As a newly appointed internal auditor, you might find yourself a bit lost. It’s not an easy job, and working with experienced colleagues might be a little intimidating. There is so much to learn. Here are ten basic things that as a new auditor you should expect to follow when that first assignment comes your way.
It’s becoming clear to most internal auditors that the profession is changing very rapidly. The strategies that have worked in the past will no longer be enough to carry out internal audit’s new mandate. To meet these challenges, internal audit must improve on three major fronts: innovation, new technology, and talent management.
Tech-based processes can often seem like black boxes that are too complex for process improvement. It doesn’t have to be that way. In fact, there’s a lot of waste and inefficiency that gets built in along the way, and internal audit can play a big role in identifying and eliminating it.
Companies are rapidly finding applications for blockchain technology, meaning internal auditors will need to assess those applications. To do so will require some foundational knowledge of how blockchain works and the risks associated with its use.
HR audits have evolved from a simple checklist of dos and don’ts or periodic affirmative action plans to a comprehensive, sustainable process that is an integral part of the organization’s internal controls, due diligence, and risk management function.
Many internal audit departments are struggling to keep up with fast-moving technologies and widespread change in the profession. Staying on track will require more than adopting new technology; it will involve adopting a new mindset.
Traditionally, internal auditing was done retroactively. While our methodology has relied on this practice and it has been used widely for a long time, one of the issues with this after-the-event approach is that the actions have already occurred. It is based on auditors focusing on issue detection.
Those entering the internal audit and compliance professions often wonder what they need to do to succeed in their new careers. There is a lot to learn. In fact, the general advice is to become lifelong learners. But there is also the constant pressure from within the department. Here, MISTI's Dr. Hernan Murdock lists nine skills and actions essential for success.
The work of internal auditors and compliance professionals is filled with frameworks, regulations, and policies and procedures documents that define the path for operational effectiveness. Follow those guidelines, manage risk effectively and the likelihood of success increases. But what about our own success?
It’s easy to overlook your own grammar errors. But you’ll be a better writer if you become mindful of your writing and correct your own editing mistakes. Here are five common editing mistakes we all make or might have questions about. Maybe a couple will resonate with you.
Robots are having a growing influence on organizational practices and this dynamic is of great interest to internal auditors and compliance professionals who examine the impact of these technologies on organizational objectives, risks and controls. But they also present a growing concern as the work performed by internal auditors may be replaced by machines.
Evidence is something that provides proof and it proves or disproves something. It is presented as verification of the facts at issue and generally includes the testimony of witnesses, and the examination of records, documents, and objects. This feature by MISTI's Dr. Hernan Murdock examines the qualitative elements to consider when it comes to leveraging high-quality evidence.
Performance auditing is the review of a program or process, and the systems supporting it, to determine whether it is achieving the primary goals of efficiency, effectiveness, and economy in its use of available resources. These reviews are often done in government and non-profit entities, but they are equally important in the for-profit sector.
To become trusted advisors to management it would help if we spoke the same language they do. While auditors and compliance professionals often talk in terms of controls, and increasingly in terms of risk, managers and business leaders often talk in terms of costs, benefits, revenue, reputation, and market share.
One of the most overlooked, but essential, elements of the persuasive process is establishing a definite need in your to-be-persuaded audience’s mind. In other words, how does the client know that they need what you have to offer? Here, we explore the topic.
As business processes become more complex, information more widely dispersed, and the risk environment more complicated, the need for internal auditors to adapt to this new environment becomes imperative. This is where rotation programs can really save the day.
The Three Lines of Defense Model provides a framework to clarify the involvement and alignment of multiple assurance providers acting on behalf of their client organizations. It has become increasingly common to have various risk and control professionals working side by side to help their organizations manage risk and increase the likelihood of achieving strategic and operational goals.
And just like that, another year has gone by. We've had a blast providing you with insights all throughout the year, covering audit report writing, project management, and emerging technology. Here we've compiled a list of the most read articles.
Data analytics is being leveraged more than ever by internal audit departments, but for those that haven't jumped on the bandwagon yet, this interview with CVS Health's head of data analytics explains the benefits, challenges, and misconceptions tied to the technology.
RPA, robotics, robots, bots … as internal auditors you have undoubtedly been hearing this terminology tossed around more and more. What exactly is it? Why is it such a hot topic? Here we answer those questions.
