In the full video interview below, MISTI's Director of Instructional Technologies and Innovation, Shawna Flanders, discusses where internal audit stands today as it relates to cybersecurity, and offers up some tips on increasing collaboration between the audit and information security functions.
It's not only the information security department that needs to stay on top of cybersecurity regulations. Internal audit also plays a big role. In this interview with MISTI's Shawna Flanders, she discusses the regulations internal audit should keep top of mind.
People choose a line of work for a variety of reasons. Sometimes it is because it pays very well, or it is what our parents steered us towards. It could be because it is the only job in town or because it is glamorous. Regardless of the circumstances and career path that brought you to internal audit, an important question begging for an answer is: Why do you stay?
Traditionally, internal auditing was done retroactively. While our methodology has relied on this practice and it has been used widely for a long time, one of the issues with this after-the-event approach is that the actions have already occurred. It is based on auditors focusing on issue detection.
Receiving feedback is an essential element in every internal auditors’ development. In this feature article, MISTI's Dr. Hernan Murdock provides seven key practices that should be part of this process to make it most effective.
There’s a big difference between a few butterflies and paralyzing fear when it comes to public speaking. When it comes to giving a great presentation, it’s not just what you say, it’s not just how you say it, but it’s the combination of those two things along with the experience you provide and the feeling you leave your audience with that creates results.
Those entering the internal audit and compliance professions often wonder what they need to do to succeed in their new careers. There is a lot to learn. In fact, the general advice is to become lifelong learners. But there is also the constant pressure from within the department. Here, MISTI's Dr. Hernan Murdock lists nine skills and actions essential for success.
The work of internal auditors and compliance professionals is filled with frameworks, regulations, and policies and procedures documents that define the path for operational effectiveness. Follow those guidelines, manage risk effectively and the likelihood of success increases. But what about our own success?
Your organization has decided to take the important step of creating an internal audit function, and you’ve been tasked to build it. Building out teams from scratch is always a challenge, but internal audit departments have an especially important role.
Here’s the truth about editing: editing is vital to producing a good audit report. It’s also tricky and time-consuming. Editing includes content changes, proofreading, grammar, wording, format, structure, and multiple revisions.
In part four of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with Todd Shaffer, senior vice president and chief risk officer at Johnson Financial Group, who discussed how internal audit leaders are approaching cybersecurity issues today.
In part three of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with Patti Puccinelli, vice president of audit advisory services at ManpowerGroup, who discussed why it’s so important for internal audit leaders to continually keep pace with the latest skills and competencies required for the function to achieve its objectives.
In part two of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with David Holland, director of internal audit at Modine Manufacturing, who shared his thoughts on the state of resources for the modern-day internal auditor.
In part one of this four-part series on internal audit priorities in 2019, Internal Audit Insights caught up with David Cook, managing director of internal audit at Robert W. Baird, who shared his thoughts and advice on how audit leaders today can realign their resources effectively.
In this feature article, communications expert Jill Schiefelbein provides internal auditors with three simple, important rules to help you communicate in a way that will position you as a more confident communicator within the business.
It’s easy to overlook your own grammar errors. But you’ll be a better writer if you become mindful of your writing and correct your own editing mistakes. Here are five common editing mistakes we all make or might have questions about. Maybe a couple will resonate with you.
Robots are having a growing influence on organizational practices and this dynamic is of great interest to internal auditors and compliance professionals who examine the impact of these technologies on organizational objectives, risks and controls. But they also present a growing concern as the work performed by internal auditors may be replaced by machines.
The work of internal auditors and compliance professionals is complex, challenging and often, unfortunately, under-appreciated by their clients. What makes matters even more stressful for these professionals is that their managers sometimes micro-manage them.
Evidence is something that provides proof and it proves or disproves something. It is presented as verification of the facts at issue and generally includes the testimony of witnesses, and the examination of records, documents, and objects. This feature by MISTI's Dr. Hernan Murdock, examines the qualitative elements to consider when it comes to leveraging high-quality evidence.
Performance auditing is the review of a program or process, and the systems supporting it, to determine whether it is achieving the primary goals of efficiency, effectiveness, and economy in its use of available resources. These reviews are often done in government and non-profit entities, but they are equally important in the for-profit sector.
To become trusted advisors to management it would help if we spoke the same language they do. While auditors and compliance professionals often talk in terms of controls, and increasingly in terms of risk, managers and business leaders often talk in terms of costs, benefits, revenue, reputation, and market share.
