March 4, 2025 • 32 mins
The Institute of Internal Auditors Presents: All Things Internal Audit
In this episode, Mike Levy talks with Mike Jacka about the growing role of advisory services in internal auditing. They discuss how today’s internal auditors are offering strategic insights that go beyond assurance work. They also cover how to balance objectivity with advisory work, how to fit advisory into audit planning, and how to show the value of these services.
Host:
Mike Levy, CIA, CRMA, chief executive officer and managing principal, Cherry Hill Advisory
Guests:
Mike Jacka, CIA, CPA, CPCU, CLU, chief creative pilot at Flying Pig Audit, Consulting and Training Solutions
Key Points:
- Introduction [00:00-00:06]
- The role of advisory services in internal audit [00:07-00:27]
- Balancing objectivity with advisory work [00:28-02:06]
- Early engagement and its impact on risk management [02:07-04:49]
- Real-world example: social media consulting [04:50-05:56]
- Advisory services in small vs. large internal audit functions [05:57-07:06]
- Pre-implementation reviews as a key advisory opportunity [07:07-09:32]
- Addressing the fear of losing objectivity in advisory work [09:33-10:45]
- Demonstrating advisory value to audit committees [10:46-14:08]
- Using assurance work to identify advisory opportunities [14:09-17:02]
- Developing skill sets for effective advisory work [17:03-19:03]
- The impact of strong relationships and trust in internal audit [19:04-22:41]
- How the Global Internal Audit Standards support advisory services [22:42-26:06]
- Fostering an advisory mindset within audit teams [26:07-28:18]
- Strategies for internal auditors to enhance their influence [28:19-30:37]
- Final thoughts and advice for internal auditors [30:38-32:00]
The IIA Related Content:
Interested in this topic? Visit the links below for more resources:
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
The Institute of Internal Auditors presents
all things internal audit.
In this episode, Mike Levy talks
with Mike Jacka about the growing role of advisory services.
In internal auditing, they discuss
how today's internal auditors are offering
strategic insights that go beyond assurance work.
They also cover how to balance objectivity
with advisory work, how to fit advisory into audit planning,
(00:25):
and how to show the value of these services.
Welcome, Mike. Hi, glad to be here again.
Always interesting and fun.
We, we didn't scare them away
after our discussion on soft skills, so I,
I think we'll have to continue.
So, thinking about advisory services, it's one
of those things we always talk about.
You know, years ago it was trusted advisor.
(00:46):
We're talking about advisory. We used to be consulting.
When we think about internal audit functions,
I think historically many of us go to
the assurance based model.
We have to spotlight issues with management.
We report those issues to the audit committee
and executive management.
How do you see advisory services really
fitting into internal audit?
So it's a topic we talk about a lot.
(01:07):
Yeah. And, and I will warn you to some, well, lemme,
lemme go with the theory I have about this whole thing.
For some reason, internal auditors seem to think that, uh,
advisory is a subset of internal audit.
I would argue it's the other way.
Advisory is all things,
and then the control aspects
of the assurance aspect is almost a subset of that.
(01:30):
So I think internal auditors should already have the,
the tools, have the mindset in working with people
to expand into that broader issue of advisory services.
It's, it's well said.
I mean, I think when I think about internal audit
and I think about what we're really meant to do, I've heard,
you know, we could get into it probably a whole conversation
(01:51):
just on the concepts of independence and objectivity.
And obviously those are critically important for auditors.
However, one of my fears with those words is sometimes we
get stuck behind them and we don't focus on
what matters within our organizations
and how we need to deliver value.
We can't cross over those lines of objectivity
and what we do within organizations.
However, so many times there are opportunities
(02:14):
and we're seeing more and more of them as we talk about all
of the emerging risk topics.
A, you know, think ai, think some of the cyber risks
that are happening, businesses are very often learning
as they go, and they're trying
to figure a lot of these things out.
And if we wait till they are mature
topics within an organization where we can do audits,
we're almost, we're almost too late.
(02:35):
And that, that balance becomes
really critical and important.
And for me, some of that has come naturally
because I started my career in big four consulting
and was always focused on how we build that
value proposition as a, as a consultant coming in.
But when you're internal to the organization,
that's not always as apparent.
So Mike, just from your experiences in the past,
(02:56):
how do you go about developing some
of those things from, from the ground up?
When it comes to developing the advisory aspects of it?
It, it, unfortunately, it comes
to almost everything we were talking about in our last one.
It's the soft skills. It's about learning about the people,
about being a piece of the people,
about being a part of the team.
You, one of the important things you talked about there a
(03:17):
second ago was being there on the front end.
And I know so many internal auditors wanna sit back
and wait, then come in, I'll use the word judge,
they're gonna come in and judge.
And if you are a part of the team, if you're meeting
with people, if you're talking to people,
you're hearing the new things as they develop.
And that's where that comes.
(03:37):
We had probably one
of our most successful consulting projects
was when social media was first kicking off.
And, um, it was a fascinating one
because nobody was really looking at it, talking about it,
had new marketing who wanted to find out
what we were doing in, in the organization.
(03:57):
At the same time, we had another member
of the C-suite go, how can you do this?
We don't do audits of pencils,
we can't do audits of social media.
So it was a combination of helping them understand
what social media was about
and then working with this other person.
So what, we spent a lot of time talking
to the various departments
and we had those, that rapport built already,
(04:18):
that we could talk to them and they would talk with us.
What we found was that
all the individual departments had very good social media
situations set up,
but there was no over, there was no umbrella over it all.
And that's what the chief marketing officer came and did.
So I use that as a success story of how it works,
but I also use that, look, this is
(04:40):
where you internal audit work over all those years
should help set that up.
They were all people we had talked to,
worked with who trusted us.
We were trusted assurance providers,
not just trusted advisors.
And they, they trusted us. They were willing to speak
with us because they knew the work we had done in the past.
So it's that relationship building that's gone on and on
and on that allows someone to go forward,
(05:02):
become an advisory, uh, take on that advisory capacity.
This is an area where I've actually seen
small internal audit functions excel at, in some,
in some ways better than larger audit functions.
I've, I've been lucky in my career that I've gotten to work
with a lot of different departments.
And sometimes when you're a small internal audit function,
(05:23):
you're tasked with all of these risks that you have
to assess and evaluate
and think through for the organization.
And you don't always know how to, how to do it.
And I think the agility that you have to have
as a small function, this is really where one of the places
where advisory services can really shine a, um,
really important light in delivering
value for your stakeholders.
(05:43):
For me, when I've been successful at this in the past,
I've really thought about it in terms of less, in terms of
what is the report and what observations do I need to have?
And really more so how do I get involved early on?
And, and a lot of, and a lot of times if you,
if you're asking yourself, where do I get started?
Think about what technology
transformations your organization's having.
And for me, the, the low hanging fruit area
(06:04):
where we work on advisory services is pre-implementation
reviews instead of going in after an implementation is done
and assessing whether it's successful or failure success
or a failure, go in early on
and help them think through controls
and risks and the configuration.
And you know, obviously you can't turn the knobs
and actually implement the system.
However, sitting in the room and giving that coaching
(06:25):
and counseling really does deliver a lot of value
to groups at that stage in the process.
And you've hit the thing that so many,
and you talked about earlier too, so many people are afraid
of, you know, well gosh, if I'm there at the beginning,
have I become the control?
Have I become part of it? And,
and it's important to remember
that all you're doing is you're not teaching them controls.
You're not teaching them the aspects of it.
