- Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
- How is independence maintained when working for the company as an internal auditor?
- When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Tamekia P. says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
The process includes the auditors determining potential audit areas and then reaching out to the respective owners. After the audit is agreed upon, a letter is drafted indicating scope, length, procedures and the team working on the audit. The audit is then conducted in two phases: planning and fieldwork. During planning, information is gathered and high-level meetings occur. During fieldwork, specific controls are tested and initial findings are discussed. At the conclusion of fieldwork, a draft report is prepared including findings, etc. The report is finalized and the audit is concluded.
Tamekia P. says
2. How is independence maintained when working for the company as an internal auditor?
Independence is maintained when an auditor works for the company because the auditors do not report to the individuals they are auditing.
Heiang Cheung says
Hey Tamekia,
Good point. Independence is maintained by having the Chief Audit Executive report to the Audit Committee, which reports to the board. This helps because if audit reported to the CEO there wouldn't be much independence, since internal audit audits management, and if the CEO didn't like something he could just tell them to change it.
Mahugnon B. Sohou says
You are right. In order to maintain independence the audit executive reports to the audit committee, and then the audit committee reports to the board of directors. This assures independence, as the auditors do not report directly to the CEO, who might want to change the results of the audit. Auditors should not report to the individuals they are auditing.
Akiyah says
It makes sense that an internal auditor not be a direct report of the individual that they are auditing. That would have a high likelihood of resulting in a conflict of interest.
Internal auditors should also be rotated in order to lessen the amount of time spent in one department and give another auditor the opportunity to review the work that was previously audited by their peer.
Tamekia P. says
2. How is independence maintained when working for the company as an internal auditor?
Independence can also be maintained by ensuring that an auditor does not audit their own work. This includes reviewing or testing a process area that they helped implement or were involved in designing.
Pascal Allison says
Never thought about the auditor becoming an auditee. The auditor cannot be an auditee at the same time. There must be segregation of duties, and the auditor cannot have any personal interest in a process being audited. It defeats the purpose of independence, because the report could be partial or biased.
Mahugnon B. Sohou says
Yeah, exactly right. The auditor must not have any interest in the process being audited, or any relationship besides a professional one with the auditee.
Tamekia P. says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a control is higher than the benefit obtained when the cost is greater than the risk being addressed. In this case, a formal risk acceptance should be prepared and documented explaining why management feels it is not necessary to implement the control. The organization should also be sure to perform an annual risk assessment to validate decisions made previously, as the environment may have changed.
Heiang Cheung says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I currently work at a non-profit / quasi-government agency and haven't really dealt much with internal auditors, because usually my manager or director would handle that process. I remember one time when I was handling the accounts payable process an internal auditor wanted to interview me about the process, because for the department I was in it was a little different from everything else in the company. He asked me about the process and the different controls in place and who signed off on payments. Later on the internal auditor recommended some extra controls to put in place.
Heiang Cheung says
2. How is independence maintained when working for the company as an internal auditor?
Independence is maintained by having no personal or professional involvement with the area being audited and maintaining an unbiased and impartial mindset in regard to all engagements. Also, the internal audit activity should have a mandate through a written audit charter that establishes its purpose, authority, and responsibility to support its independence and objectivity within an organization. The Chief Audit Executive should report directly to the audit committee, and the audit committee directly to the board of directors. This helps internal audit keep its independence from management.
Scott Radaszkiewicz says
I agree, Heiang. This is how it should work, but in reality I have seen scenarios where the auditor has some kind of link to the company. In my career, there was a state auditor who came once a year to audit. It was the same person doing the audit for 15 years. Toward the end, it was like he was an employee, there every year. Everybody knew him, and he knew everybody. Unfortunately, I do think it biased his work a bit.
Heiang Cheung says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
When the cost of implementing a compliance control is higher than the benefit, it means the risk is acceptable, or the risk is minor and the probability of the risk is also low. An organization should probably do a risk assessment / risk matrix to define the level of risk the organization is willing to accept and focus more on the areas of higher risk.
Mahugnon B. Sohou says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I haven't dealt with internal auditors directly, but during my time working at a non-profit I have witnessed internal auditors interviewing others about their processes. From what I know, the auditors first determine the areas to be audited, then reach out to the process owners and determine the scope of the audit. Then comes the interview process, where the process owner is asked about the process and the controls in place. At the end of the audit a report is prepared including findings; if insufficiencies are detected, internal auditors also include recommendations for compensating controls.
Mengqiao Liu says
Thank you for letting me know the processes of an internal auditor's work.
