Category: Internal Audit

May is the Internal Audit Awareness Month

Each year the month of May is celebrated globally as the “Internal Audit Awareness Month”. This initiative of the Institute of Internal Auditors (The IIA) was started in 1990s and has gained momentum over the decades. This is the month that witnesses enhanced advocacy of the profession of Internal Audit by various Internal Audit Associations world-wide through a series of articles, social media posts, seminars, talks, debates and panel discussions.

This year, thanks to the pandemic, the celebration of the Internal Audit Awareness Month transcended geographic boundaries, as audiences spaced across time zones came together virtually to attend interesting talks and events, spread awareness through social media posts and participated wholeheartedly in different ways. The Internal Audit community united globally as a single profession in this month and projected itself as a force to reckon with.

We, at Bombay Chartered Accountants’ Society, jointly with IIA India, hosted an interesting talk on “Internal Audit Lessons from Cricket” that was attended by a large number of professionals. This well-attended, engaging, animated talk, delivered by CA Satish Shenoy, was an excellent ‘pitch’ to communicate not only Internal Audit learnings by drawing parallels with the most popular Indian sport i.e. cricket, but also to project Internal Auditors as versatile, interesting, passionate and agile, ever-evolving with the times. For those who missed this talk or want to listen to this one more time, here’s the link: https://youtu.be/nrSwiiT6WGg

From Stakeholder Awareness to Self-Awareness: 

As the month comes to a close, I reflect on my own awareness of what Internal Audit is today. Having been an Internal Auditor for more than 3 decades, can I say that as an Internal Auditor, I am today what I was when I started, or what I was a year back in the pre-pandemic era? Have I spent time in creating self-awareness on what Internal Audit stands for today, what is the journey that the profession has covered and how it has adapted over time? Like the quote at the top of this blog post, Internal Audit has changed and evolved over time and the pace has got accelerated in the past few years, with technology playing a key role. Becoming self-aware about the contemporary state of Internal Audit is as important, if not more so, as creating Internal Audit awareness amongst other stakeholders.

As the month comes to an end, it is time to make a commitment to update ourselves on what is new in our profession, and what is expected of us. This is the time for us to draw up a plan for upskilling ourselves and our teams in terms of new tools, novel techniques, fresh thinking and deeper understanding of the world around us. As remote audits overtake the ‘look and feel’ audits of yester years, as data becomes the new oil, as privacy is traded for free access to tech platforms, as driverless cars get caught in accidents, as a hacker in a remote country threatens the energy supply to households in one of the most developed countries, as the past quarter information starts looking ancient, as currencies floated without the backing of governments and Central Banks become popular, as health passports become a reality…..are we in tune to perform good quality Internal Audits?

I exhort each one of you to spend time in assessing your own readiness and that of your team collectively, and to take strides to bridge the gaps you spot. In a fast-changing world, the gaps may be many, and thus, collaboration becomes the key to ensure that as a team, as a group, we work on covering the distance with speed and a sense of urgency. It is time to loosen our hold on the past and anchor ourselves more firmly in the future, as it unfolds. Being future-ready is the new mantra for everyone, especially for Internal Auditors.

In the eleven months that unfold between now and the beginning of May 2022, we have the most interesting and engaging job at hand – to create the stories that we will take to larger audiences next year, this time.

What are the steps you propose to take to upskill yourself and your team? What are the new areas of audit that are being added to your Internal Audit plan? How are you going to deal with new risks created by hybrid workspace? Is the Management looking up to you as ‘future-ready’ or are you being assigned traditional audit areas of the past?

I welcome your comments and would love to hear the stories that you plan to take to larger audiences next year, when yet another Internal Audit Awareness Month unfolds, in May 2022.

It is that time of the year when the organization is buzzing with IFC TESTING!

How does it work in your organization – is this activity the most mundane or significantly meaningful?

Our guess is, that for most, it would be the ‘most mundane’.

Ever since the confirmation of internal financial controls became an explicit part of the Directors’ Responsibility Statement, we have come across interesting views on the role of Internal Audit in this context, some of which, in our opinion, need a review.

It is the responsibility of the Management for ensuring that controls exist and are effective, and the ownership of these controls lies with the process owners.

Despite this, we have come across internal auditors being questioned by management, the audit committee, and the statutory auditors when the controls fail.

Hence, we felt it may be interesting to clear the air by attempting to spell out some basic principles as also explain the context.

We are all aware of the speed and urgency with which IFC was rolled out by companies when the Companies Act, 2013 came in force. Many companies availed services of external consultants to draft the framework. The brief was clear – ensure compliance with requirements of the Companies Act by the target date and keep it simple so as to avoid complications (read: embarrassment) with an intent of improvising in the coming year. (We do, however, know that more often than not, intents do not get translated into action! )

Given these boundaries, the framework was completed in record time and many companies passed the test with flying colors. Statutory auditors were advised by ICAI to restrict their review to controls that impacted financial reporting.

So, it was a ‘tick on the box’ approach used by most companies to ensure compliance in its first year.

By and large, a vast majority ended up paying lip service to the new requirement – paying attention to the form, in the most minimal way possible; with the good intentions of catching up with the spirit of the enactment at a later date.

The spirit versus the letter.

The spirit, with which these requirements were mandated, has perhaps been overshadowed with the thrust of compliance with the letter.

Some corporate boards view IFC as necessary technical compliance and, is logically delegated to the Audit Committee; Boards, as a whole, maybe spending not more than 30 minutes annually on the subject.

And herein lie both, the problem and the opportunity!!

Just as features of a new ERP package often are grossly underutilized, we believe that the power of IFC remains largely untapped. Even though we have been living with SOX requirements for over a decade, many companies have not matured or optimized their IFC programs.

Leveraging IFC for enhancing assurance and improving quality of internal audit.

We came across a survey which mentioned that majority of Indian companies are not treating compliance as an end-game. For all of them, this is a journey well begun. But why stop here?

While the intent is right, companies must now move up the curve and leverage IFC to enhance the control environment. We don’t think it’s possible to lock internal controls into a static framework. The controls are good for a period of time, but then these have to change.

