Information System Governance was the focus of the August 2010 Internal Auditor magazine and is a recommended read for Chief Audit Executives who want to remain on the leading edge when it comes to Technology issues.
David Salierno, the magazine’s editor, highlighted the importance of technology management and industry predictions of greater decentralization of the IT function, increasing use of outsourced providers and more integration of IT within core business processes (such as Human Resources and Finance).

For Chief Audit Executives, these predictions provide insight into emerging IT risks. As the IT function becomes more dispersed throughout large organizations, CAEs need better abilities to audit data coming from disparate systems. The process of validating that data at one level of the organization is accurate will be a challenge without the technological ability to cross check data accuracy across multiple systems. As the trend continues to outsource core IT functions (both physical as well as virtual through cloud vendors) new challenges emerge in terms of auditing these functions and the data generated. Finally, as core business processes start to utilize their own unique systems that meet their specific requirements, the growth of systems both for the enterprise and for smaller segments of the business will require audit teams to have the right tools and proper training to understand this growing complexity.
CAEs should carefully consider their organization’s IT future and develop a plan to address these challenges through audit analysis technologies, technology-enabled audit processes and a focus on training and development of their audit team.

There’s nothing like a spectacular headline to draw attention to an article or news flash. So it was with interest that I clicked on through to read the following article, http://bit.ly/9UKWzV. I don’t particularly like spreading bad news, but there was something about this Bloomberg article that stuck with me.
The article is about a recent appeals court ruling in which KPMG LLP was found to have engaged in accounting malpractice. Not only was the original verdict upheld, but the court also ordered a new trial on damages, saying that the previous jury improperly found the firm should pay $31.8 million. Apparently, $31.8 million wasn’t enough!
What stuck with me is that the KPMG partner, John Quinn, said that the client’s CFO gave an “unfair and misleading characterization of the accounting and auditing issues.” He said that he was “very much inclined” to recommend ending work with the client after that year’s audit. It appears that the client wasn’t acting with integrity and that there was a lack of trust between the auditors and their customer.
I don’t claim for an instant to know what should have been done, or could have been done in this circumstance. External Audit firms have a tough row to hoe, balancing their professional responsibilities along with the business relationship with their clients. But all accounting issues aside, doesn’t it just boil down to sticking with your principles above all else? It’s tough to go wrong when one bases their decisions on the principles and values they hold to be just and true – at least that’s what my parents taught me.

It’s not my intention to keep referring to my own previous blogs. It makes me look like I’m just trying to grab attention, and my fellow bloggers might rightly complain that I’m not directing enough traffic to their postings. That said, in my blog entitled ‘Got Data Skills?’ I moaned about a lack of understanding of tables and fields from ERP systems throughout internal audit. I am still surprised at how dependent IA is on other departments to provide that knowledge.
CA Magazine recently ran a very good article which underlines this point. They published a PWC survey of 2,000 internal auditors who were asked their opinion on which capabilities will require an increase in knowledge in order to add value to the business going forward. What stood out for me was that 60% of respondents stated that a requirement for Specific Technology Experience (Security, ERP) would increase in the future. Top of the list of requirements were Critical Thinking and Analysis (68%) and Knowledge of Risk Management Approaches (67%). These 3 capabilities combined are extremely powerful attributes and, in many leading IA organizations, are interdependent skill sets.
Interestingly enough, most organizations said they intend to obtain these skill sets through training, rather than bringing in new staff. In the same publication, a survey asked 900 HR professionals what factor contributes most to accelerated performance. Top answer was Organizational/Culture Fit (31%), but way down towards the bottom was Technical Skills (only 12%), which might indicate (I hope) that internal systems training is now more of a priority than in the past.
This morning I spoke to the Director of IA at a bank on the east coast whose team has created a library of audit tests for their data warehouse (almost 2 decades’ worth of IP, including all relevant database information). They are simply looking for the right technology to run them on. I was caught on the hop, I have to admit, because they were the opposite of what I just described in my first paragraph. Things are definitely looking up.

