April 2004

Training New Auditors

The demands of modern auditing have raised the performance bar for new practitioners. A comprehensive, multi-tiered training framework can help bring both rotational and professional auditors up to speed.

Dennis Applegate, CIA, CPA, CMA, CFE, CFM
Manager, Training & Development
Boeing Corporate Audit

Well-publicized control failures, perhaps best exemplified by WorldCom and Enron, have driven many U.S. public companies to take unprecedented steps to bolster corporate governance and better manage risk. Legislation such as the U.S. Sarbanes-Oxley Act of 2002, which mandates attestation of controls over financial reporting, has reinforced the need for effective governance and increases the need to manage risk effectively. On the heels of these developments, demand for internal audit services has risen dramatically, and new authoritative guidance from organizations such as The Institute of Internal Auditors (IIA) and The Committee of Sponsoring Organizations of the Treadway Commission (COSO) are shaping a new paradigm for the profession and raising the bar for audit performance. Today’s internal auditors need to be well-versed in risk management and control and capable of helping their clients meet complex business challenges.

The changing corporate landscape and increased demands of audit work place a new emphasis on internal auditor training. In many organizations, audit committee and board members face personal liability for any lack of due diligence, and governance failures place companies at significant risk for lost customers and investors, as well as reputation damage. Corporate leaders depend on internal auditors to be highly trained in the disciplines of their profession and equipped with deliberate tools to evaluate and improve corporate governance.

To meet the demands of 21st-century auditing, the profession needs an effective training strategy aimed at keeping pace with the variety of new initiatives for corporate governance, control, and risk management. Using a new auditor training model that can be adapted to any corporate business environment, audit leaders can maximize staff competency and knowledge, consistent with the new internal audit paradigm.

AN INTEGRATED APPROACH
Training internal auditors can prove immensely challenging. Audit work requires a breadth of knowledge and range of technical skills that can take extensive time and effort to develop. Because internal auditors need to be familiar with all aspects of the business environment, the scope of learning for staff members who aspire to a career in the profession can be daunting.

The audit-specific challenges related to training are often further complicated by corporate employee-rotation practices. In recent years, many large corporations have leveraged the unique function of internal auditing into developmental opportunities for employees with executive potential. Such programs expose employees with promising leadership capabilities to a variety of operations and functions routinely examined by professional auditors, providing them with the opportunity to observe and interact with executive management. Most programs are limited to terms of one to three years. Although the developmental concept is sound given the corporate visibility of internal auditing, rotational programs can strain the quality of internal audit oversight. New rotational auditors are often unfamiliar with basic audit techniques and must be taught the requisite skills in a structured and systematic manner to sustain audit quality. In many companies, the number of rotational auditors approaches that of the professional staff, increasing the need for effective training.

Training efforts geared toward new staff members, therefore, must address the broad business knowledge and specialized technical skills required of both professional and rotational internal auditors. “Internal Audit Training Framework” (JPG, click to open in new window) presents a criteria-based model for developing a comprehensive training program for all new auditors. The model addresses not just required internal audit skills, but also auditor career goals and performance objectives. The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) provides the basis for the training curriculum, focusing on planning and performing the audit and communicating and monitoring results.

OBJECTIVE-BASED TRAINING
The chart on page 70 presents a suggested two-year training progression and curriculum for new auditors. The featured courses address knowledge and skills that satisfy internal auditor proficiencies implicit in The IIA’s Standards and are commonly accepted in the industry. Each internal audit department should assess the proposed training curriculum and progression and adjust the focus, timing, or duration of each training module based on its specific objectives and desired audit behaviors. Some organizations may need to tailor the learning schedule to their respective audit processes and internal audit charter. Adjustments to the training progression also may be required to emphasize one module over another in light of a particular audit philosophy or business risk, or to reinforce auditor behaviors that support business requirements and company objectives. The knowledge and skill attributes inherent in the training modules, however, should remain essentially unchanged.

Year One
The first year of auditor training is framed around four modules — audit-process skills, audit techniques, financial audit tools, and advanced audit tools. Each module builds upon the previous one, enabling auditors to practice what they have learned before new proficiencies are taught. The scope and duration of each course can vary based on learning objectives and expected outcomes. An initial training period of two weeks is suggested for the first module, and quarterly training sessions of 20 hours each are recommended for the next three modules. The total first-year curriculum may require as many as 140 training hours for the standard audit shop of most large companies. Audit management should consider waiving some of the classes for employees with significant prior audit experience or for those who already possess the knowledge and skills to be taught.