The balanced scorecard is a system used to make sure business operations are aligned with the organization’s mission, vision, and strategy. Since it uses several measures to determine success, it helps those involved to balance what is achieved with how it is achieved. Here's how.
There tends to be a fair amount of confusion when it comes to a fraud risk identification approach versus an experience-based approach but here we set out to create a list of universal definitions intended to clarify how and why you might use this approach.
As auditors, we all know that internal audit is uniquely positioned to understand where risks lie within an organization. But sometimes audit doesn’t get the opportunity to communicate the company’s risks to a broader audience. Here, we share a few ideas to help internal audit build bridges between knowing, communicating, and fixing risk in a company.
IT audit is only beginning to familiarize itself with DevOps as more organizations begin to deploy successful programs. But is it fair to say that DevOps and compliance go hand in hand? In this video interview with Atlassian Risk Futurist Guy Herbert, he gives his take on the topic.
A great deal has changed over the years when it comes to risk, including the willingness and interest of CAEs, Audit Committees and Boards to talk about risk. As part of the increase in dialogue relating to risk and risks on the horizon, much has been written and discussed. Here, Experis's Alec Arons consolidates that information.
Histograms are a very powerful tool to analyze data because they show the distribution of a continuous variable in a diagram and their appearance is similar to bar graphs. In this feature article, MISTI's Dr. Hernan Murdock explains how internal auditors can leverage them.
Many organizations are still failing to effectively audit areas such as cloud security or even social media. So what areas should you be covering and why? This article answers questions tied to that topic. Here you'll find the top IT risks that consistently vex companies and protect your assets.
In this second installment of our two-part series on vendor overbilling, we look at how to use fraud data analytics designed to uncover a complex fraud scheme and the fraud audit procedures designed to provide credible evidence.
Measurably reducing cyber risk in the business is an obstacle nearly all organizations face today. Needless to say, it's critical for businesses to conduct cyber risk assessments. In this contributed article by Experis' Stephen Head, he dives into the topic.
One of the challenges internal auditors encounter when analyzing a finding is identifying the root cause of the problem. This is where the Cause and Effect Diagram can help. In this featured post, MISTI's Dr. Hernan Murdock explains how and why.
As internal auditors increase their use of data analytics to better understand process characteristics, isolate issues and perform more accurate root cause analysis, the Pareto Diagram continues to grow as a useful tool for them.
IT audit expert Mark Thomas, president of Escoute Consulting, chats with Internal Audit Insights on the impact that cloud migration has had on the business, and shares the major Dos and Don'ts that IT auditors should know about GRC in the cloud.
The balanced scorecard is a system used for planning and management to make sure business operations are aligned with the organization’s mission, vision, and strategy. In this featured article, MISTI's Dr. Hernan Murdock explains how you can use it to your advantage.
By Terry Hatherell, Deloitte Global Internal Audit Leader
August 14, 2018
As organizations continue to evolve and innovate, new risks arise. Meanwhile, the larger business environment continues to change, often rapidly and in unexpected ways. This places new demands on the internal audit function.
Organizations are accumulating large amounts of data and internal auditors are rapidly increasing their mining for, and use of, these sizable data sets. This proliferation of data raises the question of how to extract meaning from it all.
As the number of blockchain implementations continues to grow, internal auditors will need to learn about both the promise and risk this technology offers. So what exactly is blockchain technology and what does it mean to you as an internal auditor? This article answers that question.
The value of a strong "tone at the top" should not be underestimated as it can improve a company's performance. The benefits of a strong tone at the top should be of interest to leaders in all departments within every organization. Here's what you can do to evaluate it.
Scatter diagrams can help find the answer to many questions. Internal auditors can leverage them to analyze pairs of numerical data and show the relationship between two variables. In this feature write-up, MISTI's Dr. Hernan Murdock highlights their benefits.
Creativity is the use of imagination or original ideas, but it's not that important for internal auditing. Given that reporting rules and regulations are non-negotiable, there is little room for creativity and original ideas, right? Wrong! Here's what you can do to be creative while conducting audits.
Rotational auditing has been a fishing hole for years. The pros and cons have been fished around too. And then fished around some more. Auditors have a way of fishing. But paddling deeper into audit's consulting water, rotational auditing could provide a venue for teaching risk awareness.
