
JUNE 2019 A PUBLICATION OF THE IIA

INTERNAL AUDITOR

A Risk Management Case Study
North American Board Chair: It's Time to Step Forward
Thwarting Bias in AI
The Audit Committee Ethics Expert

THE CLEAR CHOICE
ETHICS: Mounting evidence shows better business performance for organizations that choose an ethical path.

INTERNALAUDITOR.ORG
Aug. 12-14 | Ft. Lauderdale, FL, USA

GRC 2019 Program Is Aligning for Impact
The IIA and ISACA are excited to once again partner to bring you “THE” event for governance, risk, and control! This year will feature two thought-provoking professional leaders to open and close the conference:

Patrick Schwerdtfeger, Business Futurist: Embracing Disruptive Innovation
Simon T. Bailey, Executive Advisor, Career Mentor, Author: Shift Your Brilliance — Leading Amidst Change and Uncertainty

GRC 2018 sold out, so don’t wait — register now for GRC 2019 and save $200!
www.theiia.org/GRC
HighBond by Galvanize.
The powerful, easy-to-use software platform to efficiently manage your entire audit workflow.
Visit us at booth 406 at the 2019 IIA International Conference.
weGalvanize.com
Blockchain
Innovative technology for healthcare revenue cycle

Trust – or the lack thereof – remains a fundamental issue among stakeholders in the healthcare revenue cycle. Additionally, many of the critical processes are still performed manually.

Providers and payers can benefit from innovative technologies such as blockchain, which can:
• Verify that transactions on the network are real
• Improve trust and transparency – once a transaction is written onto a blockchain, it cannot be removed
• Authenticate transaction origination to confirm actual account owner and help avoid fraud

Learn more about our patent-pending blockchain solution at crowe.com/hcblockchain-ebook.

David Uhryniak, Blockchain Services Leader, +1 312 632 6573, david.uhryniak@crowe.com
Eric Boggs, Principal, +1 615 360 5522, eric.boggs@crowe.com

Visit www.crowe.com/disclosure for more information about Crowe LLP, its subsidiaries, and Crowe Global. © 2019 Crowe LLP. CC2015-001A
JUNE 2019 VOLUME LXXVI: III

FEATURES

24 COVER The Right Path. With help from internal auditors, organizations can reap the performance benefits of ethical decision-making. BY RUSSELL A. JACKSON

30 In Line With Risk. Implementing a risk management program can better align an organization’s risk profile. BY DORINA HAMZO

36 Step Forward. IIA’s 2019–2020 North American Board chair, BENITO YBARRA, says internal auditors can do more to enhance and protect organizational value.

42 Bias in the Machine. Organizations that depend on artificial intelligence models must control for factors that could expose them to discrimination risk. BY ALLAN SAMMY

47 Areas of Deficiency. To inform the audit committee on external audit quality, internal auditors need to be familiar with the PCAOB inspection process and recurring findings. BY ELENA ISAACSON, HEATHER LOSI, AND DOUGLAS M. BOYLE

52 Don’t Manage Risk — Manage Value. Changing risk standards pave the way for organizations to bring their experts together to both pursue opportunities and cope with threats. BY MARINUS DE POOTER

DOWNLOAD the Ia app on the App Store and on Google Play!

FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org


Trust Your Quality to the Experts
Leverage an External Quality Assessment in 2019

Build confidence with your stakeholders through a solid Quality Assurance and Improvement Program (QAIP). Look to IIA Quality Services’ expert practitioners to provide:
■ Insightful external quality assessment services.
■ On-time solutions and successful practice suggestions based on extensive field experience.
■ Enhanced credibility with a future-focused QAIP.

IIA Quality Services, LLC, provides you the tools, expertise, and services to support your QAIP.
Learn more at www.theiia.org/Quality


JUNE 2019 VOLUME LXXVI: III

DEPARTMENTS

PRACTICES
7 Editor’s Note
8 Reader Forum
10 Update. Privacy compliance identified as a top risk; AI may reduce environmental impacts; and executives seek ethical improvements.
14 Back to Basics. Auditors can help ensure the accuracy of data used for decision-making.
17 ITAudit. Internal audit shouldn’t drive IT strategy.
20 Risk Watch. Auditors should assess compliance with social media policies.
22 Fraud Findings. A new auditor uncovers a CFO’s fraud.
63 Calendar

INSIGHTS
56 Board Perspectives. Boards could benefit from more ethics expertise.
59 The Mind of Jacka. Auditors need to turn audit techniques on themselves.
60 Eye on Business. CAEs are being asked to report on the organization’s culture.
64 In My Opinion. Internal auditors should quantify their recommendations.

ONLINE InternalAuditor.org
Getting a Handle on Harassment. What’s considered appropriate behavior in the workplace is continuing to evolve. Organizations need to respond to the changes and ensure employee protection.
Assessing AI Initiatives. In our latest video series, Brian Foster, Microsoft general manager, Internal Audit, walks through the challenges of auditing AI.
Crime’s Digital Transformation. Fraudsters and cybercriminals are bringing innovation to wrongdoing, harnessing mobile digital platforms and advanced technologies to commit disruptive crimes.
Fuel for Fraud. A recent case underscores ongoing fraudulent activity in biofuel subsidy and compliance credit programs.

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations. Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2019 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. CANADA POST INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.
Are you ready to challenge the
diverse risks of a cyber world?
Assure. Advise. Anticipate.

As cyber risks continue to grow in frequency, variety, and the potential harm
they can cause, a static approach to auditing isn’t sufficient to address the
emerging risk and threats in the digital world. Internal audit has a critical role
in helping organizations in the ongoing battle of managing cyber threats. Learn
more about how Deloitte is helping organizations meet the expectations of
boards and audit committees today to deliver greater assurance, advise on
critical business issues, and anticipate risk. Are you ready?

Visit www.deloitte.com/us/CyberIA

Copyright © 2019 Deloitte Development LLC. All rights reserved.


Editor’s Note

CULTURE, ENGAGEMENT,
AND BUSINESS SUCCESS

In a recent article on Gallup’s website, “3 Daily Actions That Set the Tone for Workplace Culture,” author Craig Kamins writes, “Some workplace cultures motivate employees and fuel performance.” Others, he says, “drain employees’ motivation and make employees feel as though they have no control over their environment nor an incentive to perform.”
According to Kamins, employees’ perceptions about their work culture hinge on their leaders’ words and actions. Three daily behaviors that set the tone for the workplace culture, he writes, and lay the “groundwork for exceptional engagement,” are:
1. Be respectful toward employees.
2. Communicate what is happening in the organization.
3. Promote accountability and fairness.
A few years ago, The IIA’s chief marketing officer, Monica Griffin, took on the
responsibility of addressing The Institute’s corporate culture. As the organization
grew and evolved, it was a task that was long overdue. She and her working group,
of which internal audit was a part, identified cultural challenges and developed
The IIA’s core values:
• Put Our Members First
• Do the Right Thing
• Commit to Shared Success
• Work Smart
Today, staff — from the top down — are measured by how well we adopt these
values. They are part of our annual performance review, and we are recognized
for exhibiting them. After all, by engaging in these behaviors we better serve our
members, which enhances The IIA’s reputation and business performance.
In this issue of Internal Auditor, we examine organizational culture from mul-
tiple angles and consider internal audit’s role in helping ensure it remains healthy.
Our cover story, “The Right Path” (on page 24), considers how an organization’s
ethical culture affects its bottom line. The new IIA North American Board chair,
Benito Ybarra, says it is part of internal audit’s job to help drive an effective corpo-
rate culture (see “Step Forward” on page 36). In “Board Perspectives” (on page 56),
author Matt Kelly asks, “If society wants corporations to exercise a sharper sense
of ethics and moral responsibility, do we need more ethics and compliance officers
serving on boards?” Plus “Eye on Business” (on page 60) considers what it takes to
assess, monitor, and report on the organization’s culture. And don’t forget to visit
InternalAuditor.org and read Jim Roth’s ongoing series on culture.
When it comes to organizational culture, we’ve got you covered.

@AMillage on Twitter

JUNE 2019 INTERNAL AUDITOR 7


Reader Forum
WE WANT TO HEAR FROM YOU! Let us know what you think of this issue.
Reach us via email at editor@theiia.org. Letters may be edited for clarity and length.

Proactively Address Risk
What I have found in my experience on risk committees is that executive managers are often hesitant to report emerging risks not clearly affecting their company today, unless they can show proactive actions or treatments. For many executives, merely saying they are monitoring the trend or direction of the potential event or risk is not enough, and they defer discussions at the board or audit committee levels. I find this fear limits the value of risk governance and diminishes the real need for management to be constantly monitoring their risk landscape and giving that comfort to the board. In fact, sharing a risk insight might be appreciated and more impressive to the board than sweeping it under the rug.
I guess culture eats risk management for lunch!
MICHAEL LYNN comments on “Anticipating Surprises” (“Update,” April 2019) on LinkedIn.

Outside of College Control
College admissions is a very complicated process with many moving parts. Art Stewart’s lesson learned about setting, monitoring, and enforcing clear standards for the role of admissions consultant and essay-writing services is outside the control of a school’s admission department. We have no control over parents hiring admission consultants and have no way to enforce it. Also, his lesson learned about a review of how applicant documentation and testing is conducted is also partially outside the control of the college or university. The colleges/universities are not the ones administering or proctoring the ACT or SAT — the colleges/universities just get the test scores. It is ACT’s and SAT’s responsibility to check a student’s proof of identification.
ANONYMOUS comments on Art Stewart’s “Big Scam on Campus” (InternalAuditor.org).

Maintain Independence
The risk management function must be an integral part of any transformation project. However, the internal audit function should only be involved to the extent the principle of independence is not compromised.
MANU VARGHESE comments on Tim McCollum’s “Fit for Digital” (InternalAuditor.org) on LinkedIn.

Audit Report Attention
Thanks for bringing to our attention the audit report errors. Most of the time we are focused only on fulfilling requirements and sometimes we make mistakes. It is helpful to recognize where we should pay twice the amount of attention in our reporting.
ALBANA GJINOPULLI comments on the video, “Common Audit Reporting Mistakes” (InternalAuditor.org), on LinkedIn.

JUNE 2019 VOLUME LXXVI: III

EDITOR IN CHIEF Anne Millage
MANAGING EDITOR David Salierno
ASSOCIATE MANAGING EDITOR Tim McCollum
SENIOR EDITOR Shannon Steffee
ART DIRECTION Yacinski Design
PRODUCTION MANAGER Gretchen Gorfine

CONTRIBUTING EDITORS Wade Cassels, cia, ccsa, crma, cfe; J. Michael Jacka, cia, cpcu, cfe, cpa; Steve Mar, cfsa, cisa; Bryant Richards, cia, crma; James Roth, phd, cia, ccsa, crma; Charlie Wright, cia, cpa, cisa

EDITORIAL ADVISORY BOARD Dennis Applegate, cia, cpa, cma, cfe; Lal Balkaran, cia, fcpa, fcga, fcma; Andrew Bowman, cpa, cfe, cisa; Mark Brinkley, cia, cfsa, crma; Robin Altia Brown; Adil Buhariwalla, cia, crma, cfe, fca; Wade Cassels, cia, ccsa, crma, cfe; Faizal Chaudhury, cpa, cgma; Michael Cox, fiia(nz), at; Haylee Deniston, cpa; Kayla Flanders, cia, crma; James Fox, cia, cfe; Michael Garvey, cia; Jorge Gonzalez, cia, cisa; Nancy Haig, cia, cfe, ccsa, crma; Daniel Helming, cia, cpa; Karin L. Hill, cia, cgap, crma; J. Michael Jacka, cia, cpcu, cfe, cpa; Sandra Kasahara, cia, cpa; Michael Levy, cia, crma, cisa, cissp; Merek Lipson, cia; Thomas Luccock, cia, cpa; Michael Marinaccio, cia; Alyssa G. Martin, cpa; Dennis McGuffie, cpa; Stephen Minder, cia; Rick Neisser, cia, cisa, clu, cpcu; Hans Nieuwlands, cia, ra, ccsa, cgap; Manish Pathak, ca; Bryant Richards, cia, crma; Jeffrey Ridley, cia, fcis, fiia; James Roth, phd, cia, ccsa; Katherine Shamai, cia, ca, cfe, crma; Debora Shelton, cia, crma; Laura Soileau, cia, crma; Jerry Strawser, phd, cpa; Glenn Sumners, phd, cia, cpa, crma; Stephen Tiley, cia; Robert Venczel, cia, crma, cisa; David Weiss, cia; Scott White, cia, cfsa, crma; Rodney Wright, cia, cpa, cfsa; Benito Ybarra, cia

IIA PRESIDENT AND CEO Richard F. Chambers, cia, qial, cgap, ccsa, crma
IIA CHAIRMAN OF THE BOARD Naohiro Mouri, cia, cpa

CONTACT INFORMATION
ADVERTISING sales@theiia.org; +1-407-937-1388; fax +1-407-937-1101
SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES customerrelations@theiia.org; +1-407-937-1111; fax +1-407-937-1101
EDITORIAL David Salierno, david.salierno@theiia.org; +1-407-937-1233; fax +1-407-937-1101
PERMISSIONS AND REPRINTS editor@theiia.org; +1-407-937-1232; fax +1-407-937-1101
WRITER’S GUIDELINES InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS INC.


2019 ENVIRONMENTAL, HEALTH & SAFETY EXCHANGE
Connect. Collaborate. Evolve.

SEPT. 16–17, 2019 / Washington, D.C.

Early Registration Savings

The Environmental, Health & Safety (EHS) Exchange is the premier conference dedicated to the development and professional practice of environmental, health and safety auditing. The landscape of this industry is shifting and EHS auditors need to be prepared. Benefits of attending:
• Improved performance in the leadership of EHS practices and EHS auditing.
• Leading practices, data-driven insights, and trends that will position you as a seasoned professional and strengthen your organization’s competitive advantage in an increasingly globalized world.
• Expanded EHS peer network and new connections you can turn to for sustainable ideas and strategic insights to serve you for years to come.
• Perspectives from some of the world’s leading authorities within and outside of the EHS audit field.

Register by July 22 to save $125.
www.theiia.org/EHSE.


Update
Reviewing the three lines of defense… AI’s positive environmental impact… The CIA exam gets an upgrade… Organizations enhance ethics safeguards.

FRAUGHT WITH CORRUPTION
In a worldwide ranking, three industries presented the highest levels of corruption risk.
1 Construction and development
2 Infrastructure
3 Oil and gas
Source: The Risk Advisory Group, Corruption Challenges Index 2019

PRIVACY COMPLIANCE A TOP RISK
Global privacy regulations are creating a complicated path for organizations.

Accelerating privacy regulation has surpassed talent shortages as the top emerging risk in Gartner Inc.’s 2019 Q1 Emerging Risks Monitor Report. The global survey notes privacy regulation was a top risk for at least 70% of senior audit, compliance, finance, and risk executives in four sectors: banking, financial services, technology and telecommunications, and food/beverage/consumer goods.
“With the General Data Protection Regulation (GDPR) now in effect, executives realize that complying with privacy regulations is more complex and costly than first anticipated,” says Matt Shinkman, managing vice president and risk practice leader at Gartner, a global research firm. Adding another layer of complexity for companies to navigate privacy regulation is the California Consumer Privacy Act, set to take effect in 2020.
Accelerating privacy regulation also is a “very rapid velocity” risk that will have high organizational impact if it materializes. Executives view it as a concrete threat to their organizations, ranking it the highest-probability risk of any of the top 10 in the report. Executives’ GDPR-specific concerns are evolving into “a broader recognition that their organizations need to overhaul their entire data security governance strategies,” Shinkman says.
In line with the results of the Emerging Risks Monitoring Report, Gartner’s 2019 Privacy Program Priorities survey found that the top priority of privacy executives is adapting to a volatile regulatory environment. About four in 10 are confident in their current abilities to keep pace with new requirements. Establishing a privacy strategy to support digital transformation and implementing an effective third-party risk management program are the No. 2 and No. 3 priorities, respectively. — S. STEFFEE

3 LINES IN REVISION
The IIA reviews the relevance of the risk management model.

The IIA is reviewing the widely accepted Three Lines of Defense model with the aim of ensuring the guidance is more applicable to today’s changing organizational environment. The review seeks to clarify essential responsibilities in governance, risk management, and control. The Institute will be seeking public comment on its website.
The IIA’s Three Lines of Defense task force seeks to “breathe new life” into the model by focusing on organizational success and embracing governance processes. IIA Global Chairman Naohiro Mouri explains that The IIA recognizes that risk “goes beyond ‘defense’” and can create opportunity. “We want to ensure organizations can allocate and structure their resources and responsibilities by using the Three Lines of Defense to their advantage,” he says.
To that end, the review is considering both a reactive and proactive approach to fulfilling an organization’s purpose and value creation. Moreover, the task force is evaluating how the model can be scaled for organizations of different sizes.
Additionally, the task force is considering how internal audit functions should address the “blurring of the lines” when they are asked to take on responsibilities within areas of the organization. The objective is to stress flexibility among the lines. Check for updates at www.theiia.org/3LOD — T. MCCOLLUM

NEARLY 75% OF ASIA-PACIFIC (APAC) BANKS expect fraud cases in their country to increase moderately or significantly in 2019.
MORE THAN 50% OF APAC BANKS PRIORITIZE RISK management over customer service, blocking cards on the first fraud alert.
“While protection against fraud is important, some banks are still struggling to balance prevention with customer convenience,” says Dan McConaghy, president of FICO in Asia Pacific.
Source: FICO 2019 Asia Pacific Fraud Forum survey

CAN ARTIFICIAL INTELLIGENCE SAVE THE WORLD?
Research suggests AI could reduce environmental impacts and raise economic growth.

Here is some good news about artificial intelligence (AI): It might help save the environment. A PwC report forecasts that applying AI to environmental management could reduce global greenhouse gas (GHG) emissions by as much as 4% in 2030.
Doing so may be good for the economy, too. Environmental applications of AI could add $5.2 trillion to the global economy by 2030 and create more than 38 million new jobs, according to the Microsoft-sponsored report.
Researchers used modeling to compare the potential benefits of AI-based environmental applications versus continuing with current practices. “The research shows the potential of emerging technology to directly support decoupling economic growth from greenhouse gas emissions in the near and long term,” says Celine Herweijer, global innovation and sustainability leader at PwC UK.
How? By applying AI and other emerging digital technologies in four sectors that currently represent 60% of GHG emissions: agriculture, energy, transport, and water resources.
For example, the agricultural sector could use AI to better monitor environmental conditions and crop yields. Meanwhile, intelligent grid systems could predict and manage energy demand and supply, the report notes. AI-based traffic prediction and autonomous vehicles could transport people and cargo more efficiently and sustainably.
Regions such as East Asia, Europe, and North America stand to see the biggest reductions in GHGs and greatest economic gains, the report predicts. This is because those regions have greater digital readiness, technology adoption, and environmental policies than other regions.
Despite AI’s potential, the report cautions that AI risks surrounding bias, control, and security could pose risks to the environment. Similarly, each of the four sectors must overcome existing barriers to realize AI’s full benefits. — T. MCCOLLUM

THE EVOLVING CIA
Certified Internal Auditor exam upgrades align it with current internal audit practices, says Lily Bi, IIA vice president of Global Certifications.

How is the 2019 Certified Internal Auditor (CIA) exam different from previous exams? The CIA exam remains the foundation for all internal audit services — operations, finance, and IT audit. The most extensive changes were made to Part Three: Business Knowledge for Internal Auditing, which has always been the most challenging because the scope was massive. It is now streamlined to focus on four areas most critical for internal auditors: business acumen, information security, IT, and financial management. Almost half of Part Three focuses on advanced technology knowledge, such as data privacy and cybersecurity, an essential for today’s internal auditor.
Part One: Essentials of Internal Auditing and Part Two: Practice of Internal Auditing have been revised to more closely align with the International Standards for the Professional Practice of Internal Auditing. The new Part One exam assesses Attribute Standards such as the foundations of internal auditing — fraud, governance, risk management, and controls. The nature of internal audit’s work is evaluating and contributing to the improvement of those areas. The new Part Two exam focuses on Performance Standards, such as managing the internal audit activity and performing internal audits.

COMPANIES SEEK ETHICAL ENHANCEMENTS
Rising scrutiny is driving compliance executives to tackle misconduct companywide.

Across industries, organizations want to get better at preventing and detecting ethical misconduct by enhancing key compliance areas, according to KPMG’s 2019 CCO Survey. Nearly two-thirds of the survey’s chief ethics and compliance officer (CCO) respondents identified investigations and monitoring and testing as capabilities that they most want to improve. Other areas for improvement are data analytics and regulatory change management.
The report, based on a survey of 220 U.S.-based CCOs, says heightened public and regulatory focus on ethical behavior has elevated the need for ethics and compliance leadership. It points to recent technology advances and digitization as catalysts for increased public awareness of events such as data breaches and organizational misconduct.
In light of these challenges, the report suggests auditors advise organizations on revamping investigation processes, case management, reporting, and communication. — D. SALIERNO


Help Us Keep a Finger on the Pulse of Internal Audit

What challenges do you face in internal audit, risk, and compliance?
How do you collaborate?
Are you confident in your work?

We want to know.

Complete this short survey before June 30, 2019, and you'll be entered to win an Apple Watch.®
workiva.com/iia-survey

Apple Watch is a registered trademark of Apple Inc.


Back to Basics
BY DANNY FRIDMAN, DROR BAR MOSHE + DAVID GABRA EDITED BY JAMES ROTH + WADE CASSELS

ASSESSING DATA RELIABILITY


Internal auditors can
follow practical steps
to ensure reports

R
are complete and
accurate. eports from extracted business initiatives failing to which reports should be
data can sometimes achieve their targeted goals. subject to evaluation. This
be misleading, which Unreliable reports can impact: should include an assess-
can be a problem ɅɅ Strategic Decisions — per- ment of the report type,
when organizations rely forming mergers and impact of the report for
on them to make critical acquisitions, changing decision-making, key control
business decisions. This is organizational structure, considerations, change man-
especially important for orga- expanding to new loca- agement procedures, and
nizations subject to the U.S. tions, or developing new access restriction.
Sarbanes-Oxley Act of 2002 product portfolios. Reports can be cat-
as part of the testing process. ɅɅ Operational Deci- egorized into three main
The U.S. Public Com- sions — costing and types — canned, customized,
pany Accounting Oversight pricing of projects, and manual. Canned reports
Board warns that having budget-related decisions are generated from a system
inaccurate reports might and priorities, sales fore- where no changes have been
lead to key controls deficien- casts, production and made. Those reports usu-
cies, so organizations should inventory needs, and ally represent low risk for
ensure that reports used in resource requirements. completeness and accuracy.
assessing the operation of key ɅɅ Financial Decisions — Customized reports are
controls are complete and financial reporting, developed based on user
accurate. Internal auditors credits and loans, needs and represent higher
can easily apply tools and invoicing, collection, risk for completeness and
techniques to ensure that and investments. accuracy. Manual reports
reports and data used for ɅɅ Regulation and Compli- are created by an end user
decision-making are reliable. ance — employment and have not passed a for-
labor laws, intellectual mal change management
The Impact of Bad Data property, data privacy, process for report testing.
Poor data quality is respon- and software licensing. They usually represent the
sible for an average of $15 highest risk.
million per year in financial Start With a As each report type
losses, according to recent Risk Assessment represents a different inher-
Gartner research. It also is a The first step is to perform a ent risk level, identifying
primary reason for 40% of all risk assessment to determine the report type is crucial for

SEND BACK TO BASICS ARTICLE IDEAS to James Roth at jamesroth@audittrends.com

14 INTERNAL AUDITOR JUNE 2019


TO COMMENT on this article,
EMAIL the authors at danny.fridman@theiia.org

the reliability assessment, and should lead to different vali- ɅɅ Verify if any manual checks or system validations prevent
dation activities. duplicate records. To identify such occurrences, perform
Other factors that should be considered when determin- a simple but effective duplication test for a sample of
ing reports for testing include: data fields.
ɅɅ Data Usage. Does the report and underlying data relate to ɅɅ Review blank data fields. Missing data is a good indica-
strategic, financial, operational, or regulatory decisions? tor that additional checks need to be performed.
ɅɅ Impact of the Report. Would a mistake in the report ɅɅ When using a reporting tool, such as a business intel-
pose a potential strategic, financial, operational, or ligence application, ensure that the latest version is being
regulatory risk to the organization? used. Upgrades usually solve technical defects, and
• Control Considerations. Is the report used in the execution of key controls to mitigate significant risks?
• Change Management Procedures. How effective are the change management controls for report creation?
• Access Restrictions. What access restriction mechanisms — such as password or permissions — are in place?

Test for Completeness
Internal auditors need to verify the report type and understand the parameters used to generate it. Just one incorrect parameter can severely impact report reliability. Because several parameters typically are used to generate a report, the internal auditor should spend time with the report owner to understand if the parameters were correctly selected.

Next, internal auditors should check whether any exclusions have been set up at either the application user-interface level or the code level. If it’s the latter, assistance from developers may be needed. Auditors also should be careful not to be fooled by the report name. A procurement report named “Total Expense for Vendors” may only show expenses that are procurement-related, but not all expenses.

Internal auditors should review several areas when testing reports for completeness.
• Look at when the report was last modified. Checking the last modification date can highlight whether report changes occurred.
• Common practice is to limit what data a user can see based on user access rights profiles, which should be in line with job responsibilities. It is critical to verify that the user generating the report provides a complete report. In many cases, the end user may be indifferent or unaware of this, so it is always advisable to approach the system owner.
• Compare different reports that should show the same data. Because each report is built with different logic, this is a good way to test report completeness. Compare the same information from different sources and ask different stakeholders to opine on the reasonability of the data.
• Use the “full and false inclusion” method. Take a sample of transactions that should or should not be in the report, and verify accordingly.

data-warehouse interfaces can be different.

Test Data Accuracy
In testing accuracy, internal auditors need to understand which data capture method was used, as each method has a different level of risk for data reliability: on a paper form, by users directly entering data, or by a system. It’s also important that auditors recognize the type of controls over system data entry and system data input validations, such as double keying and upper and lower limits.

Other items that should be assessed by internal auditors in the testing of data accuracy include:
• The meaning of a data field. Internal auditors should never assume, based on the column descriptions, that they understand what the data item is.
• The source data for key data fields. This can be done by tracing back to identify the source data repository.
• Reasonableness. For example, is it reasonable that a car was rented for $2,000 a night?
• Date fields. Dual date format issues might adversely impact any date analysis. For example, a date in a report such as 03/05/2019 might be displayed as either March 5, 2019, or May 3, 2019, depending on the end user’s regional setting.

Blind Trust
Unreliable data can negatively impact key decisions. In many cases, organizations are unaware of unreliable reports, resulting in stakeholders grappling with flawed data that, ultimately, might lead to wrong or nonoptimal choices. Unfortunately, this lack of awareness may lead many organizations to blindly trust their data, which can mean disaster. Organizations are data driven, so internal auditors must ensure that decisions are made based on complete and accurate reports.

DANNY FRIDMAN, CIA, CISA, CRISC, is head of internal audit at AMDOCS in Ra’anana, Israel.
DROR BAR MOSHE, CIA, CPA, CFE, CISA, is deputy head of internal audit at AMDOCS.
DAVID GABRA, CISA, is an internal auditor at AMDOCS.

JUNE 2019 INTERNAL AUDITOR 15




ITAudit
BY BILL BONNEY EDITED BY STEVE MAR

PEACE IN OUR TIME

Audit results shouldn’t drive the IT department’s strategy and priorities.

Too many organizations use internal audit results to drive priorities for the IT function, which can have a devastating effect on morale. This approach sets an example for the entire organization about how to get systems-related objectives met. Initially, this can be benign as leaders try to do the right thing and help uncover systems issues that need attention. Eventually, pointing the auditors to real or suspected issues allows them to elevate any project to the highest priority, whether it is strategic or not.

For example, a software company starved back-office systems in favor of product development. As a result, IT fell seriously behind in patching internal production systems. Because the organization was audit-driven, at the next opportunity, management pointed auditors at patching, and the inevitable findings in patch management became the flag around which any desired project was wrapped to secure new funding. Step one: Hold IT accountable for not patching that system. Step two: Secure funding to “fix IT’s mess.”

Allowing audits to drive strategy wastes time and money, and robs management of the audit’s real value — helping management validate that it is appropriately addressing risks to business processes. When the audit becomes the key objective, performing audits becomes an essential business process on its own. This mistake creates the potential for a wildly inappropriate scope that gives the IT staff the sense that audits are never-ending and self-serving.

Fear and Loathing
These issues can lead to audit fatigue and poorly executed audit activities. Before long, management is spending its time and attention fixing problems with audits instead of fixing problems found by audits.

In another example, a large financial services company purchased a much smaller company in an adjacent but highly regulated space. As is often the case, the smaller company had a much lower profile than the larger company, but that changed once it was part of a larger organization. The new management, lacking experience as a highly regulated entity, began to ramp up audits to get ahead of the regulators. As operational requirements competed with audit requests, “just get it done” replaced “do it right.” At some point in this dysfunctional downward spiral, “do whatever the auditor says to get this over with” became the strategy to end the pain.

This example provides context for the skepticism, distrust, and outright fear senior executives and IT staff members have about audits. Some worry about getting in trouble for doing something wrong. Many view the time spent on audit requests as





wasted time or busy work. The fear and distrust for audits is naturally extended to the auditors, and this leads to an “us versus them” mentality. Both sides dig in and spend more time protecting their flank than solving their problems.

Some IT departments assign auditors “handlers” to choreograph activity, coach process owners to provide guarded answers, and quickly escalate issues, causing a bottleneck within leadership. Inexperienced auditors bring poor time management skills, poorly thought-out evidence requests, and negative attitudes to audits that put everyone on guard. Auditors then spend extra time gathering overwhelming evidence of control failure, and IT staff fabricates control evidence.

In addition to driving poor decision-making when used unwisely, audits often veer off track. In such cases, people too close to the situation sometimes focus on the audit as the key objective rather than managing the business process under audit. Besides these strategic mistakes, scope creep, poor communication, distrust among teams, and inexperience can plague any project and amplify any problems with an audit because of the extra scrutiny on the outcome.

In some organizations, IT may be severely underfunded and so far behind in resolving previous audit findings that the department gets accustomed to adding the next set to its ever-expanding project list. This forces leadership to spend so much time prioritizing and re-prioritizing work that audit failure becomes the de facto driver for funding. This, more than control failures, may be the finding that the audit should reveal.

The Path to Peace
It doesn’t have to be like this. When used appropriately to validate assumptions and uncover blind spots, the audit program is a crucial asset for management and plays an essential role in governance. Here are 10 tips to help internal auditors, management, and IT employees get on the right track.

Audit team. The audit team can become better partners to IT by taking these steps:
• Agree with senior leadership on the strategy and priorities of the audit program. Establish priorities and understand where to focus audits based on the risks presented by the critical business processes.
• Ensure each audit focuses on making the business process better, not finding problems. Internal audit should keep this goal in mind as it sets audit objectives, determines scope, and frames findings. Always solicit recommendations for improvement from management.
• Help the organization navigate audits and examinations by external organizations (within the limits of independence). This is particularly important as it pertains to audit scope. For example, it’s not helpful to have nonregulated businesses examined by regulators. It wastes time and exposes the organization to inappropriate jeopardy. Auditors should make sure all parties agree to the scope before the audit starts.
• Agree up front on the criteria for identifying the required evidence. These criteria include sample selection criteria, the duration of the assessment, and the amount of evidence required to validate each test objective.
• Agree on the process and tools to be used for requesting and receiving the evidence. Agree on how quickly evidence is to be gathered once requested.

Management. IT management can demonstrate transparency and respect for the audit process by:
• Avoiding assigning junior people to handle examiners or auditors. When management tries to offload audit responsibility to the least useful resource, it almost always has a negative impact.
• Not coaching employees on how to be coy with auditors. Internal auditors are trained to spot inconsistency and lack of transparency. Trying to hide details from auditors is unprofessional and causes them to dig deeper in that area.

Employees. IT staff members who are asked to support audit activities can establish trust by taking these steps:
• Don’t assume your competence is being questioned. “I don’t know, but let me find out for you” is a better answer than guessing.
• Don’t try to sound like a lawyer. The best way to be understood is for employees to use the language and style that is comfortable to them. The surest way to get management’s attention — and not in a good way — is to call a minor testing deviation a “material weakness.”
• The auditor is not a whistleblower hotline. Managers should remind employees to bring internal issues to their manager or a neutral member of the management team.

Look in the Mirror
Internal auditors should ensure their organization doesn’t take a dysfunctional audit approach. They should review their audit strategy to make sure it addresses business process risk, provides the necessary governance assistance to management and the board, and addresses the organization’s regulatory requirements. They shouldn’t let audits drive the business.

BILL BONNEY is a security evangelist, author, and consultant in San Diego, Calif. and co-founder of CISO DRG Inc.

TO COMMENT on this article, EMAIL the author at bill.bonney@theiia.org



Risk Watch
BY MAJA MILOSAVLJEVIC EDITED BY CHARLIE WRIGHT

HOW TO AUDIT SOCIAL MEDIA

By reviewing compliance with social policies, internal auditors can help their organizations assess risks.

In today’s business world, practically every organization has a presence on social media, enabling them to reach huge numbers of customers and stakeholders globally. While enhancing sales might be the primary driver for creating a social media presence, social media has a much broader scope. It builds new relationships with customers, employees, and other stakeholders, expanding awareness about the organization and its brand. It influences customer education, engagement, and feedback. And it heightens the organization’s attractiveness as an employer and strengthens its reputation.

With that broader reach comes new and different types of risks for organizations and their employees, such as reputational, dark web, and data protection risks. For internal auditors, the most relevant questions relate to aspects of how the social media presence is being managed. Organizations must develop policies covering aspects such as who in the organization has the authority to use social media, what gets communicated, and which of its stakeholders should receive the communications.

Consequently, internal auditors should invest resources to audit compliance with social media policies and guidelines. To do so, auditors need to build an adequate audit approach for the still-developing area of social media-related engagements.

Social Media Strategy
A good starting point for auditing social media is the organization’s social media strategy. Actually, the first question auditors should ask is whether the organization has such a document at all. A social media strategy can help establish the general basis of the organization’s governance, use, oversight, and approach. The strategy also should contain the goals the organization aims to achieve from a long-term strategic perspective, thus setting the foundation for social media implementation.

Another important strategic component that internal auditors should evaluate is the specific channels that influence the organization, including validation of links, social handles, profile and account information, mission statement for the account, and key demographics. Moreover, auditors should assess whether organizational and social media goals are aligned.

Policies and Procedures
After dealing with the organization’s strategic approach, the next step is to check that the social media strategy has been written into relevant policies, procedures, guidelines, and instructions. Starting with the regulatory framework that is relevant for the organization’s industry,



internal auditors should evaluate whether policies and procedures comply with state, local, and national labor laws and protected free speech rights. Ensure that relevant documents are reviewed for consistency and approved by the appropriate experts from different parts of the organization such as senior management and the legal, risk management, and internal audit functions. Finally, the assessment should seek the perspective of the organization’s employees, including those responsible for social media. One concern is whether employees have documented style guides to follow for social media posts.

Dedicated Resources
Another important aspect of auditing social media is assessing whether it has adequate resources. Once the organization decides to have a social media presence, the organization needs to dedicate employees to manage its presence and establish tools for monitoring it. Appropriate management of social media should include using tools that provide information such as mentions of the organization’s name, relevant post reviews, and audience behavioral patterns.

To get an understanding of the organization’s social media activities, internal auditors should search the web to identify where the organization has a presence. Additionally, identifying some of the best posts and evaluating the themes that make them popular — such as the topic, pictures, and people focus — can inform management about the relevance of those posts to customers and stakeholders.

Identifying key metrics can give internal auditors a basis for evaluating the performance of the current social media. This not only includes assessing the current metrics in place, but also whether there should be other or different metrics. Various social media analytics tools can help auditors simplify this step.

Roles and Responsibilities
The wide scope of influence social media could have on the organization creates the necessity to establish appropriate roles and responsibilities. It would be confusing to have all the departments posting on social media on behalf of the organization at the same time and without any alignment. Likewise, it would be confusing if any employee could provide requested feedback or reply to a comment on social media.

These issues challenge internal auditors to validate that the roles and responsibilities are documented and are clear to all employees. When it comes to security, auditors should evaluate owners of each account and review security protection measures in place such as tools for controlling passwords.

Internal Communication and Training
Considering that social media can significantly impact the organization if not managed well, organizations need relevant internal communication and training programs. Employees need to know the rules for representing the organization on social media to avoid potentially negative consequences. For these reasons, internal auditors should review social media-related communication to employees as well as the frequency of training provided.

Crisis Scenarios
Another important aspect of auditing social media is reviewing whether the organization has developed crisis scenarios and assessing how the crisis would be communicated on social media channels. Generally, a crisis creates opportunities for a wide range of miscommunication throughout the organization. Internal auditors should make sure managers and social media employees are aware that such situations might happen and have a clear plan for managing those situations.

Room for Improvement
Internal auditors can provide an independent perspective and good insight for management to consider. However, to keep up with the dynamics of social media, the organization always should look for opportunities to improve social media channels as well as the controls around their use. Employees who manage social media should coordinate with other departments within the organization and constantly evaluate new developments and topics of interest in their industry, region, and community. Internal auditors can help those employees make improvements to the structure and design of the organization’s social media approach that can enhance its performance.

MAJA MILOSAVLJEVIC, CIA, CRMA, is an internal auditor at Borealis AG in Vienna, Austria.

TO COMMENT on this article, EMAIL the author at maja.milosavljevic@theiia.org



Fraud Findings
BY BRYANT RICHARDS

THE OPPORTUNISTIC CFO

When a small, growing company hires an internal auditor, it discovers the chief financial officer embezzling profits.

In 2009, LeBarge Inc., an oil rig company, was growing beyond the size of a typical small business. The owner and CEO, Lou Smith, decided to hire an accounting firm, which recommended that he add an internal auditor to the team to ensure his control environment kept up with the expanding needs of the business. Concerned about the cost of hiring a full-time person with salary and benefits, Smith decided to forgo the recommendation.

Each year for the next five years, the accounting firm again recommended that Smith hire an internal auditor. LeBarge continued to grow, but profits were shrinking. Smith could not understand why. Costs should be going up, but they were growing faster than revenues. The company’s chief financial officer (CFO) and Smith’s long-time friend, Jennifer Hagan, offered reports showing increased vendor costs and evidence of inflation. None of this made sense to Smith, as his intuition suggested profits should be up $200,000 annually. In 2014, Smith reluctantly agreed to hire veteran internal auditor Corey Ortiz.

Ortiz joined the company and quickly scoped out his first review of the highest risk area, the financial ledger, which was in QuickBooks. Ortiz prepared a standard audit program that focused on journal entry and reconciliation controls, system access rights, and segregation of duties. The program included walkthroughs of journal entries to evidence support and authority for the recording processes. Bank reconciliation testing was included to understand the process and follow transactions from the ledger to the reconciliation. The program included pulling and reviewing samples of journal entries and reconciliations to check for completeness, timeliness, support, and authorization. And finally, the plan included getting administrative access to QuickBooks through IT and viewing roles and rights within the system.

Ortiz wanted to get off to a strong start and help the organization understand the internal audit process. He spent two weeks creating an audit program, scoping memos and other official communications. He communicated with his stakeholders in polite and professional emails, requesting samples and employee interviews.

The fieldwork began on the first day of week three. Samples were pulled and Ortiz started with the IT manager, who was prepared to show him around the QuickBooks program. At 11:00 a.m., Ortiz stopped the audit and contacted the CEO for an immediate meeting.

Ortiz explained to Smith that while reviewing



the system administrative rights in QuickBooks, he found that the CFO, Hagan, was the only person with access to the system. This meant that she could create entries, make payments, and edit all data within the system with no checks and balances. It was not surprising to Ortiz that a small company with recent growth had such glaring segregation of duties issues within its ledger. However, a quick review of the system audit logs for the previous month showed numerous changes to payment fields, which is unusual in the normal course of business. He then checked the names of the vendors before they were changed in QuickBooks.

After the meeting with Smith, Ortiz spent the rest of the day working with the IT manager to identify vendor name changes that occurred over the past year. The next morning, Ortiz and Smith called a meeting with Hagan. Ortiz asked her to explain each vendor name change. Hagan was clearly uncomfortable, but offered an excuse about how the system has errors that need to be fixed sometimes.

Skeptical about the explanation, Ortiz started the next day by requesting a vendor spending report for the previous year. He then contacted each vendor and asked them to provide an updated billing summary for that time period. When Ortiz compared the reports, he found a $250,000 discrepancy for the past 12 months.

By the end of the day, Ortiz, Smith, and the human resources manager confronted Hagan with this information. For 15 minutes, she acted surprised and hurt at the accusation. Smith suspended Hagan without pay while the investigation continued. Law enforcement was notified the next day.

In 2017, Hagan was tried and convicted of embezzling more than $800,000. For five years, she used the company’s financial ledger as her personal checkbook to pay bills and purchase items. She would later change the vendor name in the payment information fields to a business-related vendor. By slowly increasing her theft as the business grew, she was able to convince management that the expenses were related to challenges associated with normal business growth.

Hagan pleaded guilty to a felony charge of aggregated theft. Before her plea agreement, she paid back half of the money she stole and agreed to pay the rest when her six-month jail sentence concluded. LeBarge has recovered its status of profitability.

LESSONS LEARNED
• Companies that expand, whether large or small, are exposed to new risks. Controls designed for the business often stretch and break. In small companies, daily supervision and involvement by the owners often provides significant control value. Decreased supervision in a growing business causes normal control weaknesses, such as segregation of duties, to become glaring opportunities for waste or abuse.
• Owners of small companies are not risk professionals. Growing companies are rarely prepared to identify and mitigate the expensive risks associated with their new success. Internal auditors are trained risk professionals and provide organizations with resources focused on identifying, preventing, and managing these risks.
• Start with the ledger and work outward. Access controls and segregation of duties within the financial systems are the cause of many frauds. Trusting one person to manage the financial resources of any company is a dangerous strategy and should always be top of mind for any internal auditor and the first place to look.
• Know the financial system’s logging and reporting features, as small systems sometimes don’t have robust controls. Reviewing reports on various changes, such as mailing addresses, employee name, and vendor name, can lead to early fraud detection.

BRYANT RICHARDS, CIA, CRMA, CMA, is an associate professor of accounting and finance at Nichols College in Dudley, Mass.

TO COMMENT on this article, EMAIL the author at bryant.richards@theiia.org
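As an added example (not code from the article, and not QuickBooks’ own audit log), here is Python detection logic an internal auditor could run over an exported ledger change log to surface the two patterns the case turns on: one user holding every conflicting ledger role, and a payee name rewritten after the payment was issued. The pipe-delimited log layout, the role names and the log entries are constructed for this example; a real system’s export will differ.

```python
"""Ledger change-log review: added example, not code from the article or
from any accounting product. The log layout, role names and entries are
constructed; a real system's audit log will look different."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed export: timestamp|user|event|object|field|old_value|new_value
CHANGE_LOG = """\
2019-03-01T09:12:00|cfo|payment|PMT-1041|payee|-|Sunrise Furniture Co.
2019-03-01T17:45:00|cfo|edit|PMT-1041|payee|Sunrise Furniture Co.|Gulf Rig Supply
2019-03-04T10:02:00|cfo|payment|PMT-1058|payee|-|Gulf Rig Supply
2019-03-06T11:20:00|cfo|edit|VEND-22|mailing_address|12 Dock Rd|88 Maple St
2019-03-07T08:30:00|itadmin|edit|USER-cfo|roles|admin|admin
"""

# Constructed role assignments as exported from the ledger's user screen.
ROLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "cfo": {"create_entry", "approve_payment", "edit_vendor", "admin"},
    "itadmin": {"admin"},
    "clerk": {"create_entry"},
}
# One person holding all three can pay a vendor and then rewrite who the
# vendor was, with no second pair of eyes: the segregation-of-duties gap.
CONFLICTING_ROLES = {"create_entry", "approve_payment", "edit_vendor"}
# Fields whose changes the last lesson says deserve a recurring report.
SENSITIVE_FIELDS = {"payee", "mailing_address", "bank_account"}


def parse_log(text: str) -> List[dict]:
    """Parse the pipe-delimited export into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, obj, field, old, new = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "obj": obj, "field": field,
                       "old": old, "new": new})
    return sorted(events, key=lambda e: e["ts"])


def sod_violations(roles: Dict[str, Set[str]]) -> List[str]:
    """Users who hold every conflicting role at once."""
    return sorted(user for user, held in roles.items()
                  if CONFLICTING_ROLES <= held)


def payee_rewritten_after_payment(events: List[dict]
                                  ) -> List[Tuple[str, str, str, str]]:
    """Payments whose payee field was edited after the payment went out:
    (payment id, payee actually paid, payee now shown, user who edited)."""
    paid_at: Dict[str, datetime] = {}
    hits = []
    for e in events:
        if e["event"] == "payment":
            paid_at[e["obj"]] = e["ts"]
        elif (e["event"] == "edit" and e["field"] == "payee"
              and e["obj"] in paid_at and e["ts"] > paid_at[e["obj"]]):
            hits.append((e["obj"], e["old"], e["new"], e["user"]))
    return hits


def sensitive_changes_by_user(events: List[dict]) -> Dict[str, int]:
    """How many sensitive-field edits each user made: the raw material for
    the periodic change report the article recommends."""
    return dict(Counter(e["user"] for e in events
                        if e["event"] == "edit"
                        and e["field"] in SENSITIVE_FIELDS))


if __name__ == "__main__":
    log = parse_log(CHANGE_LOG)
    print("SoD violations:", sod_violations(ROLE_ASSIGNMENTS))
    print("Payee rewritten after payment:", payee_rewritten_after_payment(log))
    print("Sensitive edits by user:", sensitive_changes_by_user(log))
```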



ETHICS

The Right Path

With help from internal auditors, organizations can reap the performance benefits of ethical decision-making.

Russell A. Jackson

Illustration by Sean Yates
Base photograph by Konstanttin/Shutterstock.com

There are vivid examples of the link between organizations’ ethical behavior and their bottom lines. At press time, Kraft Heinz Co. announced restated earnings involving irregularities in its accounting procedures and internal controls; the initial report of the U.S. Securities and Exchange Commission’s (SEC’s) related subpoena contributed to an almost 20% single-day drop in the company’s stock price. Similarly, cryptocurrency company Longfin’s shares plunged 30% when it disclosed an SEC investigation last year. And following the news of Volkswagen’s now infamous emissions scandal, its stock, too, experienced a 30% decline.

As evidence mounts that ethical business behavior leads to better business performance — boosting stock price performance by almost 15%, according to one estimate — internal auditors need to sharpen their people skills, listen better, and share what they learn with more moving parts in their



organizations’ ethics infrastructures. And they need to step up, state their case, and start getting the credit they deserve for doing so.

Stakeholders may understand that internal audit plays a role in ethics, though they may not fully appreciate the breadth of contributions practitioners can make. Now internal auditors have numbers to show how much value the function actually adds.

REPUTATION AND CULTURE
The Ethisphere Institute, a global ethics rating and advocacy firm, names its World’s Most Ethical Companies each year, based on the quality of their ethics and compliance programs, organizational culture, corporate citizenship and responsibility, governance and leadership, and reputation. Ethisphere’s belief that “financial performance and ethics go hand-in-hand” is validated, it says, by its “Ethics Premium.” The organization tracks the stock prices of its publicly traded honorees and compares them to a large cap index — and it says those companies outperformed the index by 14% over five years and by nearly 11% over three years.

Is the connection really cause–effect? Does ethical behavior lead directly to better business performance? “I firmly believe it does,” says Karen Brady, corporate vice president of audit and chief compliance officer at Baptist Health South Florida, in Coral Gables — a nine-time Ethisphere honoree. She notes that Ethisphere’s reputation criterion is based in part on a Google search of the organization, adding: “Having a good reputation will get you better business. That’s a pretty-well-known fact.” Ethisphere also cites studies showing that millennials want to do business with companies that have solid ethical reputations, and its CEO Timothy Erblich adds that “employees, consumers, and stakeholders value companies that show a commitment to business integrity.”

Of the elements Ethisphere says undergird an entity’s ethical behavior, the one that contributes most to business performance is culture, Brady says. “It has to be,” she stresses. “The whole thing starts with culture. If you don’t have that tone at the top, the organization isn’t going to be committed to good governance or good citizenship.” Indeed, organizations with a culture that encourages concealment of compliance or other issues, she says, risk severe damage to their reputations.

Jane Keller-Allen, vice president of Internal Audit, Compliance, and Risk at WPS Health Solutions in Madison, Wisc., also stresses culture’s influence on the bottom line, and she agrees that tone at the top is key. “All aspects of an ethics infrastructure are important, but culture contributes the most to business performance,” she says. “The culture of an organization is usually driven by its leaders. If leadership believes in doing things the right way, then compliance programs and corporate citizenship will naturally flourish under that direction.”

Keller-Allen adds that if the organization’s leaders help establish a culture that fosters trust, then employees will be more inclined to report potential compliance issues. And that, in turn, enables the organization to resolve any issues more quickly.

At Baptist Health South Florida, internal audit contributes to ensuring that ethical behavior begets profits in several ways. “From time to time, we audit each of the Ethisphere criteria,” Brady says; that includes informal surveys in the departments and locations they audit. And, she says, “ethics is huge when we assess risks,” citing trends in hotline calls and human resources (HR) statistics as potential red flags. She adds: “If there’s an ethical issue in an area, you



16% of employees experienced pressure to compromise ethical standards, a 23% increase since 2013, according to the Ethics & Compliance Initiative’s 2018 Global Business Ethics Survey.

ETHICS TECH

Technology that enables compliance and ethics-related information-sharing, including
input from internal audit, is becoming increasingly sophisticated, says OCEG President
Carole Switzer — and the best may be yet to come. “Technology that incorporates internal
audit findings that flag issues — and that sets a process for notifying relevant parties so that
they can address deficiencies and respond to the concerns raised — is hugely helpful,” she says.
The opportunity for business operations to input their information into the same system as
risk, internal audit, and human resources is, she adds, “a bit of a game changer.”
Recent technological advances have enabled central hubs that pull in data from
multiple systems inside and outside an organization and make it available across the
enterprise, she explains. “That combined with advanced machine learning, other types
of artificial intelligence, natural language processing, and predictive analytics,” she says,
“represents the real revolution.”
The revolution “benefits internal audit’s ability to really dig in and understand what’s being
done to address risk on a completely different level,” Switzer adds. “Internal audit can help
other stakeholders use those capabilities to create a living, strategic planning process.”

can bet there's going to be a business concern — fraud, noncompliance, or weak controls — too."

Jeff Dougher, internal audit director at Intel in Portland, Ore., agrees that the profession has an important role in effective assessment of business performance as it relates to ethics — by virtue of being an independent advisor. "That could be as simple as spending time with first-level managers and staff to see how they would raise issues, and teaching individuals how and where to report issues," he says. Internal audit can help management understand the types of messages business managers proliferate throughout an organization, he adds, and can help "ensure the culture of ethics and compliance is consistently understood throughout each particular group or team." Intel has been recognized on the Ethisphere list seven times.

TEAMWORK AND PARTNERSHIPS

In fact, internal audit has all kinds of ways to help drive and assess a company's ethical behavior, Dougher says. Being independent and keeping individuals' interviews anonymous allows internal audit to "ask clarifying questions that provide accurate information and valuable insight to help management understand their site cultures," he adds. Teamwork matters, too. "We partner with the Ethics and Legal Compliance (ELC) program for selected audits," Dougher explains, "helping ensure management has established appropriate ELC programs throughout their business groups and site programs."

Gerry Zack, CEO at the Society of Corporate Compliance & Ethics and the Health Care Compliance Association in Minneapolis, recognizes the value of such practices. He says high performing organizations "have partnerships between compliance and internal audit and between internal audit and other entities in the enterprise that directly affect culture and ethics." HR is one of them; so is senior management. Zack says this is often part of internal audit's advisory role.

Carole Switzer, co-founder and president of OCEG (formerly the Open Compliance & Ethics Group) in Phoenix, also cites the value of cross-functional partnerships. She suggests rotating internal auditors through roles in risk management and compliance to afford them a bigger picture perspective on an integrated governance, risk, and compliance process structure. "The key thing to recognize is any of the moving parts of the 'ethics infrastructure' can be the cause of failure," she says. "You cannot establish strong culture, for example, if you don't have strong leadership with clear vision and commitment."

The key to taking a company's ethical temperature is finding out what its stakeholders think. Ethisphere says its World's Most Ethical Companies "cultivate a culture of integrity" — by measuring employees' comfort with speaking up, for example, and their views of leadership's trustworthiness, and by "leveraging a broad array of tools and techniques to get a sense of their internal ethical cultures."

Some companies use a dedicated ethics survey process, Ethisphere says, adding that "pulse-type surveys to capture small, but frequent, readings of ethical temperatures across the organization are oft-discussed, but rarely used." Employee engagement surveys are the most popular ethical thermometers, Ethisphere reports; the percentage using them rose 12 points from 2017 to 2018. Ethisphere adds that such surveys are driven primarily by the HR function, with regular frequency and broad distribution.

AUDITING BY WALKING AROUND

Surveys themselves won't provide all the information internal audit needs. In fact, using annual queries in isolation to get a feel for ethical culture is not very useful, Switzer says. "If you have a huge problem, you may find it, but you won't find the more subtle or complicated things."

That more nuanced insight requires what Zack calls "the walking around approach, talking with people." He adds: "The casual conversation that begins with, 'How are things going?' can lead to amazing insights if you let it."

That's true for small companies, too, Brady points out. "For internal audit to have a sense of the organization's culture, you have to do site visits," she says, "even if that's a 'department' visit."

And that's what Ethisphere's World's Most Ethical Companies are doing; the percentage of those companies conducting site visits jumped 28 points from 2016 to 2018, reflecting what the organization calls "a growing relationship between the compliance function and other control functions, like internal audit, that are regularly in the field." Indeed, the report that accompanies the Ethisphere listing notes that "more companies arm internal audit with questions to ask during site visits, collaborating more closely with HR and safety."

As part of Intel's annual plan, Dougher's team evaluates international site coverage to ensure it has the right balance of audits. "The audit program evaluates specific risk indicators — including factors such as growth, location, and spending — to understand any changes to the site to better understand if an audit should be performed," Dougher says. The site audit program includes interviews with all levels, he adds, "to help understand how ethics is interpreted and help management understand the site's culture." His team also has used site-level surveys — working with HR and legal on wording — to reinforce messaging, as well as open forums and workshops.

ON THE SAME PAGE

To help standardize information, Dougher says he partners with Intel's ELC program to ensure all parties are aware of each other's coverage. "Whether it is asking a site-specific question or evaluating a particular area, we want to ensure all parties are aligned ahead of time," he explains. To that end, Dougher says Intel has developed a standard test program and a standard set of questions internal auditors use to identify trends and talk about key points with management. The critical factor from his perspective is "ensuring the template is being used across each audit program and documented within our audit methodology."

Brady adds: "We all are interdependent." Part of risk assessment is looking at trends, she explains; internal auditors evaluate hotline data they receive from compliance and may ask why they keep hearing about conflicts of interest, or about a particular compliance issue. "Internal audit needs to make sure the issues are escalated," she comments, "and thoroughly investigated when necessary."

Moreover, trends in turnover statistics may prompt a conversation about a department — or an audit may reveal a potential HR concern — and the same applies to quality improvement. "We give feedback to HR, compliance, quality, and other functions when we identify trends or issues that affect them," Brady says. "That happens routinely."

Sometimes the ethics-related feedback is especially sensitive. A casual interview in an audit may turn up comments about, for example, sexual harassment, raising the question of how to appropriately use casual comments, body language, and other signals as data for assessing a situation and recommending responses.

"It comes down to people skills," Brady states. "We do our best to train auditors that when they hear something like that in an interview they should ask the next question: 'What do you mean by that?'" If that individual doesn't reveal anything else, she suggests asking others in the department if they have any concerns. "It's the best you can do," she says. "Ninety-five percent of the time, it's successful."

Zack adds: "Talking to people is an auditing and monitoring step that can be institutionalized. But there's also a certain percentage of using the information that's seat of the pants, what your gut tells you."

Only 38% of ethics, compliance, and legal professionals say senior leaders at their firms support disciplinary action against high performers guilty of misconduct, according to a 2019 LRN Corp. survey.

MAKE THE CONNECTION

Too often, what the gut says is, "mind your own business," Brady says. "I hear from a lot of internal auditors who say they'd never start a conversation about culture or diversity or corporate responsibility with their stakeholders because that's not their stakeholders' expectation of internal audit." Too many internal audit functions, she adds, remain "focused on 'check the box' compliance or financial audits, and don't realize that the important thing is to make sure their stakeholders are aware of all risks — not just the traditional ones."

Stakeholder underestimation needs to change, and the profession needs to change it. "It could be a good approach to link elements of audited programs to strategic objectives of the organization, including business performance," Zack suggests. When the compliance program is audited, for example, each underlying activity — training in a particular area, for example — could be sized up in part by asking, "How does that help the business? How does it contribute to the performance of the organization?"

Those links then need to be promoted. "We absolutely should talk about it more," Brady emphasizes, pointing again to the connection between business ethics and performance. "Stakeholders need to understand how important that is and, as chief audit executives, we need to make sure they understand that internal audit has a much broader perspective," she says. "We need to do more to get that point across."

RUSSELL A. JACKSON is a freelance writer based in West Hollywood, Calif.


RISK MANAGEMENT

IN LINE WITH RISK

Implementing a risk management program can better align an organization's risk profile with its overall strategy.

Dorina Hamzo

Risk management has evolved and grown since its inception in the mid-20th century, as evidenced by the introduction of methodologies such as The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management–Integrating With Strategy and Performance, the International Organization for Standardization's ISO 31000, and the Basel Accords. Yet, only 23% of respondents describe their risk management program as mature in the American Institute of Certified Public Accountants' 2019 The State of Risk Oversight, conducted jointly with North Carolina State's ERM Initiative. Additionally, the perceived level of maturity has declined over the past two years, and most organizations struggle to integrate their enterprise risk management (ERM) program with the strategy and objective-setting process.

Understanding and managing risk has tremendous benefits, as it helps organizations better prepare for the future. So why aren't ERM programs more mature and better accepted? Most likely it is because organizations do not know how to develop a program or because they do not embrace risk management.

The current way of thinking about this practice can be challenged to discover new ways of evolving it to more effectively manage strategic risk. My former organization developed and successfully implemented an ERM function, and I am currently using the same strategic program to build a function at Covetrus, an animal-health technology and services company. Building a systematic and strategic program at my former company was educational and rewarding, as it allowed my team and me to familiarize ourselves with many aspects of the organization.

WHERE TO BEGIN

Before establishing the program, my team and I identified key points of concern that needed to be addressed during implementation:
»» Risks were too generic to create measurable plans.
»» Issues and controls were not systematically mapped to risks.


»» It was difficult to quantify and qualify the impact to the organization.
»» Progress tracking of risk remediation plans was not well-documented.

The program implementation was then divided into three phases spanning several years.

PHASE 1: PILOT

During this phase, the team developed a detailed risk library and hierarchy that aligned with the organization's life cycle, mapped issues and controls to risks providing a real-time picture of the organization's risk profile, developed measurable remediation plans for the top risks, and implemented centralized reporting.

Participation in the risk program initially was limited to the internal audit, vendor due diligence, and compliance teams. Some of the key steps taken to complete this phase included:
»» Selecting an ERM standard. We decided on COSO's updated ERM framework.
»» Defining purpose, scope, roles, and responsibilities.
»» Formalizing a risk-rating methodology.
»» Developing a master risk library.
»» Documenting a process for identifying risks, assessing severity, implementing responses, tracking, and reporting.
»» Conducting initial risk assessments with critical areas.

The development of the risk library was vital, as it defined the program foundation and provided common terminology for all of the program participants. Over time, the team updated the library based on management feedback to customize it to the type of risks inherent to the organization. The team organized risks into a three-tiered hierarchy. At the top were the key enterprise risk areas, which follow the organization's life cycle (see "Enterprise Risk Areas" on page 33).

ENTERPRISE RISK AREAS

Governance
»» Corporate Governance
»» Ethics
»» External Factors
»» Corporate Responsibility & Sustainability

Strategy & Planning
»» Planning
»» Strategy
»» Mergers/Acquisitions/Divestitures

Infrastructure
»» Corporate Assets
»» Finance
»» Human Resources
»» IT
»» Legal

Innovation & Growth
»» Innovation, Research, and Development
»» Product Development
»» Sales, Marketing, and Communications

Operations
»» Intellectual Property Management
»» Product Life Cycle Management
»» System Development Life Cycle Management
»» Outsourcing
»» Offshoring
»» Supply Chain
»» Customer Contract Management
»» Customer Support

Compliance

Reporting

Underneath each enterprise risk area, there are intermediate risks that represent the subfunctions of that risk area. Within each intermediate risk, there are individual risks that are potential events that can impact that business area. The individual risks are linked to processes, objectives, key risk indicators, financial losses, mitigating controls, incidents, and findings (see "Risks, Controls, Issues, and Remediation Mapping" on page 35).

RISKS, CONTROLS, ISSUES, AND REMEDIATION MAPPING

Enterprise Risk Areas (Example: Human Resources)
→ Intermediate Level Risks (Examples: Benefits; Culture; Recruitment)
→ Risk Register Level Risks (Examples: Change management; Communication from management; Employee morale)
→ Controls → Control Exception → Remediation Plans / Exception Requests
→ Audit, Information Security, Compliance, and Patient Safety Issues → Remediation Plans / Exception Requests

Mapping the more than 900 internal controls and issues to each individual risk took the most time, but it was the most important step. Mapping processes provided further insight into the ratings, which often are subjective. More specifically, the occurrence of an issue increased the likelihood, while the presence of compliant internal controls decreased the likelihood, of one or more risks occurring.

After the completion of this phase, we realized that we tried to accomplish too much in too short a time. For example, we defined the end-to-end risk process while simultaneously automating it via our risk management system. Looking back, we should have operationalized the process before introducing a tool.

83% of financial organizations have an ERM program in place, up from 73% in 2017, according to Deloitte's 2019 Global Risk Management Survey.

PHASE 2: IMPLEMENT THE PROGRAM

During phase 2, my team and I developed a formal risk management policy, fine-tuned the process, expanded risk assessments across all divisions, and established a governance committee. The team also incorporated other key risk management functions under the umbrella of the ERM program to include business continuity, information security, legal, and patient safety teams.

The individual teams had their own governance committees, which were consolidated into a single governance, risk, and compliance team comprising executive leadership. This team met several times a year to discuss top risks and the status of remediation plans, and to escalate critical issues, as necessary.

Issue tracking from these key functions was consolidated into one consistent process and tool. This effort took one year, and we followed the same process for each team:
»» Conduct current state analysis of processes, people, and tools.
»» Normalize rating methodologies.
»» Migrate all open issues and implement a process for identifying and tracking issues and remediation plans in the ERM system.

To ensure accurate risk tagging for these issues, we configured the tool to route any new issues to the risk management team for approval. We used the review as a learning opportunity for both our team and the business where once a month we reviewed issues, related root causes, remediation plans, and impacted risks.

PHASE 3: INTEGRATE ERM WITH THE STRATEGY

Early in our process, we learned that a successful integration is dependent on the organization having a strategic approach for identifying, managing, and reporting on the strategy and objectives. Integration with the ERM program becomes just one of the steps in that process.

The integration process started with the definition of our risk appetite statements for each of the company objectives. For example:
»» Objective: Develop new products and attract new customers.
»» Risk Appetite: An organization will not make decisions that compromise its reputation by using defective new products that introduce security vulnerabilities and cause customer data breach.

Next, the leadership team identified projects or initiatives that supported the organization's objectives and strategy and included information such as opportunities, dependencies, resources, budget, and timeline. Coordination with the general and administration functions to discuss resource and budget needs, as well as any regulatory and compliance implications as a result of these projects, was necessary, as these dependencies could become risks to the objectives. This included human resources, legal, audit, and finance planning and forecasting teams.

The ERM team, partnering with leaders, identified additional risks at the project level. These risks were rated using the rating methodology and rolled up to the enterprise level. The prioritization and responses to the risks were aligned to the risk appetite statements. These statements also will guide the organization's response to emerging risks that surface throughout the year.

Collaborating and aligning to provide a consolidated view of risks is a habit of risk functions that fuel smarter risk taking, says PwC's 2019 Risk in Review study.

ORGANIZATIONAL ALIGNMENT

Throughout this program, the team learned to work more productively with the organization in order to be met with less resistance. From the start, we learned that discussions about risk without the right approach can be perceived as an attack and critical of the business.

As a result of this project, the team embraced a teaching and learning approach where we spend more time educating the organization about risk principles, which helped us better understand business and risks from the organization's perspective. Collectively, the organization became more aligned with its risk profile.

Internal auditors can make a difference if organizations overcome their giving-up point. By giving risk management a try and not waiting for a big event to happen that forces internal auditors to adopt risk management haphazardly, they are doing right by their organizations. Progress cannot be made through fear.

DORINA HAMZO, CISO, is vice president of internal audit at Covetrus in Portland, Maine.




IIA NORTH AMERICAN BOARD CHAIR

STEP FORWARD

IIA's 2019–2020 North American Board chair, BENITO YBARRA, says internal auditors can do more to enhance and protect organizational value.

Throughout my 20 years as a student and practitioner of internal auditing, I have seen the profession make strides toward achieving its full potential. However, there is still more to do. If the full scope of internal audit's work today is seen as ensuring the accuracy and reliability of information, opportunities to make a bigger difference and reach our potential are being squandered. Contemporary internal auditors must contribute to advancing the strategies and business practices of their organizations. Today's internal auditors also must be an example of integrity and a force that drives the kind of good, sound culture that is the foundation of successful enterprises (see "The Right Path" on page 24). In short, to operate at the highest levels of the business, internal audit must "Step Forward" — my theme


for my year as chair of The IIA's North American Board.

Three areas of opportunity for internal auditors to step forward fall under the headings of culture, courage, and conflict. There are still those practitioners who do not fully understand what the role of an internal auditor entails — or, if they do, they are unwilling or unable to take the necessary steps toward fulfilling that role. First, setting the right tone by conducting oneself with professionalism and competence is key — own the role unapologetically and without reservations. Second, some internal auditors lack the courage to make disruptive and strategic recommendations for improvement to management and the board. And, finally, some auditors are simply uncomfortable with conflict. They fail to understand that embracing conflict can help them produce better, more robust work.

I urge internal auditors who struggle in these areas at any level of the profession and in any type of organization to step forward and begin making a bigger difference for themselves, those they serve, and the profession.

CULTURE: DO WHAT'S RIGHT

It is part of internal audit's job to help drive a prevailing culture within the organization that is fair, healthy, effective, and focused on serving customers — an organization that one can trust. Securing a position of trust is not easy. When I accepted my current role as chief audit and compliance officer at the Texas Department of Transportation (TxDOT) in 2011, I was called on to improve the profile of the audit department and the organization. Immediately, my defense mechanism kicked in: Yes, I was responsible for how the audit department was perceived; no, I couldn't own responsibility for the organization's profile. In the end, I took on the challenge and, in partnership with my commission (board), initiated a program to elevate the focus on holding ourselves accountable, being transparent, and examining how and with whom the organization conducted its work.

One of the first steps, an external audit, identified noncompliance as well as some impropriety at an entity that did business with TxDOT. It would have been easy to call out the noncompliance, issue a report with recommendations, and be done with it. However, it was an opportunity to demonstrate that TxDOT was serious about its stewardship role. I positioned this to my audit committee chair as a chance for the organization to demonstrate that it was focused on driving honesty, integrity, and trust in its business relationships. Internal audit aligned with the board and executive leadership in formulating a strategy to anticipate and get ahead of any pushback from the entity's officials. In addition to meeting with the entity's leaders, I met with local officials and equipped TxDOT's board and executives with information to share with our state officials. It was uncharted territory, but we knew it was the right thing to do, and we did it. It was the beginning of improving the profile of the audit department and the organization.

To set course on such initiatives, internal auditors must be able to work strategically and operationally at all levels of the organization. That entails evaluating the business to understand how it could do things differently to better serve customers — how it can achieve goals at the same time as building trust and a more sustainable culture. Recommendations must be relevant and practical. Internal audit's oversight role puts it in a unique position to help the business in these ways.

Chief audit executives (CAEs) must engage their boards and advocate for internal audit by explaining its value to the organization. It is not always understood, for example, that internal audit is here to make things better. Even where


FROM THEN TO NOW

After graduating from the University of Texas in 1993, I expected to pursue a career in law. Instead, I decided to take a break from school and accepted a job collecting student loan payments at the Texas Guaranteed Student Loan Corp. I worked my way up to investigator and, eventually, to internal auditor. The investigator job reported to the internal auditor, who allowed me to work on an audit. I really loved that, especially interviewing people and learning about things that were considered confidential. It was so interesting to me being in that environment.

In 2006, I joined the technology solutions business Dell Inc., which had been focusing on improving its culture by "Winning With Integrity." Dell was using the internal audit department to drive change across the business. I was assigned to assist with the organization's first external quality assessment, including working on its first internal audit charter. It was a great learning experience to understand how a Fortune 50 company could rally around an internal audit initiative. Dell really did implement a world-class audit function, and I learned so much from that organization. I'd be remiss if I didn't mention Mike DeCaro, vice president of Corporate Audit at the time, who challenged me and everyone to be more than technically adequate, and to step forward and strive for excellence.

Joining the Texas Department of Transportation (TxDOT) in 2011 was an opportunity for me to help modernize an audit department and help it drive change in the business. Today, I oversee TxDOT's internal audit and compliance divisions, which are aimed at improving stewardship, risk management, accountability, and governance through value-driven audits, evaluations, investigations, and advisory services engagements.

During my more than 20-year career, I have served in various positions with the IIA–Austin Chapter, including as the 2006 president. I have been a member of The IIA's Professional Issues Committee, Publications Advisory Committee, and Public Sector Advisory Committee. I've served as vice chair of both content and professional development and as senior vice chair on the North American Board. Now, as chair of the North American Board, I also have a seat on The IIA's Global Board. I am a member of the American Center for Government Auditing, American Association of State Highway and Transportation Officials, and several other professional organizations. I am past chair of the Texas State Agency Internal Audit Forum. I have earned the Certified Internal Auditor, Certified Information Systems Auditor, Certified Fraud Examiner, and Certified Compliance and Ethics Professional designations.


STEP FORWARD

a good relationship exists, there may be opportunities to extend internal audit’s reach. For example, recently numerous accounts of harassment in the workplace have been brought to light. Few would instinctively think of internal audit as ideally positioned to help address such an important, culturally explosive issue. Instead, they would reach out to human resources or the legal department. But internal audit can act as the eyes and ears of the board on such sensitive issues and help gauge the culture in different parts of the enterprise. Every audit opens the door to understanding how business is conducted, but it also is an opportunity to understand the culture of those performing the work. Internal audit needs to step forward and ask questions to ensure it feels good about the organization’s health.

IT TAKES COURAGE
During my career, I’ve conducted many external quality assessments. Invariably, I request time with each member of the board to understand his or her knowledge of the CAE’s role. Their feedback often includes: CAEs do not communicate effectively; CAEs do not focus on matters that are important enough to rise to the board level; and the time CAEs have with the audit committee and their reporting executive manager is insufficient. These are indications CAEs are not stepping forward to make their value known, and their work is not perceived to be informing or advancing the success of the organization. Perhaps they do not understand their organizations as well as they should, or they are not fully engaged with how their organization’s leadership plans aim to achieve its strategic goals — issues that come up time and again in IIA research and surveys.

The North American Board has asked The IIA to focus on advocating for the internal audit/board relationship through the creation of tools and content that will help CAEs have the courage to step forward. In the meantime, CAEs can take it upon themselves to get to know individual board members and executives. CAEs need to understand the priorities of the entire board, not just the audit committee. It takes courage to ask for time with the board, but the context and perspective obtained from those conversations help make internal audit’s work meaningful.

More junior staff can step forward by spending constructive time with senior auditors. It can take courage to speak to CAEs for those just beginning their careers, but it will be worth the effort. Junior staff also should get involved with their professional organizations — The IIA has many local chapters and special interest groups. If these auditors are only learning from their companies, they are missing out on great ideas they can bring back to their teams.

EMBRACE CONFLICT
While it may sound counterintuitive, internal auditors should treat every engagement as an opportunity to deal with potential conflict. At TxDOT, for example, we deliberately include conflict in our audit processes and find it to be a powerful tool. For instance, when our audit teams explain their recommendations regarding an audit’s scope of work, or what testing they are planning, the internal audit management team is charged with challenging it. That puts the teams through a level of conflict that helps them support the work they want to do and the reasons they want to do it; and it can identify gaps and weaknesses to help make the audit work stronger. It also pushes the management team to put itself in the business owners’ shoes, which requires deep knowledge of the business and its leaders to be effective. My role is to challenge the management team by bringing a board and executive management perspective to the forefront. I ensure that the message we are delivering will matter, and that we account for potential organizational and political considerations.

We have such meetings at the planning, fieldwork, and reporting phases of each audit. This process prepares staff members to sell their ideas and value to our business partners — it helps everyone in the organization. It can be tough going through this process, but we remind our team that it is a safe environment, and it is orchestrated to help them deal with the conflict they will sometimes face out in the field. It would be a disservice to my team not to do so.

ENHANCING VALUE
I accept that a year is not a long time to effect all of the changes mentioned herein. At a minimum, I would like to hear more stories about internal auditors stepping forward and adding value to their organizations. I want to continue to push for a shift in the way publicly traded companies view and talk about the profession. But, most of all, I want auditors to understand that internal auditing is a noble and indispensable profession, and I urge them to have the courage to act accordingly.

MY YEAR AS CHAIR
During my year as IIA North American Board chair, my focus will be encouraging a renewed emphasis on helping internal auditors realize and appreciate that they are part of an indispensable profession. That entails providing IIA members with the tools they need to step forward in their organizations — to help them balance their often deep technical proficiency with the ability to instill confidence in their stakeholders that internal audit can make a difference at a strategic level and provide leadership.

In addition, in North America and globally, The IIA is striving to achieve concrete results from its advocacy work. We have been advocating, for example, for the U.S. Securities and Exchange Commission to require publicly traded companies to disclose whether they have an internal audit function. This is the first of many steps required to provide The IIA with the impetus to go further and begin a public discussion about what it means to be a professional internal auditor who follows the International Standards for the Professional Practice of Internal Auditing and the criticality of holding a Certified Internal Auditor designation.

I am also chairing an IIA group that is reviewing the committees of the North American Board to ensure our professional body is streamlined and fit-for-purpose. We are assessing whether each committee is still adding the value that we initially envisaged. The review most likely will lead to restructuring, change, and spirited discussions. When people are passionate about what they do, it is crucial that those involved can see the bigger picture and bring their considerable skills and talents to bear on the most relevant and strategic issues. So, we are looking at the North American committees as well as the relationships between that body and global committees under the One IIA initiative, which is aimed at achieving better uniformity of internal audit quality globally.

BENITO YBARRA, CIA, is chief audit and compliance officer at the Texas Department of Transportation in Austin.


ARTIFICIAL INTELLIGENCE

Bias in the Machine

Organizations that depend on artificial intelligence models must control for factors that could expose them to discrimination risk.

Allan Sammy
Illustration by Sandra Dionisi

Can artificial intelligence (AI) discriminate? That is what Facebook’s AI is accused of doing. In March, the U.S. Department of Housing and Urban Development (HUD) announced it was suing the social media company for violating the Fair Housing Act. HUD alleges that Facebook’s advertising system allowed advertisers to limit housing ads based on race, gender, and other characteristics. The agency also claims Facebook’s ad system discriminates against users even when advertisers did not choose to do so.

Although it has yet to be proven whether Facebook committed any deliberate discrimination, the result is still the same. “Using a computer to limit a person’s housing choices can be just as discriminatory as slamming a door in someone’s face,” HUD Secretary Ben Carson said in announcing the lawsuit.

Each day, machine learning and AI (ML/AI) models make decisions that affect the lives of millions of people. As these models become more integrated with everyday decision-making, organizations need to be increasingly vigilant of the risk created by potentially discriminatory algorithms.

But who within those organizations is responsible for ensuring the ML/AI model is making fair, unbiased decisions? The model developer should not be responsible, because internal control principles dictate that the persons who create a system cannot be impartial evaluators of that same system. The model’s users also should not be responsible, because they typically lack the expertise to evaluate an ML/AI model. Users also may not question a model that seems to be performing well. For example, if a predictive policing model leads to more arrests and less crime, users are not likely to question whether that system unfairly targets a particular group.

“Researchers raise alarm over use of artificial intelligence in immigration and refugee decision-making.” — Toronto Star, September 2018

Internal audit may be best suited to provide assurance to the board and senior management that the organization is mitigating the reputational, financial, and legal risks of implementing a biased ML/AI model. However, because this is a new assurance domain for the profession, auditors need a methodology for auditing the fairness of these models.

WHY MODELS NEED TO BE FAIR
An ML/AI model is a mathematical equation that uses data to produce a calculation such as a score, ranking, classification, or prediction. It is a specific set of instructions on how to analyze data to deliver a particular result — behavior, decision, action, or cause — to support a business process.

There are three main categories of analytic models. Descriptive models summarize large amounts of data into small bits of information that are easier for organizations to analyze and work with. Predictive models are more complex models used to identify patterns and correlations in data that can be used to predict future results. Prescriptive models enable data analysts to see how a decision today can create multiple future scenarios.

ML/AI models need to be fair and nondiscriminatory because the decisions they support can expose organizations to substantial risk if the classification criteria they use are unethical, illegal, or publicly unacceptable. Such criteria are referred to as inappropriate classification criteria (ICCs) and include race, gender, religion, sexual orientation, and age.

In assurance engagements regarding bias, internal auditors primarily will be concerned with a type of predictive model known as a classification model. This model is used to separate people into groups based on certain attributes that an organization can use to support decisions. Examples of these attributes include:
»» Identifying borrowers who are most likely to default on a loan.
»» Classifying employees as future high performers.
»» Selecting persons who are least likely to commit further crimes if granted probation.
»» Targeting consumers to receive special promotions or opportunities. In one case, the Communications Workers of America sued T-Mobile, Facebook, and a host of other companies, alleging that those companies discriminated by excluding older workers from seeing their job ads.

“Our machines are learning from this data. They are being taught through AI systems that in fact ‘Bélangers’ are more qualified than ‘Ben Saïds.’” — Montreal Gazette, December 2017

To provide assurance to management and the audit committee that the organization’s ML/AI model does not discriminate, auditors need to assess two things: 1) that the model does not benefit or penalize a certain classification of people; and 2) that if a classification is removed from the model, it still provides useful results.

Internal auditors can test for bias using a model fairness review methodology. This methodology comprises:
1. Understanding the model’s business purpose.
2. Working with the audit client to determine and identify ICCs. In this step, auditors also may discuss possible appropriate exogenous variables (see “Controlling for Exogenous Variables” on this page).
3. Selecting a large sample — or the entire data set — of input data and classification results.
4. Conducting statistical analysis of the results to determine whether distribution of ICCs is within acceptable parameters.
5. Discussing initial results with the client.
6. Removing ICCs and re-running the classification model. Auditors also can replace ICCs with uniform values depending on the nature of the model.
7. Comparing distribution of ICCs before and after removal.

Automated decision systems could be regulated by the U.S. Federal Trade Commission to identify bias and privacy risks under a new Senate bill, the Algorithmic Accountability Act.

CONTROLLING FOR EXOGENOUS VARIABLES
Often, despite the best efforts to eliminate it, discrimination creeps into an organization’s analytic models through external data that has a systemic bias, thus exposing the organization to risk. Appropriate exogenous variables (AEV) are variables that provide appropriate classification criteria but have been subject to external systemic bias that has not been detected. An example of AEVs would be the credit score for individuals from minority communities or salary information for women.

Fortunately, analytic models can be used to control for this bias. For example, after controlling for gender differences in industry, occupation, education, age, job tenure, province of residence, marital status, and union status, an 8% wage gap persists between men and women in Canada, according to a February 2018 Maclean’s article. It is a relatively simple exercise to adjust the salary variable in a classification model by +8% for female subjects.

A BIAS AUDIT
As an example of how internal auditors can use this methodology, consider a marketing department at a credit card company that used a classification model to determine which customers should be given a discount. The data used for the model is half women and half men. Management wanted assurance that this model was not exposing the organization to potential liability by discriminating against either group.

Internal audit met with Marketing and confirmed that it used the model to select customers for preferred rates. These preferred rates are substantially lower than the rates offered to customers in general. After reviewing the information used by the model, internal audit noted these variables:
»» Customer ID (metadata — not used as a variable).
»» Surname (ICC).
»» Credit score.
»» Geography (ICC).
»» Gender (ICC).
»» Age (ICC).
»» Tenure.
»» Balance.
»» Number of products.
»» Has credit card.
»» Estimated salary.

“Software programs that use police records to predict crime hot spots may result in police unfairly targeting low-income and minority communities, a new study shows.” — Science News, March 2017

In some cases, a variable may be an ICC for one type of model but not for another. For example, gender is an appropriate classification criterion for a clothing company promotion but not for a loan approval. Age may be appropriate in a health-care model but not in an applicant screening.

In the marketing example, internal audit analyzed the initial results of the classification model and observed that 35% of customers were classified as good candidates. However:
»» 50% of men and 20% of women were classified as good candidates.
»» 6% of customers over 50 were classified as good candidates.
»» 1% of women over 50 were classified as good candidates.

Internal audit discussed the initial classification results with the marketing department to determine whether there are business reasons for the observed result and if those reasons are valid, defensible, and nondiscriminatory to mitigate the risk of legal liability. Based on this discussion, internal audit removed the identified ICC from the input data and re-ran the classification model.

In reporting the results to Marketing, internal audit noted the model was producing useful results. The results showed that 45% of customers were classified as good candidates, a finding with which Marketing concurred. However:
»» 50% of men and 40% of women were classified as good candidates.
»» 21% of customers over 50 were classified as good candidates.
»» 10% of women over 50 were classified as good candidates.

Internal auditors noted that the model appears to be biased against groups such as women and people over 50, which is likely the result of exogenous variables. Auditors recommended that Marketing adjust its model to compensate for these variables.

NEW MODELS, OLD RISKS
Although the subject of bias in analytic models may be unfamiliar to internal auditors, their risk management role in this domain is crucial. Bias introduces an unacceptable risk to any organization regardless of where that bias originates. A decision made by an organization’s analytic model is a decision made by that entity’s senior management team. Internal audit can help management by providing risk-based and objective assurance, advice, and insight. As such, auditors should learn and adapt their methods to meet the challenges organizations face in adopting AI.

ALLAN SAMMY, CIA, CPA, is the director, Data Science and Audit Analytics, at Canada Post in Ottawa.

TO COMMENT on this article, EMAIL the author at allan.sammy@theiia.org

VISIT our mobile app + InternalAuditor.org to view a video series on auditing artificial intelligence.
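The seven-step model fairness review and the credit card marketing case that illustrates it can be scripted so that steps 4, 6 and 7 are repeatable. What follows is an added example written for this article, not the author's or Canada Post's code: it builds a constructed customer file with the variables listed in the marketing case, runs a hypothetical stand-in classification model that deliberately lets gender and age leak into its score, reports the selection rate per ICC group, neutralizes the ICCs with uniform values (the step 6 variant the article mentions), and compares the two distributions. The stand-in model, the sample values, the group definitions and the 0.8 ratio used as the "acceptable parameter" (the four-fifths rule of thumb) are all assumptions; the article leaves the threshold to the auditor.

```python
"""Model fairness review: selection rates by ICC group with the ICCs present and
with the ICCs neutralized. Added example; model and data are hypothetical stand-ins."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List
import random


@dataclass(frozen=True)
class Customer:
    # Fields follow the variable list in the marketing case.
    customer_id: int          # metadata, never fed to the model
    surname: str              # ICC
    credit_score: int
    geography: str            # ICC
    gender: str               # ICC
    age: int                  # ICC
    tenure: int
    balance: float
    num_products: int
    has_credit_card: bool
    estimated_salary: float


# Step 2 outcome: the ICCs, with the uniform values that replace them in step 6.
ICC_NEUTRAL_VALUES = {"surname": "", "geography": "", "gender": "", "age": 40}


def build_sample(n: int = 5000, seed: int = 7) -> List[Customer]:
    """Step 3: a constructed data set (not real customer records), half women, half men."""
    rng = random.Random(seed)
    return [
        Customer(
            customer_id=i,
            surname=rng.choice(["Smith", "Tremblay", "Nguyen", "Singh"]),
            credit_score=rng.randint(500, 850),
            geography=rng.choice(["ON", "QC", "BC"]),
            gender="F" if i % 2 == 0 else "M",
            age=rng.randint(21, 70),
            tenure=rng.randint(0, 10),
            balance=rng.uniform(0.0, 50_000.0),
            num_products=rng.randint(1, 4),
            has_credit_card=rng.random() < 0.7,
            estimated_salary=rng.uniform(30_000.0, 150_000.0),
        )
        for i in range(n)
    ]


def marketing_model(c: Customer) -> bool:
    """Hypothetical stand-in for the audited classification model: True means
    'good candidate' for preferred rates. Two ICCs deliberately leak into the
    score, which is the kind of defect the review is meant to surface."""
    score = (c.credit_score - 650) / 50.0 + 0.2 * c.tenure + 0.3 * c.num_products
    score += 2.5 if c.gender == "M" else 0.0   # gender leak
    score -= 3.0 if c.age > 50 else 0.0        # age leak
    return score > 2.0


def neutralize_iccs(c: Customer) -> Customer:
    """Step 6 ('replace ICCs with uniform values'): every row gets identical ICC
    values, so the ICCs cannot influence the classification."""
    return replace(c, **ICC_NEUTRAL_VALUES)


# Step 4: the ICC groups whose selection rates are compared.
GROUPS: Dict[str, Callable[[Customer], bool]] = {
    "men": lambda c: c.gender == "M",
    "women": lambda c: c.gender == "F",
    "over 50": lambda c: c.age > 50,
    "women over 50": lambda c: c.gender == "F" and c.age > 50,
}


def selection_rates(rows: List[Customer], decisions: List[bool]) -> Dict[str, float]:
    """Share classified as good candidates, overall and per group. Membership is
    taken from the ORIGINAL rows so the before and after runs are comparable (step 7)."""
    rates = {"overall": sum(decisions) / len(decisions)}
    for name, is_member in GROUPS.items():
        picked = [d for c, d in zip(rows, decisions) if is_member(c)]
        rates[name] = sum(picked) / len(picked) if picked else 0.0
    return rates


def flagged_groups(rates: Dict[str, float], tolerance: float = 0.8) -> List[str]:
    """Groups selected at less than `tolerance` x the overall rate. The 0.8 ratio
    is an assumed 'acceptable parameter' (the four-fifths rule of thumb)."""
    limit = tolerance * rates["overall"]
    return [g for g, r in rates.items() if g != "overall" and r < limit]


def fairness_review(rows: List[Customer], model=marketing_model, tolerance: float = 0.8):
    """Steps 4-7: rates with ICCs present, rates with ICCs neutralized, and the
    groups outside tolerance in each run."""
    before = selection_rates(rows, [model(c) for c in rows])
    after = selection_rates(rows, [model(neutralize_iccs(c)) for c in rows])
    return {
        "before": before,
        "after": after,
        "flagged_before": flagged_groups(before, tolerance),
        "flagged_after": flagged_groups(after, tolerance),
    }


if __name__ == "__main__":
    result = fairness_review(build_sample())
    for run in ("before", "after"):
        print(run, {k: f"{v:.0%}" for k, v in result[run].items()}, "flagged:", result[f"flagged_{run}"])
```

With the ICCs present, women, customers over 50 and women over 50 are selected at well under 0.8 of the overall rate, while men are selected well above it; after neutralization every group sits close to the overall rate and the overall rate is still around half of customers, which is the article's second test, that the model "still provides useful results" once the classification is removed. On a real engagement, marketing_model would be a call into the production model and build_sample the sample or full data set drawn in step 3; the group membership must always come from the original rows, otherwise neutralizing gender and age would erase the very groups being compared.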

PCAOB INSPECTIONS

Areas of Deficiency

To inform the audit committee on external audit quality, internal auditors need to be familiar with the PCAOB inspection process and recurring findings.

Elena Isaacson
Heather Losi
Douglas M. Boyle

The U.S. Public Company Accounting Oversight Board (PCAOB) is responding to audit committee requests for more information about PCAOB audit focus areas, stated board member Duane DesParte at the 2018 AICPA Conference on Current SEC and PCAOB Developments in Washington, D.C. Internal auditors are in a unique position to support audit committees in understanding and monitoring these key areas. Internal auditors with a solid understanding of PCAOB expectations and findings can advise audit committees, which have primary oversight responsibility for external audit quality and ensuring the independence and objectivity of the audit firm.

THE PCAOB INSPECTION PROCESS
The U.S. Sarbanes-Oxley Act of 2002 formed the PCAOB, creating an independent auditor oversight institution to protect investors, provide reliable financial reporting, and improve audit quality. The PCAOB performs annual inspections of large audit firms and triennial inspections of small audit firms. A report is issued after every inspection that includes a public portion and, if required, a nonpublic portion.

The public portion describes any significant audit deficiencies and is published on the PCAOB website. Examples of significant audit deficiencies include failure to perform required audit procedures, failure to recognize and address generally accepted accounting principles misapplications, and insufficient testing of the design and operating effectiveness of selected controls. After an inspection, an audit firm may have to modify its audit opinion or prompt the company to issue restated financial statements.

The nonpublic portion of the report addresses deficiencies in the system of quality control. It may include the firm’s procedures for assuring independence, the tone at the top, or the firm’s internal inspection program. The nonpublic portion of the inspection report becomes public if an audit firm fails to remedy the required quality control deficiencies within 12 months of the report being issued. According to the Center for Audit Quality’s (CAQ’s) Guide to PCAOB Inspections, the remediation steps that a firm takes depend on the type of underlying quality control issues identified by the PCAOB. Remediation examples include changing the firm’s audit procedure manuals and additional training. The PCAOB expects larger firms with complex audits to conduct an analysis of the causes of any identified issues, and adapt their remediation measures to the results of that examination. The CAQ Guide can be helpful to internal auditors by providing guidance on remediation steps and root cause analyses.

The PCAOB currently is revising the risk-based selection process of audit engagements, which procedures to perform, and how to assess a firm’s quality control system and culture, as well as changing the nature, timing, and extent of inspection procedures. In addition, the PCAOB will focus on timeliness and relevance of inspection reports, which will aid investor and audit committee decision-making. Some changes will be implemented as early as the 2019 inspection cycle, said George Botic, PCAOB director of the Division of Registration and Inspections, during a Dec. 12, 2018, speech.

INSPECTION FINDINGS
The three most frequently recurring audit deficiency areas are assessing and responding to risks of material misstatement, auditing internal control over financial reporting (ICFR), and auditing accounting estimates, including fair value measurements (see “PCAOB Audit Deficiency Examples” on page 49), Botic said. The PCAOB highlighted these deficiencies in its 2018 Staff Inspection Brief, Staff Preview of 2018 Inspection Observations, released in May 2019.

PCAOB enforcements involving auditors and audit firms declined 63% in 2018 compared to 2017, the lowest since 2013, according to Cornerstone Research’s Regulatory Actions Involving Accountants.

PCAOB AUDIT DEFICIENCY EXAMPLES

Audit deficiency area: Assessing and responding to risks of material misstatement
Noncompliance with:
»» AS 2301: The Auditor’s Responses to the Risks of Material Misstatement
»» AS 2810: Evaluating Audit Results
Audit deficiency examples:
»» The auditor did not perform substantive procedures, including tests of details that were responsive to the assessed fraud and other significant risks.
»» The auditor did not consider relevant audit evidence that seemed to contradict certain assertions in the financial statements.
»» The auditor did not sufficiently evaluate the presentation of the financial statements, including the accuracy and completeness of the disclosures.

Audit deficiency area: Auditing internal control over financial reporting
Noncompliance with:
»» AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements
Audit deficiency examples:
»» Some auditors did not assess the nature and relevance of the procedures performed by management during the review.
»» Some auditors did not appropriately exercise professional skepticism when testing controls, placing reliance on management inquiry.
»» The auditor did not attain a sufficient understanding of potential misstatement sources.
»» Some auditors did not adequately examine the controls over completeness and accuracy of system-generated data or reports used in the operation of those controls.

Audit deficiency area: Auditing accounting estimates, including fair value measurements
Noncompliance with:
»» AS 2501: Auditing Accounting Estimates
Audit deficiency examples:
»» Some auditors did not fully understand how estimates were established.
»» Some auditors did not adequately test the significant inputs and assess the significant assumptions used by management.

Key Deficiency 1 — Assessing and Responding to Risks of Material Misstatement
Deficiencies related to assessing and responding to risks of material misstatement result in noncompliance with PCAOB Audit Standard (AS) 2301: The Auditor’s Responses to the Risks of Material Misstatement and AS 2810: Evaluating Audit Results. The PCAOB’s 2017 Staff Inspection Brief, Preview of Observations from 2016 Inspections of Auditors of Issuers, notes that some selected firms were not performing substantive tests robust enough to thoroughly assess fraud risk and other risk factors. The 2017 Inspection Brief specifically mentions risk regarding revenue recognition. The 2018 Inspection Brief highlights the need to test the entire revenue transaction, including comparing company-prepared invoices with related contractual obligations and product/service delivery and testing invoice amounts to revenue recognition. Firms should presume there is fraud risk associated with revenue and evaluate accordingly. Audit procedures should be designed and performed to address the assessed risks of material misstatement for each relevant assertion of each significant account and disclosure (AS 2301.08). AS 2301.09 emphasizes that when designing the audit procedures, the auditor should:
»» Acquire more persuasive audit evidence the higher the auditor’s assessment of risk.
»» Consider the types of potential misstatements that could result from the identified risks and the likelihood and magnitude of potential misstatement.
»» In an integrated audit, plan the testing of controls to accomplish the objectives of both audits simultaneously to obtain sufficient evidence to support the auditor’s control risk assessments for purposes of the audit of financial statements and to support the auditor’s opinion on ICFR as of year-end.

Some inspections yielded cases where the presentation of the financial statements and completeness of disclosures were not fully evaluated. AS 2810.03 requires external auditors to consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements, when forming an opinion on the fairness of financial statements.

Internal auditors should work closely with audit committee members to address recurring audit deficiencies by creating and monitoring procedures to ensure appropriate tone at the top, auditor independence, risk assessment of material misstatement, and accounting estimates.

Key Deficiency 2 — Auditing ICFR
Deficiencies in this area result in noncompliance with AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements. They stem from insufficient testing of estimates related to revenue, business combinations, asset impairments, and reserves. External auditors need to exercise an appropriate amount of skepticism, as the 2017 Inspection Brief notes that firms tend to rely too much on management explanation, exhibit bias toward controls being effective, and incorrectly match control testing with control objectives.

The 2018 Inspection Brief describes instances where external auditors inadequately tested the design and operating effectiveness of controls, or did not select controls for testing that addressed the specific risks of material misstatement.

AS 2201 establishes a risk-based approach to the audit of internal control. The auditing standard is intended to emphasize the most important matters in the audit of internal control and avoid procedures that are unnecessary to an effective audit. When choosing controls for testing, the external auditor should investigate controls that are imperative to his or her conclusion about whether the company’s controls appropriately address the assessed risk of misstatement to each relevant assertion (AS 2201.39). In addition, AS 2201.42 recommends examining the design effectiveness of controls by verifying whether the company’s controls satisfy the control objectives and can effectively prevent or detect errors or fraud. The external auditor should obtain persuasive evidence that demonstrates control effectiveness. As risk increases, so should the obtained evidence.

Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control Over Financial Reporting presents the application of certain requirements of AS 2201 and PCAOB standards to audits of internal control. This alert offers guidance on the topics of:
»» External auditors’ risk assessment and the audit of internal control.
»» Selecting controls to test.
»» Requirements for testing management review controls.
»» IT considerations, such as system-generated data.
»» Roll-forward of control testing performed at an interim date.
»» Using the work of others.
»» Evaluating control deficiencies.

Internal auditors possess overall knowledge and understanding of an organization’s policies and procedures and are a resource for external audit engagement teams. Internal auditors can assist external auditors in gaining an in-depth understanding of organization processes, transactions, and controls.

Key Deficiency 3 — Auditing Accounting Estimates, Including Fair Value Measurements
Deficiencies related to auditing accounting estimates result in noncompliance with AS 2501: Auditing Accounting Estimates. These deficiencies are generally associated with evaluating impairment analyses for goodwill and other long-lived assets, and the valuations of assets and liabilities attained in business combinations. Other instances of auditing deficiencies observed in the 2017 and 2018 Inspection Briefs include revenue-related estimates and reserves, allowance for loan and lease losses, inventory reserves, and financial instruments. The findings demonstrate that the external auditors did not fully understand how estimates were established or did not adequately test the significant inputs and assess the significant assumptions used by management. The 2018 Inspection Brief recognizes that developing these estimates involves unobservable inputs, complex valuation models, and subjective judgments; therefore, external auditors should exercise professional skepticism and involve senior members of the team throughout the audit engagement.

In 2018, more than two in three final PCAOB enforcement actions involved engagement quality reviews, according to Cornerstone Research’s Regulatory Actions Involving Accountants.

AS 2501: Auditing Accounting Estimates offers guidance on obtaining and evaluating appropriate evidence to support significant accounting estimates in financial statements. AS 2501.03 highlights management’s responsibility to make the accounting estimates based on subjective and objective factors. Consequently, management’s judgment is required for accounting estimates. This judgment depends on knowledge and experience, as well as assumptions about current and future conditions and courses of action. AS 2501.05 holds management accountable for creating a process for preparing accounting estimates. While the process may not be documented or formally applied, certain steps should be considered:
»» Recognize when accounting estimates are required.
»» Identify factors that may affect the accounting estimate.
»» Accumulate relevant, sufficient, and reliable data on which to base the estimate.
»» Develop assumptions that represent management’s judgment of the most likely conditions and events with respect to relevant factors.
»» Calculate the estimated amount based on the assumptions and other relevant factors.
»» Determine that the accounting estimate is presented in conformity with applicable accounting principles and that disclosure is adequate.

According to the PCAOB Inspections Outlook for 2019, inspectors are focusing on the design and operating effectiveness of firms’ systems of quality control, assessing and monitoring compliance with independence requirements, and evaluating the audit procedures firms use to identify cyber risks. In 2019, the PCAOB will look at the use and development of firm software audit tools to consider whether firms are using these tools effectively and applying due care, including professional skepticism. It also will assess auditors’ responses to risks associated with digital assets, such as cryptocurrencies, initial coin offerings, and use of distributed ledger technology. In addition, the PCAOB will focus on client acceptance and retention decisions, resource management, and planned audit procedures.

Revenue recognition is identified as an area of concern in all deficiency areas, so firms need to pay particular attention to assessing risk related to revenue, designing tests of revenue control, and evaluating revenue estimates. Business combinations also are a recurring item appearing under internal control testing deficiencies as an area affected by economic risk and a financial reporting concern. The 2017 Inspection Brief says that firms need to go beyond management inquiry by testing controls related to other controls, gaining an understanding of the basis of client estimates, and using professional skepticism.

The 2018 Inspection Brief also reports that some audit firms failed to communicate to audit committees significant risks and changes to those risks. Strong communication with external auditors can help audit committee members recognize “the external and company-specific factors considered by the auditor in assessing whether all significant risks have been identified,” as well as assist audit committees in exercising their oversight roles. Internal auditors should take part in communication with the audit committee, as well as external auditors, on any identified PCAOB deficiencies to ensure that all parties involved in the audit engagement have a clear understanding regarding remediation actions.

INTERNAL AUDITOR AS ADVISOR
The audit committee has a joint oversight role with the PCAOB when it comes to audit quality and engaging in dialogue concerning deficiencies and the PCAOB inspection process. It needs to understand the PCAOB’s recurring audit deficiency findings when fulfilling its supervision responsibility for audit quality and ensuring the independence and objectivity of the external audit firm. Internal auditors with sound knowledge of this process can inform and advise the audit committee in this area so it can better fulfill this role.

ELENA ISAACSON is an accounting instructor at Siena College in Loudonville, N.Y.
HEATHER LOSI, CPA, is visiting assistant professor at the State University of New York at Oswego.
DOUGLAS M. BOYLE, DBA, CPA, CMA, is accounting department chair and associate professor at the University of Scranton in Penn.

TO COMMENT on this article, EMAIL the authors at elena.isaacson@theiia.org
JUNE 2019 INTERNAL AUDITOR 51


Don’t manage RISK—
Manage VALUE

Marinus de Pooter

RISK MANAGEMENT

Changing risk standards pave the way for organizations to bring their experts together to pursue opportunities and cope with threats.

Risk management’s traditional focus on adversity is changing. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2017 Enterprise Risk Management (ERM)–Integrating With Strategy and Performance framework now refers to risk holistically as “the possibility that events will occur and affect the achievement of strategy and business objectives.” With “adversely” removed from the definition, a risk is no longer something that must be prevented from happening. In addition, the framework no longer speaks of risk management as a separate process, but defines it in terms of “culture, capabilities, and practices.”

The updated COSO ERM framework and the International Organization for Standardization’s ISO 31000: Risk Management standard present great opportunities to replace the term risk management with value management. According to both standards, managing risk is all about creating and protecting value. However, they retain the term risk management.

Business activities always involve uncertainty. To increase success, leadership teams have to take advantage of opportunities and limit threats. Ultimately, they want to increase the certainty they will achieve their objectives and will not get what they do not want. For that reason, organizations need a pragmatic approach to keep key stakeholders satisfied by realizing value for them.

The value management approach offers intriguing opportunities for internal auditors because it focuses on the quality of decision-making within the organization. Internal audit can help the organization by assessing to what extent decision-makers possess the right competence and integrity to reconcile dilemmas caused by the conflicting interests of stakeholders.

BECOMING FUTURE-PROOF
Being future-proof requires an organization to continually create and protect value for its core stakeholders. However, terms such as value, result, success, and improvement only gain substance through the meaning that stakeholders attach to them. Stakeholders look at an organization from their own perspective. Based on their interests, they find certain things valuable such as innovation, punctuality, privacy, safety, compliance, integrity, efficiency, and continuity.

Future viability is about anticipating what might happen. The leadership team wants to know where the


organization is expected to end up and to what extent this differs from what the organization’s core stakeholders expect. Is the organization on the right track? Or is there a real chance that it will not achieve its objectives? In that case, is the organization taking appropriate measures? Conversely, the organization may be exceeding expectations, because it is able to deal well with uncertainty.

BRINGING EXPERTS TOGETHER
Strategic, tactical, and operational decisions imply making choices and balancing potential pros and cons. Working standards and methods are intended to guide the decision-makers in the right direction. Determining these rules is the domain of specialized departments such as business continuity, compliance, control, information security, privacy, quality, and safety. Typically, all these functions conduct risk assessments, build control frameworks, and produce management reports, which easily can lead to functional silos and value destruction in practice.

Conventional risk management is a flawed concept (see “Value Management and Internal Audit” on page 55). Instead of having a separate program, function, or committee for managing risks, organizations should focus on connecting the functional experts. Generating and preserving value is dependent on these specialists collaborating to assist decision-makers at all levels with seizing opportunities and limiting threats. As an independent advisor, internal audit can help reduce organizational complexity and silo-thinking.

To connect the experts effectively, leadership teams should seek answers to five key questions. These basic business questions are the building blocks for the practical analyses that leaders can carry out for a separate business process, project, department, branch, division, value chain, or the entire organization.

Answering each of these questions requires making choices and balancing opportunities and threats. For example, implementing extensive control frameworks (part of the “how” question) may send the message to those involved that they have flawed judgment or lack integrity. Internal audit should independently assess to what extent leaders answer the questions satisfactorily.

Who Can Decide? Value management hinges on the effectiveness of governance: Who is authorized to make which choices? This applies to allocating resources both to daily operations and continuous transformation. The individual responsible for achieving formulated objectives also should be able to decide how best to deal with relevant opportunities and threats. This can be done by optimizing the associated business processes and controls.

A prominent and practical issue concerns the mandate of the experts in the organization’s staff departments. To what extent are they allowed to prescribe working standards to their colleagues or are they only expected to provide advice? How does the leadership team ensure that the staff specialists keep the line managers in focus? On the other hand, how can leaders prevent the experts from exaggeration caused by enthusiasm? An example is information security specialists who produce unworkable policies and procedures.

What Do We Do? Each leadership team benefits from having an integrated overview of the clustered activities of everyone involved within their entity. This structured summary of current tasks shows the organization’s common playing field. The overview of managerial, primary, and supporting processes provides insight into all relevant transaction flows and volumes. It also forms the basis for the IT application landscape for processing the transactions. Hence, it is the foundation for information management, business intelligence, and forecasting. Do those in charge have the right information for making balanced decisions? The advantages of better insight into who does what are evident in initiatives such as integration projects.

Why Do We Do What We Do? The organization’s success is determined by the extent to which its core stakeholders are satisfied. They are primarily interested in how the leadership team’s performance affects their interests. That is why the stakeholder analysis is essential. If all goes well, the team’s ambitions fit in with the value that the organization wants to create and protect for specific stakeholders. This value is expressed in the organization’s mission, vision, and strategy, and is translated into concrete success factors, objectives, and indicators. Using clear tolerances for the key indicators and preparing regular forecasts provide ample input for timely adjustment. If the estimated outcomes are not within the bandwidths, the two options are to adjust the controls or to inform key stakeholders that they must accept revised tolerances.

How Do We Do What We Do? To apply judgment, decision-makers need a framework and rules such as working standards and methods. The practical details of these rules are laid down in charters, policies, guidelines, procedures, protocols, and work instructions.


59% of finance executives say the volume and complexity of risks have mostly
changed over the past five years, reports The State of Risk Oversight survey by AICPA and the ERM Initiative.

VALUE MANAGEMENT AND INTERNAL AUDIT


Embracing the value management approach is different from advocating conventional risk
management practices. Here are examples of what will change for internal auditors:
»» Instead of focusing on the organization’s biggest vulnerabilities, internal audit holistically
focuses on assessing the quality of management. Decisions made when planning, executing,
monitoring, and improving business activities always have potential positive and negative
effects on the interests of key stakeholders.
»» Instead of believing the organization should have a separate risk management process,
function, or system, internal audit focuses on the organization’s capabilities to become
future-proof. Propagating lots of separate risk terms, such as risk manager, risk culture, risk
appetite, and risk report, may not lead to the realization of business objectives.
»» Instead of seeking to assess whether what COSO’s 2017 ERM framework calls the second
line of accountability fulfills its responsibilities for overseeing performance and confor-
mance, internal audit assesses the competence and integrity of decision-makers at all levels
of the organization.
»» Instead of unilaterally focusing on money, internal audit recognizes that value implies more
than cash, profit, stock price, and dividend. Key stakeholders have different interests and
attach value to divergent matters.
»» Instead of embracing in-control statements oriented to the past, internal audit realizes that
the key question is to what extent decision-makers at all levels of the organization are capa-
ble of creating and preserving value for key stakeholders in the future.
»» Instead of assuming that the future is makeable and perfectible through risk analyses, risk
and control matrices, and control testing, internal audit acknowledges that the world is
volatile, unpredictable, complex, and ambiguous, requiring a considerable degree of agility
and flexibility.
»» Instead of assuming that risk management should be a separate item on the agenda for
team meetings, internal audit emphasizes that each of the items is about effectively dealing
with opportunities and threats.

Clear working arrangements streamline decision-making, facilitate work hand-off among colleagues, and provide a clear reference for audits. The “how” question is about autonomy. For example, to what extent are subsidiaries allowed to make their own rules?

The decisive factor in the “how” is the organization’s culture. Is it characterized by managers setting the examples? Are decision-makers willing to face the possible consequences of their choices? Is it acceptable to challenge the assumptions in overly ambitious plans?

What Can We Improve? A continuous improvement program helps the leadership team focus on what really matters. When asked about the “best improvements,” people typically mention situations where the risk exposure is bigger or the chance taking is smaller than desired. The necessary improvements are usually about better designing, implementing, applying, and monitoring the organization’s working methods and standards. These renovations explicitly deal with the competencies of those involved — not only their professional knowledge and skills, but especially their personal leadership qualities.

A continuous improvement program can enable the team to identify, prioritize, and realize improvement initiatives. The better the information management is and the more that employees feel free to report issues, the sooner trends can be identified.

VALUE FOR STAKEHOLDERS
Conventional risk management can easily turn into a separate, illusory, and compliance-driven system. Alternatively, value management is an integrated approach that can give leadership teams a single platform for all common types of management. It can help decision-makers identify, prioritize, and realize relevant improvements that are needed to satisfy their core stakeholders.

MARINUS DE POOTER, CIA, CMA, CFM, CRMA, is owner of MdP | Management, Consulting & Training in Deurne, Netherlands.


Board Perspectives
BY MATT KELLY

BOARD PROBLEMS
With stakeholders’ growing emphasis on corporate culture, boards could benefit from ethics expertise.

Audit committees have a problem: They have too many problems. More precisely, they have too many types of problem — too many types of corporate misconduct to consider these days, because the definition of misconduct has expanded dramatically in the last 15 years.

That raises questions about the expertise audit committees need, and whether corporate boards have enough of it. Quite simply, if society wants corporations to exercise a sharper sense of ethics and moral responsibility, do we need more ethics and compliance officers serving on boards?

“It’s undeniably true,” says David Greenberg, former chief compliance officer (CCO) at tobacco manufacturer Altria and an audit committee member of International Seaways, a New York Stock Exchange-traded oil and gas tanker business. The definitions of corporate misconduct are expanding, he says, and the consequences of it are deepening. “Put those two things together, and it’s a recipe for needing more of that experience.”

A recent regulatory enforcement example demonstrates the point. Cognizant Technologies, an IT outsourcing firm, had been accused of violating the U.S. Foreign Corrupt Practices Act when two of its senior executives orchestrated a US$2 million bribe to government officials in India. The involvement of two senior executives would typically leave Cognizant unable to avoid criminal prosecution, according to U.S. Department of Justice (DOJ) policy. Yet when regulators settled the case in February, the DOJ did decline to bring any criminal charges. Prosecutors later said why: “The company voluntarily self-disclosed the conduct within two weeks of when the company’s board learned of it.”

Confessing egregious corporate misconduct is unquestionably the right thing to do. Still, confession is a big request — especially when doing so invites potentially serious legal and financial consequences, such as monetary penalties or a corporate criminal charge. So Cognizant’s decision to disclose its trouble immediately, without any certainty of favorable treatment, is all the more impressive.

Where did that ethical commitment come from? It’s worth noting that Cognizant’s audit committee chair at the time was Maureen Breakiron-Evans, who worked as general auditor of Cigna in the 2000s. Also on the committee was Leo Mackay, head of ethics and internal audit at Lockheed Martin. Both still serve on Cognizant’s board.

Beyond Financial Expertise
Under the U.S. Sarbanes-Oxley Act of 2002, the audit committee of a publicly traded firm needs at least


one designated “financial expert” to help the audit committee police against financial fraud. When the act was passed, that might have been enough of a kick in the corporate rear to take internal control more seriously. Today, a strong control environment has become much more important, to address all sorts of issues. Regulators don’t just want swift corrective action; they want strong preventive action. Customers, business partners, or even self-appointed social justice warriors prowling Twitter — all want to see ethical culture taken seriously, translated into tangible policies, controls, and actions.

“A true auditor on the board, or a true employee relations or corporate compliance person, is important because what’s falling to the audit committee to investigate — it’s gone way beyond what audit committee charters originally said,” says Owen Bailitz, a former risk management and audit quality partner with RSM, who now serves on the audit committee of the American Board of Medical Specialties. “You’re basically expanding the definition of risk.”

Audit executives could perceive all of this as a virtuous circle. Yes, data analytics captures data about business process outputs, to identify anomalous events or excessive risks. Those insights let directors draw conclusions about how the enterprise is working. We still need the other half of the circle: using those insights to change policy, procedure, and culture, so business processes can stay within ethical parameters more easily. That’s the improvement society wants to see.

“Across stakeholders, there’s been more engagement with boards on this discussion. Ethics and culture are topics that are relevant to the full board and every committee of the board,” says Tracy Atkinson, audit committee chair of defense and aerospace systems provider Raytheon Co. “Having someone who lives and breathes this on the board adds to the dialogue in a new way.” Atkinson would know; she is executive vice president and CCO at financial services company State Street Corp.

We see that increased engagement in various ways. For example, the Edelman Trust Barometer, which surveys more than 33,000 people worldwide about their trust in institutions, recently found that 76% say their employers should “take the lead on change” for issues such as sexual harassment, the environment, and discrimination. And 71% said it’s critical for their CEO to respond to challenging issues.

Then there are regulatory pressures. For example, a board might find itself saddled with a corporate integrity agreement where the audit or risk committee has to certify compliance with the terms. Having a compliance or internal control expert on the board would make that an easier exercise.

Those are examples at the macro level. At the micro level, chief audit executives (CAEs) have this: The Politics of Internal Auditing, a 2016 IIA study, found that 55% of audit executives had been asked to suppress unwanted findings during their career. That tells us two things. First, that internal audit executives are well-acquainted with the threats of bad ethical culture; and second, that CAEs would be well-suited to serve on boards someday — because they (like CCOs) have seen poor ethical behavior up close, and it’s their job to uncover and eradicate bad behavior anyway, whatever the consequences.

That skill, of identifying the ethically correct step, taking it, and defending it, will only become more important. As Greenberg says, questions about disclosing misconduct, and whether voluntary disclosure is worth it, can be quite difficult. “You need people with some experience to overcome that.”

Meanwhile, the Reality
As desirable as ethics, audit, and compliance perspective on the board might be, practical limitations abound. Boards are still desperate to recruit women and minorities; some jurisdictions now require specific quotas for female directors. Boards also are desperate for cybersecurity expertise. And yes, foremost, boards want to recruit current or former CEOs, chief financial officers, and chief operations officers — people who understand the intersection of strategy, operations, and finance. That leaves few open seats for other governance expertise. So boards might not rush to the idea of recruiting CAEs or CCOs, unless they’re particularly committed to foresight. As Bailitz put it: “You need to have a change of mindset among the chairpersons of these boards, to say, ‘We lack this expertise, and it’s something we need.’”

The push for cybersecurity expertise is a good parallel. Most executives, audit committee members included, understand cybersecurity at a reasonable level — what it is, why it’s important, and what it should achieve. But they don’t understand how to assess it, improve it, or weave it through all of an organization’s operations. Only a cybersecurity expert does.

Ethical culture is a lot like that, Atkinson says. Boards might believe they can master ethics and culture because it seems like a nontechnical issue, but introducing an audit or compliance executive can sharpen the board’s perspective in new ways. “It’s a mindset,” she says. “Having compliance and ethics as your subject matter domain, and bringing that to the board, further serves to emphasize” where ethics and the control environment might need attention.

So will boards put more audit and compliance professionals on the audit committee or even some other board committee? Will recruiters start calling CAEs and CCOs? That’s hard to say, but it’s not just self-interest for CAEs to want that to happen. This is what the future of boardroom problems looks like, and the future has a habit of arriving eventually.

MATT KELLY is editor and CEO of Radical Compliance in Boston.




Insights/The Mind of Jacka
BY J. MICHAEL JACKA

AUDITOR, AUDIT THYSELF
Practitioners need to turn audit techniques on themselves and examine their department’s culture.

How many times have you heard someone ask, “Who audits the auditors?” It’s a question frequently posed to practitioners, and for many of us there is a ready answer: “We go through an external assessment every five years to attest that we conform with the International Standards for the Professional Practice of Internal Auditing.”

That’s all well and good, and worthy of the associated bragging rights. But the audit department that assumes the pursuit of audit quality ends with conformance is fooling itself, its audit staff, and its organization. Conformance with the Standards should be considered a given — the audit department that wants to be seen as a trusted advisor and an invaluable stakeholder resource must hold itself to an even higher standard. The best way to achieve that is to turn audit techniques on our own operations — review our efficiencies and effectiveness; ensure we understand the risks to our objectives; and evaluate how well our strategies, objectives, and controls work together toward success.

There may be no more impactful place to start than taking a good, hard look at the culture within the department. Organizational culture is a major topic for board members, executives, and other stakeholders — it is the foundation for success and at the root of almost anything that goes wrong.

Internal audit is not immune. Success for an internal audit department relies on any number of elements, but foundationally sustained success cannot be achieved without the hallmarks of a healthy culture, including honesty, open communication, accountability (at all levels), and trust.

I have worked with audit departments that bragged about having “passed” their external quality assessment review, but subsequently learned through private conversations about the auditors’ discontent, disaffection, and distrust. The auditors reveal they don’t get the support they need, they cannot be honest with those in charge, they work in an atmosphere of negative competition, and, overall, they are working in an unhealthy environment.

Internal audit leaders should take steps to ensure their rose-colored perception of the department’s culture is real. If they conduct employee satisfaction surveys, the results should be taken seriously, not dismissed as the feedback of a few malcontents. Human resources should be used as a partner to better understand what is really going on in the department. But most importantly, leadership should be willing to talk with the staff. If audit leaders think such discussions will not provide real information, or if they are convinced it is a waste of time, then, yes, there is a problem.

And one final note. If you are not in a position of authority but find yourself in a toxic culture, you can choose to live in pain or just escape. However, the more courageous tack may be to step forward, pointing out the deadly practices potentially destroying the department.

J. MICHAEL JACKA, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.


Eye on Business

THE HEALTHY CORPORATE CULTURE
CAEs increasingly are being asked to assess, monitor, and report on the health of the organization’s culture.

CHARMIAN SIMMONS, Risk Market Development Manager, Refinitiv
ESI AKINOSHO, Principal, Global Advisory Internal Audit Leader, Ernst & Young LLP

How does an organization develop and maintain a healthy corporate culture?
SIMMONS Implementing a clear mission and company values sets the tone and messaging from the top, and specifying the organization’s desired risk culture in a way that aligns with these values helps solidify the corporate culture. Establishing a collaborative, open communication approach creates a comfortable work environment and is the best way to maintain a culture where people feel valued, respected, and empowered to offer ideas and make good decisions. Having a leadership team that believes in this approach, lives the mission/values, and knows what employees value contributes to an atmosphere where ideas are celebrated and rewarded, which can lead to a more efficient and productive organization.
AKINOSHO First, we need to define a healthy culture. A healthy corporate culture is a) connected to the company’s purpose and strategy; b) positive, inspiring, and engaging for employees who live it, customers who experience it, and shareholders who realize returns from it; and c) strong, consistent around the world, and not overly dependent on the effectiveness of a local leader. Developing a healthy corporate culture takes time, focus, and direction from leadership, as well as level support from key functions to help champion that desired culture. A top-down and bottom-up approach is key in not only the development of a healthy culture, but also in sustaining and fostering changes in it.

What are the top risks to a healthy corporate culture?
AKINOSHO Risk culture connects the overall organizational culture to specific behaviors set along a defined risk framework. It speaks to culture in terms of the three lines of defense and guides how leadership monitors and responds to cultural stress and the risks of an unhealthy culture. Risks relating to corporate culture include a degraded tone at the top, lack of accountability, and minimized transparency. Cultural stress often takes the form of compliance issues, control failures, audit issues, or poor employee performance, and the typical root cause is often a breakdown in trust. Trust can be the biggest risk or asset to a healthy corporate culture, and the erosion of trust can be hard to control and even harder to earn back. By aligning the corporate culture and pulling certain cultural levers, trust can become the driving force for creating a shared vision and turning that vision into value.
SIMMONS First and foremost is culture risk, itself. Well-known corporate scandals related to harassment, fake accounts, accounting errors, and misconduct often are symptoms of culture


TO COMMENT on this article,
EMAIL the author at editor@theiia.org

issues and heighten the profile of culture risk as a growing liability for organizations. Culture risk management should be treated as an integrated process of oversight and monitoring that addresses strategy, performance, and risk, and aligns company values, goals, behaviors, and systems with favorable impacts both internally and externally. Other top risks that can affect a healthy corporate culture include financial, operational, market, and reputation risks. The particulars of each risk, such as ranking, priority, and specific factors, will vary by company/industry/geography and by the awareness level of underlying problems, mitigations, and ongoing monitoring. Some symptoms and behaviors that influence these risks include financial underperformance, inconsistencies in business/personnel performance, communication that leads to misunderstanding, unhealthy comparisons and gossip, demoralized employees, customer backlash, and the feeling of destroyed value.

What are the indicators of a weak or failing corporate culture?

SIMMONS Indicators can be broadly classified into top-down and bottom-up. Indicators from a top-down business perspective include inconsistent financial and operational success and being perceived by the public and personnel as not conducting business activities with honesty and integrity. From a bottom-up personnel perspective, indicators may include lack of motivation; overwhelming frustration, such as fear of retaliation in speaking out, not being listened to, or pressured to meet unrealistic internal deadlines; poor customer relations; pending investigations; lack of efficiency or ideas; and lack of innovation. These indicators may be noticed by management, personnel, and internal audit, though one must be open and conditioned to seeing the signs to be receptive to raising the matter and taking active and visible action.

AKINOSHO A weak culture can be characterized by inconsistent programs that deviate from the common goal and vision. Functional groups, including internal audit, that have different strategic objectives or have pockets of opposing forces will create stress within an organization’s operating model and increase the risk of compliance issues, failure to adhere to policies, and internal control breakdowns. Lack of leadership or misaligned tone at the top can hold an organization back and put it at risk for cultural issues. Today, many of these issues are coming to light in very public settings, which is why boards and audit committees are turning to internal auditors, the third line of defense for culture risk management, for insight.

What should a formal culture risk management program look like?

AKINOSHO A formal culture risk management program is embedded throughout all three lines of defense, with the first line implementing the mechanisms to drive culture, the second line taking responsibility for defining the risk culture framework and monitoring effectiveness, and the third line performing independent culture assessments to monitor culture throughout the execution of the audit plan.

SIMMONS Recent incidents and news headlines linked to “problematic culture” lead me to say there is no one-size-fits-all program; however, a culture risk management framework should comprise certain key elements that cover all aspects of culture and can be improved and measured over time. First, governance — the mission, values, ethics, policy, board, leadership, strategy, behaviors, and a common understanding of what’s expected. Second, relationships — transparent, honest, and nonthreatening leadership, communications, collaborations, and accountability. Third, environment — the workplace provides for comfortable, productive, inspired, responsive, innovative, rewarded, trusted, engaged employees and supports organizational effectiveness. Fourth, motivation — a fair values system exists surrounding performance, incentive, reward, continuous learning, and clarity of purpose.

How does a dynamic, agile workplace affect corporate culture?

SIMMONS One affects the other and impacts the success of both. Many organizations want to be more agile to respond to the demands of customers, the digital economy, and rapidly changing marketplaces; however, most don’t appear to have the culture to support this. Being dynamic and agile means being able to quickly and easily adapt to constant change. A workplace environment like this needs to balance the mindset of change with tools, systems, and processes that support an agile approach and allow the four key culture elements mentioned previously to thrive and positively influence behaviors around cooperation, fast decision-making, experimentation, innovation, empowerment, sustainability, and effective cross-functional teamwork.

AKINOSHO As companies adopt more dynamic and agile approaches and workplaces, they must be aware that the shifting operating models and transient nature of the workforce will have an impact on culture and can even present new risks. When unsuccessfully implemented, an agile operating model can cause a lack of vision or uncertainty in objectives for employees. This cultural stress will work against the achievement of objectives and strategy. Alternatively, an agile workplace can strengthen and foster an existing healthy culture and better advance the people agenda in areas such as development, employee retention, and workforce management.





IIA Calendar

CONFERENCES (www.theiia.org/conferences)

JULY 7–10: International Conference, Anaheim Convention Center, Anaheim, CA
AUG. 12–14: Governance, Risk & Control Conference, The Diplomat, Fort Lauderdale, FL
SEPT. 16–17: Environmental, Health & Safety Exchange, Washington Hilton, Washington, DC
SEPT. 16–17: Financial Services Exchange, Washington Hilton, Washington, DC
SEPT. 18: Women in Internal Audit Leadership Forum, Washington Hilton, Washington, DC
SEPT. 20–22: Internal Audit Student Exchange, Rosen Centre Hotel, Orlando, FL
OCT. 21–23: All Star Conference, MGM Grand, Las Vegas

TRAINING (www.theiia.org/training)

JUNE 3–12: Critical Thinking in the Audit Process, Online
JUNE 3–14: CIA Exam Preparation — Part 1: Essentials of Internal Auditing, Online
JUNE 4–7: Multiple Courses, New Orleans
JUNE 17–26: Building a Sustainable Quality Program, Online
JUNE 18–21: Tools & Techniques III: Audit Manager, St. Louis
JUNE 18–26: CIA Exam Preparation — Parts 1, 2, & 3, Lake Mary, FL
JUNE 24–27: Vision University, Boston
JULY 8–19: CIA Exam Preparation — Part 3: Business Knowledge for Internal Auditing, Online
JULY 15–24: Cybersecurity Auditing in an Unsecure World, Online
JULY 16–19: Multiple Courses, Orlando
JULY 30–AUG. 2: Multiple Courses, Denver
AUG. 6–9: Multiple Courses, Los Angeles
AUG. 6–15: Enterprise Risk Management: A Driver for Organizational Success, Online
AUG. 12–21: Audit Report Writing, Online
AUG. 13–16: Multiple Courses, Chicago
AUG. 13–22: Operational Auditing: Influencing Positive Change, Online
AUG. 19–28: Critical Thinking in the Audit Process, Online

THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events



Insights/In My Opinion
TO COMMENT on this article,
EMAIL the author at solomon.simutowe@theiia.org

BY SOLOMON CHIEF SIMUTOWE

VALUE THROUGH QUANTIFICATION

Showing the net benefits of implementing audit recommendations can be a great service to clients.

A review of publicly available internal audit reports shows that most include qualitative assessments of value addition, even where quantitative assessments seem possible or advantageous. In fact, some audit reports show that an assessment of the audit recommendations’ net benefits had not been performed at all. Without a quantitative assessment, in many instances auditors cannot be certain their recommendations add rather than destroy value.

While qualitative assessments are useful for analyzing simple issues, they could be misleading if used for complex, high-risk, or novel situations. Internal auditors should quantify recommendations applied to these types of areas — especially when aimed at improving processes or aligning with best practices. Without quantification, auditors run the risk that seemingly beneficial audit recommendations may in fact be ill-advised. By using a qualitative assessment, especially one that is not adequately documented, an auditor could miss interdependencies and ignore relevant costs, thereby overstating net benefits. For example, consider a recommendation intended to improve transaction processing efficiency through a system enhancement. On the surface, such a recommendation would appear to create value. But what if, over the lifetime of the system, estimates of benefits associated with processing-time savings totaled less than the cost of implementing and maintaining the enhancement? This drawback would not be apparent without quantification of net benefits.

Quantification also provides an effective way of getting buy-in from audit clients. Often, client inertia or resistance increases if recommendations provide questionable or unconvincing value. Clients may raise legitimate concerns about why they should dedicate scarce resources to recommendations whose value is unclear. By demonstrating quantitatively that the value addition is positive, audit client buy-in would be more forthcoming.

Additionally, quantification can help auditors provide assurance when recommendations involve uncharted waters for clients. In other words, audit recommendations may involve changes in areas that are unfamiliar to the client, such as new business processes or initiatives. Gaining reliable insight into the real net benefits can be difficult using only qualitative assessments, making quantitative data in such instances a near imperative.

Lastly, with quantified net benefits of their recommendations, auditors can better demonstrate the value of their work by tracking benefits realized post-implementation. Auditors could harvest the quantified data showing the individual or aggregated impacts of their recommendations on processes, functional areas, or whole entities.

Under the right circumstances, a strong case exists for demonstrating the value of audit recommendations quantitatively. When used appropriately, quantification can shine a bright light on audit benefits, rather than leaving clients in the dark.

SOLOMON CHIEF SIMUTOWE, CIA, CRMA, CISA, FCCA, is a senior internal auditor at an international organization in The Hague, Netherlands.



