00:00:02 Vedant Akhauri
The Institute of Internal Auditors presents All Things Internal Audits.
00:00:07 Vedant Akhauri
In this episode, we're getting into the daily realities of modern internal auditing.
00:00:13 Vedant Akhauri
The messy, practical, and sometimes uncomfortable challenges that don't always make it onto conference agendas.
00:00:23 Vedant Akhauri
Jasdeep Gill sits down with Asim Fareeduddin,
00:00:26 Vedant Akhauri
to talk through what's shaping the function right now.
00:00:30 Vedant Akhauri
Fareeduddin shares why business acumen is the hardest skill to hire for, how to think about AI beyond the basics, and why understanding how your company makes and could lose money is the foundation of every valuable audit.
00:00:50 Jasdeep Gill
Asim, let's jump straight in.
00:00:51 Jasdeep Gill
Could you share how geopolitical instability has impacted the way we plan our audits and prioritize?
00:00:57 Asim Fareeduddin
Sure.
00:00:58 Asim Fareeduddin
So I think regardless of geopolitical instability, the audit plan has to be a living, breathing document.
00:01:06 Asim Fareeduddin
We have to be responsive to changes in market and regulatory conditions.
00:01:11 Asim Fareeduddin
And I think geopolitical is a good example of that.
00:01:14 Asim Fareeduddin
We can't predict geopolitical instability.
00:01:18 Asim Fareeduddin
I think we know that
00:01:20 Asim Fareeduddin
It's a constant.
00:01:21 Asim Fareeduddin
We just don't know where or what it's going to be.
00:01:23 Asim Fareeduddin
So I think we need to bake that into our risk assessment process while we're working with our business leaders, our risk assessment leaders, folks in our legal department, as well as our government affairs.
00:01:36 Asim Fareeduddin
I think sometimes we forget about those folks as they are more in tune to maybe what's going on in that arena.
00:01:44 Asim Fareeduddin
So I think working together as a broader team across disciplines is helpful.
00:01:48 Asim Fareeduddin
I'll give a concrete example.
00:01:49 Asim Fareeduddin
example, when the Ukraine-Russia war happened, there was a lot of sanctions imposed against Russia.
00:01:58 Asim Fareeduddin
So companies had to scramble to figure out, okay, what does this mean exactly?
00:02:03 Asim Fareeduddin
And then two, are we following those protocols, right?
00:02:07 Asim Fareeduddin
So I think internal audit plays a role there to act on the fly, so to speak, and pivot to audit geopolitically driven topic.
00:02:17 Asim Fareeduddin
I mean, there's certain geopolitical topics that
00:02:19 Asim Fareeduddin
that you can't audit, but you can serve as more of an advisor to management in terms of how do we mitigate the risk and stay on top of that.
00:02:28 Jasdeep Gill
That's a great example, Asim.
00:02:30 Jasdeep Gill
So I guess we're not trying to predict geopolitics.
00:02:33 Jasdeep Gill
We want to keep our audit plan flexible.
00:02:35 Jasdeep Gill
We want to stay close to the right stakeholders and really use internal audit's voice to stress test their preparedness and resilience.
00:02:43 Jasdeep Gill
So on the topic of resilience, let's talk cyber.
00:02:46 Jasdeep Gill
Do you think internal audit is genuinely equipped to challenge our cyber experts?
00:02:51 Jasdeep Gill
Or do you think internal audit leans a little bit too much on the second line?
00:02:55 Jasdeep Gill
What are your thoughts?
00:02:57 Asim Fareeduddin
So I think that's a great question.
00:02:58 Asim Fareeduddin
I think no matter if you're a novice or an expert in any field, whatever you're trying to accomplish is always a team effort.
00:03:06 Asim Fareeduddin
And when I look at cybersecurity, that's no different.
00:03:10 Asim Fareeduddin
We as internal auditors,
00:03:12 Asim Fareeduddin
have a varied tool belt of expertise, one of them being risk and controls.
