Ask, Share, Learn – Within the Largest Community of Corporate Finance Prof The Seven Deadly Sins of Internal Audit Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.
Nov 27, 2014
Ask, Share, Learn – Within the Largest Community of Corporate Finance Professionals
The Seven Deadly Sins of Internal Audit
Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.
© 2013 Proformative. Proprietary and confidential
Welcome to Proformative
Proformative is the largest and fastest growing online resource for senior level corporate finance, treasury, and accounting professionals.
A resource where corporate finance and related professionals excel in their careers through:
• Uniquely valuable, online Peer Network
• Direct subject-matter-expert advice
• Valuable Features and Resources
All of it completely noise-freeCheck it out at www.proformative.com
© 2013 Proformative. Proprietary and confidential
Learning Objectives
After participating in this event you will be able to:
• Understand and refocus on issues of critical concern to your management and audit committee
• Learn how to avoid losing credibility within your company
• Discover on how having an internal audit team is seen as a strategic asset to the business
Ask, Share, Learn – Within the Largest Community of Corporate Finance Professionals
The Seven Deadly Sins of Internal Audit
Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.
Why Are We Discussing the 7 Sins?
• Internal Audit is a unique job
• Skills for success are very different than other functions
• What is the secret for success?
© 2013 Proformative. Proprietary and confidential
What Makes an Internal Auditor Effective?
Technical Skills
Accounting Skills Industry Knowledge Regulatory Awareness Financial Acumen
Managing Employees Professional Image Your Boss Likes You
Understanding the value of Internal Audit and how this fits in with the organization
“Soft” or People Skills
Value & Fit
© 2013 Proformative. Proprietary and confidential
What Does Value & Fit Mean?
Value
Understanding of Risk
Ability to absorb information quickly
Translating knowledge into business solutions
Fit
Recognize costs & benefits
Realizing problems have many solutions
Gaining the confidence of others
© 2013 Proformative. Proprietary and confidential
The Seven Deadly Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility© 2013 Proformative. Proprietary and confidential
The Seven Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility
© 2013 Proformative. Proprietary and confidential
• Risk Assessment • Audit Planning
• Reporting Lines
• Budgets • Staffing
• Technology
• Scheduling • Workpaper Review
• Audit Report
1. Ineffective Planning
Strategy
Operations
Tactics
© 2013 Proformative. Proprietary and confidential
1. Ineffective Planning
A good Internal Audit Plan has the following elements:
Risk Based Multiple Sources Of Input
Uses Some Technology to Support The
Process
© 2013 Proformative. Proprietary and confidential
1. Ineffective Planning
• If audit plan is not based on risk then…– Audit everything on a rotational basis– Gut feelings/suspicions– Orders from management
• An effective risk assessment tells you what area of the organization to Audit… there really are no alternatives
“Internal audit must concentrate on inherent and residual high risks and remove low risk, low impact audits off our annual plans. – Joel Kramer, Managing Director MIS Training Institute
From the News!
© 2013 Proformative. Proprietary and confidential
1. Ineffective Planning
Case Study #1 – Risk assessment is forced upon IA
• Large multi-national implemented a rotational internal audit schedule for operating units
• Every unit was to be audited once every three years
• Became hard to explain why many resources were dedicated to auditing the “best run” units while problem units had to wait their turn
• Senior Management and the Audit Committee became frustrated and the audit plan was constantly interrupted and reordered based on everyone’s evolving definition of risk
• Lesson = you end up auditing by risk anyway
© 2013 Proformative. Proprietary and confidential
The Seven Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility
© 2013 Proformative. Proprietary and confidential
2. Being Self Centered
• Every function within a company thinks they are doing the most important and critical work
• Some believe processes and controls are the company rather than a part of the company
Only 44% of respondents believe that Internal Audit is helping their organization achieve its business objectives…
…and fewer — 37% — say they involve Internal Audit in key business decisions and strategy
Forbes Insights Global Survey of Executives and Audit Committees
© 2013 Proformative. Proprietary and confidential
2. Being Self Centered
• Risk & Control Experts Wanted!