(06:47):
You're helping them understand how those work
because they're still gonna be the ones
that know better how to develop it.
And you can say, okay, that, that makes sense to me,
or have you thought about this aspect of it?
But that's where consulting comes in too.
It's not telling them what to do,
just like an internal audit.
It's not telling them what to do.
It's about providing insights in the way these things work
(07:10):
so they can come to the decisions
that work best in their departments.
One of the things I often hear chief audit executives
who are grappling with this, um, think through is, well,
my audit committee and my KPI measurements are really all
about how, how many findings I have
and how many, what the resolution looks like.
And, you know, how do I demonstrate the value
of my function if I'm not delivering audit reports every,
(07:32):
every quarter and instead I'm spending my
time on advisory services.
So, you know, Mike, what would you, what would you say to
that in terms of how, how do I talk
to my audit committees about advisory services
and effectively take credit for the work
that I'm doing within business?
Well, first off, I can rent for hours on KPIs
because I have so many problems with so many
of the KPIs people use.
And I'd say that's where you go, what are your KPIs?
(07:54):
And it, you can literally establish KPIs
around advisory services.
You know, who's talking to us, who's coming to us?
I know there's some people who do have that kpi.
How many people have come to us with how many have come
to us with potential situations?
So if you have built into your KPIs, you bring
that advisory piece into it.
Now that does mean potentially educating audit committee.
(08:16):
They do not understand the advisory aspect
of an internal audit department.
Then you've got a lot of education at the higher level
that has to go on also.
But ultimately, I think that's it.
Do they understand what it is internal audit, the value
of internal audit beyond just assurance?
And once they understand that,
then finding the KPIs that measure that.
(08:37):
One of the organizations I've worked
with in the past when I was serving in a chief,
so I do consulting now,
but when I was serving in a chief audit executive role,
we got to a point, and this was,
you can't always do this with every organization.
'cause you really have to measure the culture of
where your business, where the business is
and what you can have support to do.
But we're actually doing more advisory services than we were
assurance based services.
And that doesn't always work that way.
(08:58):
And you can't always do it that way.
However, in that business, it made a whole lot of sense
because there are a lot of really immature processes
and it delivered a ton of value for them.
The other concept I've thought a lot about is when you can
sort of dual purpose the assurance and advisory services.
And what I mean by that is when does an assurance project
turn into an advisory project?
Or when can you, when can you identify something from an
(09:21):
assurance side of the house
and then have, have another project
that layers on afterwards, uh,
turn into an advisory services one.
Have you ever seen that or have you ever contemplated,
I have some examples, but curious to get your thought.
Yeah, uh, I would say in general, I, I cannot think of it.
I know what happened, but it does speak to the flexibility
that needs to be allowed for people.
(09:41):
I'll throw this quick story in this is a long time ago
in an audit department far, far away where on the annual
schedule, we were not allowed to change the annual annual
schedule in spite of the fact that risks had changed
because they didn't know how to go to the audit committee
and say, we're changing it,
because the fear was
that they would look like they
didn't know what they were doing.
So you have to get beyond that.
But I'd be interested in the stories you've got
(10:02):
where it actually did make those changes.
I had one time where it was actually an advisory, I mean,
it was a financial controls audit.
So we're doing it, it wasn't Sarbanes Oxley,
but it was very, it was privately private company that had,
um, adopted a lot of the elements of Sarbanes Oxley.
And we had basically been going
through the poor financial processes
and we act, we identified a control
(10:23):
that passed our financial testing.
And effectively it was a very basic
accounts payable control, right?
So we had something that was the equivalent
of check signatures are signed properly, signed
by the person with the right authority before, uh,
before sign off passed the test.
It was, it was signed. We saw a lot of inefficiency in
(10:43):
that process and what we looked at,
and we actually kicked off an advisory project with them
where we did a lot of the, you know, risk assessment
and worked with the business to really understand where some
of the pain points and breakdowns were in the process.
And what that translated to was a
very large transformation project that the business did
and generated seven figures
(11:05):
of savings for them in the business.
Because effectively what they had was a legacy,
a legacy process where they had an authority matrix
with physical signatures on the authority matrix.
And they were, they had a team of people
that was physically reviewing signatures against
a hand stamp that was on invoices.
And we looked at them, we said, well passes the control.
And it works highly inefficient
and doesn't really generate the value
(11:26):
that you can within the business.
So for us, we used even something that was the equivalent
of a sarbanes oxley process to identify an opportunity
for the business, and then we worked with them
through a separate advisory project.
Those types of things I think are always interesting.
And you know, I've, I've talked
to audit functions about this
and one of the key questions I always get is about the teams
(11:46):
that they have in place and how do I,
how do I develop talent so that we can have
resources on our team that aren't just just quote unquote
checking the box, but instead really looking for things
from a holistic lens of how you,
how do you improve the business?
What do you think about that side of things in terms
of the skill sets that might be required here?
And do we have them in internal audit functions now
or do you think we still need to do
(12:08):
a lot of work around training?
Well, desperately hope we have most
of them in internal audit departments.
I know there's a lot that don't,
but right off the bat, that flexibility I was talking about
back in the old and old
and olden days, we had IQs internal control questionnaires.
If any of you out there remember what they were, you know,
why we hate them, you know,
it was yes no, and you were done.
Well, we've learned to be ask questions that lead to things.
(12:30):
And we, the really good audit work is that work
that not only that is not only following the kind of
questions that need to be answered, but listening
to the answers to see which direction to go.
And that's where you start building that.
Wait a minute, this may not be a control,
but this is something important to look at.
So it's, it's the developing the listening skills,
it's developing the interviewing skills,
(12:51):
it's developing you, coming back to relationship management
so people will talk to you.
Um, that's such a big thing.
Even the one you're talking about, it sounds
to me like this was, Hey, we talked to people
and we found out this was happening, this was happening.
And having a mindset beyond, I'm just doing assurance.
Yes, I may be doing an insurance audit,
but that doesn't mean I can't be looking for broader
(13:13):
and more impactful things to do.
I mean, you could be in the middle of an audit
and I'd love to come up with an example right now,
and I can't off the top of my head,
you could be in the middle of an audit and somebody
realize, what am I doing this audit for?
I mean, I'm wasting time at this point
because I've got bigger issues in this audit.
I've got bigger issues in this department than this little
snapshot of internal audit assurance that I'm doing.
(13:33):
And so one, having the flexibility to listen
and make those changes, and two,
having the flexibility in the, in the higher ups
to say, good idea.
Let's do that. Let's cut it, let's move it.
And that comes all the way back then to your comment about
how you're showing the board value
because value is the key to it.
Assurance is a value we provide,
(13:55):
but if we can provide a broader value, something impactful
to them that isn't always assurance, then
that gives audit executives the opportunity
to make the changes they need to,
which give the auditors the changes they need.
Well said, well said.
And I, and I think when I take a step back
and I think about all of these things, one
of the things I was most excited about
in the new standards, right?
(14:16):
So as, as I probably mention every time I speak, we have
a new set of global internal audit standards that were just
went live this year with topical requirements that are now,
uh, you know, officially in in place, right?
The cyber, the cyber topical requirements just came out in
this month, in February a couple days ago.
And one of the things
that I think the new standards are really supportive on,
(14:37):
and I was really excited to see this, was
that there's the concept of advisory services.
And I think when we think about internal audit
and we thought about our standards
and we think about where we see the practice
of internal auditing going over the next 10 years when we do
our visiting, I think advisory is really the place
where we're gonna start delivering value.