Course details for the four modules are as follows:

  • Audit-process Skills is divided into two sections. The first half provides the general competencies required to conduct proficient audits and covers IIA standards and industry practices for planning an engagement, identifying and analyzing information, developing and recording conclusions, and communicating and monitoring results. The next section covers the general knowledge needed to understand and audit the given business environment. Typically, instruction will include such topics as financial analysis, market pricing, planning and performance, and regulatory requirements. Depending on the nature of the business, training may also address operational methods such as learning curves, waiting line models, or statistical process controls.
  • Audit Techniques concentrates more intensely on the audit-process skills introduced in the first module. Course coverage includes COSO’s Internal Control–Integrated Framework, analytic techniques for audit planning and final review, micro-level risk assessment methodologies, and audit sampling plans for tests of controls and substantive testing. The audit sampling course should contain an extensive review of attribute sampling plans — the mainstay of control testing — and unbiased sample selection techniques.
  • Financial Audit Tools covers internal audit knowledge and skills for examining controls over financial reporting and the propriety of reported financial data. Many internal audit shops dedicate as much as half their resources to audit objectives related to the reliability of financial reporting, and this reason alone justifies placement of this module early in the training progression. Separate courses address relevant Generally Accepted Accounting Principles and the reporting requirements of federal securities laws, including Sarbanes-Oxley. A fraud awareness course weaves red-flag indicators of fraudulent financial reporting into the curriculum as well.
  • Advanced Audit Tools bridges financial/compliance auditing and the more complex process and operational audit training offered in the second year of the progression. Course coverage includes an introduction to generalized audit software, which helps expedite and improve audit data-gathering and analysis and enhances new auditor productivity. A separate course in day-to-day engagement organization prepares new auditors to help lead audit teams as early as their second year, and a foundational course in general and application controls introduces auditors to information technology (IT) audit coverage for better integration of systems and process auditing. To train new auditors for upcoming engagements, the module also provides for optional business-based courses to be scheduled in coordination with the annual audit plan. In addition, an operational auditing course reviews legal and regulatory compliance issues including environmental, employer–employee, and other laws and regulations relevant to the business. A final course on monitoring results covers IIA Standard 2500: Monitoring Progress and concentrates on advanced procedures for ensuring the accuracy and effectiveness of management actions in response to audit findings.

The proposed curriculum grounds new auditors not just in audit standards, tools, and techniques but also in the business environment to be audited, covering both risks and opportunities. Using this approach, the framework satisfies the “due diligence” mandated by many companies, as well as the provisions of IIA Standard 1220: Due Professional Care.

Year Two
“Second-year Training,” (JPG, click to open in new window) illustrates two alternative training tracks. Although all auditors receive the same training during the first year, second-year training is aligned with individual career goals. Rotational auditors build leadership and related skills and prepare for additional responsibility outside of internal auditing through structured career planning (see “Rotational Auditors: Second-year Training Curriculum” below). By contrast, professional auditors continue to develop corporate governance skills through advanced technical and analytical courses, preparing them for greater responsibility within the internal audit function. This two-pronged approach meets the needs of the company, the individual employee, and the internal audit department.

Rotational Auditors: Second-year Training Curriculum

Training modules for a second-year, rotational auditor training track contain courses that will grow future company leaders within the context of an executive development program. Some companies will restrict rotational auditors to high-potential employees from particular business units or functions such as the finance organization. Others will limit the program to promising new hires right out of college, using it to familiarize them with company culture, procedures, and sites.

Training should include the following tracks, though additional subjects can be included as needed. Professional auditors could also enroll in these courses if the subject matter is consistent with their career objectives.

Leadership contains four parts delivered in discrete modules over successive training periods. The first course in the series provides an understanding of what leadership means and describes leadership qualities that can help facilitate organizational goals. Some companies use their stated ethical values or corporate code of conduct to anchor course content. The second course addresses a range of leadership theories and current trends. A methodology for understanding an organization’s leadership style typically precedes a discussion of practical tools to frame and resolve leadership issues. The third course describes the leadership culture of troubled organizations and provides an opportunity to apply the issue-framing tools prescribed in the second module to understand and diagnose a given leadership situation. Leadership failures at WorldCom, Enron, and Andersen provide fertile ground for class discussion and practical application. The fourth course reviews contemporary issues of “power” and contrasts them with desired leadership traits based on company ethical values presented in the first course session. All modules use case studies, simulations, role playing, and group exercises to reinforce desired leadership behaviors.

