thing I sent up the process ladder That will help flush out conflicts of would have a killer piece of software in interest between related-party compa- it that basically said, ‘When I push the nies, directors, and shareholders who button, I’ll take over the world,’” he may sit on both sides of a procurement says. “That would be easy to do deal, as well as reduce the risk of com- because unlike other things, we just pounding overhead costs, for instance, buy software without carefully looking within the project. Installing a at the ingredients.” Contract agreements can be volu- standards- Internal auditors can suggest pro- minous and take effort to digest, so based process cesses to reduce such supply chain risk, internal auditors who put in the hours wil“l help you he says, and insist their organizations have a fighting chance of helping their understand follow procedures established by the organizations manage them because what you U.S. National Institute of Standards each contract effectively builds its own and Technology (NIST), such as NIST distinctive rules around costs, profits, are buying, 800-161 that deals specifically with IT and target parameters, Kelly says. Fail- because you procurement and supply chain man- ing to understand the contractural can demand to agement, and also International Orga- intricacies is the No. 1 mistake inter- seeeverything When the nization for Standardization (ISO) nal auditors make, he adds. Internal that is going standards such as ISO 27000 dealing auditors trained in financial account- internal with information security. ing, for instance, cannot assume that on at any level auditor does of the supply “Installing a standards-based pro- they will be able to apply Generally his“or her job cess will help you understand what you Accepted Accounting Principles to any chain.” well, the cost are buying, because you can demand to items of expenditure. IT costs allow- recoveries are see everything that is going on at any able under the contract as a direct cost, Dan Shoemaker amazing.” level of the supply chain,” he explains. for example, may already be included “It will be documentation — not a in the overhead rate. Accruals may or Christopher Kelly physical examination of the actual may not be allowed. Only the activity—but that documentation will contract’s terms will make the correct not be available otherwise.” treatments clear. If the organization and its internal COMPLEX CONTRACTS auditors are on top of their contracts, In fact, supply chain documentation is however, data mining and analytics often ignored or badly managed by the become a powerful way of validating purchasing organization. Without a solid the costs charged against those allowed understanding of the contracts upon under the contract. That requires atten- which agreements to buy are based, tion to detail. Keyword searches for organizations run the risk of being arbi- entertainment, gifts, parties, or rework trarily overcharged by suppliers. because of the supplier’s mistakes can “Once signed, a shrewd supplier expose multiple errors, duplications, will hand the contract to their com- and advance charges, for instance. Cost mercial department to start drafting analysis also reduces the risk of organi- claims against you while the ink is still zations being charged up front by the wet,” Christopher Kelly, partner at Kelly supplier for work not yet completed and & Yang in Melbourne, Australia, says. then the supplier going out of business.

42 INTERNAL AUDITOR OCTOBER 2019 56% of health-care organizations have experienced a data breach introduced by one or more third-party vendors in the last two years, according to research from Censinet and the Ponemon Institute.

2019 SUPPLY CHAIN TRENDS The five themes impacting supply chains most in 2019: » Revision of the Minimum Security Criteria under the U.S. Border Protection’s Customs- Trade Partnership Against Terrorism (CTPAT). » Supply chain growth in Africa, which increases exposure to risks. » Ongoing mass migration, which poses both security and corporate social responsibility risks. » Dramatic shifts in politics, such as elections in Brazil, the U.S.-China trade dispute, and uncertainty over Great Britain’s departure from the European Union. » The continued threat to supply chains posed by cybersecurity issues. Source: BSI’s Supply Chain Risk Insights 2019 report.

“When the internal auditor does Chinese companies moving operations his or her job well, the cost recoveries to Africa, for example, or the U.S. are amazing,” Kelly says. The biggest sourcing goods from other Southeast recovery he achieved was about $9 mil- Asian nations—major implications will lion. “I didn’t get a bonus, but it got also evolve.” me noticed,” he says. “And as an audi- Rapid change requires a flexible tor wanting to advance in his or her strategy from internal audit teams. “It career, that’s not a bad thing.” is important to look at the supply Outside of the contract terms, chain through the lens of risk and changing the manager on the buyer resilience,” Jonathan Eaton, practice side of the contract can be disastrous. leader in Grant Thornton’s National On one audit, Kelly found that while Supply Chain Practice in Charlotte, the supplier had used the same man- N.C., says. “That means digging into ager on the project for 10 years, there the operating model to identify the were frequent changes to management potential failure points.” personnel at the buying business. “The Internal auditors can do that by contractor was running rings around using a Six Sigma tool called failure the buyer with unbudgeted charges, mode and effects analysis (FMEA), and when I asked for the contract, I for instance, or a host of other tools. was shown a heap of boxes and told, ‘We think it’s in there,’” he recalls. “It’s vital to keep continuity of knowledge The supply chain should be looked at when managing large-scale projects.” through the lens of risk and resilience. BUILDING RESILIENCE New supply chain risks are not as easy to detect and deal with. “We’re seeing But, he says, the question they need key shifts to global supply chains this to address is, “In your unique busi- year, driven by quite dramatic changes ness model and industry, what are the in the geopolitical landscape,” said Jim failure modes within your supply chain Yarbrough, global intelligence program that can hurt your business?” Eaton manager at BSI, the business standards says that’s something audit leadership company, at the launch of a new report will ultimately need to determine. “The this year (see “2019 Supply Chain buck stops with the chief internal audit Trends” on this page). “The concern executive on this,” he says. “If is that as supply chains change —with he or she knows that a business could

OCTOBER 2019 INTERNAL AUDITOR 43 THE RISKS IN SUPPLY CHAINS

be vulnerable within the supply chain, continually scan supply chain transac- but does not know where, when, or tions in real time and be programmed why, then he or she must take action to to alert for weaknesses and red-flag find out. A deep dive into the processes events. He says too few businesses have using FMEA is a great place to start.” made this move. “Internal auditors can Internal audit leaders need to introduce thought leadership into an ensure they are positioned as a trusted organization in this area by bringing in advisor to the business; otherwise, help- these advanced technologies to miti- ing the business deal with supply chain gate the risk and build supply chain risk is going to be virtually impossible. resilience,” he adds. But he also warns “You have to be able to proactively that an overdependence on technology track, manage, and measure risk,” he and analytics can equally make inter- says. “But nobody has a silver bullet that nal audit blind to the more complex Ifpeople is going to deal with all of the possible interrelated risks in the supply chain. wanttoevade combinations of risk that can arise. For supply chain technology to work sanctions, That is why having a good rela- well, it needs to be aligned strategically the“ywilllie— tionship with the business is important with the business’ objectives for supply whichiswhere for internal auditors, because the people chain risk management. sanctionrisk who manage the supply chain have to be forthright with internal audit about PREVENTING CRIME crossesover what the risks are and the triggers that Supply chains are also open to bribery, intopotential make them real.” corruption, money laundering, and fraud.” This task recently has become more human trafficking risks. More recently, difficult. Many companies have sanctions have become a pressing issue SamarPratt expanded their business and sales as the trade war between China and through the use of multiple sales chan- the U.S. gathers pace, and the Trump Thepeople nels, and they often have not reconfig- Administration applies pressure on its ured their supply chains to deal with the allies to keep its sanctions against Iran whomanage range of new platforms or delivery effective, for instance. The Office of thesupply requirements that are in play. Managing Foreign Assets Control, the U.S. sanc- chai“nhaveto risk in the supply chain in this scenario tions watchdog of the Department of beforthright becomes a way of protecting against the the Treasury, has been increasing its withinternal potential erosion of profitability, says activity in this area. auditabout Eaton, and internal audit needs to have “Corporations need to make sure whattherisks an in-depth knowledge of the business’ they understand the risk in their sup- operations to be able to truly assist the ply chain if they want to avoid being areandthe organization in this area. caught in the crosshairs,” says Samar triggers that He sees the ability to track, man- Pratt, managing director of Exiger, a makethem age, and measure risk as internal audit’s global governance, risk, and compli- real.” central role when it comes to supply ance business in London. But she chain resilience— particularly because warns that the boundaries between Jonathan Eaton those processes should be aligned to the different types of risks can be porous. biggest financial supply chain risks the “If people want to evade sanctions, business faces. Eaton describes robotic they will lie — which is where sanc- process automation (RPA) as tion risk crosses over into potential a brilliant tool once audit understands fraud,” she says. the business’ failure modes and its Internal auditors should expect strategy for tracking, managing, and their organizations to do solid due dili- measuring risk. RPA deals with high- gence checks, she says. “While there is volume, repetitive processes, so it can only so much a firm can do, as long as