We always talk about that we're a group that wants
(14:57):
to have a seat at the table
and we want management to come to us
and bring us problems so
that we can help them think through them.
And this is the place where I see us being able
to deliver on that promise within businesses.
And I think ultimately when I look at the new standards
and I look at how we're starting
to assess internal audit functions
and the concepts of, uh, advisory services,
(15:18):
it's very pronounced in the new standards
and it's very pronounced in the topical
requirements as part of those standards.
So even when we look at things like
the new cybersecurity topical requirement,
how do we apply them to advisory services?
They're not necessarily required for advisory,
but they are written in a way that we can take elements
of them and think about the governance process of a,
(15:39):
of a cybersecurity operation within business or I
or any other information security apparatus.
And as we continue to develop more topical requirements
and really continue to evolve our standards
to meet the needs of our profession,
I think you're gonna see more and more of
that come down the pike.
I wanna get into, again, back
to the concept of the mindset.
(15:59):
And I think you're right, the standards are allowing us
to have a mindset that allows us for more of that change.
How do auditors get that?
And again, I come back to a mindset,
and the reason I mentioned mindset is I was very lucky.
The audit department I came into, we were doing nothing
but assurance, but it still had an advisory aspect to it.
And as we went on more and more I was learning
(16:22):
and I was then teaching my, I almost had to reverse engineer
how how I got there.
It was not about a control, it was about
how things ran better.
Now if a control helps things run better,
then that's what you're looking for.
We did a lot of, I was with Farmer's Insurance, we did a lot
of audits of our agents, I can't even remember, thousands
of agents every year.
(16:44):
And I learned quickly and I trained others quickly.
You do not tell people you do this
because it's a control, especially these
were independent contractors.
They didn't care what we had to say.
Instead you had to show them
how it made them run their business better.
That's the mindset even in an assurance audit
that you need to have.
How are you making them do their job better?
How are they allowing them to get their job done better so
(17:06):
that they can get more work done more efficiently rather
than look, gotta control, gotta control, gotta control.
Yes, control's a great story,
but that cannot be the end all and be all of it.
And in a lot of ways, when you think about some
of the pain points our stakeholders have with audit
to the traditional audit reports that happen
with advisory services, you know, we could,
we could also get into debates about the, uh,
(17:26):
traffic light colors or the A BC findings
or satisfactory versus unsatisfactory
and all the different terminologies
and definitions that audit departments use.
One of the nice things about advisory services is it also
takes you away from some of the things that the, the pieces
of this that don't deliver as much value.
So for me, I've always been, maybe this is,
this is my own views is not the I a's views,
(17:47):
but I've always been, been a bigger proponent
of the issue is what matters
to me more than the actual rating itself.
And as long as I use that issue to drive change,
positive change within my organization,
that's really all that matters.
And when I think about, and I work
with Chief Audit Executives about
how do we actuate advisory services within their
departments, one of the things going back
(18:08):
to audit committee reporting
and management reporting is the way we quote unquote go back
to the concept of taking credit for what we're doing
with them within the business and reporting.
We get into more dashboard like views and,
and presentation views.
And it's less about here's the number
of findings we found in more just here's the number
of conversations we've had with the business.
And you know, if you want to count a KPI think about
(18:29):
how many times management gets asked
you a question throughout the year.
And if you start tabulating
and counting that, it's a pretty impactful statistic.
If you can go to your audit committee and say, you know,
I responded to a hundred inquiries from management this
quarter and things like that and how we report on it.
I've seen departments do things like, um,
field memorandums when they start doing an advisory project
where they're just writing a memo about
(18:49):
what they did to, to the file.
And that gets reported to the audit committee.
Um, and there's a, there's varying natures
and extent of this, uh, of this.
And I think, you know, we're, we're all sort
of figuring out the best ways to report on it
and how to deliver some of those results.
But one thing I do like is that we're finding ways to do
that in and it's ways that provide visibility
and transparency into the work we're doing.
(19:10):
But really it's, it goes back to the value we're delivering
and that people are seeing it
and they're asking the questions.
That brings up another point, and this was probably
getting a little too high and esoteric, but that's too bad.
Uh, you know, they, if we sell ourselves,
that's wonderful, that's beautiful.
That's what we should be doing. It's our customers selling
us that really makes a difference.
So that if we're in a committee meeting,
(19:31):
audit committee meeting, I was in one of these one time
where actually the bigger advocate was not audit.
One of the people sitting on the board saying,
they've done this, they've done this, they've done this.
And that's the kind of thing we need to strive for.
And we only get that by continually partnering.
Partnering is probably the best word in
the world for this whole thing.
(19:51):
We talk about relationship management and all of it.
You know, when we do any audit work, are we doing the work
or are we working with the client when we do it?
And that, you know, call it assurance or advisory
or whichever one you wind up with,
you're setting the groundwork
for partners working together to make things better.
And the minute you come that partner, then
that builds throughout the organization and
(20:13):
and that grows and that grows.
And I'm sorry, I'm tearing up just a little,
just thinking about somewhat,
Luckily for you,
this is an audio only podcast. That's right.
No, no One but me gets to
See your peers choking up a little.
One of my favorite things to do, um,
as a consultanting practitioner is eqa, right?
So ex external reviews of internal audit functions,
and part of why I get like to do them is you get
(20:34):
to understand the inner workings
of what's working really well within internal audit
functions of what's not working so well.
And to your point on advisory services
and developing those relationships with management,
having them seek you out, you know, it's a, when you go in,
you start doing some interview as part of an EQA process,
we very commonly will interview key
stakeholders within management.
(20:54):
That goes one of two ways.
What I found, you know, one, one way is if they're unhappy
with the relationships they've developed
with internal audit, they use that as an opportunity
to tell you all about the problems
and the pain points that they have.
My favorite part of doing EQA is actually when you go sit
down with key members of management
and you see a really well-functioning internal audit
department that's, that's really spent the time
(21:14):
and has a well-respected chief audit executive
and a team that is delivering
on their promises to the business.
You hear it in the voice
and the tone that stakeholders talk about
the internal audit function.
So I was, I was very recently, you know,
without sharing any specific names,
obviously very recently out in Minnesota
and we were doing, we were doing one of these
and the level of positivity
(21:36):
and the way that they talked about internal audit was a
central part of the process.
And the team had really spent a lot
of time developing key relationships
and they, they saw them as key stakeholders.
And time and time again, every single time I spoke
to a stakeholder in management,
the first thing they would talk about was the value
proposition, value proposition of internal audit
and how they see us as someone that they want to bring
(22:00):
to the table because we are delivering value
and there's a level of trust.
And it was talked about in such a, such a way of reverence
that I wi I wish I could have heard that at every function
that I, that I visit because they weren't executing on
advisory services quite well.
You'd hear the business say, I was gonna go put in a new
process, but I really don't wanna do that
until I ran it by internal audit.
And I talked to them about the different oppor, you know,
(22:21):
opportunities and risks
and controls that needed to be in place.
And you know, we had the auditors with us every step
of the way from the ideas ideation stage all the
way through implementation.
You know, just hearing some of the words people are using.
To me that's an example of a really, you know,
highly functioning department.
And you know, I think if you kind
of work backwards at root into some of the root,
we always do root cause
(22:42):
analysis when something negative happens.
But when something positive like that,
and you think about the root cause analysis, it goes back
to the leadership and the style
and the, the way
that they are doing their planning at the end of the day.
