Displaying items by tag: Internal Audit

Monday, 03 October 2022 13:27

Governing Transformative Tools

As more organizations adopt analytics and automation, internal auditors can help assess risks and establish a governance framework.

Additional information

  • Content in English: Governing Transformative Tools
    As more organizations adopt analytics and automation, internal auditors can assist in assessing risks and establishing a governance framework.

    Gregory Kogan, Daniel Gaydon, and Douglas M. Boyle | October 14, 2021

    Competitive excellence demands the implementation of data analytics and automation technologies, such as robotic process automation (RPA) and self-service data analytics. These technologies allow organizations to collate and analyze data from massive data sets that are too large to compile in database and spreadsheet applications. In some cases, they can download a trial version and quickly build databases.

    Applications like this have driven global organizations to increase their investments in data analytics and automation technologies to streamline repetitive manual processes into powerful and effective automated processes. Annual worldwide spending on RPA technology is projected to grow from $3.6 billion to $42 billion over the next five years, according to Zinnov, a global management consulting company based in Bangalore, India.

    Yet, while intelligent automation can provide significant financial and operational benefits, it also can cause considerable reputational, regulatory, financial, and operational damage when it goes wrong. For example, if automation is left unattended, it could lead to errors in critical processes that affect accounting and financial reporting outputs. Internal audit can assist executives and the board in assessing these risks and establishing a governance framework in anticipation of exponential organizationwide adoption of automation and analytics applications.

    MEASURING ROI
    The driving force behind investments in process automation lies in the potential for realizing large annual cost savings, especially when these technologies are scaled throughout the organization. “For a mid-table Fortune 1000 organization with around $20 billion in revenue and 50,000 employees, automating 20% of estimated addressable activity through RPA could result in $30 million of bottom-line impact each year,” Deloitte reports in The Robots Are Ready. Are You?

    C-level executives responding to a 2020 Protiviti survey say the biggest benefits of process automation include increased productivity, better quality, stronger competitive market position, higher customer satisfaction, greater speed, and employee satisfaction from elimination of mundane tasks. However, respondents report encountering obstacles such as inability to prioritize potential RPA initiatives, concerns about cybersecurity and data privacy, high implementation costs, difficulty in scaling applications, and making a convincing business case.

    While the development time of RPA projects typically ranges from several weeks to a few months, self-service data analytics projects can be deployed even faster. Simple processes can be automated within a few hours or a few days.

    Traditionally, return on investment (ROI) on automation is measured by how many hours are saved. Both RPA and self-service analytics have demonstrated high ROI, when comparing resources invested in the automation projects to the value returned through capacity creation and efficiency. Value is realized by redeploying employee hours saved elsewhere, contributing to organizational productivity (see “Capabilities of RPA and Self-service Data Analytics” below).


    ASSESSING RISK
    To maintain risk transparency, it is essential for internal audit to create a risk-scoring mechanism that assesses each automation project based on applicable risk dimensions. Starting with the model risk methodology Allan Sammy describes in his June 2018 Internal Auditor article, “Auditing Analytic Models,” his scorecard can be expanded to include key metrics specifically pointed toward automated accounting and finance processes:

    Complexity. If the automation deployment is more complex in terms of processing steps, technologically, or is specialized/customized in a way that makes it more intricate, these deployments score higher on the complexity scale.

    Economic loss. An increased level of precision is required when failure could result in a direct or explicit economic loss to a client or counterparty.
    Consumer. Regulatory risk will be higher if the automation deployment produces outputs for reports that are intended for external regulators and will be audited or examined.
    Success rate. A historical computation compiles the success rate of the automation run over a prescribed reporting period, such as a month, quarter, or year.
    Dependency. When automation deployments produce outputs that serve as inputs into other automation deployments, dependency is higher, because an error in this type of automation will permeate other processes.


    “Risk Assessment of an Automated Process” (below) is an example of how a scorecard can be applied in an accounting or finance department. Each unique automation deployment risk is scored according to five dimensions unique to the automation environment of those functions. Internal auditors can use this method to assess the risk of each individual automation project deployment, which is usually related to a specific process such as a bank reconciliation.

    Because each automation deployment has a different degree of risk related to complexity, economic loss, ultimate consumer, success rate, and dependency, each project will carry a risk score across these five dimensions. By documenting the total risk of individual projects and their related processes, internal auditors can provide management with risk transparency over the automation portfolio and design risk responses strategically.