TalaTek’s Baan Alsinawi provides an update on the state of third-party risk management as it relates to IT auditors and sheds light on the hidden traps they should look out for as it relates to trusted business partners.
After 25 years in internal audit, I have come to the conclusion that excellent audit planning is essential to ensuring an effective audit. What is a successful audit? A good measure is whether both audit management and the auditee feel good about the end results.
Escoute Consulting President Mark Thomas dives into the topic of communication challenges within the enterprise, why they exist among IT audit and cybersecurity, and the steps you can take to ensure those silos are broken down.
Information drives modern organizations, so it is imperative that metrics be used that give management objective information. In this instructive article by MISTI's Dr. Hernan Murdock, he advises on how internal auditors can do just that.
When designing continuous auditing procedures, auditors and management must think through what the metrics are, and what thresholds would trigger the auditors’ desire to gain a better understanding of operational issues.
XebiaLabs’ Robert Stroud highlights what it is that IT audit needs to know about DevOps, why they should care, and offers up ways in which they can approach DevOps in a constructive manner that ultimately reduces risk in the organization.
According to MISTI’s annual Internal Audit Priorities Report, internal audit leaders are in need of hiring outside assistance for challenges they face surrounding IT security. Here, we share a few tips to help you find the best IT consultant for your needs.
Numbers and fancy charts are only able to tell part of the story for internal auditors. If you want your reports and your data to come alive for your clients, you need to make your words matter. Words, when it comes to driving action, are your most valuable currency. Here's why.
The Sarbanes-Oxley Act of 2002 Section 301 requires publicly traded companies to have a whistleblowing program. But how do we know if the program is effective? This article should help get you on your way.
To continually operate more efficiently and add greater value to the business, internal audit has to boost its performance throughout each stage of the audit cycle. The guidelines below can help you improve the risk assessment, planning, execution, and reporting stages of the audit cycle.
We recently discussed the intersection of emotional intelligence and strategic intelligence. Here are some more common strategic areas to look at. One of these may be similar to your company, or maybe you have some additional strategic areas too. We’d love to hear about them.
Infusing an audit with strategic intelligence can be a little uncomfortable. But a little stretch does an auditor (and the company) good. Here, we've provided a few tips to articulate the big picture to your team and your auditee.
If continuous auditing doesn’t strictly mean automated data analytics or fancy software, then it means a larger group of internal audit shops can employ continuous auditing. This article highlights five ways you can continuously audit your business without all the software and by just using your brain.
Even if you’re a dollar-menu writer now, that does not mean you always will be. Anyone can become a gourmet audit report writer. Over the next few weeks, Audit Writer’s Hub articles will focus on specific writing tips to help you begin crafting your gourmet issues. This week, we look at passive voice.
Developing a strong working relationship with audit clients goes a long way, but that can be a lot easier said than done. In this post, we examine 7 areas that internal auditors can focus on that will help them improve their relationships with audit clients.
By improving the tone of the audit report, auditors maintained, if not increased, the integrity of findings and developed better relationships with their clients. Rather than brutal honesty, auditors became humanely honest. Here are four strategies to improve tone in your audit reports.
Effective communication, teamwork, and accountability are key ingredients of efficient programs, processes, and projects. Unfortunately, many organizations suffer due to a misunderstanding of who’s responsible for what. Here, Dr. Hernan Murdock details how RACI Charts can help internal auditors overcome these challenges.
Auditors in search of a great decision-making tool to identify the forces for and against a course of action should look no further than Force Field Analysis. In this feature by MISTI's own Dr. Hernan Murdock, he details how internal audit can leverage this technique.
A quick ask on social media about pet peeves in email etiquette unleashed a tirade of email annoyances from friends and acquaintances. The list of email frustrations is enough to make anyone self-conscious, because we’ve all committed email blunders of our own. This week, we review email etiquette for auditors.
In this recent video shot at MISTI’s ITAC Conference, INARMA's Jason Claycomb gives his take on the state of auditing social media in the enterprise, and what steps internal auditors can take to monitor the risks associated with the technology.
Surveys can benefit internal audit when it comes to reviewing intangible topics such as corporate culture, entity-level controls, and an ethical environment. In this feature article, we highlight the critical stages of conducting and designing effective surveys.