Whilst the continuous re-evaluation and documentation may appear to be a burden, if institutionalised well, it will yield benefits beyond expectations. Changes in organization structure or processes or addition of new lines of business should trigger the re-evaluation and revised documentation.

And, in addition, review cycles should ensure that all Risk Control Matrices (RCMs) get attention at least once in two years. Internal audit can play a decisively constructive role in this journey – for example, recommendations to auditees must be comprehensive to encompass required changes in RCMs.

In fact, a one pager annexure to each audit report on how the internal audit findings align with the effectiveness of IFCs reflected in RCMs could be an easy way to facilitate this exercise.

Auditing at the Speed of Risk in the Digital Age. 

IA needs to keep up to date with the latest market developments and update their risk assessments more frequently. Technology is the biggest game changer. Some of the threats that will surface during a threat assessment could be malicious software, hacking attempts, unencrypted information, hacking and data theft.

As Internal auditors, check if RCMs have been amended to provide for Work from Home (WFH) controls. The digital space is exciting and scary at the same time – the social media is like the genie that can no longer go back in the lamp….hence, controls need to dynamically adjust.

It is important to thoroughly test the disaster recovery plans (DRPs) and Business Continuity Plans (BCPs) when reviewing IT General Controls (ITGC).

“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.”- Theodore Roosevelt

Entity Level Controls(ELC): Auditing the Culture. 

The approach to establishing Internal Financial Controls and auditing them can only be top down, as it starts with the senior most management and drills down to the lowest operating level.

Basis our practical experience, we know that not all companies are able to demonstrate a control environment that creates confidence in entity level controls.

Frauds highlight the weaknesses in the governance structure. Culture audits can help gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex.

Culture is shaped by values that influence everyday behaviour within the organization. Managements create sub-cultures among their teams. Different departments have different cultures and risk tolerances etc. Building an ELC would foster a control conscious work culture for people entrusted with controls.

Stronger the culture, stronger will be the ELCand thus higher will be the reliance on overall controls.

The way forward

We recommend that internal auditors assume the role of evangelists for IFC – they are best positioned and they will do great service to the management and the board by doing this.

How is this possible? Here are some suggestions:

• RCMs were initially drafted to ensure tests of IFC would not fail and hence minimal approach for documented controls was adopted. Thereafter, the IFC check has become more of a routine compliance issue and hence the spirit of IFC is either lost or not completely upheld. As Internal Auditors, we can make a case for a more purposeful IFC framework and thereby nudge the management to leverage the power of IFC.
• ELC and ITGC – it is futile to spend energy in locking every closet if you have left the main door wide open. Strong ‘main-door’ security eliminates major risks by controlling who can go in – similarly, ELCs and ITGCs minimize the possibility of certain risks entering the company‘s systems.
• Make RCMs comprehensive and include all processes – accounting and operating. Capture all controls and document the intent. Business operations have evolved continuously and there may be changes in the policies and processes.  Documentation of a new process or sub-process must include supporting RCM and flowchart. An effective change management process needs to be defined and incorporated in these RCMs. Adequate training is to be imparted to process owners on documentation and change management.
• Have an annual presentation to the Audit committee on review of RCMs.
• Make IFC check an integral part of internal audit execution without worrying about comprehensive documentation. And reinforce your audit observations dealing with process issues by referencing the applicable RCM. The result will be surprising – process owners will retrieve the RCMs.

The above pre-supposes a strong support from management and the audit committee; if not,  when initiating these, buy stakeholder support. A progressive improvement will result in raising the bar of the control environment, and hence governance.

To conclude, IFC is not just a matter of compliance, it is in fact, a mine of opportunities to be tapped by organisations to ensure stress free business environment. And IA has the role of a catalyst in this….

We welcome your comments and feedback, and more importantly, your own experience with IFC. Your participation gives greater vibrancy to the blog.

Risk is a function of probability & impact. It’s what can go wrong and, which one doesn’t see coming. It may be a threat, vulnerability, loss, damage, impairment or injury. It’s the uncertainty and unpredictability that makes risk interesting & difficult at the same time.

The world is clearly looked at as the pre- and post-Covid era.

Even before the closing stages of pre-Covid era, in 2019, global economy was slowing down. Business was facing reduced margins, and many corporates were finding it difficult to survive. Both Numbers and monetary values of frauds were increasing, especially cyber frauds. Governance issues were cropping up and there was a general degeneration of ethics. Geo-political tensions were rising and climate change was causing widespread disruptions globally. Social media was an integral part of everyone’s daily lives and internet was all pervasive. Technology was making deep inroads in terms of innovation and speed to market. Artificial Intelligence, Blockchain, Cloud computing (ABC) were rapidly becoming the new normal. Business Continuity Planning and Disaster Recovery were factored in risk assessments. The world was exposed to Black Swan events post the 2008 Global crisis; however, risk assessment, though rigorously mandated by regulators, found compliance largely with the letter of law and not in spirit, perhaps due to the costs and efforts involved.

This is when Covid 19 struck & turned the world upside down in 2020. Vaccines are now available and vaccination is gradually happening. However newer strains of virus and eruption of second and third wave of the pandemic is still causing uncertainty. The virus progression is a classic case of risk identification failure. When it first stuck in Wuhan, in late- 2019, no one saw it coming and this was a classic risk identification failure. Once identified, post the impact, none could measure the volatility and amount of global disruption it could cause. Remedy has been found but too early to call it a complete success. The spreads have been drastically curtailed but that has taken its own time and has come at a heavy cost. Communication on current situation is still not very clear. There are still some mis-conceptions post unlocking, with people freely violating social distancing & masking norms.

Let’s look at the risk scenario change that Covid-19 brought about –

1) It has made us realize that risks can come in any shape and size, striking devastatingly. The speed at which risk can travel across globally causing wide-spread damage alongside is now part of risk record books.  Risk identification will now factor even the blackest of the black swan risks.

2) Technology has still to catch-up. Innovations in health care industry will continue to get increased funding.

3) People can adapt with times and the lockdown phase proved that people can live frugally with minimal basic needs taken care of. If this psyche remains, apart from lack of purchasing power due to dwindling incomes, it will lead to closure of many businesses catering to luxury or discretionary spending. Only the fitter amongst the fittest will survive. Consolidation already happening across industries will be even quicker.