    GOVERNING THE DIGITAL ENVIRONMENT
    As companies deploy automation and analytics to accelerate routine processes and create efficiency, the biggest threat to success in scaling these programs is the lack of governance over the risks and controls in this new digital environment. Many organizations that have embraced digital transformation may still be operating under fragmented legacy governance structures that have failed to keep pace with the growth in data analytics tools. Worse yet, governance may be an afterthought, even as build after build propagates dependency after dependency, incrementally adding risk to the data analytics portfolio.

    This governance vacuum is compounded by a regulatory gap. For example, in the highly regulated world of accounting and finance, currently there is a lack of specific regulations or guidance on how to establish stable governance and internal controls for automated processes.

    Companies are subject to a variety of regulations and governance frameworks such as Section 404 of the U.S. Sarbanes-Oxley Act of 2002, The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework and Enterprise Risk Management–Integrating With Strategy and Performance, and the U.S. Federal Reserve Data/Model Governance framework. Each mandates that internal controls be effective, risks be managed, and quality of data inputs be high. However, existing laws and frameworks fall short of offering specific guidelines on how to assess the added risks that arise from operating in this new, automated processing environment. Internal audit can lead the governance effort over analytics and automation programs by focusing on three areas.

    Training on Analytics and Automation Capabilities. Internal audit can contribute to effectively auditing and mitigating risks in the automation and analytics environment by understanding these tools and their capabilities. This includes ensuring that training and development in this area are available throughout the organization.

    Leading Through the Analytics and Automation Governance Committee. The governance of analytics and automation programs usually occurs through an automation center of excellence or multidisciplinary governance committee. Internal audit should interface with these functions and take a leadership role in overseeing deployments of these technologies. This can enable internal audit to ensure that appropriate internal controls and end-to-end process assurance are embedded into the deployments from the onset.

    Identifying High-ROI Analytics and Automation Opportunities. Internal auditors can leverage their deep knowledge of organizational processes to advise management by identifying high-ROI analytics and automation opportunities throughout the organization, which can be challenging to find. By taking this proactive role, internal audit can contribute to the success of scaling the analytics and automation.
Tuesday, 05 October 2021 21:21

Recruiting the Best for the Future of Internal Audit

Since 2013, Internal Auditor magazine has showcased emerging leaders in the profession. Those chosen for this distinction each year are trailblazers under the age of 30 who are shaping and growing the profession through innovation, technology skills, creativity, and hard work.

Additional information

  • Content in English: Since 2013, Internal Auditor magazine has been showcasing emerging leaders in the profession. Those chosen for this distinction each year are the 30-and-under trailblazers who are shaping and growing the profession through innovation, technology skills, ingenuity, and hard work.

    The IIA’s celebration of youthful talent in the profession could be short-lived without a thoughtful approach to recruiting and serving the needs and expectations of even younger potential members.

    The IIA’s Internal Audit Education Partnership program supports development of internal audit curricula at participating colleges and universities. The program helps ensure graduates have the skills to conduct basic internal audits and prepares them to achieve the Certified Internal Auditor designation. However, it is not designed to inspire young people to become internal auditors.

    The changing dynamics of modern business demand that we do more. Change is occurring at lightning speed, and disruption driven by technology is part of the new normal. The next generation of internal auditors must possess innately agile, curious, and innovative minds, and encouraging young people who exhibit such drive to consider a career in internal auditing begins at the high school level. The IIA’s new strategic plan speaks directly to addressing this.

    Data from the 2020 Career Interest Survey by the National Society of High School Scholars suggest we have some work to do. It finds medicine and health-related careers (37%) the top choice of the more than 14,000 respondents. Another 17% chose business/corporate as an expected career path, which tied for second with sciences and biology/biotechnology. More traditional career paths for internal auditors — accounting/tax and finance/fintech — ranked considerably lower at 4%.

    In the coming months, we will explore new and creative ways to reach Generation Z and will develop strategies, tactics, and resources to address our opportunity as a profession. This must include supporting diversity, equity, and inclusion (DEI) efforts at all levels. I’ve noted before that beyond being the right thing to do, supporting DEI is as much a business decision as an ethical one.

    With the guidance and support of our North American chapters and affiliates around the world, we hope to soon reach out to high school guidance counselors or their equivalents to boost knowledge of the profession, dispel negative stereotypes, and encourage the best and brightest to consider internal auditing as a career.

