the northwest news · audit in action —audit in mo-tion 8 the chicago northwest metro iia chapter...
TRANSCRIPT
Dear Valued Member,
It is with great excitement that I write this for the inaugural issue of The Northwest
News, our communication link to the chapter. The chapter’s officers and board of gov-
ernors have made a commitment to enhance the level of engagement within our organi-
zation. What you can expect from us this year:
More networking opportunities – Pictures from the September 1st event to be features in
the next edition
Great training sessions focused on the hottest audit topics – Hope to see you on Septem-
ber 20th at DeVry in Addison. We will explore the topic of Social Networking followed
by social networking in a relaxed setting with your peers.
Please provide feedback or content related to this inaugural issue to Elliott Bujan
([email protected]), who has done a great job making the newsletter a reality.
Enjoy the rest of your summer and hope to see you soon!
Best Regards,
Brian
PRESIDENT PERSPECTIVES
‘Out of the Office’: How to Lead Remote Teams By: Robert Half Management Resources
Inside this issue:
President Perspectives 1
Out of the Office: How to lead
Remote Teams 1
Risk Assessment: A Hands on,
How to Guide 2
Drawing the Line: From Profes-
sional Skepticism to Suspicion 4
Financial Leadership: Tranform-
ing Internal Audit
7
Audit in Action—Audit in Mo-
tion
8
The Chicago NorthWest Metro I IA Chapter Newsletter
THE NORTHWEST NEWS SEPTEMBER 2011
ISSUE 1 , VOLUME 1
Upcoming Events
9/8, ISACA chapter meeting: Virtualization Security and Audit
9/16, Legal Elements of Fraud (Evidence Handling and Prosecution), AFCE—Federal Reserve Bank, Chicago
9/20, Social Networking & Social Event, Devry, Addison Campus
T oday, distance workers
are hardly a rarity. A
manager may allow
some employees to work re-
motely from a main location
for a variety of reasons. For
some supervisors, it’s to help
valued staff achieve better
work/life balance. For others,
it may make the difference in
convincing top talent to join
the firm. Underpinning this
trend are technological ad-
vances that make it easier than
ever before for remote profes-
sionals to work cohesively
with other team members.
Still, many managers find it
challenging to effectively lead
geographically dispersed em-
ployees. Even with today’s
communication tools, remote
working arrangements provide
limited opportunity for the
type of everyday interaction
that helps supervisors keep
employees motivated. And
because it can be harder to
gauge how much structure
these workers need, leaders
often end up either microman-
aging or not providing enough
support to them. Following are
tips for building positive and
productive relationships with
remote team members:
Explain the tie to the big pic-
(Continued on page 6)
Refreshing your Annual Enterprise Risk Assessment By: Eric Klink, CPA—Auditor, W.W. Grainger
Page 2
THE NORTHWEST NEWS
T he annual risk assess-
ment is a staple of
every internal audit
department’s annual pro-
jects, usually performed at
the beginning of each new
year to drive the future audit
plan. While the benefits are
well documented, and many
conceptual and academic
articles have been written on
the topic, there is a derisive
lack of practical guides and
tools to construct a risk as-
sessment process that is both
comprehensive and all inclu-
sive, covering (for those fa-
miliar with COSO) Strategic,
Operational, Financial, and
Compliance risks.
There are four key compo-
nents to a robust annual risk
assessment process. The
four phases are 1) Identify-
ing a Framework; 2) Exter-
nal Risk Assessment, 3) In-
ternal Risk Assessment; and
4) Aggregate the Risk Infor-
mation. Each part flows into
the next in a sequential or-
der, each building on the
next, and ultimately resulting
in the final risk assessment.
The first phase and founda-
tion of any good risk assess-
ment requires the use of a
framework. To keep it as
simple as possible, COSO or
ISO provide great risk as-
sessment frameworks and
most ERM literature is writ-
ten using concepts and lan-
guage from them. For pure
risk assessments for just in-
ternal audit usage, the COSO
frame work is the best. It
provides 90 unique risks
classified within the four
main risk categories, which
allows for easy tracking,
classifying, and counting of
risks.
The second step is the external
risk analysis, which focuses
on general global and econom-
ic risks. The best way to go
about this is to just do some
research online. Typing in
―Top 10 Risks of 2011‖ will
yield pages and pages of risks
to evaluate. All of the major
accounting and consulting
firms publish ―Top Risk of
20XX‖ documents annually.
