
Internal Auditing – Venturing beyond mandated boundaries

Traditional Auditing is good but not sufficient

Traditional internal audit methods and approaches may have yielded reasonably good results for decades after management discovered and instituted the internal auditing function. Increased complexity, unimaginable scale and breath-taking speed of doing business left the internal auditor using only traditional tools gasping for breath. The internal auditor reinvented himself by adopting sampling methodology, computer assisted testing, analytics to screen massive data, trend analysis and more. However, with growing human ingenuity and greed, it may be increasingly difficult for the internal audit fraternity to deliver internal audit output that matches expectations of stakeholders and society at large using the present suite of audit procedures. The human ingenuity in breaking through the myriads of controls ethically or unethically, with the objective of merely challenging the system or defrauding the organization, has thrown up unprecedented challenges for the management and the internal auditors.

In India, the currency notes and coins made way for electronic payments and now the electronic payments may be fast replaced by the Retail Digital Rupee recently introduced by the RBI – just imagine, if the internal auditor still believes in counting cash by physical verification of currency? We have also seen the typed hand-delivered postal letters being replaced by faxes and emails and now by sharing of scanned images over WhatsApp – can the internal auditor still rely on the paper trail and neatly filed physical documents in these times of seamless electronic exchanges and digital trails?

Through this blog, I wish to share some of the unconventional methods derived from lateral adaptation that are fit to be added to the internal auditor’s toolkit – these require creativity, are easy to implement and are sure to add excitement within the IA team as also deliver delight to the key stakeholders. Be it blunders or plunders, these methods will help in uncovering some of them, with minimal efforts.

Need to look beyond

Management and auditors alike cannot regulate human behaviour and books of accounts don’t reflect human emotions and behaviour. Regulations and policies are made with the intent of regulating human behaviour and cultivating ethical culture in the organization, however, situations, control deficiencies and circumstances create exceptions and opportunities to commit unintended blunders or even frauds. Auditors form their insights and opinions based on information reviewed and made available from the records maintained by the management. If they go beyond the books of accounts and standard audit procedures, they may discover additional facts and information that may be valuable for their opinion making.

Risk Assessments have limitations

One of the most significant tools in the auditing evolution has been Risk Assessments. Stakeholders and auditors, alike, realised that 100% transaction auditing is not a robust solution, so contemporary audit methods lay emphasis on risk assessments and risk-based approaches to narrow down on vulnerable areas thereby providing early warning alerts to the Board and Audit Committees on what can go wrong; however, they have limitations in the form of management and auditor’s ability to anticipate all critical risk factors impacting the organization. If the risk assessment is not comprehensive and creative, Boards and Audit Committees may err even more in case of unpredictable human behaviour.

Combining market research techniques with internal audit activities

There is no foolproof auditing approach, however, internal auditors should be empowered by the Boards to go beyond the books, records, and pre-set templatized auditing approaches. Internal Auditors also have the responsibility to seek due authorization to use innovative techniques beyond the standard audit procedures to supplement the quality of audit findings.

Introducing customized mystery reviews, target surveys, scenario play, and snap checks would be good auditing supplements that may provide meaningful insights to auditors and management on the behaviour of people. Mystery reviews, target surveys and snap checks have the potential to unearth deep rooted cultural and behavioural issues that may go unnoticed for several years. If management empowers the internal auditors to carry out such reviews in addition to the popular auditing methods, they will provide auditors with the opportunity to first-hand experience process, products, and services from a customer/employee perspective, better known as reality check!!!

The author has used mystery reviews successfully as part of internal auditing activities to discover behavioural outliers. Procurement is one of the most vulnerable processes in any organization and mystery vendor visits help discover behavioural patterns of buyers. Targeted surveys of exited employees provide very good governance insights that are so difficult to identify in business-as-usual auditing situations. Decoy customer visits unravel several customer service facts that may not be imagined in a risk assessment matrix.

Combining internal auditing with market research techniques would provide a great combination to improve the overall audit output. While fraudsters have no boundaries, can auditors be bound by templatized audit approaches?

@Managements – Empower your internal auditors, to go beyond the mandated auditing boundaries!

@Internal Auditors – discover new techniques and tools to enhance audit quality and be ready to challenge the mandated boundaries!!

P.S. Have you fastened your seat belt?

The news of the sad and untimely demise of Mr. Cyrus Pallonji Mistry is tragic and shocking. The accident has been widely covered by news and social media and moving eulogies have been written about the gentleman who left the world too early. Amidst the feeling of sadness that surrounds the incident, one thing that keeps coming up in conversations and WhatsApp forwards is the importance of fastening the seat belt, even in the rear seat.

My mind goes back to a tragedy that hit my family in 1987, when my sister, at the age of 26 years, was the victim of a road accident that took her life; a tragedy that could have been avoided had there been seat belts and air bags. That was the time when the cars in India had no seat belts.

The two incidents together, reviewed from the perspective of risks and controls, highlight two vastly different situations – the latter, where controls were not instituted and the former, where the controls existed but were not operational. This has led me to examine the various controls that are instituted for our safety, but we have somehow not made them operational; particularly those that are not mandated by law.

I share a few examples here that have made me introspect:

Fire extinguishers in residential houses and societies – many residential houses and societies, particularly in urban areas, now have fire extinguishers placed in a visible location. At the time of installation, a small demo is also given, attended sparsely and soon forgotten. In the unfortunate event that a fire occurs in our residence, would we know how to operate the fire extinguisher? And, have we made sure that the extinguisher is refilled periodically, as required?

Air travel and life jackets – the quantum of air travel has increased manifold and in countries like India, we have many first-time fliers. Airlines, at least in India, continue to follow the protocol of explaining the safety measures comprising seat belts, oxygen masks and life jackets…. But like the warning given in mutual fund TV advertisements, these instructions are often delivered at a fast speed, in a mechanical manner – adequate to serve as a reminder to a seasoned flier, but perhaps not fully understood by first-time or infrequent fliers. In case of a real emergency, would there be chaos, or would the passengers be able to operate the safety measures with ease?

Pandemics and Masks – the covid pandemic that hit the world in 2020, saw the whole world getting in the habit of wearing masks and using hand sanitizers; we became aware and cautious about what we touch, whom we meet and whom we allow into our houses/offices. While the initial masks (N-95/N-99) were functional, plain, and effective, soon, even when the 2nd wave made its way, the masks became colourful, well-coordinated with clothes and perhaps very superficial in their effectiveness. The effective control of a medically tested mask was soon replaced to preserve the appearance of safety, while sacrificing the effectiveness. Are there controls around you that have been diluted, so that they give a false comfort?

The familiarity trap – “Approximately 52 percent of all car accidents occur within a five-mile radius of home, and 69 percent of all collisions happen within a 10-mile radius from home. The implications are that shorter trips closer to home are among the highest for car accidents” reveals a study by National Highway Traffic Safety Administration (NHTSA), USA. In familiar territory, we tend to lower our guard, become more distracted and perhaps over-confident. The same is true about certain practices that we have seen around us and never questioned. For example, a traditional belief that a chubby, fat child is a healthy child; or, that without sugary sweets celebrations remain incomplete. And, what about the incidences of a familiar ‘home beautician’ walking away with gold bangles and mobile phones? A risk aware culture encourages examination of biases, beliefs and trends to reassess risks and plug the gaps.

Senior safeguards – with aging population, the risk of a fall increases, both, in likelihood and its impact. Femur bone fractures and hip ball replacement account for many emergency operations. We hear of so many cases of senior, aged persons falling in a locked bathroom and not receiving help for hours, till the bathroom door is forced open. And we see public spaces having stairs that have no railings, pavements that are difficult to maneuver without sports shoes and a huge reluctance amongst elders to use the basic safety measure – a walking stick.  We see these occurrences all around us, but we act only when an accident hits us directly. Much of health care costs and agony can be saved with proper publicity of the risks and the implications.

As I conclude, I prod you to sit back and think of all the day to day activities where you see risks being undermined, controls being absent or ignored…. So that together we can create an environment of greater safety, fewer regrets and a lot less agony.

P.S.– have you fastened your seat belt? Please do, because you are precious!

The Blog solely reflects the personal views and opinions of the author(s).

Organising BCAS RRC – Learnings for Internal Audit

In the initial years of my Practice, much before learning and understanding Internal Audit as a practice area, I got an opportunity to be a part of the organizing team of the Residential Refresher Course (RRC) of Bombay Chartered Accountants Society (BCAS). Then, I realized that this is my Passion. Once I found my passion, my entire approach to Planning RRCs changed. Passion always helps you get extraordinary results, whether it’s Planning for an RRC or conducting an Internal Audit Assignment. So, the first question that we must ask ourselves as Internal Auditors is “Am I passionate about Internal Audit?” Excellence demands passion – so to excel, developing passion for the subject makes a huge difference.

My journey of organizing BCAS RRC’s for the last 35 years has taught me a lot and this process of learning is still on. I find it interesting to observe that many of the things that I learnt while organizing RRCs made me a better Internal Auditor. I can correlate so many of my experiences and learnings from RRC to the field of Internal Audit.

What are the common factors that lead to Success and give exceptional results whether it’s RRC or Internal Audit?

A.      Study of Human Nature

Understanding a person is necessary, be it Vendor, Service Provider, your Own Staff or Auditee and Auditees’ staff.  When you understand the persons with whom you are dealing, you develop the art of getting the best from each relationship. Understanding human nature, putting yourself in their shoes, helps you get a better perspective and also find workable solutions to the problems.  Be polite but remain firm on your views, so that you do not compromise the quality and yet maintain impeccable relationships. Your technical skills help you spot lapses and problems, but it is your interpersonal skills that make the stakeholder accept the problems and work towards a solution.

B.      Communication

Document everything as the evidence is necessary. Whatever is not documented is considered as not done. But even more than the written communication, the quality of oral communication needs to be paid attention to. Communication eliminates assumptions. Communication creates connections. The BCAS RRCs require us to communicate with a wide variety of people and agencies – ranging from senior paper writers and panelists, Past Presidents, pan-India participants across age groups, venue management staff, BCAS staff members, catering contractors, printers, audio visual service providers, et al. Communicating with each of these at a personal level, forming a pleasant connection, helped me and my team in ensuring that each agency delivered better than what the contract demanded and each of the participants went back enriched with a great learning experience.

Applying this analogy to Internal Audit, I realized that while it is important to maintain the written documentation trail impeccably, it is of utmost necessity to supplement it with oral communication – that adds charm and ease at every level in Internal Audit. Here too, a different approach is required when talking to the auditee, HODs, Audit Committee members, IT system specialists or the canteen staff at the audit location (after all, we all need those late evening snacks and strong coffee at the time of audit closures!!)

C.      Holistic Approach To Deliver Exceptional Services

Like in all RRC’s, an important factor in Internal Audits is the best use of available time which is always limited.  The entire RRC event is planned in a manner that maximum benefit goes to the participants, and they go back with not only better technical knowledge but also with great memories, lasting friendships, and lot of laughter. Planning technical sessions alongside networking and entertainment sessions, and excursions to experience the local culture are an integral part of each RRC.

For an Internal Audit engagement also, effective time allocation and planning ensures that not only the agreed scope is covered, but the assignment ends with an atmosphere of mutual trust and respect, and a high acceptance rate for valuable recommendations and suggestions made. This requires equitable time allocation to planning the audit, execution, communication, presentation, validation and persuasion. Going beyond the scope, delivering beyond expectations often creates the “Wow” in an internal audit assignment. Keeping the team morale high by adding that occasional outing, celebrating small wins and sharing some lighter moments makes the team member interested in the subject and deliver beyond expectations.

D.      SWOT Analysis – Talent Optimization

When we form the Team of volunteers in RRC, SWOT Analysis helps in getting desired results since the specific talent and aptitude of each person is engaged effectively. While forming the team for Internal Audit such analysis leads to desired results – not everyone in the team may be adept at data analytics or drafting of reports, but a balanced team with optimal allocation of responsibilities creates a favourable working environment and gives most astounding outcomes, while helping team members to sharpen their skills in areas where they may be lacking.

