Quality Control & Reliability B u INTERNAL AUDIT AND IT AUDIT SERIES t e Risk-based operational audits and performance audits require a broad array of r a competencies. This book provides auditors and risk professionals with the under- standing required to improve results during risk-based audits. M Mastering the Five Tiers of Audit Competency: The Essence of Effective a Auditing is an anthology of powerful risk-based auditing practices. Filled with s practical do and don’t techniques, it encompasses the interpersonal aspects of riskt- e based auditing, not just the technical content. r i n Mastering the This book details the behaviors you need to demonstrate and the habitual actiongs you need to take at each phase in an audit to manage the people relationships as weltl h as the work itself. Each section of this book is devoted to a component of the audit: Five Tiers of e planning, detailed risk and control assessment, testing, audit report writing, projec t F management, audit team management, and client relationship management. i v e AThue dEsisetn cCe oof Emffepctievet Aeudnitcingy The book leverages The Whole Person Project, Inc.’s 30 years of hands-on organi - T zational development experience and custom-designed internal audit training proi- e grams to aid those just starting out in audit as well as more experienced auditorsr. s It also contains templates you can use to set performance goals and assess your o progress towards achieving those goals. f A This book will spark ideas that can enhance performance, improve workinug relationships, and make it easier to complete audits that improve your organization’ds i risk management culture and practices. Explaining how to make positive antd sustained changes to the way you approach your work, the book includes a summar Cy of the key points and a brief quiz to help you remember salient ideas in each chaptero. m Presenting proven methods and advice that can help you immediately save timep, e reduce stress, and produce reliable, quality results, this book is an ideal resource for t anyone looking to make positive changes and adopt more productive work habits. e n c y K26588 6000 Broken Sound Parkway, NW Suite 300, Boca Raton, FL 33487 ISBN: 978-1-4987-3849-1 711 Third Avenue 90000 New York, NY 10017 an informa business 2 Park Square, Milton Park www.crcpress.com Abingdon, Oxon OX14 4RN, UK 9 781498 738491 CRP Ann Butera, www.auerbach-publications.com K26588 cvr mech.indd 1 4/1/16 3:02 PM Internal Audit and IT Audit Series Editor: Dan Swanson A Guide to the National Initiative Mastering the Five Tiers of for Cybersecurity Education (NICE) Audit Competency: Cybersecurity Workforce Framework (2.0) The Essence of Effective Auditing Dan Shoemaker, Anne Kohnke, and Ken Sigler Ann Butera ISBN 978-1-4987-3996-2 ISBN 978-1-4987-3849-1 A Practical Guide to Performing Operational Assessment of IT Fraud Risk Assessments Steve Katzman Mary Breslin ISBN 978-1-4987-3768-5 ISBN 978-1-4987-4251-1 Operational Auditing: Corporate Defense and the Value Principles and Techniques Preservation Imperative: for a Changing World Bulletproof Your Corporate Hernan Murdock Defense Program ISBN 978-1-4987-4639-7 Sean Lyons Securing an IT Organization ISBN 978-1-4987-4228-3 through Governance, Data Analytics for Internal Auditors Risk Management, and Audit Richard E. Cascarino Ken E. Sigler and James L. Rainey, III ISBN 978-1-4987-3714-2 ISBN 978-1-4987-3731-9 Fighting Corruption in a Security and Auditing of Smart Devices: Global Marketplace: Managing Proliferation of How Culture, Geography, Language Confidential Data on Corporate and Economics Impact Audit and Fraud and BYOD Devices Investigations around the World Sajay Rai and Philip Chuckwuma Mary Breslin ISBN 9781498738835 ISBN 978-1-4987-3733-3 Software Quality Assurance: Investigations and the CAE: Integrating Testing, Security, The Design and Maintenance and Audit of an Investigative Function Abu Sayed Mahfuz within Internal Audit ISBN 978-1-4987-3553-7 Kevin L. Sisemore The Complete Guide to ISBN 978-1-4987-4411-9 Cybersecurity Risks and Controls Internal Audit Practice from A to Z Anne Kohnke, Dan Shoemaker, Patrick Onwura Nzechukwu and Ken E. Sigler ISBN 978-1-4987-4205-4 ISBN 978-1-4987-4054-8 Leading the Internal Audit Function Tracking the Digital Footprint of Breaches Lynn Fountain James Bone ISBN 978-1-4987-3042-6 ISBN 978-1-4987-4981-7 The Whole Person Project, Inc., Elmont, New York, USA CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2016 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Version Date: 20160413 International Standard Book Number-13: 978-1-4987-3851-4 (eBook - PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmit- ted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright. com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com Contents Preface.......................................................................................................................ix Acknowledgments ..................................................................................................xiii Author ......................................................................................................................xv Chapter 1 How to Get the Most from This Book..................................................1 Chapter Contents at a Glance ...............................................................1 The Book at a Glance ...........................................................................1 Overview of the Five Tier Audit Competency Model ..........................3 Tier 1: Audit Methodology ..............................................................4 Tier 2: Documenting Audit Results at Each Step in the Methodology ....................................................................................4 Tier 3: Project Management ............................................................5 Tier 4: Managing Audit Team Members .........................................5 Tier 5: Managing Constituent Relations ..........................................5 Some Definitions before We Start ........................................................6 Change Management ............................................................................6 How to Effect Personal Change .......................................................6 The Value of Focusing on Behavior ................................................7 Three Categories of Change ............................................................8 How Individuals React to Change ...................................................9 Specific Ways to Increase Acceptance of Change .........................11 Why Change Is Never Easy ...........................................................12 Why Targeting the Right Behavioral Change Is So Important .....13 Why Change Is Even More Difficult in Audit Departments .........14 Keys to Achieving Sustained Change ...........................................16 Chapter Summary ..............................................................................16 Quiz ....................................................................................................17 Chapter 2 Techniques for Planning Useful Audits .............................................19 Chapter Contents at a Glance .............................................................19 Definition and Benefits of the Critical Linkage™ .............................21 Applying the Critical Linkage™ ...................................................21 An Example of the Critical Linkage™ in Action ..........................25 Audit Planning Techniques ................................................................25 How to Understand the Entity under Review ................................25 Where to Get Information about the Process under Review .........27 Other Tips for Efficiency during the Planning Phase ....................31 Data-Collection Interviewing: The Funnel Approach .......................32 Putting It All Together to Set the Scope and Objectives ....................36 v vi Contents Managing Your Time Effectively while Planning .............................36 Estimating Time Requirements .....................................................36 Actions to Take for Better Estimates .............................................37 Chapter Wrap-Up ...............................................................................38 Chapter Summary ..............................................................................38 Quiz ....................................................................................................39 Chapter 3 Techniques for Detailed Risk and Control Assessment .....................43 Chapter Contents at a Glance .............................................................43 Just What Is Inherent Risk? ................................................................45 Using the Risk Mental Model ........................................................46 Common Risk Categories ..............................................................47 Two Categories to Exclude When Identifying Inherent Risk.............52 Exercise 3.1: Which of the Following Describe Risk Events?.......54 Exercise 3.2: Determining Root Cause .........................................55 Tips for Analyzing the Inherent Risks ..........................................55 Understanding the Nature of the Risk ...........................................55 Risk’s Effect: Assessing a Risk’s Consequences................................56 Prioritizing Risks: Defining the Terms .........................................57 Ten Key Questions to Ask to Assess Risk .....................................60 Tips for Documenting the Risks ....................................................61 Control Assessment ............................................................................62 Understanding Controls .................................................................62 Managing Risks Using Controls ....................................................62 Monitoring and Control Activities ................................................62 Criteria for Assessing the Adequacy of Control Design ...............63 Types of Controls ...............................................................................65 Tips for Writing about Controls in Narratives ...................................70 Chapter Wrap-Up ...............................................................................71 Chapter Summary ..............................................................................71 Quiz ....................................................................................................71 Chapter 4 Testing and Sampling Techniques ......................................................73 Chapter Contents at a Glance .............................................................73 Testing Techniques .............................................................................74 Types of Testing .............................................................................75 A Step-by-Step Approach to Developing Control Tests for Operating Effectiveness .....................................................................77 Audit Sampling Techniques ...............................................................83 Chapter Wrap-Up ...............................................................................88 Chapter Summary ..............................................................................88 Quiz ....................................................................................................88 Contents vii Chapter 5 Documentation and Issue Development: The Building Blocks for Effective Audit Reports ................................................................91 Chapter Contents at a Glance .............................................................91 General, Four-Step Writing Process...................................................93 General Criteria for Written Communication ...............................94 Documenting the Audit: Getting Started ...........................................94 Mind-Mapping Approach ..............................................................95 “Stream of Consciousness” or “Don’t Edit while Writing” Approach .......................................................................................96 Chronological Approach ...............................................................96 Attention Grabbing Approach .......................................................96 Rational Approach .........................................................................97 Devil’s Advocate Approach ...........................................................97 Tips for Effective Summary Writing..................................................97 Issue Development ..............................................................................99 Guidelines for Identifying Issues.................................................103 Effective Audit Documentation Techniques ....................................107 Questions to Ask Yourself When Documenting Findings ..........107 Your Role in Preparing Audit Reports ........................................107 Four Secrets to Accelerated Report Issuance ..............................108 Chapter Wrap-Up .............................................................................109 Chapter Summary ............................................................................110 Quiz ..................................................................................................110 Chapter 6 Core Competencies You Need as an Auditor ...................................113 Chapter Contents at a Glance ...........................................................113 Executive Presence in Audit .............................................................114 Critical Thinking: What Is It? ..........................................................116 Ways to Increase Critical Thinking Ability ................................117 General Guidelines for Managing Your Time .................................119 Tips for Managing up the Ladder .....................................................122 General Ways to Organize the Message You Want to Communicate ...................................................................................122 Planning Effective Meetings ............................................................124 Building Your Facilitation Skills .....................................................125 Reporting on an Audit’s Status.........................................................126 Chapter Wrap-Up .............................................................................128 Chapter Summary ............................................................................128 Quiz ..................................................................................................128 Chapter 7 Techniques for Managing the Audit Team .......................................131 Chapter Contents at a Glance ...........................................................131 Delivering Feedback.........................................................................134 viii Contents Tips for Preparing to Deliver TACTful Feedback .......................136 Tips for Managing a Multigenerational Workforce ..........................138 Leaders and Managers .....................................................................138 Building and Motivating Teams .......................................................140 Practical Ways to Build Your Team now (or Once You Get One).......................................................................................140 Tips for Getting Teams to Perform ..............................................143 How to Delegate ..........................................................................143 Tips for Motivating Others without Money .................................145 How to Create Organizational Change ........................................146 Chapter Summary ............................................................................147 Quiz ..................................................................................................148 Chapter 8 Techniques for Managing the Constituent Relationship ..................151 Techniques for Achieving a Positive First Impression .....................152 Tips for Making Small Talk ........................................................154 Influencing Techniques ....................................................................157 Strategies for Increased Influencing Ability ................................158 Dealing with Different Behavioral Styles ...................................159 Diagnosing Others’ Styles ...........................................................162 Delivering Technical Information to Nontechnical People ..............163 Five Tips for Making the Abstract Concrete ...............................163 Techniques for Delivering Bad News ..........................................165 Tips to Soften the Blow ....................................................................166 Techniques for Overcoming Objections ......................................167 Fundamental Rules for Handling Objections ...................................167 Exercise 8.1: Overcoming Constituent Objections to Issues ............169 Tips for Managing the Constituent Relationship Efficiently .......169 Chapter Wrap-Up .............................................................................170 Chapter Summary ............................................................................171 Quiz ..................................................................................................171 Chapter 9 Chapter Quiz Answers .....................................................................173 Chapter 1: How to Get The Most from This Book ...........................173 Chapter 2: Techniques for Planning Useful Audits ..........................173 Chapter 3: Techniques for Detailed Risk and Control Assessment .....174 Chapter 4: Testing and Sampling Techniques ..................................175 Chapter 5: Documentation and Issue Development .........................175 Chapter 6: Core Competencies You Need as an Auditor .................176 Chapter 7: Techniques for Managing the Audit Team .....................176 Chapter 8: Techniques for Managing the Constituent Relationship......177 Bibliography .........................................................................................................179