2018

The issue of the rotational chief audit executive (CAE) model is one I’ve addressed in the past. In fact, the second blog post I ever wrote — more than nine years ago — was on this topic. My view is pretty clear that the practice, while widespread, has some inherent pitfalls. If not handled well, it can lead to problems, including real and perceived objectivity impairments for not only the CAE but the entire internal audit department.

My apprehension about this practice has grown proportionally to growth in the demands that stakeholders are placing on the profession. Internal audit is at the cusp of transformational change as technology and an expanding scope of work require that it become more agile and innovative.…

We are living in transformative times. Technology is accelerating the pace of change to breakneck speeds, demanding that we adapt, adopt, and accept change as a way of life. This brave new world requires organizations, institutions, and individuals to become adept at reinventing themselves.

For internal audit, this dynamic reality is adding complexity and urgency to our work. Change causes disruption, and the organizations we serve work best when disruption is minimized. Invariably, internal audit will be asked to do more, requiring us to pivot to stakeholder demands as we have done before. However, the pressures driving change and disruption today cannot be eased by simply relying on what we’ve done in the past.…

In its own words, fast-food giant KFC had “a hell of a week” as it scrambled recently to manage a supply-chain disruption that left most of its 900 franchise stores in the United Kingdom with no chicken. 

KFC blamed the disruption on “a couple of teething problems” with its new U.K. delivery partner, DHL, which explained that numerous deliveries had been incomplete or delayed because of unspecified operational issues.

It is interesting that, in the 21st century, when critical risks are assumed to be strategic or cyber-related, a good old-fashioned risk like supply chain could wreak such havoc. The incident offers a couple of informative lessons for internal audit in supply chain and crisis management.…

New guidance announced by the U.S. Securities and Exchange Commission last week is raising the bar on how publicly traded companies report on their handling of one of the top challenges facing every organization — cybersecurity.

The new cyber-risk guidance, an evolution of guidance first released by the regulator in 2011, boosts reporting requirements in various ways, from disclosures about board involvement in cyber-risk oversight to enhancing internal reporting procedures that more effectively determine when cyber issues rise to the level of materiality and, therefore, should be reported publicly. The new guidelines inevitably will create new compliance challenges and, with that, additional need for internal audit to provide assurance on those compliance efforts.…

“Speaking truth to power.” It is an expression that has been around for decades — often used in a social or political context. But it is also a concept with which many internal auditors struggle. In far too many organizations, those in a position of power and influence are simply not open to conversations around high risks or other uncomfortable topics — until it’s too late.

The challenges and risks facing organizations in the 21^st century are increasingly complex and, if ignored, potentially lethal. This requires those of us who provide assurance on governance, risk, and control to be unwavering in our conviction to examine all such threats.…

Misleading or patently false information has long been a risk for organizations. A disparaging comment, even one with little or no foundation in fact, can leave executives scrambling for a response that will contain and, hopefully, reverse any damage. Usually, the truth will prevail.

But as we are seeing more and more, an unceasing barrage of unsubstantiated and outright phony “news stories” powered by social media and biased websites can quickly overwhelm an organization and influence events.

That’s why it was no surprise to me when Google’s parent company, Alphabet, recently elevated objectionable content — specifically, content spreading across the internet and social media — as a key risk.…

I am writing my blog this week from Panama, where delegates from more than 80 countries and territories around the world have gathered to discuss vital strategic risks and opportunities facing the internal audit profession. An important topic of conversation at this annual event will be advocating the value of internal audit to key stakeholders and others globally.

One of the principal missions of The IIA is to advocate for the profession. This takes on many forms, from promoting The IIA’s International Standards for the Professional Practice of Internal Auditing as the standards for all internal auditors around the world, to special projects, such as our partnership with The World Bank to measure the maturity of the profession across Africa.…

I’m sure I visibly cringed when I read news accounts of criminal charges being brought against former U.S. Public Company Accounting Oversight Board (PCAOB) and KPMG employees, who are accused of using leaked PCAOB information to help the Big Four firm improve its audit results.

These charges are unproven in a court of law and all of those charged deserve the presumption of innocence at this point. However, the mere allegation that such a betrayal of ethics took place is painful, and it delivers a black eye on the accounting/auditing professions. Yet, it certainly is not without precedent. I’ve written many times that good people do bad things, and smart people do stupid things.…

In my recent book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors, I explored what it takes to ascend to the level of trusted advisor in our profession. Before I explored the nine attributes that outstanding internal auditors share, I reflected on what it means to be trusted. I noted that trust is defined as “the firm belief in the reliability, truth, ability, or strength of someone or something.” For a small word, it packs a powerful punch.

Trust is one of the most underappreciated words in the internal audit “dictionary.” Without doubt, we talk about trust when considering whether we can rely on documents and assertions by management and those we audit.…

Let’s be honest. The vast majority of internal audit engagements are positive and constructive. Internal auditors and the clients whose areas of responsibility are being audited maintain a mutually respectful relationship, and the engagement results typically drive improvements or other beneficial change.

Forging strong and effective relationships within an organization is essential for the long-term effectiveness of internal auditors. Yet, try as they might, internal auditors will sometimes find themselves on the receiving end of management’s wrath.

When disgruntled executives lash out or retaliate against the internal auditors, it can feel like the empire is striking back.

From my experience, management disagreements with internal audit conclusions or recommendations are not uncommon.…