Internal auditing is a complex field of work that is undergoing significant changes. Today's internal auditors are tasked with managing their careers, so they remain relevant in the short and longer terms. Given this complex environment, it is not surprising that mentoring and coaching have emerged as essential tools to help auditors grow professionally.
Transitions are those juicy, bite-size gourmet words that connect ideas, sentences, paragraphs, and even sections. Too often, we can misuse, overuse, or omit transitions. This article covers how to use transitions to improve clarity in your reports.
Last month in an article about setting the stage for better decision-making we learned about four elements that you should be considering before you even form the words you want to say. This month it’s all about the messaging.
One of the most overlooked, but essential, elements of the persuasive process is establishing a definite need in your to-be-persuaded-audience’s mind. In other words, how does the client know that they need what you have to offer? Here, we explore the topic.
Internal auditors must engage in lifelong learning. They are increasingly participating in webinars, consuming online content, and listening to podcasts. While all of these actions are conducive to learning, there is another learning opportunity that many internal auditors and compliance professionals may not be familiar with: Symposiums.
So, what exactly does an IT auditor do? In this article, we provide a broad breakdown of an IT auditor's responsibilities, the necessary skills to become one, how an IT auditor interacts with other roles throughout their organization, and more.
There are some common communication mistakes that junior auditors make. Lucky for you, this article is going to point these foibles out and show you how you can change the trajectory of your communication to show confidence, not self-consciousness.
In migrating to the cloud, many challenges are present, and perhaps one of the largest challenges is updating an organization’s overall GRC program. Here, we've gathered a number of things that IT auditors should know about IT GRC in the cloud.
Much internal audit work has focused on financial transactions and controls. Now, many auditors are adding supply chain audits to their responsibilities. In this feature article, we've broken down some of the common risks associated with supply chains.
If you work for a global company, chances are your documents are undergoing some sort of language translation – from English to other languages or vice versa. But even if your company doesn’t do any translations, learning how to write for translation can improve your skills as a writer and create sharper audit reports.
The Three Lines of Defense Model provides a framework to clarify the involvement and alignment of multiple assurance providers acting on behalf of their client organizations. It has become increasingly common to have various risk and control professionals working side by side to help their organizations manage risk and increase the likelihood of achieving strategic and operational goals.
As we work toward the thick of the year, we've compiled a list of which cybersecurity regulations could be impactful this year, some of the challenges that they could present, and the reasons behind some of the changes we've highlighted below.
As fraud investigations get folded into the internal audit department, some audit shops are tempted to frame a fraud report in the same format and tone as the audit report. The idea couldn’t be more wrong. Read on for ways to present a full and succinct fraud investigation report using report design, content, and tone.
In internal audit, the methodologies of the past may have made the organization successful, but there is no guarantee that those same procedures will lead to success in the future. In this featured article, MISTI's Dr. Hernan Murdock highlights some examples of ways that innovation can help internal auditors, but most importantly, outlines how they can get started.
Every company has a different way to communicate and a different report format to use. Well, there is no best way – each format has its pros and cons and you have to weigh the benefits of each format for your audience.
Most advice people have regarding decision making is along the line of, “weigh your options”, “get outside advice from a trusted source”, or “look at the cost-benefit or ROI”. That advice is fine and dandy, but it ignores one key fact: If the stage on which the decision is made isn’t set appropriately, the decision may not be the best. Here are four steps to set the stage for productive conversations and more efficient decisions.
Fraud costs organizations millions of dollars each year. Simply Google the phrase “fraud scheme,” and you will discover more news stories than you have time to read. If auditors do not detect and stop a fraud scheme, they have cost their organization real money. So, another question for you: Do you want to explain to your audit committee why your department did not detect a $63 million fraud?
You’ve read a bazillion articles on data analytics theory (ho-hum) in auditing. And we'll be the first to say that we've written a variety on this site. But this time around, let’s focus on how to actually use those data analytics in a single audit area: risk assessments.
Internal Audit Insights catches up with Nancy Luquette, senior vice president and chief risk and audit executive at S&P Global, who shares her take on the state of women in internal audit in 2019 and the challenges many female practitioners face, but more importantly, how they can overcome them.
Internal Audit Insights caught up with Jami Shine, corporate and IT audit manager at Quiktrip Corp, who shared some proven advice on how non-technical auditors can overcome some of the challenges associated with IT risks.
And just like that, another year has gone by. We've had a blast providing you with insights all throughout the year, covering audit report writing, project management, and coverage on emerging technology. Here we've compiled a list of the most read articles.
