1. Describe the critical elements of success as it relates to your experience LEADING INTERNAL AUDIT, RISK & COMPLIANCE FUNCTIONS and give an example or two describing how/when these elements were successfully implemented?
Critical elements of success for audit, risk and governance positions include a collaborative approach, technical proficiency, customer service focus, communications/team building skills, and talent identification and development.
Collaboration- Internal audit and compliance functions operate most effectively in environments that encourage collaboration and discussion. My experience has shown this approach usually leads to the identification and implementation of the best solution. It also fosters a shared sense of ownership and accountability. At one large company, my team and I were able to use facilitated sessions led by internal audit and business process owners to identify gaps and solutions related to the implementation of a new online service.
Technical Proficiency- Technical proficiency and a relentless commitment to quality are necessary to establish credibility and provide value added services to the organization. I have worked with my team to develop and instill this mindset in every project we touch and in every interaction we have with others. At several companies, I upgraded our talent and provided opportunities for stretch projects to increase technical proficiency and develop staff members.
Customer Service Focus- Internal audit is a service organization, intended to support the achievement of business objectives, identification and mitigation of risks, and furtherance of corporate governance. On an ongoing basis, my team and I met regularly with business unit leaders, solicited formal feedback at the conclusion of each audit, established service metrics and regularly reported on these to management and the audit committee.
Talent Identification and Development- Internal audit provides a unique opportunity to bring talented individuals in the organization, and give them exposure to a wide variety of corporate and operational functions. Early in my career at American Airlines, I was able to participate in the recruitment and development of staff members. I have tracked the careers of several of these individuals, mentored them along the way, and celebrated their career success as corporate officers and leaders. My supervisors at prior companies where I served as the Chief Audit Executive have recognized my track record for hiring good people that others in the organization also want to hire.
2. Describe two specific improvements/changes you have made in one of your previous jobs?
At one major multi-national company, I was able to change the previously held management perception that internal auditors had a “gotcha” mentality. This was accomplished by recruiting a highly talented team of professionals recognized by management and the Audit Committee. I was able to recruit top talent in a very tight market by sharing the vision and the roadmap for the world class internal audit organization I was recruited to build. Individuals became excited and energized and chose to work with us over competing opportunities with a large number of sizeable, high quality companies based in the DFW area.
At another company, my team and I were able to improve the efficiency and effectiveness of internal audit by working with business process owners, identifying key metrics, leveraging information technology and developing a continuous auditing process. We used facilitated sessions over the course of several days to brainstorm and received input from various individuals and managers with perspectives on key business drivers.
3. Describe your knowledge of global audit and compliance practices and please provide an example?
I have led and performed internal audits for multi-national companies for more than 30 years. My certifications and continuing education as a CPA and Certified Compliance and Ethics Professional ensure that I remain current with Global Audit and Compliance practices. One significant area of expertise has been in the area of anti-corruption compliance (ACA). At one multi-national company I created a dedicated anti-corruption compliance group within Internal Audit and performed numerous individual audits of ACA policies and procedures as well as ACA reviews for company operations, joint ventures and significant partners. I also am knowledgeable of the UK Bribery Act and performed compliance reviews of company operations in the UK. Privacy is another key area with differing global requirements and practices. Previously, I led an audit to evaluate and assess preparedness and compliance with the EU Privacy regulation and have included privacy audit procedures in other country audits, including Australia. Finally, I keep abreast of accounting requirements and regulations including IFRS and have held the AICPA designation as a Chartered Global Management Accountant. One example where I utilized knowledge of accounting requirements concerned an audit of a public company in Japan, involving a joint venture. I successfully challenged their assertion that “Japanese GAAP was flexible” concerning the need to record accruals on other than a cash basis.
