Internal Auditors, Unite! IIA International Conference Recap

Key Takeaways

Internal audit gurus Charles Calovich and Grant Ostler discuss highlights from the IIA International Conference. Tune in as they touch on the intersection of psychology and audits, soft skills, the changing role of auditors, and more!

Show notes:

• Get more from the conference—read our recap to learn five trends from the IIA International Conference.

• If you’re looking for stories from internal audit heroes, Grant recommends Extraordinary Circumstances: The Journey of a Corporate Whistleblower, the book from former WorldCom Chief Audit Executive Cynthia Cooper.

• Cynthia Cooper will be speaking at the SOX Professionals Group Summit in September. Register for the SOX Professionals Group to get the details as they are released. Membership is free.

• If you liked this episode, you can help us out by subscribing to Off the Books! Hit the “subscribe” button on YouTube, Spotify, Apple Podcasts, or wherever you like to listen. Find every episode of Off the Books at workiva.com/off-the-books-podcast

Internal Auditors, Unite! IIA International Conference Recap | Transcript

Grant Ostler: Historically internal audit shop's have been a lot of accountants, right? We've had a sprinkling of some IT folks, but we've been pretty oriented towards—because that's kind of how we started. But that's changing a lot. 

Steve Soter: Hello and welcome to Off the Books, where we surf the unchartered waters of accounting, finance, risk, and wherever else the waves take us. This episode is brought to you by Workiva, the one platform that unites financial reporting, ESG, audit, and risk, which basically makes Workiva a unicorn. My name is Steve Soter, accounting enthusiast and Diet Coke aficionado. Looking forward to debiting a great conversation. And I'm so happy to have you with us. I'm also, as always, very happy to be joined by Catherine Tsai. Catherine, could you please tell everyone about yourself? 

Catherine Tsai: Well, golly, I'm not an accountant or Diet Coke aficionado, but I like asking questions and learning new things. And one very new thing that happened recently was the International Conference of the Institute of Internal Auditors, or IIA.

Steve: Yeah, that's right. And the IIA is a pretty big deal. I will be honest, as a financial reporting professional, that the IIA wasn't always on my radar, but a few of our colleagues actually went to the IIA 2023 International Conference that you just brought up. And it was a really, really big deal. And because of that, we were excited to bring them in and ask them a few questions. Well, we are joined by Charles Calovich and Grant Ostler, both of whom I have the opportunity to work with on a nearly daily basis. Wondering, to get us started, Charles and Grant, could you introduce yourself and maybe, Charles, we'll start with you and then go to Grant.

Charles Calovich: Appreciate that. Nice to be here. Yes, so I'm Charles Calovich, one of our GRC industry principals here at Workiva. I'm based in the Netherlands, so I roll with our EMEA team over here and really excited to be here today. 

Grant: All right. And I'm Grant Ostler. I'm another industry principal in the GRC space. I do have the opportunity to work with Charles and Steve a lot. And my background is I'm a recovering chief audit executive, so I spend a lot of time doing that. And I'm really happy to be part of this and share some insights on the IIA. 

Catherine: You both said GRC. What does that stand for? 

Grant: Governance, risk, and compliance. Sorry, good catch, Catherine. 

Catherine: Well, Charles, I know you attended the conference, but you also spoke. What was your session all about? 

Charles: Happy to talk about it. We took this opportunity to convey the importance of the internal audit's role as it pertains to internal controls over sustainability reporting—so ICSR—highlighting the impact of regulations like CSRD and the Integrated Reporting Framework released by COSO earlier this year. As with many instances of change, the drive to engage early and often with our key stakeholders is critical. Our client representative who joined us for the panel, Martha Anne Perez, Head of Group Finance, over at Westcoast, expressed how this was a major pillar of success for their team from a strategic planning execution perspective. We were also fortunate to have one of our partners from Deloitte, Shirley Tewary, providing excellent recommendations on when to start building your assurance activities, test and control effectiveness, and just considerations of timing. So to put it simply from Shirley's words, the best time to start is now. So in spite of the limited assurance requirements that will come up later in the year, today is a good day to get things going. 

Steve: Charles, you used a term there, internal controls over sustainability reporting. I know we have more questions to ask about the conference, but that's a little bit different than internal controls over financial reporting, which I'm sure many of our audience are familiar with. Can you just unpack that just for a little bit? 