Effectively closing the audit plan and landing on specific action items to pursue can be a challenge. In this contributed article, Workiva's Ernest Anunciacion provides three steps to close this year's audit plan and prepare for next year.
Communication's expert Jill Schiefelbein chats with Internal Audit Insights and offers up her take on what makes audit interviews so difficult for the modern-day internal auditor, and also offers up specific advise you can use during your next audit interview to ensure you're navigating those encounters effectively.
In this edition of the Audit Writer's Hub, we specifically tackle some of the pesky nothings – unimportant sentences, filler phrases, and negative phrasing – that creep into our writing and how to get rid of them.
Professional skepticism is a critical component of an internal auditor's duty of care that applies throughout any engagement. It's an attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence. Here are the three key elements of skepticism you should know.
In this video interview with Internal Audit Insights, Constance Snelling, director of IT risk at Jackson National Life, offers up the essential skills that are needed to be a successful IT auditor today and how this ties into performing an integrated audit.
There tends to be a fair amount of confusion when it comes to a fraud risk identification approach versus an experience-based approach but here we set out to create a list of universal definitions intended to clarify how and why you might use this approach.
As auditors, we all know that internal audit is uniquely positioned to understand where risks lay within an organization. But sometimes audit doesn’t get the opportunity to communicate the company’s risks to a broader audience. Here, we share a few ideas to help internal audit build bridges between knowing, communicating, and fixing risk in a company.
Many internal audit teams are not using video conferencing and virtual meetings to their advantage. When they're set up for success, research shows that virtual teams can be more effective in solving quick, simple problems than face-to-face teams.
With increased access to cost-effective and user-efficient digital communication technologies that allow people to intentionally or spontaneously connect from any place, at any time, we have opportunities to collaborate like never before.
A great deal has changed over the years when it comes to risk, including the willingness and interest of CAE’s, Audit Committees and Boards to talk about risk. As part of the increase in dialogue relating to risk and risks on the horizon much has been written and discussed. Here, Experis's Alec Arons consolidates that information.
As an internal auditor, it’s not just your words, it’s the absence of words or untimely words that could still convey a message to an audit client. It’s not only your actions, but it’s also the lack of action. All of these aspects result in communication. Communications expert Jill Schiefelbein explains more.
Histograms are a very powerful tool to analyze data because they show the distribution of a continuous variable in a diagram and their appearance is similar to bar graphs. In this feature article, MISTI's Dr. Hernan Murdock explains how internal auditors can leverage them.
Persuasion is an important aspect of internal auditing that doesn’t receive enough attention or coverage. Internal audit's job is to verify that conditions and practices are as expected, and to identify opportunities for improvement within organizations. But how does persuasion play into this?
Is serving as an advisor and maintaining internal audit’s essential responsibility of objectivity, free of management influence, possible? Spoiler alert: Yes. And it’s both necessary and crucial to the internal audit profession’s standing in any organization.
In a perfect world, the client is receptive, understands each recommendation, and takes immediate corrective action. But we all know that perfect world doesn’t exist. In this informative feature, communications expert Jill Schiefelbein explains what internal auditors can do to make audit clients more receptive to their communication.
Internal Audit Insights catches up with Yulia Gurman, Director of Internal Audit and Corporate Security at the Packaging Corporation of America on the common questions that audit committee members have tied to cybersecurity, and what IT auditors should prepare for.
In audit report writing, we’re all pretty well tethered to writing the 5C’s of an audit issue, namely the criteria, condition, cause, consequence, and corrective action. In this edition of the Audit Writer's Hub, MISTI instructor Sarah Swanson focuses on criteria.
Internal auditors do not always come into the profession knowing how to write well. That's why there's so much material available on writing clearly. Internal auditors do not always come into the profession knowing how to write well. But what if there was a way to transform an internal auditor's written and spoken communication?
Rapidly accelerating pressures are fueling the need for the internal audit profession to transform its thinking from being financial controls-centric to shareholder value-centric. Here's how internal auditors can adapt to this "new normal."
We’ve provided tips on how internal auditors can become better presenters, but in this feature article communication’s expert Jill Schiefelbein highlights some visual cues internal auditors should take note of; from physical gestures to furniture placement.
The balanced scorecard is a system used for planning and management to make sure business operations are aligned with the organization’s mission, vision, and strategy. In this featured article, MISTI's Dr. Hernan Murdock explains how you can use it to your advantage.
