format a portion of blog posts

1 files changed, 162 insertions, 177 deletions

diff --git a/content/blog/2020-09-22-internal-audit.org b/content/blog/2020-09-22-internal-audit.org
index 3074266..b90b461 100644
--- a/content/blog/2020-09-22-internal-audit.org
+++ b/content/blog/2020-09-22-internal-audit.org
@@ -7,64 +7,63 @@
 [[https://img.cleberg.net/blog/20200922-what-is-internal-audit/internal-audit-overview.jpg]]
 
 * Definitions
-One of the many reasons that Internal Audit needs such thorough
-explaining to non-auditors is that Internal Audit can serve many
-purposes, depending on the organization's size and needs. However, the
-Institute of Internal Auditors (IIA) defines Internal Auditing as:
+One of the many reasons that Internal Audit needs such thorough explaining to
+non-auditors is that Internal Audit can serve many purposes, depending on the
+organization's size and needs. However, the Institute of Internal Auditors (IIA)
+defines Internal Auditing as:
 
 #+begin_quote
-Internal auditing is an independent, objective assurance and consulting
-activity designed to add value and improve an organization's operations.
-It helps an organization accomplish its objectives by bringing a
-systematic, disciplined approach to evaluate and improve the
-effectiveness of risk management, control, and governance processes.
+Internal auditing is an independent, objective assurance and consulting activity
+designed to add value and improve an organization's operations. It helps an
+organization accomplish its objectives by bringing a systematic, disciplined
+approach to evaluate and improve the effectiveness of risk management, control,
+and governance processes.
 
 #+end_quote
 
-However, this definition uses quite a few terms that aren't clear unless
-the reader already has a solid understanding of the auditing profession.
-To further explain, the following is a list of definitions that can help
-supplement understanding of internal auditing.
+However, this definition uses quite a few terms that aren't clear unless the
+reader already has a solid understanding of the auditing profession. To further
+explain, the following is a list of definitions that can help supplement
+understanding of internal auditing.
 
 ** Independent
-Independence is the freedom from conditions that threaten the ability of
-the internal audit activity to carry out internal audit responsibilities
-in an unbiased manner. To achieve the degree of independence necessary
-to effectively carry out the responsibilities of the internal audit
-activity, the chief audit executive has direct and unrestricted access
-to senior management and the board. This can be achieved through a
-dual-reporting relationship. Threats to independence must be managed at
-the individual auditor, engagement, functional, and organizational
-levels.
+Independence is the freedom from conditions that threaten the ability of the
+internal audit activity to carry out internal audit responsibilities in an
+unbiased manner. To achieve the degree of independence necessary to effectively
+carry out the responsibilities of the internal audit activity, the chief audit
+executive has direct and unrestricted access to senior management and the board.
+This can be achieved through a dual-reporting relationship. Threats to
+independence must be managed at the individual auditor, engagement, functional,
+and organizational levels.
 
 ** Objective
-Objectivity is an unbiased mental attitude that allows internal auditors
-to perform engagements in such a manner that they believe in their work
-product and that no quality compromises are made. Objectivity requires
-that internal auditors do not subordinate their judgment on audit
-matters to others. Threats to objectivity must be managed at the
-individual auditor, engagement, functional, and organizational levels.
+Objectivity is an unbiased mental attitude that allows internal auditors to
+perform engagements in such a manner that they believe in their work product and
+that no quality compromises are made. Objectivity requires that internal
+auditors do not subordinate their judgment on audit matters to others. Threats
+to objectivity must be managed at the individual auditor, engagement,
+functional, and organizational levels.
 
 ** Assurance
-Assurance services involve the internal auditor's objective assessment
-of evidence to provide opinions or conclusions regarding an entity,
-operation, function, process, system, or other subject matters. The
-internal auditor determines the nature and scope of an assurance
-engagement. Generally, three parties are participants in assurance
-services: (1) the person or group directly involved with the entity,
-operation, function, process, system, or other subject - (the process
-owner), (2) the person or group making the assessment - (the internal
-auditor), and (3) the person or group using the assessment - (the user).
+Assurance services involve the internal auditor's objective assessment of
+evidence to provide opinions or conclusions regarding an entity, operation,
+function, process, system, or other subject matters. The internal auditor
+determines the nature and scope of an assurance engagement. Generally, three
+parties are participants in assurance services: (1) the person or group directly
+involved with the entity, operation, function, process, system, or other
+subject - (the process owner), (2) the person or group making the assessment -
+(the internal auditor), and (3) the person or group using the assessment - (the
+user).
 