Charles: Yeah, absolutely happy to. Yeah. So this is a pretty exciting time. Very thankful for COSO for taking the plunge forward and providing us more framework, more guidance as it pertains to this. So as we're all familiar with ICFR, or internal controls over financial reporting, that's been a pretty good background and probably the most globally used framework, thanks to the COSO folks, that a lot of our reporting teams have leveraged. ICSR is an effort to kind of bring us forward and help understand what goes into integrated reporting from a process risk control level. So this framework is now available freely out in the market. And if you haven't had a chance to read through that and review it, I think it'll be a really great asset for a lot of teams there as they begin to understand now these new processes that'll go into their integrated reporting experience. So identifying what actual risk you're exposed to, the controls that you can design to probably mitigate that exposure, as well as understand what does good look like and what should your desired future state closely align to. 

Steve: Awesome. Charles, thank you. Grant, I know there was a, sounds like a track for audit executives at the IIA. You want to tell us a little about that? 

Grant: Yeah. It's interesting, the first time the IIA has ever done it. So a lot of times they'll have conferences, they'll have a session or two that kind of relates to people who are running audit teams. But this time they put a whole track together, and it was really great. Workiva was able to be a sponsor. I had a chance to spend a lot of time with those folks. And it really gave these executives a chance to network with their peers on topics that are really important in our current today. And it's funny, the IIA had never done this before. It's the first time ever. They assumed that we wouldn't have more than about 200 people who would need or want to be in this track. So they set it up for 200. They ended up having over 300 people in the track and trying to squeeze people in. And they had people angry because there wasn't enough room for them, so the response was outstanding. And the IIA is now trying to figure out, okay, do we need to have this in all of our conferences? What does this look like going forward because there was such a great response? 

Steve: Well, and I would assume that probably wasn't a surprise in retrospect. I mean, any time you've got teams thinking about pulling together financial data and ESG data, that of course, needs to be subject to assurance with this kind of integrated report, that's certainly going to get a lot of people's attention. And I think the use of technology there as well, which was kind of one of the questions that we wanted to ask you about, is how are auditors characterizing the use of new technology within this new environment of combining financial and ESG data together that doesn't need to be subject to—Charles, as you had mentioned, you know, beginning with limited assurance. 

Charles: As an auditor, every cycle we try and explore new ways to identify anomalous data, so the troublesome population as opposed to haphazard selections where, you know, you're not sure what you're examining. It could be, you know, instances that were fine. No thresholds or parameters were broken. It's operating as we'd expect it to. But focusing on the anomalous data, that disaggregated population where the problems may exist, allows you to kind of spend your time more wisely, focus on more projects, and add greater value back to the business. And from that lens, a lot of the technology that we're seeing—more mature AI capabilities—are basically designing better ways of working for our teams. So historically, I think auditors are uniquely positioned to really be involved with technological advancements because we're constantly looking for better ways of working, better ways of creating enhancements for processes. So adoption wise, I think internal audit is one of those teams that is very much up to speed with what's available in the market. I think another aspect to consider is kind of this transformation of the perception of internal auditors from this feared figure just to a valuable collaborator in achieving your organization's goals. So, you know, there's a certain level of human reaction that I think is pretty normal when you're undergoing an audit, whether it's internal or external. And that was one that was highly discussed by the attendees throughout the conference. So, yeah, while it's exciting to see these advancements that are going to be possible through AI other technology, the auditors carry a certain responsibility to understand what guardrails can be established just to ensure that not just our organization is safeguarded, but our colleagues as part of our process. 

Grant: Can I just add one other thing? In the CAE track, one of things they talked about was the challenge people are having getting enough qualified people to do the work that they've got. And so technology's a way to give them time back by making things more efficient, helping take some of the kind of busywork that auditors end up doing to some degree, and simplifying that down for them so they can focus on things that are more important to get to the things that they really want to focus on, that are higher risk they just don't have bandwidth for today. So I think technology does—you know, AI is going to be the future and it's coming. Right now there's technology that helps them today to get started. And then, you know, we'll build on that I think over time. 

Charles: The folks that we interacted with over at our booth coming over would basically outline a very similar kind of conversation. I have a small team, maybe four, eight people, and we have this project planning session for the year, and I know they're working at full capacity. Everyone's being utilized. How can I create a way for them to work more effectively so that their hours are more reasonable? At the same time, how do I work with a change management aspect to that so that people actually use the technology and process enhancements that we're providing? Those were two big topics from folks that came by our booth and just wanted to better understand how GRC software vendors like ourselves can really help them take things to the next level of maturity. So hopefully more sessions to come in the future around adoption and change management. But definitely a topic folks are bringing up by our booth. 