Mahugnon B. Sohou says
2. How is independence maintained when working for the company as an internal auditor?
Independence is maintained when an auditor working for a company does not report to the part of the company they are auditing. It is also important to ensure that the auditor's work is reviewed. To maintain independence, an IT auditor should not be reviewing a process that they helped design. The auditor should not have any personal or professional involvement with the area being audited.
Nauman Shah says
You brought up a good point that IA should never be involved in auditing a process that they helped design, but should IA get involved in the design/implementation of a process in the first place? My understanding is that IA should always stay away from designing controls and processes.
Scott Radaszkiewicz says
I think a key point that you address here is that the auditor's work is reviewed. It's almost like segregation of duties. The initial auditor's report and findings are verified by a second auditor to ensure their validity. I guess a gap can exist for things that aren't reported or found, but some precautions must be taken so a single auditor doesn't have complete control.
Mahugnon B. Sohou says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when the risk is acceptable or is minor. A risk assessment is probably the best way to go in this case, to determine the level of risk the company is willing to accept and gear resources toward mitigating risks in areas with a high risk level.
Nathan A. Van Cleave says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
As an internal auditor I've been involved in several business process and IT system specific audits. Our standard audit footprint is approximately 7 weeks and includes advanced planning, planning, fieldwork and reporting.
In advanced planning, the engagement lead meets with the primary auditee and other key stakeholders to understand high-level processes, key risks and issues, and agree on the audit's initial scope. For planning, the entire audit team is assigned specific scope areas that aim to assess the sufficiency and effectiveness of the business process or system being audited, as measured against the company's internal control framework. The auditors interview key stakeholders (business/system/data owners) to understand the processes and controls in place.
During fieldwork, the audit team reaffirms the information discussed in planning and conducts fieldwork testing to assess the effectiveness of controls, using a risk-based approach (higher-risk samples vs. lower). In reporting, the audit team confirms any findings with classifications (Critical, Major, Minor) and works toward agreement with the business. An audit report is issued with an overall opinion, findings, and corrective and preventative actions (to be completed by management).
The scope (and management's agreement to the scope), open and honest communication throughout, and factual results are critical to the success of any audit. Not all audits end in agreement; however, so long as the audit team conducts themselves with transparency and respect, there's a good chance they will be able to "land" the result well with the business.
Heiang Cheung says
Hey Nathan,
I liked how you described what you actually do and broke down the process of the fieldwork and the scope. I was wondering, how are the scopes broken out? Is it broken out by the auditor's experience or is it just random?
Nathan A. Van Cleave says
Heiang,
That's a great question. There are a few things that feed into and help define the scope of every audit. To start, it depends on the entity we are auditing, i.e. a system or a business group/process. If it's a system or application, then most often we'll want to look at IT general controls (Access/Change/Configs); for business processes, the data sensitivity (PI/SPI/CSI) involved.
Often, we audit programs (large scale strategic or operational projects) to assess project based governance and risk management activities or possibly post implementation/future state/business as usual activities.
In all situations, during advanced planning and planning, we’ll assess any information gathered or external factors that either increases or decreases the key risks identified.
A really great example of scoping an audit and how it can change was our recent ERP audit. Heading into it, we thought we would do standard IT general controls but realized after some inquiry with our primary stakeholders that our external auditor had completed substantive testing around access (standard and privileged), and change and config management. This left us in an interesting scenario: how do we continue on, prevent duplication, execute an audit, and still add value?
We still took a risk based approach. We looked at the key risks, shifted focus and looked at very specific instances of privileged access that the external auditors did not provide an opinion on; crisis and continuity management/disaster recovery and third party management.
Other things we often need to consider are management self-identified issues, which show proactivity on the auditee's part and save us from significant testing to realize an issue, gap or finding around what they would potentially self-report. Sorry, this was long-winded; hope this helps.
Nathan A. Van Cleave says
Heiang,
Sorry, I just re-read your question. I realize now you were asking specifically about scope allocations to the team members.
You hit it on the head. Oftentimes scope areas are assigned based on experience or expertise. I am an IT generalist and very often I am given more business process focused areas like CCM, TPO, or Privacy. While those areas can become technical quickly, they are generally not as technical as access, change or config management testing.
Overall, since we do assess our internal control framework across all of the activities, the team may be required to focus on a particular element of the framework such as Risk Assessment or Training. That can cross any scope area, so it can either be assessed per area or it could be assessed as it’s own scope section if it makes sense to do so.
