It also creates this false dichotomy with external audit that really doesn’t exist. Within the IA context, the audit of financial statements is supplemental and focused on only one risk: reporting risk. Granted, reporting risk holds a special place in the pantheon of enterprise risks, critical to obtaining and maintaining financing, but still.

Why is internal audit content with naming itself only in terms of where its practitioners reside in relation to the organization under audit? Seems quite narrow and vague. Given that IA concerns itself with all enterprise risks, it makes more sense to me to called it Enterprise Audit. This would also dovetail nicely with Enterprise Risk Management. ERM and EA, two sides of the governance coin.

Better branding in this manner would attract more and higher quality people to the profession as well. It sounds far more interesting and rewarding to be in the business of enterprise auditing than internal auditing.

What do you think? Is it too late in the game to make a change like this? Does it matter, so long as those in business understand the role and responsibilities of the auditors?

This is one of the bigger differences between my previous gig in internal audit for a global building materials manufacturer and my current one with a national retailer. Before, I was doing a lot of traveling to various plants and subsidiary offices to conduct audits, and meeting face-to-face was much more important to getting work done. There were phone calls during the planning phase and weekly conference call updates on any issues that arose, but the majority of the time we were sitting across a table from each other.

Phone calls (and voice mail) are much more important in my current environment. Schedules are more structured, especially those of senior management. I’ve had to adapt to this by getting better at gathering information via phone calls and leaving voice mails that are more likely to get results.

Some of the highlights of the article as I see them:

Never have a business conversation, especially on the phone, without knowing exactly what you’re trying to accomplish.

Absolutely the most important point is to know why you’re calling and have an idea of how you want to get there. I’ll make notes beforehand in a Word doc and have it on screen when I make the call. I’ll even incorporate if-then conditional statements based on my questions and the possible answers I expect to get. They get thrown out the window if the answer is not one that I’d expected, but like a boy scout at least I’ve prepared.

It takes a bit of practice, but what you need to do is suspend your “what do I say next?” until after the other person is done speaking.

This is something I’m going to try to keep in mind in the future, more to assess whether I’m doing this already (the default assumption for most of us, I think) or not. Really consciously focus on listening and processing when my audit clients are speaking, which segues nicely to the next item…

When you pause before responding, the other person knows that you’ve listened.

If I’m speaking to someone for the first time and we’ve never met face-to-face, I want them to feel fully comfortable sharing information with me. For someone who maybe isn’t used to dealing with auditors, which will happen if it’s an area that doesn’t get audited often or hasn’t been audited at all, this is critical. This tip is going to be useful in achieving that level of comfort, and that should give me better results.

As you speak, gradually take on the least obvious elements of other person’s voice.

This is a subconscious rapport builder, and will work if it is subtle. If it’s not, it’s going to come off as disingenuous and have the opposite effect. So it’s a gamble.

In my previous job, I worked day-to-day with people from Ireland and the (US) South, and I found it impossible not to lightly pick up those accents when I was with them so much. (The company was headquartered in Ireland and the North American corporate office was in Atlanta, so most of the internal auditors were from those areas.) The combination is a bizarre one, especially peppered with Canadian “eh”s as well!

I’ve found it’s also useful to check people’s schedules prior to making the phone call, to anticipate whether they will be there to pick up or whether it’s likely to go to voice mail. If I need to call someone and they’re in meetings all day, I’ll draft the voice mail message before I call so I can be succinct and not forget anything.

My preference is to have a face-to-face instead of a phone call, because in-person meetings allow for body language and they just feel easier to make a connection with the client. Email is useful because it provides a record of the discussion that can be referred back to if needed. But for situations where immediate attention is best, the phone call reigns supreme.

Please share in the comments how you get the most from your phone-based interactions!

The most important attribute is referred to as business acumen, but the description that accompanies it has more to do with having an in-depth knowledge of the business the auditor works for. Splitting hairs I guess, but acumen is the ability to make good decisions and exercise sound judgment. A strong understanding of what is driving the success of the business is important to cultivate, as is staying on top of developments within the industry in which it operates. I think both are important, but one is easier to develop than the other.

Communication skills come next, and I would broaden that to be people skills in general. The ability to read people and adapt to any given situation and personality is very helpful, so both the outward skills like communicating clearly and succinctly and the inward skills like listening actively and processing information quickly will come in handy when dealing with people within the organization.