 ** Consulting
-Consulting services are advisory in nature and are generally performed
-at the specific request of an engagement client. The nature and scope of
-the consulting engagement are subject to agreement with the engagement
-client. Consulting services generally involve two parties: (1) the
-person or group offering the advice (the internal auditor), and (2) the
-person or group seeking and receiving the advice (the engagement
-client). When performing consulting services, the internal auditor
-should maintain objectivity and not assume management responsibility.
+Consulting services are advisory in nature and are generally performed at the
+specific request of an engagement client. The nature and scope of the consulting
+engagement are subject to agreement with the engagement client. Consulting
+services generally involve two parties: (1) the person or group offering the
+advice (the internal auditor), and (2) the person or group seeking and receiving
+the advice (the engagement client). When performing consulting services, the
+internal auditor should maintain objectivity and not assume management
+responsibility.
 
 ** Governance, Risk Management, & Compliance (GRC)
 The integrated collection of capabilities that enable an organization to
@@ -72,176 +71,162 @@ reliably achieve objectives, address uncertainty and act with integrity.
 
 * Audit Charter & Standards
 First, it's important to note that not every organization needs internal
-auditors. In fact, it's unwise for an organization to hire internal
-auditors unless they have regulatory requirements for auditing and have
-the capital to support the department. Internal audit is a cost center
-that can only affect revenue indirectly.
-
-Once an organization determines the need for internal assurance
-services, they will hire a Chief Audit Executive and create the audit
-charter. This charter is a document, approved by the company's governing
-body, that will define internal audit's purpose, authority,
-responsibility, and position within the organization. Fortunately, the
-IIA has model charters available to IIA members for those developing or
-improving their charter.
-
-Beyond the charter and organizational documents, internal auditors
-follow a few different standards in order to perform their job. First is
-the International Professional Practices Framework (IPPF) by the IIA,
-which is the model of standards for internal auditing. In addition,
-ISACA's Information Technology Assurance Framework (ITAF) helps guide
-auditors in reference to information technology (IT) compliance and
-assurance. Finally, additional standards such as FASB, GAAP, and
-industry-specific standards are used when performing internal audit
-work.
+auditors. In fact, it's unwise for an organization to hire internal auditors
+unless they have regulatory requirements for auditing and have the capital to
+support the department. Internal audit is a cost center that can only affect
+revenue indirectly.
+
+Once an organization determines the need for internal assurance services, they
+will hire a Chief Audit Executive and create the audit charter. This charter is
+a document, approved by the company's governing body, that will define internal
+audit's purpose, authority, responsibility, and position within the
+organization. Fortunately, the IIA has model charters available to IIA members
+for those developing or improving their charter.
+
+Beyond the charter and organizational documents, internal auditors follow a few
+different standards in order to perform their job. First is the International
+Professional Practices Framework (IPPF) by the IIA, which is the model of
+standards for internal auditing. In addition, ISACA's Information Technology
+Assurance Framework (ITAF) helps guide auditors in reference to information
+technology (IT) compliance and assurance. Finally, additional standards such as
+FASB, GAAP, and industry-specific standards are used when performing internal
+audit work.
 
 * Three Lines of Defense
-[[https://theiia.org][The IIA]] released the original Three Lines of
-Defense model in 2013, but have released an updated version in 2020.
-Here is what the Three Lines of Defense model has historically looked
-like:
+[[https://theiia.org][The IIA]] released the original Three Lines of Defense model in 2013, but have
+released an updated version in 2020. Here is what the Three Lines of Defense
+model has historically looked like:
 
 #+caption: 2013 Three Lines of Defense Model
 [[https://img.cleberg.net/blog/20200922-what-is-internal-audit/three_lines_model.png]]
 
-I won't go into depth about the changes made to the model in this
-article. Instead, let's take a look at the most current model.
+I won't go into depth about the changes made to the model in this article.
+Instead, let's take a look at the most current model.
 
 #+caption: 2020 Three Lines of Defense Model
 [[https://img.cleberg.net/blog/20200922-what-is-internal-audit/updated_three_lines_model.png]]
 
 The updated model forgets the strict idea of areas performing their own
-functions or line of defense. Instead of talking about management, risk,
-and internal audit as 1-2-3, the new model creates a more fluid and
-cooperative model.
-
-Looking at this model from an auditing perspective shows us that
-auditors will need to align, communicate, and collaborate with
-management, including business area managers and chief officers, as well
-as reporting to the governing body. The governing body will instruct
-internal audit /functionally/ on their goals and track their progress
-periodically.
-
-However, the internal audit department will report /administratively/ to
-a chief officer in the company for the purposes of collaboration,
-direction, and assistance with the business. Note that in most
-situations, the governing body is the audit committee on the company's
-board of directors.
-
-The result of this structure is that internal audit is an independent
-and objective function that can provide assurance over the topics they
-audit.
+functions or line of defense. Instead of talking about management, risk, and
+internal audit as 1-2-3, the new model creates a more fluid and cooperative
+model.
+
+Looking at this model from an auditing perspective shows us that auditors will
+need to align, communicate, and collaborate with management, including business
+area managers and chief officers, as well as reporting to the governing body.
+The governing body will instruct internal audit /functionally/ on their goals
+and track their progress periodically.
+
+However, the internal audit department will report /administratively/ to a chief
+officer in the company for the purposes of collaboration, direction, and
+assistance with the business. Note that in most situations, the governing body
+is the audit committee on the company's board of directors.
+
+The result of this structure is that internal audit is an independent and
+objective function that can provide assurance over the topics they audit.
 