00:03:19 Asim Fareeduddin
And within controls, we do have expertise within cyber, although varying degrees, depending on the individual.
00:03:26 Asim Fareeduddin
I think there's a few things that we can do to ensure that we have that risk covered appropriately and the understanding of that risk and the compensating controls.
00:03:37 Asim Fareeduddin
So one, we can always upskill ourselves through
00:03:41 Asim Fareeduddin
certifications, which are important through formal education, through obviously attending trainings, but the best way to learn is obviously by doing.
00:03:51 Asim Fareeduddin
So once you are upscaled doing those audits, you know, I'll be the first to admit that auditing the cloud environment will only get you a certain understanding that's much different than a cloud engineer who does
00:04:06 Asim Fareeduddin
the processing and operations day in and day out.
00:04:09 Asim Fareeduddin
So I think that brings me to the point that you mentioned.
00:04:12 Asim Fareeduddin
We need to work with our second line and our first line through a symbiotic educational process, as well as looking at programs like guest auditor program and a bi-directional guest auditor, right?
00:04:26 Asim Fareeduddin
Can we bring in somebody from a cloud engineering perspective to work on one of our audits and help us
00:04:34 Asim Fareeduddin
obviously while maintaining independence.
00:04:36 Asim Fareeduddin
And then the flip side of that is can we work on a project in InfoSec where we can look at a project from start to finish and gain those skills, again, while maintaining our independence, because we obviously don't want to be auditing our own work in the future.
00:04:51 Asim Fareeduddin
I think there's ways around that, but I think that is the best way of looking at it.
00:04:57 Asim Fareeduddin
And then the third
00:04:58 Asim Fareeduddin
thing we can do is obviously bring in external resources, whether that's co-sourcing with a firm to bring in specific expertise or bringing in a specific vendor where we may have an audit that they have very discrete expertise.
00:05:13 Asim Fareeduddin
So that's my perspective on cyber and the intersection of internal audit.
00:05:19 Jasdeep Gill
That really resonates.
00:05:20 Jasdeep Gill
So I guess we don't need to out-expert our specialists, but we do need enough fluency to be able to challenge them well and translate what that actually means in terms of risk.
00:05:31 Jasdeep Gill
So if we stay on the same theme, but moving into something a little bit more challenging to evidence, corporate culture and behaviour, which I know has got a lot of attention over the years, how do you report that to the board in a way that lands well
00:05:46 Jasdeep Gill
and accurately.
00:05:47 Asim Fareeduddin
Sure.
00:05:48 Asim Fareeduddin
So I think a lot of these concepts are seen as maybe newer or newish, but at the core, if you look at it, really, what is culture?
00:05:57 Asim Fareeduddin
It's governance, it's tone at the top.
00:06:00 Asim Fareeduddin
It's how is that driven through the organization?
00:06:04 Asim Fareeduddin
I think a lot of folks ask, how do you measure culture or how do you know your culture is effective?
00:06:11 Asim Fareeduddin
I think there are certain metrics, if your companies or organizations do employee engagement surveys or employee opinion surveys, those can give you an indicator of morale and culture.
00:06:24 Asim Fareeduddin
On the flip side, you have your code of conduct violations, right?
00:06:27 Asim Fareeduddin
That gives you a good,
00:06:29 Asim Fareeduddin
understanding of governance as well as culture and insights from any investigations also can help to tell about the culture.
00:06:39 Asim Fareeduddin
I think all of those will help to feed your audit plan when the time comes for that annual process as well as your periodic updating of your plan.
00:06:51 Jasdeep Gill
So I think culture isn't just a single metric as you've described.
00:06:55 Jasdeep Gill
It's about joining the different dots, looking at proxies,
00:06:59 Jasdeep Gill
governance signals and behaviours to have a more credible kind of evidence-based review.
