2017

The end of the calendar year is customarily a time to reflect on one’s personal and professional accomplishments. It also offers me the opportunity to look back on the year’s events that had direct implications for the internal audit profession.

As I reviewed key events in 2017, I was reminded of a fundamental truth that all internal auditors should take to heart: Effective risk management, internal controls, and corporate governance are pursuits fraught with continuous obstacles. From culture-driven scandals, to continued brazen cyberattacks, to geopolitical and socio-economic unrest, this year provided vivid examples of how fleeting successful risk management, control, and governance can be.…

Periodically, I am provided statistics about my blog by Internal Auditor magazine, and I was pleased to learn that my posts in 2017 were read more than 100,000 times.

The most popular was one I fondly refer to as the blog post that keeps on giving – or resonating with my readers. In May, I featured a repeat of a 2011 blog post titled 10 Things Not to Say in an Internal Audit Report, which drew more than 11,000 reads on its own this year. This post possesses two key characteristics of my most-read posts throughout the year.

First, it provides practitioners with practical advice about enhancing performance.…

It was more than 40 years ago when the first internal audit standards were introduced. Since that time, the profession has matured immensely, and the proliferation of internal audit departments around the world has been remarkable. The standards have been revised and upgraded periodically and are now a c​ritical component of The IIA’s International Professional Practices Framework.

No true profession can exist without standards to which its members are held accountable. The Merriam-Webster dictionary defines a standard as “a level of quality, achievement, etc., that is considered acceptable or desirable . . . ideas about morally correct and acceptable behavior.”…

Regular readers of this blog know its focus is to provide internal audit practitioners insight and advice on doing their jobs and ultimately helping their organizations reach their goals. This is why my most-read posts often involve straightforward and practical advice and observations about the daily work of internal auditors. Over the years, posts that include lists of specific recommended actions have proven to be some of the most popular.

Yet, I find it is also necessary to comment occasionally on high-profile news events, adding important context to how risks associated with these events could impact organizations and, therefore, internal audit.…

I frequently observe that the internal audit profession is on a journey — from hindsight to insight to foresight. Following its origins more than a century ago, internal audit focused primarily on hindsight. Our predecessors assessed what happened the week, month, or even year before. They provided assurance of the effectiveness of (primary financial) controls from the past.

Eventually, the profession began to focus too on the “here and now,” providing assurance on the effectiveness of (often operational) controls in the present. This assurance, coupled with internal auditors’ perspective on risks facing their organizations, provided valuable insight for management and the board.…

Courage is often discussed as a necessary trait for internal auditors, and over the decades countless practitioners have put their livelihoods on the line to bring wrongdoing to light. Like many others, I have long believed that Cynthia Cooper, the former vice president of internal audit at WorldCom, is the model of courage in our profession.

Cooper’s story is well known within internal audit and accounting circles, and she is rightly praised and lauded for having the courage to stand up in the face of enormous pressure and adversity to unearth the $3.8 billion fraud.

In her book, Extraordinary Circumstances: The Journey of a Corporate Whistleblower, Cooper counsels internal auditors to “find your courage.”…

Data in a recently published report from our colleagues at the Center for Audit Quality (CAQ) reflect an encouraging trend. Publicly traded companies are sharing more information about how their audit committees interact with the companies’ external auditors.

One of the more telling findings in the Audit Committee Transparency Barometer is the surprising growth in the number of companies willing to share details about how their audit committees evaluate the work external auditors do. The CAQ report finds the number of S&P 500 organizations reporting the evaluation criteria has grown from 8 percent in 2014 to 38 percent in 2017.

The CAQ report isn’t the only one that shows the move toward more transparency:

• Deloitte’s Center for Board Effectiveness reviewed proxies for the S&P 100 and found disclosures in three key areas — the number of financial experts on the audit committee, the audit committee’s role in reviewing certain external communications, and the audit committee’s role in approving audit engagement fees grew by more than 10 percent in 2016.

Halloween is celebrated this week across large parts of Europe and North America, bringing a quirky combination of costumed revelers and things that go bump in the night. While it’s safe to say most internal auditors won’t be scared by the ghosts and ghoulies who appear at their doorsteps, there are some aspects of the future that should make them tremble.

Technology has accelerated the pace of change to breakneck speed. We are in an era when a backlash to too much change in too short a period of time is affecting diverse areas of our lives, from our politics to how we communicate to the security of our jobs.…

With few exceptions, organizations in every sector and industry face compliance risks, and those risks grow every year. This is reflected in statistics that show compliance audits account for an increasing percentage of internal audit plans.

In health care, compliance with laws and regulations is critical. ​Not only do compliance breaches subject health-care providers to potential fines and penalties, they are often literally a matter of life or death. I think everyone could learn something from the way cultures of compliance are built within that highly regulated industry.

The U.S. Department of Health and Human Services (HHS) oversees hundreds, if not thousands, of regulations and rules designed to make the provision of health care safe and efficient.…

Every profession evolves as the body of knowledge expands and new tools and technology become available. The best and brightest professionals embrace evolution and leverage new strategies and tactics to enhance their effectiveness. The same is (or should be) true of internal audit professionals.

Several years ago, I adopted a term to describe internal auditors who were not very progressive, who tended to cling to outdated practices. I called them “Jurassic Auditors.” The term Jurassic derives from the geologic period that spanned more than 50 million years and ended about 145 million years ago. The vast majority of species from that period are long extinct, because they were unable to adapt.…