Majalah IA Dec2018 PDF

DECEMBER 2018 A PUBLICATION OF THE IIA
INTERNAL AUDITOR
Right-sizing Internal Audit

The Rise of Artificial
DECEMBER 2018
Intelligence and Robotics

Blowing the Whistle
on Corruption
An Innovative Audit Internship
SMALL AUDIT FUNCTIONS
SMALL BUT SAVVY

INTERNALAUDITOR.ORG
Audit functions of limited size

work to get the most out of their technology,
providing maximum value to stakeholders.
Meet your challenges
when they’re still
opportunities.
RSM and our global network of Risk Advisory

consultants specialize in working with middle
market companies. This focus leads to custom
insights designed just for your specific challenges.
Our experience, combined with yours, helps you
move forward with confidence to reach even
higher goals.
rsmus.com/riskadvisory
RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. Visit rsmus.com/aboutus for more information regarding RSM US LLP and
RSM International.
A transforming
moment for
internal audit
Technology and an ever-accelerating
pace of change present internal audit
groups with unprecedented challenges.
These challenges present internal audit teams the
opportunity to transform their place in the organization.
The transformation journey begins with a solid road
map to reimagine, validate, mobilize, and execute.
To learn more, visit crowe.com/iatransform.
Audit / Tax / Advisory / Risk / Performance crowe.com/iatransform
Visit www.crowe.com/disclosure for more information about Crowe LLP, its subsidiaries, and Crowe Global. © 2018 Crowe LLP. RISK-19001-002I
Updated – Aligned – Focused
As the only globally recognized certification for internal audit, the Certified Internal Auditor® (CIA®) is
changing. If you’ve been putting off earning your CIA, it’s time to take a fresh look at this important
step toward validating your knowledge, skills, and ability to carry out professional responsibilities for
any audit, anywhere.
Improve your credibility and proficiency. Learn more.

www.theiia.org/CIA
2018-1608 CERT-CIA Full Page Ad - Dec.indd 1 11/2/18 3:35 PM

DECEMBER   2018   VOLUME LXXV: VI
F E AT U R E S
24 COVER Small But Tech Savvy Audit functions with limited resources are maximizing
stakeholder value by making the most of their technology. BY ARTHUR PIPER
31 6 Steps to Right-size Internal Audit more than $1 billion since 2011.  

With the right benchmarking measures, CAEs BY DANIEL GAYDON AND DOUGLAS M. BOYLE
can effectively size their internal audit depart-
ments. BY STEPHEN SHELTON 51 Breaking Free of Mental Traps Internal
auditors can take steps to avoid overthinking
36 The Rise of Automation Emerging   that can impact audits and service to clients.  
technologies such as AI present a host of risks, BY MURRAY D. WOLFE
and opportunities, for auditors to consider.  
BY MICHAEL ROSE, ETHAN ROJHANI, AND 56 Real-world Education A university and
VIVEK RODRIGUES health-care company partnered to create an
internal audit internship program that equips
43 Penalizing Corruption The U.S. SEC’s students to hit the ground running.  
Whistleblower Program has fined companies BY RINA M. HIRSCH
DOWNLOAD the Ia app on the

App Store and on Google Play!
FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org

The innovation imperative
Forging internal audit’s path
to the future
Internal Audit groups most engaged in innovation are those
most likely to have strong organizational impact and influence.
That’s just one of the insights from our second global survey
of internal audit leaders. Find out what internal audit can do to
stay ahead of disruption and forge a path to the future.
Learn more at www.deloitte.com/globalcaesurvey
.
Copyright © 2018 Deloitte Development LLC. All rights reserved.
DECEMBER   2018   VOLUME LXXV: VI
D E PA R T M E N T S
PRACTICES INSIGHTS
10 Update Leaders missing 60 Governance Perspectives
the mark on strategic threats; Launching a small audit func-
digital initiatives rise to boards’ tion takes patience and focus.
agenda; and directors focused
on what they know. 63 The Mind of Jacka Few
organizations will pay a pre-
14 Back to Basics Aligning mium for internal audit.
R&R audits with objectives.
64 Eye on Business Boards
17 ITAudit Blockchain’s chal- are taking a closer look at
lenges and opportunities. culture.
7 Editor’s Note 20 Risk Watch Auditors 68 In My Opinion Auditors

should assess oversight of should contribute to the collec-
8 Reader Forum transformative projects. tive public good.
67 Calendar 22 Fraud Findings A comp-

troller steals $4 million to
fund a new business venture.
O N L I N E InternalAuditor.org
Crimes of the Century Mining Processes An addi-
Internal Auditor takes a look tion to the toolkit can give
back at some of the most infa- internal auditors a clear pic-
mous corporate frauds of the ture of business processes.
21st century.
An Injection of Fraud A
T.DALLAS / SHUTTERSTOCK.COM; BOTTOM: NITO / SHUTTERSTOCK.COM
Small But Significant health-care CEO pleads guilty

Watch the CAE at a nonprofit to scheming to pay physicians
COVER: ILLUSTRATION BY GARY HOVLAND; THIS PAGE, TOP:
insurance provider explain for unnecessary treatments.

how technology and unique Auditors need to look out for
strategies have helped her medical fraud disguised as
small audit function succeed. legitimate care.
Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations.
Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2018 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer
Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. CANADA POST
INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The
Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.
Mission Critical Thinking
EXPLORE IMPERATIVE QUESTIONS, DISCOVER ESSENTIAL ANSWERS.
In this significantly restructured version, Sawyer’s Internal Auditing: Enhancing and Protecting Organizational Value,
7th Edition, 10 internal audit thought leaders tackle the challenges of defining what it takes to fulfill internal audit’s
mission of enhancing and protecting organization value. In short, Sawyer’s is universally considered the single most
important resource to help internal auditors of all levels and sectors think critically about changes in the environment
and business landscape, as well as the evolution of the audit plan and services that internal audit must develop and
deliver. Sawyer’s is critical to delivering the mission of internal audit.
Think critically, then fulfill your mission.

Pre-order Today! * www.theiia.org/Sawyers
* Ships early January 2019.
Editor’s Note
THE SMART, SMALL

INTERNAL AUDIT FUNCTION
A
t an IIA Audit Executive Center CAE roundtable discussion early this
year, some participants shook their heads when asked what it would take
to make their audit functions more innovative. Participants said they
didn’t have the resources to even consider innovating. However, Jim
Pelletier, IIA vice president of Professional Standards and Knowledge and Inter-
nalAuditor.org’s innovation blogger, told them they should not consider lack of
resources a roadblock to innovating, as it only takes one person to think differently
and challenge the status quo.
Approximately one-fourth of North American IIA members are full-time
employees of small (one- to five-person) audit functions, according to The IIA’s
2018 Member Needs Survey. In this month’s cover story, “Small But Tech Savvy”
(page 24), CAEs of small functions discuss how they are using technology cre-
atively, efficiently, and cost effectively. “Through innovative techniques and keen
attention to stakeholder needs, many small audit functions are making the most of
the technology tools at their disposal,” author Arthur Piper writes.
Innovation and flexibility go hand in hand. “With limited resources comes
limited time, but small audit functions must maintain flexibility when events occur
that are outside the scope of the audit plan,” writes Justin Stroud, who was brought
in as Western Reserve Group’s one-person audit department nearly four years ago
(see “Governance Perspectives” on page 60). “Having laser focus and a detailed
game plan can help squeeze in work that can add value to the organization.”
And small audit departments have been known to do great things! In this
month’s “Fraud Findings” (page 22), read how a lone internal auditor worked with
a forensic investigator to uncover a nearly $4 million embezzlement — no small feat.
So, here’s to the small but mighty audit function, the men and women who
work tirelessly to enhance and protect organizational value. These small teams are
succeeding through agility and innovation.
@AMillage on Twitter
DECEMBER 2018 INTERNAL AUDITOR 7

Reader Forum
WE WANT TO HEAR FROM YOU! Let us know what you think of this issue.
Reach us via email at [email protected]. Letters may be edited for clarity and length.
COSO for Technology is a core technology component of

Implementation IT infrastructure that Microsoft uses
Paul Sobel’s article makes The Commit- for the management of users, devices,
tee of Sponsoring Organizations of the sub-domains, etc., and is considered
Treadway Commission’s Enterprise Risk the Microsoft implementation of
Management–Integrating With Strategy Lightweight Directory Access Protocol
and Performance easy to absorb. I agree (LDAP). While organizations use both
that this is the framework in which to AD and LDAP to drive logical access
consider failure risks for IT projects control, it is not directly used for physi-
required to implement corporate strate- cal access controls, unless it is paired
gic direction. Corporate strategy execu- with physical access devices that vali-
tion these days often relies on successful date against it.
technology implementation. So, this is KARIM MERALI comments on Manoj
Renaming the Profession an internal audit and board-level issue. Satnaliwala’s “Don’t Overlook Physical
Access” (October 2018).
I like the idea of internal assurance ser- ROBERT MCKEEMAN comments on
vice, Mike. A few of the departments I Paul Sobel’s “In Any Kind of Weather” Author’s Response: Thanks for high-
(October 2018).
work with use global assurance services, lighting this oversight. The statement was
but I prefer keeping the word “internal” Active Directory vs. HR Database out of context and should have read, “For
in the name. Should we open a can of I found Manoj Satnaliwala’s article a example, many organizations use Active
worms and expand our thinking beyond decent, high-level discussion on the Directory to validate an employee’s access
assurance and consider the other roles topic of physical access. However, credentials in real time.” The idea was to
that internal audit performs for many he made a rather serious misstate- highlight the integration and automation
companies such as compliance, risk ment with his reference to Active of the processes and connect to one source
management, or quality assurance? Directory (AD) as a human resources for a true Active Directory.
RAVEN CATLIN comments on the
database. For one, it should have been
“From the Mind of Jacka” blog post, called Microsoft Active Directory, VISIT InternalAuditor.org
“Internal Audit by Any Other Name” which would likely have prevented the for the latest blogs
(InternalAuditor.org). faux pas. Microsoft Active Directory
CONTRIBUTING EDITORS Jorge Gonzalez, cia, cisa Sonia Thomas, crma CONTA CT INFORMA TION
Wade Cassels, cia, ccsa, crma, cfe Nancy Haig, cia, cfe, ccsa, crma Stephen Tiley, cia ADVERTISING
Kayla Flanders, cia, crma Daniel Helming, cia, cpa Robert Venczel, cia, crma, cisa [email protected]
J. Michael Jacka, cia, cpcu, cfe, cpa Karin L. Hill, cia, cgap, crma Curtis Verschoor, cia, cpa, cfe
Steve Mar, cfsa, cisa
+1-407-937-1109; fax +1-407-937-1101
J. Michael Jacka, cia, cpcu, cfe, cpa David Weiss, cia
Bryant Richards, cia, crma Sandra Kasahara, cia, cpa Scott White, cia, cfsa, crma SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES
DECEMBER 2018 James Roth, phd, cia, ccsa, crma Michael Levy, cia, crma, cisa, cissp Rodney Wright, cia, cpa, cfsa [email protected]
VOLUME LXXV: VI Charlie Wright, cia, cpa, cisa +1-407-937-1111; fax +1-407-937-1101
Merek Lipson, cia Benito Ybarra, cia
EDITOR IN CHIEF Thomas Luccock, cia, cpa EDITORIAL
Anne Millage EDITORIAL ADVISORY BOARD Michael Marinaccio, cia IIA PRESIDENT AND CEO David Salierno, [email protected]
MANAGING EDITOR Dennis Applegate, cia, cpa, cma, cfe Alyssa G. Martin, cpa Richard F. Chambers, cia, +1-407-937-1233; fax +1-407-937-1101
David Salierno Lal Balkaran, cia, fcpa, fcga, fcma Dennis McGuffie, cpa qial, cgap, ccsa, crma PERMISSIONS AND REPRINTS
ASSOCIATE MANAGING Mark Brinkley, cia, cfsa, crma Stephen Minder, cia [email protected]
EDITOR Robin Altia Brown Jack Murray, Jr., cba, crp IIA CHAIRMAN OF THE BOARD +1-407-937-1232; fax +1-407-937-1101
Tim McCollum Adil Buhariwalla, cia, crma, cfe, fca Hans Nieuwlands, cia, ra, ccsa, cgap Naohiro Mouri, cia, cpa WRITER’S GUIDELINES
SENIOR EDITOR Wade Cassels, cia, ccsa, crma, cfe Manish Pathak, ca InternalAuditor.org (click on “Writer’s Guidelines”)
Shannon Steffee Faizal Chaudhury, cpa, cgma Bryant Richards, cia, crma
ART DIRECTION Daniel J. Clemens, cia Jeffrey Ridley, cia, fcis, fiia Authorization to photocopy is granted to users registered with the
Yacinski Design Michael Cox, fiia(nz), at Marshall Romney, phd, cpa, cfe Copyright Clearance Center (CCC) Transactional Reporting Service,
PRODUCTION MANAGER Dominic Daher, jd, llm James Roth, phd, cia, ccsa provided that the current fee is paid directly to CCC, 222 Rosewood
Gretchen Gorfine Haylee Deniston, cpa Katherine Shamai, cia, ca, cfe, crma Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor
Kayla Flanders, cia, crma Debora Shelton, cia, crma cannot accept responsibility for claims made by its advertisers, although
James Fox, cia, cfe Laura Soileau, cia, crma PUBLISHED BY THE staff would like to hear from readers who have concerns regarding
Peter Francis, cia Jerry Strawser, phd, cpa INSTITUTE OF INTERNAL advertisements that appear.
Michael Garvey, cia Glenn Sumners, phd, cia, cpa, crma AUDITORS INC.
8 INTERNAL AUDITOR DECEMBER 2018

Featuring
Internal Auditor Blogs
Voices with viewpoints on the profession
In addition to our award-winning publication content, we are proud to feature four thought-
provoking blogs written by audit leaders. Each blog explores relevant topics affecting today’s
internal auditors at every level and area of this vast and varied field.
Chambers on From the Solutions Points of View

the Profession: Mind of Jacka: by Soileau: by Pelletier:
Seasoned Creative Thinking Advice for Insights and

Reflections on for Times Daily Audit Innovations
Relevant Issues of Change Challenges From an Insider
READ ALL OF OUR BLOGS. Visit InternalAuditor.org.
2017-1087 PUB-Ia Blog Generic Mag Ad-FNLcrx.indd 1 1/22/18 3:09 PM

Nations’ money-laundering risks rise… Directors lack innovation focus…
Adopting emerging technology… Boards unprepared for digital challenges.
Update
AUDIT HOT
SPOTS
Chief audit executives are

highly confident in internal
audit’s ability to provide
assurance in five risk areas.
58%
Data privacy
55%
Third parties
53% MISSING THE MARK Many CEOs and board

members are underestimating
Cybersecurity ON STRATEGIC reputation and culture risks in
51% THREATS their organizations.
A
Data governance
lmost all CEO (95 percent) and how threats are interconnected,” explains
45%
Culture
board member (97 percent) respon-
dents to a recent survey expect
Chuck Saia, CEO of Deloitte Risk and
Financial Advisory.
their organizations will face serious Deloitte surveyed 400 CEOs and board
threats or disruptions to growth in the next members from U.S. organizations with
Source: Gartner, 2019 Audit Plan two to three years. Yet, Deloitte’s Illuminat- $1 billion or more in annual revenue about
IMAGES: TOP, T.DALLAS / SHUTTERSTOCK.COM;
Hot Spots Report

LEFT, T VECTOR ICONS / SHUTTERSTOCK.COM
ing a Path Forward on Strategic Risk survey brand and reputation, culture, cyber risk
reports that many are not effectively priori- and technology, and the extended enter-
tizing the strategic planning and investing prise. Respondents say the greatest threats to
needed to address critical risks. growth are new disruptive technologies, cyber
“Leaders know there are threats on the incidents, extended enterprise/third parties,
horizon, but many are not viewing or man- erosion of brand reputation, and weak orga-
aging them strategically or understanding nizational culture.
FOR THE LATEST AUDIT-RELATED HEADLINES follow us on Twitter @TheIIA

Practices/Update
The report notes that CEOs and boards To help determine an organization’s
are focusing on digital transformation and strategic risk preparedness, organizations
disruptive technologies. However, they aren’t should ask questions such as: Is management
as concerned about protecting their brand receiving the information it needs to under-
and reputation. Only half of board members stand and address strategic risk? What steps
and 42 percent of CEOs have discussed are being taken to proactively address these
reputational risk in the last year. risks? — S. STEFFEE
CORRUPTION RISK RUNS

HIGH WORLDWIDE
Governance index shows
increased vulnerability to
money laundering. 37 %
OF BUSINESS
M
EXECUTIVES AT
ost countries are making little SMALL AND MID-
progress toward ending cor- SIZED COMPANIES
ruption, according to the Basel say their organization
Institute on Governance’s annual received an email request-
assessment of money-laundering risk. ing payment from someone
pretending to be a senior
The 2018 Basel Anti-Money Laundering manager or vendor.
(AML) Index rated nearly two-thirds of the terms of formal compliance, but in reality
129 countries as having a significant risk of
money laundering and terrorist financing.
neglecting enforcement of laws and mea-
sures to prevent and combat money laun-
47 %
SAY EMPLOYEES
Higher scores on the index, based on dering and related financial crimes,” says RECEIVING SUCH
a 10-point scale, indicate greater vulner- Gretta Fenner, managing director at the EMAIL RESPONDED
ability. More than 40 percent of countries Basel Institute of Governance. BY TRANSFERRING
received higher scores compared to 2017. Low-risk countries share several charac- COMPANY FUNDS.
Failure to implement AML measures teristics, including comprehensive measures “Even companies that have
is at least partly to blame for the worsening for domestic and international cooperation, information security training
scores, according to the institute. “Govern- high levels of press freedom, and high levels and fairly savvy employees
ments may be ticking the right boxes in of transparency and integrity. — D. SALIERNO fall victim to these decep-
tions,” says Timothy Zeilman,
vice president of The Hart-
ford Steam Boiler Inspection
and Insurance Co. (HSB).
INNOVATION CHALLENGED Source: Zogby Analytics for HSB
Directors may not be prepared regulatory environment, and

to address unfamiliar risks. global and domestic com-
IMAGES: TOP, SELIMAKSAN / ISTOCK.COM;
I
petitive threats. The problem
RIGHT, FREIE-KREATION / ISTOCK.COM
n an age of disruptive than one-third of more than may be that innovation and
innovation, boards are 5,000 board members polled technology are not directors’
paying more attention to say innovation is a top-three strong suits. Only 42 percent
what they know, a Har- organizational challenge. rate their board above average
vard Business School survey Indeed, innovation ranks or excellent in these areas.
reports. According to the fifth in the global survey, beh- Nor are boards likely to
Harvard Business Review, less ind finding top talent, the focus more on innovation