E.      Operations Research (OR) Techniques

I had studied OR techniques in CA Final Examination.  At that time, I never fully understood the use of PERT, CPM, SIMO charts etc.  Now, when I use these techniques in somewhat modified form in organizing RRC’s as well as in conducting Internal Audits I realize how best we can optimize the use of resources to avoid duplication and save time.  These techniques help a lot in planning human and other resources. They also help in maintaining close attention to the project timelines and help in resource allocation in an objective manner. Monitoring progress to ensure timely completion becomes much easier with the help of these tools and approach.

F.      Checklists

Each Internal Audit Assignment should be treated as a fresh assignment even though it is similar or identical to other assignments handled in the past.  Checklist to carry out each assignment should be prepared afresh.  ‘Copy paste’ should be avoided.  Team leaders should not impose their ideas while making the checklists but should throw the ideas open for discussion.  The final checklist will certainly be a quality product and each team member will feel an ownership of that audit.  The same method is applied at BCAS RRC, treating each RRC as if it is the first one.  That gives the feeling to the participants that each RRC is Unique, as the planning is not constrained by old formats and thinking.

G.      Risk and Crisis Management  

In one of the RRC’s a senior participant suffered a Cardiac Arrest. We realized that an ambulance was not available at that Hill Station nor were adequate medical facilities. We learnt a hard lesson on not anticipating possible risks adequately. For all RRCs held thereafter, we ensured that the venue had adequate infrastructure for dealing with medical emergencies. RRCs invariably lead to some ‘fire-fighting’ situations – a last minute flight cancellation due to which a speaker does not arrive for the session, power failures or unseasonal rains at the venue which require relocation of outdoor sessions, etc. – over time, the RRC organizing team has incorporated all such hiccups in their plans and are able to handle these situations with ease.

Taking a clue from this, the Internal Auditor, while reviewing the efficacy of the risk management processes of the organization, must consider such rare possibilities also, particularly when the impact could be disastrous. For risk events that have occurred during the period, suitable enhancement to the risk identification and assessment needs to be ensured. To be taken by surprise once is perhaps pardonable but missing out a second and a third time is a serious failure.

H.      Group Discussion

Group discussion is the soul of BCAS RRC’s. Papers written by scholars are discussed in smaller groups, led by a group leader. The role of the group leader is to moderate the discussion as also, to give opportunity to each of the group members to express their views. It is not uncommon that the best of the inputs come from the most unassuming or the very young members of the group.

Encouraging a group review in Internal Audit provides a great forum to encourage younger and newer team members to have a voice and also, for them to observe and learn from the more experienced members.

I.       Personal and Professional Growth

Like nature gives each season different hues and colours, each RRC adds to the personal and professional growth of the participants in different ways. As a part of the organizing team, I have drawn valuable lessons from each RRC and can say this with confidence, that for a participant each RRC has brought a different flavour and a most unique experience. I have seen the young shy participants of yesteryears become group leaders or even paper writers/panelists in later RRCs.

In a similar manner, each Internal Audit engagement has a unique flavour and adds to our experience bank. A keen learner with an open mind gains the most from each engagement. And just like the RRC, the junior team member soon becomes the team leader or even the engagement partner…. the trick is in approaching each engagement with curiosity and openness, and spending time after each assignment in internalizing the key learnings.

Both, RRC and Internal Audit, help one to develop human qualities of empathy, teamwork, collaboration, agility, responsiveness, communication and more – thus, the professional growth is invariably coupled with personal growth of the individual.

As a Professional and CA in Practice, I am not a hard-core Internal Auditor but whatever assignments of Internal Audit that I have handled, I have tried to co-relate my experiences of unstructured learnings from RRC.

To conclude, Internal Audit is an integral part of our lives – the principles of Internal Audit can be applied to many aspects of our lives and experiences gained through different activities in life can be applied to Internal Audit – what is required is the passion and the creativity to observe, capture, innovate and integrate these experiences seamlessly.

This is my first attempt to write a BLOG.  In fact, I was inspired by a blog written by Mitalee Chovatia, where she shared her experiences from travelling for Internal Audit Assignments and co-related the same effectively with her journey as an Internal Auditor. This got me thinking about my RRC planning experiences of decades and the parallels with Internal Audit engagement.

Thanks to Mitalee, I have penned my very first blog combining two subjects close to my heart – BCAS RRC and Internal Audit!

A bag full of ideas… An Internal Auditor’s journey

It is hard to appreciate the treasure trove of lessons that travelling for audit work can bring to you when you’re a starving vegetarian walking for miles in the bitter cold of a Korean winter; but a global pandemic certainly helps to put things into perspective. As I reflect on my journey as an internal auditor I realise that somewhere between my dwindling ‘thepla’ supply (a Gujarati vegetarian snack/lifeline) and increasing ‘to-do’ list, I picked up lessons no textbook on audit could have taught me. I also gained an appreciation for the subtle nuances of culture and how those can also have a significant impact on your success as an auditor. From successfully avoiding being the junior auditor sent to photocopy pages and pages of meeting materials by highlighting how we Asians prefer to ‘go green’ to watching my colleagues meet up for a 7.30 am breakfast to start the audit after an 18 hour flight at 8 am sharp; I may have taught a few things, but have certainly learnt so many more from my colleagues around the world.

Here I present to you a short synopsis of my journey as an auditor and as a traveller, a few anecdotes that may not be entirely relevant to my story as an auditor but certainly helped shape my overall professional outlook.

Perks of being in Pondicherry – I begin this blog with full disclosure, my views and love for taking up assignments outside of my home city are entirely biased because of this single experience. You see, when I was an intern there was a story going around the office that anyone who went to this particular audit in Pondicherry would pass their CA exam that attempt. As luck would have it, I was asked if I would like to go, I accepted and… I passed. So, you can see how my views may be slightly coloured when it comes to stepping out for an ‘outstation’ audit.

As a young intern, the lessons I learnt on this Pondicherry audit formed the very foundation of my professional persona. It felt like a crash course on being a team player even as an auditor. From making it in time for all of us to take one rickshaw to the audit place to joining my colleagues for lunch at the ‘Mami Mess’ where this lady who was called ‘Mami’ would serve you the most delicious meal, but there was only one caveat – asking for a spoon was taboo. I would sheepishly avoid looking like the brat from Bombay and try to blend in with this new culture. I realised that if I didn’t join my colleagues and auditees at their side of the table, I would not be viewed as someone who understood their world and business. In all cultures, and specifically in our Indian culture, breaking bread together is an integral part of starting a healthy relationship, be it professional or personal –  and I am a big proponent of the same.

After clearing my CA I moved on to roles in Internal audit that invariably involved opportunities to travel and I lapped those up.

Getting creative in China – One of my first international assignments and perhaps the single most humbling experience I have had as an auditor has been when I realised the phrase ‘let me look that up’ was no longer an option. No Google, no WhatsApp and zero Mandarin skills: I was terrified of how I would get by. Two weeks into the audit, I was surprised how effectively I could ‘Baidu’ (the Chinese equivalent of Google) my way through regulations and how effectively I learnt to delve deeper into the areas where my questions were parried by my auditees rapidly communicating with each other in Mandarin before responding to me in English. I learnt to look for non-verbal communication cues to help guide me through the audit process, as also to observe my surroundings more closely.

As I moved along from audit to audit, I also had the opportunity of working with audit leads who would visit from their home country to cover certain specific assignments. One such audit was that in Korea.

Kindness in Korea – One of the nicest lessons I have learnt from an ex-boss and a senior auditor was that on kindness. I think it’s easy to forget (especially if you’re a career auditor) how intimidating it is to have an auditor visit you, however routine or ordinary the audit may be. I recall several instances of watching my ex-boss interview someone new in a country he has never been to before, by immediately putting them at ease. After introducing himself, he would also outline his goal from the meeting and often add that he wasn’t there to issue ‘parking tickets’. For detailed walkthroughs he would encourage me to email my questions in advance to give an opportunity to the auditee to prepare. With this one move, we gained the auditee’s trust, and more often a very fruitful discussion without the air of a policeman interrogating a suspect.

Besides the leadership lessons, I also picked up a few lessons that I find especially handy in the current work from home environment where it’s easier to replace turning on the video with a drab email exchange

Hiking in Hong Kong – I say this tongue-in-cheek, although I did learn a few lessons while hiking up to the big Buddha tourist attraction (mostly on my lack of fitness levels). My key lesson by using the hiking analogy was on the importance of a walkthrough in audit. With the increased sophistication of data analytics, one may be tempted to trade off a walkthrough with running an extra query. However, my travelling experience has taught me that there really is no substitute to sitting down with the auditees and requesting them to walk you through their process. You never know how a simple remark on the auditee’s dexterity on MS-Excel could lead to a candid discussion on the lack of automation in the process and the need for better systems.

As I look at my experiences as an auditor there has been one lesson that really stands out – and it is that of embracing diversity. An auditor’s journey for the most part is a lonely one, however, it is made much less lonely when one accepts two seemingly contradictory yet distinct truths – first, it’s a humbling fact when you remind yourself that your auditees do their role on a daily basis, and, your view, while fresh and different, may still need to be guided by their voice which must be heard; second, you can’t audit your teacher so ensure that your saw is sharpened off your knowledge. While these statements may sound somewhat contradictory, here is some food for thought… I find that while it is empirically important to form your view backed by your information and knowledge, it is equally crucial to have a dialogue and an open mind to your auditees’ views. As a young auditor, I have often felt insulted and frustrated when my auditee would dismiss my arguments over the need for tighter controls with their wisdom and experience as trump cards. Having spent more time being an auditor I learnt that respect is a two-way street. Once I started to keep an open mind, I felt I could come up with stronger recommendations that were easier to implement as well.

As I conclude this blog, I would like to champion the cause of taking any chance you get to travel or ‘work from home’ on an assignment that introduces you to work with people outside of your comfort zone and into unfamiliar territories and cultures. You will be surprised at how much you grow as an auditor as you clock in those hours and in post-covid times hopefully some ‘miles’.  Finally, I’d like to invite you all to share your biggest lessons learnt as an internal auditor from fellow colleagues from across the country / world and from those beloved ‘outstation’ audits in the comments section for all of us to learn.

Internal Audit: A Case for Advocacy

I entered the profession of Chartered Accountancy in 1984 and started calling myself ‘primarily an Internal Auditor’ somewhere in early 1990s. At that time, Internal Audit was at a nascent stage in India, and not many people understood what an Internal Auditor really did.

Fast forward to 2022, and strange as it may seem, one thing that has not changed over these three decades is that even today, not many people in India understand what an Internal Auditor really does. I accept that Internal Audit has strongly anchored itself in multinationals, regulated industries (mainly BFSI sector), and public sector corporations – yet, for many large-listed companies, the role of an Internal Auditor remains somewhat hazy; and for most of the small and medium sized businesses the Internal Audit function exists only in name, if at all. For public at large, ‘Internal Audit’ holds no specific meaning.

At the other end of the spectrum, a question keeps cropping up in my mind – is the Internal Audit profession an attractive choice for young graduates starting their careers, or even mid-level professionals considering career shifts? Are there avenues for exploring the subject or a keenness to know more? I acknowledge, somewhat reluctantly, that ‘Internal Audit’ is not a word that one commonly hears amongst young professionals from different fields exploring their first job or internship, or from a mid-career professional as a sought-after career option.

What could be the reason? Well, there could be several reasons, but to my mind, the prominent reason is lack of systematic, well-thought-out efforts for advocacy.

Advocacy of a profession essentially means creating awareness about the existence and the relevance of the profession, in a concerted, strategic manner. It involves engaging with the stakeholders – regulators, organizations, aspiring professionals, Boards and CEOs, to drive home the potential of a well-structured Internal Audit function and the value that an Internal Auditor can add. Advocacy is best spearheaded by professional associations that are set up with the primary objective of promoting one or more professions and are led by experienced professionals who have a wide network and followers. But advocacy can also be done by committed Internal Auditors who believe in the value of Internal Audit, or stakeholders who have experienced the value of Internal Audit.

Advocacy of Internal Audit would mean reaching out to those who are not Internal Auditors but can promote or strengthen Internal Audit. It would mean engaging with organizational leaders and decision makers, reaching out to campuses, career counsellors and HR professionals. Engaging with media for rightful publicity or awareness campaigns, and with social media to create the right amount of curiosity about Internal Audit would help greatly.