00:07:05 Jasdeep Gill
So if we can't reduce culture to one single metric, it's probably a sign that only counting the number of audits on the audit plan that we've delivered can also be quite misleading.
00:07:17 Jasdeep Gill
So in that same train of thought, what other metrics, more innovative metrics, do you think that internal audit should be considering to demonstrate our impact and more importantly, our value to the organisation?
00:07:29 Asim Fareeduddin
I think at the basic level, obviously we need to count the number of audits we're doing.
00:07:33 Asim Fareeduddin
And that is a metric, although maybe not the strongest indicator of how effective an audit program is.
00:07:40 Asim Fareeduddin
It is your basic metric.
00:07:43 Asim Fareeduddin
But I think volume metrics don't necessarily equal or equate to impact, right?
00:07:50 Asim Fareeduddin
I think, you know, one of the things that you can do is
00:07:54 Asim Fareeduddin
benchmark your metrics.
00:07:56 Asim Fareeduddin
And there's plenty of benchmarks out there.
00:07:58 Asim Fareeduddin
Specifically, there's the IIA benchmarking through the, you know, IIA surveys.
00:08:05 Asim Fareeduddin
So you can take a look and they've benchmarked several attributes across the globe.
00:08:10 Asim Fareeduddin
So you can look at some of those.
00:08:12 Asim Fareeduddin
metrics and see, how does my inter-audit organization compare to that?
00:08:17 Asim Fareeduddin
So I think that will give you a really good starting point to see.
00:08:21 Asim Fareeduddin
And then, I'll give you some specific examples.
00:08:24 Asim Fareeduddin
I know a lot of times you might go to conferences and I was in a podcast and things are spoken at high level.
00:08:31 Asim Fareeduddin
So what I like to do in this is give you some tangible examples like I did with the sanctions.
00:08:37 Asim Fareeduddin
So I think average days to close findings
00:08:42 Asim Fareeduddin
versus whatever threshold you have internally.
00:08:44 Asim Fareeduddin
So you can have low, medium, and high findings, and each of those may have a certain threshold in terms of the amount of effort or the amount of days they need to be remediated with.
00:08:56 Asim Fareeduddin
So I think that one will tell you how management or particular management is responsive to remediating findings, as well as telling you
00:09:08 Asim Fareeduddin
potentially about the control environment and the governance and the governance culture, going back to the previous question and how responsive and serious they are.
00:09:19 Asim Fareeduddin
The other thing we can do is often say internal audit is almost like an internal consulting in the sense that we see everything in the company across corporate, across business units.
00:09:32 Asim Fareeduddin
So we as internal auditors can benchmark our own business units against each other, not to create competition, but to create some standards.
00:09:41 Asim Fareeduddin
And so the other business units can see, well, how are we doing compared to each other?
00:09:47 Asim Fareeduddin
And what does that mean?
00:09:48 Asim Fareeduddin
And get some intelligent, actionable advice out of that.
00:09:53 Jasdeep Gill
That's some really great metrics at them.
00:09:55 Jasdeep Gill
So I think it's really a people question as much as it was a metrics question.
00:10:00 Jasdeep Gill
It's more about how we share our story to our stakeholders.
00:10:04 Jasdeep Gill
So let's talk about talent.
00:10:05 Jasdeep Gill
When you're looking at building your internal audit function, what would you say is the most difficult skill to hire for?
00:10:11 Jasdeep Gill
And it'd be helpful, I think, for some of our listeners for you to answer that in the backdrop of what we're seeing with artificial intelligence.
00:10:20 Asim Fareeduddin
Sure.
00:10:20 Asim Fareeduddin
So people talk about cyber, investigative skills, and while those are hard, tangible skills to hire for, they're difficult.
00:10:31 Asim Fareeduddin
I think the most difficult is finding that skill set of business acumen.
00:10:38 Asim Fareeduddin
And a lot of people say, well, what does that even mean?
00:10:41 Asim Fareeduddin
So from my perspective, it's somebody that has an understanding of business and business operations.
