Best Practices in Internal Audit [Visions & Challenges]
Prepared by Mr. Basem Hijaz, Chief Audit Executive, NADEC
QIAL, CIA, CPA, CISA, CRMA, CRISC, CFE

Jun 07, 2019


Part 1. Best Practices in Internal Audit

1. Consider risks and link them to the audit plan.
2. Be consistent and work closely with the second line of defense.
3. Provide advice and insights that focus more on the predictive.
4. Expand and sharpen internal audit’s skills.
5. Automate wherever possible with technology.

1- Consider Risks and Link Them to the Audit Plan

Implementation Guide:

IG 2010 - Planning: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

According to Standard 2010.A1, the internal audit plan must be based on a documented risk assessment, undertaken at least annually, that considers the input of senior management and the board.

When developing the internal audit plan, the CAE also considers any requests made by the board and/or senior management and the internal audit activity’s ability to rely on the work of other internal and external assurance providers (as per Standard 2050).

The internal audit plan is flexible enough to allow the CAE to review and adjust it as necessary in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Significant changes must be communicated to the board and senior management for review and approval, in accordance with Standard 2020.

Steps to Consider:

• Identify top risks through meetings with stakeholders and industry analyses.
• Coordinate with other assurance groups to assess and score risks.
• Perform risk assessments to understand risks and what causes them.
• Rank and prioritize the risks.
• Conduct periodic reviews throughout the year.

Statistics & Surveys

Our Global Pulse of Internal Audit survey is based on data from 2,254 respondents in 111 countries or territories. The report is available from your Institute or at www.theiia.org/gpi

Stakeholders want us to raise the bar; however:

• 28% of CAEs say they rarely or never participate in major organizational change initiatives,
• 31% are never invited to join a full board meeting, and
• only 26% of CAEs view themselves as members of executive management.

• The good news:
– 91% of CAEs assess risks
– 85% develop risk-based plans

• However, CBOK revealed we are not “auditing at the speed of risk”:
– 63% of CAEs update audit plans no more than twice a year
– 15% have “highly flexible plans”
– 31% don’t update risk assessments
– Only 21% deploy continuous risk assessment methodologies

Sources: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center, conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA. Note: Q42: How frequently does internal audit conduct a risk assessment? Q48: What resources do you use to establish your audit plan?

• KPMG’s 2017 Global Audit Committee Pulse Survey
• 832 responses
– 42 countries
– 55% audit committee chairs
– 45% audit committee members
• 63% public companies
• 25% private companies

Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 Global Audit Committee Pulse Survey, © 2017 KPMG LLP

KPMG’s 2017 Global Audit Committee Pulse Survey

Beyond financial reporting and compliance risks, what steps can internal audit take to maximize value?

Targets for Internal Audit to Maximize Value (Response):

• Expand audit plan on key areas of risk (e.g. cyber security, and key operational and technology risks): 56%
• Maintain flexibility in the audit plan: 53%
• Expand the audit plan on effectiveness of risk management processes generally: 49%
• Improve internal audit’s talent and expertise: 42%
• Helping to assess / “audit” the culture of the organization: 27%

Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 Global Audit Committee Pulse Survey, © 2017 KPMG LLP

2- Consistency & Work Closely with the Second Line of Defense

Implementation Guide:

IG 2050 - Coordination and Reliance: The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.

Internal providers include oversight functions that either report to senior management or are part of senior management. Their involvement may include areas such as environmental, financial, control, health and safety, IT security, legal, risk management, compliance, or quality assurance.

Supplemental Guide:

An assurance map is a matrix comprising a visual representation of the organization’s risks and all the internal and external providers of assurance services that cover those risks. This visual depiction exposes coverage gaps and duplications.

Assurance providers may use the map to coordinate the timing and scope of their services, preventing audit fatigue within areas and processes under review, except in cases where senior management or the board may need a second opinion or a double check from another assurance provider on a high-risk area.

Assurance mapping steps include:

1. Identifying sources of risk information.
2. Organizing risks into risk categories for consolidated viewing.
3. Identifying assurance providers.
4. Gathering information and documenting assurance activities by risk category.
5. Periodically reviewing, monitoring, and updating the assurance map.

Steps to Consider:

• Establish a common risk and control language that will enable the second and third lines of defense to communicate with each other.
• Conduct periodic meetings between IA and other assurance functions.
• Question and challenge the findings from risk & compliance functions.
• Link the risk function’s assessments of key risks to audit planning.
• Report key risks, issues, and opportunities to stakeholders.

3- Provide Advice and Insights that Focus More on the Predictive

New Supplemental Guide [Auditing Model Risk Management]

Banks and other large financial services organizations rely extensively on mathematical models to make business decisions and meet regulatory requirements.