An example might be, say, an IT system that supports the management of our GDPR related data assets (Privacy). We may have 4 sections that cover Access, Change, Config and TPO. There are also those ICF elements I mentioned too (training, risk assessment, written standards and controls), and auditors could be assigned one of the 4 sections mentioned and need to assess the elements as they relate to that section, or an element could be assigned to one auditor to assess across the entire process.
Heiang Cheung says
Wow, thanks Nathan for the detailed explanation. I was just wondering because, going into IT audit, I don't really have technical expertise, so I'm guessing I would probably deal more with business processes.
Scott Radaszkiewicz says
Nathan, great description of the audit process. Open and honest communication is a key you mention. I don't know why people get so nervous when an audit is taking place. I guess the fear of their mistakes being found out. But an audit is a good thing. It finds irregularities in your processes and ensures things are being done correctly. It shouldn't be feared; it should be an open and honest process to help improve the organization.
Nathan A. Van Cleave says
2. How is independence maintained when working for the company as an internal auditor?
There are a few ways with which an internal audit function can operate with independence. The first is the reporting structure; my company’s Senior Vice President of audit has direct reporting to the Audit and Risk Committee (ARC). She also has a reporting line to the CFO, but primarily for financial or other reporting requirements. That reporting line to the ARC, though, is key, as it allows for our internal audit to provide independent assurance and overall opinions of enterprise risk to the ARC (made up of both internal and external stakeholders).
Additionally, the audit group themselves are made up of a wide range of individuals with both public accounting and business or IT expertise. This allows a diversity of experiences to look at business processes or systems with fewer opportunities for conflicts of interest. While there are occasions when an auditor used to be in a business unit they are now auditing, it may not necessarily constitute a conflict per se, though for every audit the team members should be vetted appropriately.
In other situations, such as guest auditor or audit rotations, where a guest from the business experiences an audit, care is taken to ensure they are not auditing a process they own or touch.
Generally, an internal audit team should hold themselves to a high standard of assessment when reviewing the controls and processes in place and always keep the key risks in mind when assessing the effectiveness and sufficiency of those controls. Assumptions can be extrapolated, however, assertions around findings should always be based on facts discovered (and confirmed) during the audit process.
Independence is critical for internal audit to maintain as it is directly tied to its reputation. If independence, or even the perception of independence, is compromised the reputation can be easily degraded.
Pascal Allison says
Nathan, great point. Independence begins with the auditor. Keeping high standards and upholding the trust bestowed on the profession and position is key to independence. The audit process is not always black and white. There will be times when the auditor has to choose reputation and integrity over everything. For example, there could be threats to deal with during an audit that could hamper decision making or create partiality and bias in the report. If the auditor has read and agreed to the audit charter, the auditor should have no fear but to do the right thing. That is maintaining independence.
Independence can be maintained by ensuring all stakeholders' roles are defined, and the audit charter sets or defines the audit activities and authorities of the process.
Scott Radaszkiewicz says
Great point, Nathan, about an auditor wanting to maintain their reputation. Any auditor that isn't trustworthy won't be in the business for long. It's kind of like a checks and balances system. Audit implies integrity.
Nathan A. Van Cleave says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
This is always the balance that organizations must maintain between risk reduction and operational efficiency. I think a good example of a cost-prohibitive compliance control that outweighs the benefit would be Information Security as a whole. Any CISO will probably say that they don't have enough resources (money or human) to fully/adequately protect their organization against all threats. And if the organization's leadership one day woke up and said, "here's a blank check, protect us from everything," it's likely that the cost of doing so would take so much money or resources away from other, critical areas of the business that it wouldn't be worth doing.
Most companies can’t throw endless amounts of money at information security, so rightfully, most companies apply a risk-based approach to risk reduction. For any areas of the business they should have a register of key/critical risks to their processes and what controls they currently have in place and assess the gaps. The company can then prioritize the risks and determine what mitigations are needed and what solutions can be implemented. Additionally, a business group may decide that something is high impact, but low probability, determine it would be too expensive to remediate, and choose to accept the risk.
In other situations, a company may find that a solution to reduce risk is too cumbersome or obstructive for business users to effectively complete business tasks. For example, a company may want to disable internet browser access to reduce the likelihood that a user can download malicious code to an internal network. This would make most users unhappy and, depending on their role, make it time consuming, tedious, or impossible to complete their tasks. An alternative solution would be to implement training and awareness campaigns to help educate users on good computing practices and protection of information assets and systems.
Pascal Allison says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I was an intern at Ecobank Liberia Limited as an auditor (trainee). I observed or learned that the audit process at Ecobank Liberia Limited was staged in four phases (Planning, Execution, Communication/Reporting, and Follow-up) where the auditee (department) was involved with the process when required.