Practices/Update
soon. Just 13 percent say

they prioritize technology
expertise when recruiting
DRIVING TECHNOLOGY ADOPTION
new directors. Asif Siddique, head of Global Technology & Privacy Assessments at Oracle
Even so, researchers Corp., says internal audit has a role to play in emerging technologies.
J. Yo-Jud Cheng and Boris
Groysberg say an innovation How can internal audit contribute to the adoption of
focus and board perfor- transformative technologies, such as artificial intel-
mance are correlated. “The ligence and machine learning? As with all emerging tech-
boards with strong innova- nologies, internal audit should be on the forefront, working
tion processes tend to be the with the business to understand key risks and how the com-
ones that are performing pany plans to use them, and ensuring they are appropri-
well on all fronts,” they say. ately evaluated during risk and project planning. When we
Directors’ focus on what identify issues during the audit process, the related action
they know may impede their plans/recommendations can be tailored to encourage the
ability to oversee today’s dis- use of these technologies.
ruptive risks. That’s because These technologies provide internal audit with smart
boards tend to focus more tools to capture risks differently. Because our audits involve a growing list of products con-
on known risks than on risks taining these technologies, they impact our talent model. They are changing the way we plan
that could have a significant, audits and forcing us to reevaluate our resource model and deployment. It also provides an
severe, and often sudden opportunity to perform advanced analytics to get relevant samples based on the emerging
effect on the organization, privacy and security landscape globally. If select testing can be automated using machine
notes a report from the learning and artificial intelligence, internal audit can leverage available resources to cover
National Association of Cor- additional areas and provide deeper insight into the effectiveness of technology controls.
porate Directors’ (NACD’s) And enterprisewide trends and anomalies can be identified and researched more efficiently.
Blue Ribbon Commission
on Adaptive Governance.
“Disruptive risks won’t
wait for boards and manage- BOARDS WEIGH IN ON Many organizations
aren’t prepared for
ment teams to catch up,”
says commission co-chair DIGITAL INITIATIVES cyber challenges.
N
Sue Cole. “Put simply, these
forces have the ability to o longer strictly the domain of IT,
make or break an organiza- digital strategy has risen to the top
tion’s success.” of board agendas, according to a
To strengthen oversight, recent survey by accounting and
the report recommends advisory firm BDO USA. Nonetheless, many
boards improve the content organizations remain unprepared for cyber
and format of reports on risk and other digital challenges.
disruptive risks from man- BDO’s 2018 Cyber Governance Survey,
agement and seek informa- which polled nearly 150 board directors from
tion from outside sources. publicly listed U.S. companies, indicates
PHOTO: LEFT, ZENZEN / SHUTTERSTOCK.COM
Moreover, it advises boards that nearly half of companies have increased transformation strategy in place — nor do
to stay informed about the spending on digital initiatives and 29 percent they foresee developing one in the near
company and its industry, as have hired board members with relevant future. And while 72 percent of directors
well as have deep discussions oversight skills. Moreover, two-thirds of say they are more involved with cybersecu-
with management about respondents say their company has a digital rity now compared to 12 months ago, more
how disruptive risks could transformation strategy or is developing one. than 20 percent admit their organization
impact the organization’s Still, the remaining one-third of has not implemented an incident response
strategy. — T. MCCOLLUM respondents’ companies have not put a plan. — D. SALIERNO

A Gartner 2016 PPM Cool Vendor
for Resource Planning
TM
TM TM
Project Resource Net Capacity in Hours for Option 5 Apply
PERCENT
FEB 17
Sample Model 01 Jan 2014 to 01 Jan 2024 Crusader Phase 8 02 Jun 2015 to 04 Jan 2017
AVAILABILITY
Amy Pullman 35% -48.27

01 JAN 2014 01 JAN 2015 01 JAN 2016 01 JAN 2017
57 possible options where you can start the project Dominic Sutherland 60% 86.85
Consumer Technology Show Phase 17 47 % The earliest Start Date is Nov 16
Daniel Vasquez 55% 176.37
Consumer Technology Show Phase 4 Olivia Freeman 55% 9.69

01 NOV 2016 01 DEC 2016 01 JAN 2017 01 FEB 2017 01 MAR 2017 01 APR 2017
Crusader Phase 8 Option 1 70 % Nov 16 Audrey Collins 60% 30
Option 2 68 % Dec 16 Norma Welch 55% 89.58

Cyclone Phase 19
Option 3 66 % Jan 17
Benjamin Diaz 65% 27.73
Data Warehouse Upgrade Project Phase 5
Option 4 66 % Mar 17
Austin Morris 65% 60.63
dejaVu Phase 16 Option 5 65 % Feb 17
Frances Cook 65% 132.09
Option 6 65 % Apr 17
Sean Price 65% 160.50
Option 7
1
Resources Month Enable interactive update Option 8 Lucas Rivera 75% 65.51
JUN 15 JUL 15 AUG 15 SEP 15 OCT 15 NOV 15 DEC 15

Option 9 Benjamin Rose 55% -3.19
BEFORE AFTER BEFORE AFTER BEFORE AFTER BEFORE AFTER BEFORE AFTER BEFORE AFTER BEFORE
Option 10 Piers Gardner 55% 115.93
Legal 34% 34% 50% 50% 74% 72% 96% 94% 102% 100% 116% 113% 126% Option 11
Gary Hayes 75% 128.66
Option 12
Consultant 33% 33% 49% 49% 71% 69% 87% 84% 96% 93% 102% 99% 103% Cynthia Duncan 60% 136.54
Option 13
Tester 52% 52% 81% 80% 117% 113% 136% 131% 159% 154% 177% 171% 183% Evan Webb 75% 106.86
Option 14
SME 56% 56% 82% 81% 104% 100% 126% 123% 162% 158% 186% 181% 183% Kimberly Snyder 70% 107.32
Option 15
PMO 48% 48% 77% 76% 105% 100% 127% 122% 143% 137% 160% 153% 171% Option 16 Evan Boyd 75% 140.70
Accounting 45% 45% 73% 73% 101% 100% 132% 130% 141% 140% 154% 150% 160% Option 17 Sara Black 70% 134.55
Procurement 53% 53% 82% 81% 117% 113% 147% 142% 169% 164% 189% 183% 195% Option 18
Joshua Abraham 65% 153.05
Option 19
Sales 50% 50% 77% 76% 109% 105% 129% 122% 146% 138% 169% 162% 174% Theresa Bond 65% 143.89
Option 20
Developer 53% 53% 80% 79% 116% 111% 140% 134% 160% 154% 170% 162% 183% Jan Richards 60% 107.11
Option 21
Marketing 62% 62% 92% 91% 142% 138% 165% 161% 194% 189% 202% 197% 215% Kathy Nash 60% 71.03
Option 22
Executive 39% 39% 68% 68% 107% 103% 133% 126% 159% 149% 190% 178% 199% Option 23 Ryan Hemmings 60% 95.40
ProSymmetry LLC. All rights reserved. Version 1.15.0 ProSymmetry LLC. All rights reserved. Version 1.15.0
Find your replacement for spreadsheets. Tempus Resource also provides

Resource modelling capabilities give advanced scenario planning through
you instant visibility over project temperature mapping to better
changes as they happen. visualize your resource allocation.
(+1) 713 - 985 - 9997 prosymmetry.com [email protected]

Back to Basics
BY SHILPA YADAV EDITED BY JAMES ROTH + WADE CASSELS
ADDING VALUE IN R&R AUDITS

Internal auditors
can focus on specific
areas of revenue and
W
receivables audits
to ensure alignment ith an organiza- the organization’s goals. There ensure that the approvals for
tion’s internal are several areas on which pricing structure and nego-
with organizational
controls being internal audit can focus to tiations include exceptions
objectives. tested more help achieve this objective. to the pricing strategy.
than once a year via exter-
nal auditors and regulatory Pricing Strategy Having the
requirements, such as the Internal auditors should Right Customers
U.S. Sarbanes-Oxley Act of interview senior manage- In a business-to-business
2002, what additional value ment to get insight over the model, working with prof-
does an internal auditor assumptions, historical sales itable and creditworthy
bring? Internal auditors can growth analysis, customers’ customers is a sign of sus-
look beyond the financial feedback and forecasts, and tainability and consistent
statement’s accuracy and other resources tapped to growth year over year. When
focus on control reviews to gain the pulse of the mar- reviewing the customer
ensure its alignment with ket. This insight will help selection process, internal
management’s objectives internal auditors assess if the audit should:
and strategies — specifically pricing strategy is moving in ɅɅ Check the existence
in the revenue and receiv- the right direction to help and adequacy of cus-
ables process. the organization achieve its tomer selection poli-
External auditors and goals. If not, internal audit cies approved by the
in-house Sarbanes-Oxley should discuss with manage- appropriate level of
auditors perform test pro- ment how to improve the management.
cedures to validate various analysis and pricing strategy. ɅɅ Ensure adherence to
assertions related to revenue Once satisfied with the these policies.
transactions, receivables pricing strategy, internal ɅɅ Assess the adequacy and
balances, and their presenta- auditors should then evalu- reliability of resources
tion and disclosures in the ate transformation of this used to check custom-
financial statements. Inter- strategy into the actual pric- ers’ credit rating (good
nal auditors can work with ing structure, assess whether credit provides reason-
management to ensure that the framework provided to able assurance over rev-
the revenue and receivables the sales team for negotiat- enue collection).
processes are set up and con- ing with customers aligns ɅɅ Evaluate profitability
trolled effectively to achieve with the pricing strategy, and at a customer level and
SEND BACK TO BASICS ARTICLE IDEAS to James Roth at [email protected]

TO COMMENT on this article,
EMAIL the author at [email protected]
question management on loss-making deals (profitabil- Tracking Receivables and Collection Efforts
ity analysis provides visibility over profitable deals). The receivables aging report is a good source to determine
ɅɅ Review the effectiveness of controls over updating cus- tracking process efficiency. External auditors and Sarbanes-
tomer data in the organization’s customer database to Oxley auditors review the aging report for valuation and to
ensure data validity. reconcile with the financial statements, while internal audi-
tors can assess the effectiveness of its collection efforts. Does
Contractual Obligations follow-up with customers happen with sufficient frequency
This area is more applicable to organizations that provide a and is there a process to escalate problematic dues with senior
complex bundle of services. Such sales need a well-drafted management? Also, are the receivables that are handed over to
contract detailing all performance obligations. Internal collection agencies, either under litigation or from bankrupt
auditors should check for the existence of a control where customers, being tracked to protect the company’s interests?
contracts are reviewed by legal experts, an accounting policy Although write-off approvals are reviewed by external
team, and an operations team, and are approved by the auditors and Sarbanes-Oxley auditors, internal auditors should
appropriate management level to protect the company from analyze write-off data to identify outliers, such as the same
unwanted obligations and commitments. employee writing off certain customers’ dues frequently or the
If a contract template with standard clauses is already same customers’ dues getting written off often. The root causes
developed, the auditor’s job is to focus on any nonstandard of these outliers will help reveal the process control issues.
terms agreed upon by customers and assess their reasonabil-
ity and approval process effectiveness. Internal audit should Recording Cash Receipts
risk-rank the contracts based on their contribution to the Recording cash receipts is vulnerable to misappropriation
organization’s objectives and then develop a testing strategy of cash received from customers and is reviewed by external
to review the reasonableness of key nonstandard terms. The auditors and Sarbanes-Oxley auditors. Cash receipts include
higher the number of nonstandard terms, the greater the electronic fund transfers, checks, credit cards, and physical
challenge for internal auditors. cash receipts. Internal auditors can focus on the timeliness of
recording the collection of cash in addition to the adequacy
Conversion of Orders to Invoices of segregation of duties and sufficient oversight in receiving,
Internal auditors should confirm that a process exists to depositing, and recording cash funds.
capture the goods or services provided to customers and
Performance Metrics
Last but not least are the metrics devel-
Internal auditors should analyze oped by management to measure the
performance of revenue and receivables
write-off data to identify outliers. processes. Internal audit should review
the accuracy of key metrics to ensure
that the data used for metrics calcula-
to invoice them for these goods or services. Prices for tions are correct and current. Internal auditors also can sug-
goods and services sold by the organization should be gest additional metrics that will be useful to management.
updated in the price database, and the revenue system
must capture all goods and services sold to customers for Focus on What Matters
accurate invoicing. By reviewing end-to-end processes and questioning the align-
Usually, internal auditors test these processes on a ment of various policies, procedures, and performance met-
sample basis. To make the sample selection effective, inter- rics with management’s corporate objectives, internal audit
nal auditors should pick up on clues about process gaps, can enhance the work of external and Sarbanes-Oxley audi-
control weaknesses, and system constraints through process tors. Working with management to finalize the objective and
map reviews, data analytics, rework queues, pain points, scope of audits will help auditors focus on the risks that really
and process improvement ideas communicated by manage- matter to management, in addition to reviewing key internal
ment. These areas could reveal missing management over- controls that matter to internal auditors.
sight and potential revenue leakages, such as not invoicing
for services provided or generating invoices with lower- SHILPA YADAV, CPA, CGA, CA (India), is a senior internal
than-negotiated rates. auditor for Canadian Pacific Railway in Calgary.

Audit Management Software
No Gimmicks
No Metaphors
No Ridiculous Claims
No Clichés
Just Brilliant Software.
Find out more at www.mkinsight.com

Trusted by Companies, Governments and Individuals Worldwide.
ITAudit
BY ISRAEL SADU EDITED BY STEVE MAR
AUDITING BLOCKCHAIN
Internal auditors
need to focus on
new risks and
B
opportunities posed
by blockchain usinesses and govern- to assess the internal and Auditors also should provide
ment agencies alike external risks to business assurance on the risks asso-
technologies.
are pursuing block- objectives posed by block- ciated with implementing
chain’s promise chain. One risk is a “51 per- blockchain such as technol-
of greater accuracy, trans- cent,” or “‘majority rule,” ogy interfaces with legacy
parency, and efficiency. attack. In this attack, a user systems and the adequacy of
Accounting firms are invest- introduces false data in the migration strategies.
ing more than $3 billion a blocks to create a fraudulent
year on blockchain technol- transaction that most nodes Testing Systems
ogy, while IBM predicts that on the blockchain accept Unlike traditional databases,
two-thirds of all banks will as true. Hackers also could blockchain applications
have blockchain products by target endpoint vulnerabili- maintain data in blocks,
2020. These organizations ties where people interact also known as a distributed
are attracted to blockchain’s with the blockchain, which ledger. These blocks are
ability to record relevant is when the data is most sus- accessible to all users who
details of every transaction ceptible to attack. are permitted to access them.
in a distributed network. Another risk is individ- Because a blockchain does
Like other new tech- uals in a supply chain who not have a master copy of
nologies, blockchain presents misuse data by manipulating the database controlled by a
challenges and opportunities a blockchain’s transparency database administrator, there
for internal auditors. Block- and traceability features. is no single point of failure in
chain carries the typical IT Legal risks arise from the the event of hacking. Instead,
risks such as unauthorized lack of standards and the ledger is replicated in
access and threats to confi- regulations for monitoring many identical databases,
dentiality, but it also could blockchains in diverse legal each hosted by a different
impact traditional audit pro- jurisdictions worldwide. party. Any change carried out
cedures. Yet, blockchain may Against this backdrop, in one copy will simultane-
enable auditors to be more internal auditors should ously change all the records.
innovative and efficient. review whether their clients Notwithstanding block-
have established appropri- chain’s security features,
The New Risks ate actions to mitigate risks, internal auditors should ask
As with all new technolo- including the timelines and these questions while testing
gies, internal auditors need staff needed to deploy them. the system:
SEND ITAUDIT ARTICLE IDEAS to Steve Mar at [email protected]

Get all the tools and resources to audit more effectively.
Global industry experts at The IIA develop, document, and deliver the standards of the profession,
along with all the tools to understand and apply them. Aligning with the International Standards
for the Professional Practice of Internal Auditing can help internal auditors of all levels and
sectors perform their jobs more effectively.
Practical Tools | Latest Resources | Training Courses
Standards Practice Makes Sense

www.theiia.org/HaveStandards
2018-0691
Practices/ITAudit
ɅɅ How does blockchain allow different parties with dis- treat the acceptance of a transaction into a reliable blockchain
tributed responsibilities in the network to access the as sufficient audit evidence. Likewise, blockchain might legiti-
ledgers when there is no central administrator? matize certain off-ledger transactions or incorrectly classify the
ɅɅ How fast and timely is data available as millions of transactions, providing false assurance.
transactions are written simultaneously? Were availabil- Blockchain may require internal auditors to allocate more
ity risks addressed at the design stage? resources to obtain assurance on the adequacy of controls in
ɅɅ How safe are the authorizations that allow users to read recording transactions. Moreover, auditors will continue to
and write in the blocks? Are these confidentiality risks? focus on issues related to other nonautomated key activities
ɅɅ How adequate are the cryptography arrangements in such as governance, risk management, monitoring, reporting,
place to hide the database in the network to ensure and evaluation. Indeed, value-for-money audits and other
completeness, integrity, and nonrepudiation of data? types of audits may grow as organizations seek to evaluate the
ɅɅ How robust are the validation controls and the roles costs and benefits associated with blockchain applications.
allocated in view of limitations on reversing the transac-
tions? Once blocks in a chain are secured through hash- Opportunities for Audit
ing, they cannot be reversed. Blockchain may not completely redefine the rules of internal
ɅɅ How adequate are the arrangements over the audit trail auditing, but it could provide new opportunities. First, audi-
when there is no centralized database? tors could lobby their clients to involve them during system
ɅɅ How adequate are the controls over the data backup and development either as observers or advisors. This would help
disaster recovery processes considering there are multiple auditors understand the nuances of the blockchain operating
copies of the blockchain and no single point of failure? environment from its inception, including its implementa-
Also, what arrangements are in place to recognize the tion challenges. Moreover, auditors may be able to suggest
node/ledger that could be used for backups? and determine the terms of reference for developing appro-
priate audit modules in blockchain-based systems.
Impact on Procedures Second, blockchain may encourage audit management
Blockchain has implications for financial statement audit pro- to streamline and reorient its staff, while building the depart-
cedures. Because data maintained in blockchains is available ment’s capacity to provide quality services to clients. Staff
in real time, traditional sampling techniques used in financial members will need to be able to work with a range of new
statements may not be required. Internal auditors can provide technologies. Conversely, by automating some tasks, internal
assurance by using data analytics to scan the entire database. audit functions may not need as many auditors as before.
Additionally, conventional reconciliation and validating tasks Third, artificial intelligence may enable auditors to
quickly process, extract, and identify
risks up front using publicly available
Blockchain may render many risks blockchain ledgers. This ability may
make the audits more cost-effective.
related to financial statements obsolete. Also, auditors could use data mining to
identify the highest risks such as frauds,
resulting in more relevant audits.
may not be necessary because there should not be discrepancies
in the financial statements in a shared ledger scenario. Built to Thrive
Indeed, blockchain may render many current risks As blockchain changes the way business is conducted glob-
related to financial statement opinions obsolete. Auditors ally, it presents an opportunity for internal auditors to
should be aware of the new risks and their impact on tradi- migrate to a challenging, new operating environment. To get
tional audit procedures. there, internal audit must evolve its procedures while staying
One example is the risk of auditing transactions cap- focused on the risks that matter most to the organization. By
tured in an immutable blockchain. During a financial audit monitoring blockchain developments, auditors can help the
in a blockchain environment, auditors will be able to assess business thrive in the future.
whether the transactions recognized in the financial statements
have occurred and relate to the entity. However, in doing so, ISRAEL SADU, PHD, CIA, CRMA, CISA, is resident auditor
they might overlook the audit evidence’s relevance, reliability, with the United Nations Office of Internal Oversight Services in
objectivity, and verifiability. This is because auditors could Bonn, Germany.