The final place to gather risks
is from competitors’ 10K’s, all
of which include a discussion
on risk factors. By identifying
ten 10K’s and twenty ―Top
Risks‖ resources, these docu-
ments should provide roughly
300-400 individual risk. Each
risk must then be classified
using the COSO risk frame-
work.
The third portion of the risk
assessment is also the most
time consuming. The inter-
nal risk assessment focuses
on operational and strategic
risks, often ones that are
more specific to the busi-
ness. The most effective
way to gather internal risk
information is to organize
group risk discussions by
department or group within
the organization. To help
facilitate discussion, utilize
the external risk information (Continued on page 3)
“ Once the risks have
been rated and orga-
nized from highest to
lowest, it is important
to make a cut-off as
to identify your top
risks.”
What’s happening around the Internet
ISACA Meetings - Chicago chapter,
Midwest Regional Conference, Sept. 25 to Sept. 28 2011
AFCE—Chicago events
Global Technology Audit Guides (GTAG)
Do you have a link that would like to share? Send it to [email protected]
Risk Assessment...
. . . T IME FOR BROWSING
CAREER OPPORTUNITIES If your company is looking to fill an audit related position, we can post a short announcement in this
section. We will publish the title, employer name and contact person.
Staff Auditor, Sears, Kris Shellum-Allenson @847.286.5037
Senior Auditor, Sears, Kris Shellum-Allenson @847.286.5037
Grant Thornton is interested in talking with Internal Audit professionals who
are seeking a career in IT risk advisory and business consulting. Please con-
tact Colleen Johnson, Recruiting Manager at [email protected]
Page 3
THE NORTHWEST NEWS
and individualize some risks to
discuss as they relate to the
specialties of the various
groups. This will serve as a
good starting point to begin
discussions, eventually leading
the discussion to other risks
each group is faced with.
Again, once the risks have been
identified, they must be as-
signed COSO Risk ID’s.
Organizing and rating your
company’s key risks comprises
the fourth phase of the risk as-
sessment. A simple way of
identifying top risks is to count
the frequency of each COSO
Risk ID’s appearance within
both the external and internal
risk analysis. Often times, the
more frequently a risk is men-
tioned, the more relevance it
has to the business. Alterna-
tively, each risk can be evaluat-
ed on frequency and magnitude
which is used to develop a risk
rating in which to identify the
top risks. Once the risks have
been rated and organized from
highest to lowest, it is im-
portant to make a cut-off as to
identify your top risks. Now
that the key enterprise risks
have been identified and rated,
you have created a valuable
resource which can be used to
develop an audit plan, works
towards ERM, and help pro-
mote a culture of risk aware-
ness.
(Continued from page 2)
other information, and we
question what we see and
hear. We take pride in
never missing a clue or a
warning sign, in being
alert for the hidden
message that some other
auditor might miss. We
are all aware that without
professional skepticism
we might fail as auditors.
So why shouldn’t auditors
always exhibit extreme
professional skepticism?
The flip side of the issue
is that too much
skepticism can actually
hamper audit
effectiveness. Take, for
example, the case of the
hyper-suspicious auditor
who once worked for me.
He always assumed new
clients were guilty of
something and his job was
to ―blow the whistle.‖
Unsurprisingly, the
auditor’s working
relationships with
management and me
deteriorated over time.
Managers were less than
forthcoming during risk
assessments and the audit
engagement. The
auditor’s nature of being
overly suspicious
eventually led to
communications
breakdowns and weak
audit results.
For many auditors, our
written goals might
I enjoy working with
new auditors, in part
because they so often
see the world in terms of
clear black-and-white
issues. ―Should we do an
audit?‖ ―Should we issue
a finding?‖ ―Am I
maintaining a healthy
degree of professional
skepticism?‖ For many
new auditors, each yes-or-
no question points
unerringly to a single
correct answer.
With experience, our
horizons expand and we
start to see additional
repercussions for our
actions. The issue is not
merely whether we should
perform an audit, but
whether budget is
available, how extensive
an audit is justified, and
how soon the audit is
needed. The issue is not
merely whether or not to
report a finding, but how
significant the finding is
and how strongly to word
the description.
Experience can be even
more valuable when we
draw the line between
maintaining adequate
professional skepticism
and harboring
unwarranted suspicions.
Issues regarding
skepticism can be
emotionally charged
because they lie at the
core of how we see
ourselves as auditors.