In the past decade, and even more so in the post-covid era of lockdowns and virtual interactions, there have been a huge number of webinars and long duration training courses for skill enhancement for Internal Auditors. Various professional associations, such as the Bombay Chartered Accountants’ Society (BCAS), the Institute of Internal Auditors (IIA) and the Institute of Chartered Accountants of India (ICAI) have created great learning opportunities on virtual platforms for internal auditors to hone new skills, to adapt technology, to embrace analytics and to become the ‘change agents’ in this rapidly transforming world. And many Internal Auditors pan India have made good use of these opportunities – be it webinars, conferences, certifications, or long duration courses – to better equip themselves on various fronts.

With the Internal Audit profession in India raring to go, it is time for advocacy – for connecting with our stakeholders effectively, systematically, and consistently. It is also time to create the right amount of curiosity amongst young professionals so that the best talent would find its way into Internal Audit teams. The profession cannot prosper if starved of good talent and if it is not endorsed by its key stakeholders.

As I end this blog, let me nudge all the Internal Auditors out there to become the ambassadors of our profession and engage in effective advocacy at every opportunity. Advocacy can start with each one of us – when we talk with pride about Internal Audit at dinner tables; when we talk about value proposition of Internal Audit at business conferences; when we engage with Board members to update them on the changing face of Internal Audit; when we articulate effectively during cross functional meetings on the potential of Internal Audit; and when we work with professional associations to create awareness about Internal Audit. It is through interesting interactions and dialogues with those outside the profession, through collaborative actions and strategic thinking, that we will be able to raise Internal Audit to the place that it deserves.

For Internal Auditors in India, if 2020 was the year of rapidly adapting to a changing world, 2021 was the year of rapid learning, then, can we make 2022 the year of advocacy? This is a win-win proposition.

We invite you to share your ideas and suggestions. Your comments will give life to this blog.

The Blog solely reflects the personal views and opinions of the author(s).

Idle internal auditor patient spots control gaps, entirely unnecessarily

Empty vessels make most sound. Idle mind is devil’s workshop. And an internal auditor as a patient (me) in isolation ends up spotting service deficiencies, leading to control gaps  – quite unnecessarily and definitely unsolicited. So please bear with me and read this blog.

Covid struck. And it struck all of us at home. With my fever continuing by the evening of Day 4, the doctors decided that I needed to be hospitalised if the fever did not subside through the night. Duly, next morning, I reached the hospital. After a few inquiries I reached the Covid OPD and I was taken in quickly, after sighting my RTPCR report on my mobile. All usual examinations began. But along with the examinations, the admission process had to be completed. So with an IV attached to me, there I was, filling up the admission forms and digitally sending my Aadhaar and my PAN information to the hospital number. (Control Gap No. 1 – the hospital had no process in place to assist a solo patient to fill up the forms).

I had a cashless insurance policy (courtesy my employer), but the hospital insisted that I pay a deposit of Rs. 50,000/-. And, for this, they expected a relative to come over to their office. I informed them that I was alone. Nobody could accompany me as all immediate family was Covid positive, and I did not want to risk exposure by requesting some friend or relative to accompany me. Ultimately, the girl with the credit card machine came over to the Covid OPD and requested (nay, insisted) that I hand over my card and the PIN to her so she could swipe it. I refused. She refused. I refused. She blinked first, when the OPD nurse told her that the machine could be sanitised. The girl had no qualms about holding my credit card in her hand to swipe it, but did not want me to touch the machine to enter the PIN. Sense prevailed ultimately, and payment went through. I was now officially an in-patient of the hospital with a number allotted!!! I requested that I be allowed to pay through net banking. The girl said that it would be difficult as she would need to wait for the Unique Transaction Reference (UTR) to confirm my admission. (Control Gap No. 2 – the hospital’s refusal to embrace technology).

What foxed me in this admission process was the lack of trust between the hospital and the insurance company. The insistence on payment of an initial deposit, when a cashless insurance cover existed, defied logic. The hospital said that the deposit would be their succour, in the event the insurer did not pay the entire amount. I thought later that the deposit would be to cover expenses not covered by insurance. However, at that moment the realisation that it is “not entirely cashless” sank in. (Control Gap No. 3 – lack of communication by the insurer as well as the hospital with the customer. Both entities on their website mention the convenience of cashless; the fact is contrary). I now fully comprehended the phrase – The devil lies (pun intended) in the detail!!

A few days later (with some excellent medical care given to me), the Doctor-in-charge (DIC!!) said I could get discharged. Well, it wasn’t so simple. The process involved a chain of communication – the Covid ward informing the billing department; the billing department informing the corporate department since I was a cashless insurance patient; the corporate department informing the insurer’s TPA (third party administrator); the TPA authorising the payment and all the way back. You would assume all this would be seamless but in reality, far from it!! After all, there was a TAT that was promised to us when we took the insurance cover. Reality, alas, is something else. I waited for eternity.

Almost six hours later, with utter exasperation, I approached the nurse of the Covid ward and requested her to inquire about the discharge status. She nonchalantly mentioned that the TPA process always takes 3 to 4 hours and, if information comes in late and the hospital’s corporate department had closed for the day (their day ends at 3 PM!!!), then I will have to spend one more night at the hospital. Shudder! That also implied adding a day’s charges, I guessed. She also said that the hospital had intimated the TPA about 4 hours ago. I got my office colleagues to speak with the insurer, who spoke to the TPA and, wonders be all, the TPA representative called me up to confirm that they had cleared the claim an hour ago. (Control Gap No. 4 – customer convenience and service timelines were disregarded by both the hospital and the insurer. Did someone mention reputation risk? Both, apparently, were blissfully unaware of that.)

In all this, I got a call from an official of the hospital, who insisted on speaking with my relative. I told him that I am the patient. He said he was aware of it but, as a process, he needed to speak to the relative. The relative had to visit his department. I told him that I was unaccompanied, and I was in the Covid ward eagerly waiting to go home. He simply declared that if my relative did not meet him, I would not be able to go home. Period. I tried explaining in English, Hindi and Marathi that I am a solo unaccompanied patient, and whatever paperwork was to be done could be done digitally. He was puzzled and bewildered!! It was nigh impossible for him to accept that there could be a solo patient who, along with taking care of himself, had to do all the paperwork too. Somehow, finally, it dawned on him, and he signed off digitally, asking me to send an e-mail confirmation on a particular aspect. Thankfully, with that the discharge process was concluded, and I was permitted to leave the hospital. (Control Gap No. 5 – the hospital had no process in place to deal with a solo unaccompanied patient).

The last piece of the item is that the hospital has withheld Rs.10,000/- and said they will repay it after 45 days in case the TPA has some adjustments to be done. Everything of my claim is done and dusted. I have confirmed with the insurer and there is nothing else left to be done. The hospital has a free float for 45 days.

All in all, an interesting and memorable experience! The internal auditor in me had to spot these control gaps. It set me thinking – over the past 18-20 months we have the #newnormal. And, here, a couple of well-established entities were clueless and had not moved on with the #newnormal. The hospital has to realize and provide for a process for solo unaccompanied patients who need to be cared for. Processes need to be redesigned. Similarly, the insurer also needs to have more trust in the hospital as well as the insured and redesign its processes to ensure that cashless works as intended and the promised TAT is achieved.

Amidst all this, lest I forget, let me thank the entire Covid ward staff for all their help and care. They were wonderful.


Relevance of Post Qualification Professional Certifications

When I cleared my final Chartered Accountancy (CA) examination in 1997, I thought I had THE ultimate qualification and that I had taken the very last examination of my professional career. And indeed, the CA qualification accompanied by a rigorous articleship had equipped me to conduct statutory audits, tax engagements and similar assignments. Soon thereafter, as I started exploring various areas of professional practice and became interested in Internal Audit, I felt the need for deeper understanding of subjects like Internal Audit, IT systems Audit, Forensic reviews or other similar specializations. For many years, I ‘learnt on the job’ and gathered deeper understanding about risks, controls, resource optimization, governance and similar areas. However, all along, I missed having the foundation – a structured framework of knowledge on which to position the superstructure of experience.

My hunger for structured learning took me to several post qualification courses offered by the Institute of Chartered Accountants of India (ICAI) and also, some international certifications offered by global organizations such as the Institute of Internal Auditors (IIA) and the Institute of Systems Audit and Controls Association (ISACA), etc. I gravitated towards the Certified Internal Auditor (CIA) certification as that was most relevant to me in the field of Internal Audit. Now, I was a working professional, with practical experience in the field of Internal Audit, opening text books and examination study material in the midst of a busy work life. I was delighted to find that the study material made intuitive sense as I could correlate my professional experience to the theory and principles stated therein – it helped me put my years of professional experience into a logical framework of understanding. Some misgivings got cleared, and I emerged well equipped, not just to execute the internal audit assignments, but also to explain the rationale to the stakeholders. It added immensely to my confidence, as I realized that my understanding and methodology were backed by a global body of professionals.

The CIA examination was different – I did not enter the exam halls with the fluttering in my heart as I had done during the CA exams, but with the confidence of a professional whose understanding had been validated and who had enjoyed the learning process. The CIA certification, thus, was a journey of consolidating my unstructured understanding into a systematic body of knowledge.

Encouraged by the experience of CIA, and observing the wide scale adoption of technology across clients, I took up the post-qualification course DISA (Diploma in Information System Audit) conducted by ICAI. At the beginning, it was more about being back in the classroom on weekends, group studies and exchanging knowledge with other professionals. As the course progressed, I learnt various facets of Information Technology and I got an in-depth understanding of the technology related risks/controls. This understanding came in very handy for the process review and process re-engineering assignments as reliance on Information Technology was inevitable. Post that, I went on to do Certified Information Systems Auditor (CISA) conducted by ISACA, USA. Both the DISA and CISA certifications helped me to take up assignments that required in-depth understanding of IT systems and related controls.

The CIA certification helped me consolidate my knowledge in an area that I was already involved with, namely, Internal Audit; whereas the DISA and CISA certifications enabled me to develop new specializations and branch out to Systems Audits.

By now, I became addicted to challenging myself to learn and develop new areas through taking up courses and examinations. The recent years thus, saw me enrol for the Forensic Audits and Fraud Detection (FAFD) course offered by ICAI and the Independent Directors’ examination offered by The Indian Institute of Corporate Affairs (IICA).

So, here’s my take based on my experience – a professional certification will help you grow in different ways – through consolidation of knowledge, by exposure to new opportunities, by widening of network, by exploring the depths of a topic with focus, by becoming a student once again! I am a strong advocate for being a lifelong learner, and till we have the luxury and feasibility of ‘going back to school’, professional certifications offer the best opportunity for expanding our horizon during our work life.

I believe that our busy schedules don’t allow us to do in-depth study of any new subject unless it is goal-driven and time bound. These certification exams help achieve that. They facilitate widening the horizon on the subjects, which can be put to application in our day-to-day work. They offered me opportunities to interact and network with professionals from other specializations, such as Engineers and IT specialists, and learn technical aspects from them which were difficult to visualise with my background and experience.

As said by Abraham Lincoln, “If I had eight hours to cut down a tree, I’d spend six hours sharpening my axe”; these certifications also work on similar lines for the aspiring Internal Auditors.

For those pursuing a career in Internal Audit, the certifications offered by the IIA, USA provide a great opportunity for  ‘sharpening the axe’. What is more, right now, for a very limited period, there is a window of opportunity open for Chartered Accountants (Members of ICAI) to take the CIA Challenge Examination that combines three different modules in a single examination paper and gain an international certification. On September 18, 2021, BCAS hosted a curtain-raiser event to create awareness about the CIA Challenge Examination opportunity open to members of ICAI for a limited period.

Here’s the link to the recording of the curtain-raiser event on BCAS YouTube Channel: https://youtu.be/_vt6kbuj5Ww. For those interested in knowing more, here’s the link to the relevant information on the IIA India website: https://www.iiaindia.co/cia-challenge.


A to Z of a Good Internal Auditor

The IA-101 is one of the flagship programmes at the BCAS Internal Audit Committee. We delve into the basics of what internal audit is and what is expected of an internal auditor. And what better way to share my thoughts on the traits of a good internal auditor than to do it alphabetically? So here goes: the A to Z of a good internal auditor.