4) Personal Health and Hygiene, long neglected by many, will be in limelight. Preventive immunity will be the buzzword.

5) ‘Work from Home’ culture will continue. There would be hybrid work models. Business Continuity Planning will need to factor in long term disruption scenarios and adapt appropriately. Data availability and confidentiality will assume increased importance.

6) Unemployment levels will rise, necessitating people to re-skill. Mental toughness, Collaboration, Grit, Resilience, Networking, Creativity, Critical Thinking, Communication, Self-Awareness, Decision making skills, Empathy will be in demand. Online or Digital will be trending. Many business models will undergo changes.

7) The urgent necessity will be having a service / product which addresses a serious pain point or a real problem. Value will be the sole deciding factor with right pricing and speed being the key.

In all these scenarios, Risk function will need to evolve with the time, being strategically dynamic, flexible and adaptable to the new, changing normal. It will get the focus it rightly deserves.

1) Risk identification and Assessment–

Capturing probability and impact of an event will be even more pro-active, detailed, scientific, prudent, automated and comprehensive. The function will be focussed, specialized and manned by people with diverse skillsets. Processes will be more pro-active, preventive and continuously ongoing. The same will apply to risk evaluation, analysis, measurement and monitoring. The entire gamut of risks currently identified will be reviewed and looked afresh with more stringent stress testing norms. Risk Appetite, Risk Tolerance levels and limits will be re-defined.

2) Control mapping –

Identifying efficacy of current controls addressing risks (both design and implementation) will need to be comprehensively reviewed and re-looked afresh. Focus will be on pro-active, automated controls. Cost will be the key criteria and hence prioritization would be a must. Redundant controls will be weeded out to eliminate waste, make processes simpler, smoother and faster. Corroborative, deterrent and corrective controls will continue to be widely used. There will be zero tolerance for ethical violations and things will have to be done right first time. Human Resource function will need to be more active to especially handle skillset upgradation, work engagement, mental stress, delicately tackling termination and pay-cut issues.

3) Gap – Vulnerability analysis –

Solving or addressing the real threat or the main issue, will be a pivotal exercise in all organizations. Prudence, Conservatism, Scepticism will need fine balancing for optimal results within overall business strategy. This will be an ongoing exercise with no room for complacency at any stage. Risk owners will need to stringently meet deadlines and accountability will be non-negotiable. Each resource will need pro-active risk readiness at all times

The basic philosophy of risk can and will never change. It’s the focussed remediation or mitigation that will matter. The Risk function will have to manage disruptions better to avoid extinction. Perform or Perish will be the mantra.

The Blog solely reflects the personal views of the author(s).

Cricket and Bollywood are the two national favorite pastimes. With both taking a forced break after the outbreak of the virus, I am motivated to write about the sport I passionately played until a few years ago and follow closely now. Cricket did teach me many aspects of life that I have applied and continue to apply in my Internal Audit career.

1.Practice practice and practice

It is not magic that Lara, Sachin or Viv would be in such good positions to play a shot and convert even good balls into runs. It is all attributed to the hours and hours of practice that has enabled them to read the bowlers arm, gauge the speed of the delivery and the angle at which the ball is arriving. I learnt that as an auditor, I need to spend more time sharpening the saw so that it takes less time to cut the tree. Practice makes an auditor perfect. Each audit interaction for every  audit assignment is a practice which has led me in the direction of perfection….my journey is still on….it matters little to me now when I will reach, I am thoroughly enjoying the journey.

2. I may not be in the playing eleven

My team consists of players who are chosen depending upon on factors such as the strength & weakness of the opposition, one’s own ability & skill and the state of the pitch. My team has a combination of opening batsmen, one drop, middle order, all-rounders, wicket-keeper, fast bowlers, medium pacers and spinners. I could be among the top 6 batsmen but if the decision is to play only 5 batsmen, I could get left out; I could be the best spinner but if the wicket is fast paced, I do not get a chance to play, and so on. I learnt that as an auditor, I may get the assignment/job or it could go to someone else. But I have to continue to be good and better at my auditing skill-sets and do my best and wait for the next opportunity. As far as I go, either the opportunities have come or I have created them and that has worked for me. Apna time bhi aayega.

3. Home advantage

The national cricket team for long were known to be home tigers and did exceptionally well in Asian conditions but faltered when playing in swinging English conditions, or the fast paced tracks at Perth and Sabina Park. However things have changed now for the better. The recent win in Australia is a show case. Foreign teams are also now trained to do better than before in Asian conditions. We saw what England did to us in the first Test recently. I learnt that as auditors we need to adapt to the conditions in which we operate. We have handled India based assignments and done exemplary work for clients/businesses based abroad too. India, through the ICAI, has been the pioneer in framing Standards on Forensic Accounting & Investigation Services, in which many of us directly or indirectly contributed.

4. Advantage of the toss

In cricket, winning the toss is crucial to the outcome of the match and it is a matter of luck to get the favour of the coin. Depending upon the conditions, the toss winner puts the opposition in or chooses to bat first. Often in Test Cricket, the captain that wins the toss, chooses to bat first guided by the proved hypothesis that pitches tend to deteriorate over days and batting becomes more difficult as the spinners have a “field” day (pun intended). Batsmen also experience variable bounce that makes batting a nightmare. I learnt that while auditing, I am at times fortunate enough to have the first mover advantage – when I am called upon to audit a brand new business or to review a system before implementation or use a new audit tool for superior analysis – I need to seize these opportunities and play my best game. But, there will also be other times, when many things are not in my control. I have to make do with what is, and move on keeping a good strategy in mind. Winning a toss is not in my control, but playing my best game nevertheless is well within my reach.