As the business world changes at an accelerating rate, auditors need to keep up or risk becoming irrelevant and unable to provide the insight that will allow their organizations to succeed. That means they’ll need to continually add to their skills and knowledge.
By Terry Hatherell, Deloitte Global Internal Audit Leader
August 14, 2018
As organizations continue to evolve and innovate, new risks arise. Meanwhile, the larger business environment continues to change, often rapidly and in unexpected ways. This places new demands on the internal audit function.
With distributed workforces and flexible workstyles, virtual team meetings are becoming commonplace in the internal audit function. Many times, though, virtual meetings aren’t taken with the same level of seriousness as in-person meetings are.
If you’ve ever read or written a sentence along the lines of “Financial misstatement could lead to financial loss,” or “Non-compliance with policies” (what does that even mean anyway?), then read on for some tips to improve the risk statement.
The value of a strong "tone at the top" cannot be underestimated as it can improve a company's performance. The benefits of a strong tone at the top should be of interest to leaders in all departments within every organization. Here's what you can do to evaluate it.
Scatter diagrams can help find the answer to many questions. Internal auditors can leverage them to analyze pairs of numerical data and show the relationship between two variables. In this feature write-up, MISTI's Dr. Hernan Murdock highlights their benefits.
The European Union’s GDPR is officially in effect, but that’s likely not the last regulation that will be implemented that has an impact on the internal audit function. Here’s what you should consider five years from now.
Creativity is the use of imagination or original ideas, but it's not that important for internal auditing. Given that reporting rules and regulations are non-negotiable, there is little room for creativity and original ideas, right? Wrong! Here's what you can do to be creative while conducting audits.
The presentation skills that you were likely taught in high school and college in no way prepared you for the reality of delivering reports in front of boards and audit committees. This article is your crash-course in small group presentations and gives you two key areas to consider.
Rotational auditing has been a fishing hole for years. The pros and cons have been fished around too. And then fished around some more. Auditors have a way of fishing. But paddling deeper into audit's consulting water, rotational auditing could provide a venue for teaching risk awareness.
After 25 years in internal audit, I have come to the conclusion that excellent audit planning is essential to ensuring an effective audit. What is a successful audit? A good measure is whether both audit management and the auditee feel good about the end results.
Fastpath’s Keith Goldschmidt discusses who the real owners of risk are within the enterprise, but also offers up insight on what IT audit can do to help streamline communication and do their part in creating a “risk culture” within the business.
Numbers and fancy charts are only able to tell part of the story for internal auditors. If you want your reports and your data to come alive for your clients, you need to make your words matter. Words, when it comes to driving action, are your most valuable currency. Here's why.
Internal auditors have been working toward shedding the "corporate cop" label given to them within the enterprise. But what is a trusted advisor? What do they do and what behaviors are necessary to become a trusted advisor?
The Sarbanes-Oxley Act of 2002 Section 301 requires publicly-traded companies to have a whistleblowing program. But, how do we know if the program is effective? This article should help get you on your way.
When salary is fixed and the perks are what a Gen Xer would like but maybe not a millennial (i.e., catered lunches, unlimited paid time off, yoga hour), how does an audit shop change their philosophy to cater to the younger crew? Below we explore different ways to motivate a millennial auditor.
To continually operate more efficiently and add greater value to the business, internal audit has to boost its performance throughout each stage of the audit cycle. The guidelines below can help you improve the risk assessment, planning, execution, and reporting stages of the audit cycle.
We recently discussed the intersection of emotional intelligence and strategic intelligence. Here are some more common strategic areas to look at. One of these may be similar to your company, or maybe you have some additional strategic areas too. We’d love to hear about them.
Infusing an audit with strategic intelligence can be a little uncomfortable. But a little stretch does an auditor (and the company) good. Here, we've provided a few tips to articulate the big picture to your team and your auditee.
If continuous auditing doesn’t strictly mean automated data analytics or fancy software, then it means a larger group of internal audit shops can employ continuous auditing. This article highlights five ways you can continuously audit your business without all the software and by just using your brain.
As an Internal Auditor what you do is NOT your title. It's NOT your longevity in the field. It's NOT a credential. However, as an internal auditor the question "What do you do?" typically doesn't receive a straightforward answer. Here we provide you with an activity that will get you thinking about what you DO, and help you communicate it effectively.
In this feature article, we caught up with some top subject matter experts that shared their best advice on how internal auditors can develop stronger relationships with their colleagues in the functions that make up the second line of defense.
