2017

The practice of including ratings in internal audit reports to highlight or summarize results is not something new. I began exploring and lecturing on the pros and cons of ratings more than 10 years ago. But the subject came up recently at a CAE roundtable, reminding me how popular — yet controversial — the practice continues to be.

Almost 40 percent of those in the room use ratings in some form, and the last time I formally surveyed on the practice, more than two-thirds of respondents said they were including ratings in their audit reports.

Ratings are often assigned based on the overall results of the audit, and they can take on adjectival forms, such as “satisfactory,” “needs improvement,” or “unsatisfactory.”…

The world recently learned the Vatican’s former auditor general believes he was forced out of the post by an “old guard” at the Holy See. Libero Milone stepped down in June less than halfway through a five-year mandate to introduce more transparency into the finances of the Roman Catholic Church.

Just four months before his resignation, Milone spoke at The IIA’s 2017 Global Council in Rome, offering an intriguing glimpse into Pope Francis’ commitment to economic reforms. In his presentation, Milone described what would appear to be idyllic conditions to carry out his work as the Vatican’s first auditor general. He described the office as having full autonomy and independence in keeping with the “best international practices” for public administration.…

Let’s face it. We all hit the wall occasionally when it comes to generating the energy and enthusiasm that make us great internal auditors. Maybe we have just been assigned our third audit of the same business unit; it may be because we have been traveling for three weeks straight, or simply because it is Monday!

In most cases, the lull is short-lived, and we soon find the motivation and energy to deliver another great audit. But, what if we find ourselves in career doldrums that are more prolonged or severe? What should we do if we dread the thought of going to work day after day, week after week?…

The iconic American humorist Will Rogers once said, “If you find yourself in a hole, stop digging.” It is a timeless expression that is as applicable today as it would have been decades ago when Rogers first uttered those words. In the age of social media and endless news cycles, politicians, other public figures, and well-known companies can find themselves in a hole without warning. Too often, their instincts are to just keep digging.

The latest company that’s failing to heed Will Rogers’ sage advice is Equifax. At a time when announcements about a new cyberattack have become almost routine, Equifax’s disclosure of a breach that compromised information relating to about 143 million of its customers was shocking.…

My blog post is a bit delayed this week because of the unwelcome​ visit to Central Florida by Hurricane Irma. Like the thousands of people in Texas affected recently by Hurricane Harvey, families in several areas of South Florida, particularly the Florida Keys, face weeks and months of rebuilding. And, sadly, there were losses of life, though thankfully it was limited.

I am relieved that, despite widespread power outages, flooding, and property damage, our IIA Headquarters staff emerged safely from the storm and our offices reopened today to serve our global members.

It is often said that we manage risks every day in our personal lives.…

Internal auditors around the world should take note of an important development this week – the release of the updated COSO enterprise risk management framework.

Several of my blog posts in the past year have focused on the growing demands being placed on internal auditing by its stakeholders and the importance of practitioners being able to rise up to meet new tasks we are being asked to perform.

This new reality reflects the growing complexity of governance, risk, and control in a fast-moving world where powerful technological, socioeconomic, and geopolitical forces can quickly morph the risk landscape. As such, all those who help manage and assess risk across the enterprise must have the best tools and processes available to them.…

Relationships between audit committees and chief audit executives (CAEs) have become increasingly more complex as the risks facing organizations have become more diverse and dynamic. Indeed, surveys of audit committees suggest they are turning to internal audit more often for an expanding scope of assurance and advisory services.

But the relationship between the audit committee and the CAE is often complicated by personal dynamics and the awkwardness that comes with “constructive feedback.” As a result, I often find that audit committees are uncomfortable pointing out to the CAE what internal audit could do better. Instead, they leave it to management to deliver the news, and the translation isn’t always pure.…

News of violent acts snuffing out the lives of innocent bystanders assaults our senses seemingly on a daily basis. Heart-wrenching events, such as last week’s deadly terrorist attack in Spain, leave many of us weary, and worse, pessimistic about the future.

A few months ago, terrorism hit especially close to home for the IIA family when one of our affiliate leaders lost a childhood friend in a deadly bombing attack in Kabul, Afghanistan. Sadly, I’m sure this was not a unique situation, given The IIA’s reach in more than 170 countries and territories.   

Over the years, I’ve written a great deal about risk as it applies to the profession of internal auditing.…

Trouble is something most people avoid. With rare exception, the desire for safety and security is deep seated. The same holds true in business where often there is an instinct in the corporate sector to avoid examination of controversial topics such as executive compensation, legal compliance, culture, and others that could well bring the wrath of those who feel targeted.

But in my experience, this tendency to look the other way more often than not compounds unexamined problems that may exist. After all, ignoring the source of smoke may well lead to an uncontrollable fire.

Sadly, some internal auditors fear that auditing high-risk areas will not resonate well with executive management.…

​(First published on Nov. ​​16, 2015)​

This summer, I have been taking the opportunity to share blogs from my archives that generated a lot of interest at the time they were published. This week, I reexamine how the internal audit function can be manipulated when its resources are compromised. 

In a recent conversation, a seasoned chief audit executive (CAE) recruiter shared his frustration that a number of high-profile companies are offering below-market salaries for their CAE positions. I responded to him that I wasn’t surprised. In fact, I shared my long-held view that some companies don’t want a strong CAE, so they price the role accordingly.…