Team Motivation provides concepts and techniques for building cooperation and trust in an organization. Coverage includes four motivational elements — establishing group rapport, generating enthusiasm and inner drive, building respect and trust, and giving recognition.

Negotiation describes the principles of effective bargaining, as well as common negotiating styles and techniques. The course places emphasis on the negotiating process, particularly on ascertaining the objectives of the other party and persuading through logical reasoning backed by evidence.

Conflict Management shows the importance of resolving individual disputes or alleviating group discord promptly and provides a step-by-step approach to reaching a state of tolerance or consensus. Course objectives emphasize coping with conflict and cover common mistakes made during conflict management.

Career Planning prepares rotational auditors for a technical or entry-level management position outside of internal auditing. The module provides tools that help match work preferences to competencies, cultivate networking arrangements, and build outstanding résumés that generate interest rather than just provide information.

The following courses are offered during second-year, non-rotational training.

  • Operational Auditing II makes the transition from financial/compliance auditing to an evaluation of management goals, strategies, and initiatives using a consultative approach that encourages positive change. The course focuses on both risk-based and value-for-dollar approaches. Course content consists of methodologies, customized to the policies of the particular internal audit department, for designing and improving controls governing business risk.
  • Analytical Review Procedures, an extension of the risk assessment training offered in the first year, presents a range of audit techniques to identify financial and operating risk. The course focuses on the use of regression analysis to create audit efficiencies and gather evidence in a cost-effective manner. Audit planning and fieldwork applications show the statistical reliability and analytical strength of both coefficients of correlation and determination in directing audit work to areas of high risk. The course also covers probability theory and expected value techniques applicable to almost any business situation, including internal audits.
  • Process Auditing provides technical tools for evaluating the efficiency and effectiveness of process controls that cut across functional lines. The course reviews COSO’s Internal Control–Integrated Framework and covers control identification, objective–risk–control alignment, and flowcharting techniques for analysis and presentation. It then considers operational effectiveness objectives, focusing on computer-assisted audit techniques that identify control exceptions and process irregularities in large systems. The course also addresses operational efficiency objectives by covering audit methods for identifying and evaluating redundant activities, process constraints, and data overproduction.
  • Fraud Analysis addresses internal auditor responsibility for recognizing and detecting fraud, focusing in particular on fraudulent financial reporting and irregularities in the procurement, inventory, payables, and payroll functions — common areas for corruption. Course objectives consider the requirements of IIA Practice Advisory 1210.a2-1: Identification of Fraud and include assessing fraud risk, identifying fraud indicators, and reporting on fraud at the conclusion of the detection phase. Fraud investigation procedures are covered but tailored to the specific involvement of the particular internal audit organization in such investigations. The course gives special attention to the internal auditor’s responsibility for determining needed controls to reduce future vulnerability and for designing audit tests to disclose similar frauds in the future.
  • Corporate Meltdowns reviews control failures at companies such as Enron, WorldCom, Adelphia, and HealthSouth and uses them as objective lessons for ascertaining when control environments are troubled. Guided by IIA Standard 2130: Governance, the course addresses the underlying causes of control breakdowns, identifying symptoms of a weak control environment and ensuring that significant residual risk is communicated appropriately throughout the company. Course objectives emphasize audit techniques that ensure accountability and promote strong ethics and values.
  • Logical Reasoning focuses on time-tested analytical and problem-solving methods internal auditors can use to help resolve difficult audit issues. Course objectives include the use of analogies to support audit findings, the logical relation between cause and effect in evaluating audit conditions, and the application of logical fallacies to detect faulty reasoning. The course also demonstrates methods for analyzing and evaluating the rationale behind the claims of audit clients, relying on a premise–conclusion framework for analysis.
  • Business Writing addresses common deficiencies found in written products — mainly audit reports and audit committee letters — and covers writing style and constructive tone. A similar course taught earlier in the training progression focuses on procedural and formatting issues related to audit reports. By contrast, business writing emphasizes brevity and simple language to enhance understanding and explains how to convey complex issues in concise terms.
  • Executive Presentations provides time-proven techniques for informing and persuading when making oral internal audit reports to management. Coverage includes logical organization, prioritization, tone, and “chartsmanship.”