A – Audit: That is what we are required to do. First, foremost and last. Let us keep executing to the best of our abilities with the sole focus that audit objectives are achieved.
B – Books of Account: Whatever happens in a commercial entity finally resides in the books of account. Even when we are reviewing processes, the final outcome of that process has to flow into the financial statements and these emanate from books of account. As auditors, we can go back to the golden rules of accounting to determine if this impact is properly captured.
C – Curiosity: Curiosity may have killed the cat; but the cat has 9 lives. An internal auditor has 1 life and needs to harness his / her curiosity to reach an audit conclusion. Right curiosity levels to seek right answers will only enhance audit value.
D – Diligent, not Dogmatic: As internal auditors we definitely do need to be diligent and not dogmatic. Businesses are dynamic, innovative, keep changing courses and keep changing processes. Internal auditors need to be equally diligent, if not more agile and innovative, to keep pace with the business. It is only then that audit objectives will be met.
E – Enthusiasm: Approach each aspect of the IA cycle with enthusiasm. Lack of enthusiasm will drive down the outcome of the audit. An auditor needs to be excited about the audit tasks to be done to deliver an effective report.
F – Forensic: The next frontier for us internal auditors. As demands of stakeholders change, we need to gear ourselves to foray into the domain of forensics.
G – Gravitas: A quality that has to be inherent in an internal auditor without which delivery of audit planning, execution and reporting will not be achieved.
H – Humility: A trait that is a pre-requisite for being an efficient and effective internal auditor. We need to set aside our egos and not boast of our achievements. Humility is what will drive home the auditor’s point.
I – Internal: This is something an internal auditor should never forget. We are internal to the organization. Period. We may be out-sourced / co-sourced but our responsibilities are and will always remain “internal” to the auditee entity, albeit within the independence domain of an auditor.
J – Juggler: We should categorise our role in various jobs to be done. As expectations rise, the jobs to be done by us rise too. We need to juggle them effectively. We may handle them one at a time or, if required, simultaneously. Focus remains on the end objective of internal audit as we go about these jobs.
K – Keenness: We need to have the keenness for details. The devil lies in it. An alert eye and ear (goes without saying, we are auditors!!) is required to deliver the audit.
L – Learn: Ron Weber says that an auditor needs to know more about the business than the businessman himself. Whether it is true or not is a different matter but as auditors there is no option but to learn and keep learning. It is an ever ascending requirement that needs to be met on a continuous basis.
M – Moderation: We love to hold our views, especially when the audit report carries our recommendation. Please practice moderation. Learn to appreciate the other view. It will only lead to better quality output.
N – NexGen: Child is the father of man. Applies to experienced auditors. Listen to the next generation and learn from them. As businesses become more technology driven, the NexGen will have an edge for better understanding of processes. Use their knowledge and mix it with your experience of risks and controls. Audit outcome will surely end up a notch or two higher.
O – Objectivity: Objectivity is an ingrained trait in an internal auditor. I have experienced, in discussions of tricky control issues and initially unacceptable recommendations, that the objective attitude of the internal auditor does become infectious and changes the tone of the deliberations for the better.
P – Pleasure: Audits have to be pleasurable. The moment the internal auditor feels that audit is a drudgery, the effectiveness will not just diminish, but can vanish too. It is up to us to devise techniques and practices that make audits a pleasure.
Q – Query: Basic principle of audit – raise a query when you notice something in your audit execution. Do not hesitate. It is fine even if the query is something mundane or basic. The skill lies in you being guided by your experienced seniors on how to convert the query into an effective audit observation.
R – Re-learn: As internal auditors we need to accept that re-learning is a continuous task. We need to keep unlearning and relearning as businesses, processes, techniques and technology evolve. There is no stopping here. Ever!
S – Style: Each internal auditor needs to develop his / her individual style. As we conduct more and more audits, it is our style that will be our identity. The style of internal audit will need to transcend across compliance with auditing standards, professionalism and communication. Once the style is developed, the auditee will also be aware of it and will know what to expect. This will help make the audit process smoother.
T – Technology: There is no escape from technology if the internal auditor has to remain relevant. There is hardly anything, if anything at all, that is not touched by technology. As internal auditors we need to embrace all new technologies relevant to us as auditors as well as understand the new technologies implemented by the auditee. This will ensure that the auditee respects the internal auditor and the internal auditor has the confidence to deliver a high quality output.
U – Utilitarian: We need to be utilitarian. Our conduct and performance need to be of such standards that the auditee sees the utility in us. A conscious effort is required by us to establish this and be recognized for it.
V – Vigilant: We need to remain vigilant throughout the audit cycle. Vigilant to the business atmosphere, the activities that are going around, the requirements of audit, the data & information that is presented. In short, everything. This vigilance is a fantastic tool to achieve audit objectives.
W – Wind down: Wind down by having regular de-brief sessions with the auditee. Such sessions need to be at all levels of auditee management – operations to executive to the top. This gives an opportunity of understanding better the nuances of business, risks, controls and expectations of audit.
X – Xenolith: Internal auditors are like xenolith – a fragment of rock differing in origin, composition, structure etc., from the igneous rock enclosing it. We remain internal to the business but yet independent of it. This differential makes us deliver what we are required to do in the overall scheme of controls of an entity.
Y – Yorker: In cricket a yorker is a delivery by a bowler that bounces just beneath the bat or feet of a batsman. A yorker does not allow a batsman to play a shot freely. Likewise, the audit findings need to be yorker length to be effective. The auditee, of course, gets to defend and dig the delivery out. A reasonable discussion later, the auditor and auditee agree on the finding and the recommendations, if any.
Z – Zeal: Zeal is what will keep all of us, internal auditors, going on. A zeal to excel; a zeal to learn, unlearn and relearn; a zeal to be relevant. That’s how internal audit will remain a fulcrum of business.

We could convert the above into a maturity model. Give yourself 1 mark for each of the 26 traits. If you score 26, you are the best!!! For anything other than 26, design your own matrix. All it means is that there is room for improvement. Track yourself and have fun. We are jolly good folks at the end of the day.


An Internal Auditor’s Tale

I sat in a corner,

quiet and meek

Ready to give assistance,

that no one would seek


A one-person department,

I was the “Internal Auditor”

Asked to review vouchers

To find petty faults, like a class monitor.


An invitee to the Audit Committee,

Because the law said so,

I was given FULL 5 minutes

To summarize the entire year on the go.


My CEO said, “We are in trouble,

Sales are dipping, competition severe”

“I look at the vouchers, nothing more I do,

I am just an Internal Auditor, what can I do?”


Then came a mentor who took me aside,

Wise words she spoke that made me realize,

“YOU are the Internal Auditor, with your canvas so wide,

Be fearless and fair, you will have insights to emphasize.”


I left my lonely corner

And started looking around

Across functions and activities,

And Oh! There was so much to be found.


I met with many folks

In cabins and on shopfloors

No longer to find their faults

But to ease their woes


Analyzed the sales, studied the competition,

Read research reports and understood the global trends

Armed with my insights, with the CEO I met,

“If you don’t change your ways, your business is dead!”


Angered by my words, yet worried to the core,

I got an audience with the CEO and many more,

“Technology is changing our world in ways unseen,

Today’s thieves don’t break the locks, they enter through your screen”


“Opportunities are many and so are the threats,

May I take you through some gaps that must surely make you fret?”

And allow me to show you the ways to succeed

With risks and controls and culture and ethics


Invited to the Board Room, no longer as a pest

I laid bare my reviews, with utmost grit and zest

My presentations enchanting, few words to read,

They spoke with urgency through pictures, charts and reels


As I unfold this session

Here’s what remember must you,

If you want the world to change,

The change must start with YOU!

Internal Audit (Self) Awareness Month(s)

May is the Internal Audit Awareness Month

Each year the month of May is celebrated globally as the “Internal Audit Awareness Month”. This initiative of the Institute of Internal Auditors (The IIA) was started in the 1990s and has gained momentum over the decades. This is the month that witnesses enhanced advocacy of the profession of Internal Audit by various Internal Audit Associations world-wide through a series of articles, social media posts, seminars, talks, debates and panel discussions.

This year, thanks to the pandemic, the celebration of the Internal Audit Awareness Month transcended geographic boundaries, as audiences spaced across time zones came together virtually to attend interesting talks and events, spread awareness through social media posts and participated wholeheartedly in different ways. The Internal Audit community united globally as a single profession in this month and projected itself as a force to reckon with.

We, at Bombay Chartered Accountants’ Society, jointly with IIA India, hosted an interesting talk on “Internal Audit Lessons from Cricket” that was attended by a large number of professionals. This well-attended, engaging, animated talk, delivered by CA Satish Shenoy, was an excellent ‘pitch’ to communicate not only Internal Audit learnings by drawing parallels with the most popular Indian sport i.e. cricket, but also to project Internal Auditors as versatile, interesting, passionate and agile, ever-evolving with the times. For those who missed this talk or want to listen to this one more time, here’s the link: https://youtu.be/nrSwiiT6WGg

From Stakeholder Awareness to Self-Awareness: 

As the month comes to a close, I reflect on my own awareness of what Internal Audit is today. Having been an Internal Auditor for more than 3 decades, can I say that as an Internal Auditor, I am today what I was when I started, or what I was a year back in the pre-pandemic era? Have I spent time in creating self-awareness on what Internal Audit stands for today, what is the journey that the profession has covered and how it has adapted over time? Like the quote at the top of this blog post, Internal Audit has changed and evolved over time and the pace has accelerated in the past few years, with technology playing a key role. Becoming self-aware about the contemporary state of Internal Audit is as important, if not more so, as creating Internal Audit awareness amongst other stakeholders.

As the month comes to an end, it is time to make a commitment to update ourselves on what is new in our profession, and what is expected of us. This is the time for us to draw up a plan for upskilling ourselves and our teams in terms of new tools, novel techniques, fresh thinking and deeper understanding of the world around us. As remote audits overtake the ‘look and feel’ audits of yesteryear, as data becomes the new oil, as privacy is traded for free access to tech platforms, as driverless cars get caught in accidents, as a hacker in a remote country threatens the energy supply to households in one of the most developed countries, as the past quarter information starts looking ancient, as currencies floated without the backing of governments and Central Banks become popular, as health passports become a reality… are we in tune to perform good quality Internal Audits?

I exhort each one of you to spend time in assessing your own readiness and that of your team collectively, and to take strides to bridge the gaps you spot. In a fast-changing world, the gaps may be many, and thus, collaboration becomes the key to ensure that as a team, as a group, we work on covering the distance with speed and a sense of urgency. It is time to loosen our hold on the past and anchor ourselves more firmly in the future, as it unfolds. Being future-ready is the new mantra for everyone, especially for Internal Auditors.

In the eleven months that unfold between now and the beginning of May 2022, we have the most interesting and engaging job at hand – to create the stories that we will take to larger audiences next year, this time.

What are the steps you propose to take to upskill yourself and your team? What are the new areas of audit that are being added to your Internal Audit plan? How are you going to deal with new risks created by hybrid workspace? Is the Management looking up to you as ‘future-ready’ or are you being assigned traditional audit areas of the past?

I welcome your comments and would love to hear the stories that you plan to take to larger audiences next year, when yet another Internal Audit Awareness Month unfolds, in May 2022.

Internal Financial Controls: Testing Times!!

It is that time of the year when the organization is buzzing with IFC TESTING!

How does it work in your organization – is this activity the most mundane or significantly meaningful?

Our guess is that, for most, it would be the ‘most mundane’.

Ever since the confirmation of internal financial controls became an explicit part of the Directors’ Responsibility Statement, we have come across interesting views on the role of Internal Audit in this context, some of which, in our opinion, need a review.

It is the responsibility of the Management to ensure that controls exist and are effective, and the ownership of these controls lies with the process owners.

Despite this, we have come across internal auditors being questioned by management, the audit committee, and the statutory auditors when the controls fail.

Hence, we felt it may be interesting to clear the air by attempting to spell out some basic principles as also explain the context.

We are all aware of the speed and urgency with which IFC was rolled out by companies when the Companies Act, 2013 came into force. Many companies availed services of external consultants to draft the framework. The brief was clear – ensure compliance with requirements of the Companies Act by the target date and keep it simple so as to avoid complications (read: embarrassment) with an intent of improvising in the coming year. (We do, however, know that more often than not, intents do not get translated into action!)