44 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the author at [email protected]

it can demonstrate it is taking a risk- in the supply chain, IIA standards geopolitical risk increases and digita- based approach to its due diligence, it require them to look for fraud indica- lization gathers speed, supply chain will help the organization demonstrate tors. If found, internal audit is likely resilience is likely to become even to internal audit it is taking appropriate to refer those issues to the organiza- more important. It is a difficult area steps. As part of this process, organization’s fraud or financial crime team for internal auditors to master. Doing tions are increasingly using artificial and possibly the legal team. Pratt so requires wide-ranging knowledge intelligence-powered, automated due says internal audit’s follow-up role is of different types of contracts, the diligence technology to detect red flags frequently overlooked. That involves business, and its supply chain struc- while onboarding new suppliers, or to coming back in post-investigation to ture— as well as keeping up to date monitor third parties on an ongoing examine what went wrong in the sup- with fast-changing threats. But the basis.” Other methods include looking ply chain and add significant value rewards can be great. Internal audi- at the countries where raw materials to the business by focusing on the tors who can play a central role in are coming from, for instance, and, lessons learned and whether controls helping their organizations build potentially, where the risk warrants it, need to be strengthened. robust supply chains will enable them sending people to those countries to ask to compete globally and successfully questions on the ground. MAKING AN IMPACT integrate new products and services “The due diligence needs to be While the direct impact of mishan- into their offerings. proportionate to the risk and reflect dling a contract or breaking a govern- the risk appetite of the organization,” ment sanction can be significant, the ARTHUR PIPER is a writer who special- she adds. While internal auditors are reputational damage can be equally izes in corporate governance, internal not specialists in investigating fraud long-lasting and harmful. And as audit, risk management, and technology.

Join a select group of rising and distinguished internal audit professionals for a three-and-a- half-day, immersive executive development experience.

2019–20 Vision University Sessions Executive Development Chicago, IL Nov. 18–21, 2019 Kimpton Hotel Palomar Boston, MA June 15–18, 2020 Omni Parker House An Exclusive San Diego, CA Sept. 14–17, 2020 Kimpton Solamar Hotel Chicago, IL Nov. 2–5, 2020 Opportunity Kimpton Hotel Palomar Your Success Starts Here

www.theiia.org/VisionU

OCTOBER 2019 INTERNAL AUDITOR 45 ETHICS

Internal auditors should examine several “tacit truths” that often hinder organizational ethics. 6 Myths of Business Ethics Matej Draš ek

ecent corporate scandals at companies such as Nike, Volkswagen, and Wells Fargo have spotlighted the negative impact of poor ethical cultures. Meanwhile, public trust in business and government is low. Ethics is a key part of corporate governance. The past three decades have seen several moves to improve business governance and ethics: The Committee of Spon- soring Organizations of the Treadway Commission’s Internal Control–Integrated Framework, the U.S. Sentencing Reform Act, and the U.S. Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Ethics is a cornerstone of internal auditing, as well, both in terms of the ethics of practitioners and the profession’s role in providing assurance of organizations’ ethical practices. The International Standards for the Professional Practice of Internal Auditing Standard 2110: Governance calls on the internal audit function to assess the organization’s ethical climate, and The IIA’s Practice Guide on Evalu- ating Ethics-related Programs and Activities describes procedures to help auditors review organizational ethics. Yet, in addressing ethics, organizations and internal audit often are hindered by several myths. Internal auditors should step back and assess whether these “tacit truths” about ethics are actually helping organizations become more ethical. /

R A DAVOOD SHUTTERSTOCK.COM

46 INTERNAL OCTOBER 2019 AUDITOR Myth 1 The Code of Conduct Supports Ethical Behavior he first step in planning an audit of ethics is to check whether the organization has a code of ethics or conduct designed to help the organization and its stakeholders behave ethi-

a codecallinyplace.. In fact, most publicly traded companies around the world are legally required to have THowever, the main risk is not whether the code of conduct exists, but how it is used in the organization. There is mixed evidence that conduct codes actually help improve the ethical climate. Implementing a code of conduct could reduce ethical behavior, according to a 2011 study published in Decision Sciences Journal. A 2005 Harvard Business School study shows that the main goal of such codes is not to improve an organization’s ethical climate but to reduce possible legal fines in case of prosecution. Moreover, a 2018 Harvard Business Review study conducted by Hui Chen and Eugene Soltes found that a code of ethics has no impact on ethical decision-making.

How to address this myth Internal auditors should examine the actual practices of their organization’s code of conduct. Employees annually signing the code, checking for specific compliance policies in place to support and provide additional guidance on key components of the code, and conducting focus groups or surveys to assess the code of conduct are not enough. Based on various behavior experiments, the best practice is to require decision-makers to read and sign a statement that they are complying with the code before making every major decision, according to the book The Honest Truth About Dishonesty by Dan Ariely.

he average multinational company spends several million dollars a year on compli- Myth 2 ance, which can be even greater in highly regulated industries such as finance and The Despitdefensee such ,spendingaccordin,gextoecutithev201es complai8 Harvanrdtha BtusinescompliancsRevieewdoearticls noe btyoffeCher ann any tangibled Soltes. Tethical benefits. Putting these two trends together, executives are struggling to see how Compliance compliance can help improve ethics in the organization. Compliance programs are caught in the same dilemma as ethics codes: The pri- Program mary goal is to satisfy regulatory requirements or reduce penalties, rather than actu- Helps the ally help the organization become more ethical. Internal auditors also should keep in mind that compliance issues are not the same as ethical issues — what is legal is not

/ Organization the same as what is ethical and vice versa. V / ) ALIYE Become More How to address this myth

N For compliance programs to have a meaningful impact, internal auditors need to test what works and what doesn’t. The compli- (HANDS SHAHI Ethical , V ance program should experiment and innovate. One way is to test assumptions about how people actually behave versus what they say they do. Compliance should test which programs or internal controls work —using hypothesis testing FEOKTISTO

N or control and testing groups —to see why people do not follow the rules and IVA

, how rules should be presented to them. For example, some people respond more TOP

: to visual information, so for them, rules should be presented in a different form than for those who respond more to audio. SHUTTERSTOCK.COM: BOTTOM SHUTTERSTOCK.COM: SHUTTERSTOCK.COM IMAGES

OCTOBER 2019 INTERNAL AUDITOR 47 TO COMMENT on this article, EMAIL the author at [email protected] 6 MYTHS OF BUSINESS ETHICS

Myth 3 Whistleblowing Tools Reduce the Risks of

Unherecenthit casceaoflNikeB,ehwhichafaceviors gender discrimination lawsuits despite taking steps to alter its culture, shows that sometimes, even if the tools of enhancing ethics in an organization are enforced and communicated, unethical behavior may persist. EY’s 14th Global Fraud Survey Tfinds that people do not want to report wrongdoing and that reporting comes with significant risk. Challenging the status quo in any organization threatens people’s status and relationships with their supervisors and colleagues. Moreover, whistleblowing can be a self-serving tool when combined with the bystander effect—when a person is in trouble, others who are present often fail to intervene because they assume other people will do so or because they think it’s not their place to act.