    As you read about the impressive group of emerging leaders featured in this issue, I hope you’ll join me in seeking new ways to mentor and nurture the next generation. The IIA understands this begins at the local level, and we will work diligently with our members to build a pipeline of future-ready auditors.

The purpose of this research is to gather information on internal audit's involvement in environmental, social, and governance (ESG) programs within their organizations.

Additional information

  • Content in English: Thank you for your interest and willingness to participate in this survey. It will take approximately 10 minutes to complete. The purpose of this research is to gather information on internal audit’s involvement in Environmental, Social, and Governance (ESG) programs within their organizations.

    The outcome of this research will be shared with practitioners, academics, and stakeholders. Please note that your responses are anonymous. In addition, information will only be reported in aggregate and we will only disclose general information about respondents. Again, thank you very much in advance for your perspective and participation!
Wednesday, 22 September 2021 21:17

The Many Facets of Procurement Fraud

Procurement is one of the most important business functions, impacting strategy, operational performance, and risk management. Internal auditors are key players in the process, providing assurance that procurement practices foster access, competition, and fairness.

Additional information

  • Content in English: Procurement is one of the most important functions of business, impacting strategy, operational performance, and risk management. Internal auditors are key players in the process, providing assurance that procurement practices foster access, competition, and fairness.

    Internal auditors also have a responsibility to promptly identify and report deceptive activity, and provide recommendations that strengthen internal controls. Internal auditors must be alert to red flags for dishonest conduct in procurement activities that can lead to significant financial losses for the organization. Red flags can alert internal auditors to four common methods of procurement fraud and give them the foresight to make recommendations that prevent it in the future.

    Contractor Collusion
    To avoid competing with one another, or to inflate the price of goods and services, contractors in the same market will work together to circumvent a transparent and ethical bidding process. As a result, the procurement entity loses its right to fair, ethical, and competitive prices. Internal auditors should be aware of several types of collusion among contractors.

    Complementary Bidding. In an effort to influence the contract price and who it is awarded to, contractors intentionally submit false token bids in the procurement process that appear to be genuine. Token bids typically are too high to be accepted, appear to be competitive but do not meet other bidding requirements, or contain special terms and conditions known to be unacceptable to a potential buyer.

    Bid Rotation. Instead of bidding competitively, two or more contractors tacitly agree to submit tailored bids and conspire to alternate the business among themselves. Each contractor wins a portion of the total business.

    For example, Suppliers A, B, and C are bidding on three separate contracts. They agree that A's bid will be the lowest on the first contract, B's will be the lowest on the second, and C's on the third. So, no one gets all three contracts, but each gets a share. Meanwhile, they may also plan their bids to raise the contract price artificially. Often, losing bidders are appointed as subcontractors by the winning contractor to tide over their cash flow while they wait for their winning bid.

    Bid Suppression. Bids are suppressed when two or more contractors enter into an unlawful agreement, and one or more conspirators abstain from bidding on proposals. They also may withdraw a previously submitted bid with the goal of getting the desired bid accepted.

    Market Division. Colluding contractors may divide the market according to various criteria, such as geographic area or different segments. Firms that meet the same criteria will not bid against each other, may submit complementary bids, or may rotate bids. Market division also can happen via shell companies used to submit fictitious bids. This allows the real companies to inflate prices because the fraudulent bids are designed to validate the higher price quoted by the real bidder.

    When trying to determine this type of collusion, internal auditors may notice peculiar behavior from contractors, such as unqualified contractors consistently bidding high on each project while qualified contractors don't submit bids at all. The winning bidder uses the losing bidder as a subcontractor and losing bids are poorly prepared and designed to fail. In addition, prices fall when a new contractor enters the competition and there may be a pattern of conduct whereby the last party to submit a bid wins the contract.

    Collusion Between Contractors and Buyer's Employees
    A contractor or supplier may attempt to get an advantage in the bidding process by influencing the procuring company's staff with bribes, gifts, and hospitality. This results in a higher cost to the buyer through various inside schemes.

    Need Recognition. A procuring company employee who is in on the scheme may overestimate — quantitatively or qualitatively — the actual need of the product/service and convince his or her supervisor of the excessive need to get the procurement authorized.

