COSO-SO-What? | Complicated Creatures | Incident Command System | Memo In Lieu Of | Tools | Networking
As Bob Dylan once wrote, “The Times They Are a-Changin’,” and a-changin’ they are, at least for me. This week’s been a melancholic one for sure, but one that has been filled with excitement and anxiousness as well. Over on Herd & Homestead, we welcomed a new 5-kit rabbit litter on January 26, 2025, which will be our second litter with a third on the way (today as I write this or tomorrow when you are seeing this). I moved on from my previous workplace and will be starting a new adventure come Monday and won’t be seeing many of my friends that I used to see every day. Embrace the chaos, take chances when you can, and let your success speak for itself.
Now that I’ve got that out of my system… Let’s learn some new things! Oh, also… trying something new today instead of long-form content: we’ll try to make it shorter and snappier. Be sure to tell me which you prefer. I’m sure I’ll have a poll on LinkedIn for you all to tell me just how you feel!
As a reminder—
- AuditPal Spotlight: Highlights of internal audit trends.
- Back of the Napkin: One new thing I learned this week.
- Borrowing Inspiration: Ideas or tools from other fields.
- Auditcraft: Update on what I tried or failed at this week.
- Tools of the Trade: A roundup of interesting ideas I found.
- foo: Random thoughts or ideas not necessarily related to audit.
Now that you’re up to speed, read on! 🙂
Zac Explains Audits is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
AuditPal Spotlight:
COSO-SO-What?

Why do we even have internal audit functions? I like to think of internal audit as the MythBusters of an organization, and not just because my walrus ‘stache makes me look like Jamie Hyneman (just kidding). But really, the simplest way to boil it down is that Internal Audit exists to say: I believe you, but prove it to me. But how do we know what is good enough? Enter COSO—the gold standard framework for managing risk and internal controls.
What is COSO?
- The Basics: COSO (Committee of Sponsoring Organizations) developed the Internal Control – Integrated Framework. It’s the backbone of internal audit strategies.
- Core Focus:
  - Control Environment: The culture and tone at the top.
  - Risk Assessment: Identifying and prioritizing what could go wrong.
  - Control Activities: The checks and balances that keep operations smooth.
  - Information & Communication: Ensuring everyone has the right info to act.
  - Monitoring: Continuously checking that controls are working.
Why COSO Matters
- It’s not just compliance. COSO pushes organizations to move beyond “checking boxes” and focus on creating a strong, resilient control environment.
- It’s universal. Whether you’re in finance, operations, or governance, the COSO framework applies.
- It’s strategic. COSO aligns risks with organizational goals, making it a tool for driving success, not just avoiding failure.
In Practice
Next time you’re making a new process or auditing one, ask yourself:
- Are we just reacting to risks, or are we proactively managing them?
- Does the team understand the importance of controls in this new process? Are accountability and integrity evident?
- Are there safeguards already built into the process?
- Is the right data reaching the right people at the right time?
Back of the Napkin:
People are complicated creatures

Auditing is a people job—simple as that. And like most jobs, the hardest part is dealing with, well, people.
Here’s the reality: as an auditor, you’re walking into someone else’s world. They likely know their work better than you do, and they may already feel defensive. Add in the universal “bad auditor” stories, and you’re often starting from behind the eight ball.
So what separates good auditors from great ones? Humility. Empathy. The ability to remember that people are messy, imperfect, and having their own struggles.
We’ve all had tough interactions—some our fault, some not. The key is recognizing this and cutting people some slack, the way we’d want them to for us.
Next time a client resists or annoys you, pause. That moment doesn’t define them—just like a bad day wouldn’t define you. Lead with patience, be better, and watch how it changes the dynamic.
Borrowing Inspiration:
Incident Command System for Audits