00:10:47 Asim Fareeduddin
is business focused while still maintaining independence, of course, and being objective, and also while being able to exercise sound judgment and having the right communication skills, both written and spoken, soft skills, right?
00:11:03 Asim Fareeduddin
I think, you know, those areas are what defines or differentiates an auditor to one that's maybe an exceptional auditor versus one that is just
00:11:15 Asim Fareeduddin
doing the traditional ticking and tying, right?
00:11:17 Asim Fareeduddin
We need to do our core work, but we need to do it in a risk-based manner, and we need to do a manner in which we're adding value to the business.
00:11:27 Asim Fareeduddin
You know, I'll give you an example.
00:11:30 Asim Fareeduddin
If I were to do a user access testing and I find, okay, well, we had three terminated users that had access to a system, and I go to a CFO or a CEO and tell them that, they'll say, okay, well, you know, what does that mean?
00:11:45 Asim Fareeduddin
I think if you have the appropriate business acumen, you'll be able to tell a narrative or a story that would resonate with a business leader.
00:11:54 Asim Fareeduddin
Okay, well, this means X, Y, and Z to your business, right?
00:11:58 Asim Fareeduddin
It means something more tangible than just testing attributes.
00:12:02 Asim Fareeduddin
So I think that's really what's helpful to distinguish internal auditor from
00:12:10 Asim Fareeduddin
more of an exceptional internal auditor than somebody that's just doing, kind of the traditional audits.
00:12:16 Jasdeep Gill
I think I completely agree with you, Sim.
00:12:18 Jasdeep Gill
So the real differentiator here isn't just the technical knowledge.
00:12:22 Jasdeep Gill
It's that translator skill.
00:12:24 Jasdeep Gill
So using a combination of judgment, communication, and writing that lands differently depending on the stakeholder you're talking to, whether it's a CTO, a CFO, or indeed the board.
00:12:36 Jasdeep Gill
And I think it's fair to say that the future of internal audit is going to be much broader than it is today.
00:12:42 Jasdeep Gill
So with that in mind, how do we upskill ourselves to stay relevant and bring our team along with us on that journey?
00:12:50 Asim Fareeduddin
Sure.
00:12:51 Asim Fareeduddin
You know, obviously, how do you upskill?
00:12:54 Asim Fareeduddin
So, you know, if I start off with the basics, you know, cyber skills,
00:12:59 Asim Fareeduddin
Her understanding of cyber skills is important.
00:13:01 Asim Fareeduddin
I think certifications, of course, is a way to upskill.
00:13:05 Asim Fareeduddin
And of course, you cannot have any conversation anywhere without talking about AI.
00:13:10 Asim Fareeduddin
So it's not just about our company's use of AI and are they doing it appropriately and how do we audit that?
00:13:18 Asim Fareeduddin
But I think even more important than that is how are we using it as internal auditors, right?
00:13:26 Asim Fareeduddin
What are we doing with it?
00:13:28 Asim Fareeduddin
How are we becoming more efficient and how are we getting more effective?
00:13:32 Asim Fareeduddin
I think, in the earlier days of my career, upskilling meant, okay, just go to a week of training and you'll come back as an expert.
00:13:40 Asim Fareeduddin
And now you're trained and you're upskilled.
00:13:43 Asim Fareeduddin
Well, I think training is good.
00:13:45 Asim Fareeduddin
It's not just about a week of training, right?
00:13:48 Asim Fareeduddin
It's constant.
00:13:49 Asim Fareeduddin
It's thinking differently about training.
00:13:51 Asim Fareeduddin
To me, training is, yes, going to the conference.
00:13:54 Asim Fareeduddin
But it's also about listening to a podcast like this, listening to, going to...
00:14:00 Asim Fareeduddin
IIA meetings or other meetings, other professional community meetings as well, reading the IIA newsletters that come out periodically, and then applying that training to your day-to-day audit works.