4. Describe a situation where you have made a life or career decision based on your personal values or ethics?
Fortunately I have worked in organizations that have generally reflected my own personal values and ethics. The only example I can cite relates to my experience at a former company involving misstatement of a key metric associated with the performance of the business. A previous internal audit had noted procedural deficiencies that could result in the manipulation of the metric. At that time, testing indicated there was no evidence of actual misstatement. The audit results were communicated to management and the audit committee. During the annual risk assessment process I personally interviewed senior management concerning this area and was assured there were no issues. Subsequently, misstatements later surfaced through a whistleblower. At a special audit committee meeting to review the results of the investigation, I learned that irregularities had been previously reported to the general counsel which I had never been made aware of. I expressed my concern to management and the audit committee along with my statement that the integrity of the audit process is dependent on open and honest dialogue with management. I was disappointed with the corrective action taken by the audit committee and believed that I could no longer trust some members of the management team. While I understood that impending litigation made it difficult to take stronger personnel action, personal integrity and reputation is my brand and I made an immediate decision to pursue my career with another company.
5. Describe a crisis situation that you have managed with an Internal Audit member?
During my career I’ve had a few occasions where I’ve managed crisis situations with an internal audit member as well as some personal staff crisis situations such as the death of a spouse. A significant business crisis situation involved an internal audit of the major consulting project where my company served as a managing partner for a partnership involving four other major public companies. My employer provided consulting services to the partnership and recorded revenue based on reported percentage of completion. The audit identified a significant fraud on the part of the management team and was difficult to complete because the individual responsible attempted to hide the fraud by disparaging the audit team and attempting to have them replaced by senior management. My supervisor was concerned about upsetting senior management and had me apologize to the president for the actions of our staff. The situation was further exacerbated by some personal idiosyncrasies of one of the staff members that hurt the credibility of his work. I worked closely with the audit staff member and was tenacious in grinding through the audit despite the lack of cooperation. We were able to complete the audit which led to a multi-million dollar write-off of improper revenue. The managing partnership vice-president and controller were fired, and the president retired.
6. Please describe your experience in auditing Information Technology. If you have been part of the implementation process of a new system, please describe your involvement?
Since 1982, I have maintained proficiency as an IT auditor and professional designation as a Certified Information Systems Auditor (CISA). Early in my professional career, I developed computer programs to automate audit procedures. I was also seconded to a system development team for six months (Republic Airlines) in conjunction with development of a new revenue accounting system. At other companies I audited development and implementation of several large applications, upgrades to ERP systems (PeopleSoft and Oracle) and full scale implementation of a new ERP system (Oracle). I also provided ongoing audit feedback for the major SAP enhancement, particularly concerning the impact on SOX controls and testing. At one multi-national company, I participated on the ERP Steering Committee and led several audits of key milestones in the project deployment, in partnership with PwC technical personnel who I engaged to support IA. For a retail company, I provided audit support and testing for the Payment Card Industry Data Security Standards (PCI DSS) compliance. My experience enabled me to significantly enhance IT Audit services and capabilities within several IA Departments. Utilizing internal as well as co-sourced resources, I led audits of data privacy, IT governance, disaster recovery and contingency planning, attack and penetration testing, information security, cyber security, social media, phishing and social engineering, data classification policies, data privacy, data retention, data loss prevention, digital commerce, system and application development, and other IT security and control activities. I also enhanced data analytics capabilities, audit automation and continuous auditing within IT audit functions and am knowledgeable of key IT control models including COBIT, the NIST Cybersecurity Framework, and the ISO 27001 Information Security Standard.
7. How do you stay privy to new methodologies and technologies related to audit and how have you used these to help transform your audit plan?