And sorry, there's a question here,
I'm just meandering a little bit,
but when you think about the planning
of an internal audit function
and what makes a highly effective CAE, um,
(23:02):
and their leadership of the team, what do you think are,
you know, are the CAEs that are here
or audit leadership that are listening into this can do
to really effectuate some of this change within the group?
Um, when, when thinking about it this way
from a relational perspective?
Yeah, and I'll, and I'll go
to buzzwords right off the bat, what's your vision?
I know that's a buzzword
and I know we all have our objectives and our visions
(23:24):
and all that kind stuff because
what you've gotta have is something that can be articulated.
Most audit departments have something that looks like
it's one half of the i i standards, you know,
just goes on forever can.
So the point is, have you got something concise
and easily understood so that you can, you can explain this
and live that vision for the rest of the department so
(23:47):
that then also when the executives happen to be talking
to your auditors, what do you do for a living?
Bam. They've got it. It just so happened
that farmer's insurance, we had a knife came up
with something that just worked for us,
creative solutions to customer needs.
And every auditor could tell you what the customer was,
what their needs were,
what the solutions were, and how we were creative.
And from that, you know,
(24:08):
we're talking basically about having an elevator speech
to give to the executives
or anyone you talk to so
that they understand the value that's being provided.
And that had to be quick because
our executives were on the third floor.
That's quick, that's elevator.
But in, in other words, does the leader know
what the heck the team is trying to do to accomplish?
And do they have this vision of advisory beyond a,
(24:32):
can they articulate that?
Do they live it? And then does it get driven down
to the point where the people at all levels can do
that same speech to everybody throughout the department,
through throughout the company?
You've hit on a lot of really important parts,
but one thing you said that kind of goes back
to something I had said earlier too, which is so under,
you know, it's really understanding
our stakeholder needs, right?
(24:52):
So you wanna, that elevator's pitch
and the vision of the department
and aligning it to the organizational values
and the culture, you have to know and develop your taxonomy
and the way you talk about things to fit the organization
that you are not, you know, we could write a book about this
and effectively if you said, say these 10 things,
it's not gonna work within every organization.
(25:13):
'cause different personalities, different cultures exist.
And part of how
and why we embed, whether you're embedding as a consultant,
as an external consultant coming in,
or you're an internal in-house internal auditor,
it's all about understanding the people and the culture
and developing your vocabulary in a way that you can
say things that influence change within the organization.
(25:35):
And to me that's, that's ultimately whether we're doing an
assurance based project or an advisory project, if I were
to summarize as simplistically as I could,
what is the purpose of internal audit?
It's to really influence positive
change within the organization.
Now we have to do that in very careful
and we deliberate ways and that's why we have standards.
However, the best practitioners that I have seen,
they are masters of influence.
(25:56):
At the end of the day, we, we go into an area
that we don't know a ton about always,
and we have to identify issues
and we try to facilitate change happening in those issues
without us actually having any direct oversight
or control ourselves.
And it's all about influence.
So the nature and extent of
what we're doing on the assurance side goes back
to the same thing we're trying
to talk about on the advisory side, which is
(26:17):
how do you influence a stakeholder
to deliver on the commitment to the organization?
And you brought up a key one, which is alignment
with our client needs.
And a fascinating thing.
I cannot overemphasize the need
to pass information throughout the department.
I know an auditor out there
who, how come I didn't know this?
Where was this information?
(26:38):
I needed to know this, wait a minute.
And then there's something, and it happened to me too,
you know, next thing I know I'm, I'm a manager
and I'm thinking, oh, they don't need to know all this.
Oh no, they did, you know, over inundate people
with your auditors with information about the organization,
about the departments and what's going on with them,
if it's something they don't need in and out,
but it may be something they want,
(26:59):
getting information about the organization is the only way
auditors can be effective.
And it helps them too, as you mentioned,
we go into departments, we dunno what's going on in a lot
of them or what's happening,
and if we walk in just a little too naive
and, uh, tabular, we'll get eaten alive,
whereas we got at least a background information
to understand what they're doing
(27:20):
and we can prove we're gonna add value to
that, then it's that much better.
This was a, you know, maybe it's not a a diplomatic way
to say it, but early in my career when I first started,
I was, without saying their name, I was at one
of the big four public accounting firms in an internal
audit, co-sourcing practice where we would go into, uh,
large internal audit functions.
And I was a 20, you know, 22-year-old right outta school.
(27:42):
And I didn't know anything
beyond what I had learned in class.
And I had to go into CFOs and CIOs offices
and try to tell them that they were doing
or not doing something correctly.
And, you know, there was, there's no way as a,
even even someone now that has more than a couple years
of experience, uh, I won't say how long,
but, um, it's, it's, no,
it's really the technical expertise that we have.
(28:04):
There's obviously a requisite amount of that that you need
to have to be successful in your career.
But so much of what we're doing in this day
and age, very similar to what you
and I talked about when we had the,
our last webinar around soft skills.
So much of our success
or failure isn't about our
technical skill sets or abilities.
It's about how we can develop relationships
and how we say things in a way that influences,
influences the decision.
(28:25):
And, and to me that that's really the critical part here.
When you get into advisory services,
it becomes more and more important.
And if you're chief audit executive or a leader
or early in your career practitioner that's trying
to figure out how do I do this more
and get more experiences?
And one of the things I did early on was I just said yes
to a lot of things to be, to be honest.
And I got a lot of, a lot of experiences in a lot
(28:46):
of different places, both within my day job.
I was a volunteer for the I I a early on.
I, I was, you know, looking
for every opportunity to get in front of people.
And all of those interactions on top
of developing a network really helped me to craft my story
and the way I could talk to people to help advance,
advance what we were trying to advance.
(29:08):
And then talking to people may, we've kind
of hit this in a couple of different ways,
but I'll go back, maybe this is the way I even started it.
We have to go in talking to people, working
with people, not like we're auditing.
We have to go in like we're consulting
and your mindset's instantly different when you think
I'm consulting with these people.
Now that doesn't mean you're not doing insurance work,
(29:28):
but you're still, it's,
your mind just works differently when you go, I'm consulting
with them, I'm part of the team as, as opposed to, you know,
we still have a lot of people out there
that think they're internal auditors
and you know, they, there's still a lot of cops out there.
A hundred percent. It's well said.
And you know, the other thing I would just say is if you're
(29:49):
a practitioner thing there, there's,
if you're a practitioner earlier in your career
or a ca looking for opportunities for your team,
training is always a good opportunity.
But there are mentor, yeah, I, a a for example,
has a great mentorship program where you can connect,
you know, connect someone earlier in their career
with someone more senior and it gives them another input.
And it's really just all about getting more inputs into
what you're doing so that you can develop some
(30:09):
of those skill sets and, you know, look, look to some of the
practice guides that are out there, but talk
to your peers about what they're doing from a,
from an advisory services perspective.
Because I think you'll find that
no two departments are doing it exactly the same way.
A lot of us are figuring it out.
There's a lot of best practices that are out there.
So as we go to different events and conferences
and as we get, get in person with people, I mean, so much
(30:32):
of those interactions is where, you know,
where these ideas formulate
and how we, how we get better at what we do.
Well, and you and I, this last one
and this one, we've thrown out about 60 12 different ideas,
you know, and so when you're hearing this
and you're going, well wait a minute, I want more on that,
more on that, more on that.
Obviously the IA is a perfect place to start.
A lot of other resources obviously out there too,
(30:54):
read nonstop, look for what's out there.
