Enhanced Professional Development Skills
Norm Kelson, CPA, CISA, CGEIT
The Kelson Group
November 18, 2009
© The Kelson Group, 2009
Agenda
Identifying our skill set needs
Fulfilling the skill set
Enhancing our staff
Providing value to the organization
How Has the Audit Landscape Changed?
General Controls, 20%
Existing Applications, 25%
New Applications, 25%
Technical Audits, 30%
Historical Focus
How Has the Audit Landscape Changed? (2)
AS5, 60%
IT General Controls, 10%
All Applications, 30%
SOx Era
How Has the Audit Landscape Changed (3)
SOx Testing, 10%
GRC, 10%
IT Gen Ctrl, 25%
Bus Process, 40%
Technical Audits, 15%
Today
How Has the Audit Landscape Changed (3)
SOx Testing, 5%
GRC, 25%
IT Gen Ctrl, 20%
Bus Process, 40%
Technical Audits, 10%
Within 5 Years
What Do I Need to Know About My Organization?
• Internal Audit
  – Mission
  – Audit Charter
• Business
  – Long term strategy
  – Industry
  – Best practices within industry
  – Regulations
• Technology
  – Current architecture
  – Architecture of the future
• Application Portfolio
  – Applications topography
  – Applications functionality
What Do I Need to Know About My Organization? (2)
• IT Service & Delivery Architecture & Practices
  – In House
  – Out Sourced
• Governance Framework
  – COSO?
  – IT Governance Framework – CobiT/ITIL
• Compliance Approaches & Requirements
  – AS5
  – GLBA
  – PCI-DSS
  – HIPAA
  – Federal/State/Local data privacy requirements
• Enterprise Risk Management Approach
Senior Management Drivers
Chief Audit Executive
CIO
C-Suite
Board of Directors
Regulators
External Auditors
Business Unit Management
Drivers for Audit Services
Value
Controls
Security
Compliance
Governance
IT Audit Universe
• Which Audit Landscape?
  – Historical
  – SOx Era
  – Today
  – Next 5 years
Skills Required
• Communications & Interpersonal Skills
  – Ability to relate to audit customer
  – Understand their needs
  – Argumentation skills
  – Communicate to technical and non-technical constituencies – written and oral
• Business skills
  – Industry expertise
  – Finance/accounting subject-matter competency
• Business process
  – Understanding of business process
  – Specific processes to enterprise
• Controls management
  – Controls framework
  – Control objectives
Skills Required (2)
• Risk management
  – Risk assessment methodologies
  – Enterprise-adopted risk management process
• Value management
  – Ability to relate control requirements and risk management into a value to the organization
• Project management
  – Ability to manage internal audit projects
  – Ability to evaluate effectiveness of enterprise and business projects
• IT Technical
  – Core technical functions
  – General IT functions
Take Inventory
• Results of Enterprise Risk Assessment
  – Essential Audits – Rated “A”
  – Needed Audits – Rated “B”
  – Nice to Have Audits – Rated “C”
• What resources needed for “A” and “B” audits?
  – FTE’s
  – Skills
• What resources available?
• Result is your delta
Auditor Skill Sets
Financial
Operational
Business Process / Applications / Projects
General IT Controls
Technical IT Controls
Financial Auditor
Business Auditor
IT Audit Generalist
IT Audit Technical Specialist
Subject Matter Experts
• Sources
  – Financial / Operational / Business / IT Auditors
  – Internal rotation from technical department
  – External
• Non-core audit requirements
• Internal SME deficiency
Essential Training
• Internal Audit Concepts
• Business / Industry Concepts
• Finance/Accounting – scope for IT auditors more limited
• Business psychology – as needed
• Communications, Argumentation, Written & Oral Presentation
• IT Technical – core functions
How Do I Receive Value from Internal Audit
• Invest in good personnel
  – Talented staff
  – Competent and focused training
  – Reasonable compensation
  – Reasonable working conditions and tools
• Allocate resources to your staff’s strengths
• Identify and select audits that fit the risk assessment
• Keep audit rotations to a minimum of 24 months
How Do I Receive Value from Internal Audit (2)
• Use staff for recurring audits, assign consultants to specialty and non-recurring audits
• Consider building audit teams by line of business
  – Cohesive team
  – Lessens learning curve
  – Include IT audit in Line of Business team
• Keep turnover to a minimum (cost of replacement extremely high)
• Budget reasonable time to an audit – don’t squeeze staff
How Can I Build a High Performance Team
• Resolve Personnel Issues
• Provide Opportunity
• Empower
• Provide training
• Support team
Personnel Issues
• Understand the drivers of each generation
• Economics push staff
  – Recognize burnout
  – Build for tomorrow – don’t deplete the staff
  – Mirror staff with management expectations
• Employee Mentoring
  – Understand employee career goals
    • Seek opportunities within company
    • Keep employee for reasonable period of time
    • Outplace employees not fitting in
  – Provide an open door policy to assist employee in performing duties
    • Manage but don’t micro-manage
    • Run interference where appropriate
  – Support employee within and outside department
  – Respect
Training
• Meaningful training to fit Audit Plan
• Design training plan for each staff member
  – Technical training
    • Specific expertise
    • Industry expertise
  – Management skills
    • Leadership
    • GRC management
    • Project management
  – Business skills
    • Presentation skills (oral and written)
    • Finance/Accounting
    • Industry concentration
• Quality programs
• Training program tailored to the needs of each employee
• Consider distance learning, where possible
  – Give staff time to utilize distance learning
Certification
• Encourage obtaining and maintaining certifications for job function:
  – Audit related:
    • CPA, CISA, CIA, CFE
  – Security related:
    • CISM, CISSP
  – GRC
    • CGEIT, IT Risk – (soon to be announced)
• Certification preparation
  – Reimburse for certification test fees, reasonable refresher or study courses
  – Time off to sit for test
  – Time off for preparation (reasonable)
• Certification maintenance
  – Reimburse for yearly fees
  – Provide training opportunities and reimbursement to maintain certification in good standing
Management
• Build a team of complementary skills
• Foster open dialogue
• Provide feedback
• Meet with customers – foster relationships and represent department
Key Areas for Professional Skill Enhancement
• Governance and related practices
• Understanding of financial processes
• Understanding business processes
• Maintaining core IT technical skills
• Improving soft skills
Contact Information
Norm Kelson
Telephone: (781) 784-4390
Email: [email protected]