00:14:15 Asim Fareeduddin
I think it's thinking differently about how do we upskill and stepping out of your comfort zone.
00:14:20 Asim Fareeduddin
We spoke about guest auditor programs.
00:14:23 Asim Fareeduddin
and taking advantage of that if your company has one, doing a secondment internally within your organization is another way to upskill.
00:14:32 Jasdeep Gill
I like that.
00:14:32 Jasdeep Gill
So upskilling isn't just about a week's worth of formal training.
00:14:36 Jasdeep Gill
It's designing, learning, and embedding that into work through exposure, networks, secondments, and practical work experience.
00:14:45 Jasdeep Gill
So I guess on the same theme, if we're asking internal auditors to upskill themselves and undertake stretch assignments, we also have to be really honest about the internal audit talent market.
00:14:56 Jasdeep Gill
So how do you think internal audit compares to other functions such as data or strategy in the quest for top talent?
00:15:05 Asim Fareeduddin
Sure.
00:15:06 Asim Fareeduddin
So it's an interesting question because I think up until a few years ago, people might not have been aware of
00:15:13 Asim Fareeduddin
of what internal audit is, especially at the university level, at least here in the US.
00:15:19 Asim Fareeduddin
I think internal audit through the IIA as a profession has done a great job of making internal audit more relevant amongst our future leaders, especially those early career or university-based.
00:15:33 Asim Fareeduddin
And I think the university themselves are also doing a better job.
00:15:36 Asim Fareeduddin
They're creating internal audit programs.
00:15:39 Asim Fareeduddin
I mean, I think if you ask somebody even what an auditor is in general, they might not
00:15:43 Asim Fareeduddin
know, let alone an internal auditor.
00:15:46 Asim Fareeduddin
So I think, there's work that's been done to change that mindset.
00:15:51 Asim Fareeduddin
And then there's continues to be work that's being done to build that awareness.
00:15:56 Asim Fareeduddin
You know, I have a number of recruiter friends and speaking with them, they're saying that, you know, recruiters are seeing good candidates.
00:16:04 Asim Fareeduddin
Obviously, we're in
00:16:06 Asim Fareeduddin
a little bit difficult economic situation.
00:16:08 Asim Fareeduddin
So maybe the number of openings may be less, but I think that there's good candidates out there.
00:16:13 Asim Fareeduddin
And it's, again, how do you differentiate yourselves, right?
00:16:17 Asim Fareeduddin
There's a bit of a market imbalance, right, with fewer roles versus the number of people looking.
00:16:22 Asim Fareeduddin
And that's, you know, obviously due to macroeconomic conditions.
00:16:26 Asim Fareeduddin
accounting enrollment, as I mentioned, is up.
00:16:28 Asim Fareeduddin
I think, versus a few years ago, I think now, especially a generational shift, students are looking for more stability and predictability.
00:16:37 Asim Fareeduddin
And I think internal audit gives you that.
00:16:39 Asim Fareeduddin
And it's a good roadmap and a learning roadmap for those, especially coming out of university.
00:16:45 Asim Fareeduddin
If you grab, if you join a organization and you can learn a lot about a company,
00:16:50 Asim Fareeduddin
through internal audit, and potentially that could lead to a secondment, guest auditor, or a position outside of internal audit within an organization.
00:16:58 Asim Fareeduddin
So, and the IIA has really improved how it sells internal audit to be beyond just ticking and tying, right?
00:17:06 Asim Fareeduddin
I think we're now seen as a trusted advisor, a business advisor, management's, you know, right-hand in certain instances where we're talking about risk and controls.
00:17:16 Jasdeep Gill
I agree, Sim, and I think it's really the responsibility of internal auditors like you and I to really make sure we're consistently telling the story of what modern internal audit actually does and what it looks like.
00:17:29 Jasdeep Gill
Okay, so let's assume we all tell a better story about internal audit.
