Preparing a comprehensive risk and control matrix can help internal auditors focus on providing assurance on the key risks

By Hernan Murdock

March 27, 2017

Internal auditors must focus their reviews, prioritize what to audit, and concentrate on what matters most to the business. Since there are often insufficient resources to cover the entire audit plan, internal auditors can no longer conduct sprawling or unclear audits looking under every rock hoping to find something somewhere.

An audit is a complex undertaking that requires internal auditors to examine documents, speak with employees, observe business practices, and evaluate controls in business programs and processes. Given these dynamics, is there a document that organizes what needs to be understood and provides a clear roadmap for effective testing? Yes, there is. It's called the Risk and Control Matrix (RCM), and if you aren't taking the time to assemble one, you should.

Internal Auditor Spotlight with Devin Potter of RSM

By Joseph McCafferty

March 23, 2017

Devin Potter is a Supervisor in the Risk Advisory Services business at RSM, where he has worked since 2014. We recently sat down with Devin to talk about the internal audit profession.

Q: What do you like most about being an internal auditor?
A: I really enjoy having a sense that I’m improving things. Our primary role is to provide assurance that business risks are managed as management would expect. But if I can finish an internal audit project and at the end of it, we can provide insights that improve the business for my clients, while helping them manage risk at the same time, then I am adding enhanced value.

With as much as 50 percent of some applications based on open source code, companies must ensure they are meeting compliance obligations

By Joseph McCafferty

March 22, 2017

If your organization is developing applications, it's likely that some of the code is borrowed from open source software that can be found freely on the Internet. While such code makes developing applications much easier, its use can come with legal hoops to jump through and security vulnerabilities that, if left unmanaged, could pose significant risks to the organization. Conducting an audit of the use of open source software code can help companies get a handle on this emerging risk area.

Employers are looking for more certifications and a broad work experience, even as they struggle to fill these evolving positions

By Shawna Flanders

March 17, 2017

We all know IT audit is about providing assurance of the reasonable effectiveness of IT processes and controls, while information security is focused on the protection of data and information assets in all forms. While these differences are stark, do you have an appreciation of the distinctive characteristics that set IT auditors apart from information security professionals?

Are IT auditors more assessment oriented and information security professionals more technically savvy? Do information security professionals know the details better, while IT auditors are better at understanding the business applications of information technology?

Congress to consider easing of SOX 404, along with repeal of several Dodd-Frank provisions

By Joseph McCafferty

March 16, 2017

Less than two weeks after taking the oath of office, President Donald Trump set about fulfilling one of his more tangible and oft-repeated campaign promises: dismantling the Dodd-Frank Act, passed in 2010 in response to the banking failures that brought about the financial crisis a few years before.

On February 3, Trump signed an executive order urging regulatory agencies to review recent regulation, such as Dodd-Frank, and ensure that the rules align with a list of "core principles" that include fostering economic growth and enabling American companies to be competitive with foreign firms. Missing from that list of principles was achieving stability in the financial markets, which was the main intent of Dodd-Frank.

Companies are also looking for higher-quality hires and specific skill sets

By Joseph McCafferty

March 10, 2017

The competition for internal audit talent remains fierce, pushing salaries for in-demand internal auditors ever higher. Two new salary surveys out from recruiting and staffing companies find that salaries for internal auditors at all levels continue to grow at a brisk pace.

A report from recruiting firm Parker + Lynch finds that the average internal audit director will earn $163,000 in 2017 in total cash compensation, up from $145,200 in 2015 when the survey was last conducted. That puts the rate of growth at 6 percent annually, well above the average 2.8 percent wage increases for all professions over that time projected by the ERI Economic Research Institute.

Customer service oriented internal audit departments are conducting surveys after audits to improve their own processes

By Karen Kroll

February 28, 2017

This is part two of a four-part series on how internal audit departments can benefit from a customer-service approach to auditing. See part one, The Customer Service Oriented Internal Audit Department.

Over the past few years, more internal audit departments are seeking to shed their reputation as the company's monitors and provide more value and service to those they audit. But how does internal audit know if it's meeting those goals? Some are simply asking.

A brief look at this week's news insights that impact internal auditors

February 24, 2017

How important information governance is during restructuring planning, IT security budgets are on the rise in 2017, and how the treasurer of a Swiss technology firm may be to blame for a $100 million shortfall in the company's 2016 results. This and more in this edition of This Week in Internal Audit.

When a consultant couldn't find positive portrayals of internal auditors in fiction, he decided to create his own

By Joseph McCafferty

February 22, 2017

It's safe to say that popular culture hasn't been kind to internal auditors. The few references to the profession in television, movies, and books either confuse them with accountants or portray them as disliked corporate stooges or nerdy paper-pushers.

This non-existent or negative portrayal so bothered Wa'el Bibi, a former internal auditor and current internal audit consultant, that he decided to do something about it. Bibi authored a short book of fiction, The Internal Auditor, which includes a hero internal audit protagonist who draws on his full complex of talents to uncover a burgeoning corporate fraud and save the day.

A brief look at this week's news insights that impact internal auditors

February 17, 2017

Congress is being pressured to soften a Sarbanes-Oxley rule by business groups, shadow IT is slowing down the adoption of the cloud thanks to a shortage in cybersecurity skills, and internal audit departments are becoming more customer service oriented. This and more in this edition of This Week in Internal Audit.

More internal audit shops are treating auditees as customers, emphasizing service and value

By Karen Kroll

February 14, 2017

This is part one of a four-part series on how internal audit departments can benefit from a customer-service approach to auditing. See part two, Tell Us How We Did: More Internal Audit Departments Surveying Auditees.