Steve: If you don't mind me asking, just off the cuff, I'm curious whether it's AI or even the Workiva technology that you're talking about. Is there a clear path today where technology can like right now, today, fill those gaps in headcount? I mean, is that like a future thing that we expect to come in the future? Or like, no, today if you're having headcount issues, these are tools that can help you resolve that, not to take away people's jobs, but, you know, again, filling gaps in capacity. 

Grant: Yeah, it's absolutely real today. And what I think we have the ability or what we're seeing on the future with some of this new technology is how much bigger impact it can have. You know, I don't want to go too far off topic, but I mean we know that staffing is a challenge across finance, right? It's not just audit, but auditors are feeling the pinch hard. And so being able to help people spend their time on things that really add value makes sense rather than stuff that's just like dotting I's and crossing T's that can be done by technology is a big deal today. And then there's a lot of upside coming forward. 

Charles: Yeah, absolutely to Grant's point there—not taking away people's jobs but changing the value that they're driving. So instead of going through a population of samples and ticking the box to make sure this is that, this is that having something like an analytical device or procedure to pump back the disaggregated data where you should spend your time remediating or raising or escalating. So just using people who have a wealth of knowledge, experience, and understanding of their organization instead of a tick box or checklist exercise, really bringing that value and that expertise back to our strategic objectives and the value of the business. 

Grant: Staff get disengaged when they're doing busy work, right? They want to be doing things that they think or see make a difference. And so by giving them that time back where they can actually—you get better engagement from your team. And that allows you to retain people and all things that are really important right now. Even if I can find somebody to take, fill an empty slot. There's a time when that's open. There's a time to get them up to speed. There's a huge loss and cost to the organization. If I can keep the people that I have, it's just so much more valuable. And technology is a big contributor to that.

Catherine: I'm relieved to hear that both of you seem to see a role for human auditors continuing on into the future.

Grant: Well, one of the things we hear about AI is it's got a lot of upside, but it's not without its risks and dangers. We need to make sure we use properly—Charlie used the term "guardrails." How do we put the guardrails around this to make sure it's going to tee things up as somebody—now, I don't know where this stands 30 years from now. Maybe it really can do everything on its own, but it's not there yet, right? So you need people still with judgment, interpreting, and making decisions around that information. It just helps you filter through all that massive data to get down to those items that matter, as Charlie was talking about. 

Steve: I don't think it's just auditors that get disengaged when they're doing busywork. Steve gets disengaged when I'm doing busywork.

Grant: And that's exactly—I mean, it's a people business. Every business is a people business, right? And they're just people. How do we help them focus on things that are engaging so that they stay engaged and do more? They add greater value as an individual. And I feel more and more empowered and rewarded in all the different things that HR talks about all the time. We can help with that. 

Charles: Professional judgment isn't going away anytime soon. And I think there's a good lesson to be learned from what happened with algorithms leveraged by companies and businesses way back when. You know, the lack of monitoring and retrospective review, the output of some of these algorithms was actually hurting certain demographics and populations because it wasn't understood when the algorithm was created. Same thing happens with AI. We might set it up to perform certain tasks, but we still need that certain level of involvement from people like internal auditors to understand the mechanisms, how it's outputting, and do a retrospective review to make sure that how we structure this is actually providing the right output and that right output does change by business to business. But it's not something that I think could be set up and just left to run on its own accord.

Grant: Final note on this. I was speaking with a colleague a couple of weeks ago and he made the comment, he goes, "The law of unintended consequences has not been repealed," which I thought was a great soundbite. It's like, hey, this stuff is good. But again, bad stuff can happen. You really need to have, you know, people around it. And I love the term guardrails. I'm using it as well, right? You got to have the guardrails to keep us on the road. 

Steve: Well, speaking of guardrails, we do want to ask you lots more about the IIA conference. But first, let's take a quick break and we'll be right back. 

Commercial: Amplify is the conference for accounting, finance, ESG, audit, and risk professionals. Join us in Nashville, September 19 through the 21 for workshops, keynotes, and the entertainment Music City's known for. Register at Workiva.com/amplify. 

Catherine: All right. We are back talking with Charles Calovich and Grant Ostler. What I like about conferences—we're talking about the IIA International Conference today. What I like is hearing forecasts or predictions or trends. So what did people at the IIA International Conference say about the changing role of auditors?