But yeah, find what, find what interests
or find where, you know, I need some help
and start digging and going into it.
And if you see Mike and I at a conference,
feel free to flag us down.
We're happy to always talk about it as well
As you can tell, They keep inviting us back, Mike,
so we must be doing something right. Well,
No comment.
(31:17):
Well, thank you very much for your time today.
We really appreciate it
and looking forward to seeing you soon.
Okay. Thank you much. Thank you all.
Are you concerned about security in the age of ai?
Join the IIAS 2025 analytics, automation
and AI virtual conference on April 24th.
You can hear from industry experts
how cutting edge technology is transforming internal audit
(31:39):
by securing your spot and registering today@theiia.org.
If you like this podcast, please subscribe and rate us.
You can subscribe wherever you get your podcasts.
You can also catch other episodes on YouTube or@theia.org.
That's THEI a.org.
The Institute of Internal Auditors presents
all things internal audit.
In this episode, Mike Levy talks
with Mike Jacka about the growing role of advisory services.
In internal auditing, they discuss
how today's internal auditors are offering
strategic insights that go beyond assurance work.
They also cover how to balance objectivity
with advisory work, how to fit advisory into audit planning,
(00:25):
and how to show the value of these services.
Welcome, Mike. Hi, glad to be here again.
Always interesting and fun.
We, we didn't scare them away
after our discussion on soft skills, so I,
I think we'll have to continue.
So, thinking about advisory services, it's one
of those things we always talk about.
You know, years ago it was trusted advisor.
(00:46):
We're talking about advisory. We used to be consulting.
When we think about internal audit functions,
I think historically many of us go to
the assurance based model.
We have to spotlight issues with management.
We report those issues to the audit committee
and executive management.
How do you see advisory services really
fitting into internal audit?
So it's a topic we talk about a lot.
(01:07):
Yeah. And, and I will warn you to some, well, lemme,
lemme go with the theory I have about this whole thing.
For some reason, internal auditors seem to think that, uh,
advisory is a subset of internal audit.
I would argue it's the other way.
Advisory is all things,
and then the control aspects
of the assurance aspect is almost a subset of that.
(01:30):
So I think internal auditors should already have the,
the tools, have the mindset in working with people
to expand into that broader issue of advisory services.
It's, it's well said.
I mean, I think when I think about internal audit
and I think about what we're really meant to do, I've heard,
you know, we could get into it probably a whole conversation
(01:51):
just on the concepts of independence and objectivity.
And obviously those are critically important for auditors.
However, one of my fears with those words is sometimes we
get stuck behind them and we don't focus on
what matters within our organizations
and how we need to deliver value.
We can't cross over those lines of objectivity
and what we do within organizations.
However, so many times there are opportunities
(02:14):
and we're seeing more and more of them as we talk about all
of the emerging risk topics.
A, you know, think ai, think some of the cyber risks
that are happening, businesses are very often learning
as they go, and they're trying
to figure a lot of these things out.
And if we wait till they are mature
topics within an organization where we can do audits,
we're almost, we're almost too late.
(02:35):
And that, that balance becomes
really critical and important.
And for me, some of that has come naturally
because I started my career in big four consulting
and was always focused on how we build that
value proposition as a, as a consultant coming in.
But when you're internal to the organization,
that's not always as apparent.
So Mike, just from your experiences in the past,
(02:56):
how do you go about developing some
of those things from, from the ground up?
When it comes to developing the advisory aspects of it?
It, it, unfortunately, it comes
to almost everything we were talking about in our last one.
It's the soft skills. It's about learning about the people,
about being a piece of the people,
about being a part of the team.
You, one of the important things you talked about there a
(03:17):
second ago was being there on the front end.
And I know so many internal auditors wanna sit back
and wait, then come in, I'll use the word judge,
they're gonna come in and judge.
And if you are a part of the team, if you're meeting
with people, if you're talking to people,
you're hearing the new things as they develop.
And that's where that comes.
(03:37):
We had probably one
of our most successful consulting projects
was when social media was first kicking off.
And, um, it was a fascinating one
because nobody was really looking at it, talking about it,
had new marketing who wanted to find out
what we were doing in, in the organization.
(03:57):
At the same time, we had another member
of the C-suite go, how can you do this?
We don't do audits of pencils,
we can't do audits of social media.
So it was a combination of helping them understand
what social media was about
and then working with this other person.
So what, we spent a lot of time talking
to the various departments
and we had those, that rapport built already,
(04:18):
that we could talk to them and they would talk with us.
What we found was that
all the individual departments had very good social media
situations set up,
but there was no over, there was no umbrella over it all.
And that's what the chief marketing officer came and did.
So I use that as a success story of how it works,
but I also use that, look, this is
(04:40):
where you internal audit work over all those years
should help set that up.
They were all people we had talked to,
worked with who trusted us.
We were trusted assurance providers,
not just trusted advisors.
And they, they trusted us. They were willing to speak
with us because they knew the work we had done in the past.
So it's that relationship building that's gone on and on
and on that allows someone to go forward,
(05:02):
become an advisory, uh, take on that advisory capacity.
This is an area where I've actually seen
small internal audit functions excel at, in some,
in some ways better than larger audit functions.
I've, I've been lucky in my career that I've gotten to work
with a lot of different departments.
And sometimes when you're a small internal audit function,
(05:23):
you're tasked with all of these risks that you have
to assess and evaluate
and think through for the organization.
And you don't always know how to, how to do it.
And I think the agility that you have to have
as a small function, this is really where one of the places
where advisory services can really shine a, um,
really important light in delivering
value for your stakeholders.
(05:43):
For me, when I've been successful at this in the past,
I've really thought about it in terms of less, in terms of
what is the report and what observations do I need to have?
And really more so how do I get involved early on?
And, and a lot of, and a lot of times if you,
if you're asking yourself, where do I get started?
Think about what technology
transformations your organization's having.
And for me, the, the low hanging fruit area
(06:04):
where we work on advisory services is pre-implementation
reviews instead of going in after an implementation is done
and assessing whether it's successful or failure success
or a failure, go in early on
and help them think through controls
and risks and the configuration.
And you know, obviously you can't turn the knobs
and actually implement the system.
However, sitting in the room and giving that coaching
(06:25):
and counseling really does deliver a lot of value
to groups at that stage in the process.
And you've hit the thing that so many,
and you talked about earlier too, so many people are afraid
of, you know, well gosh, if I'm there at the beginning,
have I become the control?
Have I become part of it? And,
and it's important to remember
that all you're doing is you're not teaching them controls.
You're not teaching them the aspects of it.
(06:47):
You're helping them understand how those work
because they're still gonna be the ones
that know better how to develop it.
And you can say, okay, that, that makes sense to me,
or have you thought about this aspect of it?
But that's where consulting comes in too.
It's not telling them what to do,
just like an internal audit.
It's not telling them what to do.
It's about providing insights in the way these things work
(07:10):
so they can come to the decisions
that work best in their departments.
One of the things I often hear chief audit executives
who are grappling with this, um, think through is, well,
my audit committee and my KPI measurements are really all
about how, how many findings I have
and how many, what the resolution looks like.
And, you know, how do I demonstrate the value
of my function if I'm not delivering audit reports every,
(07:32):
every quarter and instead I'm spending my
time on advisory services.
So, you know, Mike, what would you, what would you say to
that in terms of how, how do I talk
to my audit committees about advisory services
and effectively take credit for the work
that I'm doing within business?