00:17:32 Jasdeep Gill
The next thing people will ask is,
00:17:34 Jasdeep Gill
What do I need to learn to thrive in this modern era of internal audit?
00:17:40 Jasdeep Gill
And to make this a really practical example, let's just assume that I'm a senior internal auditor, I have a CIA designation, and I'm five years into our profession.
00:17:50 Jasdeep Gill
What should I be thinking about in terms of skills development so I can really outperform my peers and also thrive in this modern era of internal audit?
00:18:00 Jasdeep Gill
What are your thoughts?
00:18:01 Asim Fareeduddin
Great question about what are the IA skills of the future.
00:18:05 Asim Fareeduddin
I think, I wish I had a crystal ball.
00:18:07 Asim Fareeduddin
Well, I'll give you give you what my thoughts on it.
00:18:10 Asim Fareeduddin
I think, you know, we've already mentioned AI.
00:18:13 Asim Fareeduddin
I think AI is huge regardless of what your profession is, right?
00:18:16 Asim Fareeduddin
Or even in your personal life.
00:18:18 Asim Fareeduddin
I think to upscale and the skill of the futures,
00:18:22 Asim Fareeduddin
as an auditor, you really need to look at the use of AI, but look at it beyond just proofreading a document, right?
00:18:28 Asim Fareeduddin
I think a lot of us are beyond the basic steps, but see how you can apply it to all stages of field work, right?
00:18:35 Asim Fareeduddin
Planning, substantive testing, data gathering, and report writing and remediation.
00:18:43 Asim Fareeduddin
I think looking at how can we use AI throughout the life cycle of an audit.
00:18:48 Asim Fareeduddin
And I think it's
00:18:50 Asim Fareeduddin
similar to what people did with analytics several years ago, right?
00:18:53 Asim Fareeduddin
We thought about, okay, we thought about it from a tool or analytics perspective.
00:18:58 Asim Fareeduddin
I think we need to do the opposite is look at the process and see, where can it be automated or where can AI help?
00:19:06 Asim Fareeduddin
So I think using it from the reverse, right?
00:19:08 Asim Fareeduddin
Looking at what we're doing now and how can AI fit in rather than
00:19:12 Asim Fareeduddin
starting with AI, right?
00:19:13 Asim Fareeduddin
It's a business process re-engineering, so much like how we flowchart during our walkthroughs, we need to do that in our own processes and see how AI can help us be more effective and more efficient.
00:19:29 Asim Fareeduddin
And pairing it with analytics, whether it's using AI for analytics or other analytics tools out there,
00:19:36 Asim Fareeduddin
I mentioned telling a story with your audit findings, and I think analytics really helped to tell a story of a control environment.
00:19:45 Asim Fareeduddin
Maybe in five years, the distinction between a financial operational auditor and a technology auditor may be narrower, maybe even non-existent.
00:19:56 Asim Fareeduddin
We talked about the hybrid auditor for years, but all financial systems are
00:20:02 Asim Fareeduddin
have IT risks, right?
00:20:04 Asim Fareeduddin
And companies have cyber risk as probably one of their top five risks, if not higher.
00:20:10 Asim Fareeduddin
So I think all auditors, even financial auditors, need to be well-versed on IT general controls.
00:20:18 Asim Fareeduddin
And the last piece, I know I've talked more about technical skills, but soft skills, I think, again, will differentiate folks and really learning how to be the translator, right?
00:20:29 Asim Fareeduddin
How
00:20:30 Asim Fareeduddin
What does a finding mean?
00:20:32 Asim Fareeduddin
How big is it?
00:20:32 Asim Fareeduddin
What are the ramifications?
00:20:35 Asim Fareeduddin
And why stakeholders should care about that?
00:20:37 Asim Fareeduddin
I think each of our stakeholders, we have to translate things differently, right?
00:20:42 Asim Fareeduddin
Whether we're talking to a CFO or a CTO or even, you know, an accounting manager or even our own
00:20:50 Asim Fareeduddin
manager with an internal audit, we need to really tailor the message to what's important and relevant to that individual.
