As we know, the primary purpose of the internal audit activity is to add value to organizations and it does this through its recommendations for improvement of the risk management process and the internal control system, which are basic activities for good corporate governance.
To make this possible, auditors should conduct their activities based on the IIA's International Professional Practices Framework, also known as the IPPF, which outlines the key principles that must be observed in managing the audit organization as well as in conducting audit work.
As part of these practices, the auditor's code of ethics is one of the most important instruments for adequately positioning the auditor in the organization in which he operates. The auditor's attitudes and behavior, based on these ethical principles, are fundamental to his professional recognition by the corporate organization. We must not forget that internal auditors play a key role in promoting an ethical business and internal environment guided by best management and control practices.
Internal auditors should be aware of the importance of their attitudes as an agent for disseminating ethics and good practice. In addition, it is very important that the auditor be viewed by the organization as a high-level, trustworthy professional and that their recommendations for improvement add real value to the corporation.
For this to be possible, in addition to the independence of the internal audit activity in the organization, the auditor should be proficient in the application of audit procedures and techniques, and have the objectivity necessary to always express an unbiased opinion, free of conflicts of interest.
The auditor's efforts and attitudes should always be directed at building a structure of trust between auditor and management, and this is simple to explain: no one follows a professional who does not inspire confidence, or takes into account information or opinions that do not come from a recognized source.
If the auditor does not inspire confidence, how will his recommendations be observed and met?
At this point you may ask: how do we achieve that level of trust within the organization?
And the answer is simple: Through professional attitudes!
The auditor should be clear, transparent, and knowledgeable of the organization's corporate and business context. The auditor must act responsibly, observe laws and regulations, without exception, and disclose any information that is important and necessary for a clear understanding of the subject by management. Also, the auditor needs a good deal of humility to recognize that his recommendations are not always the best, or even feasible.
In this connection, auditors also need to be prudent with the use of information obtained during the course of the audit work, protecting it and never using it for personal gain. Confidentiality is extremely important because the manager can be assured that all information will be handled by the auditor with the utmost discretion and that his report will only be finalized after discussion and involvement with the manager responsible for the audited activity.
It is also necessary that the auditor has knowledge of the subject matter of the evaluation, as well as the ability and experience to conduct the work. Under no circumstances should the auditor commit to evaluating an activity about which he is not knowledgeable enough; doing so would be very foolish and would certainly jeopardize his judgment and reputation.
In this regard, the auditor should be efficient and effective in complying with audit standards and continually improving their proficiency in audit and management issues.
Note that it is only after all these criteria are met that the auditor can truly solidify his or her position as a professional recognized by the organization, capable of adding value to the organization's business environment and committed to promoting best management practices in line with ethical values and attitudes.
The auditor should note that their behavior outside the professional environment should follow the same pattern, especially now that social networks are present in the professional environment.
Building a good professional reputation takes time and a lot of work, but destroying it is very fast.
Be happy!
Strategic Management, Corporate Governance, Entrepreneurship, Risk Management, Internal Controls, Internal Audit
Thursday, March 29, 2018
Wednesday, March 14, 2018
Simplifying the application of the risk-based audit methodology.
It is very common today that audit professionals have doubts about the application of the risk-based audit methodology.
The other day at CONBRAI 2018, I heard a prominent speaker question the real need to have a plan and/or audit planning.
That is why I was motivated to write this article, where I present my vision of the methodology that should be applied in audit work, in line with the IIA definition of auditing.
The definition given by the IIA for Internal Audit indicates that:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
This systematic and disciplined approach is what we call the audit methodology. In order to facilitate understanding, I will divide this methodology into two phases: the first is the preparation of the Annual Audit Plan and the second is the execution of the audit. Both should always be applied with a risk-based view.
It is important to mention that risk-based auditing is not a new approach; it has always existed. I remember when I was an audit trainee in a big 10 audit company, in 1980, in Brazil, that this approach was already used, so it is neither a new nor a different audit approach.
