TRIALS AND TRANSFORMATION - IIA FIJI
FEBRUARY 2019. A PUBLICATION OF THE IIA. INTERNAL AUDITOR (INTERNALAUDITOR.ORG)

TRIALS AND TRANSFORMATION
Ten years after the global economic crisis, the internal audit profession is strong and ready to take on new challenges. Richard F. Chambers, IIA President and CEO
FEBRUARY 2019 VOLUME LXXVI: I

FEATURES

24 COVER: Trials and Transformation. Ten years ago, amidst unprecedented economic upheaval, Richard Chambers became The IIA’s president and CEO. The internal audit profession has changed much since then, he says, and it will need to continue to evolve. BY ANNE MILLAGE

30 Building the Audit Function. A strategic, measured approach to setting up shop can produce lasting results and strong relationships. BY NEIL HODGE

36 The Audit Committee Connection. Internal audit’s ability to serve as a trusted advisor to its primary stakeholder is key to organizational success. BY SETH PETERSON

42 Beneath the Data. Auditing with self-service business intelligence tools can help practitioners mine the organization’s data sources and provide greater assurance. BY CHRISTOPHER KELLY AND JAMES HAO

48 An Audit of Strategy. Four questions can help internal auditors ensure an effective strategic management process, the backbone of organizational success. BY MATEJ DRAŠCEK, ADRIANA REJC BUHOVAC, AND GAVIN LAWRIE

53 7 Practices for Better Audit Outcomes. The U.S. Department of Homeland Security follows guidelines that improve the auditor–auditee relationship. BY JIM H. CRUMPACKER

DOWNLOAD the Ia app on the App Store and on Google Play! FOR THE LATEST AUDIT-RELATED HEADLINES visit InternalAuditor.org
FEBRUARY 2019 VOLUME LXXVI: I

DEPARTMENTS

PRACTICES
10 Update: Basel compares cyber plans; businesses fear digital competitors; and criminals recruit money mules.
14 Back to Basics: Opening and closing meetings are key to successful audits.
16 ITAudit: IT auditors prove their worth as trusted advisors.
19 Risk Watch: Audit’s role in addressing cyber risk is evolving.
22 Fraud Findings: A sales rep capitalizes on weak internal controls.

INSIGHTS
57 Board Perspectives (NEW): Audit committees and CAEs work best when they work together.
59 The Mind of Jacka: Practitioners are more than just auditors.
60 Eye on Business: Providing foresight is a must for internal audit.
64 In My Opinion: The right approach to client conversations can enhance internal audit’s value.

7 Editor’s Note
8 Reader Forum
63 Calendar

ONLINE (InternalAuditor.org)
Agile Planning: With today’s rapidly shifting business priorities, established audit plans may need to be reshuffled quickly to meet stakeholder demands. Are CAEs up to the challenge?
Disruptive Leadership: Watch Citigroup Chief Auditor Mary McNiff explain the need for audit leaders to practice disruption, emphasizing its key role in talent management and innovation.
Assurance in the Privacy Regulatory Age: Internal audit can help ensure the organization complies with the new wave of privacy regulations.
Fleecing the Crowd: Despite crowdfunding’s good intentions, some campaigns may be raising money for fraud.

Internal Auditor ISSN 0020-5745 is published in February, April, June, August, October, and December. Yearly subscription rates: $75 in the United States and Canada, and $99 outside North America. No refunds on cancellations. Editorial and advertising office: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. Copyright © 2019 The Institute of Internal Auditors Inc.
Change of address notices and subscriptions should be directed to IIA Customer Service, +1-407-937-1111. Periodicals postage paid in Lake Mary, Fla., and additional offices. POSTMASTER: Please send form 3579 to: Internal Auditor, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL, 32746, U.S.A. CANADA POST INTERNATIONAL: Publications Mail (Canadian Distribution) Sales Agreement number: 545880; GST registration number: R124590001. Opinions expressed in Internal Auditor may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by authors’ employers or the editor of this journal. Internal Auditor does not attest to the originality of authors’ content.
Editor’s Note
10 YEARS ON

I look back at late 2008 and early 2009 as the most difficult time of my 18-year career with The IIA. It was the one time I was forced to let team members go, and to watch friends and co-workers lose their jobs through no fault of their own. At the time, the global economic crisis was making its way through organizations, and The IIA was not spared. The Institute was forced to part with more than 40 employees despite efforts by leadership to steady the ship.

As that difficult time was beginning, The IIA’s Board of Directors brought in Richard Chambers as The Institute’s ninth president. Chambers, along with the Board, worked closely with IIA staff members to identify areas where The IIA could cut costs and grow revenue. “Those early months of 2009 were really spent working collaboratively,” Chambers says, adding that the process “really exemplified the very best of who we are.”

Ten years on, I had the opportunity to sit down with Chambers at The IIA’s Headquarters in Lake Mary, Fla. He reflected on those challenging days, discussing how The IIA and the internal audit profession responded to the financial crisis and how both have grown in scope and influence since then. In “Trials and Transformation” (on page 24), Chambers notes, however, that there is much room for improvement when it comes to internal audit’s value proposition. For example, he points out the need for practitioners to fully embrace the International Standards for the Professional Practice of Internal Auditing and learn to provide foresight on risks to the organization.

In “The Forward-looking Auditor” (on page 60), Shawn Stewart of Grant Thornton and Sandy Pundmann of Deloitte take the internal audit foresight discussion further, delving into just what it will take for internal auditors to succeed in this area. “If successful, internal auditors have an opportunity to inform and shape the critical decisions that their management teams must make,” Stewart says.

Among those decision-makers is the audit committee, which is the focus of Internal Auditor’s new department, “Board Perspectives,” on page 57. We have revamped and renamed “Governance Perspectives” to focus on the expectations of internal audit’s stakeholders — the board and audit committee. The department is written from the perspective of the audit committee, featuring committee members sharing their views on how internal audit can provide value to them and the organization. These leaders also will discuss the audit committee’s oversight responsibilities, ways to align internal audit with the audit committee, and timely business events in which audit committees and internal audit should be involved. Matt Kelly, editor and CEO of Radical Compliance, is the author of the new department. Let us know what you think!

@AMillage on Twitter

FEBRUARY 2019 INTERNAL AUDITOR 7
Reader Forum
WE WANT TO HEAR FROM YOU! Let us know what you think of this issue. Reach us via email at editor@theiia.org. Letters may be edited for clarity and length.

The Danger of Underthinking
I recognize a number of these issues — as I am sure many auditors do — and they are some of the reasons audit is not as value adding and productive as it could be. However, there is an irony when we hear of a book about overthinking that is followed by seven things not to do. In other words, arguably overthinking, itself. As I see it, we need to be wary of all thought traps — overthinking and overcomplicating things — but we also need to be wary of underthinking: doing superficial work, not making our work relevant to the business, and not getting below the surface of what causes issues to recur (e.g., root causes). It takes brains, teamwork, and good communication to get the right balance of thoughtful but practical and rigorous but not overcomplicated. Let’s think critically about any book with an overly simplistic answer to all our challenges.
J. PATERSON comments on Murray Wolfe’s “Breaking Free of Mental Traps” (December 2018).

Being Relevant to Management
I think the key is not for internal audit to focus on the biggest risks, but, instead, to focus on the top value creation and preservation objectives using an objective-centric risk assessment that links to strategy and performance. That will immediately make audit’s work more relevant to management, particularly if management’s compensation is linked to performance. If management and the board won’t allow internal audit to look at value creation, at least use an objective-centric risk assessment for the more traditional value preservation objectives.
TIM LEECH comments on the Chambers on the Profession blog post, “‘We Are Here to Help You’: Managing Relationships When Management Is Skeptical” (InternalAuditor.org).

Fear of Organizational Politics
From my observations, rather than ignoring organizational politics due to professionalism and ethical reasons, most of us are, in fact, afraid to become actively involved in it. Maybe because there is an inverse correlation between strong analytical skills and strong interpersonal ones. Whatever the reasons may be behind nonparticipation in organizational politics, it is a fact that our achievements are significantly affected by our skills to understand the organization’s “shadow activities” and use their dynamics. Of course, my comments refer only to positive politics.
ELTON XHAFA comments on the From the Mind of Jacka blog post, “I Hate Politics” (InternalAuditor.org).

FEBRUARY 2019 VOLUME LXXVI: I

EDITOR IN CHIEF Anne Millage
MANAGING EDITOR David Salierno
ASSOCIATE MANAGING EDITOR Tim McCollum
SENIOR EDITOR Shannon Steffee
ART DIRECTION Yacinski Design
PRODUCTION MANAGER Gretchen Gorfine
CONTRIBUTING EDITORS Wade Cassels, CIA, CCSA, CRMA, CFE; J. Michael Jacka, CIA, CPCU, CFE, CPA; Steve Mar, CFSA, CISA; Bryant Richards, CIA, CRMA; James Roth, PHD, CIA, CCSA, CRMA; Charlie Wright, CIA, CPA, CISA
EDITORIAL ADVISORY BOARD Dennis Applegate, CIA, CPA, CMA, CFE; Lal Balkaran, CIA, FCPA, FCGA, FCMA; Andrew Bowman, CPA, CFE, CISA; Mark Brinkley, CIA, CFSA, CRMA; Robin Altia Brown; Adil Buhariwalla, CIA, CRMA, CFE, FCA; Wade Cassels, CIA, CCSA, CRMA, CFE; Faizal Chaudhury, CPA, CGMA; Daniel J. Clemens, CIA; Michael Cox, FIIA(NZ), AT; Haylee Deniston, CPA; Kayla Flanders, CIA, CRMA; James Fox, CIA, CFE; Michael Garvey, CIA; Jorge Gonzalez, CIA, CISA; Nancy Haig, CIA, CFE, CCSA, CRMA; Daniel Helming, CIA, CPA; Karin L. Hill, CIA, CGAP, CRMA; J. Michael Jacka, CIA, CPCU, CFE, CPA; Sandra Kasahara, CIA, CPA; Michael Levy, CIA, CRMA, CISA, CISSP; Merek Lipson, CIA; Thomas Luccock, CIA, CPA; Michael Marinaccio, CIA; Alyssa G. Martin, CPA; Dennis McGuffie, CPA; Stephen Minder, CIA; Rick Neisser, CIA, CISA, CLU, CPCU; Hans Nieuwlands, CIA, RA, CCSA, CGAP; Manish Pathak, CA; Bryant Richards, CIA, CRMA; Jeffrey Ridley, CIA, FCIS, FIIA; James Roth, PHD, CIA, CCSA; Katherine Shamai, CIA, CA, CFE, CRMA; Debora Shelton, CIA, CRMA; Laura Soileau, CIA, CRMA; Jerry Strawser, PHD, CPA; Glenn Sumners, PHD, CIA, CPA, CRMA; Stephen Tiley, CIA; Robert Venczel, CIA, CRMA, CISA; Curtis Verschoor, CIA, CPA, CFE; David Weiss, CIA; Scott White, CIA, CFSA, CRMA; Rodney Wright, CIA, CPA, CFSA; Benito Ybarra, CIA
IIA PRESIDENT AND CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA
IIA CHAIRMAN OF THE BOARD Naohiro Mouri, CIA, CPA

CONTACT INFORMATION
ADVERTISING advertising@theiia.org, +1-407-937-1109; fax +1-407-937-1101
SUBSCRIPTIONS, CHANGE OF ADDRESS, MISSING ISSUES customerrelations@theiia.org, +1-407-937-1111; fax +1-407-937-1101
EDITORIAL David Salierno, david.salierno@theiia.org, +1-407-937-1233; fax +1-407-937-1101
PERMISSIONS AND REPRINTS editor@theiia.org, +1-407-937-1232; fax +1-407-937-1101
WRITER’S GUIDELINES InternalAuditor.org (click on “Writer’s Guidelines”)

Authorization to photocopy is granted to users registered with the Copyright Clearance Center (CCC) Transactional Reporting Service, provided that the current fee is paid directly to CCC, 222 Rosewood Dr., Danvers, MA 01923 USA; phone: +1-508-750-8400. Internal Auditor cannot accept responsibility for claims made by its advertisers, although staff would like to hear from readers who have concerns regarding advertisements that appear.

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS INC.
Update
Digital capabilities are executives’ top risk… Low cost for cybercriminals… Stakeholders’ internal audit expectations… “Mules” and money laundering.

AI STEWARDSHIP
Businesses are acting to ensure responsible use of artificial intelligence (AI).
64% Boost AI security with validation, monitoring, and verification.
61% Create transparent, explainable, and provable AI models.
55% Create systems that are ethical, understandable, and legal.
52% Improve governance with AI operating models and processes.
47% Test for bias in data, models, and human use of algorithms.
Source: PwC, 2019 AI Predictions

BASEL GAUGES CYBER RESILIENCE
International standards-setter reviews cybersecurity practices.

A Basel Committee on Banking Supervision report compares bank, regulatory, and supervisory cyber resilience practices across the committee’s member jurisdictions. Cyber-resilience: Range of Practices draws from analysis of authorities’ responses to previous surveys and exchanges between international experts. The report aims to help banks and supervisors “navigate the regulatory environment” and identify “areas where further policy work by the committee may be warranted.”

The Basel Committee classifies its review of cyber resilience along four main categories: governance and culture, cyber risk assessment and management, communication, and interconnections with third-party service providers. Within these areas, the research summarizes current challenges and initiatives along 10 key findings, illustrated by case studies.

Among its findings, the committee reports that most supervisors leverage existing standards for their cyber resilience efforts, including the International Organization for Standardization’s ISO 27000 and the U.S. National Institute of Standards and Technology Cybersecurity Framework. And while the report notes supervisory practices converge in areas such as governance and testing, technical specifications and cybersecurity expertise differ across jurisdictions.

The report also found high levels of maturity within IT and operational risk management practices, pointing out that banks leverage these practices to address cyber risk and supervise cyber resilience. In particular, the report notes, “Jurisdictions expect banks to have a strategy and framework to comprehensively map and actively manage their IT system architecture.” Still, the report finds that banks generally do not have a board-approved strategy that clearly defines cyber risk appetite and tolerance. — D. SALIERNO

FEAR THE DIGITAL COMPETITORS
Digital uncertainty heads executives’ top 2019 risks.

Nimble, “born digital” companies are coming after their business — that’s the top risk keeping business leaders up at night. And they are concerned their organizations aren’t ready to compete, according to Executive Perspectives on Top Risks 2019. The report from North Carolina State University’s ERM Initiative and Protiviti is based on a survey of more than 800 board members, CEOs, and senior executives.

Specifically, respondents worry their organizations can’t adjust their existing infrastructure and operations to meet performance expectations, the report notes. That concern is multifaceted, comprising uncertainty about the organization’s digital readiness, ability to keep pace with changing market realities, and lack of innovative thinking about its business model.

Meanwhile, new competitors are scaling up digital business models and “redefining” the customer experience so quickly that established organizations don’t see it coming. Such disruptive competition could spell doom for organizations that can’t adjust their business models and core operations, warns Jim DeLoach, a managing director at Protiviti. “Strategic error in the digital economy can result in the ultimate price, if a company continues to play a losing hand in the marketplace,” he says. — T. MCCOLLUM

55% OF FINANCIAL SERVICE PROFESSIONALS CITE GEOPOLITICAL RISK in areas such as China, the Middle East, and emerging markets as a top industry risk for 2019. 49% IDENTIFY BREXIT AS A TOP RISK. “It is critical that firms continue to remain vigilant to anticipate and prepare for not only these emerging risks, but the potential cascading effects that may arise from an increasingly interconnected financial system,” says Michael Leibrock, chief systemic risk officer for the Depository Trust & Clearing Corp. (DTCC). Source: DTCC, 2019 Systemic Risk Barometer Survey

MAKING CRIME PAY
Hackers need little money to cost victims millions.

Criminals responsible for companies losing millions of dollars in coordinated cyber attacks are making the most of a small investment. For as little as $34 a month, a criminal business could return up to $25,000. A monthly operating investment of $3,800 could yield up to $1 million per month, according to Deloitte’s threat study, Black Market Ecosystem: Estimating the Cost of “Pwnership.” Pwnership is gaming community slang that describes the act of dominating or defeating an opponent impressively.

The study points out that almost every criminal enterprise uses multiple related, but discrete, tools and services purchased on the black market. It identifies the most commonly used tools and services, their average estimated costs, the tools required to operate real-world criminal businesses, and the estimated operating costs of various cybercrime businesses. Keith Brogan, managing director with Deloitte, says it is important “to review and compare these criminal businesses to help identify which exploits are the most affordable and lucrative for them to pursue.”

When Deloitte modeled enterprise operations for comparison, it found that the most affordable approach is phishing kits, while a campaign that uses several types of malware is the most expensive. It determined this by looking at the most common services, tools, and enablers independently, and calculating the average cost in each category. Researchers then identified which are necessary to perform common malicious activities to establish how the tools and services are related to one another.

Rather than focusing on taking down specific tools, organizations are better off detecting certain types of behavior, the report asserts. To challenge the criminal’s cost-benefit scenario, organizations can monitor activities and alter security controls based on tactics, techniques, and procedures — gleaned from threat intelligence — that require criminals to reinvent their operations from scratch. — S. STEFFEE

HIGH EXPECTATIONS
Audit committees need internal audit to help them navigate disruptive risks, says National Association of Corporate Directors President and CEO Peter Gleason.

What do audit committees expect of internal audit in 2019? Given the current political and economic uncertainty, progressive audit committees will have their internal audit teams probe the effectiveness of management’s scenario planning and operating assumptions that underpin corporate strategy. In particular, they would like internal audit to test the effectiveness of controls and processes related to the management of political risk.

Recognizing the significant investments made in shoring up corporate defenses, audit committees would like to get better assurances that cybersecurity programs are effectively designed and implemented and whether appropriate controls are in place. Similarly, they will expect internal audit to more thoroughly examine the effectiveness of data privacy programs in light of increased compliance requirements and reputational risk. Technology governance is rapidly becoming a major mandate for boards, who will turn to internal audit to better understand risks associated with emerging technologies.

Internal audit possesses a distinct view and perspective on a range of risks that are strategic to the company, and must find opportunities to contribute to board-level dialogue about disruptive risks that are likely to plague the company over the next one to two years.

THE MONEY MULES
Criminals are recruiting individuals to launder stolen funds.

A recent money-laundering sting by European police authorities has drawn attention to the use of “money mules” to hide the origin of stolen funds. The three-month enforcement action resulted in 168 arrests and the identification of more than 1,500 individuals allegedly involved in transferring funds between accounts, Europol reports.

Criminal organizations recruit money mules to move money through the individuals’ bank or payment accounts on their behalf. Europol says these individuals often are young, new to a country, and unemployed or in financial distress. Indeed, last year there was a 26 percent increase in the number of individuals under 21 acting as money mules, according to U.K. fraud prevention service Cifas. “Criminals are more and more turning to social media to recruit new accomplices,” through fake-job and get-rich-quick posts, Europol states. Cybercrime is the source of more than 90 percent of money mule transactions, Europol notes. — T. MCCOLLUM
Back to Basics
BY SCOTT FELTNER, EDITED BY JAMES ROTH + WADE CASSELS

OPENING AND CLOSING MEETINGS
Successful audits start and end with well-planned meetings.

Imagine attending an opening meeting for a scheduled audit. The audit topic is somewhat controversial and there has been pushback on the review’s timing. The auditor-in-charge worked hard to find time to get everyone to attend (8-10 people). The meeting is held in a huge conference room, so people are waving across the room and jokingly asking, “How’s the weather over there?” There is anticipation mixed with nervousness and anxiety as the auditors introduce themselves. The auditor-in-charge turns on the projector and forwards through the 12 slides in the opening meeting slide deck in about five minutes. She asks if there are any questions (there are none) and thanks them for their time. The group proceeds to exit the conference room feeling deflated. Everyone thinks, “What was the point of that?”

Now imagine attending a closing meeting for a different audit that went well. The clients are engaged with the issues internal audit finds and want to use the audit to help drive improvements in their business. The meeting is held in a huge training room set up with circular tables suitable for 36 people. The auditor-in-charge had difficulty aligning everyone’s schedules, so the meeting is held at 4 p.m. on Friday. Six of the 18 people call in to attend the meeting while the rest sit at the back of the room. Unfortunately, the auditor-in-charge shows up just five minutes before the meeting starts and has multiple issues with the technology — he neglects to bring an adapter for the laptop and doesn’t know how to use the projector. As a result, the meeting starts 15 minutes late. Two slides in, the meeting is derailed by someone on the phone asking a question, resulting in a five-minute side conversation between the auditor-in-charge and the person on the phone as the others disengage into side conversations or checking their phones and laptops.

Many times, internal audit takes opening and closing meetings for granted and just goes through the motions to conduct them. The difference between meetings that are successful and meetings that are not is preparation and clear objectives. Internal auditors can follow guidelines that will ensure these meetings are informative and engage their audit clients.

Prepare for the Meeting
The meeting room should be visited the day before the meeting to make sure it is appropriate for the number of people attending and that the auditor running the meeting understands how to use the technology in the room. If the auditor-in-charge is uncomfortable speaking in front of people, he or she should rehearse the entire meeting.

SEND BACK TO BASICS ARTICLE IDEAS to James Roth at jamesroth@audittrends.com

TO COMMENT on this article, EMAIL the author at scott.feltner@theiia.org

CONDUCTING EFFECTIVE MEETINGS
Because the opening meeting can set the tone for the audit and the closing meeting is a crucial last step in the audit process, internal auditors can benefit from tips to run the meetings in the most professional manner possible.
»» Consider your appearance at the meetings. Because internal audit is positioning itself as a competent team of professionals, they should look the part and dress appropriately.
»» Never sit opposite the clients in an “us vs. them” setup. The audit team should mingle to make the meeting more collaborative.
»» Don’t use “auditee” or other internal audit jargon with clients or other meeting participants. The only people who use those words are auditors.
»» Never read directly from the slides or the audit report. Points should be made as if the auditor is having a conversation. Use the slide deck and audit report as a guide, not a crutch. If an auditor is unable to do that, then he or she has not prepared well enough for the meeting.
»» Remarks should be addressed to the most senior (nonaudit) person in the room. This is simply good etiquette.
»» Be culturally sensitive. In the U.S., staff members present their own findings as a development opportunity. In other countries, the senior member of the audit team is expected to do so. There may be some other cultural etiquette for meetings, as well. Internal auditors should always research cultural norms if they are presenting in another country.
»» The auditor-in-charge should stand up during the meeting, if appropriate. Standing reinforces that he or she is facilitating the discussion.

Make Your Objective Clear
A meeting must have a specific and defined purpose. Before sending that calendar invitation, ask yourself: What do I want to accomplish? This should be shared ahead of time with the client.

Consider Who Is Invited
Think about who really needs to be in the meeting. When people feel that what’s being discussed isn’t relevant to them, or that they lack the skills or expertise to be of assistance, they’ll view their attendance as a waste of time. If there are any doubts about certain attendees, make them optional and let them decide whether to attend.

Stick to the Schedule
Create an agenda (or slide deck, in this case) that lays out everything that will be covered in the meeting, along with a timeline that allots a certain number of minutes to each item, and email it to people in advance.

Be Assertive
If one person is monopolizing the conversation — the fastest way to derail a meeting — call him or her out delicately. For example, “We appreciate your contributions, but let’s get some input from others.” Establishing ground rules early on will create a framework for how the group functions. Internal audit is in charge of the meeting. Discussions of risk ratings, for example, can be a derailer that the auditor should consider discussing outside of the meeting.

Start on Time, End on Time
Knowing that time is valuable, do not schedule any meeting for more than an hour. Sixty minutes is generally the longest time people can remain truly engaged. A Harvard Business Review article, “The 50-minute Meeting,” suggests allowing 10 minutes of the 60 minutes for travel and administrative time. And if only 30 minutes is needed, don’t schedule an hour.

Ban Technology
Laptops and smartphones distract people from being focused on the meeting or contributing to it. Instead, they’ll be sending emails or surfing the web.

Note Action Items and Follow-up
So that everyone is on the same page, a follow-up email highlighting what was accomplished should be sent within 24 hours to all who attended. Document the responsibilities given, tasks delegated, and any assigned deadlines.

If opening and closing meetings seem repetitive and boring, consider the actors who perform in some Broadway plays for years. They strive to do every performance, even the 873rd, with the same passion as the first. They polish and perfect it each time. Clients deserve the best from internal auditors, and there will always be someone in the room who hasn’t seen the slide deck or been through an audit before. The right preparation can make these meetings valuable and productive for auditor and client.

SCOTT FELTNER, CIA, CISA, is vice president, internal audit, at Kohler Co. in Kohler, Wisc.
ITAudit
BY PAUL SLYE + CHRIS WELTER
EDITED BY STEVE MAR

TRUSTED FOR TECHNOLOGY
Nordstrom’s IT audit specialists pinpointed five areas to prove their worth as advisors.

Technology is a key enabler of business value. Internal auditors must be able to verify that these processes provide the intended return on investment and that technology risk decisions and resources are optimized. Without the necessary skills, auditors may not deliver the value that the business expects of them.

Most technology auditors at Nordstrom are integrated auditors — technologists with business degrees and years of consulting firm experience. They work as peers to three other unofficial designations of auditors: operations, business intelligence, and compliance.

Nordstrom uses two metrics to determine whether its technology auditors are trusted advisors: whether clients return to request internal audit’s services and whether the audit recommendations result in business value. To provide valuable counsel, technology auditors need to understand the emerging technologies with which their business partners are working as well as developments such as DevOps, the Internet of Things, and serverless architecture. In learning to provide such advice, technology auditors focused on five areas.

Cybersecurity and Privacy
Most industries consider cybersecurity and privacy to be inherently high risks. As a company that relies on technology, Nordstrom has hired professionals with cybersecurity certifications to consult and audit how to optimize its risk posture.

In turn, technology auditors have interpreted and applied controls from security frameworks to Nordstrom’s new, cloud-based environment. Two frameworks auditors use are the International Organization for Standardization’s ISO 27002 — Information Technology–Security Techniques–Code of Practice for Information Security Controls and the U.S. National Institute of Standards and Technology Cybersecurity Framework.

Auditors translate the security requirements of these frameworks into the language the audit clients use. For example, application teams have adopted a DevOps structure whereby any member of the team can make changes to production code. Auditors explained to the team the potential for unauthorized code change and the requirements contained in the security standards. That helped team members realize they should implement logging and file-integrity monitoring linked to change tickets as a compensating control to ensure that unauthorized changes would be detected immediately. As teams learn about security risk and controls, they make more risk-optimized decisions.

Technology Governance
Nordstrom’s internal auditors rely on ISACA’s COBIT 5 framework to evaluate technology governance maturity on a repeatable basis. Auditors merged COBIT 5 and ISO standards to create a framework specific to Nordstrom as a basis for audits. This framework enables auditors and audit clients to see where their activities fit into the big picture.

Having a framework has enabled the department to partner operational auditors with technology auditors to perform integrated audits on nontechnical aspects of technology governance. In one review, auditors provided assurance that technology projects were delivering the value promised in the business case. The auditors on the integrated audit expanded their knowledge by covering tech strategy, enterprise architecture, and performance measurement.

Data Science
Nordstrom’s auditors have written more compelling audit reports by testing 100 percent of populations using data science techniques. To write such reports, all auditors are expected to have basic knowledge of Microsoft Excel, statistics, and data validation. Internal audit leverages data extraction tools to obtain data for use in creating impactful issue statements in reports.

Data science tools are especially useful when joining two or more data sets (see “Beneath the Data” on page 42). In one project, internal audit extracted incident ticket information and linked it with information about problem tickets, root-cause analysis, and application IDs from multiple systems of record. To extract knowledge from these unique data sets, auditors used data visualization tools to tell the story of how well the company’s change-management controls were performing and if it was learning from the incidents. The client capitalized on the analysis to track how much progress was made since the report was delivered.

Robotic Process Automation
A recent development for Nordstrom’s internal auditors is the use of robotic process automation (RPA). Projects are advisory in nature and aligned with internal audit’s goal of identifying ways to reduce expense or work effort. Partnering with the company’s restaurant and tax divisions, auditors created robots to automate manual processes relevant to food and beverage licensing and entry of invoices. Through this automation, auditors reduced the clients’ payroll expenses.

Another example is the company’s user-access review and validation process. Auditors incorporated control owners’ control documentation into internal audit’s testing procedures and used RPA to test attributes. One test validated that users had their access revoked timely. RPA has enabled auditors to accomplish more testing within the same time frame.

Communication
Nordstrom’s technology auditors have focused on improving their verbal and written communication skills. To communicate effectively with the technology organization, the department’s IT audit director spent six months working directly for technology leaders before starting his role in internal audit. During this time, he learned those executives’ leadership and communication styles, which internal auditors now incorporate into their reports to increase their impact.

Auditors also have become persuasive communicators, effective negotiators, and great listeners. They have increased stakeholder buy-in by using data to buttress audit findings and action plans. Business partners now expect audit findings to be supported by data, even when the topic is difficult to quantify.

However, visualizing data is not required for all audit reports. Sometimes, visualizations cause the client to jump to assumptions without reading all the details. Some clients prefer to read the text instead. While audit reports should always focus on the most important risks and opportunities, auditors tailor the department’s report style to meet stakeholders’ desired format.

Earning Trust
To benefit the organization, internal audit needs to constantly develop staff members into trusted advisors and retain them. So far, Nordstrom’s efforts have:
»» Increased risk-focused conversations led by leadership, resulting in more effective controls.
»» Led to a cultural shift to spend time building technology risk mitigation strategies.

In the process, technology auditors have received high client satisfaction ratings as well as more requests from management to perform work. Moreover, management is more proactive in driving change about issues that auditors have identified, even before they receive audit reports. Once clients realize that an audit report can propel them faster toward achieving their objectives, they tend to become repeat clients and tell their peers throughout the organization.

PAUL SLYE, CISSP, CISA, is an internal audit manager at Nordstrom in Seattle.
CHRIS WELTER, CISA, is an audit principal II at Nordstrom.
TO COMMENT on this article, EMAIL the authors at paul.slye@theiia.org
SEND ITAUDIT ARTICLE IDEAS to Steve Mar at steve_mar2003@msn.com
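The compensating control described under Cybersecurity and Privacy, file-integrity monitoring reconciled to change tickets, can be expressed as a repeatable test. The following is an added example, not Nordstrom’s or the authors’ code; the record layouts, host names, paths and ticket numbers are constructed assumptions about what a FIM tool and a ticketing system export.

```python
"""
Reconcile file-integrity monitoring (FIM) events from production hosts against
approved change tickets. An event is authorized only when a ticket names the
same host and path tree and its approved window (plus a short grace period)
covers the timestamp; anything else becomes a finding for immediate follow-up.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    host: str
    path_prefix: str   # tree the ticket authorizes changes under
    start: datetime    # approved implementation window
    end: datetime


@dataclass(frozen=True)
class FimEvent:
    host: str
    path: str
    action: str        # "modified", "created", "deleted"
    observed: datetime
    actor: str         # account that made the change


@dataclass(frozen=True)
class Finding:
    event: FimEvent
    ticket_id: str     # nearest ticket for this host/path, "" if none exists
    reason: str


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def classify(event: FimEvent, tickets: List[ChangeTicket],
             grace: timedelta = timedelta(minutes=15)) -> Optional[Finding]:
    """Return None when an approved ticket covers the event, else a Finding.
    A change made under the right ticket but at the wrong time is reported
    separately from a change with no ticket at all, because triage differs
    (an overrunning deployment versus someone touching production unplanned)."""
    candidates = [t for t in tickets
                  if t.host == event.host and event.path.startswith(t.path_prefix)]
    for t in candidates:
        # grace tolerates a deployment that overruns by minutes, not hours
        if t.start <= event.observed <= t.end + grace:
            return None
    if candidates:
        nearest = min(candidates, key=lambda t: abs(t.start - event.observed))
        return Finding(event, nearest.ticket_id,
                       "change outside approved window of %s" % nearest.ticket_id)
    return Finding(event, "", "no approved change ticket covers this host and path")


def reconcile(events: List[FimEvent], tickets: List[ChangeTicket]) -> List[Finding]:
    """Run every FIM event through classify(); findings keep the event order."""
    return [f for f in (classify(e, tickets) for e in events) if f is not None]


# Constructed sample data: one approved release window and five observed changes.
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1001", "prod-web-01", "/var/www/app/",
                 ts("2019-02-05 02:00"), ts("2019-02-05 03:00")),
]
SAMPLE_EVENTS = [
    FimEvent("prod-web-01", "/var/www/app/config.yml", "modified",
             ts("2019-02-05 02:20"), "deploy-svc"),   # inside window: authorized
    FimEvent("prod-web-01", "/var/www/app/routes.py", "modified",
             ts("2019-02-05 14:47"), "jdoe"),         # right path, 12 hours late
    FimEvent("prod-web-01", "/etc/cron.d/backup", "created",
             ts("2019-02-05 02:30"), "jdoe"),         # path not covered by ticket
    FimEvent("prod-db-01", "/opt/db/pg_hba.conf", "modified",
             ts("2019-02-05 03:05"), "dbadmin"),      # host has no ticket at all
    FimEvent("prod-web-01", "/var/www/app/static/logo.png", "modified",
             ts("2019-02-05 03:10"), "deploy-svc"),   # within 15-minute grace
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_EVENTS, SAMPLE_TICKETS):
        print("%s %s %s by %s: %s" % (f.event.observed, f.event.host,
                                      f.event.path, f.event.actor, f.reason))
```

Run against the sample data, three of the five events are flagged; the in-window change and the one inside the grace period are not.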
Risk Watch
BY LYNN FOUNTAIN
EDITED BY CHARLIE WRIGHT

INTERNAL AUDIT’S EVOLVING CYBERSECURITY ROLE
Auditors need to become involved in helping their organizations address cyber risks.

Technology is progressing at such lightning speed that even IT specialists struggle to keep their fingers on the pulse of technological change. So how are internal auditors expected to adequately assess and examine the various risks emerging in this cyber age?

As technology continues to advance, internal auditing must evolve. For many years, internal audit departments relied on IT audit specialists as partners in integrated audits. Although those specialists focused on systems and technology, integrated audits worked best when operational and financial auditors knew what to look at from an IT perspective.

In today’s world, internal auditors cannot delegate responsibility to their IT departments or IT auditors. All auditors should have a solid understanding and awareness of more than just general and application controls. They should realize the technology risks and their potential impact.

One of the most prevalent issues organizations face today is the constant threat of cyberattacks. Every day there is some new threat, breach, or cybersecurity incident. It is now imperative that all internal auditors understand the underlying drivers as well as the nature and causes of cyber risks. With this knowledge, internal auditors can add significant value to the organization by assessing and helping management strengthen cybersecurity.

Knowledge Is Power
Yes, internal auditors know how to use a computer and a cell phone, but do they realize the risks these technologies pose? What you don’t know can hurt you! In today’s business environment, training on cybersecurity issues should be a basic curriculum expected of internal auditors. Training that is essential for internal auditors includes understanding:
»» The threat of cyber fraud to their organizations and the manner in which it could present itself.
»» Procedures that should be followed to assess cyber risk.
»» Types of new and existing breaches.
»» Various tools for managing cybersecurity issues.
»» Methods to prioritize assets at risk for protection plans.
»» Methods to appropriately allocate resources to protect assets.

Understand Cyber Risk Frameworks
Organizations need to understand and use a structured cyber risk framework to mitigate threats. Although there are several frameworks, some organizations may focus on a specific framework, depending on their industry. One of the most widely used frameworks is the U.S. National Institute of Standards and Technology’s
(NIST’s) Cybersecurity Framework. The framework directs organizations to use a standard protocol in their cybersecurity efforts to identify and protect assets, and respond to and recover from incidents.

Identify and Protect Assets at Risk
The NIST framework recommends that organizations identify assets within the organization that are most susceptible to cyber threat. Next, it advises organizations to prioritize assets for protection, and develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.

Identifying and protecting assets is similar to other risk assessment processes and is an area in which internal auditors can provide valuable insight to help protect their organizations. Auditors can help their organization by:
»» Following a structured approach to perform a top-down assessment.
»» Evaluating cyber risks within individual audits.
»» Assessing the organization’s capabilities to manage assets that might be impacted by a cyber risk event.
»» Evaluating whether management and the board have developed a comprehensive cybersecurity strategy.
»» Fully integrating cyber risks into the annual audit plan.
»» Determining whether management is using the most effective process to prioritize assets for protection and allocate resources.

Monitor Detection Procedures
Detecting cyber threats is the third component the NIST framework recommends. Once assets have been identified and protected, the organization should develop and implement appropriate activities to take action when a cybersecurity event is detected.

As with The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework monitoring component, performing detection procedures is management’s responsibility. However, internal auditors can test detection procedures to ensure they are designed appropriately.

Management should follow a well-devised protocol to develop, design, and implement detection procedures. Auditors can review and test that protocol and ensure detection procedures are addressing the most vulnerable assets. This act requires auditors to collaborate with management to fully understand the procedures used in the design phase and in identifying which assets are prioritized as higher risk.

Respond to Incidents
This component of the NIST framework includes activities to undertake when the organization has detected a cybersecurity incident. The objective is to contain the incident’s impact on the organization.

Compare a cybersecurity incident to a fire. Both are “all hands on deck” events. If management has not structured a cyber risk program appropriately, there may be many reactive actions and ad-hoc approaches to plugging the gaps. Internal auditors can be important consultants in this situation.

Often when a breach occurs, management looks for the quick fix. This may not always be the best solution. The response must consider not just the tactical steps taken to fix the problem but all of the ancillary communication and documentation that is required. In this circumstance, internal auditors can provide an independent perspective and guide management on the best path to follow to respond to the incident. But to be helpful, auditors must understand the technology issues as well as the incident-response processes.

Use Recovery to Learn Lessons
Recovering from a cybersecurity incident is comparable to recovering from an illness. When a person discovers he or she has a serious illness, all focus is placed on acting to respond to the illness. At that point, the mindset is survival rather than recovery.

As defined by NIST, the recovery phase occurs after the organization has responded to a breach. This phase includes identifying activities to maintain plans for resilience and to restore any services that were impaired due to a cybersecurity incident. The organization must be able to constructively review what occurred and extract appropriate lessons learned from the incident. Then the organization must incorporate those lessons into its current response protocol.

By assessing the lessons learned from an incident, internal audit can contribute to the ongoing viability of the organization’s cybersecurity incident plan. This assessment can assist the organization in evaluating gaps in how assets were identified and prioritized, how protection procedures were prioritized and executed, how detection procedures were implemented, and how response procedures were put into effect.

Internal Audit’s Expertise
The NIST Cybersecurity Framework’s guidance is just a sample of important concepts to understand. As technology evolves, so do the duties of internal auditors. The profession needs to step out of its comfort zone and insert its expertise into addressing cyber risk.

LYNN FOUNTAIN, CRMA, CPA, CGMA, is an internal control, risk management, and business process consultant in Overland Park, Kan.
TO COMMENT on this article, EMAIL the author at lynn.fountain@theiia.org
SEND RISK WATCH ARTICLE IDEAS to Charlie Wright at charliewright.audit@gmail.com
Fraud Findings
BY GRANT WAHLSTROM + ANISA CHOWDHURY
EDITED BY BRYANT RICHARDS

THE PHONY CUSTOMER FRAUD
An unscrupulous employee reaps the benefits of weak internal controls.

Brightstar Corp. is a solar panel company with an annual revenue of $4.5 billion. It had recently acquired Solarstar Inc., a smaller competitor. Both companies employ commission-only sales representatives; however, commission plans vary between the companies. Brightstar pays sales representatives upon the installation of a solar panel system, while Solarstar’s commission plan pays half a commission upon the signing of a customer contract. The remaining commission is paid after installation of the system. If the customer cancels the installation, the commission already paid is clawed back against future commissions.

Robert Schull and Alysa Cayden, Brightstar’s forensic audit team, were conducting a training session with the recently hired director of compensation, Lisa Myers, on fraud schemes perpetrated by sales representatives. At the end of the presentation, Myers approached Schull and Cayden to discuss her concerns about Eddie Fogbottom, a sales representative in the Austin, Texas, market.

Fogbottom was a rising superstar at Solarstar. Before joining the company, he was an executive in loss prevention at several large publicly traded companies. He had incredible success as a sales representative and was recently promoted into a highly sought-after manager role within the company’s national sales team. Shortly after accepting his new position, 39 of Fogbottom’s sales were cancelled, representing $10,000 in commissions that would need to be clawed back. Because it was such a large amount, Myers contacted him to discuss a repayment plan.

Fogbottom told Myers that the company could not claw back the commissions. When he was promoted, he had a clause written into his offer letter allowing him to keep all commissions for prior sales, even if customers cancelled their accounts. Myers suspected fraud.

Solarstar uses electronic contracts, which are emailed to the customer only when completed. The customer reviews the contract, and electronically signs and returns it. Contracts are not legally binding until the contract is returned and a down payment is received. An electronic time and date stamp is recorded on the contract as well as the customer’s computer internet protocol (IP) address.

Schull and Cayden began reviewing the cancelled contracts. The team identified several days where Fogbottom sold products to multiple customers in what appeared to be strip malls in the Austin market. What caught the attention of Schull and Cayden was the fact that the contracts were signed and returned within several minutes of each other. Even more perplexing, the contracts were returned from the same IP address.

The team began conducting customer service calls to the alleged customers to determine why they cancelled their purchases. Surprisingly, none of the phone numbers documented on the contracts were in service. In addition, an internet review of the customers revealed that not a single customer had an internet presence.

The investigation team turned their attention to the down payments received on the contracts. Solarstar required its sales representatives to collect a down payment when a customer signed a contract. The sales representative would document the collection in the company’s order system. If the down payment was paid with a check, the sales representative would bring the check into the local sales office to be compiled and sent to the company’s lockbox. A review of the order system revealed that Fogbottom documented that checks were obtained during the contracting process, but none of them had been received in the lockbox.

Cayden reviewed the customer sites using Google Earth. The review revealed that many of the customer locations did not appear to exist or had been constructed after Google’s last update. Schull enlisted the assistance of Brightstar’s area general manager, Michael Gonzalez. A 25-year Brightstar veteran and lifelong resident of Austin, Gonzalez accompanied Schull to the customer locations. It came as no surprise when Schull and Gonzalez found themselves standing in empty fields. Schull documented the visits with photos of the alleged customer sites.

Schull then reviewed Fogbottom’s employment history. An internet search revealed that Fogbottom had, in fact, worked for the organizations he had listed on his résumé. However, no references were listed in his employment file. Schull was suspicious about why a former loss prevention executive would accept an entry-level sales position.

Fogbottom was asked to come to the Austin office for an interview with Schull and Karol Vesey from human resources. Schull believed the interview would be challenging as Fogbottom had extensive interviewing experience in his loss prevention role. During the initial stages of the interview, Fogbottom presented himself as a professional loss prevention executive turned successful national sales manager. He bragged about his experience and connections to the community.

When presented with the photographs of the empty fields, Fogbottom’s demeanor changed. He alleged that a general contractor named Sal was constructing all three strip malls, and that the customers met him at a local coffee shop where they all completed their contracts in succession. Fogbottom could not remember Sal’s last name or produce a contact number for him or any of the alleged customers.

Initially, Fogbottom refused to admit that he falsified the contracts in question. However, after an extensive interview, Fogbottom admitted that he was having personal problems and was fired from his former employer. He also admitted that he falsified the contracts for the commissions because he had taken a substantial pay cut from his previous role and was having trouble making ends meet. Fogbottom was terminated, but no charges were brought, and the money was clawed back. Solarstar updated its commission plans to only pay sales representatives upon installation. Two weeks after Fogbottom’s termination, Schull received a call from Brightstar’s Fresno, Calif., office where the same fraud scheme was suspected and later validated.

LESSONS LEARNED
»» A combination of fundamental internal control activities helps minimize fraud.
»» Conduct and update a fraud risk assessment regularly. In this case, a fraud risk assessment should have identified the control weakness in the backlog report, commission payment process, and revenue reconciliation process.
»» Conduct appropriate background checks on key employees to identify any red flags for possible unethical behavior.
»» Perform regular reviews of installation backlog reports to identify irregular activities. Detecting any potential exploitation is the best approach to minimizing negative unintended consequences.
»» Conduct monthly reconciliations of revenue collections. Discrepancies should be researched immediately and escalated if unresolved.

GRANT WAHLSTROM, CIA, CPA, CFE, is the forensic audit manager at a security company in South Florida.
ANISA CHOWDHURY, CPA, is a senior forensic auditor at a security company in South Florida.
TO COMMENT on this article, EMAIL the author at grant.wahlstrom@theiia.org
SEND FRAUD FINDINGS ARTICLE IDEAS to Bryant Richards at bryant_richards@yahoo.com
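The two indicators the forensic team relied on, several contracts e-signed from one IP address within minutes of each other and documented down-payment checks that never reached the lockbox, can be run as routine detective analytics over a contract extract rather than discovered after a clawback dispute. The following is an added example, not the authors’ or Brightstar’s code; the record layouts, representative codes, customer names and IP addresses are constructed sample data.

```python
"""
Two detective analytics over a Solarstar-style electronic-contract extract:
  1. clustered_signatures(): a rep's contracts e-signed from the same customer
     IP address within minutes of one another (distinct customers should sign
     from their own networks at unrelated times);
  2. unmatched_down_payments(): contracts where the rep documented a check in
     the order system but the lockbox never received it.
All records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Contract:
    contract_id: str
    sales_rep: str
    customer: str
    signed_at: datetime   # e-signature time and date stamp recorded on the contract
    signer_ip: str        # customer's IP address recorded at signing
    down_payment: str     # what the rep documented: "check", "card" or "" if none


@dataclass(frozen=True)
class LockboxReceipt:
    contract_id: str
    amount_cents: int


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def clustered_signatures(contracts: List[Contract],
                         window: timedelta = timedelta(minutes=10),
                         min_size: int = 3) -> List[List[Contract]]:
    """Return runs of min_size or more contracts for the same rep, signed from
    the same IP address, where each signature follows the previous one within
    `window`. Runs are returned in signing order for the investigator."""
    by_rep_ip: Dict[Tuple[str, str], List[Contract]] = defaultdict(list)
    for c in contracts:
        by_rep_ip[(c.sales_rep, c.signer_ip)].append(c)
    clusters = []
    for group in by_rep_ip.values():
        group.sort(key=lambda c: c.signed_at)
        run = [group[0]]
        for prev, cur in zip(group, group[1:]):
            if cur.signed_at - prev.signed_at <= window:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    clusters.append(run)
                run = [cur]          # gap too large: start a new run
        if len(run) >= min_size:
            clusters.append(run)
    return clusters


def unmatched_down_payments(contracts: List[Contract],
                            receipts: List[LockboxReceipt]) -> List[Contract]:
    """Contracts where a check was documented but no lockbox receipt exists;
    the first half of the commission should not be paid until this clears."""
    received = {r.contract_id for r in receipts}
    return [c for c in contracts
            if c.down_payment == "check" and c.contract_id not in received]


# Constructed sample data; IP addresses come from the documentation ranges.
SAMPLE_CONTRACTS = [
    Contract("C-101", "REP-A", "Example Nail Salon", ts("2019-01-14 10:02"), "203.0.113.7", "check"),
    Contract("C-102", "REP-A", "Example Vape Shop", ts("2019-01-14 10:05"), "203.0.113.7", "check"),
    Contract("C-103", "REP-A", "Example Cleaners", ts("2019-01-14 10:09"), "203.0.113.7", "check"),
    Contract("C-104", "REP-A", "Example Homeowner", ts("2019-01-14 15:40"), "198.51.100.22", "check"),
    Contract("C-201", "REP-B", "Example Household", ts("2019-01-14 10:03"), "192.0.2.44", "card"),
    Contract("C-202", "REP-B", "Example Taqueria", ts("2019-01-15 09:12"), "192.0.2.45", "check"),
]
SAMPLE_RECEIPTS = [LockboxReceipt("C-104", 250000), LockboxReceipt("C-202", 180000)]

if __name__ == "__main__":
    for run in clustered_signatures(SAMPLE_CONTRACTS):
        print("rep %s, ip %s: %s" % (run[0].sales_rep, run[0].signer_ip,
                                     [c.contract_id for c in run]))
    print("documented checks never received:",
          [c.contract_id for c in unmatched_down_payments(SAMPLE_CONTRACTS, SAMPLE_RECEIPTS)])
```

On the sample data both analytics point at the same three contracts for REP-A, which is the overlap an investigator would pursue first; REP-B’s single contract from each address and the one received check produce no exceptions.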