In July, I blogged about the importance of representing audit findings in a way that is appropriate for the intended audience (Let Me Illustrate...). I should have really gone further, by not only describing different audience types and their required level of detail, but also the types of device they might access the results on.
How often do you read your email and calendar entries on devices that are not desktop PCs? How about news, sports and social media updates? BlackBerries, iPhones and other ‘smart’ devices are so ubiquitous in business today that, collectively they are becoming the most-used devices for viewing myriad types of information. But are they used to view the results of data analytics? In many cases, yes.
I recently had lunch with a friend who implements analytics for healthcare professionals. She told me that it is already commonplace for physicians to view clinical data using hand-held smart devices, especially tablet-based devices such as the iPad. And with good reason – they are constantly on the move, require results quickly and are able to look at the results of data analytics without having to return to the office to operate a fixed workstation or laptop. It’s not only the medical profession: from warehouse inventory counts to sales analysis and forecasting, proven business analytics are increasingly executed on the fly. So, always up for a challenge, I set out to see if I could set up audit analytics to run and produce results in the same way. I already had the proven analytics, but could they be run and produce results using an iPad?
The answer again was yes, and it was easier to achieve than I expected. Without going into monotonous technical detail, a small portal for my ACL analytics was designed for tactile input (rather than being designed for a mouse user) and was put on an existing ACL server. Each screen was designed to execute a script (following user-defined input on a hand-held). The script then worked behind the scenes by pulling data, analyzing it and emailing various stakeholders with the results (traditional PC and/or BlackBerry users). Provided that I was on the VPN using either the phone network or a WiFi connection, it worked every time.
The bottom line here is that you could execute and read the results of audit analytics from your smart phone, while sipping your latte on your way to work if you want to, while ensuring that results are also still available for traditional consumption. Will such accessibility catch on in audit? Who knows? Put down your BlackBerry and send me your thoughts.

For Board Members, one key learning from the economic fallout that shook the financial community a few years ago was that companies “that escaped 2008 financial crisis relatively unscathed had CEOs who personally understood risk and made management decisions accordingly.”

This observation, published by PricewaterhouseCoopers in “Thoughts from the Boardroom” earlier this month, suggests that Chief Audit Executives (CAEs) can help safeguard their organizations by educating the Chief Executive Officer about compliance, risk and governance issues. In some organizations, this duty to manage risk is in the purview of the Chief Compliance Officer. In most other organizations though, the CAE is the key executive with the requisite skills and background of experience to fill this important space.
And, it’s not just CEOs that need this guidance. “Boards [and audit committees] need to fully understand both the risks and potential returns of [their business].”
It’s an opportunity for CAEs to elevate their executive profile and to add considerable value in the protection of their organization. In doing so, the CAE should ensure that their Internal Audit department is equipped to meet this responsibility through improved risk-based auditing practices and technology enabled audits using leading software solutions to monitor risk, evaluate controls, and report non-compliance.
CAEs can teach their CEOs about risk and, in the process, strengthen the corporate entity as well as enhance their profile internally.

Just the other week, I received an e-mail from the IIA about a YouTube video. (My, how times change!) In this video, IIA Chairman for 2010-2011, Günther Meggeneder, challenges internal auditors everywhere to "Shape the Future." Having met and spoken with Herr Meggeneder several times over the years at IIA committee meetings and conferences, I was really keen to hear what he had to say.
I found his message positive and inspiring. Meggeneder was articulate in the delivery of his message that by working together globally, internal audit can shape the future and be a critical component to the success of our respective organizations. I especially liked how Meggeneder stated that Internal Audit was the cornerstone of good governance and how by living a risk-centric approach and leveraging technology, we can shape the future.

Believe it or not, I often flip through the IIA’s International Professional Practices Framework seeking inspiration for Blog postings, Tweets, and credible references for my presentations at conferences. I find the IPPF’s Practice Advisories (PA) ground my thinking in auditing, as opposed to software features, buzz-words and cryptic industry acronyms – as us techno-guys are apt to do.
I like to quote Standard 1220.A2 for obvious reasons,
“In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.”
So, internal auditors must CONSIDER the use of CAATs, eh? Is this good enough in today’s day and age of automation? Can internal audit provide effective assurance without using CAATs? I wonder. (Not really, I’m just trying to be rhetorical and pithy.)
What would you say if the PA was worded this way,
“In exercising due professional care internal auditors must make use of technology-based audit and other data analysis techniques, as appropriate, in order to more efficiently and effectively perform assurance and consulting engagements.”
I eagerly await your comments…