Anyway, the first phase is when we build an audit plan for a predetermined period, normally, but not necessarily, 12 months, based on a corporate risk view, considering the business cycles, operational processes, programs, projects or transactions which will be assessed for compliance or performance. The concept here is simple: since the audit activity is limited by the available hours and budget, in order to demonstrate effectiveness in managing audit resources, those resources should be applied to the objects which bring higher risk to the company, that is, the risk of not achieving its strategic objectives.
Once the plan is defined, we move to the second phase. This phase may be divided into three distinct stages:
- Work planning,
- Execution and collection of evidence,
- Communication of results.
Those steps apply to all kinds of audit job: compliance, accounting or performance, also known as operational.
The planning of the audit can be subdivided into three moments:
- Moment 1 - Elaboration of the planning memorandum, where we define the objectives and scope of the audit, determine the team and, if applicable, the need for specialists, budget the costs of the work, and prepare an audit time schedule. At this moment we search for and collect all the information about the audit object that is available in the corporate environment, such as policies and procedures, risk matrix, organization chart, IT system applications, etc.
- Moment 2 - Getting a more detailed understanding of the object under evaluation. This may be done through interviews with those who execute the transactions. The idea is to have a complete picture of the process under review, transaction by transaction. The understanding may be formalized as a narrative or in graphical form using a flowchart. In this step, the risk matrix (inherent, IT, fraud) and the control matrix (identifying all existing controls) are prepared.
- Moment 3 - Preparation of the audit program, where, based on the risk and control matrices, we define the audit procedures and techniques which will be applied to obtain evidence of the effectiveness of the controls or the conformity of the audited process.
At this point in the work, we will have the following working papers: audit memorandum, flowchart or narrative of the evaluated object, risk matrix, control matrix and audit program.
The next stage is the audit execution, also known as fieldwork. In this stage we apply the audit procedures and techniques defined in the audit program to collect and formalize the evidence needed to achieve the pre-defined audit objectives. At this point, all audit findings should be listed in the findings matrix. This matrix is the support for the preparation of audit recommendations.
Once the execution is completed, we proceed to the stage of reporting the results. This is the moment when the audit report is prepared. The suggestion is to divide the report into three documents: audit opinion, executive summary and audit recommendations (with an action plan aligned with the manager).
After submission of the final report, the implementation of the action plan should be monitored to verify that it has been implemented as agreed with the audit.
All audit documentation produced in these stages is considered a workpaper; all of it must be appropriately reviewed by an experienced auditor, referenced, and organized in folders, whether in electronic or physical format.
Of course, the planning stage of the audit work is the most important, since the better the work is planned, the more efficient the execution will be, and the better the quality of the auditor's opinion and consequently the results of the audit, thus fulfilling its mission of adding value to the company.
Finally, I would remind you that audit work is only finalized when all actions regarding the recommendations are properly implemented.
Be happy!
Thursday, March 8, 2018
The importance of the whistleblower Channel for an effective integrity program.
Nowadays, implementing an integrity program should be listed on the C-Level agenda of any business that wants to survive and thrive in the new business world, regardless of size, industry, or activity.
We have seen a number of laws, regulations and standards being enacted with the objective of strengthening corporate governance, especially with regard to the process of combating corruption and fraud.
Among all the requirements for an effective integrity program, the whistleblower channel has a special place. This channel allows greater transparency and makes it possible for any employee, service provider, supplier or other stakeholder to report any fact known to them that is at odds with the ethics, values and behavior set out in corporate policy.
Unfortunately, I believe that, for lack of knowledge, corporations in Brazil still do not use this tool in the way they should. Some organizations mistakenly fold the whistleblower channel into the ombudsman, or even into the consumer service channel.
This view is supported by Kroll's Global Fraud and Risk Report 2016/17, which shows that globally 44% of frauds are identified through the whistleblower channel. However, this same report indicates that in Brazil the whistleblower channel is responsible for only 17% of the findings.
In this report, the whistleblower channel in Brazil ranked in last position as a fraud detection tool. The most interesting point is that external audit appears in first place, responsible for 43% of the discoveries of fraudulent activity, which does not make any sense.
