The Navigators Conference 2020

Thank you for attending The Navigators Conference!


This page will provide follow-up information, including answers to some of the audience questions that we were unable to address during the live session, links to articles written by speakers, and slides from some of the speakers (where they can be shared).


Norman Marks Blog

Mike Jacka Blog



Toby Groves, Ph.D. (Slides used throughout the day-Dropbox link)

Raven Catlin Agile Auditing Slides (PDF Version)

Raven Catlin Email

Kelly Paxton Pink Collar Crime Website


Questions and Answers

Q:  From Aneel: “Different auditors prioritize risk uniquely? Do you think management should be involved in risk assessment process? To what extent? What if management has other motivations, like Wells Fargo management had, which made Auditors look the other way?”

Answered by Norman Marks:  

I always involve management. First, if I can audit their risk assessment process and find it acceptable, I use it as a basis for my own. It can only be a basis as (a) I may have to confirm the controls are operating effectively to keep risk at desired levels, and (b) I have to decide which engagements to perform – and I might have to perform multiple engagements at different locations or of different departments to address one enterprise risk. If I cannot rely on management’s assessment, then I meet with them and ask for their assessment and talk to them about it during my process. Second, I review and obtain feedback from them of my assessment and also of the audit plan. On the question of other motives, that is a natural and human tendency, to point the auditors away from your own area. We always use our judgment and professional skepticism.


Also Answered by Mike Jacka: 

Performing risk assessment without management involvement is like trying to find the toilet in the middle of the night without turning on the bathroom light.  You might get the job done, but you and the environment are going to be a mess afterwards.  [Note: I know you can’t use this, but I loved writing it so much I just had to include it.]

 Let’s try again.

Performing risk assessment without management involvement is like trying to walk through a maze with a blindfold on.  You know what you are trying to accomplish, you know how to head out, you might even get it done correctly, but you haven’t got enough information to be efficiently and effectively successful. [Note: Don’t like this as well as the previous one, but I’ll stick with it.]  

The only…THE ONLY…expertise we bring to the table in risk assessment is understanding risk, the role it plays in achievement of objectives, and how to approach the mitigation of those risks.  We may have good knowledge of the business and its operations, but the business will have the details we need to make informed and intelligent decisions.

Note that the appropriate involvement of management has no bearing on situations like Wells Fargo.  Management may or may not have different motivations than internal audit. But that is why the final risk assessment is ours, not management’s.  We take their input and work with them on the final assessment. But we use our professional judgement and expertise to come to a conclusion.  And that means properly weighing management’s input.



From Gloria: “Hal, do you believe the reporting structure is still valid”?

Answered by Hal Garyn:

By “reporting structure” I assume this means the dual reporting structure of internal audit reporting to one part of the organization functionally and another part of the organization administratively. Given that assumption, I wholeheartedly do believe this reporting structure remains valid. Internal audit needs to have the ability to have an independent reporting line into the governance structure to be able to effectively execute its responsibilities. In most organizations that will be to the Chair of the Audit Committee of the Board of Directors. This is where internal audit gets its risk-based plan approved, where its resource allocation is confirmed, where the Chief Audit Executive gets their performance evaluation completed/approved, where the Chief Audit Executive gets their compensation determined/approved, and so on. However, internal audit also has administrative and day-to-day needs that are not best accomplished via the Audit Committee, and this is where the administrative reporting line comes into play. The Chief Audit Executive, and internal audit, needs support for facilitation in the organization, expense reports approved, an organizational “advocate”, someone to discuss routine organizational matters with, etc. Those things come from the administrative reporting relationship which, in many organizations, is to the Chief Financial Officer. However, there are strong arguments to be made that this administrative relationship is better served with the Chief Executive Officer, the Chief Risk Officer, or another executive. Each organization needs to determine what is the best administrative reporting relationship for internal audit to fit its needs, consistent with the organizational culture, and in consultation with, and approval by, the Audit Committee. But, yes, I do very much still support the dual reporting structure.


From Cathy: “Our company is attempting to automate our audit support processes; however, we are being overwhelmed with the C&A evidence needed to validate the automation.  Any tips”?

Answered by Tammy Daugherty: 

There are a couple of steps: 1. Create the benefits case for why the project is important to the organization, the benefits it will provide and the risks of not automating.  2. Find a leader who has influence and passion for the project to sponsor it as their job will be to “sell” the benefits case to his or her peers and senior leaders. Without these two ingredients, your automation project will continually be challenged because there are always projects competing for attention with the lightning speed of change in today’s work environment. 3. Once prioritized, your project will need that sponsor to continually keep senior leaders informed of progress and its importance to keep it visible and make it to the finish line.


From Francisco: “Is there a higher risk of abuse or fraud from a full automation? (no human to notice things going wrong such as repeated extreme or limit requests)”

Answered by Raven Catlin: 

While I support more automation, I think a human must take a look periodically. I am not as concerned about increases in abuse or fraud, but more generally that we want to make sure everything is going as it should. Personally, I do not think exclusively about abuse and fraud as required by government audit standards, instead I think more about operational successes.


From Mukesh: “Can you talk about what are the risks for not being able to conduct on-site audits in current situation”?


Answered by Raven Catlin: 

The biggest risk is, unless there is a conscious effort on the part of the auditor to establish and build relationships with our virtual clients, our delivery timeliness and thus ability to provide assurance will be delayed. Another risk is many auditors lack the technology skills to leverage collaboration platforms and analysis of data.