Even if you’re a dollar-menu writer now, that does not mean you always will be. Anyone can become a gourmet audit report writer. Over the next few weeks, Audit Writer’s Hub articles will focus on specific writing tips to help you begin crafting your gourmet issues. This week, we look at passive voice.
Developing a strong working relationship with audit clients goes a long way, but that can be a lot easier said than done. In this post, we examine 7 areas that internal auditors can focus on that will help them improve their relationships with audit clients.
By improving the tone of the audit report, auditors maintained – if not, increased – the integrity of findings and developed better relationships with their clients. Rather than brutal honesty, auditors became humanely honest. Here are four strategies to improve tone in your audit reports.
If internal auditors are auditing people, then they need to have a humane approach. And to audit humanely, they need to show a degree of emotional intelligence. Here are five skills that can get you on your way.
Small internal audit team, small budget. Large internal audit team, still small budget. What do you do to make sure you get the most out of your internal audit dollars? Here are some ideas to consider when making every dollar count.
Performance reviews are often viewed as arduous, time-consuming tasks. But they don’t have to be. Business communication expert Jill Schiefelbein dissects the two different aspects of evaluating one's audit team.
A quick ask on social media about pet peeves in email etiquette unleashed a tirade of email annoyances from friends and acquaintances. The list of email frustrations is enough to make anyone self-conscious, because we’ve all committed email blunders of our own. This week, we review email etiquette for auditors.
If you're an internal auditor and are in the midst of creating a quarterly summary right now, we have people here who have created and delivered plenty of quarterly summaries to audit committees. Here are some of the ideas they shared that you should follow.
In this recent video shot at MISTI’s ITAC Conference, INARMA's Jason Claycomb gives his take on the state of auditing social media in the enterprise, and what steps internal auditors can take to monitor the risks associated with the technology.
Since the cards might feel a little stacked against the auditor at the cybersecurity table, let’s define a few Aces in the hand that you can use when you’re auditing cybersecurity and communicate helpful root causes and risks.
If done well and communicated properly, reporting the root cause can be the glue your report needs to tie findings to the overall health of the company and create significant change for the business. This article provides some strategies to use in writing and communicating root cause in audit findings.
Given the talents and skills that auditors possess (analyzing data, spotting trends, forming conclusions), auditors are in a perfect position in a company to be part of data analytic innovation. This article proposes a plan to fill in the gaps and implement data analytics in the business.
At times, internal auditors don't explain to their clients that processes should be built to operate error-free. Even when controls detect errors, customers report gaffes, or sheer luck saves the day, these events often cause re-work. Here's what you can do to help your clients prevent mistakes.
You picked them! Here's a look at the most read articles published on Internal Audit Insights in 2018. From building great audit teams to writing an audit report that gets results, you'll find a unique mix of some engaging content that answers some of your pressing questions.
Raytheon's Thomas Sanglier discusses the positive impact that the internal audit function can make when it comes to handling outside audits, the challenges this task can present, and how to overcome them.
For those that do integrated audits, the concept is a no-brainer. Integrated audits are an efficient, holistic approach to the business. But, if the idea of integrated auditing is untapped, then it’s a brave new world to check out. Below are some points to get the conversation started in your company.
Forrester Research's Robert Stroud discusses the current state of the enterprise as it relates to IT auditors and why it’s important to bridge the gaps between audit, IT audit, compliance, and security within organizations.
Today, we’ll be cleaning out the metaphorical “auditor’s closet.” The auditor’s closet comes stashed with a variety of documents that identify, document, record, and communicate specific controls for both you and whoever needs to review these controls in the future.
Change is hard no matter what. We’re more apt to change when we’ve made the rules. When we’re forced to change – like being subjected to an audit – that’s a large horse pill to swallow. But there are things that auditors can do to make that horse pill go down smoother.
Fraud and corruption are all around us. As internal auditors, if we're so heavy handed with the few “sinners” we catch, won’t the large majority who didn't get caught breath a huge sigh of relief and just try even harder to stay hidden?
As internal auditors apply risk-based auditing techniques to their reviews and increase their focus on the needs of customers to achieve organizational aims, it is essential to gain a panoramic understanding of the process. The SIPOC diagram can help.
As an internal auditor, there's nothing wrong with having passion for what you do. Passion supports the search of truth and ensures objective momentum to a conclusion. But it's important to know that emotion, on the other hand, is not passion.