Well, first off, I can rent for hours on KPIs
because I have so many problems with so many
of the KPIs people use.
And I'd say that's where you go, what are your KPIs?
(07:54):
And it, you can literally establish KPIs
around advisory services.
You know, who's talking to us, who's coming to us?
I know there's some people who do have that kpi.
How many people have come to us with how many have come
to us with potential situations?
So if you have built into your KPIs, you bring
that advisory piece into it.
Now that does mean potentially educating audit committee.
(08:16):
They do not understand the advisory aspect
of an internal audit department.
Then you've got a lot of education at the higher level
that has to go on also.
But ultimately, I think that's it.
Do they understand what it is internal audit, the value
of internal audit beyond just assurance?
And once they understand that,
then finding the KPIs that measure that.
(08:37):
One of the organizations I've worked
with in the past when I was serving in a chief,
so I do consulting now,
but when I was serving in a chief audit executive role,
we got to a point, and this was,
you can't always do this with every organization.
'cause you really have to measure the culture of
where your business, where the business is
and what you can have support to do.
But we're actually doing more advisory services than we were
assurance based services.
And that doesn't always work that way.
(08:58):
And you can't always do it that way.
However, in that business, it made a whole lot of sense
because there are a lot of really immature processes
and it delivered a ton of value for them.
The other concept I've thought a lot about is when you can
sort of dual purpose the assurance and advisory services.
And what I mean by that is when does an assurance project
turn into an advisory project?
Or when can you, when can you identify something from an
(09:21):
assurance side of the house
and then have, have another project
that layers on afterwards, uh,
turn into an advisory services one.
Have you ever seen that or have you ever contemplated,
I have some examples, but curious to get your thought.
Yeah, uh, I would say in general, I, I cannot think of it.
I know what happened, but it does speak to the flexibility
that needs to be allowed for people.
(09:41):
I'll throw this quick story in this is a long time ago
in an audit department far, far away where on the annual
schedule, we were not allowed to change the annual annual
schedule in spite of the fact that risks had changed
because they didn't know how to go to the audit committee
and say, we're changing it,
because the fear was
that they would look like they
didn't know what they were doing.
So you have to get beyond that.
But I'd be interested in the stories you've got
(10:02):
where it actually did make those changes.
I had one time where it was actually an advisory, I mean,
it was a financial controls audit.
So we're doing it, it wasn't Sarbanes Oxley,
but it was very, it was privately private company that had,
um, adopted a lot of the elements of Sarbanes Oxley.
And we had basically been going
through the poor financial processes
and we act, we identified a control
(10:23):
that passed our financial testing.
And effectively it was a very basic
accounts payable control, right?
So we had something that was the equivalent
of check signatures are signed properly, signed
by the person with the right authority before, uh,
before sign off passed the test.
It was, it was signed. We saw a lot of inefficiency in
(10:43):
that process and what we looked at,
and we actually kicked off an advisory project with them
where we did a lot of the, you know, risk assessment
and worked with the business to really understand where some
of the pain points and breakdowns were in the process.
And what that translated to was a
very large transformation project that the business did
and generated seven figures
(11:05):
of savings for them in the business.
Because effectively what they had was a legacy,
a legacy process where they had an authority matrix
with physical signatures on the authority matrix.
And they were, they had a team of people
that was physically reviewing signatures against
a hand stamp that was on invoices.
And we looked at them, we said, well passes the control.
And it works highly inefficient
and doesn't really generate the value
(11:26):
that you can within the business.
So for us, we used even something that was the equivalent
of a sarbanes oxley process to identify an opportunity
for the business, and then we worked with them
through a separate advisory project.
Those types of things I think are always interesting.
And you know, I've, I've talked
to audit functions about this
and one of the key questions I always get is about the teams
(11:46):
that they have in place and how do I,
how do I develop talent so that we can have
resources on our team that aren't just just quote unquote
checking the box, but instead really looking for things
from a holistic lens of how you,
how do you improve the business?
What do you think about that side of things in terms
of the skill sets that might be required here?
And do we have them in internal audit functions now
or do you think we still need to do
(12:08):
a lot of work around training?
Well, desperately hope we have most
of them in internal audit departments.
I know there's a lot that don't,
but right off the bat, that flexibility I was talking about
back in the old and old
and olden days, we had IQs internal control questionnaires.
If any of you out there remember what they were, you know,
why we hate them, you know,
it was yes no, and you were done.
Well, we've learned to be ask questions that lead to things.
(12:30):
And we, the really good audit work is that work
that not only that is not only following the kind of
questions that need to be answered, but listening
to the answers to see which direction to go.
And that's where you start building that.
Wait a minute, this may not be a control,
but this is something important to look at.
So it's, it's the developing the listening skills,
it's developing the interviewing skills,
(12:51):
it's developing you, coming back to relationship management
so people will talk to you.
Um, that's such a big thing.
Even the one you're talking about, it sounds
to me like this was, Hey, we talked to people
and we found out this was happening, this was happening.
And having a mindset beyond, I'm just doing assurance.
Yes, I may be doing an insurance audit,
but that doesn't mean I can't be looking for broader
(13:13):
and more impactful things to do.
I mean, you could be in the middle of an audit
and I'd love to come up with an example right now,
and I can't off the top of my head,
you could be in the middle of an audit and somebody
realize, what am I doing this audit for?
I mean, I'm wasting time at this point
because I've got bigger issues in this audit.
I've got bigger issues in this department than this little
snapshot of internal audit assurance that I'm doing.
(13:33):
And so one, having the flexibility to listen
and make those changes, and two,
having the flexibility in the, in the higher ups
to say, good idea.
Let's do that. Let's cut it, let's move it.
And that comes all the way back then to your comment about
how you're showing the board value
because value is the key to it.
Assurance is a value we provide,
(13:55):
but if we can provide a broader value, something impactful
to them that isn't always assurance, then
that gives audit executives the opportunity
to make the changes they need to,
which give the auditors the changes they need.
Well said, well said.
And I, and I think when I take a step back
and I think about all of these things, one
of the things I was most excited about
in the new standards, right?
(14:16):
So as, as I probably mention every time I speak, we have
a new set of global internal audit standards that were just
went live this year with topical requirements that are now,
uh, you know, officially in in place, right?
The cyber, the cyber topical requirements just came out in
this month, in February a couple days ago.
And one of the things
that I think the new standards are really supportive on,
(14:37):
and I was really excited to see this, was
that there's the concept of advisory services.
And I think when we think about internal audit
and we thought about our standards
and we think about where we see the practice
of internal auditing going over the next 10 years when we do
our visiting, I think advisory is really the place
where we're gonna start delivering value.
We always talk about that we're a group that wants
(14:57):
to have a seat at the table
and we want management to come to us
and bring us problems so
that we can help them think through them.
And this is the place where I see us being able
to deliver on that promise within businesses.
And I think ultimately when I look at the new standards
and I look at how we're starting
to assess internal audit functions
and the concepts of, uh, advisory services,
(15:18):
it's very pronounced in the new standards
and it's very pronounced in the topical
requirements as part of those standards.
So even when we look at things like
the new cybersecurity topical requirement,
how do we apply them to advisory services?
They're not necessarily required for advisory,
but they are written in a way that we can take elements
of them and think about the governance process of a,
(15:39):
of a cybersecurity operation within business or I
or any other information security apparatus.
And as we continue to develop more topical requirements
and really continue to evolve our standards
to meet the needs of our profession,
I think you're gonna see more and more of
that come down the pike.