Integrity comes in at 3rd, and is critical to establishing and maintaining your reputation as a professional. Being consistently honest and forthright in your interactions with your “customers” will allow you to build strong working relationships across the business.

Experience is next, and it’s not a subject I feel especially qualified to discuss, since I’m only in my third year as an internal auditor, sixth as an auditor. What I will say is that each day I strive to learn and get better at my job, and working with staff that have, among them, decades more experience than I provides a constant reminder of the value of that experience.

Number five on the list is a solid grasp of business risks, which to me means the exact same thing as the first item. Let’s just put them both together at the top and shorten the list to six, shall we? After that is talent development skills, which is important to have once you reach a certain level and have people reporting up to you. I could make the case that this is essentially a subset of people skills.

Last (but not least in my opinion) is courage and that’s important for auditors whether they’re external or internal. Part of the job is being the bearer of bad news and you’ve got have the stones to deliver it straight!

The agreement is formalized in a Memo of Understanding that has been signed by both parties. The MoU lists a few areas where this agreement makes cooperation possible:

• Speaking and exhibiting at each other’s conferences, seminars and events
• Conducting jointly sponsored events
• Mutually recognizing, where appropriate, each other’s continuing education programs for continuing education credits to satisfy requisite certification requirements
• Participating in training and educational programs offered by either association where such collaboration benefits the attendees
• Encouraging similar cooperation and collaboration among local chapters of ISACA and The IIA (an activity that already thrives in many places throughout the world)
• Identifying opportunities for joint projects that advance the global internal audit profession and the professional standing of its members
• Engaging in periodic discussions on matters of public policy that impact the internal auditing profession
• Where appropriate, coordinating and promoting unified messages and responses to standards setters, regulators, and legislators globally, and providing them with information regarding best professional practices

In order of value to each organization’s members, the top 3 in my mind are:

1. Joint projects to advance the internal audit profession

To me this is going to have the biggest impact on stakeholders because the combined knowledge and experience in both groups should lead to higher quality standards and improved best practices. Perhaps a combined set of standards down the road?

2. Recognizing each other’s continuing education

For members of both organizations this is huge. Program content frequently overlaps (e.g. the IIA’s GTAGs) and internal audit departments generally have staff with CIA and CISA designations (as well as CA and CPA, and others), so significant cost savings may be realizable.

3. Collaborating on continuing education

This could open up each organization’s continuing education programs to the other one’s members, which immediately introduces fresh topics and facilitators to both groups. Synergy here will allow members to broaden their training, and provide an easier transition from one to both certifications.

The agreement should work out to be a win-win-win — for the organizations, members, and stakeholders. What do you think?

If you follow me on Twitter, you might have seen this:

@neilmcintyre: IT problems for Audit Director Roundtable delay the start of the Enterprise Risk Audit Planning webinar

The problem was that the large group attempting to log in to the presentation were jamming the conferencing phone system. It was sorted out within 10 minutes of the scheduled start time. Good problem to have, really.

I was introduced to ADR when I joined the world of internal audit in May 2008 and have been taking advantage of the site’s features ever since, such as case studies, internal control questionnaire (ICQ) templates, audit department benchmarking tools and example audit work plans.

Today’s webinar was valuable to me because it focused on how five companies’ internal audit groups are dealing with the challenge of providing assurance over strategic risk. This is a topic that I have championed in my capacity as an internal auditor, and the companies in the webinar were actually walking the walk.

Some of the highlights:

• One group enabled management to better identify and assess complete risk information by developing a tool that required them to drill down from higher level risks to their lower level components. What I liked in particular about the tool was that it discouraged the tendency to choose medium likelihood and medium impact (what they called “midpointing” although I’d never heard the term) by making those assessments lead to a “signficant” rating.
• Another group credited management for its efforts in identifying processes which were well-controlled versus those that were less well-controlled, by tailoring the assurance strategy to the former. Simply the act of identifying a poorly-controlled process would spur management to implement the necessary controls, at which point the process would migrate to the well-controlled side.
• Yet another group maps the principal risks identified at a high level to each applicable business process to ensure adequate coverage. Internal audit focuses on the processes involved in executing on the strategic priorities, to provide assurance that those risks are well-controlled.

I enjoyed the webinar because it took what can be a challenging theoretical problem and showed examples where leading internal audit groups are concretely addressing the concerns of management over the key risks driving the performance of the business.

