author | Christian Cleberg <hello@cleberg.net> | 2024-04-27 17:01:13 -0500 |
---|---|---|
committer | Christian Cleberg <hello@cleberg.net> | 2024-04-27 17:01:13 -0500 |
commit | 74992aaa27eb384128924c4a3b93052961a3eaab (patch) | |
tree | d5193997d72a52f7a6d6338ea5da8a6c80b4eddc /content/blog/2020-09-22-internal-audit.org | |
parent | 3def68d80edf87e28473609c31970507d9f03467 (diff) | |
test conversion back to markdown
Diffstat (limited to 'content/blog/2020-09-22-internal-audit.org')
-rw-r--r-- | content/blog/2020-09-22-internal-audit.org | 232 |
1 files changed, 0 insertions, 232 deletions
diff --git a/content/blog/2020-09-22-internal-audit.org b/content/blog/2020-09-22-internal-audit.org deleted file mode 100644 index b90b461..0000000 --- a/content/blog/2020-09-22-internal-audit.org +++ /dev/null 
@@ -1,232 +0,0 @@ -#+title: What is Internal Audit? -#+date: 2020-09-22 -#+description: Learn about the Internal Audit function and their purpose. -#+filetags: :audit: - -#+caption: Internal Audit Overview -[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/internal-audit-overview.jpg]] - -* Definitions -One of the many reasons that Internal Audit needs such thorough explaining to -non-auditors is that Internal Audit can serve many purposes, depending on the -organization's size and needs. However, the Institute of Internal Auditors (IIA) -defines Internal Auditing as: - -#+begin_quote -Internal auditing is an independent, objective assurance and consulting activity -designed to add value and improve an organization's operations. It helps an -organization accomplish its objectives by bringing a systematic, disciplined -approach to evaluate and improve the effectiveness of risk management, control, -and governance processes. - -#+end_quote - -However, this definition uses quite a few terms that aren't clear unless the -reader already has a solid understanding of the auditing profession. To further -explain, the following is a list of definitions that can help supplement -understanding of internal auditing. - -** Independent -Independence is the freedom from conditions that threaten the ability of the -internal audit activity to carry out internal audit responsibilities in an -unbiased manner. To achieve the degree of independence necessary to effectively -carry out the responsibilities of the internal audit activity, the chief audit -executive has direct and unrestricted access to senior management and the board. -This can be achieved through a dual-reporting relationship. Threats to -independence must be managed at the individual auditor, engagement, functional, -and organizational levels. 
- -** Objective -Objectivity is an unbiased mental attitude that allows internal auditors to -perform engagements in such a manner that they believe in their work product and -that no quality compromises are made. Objectivity requires that internal -auditors do not subordinate their judgment on audit matters to others. Threats -to objectivity must be managed at the individual auditor, engagement, -functional, and organizational levels. - -** Assurance -Assurance services involve the internal auditor's objective assessment of -evidence to provide opinions or conclusions regarding an entity, operation, -function, process, system, or other subject matters. The internal auditor -determines the nature and scope of an assurance engagement. Generally, three -parties are participants in assurance services: (1) the person or group directly -involved with the entity, operation, function, process, system, or other -subject - (the process owner), (2) the person or group making the assessment - -(the internal auditor), and (3) the person or group using the assessment - (the -user). - -** Consulting -Consulting services are advisory in nature and are generally performed at the -specific request of an engagement client. The nature and scope of the consulting -engagement are subject to agreement with the engagement client. Consulting -services generally involve two parties: (1) the person or group offering the -advice (the internal auditor), and (2) the person or group seeking and receiving -the advice (the engagement client). When performing consulting services, the -internal auditor should maintain objectivity and not assume management -responsibility. - -** Governance, Risk Management, & Compliance (GRC) -The integrated collection of capabilities that enable an organization to -reliably achieve objectives, address uncertainty and act with integrity. - -* Audit Charter & Standards -First, it's important to note that not every organization needs internal -auditors. 
In fact, it's unwise for an organization to hire internal auditors -unless they have regulatory requirements for auditing and have the capital to -support the department. Internal audit is a cost center that can only affect -revenue indirectly. - -Once an organization determines the need for internal assurance services, they -will hire a Chief Audit Executive and create the audit charter. This charter is -a document, approved by the company's governing body, that will define internal -audit's purpose, authority, responsibility, and position within the -organization. Fortunately, the IIA has model charters available to IIA members -for those developing or improving their charter. - -Beyond the charter and organizational documents, internal auditors follow a few -different standards in order to perform their job. First is the International -Professional Practices Framework (IPPF) by the IIA, which is the model of -standards for internal auditing. In addition, ISACA's Information Technology -Assurance Framework (ITAF) helps guide auditors in reference to information -technology (IT) compliance and assurance. Finally, additional standards such as -FASB, GAAP, and industry-specific standards are used when performing internal -audit work. - -* Three Lines of Defense -[[https://theiia.org][The IIA]] released the original Three Lines of Defense model in 2013, but have -released an updated version in 2020. Here is what the Three Lines of Defense -model has historically looked like: - -#+caption: 2013 Three Lines of Defense Model -[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/three_lines_model.png]] - -I won't go into depth about the changes made to the model in this article. -Instead, let's take a look at the most current model. 
- -#+caption: 2020 Three Lines of Defense Model -[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/updated_three_lines_model.png]] - -The updated model forgets the strict idea of areas performing their own -functions or line of defense. Instead of talking about management, risk, and -internal audit as 1-2-3, the new model creates a more fluid and cooperative -model. - -Looking at this model from an auditing perspective shows us that auditors will -need to align, communicate, and collaborate with management, including business -area managers and chief officers, as well as reporting to the governing body. -The governing body will instruct internal audit /functionally/ on their goals -and track their progress periodically. - -However, the internal audit department will report /administratively/ to a chief -officer in the company for the purposes of collaboration, direction, and -assistance with the business. Note that in most situations, the governing body -is the audit committee on the company's board of directors. - -The result of this structure is that internal audit is an independent and -objective function that can provide assurance over the topics they audit. - -* Audit Process -A normal audit will generally follow the same process, regardless of the topic. -However, certain special projects or abnormal business areas may call for -changes to the audit process. The audit process is not set in stone, it's simply -a set of best practices so that audits can be performed consistently. - -#+caption: The Internal Audit Process -[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/internal-audit-process.jpg]] - -While different organizations may tweak the process, it will generally follow -this flow: - -** 1. Risk Assessment -The risk assessment part of the process has historically been performed -annually, but many organizations have moved to performing this process much more -frequently. 
In fact, some organizations are moving to an agile approach that can -take new risks into the risk assessment and re-prioritize risk areas on-the-go. -To perform a risk assessment, leaders in internal audit will research industry -risks, consult with business leaders around the company, and perform analyses on -company data. - -Once a risk assessment has been documented, the audit department has a -prioritized list of risks that can be audited. This is usually in the form of -auditable entities, such as business areas or departments. - -** 2. Planning -During the planning phase of an audit, auditors will meet with the business area -to discuss the various processes, controls, and risks applicable to the -business. This helps the auditors determine the scope limits for the audit, as -well as timing and subject-matter experts. Certain documents will be created in -this phase that will be used to keep the audit on-track an in-scope as it goes -forward. - -** 3. Testing -The testing phase, also known as fieldwork or execution, is where internal -auditors will take the information they've discovered and test it against -regulations, industry standards, company rules, best practices, as well as -validating that any processes are complete and accurate. For example, an audit -of HR would most likely examine processes such as employee on-boarding, employee -termination, security of personally identifiable information (PII), or the IT -systems involved in these processes. Company standards would be examined and -compared against how the processes are actually being performed day-to-day, as -well as compared against regulations such as the Equal Employment Opportunity -(EEO), American with Disabilities Act, and National Labor Relations Act. - -** 4. Reporting -Once all the tests have been completed, the audit will enter the reporting -phase. 
This is when the audit team will conclude on the evidence they've -collected, interviews they've held, and any opinions they've formed on the -controls in place. A summary of the audit findings, conclusions, and specific -recommendations are officially communicated to the client through a draft -report. Clients have the opportunity to respond to the report and submit an -action plan and time frame. These responses become part of the final report -which is distributed to the appropriate level of administration. - -** 5. Follow-Up -After audits have been completed and management has formed action plans and time -frames for audit issues, internal audit will follow up once that due date has -arrived. In most cases, the follow-up will simply consist of a meeting to -discuss how the action plan has been completed and to request documentation to -prove it. - -* Audit Department Structure -While an internal audit department is most often thought of as a team of -full-time employees, there are actually many different ways in which a -department can be structured. As the world becomes more digital and fast-paced, -outsourcing has become a more attractive option for some organizations. Internal -audit can be fully outsourced or partially outsourced, allowing for flexibility -in cases where turnover is high. - -In addition, departments can implement a rotational model. This allows for -interested employees around the organization to rotate into the internal audit -department for a period of time, allowing them to obtain knowledge of risks and -controls and allowing the internal audit team to obtain more business area -knowledge. This program is popular in very large organizations, but -organizations tend to rotate lower-level audit staff instead of managers. This -helps prevent any significant knowledge loss as auditors rotate out to business -areas. 
- -* Consulting -Consulting is not an easy task at any organization, especially for a department -that can have negative perceptions within the organization as the "compliance -police." However, once an internal audit department has delivered value to -organization, adding consulting to their suite of services is a smart move. In -most cases, Internal Audit can insert themselves into a consulting role without -affecting the process of project management at the company. This means that -internal audit can add objective assurance and opinions to business areas as -they develop new processes, instead of coming in periodically to audit an area -and file issues that could have been fixed at the beginning. - -* Data Science & Data Analytics -#+caption: Data Science Skill Set -[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/data-science-skillset.png]] - -One major piece of the internal audit function in the modern world is data -science. While the process is data science, most auditors will refer to anything -in this realm as data analytics. Hot topics such as robotic process automation -(RPA), machine learning (ML), and data mining have taken over the auditing world -in recent years. These technologies have been immensely helpful with increasing -the effectiveness and efficiency of auditors. - -For example, mundane and repetitive tasks can be automated in order for auditors -to make more room in their schedules for labor-intensive work. Further, auditors -will need to adapt technologies like machine learning in order to extract more -value from the data they're using to form conclusions. |
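Review bot: The commit message calls this a test, yet the hunk removes all 232 lines of content/blog/2020-09-22-internal-audit.org, and this view (diffstat limited to that path) shows no replacement file. Please confirm that the Markdown counterpart lands in the same commit and that the org-specific markup in the removed text survives the conversion: the `#+caption:` lines ahead of each image link, the `#+begin_quote` block holding the IIA definition, and the `/functionally/` and `/administratively/` emphasis. If the text is being re-homed, the removed lines also carry wording slips worth fixing in the new file: "on-track an in-scope" under "2. Planning", "delivered value to organization" under "Consulting", and "American with Disabilities Act" under "3. Testing" (the statute is the Americans with Disabilities Act).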