Seven Deadly Sins of Internal Audit

Ask, Share, Learn – Within the Largest Community of Corporate Finance Professionals

The Seven Deadly Sins of Internal Audit

Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.

© 2013 Proformative. Proprietary and confidential

Welcome to Proformative

Proformative is the largest and fastest growing online resource for senior level corporate finance, treasury, and accounting professionals.

A resource where corporate finance and related professionals excel in their careers through:

• Uniquely valuable, online Peer Network

• Direct subject-matter-expert advice

• Valuable Features and Resources

All of it completely noise-freeCheck it out at www.proformative.com

http://www.proformative.com/


Learning Objectives

After participating in this event you will be able to:

• Understand and refocus on issues of critical concern to your management and audit committee

• Learn how to avoid losing credibility within your company

• Discover on how having an internal audit team is seen as a strategic asset to the business

Ask, Share, Learn – Within the Largest Community of Corporate Finance Professionals

The Seven Deadly Sins of Internal Audit

Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.

Why Are We Discussing the 7 Sins?

• Internal Audit is a unique job

• Skills for success are very different than other functions

• What is the secret for success?


What Makes an Internal Auditor Effective?

Technical Skills

Accounting Skills Industry Knowledge Regulatory Awareness Financial Acumen

Managing Employees Professional Image Your Boss Likes You

Understanding the value of Internal Audit and how this fits in with the organization

“Soft” or People Skills

Value & Fit


What Does Value & Fit Mean?

Value

Understanding of Risk

Ability to absorb information quickly

Translating knowledge into business solutions

Fit

Recognize costs & benefits

Realizing problems have many solutions

Gaining the confidence of others


The Seven Deadly Sins

Threats to Value and Fit

1. Ineffective Planning

2. Being Self Centered

3. Losing the Truth

4. Ineffective Communication

5. Failing Political Science

6. Inability to Negotiate

7. Destroying Credibility© 2013 Proformative. Proprietary and confidential

The Seven Sins




3. Losing the Truth




7. Destroying Credibility


• Risk Assessment • Audit Planning

• Reporting Lines

• Budgets • Staffing

• Technology

• Scheduling • Workpaper Review

• Audit Report


Strategy

Operations

Tactics



A good Internal Audit Plan has the following elements:

Risk Based Multiple Sources Of Input

Uses Some Technology to Support The

Process



• If audit plan is not based on risk then…– Audit everything on a rotational basis– Gut feelings/suspicions– Orders from management

• An effective risk assessment tells you what area of the organization to Audit… there really are no alternatives

“Internal audit must concentrate on inherent and residual high risks and remove low risk, low impact audits off our annual plans. – Joel Kramer, Managing Director MIS Training Institute

From the News!



Case Study #1 – Risk assessment is forced upon IA

• Large multi-national implemented a rotational internal audit schedule for operating units

• Every unit was to be audited once every three years

• Became hard to explain why many resources were dedicated to auditing the “best run” units while problem units had to wait their turn

• Senior Management and the Audit Committee became frustrated and the audit plan was constantly interrupted and reordered based on everyone’s evolving definition of risk

• Lesson = you end up auditing by risk anyway


The Seven Sins




3. Losing the Truth







• Every function within a company thinks they are doing the most important and critical work

• Some believe processes and controls are the company rather than a part of the company

Only 44% of respondents believe that Internal Audit is helping their organization achieve its business objectives…

…and fewer — 37% — say they involve Internal Audit in key business decisions and strategy

Forbes Insights Global Survey of Executives and Audit Committees



• Risk & Control Experts Wanted!

• Senior Management & the Board Value good opinions

• Help run the business do not give utopian answers

Understand:• Organization’s objectives • Macroeconomic and

industry risks

Make sure:• Your solutions support

the organization’s objectives

Evaluate:• The cost vs. benefits of

proposed solutions

Open mind:• Controls and

documentation are great tools

• Have their limitations

Logical/pragmatic: • Understand your role

as an advisor and facilitator

• There are many ways to solve internal audit issues

What is Needed What Do I Need To Know To Help? Specifically



Case Study #2 – The story of the new data center

• Global financial services company had a well established Internal Audit function

• Many of the staff had been in their positions for many years

• Management looked at the IA department with barely concealed contempt

• When asked for their opinion about IT security department personnel responded by saying, “You should build a new data center”

• Management responded by asking, “OK but can I do what you are suggesting?”….Internal Audit would respond, “Well……No”© 2013 Proformative. Proprietary and confidential

The Seven Sins




3. Losing the Truth






3. Losing the Truth

The Problem

We deal with complex issues that have many facets to them What may seem like a serious issue can turn out to be trivial and what

may seem trivial may turn out to be very serious The facts are revealed slowly and in pieces

Solidifying your position and refusing to reconsider based on new facts Do not become married to positions that are unsupported by facts This problem usually appears in Audit Reports Audit issues have a way of transforming from the workpaper to the final

audit report

You are allowed and you should change your mind when new facts are brought to light

Manage emotions of your team and management You will gain respect and prestige by aligning yourself with the facts Holding on to an outdated position will open you to the charge that “you

are just there to find something!”