 * Audit Process
-A normal audit will generally follow the same process, regardless of the
-topic. However, certain special projects or abnormal business areas may
-call for changes to the audit process. The audit process is not set in
-stone, it's simply a set of best practices so that audits can be
-performed consistently.
+A normal audit will generally follow the same process, regardless of the topic.
+However, certain special projects or abnormal business areas may call for
+changes to the audit process. The audit process is not set in stone, it's simply
+a set of best practices so that audits can be performed consistently.
 
 #+caption: The Internal Audit Process
 [[https://img.cleberg.net/blog/20200922-what-is-internal-audit/internal-audit-process.jpg]]
 
-While different organizations may tweak the process, it will generally
-follow this flow:
+While different organizations may tweak the process, it will generally follow
+this flow:
 
 ** 1. Risk Assessment
 The risk assessment part of the process has historically been performed
-annually, but many organizations have moved to performing this process
-much more frequently. In fact, some organizations are moving to an agile
-approach that can take new risks into the risk assessment and
-re-prioritize risk areas on-the-go. To perform a risk assessment,
-leaders in internal audit will research industry risks, consult with
-business leaders around the company, and perform analyses on company
-data.
+annually, but many organizations have moved to performing this process much more
+frequently. In fact, some organizations are moving to an agile approach that can
+take new risks into the risk assessment and re-prioritize risk areas on-the-go.
+To perform a risk assessment, leaders in internal audit will research industry
+risks, consult with business leaders around the company, and perform analyses on
+company data.
 
 Once a risk assessment has been documented, the audit department has a
-prioritized list of risks that can be audited. This is usually in the
-form of auditable entities, such as business areas or departments.
+prioritized list of risks that can be audited. This is usually in the form of
+auditable entities, such as business areas or departments.
 
 ** 2. Planning
-During the planning phase of an audit, auditors will meet with the
-business area to discuss the various processes, controls, and risks
-applicable to the business. This helps the auditors determine the scope
-limits for the audit, as well as timing and subject-matter experts.
-Certain documents will be created in this phase that will be used to
-keep the audit on-track an in-scope as it goes forward.
+During the planning phase of an audit, auditors will meet with the business area
+to discuss the various processes, controls, and risks applicable to the
+business. This helps the auditors determine the scope limits for the audit, as
+well as timing and subject-matter experts. Certain documents will be created in
+this phase that will be used to keep the audit on-track an in-scope as it goes
+forward.
 
 ** 3. Testing
-The testing phase, also known as fieldwork or execution, is where
-internal auditors will take the information they've discovered and test
-it against regulations, industry standards, company rules, best
-practices, as well as validating that any processes are complete and
-accurate. For example, an audit of HR would most likely examine
-processes such as employee on-boarding, employee termination, security
-of personally identifiable information (PII), or the IT systems involved
-in these processes. Company standards would be examined and compared
-against how the processes are actually being performed day-to-day, as
-well as compared against regulations such as the Equal Employment
-Opportunity (EEO), American with Disabilities Act, and National Labor
-Relations Act.
+The testing phase, also known as fieldwork or execution, is where internal
+auditors will take the information they've discovered and test it against
+regulations, industry standards, company rules, best practices, as well as
+validating that any processes are complete and accurate. For example, an audit
+of HR would most likely examine processes such as employee on-boarding, employee
+termination, security of personally identifiable information (PII), or the IT
+systems involved in these processes. Company standards would be examined and
+compared against how the processes are actually being performed day-to-day, as
+well as compared against regulations such as the Equal Employment Opportunity
+(EEO), American with Disabilities Act, and National Labor Relations Act.
 