Professional skepticism
means that we take
nothing for granted —
that we continuously
assess audit evidence and
include partnership-with-
management initiatives or
other relationship-
building initiatives.
Unfortunately,
maintaining professional
skepticism means we can
never completely trust the
very leaders who would
be our partners in these
initiatives. In turn,
management may become
less likely to think of
internal auditors as trusted
advisers. It’s human
nature to trust and confide
in people who trust and
confide in us — but also
to distrust people whose
(remarkably poor)
judgment makes them
suspicious of us. Is it any
wonder, then, that taking a
hard line on professional
skepticism can potentially
damage valuable working
relationships?
Having a handle on an
appropriate level of
professional skepticism is
critical to long-term
internal audit success, but
evaluating our own
professional skepticism
can be dismayingly
subjective. One size does
not fit all. Some auditors
rely more on relationship
building; others are more
inclined to ―dig out the
truth‖ in hard facts. Every
situation is unique, and
(Continued on page 5)
Drawing the Line: From Professional Skepticism to Suspicion
Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.
Page 4
THE NORTHWEST NEWS
Drawing the Line…
Get Involved!
“...why
shouldn’t
auditors always
exhibit extreme
professional
skepticism? ”
Have you thought about taking
your involvement with The IIA
or your local chapter to a new
level? The Institute has many
opportunities for internal audi-
tors to participate beyond the
membership level.
You can: Make a Difference in Your
Profession
Use your personal and profes-
sional skills with The Institute
of Internal Auditors by serving
as a volunteer with your local
chapter or at a regional or in-
ternational level.
Help Guide the Future
through the partnership
program
Write Exam Questions
Develop Research Re-
ports and Educational
Products
Write an Article
Give the Gift of Time-
Volunteer Your Audit
Services!
Invest. Involve. Inspire.
Page 5
THE NORTHWEST NEWS
the trick is not merely to
decide how much skepticism
is enough in general, but to
draw the line so clearly that
we exhibit just the right
degree of professional
skepticism in any given
situation.
If only we could use a
standardized rating system to
assess our level of skepticism!
Unfortunately, an accurate,
flexible rating scale is not
likely in the near future.
(Imagine a checklist with
statements such as, ―The
interviewee seemed nervous
and was sweating profusely.
Deduct one skepticism point,‖
or ―The sample size was
statistically significant. Add
three skepticism points.‖)
There’s a fine line between
maintaining a healthy degree
of professional skepticism and
having an overly suspicious
attitude. How we decide to
draw that line says a lot about
us … as auditors and as
individuals. To me, the secret
is simply to approach each
situation with an open mind
and to communicate in a way
that demonstrates our
underlying trust and
confidence in management.
We will always need to ask
the hard questions, but we
also need to use tact in
deciding how and when to ask
the questions.
Former U.S. President Ronald
Reagan once said, ―trust but
verify.‖ At the time, Reagan
was discussing ongoing
relationships with a U.S.
adversary, but for auditors,
―trust but verify‖ should be
words to live by. We need to
demonstrate our trust in our co
-workers, and we need to
verify that our trust continues
to be well-placed.
(Continued from page 4)
9/25 - 28, Midwestern Regional Conference, Milwaukee, WI
10/13, ISACA Monthly Meeting: Internal Control Implications of Middleware Technologies
10/29 to 11/1, CFE Exam Preparation & Review, National ACFE Training, Chicago
(Continued from page 1)
‘Out of the Office’...
ture – and keep communica-
tion going
The more remote workers
understand project goals, and
how their contributions move
forward company objectives,
the easier it will be for them
to buy into those goals and
contribute at a higher level.
To reinforce your expecta-
tions about performance and
deliverables, work with re-
mote staff to establish a time-
line, in writing, for achieving
action items and other objec-
tives. Make sure they have
the resources they need for
success, including any neces-
sary training.
Maintaining a positive rela-
tionship and strong communi-
cation channels with remote
employees is crucial to clari-
fying accountabilities and
ensuring they can continue to
handle their workload. After
setting clear objectives, select
a date for an in-person follow
-up meeting and arrange for
subsequent trips for these
employees to your main loca-
tion to discuss progress and
strategize for the next period.
Meetings in between these
visits can be conducted via
phone if geographic con-
straints make it difficult to get
together often.
Make good use of technology
Although technology tools
can’t surmount every chal-
lenge in remote working rela-
tionships, at least make sure
you’re taking advantage of
everything you can to en-
hance communication chan-
nels. Solutions such as
telepresence videoconferenc-
ing and web conferencing
allow you to have more ―face
time‖ with remote employees,
and can help create a more
―human‖ experience when
meeting with dispersed team
members.