Risk Watch
BY ASHOK (ASH) KANNAN EDITED BY CHARLIE WRIGHT
A NEW AGE OF IT GOVERNANCE RISK

Internal auditors
need to plan for
assessing oversight
E
of transformative
technology projects. ffective governance of new technology often cre- Governance frameworks
IT is critical to orga- ates new risks ranging from include The Committee of
nizational success specific control weaknesses Sponsoring Organizations of
and can transform to potentially enterprise- the Treadway Commission’s
an organization. While IT- wide disruptions. Helping Internal Control–Integrated
enabled transformation can the organization assess and Framework, ISACA’s COBIT,
bring many rewards, poor address these risks is an and the Balanced Scorecard
governance of those projects opportunity for internal Institute’s Balanced Score-
can cause disruption and auditors to add value. card. Organizations also can
unintended consequences. According to Standard use management frameworks
As an organization 2110-A2 of the International such as ITIL, the U.S.
evaluates different technology Standards for the Professional National Institute of Science
investments, management Practice of Internal Auditing, and Technology’s Cyberse-
must ensure the technology internal audit must assess curity Framework, and the
is aligned and delivered in whether IT governance International Organization
accordance with the organiza- supports the organization’s for Standardization’s ISO/
tion’s strategies and objec- strategies and objectives. IEC 27001: Information
tives. Internal auditors can Consequently, the challenge Security Management, ISO/
help by providing indepen- for internal auditors is to IEC 38500: Information
dent assurance on the appro- help assess numerous risks Technology — Governance of
priateness and effectiveness of associated with governance of IT, and ISO 9000: Quality
the governance structure. enterprise IT. Management. These frame-
works explain risks, controls,
Technology’s Challenge Frameworks and other details that can
IT departments manage Audit programs will be more reduce the time required to
the technology support- useful if they differentiate develop an audit program.
ing business applications, governance risks from risks
disaster recovery, cloud related to the management of Audit Planning
services, and other mission- enterprise IT. Internal audi- Internal auditors should
critical functions. In many tors can leverage a variety become familiar with each
organizations, the IT infra- of frameworks to develop of the governance frame-
structure is the foundation high-quality, tailored audit works so they can scope the
for business operations. Yet, programs for IT governance. audit engagement to focus
SEND RISK WATCH ARTICLE IDEAS to Charlie Wright at [email protected]

on the appropriate risks. Audit programs should identify the can review IT’s level of participation on the organization’s
impact of IT risk to the organization as well as the potential steering committees and internal advisory boards.
for compliance failure. During the risk assessment, auditors
can determine the current state of risk management practices, Risk Management Auditors should evaluate whether IT
assess design gaps, identify improvement opportunities, and risks are included in the enterprise risk management program.
recommend actions. They should consider several areas in their Auditors also can review internal processes that identify, com-
audit program. municate, and manage IT risks. Change controls are a huge
risk in this area, so auditors should review risk management
Strategic Alignment IT strategic alignment continues activities such as communications planning, change manage-
to be a top priority for most organizations and aligning ment, and committee oversight. If the organization has a
technology with business strategies can be challenging for security operations center, auditors should assess how it man-
management. One of the key governance controls auditors ages the IT environment and responds to incidents.
can review is the process and methodology for justifying
and prioritizing IT investments. Auditors can verify that the Project Management Organizations should have a project
organization has a formal and periodic process for identifying management office to provide governance to prioritize IT proj-
business needs. Audit procedures also should validate that the ects according to business need. Auditors should review pro-
IT budget cycle is part of the business operations budgeting gram and project management methodology and ensure the
process. Additionally, auditors can validate corporate objec- organization complies with internal processes to request, evalu-
tives and strategic goal alignment by reviewing the decision ate, and approve IT projects. They should examine a sample of
rights and accountability framework documentation. completed projects to determine whether those initiatives real-
ized stated benefits. Moreover, auditors should review the pro-
Roles and Responsibilities IT executives need to collaborate cess for evaluating and prioritizing projects at the business-unit
with business-unit executives to ensure technology helps shape and enterprisewide levels. Additionally, understanding and
business strategy. Without clearly defined roles and responsi- reviewing key performance metrics, such as planned vs. actual
bilities for IT management, the organization might risk not expenses and requirement backlog would be invaluable.
aligning IT and enterprise operations. To identify the links
between business and IT plans, internal auditors can evaluate Management Activities Without an appropriate focus
the strategic plan for IT-enabled initiatives, policies, presenta- on technology, organizations could mismanage critical IT
tions to the board that highlight the outcomes of a successful resources such as the application environment, data, infra-
implementation, and third-party agreements. Additionally, structure, and people. Auditors should evaluate IT’s involve-
auditors should verify IT’s involvement and responsibilities ment in key projects, the demand forecasting process, and
in the sourcing process. Appropriate involvement by IT can resource management practices. IT’s involvement and assess-
ensure new technology fits the organization’s current environment before engaging software providers and consultants will
ment. Additionally, auditors, IT, and the information security help mitigate the implementation risks associated with large
group can collaborate to evaluate compliance requirements. projects. Robust demand and resource management practices
can provide the bottom-up approach to gain insights into
Organizational Structure To enable better governance, the business requirements, alignment, and priorities. By under-
chief information officer should be part of an executive or standing IT resource commitments, internal audit can assess
senior management team and an active participant in setting the organization’s ability to deliver on key initiatives.
business-unit-level strategy and goals. With the pace of change
in today’s business environment, the IT organization must be Identifying Key Risks
agile and responsive, so auditors should review metrics associ- Every organization’s risk profile is unique and depends on the
ated with the length of projects as well as service satisfaction. organization’s culture, structure, and mission. Governance
Auditors should try to identify unauthorized IT projects and management teams should identify and prioritize key
by business units — known as shadow IT — by reviewing risks for mitigation and formalize risk acceptance. Organiza-
technology acquisition processes, purchasing authority, appli- tions should leverage internal audit’s knowledge of the busi-
cation inventory, and sourcing processes. They should work ness’ environment, IT investments, and internal processes.
with the IT support function to evaluate internet traffic to
external sites that may identify unauthorized subscriptions to ASHOK (ASH) KANNAN, CISA, CISSP, is a senior audit
software as a service applications. Based on a sample, auditors professional at Devon Energy in Oklahoma City.

Fraud Findings
BY FRANK RUDEWICZ + ERICA HEINZ EDITED BY BRYANT RICHARDS
A CASE OF MISPLACED TRUST

A long-time company
employee steals
$4 million to fund
J
her business venture.
ane Dosh was the SID and did not have the and that she would find them
comptroller and a resources to provide a rou- and send them to Dittman.
trusted employee at tine set of reviews aligned However, as days turned into
Smith Interior Design with a regular risk assess- weeks, Dosh did not send
Co. (SID), a small and ment. As part of her annual the records. Dittman sent
close-knit professional ser- plan, Dittman performed numerous follow-up emails
vices firm catering to high a standard review of the and voicemails, which went
net-worth families and indi- accounts payable process. unanswered. After weeks of
viduals, for almost 15 years. The audit program included no response, Dittman went
As comptroller, she man- sampling transactions, to the file room to search for
aged many aspects of SID’s checking support, and ensur- the records, herself, but the
financials — such as paying ing appropriate authoriza- room was empty.
bills, managing payroll, and tions. During her review in Unable to obtain
purchasing supplies for the early 2017, she documented answers from Dosh and
company and clients — with several unsupported and concerned about missing
oversight from Robert unexplained transactions. records, Dittman escalated
Smith, the company’s During the validation her concerns to the CEO
co-founder. Smith was process, Dittman inter- and chief financial officer
responsible for monitoring viewed several employees for and recommended a forensic
the company’s finances. supporting explanations and review. Given Dosh’s control
When he passed away in documents, but they were of the financial processes, it
2011, his financial responsi- unaware of the expenses appeared possible that she
bilities were added to Dosh’s and could not retrieve the had defrauded the company
workload, which meant she records. Having exceptions and was now covering it up.
handled every aspect of the in the validation process Management was concerned
company’s finances with no was a typical event for Ditt- about the extent of the fraud
oversight. She continued in man, but a large number of and the company’s ability
that role for the next few unexplained exceptions was to recoup the money. As a
years until she unexpectedly unusual — plus there was no result, management agreed
resigned on Dec. 31, 2016. supporting documentation. to a forensic review.
Internal Audit Man- Dittman reached out to The forensic review
ager Heather Dittman was Dosh, who insisted that the began with traditional sur-
the sole internal auditor at records must be misplaced veillance of Dosh to uncover
SEND FRAUD FINDINGS ARTICLE IDEAS to Bryant Richards at [email protected]

LESSONS LEARNED
»» No company is immune to fraud. Internal audit needs investment in audit resources. Many of the control
to help the organization prevent and minimize fraud weaknesses in this case would have been uncovered
risks. Small companies that are reluctant to invest during the assessment process.
the money to provide more internal audit coverage »» Internal auditors should include a fraud risk assess-
should consider the return on investment in compari- ment as a standard for their work plans. It applies
son to a $4 million embezzlement. It is imperative for to every company and is the most compelling
companies to set up internal policies and procedures method of educating management about fraud
that separate duties, promote accurate documenta- vulnerabilities. The act of communicating this tool
tion, and systematically evaluate and counter all throughout management is sometimes enough to
potential risk. prevent fraud.
»» Internal audit should perform a fraud risk assessment »» Internal audit needs to know when to involve a foren-
to help leadership in small companies understand the sic investigator. Forensic experts can provide differ-
extent of their vulnerability to fraud. Significant pro- ent tools, such as recovering erased hard drives and
cedural or segregation of duties gaps can be identi- surveillance, and will preserve the chain of evidence
fied during the process without requiring substantial in a fraud case.
the facts necessary to figure out the fraud. During lunch on SID and the investigators turned the case over to federal
the second day of surveillance, Dosh went to a local boutique. law enforcement. Dosh pleaded guilty and is awaiting sen-
This piece let the investigators assemble the rest of the puzzle. tencing for charges related to identify theft and fraud. SID
Dosh wanted to be an entrepreneur, but she lacked implemented several policies and procedures to prevent the
funding. When Smith died, another employee, Helen company from getting defrauded again, including:
Brown, was granted a company credit card, and Dosh saw »» Dispersing cash only after appropriate management
her chance. She had access to the new card’s information and authorization and only with dual approvals over
knew nobody would be monitoring the credit card activ- certain threshold amounts to ensure company funds
ity but her. Dosh then contacted Alexandra Johnson, an were being spent for approved business purposes.
acquaintance who worked at a luxury clothing store nearby, »» Reviewing all cash receipts and disbursements as part
and the two began a joint business venture. Dosh went to the of a monthly bank reconciliation.
store where Johnson worked, and they set up a store account »» Separating financial duties so no one person would
using Brown’s company credit card. Johnson later quit her handle all of the responsibilities.
job at the boutique and got a job at another clothing store. »» Backing up all financial transaction source documents
There, she set up another account with Dosh using Brown’s to multiple locations so the documents would not be
credit card. Dosh also bought expensive jewelry and cloth- lost if any one location was compromised.
ing from other boutiques on the card. She would pay off »» Developing a risk assessment program to allow inter-
her purchases on the company card every month from SID’s nal audit to review, assess, and identify weaknesses in
checking accounts. the internal controls and point out areas of high risk
When forensic investigators recovered the contents of concerning fraud.
Dosh’s company computer hard drive, they found detailed SID realized that internal controls do not have to be an
plans for a boutique clothing and accessory business owned impediment that slows down work processes. While there is
by Dosh and Johnson. Private investigators followed Dosh no such thing as a one-size-fits-all system of internal controls,
for weeks to locate where she was storing the fraudulent getting the focus of their internal controls right helped safe-
purchases. She also forged the signature of the second com- guard and develop their business.
pany co-founder on multiple fraudulent checks to purchase
personal goods and services, including payments to family- FRANK RUDEWICZ, ESQ., CAMS, is partner in charge, forensic
owned businesses. Investigators went through years of com- services, at Marcum LLP in Boston.
pany financial documents to find that she had embezzled ERICA HEINZ is a paraprofessional in the forensic services group
more than $4 million from the company in just five years. at Marcum LLP.

SMALL AUDIT FUNCTIONS
Small but tech s

h savvy
Audit functions
with limited
resources are
making the
most of their
technology.
T
echnologies such as artificial intelligence (AI) and robotic process auto-
mation (RPA) seem a sure way of revolutionizing the value that internal auditors
can add to their organizations. But for auditors working in small departments, the
budgets to implement such programs are often out of reach.
Does that mean the days of the small audit function are numbered? Will
businesses outsource their audit departments to more technologically enabled
consultants to enhance returns on their audit investment? Anecdotally, that
seems unlikely — the small audit approach is thriving. Its practitioners are vigor-
ous innovators often working within tight budgets. Squeezing every dollar out of
their IT programs is critical, so team members use each application to its maxi-
Arthur Piper mum capacity. There has to be a rock-solid business case for investing both time
and money into new audit technologies — and, if there is, audit committees are
Illustrations by Gary Hovland supportive. Through innovative techniques and keen attention to stakeholder
needs, many small audit functions are making the most of the technology tools
at their disposal.
TAILORED INNOVATION
“Small audit shops generally innovate within tight constraints,” says Ross Wescott,
principal at consultancy Wescott & Associates in Portland, Ore. “They do so by
using what they have differently and, if necessary, bringing some new processes
to the table. Every new audit innovation should add value to the business while
enhancing the audit process itself.”
Wescott says innovation is a mindset that all auditors would do well to
adopt — in both small and large teams. Giving themselves permission to innovate
is often the biggest step internal auditors need to take — as well as accepting that
some initiatives will fail. To be effective, innovation needs to be closely tied to
both the needs of the business and to the technological environment the auditor is
working in.
“You would perhaps be surprised, but most IT shops and companies are
not very technologically advanced — that is, they are not on the leading edge
of technological innovation.” Wescott says. “In the majority of companies, IT

SMALL BUT TECH SAVVY
lags behind the business’ strategy. The and she is establishing links with the
success of an auditor’s IT processes best people in the business with such
depends on how well they fit their cli- IT knowledge.
ents’ own infrastructure.” She expects all internal audit staff
members to be able to test IT controls
BEST FIT and to be tech savvy. But for specialist
That does not mean audit functions reviews, such as on cyber risk, and for
in all highly digitalized businesses auditing complex financial applica-
need to adopt the latest technology tions, Cooper has built a co-sourcing
trends. Wendy Cooper arrived at the relationship with a consulting firm.
U.K. FTSE 250-listed company Sanne She says that if the need for specific
Group plc, London, in January as its IT audit skills increases, she would
internal audit director. Sanne Group consider adding a more specialized IT
“
is investing in internal audit by devel- auditor to the team.
oping best practices and growing the
You would team from three members to six. But AUDITING WITH PURPOSE
perhaps be Cooper is not investing heavily in the David Givans is the one-person
surprised, latest audit technology. audit function at Deschutes County
but most IT Cooper says Microsoft Office Administration in Bend, Ore. The
shops and products such as templates in Word and county’s data is spread across the orga-
companies Excel are adequate tools for most small nization, usually in discreet silos, and
internal audit functions. The former she like Cooper, he has to work with busi-
are not very uses for planning and drafting reports; ness managers to access and analyze
technologically the latter for the audit team’s risk and data from disparate programs. He says
advanced.” control matrix work and for tracking auditors in small functions need to
“
management actions on the team’s have a “very strong charter” to ensure
Ross Wescott
recommendations. Having worked at they have the authority to access the
You have to the global Lloyds Banking Group, she data they need.
build up good has used custom audit tools and under- As county internal auditor, he
stands they can be useful in coordinat- deals with a wide range of government
relationships ing the work of dozens of audit teams departments. In 2018, internal audits
and remain in multiple locations. But she thinks it have included, for example, a health
independent is overkill for a small team — not least report on the inmates of the county’s
at the same because it requires hours of audit time jails, a controls audit over $10 million
time.” to keep them up to date. of revenue from solid waste disposal
In addition to her chosen tools, franchises, and a follow-up report on
Wendy Cooper Cooper uses the business’ IT systems its recommendations to the Fairs and
to download data and select samples Expo team at the county.
to be audited. Those systems may Givans uses a mix of data mining
be off-the-shelf packages or custom tools and Excel to perform his audits,
in-house IT systems. Both depend on but understanding what he wants the
people within the business helping the technology to do is paramount. “I
audit team. don’t let the technology drive what I
“You have to build up good rela- want to do,” he says. “I have a per-
tionships and remain independent sonal passion for data and analysis,
at the same time,” she says. That and I’ve been pretty resourceful with
can mean audit staff sitting with the the data mining tools I have. But it
IT expert when requesting data and has to be used for a purpose. I want it
being there when it is collated. The to help me tell a compelling story in
approach has worked well for Cooper, my audit reports.”