00:20:56 Asim Fareeduddin
And I think that the translator is really important because many times internal audit is a translator between external audit and the business.
00:21:04 Asim Fareeduddin
Okay, what are they really looking for?
00:21:06 Asim Fareeduddin
What are the documents to satisfy the request and how do we make sense out of it, right?
00:21:12 Asim Fareeduddin
And how do we really get down to what we need?
00:21:15 Jasdeep Gill
I think that's brilliant.
00:21:16 Jasdeep Gill
So use AI.
00:21:17 Jasdeep Gill
and analytics for the substance of the audit work, and then pair it with solid ITGC foundations, and then really stand out amongst your colleagues enabled and translate those findings into business impact and value.
00:21:31 Jasdeep Gill
That's great.
00:21:32 Jasdeep Gill
So another topic I wanted to talk about today was professional courage.
00:21:36 Jasdeep Gill
So the IIA standards talk a lot about how important courage is for internal auditors.
00:21:42 Jasdeep Gill
And my question to you, Asim, is in your view,
00:21:45 Jasdeep Gill
Do you think internal auditors are truly courageous?
00:21:49 Jasdeep Gill
And how do we build that skill?
00:21:51 Asim Fareeduddin
Sure.
00:21:52 Asim Fareeduddin
So I think a lot of the ability to be courageous is dependent on the organization.
00:21:58 Asim Fareeduddin
If you have a strong tone at the top, strong support for internal audit, then certainly being courageous is much easier because you have backing and you have the importance
00:22:10 Asim Fareeduddin
of the internal audit function.
00:22:13 Asim Fareeduddin
So I think it depends on your environment, but I think everyone defines courage differently.
00:22:20 Asim Fareeduddin
A lot of how you define courage in an internal audit perspective depends on the branding and positioning of internal auditor.
00:22:29 Asim Fareeduddin
Are you seen as the police or are you seen as a trusted advisor and a business partner?
00:22:36 Asim Fareeduddin
And are you seen as
00:22:38 Asim Fareeduddin
Proactive, meaning are you involved early on in projects or are you reactive where you don't even know about a project until after it's been implemented?
00:22:49 Asim Fareeduddin
I actually went to a CAE roundtable sponsored by the IIA here in Atlanta last week, and one of the CAEs mentioned that
00:23:00 Asim Fareeduddin
we shouldn't be the last one to know about a project or system implementation.
00:23:05 Asim Fareeduddin
We should be the, some of the first folks to know, and we should be in the room when those decisions are being made.
00:23:11 Asim Fareeduddin
It's a balance because you don't want to get in the way of an implementation or a project, but you want to get ahead of it to ensure that controls are being
00:23:20 Asim Fareeduddin
considered because controls, as everyone know, can be implemented on the front end much easier and less costly than on the back end.
00:23:29 Asim Fareeduddin
And of course, being in a control conscious environment, folks would want to do that and be a part of any of that.
00:23:37 Asim Fareeduddin
I think the other thing to build the brand is no surprises.
00:23:43 Asim Fareeduddin
So I think
00:23:44 Asim Fareeduddin
any potential issues that you may have or deficiencies should be vetted with the stakeholders before you put anything in writing, I think, to protect your credibility and, again, to show that you are a trusted advisor.
00:23:59 Asim Fareeduddin
You know, I've come across auditors in the past that have
00:24:03 Asim Fareeduddin
put things in writing and sent it to a stakeholder that, simply weren't factually correct.
00:24:08 Asim Fareeduddin
I think we really need to be careful that whatever we're doing has been vetted and is fully accurate before we share that, especially in writing, because, as auditors, part of what we do is we have conversations with people and sometimes we might not have all the information and we need to make sure that we get that information from the right folks.
00:24:27 Jasdeep Gill
I think that's a really great way to explain it, Asim.