I wanna get into, again, back
to the concept of the mindset.
(15:59):
And I think you're right, the standards are allowing us
to have a mindset that allows us for more of that change.
How do auditors get that?
And again, I come back to a mindset,
and the reason I mentioned mindset is I was very lucky.
The audit department I came into, we were doing nothing
but assurance, but it still had an advisory aspect to it.
And as we went on more and more I was learning
(16:22):
and I was then teaching my, I almost had to reverse engineer
how how I got there.
It was not about a control, it was about
how things ran better.
Now if a control helps things run better,
then that's what you're looking for.
We did a lot of, I was with Farmer's Insurance, we did a lot
of audits of our agents, I can't even remember, thousands
of agents every year.
(16:44):
And I learned quickly and I trained others quickly.
You do not tell people you do this
because it's a control, especially these
were independent contractors.
They didn't care what we had to say.
Instead you had to show them
how it made them run their business better.
That's the mindset even in an assurance audit
that you need to have.
How are you making them do their job better?
How are they allowing them to get their job done better so
(17:06):
that they can get more work done more efficiently rather
than look, gotta control, gotta control, gotta control.
Yes, control's a great story,
but that cannot be the end all and be all of it.
And in a lot of ways, when you think about some
of the pain points our stakeholders have with audit
to the traditional audit reports that happen
with advisory services, you know, we could,
we could also get into debates about the, uh,
(17:26):
traffic light colors or the A BC findings
or satisfactory versus unsatisfactory
and all the different terminologies
and definitions that audit departments use.
One of the nice things about advisory services is it also
takes you away from some of the things that the, the pieces
of this that don't deliver as much value.
So for me, I've always been, maybe this is,
this is my own views is not the I a's views,
(17:47):
but I've always been, been a bigger proponent
of the issue is what matters
to me more than the actual rating itself.
And as long as I use that issue to drive change,
positive change within my organization,
that's really all that matters.
And when I think about, and I work
with Chief Audit Executives about
how do we actuate advisory services within their
departments, one of the things going back
(18:08):
to audit committee reporting
and management reporting is the way we quote unquote go back
to the concept of taking credit for what we're doing
with them within the business and reporting.
We get into more dashboard like views and,
and presentation views.
And it's less about here's the number
of findings we found in more just here's the number
of conversations we've had with the business.
And you know, if you want to count a KPI think about
(18:29):
how many times management gets asked
you a question throughout the year.
And if you start tabulating
and counting that, it's a pretty impactful statistic.
If you can go to your audit committee and say, you know,
I responded to a hundred inquiries from management this
quarter and things like that and how we report on it.
I've seen departments do things like, um,
field memorandums when they start doing an advisory project
where they're just writing a memo about
(18:49):
what they did to, to the file.
And that gets reported to the audit committee.
Um, and there's a, there's varying natures
and extent of this, uh, of this.
And I think, you know, we're, we're all sort
of figuring out the best ways to report on it
and how to deliver some of those results.
But one thing I do like is that we're finding ways to do
that in and it's ways that provide visibility
and transparency into the work we're doing.
(19:10):
But really it's, it goes back to the value we're delivering
and that people are seeing it
and they're asking the questions.
That brings up another point, and this was probably
getting a little too high and esoteric, but that's too bad.
Uh, you know, they, if we sell ourselves,
that's wonderful, that's beautiful.
That's what we should be doing. It's our customers selling
us that really makes a difference.
So that if we're in a committee meeting,
(19:31):
audit committee meeting, I was in one of these one time
where actually the bigger advocate was not audit.
One of the people sitting on the board saying,
they've done this, they've done this, they've done this.
And that's the kind of thing we need to strive for.
And we only get that by continually partnering.
Partnering is probably the best word in
the world for this whole thing.
(19:51):
We talk about relationship management and all of it.
You know, when we do any audit work, are we doing the work
or are we working with the client when we do it?
And that, you know, call it assurance or advisory
or whichever one you wind up with,
you're setting the groundwork
for partners working together to make things better.
And the minute you come that partner, then
that builds throughout the organization and
(20:13):
and that grows and that grows.
And I'm sorry, I'm tearing up just a little,
just thinking about somewhat,
Luckily for you,
this is an audio only podcast. That's right.
No, no One but me gets to
See your peers choking up a little.
One of my favorite things to do, um,
as a consultanting practitioner is eqa, right?
So ex external reviews of internal audit functions,
and part of why I get like to do them is you get
(20:34):
to understand the inner workings
of what's working really well within internal audit
functions of what's not working so well.
And to your point on advisory services
and developing those relationships with management,
having them seek you out, you know, it's a, when you go in,
you start doing some interview as part of an EQA process,
we very commonly will interview key
stakeholders within management.
(20:54):
That goes one of two ways.
What I found, you know, one, one way is if they're unhappy
with the relationships they've developed
with internal audit, they use that as an opportunity
to tell you all about the problems
and the pain points that they have.
My favorite part of doing EQA is actually when you go sit
down with key members of management
and you see a really well-functioning internal audit
department that's, that's really spent the time
(21:14):
and has a well-respected chief audit executive
and a team that is delivering
on their promises to the business.
You hear it in the voice
and the tone that stakeholders talk about
the internal audit function.
So I was, I was very recently, you know,
without sharing any specific names,
obviously very recently out in Minnesota
and we were doing, we were doing one of these
and the level of positivity
(21:36):
and the way that they talked about internal audit was a
central part of the process.
And the team had really spent a lot
of time developing key relationships
and they, they saw them as key stakeholders.
And time and time again, every single time I spoke
to a stakeholder in management,
the first thing they would talk about was the value
proposition, value proposition of internal audit
and how they see us as someone that they want to bring
(22:00):
to the table because we are delivering value
and there's a level of trust.
And it was talked about in such a, such a way of reverence
that I wi I wish I could have heard that at every function
that I, that I visit because they weren't executing on
advisory services quite well.
You'd hear the business say, I was gonna go put in a new
process, but I really don't wanna do that
until I ran it by internal audit.
And I talked to them about the different oppor, you know,
(22:21):
opportunities and risks
and controls that needed to be in place.
And you know, we had the auditors with us every step
of the way from the ideas ideation stage all the
way through implementation.
You know, just hearing some of the words people are using.
To me that's an example of a really, you know,
highly functioning department.
And you know, I think if you kind
of work backwards at root into some of the root,
we always do root cause
(22:42):
analysis when something negative happens.
But when something positive like that,
and you think about the root cause analysis, it goes back
to the leadership and the style
and the, the way
that they are doing their planning at the end of the day.
And sorry, there's a question here,
I'm just meandering a little bit,
but when you think about the planning
of an internal audit function
and what makes a highly effective CAE, um,
(23:02):
and their leadership of the team, what do you think are,
you know, are the CAEs that are here
or audit leadership that are listening into this can do
to really effectuate some of this change within the group?
Um, when, when thinking about it this way
from a relational perspective?
Yeah, and I'll, and I'll go
to buzzwords right off the bat, what's your vision?
I know that's a buzzword
and I know we all have our objectives and our visions
(23:24):
and all that kind stuff because
what you've gotta have is something that can be articulated.
Most audit departments have something that looks like
it's one half of the i i standards, you know,
just goes on forever can.
So the point is, have you got something concise
and easily understood so that you can, you can explain this
and live that vision for the rest of the department so
(23:47):
that then also when the executives happen to be talking
to your auditors, what do you do for a living?