5. Googly & Doosra

Googly is a type of deceptive delivery bowled by a right-arm leg spin bowler, achieved by bowling the ball as a conventional leg break, but spinning the ball further with the fingers just before it is released. It is also called a wrong ‘un. Muttiah Muralitharan was the best exponent of the googly and now it’s over to Rashid Khan. Doosra is a recent addition, first developed by Saqlain Mushtaq. Doosra is the delivery which goes with the arm. It means when an off spinner is bowling, the batsmen expects the delivery to be coming in but it goes straight with the arm and foxes the batsmen. If batsmen does not pick the bowler’s arm, the chances are high of getting out. I have learnt during my audits, that situations threw me lots of challenges but I made sure to study what’s coming at me and adapt my actions accordingly. I have always felt the need to do something different. We as auditors, meet difficult auditees and also experience challenges in getting data and information that are critical for the purpose of our work. But that does not stop us from completing assignments as required. Read the mind and body language of the people we connect with in the audits, and we will be the best.

6. Reverse swing

Normal swing occurs mostly when the ball is new. As the ball wears out, the aerodynamics of the asymmetry changes and it is more difficult to extract a large amount of swing. When the ball becomes 50 plus overs old, it begins to swing towards the shine. This is known as reverse swing, meaning that a natural out-swinger will become an in-swinger and vice versa. Imran Khan, Wasim Akram and Waqar Younis were the pioneers of reverse swing. A batsman needs good eye reflexes which are considered to be a key skill when facing swing bowling and must anticipate beforehand what the ball will do and adjust accordingly by observing the bowler’s grip and action. I learnt that as auditor I had to use the scarce resources available to me and discover new techniques and I need to adjust my audit technique depending upon the situation through keen observation. Attending thoughtfully crafted training programs have helped me immensely in use of technology in conduct of audits. Observing senior members of the profession going about the audit tasks has also considerably helped me in my journey.

7. No second chance

As a batsman, reputation does not count. A poor judgement, a mis-reading of the ball, a top-edge and you are a gonner, at least for this innings. A bowler can get away with a loose ball, a fielder with the ball going through his legs or a dropped catch but not the batsman. He can make amends only in the next innings. Whether it is a Sachin or a tail-ender, if a rank bad ball is hit into the hands of the fielder, you are out. I learnt that I need to understand the role I am playing and I have to give it my best. As an auditor, reputation does not act in my favour. In fact, my reputation comes with higher and higher expectations and I need to be performing at my best all the time. Like the batsman, I need to perform the best here and now. This philosophy has helped me sustain a continuous good performance.

8. Judging a quick single

This is where the team spirit comes in. While judging a run, the batsman has not only to judge that he will reach the other end, it is also important for him to judge that his partner will also reach the other end. Technically, if the ball is played to mid-on, the non-striker relies solely on the call of the striker and the run is taken. I learnt that while doing audits, it is not just important about how well I perform, but it is the team effort that counts. This is what team spirit is all about. Take care of yourself but also take care of your team mates. You must reach your destination but along the way, the team also needs to reach with you. How important it is to collaborate with team members who bring different skill sets to the assignment.

9. Walking

What’s walking to do with cricket? Adam Gilchrist was one player who “walked” every time he knew he had edged. Walking is the act on part of the batsman to walk back to the pavilion when he knows he has edged and the catch has been taken behind the wicket, irrespective of whether it has come to the notice of the umpire or of the opponents. These moral custodians can sleep easy, safe in the knowledge that they did the right thing and upheld the ‘Spirit of Cricket’. This has taught me one thing – a right is a right even if no one is doing it, a wrong is a wrong even if everyone is doing it. Integrity is important in life – it builds a great reputation. Integrity is one of the seven prized attributes that Richard Chambers has identified for Highly Effective Internal Auditors.

10. Judging a High Catch

Just think what goes on in the mind of the fielder when the ball is hit high and he is on the boundary line with the background sound of the entire stadium rooting supporting for or against with all eyes on you – a million pair of eyes (including the television audience) and you have to perform. The fielder has to adjust the light (artificial or the sun) and the swerve of the ball due to the wind and not cross the boundary line. I learnt that when executing audits, we have to be consistent in performance, I am continuously being watched and evaluated by my colleagues, my auditees, my management, my Board, my profession and above all my conscience. I have to perform all the time and yet always remain within the “Boundary” (pun intended).

11. Comradeship

Don’t we see that when a buckle of the pad or the shoe lace gets untied, the opposition team member would help in getting it back to position. When a match is over, there is a warm shake of hands and a pat on the back between each of the umpires, the players and support staff. I learnt that in audits we must celebrate success with our own team mates, we must be cordial in our relationship with all those we come in contact during the course of the audits and we must have the best relationship with the top management/client. We must create win-win situations all through.

12.  Communication

When the batsmen are taking say two or three runs, there is always an instruction by the batsman who is facing the direction in which the ball is hit when the two batsmen cross, whether there is an opportunity for the next run. At times, instructions are given whether it is an easy run or a cheeky one. This enables the other player to adjust the pace of run to conserve the stamina. Fielders also communicate loudly and clearly whose catch it is, when the ball is hit high and there is a possibility of more than one fielder getting close to taking the catch. I learnt that I have to give clear guidance to my team members and say the right thing and at the right time. I also have to receive the communication from others correctly as communication is not a one-way street. Non-verbal communication, at times, is as effective as verbal communication.

13. Ambidextrous

We have seen quite a few fielders in a position to throw the ball with the wrong hand which makes them so versatile and has resulted in many a run-outs too. This ability also increase their utility to the team. I learnt that as auditors we must continue to improve in whatever we are good at and find out ways to be more in a position to deliver. Audit is all about the balance between identifying gaps (finding control weaknesses), providing assurance and encouraging good governance; and knowing what to emphasise when.

14. Run on a mis-field

We all have grown up hearing the oft-repeated coach instruction, “Never run on a mis-field”. Many batsmen have got run-out running on a mis-field when the fielder quickly re-coups and throws the ball and effects a run-out. I learnt that while doing an audit and coming out with observations, I must not attempt to capitalize on another’s mistake and respect the ability of the other to quickly re-coup after the mistake. What is really necessary to unearth is why that mistake happened and suggest steps that will help that mistake from not happening again in the same place and also elsewhere in the organisation.

15. Sledging

The Australians have the track record of being the best sledgers in the world. The banter among the keeper and close-in fielders (they out-number the batsman) can rattle the concentration of the best in the world resulting in needless errors of a disturbed mind. The Dravids and the Sachins have mastered the art of ignoring the banter. What I learnt is that while doing audits, there will be such cross talk going on endlessly, but I must be so sure of my own ability and performance and should not get provoked.