The Incident Command System (ICS) is a framework designed by the Federal Emergency Management Agency (FEMA) for efficient and effective management of incidents such as natural disasters. ICS is built on the principles of clear roles, defined responsibilities, and modular scalability, so that whatever the complexity, there is a structured response. It doesn’t prescribe exactly what needs to happen; instead it focuses on putting the right people in charge of the right areas and allowing them to make the decisions, which keeps the response flexible. While it was designed for emergency management, ICS principles have applications beyond first responders.
Adopting the ICS Structure for Internal Audit
While smaller organizations have no need for the number of personnel spelled out within the ICS, it’s important to note the different responsibilities that exist within it and how those might be covered on your team.
- Command Staff = Audit Leadership: The Chief Audit Executive serves as the “Incident Commander,” supported by key roles like:
  - Public Information Officer: Managing communication with stakeholders.
  - Safety Officer: Ensuring compliance and operational integrity.
  - Liaison Officer: Coordinating with external auditors, legal teams, or regulators.
- Sections = Core Audit Functions:
  - Operations: Fieldwork, testing controls, and gathering evidence.
  - Planning: Developing the audit plan and identifying risks.
  - Logistics: Coordinating resources, like staff assignments or data access.
  - Finance/Administration: Budgeting and timekeeping for audit projects.
- Divisions and Groups = Scope Management: Assign specific teams to focus on geographic areas (e.g., regional offices) or functional areas (e.g., procurement, IT, or HR).
Tactical Tools for Internal Audit
- Task Forces: Assemble multidisciplinary teams (e.g., IT, operations, and compliance specialists) for special projects like cybersecurity audits or fraud investigations.
- Strike Teams: Use single-focus teams for targeted reviews, such as SOX testing or data analytics deep dives.
Why It Works:
- Clarity: ICS’s structure ensures every auditor knows their role and scope, reducing duplication and gaps.
- Scalability: Whether auditing a small issue or a global crisis, the structure adjusts to fit the complexity.
- Communication: Clear reporting lines and designated roles streamline updates to leadership and stakeholders.
Bottom Line:
By borrowing elements of the ICS, Internal Audit can bring discipline, efficiency, and adaptability to complex situations, ensuring risks are managed effectively. Most importantly, being able to identify these areas within your own organization can reveal gaps or areas for improvement.
Auditcraft:
Memo in lieu of controls existing

This one is for the auditors in the room (Are the auditors in the room with us right now?)… I recently faced a situation where control owners had operating controls, but they weren’t formalized and needed a gap analysis.
Normally, we’d rely on a policy, narrative, or process flow to guide our audit. In this case, none of that existed, and there was barely any documentation to sample from. So, what’s the move here?
I suggested drafting a memo to outline the process, include recommendations, and treat it like a mini-audit report for the specific business objective. Note: This was an operational audit, which is less policy-heavy than SOX or compliance audits. Always follow the directives for your specific audit type.
What resulted was a pretty well-documented process that helped the control owners start formalizing their approach. That said, this method took a lot longer than other options, and it may not have been necessary since the control owners were already on board with the recommendations.
For less supportive control owners, this approach could help secure executive-level backing for recommendations. Win or lesson? Maybe both—but definitely a learning experience either way…
Tools of the Trade:
- Tool: Spotify
- Read: The Subtle Art of Not Giving a F*ck by Mark Manson
- Watch: All the Queen’s Horses by Kelly Richmond Pope
Foo:
Turns out networking is pretty cool

Earlier this week, I joined a new online community called the Internal Audit Collective (IAC). The IAC aims to provide training in Internal Audit and SOX compliance while fostering a network of industry professionals.
For those who know me, joining organizations hasn’t been my thing in the past. But lately, I’ve been challenging myself to step outside my comfort zone (hence this newsletter). Taking the leap with IAC has been incredible—I’ve already connected with so many talented professionals, many with years of experience in areas where I aspire to grow. Most are leaders in their fields, and their insights have been truly inspiring.
Communities like this are what you make of them. You have to dive in and get involved, which isn’t always easy. For me, being part of something just starting out has been especially rewarding—I feel like I’m contributing to its growth. If you’re passionate about a particular industry or role, I highly recommend finding a group to join. It’s surprising how small the world feels when you meet people who are just a connection or two away from someone you already know.