Bam. They've got it. It just so happened
that farmer's insurance, we had a knife came up
with something that just worked for us,
creative solutions to customer needs.
And every auditor could tell you what the customer was,
what their needs were,
what the solutions were, and how we were creative.
And from that, you know,
(24:08):
we're talking basically about having an elevator speech
to give to the executives
or anyone you talk to so
that they understand the value that's being provided.
And that had to be quick because
our executives were on the third floor.
That's quick, that's elevator.
But in, in other words, does the leader know
what the heck the team is trying to do to accomplish?
And do they have this vision of advisory beyond a,
(24:32):
can they articulate that?
Do they live it? And then does it get driven down
to the point where the people at all levels can do
that same speech to everybody throughout the department,
through throughout the company?
You've hit on a lot of really important parts,
but one thing you said that kind of goes back
to something I had said earlier too, which is so under,
you know, it's really understanding
our stakeholder needs, right?
(24:52):
So you wanna, that elevator's pitch
and the vision of the department
and aligning it to the organizational values
and the culture, you have to know and develop your taxonomy
and the way you talk about things to fit the organization
that you are not, you know, we could write a book about this
and effectively if you said, say these 10 things,
it's not gonna work within every organization.
(25:13):
'cause different personalities, different cultures exist.
And part of how
and why we embed, whether you're embedding as a consultant,
as an external consultant coming in,
or you're an internal in-house internal auditor,
it's all about understanding the people and the culture
and developing your vocabulary in a way that you can
say things that influence change within the organization.
(25:35):
And to me that's, that's ultimately whether we're doing an
assurance based project or an advisory project, if I were
to summarize as simplistically as I could,
what is the purpose of internal audit?
It's to really influence positive
change within the organization.
Now we have to do that in very careful
and we deliberate ways and that's why we have standards.
However, the best practitioners that I have seen,
they are masters of influence.
(25:56):
At the end of the day, we, we go into an area
that we don't know a ton about always,
and we have to identify issues
and we try to facilitate change happening in those issues
without us actually having any direct oversight
or control ourselves.
And it's all about influence.
So the nature and extent of
what we're doing on the assurance side goes back
to the same thing we're trying
to talk about on the advisory side, which is
(26:17):
how do you influence a stakeholder
to deliver on the commitment to the organization?
And you brought up a key one, which is alignment
with our client needs.
And a fascinating thing.
I cannot overemphasize the need
to pass information throughout the department.
I know an auditor out there
who, how come I didn't know this?
Where was this information?
(26:38):
I needed to know this, wait a minute.
And then there's something, and it happened to me too,
you know, next thing I know I'm, I'm a manager
and I'm thinking, oh, they don't need to know all this.
Oh no, they did, you know, over inundate people
with your auditors with information about the organization,
about the departments and what's going on with them,
if it's something they don't need in and out,
but it may be something they want,
(26:59):
getting information about the organization is the only way
auditors can be effective.
And it helps them too, as you mentioned,
we go into departments, we dunno what's going on in a lot
of them or what's happening,
and if we walk in just a little too naive
and, uh, tabular, we'll get eaten alive,
whereas we got at least a background information
to understand what they're doing
(27:20):
and we can prove we're gonna add value to
that, then it's that much better.
This was a, you know, maybe it's not a a diplomatic way
to say it, but early in my career when I first started,
I was, without saying their name, I was at one
of the big four public accounting firms in an internal
audit, co-sourcing practice where we would go into, uh,
large internal audit functions.
And I was a 20, you know, 22-year-old right outta school.
(27:42):
And I didn't know anything
beyond what I had learned in class.
And I had to go into CFOs and CIOs offices
and try to tell them that they were doing
or not doing something correctly.
And, you know, there was, there's no way as a,
even even someone now that has more than a couple years
of experience, uh, I won't say how long,
but, um, it's, it's, no,
it's really the technical expertise that we have.
(28:04):
There's obviously a requisite amount of that that you need
to have to be successful in your career.
But so much of what we're doing in this day
and age, very similar to what you
and I talked about when we had the,
our last webinar around soft skills.
So much of our success
or failure isn't about our
technical skill sets or abilities.
It's about how we can develop relationships
and how we say things in a way that influences,
influences the decision.
(28:25):
And, and to me that that's really the critical part here.
When you get into advisory services,
it becomes more and more important.
And if you're chief audit executive or a leader
or early in your career practitioner that's trying
to figure out how do I do this more
and get more experiences?
And one of the things I did early on was I just said yes
to a lot of things to be, to be honest.
And I got a lot of, a lot of experiences in a lot
(28:46):
of different places, both within my day job.
I was a volunteer for the I I a early on.
I, I was, you know, looking
for every opportunity to get in front of people.
And all of those interactions on top
of developing a network really helped me to craft my story
and the way I could talk to people to help advance,
advance what we were trying to advance.
(29:08):
And then talking to people may, we've kind
of hit this in a couple of different ways,
but I'll go back, maybe this is the way I even started it.
We have to go in talking to people, working
with people, not like we're auditing.
We have to go in like we're consulting
and your mindset's instantly different when you think
I'm consulting with these people.
Now that doesn't mean you're not doing insurance work,
(29:28):
but you're still, it's,
your mind just works differently when you go, I'm consulting
with them, I'm part of the team as, as opposed to, you know,
we still have a lot of people out there
that think they're internal auditors
and you know, they, there's still a lot of cops out there.
A hundred percent. It's well said.
And you know, the other thing I would just say is if you're
(29:49):
a practitioner thing there, there's,
if you're a practitioner earlier in your career
or a ca looking for opportunities for your team,
training is always a good opportunity.
But there are mentor, yeah, I, a a for example,
has a great mentorship program where you can connect,
you know, connect someone earlier in their career
with someone more senior and it gives them another input.
And it's really just all about getting more inputs into
what you're doing so that you can develop some
(30:09):
of those skill sets and, you know, look, look to some of the
practice guides that are out there, but talk
to your peers about what they're doing from a,
from an advisory services perspective.
Because I think you'll find that
no two departments are doing it exactly the same way.
A lot of us are figuring it out.
There's a lot of best practices that are out there.
So as we go to different events and conferences
and as we get, get in person with people, I mean, so much
(30:32):
of those interactions is where, you know,
where these ideas formulate
and how we, how we get better at what we do.
Well, and you and I, this last one
and this one, we've thrown out about 60 12 different ideas,
you know, and so when you're hearing this
and you're going, well wait a minute, I want more on that,
more on that, more on that.
Obviously the IA is a perfect place to start.
A lot of other resources obviously out there too,
(30:54):
read nonstop, look for what's out there.
But yeah, find what, find what interests
or find where, you know, I need some help
and start digging and going into it.
And if you see Mike and I at a conference,
feel free to flag us down.
We're happy to always talk about it as well
As you can tell, They keep inviting us back, Mike,
so we must be doing something right. Well,
No comment.
(31:17):
Well, thank you very much for your time today.
We really appreciate it
and looking forward to seeing you soon.
Okay. Thank you much. Thank you all.
Are you concerned about security in the age of ai?
Join the IIAS 2025 analytics, automation
and AI virtual conference on April 24th.
You can hear from industry experts
how cutting edge technology is transforming internal audit
(31:39):
by securing your spot and registering today@theiia.org.
If you like this podcast, please subscribe and rate us.
You can subscribe wherever you get your podcasts.
You can also catch other episodes on YouTube or@theia.org.
That's THEI a.org.
Popular Podcasts
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.