I am happy that I have written this on the day that the world’s largest stadium – Narendra Modi Stadium was inaugurated at Ahmedabad by the Honorable President and Honorable Home Minister. I am so proud to say that the stadium was built by L&T, a company where I spent one fourth of my professional life – a company which redeveloped and refurbished the Wankhede Stadium in record time for the finals of the 2011 World Cup.

There are so many other aspects of the game that have given me valuable life lessons. Just 15 lessons have consumed close to 2500 words, so I will leave it for some other day to share my balance thoughts. Cricket is a fascinating game and I used to think as a teenager, that there is nothing better in life than cricket, until I decided to make my career in Internal Audit. Now Internal Audit means the world to me and time has certainly come to give back, not only to the Internal Audit profession but to the world at large. The world is waiting for capable people to give, rather than continue to take from the world. There is nothing better in life than Internal Audit. The future is for Gen-next. My best wishes and encouragement to each of you.

The teacher learns more than the student. The author learns more than the reader. The speaker learns more than the attendee. The way to learn is by doing.

What say?

I welcome your comments and as a batsman, I promise to respond to each one with my best shot!

The Blog solely reflects the personal views of the author(s).

As I look back at the 30 odd years that I have spent in the profession, I feel a sense of satisfaction and joy. I recount the number of times, when I found myself at crossroads, and ventured along the untrodden path, the road less travelled.

What is a Chemistry student doing in a CA firm?

I completed my graduation in Science stream, majoring in Chemistry. After graduation, unlike most of my peers, I found myself signing up for articleship for Chartered Accountancy – little did I know then that this was not to be the first time I was stepping away from the beaten track.

The Early Inspiration

The initial seeds of inspiration for internal auditing and consulting were planted by my mentor, Shri Shailesh Haribhakti during my articleship and I was fortunate to have guidance from a number of mentors including Dr. N. Balasubramanian thereafter. To equip myself for a career in Internal Audit I pursued CIA (Certified Internal Auditor). Stability to weather the initial storm of long gestation period in practice was provided by my partners: partner in office, Manish Pipalia, and partner in life, my wife, Sangita.

Questioning the Status Quo

Starting out with conducting internal audits,  risk management and consulting assignments, I was soon focusing on these assignments with a “positive dissatisfaction” of ‘what and how these were being done’ and ‘what should be and could be done’. This was a continuous dilemma and thought process -this journey from ‘what is’ to ‘what should be’ has always enchanted me. I found myself engaging with the internal audit community to collaborate to change the way internal audit was being conducted including bringing in a strong consulting focus. Opting for specialization in Internal audit at an early age helped me to remain focused and also become a catalyst for change.

Many Doors Keep Opening Up

Professional interactions with the internal audit community in India and abroad coupled with an attitude of professional sharing with the internal audit community led to opportunities of speaking assignments, training engagements, holding positions such as President, Institute of Internal Auditors, India, Bombay Chapter, and as a Member of Academic Relations Committee, IIA Inc., Florida, USA, Internal Audit Standards Board, ICAI and also in the BCAS etc. The wide exposure to new ideas and interactions with the stalwarts of the Internal Audit profession humbled me and also empowered me greatly. I started seeing myself as a catalyst for my clients and a change agent for my profession. I have always wanted nothing but the best for my clients and for my profession.

Sharing Strengthens A Profession

Continuous emphasis on professional sharing also led to designing internal audit courses for BCAS and INGAF, Controller General of Accounts. Writing articles and books became a habit. One such endeavour was to interview fourteen CAEs of leading organizations in India and publishing the best practices for the benefit of the internal audit community at large; another exercise led to BCAS releasing a book titled ‘Internal Audit – Practical Case Studies’ that was a compilation of articles published in the BCA journal over seven years.

A Step Ahead –Introducing Frameworks and Technology to India

Studying contemporary developments and meeting CAEs abroad specially North America, Australia and Europe brought out the emerging frameworks and technology being used in the profession. Successful attempts were made to bring such advanced frameworks and emerging technology to the professional community here in India. Analytics, audit process automation, risk management solutions were made available almost 20 years back. Use of technology solutions has now become a ‘given’ for any progressive internal audit team.

From Internal Audit to Management Consulting

A collateral advantage of travelling far and wide has been the appreciation of different cultures and the way professionals think and work in different geographies in India and abroad. Professional interactions, with the business and academic community outside of internal audit, in general management area, like CEOs, CFOs, professors in India and abroad,  increased understanding of management styles and needs. At this stage Peter Drucker’s Principles and Philosophy of management and leadership entered my thought process. This opened up opportunities that eventually led to becoming the World President for the Drucker Society and interaction with leading management thinkers like Prof. C.K.Prahalad, Charles Handy, Joseph Massierillo and others. Perspectives gleaned from such interactions have only helped in value addition to clients and graduating to be a management advisor to businesses.

Milestones of My Journey

All this has been enabled by ‘keeping an open mind’, an attitude of positive dissatisfaction of where one is and a strong desire to change the status quo, exploring and applying new ideas, adapting to change and learning continuously through professional sharing. The most important pillar has been a strong “people orientation”.

To conclude, the way to achieve professional satisfaction and growth is to:

• share with a missionary zeal (give back to the professional community),
• embrace continuous change including latest frameworks and technology solutions,
• always be in learning mode,
• be passionate about the work being carried out and add value to clients.

I share my unusual journey here so that it may provide courage to someone who is standing at a crossroad, or to someone who is waiting at a door half-open wondering what lies beyond. I remember Robert Frost’s poem which said “Two roads diverged in a yellow wood….. and I took the one less travelled by, and that has made all the difference”.

To all those at crossroads I say, take the road less travelled by and see the difference that it makes!

We invite your feedback and comments. Your comments will give life to this blog and be instrumental in creating an even more vibrant IA community.

It is that time of the year when New Year resolutions get mulled over, new dietary plans emerge, ambitious fitness regimes are embraced, enrolments to new on-line courses soar, gym memberships see an uptick, bold book-reading commitments are announced on the likes of ‘Goodreads’, the daily alarm clock is set 30 minutes earlier than usual….It is indeed a time for soul-searching, deep reflection and imagination, a time to truly “ring out the old, ring in the new”.