VISIT OUR Mobile App to see a video
on strategies for small audit functions.
He has recently been adding info- the central office in the state. He
graphics to help him synthesize the data describes the audit tools that it uses as
and bolster the arguments that he needs being “well along the maturity scale”
to make. Using such tools is not only because of the continuous resources
an effective way to communicate his and commitment the team has dedi-
findings, but it underlines to the audit cated to its model. “You have to put
committee and to management the ben- the time and resources into the tools
efit those audit technologies provide. In you have chosen to make sure you get
fact, some of the county’s departments
are keen to use Givans’ analytics tools.
“That’s the perfect outcome,” he says.
KNOWLEDGE AND MATURITY

Auditors need to know their tools
inside and out to be able to focus on
the questions they want to ask. “The
challenge in applying a technology
tool is to get to a point where you can
do critical thinking with it,” Givans
says. Training courses are effective for
learning the nuts and bolts of specific
systems, but often do not address how
to use those programs in the audi-
tor’s own environment. “A tool can
help you ask questions you feel need
addressing, but you must understand
how it can be used to come up with an
answer for your organization,” he says.
Using a limited number of audit
applications can be a virtue. Taking a
deeper dive into existing technologies
can prove more effective than adding
new software programs, which often
have a steep learning curve associated the objectives you defined when you
with them, Givans says. “If you have decided to increase your IT capabili-
a week’s training course on a software ties,” he says.
package, you need to use that knowl- The team is heavily involved in
edge — otherwise, you will lose it,” he using data analytics and the automa-
adds. Givans aims to apply the tools tion of internal audit processes, such
he has on every audit so they provide as workpapers, time keeping, and risk
maximum value to both the audit ranking. As is typical for a smaller func-
function and the administration. tion, it has not dipped its toe in the
But how do small functions know water with more experimental technolo-
whether they are keeping pace with gies, such as AI. Houle prefers not to.
how they should be using technol- When he meets other audit executives
ogy? It is not easy, says Grant Houle, who have invested in such technolo-
director of audit at the Mohegan gies, he often discovers that they are
Tribe, which owns Mohegan Gaming underused if the company has made
and Entertainment in Connecticut. the financial investment but has under-
Houle’s seven-person audit team serves estimated the time commitment to see

SMALL BUT TECH SAVVY EMAIL the author at [email protected]
it through. Even electronic workpaper corroborates the red flag incidents with
solutions, which have been around for visual evidence to assess whether there
decades, will be little more than reposi- has been genuine gaming errors or
tories if the time is not invested in the potential fraud.
core process and behavior changes to get “Our job is to make sure we focus
value from the technology. on the most valuable red flag incidents,
Keeping the team’s capability because the surveillance team needs to
mature is a “work in progress,” he physically watch the video material in
says, because the business is expanding real time for each one — and there may
rapidly. Mohegan Gaming and Enter- be 200 in a single day,” Houle says. He
“
tainment has centers in Pennsylvania, estimates the continuous monitoring
Washington state, Louisiana, and software cost as only about 10 percent
New Jersey; a second flagship property The challenge of the total project budget — the rest is
under development in Seoul, South in applying a allocated to the time his team has spent
Korea; and a new development it is technology in making sure they get the appropriate
adding next year in Niagara, Ontario. tool is to get to value from the objectives they have set.
Houle assesses the maturity and fitness a point where With such a success under his belt,
of any audit capabilities and tools at Houle is seeking to take the model his
each of the new properties that comes
you can do team developed on the gaming tables
on board. That can mean either setting critical thinking and to innovate audit processes in
up audit from scratch, or enhancing with it.” other parts of the business. Moreover,
existing tools, if needed. So far, there like Cooper, he is continually keeping
David Givans
are three additional auditors based abreast of developments in the orga-
outside of Connecticut in the wider nization itself to understand if those
team — but that is likely to grow. systems can be better exploited by the
audit team.
SECOND-LINE PARTNERSHIPS “I don’t just want to see what is
“
Houle has been innovating his audit happening on the shop floor,” he says.
capability by finding ways to work with “I want to be plugged in earlier than
the second line of defense. Although Our job is to that — where are we transitioning to the
his team has done whole population make sure we cloud, for instance, and what does that
testing with its analytics software, focus on the mean for us?” For example, so-called
a key focus that has paid dividends most valuable stadium gaming is becoming popular.
recently is continuous monitoring A physical dealer remains present, but
with automated processes. Under the
red flag up to 70 people can play the game and
group’s loyalty scheme, players can earn incidents.” place bets via live video links to the
“
points. On the gaming tables, the way Grant Houle
internet. Houle says the process is less
patrons earn these points has a manual risky for the casino because, for exam-
side to it — handling playing cards We have to be ple, the risk of marking cards or stealing
and tracking play for the purposes of professionals chips is minimal. On the other hand,
earning points. But a lot of data is also who can IT security risks may increase. Houle
collected from real time play, such as facilitate makes sure he is at those early meetings
from security cameras. The audit team to understand the new processes and
extracts the tracking data files and the
change in the how his team may be able to help.
scripts they have developed analyzes organization
them for what may be considered red and not just BUSINESS CULTURE
flag incidents on the tables and passes manipulate Michael Levy is the director of internal
the results of that analysis on to the data.” audit for Student Transportation in
second line of defense surveillance Wall, N.J., a multinational school bus
group. The surveillance team then Michael Levy contractor. While keeping a close eye

37% of organizations worldwide have deployed artificial intelligence or are planning
to in the near future, according to chief information officers polled for the 2019 Gartner CIO Agenda survey.
on changing processes at his company, PRACTICAL TOOLS

his team of five uses a variety of tools As technologies such as AI and RPA
including data analytics, visualization, become mainstream, small audit
project management tools, cloud docu- functions will most likely use them
ment repositories, and collaboration where the business case is strongest.
tools. “It is great to have the ability to Audit committees and management
use data visualization and analytics, are likely to support those efforts
but we as a profession need to make because returns will be demon-
sure we are speaking to our audience strable. As Levy notes: “There is no
and using their language,” he says. point in over-engineering something
“Depending on the project, it some-
times can be better to have those tools
used in the background — otherwise
you can alienate people.” In addition,
he says audit teams need to consider
organizational maturity levels to ensure
that they do not too far exceed the
cultural norms of their organizations.
“If we get too far ahead, that could be
perceived as a negative,” he says. “We
want to be sure as auditors that we do
not head down a path that the organi-
zation will not perceive value from.”
Although he expects all team
members to be conversant with data
analytics — someone should be the
champion — Levy says that interper-
sonal skills are also critical for success.
“To be successful, we have to be pro-
fessionals who can facilitate change
in the organization and not just
manipulate data,” he explains. “That
requires relationship building and
social skills.” Daily interaction with
management helps his team members
keep their fingers on the pulse of
the organization and be proactive in
delivering meaningful change, which that doesn’t need it. That being
data analytics can often help do. said, if we can make recommenda-
He says he values the efficiencies tions to automate business processes,
that the effective use of audit technol- or parts of the audit, that is an intel-
ogies can bring. Automating workpa- ligent and efficient way of using
pers, for example, and the process for our resources.” There are lessons
sending out audit requests has saved for all on how small functions maxi-
his team many hours. However, when mize the return on investment from
he is attending conferences and net- audit technologies.
working events, he is on a constant
lookout for how to use both new ARTHUR PIPER is a writer who specializ-
and existing tools more intelligently es in corporate governance, internal audit,
and strategically. risk management, and technology.

Small Audit Shops Need
to Leverage Technology
More than Anyone
Wolters Kluwer TeamMate streamlines the audit process for
more than a thousand small audit departments with ten
or fewer staff auditors. Small departments face the same
challenges as large audit shops, but with fewer resources.
Leveraging powerful audit tools can provide you with the
efficiency, organization, and quality assurance you need.
Learn more at www.TeamMateSolutions.com/Plus
Copyright © 2018 Wolters Kluwer Financial Services, Inc. 15717

6
RESOURCE MANAGEMENT
STEPS
to right-size
internal audit
With the right

benchmarking
measures, chief
audit executives
can effectively size
A t some point in almost every chief
audit executive’s (CAE’s) career, he or
she is asked to assess and justify the
organization’s level of internal audit
resources. The number of variables and organization-specific
considerations can make this a formidable task because there
is no rule or standard to determine the appropriate amount
of audit spending. Because judgment and subjectivity are
required, CAEs run the risk of being seen as self-serving if
the benchmarking exercise is used to advocate increased head
their internal audit count or spending, or to resist internal audit budget reduc-
departments. tions in conjunction with broader cost-cutting initiatives.
Considerable judgment is left to the CAE to ensure the
audit plan covers the appropriate level of risk. In actual prac-
tice, audit committees frequently ask CAEs whether internal
Stephen Shelton audit is sufficiently staffed with respect to number of people
and skill. The starting point then, to facilitate “right-sizing”
the internal audit function, is to clearly establish and under-
stand internal audit responsibilities, scope, and coverage, as
well as stakeholder expectations. To aid this assessment, inter-
nal auditors can follow a six-step benchmarking approach

6 STEPS TO RIGHT-SIZE INTERNAL AUDIT
aimed at answering the age-old ques- provided compared to other organiza-

tion: How much is enough? tions in the same industry.
1
STEP
Establish the
Purpose for
Benchmarking
When internal audit is asked to rational-

ize budget and head count, stakehold-
ers should consider the current state of
2
STEP
Inventory Internal
Audit’s Principal
Activities
Next, the CAE should inventory

the principal activities performed by
internal audit that may be handled
the organization and its risk appetite. differently within other organizations.
During times of economic stress, some For example, does internal audit run
organizations may be tempted to reduce the U.S. Sarbanes-Oxley Act of 2002
centralized overhead functions and project management office or perform
the corresponding semi-independent independent testing to support required
oversight of risk, internal control, and management Section 404 assertions?
business processes. Downsizing also may Does the internal audit function
eliminate administrative and control provide direct support to external
processes, increase workload, and cur- auditing, including substantive test-
tail oversight functions while expanding not required for the organization’s
ing autonomy and levels of authority. Sarbanes-Oxley assessment on internal
Unfortunately, intense revenue pressure control? Does the organization operate
and cost cutting can heighten the risk in a heavily regulated environment with
of inappropriate behavior and short- prescriptive requirements for the inter-
cuts in controls and business processes. nal audit function?
Internal audit is regarded as an
organization’s third line of defense,
Benchmarking should encompass the responsible for providing independent
assurance. The three lines of defense
resources required to meet stakeholder model establishes responsibility for
internal controls and how organizations
and regulatory expectations. can best establish and coordinate duties
related to risk and control. It also states
that the individual lines of defense
Consequently, right-sizing internal audit should not be combined in a way that
should go beyond arbitrary across-the- reduces effectiveness. Coordination
board reductions. That is why bench- helps minimize gaps and eliminate
marking should encompass the resources duplication of assigned duties. Under-
required to meet stakeholder and regula- standing the makeup of responsibilities
tory expectations, within the agreed- within the three lines of defense is an
upon risk appetite for the organization. important first step in benchmarking
Other reasons for benchmarking the internal audit function.
the internal audit function may be When inventorying an internal
to examine use of outsourced vs. in- audit department’s activities, CAEs
house resources, centralized vs. decen- should include all discrete activities
tralized audit resources, career vs. that require 10 percent or more of
rotational audit staffing, and frequency total available internal audit resources.
of audit coverage, as well as to identify Getting too granular makes effective
differences in the level of audit services benchmarking difficult.

Adding value to the business is the top audit challenge of small and
mid-size enterprises, according to MetricStream’s State of Internal Audit 2018 — Impact and Opportunities.
3 4
Once internal audit and the CAE
Know and Identify make their benchmark metrics selec-
STEP Define the STEP Benchmarking tions, the Audit Intelligence Suite
Industry Alternatives compares the audit activity against
comparable departments and creates a
For some organizations this is relatively There are numerous approaches to tailored benchmark report. Principal
straightforward. For others it may be benchmarking the internal audit depart- limitations are the fee and whether
more difficult, particularly if the orga- ment. Each of these has advantages and sufficient representation exists with
nization is engaged in disparate lines disadvantages, and some are easier than companies of the same size and char-
of business. For example, a technol- others to develop and execute. acteristics within the same industry.
ogy manufacturing company may also
own broadcast media. Auditors should Simple Approach The most common Private Benchmark Survey Industry-
choose the most representative industry and easiest approach is to use a basic focused and private benchmark surveys
or consider benchmarking against two metric such as total revenue per auditor also provide relevance and credibility.
or more separate industries if this seems or number of employees per auditor. An alternative is to use the peer group
more appropriate. Next, they should Generally, the numerator in the ratio of organizations cited in most proxy
identify key competitors and industry is publicly available (for public compa- statements for U.S. publicly listed
trends that may impact the benchmark- nies) and requires only determining the companies. For example, the 2018
ing exercise. number of auditors in an organization Fluor Corp. proxy listed 22 compa-
One of the best means of under- to complete the benchmark ratio. It’s nies considered direct competitors
standing industry culture is through a quick and easy way to approximate and other peers in the engineering
industry-specific benchmarking groups. audit coverage with others. Com- and construction industry. This is the
Formal and informal groups focused parisons in this basic approach also perfect group to enlist for a private
on internal audit and Sarbanes-Oxley are included in other benchmark benchmark survey. To preserve ano-
benchmarking exist in several indus- approaches with richer data. Usefulness nymity and confidentiality, it may be
tries, including aviation, engineering is relatively limited, however, as dif- useful to mask specific organization
and construction, financial services, ferences in audit coverage or business responses. An independent third party
manufacturing, news media, and retail. operations are not identified. At best, can facilitate collection and dissemina-
Participation in networking groups and it can serve as a minimum guideline tion of results; specific categories can
reading industry-specific publications in establishing a base level of resources be banded to preserve confidentiality
provides insight to the organization’s compared to other companies. of individual responses.
industry and its culture. This is valuable Revenue can be grouped in broad
to understand commonalities and dif- Internal Audit Benchmarking categories and a similar approach
ferences to be considered in the bench- Report The IIA’s benchmarking tool can be used for internal audit budget
marking exercise. For example, are most compares audit department size, expe- amounts, number of employees, and
competitors privately held when the rience, and other metrics against the other benchmark data. Audit com-
organization is publicly traded? Does averages of similar organizations in mittee members and executive man-
the organization operate internationally chosen peer groups. Benchmark metrics agement tend to view peer surveys
compared to competitors that operate include employee compensation; orga- as the most relevant as they compare
primarily in the U.S. and Canada? Is nizational statistics; department staffing companies with much of the same
the organization’s industry expanding or and costs; oversight, including audit risks, industry constraints, culture, and
contracting or deploying administrative committee information; operational regulatory requirements. The approach
functions off shore? What is the cultural measures, including audit life cycles; takes effort to execute and typically
expectation for internal audit? Does the performance measures; and risk assess- requires assistance from an indepen-
industry see internal audit as a policing ment and audit planning information. dent third party to facilitate. Conse-
activity or the function that runs the Data is confidential and reported quently, this benchmark exercise often
Sarbanes-Oxley program? Is internal only in aggregate form. Identifying takes longer than other approaches.
audit viewed as a source of talent and a information is not publicly disclosed,
business partner or a necessary evil and although a list of participating compa- Third-party Surveys Most of the Big
corporate overhead? nies within each industry is provided. Four accounting firms, professional

6 STEPS TO RIGHT-SIZE INTERNAL AUDIT
service providers, and recruiters pub- the organization provides three full-
lish annual or periodic surveys cover- time exempt (FTE) employees, the
ing internal auditing. It is worthwhile CAE should subtract three FTEs
to research current publications and from the head count comparisons in
consider whether these can be used to the benchmark survey, along with
benchmark the organization’s internal appropriate footnotes. This approach
audit function. However, it is some- recognizes unique differences in audit
times difficult to apply broad surveys services and attempts to provide a
to satisfy the data requirements for balanced, apples-to-apples compari-
a specific benchmarking exercise. In son. It requires judgment and data to
addition, third-party surveys often are execute and can be subject to criti-
thematic in focus, and do not pro- cism by stakeholders if additions or
vide sufficient demographic detail or subtractions appear arbitrary or not
include the necessary data to facilitate well-supported.
benchmarking internal audit resources
and head count. External Audit Fee Comparison
There also is no standard to determine
the appropriate amount to spend on
It is sometimes difficult to apply broad external audit fees. These fees vary
widely among organizations of equal
surveys to satisfy the data requirements size and are driven by the same orga-
nization control environment charac-
for a specific benchmarking exercise. teristics applicable to internal audit.
This relationship holds true when
external audit fees are market-driven
Appraisal Approach The appraisal (based on hours to complete the
(or market adjusted) approach starts audit), which reflects complexities in
with basic survey data from another the availability, quality, and reliability
benchmark survey. Adjustments are of data and the organization’s control
then made to account for differ- environment. Consequently, internal
ences in the organization’s inventory audit fees compared to external audit
of audit services compared to others fees can be extrapolated across peer
included in the basic survey. This con- organizations to develop a range of
cept is similar to the technique used expected internal audit spending for
by real estate appraisers where the the organization.
individual property value is appraised This approach provides the most
based on the comparable value of useful metric that reflects the unique
nearby existing homes and adjusted characteristics and differences in orga-
upward or downward for such things nization control environments. Exter-
as a pool, finished patio, and high nal audit fees, along with organization
street traffic. revenue information, are available
When conducting an appraisal from U.S. publicly listed companies.
approach survey, CAEs should try Completion of this benchmark analy-
to accumulate data on services that sis requires obtaining the cost or head
may not be comparable based on count for the internal audit function.
their knowledge of the industry, Audit committees tend to like this
competitors, or the uniqueness of comparison because it provides a
their organization. For example, if snapshot of both internal and external
other organizations do not provide audit fees, particularly if focused on
external audit direct assistance and organizations in the same industry.