Believe it or not, some orchestral tunes offer up important bits of wisdom that can easily apply to the internal audit function. In part one of this two-part series, Dan Clark describes what internal auditors can learn from Joseph-Maurice Revel's "Bolero."
When is the last time you looked for your name on the internet? Which of the links and images are tied to you? More importantly, where does all this information come from? Here are 13 important tips to leverage at your organization to ensure online privacy.
Where companies may do some variation of a rotational program, perhaps using rotational auditors is an untapped resource in your company. If rotational auditing sounds like something you’d like to try – do it. We put together a few steps to get going in that direction.
The cyber threat landscape is evolving and as an internal auditor it's important to become familiar the risks the organization is facing. Here are 11 helpful tips you can leverage to make sure your company steers clear of known exploits.
As the audit quarterback, you get to work with the entire team to overcome these fears and crush the meeting (in a good way). Here are some points to consider as you huddle up and plan for a successful audit.
Just because a company has a robust risk management system in place doesn't guarantee that it will actually manage risk well. An ineffective manager will mismanage risks, no matter how strong the risk management system is.
Internal audit can provide assurance to their board and executive team whether or not a process is in place to manage risks of third parties maintaining critical data, and that third parties have their data protection controls in place.
Good content is necessary, but ensuring that good content is written well is another experience on its own. Here, we dive into three areas that improve sentence flow: topic sentences, transitions, and filler phrases.
The following seven CAE best practices may help you both better position your team to improve the performance during each of their projects and better position internal audit as a go-to resource for business leaders.
Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes. So why have some internal audit departments still not embraced it?
Most companies that have embarked on an enterprise risk management (ERM) initiative are still in the earliest stages or have struggled to demonstrate benefits. Here are five opportunities to enhance ERM and add value.
Data reveals that compliance modernization seems to be eluding most companies due to a host of reasons, and internal audit can play an important role in identifying areas of improvement. Here are five signs the compliance function needs fixing.
According to a recent MISTI survey, internal auditors say their internal audit seniors and managers most lack data analytic skills, understanding of IT auditing concepts, and ability to influence and persuade.
Internal auditor spotlight with Tony Redlinger of IHS Markit: We recently sat down with Tony to talk about the challenges of being an IT auditor, what's next for cybersecurity, integrated auditing, and more.
The high-publicity WannaCry attack has many companies reviewing their protections against ransomware and other cybersecurity attacks. Here we provide five preventative controls that IT auditors should ensure are functioning properly.
It's safe to say that popular culture hasn't been kind to internal auditors. The few references to the profession in television, movies, and books either confuse them with accountants or portray them as disliked corporate stooges or nerdy paper-pushers.
By now, we've probably all heard as much as we care to about the need for internal audit to move from acting as a policing function to that of a trusted business partner. Indeed, many have moved in this direction during the last several years.
We love our national holidays and, with a little help from Twitter, those lesser known, quirky commemoratives like national doughnut day, national left-handers day, and national roller-coaster day are making their way into our collective awareness.
As IT auditors, we've audited mainframes, servers, applications, and many other IT devices and systems for years and have become proficient in determining the reasonable effectiveness of a company's suite of controls to safeguard them.
More than eight years removed from the start of the financial crisis that caused a full-on risk management freak-out across Corporate America, it appears risk management programs are still not up to snuff.
As we say goodbye to 2016 and hello to 2017, it’s a good time to reflect on last year’s successes and missteps. The New Year provides a great chance to pause and consider some self-improvement opportunities and goals for the next 12 months.
The consequences of a cyber-attack—including a hit to reputation, lost customers, diminished credibility, and the cost of repairing the damage, just to name a few—are such that companies will do everything they can to defend against them.
Starting in January expect the gyms to be packed as many people look to make good on their New Year's resolution to get in shape and shed those few extra pounds they may have picked up during the holidays.
To whom should the chief audit executive report? That question has perplexed companies for decades. Once an underling of the finance or legal departments, many companies have made the CAE a direct report to the CEO.
We recently caught up with Michael Gallagher, managing director at CBIZ Risk & Advisory Services, to talk about how risk silos can crop up at companies, the dangers they present, and how organizations can dismantle them and manage risk in a more holistic way.
Several themes emerged during this year's SuperStrategies 2016 event, which was held in September in Las Vegas, as internal audit executives gathered to learn and exchange ideas on successful strategies and to gain insights.