Grant: You know, I think one of the things that we talk about a lot—and this conference, I think, leaned heavily into it—is that, you know, management and audit committees have expectations for auditors to do more with less, like the rest of finance, but to bring a lot more value. Yet we've really indexed heavily since Sarbanes came into effect about 20 years ago on compliance. And we've leaned really, really hard into compliance. And there's a push and a lot of conversation about how do we a) get more value from the compliance efforts that we do, and b) how do we get more efficient at the compliance so we can focus in areas that are high risk that maybe aren't a compliance risk, but that we can really help the organization to be more efficient, to take advantage of opportunities that are available to us, and just mitigate risks and downsides that otherwise really stand to derail our organization. So a lot of conversation about that and how we can help auditors who have basically spent their entire career thus far in this post-Sarbanes world that is pretty checklist oriented, right? And say, look, how do we help them develop the skills or technical skills that they need with real critical thinking skills and root cause analysis skills? How do we help them to solve, understand how to do problem-solving, and to collaborate effectively and to facilitate sessions so they can be more effective in an advisory capacity that complements the assurance work that they do. How do we bring that together? Because we have a lot of people in the profession right now that haven't built those skills as well because of the orientation we've had on compliance. And we're really trying to say, look, we've got to go bring back—part of the reason we have Sarbanes is because internal and external auditors kind of didn't do enough compliance work. So we kind of went too far one way. I think we've kind of come too far the other side on this pendulum. We're trying to come more to the middle a little bit by helping people do both sides—not stop doing compliance but add to it and be better at it. 

Charles: And just to build on there, like there was a nice focus as well on soft skills and that kind of development over time. So one thing like you'll continue to see it as a pillar—I think at these conferences and hopefully within the IA profession long term—is the focus on the culture of being ethical and what that means. So I think that's something that it might not be new, but I think it's going to be a trend that we continue to see, especially as technology continues to develop, as regulations add more pressure to leadership that increases your exposure and your responsibility as an auditor to understand your organization and where those risks might lie. So I think that's something that is always going to remain a critical point and something that we should continue to have advocates for and evangelizing at these conferences. I also think there was a nice focus on the human side of things. So the personnel on those teams, diversity, and inclusion. I really appreciate the speakers that focus their sessions on this, to raise the awareness and get people to understand that, you know, as our profession continues to evolve and mature and we do become these, you know, collaborators earlier on in the process, more aligned with the overall strategy of the business, understanding that there's a person there as well who has ambitions, careers, potentially different experiences in their life to lead them down the path of value add. So I think that was a really nice session to see here and hopefully more to come in the future around that. 

Steve: I would never want to minimize the importance of diversity, equity, and inclusion anywhere in an organization, but it's often occurred to me just how important that is in internal audit because there's a little bit of a both a psychology and a bedside manner that kind of goes along with the job. And, you know, when you find an error, when you find an issue, and it struck me how important it is to have those multiple perspectives, the multiple backgrounds that, you know, a diverse audit staff bring to that. And I don't know if either of you have any thoughts or perspectives on that, but I've long felt like, boy, you really want as broad a group of people as possible, but bring in a lot of different perspectives just because you're always going to see something a little bit differently than somebody else. And that thing that you saw that somebody else maybe didn't might just be the very thing that needed to be found or identified in an audit. 

Grant: Yeah, I think that's right honestly. I mean, historically internal audit shops have been a lot of accountants, right? We've had a sprinkling of some IT folks, but we've been pretty oriented towards—because that's kind of how we started. But that's changing a lot. You know, we're starting, like over my career, we had people—I had an HR person was here in my group. I had people out of engineering, out of our EH&S teams come into my group. I had a credit manager that moved into my group. We had people from a lot of different areas in engineering because, a) we were doing audits where we could leverage that, and b) it was developmental for them, so it was a really good blend. But you're right, having those different perspectives is really, really important. You said something else. And a conversation I used to have a with my team a lot was in our role, there are times we're going to disagree with the management, right, the people we're auditing, and that's okay. That's our job. We need to be that person. We're the independent, right, view of that. But we can do without being disagreeable. We don't have to be, you know, busting people's chops. We can work with them because at the end of the day, we have the same goal they do, and that is to have a business where we manage the risk that we face effectively and in a cost-effective manner, right? We have the same goal, like when we write reports, audit reports, it always used to be here's all the stuff you did wrong. You've seen those, Steve, and it's painful. Instead say, hey, look, by the way, here's a lot of stuff they did right and they're doing this really well. Here's some stuff that we think they need to focus on. By the way, they're aware of this. They know it. They just have other things prioritized in front of this. We think they need to reprioritize a little bit. We think this needs to go up the scale. Those conversations doesn't put them in a negative light. It puts them in a positive light. And you become an ally. You're still independent. You're still doing your job, but you're helping them. And that's when they come to you say, hey, look, we've got a challenge we're trying to get our brains wrapped around. We'd like your perspective. We'd like this, you know, and let's get on the front end of problems instead of cleaning up messes. Let's prevent things. And I think that's where audit's trying to go. There are a lot of shops that are there today and doing it well. A lot of others are trying to get caught up. And, Steve, again, as when you were a controller, you think about that. That relationship now makes audit truly a trusted partner. Yes, it's the banner we all want to have, but it can be real, right? And it comes from what you just talked about, right? Really just having that different view, but share it in a positive, constructive way rather than just beating people up. 

