Dear Valued Member,

It is with great excitement that I write this for the inaugural issue of The Northwest

News, our communication link to the chapter. The chapter’s officers and board of gov-

ernors have made a commitment to enhance the level of engagement within our organi-

zation. What you can expect from us this year:

More networking opportunities – Pictures from the September 1st event to be features in

the next edition

Great training sessions focused on the hottest audit topics – Hope to see you on Septem-

ber 20th at DeVry in Addison. We will explore the topic of Social Networking followed

by social networking in a relaxed setting with your peers.

Please provide feedback or content related to this inaugural issue to Elliott Bujan

(iiachicagonw@gmail.com), who has done a great job making the newsletter a reality.

Enjoy the rest of your summer and hope to see you soon!

Best Regards,

Brian

PRESIDENT PERSPECTIVES

‘Out of the Office’: How to Lead Remote Teams By: Robert Half Management Resources

Inside this issue:

President Perspectives 1

Out of the Office: How to lead

Remote Teams 1

Risk Assessment: A Hands on,

How to Guide 2

Drawing the Line: From Profes-

sional Skepticism to Suspicion 4

Financial Leadership: Tranform-

ing Internal Audit

7

Audit in Action—Audit in Mo-

tion

8

The Chicago NorthWest Metro I IA Chapter Newsletter

THE NORTHWEST NEWS SEPTEMBER 2011

ISSUE 1 , VOLUME 1

Upcoming Events

9/8, ISACA chapter meeting: Virtualization Security and Audit

9/16, Legal Elements of Fraud (Evidence Handling and Prosecution), AFCE—Federal Reserve Bank, Chicago

9/20, Social Networking & Social Event, Devry, Addison Campus

T oday, distance workers

are hardly a rarity. A

manager may allow

some employees to work re-

motely from a main location

for a variety of reasons. For

some supervisors, it’s to help

valued staff achieve better

work/life balance. For others,

it may make the difference in

convincing top talent to join

the firm. Underpinning this

trend are technological ad-

vances that make it easier than

ever before for remote profes-

sionals to work cohesively

with other team members.

Still, many managers find it

challenging to effectively lead

geographically dispersed em-

ployees. Even with today’s

communication tools, remote

working arrangements provide

limited opportunity for the

type of everyday interaction

that helps supervisors keep

employees motivated. And

because it can be harder to

gauge how much structure

these workers need, leaders

often end up either microman-

aging or not providing enough

support to them. Following are

tips for building positive and

productive relationships with

remote team members:

Explain the tie to the big pic-

(Continued on page 6)

Refreshing your Annual Enterprise Risk Assessment By: Eric Klink, CPA—Auditor, W.W. Grainger

Page 2

THE NORTHWEST NEWS

T he annual risk assess-

ment is a staple of

every internal audit

department’s annual pro-

jects, usually performed at

the beginning of each new

year to drive the future audit

plan. While the benefits are

well documented, and many

conceptual and academic

articles have been written on

the topic, there is a derisive

lack of practical guides and

tools to construct a risk as-

sessment process that is both

comprehensive and all inclu-

sive, covering (for those fa-

miliar with COSO) Strategic,

Operational, Financial, and

Compliance risks.

There are four key compo-

nents to a robust annual risk

assessment process. The

four phases are 1) Identify-

ing a Framework; 2) Exter-

nal Risk Assessment, 3) In-

ternal Risk Assessment; and

4) Aggregate the Risk Infor-

mation. Each part flows into

the next in a sequential or-

der, each building on the

next, and ultimately resulting

in the final risk assessment.

The first phase and founda-

tion of any good risk assess-

ment requires the use of a

framework. To keep it as

simple as possible, COSO or

ISO provide great risk as-

sessment frameworks and

most ERM literature is writ-

ten using concepts and lan-

guage from them. For pure

risk assessments for just in-

ternal audit usage, the COSO

frame work is the best. It

provides 90 unique risks

classified within the four

main risk categories, which

allows for easy tracking,

classifying, and counting of

risks.

The second step is the external

risk analysis, which focuses

on general global and econom-

ic risks. The best way to go

about this is to just do some

research online. Typing in

―Top 10 Risks of 2011‖ will

yield pages and pages of risks

to evaluate. All of the major

accounting and consulting

firms publish ―Top Risk of

20XX‖ documents annually.