Well, as corporate governance processes mature, aimed at strengthening ethics and values in Brazilian corporations, the perception of the importance of having a robust whistleblower channel in place for the prevention of fraud and acts of corruption should change in the medium term.
Now, let's look at some attributes of excellence which must be considered for a whistleblower channel to really fulfill its mission:
- The channel must be available 24 hours a day, 7 days a week, and be accessible to whistleblowers in different ways,
- It is best operated by an independent company with the technical and professional requirements for proper receipt of the complaint,
- The protection of the whistleblower's anonymity is of utmost importance for the success of the channel,
- There must be a way of exchanging messages with the whistleblower without breaking anonymity,
- The company contracted to operate the whistleblower channel must have the technical capacity and knowledge to carry out the first review of the complaint received,
- The complaint received must be sent to at least three different bodies, such as: Legal, Human Resources, fraud prevention or internal audit. This improves the assurance that all complaints received will be properly dealt with,
- A strong and constant communication and training process should be part of this process so that all employees, service providers, suppliers and others know how to use the channel correctly, without worrying about possible retaliation.
To conclude, the effectiveness of this tool requires an internal environment that is culturally prepared and mature enough to understand the ethical values of the organization. Consequently, top management has a great responsibility in this regard, since they must be the spokespeople for and the example of the integrity program.
Thursday, March 1, 2018
Audit and internal controls challenges on the use of "Data Analytics"
Corporations that are increasingly embedded in a digital convergence environment must build business processes based on reliable data processing frameworks. Today the competitive advantage of some organizations is based on their capacity for innovation and use of electronic processes.
In this digital environment, both the internal audit and the internal controls areas must have, and be proficient in the use of, Data Analytics tools in order to support data collection and also their evaluations.
I have observed, by participating in some events on the subject and also in some of our projects, that audits are investing in the ability to collect data, but not so much in their ability to analyze the data collected. I also see that most of the time of auditors and internal control specialists is being spent behind a computer screen, which I think is a mistake.
There are excellent tools to perform the data collection in the format that the auditor wants, parametrizable in various forms and models; however, this process will be effective if the auditor also has the capacity for analysis. The investment must be in the tool and also in the human being, who must be proficient in the analysis of the data, including the peripheral data.
Now, all of this will pay off if the organization's database is truly reliable. ERP platforms are great vectors for loss of integrity if not well structured, including their access process. In a survey conducted by KPMG in 2017, only 35% of respondents said they had a high degree of confidence in the use of various types of analysis in their organization, which came as a surprise to me, as I expected a higher percentage, even though large companies have experienced information integrity issues in their business processes.
Another interesting point in this research is that executives and managers are being asked to make decisions based on information generated by algorithms they did not create and do not fully understand either.
With this in mind, let's go back to internal audit and control and understand the challenges they must face to conduct their assessment work in this new digital environment.
First of all, it is very important that internal auditing and internal controls have on their teams professionals with information technology knowledge, in order to be able to act in the evaluation of governance and IT management as well as to support the operational professionals of internal audit and control.
The next point is to form an opinion about the degree of confidence that will be placed in the processing of information through digital systems, data management and its security, as well as in the analysis models used by the managers. For this, my suggestion is to observe the three points below:
1. Assess whether database management has the appropriate governance and control system to quickly identify any possible breach of integrity, confidentiality, and completeness.
2. Evaluate whether the analysis models and the algorithms used are doing the right things in the right way, achieving the desired results.
3. Evaluate whether electronic accesses and interfaces between processes are consistent and appropriate for the context. Both analysis models and data sources must be able to be replicated in a sustainable manner.
I have no doubt that the use of more complex systems by corporations, including the use of Artificial Intelligence for business decisions, is an integral part of the new corporate environment, bringing new risks and new challenges to management as a whole.
Auditors and internal control specialists should be aware of all of those changes and innovations, preparing themselves and acquiring the appropriate proficiency to create value for the corporation through the execution of their work.