How to address this myth The objective of whistleblowing should be to detect wrongdoing more timely. There are several ways whistleblowing can achieve this goal: Ʌ Establish legal protection for whistleblowing at the national, industry, organizational, and labor contract levels. Ʌ Offer financial benefits to whistleblowers. Ʌ Test whether the hotline works and is confidential— for example, by using “mystery tester” reports. Ʌ Conduct a mock performance of unethical behavior, such as deliberately backdating and signing a document in front of employees or staging an act of employee harassment, to test whether anyone reports it.

Myth 4 More Training in Ethics Myth 5 Is Bhe commoettern way to measure ethical training programs Individual is with completion rates, which are normally between Unethical 90% and 95%, according to Deloitte and Compliance TWeek’s 2016 Compliance Trends Survey. The problem is that this metric shows neither the quality of the training Character Can nor its effectiveness. Research by Carmel Herington and Be Curbed Scott Weaven shows that more training in ethics is not better and can sometimes reduce the engagement of employ- With the Right ees. However, training programs are easy to measure, and managers therefore encourage using them. Internal R FA

ne out- ;

Controls , How to address this myth The organization should strive for the come of LEFT

quality or customization of training for each employee. Ethical behavior is the 2008 ; not something that is the result of policies but is a practice that, as Aristotle Ofinancial crisis is says, becomes part of the person when in use. Organizations should tailor that it provided ethics programs to the individual’s specific need, moral development, and evidence that the SHUTTERSTOCK.COM /

character. At the very least, customization should be based on functions and character of exec- E corporate hierarchy, followed by measurement of employees’ moral utives was a contributing factor to the SHUTTERSTOCK.COM /

development, with subsequent training sessions grouped based on the worldwide crisis. For auditors, it should S SHUTTERSTOCK.COM PICONSM / ,

results. Ideally, training should be conducted in person rather than online be clear that personality and character II I R WORK TOP

and use real examples from people and organizations — especially ethical are not the same. The main difference is N H dilemmas that do not have an easy fix. that personality may change over time, , LEFT IMAGES : but character remains the same. ALEXAND

48 INTERNAL AUDITOR OCTOBER 2019 Favorable ethics outcomes rise 11fold when employees are encouraged to base decisions on organizational values and standards, according to ECI’s 2018 Global Business Ethics Survey.

Also, personality is the range of distinctive personal qualities and traits of an individual, but character refers to a set of morals and beliefs that defines how the individual treats others or behaves with others and himself. Changing character is not possible, though organizations are spending millions of dollars on these kinds of programs.

How to address this myth When an employee is already in the organization, it is fruitless to try to change his or her character to become more ethical. The root cause lies in the hiring process. Human resources practices are normally good at testing or examining the technical competencies of candidates as well as evaluating personal traits. When it comes to testing the ethical character of the candidates, most organizations fall flat. Internal auditors should check whether the organization’s hiring practices examine job candidates’ moral development. One well-established test is the Heinz dilemma, a thought experiment developed by psychologist Lawrence Kohlberg to assess moral reasoning skills, which ranks participants along six stages ranging from obedience to universal ethical principles.

Myth 6 BEING COURAGEOUS Goals Related to Ethics n letting go of these well-intentioned but misguided myths about ethics, or Compliance Help internal auditors should use criti- Ical thinking to challenge principles or Organizations and practices that seem to be great at first, Individuals Behave but actually could only be fads. The foundations of critical thinking are hen Enron went Mobankrupt,rebothEindependentthically investigators and company Socratic questioning of evidence, closely officials were clear: Enron’s goal-setting practices, which involved setting examining reasoning and assumptions, difficult and specific performance goals for employees, were at the heart analyzing basic concepts, and tracing Wof the misconduct. In fact, many of the goals were connected directly to compli- implications both of what is said and of ance and ethics, such as ethics training completion rates and regulatory fines paid. what is done. Especially where business Moreover, a growing body of academic research demonstrates that giving people ethics has challenges and old ways of specific, challenging performance goals can cause them to cheat on tasks or mis- doing things that do not work anymore, represent their performance. In addition, pressures that companies face striving for critical thinking becomes essential. quarterly earnings targets or personal goals in employees’ annual appraisal Courage is another integral part of interviews can contribute to unethical behaviors. auditing ethics. To speak up and show where the ethical risks lie sometimes How to address this myth If goals can lead to unethical behavior, involves going beyond the limits of the following the organization’s purpose can help build ethical behavior, organization. Internal auditors should according to Nine Lies About Work by Marcus Buckingham and Ashley have the courage to go further and not Goodall. When the organization has a purpose beyond maximizing value be afraid. or profit, employees develop a sense of belonging and behave more ethi- Ethics is a struggle against human cally no matter the specified goals. Moreover, strides in ethical behavior nature. New threats lie everywhere, and result from practice and repetition, which should be integral to the orga- sometimes people test the boundaries. It nization’s approach. is the auditor’s role to gather his or her Reflective thinking can help with this process. Reflective thinking is the courage and say “no” to these tempta- critical-thinking process that refers specifically to analyzing and making tions, and to believe that sometimes it judgments about what has happened. Reading clubs that feature books that takes just one individual to change the deal with ethical issues, regular meetings about ethical decision-making, and way people and organizations behave. /

II I ethics “hackathons” — exercises that examine the ethical implications of a R particular technology — are some methods to foster reflective thinking in the MATEJ DRAŠ EK, CIA, CRMA, is chief organization. audit officer at LON Bank d.d., based in SHUTTERSTOCK.COM ALEXAND Domžale,Slovenia.