Beware of…

Key Actions


Case Study #3 – The Auditor is the Last to Know

• An operating unit of a major aerospace company releases an accounting reserve causing a significant rise in net income

• The auditor asks the Controller for the justification for the release of the reserve

• The Controller responds that he has none

• The issue is documented in the audit report

• Later the Unit President calls and details many meetings and discussions and full support

• The auditor refuses to change his position and keeps referencing the Controller’s comments

3. Losing the Truth


3. Losing the TruthOriginal Audit Report – Support for Reserves

Condition:Management reserves were released without discussion, reasoning and/or documentation. Specifically, a management reserve that was released for submarine program (00084) in the amount of $1,052,779. Management was not able to explain the logic, assumptions or reasoning behind this release.

Risk:Unexplained/unsupported adjustments to profitability have been made that may create a misstatement in the financials.

Agreed Action: Documentation supporting the logic, assumptions and calculations for all management reserves will be discussed, documented and maintained.


3. Losing the TruthOriginal Audit Report – Support for ReservesRevised Audit Report – Support for Reserves

Condition:Support for releasing management reserves is not maintained with the accounting data and the Controller is not involved in the discussion regarding the release of reserves. Specifically, a management reserve was released for submarine program (00084) in the amount of $1,052,779 without the input of the Controller.

Risk:The appropriate accounting treatments may not be applied resulting in a misstatement to the financials.

Agreed Action: The Controller will be involved in all discussions regarding releasing reserves and will advise as to the appropriate accounting treatment based on the facts and circumstances of the program.


The Seven Sins




3. Losing the Truth







• Focus on Board/Executive communication

• How do we report to higher levels?

• Common fallacy is that more information is always better

• The Board/Executives are busy – Looking for expert

advice not reams of data © 2013 Proformative. Proprietary and confidential


What are we saying to the Board/Executives when we give too much detail?

• I have no insight

• I want to avoid blame

• I need your detailed supervision and input to manage my function



These days data is cheap and readily available Understand what is important to your audience Not what data but what concerns Communicate in business terms not in auditor speak

The Temptation

How Is this Done? Consolidate issues from audits into common

themes1. Get to the point or the “newspaper headline”2. Develop a thesis for why this condition exists

3. Back up your thesis with selected data4. Have the main body of data available



Case Study #4 – The presentation that said nothing

• Head of IA would present detailed information

• Constantly loaded the presentation with data

• Most was marginally relevant

• AC listen politely

• Afterwards they would always ask others, “So what's really going on?”

• They were hungry for a professional opinion© 2013 Proformative. Proprietary and confidential

Ineffective AC Slide

• Related party transactions were not disclosed to Senior Management in Q1 2011 and previous quarters. Unit does business with a computer equipment supplier owned by the IT Manager. FY 2010 totaled $60K and YTD FY 2011 totaled $12K. Q2 certifications from acknowledged this relationship and it will be disclosed quarterly going forward.

• Intercompany accounts between Unit and Corp. were not completely reconciled

• The Finance Director does not evidence his review of the Hyperion financial statements to the Trial Balance

• The Credit Manager has access to posting journal entries

• A vendor who supplies IT equipment and supplies to the Company is owned by the IT Manager. This was unknown to the Finance Director and the General Manager and was not disclosed with the Q1 financials.

• One payment over $50,000 was not approved by the Corp. Controller

• The Finance Director does not sign off on the Over 60 or the aging reports to evidence his review

• Intercompany Balances have not been reconciled with Unit A and Unit B since the beginning of the year and the amounts out of balance are substantial



Effective AC Slide

• Unit A has one serious issue and a few minor ones

• Most critical are related party transactions are not being reported to corporate

– This occurred due to second level managers not being aware of disclosure requirements

– IT Manager had a relationship with a supplier. Amounts ordered from supplier totaled FY 2010 totaled $60K and YTD FY 2011 totaled $12K.

– Unit has been reminded of their responsibility to report this going forward and has received a highlighted copy of the disclosure memo

– Management has prepared the required disclosure



The Seven Sins




3. Losing the Truth







We are not talking about gossip! Wikipedia defines politics as:

Politics is a process by which groups of people make decisions. The term is generally applied to behavior

within civil governments, but politics has been observed in all human group interactions, including corporate, academic and religious institutions. It consists of "social relations involving authority or

power" and refers to the regulation of a political unit, and to the methods and tactics used to formulate

and apply policy


http://en.wikipedia.org/wiki/Corporation

http://en.wikipedia.org/wiki/Academia

http://en.wikipedia.org/wiki/Religion

http://en.wikipedia.org/wiki/Policy


Why Should We Care?