How are you implementing practices like these to provide assurance over the risks that primarily drive enterprise value?

Protiviti’s take is that due to increased expectations of the assurance Internal Audit can provide on an ever-widening spectrum of enterprise risks, auditors feel under-resourced. Sukhdev Bal, Director of Protiviti says:

This survey is a clear indication that internal auditors themselves believe that prior to the recession, they were not fit for purpose in terms of focus, skills and capabilities. Audit committees, Internal Audit leaders and management need to work more closely and collectively to agree the role of audit, objectives, criteria for audit and the overall approach of the internal audit function required to meet current and future evolving needs. Importantly, having agreed these, they need to ensure that the function is staffed with the right skills, capabilities and experience to meet these objectives.

There is evidence that spending on governance, risk and compliance didn’t decrease in 2009 compared to 2008, so I think Protiviti is correct with its assessment. IA is being asked to expand their risk coverage beyond traditional areas of expertise. It’s only natural to feel a little overwhelmed by the expectations. The key to adapting in my opinion (and experience) will be support for training in non-traditional areas.

The survey is available on Protiviti’s website (if you give them some personal information first).

Continuous auditing is generally held to be an automated approach. Increasingly it is assumed to mean examining all data relevant to the audit being performed, rather than the historical norm of examining supposedly representative samples.

On top of this, the IIA defines it as “any method used to perform audit-related activities on a more continuous or continual basis.”

Rutgers University professor Miklos Vasarhelyi, calls it “an audit that happens immediately after or closely after a particular event.”

The article describes some examples of companies which have attempted to implement continuous auditing. The conclusion one reaches is that no one really audits continuously, but a few companies have managed to put in place some automatic testing using software like ACL that can reduce the work they have to perform on those transactions when they perform their “non-continuous” audits or highlight areas to investigate further.

This, I think, is good enough and valuable in its own right. Letting machines handle the menial tasks and freeing up audit staff to focus on bigger issues is a pattern as old as the industrial revolution.

I work in internal audit of a large corporation in the Southwestern United States. That’s all I will reveal of my identity for obvious reasons.

The “obvious reasons” are that he’s about to trash every element of this opportunity he’s been given to work at a large corporation in the Southwest US (during a massive recession when people much more experienced than him are losing their jobs, and in one of the hardest hit parts of the country to boot) despite having only two years of university level accounting studies to his credit.

I’m reminded of a recent column by Maureen Dowd on the use of anonymity online:

In this infinite realm of truth-telling, many want to hide. Who are these people prepared to tell you what they think, but not who they are? … Pseudonyms have a noble history… But on the Internet, it’s often less about being constructive and more about being cowardly.

One of the best uses for constructive anonymity is that of the whistleblower. Most companies have set up whistleblower channels by now which allow employees at all levels to safely make public or report to an independent body abuses they have observed at work. The post in question is not an example of constructive anonymity.

With that out of the way:

So you ask yourself, why go into internal audit? Well I’ve been asking myself the same question. I’ve been here almost three months and still have yet to see any meaningfulness in this work. … Granted, without this deterrent could be rampant fraud and waste, etc, but that’s beside the point.

I thought the point was that audit is meaningless. So, factors which make audit worthwhile are beside it? I guess if you ignore the potential for rampant fraud and waste, the job would be basically meaningless. I think it’s safe to assume he’s been so busy mindlessly ticking and tying his POs that he wouldn’t see an opportunity to address waste or fraud if it presented itself.

And with that, I’m reminded of a recent post by Penelope Trunk on creativity:

It’s as misguided to divide the world into creative and non-creative jobs as it is to divide the world into creative and non-creative people. All jobs have opportunities for creativity. Some have more and some have less, but you usually get more opportunities to be creative by demonstrating that you are a creative problem solver over and over again.

IA jobs can be rewarding and meaningful, but oftentimes only as much as you make them. The key point is that the onus is on you to push your job into creative territory. Not at the expense of your required duties, but going above and beyond what’s expected of you. You have to want to make the work meaningful and strive to do so. Especially in an entry-level internship, as this is a great opportunity to show your superiors that you’re a top performer. If you ruffle too many feathers (and the problem here may indeed be the work environment he’s found himself in), you’re back in school before you know it anyway for third year.

Continuing on:

The thing you have to keep in mind with internal audit is that you are working with the same documents, same departments, and same procedures year after year with the rare addition or removal of a department.