    Internal audit should be alert to some common red flags to identify likely collusion. For example, the needs assessment may be inadequately developed or inaccurately documented. It also is likely that no alternative supplier has been identified, resulting in continuous procurement from a single source. Specifications may be drawn up in a way that only particular suppliers or contractors can deliver, and purchases may be made without receiving reports. Auditors also may come across excessive inventory levels or large write-offs to justify excessive purchases.

    Bid Tailoring. In this situation, the corrupt employee manipulates specifications to suit a preferred contractor or supplier and eliminate competitors. Specifications may be too narrow to accommodate the preferred supplier, too broad so that an otherwise unqualified contractor is qualified, or vague so that bid specifications are omitted to allow the preferred contractor to raise the price through contract amendments.

    Some red flags include weak control over the bidding process, one or few bid responses to invitations, a contract not being rebid despite fewer than the minimum bidders, or a high number of competitive awards going to one supplier. It also is likely that the request for bid submissions does not provide clear submission information, or the specifications for the type of goods/services being procured are too narrow or broad. Bid tailoring often is accompanied by a large number of change orders or variations after the order is placed.

    Manipulating Bids. Corrupt employees may tamper with bids to favor particular contractors or suppliers by using obscure publications to publish bid solicitations, opening bids prematurely, extending bid opening dates without justification, discarding or losing a bid, accepting delayed bids, falsifying bid registers, or altering bids received. Often, they limit the time for submitting bids so that only those with advance notice have time to prepare and submit. Unethical employees may even void bids for unsubstantiated, frivolous errors in specification or for other false, arbitrary, or personal reasons.

    Bid Splitting. In this case, employees break a large project into several small projects that fall below the mandatory bidding threshold and award some or all of the component jobs to a contractor or supplier with whom they are conspiring. Internal auditors should be alert for multiple, similar, or identical procurement from the same party, unjustified split procurements in amounts that are just under the upper-level review or competitive bidding threshold, or sequential procurements just under the upper-level review or competitive bidding threshold. This may be followed by change order abuse.

    Unjustified Sole-source Procurements. Dishonest employees may use noncompetitive procurement to exclude competition and steer contracts toward particular vendors. Justification for sole-source contracting occurs when the product is available from only the single source, when exigent circumstances preclude competitive solicitation, or when solicitation is deemed inadequate after a reasonable search.

    Telltale signs of this collusion include frequent use of sole-source procurement contracts — often to the same supplier — or requests for sole-source procurements when there is an available pool of contractors to compete for the project. Often, the procuring staff does not keep accurate minutes of pre-bid meetings or does not obtain the required review for sole source justification. Again, false statements may be made to justify noncompetitive procurements or justifications may be approved by employees without authority.

    Negotiated Contract Pricing Schemes
    Negotiated contracts are more common in circumstances where conditions are not conducive to competitive, sealed bidding. It is a contracting method that permits negotiations between the procurement entity and potential contractors. In negotiated contracting, potential contractors submit cost or pricing data, such as vendor quotes or already-attained discounts. Unethical contractors will intentionally use inaccurate cost or pricing data to inflate costs in negotiated contracts.

    Internal auditors should look for inaccurate or incomplete documentation provided by the contractor to support cost proposals. Sometimes, the contractor may delay providing supporting documentation for cost or pricing data, which may be inconsistent with actual prices or out-of-date pricing. It also is possible that the contractor does not include its negotiated discounts or rebates, or includes an unrealistic profit margin in pricing. Sometimes, contractors use different vendors and subcontractors during contract performance than the ones named in the original proposal. It is also possible that materials and components used are different than the ones included in the original proposal.

    Post-contract Schemes
    Fraud in the post-contract phase mainly focuses on contract management and payments made on contracts. Most organizations use an electronic accounts payable system with key controls around separation of duties between requisition, ordering, checking receipts of goods/services, and authorizing payments. Schemes are designed, often in collusion with in-house staff, to bypass these controls.

    Nonconforming Goods or Services. Here, the supplier intentionally delivers goods or services that do not conform to agreed specifications, substituting cheaper or inferior products. One red flag for internal auditors is a high percentage of returns or defects for noncompliance with specifications. Another red flag could be missing, altered, or modified product compliance certificates or compliance certificates signed by employees with no quality assurance responsibilities. Contractors and suppliers should not be allowed to select the sample of goods to be tested for quality assurance, prepare it for testing, or perform their own testing using their personnel and facilities.

