Top traits of an effective internal auditor

The President of the IIA shares what he sees as the top seven attributes of an effective internal auditor, and in general I agree, with a few distinctions.

The most important attribute is referred to as business acumen, but the description that accompanies it has more to do with having an in-depth knowledge of the business the auditor works for. Splitting hairs I guess, but acumen is the ability to make good decisions and exercise sound judgment. A strong understanding of what is driving the success of the business is important to cultivate, as is staying on top of developments within the industry in which it operates. I think both are important, but one is easier to develop than the other.

Communication skills come next, and I would broaden that to be people skills in general. The ability to read people and adapt to any given situation and personality is very helpful, so both the outward skills like communicating clearly and succinctly and the inward skills like listening actively and processing information quickly will come in handy when dealing with people within the organization.

Integrity comes in at 3rd, and is critical to establishing and maintaining your reputation as a professional. Being consistently honest and forthright in your interactions with your “customers” will allow you to build strong working relationships across the business.

Experience is next, and it’s not a subject I feel especially qualified to discuss, since I’m only in my third year as an internal auditor, sixth as an auditor. What I will say is that each day I strive to learn and get better at my job, and working with staff that have, among them, decades more experience than I provides a constant reminder of the value of that experience.

Number five on the list is a solid grasp of business risks, which to me means the exact same thing as the first item. Let’s just put them both together at the top and shorten the list to six, shall we? After that is talent development skills, which is important to have once you reach a certain level and have people reporting up to you. I could make the case that this is essentially a subset of people skills.

Last (but not least in my opinion) is courage and that’s important for auditors whether they’re external or internal. Part of the job is being the bearer of bad news and you’ve got to have the stones to deliver it straight!

IIA and ISACA pool resources and expertise

At the end of September the IIA and ISACA announced they had reached an agreement to “create a basis for cooperation and collaboration” between the organizations.

The agreement is formalized in a Memo of Understanding that has been signed by both parties. The MoU lists a few areas where this agreement makes cooperation possible:

  • Speaking and exhibiting at each other’s conferences, seminars and events
  • Conducting jointly sponsored events
  • Mutually recognizing, where appropriate, each other’s continuing education programs for continuing education credits to satisfy requisite certification requirements
  • Participating in training and educational programs offered by either association where such collaboration benefits the attendees
  • Encouraging similar cooperation and collaboration among local chapters of ISACA and The IIA (an activity that already thrives in many places throughout the world)
  • Identifying opportunities for joint projects that advance the global internal audit profession and the professional standing of its members
  • Engaging in periodic discussions on matters of public policy that impact the internal auditing profession
  • Where appropriate, coordinating and promoting unified messages and responses to standards setters, regulators, and legislators globally, and providing them with information regarding best professional practices

In order of value to each organization’s members, the top 3 in my mind are:

  1. Joint projects to advance the internal audit profession
     To me this is going to have the biggest impact on stakeholders because the combined knowledge and experience in both groups should lead to higher quality standards and improved best practices. Perhaps a combined set of standards down the road?

  2. Recognizing each other’s continuing education
     For members of both organizations this is huge. Program content frequently overlaps (e.g. the IIA’s GTAGs) and internal audit departments generally have staff with CIA and CISA designations (as well as CA and CPA, and others), so significant cost savings may be realizable.

  3. Collaborating on continuing education
     This could open up each organization’s continuing education programs to the other one’s members, which immediately introduces fresh topics and facilitators to both groups. Synergy here will allow members to broaden their training, and provide an easier transition from one to both certifications.

The agreement should work out to be a win-win-win — for the organizations, members, and stakeholders. What do you think?

CA ad campaign: Decisions Matter

Got an email last week about an update to the Decisions Matter ad campaign the CICA has been running for the designation:

The Decisions Matter ad campaign is aimed at shifting the traditional perception of the CA designation and promoting CAs as business leaders and key decision-makers in every organization. The campaign is very different from what we’ve done in the past. It is more assertive in establishing CAs as the leading business professionals and, in its originality, has been specifically designed to break through the media clutter.

I like the direction in which this strategy is taking us. For one, it is vocation agnostic, in that it doesn’t focus on CAs in public practice more than those in industry. And I like the attention that “decisions” are receiving, but I think that execution needs to be emphasized as well. Making the right decision is great, but acting on it is critical.