Response plans vary somewhat. But here we'll focus on giving you the best insight on how the internal audit function can provide support for the business's incident response plan. Here's a look at some proven tips that can help you get started.
In this video interview with Glenn Sumners, Director of LSU's Center for Internal Auditing, he discusses what attracts his students to the internal audit program at LSU, what you can expect from the next crop of internal auditors, and how you can help them adjust to the internal audit department of today.
If done well and communicated properly, reporting the root cause can be the glue your report needs to tie findings to the overall health of the company and create significant change for the business. This article provides some strategies to use in writing and communicating root cause in audit findings.
In this interview featuring Bob Hirth, Chairman at COSO, he sheds light on the recent updates made to the COSO ERM framework, discusses what those changes mean for internal auditors, and advises on how to best leverage the framework.
Given the talents and skills that auditors possess (analyzing data, spotting trends, forming conclusions), auditors are in a perfect position in a company to be part of data analytic innovation. This article proposes a plan to fill in the gaps and implement data analytics in the business.
Within a communications group, chances are that someone is performing a level of auditing of weekly or monthly online analytics already. But it doesn’t hurt to talk to these people and fill in any gaps you discover. How effective is your social media presence and how do you audit it? This article should get you started on auditing social media within a larger audit.
Technology continues to flood organizations and IT auditors are facing increasing challenges. The Center for Internet Security's Critical Security Controls are intended to help the cause. In this exclusive video interview with Internal Audit Insights, subject matter experts define the controls and discuss their benefits for IT auditors.
Rather than robotic humanoids or machines that have become “self-aware,” artificial intelligence might be better described as computer systems that can predict human behavior. For internal audit, it can be a handy tool for specific processes within audit, for analyzing overall sets of data with greater accuracy, and even for predicting risk.
At times, internal auditors don't explain to their clients that processes should be built to operate error-free. Even when controls detect errors, customers report gaffes, or sheer luck saves the day, these events often cause re-work. Here's what you can do to help your clients prevent mistakes.
You picked them! Here's a look at the most read articles published on Internal Audit Insights in 2018. From building great audit teams to writing an audit report that gets results, you'll find a unique mix of some engaging content that answers some of your pressing questions.
Raytheon's Thomas Sanglier discusses the positive impact that the internal audit function can make when it comes to handling outside audits, the challenges this task can present, and how to overcome them.
Today, we’ll be cleaning out the metaphorical “auditor’s closet.” The auditor’s closet comes stashed with a variety of documents that identify, document, record, and communicate specific controls for both you and whoever needs to review these controls in the future.
If you’re going to audit social media, then develop a method. Kate Mullin, a social engineering expert, shares a formulaic approach to begin thinking like a hacker and doing the reconnaissance a hacker would do so that you can protect your organization.
As internal auditors apply risk-based auditing techniques to their reviews and increase their focus on the needs of customers to achieve organizational aims, it is essential to gain a panoramic understanding of the process. The SIPOC diagram can help.
Good content is necessary, but ensuring that good content is written well is another experience on its own. Here, we dive into three areas that improve sentence flow: topic sentences, transitions, and filler phrases.
Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes. So why have some internal audit departments still not embraced it?
Is it historic or historical? Mass or weight? Mean or average? Coke or Pepsi? The items in these pairs are similar to each other and certainly related, but have important distinctions that make them different in how they are defined and applied (or in that last case, enjoyed).
No organization is 100 percent safe from hacks, cybercrime, or boneheaded employee actions that can expose the company to data breaches. Most companies have shifted from a purely prevention mindset to one of a risk-based approach to cybersecurity with a robust incident response plan.
A new report finds that the majority of large, multinational companies based in emerging markets, including China and Brazil, are falling down on their responsibility to provide transparent corporate reporting.
The first chief of the Securities and Exchange Commission's whistleblower office, Sean McKessy, announced that he is stepping down later this month. Depending on his successor, the office could become more aggressive in spurring whistleblowers to come forward.
The Securities and Exchange Commission has approved a plan by the Public Company Accounting Oversight Board to require audit firms to disclose the names of audit engagement partners and to provide more information about other firms that participate in audits.
In this podcast, Joseph McCafferty, head of audit content at the MIS Training Institute, talks with Brian Barnier, a principal at ValueBridge Advisors and an OCEG fellow, about the role of controls in audit and risk management and their limitations.