Anyone who deals with improvement needs to understand the decision making process

We need to be sure the decisions that are made will “stick” Solutions will be implemented far more quickly if you know

where to go

Ignore conventional wisdom i.e. the CEO is the top decision maker

Open our eyes and observe the decision making process Follow the decision even after its made

Understanding the politics of your organization allows you to formulate workable solutions to business issues that will get implemented.

Success Requires…

Key Point



1.Where are decisions made?

– In what forum?

2.Who makes decisions?

– Highest ranking, functional area, etc.

3.How are decision made?

– Consensus, ratification, declaration, etc.

4.Who ignores decisions?

– And gets away with it?

5.Who overturns decisions?

– And how long after the fact?

Evaluate:



Case Study #5 – The tale of the busy President

• A company has implemented a new software system

• The CEO calls the Head of IA and says he wants a post implementation review done

• Head of IA initiates planning on that basis

• President of the largest division calls the Head of IA with a request to desist/delay

• Head of IA proceeds nonetheless (CEO said so right?)

• CEO calls a few days later and berates the Head of IA for disrupting his largest business


The Seven Sins




3. Losing the Truth





“It starts with relationships … with senior management, company leaders and the audit committee. This is a service function, and you do have

clients. You do not subordinate your judgment, but you do serve.

Negotiation is a BIG part our job

We deal with business problems− Typically more than one solution

We are the experts but we have to take into account the views of others

Why Do We Have To Negotiate?

Richard Chambers, President & CEO of the IIA

6. Failing to Negotiate


Moderation in business is a skill that is acquired through experience

Knowing when to stand like a rock and knowing when to compromise requires a vast database of prior experiences

We Need To Be Flexible But Still Maintain Our Integrity

Like a stalk of wheat If you are too stiff, you will be broken and too soft you will

trampled on



Focus on the end goal and not how to get there− The end rather than the

means Make sure you understand the

other position Make the other side work

− Demand suggestions! Career Development

− Develop an understanding of what has significant impact

Compromising on the wrong issue

Bringing an external audit mentality to internal audit

Never developing the ability to distinguish between critical and non critical issues

Tips Traps




Case Study #6 – Follow the small rules and break the big ones

• Engineering company had very detailed internal controls over financial reporting

• Voluminous documentation is produced followed by meticulous testing of many of the company’s controls

• Deviation from documentation and lower level controls are not tolerated

• Policy says revenue can be recognized in anticipation of a contract

• Which issue do you think the CAE compromised on?


The Seven Sins




3. Losing the Truth





7. Destroying Your Credibility

• Credibility is Internal Audit’s biggest asset

• If credibility is lost, we have nothing

• Our entire profession is based on “Independent Assessments”

• If these assessments cannot be believed then they are worthless



Acting on initial feelings

Listening to people that try to feed you information or “inside data”

Forming an opinion on data that you or your team have not independently verified

Sharing this unverified data with others (Even worse!)

Relying on reputations, forecasts and preliminary opinions

Ways to Destroy Your Credibility



Make judgments and voice opinions based on actual audit testing and documentation

Do not be swayed by, or act on, rumor or “inside information”

Do not discuss the audit results except with those who must know

Not depending on past performance during audits

Only presenting issues that you have personally reviewed

Ways to Build Your Credibility



Case Study #7 – He said, she said but there was nothing

• At a company gathering, many operating unit heads made negative remarks about Unit A

• The Head of IA was taken aside many times and told that he must “do something” about Unit A

• Threats were made about the competency of the Head of IA if he did not act

• No hard evidence was presented

• Fortunately the Head of IA did not react and during later audits the Unit was found to be very well controlled


The Seven Virtues!

Here are the more familiar terms:

1. Effective Planning2. Integrating Activities with

Others3. Integrity to the Facts4. Communicating Clearly5. Understanding Decision

Making6. Negotiating Fairly7. Maintaining Credibility

Nothing more than what your first business mentor probably told you


Back to Value and Fit

Value & Fit To be successful we need to understand how we provide

value and how this fits in with the organization

A solid base of technical skills and regulatory knowledge is a basic requirement

The ability to translate this knowledge into effective and pragmatic solutions that others will buy into

Having the credibility and integrity to deliver this to the organization

What separates the executives from managers

This Means…

The Result


Thank You



If you have questions about CPE Credit please contact

[email protected]

Please join us at www.proformative.com to ask any additional questions you may have and to continue this conversation with your peers and the experts you heard from today.

mailto:[email protected]

http://www.proformative.com/

Seven Deadly Sins of Internal Audit

Business