    Change Order Abuse. Change orders and variations are written agreements between the procuring entity and the contractor to make changes to the finalized contract. This is a scheme whereby colluding parties — the contractor and the procuring staff — submit and accept a lower bid to win/award a contract and later bump up the cost via change orders or variations. These typically receive less scrutiny than the usual procurement contracts, which makes them vulnerable to dishonest contractors and employees looking to misuse and abuse established procurement processes for their own gain.

    Change order misuse often is characterized by poor internal controls, making it difficult for management to ensure that all change orders are really necessary for work that was unknown at the time the contract was awarded. Usually, procurement employees act out of scope and numerous change orders are justified on a variety of grounds, including the need to substitute more expensive alternatives, unavailability of material or equipment, change in price, and inflation. There is, usually, a repeated pattern of change orders that increases the price, scope, or agreement period. Internal auditors may also find questionable change orders favoring particular contractors.

    Cost Mischarging. Here, the contractor charges the procuring entity for costs that are unreasonable or unallowable. They also may charge costs that cannot be allocated directly or indirectly to the contract, or may mischarge for accounting, labor, or materials. Internal auditors should be alert to inadequate or absent audit trails supporting the costs charged. Sometimes cost estimates are inconsistent with prices charged or the contractor may even use outdated standards.

    Mitigating Fraud
    Internal auditors should be alert to distorted rationalizations used by staff and managers to justify noncompliance with established policies, procedures, and practices. Ultimately, it is management's responsibility to take appropriate steps to prevent fraud and minimize procurement risks. This is done through data analytics implementation, strengthening the first two lines in the internal control structure, and staff awareness and training to identify vulnerabilities in the procurement process. The overarching requirement is to improve organizational culture, whereby ethical breaches are identified and reported by employees early and rectified promptly.

Join The IIA in addressing ESG issues at the global level and advocating for independent internal assurance by calling on the SEC to establish a single disclosure framework for climate change disclosure.

Additional information

  • Content in English: IIA Comments to SEC on Climate Change Disclosure
    Supporting greater attention on the important issue of sustainability, The Institute of Internal Auditors (IIA) on Friday delivered a message to U.S. Securities and Exchange Commission Chair Gary Gensler, encouraging uniform climate disclosure by corporations and recognition of the role internal audit plays in providing assurance around complete, accurate, and reliable information.

    The IIA, a member of the International Integrated Reporting Council, is committed to addressing environmental, social and governance (ESG) issues on a global level and advocating for independent internal assurance. Internal audit, because of its holistic understanding of risks, is uniquely positioned to provide assurance on effective governance structures and systems of internal controls.

    “Business performance is no longer judged purely on short-term financial returns. ESG issues represent a broad range of risks, including to external supply chains, internal operations, third parties, general control weaknesses, data accuracy, human capital, and more,” writes IIA President and CEO Anthony J. Pugliese, CPA, CGMA, CITP. “A single system of climate disclosures would provide an opportunity for comparability among corporations and investors and allow for more informed business decisions that consider ESG impacts. This also would enable long-term organizational resilience.”

    Pugliese said internal audit, because of its holistic understanding of risks, is crucial to reliable and accurate disclosures and “would provide objective assurance, independent from management, that established control activities are properly designed and operating effectively, thus providing confidence and trust to stakeholders.”

    “Listed companies that publish climate-related disclosures,” he said, “should acknowledge to shareholders whether they have an internal audit function that is sufficiently independent from management. This would contribute to confidence in the markets.”

    Read the complete letter to SEC Chair Gary Gensler

The search for tomorrow's internal audit leaders is on

Additional information

  • Content in English: Internal Auditor's Emerging Leaders
    What defines an extraordinary internal auditor, and who represents the future of the profession?
    The search for tomorrow’s internal audit leaders is on. Internal Auditor magazine will recognize up-and-coming internal audit professionals in its October 2021 issue. What defines an extraordinary internal auditor? Innovation, integrity, business acumen, passion? Do you know a high-performing internal auditor who possesses the qualities to become a thought leader in the industry?

    Nominees must be members of The IIA and have, or be working toward, The IIA’s Certified Internal Auditor® (CIA®) certification. The magazine will not feature more than one emerging leader from the same company. Self nominations will not be accepted. All nominees must be age 30 or younger as of Dec. 31, 2021.