OCTOBER 2019 INTERNAL AUDITOR 49 GOVERNANCE

ocial media’s strategic role within orga- boards to focus on the latest YouTube debacle or Twitter mis- nizations has grown exponentially as it take, rather than understanding the broader risks. Therefore, has become a ubiquitous juggernaut of internal audit should ensure board members fully understand nonstop information of varying degrees the risks and opportunities related to social media, as well as of accuracy and relevance. But its risks to the organization’s activities. the organization have accelerated, as well. To keep up, organizations need a strong Training Internal audit should ensure the board has been governance structure that specifically trained appropriately on new and emerging social media emphasizes social media. technologies, how they are used, the risks to the organization Similarly, social media’s high impact and its industry, and how competitors are using social media. and high risks mean internal audit should look closely at all Such training will help the board understand how the organi- related activities. Perhaps the most important of these activi- zation developed its strategic approach and what it needs to ties for internal audit is ensuring the organization’s social be successful. media governance is effective. S Communication Internal audit should ensure communication IT STARTS AT THE TOP channels allow the board unfettered and timely access to the Any aspect of governance starts with the board. As part of its information it needs about social media. In addition to infor- assurance efforts, internal audit should ensure the board mation from executives, this communication should come understands the broad scope of risks related to social media, from committees responsible for social media, departments as well as the board’s role in establishing an appropriate gov- involved in developing and communicating through social ernance structure. media, and front-line personnel who are dealing with day-to- Foundationally, the organization already should have an day issues that can quickly grow into organizational disasters. effective governance structure in place. But the fast pace of Internal audit can provide assurance that board mem- change related to social media means the board should take a bers are prepared by examining activities at the highest levels more active role in ensuring the organization’s governance of the organization. The best way is for auditors to speak structure addresses unique social media issues effectively. directly with board members to gain assurance that direc- This not only helps the organization successfully achieve tors are providing the best oversight possible. Additionally, these objectives, but also further ensures the organization will auditors should review correspondence and minutes of board not be broadsided by change, irrelevance, and damaging meetings, as well as the information received by the board, reputation issues. to ensure that it has been kept in the loop. They also should The board must understand the changing landscape of social media, as well as the current and evolving risks. Further, directors must understand the organization’s social media strategies—both the strategies specific to social media and those using social media to better achieve objectives. This includes understanding how the strategies were developed and how they support the organization’s overall mission. Finally, the board should understand how the organization will address emerging issues, potential crises, and the overall changes in the social media environment. Ultimately, board members must be able to lead conversations that get to the heart of the organization’s approach (see “Questions the Board Should Ask” on page 55). To Socia ensure the board is prepared to successfully oversee social l media activities, internal audit should focus on three areas: knowledge, training, and communication.

Knowledge The constant press coverage related to social media “fails” has resulted in boards becoming more aware of social media’s risks and pitfalls. But it also has led many Media

50 INTERNAL OCTOBER 2019 AUDITOR review training materials to ensure materials cover all appropriate areas and that all board members have participated.

EXECUTIVE OVERSIGHT At the next layer of governance, the executive level is responsible for developing and implementing the organization’s social media strategies and objectives, as well as ensuring they align with the organization’s other strategies and objectives. Like the board, executives should obtain assurance that social media projects are advancing as expected, the projects are aligned with other strategies, the objectives are being met, significant risks and issues are communicated, and all other necessary information is brought to executives’ attention timely. Best practice is to assign a social media champion at the executive level to oversee social media activities organizationwide and be responsible for their success. The executive should fully understand and believe in the value of social media to the organization, while also understanding the associated risks. This individual also should have the status to freely communicate potential issues and concerns to fellow executives. Otherwise, social media activities may fail because of lack of interest. It also is best practice to establish a social media oversight committee to handle responsibilities at a more granular level. The committee should encompass all departments with a role in social media and include individuals with the authority to initiate changes. The committee will be responsible for ensuring the alignment and success of all social media strategies, objectives, and plans; monitoring project progress; and communicating potential issues. The executive

Internal audit can make an impact by looking at how the board, executives, and three lines of defense address Governance social initiatives.

J. Michael Jacka and Peter R. Scott / S NIVEN SHUTTERSTOCK.COM Y SERGE

OCTOBER 2019 INTERNAL AUDITOR 51 TO COMMENT on this article, EMAIL the author at [email protected] SOCIAL MEDIA GOVERNANCE

champion should be an active member and internal audit—to understand the of this committee, providing guidance specific risks and responses that apply to and ensuring necessary communication their functions. between the committee and executives. The first of these lines, operational Much of internal audit’s review of management, owns and manages the executive oversight is similar to that out- risk. These are the operational manag- lined for the board—just more detailed. ers responsible for maintaining effective This includes obtaining assurance that internal controls and executing ongoing executives receive ongoing training that risk and control procedures. Each oper- allows them to understand how social ational function must understand the media can best be used, and that execu- impact of social media on its responsi- tives are adequately updated on social bilities, as well as the function’s role in media. In addition, internal audit should the organization’s social media presence. determine whether executives are actively Although their roles and responsibilities ensuring their individual departments are can vary from one organization to the using social media appropriately, next, the following are functions that and that those activities are aligned with could be involved with social media. other departments and functions. Interviews with executives are the MarketingThis function is responsible best way for auditors to obtain this for marketing through social media information. And, while social media- channels, including brand management. focused interviews can be an important Responsibilities include ensuring social part of the review, an effective alterna- media delivers a consistent message to tive is to discuss the topic in meetings the right customers, brand integrity and standards are maintained in all social The executive champion can be a media channels—including the activities of agencies and third-party vendors significant source of information about —and the message being delivered the status and growth of social media. matches organizational objectives. Sales The sales function’s responsibilities include ensuring sales efforts on social media match marketing’s mes- about departmental risks, concerns, and sage, delivery of products and services upcoming initiatives. Special attention sold through social media is accurate should be paid to the executive cham- and timely, and follow-up is taken pion, who can be a significant source of on leads generated through social information about the status and growth media. The department also must keep of social media. If the relationship is cul- online sales information updated and tivated appropriately, the champion can accurate, and use social media data to be a source for potential areas of review. analyze trends related to leads, sales, and returns. Ultimately, the function THE FIRST LINE OF DEFENSE should ensure social media improves A challenge in any governance structure sales efficiencies and costs. is ensuring coordination among the teams that manage the various aspects Customer Service This function of risk. Effective social media gover- ensures complaints received through nance requires each of the three lines of social media are handled efficiently, defense—operational management, risk customer satisfaction in the online sales management and compliance functions, process is maintained at the desired

52 INTERNAL AUDITOR OCTOBER 2019 59% of companies say social media is very important to their marketing strategy, but just 30% say it has been very effective, according to Buffer’s State of Social Report 2019.

SOCIAL MEDIA GOVERNANCE AT A GLANCE

EXECUTIVE THREE LINES BOARD MANAGEMENT OF DEFENSE

RISK, CONTROL, OPERATIONAL + INTERNAL MANAGEMENT COMPLIANCE AUDIT FUNCTIONS

CUSTOMER PUBLIC HUMAN MARKETING SERVICE RELATIONS SALES IT RESOURCES

RISK MANAGEMENT COMPLIANCE SECURITY QUALITY

levels, and customers are referred to the IT This function develops and maintains and the organization’s other policies, and appropriate goods and services. Cus- hardware and software used for social monitor employee satisfaction through tomer service also makes sure all online media. IT’s responsibilities include external comment boards and websites. communications maintain the appro- ensuring customers have a seamless priate tone and social media is used to experience while using social media and THE SECOND LINE accurately measure customer satisfaction. maintaining sufficient backups to reduce The second line of defense com- or eliminate downtimes. This function prises those functions that ensure first Public Relations Also known as cor- implements technology to achieve the line of defense controls are designed porate communications or community organization’s social media objectives and appropriately, in place, and operating relations, public relations manages how ensures access to the organization’s social as intended. Spanning the organiza- the public perceives the organization. media sites is controlled. tion, these functions provide assurance Its responsibilities include ensuring related to their field of expertise. Second social media messages related to public Human Resources This function uses line functions need to keep abreast of relations match the overall messaging social media to recruit new employ- changes in social media with a particu- strategy and monitoring exists to iden- ees and potentially uses social media lar emphasis on issues impacting the tify, avert, and mitigate crisis situations. to deliver training. Human resources areas they oversee. As with the first line of Public relations also should have an should ensure that training on the use of defense, the specific structure and effective crisis management plan that social media includes all employees and responsibilities of second-line functions includes responding to social media all facets of social media use. It should differs among organizations. In review- issues and using social media as part of ensure a social media policy is developed ing governance, internal audit should the crisis management process. that complies with existing regulations ensure that the organization is addressing