 ** 4. Reporting
-Once all the tests have been completed, the audit will enter the
-reporting phase. This is when the audit team will conclude on the
-evidence they've collected, interviews they've held, and any opinions
-they've formed on the controls in place. A summary of the audit
-findings, conclusions, and specific recommendations are officially
-communicated to the client through a draft report. Clients have the
-opportunity to respond to the report and submit an action plan and time
-frame. These responses become part of the final report which is
-distributed to the appropriate level of administration.
+Once all the tests have been completed, the audit will enter the reporting
+phase. This is when the audit team will conclude on the evidence they've
+collected, interviews they've held, and any opinions they've formed on the
+controls in place. A summary of the audit findings, conclusions, and specific
+recommendations are officially communicated to the client through a draft
+report. Clients have the opportunity to respond to the report and submit an
+action plan and time frame. These responses become part of the final report
+which is distributed to the appropriate level of administration.
 
 ** 5. Follow-Up
-After audits have been completed and management has formed action plans
-and time frames for audit issues, internal audit will follow up once
-that due date has arrived. In most cases, the follow-up will simply
-consist of a meeting to discuss how the action plan has been completed
-and to request documentation to prove it.
+After audits have been completed and management has formed action plans and time
+frames for audit issues, internal audit will follow up once that due date has
+arrived. In most cases, the follow-up will simply consist of a meeting to
+discuss how the action plan has been completed and to request documentation to
+prove it.
 
 * Audit Department Structure
 While an internal audit department is most often thought of as a team of
 full-time employees, there are actually many different ways in which a
-department can be structured. As the world becomes more digital and
-fast-paced, outsourcing has become a more attractive option for some
-organizations. Internal audit can be fully outsourced or partially
-outsourced, allowing for flexibility in cases where turnover is high.
-
-In addition, departments can implement a rotational model. This allows
-for interested employees around the organization to rotate into the
-internal audit department for a period of time, allowing them to obtain
-knowledge of risks and controls and allowing the internal audit team to
-obtain more business area knowledge. This program is popular in very
-large organizations, but organizations tend to rotate lower-level audit
-staff instead of managers. This helps prevent any significant knowledge
-loss as auditors rotate out to business areas.
+department can be structured. As the world becomes more digital and fast-paced,
+outsourcing has become a more attractive option for some organizations. Internal
+audit can be fully outsourced or partially outsourced, allowing for flexibility
+in cases where turnover is high.
+
+In addition, departments can implement a rotational model. This allows for
+interested employees around the organization to rotate into the internal audit
+department for a period of time, allowing them to obtain knowledge of risks and
+controls and allowing the internal audit team to obtain more business area
+knowledge. This program is popular in very large organizations, but
+organizations tend to rotate lower-level audit staff instead of managers. This
+helps prevent any significant knowledge loss as auditors rotate out to business
+areas.
 
 * Consulting
-Consulting is not an easy task at any organization, especially for a
-department that can have negative perceptions within the organization as
-the "compliance police." However, once an internal audit department has
-delivered value to organization, adding consulting to their suite of
-services is a smart move. In most cases, Internal Audit can insert
-themselves into a consulting role without affecting the process of
-project management at the company. This means that internal audit can
-add objective assurance and opinions to business areas as they develop
-new processes, instead of coming in periodically to audit an area and
-file issues that could have been fixed at the beginning.
+Consulting is not an easy task at any organization, especially for a department
+that can have negative perceptions within the organization as the "compliance
+police." However, once an internal audit department has delivered value to
+organization, adding consulting to their suite of services is a smart move. In
+most cases, Internal Audit can insert themselves into a consulting role without
+affecting the process of project management at the company. This means that
+internal audit can add objective assurance and opinions to business areas as
+they develop new processes, instead of coming in periodically to audit an area
+and file issues that could have been fixed at the beginning.
 
 * Data Science & Data Analytics
 #+caption: Data Science Skill Set
 [[https://img.cleberg.net/blog/20200922-what-is-internal-audit/data-science-skillset.png]]
 
-One major piece of the internal audit function in the modern world is
-data science. While the process is data science, most auditors will
-refer to anything in this realm as data analytics. Hot topics such as
-robotic process automation (RPA), machine learning (ML), and data mining
-have taken over the auditing world in recent years. These technologies
-have been immensely helpful with increasing the effectiveness and
-efficiency of auditors.
-
-For example, mundane and repetitive tasks can be automated in order for
-auditors to make more room in their schedules for labor-intensive work.
-Further, auditors will need to adapt technologies like machine learning
-in order to extract more value from the data they're using to form
-conclusions.
+One major piece of the internal audit function in the modern world is data
+science. While the process is data science, most auditors will refer to anything
+in this realm as data analytics. Hot topics such as robotic process automation
+(RPA), machine learning (ML), and data mining have taken over the auditing world
+in recent years. These technologies have been immensely helpful with increasing
+the effectiveness and efficiency of auditors.
+
+For example, mundane and repetitive tasks can be automated in order for auditors
+to make more room in their schedules for labor-intensive work. Further, auditors
+will need to adapt technologies like machine learning in order to extract more
+value from the data they're using to form conclusions.