The second year of training enhances some of the concepts and techniques taught in the first year, but primarily teaches new audit skills connected with fraud, process and system integration, management consulting, and analytical tools. Whereas the first-year curriculum emphasizes control, the second year focuses on governance and risk — a logical sequence that also reflects the historical development of the profession.

FINDING INSTRUCTORS
Internal audit management should consider using in-house training support when possible. Large companies usually staff organizational development specialists or leadership centers that can support curriculum development, and in-house expertise can be leveraged to cover a variety of subjects.

Several benefits can be derived from using internal training resources. First, courses can be adapted to the unique aspects of the company, thus improving relevance. In addition, learning from in-house trainers enables new auditors to network with other company professionals and senior management, further enhancing the trainees’ professional development. Furthermore, in-house training costs are typically lower than those of external providers.

Audit managers can enlist company subject matter experts to teach business-based and accounting-related electives. Many such experts are eager for the opportunity to share their expertise, as it provides corporate visibility and improves presentation skills. Likewise, senior audit staff may be able to teach audit-specific subjects. Courses on risk assessment, audit programs, working papers, and audit reports are often best handled by these experienced team members.

Still, some technical topics may be best suited to external service providers. For example, classes such as analytics, audit sampling, and process auditing usually require extensive development and may not be feasible for in-house treatment. Coverage of specialized disciplines may also require outside expertise.

EXECUTING COURSE DELIVERY
The method used to deliver course content can have a significant impact on training effectiveness. The type of media used, timing of delivery, and process employed to assess course applicability each represent important factors for audit managers to consider. Managers who assess these attributes early during program design generally produce superior results.

Media
Classroom courses, e-learning, and self-study CD-ROMs or workbooks comprise the relevant range of delivery-format options for audit training. The classroom normally serves as the best learning environment for introductory-level or technical courses, as it allows for immediate instructor feedback on technical questions and enables instructors to provide “hands-on” attention. Collaborative e-learning, where training content is delivered online by several employees at once, may prove effective for less technical course offerings. Alternatively, self-paced e-learning, or independent online instruction, should be considered for behavioral courses and certain audit specialties such as working papers or regulatory reporting — instructor feedback is rarely required for these topics. When employing individual learning methods, audit management should be sure to verify the adequacy of course completion using some form of testing to ensure learning objectives are achieved.

Timing
Audit management should determine the frequency of training intervals based on the needs of the particular internal audit environment. In general, however, quarterly delivery will serve to adequately inculcate new knowledge and skills into audit projects. This level of frequency also helps instill the value of continuous learning, encouraging employees to seek further learning opportunities on their own after they’ve completed the company training progression.
A minimum of 40 hours of annual training, or 120 hours over a three-year period, is the normal continuing professional education requirement of professional designations such as the The IIA’s Certified Internal Auditor program. The new auditor’s first year, however, requires a much heavier training effort. Three weeks of initial training and at least two to three days each quarter normally provides sufficient coverage.

Evaluation
The nature and extent of fieldwork application should serve as the main criteria for validating curriculum appropriateness. Training participants should also evaluate the course instructor and materials at the end of each class session to assess effectiveness. In addition, audit management should conduct follow-up evaluations four to six weeks after training is completed. The follow-up assessment enables managers to solicit feedback on the utility and applicability of the training to actual audit projects and will often reveal opportunities to strengthen the training curriculum. Additional improvement areas also may surface during annual employee performance reviews and audit management reviews of audit reports and working papers. An established process should help guide constructive feedback from all sources into the training curriculum.

ASSESSING THE BENEFITS
Each internal audit department must gauge for itself the benefits derived from implementing the auditor training framework described. The appropriateness of the proposed model depends on many factors, including the size of the internal audit department and its organizational structure, the type of internal auditing performed, the complexity of the business, the nature and extent of audit project supervision, and cost–benefit considerations.

Under the right circumstances, the training model can play an important role in helping internal audit organizations evaluate and strengthen their training efforts, as well as satisfy the requirements of IIA Standard 1230: Continuing Professional Development. Audit managers looking to initiate a training program may find the model a useful addition to their pedagogical toolbox.

To comment on this article, e-mail the author at dapplegate@theiia.org.
 

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

 On-site Training

 

 Write for FSA Times

  

 

 Twitter

facebook IAO 

IA APP