Given these boundaries, the framework was completed in record time and many companies passed the test with flying colors. Statutory auditors were advised by ICAI to restrict their review to controls that impacted financial reporting.

So, it was a ‘tick on the box’ approach used by most companies to ensure compliance in its first year.

By and large, a vast majority ended up paying lip service to the new requirement – paying attention to the form, in the most minimal way possible; with the good intentions of catching up with the spirit of the enactment at a later date.

The spirit versus the letter.

The spirit, with which these requirements were mandated, has perhaps been overshadowed with the thrust of compliance with the letter.

Some corporate boards view IFC as a necessary technical compliance that is logically delegated to the Audit Committee; Boards, as a whole, may be spending not more than 30 minutes annually on the subject.

And herein lie both the problem and the opportunity!!

Just as features of a new ERP package often are grossly underutilized, we believe that the power of IFC remains largely untapped. Even though we have been living with SOX requirements for over a decade, many companies have not matured or optimized their IFC programs.

Leveraging IFC for enhancing assurance and improving quality of internal audit.

We came across a survey which mentioned that the majority of Indian companies are not treating compliance as an end-game. For all of them, this is a journey well begun. But why stop here?

While the intent is right, companies must now move up the curve and leverage IFC to enhance the control environment. We don’t think it’s possible to lock internal controls into a static framework. The controls are good for a period of time, but then these have to change.

Whilst the continuous re-evaluation and documentation may appear to be a burden, if institutionalised well, it will yield benefits beyond expectations. Changes in organization structure or processes or addition of new lines of business should trigger the re-evaluation and revised documentation.

And, in addition, review cycles should ensure that all Risk Control Matrices (RCMs) get attention at least once in two years. Internal audit can play a decisively constructive role in this journey – for example, recommendations to auditees must be comprehensive to encompass required changes in RCMs.

In fact, a one pager annexure to each audit report on how the internal audit findings align with the effectiveness of IFCs reflected in RCMs could be an easy way to facilitate this exercise.

Auditing at the Speed of Risk in the Digital Age. 

IA needs to keep up to date with the latest market developments and update its risk assessments more frequently. Technology is the biggest game changer. Some of the threats that will surface during a threat assessment could be malicious software, hacking attempts, unencrypted information and data theft.

As internal auditors, check if RCMs have been amended to provide for Work from Home (WFH) controls. The digital space is exciting and scary at the same time – social media is like the genie that can no longer go back in the lamp… hence, controls need to dynamically adjust.

It is important to thoroughly test the disaster recovery plans (DRPs) and Business Continuity Plans (BCPs) when reviewing IT General Controls (ITGC).

“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” – Theodore Roosevelt

Entity Level Controls (ELC): Auditing the Culture.

The approach to establishing Internal Financial Controls and auditing them can only be top down, as it starts with the senior most management and drills down to the lowest operating level.

Based on our practical experience, we know that not all companies are able to demonstrate a control environment that creates confidence in entity level controls.

Frauds highlight the weaknesses in the governance structure. Culture audits can help gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex.

Culture is shaped by values that influence everyday behaviour within the organization. Managements create sub-cultures among their teams. Different departments have different cultures and risk tolerances etc. Building an ELC would foster a control conscious work culture for people entrusted with controls.

The stronger the culture, the stronger will be the ELC and thus the higher will be the reliance on overall controls.

The way forward

We recommend that internal auditors assume the role of evangelists for IFC – they are best positioned and they will do great service to the management and the board by doing this.

How is this possible? Here are some suggestions:

  • RCMs were initially drafted to ensure tests of IFC would not fail and hence a minimal approach for documented controls was adopted. Thereafter, the IFC check has become more of a routine compliance issue and hence the spirit of IFC is either lost or not completely upheld. As Internal Auditors, we can make a case for a more purposeful IFC framework and thereby nudge the management to leverage the power of IFC.
  • ELC and ITGC – it is futile to spend energy in locking every closet if you have left the main door wide open. Strong ‘main-door’ security eliminates major risks by controlling who can go in – similarly, ELCs and ITGCs minimize the possibility of certain risks entering the company’s systems.
  • Make RCMs comprehensive and include all processes – accounting and operating. Capture all controls and document the intent. Business operations have evolved continuously and there may be changes in the policies and processes.  Documentation of a new process or sub-process must include supporting RCM and flowchart. An effective change management process needs to be defined and incorporated in these RCMs. Adequate training is to be imparted to process owners on documentation and change management.
  • Have an annual presentation to the Audit committee on review of RCMs.
  • Make IFC check an integral part of internal audit execution without worrying about comprehensive documentation. And reinforce your audit observations dealing with process issues by referencing the applicable RCM. The result will be surprising – process owners will retrieve the RCMs.

The above pre-supposes strong support from management and the audit committee; if not, when initiating these, buy stakeholder support. A progressive improvement will result in raising the bar of the control environment, and hence governance.

To conclude, IFC is not just a matter of compliance; it is, in fact, a mine of opportunities to be tapped by organisations to ensure a stress-free business environment. And IA has the role of a catalyst in this….

We welcome your comments and feedback, and more importantly, your own experience with IFC. Your participation gives greater vibrancy to the blog.

Risk Assessment in the Future

Risk is a function of probability & impact. It’s what can go wrong and which one doesn’t see coming. It may be a threat, vulnerability, loss, damage, impairment or injury. It’s the uncertainty and unpredictability that makes risk interesting & difficult at the same time.

The world is clearly looked at as the pre- and post-Covid era.

Even before the closing stages of the pre-Covid era, in 2019, the global economy was slowing down. Business was facing reduced margins, and many corporates were finding it difficult to survive. Both the number and the monetary value of frauds were increasing, especially cyber frauds. Governance issues were cropping up and there was a general degeneration of ethics. Geo-political tensions were rising and climate change was causing widespread disruptions globally. Social media was an integral part of everyone’s daily lives and the internet was all pervasive. Technology was making deep inroads in terms of innovation and speed to market. Artificial Intelligence, Blockchain, Cloud computing (ABC) were rapidly becoming the new normal. Business Continuity Planning and Disaster Recovery were factored in risk assessments. The world was exposed to Black Swan events post the 2008 Global crisis; however, risk assessment, though rigorously mandated by regulators, found compliance largely with the letter of law and not in spirit, perhaps due to the costs and efforts involved.

This is when Covid-19 struck and turned the world upside down in 2020. Vaccines are now available and vaccination is gradually happening. However, newer strains of the virus and the eruption of second and third waves of the pandemic are still causing uncertainty. The virus progression is a classic case of risk identification failure: when it first struck in Wuhan, in late 2019, no one saw it coming. Once identified, post the impact, none could measure the volatility and amount of global disruption it could cause. A remedy has been found but it is too early to call it a complete success. The spread has been drastically curtailed but that has taken its own time and has come at a heavy cost. Communication on the current situation is still not very clear. There are still some misconceptions post unlocking, with people freely violating social distancing and masking norms.

Let’s look at the risk scenario change that Covid-19 brought about –

1) It has made us realize that risks can come in any shape and size, striking devastatingly. The speed at which risk can travel across the globe, causing widespread damage alongside, is now part of risk record books. Risk identification will now factor in even the blackest of the black swan risks.

2) Technology has still to catch-up. Innovations in health care industry will continue to get increased funding.

3) People can adapt with times and the lockdown phase proved that people can live frugally with minimal basic needs taken care of. If this psyche remains, apart from lack of purchasing power due to dwindling incomes, it will lead to closure of many businesses catering to luxury or discretionary spending. Only the fitter amongst the fittest will survive. Consolidation already happening across industries will be even quicker.

4) Personal Health and Hygiene, long neglected by many, will be in limelight. Preventive immunity will be the buzzword.

5) ‘Work from Home’ culture will continue. There would be hybrid work models. Business Continuity Planning will need to factor in long term disruption scenarios and adapt appropriately. Data availability and confidentiality will assume increased importance.

6) Unemployment levels will rise, necessitating people to re-skill. Mental toughness, Collaboration, Grit, Resilience, Networking, Creativity, Critical Thinking, Communication, Self-Awareness, Decision making skills, Empathy will be in demand. Online or Digital will be trending. Many business models will undergo changes.

7) The urgent necessity will be having a service / product which addresses a serious pain point or a real problem. Value will be the sole deciding factor with right pricing and speed being the key.

In all these scenarios, Risk function will need to evolve with the time, being strategically dynamic, flexible and adaptable to the new, changing normal. It will get the focus it rightly deserves.

1) Risk identification and Assessment

Capturing probability and impact of an event will be even more pro-active, detailed, scientific, prudent, automated and comprehensive. The function will be focussed, specialized and manned by people with diverse skillsets. Processes will be more pro-active, preventive and continuously ongoing. The same will apply to risk evaluation, analysis, measurement and monitoring. The entire gamut of risks currently identified will be reviewed and looked afresh with more stringent stress testing norms. Risk Appetite, Risk Tolerance levels and limits will be re-defined.

2) Control mapping 

Identifying efficacy of current controls addressing risks (both design and implementation) will need to be comprehensively reviewed and re-looked afresh. Focus will be on pro-active, automated controls. Cost will be the key criterion and hence prioritization would be a must. Redundant controls will be weeded out to eliminate waste, make processes simpler, smoother and faster. Corroborative, deterrent and corrective controls will continue to be widely used. There will be zero tolerance for ethical violations and things will have to be done right first time. Human Resource function will need to be more active to especially handle skillset upgradation, work engagement, mental stress, delicately tackling termination and pay-cut issues.

3) Gap – Vulnerability analysis –

Solving or addressing the real threat or the main issue will be a pivotal exercise in all organizations. Prudence, Conservatism, Scepticism will need fine balancing for optimal results within overall business strategy. This will be an ongoing exercise with no room for complacency at any stage. Risk owners will need to stringently meet deadlines and accountability will be non-negotiable. Each resource will need pro-active risk readiness at all times.

The basic philosophy of risk can and will never change. It’s the focussed remediation or mitigation that will matter. The Risk function will have to manage disruptions better to avoid extinction. Perform or Perish will be the mantra.

The Blog solely reflects the personal views of the author(s).

Internal Audit Lessons from Cricket

Cricket and Bollywood are the two national favorite pastimes. With both taking a forced break after the outbreak of the virus, I am motivated to write about the sport I passionately played until a few years ago and follow closely now. Cricket did teach me many aspects of life that I have applied and continue to apply in my Internal Audit career.

1. Practice, practice and practice

It is not magic that Lara, Sachin or Viv would be in such good positions to play a shot and convert even good balls into runs. It is all attributed to the hours and hours of practice that has enabled them to read the bowler’s arm, gauge the speed of the delivery and the angle at which the ball is arriving. I learnt that as an auditor, I need to spend more time sharpening the saw so that it takes less time to cut the tree. Practice makes an auditor perfect. Each audit interaction for every audit assignment is a practice which has led me in the direction of perfection… my journey is still on… it matters little to me now when I will reach, I am thoroughly enjoying the journey.

2. I may not be in the playing eleven

My team consists of players who are chosen depending upon factors such as the strength & weakness of the opposition, one’s own ability & skill and the state of the pitch. My team has a combination of opening batsmen, one drop, middle order, all-rounders, wicket-keeper, fast bowlers, medium pacers and spinners. I could be among the top 6 batsmen but if the decision is to play only 5 batsmen, I could get left out; I could be the best spinner but if the wicket is fast paced, I do not get a chance to play, and so on. I learnt that as an auditor, I may get the assignment/job or it could go to someone else. But I have to continue to be good and better at my auditing skill-sets and do my best and wait for the next opportunity. As far as I go, either the opportunities have come or I have created them and that has worked for me. Apna time bhi aayega.

3. Home advantage

The national cricket team for long were known to be home tigers and did exceptionally well in Asian conditions but faltered when playing in swinging English conditions, or the fast paced tracks at Perth and Sabina Park. However, things have changed now for the better. The recent win in Australia is a showcase. Foreign teams are also now trained to do better than before in Asian conditions. We saw what England did to us in the first Test recently. I learnt that as auditors we need to adapt to the conditions in which we operate. We have handled India based assignments and done exemplary work for clients/businesses based abroad too. India, through the ICAI, has been the pioneer in framing Standards on Forensic Accounting & Investigation Services, in which many of us directly or indirectly contributed.