For Internal Auditors world over, particularly in the backdrop of the year that has been, this is the time that merits some innovative thinking, impactful initiatives and above all, re-imagining Internal Audit; for, it is not just a New Year that is about to begin, but a whole new era is upon us.

As a ‘just-retired’ internal Auditor, I wonder what my thoughts would have been, had I continued to lead the Internal Audit team of my firm. Here are a few thoughts that cross my mind; and may perhaps resonate with Internal Auditors across industries and geographies.

Zero-based strategic planning:

This is the time to set free from the past trajectory of the internal audit practice/function and think afresh – how can internal audit be relevant to the new world of e-commerce and digital payments, of remote work and global classrooms, of physical lockdown and digital freedom, of driverless cars and bitcoin-driven economy. What is interesting is that many of the traditional business models and revenue streams have got replaced – the customer gets a lot of things free (free entertainment, free news, free training, free credit) but in exchange pays with privacy, data and digital trail, and a higher vulnerability to cyber risks.

In these times, to plan based on the past, making incremental growth projections and marginal tweaking of audit plans would not suffice. I would encourage the internal audit strategy and plan to be zero-based – start with a blank canvas and approach the changed world with some bold masterstrokes!

Realigning the Team

The Internal Audit team will need to be realigned to respond to the changing world. In addition to understanding of risks and controls, processes and procedures, laws and industry practices, I would invest in people who understand the paperless, borderless economy better. At this point, I would need to supplement my team with people on the ground – the street-smart ‘slumdog millionaire’ would be as valuable to me as those with professional qualifications and formal work experience.

I acknowledge that the age of the stereotype CV (matriculation, graduation, internship, professional qualification and work experience, in that order) is history. We will have to understand CVs that have diversions and gaps, and multitude sources of learning and experience. Those who have learnt fraud vulnerabilities through episodes of “jhamtara” may be regarded equally well-trained as those who have attended classroom case studies on cyber frauds; just as those who have understood financial markets through watching “Scam 1992” may be well-placed to match those who have taken certificate courses on understanding capital markets.

The Tech Imperative

Much has been said about the need for Internal Auditors to embrace technology; and yet, many Internal Audit teams struggle to make that big shift. I have realized that an existing Internal Audit team may be able to embrace technology incrementally, one application at a time. The team will keep attending training workshops and the organization will invest in getting the relevant software licenses – but integrating technology into internal Audit takes more than that. I would identify (from within the team or outside), a few persons who are passionate about technology and are capable of catalyzing the team’s technology shift at a rapid pace and make them the tech champions for my team, empowering them to challenge and change the status-quo.

My entire focus at this stage would be to absorb technology in every facet of my team’s working – holding meetings, internal and external communication, data analysis, process automation, reporting, visual presentations, work paper documentation, team appraisals and more. There is now no looking back.

Team Well-being:

The year 2020 has made most of us make rapid changes to almost all aspects of our lives. What started off as a lockdown of a few weeks continues to limit our movement and activities even after 9 months. This change has not been easy for everyone – and while most have got used to WFH culture and screen-based meetings, the loss of personal connections, social interactions and physical environments has left a void. It has created a greater need for looking after the well-being our teams.

I would pay attention to the overall well-being of my team members, create open forums to reach out in case someone felt the burnout or ‘disconnection’ stress. I would have an open house, periodically, to discuss how each one is coping and explore what we, as a team, can do to ensure that each of us feels connected and supported. Sharing talks from leading mental health experts and healthcare specialists would also help in bringing the focus on overall well-being of the entire team. Building resilience in my team would be a priority for me at this point.

Social media and increased screen time has caused a serious problem of being distracted all the time. I would invest in helping my team stay “indistractable” and pursue their work and other life passions with focus. Perhaps, starting a book club with books such as “Indistractable” (by Nir Eyal) may be a good start.

Connections

Staying connected with our stakeholders wasn’t easy even in the past era. In these post-Covid times, this has become even more challenging. We would develop a strategy for staying connected with our key stakeholders by creative means. In an era where even a “5 Minute Read” is “saved for later” and “forgotten forever”; my team will have to innovate ways for meaningful engagement, with minimum intrusion on the stakeholders’ time and privacy. We will explore options such as hosting an interesting 15-minute capsule talk by an expert to a “coffee meet” with a small group; stage a quiz contest on cyber risks or conduct interesting surveys on data privacy, we will create small video movies on topics such as “what’s new with Internal Audit” or “How did our team support the Covid crisis within the organization”. We will earn our time slots with those who govern by always keeping our reports and presentations crisp, fair and forward looking.

Solution-Orientation:

For long, our internal Audit teams have focused on “spotting the problem” or identification of gaps. While we have made certain broad recommendations, we are not perceived as solution providers. As we move from one audit to another, we have seen our role as bringing out the gaps or deviations and leaving others to resolve them. The present times have revealed that versatility, holistic understanding and coming up with innovative and workable solutions are skills that make or mar careers not only in Internal Audit but in all spheres.

Solution-orientation, like technology absorption, cannot be taught but needs to be cultivated. Offering our team members to become part of cross-functional teams working on specific solutions, creating training modules that focus on coming up with collaborative solutions (modelled on hackathon) and arranging formal training in design-thinking and novel work approaches could be some of the approaches. Adding team members that have experience in working on social issues (low resources, practical solutions) or adventure travel (critical thinking, quick action) could help in bringing in the “solutions” mindset. Developing such traits would be an integral part of every training and development initiative; likewise, assessment of these traits would be integral to performance reviews and potential assessments.

Engaging with the New Economy:

The best way to understand the dynamics of the new economy is to plunge into it. As a head of Internal Audit team, I would seek every opportunity to engage with, and provide professional services to, the players in the new age economy proliferating with payment gateways, Edtech, Fintech, App developers, influencers, social entrepreneurs, digital entertainers, virtual universities, Healthtech and more.

We cannot learn to swim with an instruction book or trainer videos – taking a plunge would be not only the fastest way but the only way to learn. So, here’s to a New Year and a New Era – are you ready to take the plunge?