• Senior Management & the Board Value good opinions
• Help run the business do not give utopian answers
Understand:• Organization’s objectives • Macroeconomic and
industry risks
Make sure:• Your solutions support
the organization’s objectives
Evaluate:• The cost vs. benefits of
proposed solutions
Open mind:• Controls and
documentation are great tools
• Have their limitations
Logical/pragmatic: • Understand your role
as an advisor and facilitator
• There are many ways to solve internal audit issues
What is Needed What Do I Need To Know To Help? Specifically
© 2013 Proformative. Proprietary and confidential
2. Being Self Centered
Case Study #2 – The story of the new data center
• Global financial services company had a well established Internal Audit function
• Many of the staff had been in their positions for many years
• Management looked at the IA department with barely concealed contempt
• When asked for their opinion about IT security department personnel responded by saying, “You should build a new data center”
• Management responded by asking, “OK but can I do what you are suggesting?”….Internal Audit would respond, “Well……No”© 2013 Proformative. Proprietary and confidential
The Seven Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility
© 2013 Proformative. Proprietary and confidential
3. Losing the Truth
The Problem
We deal with complex issues that have many facets to them What may seem like a serious issue can turn out to be trivial and what
may seem trivial may turn out to be very serious The facts are revealed slowly and in pieces
Solidifying your position and refusing to reconsider based on new facts Do not become married to positions that are unsupported by facts This problem usually appears in Audit Reports Audit issues have a way of transforming from the workpaper to the final
audit report
You are allowed and you should change your mind when new facts are brought to light
Manage emotions of your team and management You will gain respect and prestige by aligning yourself with the facts Holding on to an outdated position will open you to the charge that “you
are just there to find something!”
Beware of…
Key Actions
© 2013 Proformative. Proprietary and confidential
Case Study #3 – The Auditor is the Last to Know
• An operating unit of a major aerospace company releases an accounting reserve causing a significant rise in net income
• The auditor asks the Controller for the justification for the release of the reserve
• The Controller responds that he has none
• The issue is documented in the audit report
• Later the Unit President calls and details many meetings and discussions and full support
• The auditor refuses to change his position and keeps referencing the Controller’s comments
3. Losing the Truth
© 2013 Proformative. Proprietary and confidential
3. Losing the TruthOriginal Audit Report – Support for Reserves
Condition:Management reserves were released without discussion, reasoning and/or documentation. Specifically, a management reserve that was released for submarine program (00084) in the amount of $1,052,779. Management was not able to explain the logic, assumptions or reasoning behind this release.
Risk:Unexplained/unsupported adjustments to profitability have been made that may create a misstatement in the financials.
Agreed Action: Documentation supporting the logic, assumptions and calculations for all management reserves will be discussed, documented and maintained.
© 2013 Proformative. Proprietary and confidential
3. Losing the TruthOriginal Audit Report – Support for ReservesRevised Audit Report – Support for Reserves
Condition:Support for releasing management reserves is not maintained with the accounting data and the Controller is not involved in the discussion regarding the release of reserves. Specifically, a management reserve was released for submarine program (00084) in the amount of $1,052,779 without the input of the Controller.
Risk:The appropriate accounting treatments may not be applied resulting in a misstatement to the financials.
Agreed Action: The Controller will be involved in all discussions regarding releasing reserves and will advise as to the appropriate accounting treatment based on the facts and circumstances of the program.
© 2013 Proformative. Proprietary and confidential
The Seven Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility
© 2013 Proformative. Proprietary and confidential
4. Ineffective Communication
• Focus on Board/Executive communication
• How do we report to higher levels?
• Common fallacy is that more information is always better
• The Board/Executives are busy – Looking for expert
advice not reams of data © 2013 Proformative. Proprietary and confidential
4. Ineffective Communication
What are we saying to the Board/Executives when we give too much detail?
• I have no insight
• I want to avoid blame
• I need your detailed supervision and input to manage my function
© 2013 Proformative. Proprietary and confidential
4. Ineffective Communication
These days data is cheap and readily available Understand what is important to your audience Not what data but what concerns Communicate in business terms not in auditor speak
The Temptation
How Is this Done? Consolidate issues from audits into common
themes1. Get to the point or the “newspaper headline”2. Develop a thesis for why this condition exists
3. Back up your thesis with selected data4. Have the main body of data available
© 2013 Proformative. Proprietary and confidential
4. Ineffective Communication
Case Study #4 – The presentation that said nothing
• Head of IA would present detailed information
• Constantly loaded the presentation with data
• Most was marginally relevant
• AC listen politely
• Afterwards they would always ask others, “So what's really going on?”