OCTOBER 2019 INTERNAL AUDITOR 53 SOCIAL MEDIA GOVERNANCE

all of the potential social media oversight function should ensure all employees roles these functions perform. understand the risks related to inappropriate use of social media. Risk Management This function ensures social media risks are under- Quality This function is responsible for stood throughout the organization and ensuring the organization’s use of social included in risk assessment processes. media complies with standards related Responsibilities include ensuring all to brand and image. Its responsibilities risk assessments consider social media, include ensuring branding and imag- departments keep abreast of emerging ing within social media accounts match established standards, and making sure overall quality and professionalism of Auditors should consider providing social media interactions match the an overview of organizationwide desired level. The quality function also should ensure information reported responses to social media risks. through social media channels is accurate, and the organization takes effective corrective action on identified issues.

issues and risks related to social media, THE THIRD LINE and those issues and risks are commu- Internal audit provides the board and nicated timely. The risk function also senior management with independent must ensure all departments’ risk assess- and objective assurance of the other two ment and management procedures lines’ efficiency and effectiveness. To that address social media risks appropriately. end, auditors should ensure that all enti- ties in the three lines understand social Compliance The compliance function media risks as well as their responsibilities is responsible for ensuring existing reg- for those risks. Internal audit can use two ulations are reviewed for reinterpreta- approaches to provide this assurance. tions that may impact social media and The first is to conduct an overall that new and changing regulations are review of social media, focusing on the monitored. It must advise all depart- functions where the greatest risk may ments of regulations that will impact reside. This review may entail separate their use of social media and ensure audits of social media for each function that potential noncompliance issues are —which will provide detail on how the reported and acted upon. function is performing —or a review of social media risks, adding focus on Security The security function must potential gaps among departments. ensure appropriate access to and control The second approach is to include over social media activities. It ensures social media as a risk area in all audits general IT security controls such as planned for the year. The results should password, antivirus, anti-malware, and be included in the individual reports, firewalls have been established and are but auditors also should consider pro- being used effectively. It also makes sure viding an overview of organizationwide that access to the organization’s social responses to social media risks. media accounts is restricted appropriately, all accounts are monitored for AUDIT’S SOCIAL IMPACT suspicious activity, and accounts that are Social media has become an integral no longer in use have been decom- part of any organization’s success and an missioned. Additionally, the security area that internal audit functions ignore

54 INTERNAL AUDITOR OCTOBER 2019 71% of consumers who have a positive social media experience with a brand are likely to recommend that brand to their family and friends, Lyfe Marketing reports.

QUESTIONS THE BOARD SHOULD ASK well-informed board is equipped to ask the impor- How are we monitoring social media activity tant questions about the organization’s use of for potential negative issues? Does this include plaintiff, activist, regulator, and vendor social social media. To ensure the organization under- Astands its social media strategies and direction, here are media activity? some questions board members should be prepared to Monitoring is an important part of the organization’s ask and the organization should be able to answer. social media risk management process. Almost every How are we using social media to engage with social media fail could have been better controlled our customers, open new markets, and recruit had the organization monitored and responded to top talent? social media conversations appropriately. Monitor- These three areas are only a small part of how the ing can provide early warning about public relations, organization is using social media. But they provide a brand, regulatory, or legal issues before they get out good foundation to ensure the organization under- of hand. stands the impact of social media, and they may help How are we interacting with the organization’s the organization explore how best to use it. followers, friends, etc.? How are our competitors using social media? The board needs to understand how success is mea- Social media is a competitive advantage. Without under- sured related to the investment in social media. The standing how the competition is involved, the organiza- important aspect of this question relates to how any tion cannot know if it is ahead of or behind the curve. measures of success will be used to positively impact Understanding the competition’s use of social media organizational objectives. Board members should be also provides lessons learned without actually taking asking for a direct link between social media metrics the risks. In addition, following competitors on social and broader organizational success. media provides insights into their strategies and plans What do board members need to do to ensure they beyond social media. keep out of trouble? How are our employees and other stakeholders First, the board must be assured that it has the using social media? What do we allow? information necessary to understand and respond This question generally will lead to a discussion about to relevant social media risks. Second, board existing social media policies. But the primary purpose members must understand how their use of social is to provide assurance that the organization is aware media —whether as a representative of the orga- of the risks related to employee and stakeholder use of nization or as a private citizen—can impact the social media, is monitoring those activities, and is pre- organization. While these are questions that should pared to respond quickly to potential issues. be asked by board members, they also are excel- What regulations regarding social media does our lent questions for internal audit to use during its organization need to be aware of? reviews, particularly at a governance level. The Board members need assurance that the organization questions dig deeply into the knowledge and aware- understands the impact of regulators on the organiza- ness of all social media participants. tion’s use of social media, monitors compliance with those regulations and regulatory changes, and takes Adapted from “Critical Social Media Questions for the Board appropriate actions. Room” by Richard S. Levick, Fast Company, 11/27/12.

at their own peril. In providing assur- understanding of, and assurance work PETER R. SCOTT, CAE, APR, is CEO at ance regarding social media, governance related to, social media. the American Academy of Optometry in can be one of the most impactful areas Orlando, Fla. in which internal audit can provide J. MICHAEL JACKA, CIA, CPA, CPCU, Jacka and Scott are the authors of value. Moreover, reviewing governance CLU, is chief creative pilot at Flying Pig Auditing Social Media, Second Edition, establishes a foundation upon which Audit, Consulting, and Training Services published in August by The IIA’s Internal internal audit can begin to build its in Phoenix. Audit Foundation.

OCTOBER 2019 INTERNAL AUDITOR 55 BoardPerspectives

BY JIM PELLETIER

BLUE BELL BLUES Growing case law affirms board liability.

nvestor lawsuits seeking to disregarded warnings about of care by failing to put in hold directors liable for contamination risks and kept place adequate internal con- failures in their oversight the board in the dark about trol systems. The Caremark duties were bolstered in the issue. Rule that came from the June by a case involving Blue From 2009 through case, and set a precedent IBell Creameries. Marchand 2014, regulators identified for future director liability v. Barnhill did not signal numerous health safety com- claims, states, “a director’s a change in law, but it did pliance failures. Yet, even obligations includes a duty affirm a legal standard that though several positive tests to attempt in good faith boards that fail to make a showed the presence of liste- to assure that a corporate good faith effort to oversee ria, including one test from compliance information and a material risk area breach an independent lab, board reporting system, which the their “duty of loyalty.” minutes reflected “no board- board concludes is adequate, Legalese aside, the Blue level discussion of listeria.” exists, and that failure to Bell case provides a compel- Despite what would do so under some circum- ling example for directors appear to be a glaring lack of stances may, in theory at to examine. While legal board oversight, the Delaware least, render a director liable standards set a high bar, Court of Chancery dismissed for losses caused by non- Marchand demonstrates that, the case in fall 2018, ruling compliance with applicable in certain circumstances, the plaintiff failed to show legal standards.” ignorance about poor risk that directors had breached Cutting through the management is not a defense their “Caremark duties.” legalese again, Caremark against board liability. establishes an obligation The details around the What Are Caremark for directors to at least try lawsuit are well-established. Duties? to make sure “a reasonable A 2015 listeria outbreak Caremark duties are the board-level system of moni- linked to three deaths caused result of a 1996 Delaware toring and compliance” is in Blue Bell Creameries to shut Chancery Court decision in place. Failing to do so could down production, recall all the derivative action case make directors liable for products, and later reduce brought by shareholders losses relating to com- its workforce by more than of Caremark International pliance failures. one-third. An investor suit Inc., alleging the board of In Marchand, the alleged senior management directors breached its duty Delaware Supreme Court READ MORE ON STAKEHOLDER RELATIONS visit InternalAuditor.org