40% of chief audit executives say internal audit has strong
organizational impact and influence, according to Deloitte’s 2018 survey, The Innovation Imperative.
5
overlooked. Invariably, audit commit-
Summarize tees also will ask the external auditor for
STEP and Interpret input, so he or she should be included
Results in the vetting process.
The benchmark report from the
Once data has been collected, CAEs CAE should describe the objectives of
should summarize and apply results for the exercise and the survey approaches
the organization to the external bench- used, along with any assumptions and
mark survey. Stakeholders appreciate exclusions. Transparency is imperative
the insight of multiple perspectives that for the report to be viewed as objective
add credibility to the thoroughness of and credible. CAEs should summarize
the exercise. Accordingly, CAEs should relevant industry trends, cultural dif-
use as many approaches for obtaining ferences, variations in audit services
benchmarking data as possible. This will provided by their function compared
provide a comprehensive snapshot of to others, and other data points stake-
the organization’s internal audit func- holders should be aware of. They
tion and resources compared to others. should conclude with recommended
Stakeholders can compare spending changes based on benchmark data in
in the organization’s industry to other line with stakeholder expectations for
industries or organizations with similar internal audit.
revenue, and see differences in external Frequently, the survey supports TO COMMENT
on this article,
audit fees and the categories of services the current level of resources and head EMAIL the
provided by internal audit functions. count without the need for substantive author at
CAEs also can consolidate indi- changes. Such a conclusion also pro- stephen.shelton
vidual surveys to establish a range of vides value to the audit committee by @theiia.org
acceptable internal audit resources and independently corroborating the appro-
coverage that facilitates flexibility and priateness of resources. Finally, CAEs
judgment for making resource or staff- should summarize survey results and
ing decisions. If the internal audit func- disseminate them to other participants
tion is well above or below the range if industry or private benchmark surveys
established by triangulating multiple were conducted.
surveys, compelling data now exists for
recommending specific changes. OPPORTUNITY FOR DIALOGUE
6
All CAEs should right-size the internal
Report audit function periodically to satisfy IIA
Benchmark Standard 2030: Resource Management.
STEP Results to Benchmarking and comparison with
Stakeholders other organizations also helps ensure the
function provides reasonable value and
The CAE should approach reporting coverage for the industry and company
the results of a benchmark analysis with risk profile. It also affords an opportu-
the same objectivity and rigor applied nity for insight and dialogue with the
to internal audit reports. It’s important audit committee and management to
to consider the assessment from the per- sustain and grow investment in internal
spective of recipients, stakeholders, and audit resources.
decision-makers on the audit committee
and in executive management. After the STEPHEN SHELTON, CPA, CISA, CCEP,
study is prepared, the preliminary results is senior vice president, internal audit, at
should be vetted with stakeholders to Mr. Cooper Group (Nationstar Mortgage)
ensure key perspectives have not been in Coppell, Texas.

TECHNOLOGY
Emerging technologies
such as AI present
a host of risks, and
opportunities, for
auditors to consider.
Michael Rose, Ethan Rojhani,

and Vivek Rodrigues
Illustration by Sean Yates
T
he “big” in big data hardly seems adequate to describe the
scope of today’s digital information. Each day, the world pro-
duces 2.5 quintillion bytes of new data, according to a 2016
IBM Marketing Cloud report. In fact, 90 percent of data cre-
ated over the history of the human race was generated in the
past two years alone, the report says.
Increasingly, competitive advantage is driven by orga-
the
nizations’ ability to access, collect, synthesize, analyze,
and exploit insights from that data. But the scope of this
undertaking swamps traditional practices and capabilities.
Tackling it effectively requires mastering emerging technolo-
RISE o
gies, such as artificial intelligence (AI) and robotic process
automation (RPA).
For internal auditors, these technologies present a
challenge and an opportunity. The challenge? How can
they help their businesses understand, codify, and develop
appropriate controls around the new risks presented by
RPA, AI, and other technologies? The opportunity? Where,
within the internal audit function itself, can these tools be
36 INTERNAL AUDITOR APRIL 2018

E of Automation
APRIL 2018 INTERNAL AUDITOR 37
THE RISE OF AUTOMATION EMAIL the author at [email protected]
leveraged to provide deeper insights and deployment controls,

with greater efficiency? addressing issues such as how
and when new processes are
EMERGING TECHNOLOGY RISK tested and updated?
AI and RPA have great potential »» Who is accountable for ensur-
to increase efficiency, but they also ing that use of the technologies
can help reduce organizational risk. complies with corporate poli-
Processes handled by these technolo- cies, as well as applicable laws
gies are performed quickly and with and regulations?
absolute consistency; humans make »» Are these processes being
mistakes or skip steps, robots do not. considered holistically to
But that speed and consistency car- address change management,
ries its own risk. If a faulty algorithm human resources, and other
exists, if the tools access incorrect or related concerns?
incomplete data, if someone tampers Additionally, internal auditors should
with the process, or if RPA does not determine what the organization is
adjust to changing business or eco- doing to ensure effective governance
nomic conditions, then the organiza- of its technology (see also “A New Age
tion’s automated processes can magnify of IT Governance Risk” on page 20).
human errors. Consequently, signifi- Audit leaders need to work with orga-
cant follow-up work may be required nizational leadership to help develop
to unwind the errors. an appropriate governance strategy for
Internal auditors should ask several managing these technologies — and
questions when assessing risks associ- also to help unlock their potential.
ated with emerging technologies: Internal auditing should be involved
as part of the design or launch process
so key risk indicators can be identified
and appropriate controls embedded.
Internal auditors should determine This approach is far more effective
what the organization is doing to ensure than trying to append controls as an

afterthought. Audit leadership can aid
effective governance of its technology. the chief technology officer and chief
information officer in the development
of a strong governance plan. Numerous
available frameworks, such as COBIT
»» Has the organization estab- and ITIL, can serve as guides. Also,
lished programs to take advan- guidance from the chief legal coun-
tage of these technologies? Are sel and compliance department may
foundational programs in place, provide additional support. The gover-
such as data management and nance structure or plan over technol-
governance, as well as user- ogy should be periodically reviewed for
access controls? modifications that may be needed.
»» Who is responsible for deter-
mining whether and how such THREE LINES OF DEFENSE
tools can access the organiza- One of the challenges of today’s rap-
tion’s data? Has clear account- idly changing business technology
ability been established? Are involves working effectively across
appropriate safeguards in place? the first and second lines of defense,
»» Has the organization imple- while maintaining internal audit
mented appropriate development objectivity. The traditional audit

More than 90% of managers and analysts globally expect new business value at their company
from artificial intelligence in the coming five years, according to a recent MIT Sloan Management Review survey.
AI AND RPA DEFINED
D
efinitions of AI vary. The English Oxford Living Dictionary defines it broadly as: “The
theory and development of computer systems able to perform tasks normally requiring
human intelligence, such as visual perception, speech recognition, decision-making, and
translation between languages.” RPA, on the other hand, involves the use of software with
AI and machine learning capabilities to handle high-volume, repeatable tasks that previously
required humans to perform. These tasks can include queries, calculations, and maintenance of
records and transactions.
Consider the challenge of wading through potentially thousands of contracts that may
contain embedded leases, in an effort to comply with the Financial Accounting Standards
Board’s new lease accounting rules. Organizations currently use AI technologies such as text
recognition and natural language processing to scan contracts for language that indicates an
embedded lease may exist, and to flag those contracts for review. RPA is often coupled with
this process to route flagged contracts to appropriate parties, ensuring decisions on embedded
leases are made timely. Subsequently, RPA is also often used to follow up on, and to confirm,
a decision has been made on those contracts. Beyond this narrow example, a variety of stud-
ies indicate that as much as 45 percent of the work performed in businesses every day could
eventually be replaced by RPA.
approach incorporated relatively control testing through the use of RPA

static, periodic risk assessments and can enable organizations to spot anom-
statistical sampling of data from alies earlier.
past transactions to identify control An organization’s risk posture can
issues. Auditors often identified issues be greatly improved by helping man-
months or more after they arose, agement understand the best uses of
making remediation untimely and these tools and by working to deploy
allowing losses or other issues to com- them in real time. The technology
pound. With today’s tools, internal can help identify control deficiencies
audit functions can test most or even much sooner, enable testing of entire
all transactional data and can do so in populations, and correct deficiencies
close to real time. immediately upon identification. As
The acceleration toward real-time the third line of defense, however,
auditing and the associated need to internal audit needs to maintain its
help identify and manage risks around independence. Internal auditors may
emerging technologies means that assist the first and second lines in
internal auditors find themselves work- establishing the use of these tech-
ing more closely and more often with nologies by providing advice, but they
those in the first and second lines of must also ensure audit independence
defense. One of the benefits of real- remains adequate to provide the addi-
time auditing involves pushing risk tional layer of review.
management down to the first line of
defense wherever possible. Internal LEVERAGING THE TECHNOLOGY
audit can play a key role in investigat- When examining RPA and AI, internal
ing how AI and RPA can be used to audit shouldn’t limit its focus to the
augment, and in many cases replace, business’s use of these technologies.
current manual transaction testing and The audit function itself offers ample
other risk-testing processes. Automating opportunities to leverage RPA and AI

Trust Your Quality to the Experts
Leverage an External Quality Assessment in 2019
Build confidence with your stakeholders through a solid Quality Assurance and Improvement
Program (QAIP). Look to IIA Quality Services’ expert practitioners to provide:
■ Insightful external quality assessment services.

■ On-time solutions and successful practice suggestions based on extensive field experience.
■ Enhanced credibility with a future-focused QAIP.
IIA Quality Services, LLC, provides you the tools,

2018-0961
expertise, and services to support your QAIP.

Learn more at www.theiia.org/Quality
2018-0961 QAL-Quality Ia Mag Ad-Aug.indd 1 6/22/18 8:50 AM

The robotic process automation market is forecast to increase by
nearly 110% in 2019, according to Forrester Research’s Predictions 2019: Automation.
to achieve efficiencies and improve audit function will, of course, be partly team to best understand and address
results. Auditors should consider several determined by the circumstances of emerging technology risk, but audit
potential applications: each organization. By seizing those functions considered leaders in these
»» Controls testing is a vital but opportunities where they exist, audit areas may be seen as more attractive to
time-consuming internal audit leaders can free up their professionals top talent.
function, requiring consistent, to focus on the critical thinking neces-
repetitive application to be sary to provide real strategic insights PARTNERS IN TRANSFORMATION
effective — just the sort of for the business. The emergence of AI, RPA, and simi-
process that is ideally suited for Delivering those insights and lar technologies is much like that of
RPA. In some cases, controls managing the risks of emerging tech- spreadsheet applications in the mid-
or testing processes will need nologies also requires expanded 1980s. Spreadsheets at that time were
to be modified to allow for skills — internal audit leaders should innovative and useful, but not yet
RPA, but once it is in place, keep those needs in mind as they hire widely adopted. Within 10 years, they
automation can produce accu- and train staff. Although technology became ubiquitous and revolutionized
rate, consistent, and timely can fuel significant improvements and work, not only within internal audit
results. For example, ensuring efficiencies, deploying the right peo- but across the business world.
the usefulness of data con- ple, skills, and approach ultimately Likewise, AI and RPA are trans-
sumed from multiple sources enables the technology to work as forming businesses and their internal
historically would often require intended. Of course, a solid account- audit functions. And while the new
someone from the audit team ing and audit background remains technologies present new risks, these
to spend significant time
stitching the data together.
Today an RPA automation
can quickly replicate all of Effectively managing emerging
those tasks with a higher level
of accuracy. technology risks while also leveraging
»» Internal audit work requires a
significant amount of routine,
AI and RPA tools are key challenges.
repetitive communication. For
example, auditors often need to
request information and then vital, but more and more skills risks can be managed. The greater
follow up on those requests, around data science and IT must be risk is failing to capitalize on the
many of which are triggered by part of the internal audit group. And power and utility AI and RPA tools
specific due dates. These pro- the central mission of internal audit- offer. Effectively managing emerging
cesses offer key opportunities ing — to enhance and protect organi- technology risks while also leverag-
for automation. zational value by providing risk-based ing these tools are key challenges
»» Scorecard population, audit and objective assurance, advice, and for today’s internal audit leaders. By
committee reporting, and other insight — remains the same. But doing so, however, they can become
predictable documentation tools like AI and RPA require audi- true strategic partners in their organi-
demands often can be fully tors to possess broader technologi- zation’s success.
or partially automated. Dash- cal skills, strong data management
boards can be fully automated capabilities, and familiarity with MICHAEL ROSE, CIA, CPA, CISA, CISM,
for management and the board mathematics — such as linear algebra is a Business Risk Services partner at
of directors. Using RPA with and statistics, which drive algorithm Grant Thornton LLP in New York.
a visualization tool can enable development. A background in cod- ETHAN ROJHANI, CISSP, CPA, CFE,
automated generation of dash- ing also can be valuable. CGFM, is a Business Risk Services partner
board information for these key Hiring professionals with these at Grant Thornton in Denver.
stakeholder groups. skills and training those already in the VIVEK RODRIGUES is a Digital Transfor-
The specific opportunities to apply internal audit function is essential. mation and Management senior manager
emerging technology to the internal Not only will it position the audit at Grant Thornton in New York.

S TAT U S Q U O I S O N E O F M A N Y.
Status Go ™
IS ONE-ON-ONE.
Ready for an approach that’s as

unique as it is personal?
Welcome to Status Go.
gt.com/statusgo
“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the independent network of GTIL member
firms provide services to their clients, as the context requires. GTIL and each of its member firms are not a worldwide partnership and are not liable for one another’s acts or omissions. In the
United States, visit grantthornton.com for details. © 2017 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
WHISTLEBLOWERS
Penalizing
Corruption
The U.S. Securities and Exchange
Commission’s Whistleblower Program
has fined companies more than
$1 billion since 2011.
Daniel Gaydon
Douglas M. Boyle
S ince its inception, the U.S. Securities and Exchange Commission (SEC) Whis-
tleblower Program has fined wrongdoers more than $1.7 billion. “Whistleblow-
ers have played a crucial role in the progression of many investigations and the
success of enforcement actions,” said Jane Norberg, SEC chief of the Whistle-
blower Program, following the $16 million payout to two whistleblowers in
November 2017.
The SEC’s 2017 Annual Report to Congress on the Whistleblower
Program provides insights for internal auditors and audit committees into
the program’s scope, focus, and results. In 2017, the SEC awarded approxi-
mately $50 million to 12 individuals for various whistleblower actions.
These reports included providing information about a fraud arrangement
that was difficult to detect, disrupting investment schemes that targeted
unsophisticated investors, and supplying industry-specific information. Nor-
berg stressed the three key features of the program are monetary rewards for
information that leads to successful enforced actions, anti-retaliation protec-
tions, and confidentiality safeguards.
Given the growing impact of the SEC Whistleblower Program, internal
auditors should encourage executives and directors who oversee governance to
understand the key elements of the program. Moreover, auditors should ensure

PENALIZING CORRUPTION EMAIL the author at [email protected]
internal processes and controls are in 49 percent since 2012, reaching an

place to effectively resolve whistleblower all-time high in 2017. The categories
concerns and build employee trust. that have remained the highest over the
life of the program include corporate
WHISTLEBLOWER INCENTIVES disclosure, offering fraud, and manipu-
The SEC Whistleblower Program lation (see “Whistleblower Allegation
was created in 2011, as directed by Types” on page 46).
Section 922 of the U.S. Dodd-Frank Approximately 68 percent of
Wall Street Reform and Consumer TCRs submitted in 2017 came from
Protection Act, to provide incentives to the U.S., 20 percent from international
whistleblowers to report federal securi- locations, and 12 percent from a loca-
ties law violations. Section 21F allows tion not disclosed. The annual number
rewards for individuals who provide of TCRs submitted internationally has
information that leads to a success- grown 75 percent since 2012.
ful SEC enforcement action resulting Although the Dodd-Frank Act
prohibits the SEC from disclosing the
identity of the whistleblower, the com-
The SEC has received more than 22,000 mission does publish the roles in which
the whistleblowers served in aggre-
tips, complaints, and referrals. gate. In 2017, most award recipients
were current (30 percent) or former
employees (25 percent). The remaining
in sanctions greater than $1 million. recipients included harmed investors
Whistleblowers may be an employee, (19 percent), outsiders (15 percent),
an insider such as a consultant, or an other insiders (7 percent), and industry
outsider of the company. professionals (4 percent).
Whistleblowers are eligible for Not only are the TCRs up, the
payments of 10 percent to 30 percent amount paid to whistleblowers from
of the monetary sanctions collected. the Investor Protection Fund also has
To receive payment, the whistleblower been increasing. The SEC has awarded
must complete the award applica- more than $60 million to whistleblow-
tion within 90 days of when the SEC ers since 2012 (see “The Top Whistle-
Notice of Covered Action is posted. blower Awards” on page 47).
Factors that could increase the payment
amount include how vital the infor- PROTECTING WHISTLEBLOWERS
mation is to the SEC action, higher With the monetary awards and pay-
level of cooperation, and evidence the outs growing each year, the SEC has
violation was first reported through the emphasized whistleblower protection
company’s internal network. Inversely, since 2017. In separate instances, the
factors that could decrease payment SEC levied $2.4 million in penalties
include the whistleblower’s involvement against publicly listed companies that
in the violation and significant delay in retaliated against or hindered employ-
reporting the violation. ees’ ability to report potential viola-
tions to the commission.
PROGRAM GROWTH Specifically, Section 21F(h)(1) of
Since the whistleblower rules took the Dodd-Frank Act provides whistle-
effect in 2011, the SEC has received blowers with protection against retali-
more than 22,000 tips, complaints, and ation. In addition, Exchange Act Rule
referrals (TCRs). “Whistleblower Tips” 21F-17(a) forbids employers from not
on page 45 shows that TCRs have risen allowing employees to report securities