4. Advantage of the toss

In cricket, winning the toss is crucial to the outcome of the match and it is a matter of luck to get the favour of the coin. Depending upon the conditions, the toss winner puts the opposition in or chooses to bat first. Often in Test Cricket, the captain that wins the toss, chooses to bat first guided by the proved hypothesis that pitches tend to deteriorate over days and batting becomes more difficult as the spinners have a “field” day (pun intended). Batsmen also experience variable bounce that makes batting a nightmare. I learnt that while auditing, I am at times fortunate enough to have the first mover advantage – when I am called upon to audit a brand new business or to review a system before implementation or use a new audit tool for superior analysis – I need to seize these opportunities and play my best game. But, there will also be other times, when many things are not in my control. I have to make do with what is, and move on keeping a good strategy in mind. Winning a toss is not in my control, but playing my best game nevertheless is well within my reach.

5. Googly & Doosra

Googly is a type of deceptive delivery bowled by a right-arm leg spin bowler, achieved by bowling the ball as a conventional leg break, but spinning the ball further with the fingers just before it is released. It is also called a wrong ‘un. Muttiah Muralitharan was the best exponent of the googly and now it’s over to Rashid Khan. Doosra is a recent addition, first developed by Saqlain Mushtaq. Doosra is the delivery which goes with the arm. It means when an off spinner is bowling, the batsman expects the delivery to be coming in but it goes straight with the arm and foxes the batsman. If the batsman does not pick the bowler’s arm, the chances are high of getting out. I have learnt during my audits, that situations threw me lots of challenges but I made sure to study what’s coming at me and adapt my actions accordingly. I have always felt the need to do something different. We as auditors, meet difficult auditees and also experience challenges in getting data and information that are critical for the purpose of our work. But that does not stop us from completing assignments as required. Read the mind and body language of the people we connect with in the audits, and we will be the best.

6. Reverse swing

Normal swing occurs mostly when the ball is new. As the ball wears out, the aerodynamics of the asymmetry changes and it is more difficult to extract a large amount of swing. When the ball becomes 50 plus overs old, it begins to swing towards the shine. This is known as reverse swing, meaning that a natural out-swinger will become an in-swinger and vice versa. Imran Khan, Wasim Akram and Waqar Younis were the pioneers of reverse swing. A batsman needs good eye reflexes which are considered to be a key skill when facing swing bowling and must anticipate beforehand what the ball will do and adjust accordingly by observing the bowler’s grip and action. I learnt that as an auditor I had to use the scarce resources available to me and discover new techniques and I need to adjust my audit technique depending upon the situation through keen observation. Attending thoughtfully crafted training programs has helped me immensely in use of technology in conduct of audits. Observing senior members of the profession going about the audit tasks has also considerably helped me in my journey.

7. No second chance

As a batsman, reputation does not count. A poor judgement, a mis-reading of the ball, a top-edge and you are a goner, at least for this innings. A bowler can get away with a loose ball, a fielder with the ball going through his legs or a dropped catch but not the batsman. He can make amends only in the next innings. Whether it is a Sachin or a tail-ender, if a rank bad ball is hit into the hands of the fielder, you are out. I learnt that I need to understand the role I am playing and I have to give it my best. As an auditor, reputation does not act in my favour. In fact, my reputation comes with higher and higher expectations and I need to be performing at my best all the time. Like the batsman, I need to perform the best here and now. This philosophy has helped me sustain a continuous good performance.

8. Judging a quick single

This is where the team spirit comes in. While judging a run, the batsman has not only to judge that he will reach the other end, it is also important for him to judge that his partner will also reach the other end. Technically, if the ball is played to mid-on, the non-striker relies solely on the call of the striker and the run is taken. I learnt that while doing audits, it is not just important about how well I perform, but it is the team effort that counts. This is what team spirit is all about. Take care of yourself but also take care of your team mates. You must reach your destination but along the way, the team also needs to reach with you. How important it is to collaborate with team members who bring different skill sets to the assignment.

9. Walking

What’s walking to do with cricket? Adam Gilchrist was one player who “walked” every time he knew he had edged. Walking is the act on part of the batsman to walk back to the pavilion when he knows he has edged and the catch has been taken behind the wicket, irrespective of whether it has come to the notice of the umpire or of the opponents. These moral custodians can sleep easy, safe in the knowledge that they did the right thing and upheld the ‘Spirit of Cricket’. This has taught me one thing – a right is a right even if no one is doing it, a wrong is a wrong even if everyone is doing it. Integrity is important in life – it builds a great reputation. Integrity is one of the seven prized attributes that Richard Chambers has identified for Highly Effective Internal Auditors.

10. Judging a High Catch

Just think what goes on in the mind of the fielder when the ball is hit high and he is on the boundary line with the background sound of the entire stadium rooting for or against with all eyes on you – a million pairs of eyes (including the television audience) and you have to perform. The fielder has to adjust to the light (artificial or the sun) and the swerve of the ball due to the wind and not cross the boundary line. I learnt that when executing audits, we have to be consistent in performance; I am continuously being watched and evaluated by my colleagues, my auditees, my management, my Board, my profession and above all my conscience. I have to perform all the time and yet always remain within the “Boundary” (pun intended).

11. Comradeship

Don’t we see that when a buckle of the pad or the shoe lace gets untied, the opposition team member would help in getting it back to position? When a match is over, there is a warm shake of hands and a pat on the back between each of the umpires, the players and support staff. I learnt that in audits we must celebrate success with our own team mates, we must be cordial in our relationship with all those we come in contact with during the course of the audits and we must have the best relationship with the top management/client. We must create win-win situations all through.

12. Communication

When the batsmen are taking say two or three runs, there is always an instruction by the batsman who is facing the direction in which the ball is hit when the two batsmen cross, whether there is an opportunity for the next run. At times, instructions are given whether it is an easy run or a cheeky one. This enables the other player to adjust the pace of run to conserve the stamina. Fielders also communicate loudly and clearly whose catch it is, when the ball is hit high and there is a possibility of more than one fielder getting close to taking the catch. I learnt that I have to give clear guidance to my team members and say the right thing and at the right time. I also have to receive the communication from others correctly as communication is not a one-way street. Non-verbal communication, at times, is as effective as verbal communication.

13. Ambidextrous

We have seen quite a few fielders in a position to throw the ball with the wrong hand which makes them so versatile and has resulted in many a run-out too. This ability also increases their utility to the team. I learnt that as auditors we must continue to improve in whatever we are good at and find out ways to be more in a position to deliver. Audit is all about the balance between identifying gaps (finding control weaknesses), providing assurance and encouraging good governance; and knowing what to emphasise when.

14. Run on a mis-field

We all have grown up hearing the oft-repeated coach instruction, “Never run on a mis-field”. Many batsmen have got run-out running on a mis-field when the fielder quickly recoups and throws the ball and effects a run-out. I learnt that while doing an audit and coming out with observations, I must not attempt to capitalize on another’s mistake and must respect the ability of the other to quickly recoup after the mistake. What is really necessary to unearth is why that mistake happened and suggest steps that will prevent that mistake from happening again in the same place and also elsewhere in the organisation.

15. Sledging

The Australians have the track record of being the best sledgers in the world. The banter among the keeper and close-in fielders (they out-number the batsman) can rattle the concentration of the best in the world resulting in needless errors of a disturbed mind. The Dravids and the Sachins have mastered the art of ignoring the banter. What I learnt is that while doing audits, there will be such cross talk going on endlessly, but I must be so sure of my own ability and performance and should not get provoked.

I am happy that I have written this on the day that the world’s largest stadium – Narendra Modi Stadium was inaugurated at Ahmedabad by the Honorable President and Honorable Home Minister. I am so proud to say that the stadium was built by L&T, a company where I spent one fourth of my professional life – a company which redeveloped and refurbished the Wankhede Stadium in record time for the finals of the 2011 World Cup.

There are so many other aspects of the game that have given me valuable life lessons. Just 15 lessons have consumed close to 2500 words, so I will leave it for some other day to share my balance thoughts. Cricket is a fascinating game and I used to think as a teenager, that there is nothing better in life than cricket, until I decided to make my career in Internal Audit. Now Internal Audit means the world to me and time has certainly come to give back, not only to the Internal Audit profession but to the world at large. The world is waiting for capable people to give, rather than continue to take from the world. There is nothing better in life than Internal Audit. The future is for Gen-next. My best wishes and encouragement to each of you.

The teacher learns more than the student. The author learns more than the reader. The speaker learns more than the attendee. The way to learn is by doing.

What say?

I welcome your comments and as a batsman, I promise to respond to each one with my best shot!

The Blog solely reflects the personal views of the author(s).

The Road Less Travelled

As I look back at the 30 odd years that I have spent in the profession, I feel a sense of satisfaction and joy. I recount the number of times, when I found myself at crossroads, and ventured along the untrodden path, the road less travelled.

What is a Chemistry student doing in a CA firm?

I completed my graduation in Science stream, majoring in Chemistry. After graduation, unlike most of my peers, I found myself signing up for articleship for Chartered Accountancy – little did I know then that this was not to be the first time I was stepping away from the beaten track.

The Early Inspiration

The initial seeds of inspiration for internal auditing and consulting were planted by my mentor, Shri Shailesh Haribhakti during my articleship and I was fortunate to have guidance from a number of mentors including Dr. N. Balasubramanian thereafter. To equip myself for a career in Internal Audit I pursued CIA (Certified Internal Auditor). Stability to weather the initial storm of long gestation period in practice was provided by my partners: partner in office, Manish Pipalia, and partner in life, my wife, Sangita.

Questioning the Status Quo

Starting out with conducting internal audits, risk management and consulting assignments, I was soon focusing on these assignments with a “positive dissatisfaction” of ‘what and how these were being done’ and ‘what should be and could be done’. This was a continuous dilemma and thought process – this journey from ‘what is’ to ‘what should be’ has always enchanted me. I found myself engaging with the internal audit community to collaborate to change the way internal audit was being conducted including bringing in a strong consulting focus. Opting for specialization in Internal audit at an early age helped me to remain focused and also become a catalyst for change.

Many Doors Keep Opening Up

Professional interactions with the internal audit community in India and abroad coupled with an attitude of professional sharing with the internal audit community led to opportunities of speaking assignments, training engagements, holding positions such as President, Institute of Internal Auditors, India, Bombay Chapter, and as a Member of Academic Relations Committee, IIA Inc., Florida, USA, Internal Audit Standards Board, ICAI and also in the BCAS etc. The wide exposure to new ideas and interactions with the stalwarts of the Internal Audit profession humbled me and also empowered me greatly. I started seeing myself as a catalyst for my clients and a change agent for my profession. I have always wanted nothing but the best for my clients and for my profession.

Sharing Strengthens A Profession

Continuous emphasis on professional sharing also led to designing internal audit courses for BCAS and INGAF, Controller General of Accounts. Writing articles and books became a habit. One such endeavour was to interview fourteen CAEs of leading organizations in India and publishing the best practices for the benefit of the internal audit community at large; another exercise led to BCAS releasing a book titled ‘Internal Audit – Practical Case Studies’ that was a compilation of articles published in the BCA journal over seven years.

A Step Ahead – Introducing Frameworks and Technology to India

Studying contemporary developments and meeting CAEs abroad, especially in North America, Australia and Europe, brought out the emerging frameworks and technology being used in the profession. Successful attempts were made to bring such advanced frameworks and emerging technology to the professional community here in India. Analytics, audit process automation, risk management solutions were made available almost 20 years back. Use of technology solutions has now become a ‘given’ for any progressive internal audit team.

From Internal Audit to Management Consulting

A collateral advantage of travelling far and wide has been the appreciation of different cultures and the way professionals think and work in different geographies in India and abroad. Professional interactions with the business and academic community outside of internal audit, in the general management area, like CEOs, CFOs, professors in India and abroad, increased understanding of management styles and needs. At this stage Peter Drucker’s Principles and Philosophy of management and leadership entered my thought process. This opened up opportunities that eventually led to becoming the World President for the Drucker Society and interaction with leading management thinkers like Prof. C.K. Prahalad, Charles Handy, Joseph Maciariello and others. Perspectives gleaned from such interactions have only helped in value addition to clients and graduating to be a management advisor to businesses.