In the latest edition of our video series "MISTI on Audit," Joel F. Kramer, vice president of audit curriculum at MIS Training Institute, talks about internal audit's role in detecting and preventing fraud.
Some risk managers may feel like they are in the failure portion of a late-night TV infomercial these days. Perhaps they even hear that deep TV announcer voice in their heads: "Is your organization drowning in risks that are becoming harder and harder to quantify?
From preventing failures in regulatory compliance to helping avoid devastating harm to the reputation of the organization from headline-making security breaches, IT auditors have an obligation and value-adding opportunities to assess enterprise vulnerabilities.
Among the most powerful tools these days to detect and deter fraud is data analytics. While some internal audit departments struggle to use sophisticated analytics tools and continuous monitoring, those that do have a leg up on rooting out fraud and finding it in unlikely places.
As internal auditors begin the process of planning audits for 2017, they are also looking to refine that planning process, which, of course, depends a great deal on risk assessment. With an intense focus on adding value, risk assessment and audit planning are as important as ever.
Whether it's data analytics; governance, risk, and compliance solutions; or planning and collaboration software packages, most internal audit departments are looking to improve their use of technology as they strive to do more with less.
It's no secret that internal audit departments are doing a wider variety of audits that increasingly take them outside the financial reporting sphere. They are also changing the way they staff the department to keep up with that trend.
As you may have heard, healthcare organizations have been under attack during the last three-plus years by various types of malicious hackers. The biggest of those attacks came against a healthcare payer organization which had over 100 million of its healthcare records exposed to a hostile government entity.
It's often said that the regulatory response to a large financial scandal or series of frauds will be swift and sweeping and that it will do absolutely nothing to stop the next series of frauds or scandals.
It's not often that you hear about auditors and accountants in the same breath as aid workers, healthcare providers, or charity workers. Indeed, you won't find internal audit on Forbes' list of the 25 Most Meaningful Professions.
Cash rebates, free media inventory rebates, markups from 30 to 90 percent, dual rate cards, and non-transparent business practices are all things that can keep senior audit managers and audit committee members of the board awake at night.
For the last few years we've been hearing about the skills and traits needed for good internal auditors. The lists generally include things like communication skills, critical thinking, IT savvy, and business acumen. Add one more to the list: "courage."
It's hard to justify recruiting great talent, investing in training, and passing on company knowledge, only to find that those recruits eventually leave for competitors because they didn't feel engaged.
The Securities and Exchange Commission has awarded more than $22 million to a whistleblower this week, putting the agency over $100 million in total whistleblower bounties awarded since the program was established in February 2011 under the Dodd-Frank Act.
Everyone knows that culture is set at the highest levels of the organization. We may all be tired of hearing about "tone at the top," but it's never been more important. Apart from influencing the culture of the organization as a whole, executives—especially the CEO—have a big role to play in setting the risk culture.
In this first installment of our new series, "MISTI on Audit," Joel F. Kramer, vice president of internal audit curriculum at MIS Training Institute, offers some advice for leaders of small audit departments on how to get the most out of a small team and a small budget.
You can have an army of risk managers and all the sophisticated risk-management models and tools you like, but if there is something wrong with the culture of the organization and what we all now call the “tone at the top,” they won’t work.
Companies might want to review their severance agreements and other employment contracts in light of a recent Securities and Exchange Commission ruling. The SEC is taking issue with language that discourages employees or former employees from raising concerns about wrongdoing to its whistleblower office.
Data analytics is supposed to be the great savior of the internal audit function. It has been heralded as the set of tools that will give organizations new insights into risk management, fraud, and corruption.
One of the big themes of the Audit, Risk and Governance Africa conference held by MIS Training Institute in Accra, Ghana last week was how to position internal audit for the future and how to ensure that the function continues to add value in the organization and remain relevant.
Social media sites are becoming a bigger part of most companies' plans to connect with customers and other stakeholders. Now internal audit departments are taking a closer look at those risks and the controls companies are instituting to manage them.
By H. David Kotz, Managing Director, Berkeley Research Group, LLC
August 02, 2016
In December 2007, I was appointed as the Inpsector General of the Securities and Exchange Commission and served in that capacity until January 2012. An IG is an internal watchdog for a governmental body with its primary purpose being to identity and reduce waste, fraud, and abuse in the agency. IGs supervise both internal audit and investigative units.
The Securities and Exchange Commission has charged South American-based LAN Airlines with making illegal payments to attempt to settle a labor dispute, in violation of the Foreign Corrupt Practices Act.
