
INTERNAL AUDITOR
AUGUST 2017 | INTERNALAUDITOR.ORG

THE TECHNOLOGY ISSUE

Managing and Protecting Data
Tech Expectations of Today’s Internal Auditor
Analytics and the Audit Function
New IIA Global Chairman on #PurposeServiceImpact


CAREER OPPORTUNITIES

CIA is the Road to More.
Drive Your Career Forward With the CIA.

As the only globally recognized certification for internal auditors and The IIA’s premier designation for more than 40 years, the CIA sets the standard for excellence in the profession. The CIA distinguishes you from your peers and demonstrates proficiency and professionalism. Plus, CIAs earn an average of $38,000 more annually than those without a certification.*

See the tools, training, resources, and steps to get you on the road to opportunity. ACCELERATE YOUR PATH!

CIA Learning System: www.LearnCIA.com
Visit www.theiia.org/CIARoadMap

*According to The IIA’s 2017 Internal Audit Compensation Study (based on U.S. responses.)
DEATH OF THE TICK MARK
(you aren’t still using them, are you?)

ACL EBOOK

Find out why it’s time to abandon the tick mark, with your own copy of Death of the Tick Mark: “How to overcome the obsolescence of the traditional internal auditor.” Download at acl.com/tick-mark »
2017 ALL STAR CONFERENCE
Oct. 30 - Nov. 1 / Las Vegas, NV
IIA members register by Sept. 4, 2017 and SAVE $200!

JOIN US IN LAS VEGAS!

The IIA’s All Star Conference features exciting new keynote speakers and brings back the top-rated speakers from the previous conference year for an encore engagement!

In its 13th year, this conference features an “all-star” line-up of speakers to spotlight tools, emerging trends, and strategies for the profession within four educational tracks:

Emerging Trends in Technology & Cybersecurity
Governance, Risk, & Fraud
Professional Development and Improvement
Innovation in Internal Audit

Earn up to 18 CPEs! Great for auditors at all career levels.

Don’t miss this All Star event.

Register today at www.theiia.org/AllStar.
AUGUST 2017 VOLUME LXXIV: IV

FEATURES

COVER | TECHNOLOGY

26 In Safe Hands. Organizations must grapple with a host of issues when determining how to best store, safeguard, and leverage their data. BY ARTHUR PIPER

32 Great Tech Expectations. As technology becomes more integrated with business processes, auditors must raise their IT skills. BY RUSSELL A. JACKSON

41 Building a Data Analytics Program. Six strategies can facilitate progress when starting or furthering an analytics program. BY GORDON BRAUN, ANDREW STRUTHERS-KENNEDY, AND GREGG WISHNA

46 #PurposeServiceImpact. The IIA’s 2017–2018 Global Chairman of the Board J. Michael Peppers encourages internal auditors to unify around the three concepts in his powerful hashtag.

53 The Root of the Matter. Performing root-cause analysis on engagements requires that auditors recognize common myths associated with the process. BY JIMMY PARKER

60 7 Steps to Transformation. Internal auditors can assist management throughout the many stages of business change. BY JAMES E. SCHULIEN

DOWNLOAD the Ia app on the App Store and on Google Play!

FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org


Set Yourself Apart by Four Letters
Apply for the CRMA and CCSA for Free in August.

Earning the Certification in Risk Management Assurance® (CRMA®) or Certification in Control Self-Assessment® (CCSA®) is the best way to articulate your expertise in these specialized areas without saying a word. Plan now to begin your application for these distinctive certifications and save up to $230 per program. Apply between August 1 and 31, 2017 to qualify.

Apply today at www.theiia.org/CRMA-CCSA
AUGUST 2017 VOLUME LXXIV: IV

DEPARTMENTS

PRACTICES

11 Update: There’s a gap between cyber awareness and readiness; EU establishes office to fight cross-border fraud; and fewer women are being appointed to boards.

15 Back to Basics: Auditors need to do more to ensure compliance audits add value.

18 ITAudit: SQL queries can uncover greater insights from organizational data.

20 Risk Watch: Internal audit needs to assess its own risks.

23 Fraud Findings: Pressure and opportunity lead a cashier to pocket cash.

INSIGHTS

67 The Mind of Jacka: Audit report wordsmithing can prove a disservice.

68 Eye on Business: Adding analytics requires careful change management.

72 In My Opinion: Audit ratings fail to encourage constructive behavior.

7 Editor’s Note
8 Reader Forum
71 Calendar

ONLINE InternalAuditor.org

The Internet of Risks: The rise of connected devices through the Internet of Things creates a multitude of organizational exposures.

Chairman’s Video: Watch The IIA’s 2017–2018 Global Chairman J. Michael Peppers discuss his theme for the upcoming year, #PurposeServiceImpact.

The Costly Parking Lot: Auditors in Canada raise questions about the inflated price of a land deal. Fraud expert Art Stewart explains why.

Repairing the Weakest Link: A recent survey says employee actions are at the heart of most cybersecurity incidents reported to insurers.

IMAGES: COVER, SEAN YATES; TOP, GUVENDEMIR / ISTOCK.COM; RIGHT, BEEBRIGHT / SHUTTERSTOCK.COM

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations.
Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2017 The Institute of Internal Auditors Inc. Change of address notices and subscriptions should be directed to IIA Customer
Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. CANADA POST
INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The
Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.
Meet your challenges when they’re still opportunities.

RSM and our global network of Risk Advisory consultants specialize in working with middle market companies. This focus leads to custom insights designed just for your specific challenges. Our experience, combined with yours, helps you move forward with confidence to reach even higher goals.

rsmus.com/riskadvisory

RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.
Editor’s Note

A TECHNOLOGY REVOLUTION

The technology landscape changes at such speed that most of us have trouble trying to keep up. Smartphones, apps, and social media often leave our heads spinning with their constant updates. As soon as you master a newly launched technology, there’s another one on the horizon. Imagine the difficulty in wrapping your head around this rapid change at the business level. Fifty-two percent of business and IT leaders rate their organization’s digital IQ — a measure of an organization’s capability to get strategic value from technology investments — as strong in PricewaterhouseCoopers’ 2017 Digital IQ survey. This is a significant drop from previous years: 67 percent in 2016 and 66 percent in 2015.

While businesses see the value in adopting new technologies, many of them have not adapted quickly enough to keep up with the technology curve. Technology and business are inseparable, so businesses that neglect to embrace this relationship are sure to fail. For internal auditors, that means understanding the evolving risk landscape related to the business and learning to use technology in their work.

“There is no business today that is not driven by data,” says Dominique Vincenti, Nordstrom’s vice president of Internal Audit and Financial Controls. In our cover story, “In Safe Hands” (page 26), Vincenti says businesses need to fundamentally reassess what data means to their organizations going forward. New laws such as the European Union’s General Data Protection Regulation (going into effect spring 2018) will require companies to have more control over what data can be held and how it can be used.

More importantly, the increased risks from ransomware attacks, data breaches, blockchain adoption, the Internet of Things, use of artificial intelligence, and data collection and its ethical use — the list goes on and on — beg the question: Are internal auditors equipped to handle the technology embedded into business practices?

IT expertise among internal auditors is now a general expectation, according to “Great Tech Expectations” (page 32). Author Russell Jackson says today’s internal audit new hires who have grown up with smartphones and technology often have more advanced IT skills on day one than their predecessors. Office Depot’s Chief Audit Executive Jennifer Goschke stresses that “it’s important to have IT subject matter experts on your team to provide the technical chops to be able to go head to head with IT.” But while auditors with IT experience are still in high demand, they continue to be hard to find, afford, and retain.

Technology will continue to disrupt and change the business landscape at an increasingly rapid pace — what some futurists call The Fourth Industrial Revolution. One thing is certain: Organizations that resist that change will not survive.

Shannon Steffee

AUGUST 2017 INTERNAL AUDITOR 7


Reader Forum
WE WANT TO HEAR FROM YOU! Let us know what you think of this issue.
Reach us via email at editor@theiia.org. Letters may be edited for clarity and length.

A Thankless Job?
It can be a thankless job to ask difficult questions and deliver unpleasant recommendations in the transparent culture of public organizations. Add to that mix political retaliation for simply doing one’s job, which is a sad fact internal auditors are faced with. Audit practitioners in recent retaliation headlines provide both a warning and a level of support for professional auditors to maintain an ethical true course. I agree that it is imperative that we continue to honor The IIA’s Code of Ethics when performing audit engagements and hope that by maintaining strong communication with management, as suggested in the article, we can show we support the same goal: effective organizational services.
EMILY KIDD comments on Russell Jackson’s “Under Siege” (June 2017).

Organizational Watchdogs
Unfortunately, it has been pounded into our heads that we need to change our image from that of “gotcha” or police to a softer persona. As auditors, we are that last defense in making sure that the organization is operating in a way that minimizes risks, safeguards resources, and protects stakeholders. Sometimes the truth hurts, and senior management needs to understand that auditors are there to help keep the organization out of trouble. Given the recent news about organizations — from government to the private sector — getting into trouble, many have asked where the safeguards were. Or, how did this occur without someone raising questions? This is where auditors come in — to be that watchdog protecting the organization when all other defenses fail. After all, would they rather have the auditor identify the problem so the organization can address it? Or would they like the media and outsiders to find out and crucify the organization? I am willing to bet most would choose the auditor option.
FREDRICK LEE comments on Christine Hogan Hayes’ “Internal Audit as Police” (“In My Opinion,” June 2017).

Friend or Foe?
During my last two positions as a chief audit executive, I have reported administratively to the general counsel to avoid reporting to the chief financial officer, who is responsible for the primary areas I have audited. Thankfully, I have not had any serious disagreements with the general counsel on internal audit findings or reports.
MICHAEL PEAK comments on the Chambers on the Profession blog post, “For Internal Audit — Is the General Counsel Friend or Foe?”

VISIT InternalAuditor.org for the latest blogs.
AUGUST 2017 VOLUME LXXIV: IV

EDITOR IN CHIEF Anne Millage
MANAGING EDITOR David Salierno
ASSOCIATE MANAGING EDITOR Tim McCollum
SENIOR EDITOR Shannon Steffee
ART DIRECTION Yacinski Design, LLC
PRODUCTION MANAGER Gretchen Gorfine

CONTRIBUTING EDITORS
Mark Brinkley, cia, cfsa, crma; Wade Cassels, cia, ccsa, crma, cfe; J. Michael Jacka, cia, cpcu, cfe, cpa; Steve Mar, cfsa, cisa; Bryant Richards, cia, crma; James Roth, phd, cia, ccsa, crma; Charlie Wright, cia, cpa, cisa

EDITORIAL ADVISORY BOARD
Dennis Applegate, cia, cpa, cma, cfe; Lal Balkaran, cia, cga, fcis, fcma; Mark Brinkley, cia, cfsa, crma; Robin Altia Brown; Adil Buhariwalla, cia, crma, cfe, fca; Wade Cassels, cia, ccsa, crma, cfe; Daniel J. Clemens, cia; Michael Cox, fiia(nz), at; Dominic Daher, jd, llm; Haylee Deniston, cpa; Kayla Flanders, cia, crma; James Fox, cia, cfe; Peter Francis, cia; Michael Garvey, cia; Nancy Haig, cia, cfe, ccsa, crma; Daniel Helming, cia, cpa; Karin L. Hill, cia, cgap, crma; J. Michael Jacka, cia, cpcu, cfe, cpa; Gary Jordan, cia, crma; Sandra Kasahara, cia, cpa; Michael Levy, cia, crma, cisa, cissp; Merek Lipson, cia; Thomas Luccock, cia, cpa; Michael Marinaccio, cia; Norman Marks, cpa, crma; Alyssa G. Martin, cpa; Dennis McGuffie, cpa; Stephen Minder, cia; Jack Murray, Jr., cba, crp; Hans Nieuwlands, cia, ra, ccsa, cgap; Bryant Richards, cia, crma; Jeffrey Ridley, cia, fcis, fiia; Marshall Romney, phd, cpa, cfe; James Roth, phd, cia, ccsa; Katherine Shamai, cia, ca, cfe, crma; Debora Shelton, cia, crma; Laura Soileau, cia, crma; Jerry Strawser, phd, cpa; Glenn Sumners, phd, cia, cpa, crma; Sonia Thomas, crma; Stephen Tiley, cia; Robert Venczel, cia, crma, cisa; Curtis Verschoor, cia, cpa, cfe; David Weiss, cia; Scott White, cia, cfsa, crma; Benito Ybarra, cia

IIA PRESIDENT AND CEO Richard F. Chambers, cia, qial, cgap, ccsa, crma
IIA CHAIRMAN OF THE BOARD J. Michael Peppers, cia, qial, crma
PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS INC.

CONTACT INFORMATION
ADVERTISING advertising@theiia.org, +1-407-937-1109; fax +1-407-937-1101
SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES customerrelations@theiia.org, +1-407-937-1111; fax +1-407-937-1101
EDITORIAL David Salierno, david.salierno@theiia.org, +1-407-937-1233; fax +1-407-937-1101
PERMISSIONS AND REPRINTS editor@theiia.org, +1-407-937-1232; fax +1-407-937-1101
WRITER’S GUIDELINES InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.



ELEVATE YOUR EHS AUDIT EXPERTISE

With an ever-evolving environmental, health and safety landscape, the demand for top talent and acumen in the EHS audit industry rises. Stay on top of your game and establish your credibility with The IIA’s suite of resources for EHS auditors.

Environmental, Health & Safety Exchange
Sept. 11–12 / Hyatt Regency St. Louis / St. Louis, MO
Attend the premier conference dedicated to the practice of EHS auditing and learn to “Turn Risk Into Readiness.”
Register at www.theiia.org/EHSExchange

Certified Professional Environmental Auditor® (CPEA®)
Apply in September to save $230
Earn one of the four specialty CPEA designations and set yourself apart from peers by demonstrating your credibility and commitment to the EHS audit profession.
Apply at www.theiia.org/CPEA

Environmental, Health & Safety Audit Center (EHSAC)
Influential. Impactful. Indispensable.
Join the EHSAC and gain access to exclusive thought leadership, regulators, industry leaders, and practitioners.
Add the center to your IIA membership at www.theiia.org/EHSAC

Learn more at www.theiia.org/EHSAC
Your Solution to Effective Internal Audit and Compliance

• Galileo is a comprehensive and fully integrated audit and compliance system
• Used by over 200 organizations in over 80 countries catering for teams from 5 to over 1,000
• System can be installed on customer infrastructure or provided as a SAAS hosted solution
• Works with any standard browser on laptop, PC, iPad/tablet and other smart devices
• Implemented and supported by experienced audit professionals

Over [number illegible] standard reports, charts, dashboards and scorecards are provided. The system includes a drag and drop end-user reporting tool and comprehensive analysis tools. Proactively alerts and prompts all stakeholders with the key information required to objectively assess the effectiveness of the assurance framework.

Integrated: a single integrated system that intelligently combines elements to provide a complete picture
Individual: configured and customized to meet your organization and users’ exact needs
Intuitive: easy to use system, liked by users, which evolves and grows with you
Innovative: at the forefront with techniques to improve your methodology, efficiency, delivery and profile

www.magiquegalileo.com
+1 212 220 6709 (USA) +44 (0)20 3753 5535 (UK)
EU takes fraud fight across borders… Fewer women named to boards… Defending against ransomware… Guidance advocates crisis resilience.

Practices/Update

THE CYBER READINESS GAP
Organizations may not be prepared for the attacks they’re expecting.

The one-two punch of this year’s WannaCry and Petya ransomware attacks hit businesses around the world hard before many had their guard up. The emergence of ransomware is a big reason 53 percent of security professionals surveyed report a rise in cyberattacks last year, according to the second installment of ISACA’s 2017 State of Cyber Security Study. The 633 respondents to the global survey expect things to get worse this year, with 80 percent saying their organization is likely to experience a cyberattack.

Knowing the threats is one thing — readiness is another. Just 31 percent of respondents say their organization tests its security controls routinely, and 13 percent don’t test them at all. Only 53 percent have a plan in place to address ransomware attacks.

“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” says Christos Dimitriadis, group head of information security at INTRALOT in Athens, Greece.

Next to phishing schemes, malicious code attacks such as ransomware are the most common threat type, respondents report. Sixty-two percent say their organization experienced a ransomware attack in 2016.

Meanwhile, the Internet of Things (IoT) has supplanted mobile devices as a primary focus of respondent organizations’ defenses, with nearly 60 percent of respondents saying they are concerned about attacks on IoT devices. In part, this shift is because most organizations are using encryption to protect mobile device data in the event they are lost or stolen. Also, respondents report they are more aware of IoT technologies that are deployed in their organization compared to past surveys.

Organizations may be fighting more threats without more resources, the report notes. Growth in cybersecurity spending is slowing, with only half of respondents reporting their budget will increase this year. — T. MCCOLLUM

TOP ELECTRONIC MESSAGE CONCERNS
Financial firms have heightened worries about electronic communications.

Non-email channels: 54% in 2017, 35% in 2016
Understanding new and changing regulations: 50% in 2017, 30% in 2016
Mobile communications devices: 50% in 2017, 23% in 2016
Inefficient supervision process: 46% in 2017, 28% in 2016

Source: Smarsh, 2017 Electronic Communications Compliance Survey Report

IMAGES: TOP, GUVENDEMIR / ISTOCK.COM; RIGHT, BROTHERS GOOD / SHUTTERSTOCK.COM

FOR THE LATEST AUDIT-RELATED HEADLINES follow us on Twitter @IaMag_IIA

EU TO FIGHT CROSS-BORDER FRAUD
A new office will address corruption across national boundaries.

European Union (EU) justice ministers have agreed to establish an independent public prosecutor’s office to investigate and prosecute criminal cases affecting the EU budget, including corruption or fraud with EU funds and cross-border value-added tax (VAT) fraud. Twenty of the EU’s 28 member states will work with the new office. The Luxembourg-based prosecutor’s office will have the ability to respond quickly across national borders, without the need for lengthy judicial cooperation proceedings. It will bring actions against criminals directly in front of national courts, streamlining investigation and information-sharing. The European Commission says cross-border fraud costs EU member states an estimated 50 billion euros ($57 billion) in VAT revenue annually.

Currently, only national authorities can investigate and prosecute EU fraud, and existing EU bodies do not have the authority to conduct criminal investigations. — D. SALIERNO

62% OF U.S. FINANCE EXECUTIVES SAY THE NUMBER AND DOLLAR AMOUNT OF CREDIT CARD CHARGEBACKS HAVE INCREASED SINCE CHIP CARD TECHNOLOGY WAS INTRODUCED IN THE U.S.

64% SAY THE NUMBER AND DOLLAR AMOUNT OF CARD-NOT-PRESENT (CNP) CHARGEBACKS HAVE INCREASED SINCE THAT TIME.

“As merchants have upgraded in-store payment security measures, fraudsters have flocked to CNP channels — online, mobile, and elsewhere — with stolen payment credentials,” says Tom Byrnes, chief marketing officer at Vesta Corp.

Source: Vesta Corp. and CFO Research, Managing the Risk of Fraud: The View From Corporate Finance

WOMEN LOSING GROUND
Fewer women were appointed to U.S. boards in 2016 in a setback for gender parity.

Female directors lost ground for the first time in seven years, according to Board Monitor: Board Diversity at an Impasse?, the latest annual study from executive search firm Heidrick & Struggles. Women accounted for 28 percent of new director appointments at Fortune 500 companies in 2016, down 2 percent from the previous year. “It is disappointing to see that more progress wasn’t achieved to move closer to gender parity in corporate boardrooms in 2016,” says Bonnie Gwin, vice chairman and co-managing partner of the company’s global CEO & Board Practice.

Fortune 500 boards filled a record 421 seats in 2016. Of those new directors, almost 75 percent had previous board experience. Yet when companies place more value on a candidate’s unique skills and experiences vs. board experience, women and people from other underrepresented groups gain greater representation in the boardroom, Gwin says. Women accounted for 37 percent of new board appointees who are serving on boards for the first time.

One industry where women made big gains is the technology sector, where board diversity has lagged behind other sectors. Women accounted for 40 percent of newly filled board seats, up 13 percent from 2015. Gwin notes board diversity at tech companies has increased following the Hewlett-Packard and Hewlett-Packard Enterprise split in 2015, when four women and two people of color were placed on each new board.

Hispanic director appointments rose sharply from 4 percent in 2015 to 6.4 percent in 2016. “This increase is due to more boards focusing on inclusion, and an effort to have companies’ boardrooms better reflect their customer base and employee population,” says Jeff Sanders, vice chairman and co-managing partner of Heidrick & Struggles’ global CEO & Board Practice. — S. STEFFEE

GUARDING AGAINST RANSOMWARE
Internal audit can help scrutinize cybersecurity practices and plans, says Soo-young Lee, lead internal auditor at Songwon Group.

What should internal auditors ask to assess the organization’s protections from ransomware attacks? Now is a time of unprecedented state-on-state ransomware attacks. To protect an organization from these attacks, internal auditors should question whether senior executives and the board support designing a holistic approach for people, process, and technology to make a defense strategy successful. Does IT security governance include the human factor in its corporate risk analysis and assessment? Is there a business continuity/disaster recovery cyber breach program that originated from a business impact analysis that includes vulnerability assessment and ethical hacking?

What is the most important deterrent to mitigate the risk of an attack? Employees are an organization’s greatest asset, but also its greatest security risk. As new types of cyberattacks grow, organizations must do people “patching” — training employees on how to recognize, analyze, and respond to vulnerabilities. Those vulnerabilities include out-of-date operating systems and software, and suspicious emails and attachments. Also, IT should make sure antivirus programs are installed and that files are backed up daily somewhere not connected to the internet.

CULTURE OF RESILIENCE
New guidance offers keys to addressing organizational crises.

A new IIA report examines how internal auditors can help organizations progress from mere “crisis awareness” to a culture of “crisis resilience.” Organizations that achieve this transformation can better resist, react to, and recover from major disruptive events, according to Global Perspectives and Insights: Crisis Resilience.

Responding to a crisis can involve much more than just restoring operations, the report notes, especially when lives are lost, customer data is compromised, or a CEO is humiliated. Internal auditors can expand their roles and step back to consider the big picture — the broad organizational objectives and corresponding risks. “They can help prepare their boards, executives, and employees for a crisis, provide assurance over readiness, and help instill a crisis-resilient culture,” the report says.

Crisis Resilience also points to the role of internal audit in post-crisis activities, responding to lessons learned. Participating in this process provides an opportunity for auditors to move from a supportive to a front-seat role in the organization, the report concludes. — D. SALIERNO

IMAGES: TOP, SASHKIN / SHUTTERSTOCK.COM; LEFT, ROBSONPHOTO / SHUTTERSTOCK.COM; PHOTO: RIGHT, OATAWA / SHUTTERSTOCK.COM


CIA® EXAM PREP FROM THE CIA EXPERTS

Achieve exam day excellence with The IIA’s CIA Learning System®

• New version aligns with the 2017 IPPF and teaches the entire CIA exam syllabus.
• Mobile-optimized study tools make it easy to study where you want and when you have time.
• Flexible course options allow you to study your way: self-study, online, or in-person facilitator-led courses, or corporate training.

For more information or to try a free demo, visit www.LearnCIA.com.


Back to Basics
BY BRIAN AIKEN + DAVID CODERRE EDITED BY JAMES ROTH + WADE CASSELS

MORE THAN COMPLIANCE WITH “A”


Transforming a
compliance program
into a value-adding

I
activity starts with
internal audit. t is difficult to argue that real assurance to senior man- provides the independent
compliance audits are agement and add value. assessment over risk as the
not an important internal third line of defense.
audit product. Noncom- Do the Right Thing Internal audit provides
pliance with, for example, Internal auditors can add assurance on the effectiveness
anti-money laundering value to compliance audits of governance, risk man-
legislation can have serious by doing the right audit and agement, and compliance,
consequences. In one recent doing it correctly. Doing the including the way in which
example, Deutsche Bank right audit means examining the first and second lines of
was fined $425 million by why there is a compliance defense achieve risk manage-
the New York State Depart- requirement in the first place. ment and control objectives.
ment of Financial Services Typically, it’s for legal, regula- This assurance covers a broad
and $204 million by the tory, operational, or ethical range of objectives, including
U.K. Financial Conduct reasons. But behind “you compliance with laws, regu-
Authority for failing to con- must do ‘A,’” there is a serious lations, policies, procedures,
duct basic money launder- enough risk for management and contracts. But it should
ing due diligence. or regulatory/legal authori- not be compliance simply
Despite the seriousness ties to put in a compliance for compliance sake. Internal
of noncompliance, many requirement. However, risk audit should consider the
managers do not see compli- shifts quickly, and speed overarching business objec-
ance audits to be of value, of change is a critical suc- tive and the controls that
possibly because they often cess factor of business. Risk help mitigate risk to the
look like this: morphs rapidly in a world achievement of the objec-
ɅɅ Objective: Verify com- where globalization and tive — even when examining
pliance with “A.” automation affect strategic compliance-related controls.
ɅɅ Criterion: Client and operational initiatives of Deconstructing the
should do “A.” global enterprises. Changing top-level strategy into key
ɅɅ Condition: Client is risks can affect not only the objectives will identify the
not doing “A.” need for compliance controls enterprise-level risks that
ɅɅ Recommendation: but also their adequacy. In threaten achieving those
Do “A.” addition, while the compli- goals, the process-level
Auditors need to ensure that ance function monitors non- control objectives that miti-
compliance audits provide compliance, internal audit gate enterprise risks, and

SEND BACK TO BASICS ARTICLE IDEAS to James Roth at jamesroth@audittrends.com

AUGUST 2017 INTERNAL AUDITOR 15


Practices/Back to Basics
TO COMMENT on this article,
EMAIL the author at brian.aiken@theiia.org

process-level risks and controls. The compliance activities will likely be closely related to these process-level risks and controls, which should be assessed.

Start With the Objective
Virtually every company will have a set of policies and procedures that must be followed to protect it from lawsuits, prosecution, and reputational and other risks. These are the areas with compliance requirements and where audit performs compliance audits. For example, companies with manufacturing plants must comply with environmental regulations, and U.S. publicly traded companies have to comply with the U.S. Sarbanes-Oxley Act of 2002 and other financial and legal rules and regulations.
Transforming a compliance audit into a value-adding activity starts with the audit objective. This defines what the audit seeks to accomplish and drives the scope, criteria, work plan, and final results. If the objective is simply to verify compliance with “A,” then one will fall into the trap of concluding “You are not doing ‘A’” and recommending “Do ‘A.’” However, if the objective is “To verify the need for, existence of, and adequacy of compliance with ‘A,’” it will be better positioned to address governance and risk management issues and compliance.
In this type of audit objective, one of the first steps would be to determine if the original risks and compliance requirements still exist. They may have been eliminated by a change in operations (e.g., the company is no longer making that product) or transferred to someone else (e.g., subcontracted out); the company is no longer using that manufacturing process; or business process re-engineering, changes in location, or retooling may have eliminated, transferred, or lessened the risk. In these cases, the value add might be the elimination of the requirement. No risk = no compliance requirement.
With a good understanding of the current level and sources of risk, the next step is to look at the requirement for, and the adequacy and effectiveness of, the mitigating control. This requires an understanding of the cause and source of the risk and the operation of the control. Is the control still required? Does it address the root cause? Are there better ways to mitigate the risk? By answering these questions, the audit may identify unnecessary, ineffective, or better controls, which may reduce the cost of compliance while improving risk mitigation. The next step would be to verify that the control activities are being performed (i.e., compliance).
However, if one finds noncompliance, it is not sufficient to recommend “Do ‘A.’” Audit recommendations should address the root cause, including determining why management is not complying. Was management aware of the requirement? Is management capable of complying? Are there compensating controls that have been implemented? Asking why (usually several times) is often sufficient to determine the cause of noncompliance.
Internal auditors also should determine the impact of noncompliance. Then instead of saying, “Do ‘A,’” audit can provide a rationale and make a recommendation that assists management in complying.
Next, the audit should be done right. This means maximizing use of resources and analytics. Data analytics includes the application of analysis techniques to understand business processes; identify and assess risks; test controls; assess efficiency and effectiveness; and prevent, detect, and investigate fraud. Data analytics techniques can assist organizations in focusing their risk responses in the areas in which there is a higher risk — including compliance risk.
Existing levels of risk can be assessed and trends identified to determine whether the risk is increasing or decreasing. For example, environmental compliance could examine spills (number and quantity), clean-up costs, and lawsuits (quantity and value); while production compliance could examine material, personnel, maintenance, and operational costs. By examining measures over several months or years, trends can be produced to assess the effectiveness of mitigation efforts and identify emerging risks.
The effectiveness of controls also can be tested with analytics. For example, environmental compliance can examine the control over the purchasing of hazardous materials — ensuring that the purchase quantities match requirements — thereby avoiding environmental compliance issues around disposal. Compliance with hiring practices could review staffing methods and staffing rates (by gender, race, etc.) to ensure procedures are being followed and address employment equity requirements before they become noncompliance issues.

Remove the Stigma
Sometimes compliance with a poor control can increase risk and dysfunctional behavior, and cultural issues can make enterprisewide compliance difficult for global companies and increase risk. Doing the right compliance audit — not simply “did we do ‘A?’” — and doing it effectively can result in significant value to the organization and remove the “gotcha” stigma of compliance audits. However, it requires auditors to re-examine the compliance-related risk and controls and use analytics. By doing so, it will add value and provide assurance to senior management about compliance-related risks.

BRIAN AIKEN, CIA, CFE, is the former assistant comptroller general of Canada in Ottawa, Ontario.
DAVID CODERRE, ACDA, is president of CAATS in Ottawa, Ontario.

ITAudit
BY KEN GUO + WEI JIANG EDITED BY STEVE MAR

STOP CLICKING, START CODING

SQL queries can enable internal auditors to uncover greater insights from organizational data.

As data grows in volume and complexity, the effective use of it is critical for making better, faster, and more informed decisions. Organizations increasingly are seeking internal auditors who can analyze data and generate insights that bring new value to the business.
While internal auditors typically perform data analysis using specialized audit software packages or a general spreadsheet application, there is a growing need for auditors to develop technical skills beyond those tools. For example, Fortune 500 firms such as Google and Verizon have made proficiency in structured query language (SQL) part of their job requirements for hiring internal auditors.
SQL is a special-purpose programming language designed for managing data held in database management systems that support widely used enterprise resource planning systems. Designing SQL procedures for transforming data into useful information requires a good understanding of data structure and the logic of how a system works. Such understanding is particularly important for internal auditors when they work with large volumes of data in today’s complex business environment. From the learning perspective, the logical thinking and reasoning inherent in the SQL coding process helps internal auditors develop the critical thinking and problem-solving skills desired by the profession.
Moreover, SQL-based analysis has gained increasing importance with the advent of big data. SQL tools enable fast access to relational databases that store vast amounts of data, offer flexibility in developing ad hoc queries on an as-needed basis, and can be tailored to the specific needs of auditing. Furthermore, because SQL is an international standard, internal auditors are not constrained to using a specific software tool.

Asking Questions of Data
Internal auditors can write and refine SQL code in a relational database to arrive at incrementally better solutions until the desired outcome is achieved. Consider the example of an Employees table that contains data such as employee ID, first name, last name, birth date, and hire date. Auditors can ask many interesting questions about this data, such as whether the company has complied with all employment regulations. In the context of The Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management–Integrated Framework, this inquiry addresses the company’s conformance with its compliance objectives.
To check compliance with child labor laws, internal auditors can query the data to determine whether

any employees were underage at the time of their hiring. For example, the minimum age for employment in the U.S. is 14; and there are specific requirements for the age group between 14 and 18. Auditors can begin answering this question using this code:

SELECT EmployeeID, FirstName, LastName,
(HireDate-BirthDate)/365
FROM Employees;

The SELECT statement in the code retrieves all of the values in the EmployeeID, FirstName, and LastName columns, and calculates the age of the employee at the time of hiring as the difference between the HireDate and BirthDate divided by 365 days. The FROM clause specifies the tables from which the data are selected.
The query returns a total of 11 employees. Of these employees, the results identify four questionable employees: two are under 18 and the other two have no age information. At first glance, the design of the query seems to answer the question, but this solution only works well for small organizations. Imagine a large company that has thousands of employees. In such a situation, auditors would have to sift through a long list of employees to identify those with age problems. An additional issue is that the system-generated title of the column for the age data, “Expr1003,” is not descriptive, and the data, itself, has 10 decimal places. To address these drawbacks, internal auditors can improve the SQL statement:

SELECT
EmployeeID, FirstName, LastName,
ROUND((HireDate-BirthDate)/365, 1)
AS AgeAtHire
FROM Employees
WHERE (HireDate-BirthDate)/365 < 18;

This revision aims to filter out unnecessary data and improve the readability of the report. Adding the WHERE clause restricts the result to employees under age 18. The ROUND function rounds the age number off to one decimal place. The heading of the column containing the age data is also renamed to AgeAtHire. The query result now contains only two suspicious employees who were under 18 at the time of their hiring.
However, there is something missing from the report. The first query uncovered two additional suspicious employees without any age information. Further examination of the Employees table reveals that birth and hiring dates are not available for these two employees. While only a conjecture, these two individuals may have been “ghost employees” as the result of payroll frauds. Internal auditors should include these two suspicious employees in the report, as well.
To find this information, internal auditors can amend the SQL query:

SELECT
EmployeeID, FirstName, LastName,
ROUND((HireDate-BirthDate)/365, 1)
AS AgeAtHire
FROM Employees
WHERE (HireDate-BirthDate)/365 < 18
OR (HireDate-BirthDate) IS NULL;

In this solution, auditors add another condition, “(HireDate-BirthDate) IS NULL,” in the WHERE clause with the OR operator. The OR operator performs a logical comparison and specifies that an employee should be included in the report if either of the two conditions is met: age at the time of hiring is less than 18, or age data for this employee is NULL (i.e., left blank). Now the report shows all four suspicious employees.
This is not the end of the data analysis, however. Based on this result, internal auditors would need to investigate further to determine why the age information is missing for two employees and how the two underage employees were hired in the first place.

Powerful Analytical Tools
The underage employee example demonstrates how SQL can be a useful database tool for solving audit-related problems. However, it has only scratched the surface of the capabilities of SQL-based data analysis. Indeed, SQL and other audit software can form a powerful set of analytical tools for internal auditors, particularly in the context of ever-growing volumes of data available for business use.

KEN GUO, PHD, CPA/CMA (CANADA), is an assistant professor at California State University, Fullerton.
WEI JIANG, PHD, is a professor of accounting at California State University, Fullerton.
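The three queries above, run end to end against a constructed Employees table, as an added example that is not the authors’ code. It assumes SQLite, where the article’s Access-style HireDate-BirthDate becomes a julianday() difference, and keeps the article’s 365-day year and 18-year threshold; the employee rows are constructed sample data.

```python
"""Added example (not the article authors' code): the underage-hire query
run against a constructed Employees table in an in-memory SQLite database.

Assumptions: SQLite stores the dates as ISO-8601 text, so the article's
Access-style `HireDate-BirthDate` becomes a julianday() difference; the
365-day year and the 18-year threshold are taken from the article."""
import sqlite3

# Constructed sample data, not real personnel records: 11 employees, two
# hired under 18, one with NULL dates and one with blank-string dates.
EMPLOYEES = [
    (1, "Ana", "Lopez", "1980-03-02", "2005-06-01"),
    (2, "Ben", "Carter", "1975-11-20", "2001-02-14"),
    (3, "Cal", "Dunn", "2000-01-15", "2016-09-01"),   # about 16.6 at hire
    (4, "Dee", "Evans", "1990-07-07", "2012-08-20"),
    (5, "Eli", "Ford", "1985-12-30", "2010-01-04"),
    (6, "Fay", "Gomez", "1992-05-05", "2015-05-05"),
    (7, "Gus", "Hale", "2001-10-10", "2017-03-15"),   # about 15.4 at hire
    (8, "Ida", "Jones", "1970-01-01", "1995-06-30"),
    (9, "Joe", "King", "1988-08-08", "2009-09-09"),
    (10, "Kai", "Lee", None, None),                   # dates missing (NULL)
    (11, "Lou", "Moss", "", ""),                      # dates "left blank"
]

# Age at hire in years. julianday() of NULL or of an unparseable string
# (such as "") is NULL, so missing and blank dates both yield a NULL age.
AGE_EXPR = "(julianday(HireDate) - julianday(BirthDate)) / 365.0"

# The article's first query: every employee with a raw age column.
ALL_AGES_QUERY = f"""
SELECT EmployeeID, FirstName, LastName, {AGE_EXPR}
FROM Employees;
"""

# The article's final query: under-18 hires OR employees whose age cannot
# be computed. `< 18` on a NULL age is unknown, not true, so without the
# IS NULL branch the possible ghost employees silently drop out.
SUSPICIOUS_QUERY = f"""
SELECT EmployeeID, FirstName, LastName,
       ROUND({AGE_EXPR}, 1) AS AgeAtHire
FROM Employees
WHERE {AGE_EXPR} < 18
   OR {AGE_EXPR} IS NULL
ORDER BY EmployeeID;
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory Employees table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Employees ("
        "EmployeeID INTEGER PRIMARY KEY, FirstName TEXT, LastName TEXT, "
        "BirthDate TEXT, HireDate TEXT)"
    )
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def all_ages(conn: sqlite3.Connection) -> list:
    """Rows of (EmployeeID, FirstName, LastName, age_or_None) for everyone."""
    return conn.execute(ALL_AGES_QUERY).fetchall()


def suspicious_hires(conn: sqlite3.Connection) -> list:
    """Rows of (EmployeeID, FirstName, LastName, AgeAtHire) to investigate;
    AgeAtHire is None where the dates are missing or blank."""
    return conn.execute(SUSPICIOUS_QUERY).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(f"{len(all_ages(db))} employees in total")
    for emp_id, first, last, age in suspicious_hires(db):
        reason = "no age data" if age is None else f"age {age} at hire"
        print(f"{emp_id:>3} {first} {last}: {reason}")
```

The four rows returned are the two under-18 hires and the two employees without usable dates; the blank-string case shows why the NULL test still matters when dates are stored as text.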

Risk Watch
BY KEVIN SHEN EDITED BY CHARLIE WRIGHT

INTERNAL AUDIT NEEDS RISK MANAGEMENT, TOO

Managing its own risks can improve the audit function’s performance and demonstrate that it practices what it preaches.

Part of an internal audit department’s mission is to ensure that the organization has effective governance and management around its risks. But what about internal audit, itself? Audit departments face similar risks to other corporate functions. If internal auditors cannot manage their own risks appropriately, it is hard for them to educate others about the need to manage their risks effectively. Auditors should practice what they preach.
Internal audit’s risk management program should result in risks being managed as they would be in any other competent risk management program. The audit function needs to identify all relevant risks; perform risk assessments; set its risk appetite; mitigate, manage, avoid, transfer, or accept the risks; and continuously monitor the risks.
Risk in the context of internal audit can be defined as an uncertain event or condition that, if it occurs, has an effect on at least one internal audit objective. As such, internal audit should start by examining its mission and objectives, which are typically defined in the internal audit charter approved by the organization’s board of directors or audit committee. By understanding internal audit’s key objectives, auditors can then identify the risks that can prevent them from achieving those objectives.

Strategic Risk
One of the most significant risks is strategic risk. For internal audit, one risk is whether the department is strategically positioned within the organization to achieve its objectives. Other considerations include whether the department has the authority, independence, and objectivity to provide assurance and help the organization improve its risk management; whether it is focused on assurance or financial recoveries; and whether the audit team has the right personnel.
Strategic risk also could arise when audit strategy does not align with the organization’s overall strategy. For example, this can happen in an organization that is planning to expand into emerging markets when internal audit is not equipped to cover anti-bribery and foreign corruption risks associated with the expansion. Every organization is different, but the chief audit executive (CAE) can generally manage this risk by refining the internal audit charter; interacting with the board, senior management, and other stakeholders; and ensuring risk assessments and audit plans are up to date.

Reputation Risk
Credibility is the most important asset of any audit function. Reputation risk is the potential that negative publicity regarding internal audit’s practices will cause a decline in trust in the

department. Misconceptions about internal audit can damage its ability to achieve its objectives. Also, reputation risks can arise from operational or compliance risk.
This risk can be managed by maintaining timely and efficient communications among stakeholders, reinforcing ethics, creating awareness at all staff levels, developing a comprehensive audit methodology, focusing on risk and built-in controls, responding promptly and accurately to stakeholders, and establishing a quick response team in the event there is a significant action that may trigger a negative impact on the function. A strategically positioned internal audit function also may be better prepared to defend its own reputation.

Compliance Risk
Compliance risk is becoming important for internal auditors, particularly in highly regulated industries such as large banks. For example, the U.S. Office of the Comptroller of the Currency created Heightened Standards that include guidelines about the roles and responsibilities of internal audit. The Federal Reserve Bank has issued a Supplemental Policy Statement on the Internal Audit Function and its Outsourcing.
As audit departments get deeper into data analytics, compliance with consumer data and cross-border privacy laws could become a concern. The key to managing the risk is to thoroughly evaluate the laws and regulations and address them through internal audit’s own policies and procedures, as well as ensuring the ability to demonstrate compliance with the rules. Internal reviews performed by an independent quality assurance team can help identify potential issues and prevent noncompliance incidents.

Operational Risk
Apart from the previous risks, the category most relevant to internal audit’s day-to-day activities is operational risk, which consists of risks that arise from deficiencies in people, process, or technology. Like other departments, internal audit has specific operational goals such as completing the annual audit plan, validating audit-identified issues, maintaining costs within a defined budget, and developing a skilled workforce.
A systematic approach should be taken to manage the operational risks, including creating an operational risk appetite, developing key performance and risk indicators, monitoring, and taking actions to mitigate the risks. For example, to ensure timely completion of the audit plan, it may be helpful to closely monitor audit start, fieldwork completion, and report dates. A dashboard stratified by teams may help manage each team’s execution risks. A graph about quality assurance review results by team also may enable the CAE to identify teams that have issues with executing audits and provide training to remedy the risk.
Once identified and defined, internal audit should establish thresholds to monitor and mitigate the risks. Color codes could highlight areas of focus. For example, if more than 20 percent of the audits in progress are delayed more than 30 days, a red status may indicate the risks to timely completion of the audit plan. If one team’s turnover ratio is more than 20 percent, it may be time to highlight the risk as red for action.
The thresholds are dependent on the CAE’s risk appetite, but they also should consider input from key stakeholders. For example, the CAE may want to specify that no more than 5 percent of the audit plan may be carried over into the next calendar year. If that target appears to be at risk, then the CAE should take action to mitigate risks. For example, if turnover around a certain time of the year is elevated, a prenegotiated cosourcing arrangement may help mitigate the risk of not completing the audit plan.
Furthermore, internal audit should apply the organization’s enterprise risk management policies where relevant, at least in principle. For example, when operational incidents such as near misses — incidents that almost happened — occur in internal audit activities, internal audit should file internal incident reports, analyze root causes, and prevent similar events in the future.

Better Risk Assurance
In addition to risk indicators, thresholds, and incident tracking, other useful tools exist. For example, internal audit can use a risk control matrix to perform a risk control self-assessment that evaluates the adequacy of internal controls in place within the department. By creating a library of risks and corresponding controls and self-evaluating periodically, internal audit departments can have better assurance about their own risks.
A holistic approach to managing internal audit’s strategic, reputation, compliance, operational, and other risks can bring more consistent performance. Moreover, it can better position the department to help the organization improve its risk management process.

KEVIN SHEN, CFA, CPA, is vice president, Internal Audit, at HSBC USA in New York.

Fraud Findings
BY JAMIE HOELSCHER EDITED BY BRYANT RICHARDS

THE CASHIER CASH THIEF

Mounting family pressures and opportunity cause a trusted warranty clerk to pocket payments from customers.

James Audette was a cashier and warranty clerk for a car service repair shop. His main responsibilities were submitting warranty claims and accepting payments from customers in the form of cash, check, or credit card. Audette quickly learned the ins and outs of handling customer payments and discovered that no receipt of payment was generated for service tickets that were covered by the customer’s extended warranty. Instead, those tickets were closed to accounts receivable (warranty companies). In addition to submitting warranty claims and accepting customer payments, Audette also was responsible for creating the journal entries and posting to the general ledger. On a monthly basis, the controller would review the journal entries and general ledger account to ensure everything balanced.
It was known that money was tight for Audette and his family. In addition, his son struggled with drug addiction, and he and his wife were continually trying to help him. On several occasions, Audette had taken out personal loans from the company, but he always repaid them on time. Audette rarely missed work and was always eager to work overtime, often staying late and volunteering to work weekends to satisfy his debts.
Audette was a loyal employee. One day, however, mounting family pressures led Audette to pocket a customer’s cash payment and record the ticket as warranty work. By classifying the ticket this way and establishing the receivable, the customer would not be billed at a later date and the customer’s account balance would be accurate. Audette began to routinely close customer tickets as warranty work and pocket the money when customers paid in cash. To conceal the fraud, he would clean the schedules each month by crediting accounts receivable and debiting labor (a cost of sale account), but would provide no journal entries for these “write offs,” thus making the general ledger balance appear to reconcile with the journal entries provided to the controller for his review and reducing the physical audit trail. This activity continued for several months, with the thefts becoming larger over time until Audette was promoted to a new department within the company.
Lauren Simpson was hired to replace Audette as warranty clerk and cashier, but Audette maintained his old duties to conceal his previous thefts and continue to write off the receivables he created to avoid further detection. Simpson complained about Audette’s continued involvement in his old role so the controller restricted his access login and alerted Russell Perez,

the company’s internal auditor. Perez requested that Simpson run the accounts receivable schedules older than 90 days that were not paid. She pulled the tickets, which were stamped “paid in cash.” To confirm, the general manager called the customers on those tickets and inquired about their service and ease of use of the “new credit card reader.” Each customer whose ticket was in question promptly responded by saying he or she had paid in cash and had not used the new credit card reader, thus confirming the theft of cash payments. Perez then examined the entire population of tickets closed out by Audette, going back several months, and uncovered additional tickets closed as warranty work that were actually paid in cash and later written off. Perez met with company management to discuss the likely magnitude and nature of the fraud.
Employees were alerted of the potential fraud and asked to come forward with information. Ironically, Audette came forward with his suspicions of a fellow employee. Consistent with company policy, employees were told they were going to be subject to a lie detector test. Audette never returned to work. When the company contacted him, he denied any knowledge of the fraud and stated that he did not want to work for a company that did not trust him and would accuse him of such actions.
Internal auditors worked closely with management following the detection of the fraud, performing a complete review of internal controls in the cash receipts function and other functions, as well. The comprehensive review served to not only decrease the perceived opportunity to engage in fraudulent activities among other employees, but also to detect any other abnormalities existing in other areas of the business. Internal auditors also emphasized the importance of more routine reviews of processes and key controls.
Audette’s employer did not want to consume company resources and effort with litigation so he was never prosecuted. The fraud totaled $5,000 but was likely much larger, as the audit only went back a few months to the beginning of the fiscal year and further investigation did not ensue.

LESSONS LEARNED
»» Internal auditors must emphasize the importance of segregation of duties and closely monitor any possible exceptions. In this example, having one individual responsible for the collection of cash receipts and the subsequent recording (journalizing and posting) leaves an organization susceptible to the theft of cash.
»» Internal auditors must not assume that accounts that are in balance preclude the possibility of errors, omissions, or thefts.
»» Access controls should be immediately updated following an employee’s promotion, termination, or changing of job responsibilities. Internal audit should be at the forefront of ensuring policies and procedures are in place to limit logical access controls and that such policies are being enforced, including annual reviews.
»» Trend analysis would allow an organization to detect such fraud more timely, as the percentage of cash payments drastically increased, while the percentage of warranty service drastically decreased, over the period. Even basic analytics can aid in the foundation of an effective analytics program, while also limiting the perceived opportunity for fraud.
»» An audit of a small sample of warranty claims would have revealed those tickets had previously been paid in cash.
»» Routine audits are vital for all cash processes. Even the knowledge of a potential audit can help mitigate the perceived opportunity to engage in fraudulent activities. Routine execution of the audit enhances the ability to detect existing abnormalities quicker, thus mitigating the impact of any existing fraud.
»» Mandatory vacations and rotation of duties could have prevented the fraud from happening, or brought it to light sooner. Internal audit should be at the forefront of ensuring policies and procedures are in place that require mandatory vacations and that those policies and procedures are being enforced. Basic queries can easily identify employees not abiding by this policy, creating another simple, yet effective foundation to any data analytics/fraud detection program.
»» The most well-liked and loyal employees are capable of fraud, and often have the most opportunity to misappropriate assets. Internal auditors must continually exhibit objectivity and maintain professional skepticism through all aspects of their job.

JAMIE HOELSCHER, PHD, CIA, CFE, is an assistant professor of accounting at Southern Illinois University–Edwardsville.
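Two of the detection tests this case describes, the payment-mix trend analysis from the Lessons Learned box and the 90-day unpaid-receivables review Perez requested, as an added example that is not the company’s or the author’s code. The monthly ticket counts, receivable items, three-month baseline window and 8-point threshold are constructed assumptions, not figures from the case.

```python
"""Added example (not the article's or the company's code): two detection
tests from the case, run over constructed data.

1. payment_mix / flag_mix_shift: the trend analysis from Lessons Learned,
   flagging months whose recorded warranty share drifts from a baseline.
2. stale_receivables: the test Perez asked for, receivables still unpaid
   after 90 days.

The ticket counts, receivable items, three-month baseline and 8-point
threshold are all constructed assumptions, not figures from the case."""
from collections import Counter, defaultdict
from datetime import date

# Constructed monthly ticket counts by how each ticket was closed. The
# recorded warranty share starts climbing in 2016-11 while cash falls.
MONTHLY_COUNTS = {
    "2016-07": {"cash": 30, "card": 50, "warranty": 20},
    "2016-08": {"cash": 32, "card": 48, "warranty": 20},
    "2016-09": {"cash": 28, "card": 52, "warranty": 20},
    "2016-10": {"cash": 29, "card": 50, "warranty": 21},
    "2016-11": {"cash": 20, "card": 50, "warranty": 30},
    "2016-12": {"cash": 16, "card": 50, "warranty": 34},
    "2017-01": {"cash": 12, "card": 50, "warranty": 38},
}

# Flatten into one (month, closed_as) record per ticket, the shape an
# export from the service-ticket system would have.
TICKETS = [
    (month, kind)
    for month, counts in MONTHLY_COUNTS.items()
    for kind, n in counts.items()
    for _ in range(n)
]

# Constructed receivable items: (ticket_id, counterparty, billed_on, paid).
RECEIVABLES = [
    (1001, "WarrantyCo", date(2016, 11, 5), False),
    (1002, "WarrantyCo", date(2017, 2, 20), False),
    (1003, "AutoGuard", date(2016, 12, 1), True),
    (1004, "AutoGuard", date(2016, 12, 15), False),
]
AS_OF = date(2017, 3, 31)  # constructed review date


def payment_mix(tickets):
    """Share of each closing type per month: {month: {type: fraction}}."""
    per_month = defaultdict(Counter)
    for month, kind in tickets:
        per_month[month][kind] += 1
    return {
        month: {kind: n / sum(c.values()) for kind, n in c.items()}
        for month, c in per_month.items()
    }


def flag_mix_shift(mix, category="warranty", baseline_months=3, threshold=0.08):
    """Months after the baseline window whose share of `category` moved
    more than `threshold` from the baseline average, in either direction."""
    months = sorted(mix)
    base = months[:baseline_months]
    baseline = sum(mix[m].get(category, 0.0) for m in base) / len(base)
    return [
        m for m in months[baseline_months:]
        if abs(mix[m].get(category, 0.0) - baseline) > threshold
    ]


def stale_receivables(items, as_of, max_age_days=90):
    """Ticket ids billed to a counterparty, still unpaid, older than the cutoff."""
    return [
        ticket_id
        for ticket_id, _party, billed_on, paid in items
        if not paid and (as_of - billed_on).days > max_age_days
    ]


if __name__ == "__main__":
    print("months with a shifted payment mix:", flag_mix_shift(payment_mix(TICKETS)))
    print("unpaid receivables older than 90 days:", stale_receivables(RECEIVABLES, AS_OF))
```

Tickets flagged by the second test are the ones to pull and compare against the physical ticket stamp, which is the step that confirmed the theft in the case.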

the technology issue IT SECURITY
Arthur Piper
Illustration by Sean Yates

In Safe Hands
Organizations must grapple with a host of issues when determining how to best protect their data and manage the way it’s used.

“There is no business today that is not driven by data,” Dominique Vincenti, vice president, Internal Audit and Financial Controls, at Nordstrom in Seattle, says. “The continuous high-speed evolution of technology is the No. 1 challenge for businesses and internal auditors today. There is not an hour you can rest.”
Vincenti says that businesses need to fundamentally reassess what data means to the success of their organizations going forward. Not only must they be able to successfully protect their data from external threats, but a new law is sparking a trend that will require many to have much more detailed control over what data can be held and how it can be used — the General Data Protection Regulation (GDPR) that goes into effect in Europe in spring 2018. Add to that data processing developments in data analytics, robotics, and artificial intelligence, and organizations that are unable to leverage their most business-critical asset effectively are in danger of being left behind, or worse.
“There needs to be a huge wake-up call,” Vincenti says. “Businesses need a clear answer to the question, what does data mean to the success of our company both today and tomorrow?”
The conjunction of GDPR and advanced data processing technologies is pushing organizations into new ground. For businesses operating in Europe, or any business using or holding data on European citizens, for example, the tougher new data laws will substantially alter the way that organizations need to seek consent and keep data records (see “Main Provisions of GDPR” on page 29). “GDPR is a more

FOR MORE INFORMATION on protecting organizational data, see the IIA Practice Guide “Auditing Privacy Risks, 2nd Edition.” http://bit.ly/2tnIf5i

stringent regime than those it replaces, and has a low risk appetite built into it,” Vincenti says. “Since Europe tends to lead the way in legislation, it would be wise for U.S. businesses that are not affected today to at least consider how they might meet those requirements in the future.”
GDPR’s heavy fines have caught the media’s attention — the maximum is 4 percent of the organization’s global revenues. For example, telecom and broadband provider TalkTalk’s 2016 fine of £400,000 from the U.K.’s Information Commissioner’s Office for security failings that allowed hackers to access customer data could have rocketed to £59 million under GDPR.
Yet having the right controls over how data is used and retained will present a challenge. For example, businesses will no longer be able to request a blanket consent to use data collected from individuals in any way they choose. Consent will need to be obtained for a specific and detailed use — otherwise fresh consent will be required. This provision is diametrically opposed to how data can be leveraged by artificial intelligence and data analytics programs. Such programs are best used to find new patterns in data and novel applications of information to improve the business’ products and services. Without free license to experiment with customer data on the business’ servers, it may not be possible to achieve the full potential these technologies promise.
For internal auditors, these pressures could mean going back to the drawing board on the controls needed to strike the right balance between delivering value to stakeholders from these new technological possibilities and protecting the enhanced rights many customers will enjoy under

to deal with this ethically sensitive area. In fact, many are arguing that successfully handling the new data landscape will require auditors to develop ethical principles and soft skills that have been undervalued in this area.

“Respecting someone’s privacy rights is actually a soft skill and needs a soft approach.”
Henry Chang

THE CHALLENGE OF CONSENT
“If you don’t know what you are going to discover from a big data project, how can you possibly explain to the data subject how you will use it and get consent?” Henry Chang, an adjunct associate professor at the Department of Law at the University of Hong Kong, says. Chang is one of several academics and business organizations arguing that new regulations such as GDPR coupled with new technologies require a paradigm shift when it comes to personal data use and protection. Chang and Vincenti agree, for example, that organizations pursuing a compliance-based approach to data privacy and protection are going to run into a brick wall when trying to leverage their data innovatively.
“When you look at a compliance-based approach, you have to decide where the pass-mark is legally,” he says. “That tends to cause businesses to aim low and achieve low, and businesses can spend a lot of time on trivial areas because they think they need to comply in every part of their business equally, rather than where they are most at risk.”
He says what is required instead is a more holistic, accountable approach that has privacy controls engineered into business processes, which themselves are underpinned by ethical principles. While there is no magic solution, he urges organizations to try a cocktail of approaches to see what works best. For example, he says that data privacy is built on the notion that one has respect for the individual’s right to have a say over how that
GDPR. A compliance-based approach information is used. Compliance cannot
may no longer be feasible because it is address how those rights might change
unlikely to capture the nuances needed over time if the systems used to comply

28 INTERNAL AUDITOR AUGUST 2017


Only 9% of U.S. companies responding to a recent Experian survey report that
they are ready to comply with the GDPR; 59% do not know what they need to do to comply.

MAIN PROVISIONS OF GDPR


Article 5 of the General Data Protection Regulation requires that personal data shall be:
(a) Processed lawfully, fairly, and in a transparent manner in relation to individuals.
(b) Collected for specified, explicit, and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving purposes in
the public interest, scientific or historical research purposes or statistical purposes shall not be
considered to be incompatible with the initial purposes.
(c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which
they are processed.
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken
to ensure that personal data that are inaccurate, having regard to the purposes for which they
are processed, are erased or rectified without delay.
(e) Kept in a form that permits identification of data subjects for no longer than is neces-
sary for the purposes for which the personal data are processed; personal data may be stored
for longer periods insofar as the personal data will be processed solely for archiving purposes
in the public interest, scientific, or historical research purposes, or statistical purposes subject
to implementation of the appropriate technical and organizational measures required by the
GDPR in order to safeguard the rights and freedoms of individuals.
(f) Processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorized or unlawful processing and against accidental loss, destruc-
tion, or damage, using appropriate technical or organizational measures.
Article 5(2) requires that “the controller shall be responsible for, and be able to demon-
strate, compliance with the principles.”

Source: U.K. Information Commissioner’s Office

with regulations do not have some elas- board, but you can ensure that the But such exemptions tend to be limited,
ticity built into them. board has the opportunity to think unclear, or outdated, and those legiti-
“Respecting someone’s privacy ethically about personal data.” mate interests require a balancing proce-
rights is actually a soft skill and needs a dure that has yet to be developed.
soft approach,” he says. “Putting in an A BALANCING ACT “Companies are meant to balance
ethical boundary as an extra element While obtaining consent for the use of the legitimate interests of individuals,
into your compliance processes could data may seem reasonable, what hap- organizations, and shareholders,” Martin
help deal with shifts in the way that per- pens if the potential uses are beyond Abrams, executive director of IAF in
sonal data can be analyzed and used.” the understanding of the individuals Plano, Texas, says. “That means not only
In practice, that could mean involved? According to the Informa- looking at the potential negative impacts
that if a company is using automated tion Accountability Foundation (IAF), on individuals, but on stakeholders, too,
processes, some part of those systems a global research nonprofit, there is a if you do not process that data.”
could include a right for decisions to be growing agreement that consent is not For example, Abrams says, next-
made by a human. Or where mistakes fully effective in governing such data generation clinical research by phar-
are made with the use of data, there is and use. Many national laws include maceutical companies could draw data
a human at the end of the process and limited exemptions for processing when from multiple devices — smartphones
effective redress mechanisms in place. consent is unavailable, while others, and watches, genomics, location-
“The head of audit’s role could be notably European law, provide legal jus- sensitive information, and clicks on
to bring these debates to the attention tification based on the legitimate interest webpages — into the data pool in a
of the board,” he says. “You obviously of an organization when it is not over- way that could be difficult to describe
cannot prescribe a set of ethics to the ridden by the interest of the individuals. to people who are asked to consent

AUGUST 2017 INTERNAL AUDITOR 29


TO COMMENT on this article,
IN SAFE HANDS EMAIL the author at arthur.piper@theiia.org

because it is unclear how the various Not everyone will align with a
interests at play can be balanced. If story. Lee says that people often have
some of that data is European, a diffi- different tolerances to technology
cult problem could become intractable. notifications, for example, and what
“It’s not clear how one could do data one person would find useful, another
analytics under GDPR,” he says. might find intrusive. Business units
The IAF has been working with need to have thought through those
the Canadian government to test an issues and communicate how they
ethical assessment framework it has approach such risks and what the con-
created to help organizations develop trols are for doing so. She says Google
accountability processes that go beyond sets the tone for its values from the
the consent model. It aims to provide a top of the company and those values


common framework for developing sys- inform its protocols, how it operates,
tems of accountability and for ranking and how it attempts to manage risks.
the importance of potentially conflict- This approach impacts how inter- One of the
ing interests for each project. nal audit works. “Internal audit has to
Internal auditors, he says, should have a very in-depth grasp of the busi-
biggest
be asking their boards to think about ness,” she says. Unlike organizations that challenges
how the business is balancing the vari- tend to pool auditors into one team, when it comes
ous interests at stake in its use of data. Google has some dedicated audit teams to data is
How those decisions and processes are attached to particular areas — such as knowing what
documented and assessed, and whether data security and privacy — where a deep you have.”
the business has the right skill sets to understanding of the systems is neces-
implement such an approach, could all sary. In addition, auditors focus on what Shannon Urban
be the topic of audit assignments. the business objectives of the product
or service are during an audit and spend
TRANSPARENCY AND time listening to how the business is
COMMUNICATION attempting to approach risk and control.
One approach to addressing data con- “We work in a very dynamic envi-
cerns is for businesses to become as ronment and need to keep an open mind
transparent as possible about their aims when we are thinking about controls and
and objectives and how those interests their impact or effectiveness,” she says.
are balanced. “It is very important for
the business to tell a clear story about GRASPING THE DATA
what its intentions are, how it is going Few companies are as advanced in their
to use the data, and how that will be handling of data as Google. One of the


for the betterment of society,” says Lisa most common problems organizations
Lee, vice president, Audit, at Google in face is that they do not know where
Mountain View, Calif. We work in a their data comes from, how it is used,
She says that innovation requires very dynamic and in many cases, what data they hold.
research and having too many rules environment Mark Brown, vice president of Soft-
around how data can be used could stifle ware Solutions and Services at the risk
developments that could benefit the
and need management software company Sword
community. Too many checklist-style to keep an Active Risk in Maidenhead, U.K.,
controls are unlikely to keep pace with open mind recently estimated that only about 1
the speed at which technology is develop- when we are percent of businesses could pull in and
ing. That is why Lee says that companies thinking about analyze internal and external data in a
need to engage people in dialogue about controls. ...” meaningful way.
their ethics and articulate the benefits to “One of the biggest challenges
society they are attempting to deliver. Lisa Lee when it comes to data is knowing

30 INTERNAL AUDITOR AUGUST 2017


Approximately two-thirds of U.S. businesses say that the GDPR
will require them to
rethink their strategy in Europe, according to a report from research and consulting firm Ovum Ltd.

what you have,” says Shannon Urban, but spend less time on whether it is these new challenges about the nature
executive director with EY in Boston appropriately sourced and accessed. of data and technological innovations
and 2017–2018 chairman of The IIA’s That could mean rethinking our audit in data processing. “Internal auditors
North American Board. “As businesses plan and checking that we properly need to be well-versed in these develop-
have grown through expansion and source the competencies to deal with ments and be able to educate manage-
acquisition, they have continued to these issues,” she adds. ment through our audits,” Nordstrom’s
accumulate data with no formal inven- Urban says it is important not to Vincenti says. She says internal audi-
tory.” In addition, is it easy for data get overwhelmed. If auditors find their tors should make their function a cen-
to move around the organization via organization’s data is unstructured, ter of excellence not only in both data
enterprise resource planning systems, she advises them to take a risk-based protection and privacy practices but
email, and mobile devices, making approach and start with the informa- also in data governance and rapidly
it possible for it to be used in unin- tion that is most critical to the busi- evolving enterprise information
tended ways. ness, including intellectual property, management approaches and capa-
“If you don’t have an identifica- employee, and customer data. “It is com- bilities. “Internal audit can be a role
tion and classification process that can pletely within internal audit’s purview to model. Let’s show the business how we
identify what is sensitive, then using connect the dots and think about data are using data in innovative and ethical
it effectively, never mind ethically, is across business lines,” she says. ways,” she says.
going to be impossible,” she says. “The
models internal auditors use can some- CENTER OF EXCELLENCE ARTHUR PIPER is a U.K.-based writer who
times be a bit upside down — we make Internal audit can take a lead in bring- specializes in corporate governance, inter-
sure the data is accurate and complete, ing their organization up to speed with nal audit, risk management, and technology.
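The consent and retention rules the article describes, as an added example that is not part of the original article or of the ICO guidance: a Python check that tests a proposed use of a data asset against the Article 5(1)(b) purpose limitation and 5(1)(e) storage limitation principles quoted in the sidebar, and records every decision so the controller can demonstrate compliance under Article 5(2). The inventory, consent records, purpose labels, retention period and dates are all constructed, and `check_processing` is an assumed name rather than any existing library.

```python
"""Purpose- and storage-limitation check over a constructed data inventory.
Added example, not code from the article or the ICO: all assets, consents,
purposes, retention periods and dates are constructed, and the rules are a
simplified reading of the Article 5 text quoted in the sidebar."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Article 5(1)(b): further processing for these purposes is not incompatible
# with the collection purpose; 5(1)(e) also allows longer storage when data
# are processed solely for them, subject to safeguards.
COMPATIBLE_FURTHER_PURPOSES = frozenset({
    "archiving-public-interest", "scientific-research",
    "historical-research", "statistical",
})


@dataclass(frozen=True)
class DataAsset:              # one inventory entry (constructed schema)
    name: str
    subject_id: str
    collected_for: frozenset  # purposes specified at collection, 5(1)(b)
    collected_on: date
    retention_days: int       # retention the controller committed to, 5(1)(e)


@dataclass(frozen=True)
class Consent:                # the specific, detailed uses a subject agreed to
    subject_id: str
    purposes: frozenset


@dataclass
class Decision:               # one logged outcome; the log is the 5(2) record
    asset: str
    purpose: str
    allowed: bool
    findings: list = field(default_factory=list)


def check_processing(asset, purpose, consents, today, log):
    """Decide whether `asset` may be processed for `purpose` on `today`.

    `consents` maps subject_id -> Consent. Every decision, allowed or not,
    is appended to `log` so the controller can demonstrate compliance.
    """
    findings, allowed = [], True
    consent = consents.get(asset.subject_id)
    consented = consent.purposes if consent else frozenset()
    compatible = purpose in COMPATIBLE_FURTHER_PURPOSES

    # 5(1)(b): a blanket consent is not enough. The purpose must be one the
    # data was collected for, one the subject specifically agreed to, or a
    # compatible further purpose; otherwise fresh consent is needed.
    if purpose not in (asset.collected_for | consented) and not compatible:
        allowed = False
        findings.append(
            f"purpose '{purpose}' is outside the collection purposes "
            f"{sorted(asset.collected_for)} and the subject's consent "
            f"{sorted(consented)}: fresh, specific consent is required")

    # 5(1)(e): identifiable data may not be kept past the retention period
    # unless processed solely for a compatible further purpose.
    expires_on = asset.collected_on + timedelta(days=asset.retention_days)
    if today > expires_on:
        if compatible:
            findings.append(
                f"retention ended {expires_on}; storage solely for '{purpose}' "
                "is permitted only with technical and organisational safeguards")
        else:
            allowed = False
            findings.append(
                f"retention ended {expires_on}: data must be erased or "
                "anonymised before any further use")

    decision = Decision(asset.name, purpose, allowed, findings)
    log.append(decision)
    return decision


# Constructed sample: one subject who consented only to order fulfilment.
SAMPLE_CONSENTS = {"subj-001": Consent("subj-001", frozenset({"order-fulfilment"}))}
SAMPLE_ASSET = DataAsset(
    name="customer_orders", subject_id="subj-001",
    collected_for=frozenset({"order-fulfilment"}),
    collected_on=date(2016, 9, 1), retention_days=365,
)
REVIEW_DATE = date(2017, 8, 1)        # inside the retention period
LATE_REVIEW_DATE = date(2017, 10, 1)  # after it ended on 2017-09-01

if __name__ == "__main__":
    log = []
    for purpose, when in [("order-fulfilment", REVIEW_DATE),
                          ("behavioural-profiling", REVIEW_DATE),
                          ("statistical", LATE_REVIEW_DATE)]:
        d = check_processing(SAMPLE_ASSET, purpose, SAMPLE_CONSENTS, when, log)
        print(f"{purpose} on {when}: {'ALLOWED' if d.allowed else 'BLOCKED'}",
              *d.findings, sep="\n  - ")
```

A request for "behavioural-profiling" is blocked because it falls outside both the collection purpose and the subject's consent, while "statistical" use passes the purpose test and, after the retention date, is allowed only with a safeguards finding attached.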

As technology becomes more integrated with business processes, auditors must raise their IT skills.

Great Tech Expectations
the technology issue IT SKILLS

Russell A. Jackson

Illustration by Sean Yates

Internal auditors have always needed basic IT skills, a working knowledge of common audit tools, and a functional understanding of their organizations' data processes and infrastructure. What has changed in recent years as technology advances, and what will change in the future as it continues to, is what constitutes "basic," "working knowledge," "common," and "functional."

Some internal audit leaders note that new hires generally have better IT skills on day one than many veterans possess. That's not surprising for a generation of practitioners raised on smartphones and entering the workforce in an age of wearable devices. These auditors want to use their IT skills on the job as often as possible, blurring the line between internal auditors and IT audit specialists.

But that fuzzy border is also the product of a shortage of people with exceptional IT skills who want to be internal auditors. Those IT specialists will be as much in demand in the future as they are now. For chief audit executives (CAEs), that means balancing the need for core audit skills with the mandate for IT expertise in areas that may not have existed just a few years ago.

THE BASICS
"It's hard to succeed in any audit role today without some basic technology skills," says Steve Sanders, vice president of internal audit at Computer Services Inc. in Paducah, Ky. That includes both hard and soft skills — the latter an area in which some of the cleverest IT hands aren't adept. The basic software skills, like word processing, spreadsheets, and calendar and scheduling functions, should be assumed, Sanders adds. And he says, "auditors who have other software experience, such as electronic workpapers and, especially, data analytics, will have an advantage over those who do not have it."

Moreover, experience with audit-specific software is always a plus, "but these applications can be learned on the job," notes Jennifer Goschke, vice president and CAE at Office Depot in Boca Raton, Fla. That also helps keep practitioners from becoming proficient in the wrong kind of IT, developing skills on a particular brand of software at a previous job, for example, that don't translate to what's used by the auditor's current employer.

Outside the internal audit department, auditors need a big picture view of the IT landscape. In Goschke's department, "having a high-level understanding of the company's overall IT infrastructure and applications used" is foundational. In addition, every internal auditor should be familiar with IT general controls and the broad risks they were designed to help mitigate, she says. It's also important to understand key data security concepts — the principle of least privilege, passwords, and authentication — although it may not be necessary to have detailed knowledge of the IT used in specific departments.

In addition, auditors should understand how data is integrated into business processes, says Kathy Robinson, CAE at ADP in Roseland, N.J. "Regardless of the auditor's focus, he or she certainly needs to know where data resides, how it flows, and how it is accessed," she explains. That knowledge comes from the training she provides, as does a working understanding of data analytics. Some of ADP's auditors have become subject matter experts in data mining, in fact, and all of them can develop specifications for a project.

Controls are a good starting place for ensuring the audit staff is adequately versed in IT. Although new auditors are starting out with better IT skills, "they still need an understanding of controls," Sanders points out, "and new hires do not necessarily have a better understanding of controls than experienced auditors possessed 10 years ago."

Often, the auditors who excel in technical areas don't excel in soft skills, such as communications, empathy, and relationship building. New hires' tech-savvy "doesn't necessarily translate into their understanding of IT risk," Goschke comments. That lack of understanding can impede their ability to interact effectively with engagement clients. "Younger auditors need the more mature practitioners to help them communicate the risks and other issues to upper management," she says. Younger team members, she adds, "tend to favor short, digital conversations." Sanders notes that a well-qualified candidate should understand what was tested and "how to convey that to other stakeholders."

SPECIALISTS STILL IN DEMAND
Even if the rising level of IT expertise that internal auditors generally bring to the table isn't necessarily sufficient to get the job done without additional soft skills, the new auditors' computer skills are definitely changing the distinctions between internal auditors and IT auditors. "We're not asking our auditors to be IT technical specialists," Robinson explains, "and we're not asking people to do what they're not technically trained to do, because we have auditors with specific skills. But we are asking people to have a good understanding of data flow, controls, and governance."

Because IT audit personnel can be difficult to find, afford, and retain, it may be more cost-effective to cross-train the existing audit staff on IT risks than to hire a group of IT auditors. But even then, Goschke emphasizes, "it's important to have IT subject matter experts on your team to provide the technical chops to be able to go head to head with IT."

That's one reason why IT audit specialists still are in high demand. "An auditor with some technology background and a good understanding of controls might be able to do a basic IT audit," Sanders explains, "but in-depth IT audits need auditors who understand those areas well enough to speak the language of the folks doing the job." He notes that he's aware of several audit departments that use all auditors for IT audits. "The quality of work suffers just as it would if you assigned trained IT auditors to conduct financial audits," he says. "They might be able to do it, but they'll miss key things experienced financial auditors wouldn't miss. I've met some auditors who really don't have a good understanding of what they're looking at. They're not providing the value they need to provide."

In Sanders' experience, however, it can be difficult to find someone with working IT knowledge who wants to be an auditor. "Many entry-level auditors have a desire to learn IT, or they have an IT background but no audit experience," he says, blaming, at least partly, "a failure to sell the important role an IT auditor plays."

If the in-house expertise is lacking, cosourcing may be a better option than assigning technical audits to unprepared practitioners. Robinson contracts with outside firms for expertise that she doesn't need — or can't afford — to have on staff full time.

38% of CAEs rate general IT skills among their most desired qualifications for internal audit jobs, and 31% seek data analytics skills, according to The IIA's Top 7 Skills CAEs Want report.

CAES FACE HIGHER IT BAR
Nobody thinks every CAE should excel at IT, but expectations are pretty high. The bottom line: CAEs need to conceptually understand IT risk and hold their own in a conversation about strategic IT questions, even if they don't understand "the OSI model" or "Active Directory administration" — except, perhaps, in technology-focused companies. Citigroup's Mark Carawan puts it this way: "The CAE is responsible for ensuring the internal audit function stays relevant and nimbly adjusts to emerging risks and solutions. But the CAE is not responsible for being the fount of all knowledge."

CAEs should know the IT risks the organization faces — privacy, security, data management, and maintenance — and how management is or isn't addressing them. Although they needn't be able to answer every IT question that comes up in day-to-day engagements, CAEs should be able to ask good questions. They should augment their staff with a strong IT audit manager or director. Says ADP's Kathy Robinson: "There's nothing wrong with 'old school' CAEs, as long as their thought processes are ahead of the curve. If not, they really need to step aside. The topics are that critical."

BUILDING IT CAPABILITY
Indeed, issues around staffing an internal audit department and maintaining the right mix of generalists and specialists is one of a CAE's key IT challenges. Here is what internal audit leaders suggest for making sure every audit department has the IT know-how to get the job done.

Determine the Specialty Skills Needed
"The desired IT skill set depends on the nature of the business one is auditing and the complexity of systems used," notes Mark Carawan, chief compliance officer with Citigroup in New York. "The larger and more complex the organization, the more likely it is that there will be a need for specialist skills to complement the deep business and product knowledge of the internal auditors following the end-to-end business processes."

The CAE, in consultation with senior business management and the audit committee chairman, should make that call. "The CAE should be working with management to understand the complexities of the business — such as robotics, process outsourcing, and cloud-based computing — and how customers use technology," Carawan says, "so the internal audit department can identify the risks to the business as a result."

There will be a point as IT evolves, he adds, where someone is likely to say, "I'm not sure how this works. The audit department needs someone to explain that, as well as what the risks are and how we mitigate them." Be aware, though, that executives "may be reluctant to invest in adding more IT specialists to the third line of defense, beyond those already in the first and second lines," he says.

Make Adequate Education Available
"Every audit department should have a formal training program to make sure the team is up to speed on both changes in IT risk and controls and changes in their company's IT landscape," Goschke recommends. Sanders agrees, noting that it's the CAE's job to "ensure adequate training is in place for auditors to stay current on IT trends and developments."

The basics should do it, Sanders says. "I don't expect every auditor to have in-depth knowledge," he explains, "just as I don't expect my IT auditors to understand the latest accounting pronouncements." Team members should seek out IT training, such as a seminar or conference, to build basic, solid skills, he advises, then start to specialize in a few specific areas over time.

Sanders recommends information sharing after every training event, "typically in the form of a summary presentation at an all-hands departmental meeting." He also maintains a spreadsheet in his department to track training hours. Although it may seem like IT skills get a lot of attention and require a lot of CAE input, it's unlikely any audit department is focusing too much on expensive IT expertise. "My audit shop has traditionally been heavy in IT auditors, but also heavy in IT risk," he notes. Indeed, there are many situations that demand the investment required to field a squad of IT experts.

PREDICTIVE ANALYTICS
One specialist skill that increasingly is being used in audits is predictive analytics, which is mining data for meaningful patterns that can predict future trends and inform strategic planning, operations, and risk management. Already, internal audit departments use predictive analytics to strengthen audit coverage by quantifying issues to better understand the risks they are dealing with. There's no single solution; indeed, an analytics "toolbox" may be necessary for some large, complex organizations.

Predictive analytics is one of the reasons the audit team needs to be computer literate, says Citigroup's Mark Carawan. "The most successful auditors will know enough to say, 'This is an opportunity for predictive analytics and data mining to deliver control-enhancing assurance. Where am I going to have the greatest likelihood of a breach of policy, fraud losses, mispricing, or shortfalls in inventory?'" he explains. Carawan adds that it's important to have data analytics experts who are familiar with the latest tools and can interpret the results they produce.

Go Outside the Organization for Assistance
"Auditors typically do not handle IT audits on their own, but they could supplement the IT audit team as additional arms and legs," Goschke comments. "Using an outside firm to come in for a day to train the team a few times a year is very cost-effective." Consulting firms also offer IT consulting and audit services on an hourly or project basis, she adds. Although this may be expensive, hiring someone full time with the same skills would cost even more. "Once my audit plan is determined for the year," she says, "I can decide which audit projects I'll perform with my internal team and which projects require specialized knowledge for which I should use an outside firm."

Provide Big Picture Guidance and Clear Marching Orders
"Overall, it's really a CAE's job to articulate the things that can impact the company's ability to execute strategy," Robinson states, "and to help make sure that the underlying IT infrastructure is adequate and operational by auditing for security, processing, and recovery, and providing that output to stakeholders." And although there is always some IT involved in their audits, she adds, "We could get lost in data analytics because there is so much we could do with it. My leadership team is responsible for homing in on the things that are most impactful."

THE AUTOMATED FUTURE
The precise menu of IT skills internal audit practitioners will need 10 years from now is anyone's guess. But it will likely refer to process automation. "Robotics and artificial intelligence will likely be much more prevalent in accounting and finance functions," Office Depot's Jennifer Goschke says. Some companies use "bots" to reconcile accounts, presenting audit challenges that don't exist with humans. "I can't go ask the bot a question about its process," she notes. "And how secure is it to have bots performing processes on sensitive data?" Citigroup's Mark Carawan adds: "Stakeholders and the businesses for which they are responsible will continue to seek automated solutions to achieve improved customer service and efficiency, enhanced risk management and control, and speedier execution."

COMPLETING THE JOB
Building IT knowledge and skills is a big job, but one that most internal audit departments should be able to accomplish. "It's challenging due to staff turnover and the ever-changing IT landscape," Goschke notes. "But the training is out there. You just need a plan."

But be careful about the "best laid schemes." Robinson says she is reluctant to guess what basic IT skills will look like 10 years from now. If she had tried 10 years ago, she would have been way off the mark. The iPhone was just being introduced in 2007, she explains, and "there's no way I'd have said we'd have a mobile app in 2017 that would be downloaded 11 million times — and that we'd have to audit mobile technology."

Indeed, audit departments probably won't be focused on the same issues three years from now, let alone 10. "Basic" will always be "basic," but the skills that audit leaders consider "basic" will always evolve.

RUSSELL A. JACKSON is a freelance writer based in West Hollywood, Calif.

TO COMMENT on this article, EMAIL the author at russell.jackson@theiia.org


the technology issue
the technology issue DATA ANALYTICS

Six strategies can


facilitate progress

Building
when starting
or furthering an
analytics program.

a data analytics program

Gordon Braun,
Andrew Struthers-Kennedy,
and Gregg Wishna

Illustration by Sean Yates

In today’s data-hungry world, an analytics-capable audit function is a necessity. However, relatively few audit teams have developed sophisticated analytics capabilities and an embedded, integrated approach to analytics. So how can internal audit functions initiate and advance their analytics capabilities? Internal audit functions that have successfully implemented sustainable analytics activities have not only been able to clearly visualize and articulate the value analytics can deliver to their functions and the broader business, but also have started to realize that value in enhanced efficiency, effectiveness, and risk awareness.

Along the way, many functions have experienced missteps and setbacks. The lessons they have learned should benefit internal audit departments embarking on their own analytics journeys or those attempting to overcome false starts of the past. Some of these hard-earned insights are what one might expect. Difficult access to enterprise data stores marks a widespread pitfall, as does insufficient planning. Other data analytics lessons will surprise the uninitiated. Investing in robust technical skills training and analytics tools



BUILDING A DATA ANALYTICS PROGRAM

implementation often can be a distraction to getting an analytics program off the ground. By knowing what to avoid, internal audit departments can keep a data analytics program on track to reach its full potential.

TOOLS FOR SUCCESS
When internal audit leaders commit to introducing or furthering a data analytics program, there are six strategies that can positively impact these initiatives.

1. Create awareness rather than a silo
Internal audit leaders should resist the inclination to start by creating a data analytics silo within the larger function. While dedicated analytics functions are present within many internal audit functions with advanced analytics capabilities, this structure should more appropriately be treated as a long-term goal or possible target state than an immediate to-do item when getting started.

While it is necessary to have the appropriate technical competence within the team, creating a silo structure from the start can reduce focus on a more important driver of success: data and analytics awareness. This mindset helps internal auditors understand how data is created, processed, and consumed as it flows throughout the organization, the key systems where it resides, and the key business processes and decisions that it supports. This understanding represents a business-centric view of analytics as opposed to a technology-only view, a critical distinction in developing the right kind of thinking among the internal audit team.

When an internal audit function decides to reassign a technical resource as the team’s analytics champion, problems often ensue. Creating this type of structure too soon can cause the rest of internal audit, as well as the business, to view audit analytics as a purely technical exercise as opposed to an integrated component of internal audit’s culture, strategy, and activities. Insights from analytics are the result of the intersection between business awareness and the application of analytics tools and methodologies. These are two sides of the same coin and both must be present for success.

Internal audit leaders also should reflect on how they source their analytics talent. While there is no one way to do this, leaders should recognize that hiring analytics professionals or repurposing technical resources can pose risks to the development of an analytics mindset throughout the entire internal audit team. It takes time to understand business processes and what valuable information can be gleaned from the systems and data that underpin them.

Building a more pervasive analytics mindset across the internal audit department is critical. The most effective audit analytics programs operate in a tightly coordinated — if not seamless — manner with all other parts of the audit team. All members of the team think about the data that exists in the environment, its business relevance, and the stories it can tell. The analytics teams then layer in their view and capabilities. Dedicated analytics functions and externally hired analytics experts are common hallmarks of top-performing analytics capabilities; however, neither of these elements should be used in place of the initial establishment of the right analytics mindset throughout the internal audit function.

2. Understand the data before investing in a tool
One of the most common start-up lessons involves resisting the desire to acquire the latest and greatest analytical tool. Given the impressive power, look, and feel of analytics tools, it’s difficult to not be sold on a new piece of software with the promise that, within hours, internal audit will be generating a flurry of queries and new intelligence insights.

Rather than a first step, however, implementing an analytics tool should be a more deliberate step in the rollout of an analytics program. A rush to start using these tools, without establishing a plan and set of initial, high-value use cases, often leads to results that lack business impact, which can be detrimental for a start-up analytics activity.

Before using a tool, internal auditors should carefully evaluate a high-value area to target, understand the data source, validate it, and identify how the results will be evaluated and shared. When it comes to analytics tools, it is helpful to adhere to the 80/20 rule: 80 percent of the analytics team’s work should consist of understanding the data, the business process it supports, and the activities and decision-making that it drives, along with the business value the analysis is designed to deliver; 20 percent of the effort should focus on the technical aspects of the analysis, including the audit tool.

3. Plan sufficiently
Too many analytics initiatives suffer from too little planning. Plunging into



Two-thirds of internal audit functions are using data analytics as part of their audit process, according to Protiviti’s 2017 Embracing Analytics in Auditing survey.

INSIGHT, EFFICIENCY, AND VALUE
The growing demand for internal audit’s data analytics services stems, in large part, from the benefits these offerings have delivered. Analytics help internal auditors execute the audit plan more efficiently, allow them to quantify and more effectively communicate the impact of findings, generate additional insights concerning risks, and identify new opportunities to drive business value. Internal audit teams that invest appropriately are using analytics to proactively identify fraud, waste, abuse, performance variances outside acceptable boundaries, previously unidentified risky behaviors, data quality issues, unauthorized access, and a host of other items for management’s consideration. Some internal audit functions even hand off analytics solutions to business partners who are eager to incorporate them into their own processes to monitor for key performance and risk indicators.

Visit our Mobile app + InternalAuditor.org to watch a video on enhancing internal audit with data analytics.

data analytics does not mean that internal audit functions should give short shrift to key planning considerations. The most effective and sustainable analytics programs tend to begin with a planning effort that includes:
»» Understanding the system and data landscape; how data is created, processed, and consumed; and how it drives business activities and decision-making.
»» Educating internal auditors on the power, benefits, and applications of audit analytics (the analytics mindset).
»» Laying out how analytical talent will be trained or hired and retained.
»» Seeking business partners’ input on areas of their domains that might benefit from audit analytics.
»» Carefully identifying which initial analytics are likely to yield the most valuable results — and, as a result, support from business partners.
Neglecting any one of these items can lead to initial results that are low impact or miss the mark entirely.

When educating internal audit team members about the use of data analytics, it is helpful to steer the focus away from the technical inner workings of the capability by presenting real examples that demonstrate how analytics enhance the efficiency, effectiveness, or risk awareness of the internal audit function and the broader organization (i.e., how data can be turned into information that provides risk and business insights).

4. Think big picture
The expansive reach of audit analytics has, oddly enough, resulted in narrow thinking about its application. For years, internal audit professionals and experts have marveled at the way analytics and continuous auditing techniques can be deployed to test massive populations of transactions. This capability is rightly trumpeted as a massive improvement over the traditional approach of manually sampling large data sets, often months after the associated activity has occurred, to identify problems. While accurate, this view of analytics is severely limited.

Leading internal audit functions now use analytics throughout the audit life cycle to support dynamic risk assessments; monitor trends, fraud, and risk and performance indicators, or deviations from acceptable performance levels; and model business outcomes. These functions tend to view analytics as a way to interpret data that helps tell a story to the business that may not



TO COMMENT on this article, EMAIL the author at gordon.braun@theiia.org

have been told before. To be successful here, there has to be an acute understanding of the data that is created, processed, and consumed within — and across — the organization and how it is used to drive business activity and decision-making.

5. Partner with IT
Given that data typically exists in a multitude of different systems throughout organizations as well as within third-party (e.g., cloud) environments, internal audit frequently encounters difficulties when attempting to access data for analytics. This problem relates not only to accessibility (the protracted data request process with IT), but also to completeness, accuracy, and validity of the data. Without understanding the specifics of what they are asking for, internal auditors cannot reasonably expect to get what they need — at least, not the first time around. In some cases, lengthy and ineffective data request back-and-forth between internal audit and IT departments results in data integrity issues (at best, perhaps) or the planned analytic being canceled entirely.

To succeed, audit analytics teams need to partner with IT departments to develop a robust process for data acquisition — either through specific and easily understood data requests or through direct connections to data repositories. This all starts by understanding the data environment. While this marks a common goal, it takes time, effort, and coordination to get there. Auditors should consider discussing how to decide which data elements should be created and captured, the business rationale for doing so, and how internal audit and business partners will use the information that analytics produce.

Thanks to recent advancements, current analytical tools more easily integrate with other enterprise systems. Internal audit functions’ growing tendency to use dedicated data warehouses also helps address data access and quality challenges, which can reduce stress on business production systems by giving internal auditors their own sandbox to play with data. However, there are risks with this approach, particularly with regard to security and privacy: the warehouse is a second copy of sensitive production data, and it needs its own access controls, retention limits, and monitoring, or it becomes the easiest place in the organization from which to take that data. Ultimately, establishing a dedicated data warehouse requires a sound business case that, among other things, addresses these risks.

Other, less technical qualities and practices also come in handy. Internal audit functions that have earned a reputation for collaborating with the business consistently encounter fewer data management obstacles when deploying data analytics. Their success stems partly from the fact that collaborative internal auditors are more apt to learn about, and apply, data governance standards and practices from their IT colleagues, which can help ease access to quality data residing in systems scattered throughout the organization.

6. Take advantage of visualization tools for inspired reporting
A picture is worth a thousand words. The same principle applies to the presentation — or visualization — of the analytics results. Tabular formats and simple charts are a thing of the past. Analytics reporting packages should



58% of respondents who regularly use data analytics report that poor data analytics design caused extra work, according to the Audit Executive Center’s 2017 North American Pulse of Internal Audit Report.

be making use of widely available visualization tools. These tools allow for the dynamic presentation of results (e.g., a country map that shows the top locations where purchase card spending occurs) and real-time, drill-down capability that represents a far cry from the static analytics presentations of the past. Visually compelling, high-impact reports can help internal audit’s clients quickly draw insights from the data.

A FUNDAMENTAL SHIFT
At present, data is being created and collected at a pace that is far beyond anything seen before. While there is always some risk in undertaking a new program — and a desire to prove the return on investment — the bigger risk is doing nothing. It is simply not an approach that internal audit functions can afford to take if they want to keep up with the business, stay relevant, and deliver value and insight.

The most innovative companies are looking at ways to capture and use data to transform their business operations as part of digitalization initiatives. Internal audit must be equally innovative, and must embrace the need, and the value, of making the company’s data work for it.

A key method to overcome common time and resource constraints with setting up a discrete analytics group within internal audit is by focusing on an “analytics mindset.” Further, internal audit functions are encouraged to work with business partners to identify areas where analytics can have high impact and high value, provide real business insight, and help address business challenges (rather than focus on a return on investment calculation). The value delivered in these initial analytics projects will set the stage for the program. Internal audit should look for parts of the business that are particularly data dense, or that have high volumes of data processing but still rely heavily on manual procedures. For example, focus on ways to:
»» Pull business insight from the data-heavy areas (and show management a story they have not seen before).
»» Work with management to convert audit analytics into reports that can be used in place of time-intensive procedures (e.g., “real time” monitoring of large, disparate data sets for key fraud indicators).
»» Quantify the impact of findings and deliver more insight through audit reports.
These are some of the ways that internal audit functions are able to quickly demonstrate and communicate value in their investment in, and use of, analytics. Ultimately, however, stakeholders must recognize that there is a fundamental shift in how business is being conducted, and as such auditors must match that with a fundamental shift in how they audit.

EACH JOURNEY IS UNIQUE
Establishing a robust analytics program may take several years to mature. The process for developing a data analytics capability tends to be unique for each internal audit function. Some standard general assessments exist and can help, but each internal audit leader should chart a path forward that reflects the unique qualities and needs of his or her function and the unique characteristics of the industry, the organization, and the team’s relationships with business partners.

For additional guidance, VISIT http://bit.ly/2u6iVQv to download GTAG: Understanding and Auditing Big Data.

GORDON BRAUN, CIA, CISA, CGEIT, is a managing director at Protiviti in Minneapolis, Minn. ANDREW STRUTHERS-KENNEDY, CISA, is a managing director and global lead of IT Audit at Protiviti in Baltimore. GREGG WISHNA, CISA, is an associate director at Protiviti in Atlanta.



GLOBAL CHAIRMAN OF THE BOARD

As ubiquitous as social media is today, it is hard to recall a time when we were not glued to our Facebook, Twitter, or Instagram accounts. Indeed, it is rare to read about a cause or event without running into at least one hashtag. This article is no exception.

As the 2017-2018 global chairman of The IIA Board of Directors — a privilege I am humbled and honored to experience — one of my first assignments was to develop a theme for my term. Coming up with the basics was easy: Purpose, service, and impact are three concepts that are very important to me. But when I looked at those words on their own, they seemed somehow incomplete. Then, as I was bouncing ideas off my team, the hashtag treatment was suggested. Thus, my theme became #PurposeServiceImpact.

We have become so accustomed to the hashtag, we often forget what it is intended to convey. It’s a useful, shorthand way to say, “pay attention,” “join the discussion,” and “pass it along” — reactions I hope IIA members have to the concepts of purpose, service, and impact as we go through the year, because I believe they have a very real place in our personal and professional lives.

#PURPOSE
Purpose is fairly straightforward. We all have a sense of purpose about our careers and our lives. It is the “why” of what we are doing, our mission, the reason we want to make a difference. As individuals, we need to know that all of the effort, focus, and sacrifice we have invested over time will pay off in achieving a goal.

As internal auditors, our mission is clearly laid out for us in The IIA’s International Professional Practices Framework: “Enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” How we enhance and protect organizational value is different for each of us based on our organization’s business. Is it market share? New products? Students educated? Patients served? Perception of reputation? Earnings per share? Whatever it is, internal auditors, at the very least, help management maintain that value, but, ideally, we enhance and increase it through the work we do.

As individuals and as internal auditors, we do not operate in a vacuum. We function within some sort of larger construct. As individuals, that may be a family, a community, a club — even an organization such as The IIA. As internal auditors, it is where we work. We must clearly understand the purpose of our organization and be certain that our personal sense of purpose aligns with it. Generally, every organization has a mission statement, but studying other indicators such as culture, strategy, and reputation can provide useful information, as well. Then we must determine how we can help the organization realize its mission.

A practical application can be found in the way some auditors are evolving the traditional risk-based audit approach — which is still very valuable — with



#PurposeServiceImpact

The IIA’s 2017-2018 Global Chairman of the Board J. MICHAEL PEPPERS encourages internal auditors to unify around the three concepts in his powerful hashtag.

Photographs by Darren Carroll

#PURPOSESERVICEIMPACT

more strategic elements. Start with the big-picture objectives of the organization and take the risk assessment from there. This helps ensure that what internal auditors do is more strategic and supports the goals of the organization — its purpose. For example, I once audited an area that had wonderful ideas, plans, and goals, but lacked good project management to address those plans in a systematic and metrics-driven way. I provided recommendations about managing projects. This was not a typical risk audit, but it provided value: The department recognized that adding this element would help in achieving departmental goals.

For almost 10 years, I worked on a university campus, and nearly every day I would walk on the sidewalks with the students we were educating. For another 15 years, I worked at two of our academic medical centers where I would walk the halls and see the patients we were serving. I came face to face with real stakeholders — the people who are counting on the organization — and that connection has always given me the drive to do all I can as an internal auditor to help my institutions succeed in their missions.

#SERVICE
Service is purpose put into action. It is doing things to meet the goals expressed in mission statements, transitioning purpose from concept to reality. Consequently, it can be the hardest part of the #PurposeServiceImpact trilogy. Purpose identifies noble goals and impact represents the outcomes of actions completed to achieve those goals. Service is the link between the two; it is “walking the walk.”

It is often said that internal auditors should “know the business” to be as effective as possible, and there is no question it is important to establish credibility with clients. At one point in my work at a health institution, I became aware that a health-care administrator certification was valued by many of the hospital leaders, so I decided to prepare for and take the certification exam. It demonstrated to my colleagues that I knew and cared about our business, and was willing to “walk the walk” to make us successful.

Internal auditors certainly do not lack opportunities to serve. Almost daily, we encounter areas where unsurpassed service is required or expected. According to the stakeholders represented in The IIA’s 2017 North American Pulse of Internal Audit, we must embrace our role as educator and change agent; be brave enough, even in the face of professional or personal danger, to do the right thing; avoid viewing the world in black and white; develop strong relationships with stakeholders; build interpersonal skills; and continue to develop competencies. This list goes well beyond what we are expected to do. It outlines expectations for how we do it, as well.

It’s no wonder we sometimes feel like we are on a tightrope stretched across a gaping canyon. We know we must perfect our balancing act to face the risks and service expectations ahead — not only at work, but also at



#BoardPriorities
During the coming year, I anticipate deploying the #PurposeServiceImpact philosophy as I lead The IIA’s Global Board of Directors in several initiatives:
»» Addressing the recommendations of a special Governance Task Force that has studied The IIA’s governance structure and processes. Significant changes are being proposed to the board and membership.
»» Completing the triennial refresh of The IIA’s global strategic plan. A new approach to gather input from multiple regional sessions is underway.
»» Advancing the recent Guiding Principles of Effective Affiliate Governance, which is intended to help affiliates serve their stakeholders and more than 190,000 members worldwide.
»» Studying laws, regulations, and questions related to licensing the internal audit profession. A global steering committee is working on this project.
»» Considering ways to increase the level of conformance with the International Standards for the Professional Practice of Internal Auditing.
»» Assessing The IIA’s portfolio of certifications to ensure it meets stakeholder expectations and is positioned for sustained success.

home, with friends, and in our outside activities.

It is in those optional activities where many of us find another way to serve: volunteering. I believe volunteering is one of the most powerful manifestations of service because there is nothing that makes us do it. We do it freely and willingly.

There are many reasons to volunteer. We want to get to know a community, gain leadership skills, feel needed, do our civic duty, learn something new, be challenged, do something different from what we do at work, make new friends, be part of a team, test ourselves, build our resume, give back, or feel good.

Volunteering helps us in our profession, as well. Well-rounded internal auditors recognize the benefits of understanding the enterprise end to end. To gain that understanding, we have to raise our heads up from our desks and see what is happening on a broader basis. We need to get out of
VISIT our Mobile app + InternalAuditor.org to watch a video of J. Michael Peppers discussing his chairman’s theme, “#PurposeServiceImpact.”

our offices — and our comfort zones. Volunteering provides that opportunity.

Those who are new to volunteering can start small. My long history of volunteering with The IIA began with being a greeter at meetings. I did it to help my local chapter, but that was only part of the reason. I also wanted to help myself advance both personally and professionally. That position made it easy for me to expand my network. Small steps can lead to big destinations; I am a case in point.

Of course, sometimes our services are needed in positions that may not be our first choice. When that happens, we can take a longer-term view. Fortunately, we can usually learn from any situation and gain the satisfaction of contributing to the greater good. Hopefully, those less-than-perfect volunteer roles are the exception rather than the rule. Life is short. When you have the choice, choose to make a difference in things that matter to you.

#IMPACT
And now we arrive at impact — the destination of the journey, the reason we provided service, and the realization of our purpose. The best and most successful internal auditors I know understand that internal auditing is more than just a job; it is a sincere effort to improve the lot of others, whether organizations or individuals. But it is not an activity that provides immediate, easily seen impacts. We often have to examine the ripple effects our efforts leave behind. Take for example two statistics from The IIA’s Pulse report: In 2016, 29 percent of respondents reported an increase in internal audit staff, and 30 percent expected to add staff in 2017. This is a ripple effect of the impact of internal audit. Today’s cost-conscious boards and executives would not spend substantially more on risk, control, and governance processes unless they were realizing value. We are making an impact.

We have to choose where we will make an impact. Given our time, energies, and resources, we need to focus on areas that enable us to influence things that are important to us and that we will look back on with pride. For me, it is always education. Being in the higher education system, a financial supporter of The IIA’s Internal Auditing Education Partnership program, and a regular speaker in professional and college programs, I am a believer in the value and importance of education. Several years ago, in the early days of data analytics, I had an

#HigherEdFocus
In my position as chief audit executive (CAE), I support the Board of Regents and executive management at the expansive University of Texas System. The System has more than 120 internal auditors at its 14 academic and health science institutions, consisting of more than 220,000 students, 100,000 faculty and staff, and an operating budget of almost $18 billion.

My career-long focus in higher education started in graduate school at the University of South Florida where I was the student internal audit intern. After earning a Master of Accountancy, I spent time in public accounting before returning to the university to lead that same internal audit department for almost 10 years. In 1999, I moved to Texas and was the CAE at UT Medical Branch in Galveston and UT MD Anderson Cancer Center in Houston before arriving at UT System Administration in 2013.

I proudly admit to being a “career internal auditor.” I can probably count on one hand the times I’ve done what would be considered a “repeat” audit. Because our organizations continually change, so do our audits. There’s nothing routine, cyclical, or boring about what we do.



TO COMMENT on this article, EMAIL the author at michael.peppers@theiia.org

audit manager who was particularly good at analytics, which we used to achieve real wins in audit engagements. But we had a vision for even greater impact. Because we worked in a university setting, we were regular guest speakers in the audit classes and we knew that students were not getting exposure to data analytics tools. So, we convinced audit faculty that the curriculum needed to include this important aspect of practical auditing, and we engaged a software provider to make its tool available for this academic purpose. Since then, other auditors, faculty, and vendors have done the same, truly impacting the preparation of students for the audit workplace.

PUTTING IT ALL TOGETHER
Our lives have a lot of distractions, but I have an easy way to keep our eyes on the goal of creating appropriate impact. Think of the process as an equation — a simple set of steps:
1. If we understand the purpose of the organization or profession…
2. And our own purpose within that group…
3. And those purposes are aligned…
4. And if we commit to providing excellent, competent, ethical service…
5. We will have an impact. We will make a difference.

The #PurposeServiceImpact hashtag has a specific use, one I hope will resonate with IIA members. It says I would like you to think about these three concepts, identify with them, unify around them, and connect them with your own thoughts or activities. Twitter has shown the world how powerful the hashtag can be as a means to rally people around specific goals. I would like to think we can do the same within The IIA.

#FaithFamilyFlowers
Outside my professional life, I have three priorities that keep me grounded and rounded: faith, family, and flowers. Faith is the most important aspect of my life, providing the foundation for actions and decisions both personal and professional. It is also a constant footing for me as I assess my own purpose, service, and impact. Next comes family: I have two adult daughters and two granddaughters who are never far from my thoughts, even if a bit too far away physically for my liking. I rely on video technology to “see” them as much as possible.

My family may, however, quip that they compete for my attention with another of my loves: my daylilies. As an internal auditor, I have not been afraid to dig deep and get my hands dirty, and the same goes for my garden. When I moved to Texas in 1999, a co-worker introduced me to daylilies. I started with 10 plants and grew to as many as 500 varieties in my yard at one time. In my new Austin garden, I’m down to only about 200 varieties. My passion goes beyond weekend gardening; I have won competitive flower shows, and my garden recently was designated by the American Hemerocallis Society as an official display garden. In addition, the garden was recently a stop on three different garden and pond tours.

I have a shirt that states, “Gardening… it’s cheaper than therapy.” While I admit that outdoor work is a source of therapy for me, I do not concede that it’s less expensive!

PHOTOS (2): COURTESY OF MIKE PEPPERS

J. MICHAEL PEPPERS, CIA, QIAL, CRMA, is the chief audit executive of The University of Texas System in Austin.



AUDIT TECHNIQUES

The Root of the Matter

Performing root-cause analysis requires that auditors recognize common myths associated with the process.

Jimmy Parker

Most internal auditors would likely agree that audit findings can best be resolved by addressing, correcting, or eliminating the root cause as opposed to merely addressing symptoms, and that directing corrective measures at the root cause reduces the probability of recurrence. In fact, auditors whose reporting only recommends that management fix the issue — and not the underlying reason that caused the issue — could be failing to add insights that improve the longer-term effectiveness and efficiency of business processes, and thus the overall governance, risk, and control environment.

Root cause analysis enables auditors to produce deeper, more thorough reporting by providing an objective, structured approach to identifying and determining the most probable underlying causes of a problem or undesired event within an organization. It considers factors that result in the nature, magnitude, location, or timing of harmful outcomes (consequences) stemming from past risk events, or factors that may lie behind future risk events. The auditor uses this information to identify what behaviors, actions, inactions, or conditions need to be addressed to prevent recurrence of similar harmful outcomes.

Complex, serious, or pervasive problems are rarely the result of a singular event or failure. Frequently, a “perfect storm” of several causes forms

AUGUST 2017 INTERNAL AUDITOR 53


to create an ideal environment for the failure to occur. Moreover, simply getting to the root cause to prevent it from happening again may not be enough — the consequences have to be addressed.
To better understand root cause analysis, two general myths need to be dispelled — the myth of the single root cause, and the myth that fixing the root cause alone fixes the problem. Upon recognizing these false notions, internal auditors can use several methods to perform root cause analysis more effectively on their engagements.

MULTIPLE ROOT CAUSES
Many organizations mistakenly use the term root cause to identify one main cause. However, focusing on a single cause can limit the solutions set, resulting in the exclusion of viable solutions.
Internal auditors commonly use the Five Whys technique to explore the cause–effect relationships underlying audit issues, with the goal of determining the root cause of a defect or problem. By asking successive "why" questions, the nature of the problem as well as its solution usually become clearer. Asking "why" helps identify the causes associated with each sequential step of the defined problem or event. An example from The IIA's Implementation Guide 2320: Analysis and Evaluation illustrates this technique: "The worker fell. Why? Because oil was on the floor. Why? Because a part was leaking. Why? Because the part keeps failing. Why? Because the quality standards for suppliers are insufficient." By the fifth "why," the internal auditor should have identified or be close to identifying the root cause.
Although this technique can be useful, some experts contend that using the Five Whys leads auditors to mistakenly believe that only one true root cause to an issue exists — and that if they are successful in finding that root cause they will permanently solve the problem. In reality, several related or unrelated root causes are frequently responsible for the findings that auditors identify.
Rather than assuming the presence of just one root cause, internal auditors should brainstorm with a team to identify all the potential causes that contribute to a problem. The process can result in multiple opportunities to mitigate risk and prevent problems from occurring. It is also helpful for auditors to think about root cause analysis in terms of three stages: identification, measurement, and prioritization. Using this approach, the structure of root cause analysis is analogous to the structure of a risk assessment (see "ERM vs. Root Cause" on this page).

Identification The cause-and-effect diagram represents a preferred tool for identifying multiple root causes. Also called a fishbone diagram — because its shape is similar to the side view of a fish skeleton — this method enables users to visually display the many potential causes of a problem or an effect, helping reveal key relationships among causes and provide additional insight into process behavior. It uses a graphical description of the process elements to analyze potential sources of process variation (see "Fishbone Diagram" on page 55).

ERM VS. ROOT CAUSE

ERM                         ROOT CAUSE ANALYSIS
1. Objective                1. Problem
2. Risk(s)                  2. Root Cause(s)
   a) Identification           a) Identification
   b) Measurement              b) Measurement
   c) Prioritization           c) Prioritization
3. Risk Response            3. Recommendation/Management Action Plan


"Root cause-based action plans are ideal, as they mitigate the underlying cause of the condition that triggered the observation." — IIA PRACTICE GUIDE: AUDIT REPORTS

FISHBONE DIAGRAM
Six cause categories (Machine, Method, Man, Materials, Mother Nature, Measurements) branch into the effect (PROBLEM).

When using a team approach to problem solving, differing opinions often arise as to the problem's root cause. The fishbone diagram helps capture these ideas and stimulate team brainstorming. It also can be used to structure the brainstorming session, as the diagram not only helps identify the many possible causes for an effect or problem, but also enables users to sort these ideas into useful categories:
»» Man (people) — anyone involved with the process.
»» Machine (equipment/technology) — any equipment, software, hardware, tools, supplies, etc. required to accomplish the job.
»» Measurements (management) — data generated from the process and metrics used to evaluate its quality, efficiency, and effectiveness.
»» Method (process) — how the process is performed and the specific requirements for doing it, such as policies, procedures, and rules.
»» Materials (inputs) — raw materials, parts, documents, data, etc. used to produce the final product or output of the process.
»» Mother Nature (environment) — the conditions, such as location, time, and temperature, in which the process operates, as well as external factors that are not associated with the natural environment, including laws, regulations, and culture.
Causes derived from the brainstorming effort are grouped into these categories and then traced back to the root causes, which can be performed using the Five Whys technique in conjunction with the fishbone diagram. Because people by nature often like to start working on a problem as quickly as possible, this approach can help yield a more efficient and thorough exploration of the issues behind the problem, which in turn will lead to a more robust solution.

Measurement and Prioritization
For the measurement and prioritization phases, the team can numerically confirm

VISIT InternalAuditor.org for additional resources, including a variant of the Five Whys technique that better accommodates multiple root causes.


the proportion of each root cause's impact on the problem and rank them accordingly. Two root cause analysis tools can be especially useful in this process — the Pareto chart and the scatter diagram.
The Pareto chart illustrates the Pareto principle, frequently referred to as the 80/20 rule, which states that 20 percent of the population accounts for 80 percent of the phenomenon. The chart's purpose is to highlight the set of factors or activities that most contribute to a problem or opportunity (see "Pareto Chart — Types of Errors" on this page). By categorizing and displaying the supporting data for multiple causes, the Pareto chart can focus attention on the causes most important to resolving, reducing, or eliminating a problem. This approach can be particularly helpful when the team is:
»» Analyzing data about potential root causes or the frequency of problems.
»» Dealing with many different problems and causes but looking to focus on the most significant ones.
»» Analyzing wide-reaching causes by zeroing in on their individual components.
Scatter diagrams pair causes and effects, with one variable on each axis, to look for a relationship between them. It could depict the relationship between a cause and an effect, between one cause and another, or even between one cause and two others. If the diagram reveals a relationship, then the possibility arises that one variable may be controlled by varying the other variable, or that two effects that appear related share the same cause.

PARETO CHART — TYPES OF ERRORS
The height of the vertical axis represents the sum of all occurrences; bars are drawn in descending order from left to right, so their heights show relative importance; a cumulative percentage line is overlaid, and the 80% line separates the "significant few" (left) from the "insignificant many" (right). The "Other" category is always placed last, even if it is not the shortest bar.

Category      Count      %    Cumulative %
Syntax          950   62.1%        62.1%
Logic           365   23.9%        85.9%
Run Time        125    8.2%        94.1%
Arithmetic       60    3.9%        98.0%
Other            30    2.0%       100.0%


"When conducting a root cause analysis, internal auditors must exercise due professional care by considering effort in relation to the potential benefits." — IIA IMPLEMENTATION GUIDE 2320: ANALYSIS AND EVALUATION

SCATTER DIAGRAM — REVENUE VS. SALES
Revenue per day plotted against sales per day.

Sales per day   Revenue per day
23              1312
24              1205
25              1455
28              1513
33              1678
38              1691
41              1739
42              1852
50              2015
55              2294
60              2413
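The measurement and prioritization step the article describes, ranking causes with a Pareto table and checking cause-effect strength with scatter-diagram correlation, as an added worked example in Python. This is not code from the article or from The IIA. It reuses the error counts from the Pareto chart of error types on the previous page and the sales/revenue pairs tabulated above; the function names, the 80 percent cutoff for the "significant few," and the second candidate cause (a constructed temperature series) are this example's own assumptions.

```python
"""Pareto ranking and scatter-diagram correlation for root cause prioritization.

Added example, not from the Internal Auditor article. The error counts and the
sales/revenue pairs are transcribed from the article's figures; the temperature
series is constructed here to show ranking by strength of relationship.
"""
from math import sqrt

# Transcribed from the article's Pareto chart: occurrences per error category.
ERROR_COUNTS = {
    "Syntax": 950,
    "Logic": 365,
    "Run Time": 125,
    "Arithmetic": 60,
    "Other": 30,
}

# Transcribed from the article's scatter table: (sales per day, revenue per day).
SALES_REVENUE = [
    (23, 1312), (24, 1205), (25, 1455), (28, 1513), (33, 1678), (38, 1691),
    (41, 1739), (42, 1852), (50, 2015), (55, 2294), (60, 2413),
]

# Constructed (hypothetical) second candidate cause: (temperature, revenue per day).
TEMPERATURE_REVENUE = [
    (71, 1312), (88, 1205), (65, 1455), (90, 1513), (72, 1678), (84, 1691),
    (66, 1739), (79, 1852), (91, 2015), (70, 2294), (83, 2413),
]


def pareto_table(counts, catch_all="Other"):
    """Return rows (category, count, percent, cumulative percent) sorted by
    count descending, with the catch-all category forced to the last position
    even when it is not the smallest bar (the chart's convention)."""
    total = sum(counts.values())
    ordered = sorted(
        ((c, n) for c, n in counts.items() if c != catch_all),
        key=lambda item: item[1], reverse=True,
    )
    if catch_all in counts:
        ordered.append((catch_all, counts[catch_all]))
    rows, running = [], 0
    for category, n in ordered:
        running += n
        rows.append((category, n, round(100 * n / total, 1),
                     round(100 * running / total, 1)))
    return rows


def significant_few(counts, cutoff=80.0):
    """Categories to attack first: every category up to and including the one
    whose cumulative percentage crosses the cutoff line."""
    chosen = []
    for category, _n, _pct, cumulative in pareto_table(counts):
        chosen.append(category)
        if cumulative >= cutoff:
            break
    return chosen


def pearson_r(pairs):
    """Pearson correlation between the two variables of a scatter diagram."""
    n = len(pairs)
    mean_x = sum(x for x, _ in pairs) / n
    mean_y = sum(y for _, y in pairs) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in pairs)
    sxx = sum((x - mean_x) ** 2 for x, _ in pairs)
    syy = sum((y - mean_y) ** 2 for _, y in pairs)
    return sxy / sqrt(sxx * syy)


def rank_causes_by_strength(named_pairs):
    """Rank candidate causes by |r| against the effect, strongest first.
    named_pairs maps a cause name to its list of (cause value, effect value)."""
    scored = {name: pearson_r(pairs) for name, pairs in named_pairs.items()}
    return sorted(scored.items(), key=lambda kv: abs(kv[1]), reverse=True)


if __name__ == "__main__":
    for category, n, pct, cumulative in pareto_table(ERROR_COUNTS):
        print(f"{category:<11}{n:>6}{pct:>8.1f}%{cumulative:>8.1f}%")
    print("significant few:", significant_few(ERROR_COUNTS))
    print("ranked causes:", rank_causes_by_strength(
        {"sales": SALES_REVENUE, "temperature": TEMPERATURE_REVENUE}))
```

Running the script reproduces the percentages printed under the chart (62.1, 85.9, 94.1, 98.0, 100.0), picks Syntax and Logic as the significant few at the 80 percent line, and ranks sales well above the constructed temperature series as a candidate cause of revenue, which is the same judgment a reader makes by eye from the scatter plot.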

During root cause analysis, scatter diagrams can be useful for displaying and analyzing the relationship or correlation between cause and effect variables, which can help point to the true root causes of problems as well as facilitate ranking those causes in order of importance by strength of relationship (see "Scatter Diagram — Revenue vs. Sales" on this page).

FIXING THE PROBLEM
Once internal auditors have identified a root cause, or multiple root causes, they must be able to offer meaningful recommendations or management action plans to address the issue. But contrary to a common misconception, fixing the root cause alone does not necessarily fix the problem — auditors must also help address the damage or difficulties that emerged as a result. To better understand this idea, practitioners can benefit from reviewing a key foundational concept in audit report writing, informally referred to as the Five C's:
»» Condition (what is).
»» Criteria (what should be).
»» Cause (why).
»» Consequence [Effect] (so what).
»» Corrective action plans and recommendations (what's to be done).
Well-written audit reports provide recommendations that address the underlying root causes of a problem, thus helping to ensure the condition will not recur. Because recommendations must resolve both the condition and the cause, the terminology used in the recommendation often mirrors or matches the terminology in the condition and the cause. Moreover, the recommendation must identify the action necessary to bring the condition in line with the criteria.
Irrespective of the reporting format an audit function uses, these elements should generally be included in some form in each finding to address and report audit issues effectively. For root cause analysis, auditors need to drill down a little further on the last two components — consequence and corrective action plans/recommendations — to ensure they add value.
When noting a condition's business impact in an audit finding, one of four levels may apply:
»» Direct, one-time effect on the process.
»» Cumulative effect on the process.
»» Cumulative effect on the organization.
»» High-level, systemic effect.
In response to these levels, three important types of recommendations/action plans can be considered. The first two are described in the IIA Practice Guide, Audit Reports: Communicating Assurance Engagement Results:
»» Condition-based recommendations — provide an interim solution for correcting the current condition (e.g., removing inappropriate access).
»» Cause-based recommendations — actions needed to prevent the condition/observation from occurring again. Root cause-based recommendations are typically longer term solutions and may involve more time (e.g., creating and implementing an access review policy).
A third type of recommendation/action plan must be considered when the root cause has created a consequence whose damaging effects must be remediated before business continues:
»» Recovery-focused — address the consequences of the condition and describe what will be done to correct errors caused by it.
As illustrated by disasters such as the Deepwater Horizon oil drilling accident, which resulted in 11 deaths and caused the largest oil spill in U.S. history, identifying the root cause to prevent such a catastrophe from recurring is only one


part of the solution — someone also has to clean up the oil. So, in addition to a root cause analysis effort aimed at the spill's consequences, a recovery-focused recommendation and action plan would be needed to address the environmental damage.
Internal auditors should consider that the level of the effect will drive the nature of the root cause analysis and the type of recommendation and action plan:
»» Direct, one-time effect on the process (condition-based recommendation and action plan).
»» Cumulative effect on the process (cause-based recommendation and action plan).
»» Cumulative effect on the organization (recovery-focused recommendation and action plan).
»» High-level, systemic effect (recovery-focused recommendation and action plan).
As noted in Audit Reports: Communicating Assurance Engagement Results, "Action plans are effective when designed and executed in a way that addresses the root cause." In that regard, root-cause analysis has the aim of generating and formulating agreed-upon corrective actions to eliminate, or at least mitigate, those causes to produce significant long-term performance improvement in addition to promoting the achievement of better consequences.

REAP THE BENEFITS
The resources spent on root cause analysis should be commensurate with the impact of the issue or potential future issues and risks. Before starting root-cause analysis for more complex issues, internal auditors should bear in mind that additional time may be required to analyze the processes, personnel, technology, and data necessary to generate agreed-upon corrective action plans that eliminate, or at least significantly mitigate, the root causes. An effective action plan brings the condition in line with the criteria and addresses the potential or existing harmful outcomes stated in the effect. In the end, this approach will allow the auditor, audit client, and organization to reap the full benefits that a well-executed root-cause analysis effort can provide.

JIMMY PARKER, CPA, CIA, is senior manager, internal audit, at Verizon in Lake Mary, Fla., and instructor for the IIA seminar, "Root-cause Analysis for Internal Auditors" (see "Calendar" on page 71).

TO COMMENT on this article, EMAIL the author at jimmy.parker@theiia.org


Steps to Transformation
Internal auditors can assist management throughout the many stages of business change.

James E. Schulien

BUSINESS TRANSFORMATION

Globalization, disruption, innovation, and continually evolving technology are driving a wave of business transformations. Such transformations involve making fundamental changes to how business is conducted to help cope with a shifting market environment, gain a competitive advantage, or reinvent the organization. These changes are frequently facilitated by implementing or upgrading IT systems such as core business applications.
Yet according to consulting firm McKinsey, 70 percent of business transformations fail. Many efforts to understand this result have focused on failures in change management and establishing a vision. Although these are critical elements in any business transformation, there are many common pitfalls that can derail these initiatives, including failing to manage change and communicate management's vision. These pitfalls are process, project, and control risks that fall squarely within the core competencies of internal auditors. By inserting itself at seven steps of the transformation process and addressing these risks, internal audit can assist management in beating the odds and achieving a successful transformation.

1. PRE-IMPLEMENTATION REVIEWS
A pre-implementation review can help management identify problems in the planning stage — before they develop into costly missteps. An ideal pre-implementation project asks the question: What is the best practice model that should be applied to this transformation or new system implementation?
Pre-implementation projects identify the gaps between the best practice approach and the current planned approach for the transformation. For example, an aerospace manufacturer and integrator had processes and systems that were
several generations behind the current state of the art. The company sought to modernize them by implementing the latest enterprise resource planning (ERP) suite and changing its processes to take advantage of the efficiencies the software provided. The company's internal audit function began a pre-implementation review by asking, what is the best practice project model for the implementation of complex ERP packages? The answer was a model that assessed project management risk, stakeholder commitment, functional risks such as defining requirements, change management risk, resource risk, and technical risks such as the IT controls testing methodology. This pre-implementation review identified issues with business owner approvals of process designs and acceptance of the benefits realization plan, the aggressive project timetable, and planning for regulatory compliance. Identifying these issues early allowed management to address them during the project.
"Top Transformation Pitfalls" on page 63 summarizes the most common transformation process, project, and control risks, and describes how internal audit can address these risks through pre-implementation reviews and other projects.

2. PROCESS/CONTROLS ANALYSIS
During a business transformation, it is easy for the project leaders to focus solely on the steps required to make a new application function appropriately. The real key to success with new systems is to take maximum advantage of the tools provided by the software to make the organization's processes more effective in meeting business objectives.
Leveraging the power of the latest software and achieving the transformation's goals come from an equal focus on both system functionality and processes and controls. This is an area where internal audit can advise process owners on how to structure processes and controls to take advantage of the new application and make the organization's new controls efficient.
In some transformations, auditors provide this process and controls advisory assistance directly to the project team. In other transformations, internal audit becomes a controls team champion. Ideally, the organization and staffing for a major business transformation will include a controls team. The controls team works full time as part of the project team to assist process owners in reengineering their processes and controls to fit the new business structure.

3. IN-FLIGHT REVIEWS
One of the biggest challenges in a large transformation or system implementation effort is getting accurate data on the progress of systems development work and the quality of the modules being produced. Sometimes, project team members are reluctant to admit when objectives are not being achieved and communicate this bad news up the chain of command. As a result, project teams and project managers frequently report that a transformation project is on track when, in fact, it is far behind schedule. Moreover, the Ethics & Compliance Initiative's 2016 Global Business Ethics Survey of more than 13,000 employees notes that pressure to compromise standards and observed misconduct are most common in organizations undergoing change.
Internal audit reviews performed during the transformation project, rather than at the beginning or end, can assist management in assessing whether a project is on track to achieve its objectives. These in-flight reviews can address the same areas as the pre-implementation review, such as project management risk, stakeholder commitment, and functional risks. They also can concentrate on specific areas of concern such as whether the project is on track to achieve a specific goal.

4. IT AND USER ACCEPTANCE TESTING
When projects fall behind, leaders naturally look for ways to get the project back on schedule. Shortening the IT and user acceptance testing cycle is one method used to make up time. Although taking systems and user acceptance testing shortcuts may create the illusion of saving time, cutting corners almost always results in additional challenges that further delay the project. This produces the classic paradigm: "We did not have time to do it right the first time, so we ended up having to redo the effort."
Internal audit can contribute to IT and user acceptance testing by assessing the project's overall compliance with the company's full set of system development life cycle policies, or by assessing just the IT or testing processes. Auditors also can assist in user acceptance testing by advising process owners on testing methodology or by assisting in performing the testing in certain situations.

5. OUTPUT/RESULTS TESTING
Once the new processes and system are live and producing information for management's use, the output should be tested. While user acceptance testing is usually performed at the individual process level, testing of higher-level management accounting and operational


41% of business leaders surveyed say digital transformation has increased their organization's market share, according to Altimeter's 2016 State of Digital Transformation survey.

TOP TRANSFORMATION PITFALLS

A pre-implementation review can help management identify and prevent the 10 most common transformation pitfalls. Internal audit also can address risks at one of the other steps of transformation projects. The list below pairs each risk with how internal audit can address it.

1. Risk: Losing focus on the benefits to be achieved.
   How internal audit can address it: in the project management risk phase of a pre-implementation review and during in-flight reviews.
2. Risk: Failing to plan from beginning to end, and not including milestone goals and stages for the business.
   How internal audit can address it: in the project management, requirements definition, and legacy system integration phases of a pre-implementation review, and during in-flight reviews.
3. Risk: Insufficient investment in communications and change management.
   How internal audit can address it: in the change management risk phase of a pre-implementation review and during in-flight reviews.
4. Risk: Not anticipating challenges and road blocks. Building a plan that has no room for problems.
   How internal audit can address it: in the project management risk and resource risk phases of a pre-implementation review, and during in-flight reviews.
5. Risk: Failing to focus on processes and controls.
   How internal audit can address it: in the requirements definition and legacy system integration phases of a pre-implementation review, and during process and controls advisory analysis and assistance.
6. Risk: Taking system development life cycle shortcuts resulting in deployment of flawed software.
   How internal audit can address it: in the IT controls testing methodology phase of a pre-implementation review and during IT and user acceptance testing assessments.
7. Risk: Failing to begin with a pilot project, such as a test location or business unit, or proceeding before having success with a pilot.
   How internal audit can address it: in the project management risk, legacy system integration, and stakeholder commitment phases of a pre-implementation review, and during in-flight reviews.
8. Risk: Retiring a legacy system too soon, and failing to run the legacy system in parallel with the new system.
   How internal audit can address it: in the legacy system integration and IT controls testing methodology phases of a pre-implementation review, and during IT and user acceptance testing.
9. Risk: Failing to monitor progress and assess whether the project is still on track to achieve the benefits of the investments. Failing to obtain accurate information on progress.
   How internal audit can address it: in the change management and project management risk phases of a pre-implementation review, during in-flight reviews, and during output/results testing reviews.
10. Risk: Not celebrating successes throughout the project, and not rewarding and encouraging the project's champions.
   How internal audit can address it: in the change management phase of a pre-implementation review and during in-flight reviews.

TO COMMENT on this article, EMAIL the author at james.schulien@theiia.org


reporting output is needed to ensure this information is reliable. At this stage, internal audit can provide assurance that the new system produces accurate management information on operations, production status, costs, and profit.
Likewise, financial reporting information must be reliable. Testing financial reporting information produced by the new system is a critical part of the organization's assessment of internal control over financial reporting before the new system goes live. Internal audit should assess how the new processes and system will impact the design of internal controls over financial reporting and determine whether appropriate control design changes are being made as part of the transformation.

6. POST-IMPLEMENTATION REVIEWS
For nearly all new system implementations, there is a time after the new system goes live when there is a high level of system change and correction requests. Post-implementation reviews can help management understand and prioritize corrections and changes to best align the corrective actions with the project's objectives. Ideally, a post-implementation review would be scoped to assist management in understanding how well the planned objectives have been met.
Post-implementation reviews also can help management understand what process and control issues remain to be addressed. Not all of these issues can be anticipated. Addressing the issues that are identified once the system comes online is another critical element in achieving the benefits originally sought when the transformation project began. As with designing good processes and controls into the project, addressing the control issues that develop later in the transformation life cycle can help prevent operational challenges and financial reporting issues from appearing after the organization has begun relying on the new processes and system.

7. COMPARISON TO PROJECT MANAGEMENT REVIEWS
In some respects, reviews of transformation projects are like any other project management review. Internal auditors are assessing whether the project is achieving the objectives that were the basis for its approval by management. The difference is that business transformations, by their very nature, are larger in scope and complexity than individual capital projects or investment initiatives.
Transformations involve most, if not all, of the key management and board stakeholders in a business, and cross many functional and operational lines. Frequently, the future success of the business depends on the success of the transformation. This high level of risk to the business is the reason that internal audit should actively participate in its organization's business transformation initiatives.

ORGANIZATION TRANSFORMED
Achieving success with a large transformation is a daunting challenge for management. Internal audit's involvement can help management avoid the most common pitfalls and provide advice for building processes and controls that allow the organization to realize the benefits of its investment. In turn, these efforts can transform internal audit's reputation as a business partner and strategic contributor.

JAMES E. SCHULIEN, CIA, CPA, is president of Schulien Advisory Services in Fort Worth, Texas.


Insights/The Mind of Jacka
TO COMMENT on this article,
EMAIL the author at michael.jacka@theiia.org

BY J. MICHAEL JACKA

IT’S ONLY ONE WORD

I
Excessive audit t’s so easy to change a make changes to audit why that change is nec-
report wordsmithing single word … and so easy reports, far too often altering essary. Otherwise, you
for that simple change is often a disservice to the client — and the audit function.

to impact a sentence, a paragraph, or an idea. Rock musician Warren Zevon wrote an amazing song titled “Carmelita,” which includes the line, “I pawned my Smith Corona. …” For those who don’t know, a Smith Corona is a typewriter: a tool that, before the proliferation of computing power, was widely used by writers everywhere — even internal auditors. In that simple phrase, Zevon describes a man who has reached the end of his rope, pawning a valuable tool of his trade.

American pop singer Linda Ronstadt, in a typically incredible performance, covered the song. However, she made a small but significant change — “I pawned my Smith & Wesson. …” Again, for those who don’t know, Smith & Wesson is a brand of firearms. Ronstadt’s alteration seems minor, yet it changes everything about the lyric, its impact, and the story told by the song. It significantly modifies what was originally written.

And it is with no less impact that some reviewers
those reports without ensuring that the change is necessary or appropriate. Words are precise, and when audit management assigns auditors to write those reports, management should expect the auditors to use the precise words that mean precisely what they mean to say.

Yet many audit report review processes seem designed to take away the auditor’s responsibility for that precision. Far too often, the lead, manager, chief audit executive, etc. doesn’t like what is written (“I can’t say why; I just don’t like it”) and starts editing. The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.

Report reviewers everywhere, here are three lessons you should take to heart:

• Do not change anything without ensuring those who actually did the work have a say in those changes. That is the only way to ensure the report is still accurate.
• Never make a change unless you can explain
are just changing for personal preference.
• Always explain the reasons for any change to the person who wrote the original drafts. Only by understanding the reason for the changes will that individual ever learn how to do a better job.

However, there is a fourth and just as important lesson that seems counterintuitive in a discussion about the preciseness of words. Don’t dither.

Internal auditors work hard to find the exact wording when something close will do. And our focus on that unnecessary precision results in a deluge of rewrites, delays, and frustrations. Get it right, but don’t worry about being perfect. And when all is said and done, make sure you haven’t turned a typewriter into a gun.

J. MICHAEL JACKA, CIA, CPCU, CFE, CPA, is cofounder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services in Phoenix.


AUGUST 2017 INTERNAL AUDITOR 67


Eye on Business

THE DATA ANALYTICS STRATEGY


Adding analytics to the audit methodology requires careful change management.

STEFAN DAVIS, Product Owner, TeamMate Analytics, Wolters Kluwer
SERGIU CERNAUTAN, CPA, CISA, Director, GRC Strategy, ACL

What are the key components of an effective data analytics strategy?

CERNAUTAN Successful data analytics strategies should start by building an internal business case, as these programs often lose momentum and fail if their value is not appropriately “sold” within the organization. Next, address the knowledge and skill gaps by allocating funding to resource and train the audit teams. When it comes time to buy, invest in modern technologies that are easy to use and implement. For maximum impact, integrate data analytics requirements into the audit methodology. Make the use of analytics required rather than optional. Aim for quick wins that will naturally progress to larger successes by phasing the program in with an agile methodology. By focusing on automating routine audit areas, teams can self-fund the program through efficiency gains and demonstrated return on investment.

DAVIS The key component for developing an effective data analytics strategy involves changing the way you think about your work. Start with defining the objectives you are trying to achieve either for your audit team or your audit cycle. Then plan and execute a vision for using data analytics to achieve your objectives. You’ll need strong support from senior management and buy-in from the audit staff to gain efficiencies in meeting your objectives. Tools that are easy to use, train on, and deploy will lead to quick wins and help with buy-in and boost the data analytics strategy momentum for more advanced analytical strategies down the road. An analytics lead or champion should be responsible for executing the strategy. To track progress, set targets and monitor key performance indicators such as the percentage of audits performing at least one analytics test.

What do CAEs need to know before jumping in?

DAVIS Changing from traditional audit techniques to incorporating analytics is not always an easy exercise. Including analytics is a significant change in methodology, especially for experienced auditors, and it requires careful change management. The chief audit executive (CAE) needs to set expectations for the analytics effort, making it clear to the auditors that analytics is a priority for the department to gain efficiencies in meeting audit and department objectives. Knowing when to apply analytics and identifying opportunities for efficiency gains with analytics are critical to implementing a strategy.

CERNAUTAN Over the past 20 years, the CAEs I’ve worked with who struggle to implement a successful analytics program all cite at least one of three factors: 1) difficulty in accessing data; 2) lack of data analytics skills; and 3) the high costs to implement. This may have been true years ago, but in today’s world it is simply not the case: Data is easier to access; analytic tools are powerful, flexible, and easy to use; and the cost of not implementing vastly outweighs the cost to implement. To remain relevant, internal audit must adopt analytics literacy as a basic requirement. In today’s world of big data, social media, and increasing risk velocity, it is impossible to fulfill the internal audit mandates of “adding value and improving an organization’s operations” and “improving the effectiveness of risk management, control, and governance processes” using antiquated manual audit processes that focus solely on post-detection techniques.

How can data analytics be leveraged to strengthen risk assessments and the audit plan?

CERNAUTAN The greatest risk is the unknown. Integrating analytics into risk assessments confirms the completeness of identified risks, and assumptions made about them, while illuminating potential gaps. By applying data analytics to support your risk assessments, the resulting audit plans will be better informed and developed from objective measures rather than subjective ones, which are prone to error. Forrester analyst Nick Hayes puts it this way: “Your assumptions about risk are deeply flawed without analysis of actual transactional data.”

DAVIS In the past, analytics have been primarily focused on fieldwork, but they can add huge value to risk assessment and planning. In audit planning, data analytics allow audit departments to gather company, industry, and prior audit results to help drive the audit plan. Visualization and summarization, along with regression and trend analysis, can highlight changing and emerging risks as well as issues to target and explain current and future audit coverage.

How can data analytics be leveraged to strengthen individual audit engagements?

DAVIS Starting with engagement planning, auditors should consider opportunities to incorporate data analytics. If an audit is repeated, revisit audit programs to see where analytics will add value, rather than repeating manual tests. Getting data relevant to the audit objectives before fieldwork begins will allow preliminary analytics to identify risks that may influence audit scope. In fieldwork, data analytics will strengthen an audit through the ability to analyze complete data sets, rather than sampling. Complete testing leads to deeper insights into processes and procedures. Testing every instance of a control provides more robust audit evidence and increased coverage provides greater assurance. When reporting issues, deeper insights can be supported by tangible, measurable valuations. Rather than saying “we tested 30 purchases and found two without authorized purchase orders,” analytics allows you to say “we tested the full population of purchasing transactions, and found $84,234 in purchases with unauthorized purchase orders.” When they can see the dollars involved, management has a reason to follow or correct a control.

CERNAUTAN One cannot truly achieve a risk-based audit approach and add value without being data driven throughout. From the initial risk assessment, to scoping and planning, to executing fieldwork, to raising issues, and all the way to preparing the final audit report — the nature, timing, and extent of procedures to be performed are largely driven by the magnitude of the risks. What better way to quantify the risks, rationalize your audit effort, and support your results with evidence than by analyzing actual data?

What’s more, executives constantly ask “so what?” to challenge the value of audit findings. Transform that response by supporting findings with objectively quantifiable data and key performance metrics. Consider a process recommendation to “take advantage of procurement discounts by accelerating net payment terms,” subjectively rated as high impact. Consider the same recommendation, objectively supported by data. “If we had taken advantage of the procurement discounts offered over the last year, we could have avoided $10 million in costs.” Which is more compelling and relevant to the organization?

How can auditors use data visualization to communicate audit results?

CERNAUTAN To be effective, visualizations must be social, interactive, and actionable. In an increasingly technological and social world, auditors can communicate visualizations more effectively using social media tools such as virtual storyboards. Incorporating elements of interaction further increases stakeholder engagement by allowing recipients to pull relevant information and trigger responses or actions based on what they see.

DAVIS Presenting data visually makes it easier to digest. You need to start with the message that you are trying to communicate, which in the case of audit results can be complex. Through the use of visualization, you can communicate a single message and answer detailed questions in a single image. For example, you can show the highest risk category over the last year by location from one visual as opposed to reviewing pages of detail. Visualizations do not need to be complicated. The key is to keep it simple with line charts showing trends over time and bar charts for non-time-based information.





IIA Calendar

AUGUST/SEPTEMBER/OCTOBER

IIA CONFERENCES
www.theiia.org/conferences

AUG. 16–18: Governance, Risk, and Control Conference; Gaylord Texan, Dallas–Fort Worth
SEPT. 11–12: Environmental, Health & Safety Exchange; Hyatt Regency St. Louis, St. Louis
SEPT. 18–19: Financial Services Exchange; Renaissance Downtown Hotel, Washington, D.C.
SEPT. 18–20: Southern Regional Conference; Hilton Austin, Austin, TX
OCT. 29–NOV. 1: All Star Conference; Bellagio Hotel, Las Vegas

IIA TRAINING
www.theiia.org/training

AUG. 7–9: Auditor-in-charge Tools and Techniques; Data Analysis and Sampling; Cleveland
AUG. 8–11: Various Courses; Chicago
AUG. 15–17: Auditor-in-charge Tools and Techniques; Beginning Auditor Tools and Techniques; Seattle
AUG. 15–24: Assessing Risk: Ensuring Internal Audit’s Value; Online
AUG. 21–30: Performing an Effective Quality Assessment; Online
AUG. 22–25: Various Courses; Dallas
AUG. 28–31: Various Courses; Palm Beach, FL
AUG. 29–30: Root-cause Analysis (pilot course, discounts available); Lake Mary, FL
SEPT. 5–14: Cybersecurity: Auditing in an Unsecure World; Online
SEPT. 6–15: Risk-based Auditing: A Value Add Proposition; Online
SEPT. 10, 13–14: Various Courses; St. Louis
SEPT. 11–13: Vision University; San Diego
SEPT. 11–20: ERM: Elements of the Process; Online
SEPT. 12–15: Various Courses; New York
SEPT. 19–20: Data Analysis for Internal Auditors; Online
SEPT. 19–22: Various Courses; Boston
SEPT. 21: Fundamentals of Internal Auditing; Online
SEPT. 25–28: Statistical Sampling for Internal Auditors; Online
OCT. 2–11: Fundamentals of IT Auditing; Online
OCT. 2–18: CIA Learning System Comprehensive Instructor-led Course; Part 2; Online
OCT. 3–12: Lean Six Sigma Tools for Internal Audit Fieldwork; Online
OCT. 23–27: Various Courses; San Diego

THE IIA OFFERS many learning opportunities throughout the year. For complete listings visit: www.theiia.org/events


Insights/In My Opinion

BY JIM PELLETIER

FROM RATINGS TO RECOMMENDATIONS

Behavioral psychology suggests internal auditors’ approach could benefit from more carrot and less stick.

Audit ratings may be the most misused tool in the auditor’s tool belt. Instead of motivating management to fix problems, ratings more often serve as a demotivator, answering the question, “How bad is it?” This is the wrong question, and it erroneously imposes a “stick” mentality. While ratings may get the attention auditors are looking for, they undermine any attempt to build strong, professional relationships and fail to encourage constructive behavior. If we believe in our mission as stated in The IIA’s International Professional Practices Framework — “to enhance and protect organizational value” — then the goal of any audit is not to demonstrate just how bad things are, but to encourage positive action in support of the organization’s goals.

Many internal auditors report long lists of open audit recommendations and management’s resistance to implementing them, ranging from passive-aggressiveness (ignoring the recommendations) to outright denial that any problems exist. Auditors will say that it’s not personal, that they are just doing their job. They often think the client should be mature enough to not take being audited personally. But when you are the subject of an audit that could potentially expose your weaknesses all the way up through the C-suite to the board, it’s unavoidably personal. Add to that the audit ratings — essentially bright flashing arrows pointing out problems — and you have the makings of a difficult relationship with management. How can auditors transform this stick into a carrot? To begin, it helps to understand a few basics on motivation.

What truly motivates people has been studied for years by University of Rochester researchers Edward Deci and Richard Ryan. Their research has culminated in what they call the self-determination theory (SDT), which posits that human motivation is optimized when three basic needs are met: developing one’s skills (competency), exercising free will (autonomy), and feeling connected with others (relatedness). According to SDT, motivation through common meaningful goals will trump negative reinforcement every time. The researchers also found that while negative reinforcement can be effective, the impact is often temporary and can incentivize undesirable behavior.

Instead of rating audit findings, internal auditors should prioritize recommendations. In other words, don’t focus on what is wrong — bring attention to the most important actions required to manage risks. The chief audit executive for the County of Los Angeles, Peter Hughes, explained at the recent IIA Western Regional Conference that he uses this strategy to great effect. Brilliant in its simplicity, the approach is future focused on solutions rather than looking backward at past mistakes. Most importantly, as SDT points out, by focusing on developing common goals via prioritized recommendations, management will be far more motivated to take ownership. Instead of grading their level of incompetence, give them the opportunity to implement solutions and demonstrate their competence, autonomy, and relatedness.

JIM PELLETIER, CIA, CGAP, is vice president, Professional Solutions, at The IIA.