    Nominators will be asked to fill out a brief questionnaire and provide statements about their nominee’s performance in the areas of business acumen/leadership, service to the profession, community service, and innovative thinking.

    All nomination material becomes the property of Internal Auditor magazine. By submitting a nomination, you grant The IIA a license to publish the nomination material in Internal Auditor magazine. Those chosen as emerging leaders will be interviewed for the article. By agreeing to be interviewed, nominees grant The IIA permission to use their quotes in other materials. The emerging leaders will be asked to participate in various IIA initiatives throughout the following year to help bring forth the voice of The IIA's young professionals.

    Nominations are open April 1 through May 14, 2021
Wednesday, 25 August 2021 17:57

Hiring for Success

Internal audit's key role in addressing digital threats has spurred the need for cybersecurity expertise on the audit team.

Additional information

  • Content in English: Internal audit's key role in addressing digital threats has spurred the need for cybersecurity expertise on the audit team.
    Geoffrey Nordhoff | August 24, 2021

    Organizations are moving gingerly into the post-pandemic world with a heightened focus on cybersecurity, with overall cybersecurity spending projected to grow as much as 10% this year, according to IT research firm Canalys. Regulators — already concerned about cybersecurity — have ratcheted up their oversight, vividly illustrated by the U.S. Office of the Comptroller of the Currency's $80 million fine against Capital One last year (see "Capital One Data Breach" below). In fact, cybersecurity was one of the top-ranked risks identified by board members, management, and chief audit executives (CAEs) in The IIA's OnRisk 2021 report.

    In this environment, internal audit, as part of its oversight function, has a critical role of helping organizations manage cyber threats by evaluating risks and providing an independent assessment of controls. In turn, this role has spurred the need for cybersecurity skills in internal audit functions.

    The heightened concern around cybersecurity has inevitably increased the demand for suitably experienced auditors, says Jamie Burbidge, founder of Bickham Montgomery, a London-based internal audit recruiting firm. "Due to cybersecurity being a relatively recent concern for business leaders, the number of internal auditors at the senior level with relevant experience is quite small," he noted. At present, potential internal audit hires who have the experience and a good grasp of cybersecurity likely are coming from the Big Four accounting firms at slightly more junior levels.

    Regardless of the talent source, experts point to several skills and qualifications to look for when hiring. They also cite the importance of soft competencies, the need to plan ahead for resource needs, and the advantages of developing skills internally.

    The Right Expertise
    Shawna Flanders, director, IT Curriculum Development, at The IIA, says two general skills are important for internal auditors who will be involved in cybersecurity audits: data analysis capabilities and critical thinking. "Deploying critical thinking skills gives auditors the ability to determine how a cyber threat in the wild could impact their organization," Flanders says. Plus, they need to be able to use data to discover unusual activity, inappropriate access, and fraud, and possess a broad understanding of IT general controls as well as application, network, and information security controls, she adds.

    In addition, practitioners need to have a deep understanding of relevant threats, such as malware, ransomware or spyware, denials of service, phishing, and password attacks. Given the demands, internal audit functions should consider building dedicated expertise on their team, says Jim Enstrom, senior vice president and CAE at Cboe Global Markets of Chicago. The type of person who can fill this role probably has come up through a technology, cybersecurity, or consulting background, rather than internal audit, he adds.

    Ongoing training and an emphasis on more technical cybersecurity-related certifications should also be a focus area, Enstrom says. Certifications demonstrate a basic level of aptitude and indicate that a person is motivated for self-improvement and self-learning. The IIA offers several seminars on IT topics, including cybersecurity, as well as more than a dozen IT courses on-demand. In mid-July, The Institute launched its IT General Controls Certificate, demonstrating the certificate holder's ability to assess IT risks and controls.

    In addition, more universities are offering advanced degrees in cybersecurity, in which students also are learning the principles of assurance, as well as how to evaluate controls and risk. For example, the University of Central Florida in Orlando, which offers a certificate in cybersecurity, will begin offering a master's degree in cybersecurity and privacy this fall that will include a technical track covering topics such as hardware, software, and security, and an interdisciplinary track that addresses the human aspects of cyberattacks. These types of programs are an opportunity for recruiting, Enstrom says.

    Robert Berry, former executive director of internal audit at the University of South Alabama and now president of consulting firm That Audit Guy, says hands-on experience in cybersecurity is important in considering a hire. Berry says he would look for someone experienced in technology, especially with experience in how networks operate and are secured. "You want to look for somebody who is actively engaged and involved in the craft," he adds — the kind of person who builds his or her own network and tinkers with it, and who is active in chat rooms and forums.

