Slide Heading Enhanced Professional Development Skills Norm Kelson, CPA, CISA, CGEIT The Kelson Group November 18, 2009 © The Kelson Group, 2009

Slide Heading Enhanced Professional Development Skills

Norm Kelson, CPA, CISA, CGEIT

The Kelson Group

November 18, 2009

© The Kelson Group, 2009

Agenda

Identifying our skill set needs

Fulfilling the skill set

Enhancing our staff

Providing value to the organization

How Has the Audit Landscape Changed?

General Controls, 20%

Existing Applications, 25%

New Applications, 25%

Technical Audits, 30%

Historical Focus

How Has the Audit Landscape Changed? (2)

AS5, 60%

IT General Controls, 10%

All Applications, 30%

SOx Era

How Has the Audit Landscape Changed (3)

SOx Testing, 10%

GRC, 10%

IT Gen Ctrl, 25%

Bus Process, 40%

Technical Audits, 15%

Today

How Has the Audit Landscape Changed (3)

SOx Testing, 5%

GRC, 25%

IT Gen Ctrl, 20%

Bus Process, 40%

Technical Audits, 10%

Within 5 Years

What Do I Need to Know About My Organization?

• Internal Audit
  – Mission
  – Audit Charter
• Business
  – Long term strategy
  – Industry
  – Best practices within industry
  – Regulations
• Technology
  – Current architecture
  – Architecture of the future
• Application Portfolio
  – Applications topography
  – Applications functionality

What Do I Need to Know About My Organization? (2)

• IT Service & Delivery Architecture & Practices
  – In House
  – Out Sourced
• Governance Framework
  – COSO?
  – IT Governance Framework – CobiT/ITIL
• Compliance Approaches & Requirements
  – AS5
  – GLBA
  – PCI-DSS
  – HIPAA
  – Federal/State/Local data privacy requirements
• Enterprise Risk Management Approach

Senior Management Drivers

[Diagram: Drivers for Audit Services]

Chief Audit Executive, CIO, C-Suite, Board of Directors, Regulators, External Auditors, Business Unit Management

Value, Controls, Security, Compliance, Governance

IT Audit Universe

• Which Audit Landscape?
  – Historical
  – SOx Era
  – Today
  – Next 5 years

Skills Required

• Communications & Interpersonal Skills
  – Ability to relate to audit customer
  – Understand their needs
  – Argumentation skills
  – Communicate to technical and non-technical constituencies – written and oral
• Business skills
  – Industry expertise
  – Finance/accounting subject-matter competency
• Business process
  – Understanding of business process
  – Specific processes to enterprise
• Controls management
  – Controls framework
  – Control objectives

Skills Required (2)

• Risk management
  – Risk assessment methodologies
  – Enterprise-adopted risk management process
• Value management
  – Ability to relate control requirements and risk management into a value to the organization
• Project management
  – Ability to manage internal audit projects
  – Ability to evaluate effectiveness of enterprise and business projects
• IT Technical
  – Core technical functions
  – General IT functions

Take Inventory

• Results of Enterprise Risk Assessment
  – Essential Audits – Rated “A”
  – Needed Audits – Rated “B”
  – Nice to Have Audits – Rated “C”
• What resources needed for “A” and “B” audits?
  – FTE’s
  – Skills
• What resources available?
• Result is your delta

Auditor Skill Sets

[Diagram labels: Financial; Operational; Business Process / Applications / Projects; General IT Controls; Technical IT Controls]

[Diagram labels: Financial Auditor; Business Auditor; IT Audit Generalist; IT Audit Technical Specialist]

Subject Matter Experts

• Sources
  – Financial / Operational / Business / IT Auditors
  – Internal rotation from technical department
  – External
• Non-core audit requirements
• Internal SME deficiency

Essential Training

• Internal Audit Concepts
• Business / Industry Concepts
• Finance/Accounting – scope for IT auditors more limited
• Business psychology – as needed
• Communications, Argumentation, Written & Oral Presentation
• IT Technical – core functions

How Do I Receive Value from Internal Audit

• Invest in good personnel
  – Talented staff
  – Competent and focused training
  – Reasonable compensation
  – Reasonable working conditions and tools
• Allocate resources to your staff’s strengths
• Identify and select audits that fit the risk assessment
• Keep audit rotations to a minimum of 24 months

How Do I Receive Value from Internal Audit (2)

• Use staff for recurring audits, assign consultants to specialty and non-recurring audits

• Consider building audit teams by line of business
  – Cohesive team
  – Lessens learning curve
  – Include IT audit in Line of Business team

• Keep turnover to a minimum (cost of replacement extremely high)

• Budget reasonable time to an audit – don’t squeeze staff

How Can I Build a High Performance Team

• Resolve Personnel Issues
• Provide Opportunity
• Empower
• Provide training
• Support team

Personnel Issues

• Understand the drivers of each generation
• Economics push staff
  – Recognize burnout
  – Build for tomorrow – don’t deplete the staff
  – Mirror staff with management expectations
• Employee Mentoring
  – Understand employee career goals
    • Seek opportunities within company
    • Keep employee for reasonable period of time
    • Outplace employees not fitting in
  – Provide an open door policy to assist employee in performing duties
    • Manage but don’t micro-manage
    • Run interference where appropriate
  – Support employee within and outside department
  – Respect

Training

• Meaningful training to fit Audit Plan
• Design training plan for each staff member
  – Technical training
    • Specific expertise
    • Industry expertise
  – Management skills
    • Leadership
    • GRC management
    • Project management
  – Business skills
    • Presentation skills (oral and written)
    • Finance/Accounting
    • Industry concentration
• Quality programs
• Training program tailored to the needs of each employee
• Consider distance learning, where possible
  – Give staff time to utilize distance learning

Certification

• Encourage obtaining and maintaining certifications for job function:
  – Audit related:
    • CPA, CISA, CIA, CFE
  – Security related:
    • CISM, CISSP
  – GRC
    • CGEIT, IT Risk – (soon to be announced)
• Certification preparation
  – Reimburse for certification test fees, reasonable refresher or study courses
  – Time off to sit for test
  – Time off for preparation (reasonable)
• Certification maintenance
  – Reimburse for yearly fees
  – Provide training opportunities and reimbursement to maintain certification in good standing

Management

• Build a team of complementary skills
• Foster open dialogue
• Provide feedback
• Meet with customers – foster relationships and represent department

Key Areas for Professional Skill Enhancement

• Governance and related practices
• Understanding of financial processes
• Understanding business processes
• Maintaining core IT technical skills
• Improving soft skills

Questions?

Contact Information

Norm Kelson

Telephone: (781) 784-4390