Through active networking with other IA professionals and Big Four audit partners, I maintain strong awareness of emerging issues, new methodologies and new technology. I regularly participate in the annual Institute of Internal Auditors (IIA) conference for Chief Audit Executives (GAM) which focuses on all of these items. Key presenters include Big Four partners, CAEs sharing best practices, and vendors discussing the latest software and technology. I have spoken at GAM several times and participate in other professional forums and benchmarking groups. I have also held leadership positions in industry focused IA networking groups. Through active engagement and personal emphasis on continuing learning, I am able to ensure the internal audit plan is updated timely and modified to include new and emerging risks, as well as anticipating needs of key stakeholders including the Audit Committee. Several examples include mapping the IA risk assessment and audit plan to the revised COSO 2013 model prior to company implementation and modifying the plan to take a deeper dive on fraud risk assessment procedures, which received greater emphasis with COSO 2013. Cyber security risks continue to increase, and I included social engineering, social media, data loss prevention, and attack and penetration audits in the plan to add value and help promote risk mitigation controls. As a previous company increased outsourcing and reliance on third parties, I ensured the audit plan included a review of global resiliency governance. New and emerging topics I would add to current audit plans include reviews of corporate culture, compliance with global privacy regulations, and security and control for the Internet of Things (IoT).
8. From your experience, what have you learned about yourself from the results you have achieved?
- Pick one item and demonstrate the behavior with a “clear cut” example.
I learned that I have the ability to implement something based on a “vision” of what I expect the outcome or product to look like. This has happened in large and small ways in my personal life and my business career. Usually, I establish what I want to achieve, and then go about identifying the plan, resources and tasks necessary. Working hard, motivating and engaging others, and looking for creative approaches have allowed me to achieve significant successes.
One small example is development of a worldwide organization for internal auditors in the airline industry. I founded the International Association of Airline Internal Auditors (IAAIA) about 20 years ago along with a few colleagues from other international carriers. After the group had a few basic organizational meetings, I was able to dramatically expand the organization and ensure the long-term viability by executing on the vision I had. I became the first two-time Chairman in the second year, recruited a strong Board with representatives from influential carriers such as British Airways, Continental Airlines, Singapore Airlines, Lufthansa, Emirates, etc. I also brought sponsorship into the organization from professional service firms and others and organized several high-quality international conferences. In addition, I reached out to other countries such as Vietnam, Russia, (Aerolineas) Argentina, etc. that had generally not participated in airline organizations. By providing world class meetings, the organization grew and continues to thrive to this day. My vision of an international organization to share internal audit information was fulfilled and creation of this organization led to other governance improvements in the airline industry such as strengthened oversight of the international bank settlement plans in less developed countries by IATA.
9. Describe a time where you identified a significant business risk and the approach you took to mitigate that risk?
One company I joined had just committed to a major ERP system implementation from SAP to Oracle. In performing my first risk assessment, I determined the number one risk at that time was the ERP project. This had not been listed as a significant risk in the Company’s ERM assessment and the CEO stated he did not believe it was a risk at all, and certainly not the top risk. I explained my rationale for this assessment and detailed feedback from other senior officers and stakeholders; the CFO also corroborated my judgment and was in full agreement. Furthermore, I indicated that feedback suggested the project was not being managed properly and was at risk of failure. The CEO then asked Internal Audit to conduct a confidential survey of over 100 key stakeholders, including executives, IT personnel, system implementers and contractors. The results indicated a significant lack of confidence in the project direction and methodology as well as potential conflicts of interest with some contractors. The CEO and I presented the results to the Audit Committee with his action plan for resolution, including replacement of the CIO and certain contractors.
10. Describe (from past experience), your perspective on key attributes a chief audit executive must possess. Give a specific example where you have exhibited at least two of the attributes?
The Chief Audit Executive (CAE) should possess unquestioned personal integrity, confidence, diplomacy, corporate agility, sound judgment, good intuition, persuasive ability, strong backbone without being considered “stubborn”, the ability to motivate others, intelligence, a “quick learner”, excellent written and oral communication skills, energy, passion and enthusiasm!
One example where I was able to demonstrate these traits involved transition of responsibility for SOX compliance from the Corporate Controller to the Internal Audit Department. I used persuasive ability, diplomacy, corporate agility and my leadership skills to convince the CFO I could take SOX organization responsibility, execute, and achieve positive results from business process owners who did not report to me. I was able to convince the Controller this would improve the compliance burden for his staff through improved processes and greater efficiency by having the Audit group oversee SOX compliance. By reengineering the process, we were able to reduce costs by 50% with improved SOX compliance results.