The final place to gather risks

is from competitors’ 10K’s, all

of which include a discussion

on risk factors. By identifying

ten 10K’s and twenty ―Top

Risks‖ resources, these docu-

ments should provide roughly

300-400 individual risk. Each

risk must then be classified

using the COSO risk frame-

work.

The third portion of the risk

assessment is also the most

time consuming. The inter-

nal risk assessment focuses

on operational and strategic

risks, often ones that are

more specific to the busi-

ness. The most effective

way to gather internal risk

information is to organize

group risk discussions by

department or group within

the organization. To help

facilitate discussion, utilize

the external risk information (Continued on page 3)

“ Once the risks have

been rated and orga-

nized from highest to

lowest, it is important

to make a cut-off as

to identify your top

risks.”

What’s happening around the Internet

ISACA Meetings - Chicago chapter,

Midwest Regional Conference, Sept. 25 to Sept. 28 2011

AFCE—Chicago events

Global Technology Audit Guides (GTAG)

Do you have a link that would like to share? Send it to iiachicagonw@gmail.com

Risk Assessment...

. . . T IME FOR BROWSING

CAREER OPPORTUNITIES If your company is looking to fill an audit related position, we can post a short announcement in this

section. We will publish the title, employer name and contact person.

Staff Auditor, Sears, Kris Shellum-Allenson @847.286.5037

Senior Auditor, Sears, Kris Shellum-Allenson @847.286.5037

Grant Thornton is interested in talking with Internal Audit professionals who

are seeking a career in IT risk advisory and business consulting. Please con-

tact Colleen Johnson, Recruiting Manager at colleen.johnson@us.gt.com

Page 3

THE NORTHWEST NEWS

and individualize some risks to

discuss as they relate to the

specialties of the various

groups. This will serve as a

good starting point to begin

discussions, eventually leading

the discussion to other risks

each group is faced with.

Again, once the risks have been

identified, they must be as-

signed COSO Risk ID’s.

Organizing and rating your

company’s key risks comprises

the fourth phase of the risk as-

sessment. A simple way of

identifying top risks is to count

the frequency of each COSO

Risk ID’s appearance within

both the external and internal

risk analysis. Often times, the

more frequently a risk is men-

tioned, the more relevance it

has to the business. Alterna-

tively, each risk can be evaluat-

ed on frequency and magnitude

which is used to develop a risk

rating in which to identify the

top risks. Once the risks have

been rated and organized from

highest to lowest, it is im-

portant to make a cut-off as to

identify your top risks. Now

that the key enterprise risks

have been identified and rated,

you have created a valuable

resource which can be used to

develop an audit plan, works

towards ERM, and help pro-

mote a culture of risk aware-

ness.

(Continued from page 2)

other information, and we

question what we see and

hear. We take pride in

never missing a clue or a

warning sign, in being

alert for the hidden

message that some other

auditor might miss. We

are all aware that without

professional skepticism

we might fail as auditors.

So why shouldn’t auditors

always exhibit extreme

professional skepticism?

The flip side of the issue

is that too much

skepticism can actually

hamper audit

effectiveness. Take, for

example, the case of the

hyper-suspicious auditor

who once worked for me.

He always assumed new

clients were guilty of

something and his job was

to ―blow the whistle.‖

Unsurprisingly, the

auditor’s working

relationships with

management and me

deteriorated over time.

Managers were less than

forthcoming during risk

assessments and the audit

engagement. The

auditor’s nature of being

overly suspicious

eventually led to

communications

breakdowns and weak

audit results.

For many auditors, our

written goals might

I enjoy working with

new auditors, in part

because they so often

see the world in terms of

clear black-and-white

issues. ―Should we do an

audit?‖ ―Should we issue

a finding?‖ ―Am I

maintaining a healthy

degree of professional

skepticism?‖ For many

new auditors, each yes-or-

no question points

unerringly to a single

correct answer.

With experience, our

horizons expand and we

start to see additional

repercussions for our

actions. The issue is not

merely whether we should

perform an audit, but

whether budget is

available, how extensive

an audit is justified, and

how soon the audit is

needed. The issue is not

merely whether or not to

report a finding, but how

significant the finding is

and how strongly to word

the description.

Experience can be even

more valuable when we

draw the line between

maintaining adequate

professional skepticism

and harboring

unwarranted suspicions.

Issues regarding

skepticism can be

emotionally charged

because they lie at the

core of how we see

ourselves as auditors.

Professional skepticism

means that we take

nothing for granted —

that we continuously

assess audit evidence and

include partnership-with-

management initiatives or

other relationship-

building initiatives.