• They were hungry for a professional opinion© 2013 Proformative. Proprietary and confidential
Ineffective AC Slide
• Related party transactions were not disclosed to Senior Management in Q1 2011 and previous quarters. Unit does business with a computer equipment supplier owned by the IT Manager. FY 2010 totaled $60K and YTD FY 2011 totaled $12K. Q2 certifications from acknowledged this relationship and it will be disclosed quarterly going forward.
• Intercompany accounts between Unit and Corp. were not completely reconciled
• The Finance Director does not evidence his review of the Hyperion financial statements to the Trial Balance
• The Credit Manager has access to posting journal entries
• A vendor who supplies IT equipment and supplies to the Company is owned by the IT Manager. This was unknown to the Finance Director and the General Manager and was not disclosed with the Q1 financials.
• One payment over $50,000 was not approved by the Corp. Controller
• The Finance Director does not sign off on the Over 60 or the aging reports to evidence his review
• Intercompany Balances have not been reconciled with Unit A and Unit B since the beginning of the year and the amounts out of balance are substantial
4. Ineffective Communication
© 2013 Proformative. Proprietary and confidential
Effective AC Slide
• Unit A has one serious issue and a few minor ones
• Most critical are related party transactions are not being reported to corporate
– This occurred due to second level managers not being aware of disclosure requirements
– IT Manager had a relationship with a supplier. Amounts ordered from supplier totaled FY 2010 totaled $60K and YTD FY 2011 totaled $12K.
– Unit has been reminded of their responsibility to report this going forward and has received a highlighted copy of the disclosure memo
– Management has prepared the required disclosure
4. Ineffective Communication
© 2013 Proformative. Proprietary and confidential
The Seven Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility
© 2013 Proformative. Proprietary and confidential
5. Failing Political Science
We are not talking about gossip! Wikipedia defines politics as:
Politics is a process by which groups of people make decisions. The term is generally applied to behavior
within civil governments, but politics has been observed in all human group interactions, including corporate, academic and religious institutions. It consists of "social relations involving authority or
power" and refers to the regulation of a political unit, and to the methods and tactics used to formulate
and apply policy
© 2013 Proformative. Proprietary and confidential
5. Failing Political Science
Why Should We Care?
Anyone who deals with improvement needs to understand the decision making process
We need to be sure the decisions that are made will “stick” Solutions will be implemented far more quickly if you know
where to go
Ignore conventional wisdom i.e. the CEO is the top decision maker
Open our eyes and observe the decision making process Follow the decision even after its made
Understanding the politics of your organization allows you to formulate workable solutions to business issues that will get implemented.
Success Requires…
Key Point
© 2013 Proformative. Proprietary and confidential
5. Failing Political Science
1.Where are decisions made?
– In what forum?
2.Who makes decisions?
– Highest ranking, functional area, etc.
3.How are decision made?
– Consensus, ratification, declaration, etc.
4.Who ignores decisions?
– And gets away with it?
5.Who overturns decisions?
– And how long after the fact?
Evaluate:
© 2013 Proformative. Proprietary and confidential
5. Failing Political Science
Case Study #5 – The tale of the busy President
• A company has implemented a new software system
• The CEO calls the Head of IA and says he wants a post implementation review done
• Head of IA initiates planning on that basis
• President of the largest division calls the Head of IA with a request to desist/delay
• Head of IA proceeds nonetheless (CEO said so right?)
• CEO calls a few days later and berates the Head of IA for disrupting his largest business
© 2013 Proformative. Proprietary and confidential
The Seven Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility© 2013 Proformative. Proprietary and confidential
“It starts with relationships … with senior management, company leaders and the audit committee. This is a service function, and you do have
clients. You do not subordinate your judgment, but you do serve.