Planning – the auditor worked with the auditee to understand and ascertain information about the area of concern to gauge the processes and controls;
Execution – during this phase, testing was done to identify areas that lack controls and areas with control weaknesses;
Reporting/Communication – findings or results of the testing and recommendations were presented or communicated through a transparent means (report);
Follow-up – to ensure the recommendations were implemented as agreed, a comeback or follow-up was done to re-evaluate the process and progress.
2. How is independence maintained when working for the company as an internal auditor?
The starting point for independence is to clearly establish the audit purpose, authority, and responsibility of all stakeholders within the company involved with the audit. To be declared independent, the auditors must conduct the engagement and render judgement with impartiality, without bias, and without threats. The auditor must uphold the integrity bestowed on the profession or position.
There should be room for dual reporting. The internal auditors, through the Chief Audit Executive (CAE), should report directly to the audit committee or its equivalent and the board. For administrative reasons, the auditors can report to a senior manager, yet maintain direct communication with the audit committee to retain access to all resources and avoid the impairment of independence.
These are signs that independence exists for an internal auditor.
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when the control does not reduce or mitigate the risk, when the risk is an acceptable risk yet a cost is incurred for the control, or when the control increases the risk or gives rise to other risks.
To ensure efficiency and profitability, an organization should do an analysis of the cost of the compliance control and its effectiveness to ensure the cost and benefit are parallel. If not, the benefit should be greater than the cost for implementation.
James T. Foggie says
It would be interesting to hear what the follow-up process entailed. I am wondering if Ecobank utilized a GRC system of some sort to provide a central repository of data relating to findings, controls, risks, etc.
Pascal Allison says
As an intern I did not have the opportunity to participate in the follow-up process; that was an FYI for interns. What I observed was that there was more manual work done as opposed to application/software. Each branch had a resident auditor to monitor and ensure the recommendations were executed or implemented; then a team of auditors from the audit team would revisit the branch to confirm the implementation of the recommendations against the resident auditor's report and assessment of the process.
Mengqiao Liu says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I had an audit project last semester; it was an audit finding report for a real estate company. My teammates and I found that passwords were not required to be changed periodically, which could lead to malicious attacks and data breaches.
2. How is independence maintained when working for the company as an internal auditor?
Internal auditors are independent when they render impartial and unbiased judgment in the conduct of their engagement. To ensure this independence, best practices suggest the internal auditors should report directly to the audit committee or its equivalent. For day-to-day administrative purposes, the internal auditors should report to the most senior executive (i.e., the chief executive officer) of the organization.
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Effective compliance requires organizational support, process control methodology, and content control. Create an explicit link between compliance, performance management, and value. To control compliance costs, look for commonality in compliance requirements, use an investment approach for budgeting, and take the complexity out of the system whenever possible.
Robert Conard says
1. Yes, somewhat. My most recent experience involved doing a walkthrough of a tax firm that had previously had a breach of client information. I, along with the new business owners, evaluated the infrastructure the previous owner had experienced trouble with, and found recommendations for controls around those insufficiencies. Some of the recommendations included 2FA on server entry, additional login credentials for the tax software, and a new CRM tool that would centralize that information with modernized licensing capabilities.
Robert Conard says
2. Independence can be maintained by staying professionally and operationally independent from that process before and after conducting an audit. For internal purposes, there can be feedback given to management, but not solutions. The solutions are up to the department to decide, so that internal audit can return for another audit and remain independent.
Robert Conard says
3. The cost is higher depending on what risks are mitigated and to what extent that compliance provision is enforced. Does remaining compliant become too expensive? Does lack of compliance lead to administrative obstacles? The organization has an acceptable risk margin, and if there are compliance initiatives meant to be added on top of what is already acceptable, there is likely to be a diminishing return on those protections.
Akiyah Baugh says
Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
The only experience that I have with being involved in an internal audit was providing data requested by auditors. The request was assigned to my area to complete; therefore providing the data was the extent of my involvement. Also, when in the design phase of any project, we always add control and audit functions to document and gather data for auditing purposes that will be made available upon request.
Akiyah says
How is independence maintained when working for the company as an internal auditor?
The internal auditor should maintain impartiality and avoid situations that would cause a conflict of interest, such as accepting gifts or personal relationships. The auditor should have to provide feedback and suggested solutions to management.
Akiyah says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when the cost of the losses and risks is less than the cost of implementing the compliance control. Assessing the risks and losses, and making sure that processes are documented well and standardized when possible, can help lessen the cost and improve efficiency.