As audit committees work to strengthen how companies approach risk management, corporate reporting, cybersecurity, and other key areas, they are relying on internal audit to provide more value, greater oversight, and better communication about issues of concern.
What if access to our online bank accounts was managed the same way we manage access to information systems at work? Would we know who can get into our accounts? Who could see how much we have in what accounts? Who could take money out?
In this podcast, Joseph McCafferty, head of audit content at MIS Training Institute, talks with Michael Volkov, CEO of law firm The Volkov Law Group and author of the Corruption, Crime, & Compliance blog, about the convergence of internal audit and compliance.
Corporate frauds are cyclical, meaning that they tend to come in waves, particularly when the markets perform poorly or a recession hits. (That is, when the scandals themselves aren't the actual cause of the recession as we saw in the financial crisis of 2008.)
Just 10 percent of companies are prepared to adopt the new Financial Accounting Standards Board (FASB) lease accounting standards, according to a recent report by audit firm Deloitte. And it's not that many companies are just procrastinating.
Warren Buffet, the king of folksy, one-liner investment aphorisms, has one for the problems that a bear market can cause: "It's only when the tide goes out that you can see who has been swimming without their trunks on."
The fury over the increasing use of non-GAAP accounting measures when companies report earnings is building, and now the Securities and Exchange Commission is weighing in with some guidance on practices that are and aren’t acceptable.
Companies are paying a huge price for worldwide corruption and bribery, even if they are adopting practices to fight against it. That's because the cost of corruption takes many forms, including loss of business to less scrupulous companies, and regulatory requirements.
A new survey is out about the skills that audit leaders are looking to add to their departments and you may be surprised at what tops the list. Cybersecurity chops? Nope, that ranked twelfth. Financial acumen? Tenth.
Office politics and turf wars are a fact of corporate life. They are also among the most dangerous forces an organization can face, because they pit employees against each other and lead individuals to put their own or their departments' interests ahead of the business as a whole.
During the past several years that I have covered corporate compliance, auditing, accounting, and other functions that intersect with government regulation the executives and company representatives I've talked to have always chosen their words very carefully.
Most information security experts aren't afraid to state bluntly: "We're losing the battle for information security." But then again, we already knew that. Near-daily headlines about the latest cyber-theft or data breach have made that pretty clear to most people.
In this podcast, Joseph McCafferty, head of audit content at the MIS Training Institute, talks with Blythe McGarvie, an author, speaker and director on several corporate boards. She is also chair of the audit committee at Viacom.
Last week the Securities and Exchange Commission approved a $258 million budget for the Public Company Accounting Oversight Board. The PCAOB acts as a check on accounting firms that conduct audits of public companies.
Bad news for internal auditors, compliance executives, and risk managers who were hoping that bribery and corruption risks would start to subside after being on high alert for the last few years: they are actually increasing.
Internal auditors are making progress at carving out a more strategic role for themselves and are gaining influence with management and the board at their organizations, according to a new report out earlier this month.
As Donald Trump is quickly finding out, when you outsource business processes you incur risk. And these days there are few companies, if any, that don’t outsource at least some parts of their business.
Chief audit executives know the feeling of having to serve many masters. They have several constituencies they must answer to or advise—including management, business lines, regulators, and shareholders—all while retaining their independence to provide clear and objective views.
A new survey from the Institute of Internal Auditors (IIA) suggests that internal audit departments are not changing fast enough to address emerging risks that lie outside the traditional purview of internal audit.
This week the Securities and Exchange Commission settled a case with Mass.-based technology company PTC Inc. and its Chinese subsidiaries that could create new imperatives for internal audit practices and assurance of anti-bribery programs.
The buzz for the last few years now is that social media represents a unique risk that companies must manage, lest they leave their corporate reputations hanging out there for others to tweet all over them.
Jose Tabuena, a former internal auditor and compliance executive at various companies including Orion Health and Texas Health Resources, discusses the role of internal audit in influencing and shaping corporate culture.
A group of global investors is hoping that convincing companies to adopt good governance standards—and avoid making decisions that provide a quick pop but don’t support long-term goals—can be a lucrative proposition.
How can we tell if the external auditors are doing a good job? Often we can’t. Lots of companies have had large accounting and fraud issues blow up shortly after the external auditors issued a clean audit opinion.
Last Friday, the Securities and Exchange Commission’s whistleblower office announced an important first: It revealed the only award to date for aiding in the prosecution of securities fraud paid to an individual who had never worked at the company in question.