The SEC Whistleblower Program has recovered $671 million in ill-gotten gains
and interest since 2011, most of which has, or will be, returned to harmed investors, the SEC says.
WHISTLEBLOWER TIPS
4,484
4,218
3,923
3,620
3,238
3,001
FY2012 FY2013 FY2014 FY2015 FY2016 FY2017
Source: SEC’s 2017 Annual Report to Congress on the Whistleblower Program
violations to the SEC. The act states 2017, BlackRock Inc. agreed to pay a
that “no person may take any action $340,000 penalty for including inap-
to impede an individual from commu- propriate language in its separation
nicating directly with the commission contracts. In exchange for monetary pay-
staff about a possible securities viola- ments, more than 1,000 former employ- For more
information about
tion, including enforcing, or threatening ees signed agreements waiving “any right
the SEC Office of
to enforce, a confidentiality agreement to recovery of incentives for reporting the Whistleblower
… with respect to such communica- misconduct, including, without limita- Program, VISIT
tions.” The SEC can take legal action tion, under the Dodd-Frank Wall Street www.sec.gov/
against employers that retaliate against Reform and Consumer Protection Act.” whistleblower
employees for reporting federal securi- In another example, the SEC
ties law violations. found Oklahoma energy company
In 2017, the SEC found numerous SandRidge Energy Inc. had violated
violations of Rule 21F-17(a). For exam-
ple, Washington, D.C.-based financial
service firm Homestreet Inc. agreed to
pay a $500,000 penalty for attempting
The SEC can act against employers that
to identify a whistleblower follow-
ing an SEC inquiry into accounting
retaliate against employees.
violations. Moreover, the SEC found
that Homestreet employees were only both Rule 21F-17(a) and the whistle-
eligible for severance benefits if they blower anti-retaliation provisions of
signed an agreement waiving potential Section 21F(h). SandRidge terminated
whistleblower rewards. an employee after the whistleblower
The SEC also brought actions expressed concerns regarding a reserve
against companies for implementing calculation. In addition, more than 500
restrictive covenants in their severance former SandRidge employees signed
and termination agreements. In January separation agreements from August

PENALIZING CORRUPTION
WHISTLEBLOWER ALLEGATION TYPES
Other 36%
Foreign Corrupt Corporate

Practices Act 5% Disclosure and
Financials 19%
Trading and
Pricing 5%
Insider Offering
Trading 6% Manipulation Fraud 16%
13%
Source: SEC’s 2012–2017 Annual Reports to Congress on the Whistleblower Program.
2011 to April 2015 that prevented them Moreover, these penalties could result
from disclosing information to any gov- in a scandal that causes reputational
ernmental agency regarding company damage to the companies involved. In
investigations. SandRidge agreed to pay an August 2014 press release, former
$1.4 million in penalties. SEC Whistleblower Office Chief Sean
Internal auditors may help the orga- McKessy stressed the importance of
nization define, monitor, and manage internal auditors. “Individuals who per-
elements of the whistleblower process form internal audit, compliance, and
to ensure an effective and appropriate legal functions for companies are on the
front lines in the battle against fraud
and corruption,” he said. “They often
Auditors can review whether claims are privy to the very kinds of specific,
timely, and credible information that
were resolved appropriately. can prevent an imminent fraud or stop
an ongoing one.”
In some cases, internal auditors,
avenue is provided to report claims. themselves, may be whistleblowers.
Auditors also can review whether claims In 2014 and 2015, the SEC awarded
were resolved appropriately. whistleblower rewards to employees
within compliance and internal audit
INTERNAL AUDIT IMPLICATIONS functions. According to Section 21F-4,
With more than $1 billion in penal- if internal auditors come across a viola-
ties levied so far against companies, the tion, they should first report it inter-
SEC Whistleblower Program is having nally to the appropriate officer or board
a significant impact in monetary terms. member. If action is not taken within

The SEC took 2+ years on average to make decisions
on whistleblower claims from 2014
to 2017, compared to one year in 2012 and 2013, according to a Wall Street Journal analysis of SEC releases.
THE TOP WHISTLEBLOWER AWARDS

Below are the largest whistleblower rewards issued by the SEC since the whistleblower program’s inception. Nine of
the top rewards occurred during 2016 to 2018.
RELEASE DATE AWARD AMOUNT SEC QUOTE
March 19, 2018 $49 million The whistleblowers “provided critical information that advanced
the first investigation, including the identification of potentially
relevant documents and key witnesses.”
Sept. 6, 2018 $39 million The whistleblower “voluntarily provided original information to the com-
mission that led to the successful enforcement of the covered action.”
March 19, 2018 $33 million “The information was previously unknown to the staff handling the
investigation that resulted in the covered action.”
Sept. 22, 2014 $30 million “The whistleblower came to us with information about an ongoing
fraud that would have been very difficult to detect.”
Aug. 30, 2016 $22 million “Whistleblower whose detailed tip and extensive assistance helped
the agency halt a well-hidden fraud at the company where the
whistleblower worked.”
Nov. 14, 2016 $20 million “This whistleblower alerted us with a valuable tip that led to a near
total recovery of investor funds.”
June 9, 2016 $17 million “The information and assistance provided by this whistleblower
enabled our enforcement staff to conserve time and resources
and gather strong evidence supporting our case.”
Sept. 6, 2018 $15 million The whistleblower “appeared before the agency for an investiga-
tive interview.”
Oct. 1, 2013 $14 million “The whistleblower(s)’ information led to SEC enforcement action
that recovered substantial investor funds.”
Nov. 30, 2017 $8 million “The whistleblower alerted SEC enforcement staff of the par-
ticular misconduct that would become the focus of the staff’s
investigation and the cornerstone of the agency’s subsequent
enforcement action.”
Nov. 30, 2017 $8 million “The whistleblower provided additional significant information and
ongoing cooperation to the staff during the investigation that
saved a substantial amount of time and agency resources.”
Sources: SEC orders and press releases related to the whistleblower program

A New Look
at Internal Auditing.
Audit Intelligence Suite

Benchmark | Assess | Survey
Benchmark your audit function, assess your team, and survey your key stakeholders. Once you know the results,
you will be in a better position to improve your audit function.
Learn More
www.theiia.org/AIS
In June, the SEC proposed a rule
that would reduce
whistleblower awards
that are based
on penalties of $100 million or more to “more appropriately and expeditiously” reward whistleblowers.
120 days, the internal auditor becomes »» Consider all sources, including With the monetary rewards increasing,
eligible for an award and may begin hotlines, anonymous email, reports to the SEC’s Whistleblower
the whistleblower process by reporting lawsuits, exit interviews, and Program are likely to grow. Against
either through the SEC’s online ques- social media. this backdrop, internal auditors can
tionnaire or by completing a hard copy »» Ensure adequate triage of the help their organization’s whistleblower
Form-TCR. report based on understand- program through education, com-
Because more than half of whistle- ing the legal and accounting munication, and monitoring. Given
blower reports come from company implications. their knowledge of the organization’s
insiders, chief audit executives (CAEs) »» Enlist internal audit in manag- governance, policies, and procedures,
should work closely with the audit ing the whistleblower process, internal audit’s involvement can add
committee to ensure the appropriate managing the investigative credibility to the whistleblower pro-
tone, policies, and diligence are in process, or reviewing whistle- gram. However, auditors should remain
place to support a whistleblower who blower activities. objective and leave decision-making
first reports internally. In “Whistle- »» Understand the entire whistle- responsibility about specific whistle-
blowers: What the Board Needs to blower program process. blower cases to management.
Know,” The IIA’s Tone at the Top »» Remain vigilant by continu-
newsletter lists six steps that boards and ally reviewing and updating DANIEL GAYDON is a doctorate student at
CAEs should take to oversee a whistle- whistleblower policies. the University of Scranton in Pennsylvania.
blower program: The SEC Whistleblower Program DOUGLAS M. BOYLE, DBA, CPA, CMA,
»» Build employee trust of int- has resulted in increased tips, fines, is accounting department chair and associ-
ernal policies. awards, and whistleblower protections. ate professor at the University of Scranton.
YOU Are INVITED

Join a select group of C-level executives on a three-day immersive experience
to prepare for the highest rank of the internal audit profession.
UPCOMING 2019 VISION UNIVERSITY SESSIONS:
Orlando, FL Boston, MA San Diego, CA Chicago, IL

Feb. 26–March 1 June 24–27 Sept. 9–12 Nov. 19–22
www.theiia.org/VisionU
CAE Success in a Class All Its Own
2018-1402

2018-1402 TRN-2018 Vision U Half Page Ad.indd 1 11/6/18 3:49 PM
Relevant. Reliable. Responsive.
As the award-winning, multi-platform, always-available resource

for internal auditors everywhere, Internal Auditor provides
insightful content, optimized functionality, and interactive
connections to sharpen your focus.
Print | Online | Mobile | Social
+GET it all InternalAuditor.org
2017-0409
SOFT SKILLS
Breaking free
of mental traps
Internal auditors can take
steps to avoid overthinking
that can affect audits and
service to clients.
AMPLIFICATION
Murray D. Wolfe PERSISTENCE
ANTICIPATION FIXATION
F
REVERSION
PROCRASTINATION RESISTANCE
eeling caught in a
DIVISION
mental trap? Over-
thinking can inhibit
ACCELERATION
internal audi-
tors’ service
to clients.
“Mental
traps are habitual modes of
thinking that disturb our ease, take
up enormous amounts of our time,
and deplete our energy, without
accomplishing anything of value,” for-
mer University of Toronto philosophy
VECTORHAPPY / SHUTTERSTOCK.COM
and psychology professor André Kukla

writes in Mental Traps: The Overthinker’s
Guide to a Happier Life.
Auditors can unwittingly fall into many mental
traps and “spin” at any point in the engagement

BREAKING FREE OF MENTAL TRAPS
life cycle. Being aware of these traps It is important to remember, how-

and learning how to overcome them ever, that there is a difference between
can help auditors become better at their persistence and perseverance. While
jobs, reduce the effort required to finish persistence is a mental trap that leads to
their work, and deliver greater value to a dead end, perseverance is a laudable
their clients. trait in which one steadfastly pursues a
Among the mental traps that the goal despite encountering obstacles.
book covers, nine are most relevant
for internal auditors: persistence, AMPLIFICATION Working harder than
amplification, fixation, reversion, necessary to achieve one’s aims and
TO COMMENT anticipation, procrastination, accel- doing too much is amplification. For
on this article,
eration, resistance, and division. internal auditors, amplification occurs
EMAIL the
author at murray. According to Kukla, each of these in a few common situations. The first is
[email protected] traps relates to four cardinal errors when they continue testing to prove an
pertaining to undertaking tasks or observation for which they have already
projects: Individuals either do too collected sufficient evidence. After all,
much or too little, or they start or if some evidence is good, more must be
finish a task too soon or too late. better, right?
Internal auditors should be mindful Auditors can avoid this by apply-
of these traps and errors and take pro- ing a rule of thumb: Only gather
active steps to manage them. enough evidence to convince the
intended audience to take action. Once
PERSISTENCE The first trap involves the threshold is reached, quit digging.
continuing to work on tasks that have Engaging in “analysis paralysis”
lost their value. This results in people is another example. This occurs when
doing too much. internal auditors continue to analyze
As Kukla points out, North a situation beyond what is required in
American culture teaches people to the belief that it will help make the case
for change.
Internal auditors also can spend
inordinate time polishing reports
While persistence is a mental trap that because they believe the reports are not
leads to a dead end, perseverance is a ready. Auditors face the law of dimin-
ishing returns and at some point need
laudable trait in which one pursues a to stop the work and issue the report.
They don’t need to be perfect. Setting
goal despite encountering obstacles. relatively firm deadlines can help audi-
tors deal with this mental trap.
FIXATION Related to amplification,

regard persistence as a virtue. This fixation occurs when progress toward
is a form of mental inertia — having finishing an engagement or task is
begun an activity, people keep moving blocked. This often occurs when
in the same psychological direction internal auditors require additional
until they reach the end. This inertia information from a stakeholder
tips the scale in favor of continuing such as an executive who happens
the task even if it no longer has merit. to be unavailable.
The individual promised to complete Instead of using the time to do
it, so he or she will doggedly carry on something else that will help complete
to the end. the engagement, auditors may waste

“Mental traps are identified not by the content of our ideas but by their form,”
according to Mental Traps: The Overthinker’s Guide to a Happy Life, by André Kukla.
time by devoting efforts to activities so much planning that they delay get- the engagement report the moment
that add no value or repeating what’s ting started. fieldwork begins. Doing so promotes
already been done. Neither of these refining and testing observations and
actions ultimately adds any value. As a PROCRASTINATION One of the most conclusions as the engagement pro-
result, auditors expend too much effort prevalent mental traps, procrastina- gresses rather than waiting until the end.
on the current task and don’t begin the tion involves performing small, Although related to amplification,
next task soon enough. Auditors can relatively meaningless tasks that performing more tests than required
avoid this situation by effectively plan- take the place of actually devoting during fieldwork can be another form
ning for the future and considering the time to required or appointed tasks of procrastinating. This can be the
schedules of key stakeholders. that will add value. Engaging in case when additional testing is done
procrastination, internal auditors end to avoid getting to the next phase of
REVERSION A bit more complex, a current task too late and do not start the engagement.
reversion happens when people have the next task soon enough.
set out to accomplish a task and have One common way of procrastinat- ACCELERATION The flip side of
failed at it. Rather than let it go, they ing is to postpone starting fieldwork by procrastination is acceleration. Rather
continue to focus their thoughts on over-planning. Auditors can avoid this than being slow to start, acceleration
attaining the missed goal. Kukla states
that “reversion is the temporal opposite
of fixation,” but rather than working to
hasten an immovable future when a task Anticipation involves starting a task
is blocked, people try to change the
immutable past. too soon. Internal auditors can suffer
Fixation and reversion share a
common problem in that people con- from this trap by not planning enough
tinue to work on a task when there is
nothing more to be done. With rever-
before they begin fieldwork.
sion, auditors need to accept their
failure; get over the feelings of guilt,
regret, or shame; and move on to the by establishing deadlines and allocated occurs when people don’t give a task
next project. efforts for each phase of the audit and the necessary time and attention and
holding to them as much as possible. end up finishing it too soon. Often,
ANTICIPATION Auditors can suffer Some flexibility is needed, of course, procrastinating at the beginning of a
from anticipation by starting a task too but an audit is a small project and project or task can result in acceleration
soon — for example, by not planning should be treated like one. at the end.
enough before they begin fieldwork. Another way to procrastinate is to For example, internal auditors may
Inexperienced internal auditors delay contacting stakeholders to avoid rush through planning, ultimately not
are prone to the anticipation trap by confrontation or a potentially unpleas- delivering what clients and stakeholders
being anxious to start fieldwork before ant discussion. Auditors may delay for wanted. As a result, they may have to go
they understand why the engagement a day or two, only to find out that the back and perform more unplanned field-
is being undertaken, what is the most stakeholder is not available for the next work. Failing to take time to ensure tests
effective way of obtaining evidence, week. If this happens enough times, the are designed appropriately and executed
and how the engagement should be engagement timeline can be delayed by correctly may yield faulty evidence from
executed to meet the clients’ needs. several weeks. rushed and sloppy work. Auditors also
This is evident when auditors begin Internal auditors also procrastinate may have to repeatedly revise reports
detailed testing of transactions before by not writing their audit report because because they rushed to write a first draft
exploring other, less labor-intensive they know writing, editing, and finaliz- without adequately thinking through
options, such as interviews or walk- ing it will open themselves to challenge what they want to report on and how
throughs, to get evidence. Internal and criticism from their supervisors they want to report it.
auditors need to plan adequately and clients. Audit departments can Internal auditors can avoid
before beginning fieldwork, yet not do address this trap by beginning to draft acceleration by devoting time to

Learn
From The Leader.
IIA TRAINING – ALL PLATFORMS OPEN
As an internal auditor, you’ll always find there’s more to discover. And while on the job training is par for the course,
sometimes learning the latest lessons from the industry leader is the best course of action. The IIA delivers innovative,
quality, and convenient internal audit training and development for all skill levels. The flexible training platforms focus
on individual auditor training needs, as well as existing and emerging issues to ensure that internal auditors receive the
knowledge and proficiency required to provide the highest level of auditing assurance, insight, and objectivity possible.
Schedule training on a platform perfect for your station www.theiia.org/Training
ONDEMAND / ON-SITE / IN-PERSON / ONLINE

Verbal and written communications, critical thinking , knowledge of the business, and ability
to get things done are the most desired skills for audit seniors/managers, according to a 2017 MISTI survey.
perform each phase of audit work between tasks actually takes more time
effectively through appropriate plan- and effort than concentrating on one
ning and continually monitoring task at a time. When people drop one
their progress throughout the engage- task and return to it later, they don’t
ment. Frequently referring to the pick up at the spot where they left off.
scoping document throughout the They have to spend time picking up
audit — especially when writing the the threads of the task.
report — can help keep internal audi- To manage their time better,
tors on track and focused on the goal internal auditors should devote seg-
of the engagement. ments of time to specific tasks. They
should take steps to avoid unnecessary
RESISTANCE When people who
are busily involved in a task that
is going well are presented with a
valid emergency, opportunity, or By being mindful of mental traps and
interruption that requires their
attention, resistance occurs. This taking steps to break free of them,
could include a client request for an
urgent, high priority, and inconvenient internal auditors can better enjoy their
assignment while auditors are in
the middle of another engagement.
work and be more effective.
An example could be an unplanned
investigation into a fraud at a remote
location that will require significant distractions such as emails, telephone
travel and time away from home. To calls, and interruptions by direct
address this trap, auditors can apply reports or other employees. As Kukla
a general rule proposed by Kukla: “It notes, there is always something that
is pointless to let opportunity slip can take a person’s attention away
away when the present task can be from the task at hand.
postponed without cost.”
A VIRTUOUS HABIT
DIVISION The division trap happens By being mindful of mental traps and
when individuals try to concentrate on taking steps to break free of them,
two things at once. This trap involves internal auditors can better enjoy their
the mistaken assumption that people work and be more effective in their
can be effective multitaskers. roles. The aim is to devote less time
Kukla points out that people can- and effort to producing consistently
not consciously attend to two things good results. Being mindful of mental
at once because attention is indivisible. traps is an ongoing discipline that can
When individuals think they are multi- become a virtuous habit incorporated
tasking, they are either “fast-switching” into auditors’ day-to-day work. It can
their consciousness between two activi- supplement the well-developed tech-
ties, or they have relegated one of the nical skills and knowledge auditors
activities to an unconscious, automatic already possess, helping to make them
mode of operation. more successful as individuals and as
Internal auditors, especially those team members.
at a senior level, often need to juggle
many tasks. They rarely have the luxury MURRAY D. WOLFE, CRMA, CPA, CA, is
of focusing on only one thing at a time. director, Internal Audit, at a large agricul-
The problem is that dividing attention tural cooperative in Calgary, Alberta.