11. Describe, in detail, a specific situation where you have exhibited leadership abilities?
I was able to exhibit leadership abilities in creating the Blockbuster internal audit function from scratch. Previously internal audit services were provided by a parent company and the overall relationship was difficult and confrontational. When I came into Blockbuster I established credibility for the function through communication and relationship building with management. I spent time traveling to all of the significant operating units, visiting stores, distribution centers, and corporate facilities. I was able to recruit a couple of high-profile talented directors to my management team which further helped to establish credibility and support for the internal audit function. We were then able to develop and sell an implementation plan and began developing the infrastructure and building out the team. We had some bumps along the way, though we were able to build these into successes. As a result of my leadership and that of my team, we were able to reduce the costs of internal audit by bringing outsourced resources in house, and improve the overall service and value provided by the function.
12. How do you communicate you can be trusted to your internal audit peers?
I try to establish a good working relationship with my peers by talking with them frequently, asking for their opinion and input, and by following through on what I promise. My personal style is to find and employ “win-win” solutions wherever possible. I have a personal philosophy of “no surprises” which I also instill with my team. This ensures individuals are not caught off guard and embarrassed in front of others. I also practice personal discretion and find ways to accomplish my business objectives without compromising the sources of information where individuals request anonymity.
13. Please describe a time that you had to work cross-functionally in order to solve a problem or mitigate a risk?
I have had several opportunities to work cross functionally to mitigate business risks, particularly with respect to working with Legal and Operations personnel on anti-corruption audits, audits of joint venture partners and conducting complex investigations. However, the most challenging and comprehensive cross-functional task involved leadership related to Y2K readiness. At SkyTel, a telecommunications company where I headed Internal Audit before the company was sold to MCI WorldCom, I was requested to take charge of the company’s worldwide Y2K project. It was 1999, less than a year away from expected compliance, and the company did not have a formal plan and processes in place. SkyTel’s largest investor, other investors, and vendors were demanding to audit the compliance activity which was several years behind the effort of other large telecom companies. It was a very technical “IT intensive” project that was outside of my expertise and comfort zone. Due to the late start relative to most other companies and the sheer volume of work that needed to be done, I was not sure the task could be physically accomplished. However, I have strong organization and project management skills and quickly organized a cross-functional Steering Committee and work group consisting of IA, Operations, Engineering, IT and Accounting and Finance personnel supported by technical consultants and our external audit firm. The vision for “the deliverable”, enthusiasm and communications helped me engage many others in the organization and the “team effort” allowed us to be successful.
14. Please explain a time where you added value to the Company through a decision you made as part of your audit process.
At one retailer, I undertook a first time audit of the Loss Prevention organization which had over 100 individuals and a multi-million dollar budget. This function had never been audited and some executives initially questioned the value of performing this audit. The audit identified numerous opportunities to increase efficiency and accountability and the SVP in charge reacted emotionally when the audit results were summarized. The audit was supported by research from other retailers including metrics and best practices as well as the VP of Loss Prevention. I held my ground, calmly and coolly, and reached out on several occasions to talk through the concerns with the SVP. He eventually recognized we were working in a collaborative manner to improve the business and were not attempting to embarrass or attack him or his organization. Within a couple months, he established a Loss Prevention Steering Committee, invited me to participate, and implemented most of the audit recommendations. Ultimately, he became one of our strongest supporters in the company and helped us establish relationships with other key executives.
15. Describe a situation where you have had to deliver a vision or message with which you did not agree?
At one major company, I had to deliver a message that we were outsourcing much of the function to reduce costs and gain better access to technical resources. I delivered the message in a straightforward manner and tried to communicate the different perspectives that led to this decision. I also encouraged everyone to continue to work professionally and energetically to the best of their ability, even though they might lose their jobs. In addition, I promised to keep them updated and encouraged them to talk with me about their concerns and career objectives. I am happy to say that most individuals who wanted to stay with the company, or needed to stay because of personal issues or visa considerations were retained, and most others who left the company found great positions with other, stronger organizations.