This really depends on the type of organization you’re working for. There are companies that own various subsidiaries in related industries that will provide variety. I know in my position I see many different types of businesses that fall under the broad building materials category, including heavy industry, manufacturing and pure distribution/wholesale. Newly acquired companies are a source of variety as well, and there is a smorgasbord of accounting systems in use providing challenge and an opportunity to learn and develop.

Oh, and the other thing about internal audit is you don’t get to travel nearly as much as external auditors, because everything you’re auditing is in the same building. The hours are also a lot more manageable. Nobody here goes over 40 hours a week.

Again, depends on the company. I left public accounting because my current position offered the chance to travel extensively. Since starting the job last May, I’ve worked in Switzerland, Ireland, the US, and Canada. The lion’s share of traveling for me is to the US. I just got back from Phoenix (third time this year), and before that spent three weeks in the Seattle-Tacoma area. (Gorgeous country!)

As far as the hours go, when I’m back in town (which I am for the next three weeks!) it’s pretty accurate to say we work a solid 40 hours only. On weeks where I’m on the road, the days are longer (10 hours usually) and Monday mornings are brutal. Think getting up at 3:30am EDT for a flight and working till 6pm Pacific! The bottom line is that the work that needs to get done, gets done on time no matter how long it takes, and this is generally true no matter where you work.

If you don’t have much of an imagination, enjoy working by yourself a lot, don’t mind monotonous work, have attention to detail, enjoys following instructions, don’t mind doing work that seems pointless (in your mind), and wants a steady paycheck, then I’d say auditing is for you.

Yeah this pretty much sums up the whole snarky episode. I see the proposition of IA a bit differently:

If you have a creative mind, enjoy working in small groups and meeting tons of new people every week, love challenging work, can both devise and follow instructions (and occasionally throw them out the window), don’t mind work that is critically important to the continued growth of your organization, and want a healthy and steady paycheck, good benefits and job security, then I’d say auditing is for you.

Auditing 101: Never extrapolate from a sample of one across a large, heterogeneous population.

Under the arrangement KPMG would undertake all the statutory responsibilities associated with an external audit, while also ‘delving deeper’ and offering advice on internal audit issues.

Not only that, but the audit will cost 30% less than what PwC was charging. I wonder if the company will end up losing more than they’ve saved if the market punishes them for the perception of having a less independent opinion. The director of the Professional Oversight Board, the UK body responsible for monitoring the UK’s ethical standards, declined to state whether the deal would be investigated. For their part, KPMG says they are confident they can address the threats to their independence.

Some observers say the arrangement would not be a viable option for companies with a dual listing in the US, owing to strict independence guidelines or ‘bright lines’ set down by the Securities and Exchange Commission.

It may not help shave costs during a time of economic difficulty, but I firmly believe keeping internal audit service providers separate from external auditors is critical to preserving the independence required for a financial statement opinion and is just best practice in general. I would’ve thought 7 years after SOX we’d have this down pat.

Pseudocode is called that because it’s not really code. It looks similar to code but it’s written in plain English rather than something the computer can understand. The point of it is to develop the logic of a program first before getting into the nitty-gritty of actually creating something workable. You’ll be better able to see and fix high-level problems at this stage than you would be when you’re wading through a morass of source code.

This to me is a lot like documenting a transaction cycle from scratch. You start at a high level and just get the bare bones down on paper to understand it from that perspective. You have discussions with the staff involved at each stage and understand from their point of view the role they play. As you have these discussions you’re getting deeper into the step-by-step procedures involved. You’re fleshing out the documentation and starting to identify the key controls.

Customer order received (on account)
If customer exists in system
	If customer is below credit limit
		Enter order
	Else
		Return to customer account manager
Else
	Send credit application to customer
	Receive complete application
	If customer credit history is good
		Set up customer in system
	Else
		Reject customer order

From there you delve a little more into the details. How are orders received? Who receives them? Who sets up the customer in the system? How is credit checked and by whom? Answering those questions will illuminate the controls and the segregation of duties within the process, and in a way you start to move from pseudocode to source code. You can’t test a transaction if it’s in pseudocode stage like you can’t run pseudocode in the development process. Once you have a testable, documented process it’s good to go.

So there you have it. There is a connection between the type of thinking required of a programmer and that of an auditor. This must be why I was able to make the transition from the Computer Science program into the Accounting program at university!