The final day of the conference featured sessions delivered by Steve Goepfert, Staff VP, Internal Audit, from Continental Airlines and Kim Hatley, Assistant VP, from Hospital Corporation of America (HCA).
Steve’s session focused on how Internal Audit needs to form stronger and more open relationships with the Audit Committee. He also outlined what he feels are hot-button issues that both Internal Audit and the Audit Committee need to pay attention to, including FCPA, social media, IFRS, Fraud, ERM, and mergers & acquisitions. It was timely that Steve mentioned mergers & acquisitions as we are planning to feature how ACL’s data analysis technology can successfully be utilized during a merger or acquisition in our next issue of ACL Insight. Stay tuned for that.
We at ACL are very familiar with HCA as we’ve heard some of the great things they have done using ACL technology in the past (See HCA Success Story). Kim said, “We in Internal Audit all hear the need to do more with less, but don’t let training fall by the wayside.” The audit team at HCA, like in many organizations, functions as a training ground for producing future leaders in the company. If the audit staff are well trained in fraud for example, and the controls in place to prevent it, then when they move on into management roles, they hopefully retain this knowledge and are better equipped to manage the controls they are now responsible for…a win for both management and audit.
With everyone’s busy schedules, training can often get put off indefinitely. Kim stressed the value of online training as a time and cost effective way to build skills. We at ACL have certainly noticed this based on the popularity of our Virtual Classroom Training Series.
This year’s conference was well attended and very informative. Apart from the weather (I still haven’t seen the sun yet) I’m very pleased with the IIA’s organization of this event.
See you next year!

The successful capping of the Macondo oil well that was the cause of the worst environmental spill in the Gulf of Mexico is the beginning of a lengthy cleanup process as well as an expensive legal process to sort out liability and damages. This unfortunate incident provides many learning lessons.
For Chief Audit Executives (CAEs) of companies with high environmental risks, one lesson from this tragic story is what reliance the CAE needs to place in outside specialists to truly understand the risk exposure to their organization. The IIA Professional Practices Framework provides a practice advisory 1210.A1-1 that suggests “Chief Audit Executives should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.” When engaging these specialists, opportunity exists to combine the expertise of the specialist with the data analytics skills of internal auditors.

Internal Audit has long been exposed to data in financial systems and has become more proficient with audit analytics and other CAAT applications. What we are observing is that operational systems are rich in data and Internal Auditors are more often using these data to audit key operational processes.
It’s therefore important to bridge the skills of the internal auditor with those of the specialist, and to look at areas where the application of data analysis technologies can help audit key risks. This duality of skills of both the specialist and internal auditor is essential in today’s complex business environment and critical if CAEs want to achieve their audit outcomes.
We cannot prevent environmental disasters, like the BP spill in the Gulf of Mexico, but we can certainly learn from these events. Please share a comment of how this is being done in your organization.

Day 2 started off with another great general session titled, The Future of Fraud, delivered by James Ratley, President of the Association of Certified Fraud Examiners.

James’ presentation focused on occupational fraud and how Internal Audit professionals need to help their organizations by being more proactive in identifying potential fraudulent behavior. He made one comment that really stood out for me. James said, “It’s virtually impossible to perpetrate a fraud in an organization without using a computer.” I think most people would agree…but so what? What does that mean? To me it means every fraud will always leave an electronic trail. Some form of transaction will have taken place…and by transaction I don’t just mean financial. An approval process, a system sign-in, a setting change are all transactions that will inevitably leave an electronic trail. And like we at ACL like to say, “The truth is in the transactions.” All it takes is the right technology to analyze the data and the knowledge of what questions to ask of the data.
James also stressed the age-old saying, “Knowledge is power.” He urged those in the audience to invest not only in data analysis technology such as ACL, but also in the training required to use it more effectively.
The content offered at this year’s conference has been excellent so far. Now if only it would stop raining…I was hoping to enjoy some Florida sunshine while I’m down here.