Also Answered by Norman Marks:

You have to consider whether you are getting sufficient evidence to support your professional opinion. If you need to physically inspect something, that may be an issue but there may be ways around if you ask somebody like a security guard to walk around at your direction with a phone camera. You may also be less able to gauge the non-verbal language of the people you talk to. However, the test to apply is that first sentence: do you have sufficient evidence for your professional opinion.



Asked by Abbas: “Question for the panel: What are some themes you foresee as defining the future of internal audit? Data analytics and RPA are here and their use will continue to grow for obvious reasons (they certainly add value when used correctly), but I’m thinking about things such as AI, the intersection of second/third lines of defense, regulatory/QA requirements that use resources and demand more time be spent on admin work rather than actually identifying and helping address risk, etc.”


Answered by Mike Jacka:

Bots, RPA, and AI should be a significant influencer on the way we work. (That all assumes internal audit actually embraces and uses the tools.  That’s a whole  ‘nother discussion.)  But I think the second half of the question may well be misdirected.  Yes, there is more work in all the things that are asked (coordination of lines of defense, regulatory/QA requirements, and AI), but the audit department needs to determine if these activities are actually cutting overall costs/time/use of resources. Done right, that can be accomplished. But if the administration of such activities is taking up more time than is received, then they are valueless.

With that being said, I think that streamlining operations and focusing on bigger risks are the real themes that need to be addressed. (And, yes, nothing new here; the kind of things we’ve been hearing for a while.)  Accordingly, that means increased business acumen and increased value to the organization.  (Again, not new, but we don’t seem to do it that well and we need to get it done right.)


Also Answered by Norman Marks:  

As I said in the session, determine the need before picking a tool. Move first to continuous risk assessment and planning, with agile audits. Then and only then determine what tools you need to be effective. Finally, eliminate unnecessary admin work, even if you have to discuss with regulators first. Show them that you address their real needs.


Asked by Abbas: “Is Agile auditing more suitable for certain types of organization vs others”?

Answered by Raven Catlin: 

I find that it can be suitable to all organizations; the culture of the organization is the biggest factor in determining its success. We’ve seen it work in action in banks, insurance companies, state government, manufacturing, marketing entity, universities, and Big4/regional accounting firms.


Asked by Kathleen: “As the role of audit changes, do you see the skillsets needed changing”?

Answered by Mike Jacka:

Quick answer. No.

Okay, guess I should explain.  The important skill sets for internal auditors have always been the soft skills.  They are the same skills necessary to be a good auditor/manager/executive/leader.  When CAEs list the top skills they are looking for in internal auditors, communication and critical thinking are usually tied for number one, with a bullet. Throw in creativity, initiative, empathy, conflict management, teambuilding, listening (listening!), the ability to function without ever holding a meeting…I’m getting a little off-track here, and the list could go on forever.  But you get the idea. Hard skills are important, but they are not the most important thing for internal auditors. It is the soft skills.

And two related references every auditor should read, although they are not specifically internal audit related.  First, read up on EQ, starting with Daniel Goleman’s Working with Emotional Intelligence.  Any auditor who understands EQ and applies it, growing their own EQ, will be successful. Second is Tom Peters’ latest book, The Excellence Divide. In fact, check out any of Tom’s books.  Tom is a major thought leader in the business world and has always been a proponent of soft over hard skills.  This latest is a great place to start.


Also Answered by Raven Catlin:

Our skillsets must change and evolve to meet the needs of the company. Personally, I see an ever-increasing need to build better relationships (empathy and trustworthiness), leverage data (data analytics), write what we mean to say (report writing), and present ideas effectively and persuasively (presentation, influence, persuasion, negotiation).


Asked by Franz: “Was the new guidance Norman speaks of issued by the IIA or another organization”?

Answered by Norman Marks:

The guidance was from the IIA in the form of a Practice Guide. But please see my blog about it, as it is of poor quality. If you want to do this well, I am afraid the best guide is my book, Auditing that Matters.


Asked by Gloria: “My question would be: what do we need to do to recognize where in the change cycle are our team members to bring them to where they may need to be”?

Answered by Tammy Daugherty:

Below is a quick read that covers how people feel and behave at each stage and what is needed to move them through the curve.   This can give you an idea on what to look for and how to help.


Asked by Gloria: “Can you give us an example of how machine learning can help ensure accounting for transactions comply with the standards”?  

Answered by Melisa Galasso:  

One area machine learning has blossomed in the accounting world is in the area of leases. We are leveraging machine learning to “read” leases and identify unusual terms as well as provide inputs for accounting software. This reduces the need to spend staff time reviewing each lease and we know that people tend to “miss” certain elements more frequently than computers.


Asked by Carolyn: “What advice can you give when you are told to take sample items out of the audit population because the test results may make a certain department look bad”?

Answered by Elizabeth Pittelkow Kittner:

This practice is not ethical. If you are being pressured to do something you are uncomfortable with, please speak up to someone who can help. If a department looks bad, there is probably something that needs to be remediated in that department.


Asked by Steve: “Do you have suggestions on how automation can be used to identify potential ethical/cultural issues in an organization”?

Answered by Elizabeth Pittelkow Kittner:

Ask your technology vendors to recommend how their products can help identify irregular data. You can review transactions that look odd like those that are booked outside of normal working hours or are booked in the opposite direction than normal (e.g. debit instead of a credit). Random reviews of everyone’s work can uncover issues that need to be addressed.