Milestones of My Journey

All this has been enabled by ‘keeping an open mind’, an attitude of positive dissatisfaction of where one is and a strong desire to change the status quo, exploring and applying new ideas, adapting to change and learning continuously through professional sharing. The most important pillar has been a strong “people orientation”.

To conclude, the way to achieve professional satisfaction and growth is to:

  • share with a missionary zeal (give back to the professional community),
  • embrace continuous change including latest frameworks and technology solutions,
  • always be in learning mode,
  • be passionate about the work being carried out and add value to clients.

I share my unusual journey here so that it may provide courage to someone who is standing at a crossroad, or to someone who is waiting at a door half-open wondering what lies beyond. I remember Robert Frost’s poem which said “Two roads diverged in a yellow wood….. and I took the one less travelled by, and that has made all the difference”.

To all those at crossroads I say, take the road less travelled by and see the difference that it makes!

We invite your feedback and comments. Your comments will give life to this blog and be instrumental in creating an even more vibrant IA community.

Internal Audit – Ideas for a New Era

It is that time of the year when New Year resolutions get mulled over, new dietary plans emerge, ambitious fitness regimes are embraced, enrolments to new on-line courses soar, gym memberships see an uptick, bold book-reading commitments are announced on the likes of ‘Goodreads’, the daily alarm clock is set 30 minutes earlier than usual… It is indeed a time for soul-searching, deep reflection and imagination, a time to truly “ring out the old, ring in the new”.

For Internal Auditors world over, particularly in the backdrop of the year that has been, this is the time that merits some innovative thinking, impactful initiatives and above all, re-imagining Internal Audit; for, it is not just a New Year that is about to begin, but a whole new era is upon us.

As a ‘just-retired’ internal Auditor, I wonder what my thoughts would have been, had I continued to lead the Internal Audit team of my firm. Here are a few thoughts that cross my mind; and may perhaps resonate with Internal Auditors across industries and geographies.

Zero-based strategic planning:

This is the time to set free from the past trajectory of the internal audit practice/function and think afresh – how can internal audit be relevant to the new world of e-commerce and digital payments, of remote work and global classrooms, of physical lockdown and digital freedom, of driverless cars and bitcoin-driven economy. What is interesting is that many of the traditional business models and revenue streams have got replaced – the customer gets a lot of things free (free entertainment, free news, free training, free credit) but in exchange pays with privacy, data and digital trail, and a higher vulnerability to cyber risks.

In these times, to plan based on the past, making incremental growth projections and marginal tweaking of audit plans would not suffice. I would encourage the internal audit strategy and plan to be zero-based – start with a blank canvas and approach the changed world with some bold masterstrokes!

Realigning the Team

The Internal Audit team will need to be realigned to respond to the changing world. In addition to understanding of risks and controls, processes and procedures, laws and industry practices, I would invest in people who understand the paperless, borderless economy better. At this point, I would need to supplement my team with people on the ground – the street-smart ‘slumdog millionaire’ would be as valuable to me as those with professional qualifications and formal work experience.

I acknowledge that the age of the stereotype CV (matriculation, graduation, internship, professional qualification and work experience, in that order) is history. We will have to understand CVs that have diversions and gaps, and a multitude of sources of learning and experience. Those who have learnt fraud vulnerabilities through episodes of “Jamtara” may be regarded as equally well-trained as those who have attended classroom case studies on cyber frauds; just as those who have understood financial markets through watching “Scam 1992” may be well-placed to match those who have taken certificate courses on understanding capital markets.

The Tech Imperative

Much has been said about the need for Internal Auditors to embrace technology; and yet, many Internal Audit teams struggle to make that big shift. I have realized that an existing Internal Audit team may be able to embrace technology incrementally, one application at a time. The team will keep attending training workshops and the organization will invest in getting the relevant software licenses – but integrating technology into Internal Audit takes more than that. I would identify (from within the team or outside) a few persons who are passionate about technology and are capable of catalyzing the team’s technology shift at a rapid pace, and make them the tech champions for my team, empowering them to challenge and change the status quo.

My entire focus at this stage would be to absorb technology in every facet of my team’s working – holding meetings, internal and external communication, data analysis, process automation, reporting, visual presentations, work paper documentation, team appraisals and more. There is now no looking back.

Team Well-being:

The year 2020 has made most of us make rapid changes to almost all aspects of our lives. What started off as a lockdown of a few weeks continues to limit our movement and activities even after 9 months. This change has not been easy for everyone – and while most have got used to WFH culture and screen-based meetings, the loss of personal connections, social interactions and physical environments has left a void. It has created a greater need for looking after the well-being of our teams.

I would pay attention to the overall well-being of my team members, create open forums to reach out in case someone felt the burnout or ‘disconnection’ stress. I would have an open house, periodically, to discuss how each one is coping and explore what we, as a team, can do to ensure that each of us feels connected and supported. Sharing talks from leading mental health experts and healthcare specialists would also help in bringing the focus on overall well-being of the entire team. Building resilience in my team would be a priority for me at this point.

Social media and increased screen time have caused a serious problem of being distracted all the time. I would invest in helping my team stay “indistractable” and pursue their work and other life passions with focus. Perhaps starting a book club with books such as “Indistractable” (by Nir Eyal) may be a good start.

Connections

Staying connected with our stakeholders wasn’t easy even in the past era. In these post-Covid times, this has become even more challenging. We would develop a strategy for staying connected with our key stakeholders by creative means. In an era where even a “5 Minute Read” is “saved for later” and “forgotten forever”, my team will have to innovate ways for meaningful engagement, with minimum intrusion on the stakeholders’ time and privacy. We will explore options ranging from hosting an interesting 15-minute capsule talk by an expert to a “coffee meet” with a small group; we will stage a quiz contest on cyber risks or conduct interesting surveys on data privacy; we will create small video movies on topics such as “what’s new with Internal Audit” or “How did our team support the Covid crisis within the organization”. We will earn our time slots with those who govern by always keeping our reports and presentations crisp, fair and forward looking.

Solution-Orientation:

For long, our Internal Audit teams have focused on “spotting the problem” or identification of gaps. While we have made certain broad recommendations, we are not perceived as solution providers. As we move from one audit to another, we have seen our role as bringing out the gaps or deviations and leaving others to resolve them. The present times have revealed that versatility, holistic understanding and coming up with innovative and workable solutions are skills that make or mar careers not only in Internal Audit but in all spheres.

Solution-orientation, like technology absorption, cannot be taught but needs to be cultivated. Offering our team members to become part of cross-functional teams working on specific solutions, creating training modules that focus on coming up with collaborative solutions (modelled on hackathon) and arranging formal training in design-thinking and novel work approaches could be some of the approaches. Adding team members that have experience in working on social issues (low resources, practical solutions) or adventure travel (critical thinking, quick action) could help in bringing in the “solutions” mindset. Developing such traits would be an integral part of every training and development initiative; likewise, assessment of these traits would be integral to performance reviews and potential assessments.

Engaging with the New Economy:

The best way to understand the dynamics of the new economy is to plunge into it. As a head of Internal Audit team, I would seek every opportunity to engage with, and provide professional services to, the players in the new age economy proliferating with payment gateways, Edtech, Fintech, App developers, influencers, social entrepreneurs, digital entertainers, virtual universities, Healthtech and more.

We cannot learn to swim with an instruction book or trainer videos – taking a plunge would be not only the fastest way but the only way to learn. So, here’s to a New Year and a New Era – are you ready to take the plunge?

Importance of Being (Internal Audit) Earnest

The truth is rarely pure and never simple – so wrote Oscar Wilde in his 1895 play, The Importance of Being Earnest. The play, which is a farcical comedy, mocks Victorian traditions of false seriousness and social customs. We internal auditors certainly do not mock traditions and practices, but earnestly go about the not-so-simple path of seeking the truth to achieve the audit objectives. There are dilemmas faced by us as we go about conducting internal audit. This blog is an attempt to explore how we can earnestly conduct our internal audits while dealing with dilemmas.

Let’s reflect on our experiences when we draw up the audit plan. Whether based on a risk assessment or not, we do get conflicting thoughts on where to focus more and where not to. Business is dynamic and we realise that something seemingly as simple as drawing up an audit plan requires us to do a bit of back and forth in our minds till we conclude earnestly what the plan finally is. Whether we should focus on a high risk item once or twice in a year or with greater frequency in the audit cycle? Whether an audit area can move from moderate to high or vice versa? How do we keep our plan flexible and agile enough so as not to lose out on any changes to business processes and systems?

Similar thoughts come through while designing the scope of each area of audit; while executing our audit; while discussing our audit conclusions; while deliberating over our draft report and finally, when we prepare the final report.

The dilemma of what is good for business and what is required for adequate controls seems to be from time immemorial. It is easier said that the cost of controls should not surpass the benefits the controls intend. Calculations to quantify costs/benefits are based on probabilities (nowadays, simple probabilities have been replaced by complex weighted average probabilities) that could swing either way. While all these calculations are done and decisions justified, do we not get a feeling that perhaps we should let the process be, not tweak it greatly and appeal to the human instinct of good behavior and the corporate instinct of good governance to ensure that the originally designed and/or recommended controls fall in place? How often, in our discussions, do we tell the auditee, “Leave alone what I am saying, what is your opinion?” or “Just step back and tell me, what do you think?” That is our way of trying to impress upon the basic good human thoughts. Sometimes this works as a clincher in discussing our observations and recommendations and getting the auditee to agree with us. But many a time, it does not.

So, as internal auditors, what are we supposed to do? To arrive at an earnest result of internal audit, we need to be true to ourselves. We need to look at the situation from both sides – the auditor’s view and the business view. Many a time, when we understand the business view, we are able to better articulate our auditor’s view. We are then able to traverse that path of adequacy of control and tweak our recommendation appropriately. This way the objective of audit is achieved and the perspective of business is not lost. Is this the elusive ‘golden mean’? Wonder whether this term emanated from an auditee-auditor conversation sometime in history? Well, that would be a topic for another blog, another research!

The other dilemma is when we need to present our audit findings to the Top Management or the Audit Committee of the Board. Do we tend to get carried away by our own recommendations? Do we underplay our own recommendations? Do we allow the business to sway our communication? Do we override the business and say, this is my privilege and I will report it in my way? Do we think that our next internal audit assignment / tenure will be influenced by what and how we say? Do we think, to hell with it, let us just go out and say what we want to say? Reality is, nothing like this happens; reality is, a bit of everything happens! Our earnestness enables us to find, once again, the golden mean. And with each experience we realise that we are communicating better. We are communicating the right things in the right manner. Effectiveness and efficiency, both achieved. This sincerity of approach is always well appreciated. It leads to a better acceptance of our observations and recommendations. And then we are satisfied that objectives of internal audit are achieved.

The position of internal audit is vital in any business entity and carries immense responsibility. The Peter Parker (a.k.a. Spiderman) Principle (with great power comes great responsibility) applies equally to internal audit. It has been the experience of many of us internal auditors that only because we say so, the Top Management and the Audit Committee believe in the proposition we put forward. This is because of the faith reposed in us; an outcome of our unbiased work. This reflects an outcome of years of performance of internal audit across businesses, sectors and entities. And that, to my mind is our single most attribute that keeps us performing the way we are expected to perform.

We will not belie the expectations of our stakeholders if we perform our role as internal auditors with the expected sincerity and earnestness. Unlike sportsmen, we cannot afford to have an off-day. We need to perform every day. This can be done by imbibing the principles embodied in global and domestic standards of internal audit and performing by them. This in turn will lead us to delivering sound recommendations for business process improvements. The synopsis of our recommendations remains, however, within the troika of parameters – time, money and people – which I found in the writings of Pu La Deshpande, perhaps one of India’s greatest literary geniuses, whom I quote verbatim:

प्रोब्लेम्स नसतात कोणाला? ते शेवटपर्यंत असतात. पण प्रत्येक प्रोब्लेमला उत्तर असतंच.
ते सोडवायला कधी वेळ हवा असतो, कधी पैसा तर कधी माणसं.
या तिन्ही गोष्टीपलीकडला प्रोब्लेम अस्तित्वातच नसतो.

Loosely translated (and with apologies to Pu La):-

Who doesn’t have problems? They remain right until the end. But each problem has a solution.

To solve the problem sometimes you need time, sometimes money and sometimes people.

Beyond these three resources, there is no problem that cannot be solved.