Steve: Well, sadly, not only have I been the recipient of many audit reports, I have probably been the subject of the other reports. 

Grant: And way back you were an author, so I don't know how that works. 

Steve: Well, but I do remember distinctly actually, Grant, to that point of when my paradigm shifted to seeing internal audit less as adversaries and more of, hey, you know what? I really want these folks to be beaten things up to find something because if we don't find it in financial reporting and they don't find it internal audit, the next step is external audit. And you know, when they start to identify issues and errors, that's a whole different ballgame. 

Grant: Or worse they miss it and becomes a restatement down the road, right? I mean, that's really ugly, right? 

Steve: Yeah, exactly.

Grant: I know I'm never supposed to use that term. 

Steve: Well, sometimes it starts with accepting the what could go wrong. And I would say the restatement, it certainly is something not to be overlooked. We are going to get overlooked on the clock if we don't get moving on. Although I think any of the topics we discussed today would definitely be worth digging into even further. But unfortunately, we are running out of time. 

Catherine: That's too bad. I have so many more questions. But we do have a closing question for you today. What is the favorite explanation you've gotten from someone when you caught them committing fraud? We can have a very loose definition of fraud there. 

Charles: Well, I had one in my first year auditing. I was talking to a CFO at a mid-sized bank. I was going through their fixed assets. I noticed that it almost nearly doubled in the account and their head count hadn't changed. The revenue was fairly consistent, so I couldn't quite figure out what the cause for this was. So I went there and after a quick conversation with the CFO, they'd recently moved offices a couple of streets down, and it pretty clearly became obvious that they had capitalized the expense of moving costs into, let's say, the table. So I moved a table from one room to the other, and now it's inherently worth more because I've increased the cost basis. For anyone with an accounting background, we know that's not okay. And when I pressed the CFO on this as my humble first-year self, they told me that the moving costs were very expensive. So I had to take that one on the chin. We got them to make an adjusting entry and fixed the account. But I remember really being a very colorful response to a misclassification. 

Catherine: Interesting. That must've been a fun conversation.

Charles: It was. It was definitely intense. I think I was shaking with my little audit notes and whatnot, getting ready to talk to a bank CFO. But it was a good conversation. It stuck with me. And, you know, it's part of that questioning mindset, I think internal audit, external audit, they have to maintain. You know, it's trust but verify. 

Catherine: Grant, how about you? 

Grant: You know, as Charlie's talking, I'm, like, having flashbacks. I'm going to have to start therapy again probably. But one that stands out in my mind is one of the companies I worked for, we had—actually it was teed up for us by our travel entertainment people saying, hey. You know, people processing expense reports were saying something looks weird here. So we started looking. We had an executive who was doing a lot of travel, taking their personal travel, taking their family stuff, and running it through. And it was interesting because when I sat down with him to ask about this, like they started out this big explanation. Well, you know, I'm always working when I'm on vacation, so it's really a business thing. And da da da da da, and they were really working this hard. And I said, well, that's great, but like, did you hire your family members to, like, work with us too when you're doing this? And all the sudden he was just kind of like silent and goes, fine you caught me. And it's interesting because this person was actually getting ready to be made redundant through another action and they had a package that was kind of being worked out and the package went away. It cost them a lot of money to have done that. I'm no longer on the Christmas card list for that particular individual, I don't believe. 

Catherine: We have to call you Detective Ostler. 

Steve: Yeah. 

Grant: Yeah. We were not very collaborative probably on that one, as the previous conversation. But it was the situation. 

Steve: This has been a terrific conversation. Big thanks to Grant Ostler and Charles Calovich for joining us. And big thanks to you, dear listener, for surfing along with us. I'm Steve Soter. That was Catherine Tsai. And this had been Off the Books presented by Workiva. Please subscribe. Leave a review and tell your buddies, especially your internal audit buddies, if you like the show. Now, if you're watching this on YouTube, please leave us a note in the comments or you are always welcome to drop us a line at OffTheBooks@workiva.com. Surf's up and we'll see you on the next wave.