© institute of internal auditors 2019 connect with the iia ... presentations/unlikely...

Unlikely Allies:Leveraging Internal Partners to Increase Audit’s Effectiveness and InfluenceKEN RAMALEY / RAMALEY GROUP

APRIL 1, 2019

© Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI | #IIACHI | WWW.FACEBOOK.COM/IIACHICAGO | HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977 2

ObjectivesIdentify key internal partnerships that can be brought to bear on specific audits to amplify messaging

Understand audit’s role in connecting disparate functions within the organization

Increase audit’s organizational influence based on broad strategic alignment


Introduction – The “Who Cares” ProblemAudit work in Customer-Facing areas tends to focus on customer-facing concerns

Enterprise-level risks correlating to these observations may reside elsewhere Delivery may not align with “brand promise” (marketing) Product/need matching may not align with profitability (finance/product) or with customer retention

efforts (customer experience / brand)

Client management may downplay significance of findings in discussions with audit


Opportunity: Engage “unlikely allies” to help client management understand significance of observations and drive prioritization of remediation efforts

Finding Unlikely AlliesPlanning Phase

When planning your audit, identify WHO will be impacted by various risks that are driving the audit’s scope and prioritization

Exception Assessment Phase

Once exceptions have been identified, understand WHO in the enterprise will be most impacted by the deficiency and enlist support appropriately


Planning PhaseWhen planning, most audit departments assess risk using a chart like the one below


This simplified chart identifies the types of risk that are driving the prioritization of different functions within the entities

The same risk drivers can help to identify unlikely allies as particular pieces of the enterprise are reviewed

Planning Example


In this example, we see Financial, Reputation, and Fraud Risk associated with the activity “Ticket Sales”

Who are our possible allies?

Planning EngagementOnce allies have been identified during the planning phase, they can be engaged:

1. Reach out to function impacted by audit client operations

2. Discuss the types of activities executed by the client and ask for perspective on risk

3. Identify expectations (possibly auditable standards)

4. Collect documentation supporting expectations and existing relationships / reporting provided by client to impacted area

5. Obtain commitment to partner if any deficiencies are observed


Exception Assessment PhaseAny time an exception is found, the auditor’s first question is “How big a deal is this?”

Audit will have an opinion on severity, but other impacted areas will be able to provide support and perspective that will assist auditor judgments

Steps for exception assessment:

1. Trace exception back to pre-review risk assessment for a clue as to severity

2. Using the same linkages established in planning phase, engage unlikely allies for support

3. Present exceptions to client, together with feedback from allies (can have a joint meeting if desired)

4. When writing final audit issue, incorporate impact assessments provided by allies


Exception Assessment Example #1During a review of customer-facing sales practices, the audit department determined that sales people were “going the extra mile” by helping their new customers log into the company’s website to demonstrate how to use its features.

Among other things, the sales team was creating the customer’s new password, and clicking past all of the “opt in” screens that appear during first login.

While the customer was immediately emailed a link indicating that a password had been created, the customer was not required to change password, nor were “privacy opt in” boxes popped up on any subsequent login.

Client management was delighted at the high website adoption rate of salespeople in those facilities that executed this practice

Information Security, Compliance, Marketing, and Customer Experience teams were all quite distressed to learn about this concern and rapidly formed a coalition to change the practice.


Exception Assessment Example #2During a call center review, an audit team identified that a “Frequent Guest” loyalty product had points that expire without notice to the customer. The policy of point expiration was clearly stated in paragraph 23 of the 4-page “terms and conditions” document.

When the observation was initially presented to the call center manager (client), she indicated that since her team was following the policy, there would be no problem.

The audit team contacted the product owner (potential unlikely ally), who explained that the only reason the product was profitable was due to “breakage” and that if the points didn’t expire, reward levels would have to be lowered dramatically.

The audit team then contacted the brand marketing department (another unlikely ally), who had advertised the program as having “easy to redeem points” that “never expire”.

VP of Marketing was outraged to learn that this product was not aligned with the promises being made and asked for a highest severity audit issue to be assigned to marketing, product, and fulfillment teams until such time as the policy was revised and new practices were executed.


Exception Assessment Phase Learnings Building a coalition of allies increases likelihood of audit-identified concerns being addressed

Acting to bring diverse segments of the company together puts audit in a “collaborative” role rather than more traditionally “combative”

While audit will always have independent, informed perspectives on severity (and may need to overrule even “allies”), this approach keeps audit’s credibility and influence high


Group Exercises / ExamplesAudit Finding:

During a period of low business volume, call center associates who have not been trained on certain product sets will be assigned to answer questions about those products. In testing, 15/50 basic questions about product pricing were answered incorrectly.

Business Response:

They were not off by much, and we know that customer hold time is a major driver of dissatisfaction, so this is the right choice – it can’t be an issue!

Who are some allies who may want to weigh in on this?


Group Exercises / ExamplesAudit Finding:

An audit of the new product launch department identifies that they fail to execute the “communicate new product parameters to IT” step in a timely manner consistent with their policy on 30% of product launches.

Business Response:

The products are still launching on time and we have not had any significant IT issues associated with our launches.

Who are some allies who may want to weigh in on this?


Next Steps Integrate “WHO CARES?” into enlisting allies during planning / risk assessment

Integrate “WHO CARES?” into enlisting allies during exception assessment

In ongoing management discussions, fish for challenges in OTHER GROUPS that may impact them


Questions and Answers?


For additional information or further discussion, contact:Ken [email protected]

Thank you for your time and attention!IIA CHAPTER CHICAGO | 59TH ANNUAL SEMINAR


© institute of internal auditors 2019 connect with the iia ... presentations/unlikely...

Documents