00:24:29 Jasdeep Gill
So courage isn't really about being confrontational.
00:24:32 Jasdeep Gill
It's being invited to the right rooms.
00:24:36 Jasdeep Gill
For example, system implementations.
00:24:37 Jasdeep Gill
It's about building trust with our stakeholders, adequate preparations, a no surprises approach to audit, and making sure that we back our judgment with evidence before we present our findings to the stakeholders.
00:24:50 Jasdeep Gill
That makes sense.
00:24:51 Jasdeep Gill
So Asim, we've talked a lot about some big themes today, geopolitics, cyber,
00:24:56 Jasdeep Gill
talent, and culture.
00:24:58 Jasdeep Gill
And for anyone listening today who's thinking, okay, just give me one thing that I could take away from this podcast that I can do differently in the short term to improve how they work.
00:25:08 Jasdeep Gill
What would be that advice?
00:25:10 Asim Fareeduddin
So I think we get focused on AI and tools and certifications, which are all great, but I think sometimes folks forget the basics.
00:25:18 Asim Fareeduddin
And the basics are that we
00:25:21 Asim Fareeduddin
all work for organizations that make revenue and that you either make products or services.
00:25:28 Asim Fareeduddin
And I think a lot of times auditors don't understand how the company makes their revenue, right?
00:25:34 Asim Fareeduddin
Obviously, you may add a macro level, but I think digging down into learning the business and not only how the company makes money, because there's risks in that, but there's also risk in how could the company lose money.
00:25:49 Asim Fareeduddin
I think that
00:25:50 Asim Fareeduddin
will really help you become a better auditor because it helps you become more business focused.
00:25:55 Asim Fareeduddin
And if you're more business focused, you're closer to the business and you can really understand the risks and associated controls.
00:26:03 Asim Fareeduddin
If you understand how the revenue flows through an organization that will really help you be a better auditor.
00:26:11 Asim Fareeduddin
If you don't understand the revenue stream, you can't understand the risks and do an audit appropriately.
00:26:17 Asim Fareeduddin
And I know in
00:26:19 Asim Fareeduddin
Financial and operational audits, some of this is inherent in those audits.
00:26:24 Asim Fareeduddin
I think this message is even more important for technology audits, where an auditor may be doing, you know, vulnerability management assessment and not really think about the revenue.
00:26:36 Asim Fareeduddin
But I think it's important to understand that revenue process so we can, you know, truly audit and add value to, you know, to our stakeholders.
00:26:47 Jasdeep Gill
I 100% agree with you, Asim.
00:26:49 Jasdeep Gill
That's a great way to end the episode.
00:26:51 Jasdeep Gill
Commercial curiosity is the shortcut, and understanding how the business makes money, and more importantly, how it could potentially lose money, makes our audits instantly relevant and more valuable.
00:27:02 Jasdeep Gill
This has been a fantastic discussion.
00:27:04 Jasdeep Gill
Thank you for your insights, Asim.
00:27:06 Jasdeep Gill
It's exactly the kind of perspective our profession really benefits from.
00:27:10 Jasdeep Gill
There's so much we've discussed today that can help auditors at any stage of their career.
00:27:16 Jasdeep Gill
from how we plan our audits, how we measure impact, right through to how we build credibility and courage in the role.
00:27:22 Jasdeep Gill
Thank you so much.
00:27:23 Asim Fareeduddin
Thank you, Shaz.
00:27:24 Asim Fareeduddin
I appreciate the time and really had a great opportunity here and look forward to doing it again with you sometime soon.
00:27:31 Vedant Akhauri
If you like this podcast, please subscribe and rate us.
00:27:35 Vedant Akhauri
You can subscribe wherever you get your podcasts.
00:27:38 Vedant Akhauri
You can also catch other episodes on YouTube or at theiia.org.
00:27:44 Vedant Akhauri
That's T-H-E-I-I-A dot O-R-G.