Unfortunately,

maintaining professional

skepticism means we can

never completely trust the

very leaders who would

be our partners in these

initiatives. In turn,

management may become

less likely to think of

internal auditors as trusted

advisers. It’s human

nature to trust and confide

in people who trust and

confide in us — but also

to distrust people whose

(remarkably poor)

judgment makes them

suspicious of us. Is it any

wonder, then, that taking a

hard line on professional

skepticism can potentially

damage valuable working

relationships?

Having a handle on an

appropriate level of

professional skepticism is

critical to long-term

internal audit success, but

evaluating our own

professional skepticism

can be dismayingly

subjective. One size does

not fit all. Some auditors

rely more on relationship

building; others are more

inclined to ―dig out the

truth‖ in hard facts. Every

situation is unique, and

(Continued on page 5)

Drawing the Line: From Professional Skepticism to Suspicion

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

Page 4

THE NORTHWEST NEWS

Drawing the Line…

Get Involved!

“...why

shouldn’t

auditors always

exhibit extreme

professional

skepticism? ”

Have you thought about taking

your involvement with The IIA

or your local chapter to a new

level? The Institute has many

opportunities for internal audi-

tors to participate beyond the

membership level.

You can: Make a Difference in Your

Profession

Use your personal and profes-

sional skills with The Institute

of Internal Auditors by serving

as a volunteer with your local

chapter or at a regional or in-

ternational level.

Help Guide the Future

through the partnership

program

Write Exam Questions

Develop Research Re-

ports and Educational

Products

Write an Article

Give the Gift of Time-

Volunteer Your Audit

Services!

Invest. Involve. Inspire.

Page 5

THE NORTHWEST NEWS

the trick is not merely to

decide how much skepticism

is enough in general, but to

draw the line so clearly that

we exhibit just the right

degree of professional

skepticism in any given

situation.

If only we could use a

standardized rating system to

assess our level of skepticism!

Unfortunately, an accurate,

flexible rating scale is not

likely in the near future.

(Imagine a checklist with

statements such as, ―The

interviewee seemed nervous

and was sweating profusely.

Deduct one skepticism point,‖

or ―The sample size was

statistically significant. Add

three skepticism points.‖)

There’s a fine line between

maintaining a healthy degree

of professional skepticism and

having an overly suspicious

attitude. How we decide to

draw that line says a lot about

us … as auditors and as

individuals. To me, the secret

is simply to approach each

situation with an open mind

and to communicate in a way

that demonstrates our

underlying trust and

confidence in management.

We will always need to ask

the hard questions, but we

also need to use tact in

deciding how and when to ask

the questions.

Former U.S. President Ronald

Reagan once said, ―trust but

verify.‖ At the time, Reagan

was discussing ongoing

relationships with a U.S.

adversary, but for auditors,

―trust but verify‖ should be

words to live by. We need to

demonstrate our trust in our co

-workers, and we need to

verify that our trust continues

to be well-placed.

(Continued from page 4)

9/25 - 28, Midwestern Regional Conference, Milwaukee, WI

10/13, ISACA Monthly Meeting: Internal Control Implications of Middleware Technologies

10/29 to 11/1, CFE Exam Preparation & Review, National ACFE Training, Chicago

(Continued from page 1)

‘Out of the Office’...

ture – and keep communica-

tion going

The more remote workers

understand project goals, and

how their contributions move

forward company objectives,

the easier it will be for them

to buy into those goals and

contribute at a higher level.

To reinforce your expecta-

tions about performance and

deliverables, work with re-

mote staff to establish a time-

line, in writing, for achieving

action items and other objec-

tives. Make sure they have

the resources they need for

success, including any neces-

sary training.

Maintaining a positive rela-

tionship and strong communi-

cation channels with remote

employees is crucial to clari-

fying accountabilities and

ensuring they can continue to

handle their workload. After

setting clear objectives, select

a date for an in-person follow

-up meeting and arrange for

subsequent trips for these

employees to your main loca-

tion to discuss progress and

strategize for the next period.

Meetings in between these

visits can be conducted via

phone if geographic con-

straints make it difficult to get

together often.

Make good use of technology

Although technology tools

can’t surmount every chal-

lenge in remote working rela-

tionships, at least make sure

you’re taking advantage of

everything you can to en-

hance communication chan-

nels. Solutions such as

telepresence videoconferenc-

ing and web conferencing

allow you to have more ―face

time‖ with remote employees,

and can help create a more

―human‖ experience when

meeting with dispersed team

members.