EDUCATION
A university and health-care

company partnered to create an
internal audit internship program
that equips students to hit the
ground running.
Real-world E
B
usiness schools across the to attract candidates to the internal
country emphasize the impor- audit profession. More specifically, the
tance of hands-on learning objective of the internship program
experiences via internship pro- was to give students an opportunity to
grams. Internal audit intern- gain experience in the internal audit
ships can provide students department of a large health-care com-
with an understanding of the pany and refine their critical thinking
business as a whole, allowing skills as they relate to compliance and
interns to get a clearer idea of internal auditing. Unlike other intern-
areas that interest them. Addi- ships that give detailed instructions
tionally, internships in inter- on each task to be performed, this
nal auditing expose students program was intended to give interns
to various functional areas within a considerable autonomy.
company so they can experience differ- As part of the program, PPT
ent career paths outside of their degree wanted the interns to develop
or major. department-specific audit tools for
With an ambitious timeline for human resources, marketing, busi-
developing internal audit programs ness relations/sales, and finance and
for multiple departments, Profes- accounting that were statistically
sional Physical Therapy (PPT) — an viable and measured the overall per-
outpatient therapy provider in the formance, functional task compliance,
U.S. — first collaborated with Hofstra and inherent risk associated with each
University in Hempstead, N.Y., to department. Other objectives were to
offer a summer internship program determine functional variability and
in 2017. The goal of the intern- level of error or noncompliance with
ship program was not only to attract legal, regulatory, operational, industry,
high-quality graduates to PPT, but and firm standards.

d Education
SELECTION AND ONBOARDING departmental internal audit teams and
Hofstra faculty chose eight high- provided work stations.
quality undergraduate and graduate Next, interns were assigned to
student internship prospects. After project managers/mentors from the
interviewing with PPT’s director of legal and compliance department in
internal audit and chief compliance teams of two. Because the internship
officer (CCO), all eight students were program took place in the health-care
offered paid internship positions. The sector, interns were also provided with
interns comprised four graduate stu- an overview of the U.S. Health Insur- Rina M. Hirsch
dents and four undergraduate students ance Portability Accountability Act.
with majors in accounting, legal studies Then they were trained on how to
in business, biology, and marketing. develop internal audit tools and given
In the first week, interns partici- goals and deadlines for deliverables.
pated in an orientation training boot Guidance was given on how
camp. They were introduced to PPT interns could access relevant informa-
staff and provided with an overview of tion to achieve their objectives. For
the program, health-care internal audit example, they were given job descrip-
best practices, and the organizational tions of individuals in the departments
charts of the four departments to be to be audited, relevant forms and poli-
ANDREY ARKUSHA / SHUTTERSTOCK.COM
audited. To help the interns under- cies, and the necessary steps to develop
stand what an audit looks like, they an audit tool. Also, interns were told
were provided with an overview of the they would be interviewing staff in the
PPT clinic and revenue cycle opera- various departments to learn about
tion audits (i.e., how they were devel- departmental processes and role-specific
oped, scoring, performance, reports, job requirements. The legal and compli-
and corrective actions). Interns were ance team explained legal issues relevant
then assigned to one of the four to health care and the audit process

REAL-WORLD EDUCATION
using an actual clinic audit, sample audit tools, which consisted of binary
audit report, and corrective actions. questions that could easily be scored
Finally, each audit team developed and weighted. Audit tool question
a 60-day plan that was reviewed by a development went through multiple
mentor, conducted mock staff inter- steps of evaluation over a four-week
views to illustrate how interns should period. First, the audit tools were
interview PPT staff, and learned how approved by the project manager/
to research industry standards and mentor. Next, they were approved
best practices. Interns met with their by the director of internal audit and
mentors, who gave an overview of the then the CCO. Once a team received
timeline for internship components, final approval, the interns conducted
including research, interviews, policy an audit using their newly developed
review, document review, internal audit audit tool. Based on those findings, the
tool development, testing, measurement teams created key performance indica-
and weighting, and audit performance. tors (KPIs) and a KPI dashboard for
each department audited.
AUDIT TOOL DEVELOPMENT With results from the audit and
Teams were assigned to specific depart- KPI information in hand, the interns
ments based on interns’ educational prepared an audit report summarizing
backgrounds and interests. The goal of their findings. Interns also conducted
having two-person teams was multifac- a gap analysis and provided an action
eted. The interns were able to work as plan based on its results. Finally, each
autonomous teams, while mentors pro- team prepared a presentation of its
vided guidance as needed. However, the audit findings and presented them to
interns relied on each other’s strengths PPT’s executive board.
to a great extent to achieve objectives
before resorting to their mentor for COMPANY BENEFITS
guidance. This helped build interns’ The program allowed for an ambitious
self-confidence and reduced heavy reli- project of developing audit tools for
ance on mentors in the program. continued use for four departments,
and it was completed in a relatively
short time frame. Furthermore, the
The review process in place ensured review process in place (i.e., by men-
tors, the director of internal audit, and
that the output of the program was of the CCO) ensured that the output
of the program was of high quality.
high quality. Because interns were responsible for
the development of each department
audit tool from start to finish, the proj-
The interns’ first task was to gather ect cost much less than it would have
research by reviewing industry and firm cost had it been performed by legal
standards, firm policies and procedures, and compliance personnel.
and relevant laws and regulations, and The PPT internship program
by interviewing respective department was such a positive experience for the
personnel. Each team’s mentor reviewed members of the legal and compliance
the information and aided or provided departmenets that PPT decided to
feedback to the interns as needed hire one of the interns in a full-time
through the research process. capacity. Due to the success of this
Once the research process was internship program, PPT’s director
complete, the teams developed the of internal audit and CCO indicated

The average conversion rate of intern to full-time hire is 45.6%
, according to the
National Association of Colleges and Employers’ 2018 Internship & Co-op Survey Report.
interest in pursuing additional intern- about areas in which they had very
ships in the future. little previous knowledge, identified
The internship program increased technical and presentation skills as
exposure to, and promotion of, the being enhanced, and expressed that
company through the interns. By pro- their communication skills improved.
viding a positive and satisfying learning While several interns were frustrated
experience for the interns, the company with the real-world phenomenon of
receives positive publicity spread by the
interns to their peers.
STUDENT BENEFITS Internal audit internships can create

Because each team was responsible for
a project from start to finish, they were
positive experiences and enhance the
able to improve their critical thinking
skills considerably by way of firsthand
perception of the profession.
learning. By providing each intern
with autonomy — and another intern different expectations from different
to work closely with — they were able supervisors, they learned to cope with
to bounce ideas off of one another these sometimes-contradictory expec-
to solve problems and achieve their tations. This reflects a clear acknowl-
objectives. Interns used critical think- edgement of improvement in soft skills
ing skills at every stage of the intern- in the workplace.
ship program: research, development, The interns also identified gain-
execution, reporting, and presentation. ing work experience in the health-care
In addition to improved critical think- industry, working independently and
ing skills, interns also refined their within a team, and being responsible
technical skills by using Excel tools and and accountable for work performed
learned a great deal about health-care as additional benefits of the program.
industry standards, departmental com- After presenting their findings to the
pany standards, and best practices. executive board, interns indicated they
However, one of the greatest felt a great sense of accomplishment TO COMMENT
on this article,
outcomes of the program was the and self-satisfaction. EMAIL the
opportunity for the interns to develop author at rina.
their communication and soft skills by CHANGING PERCEPTIONS [email protected]
placing them in real-world situations. Internship opportunities in internal
Interns learned how to develop good auditing that create positive experiences
rapport with company personnel, work for the interns and the organization
efficiently as a team, capitalize on each can work to enhance perceptions of the
other’s strengths, and work under pres- internal audit profession. Students share
sure. Feedback provided to the interns their experiences with peers, which can
from mentors resulted in significant translate to increased interest from stu-
improvement in these areas. As a result, dents looking to learn more about inter-
this internship program created much nal auditing. Additionally, organizations
more desirable job candidates. may see an increase in high-quality can-
Interns in the program completed didates who may have never considered
a mid-internship self-performance a career in internal auditing.
appraisal form where many indicated
they were able to apply knowledge RINA M. HIRSCH, PHD, CPA, is an
from their university studies to a real- assistant professor of accounting at Hof-
world setting, learned a great deal stra University in Hempstead, N.Y.

Governance Perspectives
BY JUSTIN STROUD EDITED BY KAYLA FLANDERS
STARTING SMALL
Launching a
one-person audit
function takes
S
patience, focus, and
relationship building. everal years ago, my wholesale changes to an the organization. The sup-
employer, Western already successful company port of the audit committee
Reserve Group, a would not be the best way and CEO is vital in show-
property and casualty to gain support for internal ing internal audit can be
insurer based in Wooster, audit. Instead, I garnered used as a valuable tool and
Ohio, was contemplating the support by listening to and resource, in addition to pro-
best way to launch an internal observing the business units, viding the typical assurances
audit department — either while gaining some early required. Since the first day,
in-house or outsourced. With wins by updating governance the continued support I have
continued growth of the items, such as the internal received has allowed internal
company expected, it made audit charter and manual. audit to develop and grow. As
sense to enhance its focus on Absorbing knowledge Western Reserve’s president
internal auditing. from the business units and CEO Kevin Day puts
The company chose helped expand my awareness it, “Strong corporate gover-
to outsource internal audit of the organization and pro- nance starts at the top of our
to third-party consultants. vided valuable insight down organization with a focus on
The consultants completed, the road. Reviewing each of providing an ethical climate
on average, three to four the audit reports completed based upon our strong core
audits per year, until about by the prior consultants also values. It was vital when
four years ago when senior was valuable. Likewise, read- bringing an internal auditor
management and the audit ing the external auditors’ and on board that the entire com-
committee determined that regulators’ reports provided pany was aware the internal
having an internal auditor useful information in gaining audit function was fully sup-
on site to manage the inter- a foundational knowledge of ported by the CEO and the
nal audit function, using a the organization. board. We succeeded in this
cosourcing model for techni- Most important to through transparency and
cal expertise, was the best fit developing an effective inter- communication throughout
for the company. nal audit function is having not only the management
I was brought on as that a strong tone at the top that team, but also through all
internal audit manager. As governance and internal levels of the organization.”
a one-person department, audit go hand-in-hand in A saying I like to use
getting a positive start was establishing the values and is: “Look back to move for-
a must. Recommending ethical behavior that guide ward.” I saw where internal
READ MORE ON GOVERNANCE Visit InternalAuditor.org/governance

audit was and then determined ways to improve the cycle It is human nature to overestimate what can be completed in
time between audits of the core business areas and ensure one year or less, but people often greatly underestimate what
high-risk areas were covered. Creating a function that adheres they can complete in five years. Internal audit should start with
to the International Standards for the Professional Practice of a long-term road map that it frequently adjusts and reviews.
Internal Auditing was a focal point. With limited resources comes limited time, but small
Just determining each auditable function and the con- audit functions must maintain flexibility when events occur
trols surrounding those areas can take considerable time and that are outside the scope of the audit plan. Having laser
resources. The key is to be patient while continually moving focus and a detailed game plan can help squeeze in work that
forward in building an audit universe. From there, a risk- can add value to the organization.
based audit plan can be formed while gathering trends and Whether it is gaining certifications, frequently attend-
hot topics by interviewing key members of senior manage- ing training events, or reading articles about the industry or
ment to gain an overall picture of the organization. Blending profession, continuous learning also is important with the
that with industry-specific needs and audit focal points can ever-changing risk environments of most organizations today
help form a solid audit plan. and cannot be minimized in a small audit department.
Internal audit must work as a strategic partner with It should be a goal of all internal audit functions, regard-
management and should interact with all levels of the orga- less of size, to ensure adequate coverage across the organiza-
nization to gain support and show that it can be a trusted tion’s audit universe. But internal audit must first understand
advisor. This cannot be accomplished in days or weeks, but where all the risks and their respective control points occur.
rather in months and years, as trust will be built over time.
At times, it can feel like internal audit is spinning its JUSTIN STROUD, CIA, CRMA, CPA, CPCU, is an internal audit
wheels or going in many different directions at the same time. manager at Western Reserve Group.
STATEMENT OF OWNERSHIP, MANAGEMENT, & CIRCULATION

Average Publication Title: Internal Auditor
No. Copies Actual Publication Number: 0020-5745
(October 2017– No. Copies
Extent and Nature of Circulation August 2018) (August 2018) Filing Date: 9-26-18
Issue Frequency: Bi-monthly
Total Number of Copies 76,074 75,626
Number of Issues Published Annually: 6
Paid Circulation Mailed Outside-County Paid Sub- Annual Subscription Price: $75.00
scription 58,161 58,165
Mailing Address of Known Office of
Paid Distribution Outside the Mails Including Sales, Publication: 1035 Greenwood Blvd., Suite
Through Dealers and Carriers, Street Vendors, 401, Lake Mary, Seminole County,FL 32746
Counter Sales, and Other Paid Distribution Outside Address of Headquarters: The Institute of
USPS 15,777 14,852 Internal Auditors, 1035 Greenwood Blvd.,
Suite 401, Lake Mary, FL 32746
Total Paid Distribution 73,938 73,017
Contact Person: Gretchen Gorfine
Free or Nominal Rate Copies Mailed at Other Telephone: 407-937-1232
Classes Through the USPS 63 58
Publisher: Monica Griffin, Sr. VP, CMO, The
Free or Nominal Rate Distribution Outside the Mail Institute of Internal Auditors, 1035 Greenwood
(Carriers or other means) 640 649 Blvd., Suite 401, Lake Mary, FL 32746
Total Free or Nominal Rate Distribution 703 707 Editor: Anne Millage, Editor-in-chief, The
Institute of Internal Auditors, 1035 Greenwood
Total Distribution 74,641 73,724 Blvd., Suite 401, Lake Mary, FL 32746
Copies Not Distributed 753 980 Managing Editor: David Salierno, The Institute
of Internal Auditors, 1035 Greenwood Blvd.,
Total 75,394 74,704 Suite 401, Lake Mary, FL 32746
Percent Paid 99.06% 99.04% Owner: The Institute of Internal Auditors, Inc.,
1035 Greenwood Blvd., Suite 401, Lake
Paid Electronic Copies 17 16
Mary, FL 32746
Total Paid Print Copies + Paid Electronic Copies 73,955 73,033 Issue Date for Circulation Data: October
Total Print Distribution + Paid Electronic Copies 74,658 73,740
2017 - August 2018 / August 2018
Signature and Title: Gretchen Gorfine,
Percent Paid – Both Print & Electronic Copies 99.06% 99.04% Production Manager, 9-26-18

ENGAGE AND CONNECT GLOBALLY
Gain a competitive edge with unique IIA advertising and sponsorship opportunities as
diverse as the 190,000 plus members from more than 170 plus countries and territories.
Contact +1-407-937-1388 or [email protected] for more information.
www.theiia.org/advertise
2016-1116
2016-1116 MKT-Adv Sponsorship Oct IA Ad-Full.indd 1 8/23/16 9:01 AM

Insights/The Mind of Jacka
BY J. MICHAEL JACKA
PRICE VERSUS VALUE
Y
The only thing ou are sitting in and status. The exorbitant mercenary in nature,
internal auditors your annual budget price of any item at Tif- focusing narrowly on how
meeting, having fany’s is as much about much money the depart-
should be selling
provided an esti- the blue box as it is the ment will spend, how
is the value mate of internal audit’s bauble within that box. much it will be given, and
they provide. expenses for the coming But of course not all buy- how much will be taken
year. Those responsible for ers need the fancy name away. And if internal audit
ensuring the appropriate cachet — for some, a gem sits in those meetings and
use of organizational capital from Discount Dave’s Dia- argues price, it will almost
review your proposal with monds, Dinnerware, and certainly not succeed. Sure,
intense scrutiny. An impas- Dinettes will suffice. it may win that particular
sioned discussion follows When it comes to battle, but it will lose the
in which the great and internal audit services, few long-term war of defining
powerful budget wizards (if any) organizations will and defending internal
look for ways to reduce pay the extra premium for audit’s value.
spending while you argue the Tiffany’s of internal Budget time is the
for the resources necessary audit. (This is not quite ultimate moment of truth
to accomplish your mis- as true when it comes to for any internal audit
sion. In the heat of this external audit providers, department. It is when the
battle, do you understand but that is a discussion dialogue must change. Even
you are not arguing about for another time.) None- as other departments argue
the price of internal audit, theless, if those stakehold- dollars and cents, internal
but rather about internal ers have even a smidgen audit must focus the dia-
audit’s value? of understanding about logue on internal audit’s
When it comes to internal audit, neither will value, followed by what
selling something, even they want the equivalent the stakeholders, clients,
internal audit’s services, of a purchase from Dis- and customers are willing
price is an important fac- count Dave’s. to pay.
tor in the final buying This reality brings to We cannot sell on
decision. But focusing on mind a fundamental truth being low-priced; instead,
price alone obscures the about the marketing of we have to sell on being the
real consideration behind internal audit: The only best value.
the buying decision — the commodity we should be
perceived value received for selling is the value we pro- J. MICHAEL JACKA, CIA,
that price. vide. And one of the most CPCU, CFE, CPA, is
Take, for example, the telling moments related cofounder and chief creative
purchase of a diamond. to the success of that sales pilot for Flying Pig Audit,
Beyond issues of quality, pitch is budget time. Bud- Consulting, and Training
some buyers value brand get discussions can become Services in Phoenix.
READ MIKE JACKA’S BLOG visit InternalAuditor.org/mike-jacka