56 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the editor at [email protected]

overturned the lower court’s dismissal, concluding “the com- reflect official board actions. In Blue Bell’s case, this strategy plaint supports an inference that no system of board level backfired in that the official account of business reflected that compliance monitoring and reporting existed at Blue Bell.” no time was spent discussing mission-critical issues. The court noted the board failed to establish a committee to monitor food safety or devote time in meetings to discuss What’s Next? food safety compliance. Of significance is the court’s opinion The Marchand case and its relevant Caremark implications that “... food safety was essential and mission critical.” are but one of a growing number of pressure points on boards relating to oversight duties. As the list of governance failures Protecting Against Caremark Failures and scandals grows, regulators, investors, and the general pub- Reasonable and informed directors typically should not have lic are demanding more oversight and more accountability. to worry about Caremark failures. As the Delaware Supreme A February article in Business Law Today eloquently Court made clear, boards get into trouble when they ignore articulates the need for a fundamental change in how board their oversight responsibilities. directors approach their jobs: There are valuable lessons in the court’s findings in “A substantive checks and balances approach Marchand that can help protect boards and head off behaviors addresses the roles, responsibilities, and relationships that make them vulnerable to successful Caremark claims. It is among the key elements and players in a firm’s gov- important to note that the court’s findings that follow center ernance, controls, and oversight system. Institutional on the Blue Bell board’s failure to understand its “mission- investors, individual investors, and other market and critical” risk: food safety. regulatory interests increasingly demand that those involved in corporate governance recognize their Blue Bell had no board committee that addressed food responsibilities and are held accountable in address- safety. Boards must understand what is mission critical for ing these responsibilities. An additional emerging their organization, whether it’s food safety at Blue Bell or data expectation is that senior leaders in an organization, protection at Facebook, and assure that it has systems in place both board and management, recognize that a lead- to monitor compliance with mission-critical regulations. er’s role is one of service rather than entitlement.” The article goes on to say that governing structures that con- Blue Bell management was not required to keep the solidate power and authority into fewer hands often fail if indi- board informed about food safety compliance practices. viduals in power feel entitled to do as they please. It adds that Boards cannot assume management will bring all problems to boards must be involved in formulating checks and balances their attention, and, therefore, must be proactive in seeking and take active roles in executing them. “Carrying out these out information about compliance with mission-critical risks. active roles will necessarily lead to regular interaction with the CEO and others in senior management as well as with a Blue Bell had no regularly scheduled discussions about company’s internal and external auditors,” the authors write. food safety. Mission-critical risks must be discussed and “While tone at the top may sometimes remain only as words assessed on a routine basis by the board. that do not actually affect behavior, the institution of checks and balances can exert considerable influence.” Blue Bell’s board received favorable information about These fundamental changes won’t happen overnight, food safety but negative information was not shared. especially in organizations with entrenched systems and Boards cannot assume that management will willingly present practices. But clearly the era of boards providing obsequious the bad along with the good. It must establish processes to approval to management is over. To continue to do so is not discover all relevant information from management and seek just counter to prevailing investor sentiment, it also makes additional reliable sources of information, including turning boards increasingly susceptible, as demonstrated in Marchand. to internal audit to provide independent assurance on the Such a transition cannot happen without a system of accuracy, completeness, and timeliness of the information the effective checks and balances, as described in the Business Law board receives, particularly around mission-critical risks. Today article. Given this current environment of increased exposure, boards would do well to seek internal audit’s inde- Blue Bell board minutes reflect meetings were “devoid of pendent assurance and advice on critical issues. any suggestion that there was any regular discussion of food safety issues.” Traditional approaches to protecting the JIM PELLETIER, CIA, is vice president, Standards and board include limiting details in minutes, which often only Professional Knowledge, at The IIA in Lake Mary, Fla.

OCTOBER 2019 INTERNAL AUDITOR 57 Customize Your Membership with a Specialty Audit Center

INFLUENTIAL. IMPACTFUL. INDISPENSABLE.

The IIA’s Specialty Audit Centers provide targeted resources focused on issues that matter most to you and your stakeholders — to keep you influential, impactful, and indispensable. Learn more at www.theiia.org/SpecialtyCenters

GOVERNMENT FINANCIAL SERVICES ENVIRONMENTAL, HEALTH & SAFETY 2017 - 0766 Insights/The Mind of Jacka TO COMMENT on this article, EMAIL the author at [email protected]

BY J. MICHAEL JACKA

DON’T JUST MEASURE IT, DO SOMETHING!

Auditors should ow do you measure should be developed in sup- to get better. At most, if make sure they’re the success of your port of the audit department’s they are not meeting the measuring the right internal audit mission. If the department criteria promised to the audit department? The cannot demonstrate how committee, there will be things—and using subject comes up repeatedly the measures support that much wailing and gnashing results the right way. Hin conferences, articles, mission, then they become of teeth as the chief audit research, and chapter meet- vanity measures serving no executive promises improve- ings. It is obviously an issue purpose other than saying, ments. Then the failures that plagues and perplexes “Look at us!” Note also the are merely used as a blunt audit departments every- assumptions built into this instrument to bludgeon where, and finding the rule—internal audit has a members of the audit depart- answer seems to be a holy mission statement, that mis- ment into doing better. grail quest for the profession. sion is in alignment with the Internal audit functions The challenge certainly organization’s mission, and rarely analyze their shortfalls doesn’t come from a lack every auditor knows and can against success measures to of possibilities. Everything recite the mission statement. determine the root cause. from audits completed to Missing any of these elements Too often their response is a use of available audit hours results in ineffective measures. simple, “We didn’t meet the to requests for audits to However, most impor- measures of success this year customer satisfaction to cor- tant is rule No. 2: At the end so, honest, we’ll work harder rective actions completed of the day, have a plan for next time.” This is a response to efficiency improvements how all those measures will we wouldn’t accept from a identified to certifications be used. Author and market- client, and one we cannot achieved to the number of ing guru Seth Godin once accept from ourselves. auditors who can dance on stated, “Don’t measure any- Make sure you are the head of a pin have been thing unless the data helps measuring the right things. suggested, adopted, and you make a better decision or Make sure you are meticu- rejected. But we all con- change your actions.” And lously ensuring the cred- tinue to search for internal unless an audit department ibility of the resulting data. audit’s success-measurement uses its measures to improve And then make sure you are El Dorado. internal audit’s choices, do using the results to effect The reason our search better work, or make the positive change. continues to fail, even with department more effective, this unending supply of pos- then collecting the associ- J. MICHAEL JACKA, CIA, sibilities, is that audit depart- ated data is just a waste of CPCU, CFE, CPA, is ments forget two important resources, time, and effort. cofounder and chief creative rules pertaining to the devel- Many audit functions pilot for Flying Pig Audit, opment of success measures. measure, but I have seen very Consulting, and Training Rule No. 1: The measures few that use those measures Services in Phoenix. READ MIKE JACKA’S BLOG visit InternalAuditor.org/mike-jacka

OCTOBER 2019 INTERNAL AUDITOR 59 Eye onBusiness

FROM EMERGINGTOLEADER Past Internal Auditor Emerging Leaders share how their careers have progressed since they were recognized.