By now, we've probably all heard as much as we care to about the need for internal audit to move from acting as a policing function to that of a trusted business partner. Indeed, many have moved in this direction during the last several years.

Now, some internal audit departments are looking to take the concept to the next level and treat the business units, functions, and process owners they audit as customers. They are ensuring not only that a thorough audit is completed that provides assurance and enables better decision-making, but that the auditees—now called customers—are happy with the audit work, face minimal disruption during the audit, and are treated with the care and concern typically reserved for paying customers.

A conversation with Jeffrey Ritter, information governance expert and author of Achieving Digital Trust

Podcast

Interview by Joseph McCafferty

February 13, 2017

We've all seen ambiguous and imprecise language in the business world, whether in standards and regulations, our own policies and requirements, or in everyday reports and memos. Words like "adequate," "reasonable," "suitable," and "appropriate" pervade business writing, especially when it comes to setting rules and standards, including those that internal auditors must provide assurance over.

Jeffrey Ritter, a data security and governance expert and lecturer at Johns Hopkins University and the University of Oxford, says it's no accident that business writing is littered with confusing and imprecise language. "The goal is to be intentionally ambiguous," says Ritter. He says such language allows us to take shortcuts and avoid the hard work of being precise. He says it also keeps one group from having to learn the business vocabulary of another or to really understand what they are trying to say at a detailed level.

A brief look at this week's news insights that impact internal auditors

February 10, 2017

How the internal audit function can take steps in addressing the talent gap tied to the department, artificial intelligence attempts to perform the auditor's job, and why managing one's individual brand is essential for internal auditors. This and more in this edition of This Week in Internal Audit.

There's real value in managing your individual brand as an internal auditor

By Daniel A. Clark

February 9, 2017

Whether we know it or not, as internal audit professionals we all have a brand.

Chief audit executives may have a more established brand, while upwardly mobile internal auditors are likely still working to establish their brands. We may have created it haphazardly through actions that others interpret or painstakingly built it through a structured process. Either way, this brand, like all brands, conveys a lot of information about us—positive and negative—can be easily damaged, takes a long time to build, and is a critical component of how others perceive us, including the person on the other side of the desk at your next job interview.

By Shawna Flanders

February 7, 2017

Is it historic or historical? Mass or weight? Mean or average? Coke or Pepsi?

The items in these pairs are similar to each other and certainly related, but have important distinctions that make them different in how they are defined and applied (or in that last case, enjoyed). The same can be said about information security and cybersecurity. These topics are related and can easily be confused. They are different, however, and understanding these differences may help internal auditors decide what to audit, how much assistance they will need during the audit, and how they provide assurance to the board of directors and executive management teams.

Newest version addresses online supply chain risk management and use of metrics

By Joseph McCafferty

February 6, 2017

Last month, the National Institute of Standards and Technology issued a new update to its Framework for Improving Critical Infrastructure Cybersecurity. The cybersecurity framework is used by many organizations for assessing and improving their systems to prevent, detect, and respond to cyber-attacks. While it was first intended as a framework for protecting critical infrastructure such as the electrical grid and roads and bridges, many companies have adopted it as a blueprint for managing cybersecurity risks.

The updated framework provides new details on managing online supply chain risks and also clarifies some additional terms and measurement methods for cybersecurity. According to NIST, a unit of the Commerce Department that promotes industry measurement standards, the updated framework "aims to further develop NIST's voluntary guidance to organizations on reducing cybersecurity risks."

Most companies still manage risk in silos and don't have a clearly defined strategy, report finds

By Joseph McCafferty

February 6, 2017

A new report from the Ponemon Institute finds that many companies lack a cohesive approach to risk management.

According to the study, "The Imperative to Raise Enterprise Risk Intelligence," three-quarters of the risk management professionals surveyed said their organizations don't have a clearly defined risk management strategy that applies across the full company. Of those, a third (33 percent) said they didn't have a clearly defined strategy at all, and another 43 percent said that while the strategy was defined, it was not applied to the entire enterprise.

A brief look at this week's news insights that impact internal auditors

February 3, 2017

Tips to ensure that the internal audit function performs optimally, circumstances where internal auditors can receive SEC whistleblower awards, and a new study indicates organizations are more concerned about brand reputation than cyber attacks when it comes to risk management. 

Pressure may be easing on companies that prefer to use unsanctioned measures when reporting earnings

By Joseph McCafferty

February 1, 2017

The battle over the use of non-GAAP measures in financial reporting has been simmering for well over a year, but now it may be starting to cool off. New leadership at the SEC may be less inclined to pursue non-GAAP as an issue, and accounting's top rule maker says he's open to rethinking the rules around the use of the unsanctioned metrics.

Companies commonly report financial measures that don't conform to Generally Accepted Accounting Principles (GAAP). A company may think that it's important to include or exclude certain amounts to give what it considers a more accurate picture of performance or to provide greater insight into the business, even when accounting rules require a different computation. The use of non-GAAP metrics isn't necessarily a violation of reporting rules, but using them to mislead investors is. Companies must also reconcile the non-GAAP measures to GAAP and report those figures as well.

A week-long series of internal audit courses provides internal auditors the opportunity to fill gaps in their portfolio of skills

February 1, 2017

Despite the phrase "what happens in Vegas stays in Vegas," there are some events that take place there that you'd be happy to take with you and apply in your professional life. In March, we will offer just such an event, as MISTI's Training Week heads to the City of Lights.

The week-long series of seminars will take place from March 13-17 at the Flamingo Las Vegas. Internal auditors can choose from among 11 courses, including such foundational courses as Fundamentals of Internal Auditing, IT Audit School, and Intermediate IT Audit School.