As a CA you have an important role to play in supporting this campaign. You can promote the CAs’ reputation as business leaders with a few simple steps:

  • Include your CA designation on business cards and other communications;
  • Ensure your professional network knows you are a CA. This includes the organizations you volunteer with;
  • When making presentations, discuss how your CA training has powered your achievements;
  • In interviews, introduce yourself as a CA; and
  • Talk about the Decisions Matter campaign with your family, friends and business contacts.

No mention of starting a blog and establishing your online brand in concert with the CA designation, but you can’t win ’em all I guess. If there’s one area that the CICA has thus far completely ignored it’s the social media space. Excuse me though, it’s time to ring the family and discuss this campaign with them, that’ll really promote our reputation!

My recommendation is to follow up the Decisions Matter campaign with something more focused on executing great ideas/decisions. Advising is valuable, deciding is important, but executing is key. What do you think of the campaign’s message and how it’s positioning CAs?

Enterprise risk audit planning

Earlier this week I watched a webinar put on by the Audit Director Roundtable, a great resource for internal auditors, titled Enterprise Risk Audit Planning.

If you follow me on Twitter, you might have seen this:

@neilmcintyre: IT problems for Audit Director Roundtable delay the start of the Enterprise Risk Audit Planning webinar

The problem was that the large group attempting to log in to the presentation were jamming the conferencing phone system. It was sorted out within 10 minutes of the scheduled start time. Good problem to have, really.

I was introduced to ADR when I joined the world of internal audit in May 2008 and have been taking advantage of the site’s features ever since, such as case studies, internal control questionnaire (ICQ) templates, audit department benchmarking tools and example audit work plans.

Today’s webinar was valuable to me because it focused on how five companies’ internal audit groups are dealing with the challenge of providing assurance over strategic risk. This is a topic that I have championed in my capacity as an internal auditor, and the companies in the webinar were actually walking the walk.

Some of the highlights:

  • One group enabled management to better identify and assess complete risk information by developing a tool that required them to drill down from higher level risks to their lower level components. What I liked in particular about the tool was that it discouraged the tendency to choose medium likelihood and medium impact (what they called “midpointing” although I’d never heard the term) by making those assessments lead to a “significant” rating.
  • Another group credited management for its efforts in identifying processes which were well-controlled versus those that were less well-controlled, by tailoring the assurance strategy to the former. Simply the act of identifying a poorly-controlled process would spur management to implement the necessary controls, at which point the process would migrate to the well-controlled side.
  • Yet another group maps the principal risks identified at a high level to each applicable business process to ensure adequate coverage. Internal audit focuses on the processes involved in executing on the strategic priorities, to provide assurance that those risks are well-controlled.

I enjoyed the webinar because it took what can be a challenging theoretical problem and showed examples where leading internal audit groups are concretely addressing the concerns of management over the key risks driving the performance of the business.

How are you implementing practices like these to provide assurance over the risks that primarily drive enterprise value?

Outsource internal audit for greater objectivity

That’s the recommendation from the Institute of Chartered Accountants of India (ICAI), as reported by The Indian Express:

“In the high-powered committee report on Satyam scam, we have proposed that internal audit should be outsourced and not be in house so that there is more independence. If the auditor is from the organisation, it is as good as being an employee of the organisation and the chances of remaining unbiased decline. Market regulator Sebi through clause 49 and the corporate affairs ministry through the Companies Law should make it mandatory that the internal auditor should be from outside the organisation,” ICAI president Amarjit Chopra told The Indian Express.

I can’t really argue with the logic, but the feasibility of the idea is fair game. The logistics of putting this into place is giving me a headache, and it does seem like an overreaction to a single instance of fraud.

The voice of reason comes from the director of KPMG in India:

“More important [than outsourcing] is the communication between the head of internal audit and CEO or chairman of audit committee. The success depends more on how freely and directly the internal auditor can discuss the shortcomings in a firm with the CEO of audit committee.”

Boards should be ensuring that the lines of communication between the Chief Audit Executive and the Audit Committee are direct and communications frequent and frank. That applies even if IA is outsourced as well.

I blogged a while ago about the Satyam scandal.