Eye on Business
DOING THE RIGHT THING

Today’s boards are taking a
closer look at corporate culture.
In light of recent, well- safety personnel, as well as they will be heard, and have
publicized corporate cul- other independent second their concerns investigated?
ture failings, what are line-of-defense functions.
boards doing to address Boards also expect internal What do boards need to
culture? audit to weigh in as the third- understand about their
CHRISTENSEN We defi- line assurance provider. role in overseeing culture?
nitely see the concept of cul- KEELE Boards are asking KEELE Most boards now
ture gaining traction in the more directed questions: understand that culture is
boardroom. More than ever, What is the risk of this hap- important, but determining
directors are acutely aware pening in our company? what to do about it is another
that culture plays a role in What steps have we taken to matter. Like management,
delivering outcomes — both prevent/detect this type of boards are not entirely sure
BRIAN CHRISTENSEN good and bad — for the com- misconduct? Do we apply how to confirm whether
Executive Vice
President – Global panies they serve. Because our processes consistently? the culture they want is the
Internal Audit culture can break down How does the organiza- culture they have. Because
Protiviti anywhere in the company, it tion respond to a finding of measuring and overseeing
is important for directors to inappropriate or unethical culture isn’t easy, there is a
experience firsthand the real- behavior — is everyone held risk of defaulting to seem-
world culture in the organiza- accountable, or are certain ingly simple, check-the-box
tion, rather than rely solely individuals given a pass? Do solutions. Further, there is a
on boardroom discussions we have a crisis management risk of over-relying on hard
and management reports. plan to respond to an event? controls — policies, train-
One way to accomplish this Boards also should be con- ing, and systems that only
is by engaging directly with sistently asking the broader provide a partial view of risk
TRACEY KEELE
operating personnel through questions that get at the cur- management. Understanding
Partner, Internal Audit site visits. Directors also rent state of the organization’s the drivers of conduct — soft
and Enterprise Risk should insist on observa- culture: Are expectations controls — and whether the
Services
KPMG LLP
tions regarding culture from for what constitutes unac- “walk” matches the “talk” is
the chief risk officer, chief ceptable behavior clear and fundamental to understand-
compliance officer, chief understood? Is the workplace ing culture and risk.
information security officer, safe and respectful? Do indi- Boards also should
and human resources and viduals feel they can speak up guard against focusing on
environment, health, and without retaliation, expect today’s expectations, without
READ MORE ON TODAY’S BUSINESS ISSUES follow us on Twitter @TheIIA

considering how they may differ tomorrow. Technological,

social, economic, regulatory, and political changes are occurring CULTURAL MISALIGNMENT
faster than ever. How do organizations evolve quickly, focus on Christensen and Keele say these red flags may indi-
both the spirit and the letter of the law, and anticipate change cate that the tone in the middle isn’t aligned with the
to enhance resiliency, grow, and build trust with stakeholders? tone at the top.
CHRISTENSEN Culture is a vital enterprise asset that must »» Nobody is talking about culture.
be cultivated, nurtured, and maintained. Directors need to be »» Controversial deals and encouragement of risk
curious enough to probe on culture issues. First and foremost, taking to hit short-term targets.
the board must want to know whether there are any concerns »» Complex and unclear legal and reporting struc-
pertaining to culture warranting its attention. Board members tures that obscure transparency.
must address two fundamental questions: How do we know »» Poorly executed takeovers that allow pockets of
what we need to know regarding culture? Is our understanding bad behavior to thrive.
representative of the entire organization or just certain areas? »» Lack of financial discipline.
No director wants to be on a board that ends up asking itself: »» Employees constantly fear being fired.
How did this happen and why didn’t we know? »» Employees execute projects without a clear vision
from company leaders.
What can internal audit do to inform the board about »» Lack of knowledge sharing among employees.
the organization’s culture? »» A focus on blame or covering for each other
CHRISTENSEN Internal audit, the third line of defense, is rather than fixing the problem.
well-positioned to perform a culture audit, evaluating the »» A perceived disconnect between words and action.
processes used across the entity by first- and second-line per- »» A focus on the letter rather than the spirit of the
sonnel to assess culture. Ironically, it is internal audit — the law and regulations.
objective eye of the organization — that is uniquely qualified »» Risk management and controls are regarded as an
to bring “a systematic, disciplined approach” to a potentially inconvenience.
subjective process like measuring culture. Internal auditors »» Lack of prompt follow through on commitments.
should “connect the dots,” considering the findings and gra- »» Failure to escalate identified issues and active
tuitous observations from multiple audits to ascertain whether concealment of problems.
any meaningful patterns exist. With everyone having a stake »» Dress rehearsals for leadership visits that are
in evaluating the enterprise’s culture, the board should be focused on appearance.
privy to the results of all evaluations — particularly from inde-
pendent second-line functions and internal audit.
KEELE Internal auditors can play a critical role in under-
standing and enhancing culture. Internal audit can act as “the Internal audit should think expansively about data that exists
eyes and ears” of the organization, helping the board deepen within and outside the organization to support improved risk
its understanding of culture to better fulfill its culture over- assessment and audit execution. Procedures should be tailored
sight responsibilities. Evaluating and evolving audit skills and based on the organization’s culture maturity and appetite for
capabilities, initiating and promoting dialogue within the improvement, and internal audit’s capability and ambition.
organization, garnering organizational permissions and sup- CHRISTENSEN Survey results can validate themes from
port, and understanding the organization’s culture expecta- stakeholder interactions to gauge consistency of views regard-
tions, initiatives, and current state are important first steps for ing the company’s culture. Relevant data metrics should
establishing internal audit’s role in culture. supplement insights from surveys and direct interactions with
stakeholders. These include risk metrics, conduct-related
What tools and techniques should internal audit use compliance data, issue escalation and resolution data, human
to audit culture? resources data and reports, whistleblower reports, turnover
KEELE The tools and techniques used in traditional audits data, ethics hotline reports, unstructured social media data,
also are relevant to culture audits — interviews, data review and and employee demographic data. These and other metrics
analysis, and walk-throughs. Also, the use of surveys, facilitated should be used as supplements to performance measures
workshops, focus groups, and advanced analytical techniques linked to the strategy to drive the type of organizational culture
like sentiment analysis can be extremely valuable, deepening that management and the board would like stakeholders to
the understanding of employee experiences and perceptions. experience when they interact with it.

THE IIA’s
CIA
LEARNING SYSTEM ®
A System for Success.

Now Aligned With the 2019 CIA Exam!
The IIA’s CIA Learning System is an interactive
review program, combining reading materials and
online study tools to teach and reinforce all three
parts of the CIA exam. It’s updated to align with the
latest industry standards, including the International
Professional Practices Framework (IPPF) and the IIA’s
International Standards for the Professional Practice
of Internal Auditing.
Prepare to Pass. www.LearnCIA.com

2018-1529
Take a Guided Tour | Read Sample Pages | Try Free Questions | Get Exam Tips
2018-1529 CIALS-CIA LS Ia Mag Ad-Dec_FNL.indd 1 10/30/18 2:30 PM

IIA Calendar
SEPT. 16–17 DEC. 4–5 DEC. 11–14

IIA Financial Services COSO Enterprise Risk Multiple Courses
CONFERENCES Exchange
Washington Hilton
Management Certificate
Program
New York
www.theiia.org/
conferences
Washington, DC Dallas DEC. 14
Fundamentals of Internal
SEPT. 18 DEC. 4–7 Auditing
MARCH 11–13, 2019 Women in Internal Audit Multiple Courses Online
General Audit Leadership Orlando
Management Conference Washington Hilton DEC. 18–19
Gaylord Texan Washington, DC DEC. 4–13 Data Analysis for Internal
Dallas/Ft. Worth Fundamentals of IT Auditors
OCT. 21–23 Auditing Online
APRIL 29–30 All Star Conference Online
Leadership Academy MGM Grand DEC. 18–20
Disney’s Yacht Club Resort Las Vegas DEC. 4–13 IT General Controls
Orlando NEW! Fundamentals of Online
Risk-based Auditing
JULY 7–10
International Conference
IIA Online JAN. 7–25, 2019
CIA Learning System
Anaheim Convention TRAINING DEC. 4–13 Comprehensive
Center www.theiia.org/training Root Cause Analysis for Instructor-led
Anaheim, CA Internal Auditors Course — Part 1
Online Online
AUG. 12–14
Governance, Risk, & NEW! Auditing IT DEC. 6–7 JAN. 15–25
Control Conference Governance COSO Enterprise Risk NEW! Fundamentals of
The Diplomat On Demand Management Certificate Risk-based Auditing
Fort Lauderdale, FL Program Online
DEC. 3–12 Boston
SEPT. 16–17 Advanced Risk-based JAN. 22–31
Environmental, Health & Auditing DEC. 10–19 Audit Report Writing
Safety Exchange Online Performing an Effective Online
PHOTO: RAWPIXEL.COM / SHUTTERSTOCK.COM
Washington Hilton Quality Assessment

Washington, DC Online
DECEMBER/JANUARY/F THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events

Insights/In My Opinion
BY JEFFREY RIDLEY
CREATING A BETTER SOCIETY
T
Internal auditors he U.K. government’s Internal auditors all have Goals by its target of 2030 is
should contribute recent launch of its a responsibility to make social just one aspect of this process.
Civil Society Strategy auditing happen. Recent Today’s responses by organi-
to the collective
recognizes the social ventures into auditing culture zations to the development
public good. responsibility government and a new appreciation for and growth of integrated and
and internal auditors have culture’s role in establishing strategic reporting will have
for creating the society we effective governance prac- a strong influence on the
want to live in. Civil society tices have touched on the future of environmental and
in the U.K. today is not just importance of organizational social responsibility declara-
about the well-being of the stewardship and stakeholder tions by organizations and
nation and everyone who lives engagement. Culture is not the assurances they give and
there — it reflects the contri- just about an organization’s require. Internal auditors will
butions we all make through values and how it performs. It always have a part to play to
our values to well-being in also is about how the organi- make this happen in their
other civil societies across the zation impacts the civil soci- own organizations, across all
globe. Those values are inter- eties in which it operates. sectors. The U.K.’s Chartered
nal auditors’ greatest asset and Many institutional inves- Institute of Internal Audi-
resource. They also are what tors have signed on to the tors has links into voluntary
internal auditing is based on United Nations Principles of networks of internal auditors
and should be all about. Responsible Investment with working in the charity, social
The strategy’s aims are an environmental, social, housing, and higher educa-
fourfold: Support people and governance (ESG) duty: tion sectors. Their messages
to play an active role in “To act in the best long-term and progress are an excellent
building a stronger society, interests of our beneficiaries. example of how professional
unlock the full potential of In this fiduciary role, we internal auditing is already
the private and public sectors believe that [ESG] issues can enhancing well-being in the
to support social good, help affect the performance of U.K. and across the globe.
improve communities to investment portfolios.” ESG
make them better places to as a performance measure will JEFFREY RIDLEY, CIA, FIIA,
live and work in, and build continue to grow in impor- is visiting professor at
stronger public services. I can tance for governments, inves- Birmingham City University,
think of no internal audit tors, and organizations. It University of Lincoln, and
plan or program in any orga- should also do so for all inter- London South Bank University.
nization or sector that these nal auditors in every country.
aims and their achievement Good governance A version of this article first
could not improve in terms embraces environmental and appeared on Audit & Risk
of objectives, risk planning, social responsibilities in many magazine’s website, www.
engagement, results, find- ways. Achievement of the U.N. auditandrisk.org.uk. Repro-
ings, and follow-up. Sustainable Development duced with permission.
READ MORE OPINIONS ON THE PROFESSION visit our Voices section at InternalAuditor.org

James Anderson
September 29 MD Consent
ACTION OF THE MANAGING DIRECTORS OF
WORKIVA LLC
BY UNANIMOUS WRITTEN CONSENT
The undersigned, constituting all of the Managing Directors

(the “Board”) of Workiva LLC, a Delaware limited liability company (the
“Company”), in accordance with Section 5.1.6 of the Operating Agreement
of Workiva LLC dated September 17, 2014 (the “Operating Agreement”)
and Section 18-404(d) of the Delaware Limited Liability Company Act, by
unanimous written consent, as evidenced by the signatures set forth
below, do hereby consent in writing that the resolutions set forth in Appen-
dix A hereto are hereby ratified, confirmed and approved. It is each of the
undersigned’s intent that this consent be executed in lieu of, and consti-
tutes, a meeting of the Managing Directors pursuant to Section 5.1.6 of
the Operating Agreement, which consent shall be filed by the Secretary of
the Company with the minutes of the meetings of the Board. All terms not
defined herein shall have the meanings ascribed to them in the Operating
Agreement.
I hereby confirm that I have read and understand the resolutions set
forth in Appendix A hereto.
Yes No
I hereby consent to the adoption of the resolutions set forth in Appendix

A hereto.
Yes No
PDF Attachment: Workiva S-1.PDF
Matt
Date
Make 2019
Your Best Year Yet
Closing this year's audit plan is the optimal time to reevaluate
processes and tools that may be slowing you down.
Wdesk for Internal Audit Management is a streamlined, collaborative

platform that saves you valuable time. Focus on strategic areas that
position you for success in the months—and years—to come.
See how Wdesk works at workiva.com/ IIA-video

The IIA’s 2019 International Conference
is coming to Southern California.
Registration now open. ic.globaliia.org
SOUTHERN CALIFORNIA, USA / 7-10 JULY 2019

Majalah IA Dec2018 PDF

Uploaded by

Copyright:

Available Formats

Majalah IA Dec2018 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Majalah IA Dec2018 PDF

Uploaded by

Copyright:

Available Formats

DECEMBER 2018 A PUBLICATION OF THE IIA

Right-sizing Internal Audit

Intelligence and Robotics

SMALL BUT SAVVY

Audit functions of limited size

RSM and our global network of Risk Advisory

Improve your credibility and proficiency. Learn more.

2018-1608 CERT-CIA Full Page Ad - Dec.indd 1 11/2/18 3:35 PM

31 6 Steps to Right-size Internal Audit more than $1 billion since 2011.

DOWNLOAD the Ia app on the

FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org

Learn more at www.deloitte.com/globalcaesurvey

7 Editor’s Note 20 Risk Watch Auditors 68 In My Opinion Auditors

67 Calendar 22 Fraud Findings A comp-

Small But Significant health-care CEO pleads guilty

insurance provider explain for unnecessary treatments.

Think critically, then fulfill your mission.

THE SMART, SMALL

DECEMBER 2018 INTERNAL AUDITOR 7

COSO for Technology is a core technology component of

8 INTERNAL AUDITOR DECEMBER 2018

Chambers on From the Solutions Points of View

Seasoned Creative Thinking Advice for Insights and

READ ALL OF OUR BLOGS. Visit InternalAuditor.org.

2017-1087 PUB-Ia Blog Generic Mag Ad-FNLcrx.indd 1 1/22/18 3:09 PM

Chief audit executives are

53% MISSING THE MARK Many CEOs and board

51% THREATS their organizations.

Hot Spots Report

FOR THE LATEST AUDIT-RELATED HEADLINES follow us on Twitter @TheIIA

10 INTERNAL AUDITOR DECEMBER 2018

CORRUPTION RISK RUNS

Directors may not be prepared regulatory environment, and

DECEMBER 2018 INTERNAL AUDITOR 11

soon. Just 13 percent say

12 INTERNAL AUDITOR DECEMBER 2018

Project Resource Net Capacity in Hours for Option 5 Apply

Amy Pullman 35% -48.27

Consumer Technology Show Phase 4 Olivia Freeman 55% 9.69

Crusader Phase 8 Option 1 70 % Nov 16 Audrey Collins 60% 30

Option 2 68 % Dec 16 Norma Welch 55% 89.58

JUN 15 JUL 15 AUG 15 SEP 15 OCT 15 NOV 15 DEC 15

Find your replacement for spreadsheets. Tempus Resource also provides

(+1) 713 - 985 - 9997 prosymmetry.com [email protected]

ADDING VALUE IN R&R AUDITS

SEND BACK TO BASICS ARTICLE IDEAS to James Roth at [email protected]

14 INTERNAL AUDITOR DECEMBER 2018

DECEMBER 2018 INTERNAL AUDITOR 15

Just Brilliant Software.

Find out more at www.mkinsight.com

SEND ITAUDIT ARTICLE IDEAS to Steve Mar at [email protected]

DECEMBER 2018 INTERNAL AUDITOR 17

Practical Tools | Latest Resources | Training Courses

Standards Practice Makes Sense

DECEMBER 2018 INTERNAL AUDITOR 19

A NEW AGE OF IT GOVERNANCE RISK

SEND RISK WATCH ARTICLE IDEAS to Charlie Wright at [email protected]

20 INTERNAL AUDITOR DECEMBER 2018

DECEMBER 2018 INTERNAL AUDITOR 21

31 6 Steps to Right-size Internal Audit more than $1 billion since 2011.  