Additionally, your employees
can make use of a wide array
of online collaborative work
tools that allow them, no mat-
ter where they are, to contrib-
ute to projects and stay ap-
prised of changes. Internal
use of social media also can
help far-flung teams build
camaraderie, which boosts
overall workforce morale.
(Just make sure the firm has
clear policies about on-the-
job use of these technologies
and information security.)
Be inclusive – and give praise
Your off-site personnel
should never feel left out, so
be sure they have the same or
similar opportunities as their
on-site counterparts. For ex-
ample, if your CEO will be
addressing the whole office,
let remote workers listen in
by conference call or watch
the meeting online. If you
offer training, allow off-site
staff to participate virtually or
attend the session in person, if
possible. And don’t forget the
small gestures: During the
holiday season, for instance,
send a basket of treats to re-
mote employees who can’t
attend the company party.
Last but certainly
not least, never fail to person-
ally and promptly praise re-
mote workers for outstanding
performance. Be sure to share
their achievements with other
staff, as well – for instance,
by sending a ―shout-out‖
email to all project members
or specifically mentioning the
employee’s achievement dur-
ing a weekly team conference
call. Acknowledgement of
contributions not only will
help remote workers feel like
vital team members, but also
raise their profile throughout
the firm.
The bottom line: If
communication channels are
kept open and wisely used,
motivating remote staff and
keeping them on track can be
as effective as managing on-
site employees.
This article is provided cour-
tesy of Robert Half Manage-
ment Resources, North Amer-
ica’s largest consulting ser-
vices firm providing senior-
level accounting and finance
professionals on a project
basis.
For further information, visit
www.roberthalfmr.com or
follow Robert Half Manage-
ment Resources on Twitter at
twitter.com/roberthalfmr
(Continued from page 1)
Page 6
THE NORTHWEST NEWS
Financial Leadership: Transforming Internal Audit By David Chiang CA.CIA, CMC, ACDA
A s today’s Chief Audit
Executive works to
evolve Internal Audit
to make it more integrated
with an organization’s strate-
gic initiatives, the role of the
Chief Financial Officer in
facilitating this transfor-
mation is an important con-
sideration. A visionary CFO,
who understands the value of
Internal Audit, can be a useful
ally and catalyst agent for
change.
The report Financial Leader-
ship in Challenging Times
published by Pricewater-
houseCoopers in November
2009 provides a snapshot of
the influential perspective of
the CFO. ―CFOs [who have]
the vision to look beyond
core functions of finance and
the fortitude to use their fi-
nancial acumen and insights
to drive new value and higher
levels of business transfor-
mation and performance‖ will
be needed in these challeng-
ing times.
The report goes on to say that
one key area for the CFO to
drive success, rather than
remain in survival mode, is
achieving ―continuous im-
provement in accuracy, time-
liness and cost effectiveness
of control and compliance
activities.‖
This quote resonated with me
greatly, as I have been articu-
lating this concept in recent
articles and presentations.
Using leading edge data anal-
ysis technologies to provide
an organization with im-
proved business assurance is
a critical way to achieve im-
proved results for both the
internal audit department and
for the organization as a
whole.
To support the CFO as an
agent of change, CAEs need
to inform CFOs about current
developments in technology-
enabled auditing. For exam-
ple, data analysis that previ-
ously had to be done manual-
ly on a repetitive basis can
now be performed automati-
cally using audit technology.
This frees up auditors from
repetitive manual data analy-
sis to focus on other value-
based audit tasks. Technology
such as ACL AuditExchange
enables users to manage the
frequency, timing and param-
eters of automated analytics,
as well as have an overall
view of scheduled analyses
past and present.
Providing internal auditors
with content management
capabilities also makes for a
more efficient audit team.
The ability to store key audit
evidence, including data, ana-
lytics, results and all forms of
working papers, in a secure
and centralized location, ena-
bles audit shops to be more
organized and better at ac-
quiring and assessing their
audit results.
Further, the move towards
more continuous assurance
over controls and risks can be
achieved with the use of ex-
ception management technol-
ogy, which allows audit
teams to easily distribute ex-
ceptions found during data
analysis testing. These results
can be communicated to man-
agement and operational staff
for further follow up – im-
proving the overall controls
and compliance environment.