We invite your feedback and comments. Your comments will give life to this blog and be instrumental in creating an even more vibrant IA community.

The truth is rarely pure and never simple – so wrote Oscar Wilde in his 1895 play, The Importance of Being Earnest. The play, which is a farcical comedy, mocks Victorian traditions of false seriousness and social customs. We, internal auditors certainly do not mock traditions and practices, but  earnestly go about the not-so-simple path of seeking the truth to achieve the audit objectives.  There are dilemmas faced by us as we go about conducting internal audit. This blog is an attempt to how we can earnestly conduct our internal audits while dealing with dilemmas.

Let’s reflect on our experiences when we draw up the audit plan. Whether based on a risk assessment or not, we do get conflicting thoughts on where to focus more and where not to. Business is dynamic and we realise that something seemingly as simple as drawing up an audit plan requires us to do a bit of back and forth in our minds till we conclude earnestly what the plan finally is. Whether we should focus on a high risk item once or twice in a year or with greater frequency in the audit cycle? Whether an audit area can move from moderate to high or vice versa? How do we keep our plan flexible and agile enough so as not to lose out on any changes to business processes and systems?

Similar thoughts come through while designing the scope of each area of audit; while executing our audit; while discussing our audit conclusions; while deliberating over our draft report and finally, when we prepare the final report.

The dilemma  of what is good  for business and what is required for adequate controls seems to be from time immemorial. It is easier said  that the cost of controls should not surpass the benefits the controls intend. Calculations to quantify costs/ benefits are based on probabilities (nowadays, simple probabilities have been replaced by complex weighted average probabilities) that could swing either way. While all these calculations are done and decisions justified, do we not get a feeling that perhaps we should let the process be, not tweak it greatly and appeal to the human instinct of good behavior and the corporate instinct of good governance to ensure that the originally designed and / or recommended controls fall in place? How often, in our discussions do we tell  the auditee, “Leave alone what I am saying, what is your opinion?” or  “Just step back and tell me, what do you think?” That is our way of trying to impress upon the basic good human thoughts. Sometimes this works as a clincher in discussing our observations and recommendations and getting the auditee to agree with us.  But many a times, it does not.

So, as internal auditors, what are we supposed to do? To arrive at an earnest result of internal audit, we need to be true to ourselves. We need to look at the situation from both sides – the auditor’s view and the business view. Many a times when we understand the business view, we are able to better articulate our auditor’s view. We are then able to traverse that path of adequacy of control and tweak our recommendation appropriately. This way the objective of audit is achieved as well as the perspective of business is not lost. Is this the elusive ‘golden mean’? Wonder whether this term emanated from an auditee-auditor conversation sometime in history? Well, that would be a topic for another blog, another research!

The other dilemma is when we need to present our audit findings to the Top Management or the Audit Committee of the Board. Do we tend to get carried away by our own recommendations? Do we underplay our own recommendations? Do we allow the business to sway our communication? Do we override the business and say, this is my privilege and I will report it in my way ? Do we think that our next internal audit assignment / tenure will be influenced by what and how we say? Do we think, to hell with it, let us just go out and say what we want to say? Reality is, nothing like this happens; reality is, a bit of everything happens! Our earnestness enables us to find, once again, the golden mean. And with each experience we realise that we are communicating better. We are communicating the right things in the right manner. Effectiveness and efficiency, both achieved. This sincerity of approach is always well appreciated. It leads to a better acceptance of our observations and recommendations. And then we are satisfied that objectives of internal audit are achieved.

The position of internal audit is vital in any business entity and carries immense responsibility. The Peter Parker (a.k.a Spiderman) Principle (with great power comes great responsibility) applies equally to internal audit. It has been the experience of many of us internal auditors that only because we say so, the Top Management and the Audit Committee believe in the proposition we put forward. This is  because of the faith reposed in us; an outcome of our unbiased work. This reflects  an outcome of years of performance of internal audit across businesses, sectors and entities. And that, to my mind is our single most attribute that keeps us performing the way we are expected to perform.

We will not belie the expectations of our stakeholders if we perform our role as internal auditors with the expected sincerity and earnestness. Unlike sportsmen, we cannot afford to have an off-day. We need to perform every day. This can be done by imbibing the principles embodied in global and domestic standards of internal audit and performing by them. This in turn will lead us to delivering sound recommendations for business process improvements. The synopsis of our recommendations remains, however, within the troika of parameters – time, money and people – which I found in the writings of Pu La Deshpande, perhaps one of India’s greatest literary genius whom I quote verbatim:-

प्रोब्लेम्स नसतात कोणाला? ते शेवटपर्यंत असतात. पण प्रत्येक प्रोब्लेमला उत्तर असतंच.
ते सोडवायला कधी वेळ हवा असतो, कधी पैसा तर कधी माणसं.
या तिन्ही गोष्टीपलीकडला प्रोब्लेम अस्तित्वातच नसतो.

As internal auditors, if we detect a problem within the control system and attempt to solve it with these three resources, I am sure our earnestness of internal audit will be seen, accepted and appreciated by business, regulators and all stakeholders.

The Blog solely reflects the personal views and opinions of the author(s).

Time and again and, in all probability, when the performance of a Chief Internal Auditor or a Chief Audit Executive (CAE) is being assessed, Audit Committee (AC) and Management wish to understand the value addition made by Internal Audit (IA).

It is not easy for the CAE to respond to this requirement, mainly because his internal customers almost always believe that ‘All’s Well’; that there is no need to have IA, or better still, IA is a necessary transgression in their life!  Hence, for those who are being audited, the best way to deal with internal auditors is to get them complete their assignment expeditiously and negotiate hard for the audit scoring and get back to ‘business as usual’ (pun intended).

I believe that IA itself is value accretive if deployed correctly by all stakeholders and hence, a new journey to discover ‘value adds’ may not be needed.

Having said that, let me deal with this subject at two levels.

