May 2017

I’m taking a short break from my blog, so I’m reposting one of the more popular posts from previous years that remains relevant to today’s internal audit practitioners. This was originally published on Oct. 21, 2011. Enjoy.

I’ll never forget my seventh-grade English teacher telling us, “It’s not what you say, but how you say it that counts.” Obviously, she was exaggerating, but the point still stands: How we say things can make a difference. A well-written audit report should be a call to action, but a poorly written report can result in inappropriate action or in no action at all.…

Organizations face risks today that are as varied and challenging as ever. Cybersecurity, technology, big data, social and geopolitical dynamics, and other factors are contributing to a complex and evolving risk landscape.

As boards and C-suite executives struggle to manage such risks, they are increasingly turning to internal audit for assurance and advice that fall outside of the more traditional engagements with which many internal auditors are comfortable — assurance on financial reporting and compliance. Higher demands amid limited time and resources, developing new skills, and nurturing out-of-the-box thinking are sure to pose significant challenges for internal audit functions. Indeed, keeping up with growing expectations while delivering high-quality service may be the single biggest threat facing the profession.…

It didn’t take long for social media to adopt #wannacry for last week’s massive cyberattack, which hit computer networks in nearly 100 countries from the U.S. to the U.K. to China. The ransomware virus, called Wanna Decryptor, encrypted valuable data on compromised networks, then threatened to destroy it unless payments were made.

For those of us who have spent our careers promoting good internal controls and risk management, this latest cyberattack could indeed bring tears of frustration because the attack successfully exploited some of the most basic and easily mitigated cyber risks.

First, the perpetrators relied on simple phishing to introduce the virus through an email attachment, according to cybersecurity experts quoted by multiple news outlets.…

In 2013, I published a blog post that resonated widely with readers. In “Do You Live Your Life in Color?” I reflected on the passing of two people — one a friend and one a relative — who lived their lives with vigor and passion, never failing to pursue their dreams and ambitions.

I observed that their passion for their work “inspired me to live my professional life as if I would only live it once.” Unfortunately, far too many professionals today are simply punching the clock when it comes to their careers. Quite frankly, they are pursuing their professional careers in black and white!…

The majority of publicly listed companies in Malaysia (54 percent) fully outsourced their internal audit functions in 2016, according to a survey conducted by The IIA’s affiliate in that rapidly growing country. The survey found that outsourcing is more prevalent in smaller companies and less so in the financial sector.

This survey raises an important age-old question that a growing number of organizations may be facing in the future as the demands of effective governance and risk management become more complex. Is outsourcing internal audit a viable option?

There is little question that the profession will have to expand its skill sets as it pivots to meet stakeholder demands for assurance related to emerging risks and to be trusted advisors when it comes to risk, business, and operating strategies.…