How has your career while working alongside being friendly and respect- advanced since becoming industry experts, in an ful, asking questions, hav- an Emerging Leader? environment that openly ing a strong work ethic, BORDELON Since being promotes and rewards etc. You can learn the hard recognized as an Emerg- individuals for professional skills through research and ing Leader in 2014, I have development. on-the-job training, but received multiple promo- you often cannot teach soft tions. I’m now an associate What is your advice for skills. These are usually the director at my firm. I’m new internal auditors? distinguishing characteristics still at the same great firm RUSATE Never stop learn- between leaders and the sta- 14 years after starting as an ing. You can always obtain tus quo. intern in 2005. I also have more knowledge through LESLIE BORDELON expanded my family and certifications, internal busi- What skills have helped ness processes, industry level you most in your career? Associate Director have a four-year-old son and Protiviti a two-year-old daughter. Try- knowledge, etc. I have BORDELON Maintaining ing to set a good example for pursued a variety of internal a positive outlook/disposi- them and show them that audit skill sets because I tion regardless of the project, I have a job that I love and expect that the internal audi- client temperament, loca- can excel at while also being tor of the future will need tion —travel or not —or present and visible for them to have a strong background circumstance has been is a daily goal. in financial, operational, IT, an essential skill that has RUSATE Since 2017, I and regulatory matters to helped me in my career. I have further developed keep relevant in the evolv- try to look at all situations ALEX RUSATE myself professionally by ing business landscape. New in a positive light and see all Senior Associate obtaining my Certified technology, such as intel- projects as an opportunity Risk Consulting, IT Internal Auditor, Certifica- ligent automation, will help to add one more arrow to Audit and Assurance KPMG tion in Risk Management scale down the tedious tasks my quiver of skills. Having Assurance, and Certified that consume auditors’ time this outlook has helped me Information Systems Audi- and allow them to work on when deadlines are tough tor designations. Working more sophisticated matters or I’m traveling away from for my current employer that require a higher skill set. my family. Another skill that has given me the opportu- BORDELON Don’t overlook has helped me is flexibility. nity to advance my skills, the soft skills of listening, I’m a planner by nature and READ MORE ON TODAY’S BUSINESS ISSUES follow us on Twitter @TheIIA

60 INTERNAL AUDITOR OCTOBER 2019 TO COMMENT on this article, EMAIL the author at [email protected]

love to know what I’m working on for the next week, year, or What frustrates you most in your work? even five years. Being a consultant in internal audit has chal- BORDELON I get frustrated with the negative connotation lenged me in that area as my schedule/work commitments some people have regarding Sarbanes-Oxley work. I think change almost daily. Trying to go with the flow and be flex- that work is a fantastic way to learn all aspects of a company, ible has been a skill that I’ve had to develop over time, but build relationships with clients, and expand your knowledge one that has served me well in my career. of an industry. Sarbanes-Oxley work has been invaluable in RUSATE Thinking critically and taking on new challenges my career and has afforded me the ability to work on both with enthusiasm are two traits that have helped me most in my hard and soft skills. my career. Thinking critically has helped me when I have RUSATE A challenge in the profession is working with identified opportunities for improvement for unaddressed engagement contacts to make sure you maintain a good risks during walkthroughs and testing, and not simply taking balance between achieving audit deliverable dates while management’s explanation at face value. Typically, manage- still being cognizant of their day-to-day responsibilities. ment will know significantly more about a process than you; Maintaining a mutually respectful relationship with the however, when you combine critical thinking with your engagement contacts will help ensure the audit is received in holistic knowledge of the company, you can identify risks and a positive manner and ensure the sustainability of effective opportunities for improvement. Taking on new challenges, audits going forward. such as auditing areas not traditionally reviewed or subject matter that I do not have experience with, has helped to Why do you stay in the profession? enhance my career. When encountering these situations, I RUSATE I stay in the profession because of the diversity of make sure that I have or develop the skills needed to conduct the subject matter, growth opportunities, and the ability to the engagement before accepting it in accordance with IIA add value across the entire organization. This profession Standard 1210: Proficiency. When you have the ability to allows me to gain exposure to functions across businesses, identify risks, discover process improvements, and step up which then enables me to more accurately identify key risks to address engagements that are important to the chief audit within processes. Furthermore, internal auditing is growing executive, management, or the board, it helps make you a faster than most other professions, according to the U.S. trusted advisor. Bureau of Labor Statistics. As reported in the last issuance of the bureau’s Occupational Outlook Handbook, employment What has been your most satisfying moment as an for internal audit professionals will grow 10% from 2016 to internal auditor? 2026, faster than the 7% national projected average for all RUSATE My most satisfying moment was when the global occupations. The main reason I stay in the profession is to controller reached out to the internal audit team to ask that add value to the organization. Whether it be through identi- we help at an advisory level to investigate a potential fying risk and working with management to mitigate it down accounting issue at a manufacturing plant. The figures were to an acceptable level or identifying process improvement not consistent with management’s expectation or the fiscal opportunities that drive revenue or cut costs, those are some performance of the other manufacturing plants, and man- of the most rewarding aspects of the profession. agement did not have resources available to look into the BORDELON I stay in the profession because I enjoy the irregularity. I was assigned to the engagement and was able to mentoring that my job enables me to participate in and determine the root cause of the issue —the implementation being able to help my clients solve problems and achieve of a new ERP system the previous year. Identifying the root their goals. My colleagues, teams, and mentors are an exten- cause enabled management to implement corrective actions sion of my family, and I truly feel valued and appreciated in that led to the company having increased profitability from my company and by my clients. that plant on a consistent basis. I’m also excited about the future of internal auditing. BORDELON I worked on a project last year with a very As companies start to embrace new technologies such as tight deadline, a mountain of work, and a good bit of machine learning and robotic process automation, internal travel. I had a team of all stars, and we worked together to audit teams have to really rethink how they approach their accomplish more than anyone thought possible in such a work. Adopting more agile practices and understanding both short period. In fact, we not only completed the project on the opportunities and the risks presented by these technolo- time, but delivered extra value in many ways and built some gies will put next-generation auditing in a great position to great friendships and bonds along the way. It’s a project that help companies transform their businesses. I’m really looking I won’t soon forget. forward to being a part of that process.

OCTOBER 2019 INTERNAL AUDITOR 61 Next-GenInternalAudit— AreYouReady?

Discover what internal audit teams are doing with data and technology to provide effective risk management more efficiently and more predictively.

Download Internal Auditing Around the World, Volume 15 at protiviti.com/iaworld

protiviti.com

NOV. 4–13 NOV. 12–21 DEC. 3–12 IIA Audit Report Writing Cybersecurity Auditing in Operational Auditing: CONFERENCES Online an Unsecure World Influence and Positive www.theiia.org/ Online Change conferences NOV. 5–8 Online Tools & Techniques II: NOV. 18–21 L ead Auditor Vision University DEC. 9–12 OCT. 21–23 Online Chicago Multiple Courses All S tar Conference Orlando MGM Grand NOV. 5–14 DEC. 2–4 Las Vegas Critical Thinking in the IT General Controls DEC. 9–18 Audit Process Online Building a S ustainable 2020 Online Quality Program DEC. 2–13 Online MARCH 16–18 NOV. 6–15 CIA E xam General Audit Fundamentals of Risk- Preparation —Part 2: DEC. 10–12 Management Conference based Auditing (NEW) Practice of Internal COS O Internal Control ARIA Resort Online Auditing Certificate Las Vegas Online Dallas NOV. 11–20 JULY 20–22 Performing an E ffective DEC. 3–6 DEC. 11–12 IIA International Quality A ssessment Multiple Courses Data Analysis for Internal Conference Online New York Auditors Miami Beach Convention Online Center NOV. 12–15 DEC. 3–6 Miami Multiple Courses Multiple Courses DEC. 16–19 Las Vegas Princeton, NJ S tatistical S ampling for IIA Internal Auditors NOV. 12–20 DEC. 3–12 Online TRAINING CIA E xam Preparation — Fundamentals of IT www.theiia.org/training Parts 1, 2, & 3 Auditing DEC. 17 Lake Mary, FL Online Fundamentals of Internal Auditing Online NOV. 4–7 Multiple Courses /

M San Antonio, TX RAWPIXEL.CO : THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events

BPHOTO ESHUTTERSTOCK.COM R/NOVEMBER/DEC

OCTOBER 2019 INTERNAL AUDITOR 63 Insights/In My Opinion TO COMMENT on this article, EMAIL the author at [email protected]

BY CHRIS DOGAS

WELL-DESERVED CRITICISM?