James T. Foggie says
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
I have had the 'pleasure' of being involved in several internal and external audits. I have been audited by my company's internal audit process relating to Sarbanes-Oxley control and process assessments. Processes and controls are reviewed annually to ensure compliance with policies. It is imperative that controls and processes are reviewed regularly to make sure they are current. Management testing and assertions are performed, which rely upon the sign-off from front-line managers. The internal auditor's role is one of assistance and guidance within the company's org structure. Internal audits (auditors) review practices within the company to ensure that controls, processes and procedures adhere to industry standards with respect to compliance.
James T. Foggie says
2. How is independence maintained when working for the company as an internal auditor?
The internal auditors usually report up to the audit committee. The internal auditors submit reports, and work with the c-suite executives in an effort to establish a functional relationship with the organizations being audited. By reporting to management outside the structure of the audited org, auditors maintain independence when assessing and reporting on the controls and weaknesses of any org.
James T. Foggie says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit when the end result of implementing the control does not yield a return on investment that clearly supports the overall business objectives of the company. When such a scenario exists, companies can consider implementing compensating controls to mitigate whatever risks have been identified. Compensating controls may be considered for most control requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate documented business constraints.
Heiang Cheung says
This was actually a great point about compensating controls. I was just watching a 20/20 episode about data and how all the big tech companies, back in the day before GDPR in Europe, didn't really care about the regulation because the fines were so minimal that they would just run the risk of getting caught, because the fines were cheaper than hiring lawyers. So I think, depending on the situation, sometimes you just ignore the risk; not saying it's ethical, but business-wise it makes sense.
Nauman Shah says
1 – Every year, our IT Risk Management team performs a risk assessment of all the applications that are utilized at the company. Based on the risk assessment, they are given a certain risk rating, which determines whether or not we are going to audit those applications. The audit starts with sending a notification letter to the application/business process owners, which has the timelines and resources of the audit. Our fieldwork for most SOX applications is 3 weeks, followed by one week of documentation, after which the report is issued.
Heiang Cheung says
Hey Nauman
Great point that a risk assessment is done to determine which areas are more prone to risk and to base your audit on the risk assessment. I was wondering, how often is a risk assessment done? Once a year or more often?
Nauman Shah says
2 – Independence is maintained through the reporting structure, as well as by not being involved in the design or implementation of controls. IA reports to the audit committee, which makes them independent of the people they audit, and they usually do not get involved in the design of controls and processes, thereby maintaining their independence.
Nauman Shah says
3 – When the cost of implementing a compliance control is higher than the benefit obtained from it, management should formally document the risk acceptance for the lack of the control. They should also look into other detective controls, such as manual reviews, to mitigate the risk arising from the lack of the primary control.
Derrick A. Gyamfi says
Internal auditors must be free to advise the board, directly or through an audit committee, on risk management, governance, and internal control issues, having unrestricted access to all parts of the organization. While internal auditors should work closely with the executive to resolve issues that arise in their work, their accountability is to the board, not management, and they should operate free from interference or obstruction.
Derrick A. Gyamfi says
Internal audit teams also need suitably experienced, qualified and trained staff to produce the best advice and judgments for boards and management. Boards should ensure that internal audit work is sufficiently resourced to allow it to fulfill its mandate, that staff in key positions have a recognized skill set appropriate to their functions, and that staff receive the training and development they need to deal with the increasing challenges organizations are facing.
Derrick A. Gyamfi says
The cost of implementing a compliance control is higher than the benefit when there is a misalignment of the compliance function and growth. Efficiency and profitability can be ensured by:
– Hiring compliance specialists appropriately
– Establishing a culture of compliance in the organization
– Inclusion of a profitability analysis as part of compliance
Derrick A. Gyamfi says
In my experience performing annual audits, the process requires the client to:
– Schedule personnel for audit activities such as interviews, observation, or walkthroughs;
– Make the pertinent data, records, and technology resources available to the auditor;
– Review preliminary findings and provide written responses regarding corrective actions and specified time frames;
– Establish and maintain required controls.
Scott Radaszkiewicz says
Question 1: Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
So, one particular audit comes to mind. I work in education and we have financial audits every year. Several years back, the State of PA decided to implement an IT audit. I'm in the IT field. Per standard PA Department of Education operation, this audit was a good concept, but bad design. The auditor assigned to do the IT audit was the financial auditor, who knew little about technology. The auditor said, "I'm not real sure what some of these questions mean, so you'll have to help me out here."