Additionally, your employees

can make use of a wide array

of online collaborative work

tools that allow them, no mat-

ter where they are, to contrib-

ute to projects and stay ap-

prised of changes. Internal

use of social media also can

help far-flung teams build

camaraderie, which boosts

overall workforce morale.

(Just make sure the firm has

clear policies about on-the-

job use of these technologies

and information security.)

Be inclusive – and give praise

Your off-site personnel

should never feel left out, so

be sure they have the same or

similar opportunities as their

on-site counterparts. For ex-

ample, if your CEO will be

addressing the whole office,

let remote workers listen in

by conference call or watch

the meeting online. If you

offer training, allow off-site

staff to participate virtually or

attend the session in person, if

possible. And don’t forget the

small gestures: During the

holiday season, for instance,

send a basket of treats to re-

mote employees who can’t

attend the company party.

Last but certainly

not least, never fail to person-

ally and promptly praise re-

mote workers for outstanding

performance. Be sure to share

their achievements with other

staff, as well – for instance,

by sending a ―shout-out‖

email to all project members

or specifically mentioning the

employee’s achievement dur-

ing a weekly team conference

call. Acknowledgement of

contributions not only will

help remote workers feel like

vital team members, but also

raise their profile throughout

the firm.

The bottom line: If

communication channels are

kept open and wisely used,

motivating remote staff and

keeping them on track can be

as effective as managing on-

site employees.

This article is provided cour-

tesy of Robert Half Manage-

ment Resources, North Amer-

ica’s largest consulting ser-

vices firm providing senior-

level accounting and finance

professionals on a project

basis.

For further information, visit

www.roberthalfmr.com or

follow Robert Half Manage-

ment Resources on Twitter at

twitter.com/roberthalfmr

(Continued from page 1)

Page 6

THE NORTHWEST NEWS

Financial Leadership: Transforming Internal Audit By David Chiang CA.CIA, CMC, ACDA

A s today’s Chief Audit

Executive works to

evolve Internal Audit

to make it more integrated

with an organization’s strate-

gic initiatives, the role of the

Chief Financial Officer in

facilitating this transfor-

mation is an important con-

sideration. A visionary CFO,

who understands the value of

Internal Audit, can be a useful

ally and catalyst agent for

change.

The report Financial Leader-

ship in Challenging Times

published by Pricewater-

houseCoopers in November

2009 provides a snapshot of

the influential perspective of

the CFO. ―CFOs [who have]

the vision to look beyond

core functions of finance and

the fortitude to use their fi-

nancial acumen and insights

to drive new value and higher

levels of business transfor-

mation and performance‖ will

be needed in these challeng-

ing times.

The report goes on to say that

one key area for the CFO to

drive success, rather than

remain in survival mode, is

achieving ―continuous im-

provement in accuracy, time-

liness and cost effectiveness

of control and compliance

activities.‖

This quote resonated with me

greatly, as I have been articu-

lating this concept in recent

articles and presentations.

Using leading edge data anal-

ysis technologies to provide

an organization with im-

proved business assurance is

a critical way to achieve im-

proved results for both the

internal audit department and

for the organization as a

whole.

To support the CFO as an

agent of change, CAEs need

to inform CFOs about current

developments in technology-

enabled auditing. For exam-

ple, data analysis that previ-

ously had to be done manual-

ly on a repetitive basis can

now be performed automati-

cally using audit technology.

This frees up auditors from

repetitive manual data analy-

sis to focus on other value-

based audit tasks. Technology

such as ACL AuditExchange

enables users to manage the

frequency, timing and param-

eters of automated analytics,

as well as have an overall

view of scheduled analyses

past and present.

Providing internal auditors

with content management

capabilities also makes for a

more efficient audit team.

The ability to store key audit

evidence, including data, ana-

lytics, results and all forms of

working papers, in a secure

and centralized location, ena-

bles audit shops to be more

organized and better at ac-

quiring and assessing their

audit results.

Further, the move towards

more continuous assurance

over controls and risks can be

achieved with the use of ex-

ception management technol-

ogy, which allows audit

teams to easily distribute ex-

ceptions found during data

analysis testing. These results

can be communicated to man-

agement and operational staff

for further follow up – im-

proving the overall controls

and compliance environment.