    ​Capital One Data Breach
    The U.S. federal government's enforcement actions against Capital One in August 2020, which included an $80 million fine from the Office of the Comptroller of the Currency (OCC), illustrate its increased oversight of cybersecurity issues. The actions stemmed from a 2019 cyberattack that stole the personal information of about 100 million individuals. The OCC fine was the first significant penalty against a bank in connection with a data breach or alleged failure to comply with OCC guidelines. The OCC specifically called out Capital One's internal audit function, saying it failed to identify numerous control weaknesses and gaps and did not effectively report them to the audit committee.

    Training, Sourcing, and Collaboration
    Rather than hiring from outside, developing skills internally is sometimes a better option, especially in small- to moderate-size departments, Berry says. That way, the auditor is already familiar with the organization and with the procedures involved in conducting engagements, he explains. This approach also might be advantageous for a small department in an industry that does not pay well, which likely will have a hard time recruiting cybersecurity expertise, Berry adds.

    In a midsize department or a midsize organization with a small audit department, audit staff might not have the necessary IT knowledge. Keeping in mind The IIA's International Standards for the Professional Practice of Internal Auditing, the organization might consider a co-source provider, Enstrom says, adding that training, skill building, and certifications also are important for these departments. In addition, where the Standards allow, internal audit should consider collaboration with the organization's information security department, he says. Standard 1210: Proficiency, and Standard 2050: Coordination and Reliance, provide guidance in these areas.

    Seek Out Soft Skills
    "Curiosity is the cornerstone of internal audit," Berry says. "If you can't be curious and ask really good questions, you will fail in your career in audit." Soft skills are probably the most important skills, he says, because a person who possesses them can be taught audit skills. Critical thinking and other soft skills give internal auditors, especially those dealing in a technical area such as cybersecurity, the ability to communicate outside their area and to understand how a cyber threat could affect the organization.

    When he started Bickham Montgomery about 10 years ago, Burbidge found that technical proficiency was by far the most sought-after trait for companies when hiring internal auditors. Now, he sees more emphasis on communication skills as part of an internal auditor's role. "You need to be able to communicate, need to be able to persuade, need to be able to partner with the business," he says.

    Jeannie Alday, director of Internal Audit for Chatham County, Ga., says in hiring someone with an IT background, she wants to determine whether the candidate will be able to communicate with IT staff, and IT management, but also with county management and others who may have limited background in IT. "Those soft skills are huge, and they're not always easy to spot in the limited interview process," Alday says.

    Looking Ahead on Hiring
    Given the rapidly changing environment, cyber awareness is fundamental to the execution of an organization's strategy. "In any organization today, cybersecurity is one of the top risks," Enstrom says. In the present environment, boards, management, and other stakeholders need to focus continually on cyber risk and whether their organization has the right skills and resource strategy, he says. Importantly, organizations need to make necessary investments in skills and resources.

    Post-pandemic, hiring likely will become more challenging because of pent-up demand, Enstrom says, and demand already exceeds the number of candidates. As a result, audit hiring managers should think more creatively about compensation and other job benefits. He also notes that many cybersecurity professionals have had limited exposure to internal auditing and assurance, may see auditing as having limited opportunity for advancement, and might not consider going into the field.

    This perception underscores the necessity of selling the opportunities and value proposition of the profession to prospective job candidates. Compared with going directly into information security, internal audit offers the potential for greater diversity of experience and breadth of opportunity — working with senior executives and board members — and exposure to different projects, Enstrom says. Moreover, because of the importance of good communication skills, time spent in internal audit can be a great learning opportunity for someone who is less comfortable in this area.

    "Early in a person's career, working in internal audit really represents a great learning opportunity because you have so many different projects you can work on," Enstrom says. "I think we don't sell that enough as a profession."

    As another area of focus for hiring, Enstrom emphasized the importance of partnering with outside firms, or organizations that can help with the candidate sourcing process. He highlights one example — the Greenwood Project. "The Greenwood Project is a nonprofit organization dedicated to introducing Black and Latinx students to careers within the financial industry," he says. "We've had success working with Greenwood Project and we continue to look for ways to strengthen our relationship and promote the profession of internal auditing to Greenwood students and diversity candidates. In addition to accounting and business students interested in financial services, we have been working with Greenwood to promote an interest in IT audit, data analytics, and cybersecurity roles in the internal audit profession."