First, internal auditors need to maintain complete trail on how their audits have resulted in remedial action, process changes and compliance corrections. A simple but organized and crisp summary presented annually and proactively to the AC will surely sensitize the AC (and hence, the Board) on value addition brought about by IA. My recommendation is to focus on process improvements, control awareness and compliance corrections (I am sure that internal auditors of every company will have something meaty enough to present annually). Further, my sincere unsolicited advice is – do not attempt to put a number to the value addition – this poses multiple problems because auditees feel reluctant to acknowledge the IA share in the pie of gains. Whilst an attempt to quantify monetary value may be counter-productive, presenting qualitative contribution in a persuasive manner may help CAE to get the AC and Management appreciate IA’s contribution over time.

Let me also share my thoughts on another related topic of fraud detection. Whereas detection of an irregularity or fraud may be sensational, prevention is subtle, and its impact may not be easy to quantify. But we all know well – Prevention is better than Cure and AC and Management need to acknowledge this!

I recommend that the dialogue with stakeholders on value addition should be timed typically in March/April or at least a month ahead of accounts approval meeting. This will ensure nearly complete information for the year and also help the AC when approving the next year’s annual internal audit plan. It is essential to manage your stakeholders well and keep them abreast of internal audit activities so that they are on board when the value addition is presented to the AC.

At the second level, as an independent director and member of AC of a few companies, I feel that Management and AC should also think about deployment of internal audit as internal consultants – IA can be leveraged as independent yet in-house consultants by identifying areas where intervention by external consultant is being contemplated. I know of one Chairman of AC who gets internal audit validate the assumptions for business plan before the Board meets for strategy discussions and plan approval. Having access to information across the organization and with an ear to the ground, a motivated IA team can be an asset to the AC and the Management.

I will also offer some tips to internal auditors on how to help themselves in getting value addition recognized. Be agile and observant, be clued into external events that can impact the organization and network within the profession, especially within the industry, so that your team becomes repository of knowledge and good practices. By doing so, the IA team will evolve into a team of internal consultants. In fact, IA has visibility over the entire organization and is well placed to be an evangelist to spread good practices within the organization.

Please also note some pitfalls to avoid – the ‘I got you attitude’, ‘it all goes to files after all’, ‘I am the only ‘kosher’ employee in the organization’ etc. Most important, get your communication right – be firm without being aggressive, be heard without shouting, be perceived by your actions…!

At an individual level, every internal auditor would do well to reflect and assess the impact his or her work has brought about within the company. Not to forget how each assignment has also been a value-add in terms of learning. A digital diary to record daily work and key learnings in an organized manner would facilitate this.

A parting advice – please solicit and welcome feedback from all your stakeholders, including auditees. Analyze this with your team in an open house meeting to distil the same and blend it with your next execution plan.

I hope my thoughts will help CAEs to reflect and bring the target of value addition in its true spirit on their dashboard.

The Blog solely reflects the personal views and opinions of the author(s).

The Blog on Internal Audit recently launched by BCAS prompted me to pen down my thoughts on what a day in the life of a CAE looks like – what are the activities and engagements that fill the day of a CAE?

As a precursor to writing this blog, I looked at my calendar for the past few weeks and based on that, I ‘curated’ a day in the life of a CAE, giving the readers a flavour of the myriad of issues and activities that keep a CAE engaged through the day.

In my search for some relevant articles, I chanced upon a beautiful article “Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors by Richard Chambers and Paul McDonald.” I thought to myself, the attributes listed in the article resonate with any leadership role in a business organisation, including that of a CAE.

(htps://global.theiia.org/news/Documents/7%20Attributes%20of%20Highly%20Effective%20Internal%20Auditors.pdf).

Here’s a sneak peek at my day:

I leave home at 7.45a.m. fresh after a good night’s sleep, my morning philosophical thoughts, a brisk 60 minute morning walk and a sumptuous breakfast. Purposefully, I do not make or take calls during the commute time as I use this as “Me-time” to plan my day. (On days that I am working from home, my commute time is replaced by ‘quiet’ time when I gather my thoughts to plan my day.)

My plan today includes:

• • Creating strategies for countering difficult issues on hand, including a very serious process deviation with a high impact and it’s honest reporting in the ensuing Audit Committee;

 

• • Planning for a structured 30 minute discussion with a Business Head to update him on the outcome of the work done by my team in the past 2 quarters;

 

• • Informal calls to two senior business leaders which could perhaps help me gather clues for audit planning and execution;

 

• • Discussion with two team colleagues to help them tackle some personal and work related difficulties;

 

• • Discussion with a team colleague who has displayed an exemplary performance in a specific tough assignment and has earned the praise of the business;

 

• • A pep talk to motivate a high performing team which has suddenly shown a downward trend in performance;

 

• • Conveying to the HR, the proposed steps to increase gender diversity in the team;

 

• • Reviewing the progress made on Deep-Dive Data Analytics assignment which was done in partnership with the Group Data Analytics Team, and;

 

• • Making time to attend an exciting program on Future Trends in Auditing organised by a professional body.

 

As I glanced through the article by Chambers and McDonald, I was happy to note that the 7 attributes (Integrity, Relationship Building, Partnering, Communication, Team Work, Diversity and Continuous Learning) that the article dwells on seem so aligned to my activities of the day!  I reflect upon the article and draw parallels with my day – I realize that each of my planned activity is aligned to one or more of the attributes.

I reach my office and I have a surprise waiting. There is a voice message for me that the Chairman of the Audit Committee wants me to talk to him @ 11am for 20 minutes – icing on the cake on a day that was building up to be yet another eventful day.

As the day unfolds, I take a few moments to gather my learnings:

• Not all things happen the way you plan;
• Not all people react the way you want them to;
• Some conversations are better than what you thought would be, and;
• Some people will surprise you with their goodness.

 

As I reflect, I acknowledge some other attributes that we, as internal auditors, need to have – agility, use of technology, adoption of data analytics resulting in giving an assurance with 100% validation rather than on test basis, active listening and unflinching focus on results. Some other day, maybe I will write about these.

 As I am back in my car heading towards home, I introspect on my day, making a mental note of my unfinished agenda and new items lined up for the next day. I feel joyful, pleasurable, confident and contented – I indeed had a great day!!

What does your day at work look like? Is there something that you would like to change or do differently? Do you end your day with a sense of fulfilment?

I look forward to your feedback– let us have a peek into each other’s day, to make our days more fulfilling, more impactful.

The Blog solely reflects the personal views of the author(s).