Thereby allowing the CFO to
take comfort that the organi-
zation’s internal controls and
remediation programs are
working as intended.
Visionary CAEs and CFOs
who have the foresight to
innovate across the organiza-
tion, including adopting best
practices in their internal au-
dit departments, can be driv-
ers of improved operational
performance and business
excellence. As stated in
PwC’s report, ―a sustained,
focused program of financial
leadership invests continually
in people, process and tech-
nologies.‖
It’s now up to CAEs, support-
ed by the CFO, to accept this
mantle and truly become a
change agent in transforming
the internal audit department
and taking a place at the lead-
ership table.
So, what the heck is continuous con-trols monitoring? It’s just a fancy way to describe a way of reviewing
the ZILLIONS of transactions that are happening
across an enterprise.
But, why should you care?
Here are some hints: 70%...$994 Billion…€6 Billion…10,000 staff hours. The numbers in this video will show you why you should stop worrying and learn to love CCM technology.
watch “What the heck is CCM?” on ACL’s YouTube
channel: »www.youtube.com/aclservices
Page 7
THE NORTHWEST NEWS
Page 8
THE NORTHWEST NEWS
Serious training is brewing in Milwaukee this September – so if you are thirsty for knowledge and networking click here.
2011 Midwestern Regional Conference
September 25 – 28
Hilton Milwaukee City Center Download the Conference Brochure
Todd Richard facilitating a great Audit Best Practices
session. Kindly hosted by our friends at Sears
Breakout session for Full day Continuous
Auditing Session. Kindly hosted by our
friends at Sears
Cloud Computing session panelists.
Kindly hosted by our friends at Allstate
Breakout Session for Audit Best Practices Training
Breakout session for Full day Continuous Auditing
Session
Anniversaries
chapter stats / anniversaries / new members, etc.
Board members
Brian Babendir President
Mark Alexander Academic Relations
Elliott Bujan Communications
John Turner Research, Publication and Certifications
Matthew Budy Operations
Frank Moriarty Enterprise Relations and Advocacy
Brian Duffy Membership
Curtis W. Siegel Director of Forums
Angela Banks-Buford Administration
Toula Panagakos Programs
Oliver J. Tang Finance
Term expiring in 2012
Tami McLane Michael Heraty
Sharon Bell Tracy Heming-Littwin
Term expiring in 2013
Frank Moriarty Adewale Ademokunla
Earl Potjeau James A. Ruzicka
Governors
CHAPTER SITE: WWW.THEIIA.ORG/NORTHWESTMETROCHICAGO
EMAIL: [email protected]
LINKEDIN: … we need you to coordinate our page, send us an email
Mr. Robert M. Ernst, 30
Mr. Howard R. Greene, 30
Mr. Phillip D. Hunt, 25
Mr. Curtis W. Siegel, 25
Mr. Philip W. Bertram, 25
Ms Jody M. Campbell, 20
Ms J Alexander So, 10
Mr. Garry Barksdale, 10
Mr. Brian Babendir, 10
Mr. John G. Morgan, 10
Ms Diana Quinn 10
Ms Gail Leeds 10
Mr. Brian Selby, 10
Mr. Thomas Zeken, 10
Mr. Alcides Mariano Jr., 10
Mr. Edilberto Ortiz, 5
Ms Kristen Zak, 5
Mr. Tom Stamatelos, 5
Mr. Manish Khosla, 5
Yulia Gurman, 5
Mr. Colin Connor, 5
Ms Dorothy A Dombrowski, 5
Ms Jennifer Noe, 5
Kevin Klepper, 5
Ms Nicole S Lynn, 5
Mr. Earl Potjeau, 5
Ms Katarzyna K Dee, 5
Mr. Steve C. Meyer, 5
Ms Toula Panagakos, 5
Ms Maitri Jani, 5
Mr. Jeffery R Barlow, 5
Ms Sarah Mariotti, 5
Ms Joanna Michailova, 5
Gregory Kamp, 5
Mr. John Turner, 5
Mr. Eric Wunderlich, 5
Ms Robin Nimmo, 5
Mr. Dante A. Fiocca, 5
Ms Bhumika Shah, 5
Mr. Ihab Abukhalaf, 5
Ms Kristina Borrelli, 5
Mr. Michal Urbanowicz, 5
Mr. Elliott Bujan, 5
Ms Jaclyn Plock, 5
Mr. Milan Stankovich, 5
THE NORTHWEST NEWS
Page 9