    Meanwhile, when recruiting through universities, internal audit functions need to look beyond the accounting and finance departments and build relationships with computer science and cybersecurity programs. "In my experience, many students in computer science or other IT disciplines are unaware of job opportunities in the internal audit profession," Enstrom says. "Given this, it's really important for the company and recruiter to understand and have relationships with faculty and staff in these colleges, not just the business schools."

    The bottom line? "You have to offer competitive salaries, and you have to be very clear and crisp in your value proposition — how internal audit will benefit them in their career," Enstrom says. Moreover, companies recruiting in the post-COVID-19 marketplace will need to think more broadly and consider hiring candidates from outside their geographic area.

Nearly a quarter of internal audit teams intend to implement cloud-based audit management or governance, risk and compliance software this year, according to a new survey.

Additional information

  • Content in English: Nearly a quarter of internal audit teams intend to implement cloud-based audit management or governance, risk and compliance software this year, according to a new survey.

    The report, by the Institute of Internal Auditors’ Internal Audit Foundation and the audit, risk and compliance software developer AuditBoard, surveyed 134 internal audit leaders and found that 22 percent of the respondents indicated they intend to implement cloud-based technology this year, resulting in a majority of internal audit teams using a cloud-based audit management or GRC software for the first time.

    The findings come as more auditors implement cloud-based technology, especially during the pandemic when many organizations have shifted much of their workforce to remote work from home arrangements. Hesitancy over adoption of cloud technology is giving way to practical necessity.


    “While automation of administrative functions offers clear and immediate benefits, internal audit is discovering the technology’s potential to drive departmental and business value,” said IIA COO William Michalisin in a statement last month. “This survey shows a positive step forward, with 22 percent of respondents saying they plan to implement cloud-based technology this year. As this report suggests, technology doesn’t merely complement the internal audit function, it’s crucial to more effective practices, allowing us to focus where it matters most and to elevate our value to stakeholders.”

    Plans for greater use of cloud technology indicate that internal audit departments are moving nearer to the cloud technology adoption rates of other business functions like the IT department. Internal auditors cited a number of challenges they encountered last year. A 52 percent majority of the respondents said identifying and evaluating new and emerging risks was their top challenge in 2020, while 43 percent cited the need to collaborate remotely with internal and external audit stakeholders. Communication and follow-up with business owners was considered a top concern by 38 percent of the internal auditors who responded to the survey.

    The top uses for audit management software cited by the survey respondents were document management, issue and action plan management, and testing and work reviews. One respondent indicated that internal auditors have more time for strategic activities when their administrative activities are automated.

    “Many internal audit teams that have not yet shifted to a cloud approach are now set to reap the benefits of modernization — including gaining greater bandwidth for strategic, value-add activities — and will be better positioned to protect their organizations from new and emerging risks,” said AuditBoard chief marketing officer John Reese in a statement. “They'll also get to equal footing with other functions within their organization who have already made the move to cloud-based solutions.”

    The report points to some of the advantages of cloud-based solutions compared to other technologies in that they are often more secure than manual solutions and are easier to implement and administer than on-premise systems. Cloud-based systems are typically offered as a service, reducing the cost of maintenance and offering increasing value over time, as new features and improvements are added to benefit older and newer customers. Cloud-based investments are considered operational expenses, which are often favored by CFOs and may have a streamlined purchase process compared to on-premise investments, which are considered capital expenses, often subject to extra scrutiny. When choosing which approach to take, chief audit executives should familiarize themselves with the organization’s operational expense and capital expense approval processes, the report advises.

    Separately, former IIA president and CEO Richard Chambers, who recently left the IIA after running the organization for 12 years, has joined the board of SWAP Internal Audit Services, a company in the U.K., as its first independent non-executive director, starting April 1. He also recently formed his own firm, Richard F. Chambers and Associates LLC, with the mission of informing and inspiring internal auditors and illuminating the potential of the profession globally.

Additional information

  • Country: Global
  • Event type: Paid
  • Event start: Wednesday, 25 August 2021
  • Event end: Friday, 10 December 2021
  • Specialty: Technology
  • Event location: Online

Practice test for the new Certification in Risk Management Assurance (CRMA)