Negotiation is a BIG part our job
We deal with business problems− Typically more than one solution
We are the experts but we have to take into account the views of others
Why Do We Have To Negotiate?
Richard Chambers, President & CEO of the IIA
6. Failing to Negotiate
© 2013 Proformative. Proprietary and confidential
Moderation in business is a skill that is acquired through experience
Knowing when to stand like a rock and knowing when to compromise requires a vast database of prior experiences
We Need To Be Flexible But Still Maintain Our Integrity
Like a stalk of wheat If you are too stiff, you will be broken and too soft you will
trampled on
6. Failing to Negotiate
© 2013 Proformative. Proprietary and confidential
Focus on the end goal and not how to get there− The end rather than the
means Make sure you understand the
other position Make the other side work
− Demand suggestions! Career Development
− Develop an understanding of what has significant impact
Compromising on the wrong issue
Bringing an external audit mentality to internal audit
Never developing the ability to distinguish between critical and non critical issues
Tips Traps
6. Failing to Negotiate
© 2013 Proformative. Proprietary and confidential
6. Failing to Negotiate
Case Study #6 – Follow the small rules and break the big ones
• Engineering company had very detailed internal controls over financial reporting
• Voluminous documentation is produced followed by meticulous testing of many of the company’s controls
• Deviation from documentation and lower level controls are not tolerated
• Policy says revenue can be recognized in anticipation of a contract
• Which issue do you think the CAE compromised on?
© 2013 Proformative. Proprietary and confidential
The Seven Sins
Threats to Value and Fit
1. Ineffective Planning
2. Being Self Centered
3. Losing the Truth
4. Ineffective Communication
5. Failing Political Science
6. Inability to Negotiate
7. Destroying Credibility© 2013 Proformative. Proprietary and confidential
7. Destroying Your Credibility
• Credibility is Internal Audit’s biggest asset
• If credibility is lost, we have nothing
• Our entire profession is based on “Independent Assessments”
• If these assessments cannot be believed then they are worthless
© 2013 Proformative. Proprietary and confidential
7. Destroying Your Credibility
Acting on initial feelings
Listening to people that try to feed you information or “inside data”
Forming an opinion on data that you or your team have not independently verified
Sharing this unverified data with others (Even worse!)
Relying on reputations, forecasts and preliminary opinions
Ways to Destroy Your Credibility
© 2013 Proformative. Proprietary and confidential
7. Destroying Your Credibility
Make judgments and voice opinions based on actual audit testing and documentation
Do not be swayed by, or act on, rumor or “inside information”
Do not discuss the audit results except with those who must know
Not depending on past performance during audits
Only presenting issues that you have personally reviewed
Ways to Build Your Credibility
© 2013 Proformative. Proprietary and confidential
7. Destroying Your Credibility
Case Study #7 – He said, she said but there was nothing
• At a company gathering, many operating unit heads made negative remarks about Unit A
• The Head of IA was taken aside many times and told that he must “do something” about Unit A
• Threats were made about the competency of the Head of IA if he did not act
• No hard evidence was presented
• Fortunately the Head of IA did not react and during later audits the Unit was found to be very well controlled
© 2013 Proformative. Proprietary and confidential
The Seven Virtues!
Here are the more familiar terms:
1. Effective Planning2. Integrating Activities with
Others3. Integrity to the Facts4. Communicating Clearly5. Understanding Decision
Making6. Negotiating Fairly7. Maintaining Credibility
Nothing more than what your first business mentor probably told you
© 2013 Proformative. Proprietary and confidential
Back to Value and Fit
Value & Fit To be successful we need to understand how we provide
value and how this fits in with the organization
A solid base of technical skills and regulatory knowledge is a basic requirement
The ability to translate this knowledge into effective and pragmatic solutions that others will buy into
Having the credibility and integrity to deliver this to the organization
What separates the executives from managers
This Means…
The Result
© 2013 Proformative. Proprietary and confidential
Thank You
© 2013 Proformative. Proprietary and confidential
© 2013 Proformative. Proprietary and confidential
If you have questions about CPE Credit please contact
Please join us at www.proformative.com to ask any additional questions you may have and to continue this conversation with your peers and the experts you heard from today.