Internal auditors have uring the last few operating budget, which the chief audit executive taken heat from years, internal audit- limits the function’s ability to reports administratively to numerous reports, ing has faced signifi- cover organizational risks. the chief financial officer cant criticism from Not surprisingly, many (CFO) and functionally to though many don’t both stakeholders and prac- surveys of the profession reveal the audit committee. show the full picture Dtitioners. Much of it centers that internal audit struggles to This configuration risks the of the profession. around audit effectiveness attract and retain talent, is CFO providing insufficient and the profession’s ability mostly underfunded, and budget and other resources to identify and report risks lacks resources, including and using internal audit to and failures, as highlighted technology. Gartner’s 2018 complete projects and tasks in research from professional Audit State of the Function not included in the audit service firms. The IIA’s own report projected budgets plan—activities that might 2019 North American Pulse increasing only slightly in ordinarily fall on other CFO of Internal Audit points 2019 and flat head count for functions —thereby detract- to audit communication 2019, consistent with prior ing from internal audit’s deficiencies and potential years. And among respon- ability to conduct risk-based misalignment with corporate dents to Deloitte’s 2018 audits or complete its plan. boards on risk areas. But Global Chief Audit Executive Given its limited bud- does the profession deserve survey, more than 40% said gets, inadequate technology all of this criticism? Is it truly their audit functions lacked resources, understaffing, and underperforming? skills and talent; plus, only lack of autonomy, the profes- In my experience, senior 21% used advanced analyt- sion does not deserve much management at publicly ics. How can the profession of the harsh criticism it has listed companies mostly views proactively identify and man- received. Only when the internal audit as a necessary age cutting-edge risks in areas audit function is truly inde- evil—a nonessential service such as blockchain, cyberse- pendent and empowered will function that is either curity, and fraud when it does it be able to provide effective required by a listing exchange not have appropriate capital support to management and or by corporate boards. Oth- and technology? the board, sit at the forefront erwise, there is no general But limited budgets and of risk management, and be appetite to maintain an inter- resources are not the able to proactively identify nal audit function unless the profession’s only impedi- and help remedy corporate senior executive team, or the ments—lack of control over misconduct and fraud. board, recognizes the value internal audit’s activities internal audit adds in provid- and purview, as manifested CHRIS DOGAS, CRMA, ing assurance and improve- through our organizational CPA, CFE, is vice president ment opportunities. Because reporting relationships, also of Internal Audit at a large internal audit is not valued, presents a problem. At most technology company in the it is not granted sufficient U.S. publicly listed firms, New York metropolitan area. READ MORE OPINIONS ON THE PROFESSION visit our Voices section at InternalAuditor.org

64 INTERNAL AUDITOR OCTOBER 2019 The IIA Congratulates the 2018 Certified Internal Auditor® (CIA®)* Award Winners!

William S. Smith Award – Gold Kurt Riedener Award – Bronze (Highest Scoring Candidate) (Third Highest Scoring Candidate) Alexandra Elena Staeben, CIA USA Gannon Burleigh, CIA USA A.J. Hans Spoel Award – Silver Dr. Glenn E. Sumners Award – Student (Second Highest Scoring Candidate) (Highest Scoring Student Candidate) Ching Nam Leung, CIA Hong Kong, China Emilie McRoberts, CIA USA

The IIA also recognizes the Certificate of Excellence (Next 10 Highest Scoring Individuals) and Certificate of Honor (Next 50 Highest Scoring Individuals) recipients including, but not limited to:

Certificate of Excellence:* Airish Ebreo, CIA Philippines Jennifer Lusa, CIA USA Scott Stepanek, CIA USA John Gentry, CIA USA Matthew Owens, CIA USA Onur Tuzenli, CIA Turkey Jennifer Hurley, CIA Ireland Brian Reny, CIA Canada Ng Peng Keong, CIA Malaysia Dean Rogers, CIA USA

Certificate of Honor:* Karla Angeline Andrade, CIA Justin Gibert, CIA USA Craig McMeechan, CIA USA Philippines Li Hwi Goh, CIA Hong Kong, China Vincenzo Mongio, CIA USA Jeselle Baldomero, CIA Philippines Darlene Harris, CIA USA Percy Mupita, CIA United Kingdom Natasha Bhatia, CIA Canada Erin Hayes, CIA Canada Marta Nieszporowska, CIA Poland Tessalonica Cabeliza, CIA Philippines Rochelle Hersley, CIA USA Jorge Orozco, CIA USA Reeva Calapatia, CIA Philippines Benedikt Hintze, CIA Germany Hinrik Pálsson, CIA Iceland Savio Frederico Ceita, CIA Brazil Michael Hostinsky, CIA USA Adam Polywka, CIA USA Christine Croskey, CIA USA Anna Lawrence, CIA USA Jennifer Salisbury, CIA USA Jean-Luc Cueni, CIA Switzerland Janet Lee, CIA Canada Sherazade Shafiq, CIA Austria Michaël Delaet, CIA Belgium Joonchul Lee, CIA Korea Tomas Slaninka, CIA Slovakia Matej Drascek, CIA Slovenia Yan Yin Ian Lee, CIA Hong Kong, China Liam Smith, CIA Canada Matthias Dunkel, CIA Germany Benjamin Lessard, CIA Canada Nancy Tieu, CIA Canada Sonja Erickson, CIA USA Sandra Loh, CIA Singapore Daniel Washburn, CIA USA Andreas Friedrich, CIA Germany Leroy Loomis, CIA USA Yan Wu, CIA Canada Miguel Ángel Arévalo Galán, CIA Jason McGowan, CIA USA Han Zhang, CIA USA Spain Kathryn Downs McGuire, CIA Canada Mark Galley, CIA Canada

Join us in congratulating the following individuals for highest achievement on specialty certification exams:

Certification in Control Self-Assessment® (CCSA®) Certified Government Audit Professional® (CGAP®) Joseph Andrew Cox, CIA, CCSA, CGAP, CRMA USA Wendy Magno, CIA, CGAP USA Certified Financial Services Auditor® (CFSA®) Miguel Ángel Arévalo Galán, CIA, CCSA, CFSA, CRMA Spain

The IIA congratulates all award winners. It is their dedication to their profession and understanding of the benefits and importance of certification that has led each to achieve these honors.

*Awards are based on individual performance on the core CIA exam parts 1, 2, and 3. With year-round testing, award recipients must pass each segment of the exam on their first attempt within one year of beginning the testing process.

2019-3292 March 16–18, 2020 ARIA RESORT &CASINO | LAS VEGAS, NV

SAVEtheDATE! www.theiia.org/ GAM