As internal auditors, if we detect a problem within the control system and attempt to solve it with these three resources, I am sure our earnestness of internal audit will be seen, accepted and appreciated by business, regulators and all stakeholders.

The Blog solely reflects the personal views and opinions of the author(s).

Reflections on ‘value addition’ by Internal Audit

Time and again and, in all probability, when the performance of a Chief Internal Auditor or a Chief Audit Executive (CAE) is being assessed, Audit Committee (AC) and Management wish to understand the value addition made by Internal Audit (IA).

It is not easy for the CAE to respond to this requirement, mainly because his internal customers almost always believe that ‘All’s Well’; that there is no need to have IA, or better still, IA is a necessary transgression in their life! Hence, for those who are being audited, the best way to deal with internal auditors is to get them to complete their assignment expeditiously, negotiate hard for the audit scoring and get back to ‘business as usual’ (pun intended).

I believe that IA itself is value accretive if deployed correctly by all stakeholders and hence, a new journey to discover ‘value adds’ may not be needed.

Having said that, let me deal with this subject at two levels.

First, internal auditors need to maintain a complete trail of how their audits have resulted in remedial action, process changes and compliance corrections. A simple but organized and crisp summary presented annually and proactively to the AC will surely sensitize the AC (and hence, the Board) on value addition brought about by IA. My recommendation is to focus on process improvements, control awareness and compliance corrections (I am sure that internal auditors of every company will have something meaty enough to present annually). Further, my sincere unsolicited advice is – do not attempt to put a number to the value addition – this poses multiple problems because auditees feel reluctant to acknowledge the IA share in the pie of gains. Whilst an attempt to quantify monetary value may be counter-productive, presenting qualitative contribution in a persuasive manner may help the CAE to get the AC and Management to appreciate IA’s contribution over time.

Let me also share my thoughts on another related topic of fraud detection. Whereas detection of an irregularity or fraud may be sensational, prevention is subtle, and its impact may not be easy to quantify. But we all know well – Prevention is better than Cure and AC and Management need to acknowledge this!

I recommend that the dialogue with stakeholders on value addition should be timed typically in March/April or at least a month ahead of accounts approval meeting. This will ensure nearly complete information for the year and also help the AC when approving the next year’s annual internal audit plan. It is essential to manage your stakeholders well and keep them abreast of internal audit activities so that they are on board when the value addition is presented to the AC.

At the second level, as an independent director and member of AC of a few companies, I feel that Management and AC should also think about deployment of internal audit as internal consultants – IA can be leveraged as independent yet in-house consultants by identifying areas where intervention by an external consultant is being contemplated. I know of one Chairman of AC who gets internal audit to validate the assumptions for the business plan before the Board meets for strategy discussions and plan approval. Having access to information across the organization and with an ear to the ground, a motivated IA team can be an asset to the AC and the Management.

I will also offer some tips to internal auditors on how to help themselves in getting value addition recognized. Be agile and observant, be clued into external events that can impact the organization and network within the profession, especially within the industry, so that your team becomes a repository of knowledge and good practices. By doing so, the IA team will evolve into a team of internal consultants. In fact, IA has visibility over the entire organization and is well placed to be an evangelist to spread good practices within the organization.

Please also note some pitfalls to avoid – the ‘I got you attitude’, ‘it all goes to files after all’, ‘I am the only ‘kosher’ employee in the organization’ etc. Most important, get your communication right – be firm without being aggressive, be heard without shouting, be perceived by your actions…!

At an individual level, every internal auditor would do well to reflect and assess the impact his or her work has brought about within the company. Not to forget how each assignment has also been a value-add in terms of learning. A digital diary to record daily work and key learnings in an organized manner would facilitate this.

A parting advice – please solicit and welcome feedback from all your stakeholders, including auditees. Analyze this with your team in an open house meeting to distil the same and blend it with your next execution plan.

I hope my thoughts will help CAEs to reflect and bring the target of value addition in its true spirit on their dashboard.

A day in the life of a Chief Audit Executive (CAE)

The Blog on Internal Audit recently launched by BCAS prompted me to pen down my thoughts on what a day in the life of a CAE looks like – what are the activities and engagements that fill the day of a CAE?

As a precursor to writing this blog, I looked at my calendar for the past few weeks and based on that, I ‘curated’ a day in the life of a CAE, giving the readers a flavour of the myriad of issues and activities that keep a CAE engaged through the day.

In my search for some relevant articles, I chanced upon a beautiful article, “Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors” by Richard Chambers and Paul McDonald. I thought to myself, the attributes listed in the article resonate with any leadership role in a business organisation, including that of a CAE.

(https://global.theiia.org/news/Documents/7%20Attributes%20of%20Highly%20Effective%20Internal%20Auditors.pdf)

Here’s a sneak peek at my day:

I leave home at 7.45a.m. fresh after a good night’s sleep, my morning philosophical thoughts, a brisk 60 minute morning walk and a sumptuous breakfast. Purposefully, I do not make or take calls during the commute time as I use this as “Me-time” to plan my day. (On days that I am working from home, my commute time is replaced by ‘quiet’ time when I gather my thoughts to plan my day.)

My plan today includes:

    • Creating strategies for countering difficult issues on hand, including a very serious process deviation with a high impact and its honest reporting in the ensuing Audit Committee;
    • Planning for a structured 30 minute discussion with a Business Head to update him on the outcome of the work done by my team in the past 2 quarters;
    • Informal calls to two senior business leaders which could perhaps help me gather clues for audit planning and execution;
    • Discussion with two team colleagues to help them tackle some personal and work related difficulties;
    • Discussion with a team colleague who has displayed an exemplary performance in a specific tough assignment and has earned the praise of the business;
    • A pep talk to motivate a high performing team which has suddenly shown a downward trend in performance;
    • Conveying to the HR, the proposed steps to increase gender diversity in the team;
    • Reviewing the progress made on Deep-Dive Data Analytics assignment which was done in partnership with the Group Data Analytics Team, and;
    • Making time to attend an exciting program on Future Trends in Auditing organised by a professional body.

As I glanced through the article by Chambers and McDonald, I was happy to note that the 7 attributes (Integrity, Relationship Building, Partnering, Communication, Team Work, Diversity and Continuous Learning) that the article dwells on seem so aligned to my activities of the day! I reflect upon the article and draw parallels with my day – I realize that each of my planned activities is aligned to one or more of the attributes.

I reach my office and I have a surprise waiting. There is a voice message for me that the Chairman of the Audit Committee wants me to talk to him @ 11am for 20 minutes – icing on the cake on a day that was building up to be yet another eventful day.

As the day unfolds, I take a few moments to gather my learnings:

  • Not all things happen the way you plan;
  • Not all people react the way you want them to;
  • Some conversations are better than you thought they would be, and;
  • Some people will surprise you with their goodness.

As I reflect, I acknowledge some other attributes that we, as internal auditors, need to have – agility, use of technology, adoption of data analytics resulting in giving an assurance with 100% validation rather than on test basis, active listening and unflinching focus on results. Some other day, maybe I will write about these.

As I am back in my car heading towards home, I introspect on my day, making a mental note of my unfinished agenda and new items lined up for the next day. I feel joyful, pleasurable, confident and contented – I indeed had a great day!!

What does your day at work look like? Is there something that you would like to change or do differently? Do you end your day with a sense of fulfilment?

I look forward to your feedback – let us have a peek into each other’s day, to make our days more fulfilling, more impactful.

Internal Audit – A (Re)Balancing Act

Internal Audit is about striking the right balance on many fronts. Here, I want to talk about some of the re-balancing acts that we, as Internal Auditors, are now expected to perform:

Balancing between Risks and Controls:

The foremost role of an Internal Auditor is to help the organization find the right balance between risks and controls. The controls should remain appropriate and proportionate to the risks that an organization faces. However, risks are not static; they are like a moving target, and hence the controls also need to be dynamic and agile to address the emerging risks. The risk landscape has significantly changed, and that means that there is an urgent need for re-balancing controls. As risk owners engage in reassessing their risks and review the controls to ensure that the residual risks are contained within acceptable levels, the Internal Auditor is well positioned to contribute valuable insights and support. In fact, the Internal Auditor should strive to develop an agile apparatus to address this ongoing need to re-balance.

How have you helped your organization reassess its risks and re-balance controls?

Balancing On-site Internal Audit with Remote Internal Audit:

Internal Audit, as we have known it thus far, usually comprised the audit team spending some on-site time – observing processes, interacting with the auditees and performing on-site testing; and some off-site time – analyzing data, performing data-testing and summarizing observations. The Covid19 situation has called for a significant re-balancing of the on-site and the off-site time spent on Internal Audit. Today, the Internal Auditors need to perform the bulk of their audits remotely yet resourcefully, through changes in audit processes, application of audit tools, proactive team management and innovative client interactions.

How have you transitioned to remote Internal Audit? What were some of the most significant and difficult changes that you made during this transformation?

Balancing in-person meetings with on-line meetings and communication:

Internal Auditors typically interacted extensively with the stakeholders whose work/function/entity they were auditing. The interactions, mainly in-person, took the form of process walkthrough, query discussions, audit review meetings, Audit Committee presentations and the like. With the outbreak of the pandemic, all in-person meetings have taken the form of on-line meetings, phone calls or email communications. The ease of walking over and resolving issues informally has gone – most discussions and meetings are recorded and hence, there is loss of some spontaneity. Often, one or more of the participants are distracted and the warmth of that cup of coffee is missing. Internal Auditors now need to gear up to keep the communication open and effective and keep their audiences engaged and responsive in this new environment. As Internal Auditors learn to re-balance between in-person meetings and on-line meetings, keeping the right balance in their communication has never been so challenging.

How have you maintained communication with key stakeholders and ensured the right balance between too little and too frequent interaction?

Balancing Classroom Training with Guided Learning Opportunities:

Most Internal Auditors started their IA stint with intense formal induction training, followed by hand-holding/mentoring by an experienced IA team member. For large IA teams, induction training provided an opportunity to get to know peers and seniors, the nuances of internal processes and the do’s and don’ts of the organization. Frequent trainings and sharing of experiences form the core of most IA teams, making the teams effective and agile. With off-sites and in-house physical training events cancelled for most of 2020, there is now a need to re-balance the team interactions with the right mix of on-line training, interactive sessions, informal open-houses and guided learning opportunities, all in the virtual space.

How have you re-balanced your team dynamics to ensure effective learning, along with opportunities for team bonding?

Balancing Cost/Resource Optimization with Talent Retention

This is the tough one – both for the Internal Audit team and for the organization as a whole. It has taken a lot of effort to build a credible and effective team. Now, with the slowing down of the economy and new ways of doing business, most organizations are finding it difficult to engage the full team effectively. Cost cutting, resource optimization and the possibility of business closure are constantly being discussed. In this environment, how does one balance the objectives of optimization with talent retention? Are there ways to retain talent by re-directing their time and energy to more relevant areas? Many forward-looking CAEs (Chief Audit Executives) are retaining the team by retraining them in areas such as Data Analytics, Cyber Security and Automation; and at the same time, helping them develop attributes of resilience, emotional intelligence and empathy.

What are the initiatives required to make Internal Auditors future-ready? What is the re-balancing called for in skills and competencies for the IA team?

Balancing Assurance Activity with Consulting Opportunities

Internal Audit teams are engaged to deliver a set of assurances as also provide consulting support on various initiatives of the organization. Achieving an optimum balance between the assurance activity and the consulting opportunities is the cornerstone of an effective internal audit function. The chaos caused by Covid19 has demanded that significant effort of the IA team be directed towards value added activities, without losing sight of the critical assurances that the management expects and ensuring independence of Internal Audit at all times. Internal Auditors are increasingly finding themselves engaging in consulting activities ranging from participating in re-writing SOP’s for responding to COVID19 situations, reviewing ERM, facilitating digital transformation and more. The fabric of the assurance activity has also changed with a need to address urgently areas such as cyber security concerns, data privacy and confidentiality issues, confirming compliance with rapidly changing regulations and auditing re-negotiated contracts and altered supply chains.

How is your IA team re-balancing and prioritizing between various assurance demands and consulting opportunities?

We invite you to share your ideas and suggestions. Tell us how you are coping with some of these challenges. Let us collaborate and evolve together. Your comments will give life to this blog.
