Update: What's Driving the Great Resignation?

For the third consecutive month, the U.S. set a record for job resignations, with 4.4 million people quitting in September, according to the most recent report from the U.S. Bureau of Labor Statistics, released in November. That equates to 3% of the workforce and follows an estimated 4.3 million U.S. workers who left their positions in August.

Although the reasons for these resignations are complex, many experts say the most significant driver of the trend is a new perspective on employee identity, quality of life, and their expectations of employers. In an interview with The Washington Post, Anthony Klotz, a professor of management at Texas A&M University, describes these feelings as "pandemic epiphanies," with individuals using their newfound leverage after a year of remote work to either demand something better from their current employer or look elsewhere. Some people seek full-time remote work, while others seek increased compensation or significant improvement in workplace culture.

This trend has led to a renewed organizational focus on attracting and retaining workers. According to a recent global survey by consulting firm Willis Towers Watson, 92% of companies say improving the "employee experience" will be a priority over the next three years, an increase of 40% from before the pandemic. In another global survey from UBS Group AG, 74% of companies report they have begun offering more flexible schedules, 71% are letting more employees choose whether to work from the office, and 66% say they have raised compensation.  — L. Wamsley

Assessing Audit Competency

Practitioners’ proficiency with technology and emerging risks isn’t matching their growing relevance.

Internal auditors give themselves high marks for audit proficiency, but their competency is falling short in key knowledge areas, notes the Assessing Internal Audit Competency report. Respondents consider all 28 competencies in The IIA's Internal Audit Competency Framework relevant, according to the global survey of almost 1,200 internal auditors by Deloitte and the Internal Audit Foundation.

Respondents' rate ethical behavior, due professional care, individual objectivity, and organizational independence the highest. Each is part of the framework's professionalism pillar. Professionalism is where respondents say they are most proficient, too, with ethical behavior, individual objectivity, and the mission of internal auditing leading the way.

However, the report finds a "relevance-to-competence" gap in technology areas such as IT control frameworks, analytics, and security and privacy. "Despite the criticality of these technologies, many auditors do not believe they have the skills needed to provide effective assurance and advisory services in these areas," the report notes. 

The gap is wide for risk management, soft skills, fraud, and agile auditing, as well, the report says. Further, respondents rate their competency in the emerging area of environmental, social, and governance low and consider it the least relevant area. — T. McCollum

The Corporate Broken Rung

Women still face a difficult climb to top positions.

Along every step of the corporate ladder, women in North America have made slight gains in representation over the last four years, yet they are still significantly underrepresented at all levels of management. These findings come from Women in the Workplace 2021, an annual study conducted by McKinsey & Co. and LeanIn.Org involving 423 companies in the U.S. and Canada.

Women are less likely than men to make the leap to management, the study finds. For every 100 men promoted to any management role, 86 women are promoted. Differences are more stark higher up the corporate ladder. 

The "broken rung" phenomenon is worse for women of color, who account for 12% of first-level managers, but only 4% of C-suite executives. Comparably, white women hold 28% of first-level management positions and 20% of C-suite roles. 

Organizations considered top performers in diversity and inclusion are more likely to have strong diversity-focused strategies compared with companies overall. Best practices cited by the study include tracking the representation of women and women of color among new hires and promotions, ensuring equitable promotions by reducing bias within performance reviews, creating an inclusive culture, and holding senior executives and managers accountable for progressing on diversity goals. 

Indra Nooyi, former chairperson and CEO of PepsiCo, says organizations cannot simply appoint a diversity and inclusion officer and call it "done." Nooyi, the first woman of color to head a Fortune 50 company, says diversity is a mathematical number, but inclusiveness involves emotion. "Are you going to make everybody feel welcome and included?" Nooyi asks pointedly in an interview with McKinsey & Co. "That requires deep involvement by all people in power to make sure that you identify bad behavior that's not inclusive, nip it in the bud, and model the right behavior." — C. Janesko

Ransomware Tool Spurs Warning 

Attackers armed with BlackMatter are demanding payments.

Amid a steep rise in ransomware attacks, the U.S. Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency have published a cybersecurity warning about recent hacking exploits using a tool known as BlackMatter. The ransomware-as-a-service tool first gained prominence in July by enabling bad actors to access secure networks and remotely encrypt host and shared drives. Hackers using the tool have demanded payments ranging from $80,000 to $15 million.

The warning details some of the tactics BlackMatter uses that make it so dangerous. It also recommends mitigation actions, including implementing detection signatures, using strong passwords and multifactor authentication, updating operating systems and software, limiting access to network resources, and deploying network segmentation and traversal monitoring. Additionally, the warning discourages organizations from making ransom payments not only because they encourage further attacks, but also because there is no guarantee any lost files will be recovered.

"This advisory highlights the evolving and persistent nature of criminal cyber actors and the need for a collective public and private approach to reduce the impact and prevalence of ransomware attacks," says Eric Goldstein, executive assistant director for Cybersecurity at CISA. — L. Wamsley

Auditors Back on the Road

Audit projects are among the types of business travel expected to resume in 2022, says Hatice Akyerli Dalton, internal audit leader for Deloitte's Travel, Hospitality, and Services sector.

What is the forecast for travel in 2022, and what types of business travel are most likely to occur? 

Deloitte forecasts corporate travel in the first quarter of 2022 will be 35% to 45% of 2019 spending, 40% to 60% in the second quarter, and will rise to 65% to 80% in the fourth quarter. 

The most likely reasons for travel include use cases high in importance to business success and dependent on face-to-face interaction. Travel motivations that fall into this category include client acquisition and relationship building, client project work such as internal audit projects, and industry conferences with strong networking opportunities or benefits.

How can internal audit functions make the case for audit-related travel? 

Nowadays, with all the technology, access to data remotely, collaboration tools, artificial intelligence, etc., a typical internal auditor can do a lot of work on preparation, planning, and wrap-up remotely. Not all source data that auditors would need resides only in the field anymore. As such, a generalization can be made that more can be done while we spend less time in the field.

However, that is true for established teams and areas in which internal auditors have strong knowledge of the business processes and related risks being audited. Also, preestablished relationships with the audit client are a must. Areas such as the acquisition of new business units and new management and staff would need more in-person presence and interaction.

One of the main reasons that internal audit professionals will likely still need to travel some comes down to the saying, "trust but verify." Internal audit desktop/remote test work reviews will provide little insights compared to actually observing the physical premises, walking the halls, counting inventory, and especially conducting face-to-face interviews. Internal auditors get a sense when something feels off or does not appear to be complete. To exercise this, one needs to be in person. 

Additionally, team training and collaboration is most impactful when in the field. Furthermore, most successful internal auditors are the ones who build the right level of relationships with their audit clients and earn their respect and trust. Those type of relationships will not easily form while not in person. In other words, relationship building requires an internal auditor to be authentic, knowledgeable about the business, and present in person.

How can those internal auditors who are traveling ensure they are doing so safely and productively?

Internal auditors should follow U.S. Centers for Disease Control and Prevention and Federal Aviation Administration guidelines around safety protocols, including wearing masks and maintaining as much space as possible during the boarding and deplaning processes. In addition, being vaccinated before traveling — although not a requirement domestically — would increase the likelihood of a safe travel experience. Based on recent survey results, we have also seen an increase in travelers preferring direct flights — versus connecting flights — to limit time on planes and airports and reduce the risk of travel disruptions.