Why Internal Auditors Are Annoyed

internal auditors

Today I want to circle back to that proposal from the Public Company Accounting Oversight Board about third-party confirmations in financial audits, a seemingly reasonable idea that in practice has alienated legions of internal auditors. We should take a few minutes to understand why that is. For those who missed our first post on this…

Read More

Confirmations Contretemps in Audit World!


The internal auditing world is in an uproar this week over a proposed new auditing standard from the Public Company Accounting Oversight Board — one that throws some notable shade at the internal audit profession, and prompted the Institute of Internal Auditors to declare that it is “deeply concerned” about the idea. The proposed standard…

Read More

Getting a Better Grip on IT Controls


Today I want to circle back to last week’s collapse of cryptocurrency exchange FTX. One allegation is that FTX’s now-former CEO, Sam Bankman-Fried, engineered a “back door” into the company’s financial systems so that he could execute transactions without review. My question: would an audit of internal controls over financial reporting catch something like that? …

Read More

Thoughts on ESG Controls & Reporting


I spent several days last week attending the annual user conference for Workiva, maker of audit and risk management software. ESG was all over the agenda, with numerous speakers talking about how to integrate ESG concerns into your annual audit and reporting. I took detailed notes, and my recap is below. First, I was struck…

Read More

Fresh Approaches to Cybersecurity Risk


Every regulator and their uncle is climbing aboard the cybersecurity bandwagon these days. Before that bandwagon starts rolling away with itself, however, we might want to ask whether corporate audit and compliance teams, and even the regulators themselves, are going about all this in the wisest way possible. Two recent posts on Radical Compliance capture…

Read More

On Wisconsin and Cyber Risks


IT audit professionals looking for a fresh example of cybersecurity risk to study should turn their gaze to Wisconsin. A voter fraud conspiracy theorist there uncovered what is indeed a legitimate risk to election integrity, and his discovery speaks volumes about taking a risk-based approach to design of internal controls. The gadfly in question is…

Read More

Pointers on Preventing Ransomware 


Among the many interesting discussions I heard at the Institute of Internal Auditors’ global conference this week, one particularly compelling session was about ransomware: how attackers try to foist it upon companies, and the internal controls you could implement to keep such attacks at bay. Since ransomware risk is going nowhere but up these days,…

Read More

Dispatches From IIA Conference


The Institute of Internal Auditors held its global annual conference this week in Chicago, drawing together more than 1,700 audit professionals for its first in-person conference since 2019 to talk about internal controls, audit reports, working with boards, and lots more. Yours truly was on the scene, and I’ve pulled together some dispatches from social…

Read More

Some Thoughts on IT Workforce Risks

Looking for another reason to worry about the long-term success of your compliance, audit, or risk management efforts? Fear not! A recent report on workforce development in cybersecurity paints a stark picture of just how challenging it is these days to build and maintain a good team.  The report comes from ISACA, the professional association…

Read More

Citigroup Internal Audit Hiring Spree


Citigroup announced today that it plans to hire at least 100 additional internal auditors  next year, one of the largest single hiring sprees we’ve seen in the field in years. If any audit professionals out there like the banking sector and want a change of pace, here’s your big chance.  Citi already has more than…

Read More