Thereby allowing the CFO to

take comfort that the organi-

zation’s internal controls and

remediation programs are

working as intended.

Visionary CAEs and CFOs

who have the foresight to

innovate across the organiza-

tion, including adopting best

practices in their internal au-

dit departments, can be driv-

ers of improved operational

performance and business

excellence. As stated in

PwC’s report, ―a sustained,

focused program of financial

leadership invests continually

in people, process and tech-

nologies.‖

It’s now up to CAEs, support-

ed by the CFO, to accept this

mantle and truly become a

change agent in transforming

the internal audit department

and taking a place at the lead-

ership table.

So, what the heck is continuous con-trols monitoring? It’s just a fancy way to describe a way of reviewing

the ZILLIONS of transactions that are happening

across an enterprise.

But, why should you care?

Here are some hints: 70%...$994 Billion…€6 Billion…10,000 staff hours. The numbers in this video will show you why you should stop worrying and learn to love CCM technology.

watch “What the heck is CCM?” on ACL’s YouTube

channel: »www.youtube.com/aclservices

Page 7

THE NORTHWEST NEWS

Page 8

THE NORTHWEST NEWS

Serious training is brewing in Milwaukee this September – so if you are thirsty for knowledge and networking click here.

2011 Midwestern Regional Conference

September 25 – 28

Hilton Milwaukee City Center Download the Conference Brochure

Todd Richard facilitating a great Audit Best Practices

session. Kindly hosted by our friends at Sears

Breakout session for Full day Continuous

Auditing Session. Kindly hosted by our

friends at Sears

Cloud Computing session panelists.

Kindly hosted by our friends at Allstate

Breakout Session for Audit Best Practices Training

Breakout session for Full day Continuous Auditing

Session

Anniversaries

chapter stats / anniversaries / new members, etc.

Board members

Brian Babendir President

Mark Alexander Academic Relations

Elliott Bujan Communications

John Turner Research, Publication and Certifications

Matthew Budy Operations

Frank Moriarty Enterprise Relations and Advocacy

Brian Duffy Membership

Curtis W. Siegel Director of Forums

Angela Banks-Buford Administration

Toula Panagakos Programs

Oliver J. Tang Finance

Term expiring in 2012

Tami McLane Michael Heraty

Sharon Bell Tracy Heming-Littwin

Term expiring in 2013

Frank Moriarty Adewale Ademokunla

Earl Potjeau James A. Ruzicka

Governors

CHAPTER SITE: WWW.THEIIA.ORG/NORTHWESTMETROCHICAGO

EMAIL: IIACHICAGONW@GMAIL.COM

LINKEDIN: … we need you to coordinate our page, send us an email

Mr. Robert M. Ernst, 30

Mr. Howard R. Greene, 30

Mr. Phillip D. Hunt, 25

Mr. Curtis W. Siegel, 25

Mr. Philip W. Bertram, 25

Ms Jody M. Campbell, 20

Ms J Alexander So, 10

Mr. Garry Barksdale, 10

Mr. Brian Babendir, 10

Mr. John G. Morgan, 10

Ms Diana Quinn 10

Ms Gail Leeds 10

Mr. Brian Selby, 10

Mr. Thomas Zeken, 10

Mr. Alcides Mariano Jr., 10

Mr. Edilberto Ortiz, 5

Ms Kristen Zak, 5

Mr. Tom Stamatelos, 5

Mr. Manish Khosla, 5

Yulia Gurman, 5

Mr. Colin Connor, 5

Ms Dorothy A Dombrowski, 5

Ms Jennifer Noe, 5

Kevin Klepper, 5

Ms Nicole S Lynn, 5

Mr. Earl Potjeau, 5

Ms Katarzyna K Dee, 5

Mr. Steve C. Meyer, 5

Ms Toula Panagakos, 5

Ms Maitri Jani, 5

Mr. Jeffery R Barlow, 5

Ms Sarah Mariotti, 5

Ms Joanna Michailova, 5

Gregory Kamp, 5

Mr. John Turner, 5

Mr. Eric Wunderlich, 5

Ms Robin Nimmo, 5

Mr. Dante A. Fiocca, 5

Ms Bhumika Shah, 5

Mr. Ihab Abukhalaf, 5

Ms Kristina Borrelli, 5

Mr. Michal Urbanowicz, 5

Mr. Elliott Bujan, 5

Ms Jaclyn Plock, 5

Mr. Milan Stankovich, 5

THE NORTHWEST NEWS

Page 9