What is predictive audit?

The predictive audit is a forward-looking approach that examines the validity of transactions before they are executed. It does so by comparing actual transactions to timely normative models, allowing managers to be alerted to potentially problematic transactions before they occur. This gives senior staff the opportunity to investigate and resolve any issues before allowing flagged transactions to go through.

Imagine the following scenario: You are a manager in a consumer bank that offers customers a savings account with a minimum deposit and a minimum of six months before cash withdrawals can be made.

However, if a customer is dissatisfied with the account, they can immediately close it and get their money back. Regardless of whether or not they close their account within six months, the sales employee who set it up is still paid a commission.

In such a scenario, an employee could seek to inflate their commission by influencing a customer to open an account in order to be eligible for another product (an accompanying loan, for example) with the condition that the savings account can be closed, without penalty, immediately thereafter.

Certainly, such situations are not uncommon, and can occur in one form or another, in any organization. But what if you could predict the occurrence of such ‘bogus’ transactions and take action before they even occur?

Wells Fargo

A Combination of Services

The IIA’s Audit Executive Center conducted a survey. The results found that almost all internal audit functions represented in the survey (94 percent) provide a combination of assurance and advisory services. Key business areas where advisory services are being performed include risk management, corporate governance, ethics, and performance management.

4- Expand and Sharpen Internal Audit’s Skills

Implementation Guide:

IG 2030 – Resource Management: The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

IG 1200 – Proficiency and Due Professional Care: Engagements must be performed with proficiency and due professional care.

IG 1210 – Proficiency: The IA activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Supplemental Guide [Talent Management]:

Recruiting, motivating, and retaining great team members is recognized as one of 10 imperatives that will enable internal audit to drive success in a changing world.

According to The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) study, internal audit departments need to cast their nets wider to attract, motivate, and retain team members who are able to understand and anticipate the rapidly changing business environment.

Developing Talent

The CAE should align internal audit’s talent development approach with the organization’s professional development practices.

Efforts to develop talent typically include:

• Professional development plans, “Certification Policy”
• Training and continuing education, and
• Mentoring.

Steps to Consider:

• Evaluate the existing skills of the internal audit team, identify gaps, and conduct periodic training.
• Align training and development programs with emerging risk, regulatory and business objectives.
• Consider communication skills as audit qualifications when recruiting new resources.
• Explore alternative staffing models such as rotation & guest auditor.
• Build relationships with external service providers.

PwC’s 2016 State of the Internal Audit Profession Study found that strategic and creative talent management is one of the most-significant drivers of the value an internal audit function can provide. The study also showed a close correlation between very effective internal audit leadership and talent management.

In fact, 83% of very effective internal audit leaders perform well at talent management compared with just 47% of effective leaders and 24% of less-effective leaders. However, chief audit executives (CAEs) also indicated that acquiring and managing talent are their most-significant challenges.

As per an IIA study in 2015, the top five areas where respondents are experiencing difficulty hiring candidates are:

1. IT-general
2. Cybersecurity and privacy
3. Data mining and analytics
4. Industry-specific knowledge
5. Analytical/critical thinking

5- Automate Wherever Possible with Technology

Guides:

Attribute Standard 1220.A2: Internal auditors must consider the use of technology-based audit and other data analysis techniques.

Steps to Consider:

• Consider replacing solid spreadsheets and tools with integrated audit systems.
• Build a centralized library to integrate and map audit data.
• Leverage mobile auditing tools to enter audit findings [smartphones or tablets].
• Implement intuitive dashboards (KPI) and reporting tools using Business Intelligence software (Continuous Auditing).

Internal audit analytics

• Start by applying off-the-shelf analytics packages to datasets.
• Depending on your industry, identify areas where audit should be forward-looking, and thus, analytical.
• Improve the first line of defense through certain analytical tasks.

Internal audit analytics – Why do we use analytics?

• Sample-based testing will not satisfy stakeholder needs.
• Analytics can apply risk indicators to large datasets.
• Analytics reduces complexity and time consumption.
• Adopting analytics enhances focus, efficiency, effectiveness, and value.

Current Internal Audit Analytics Capabilities

• 7% Advanced: Standard methods and training, using advanced tools and analysis techniques
• 24% Intermediate: Some standardization of methods, some repeatable analytics
• 55% Basic: Ad-hoc analytics with limited repeatable solutions, basic tools (e.g. spreadsheet, etc.)
• 11% None: No analytics capabilities
• 3% Not sure

Source: Deloitte’s Global Chief Audit Executive Survey 2016-2017

How Many Audits Use Analytics?

[Chart: Audits Using Analytics. Question: “What percentage of total audits utilize some form of data analytics?” Legend: 75% to 100%; 51% to 75%; 26% to 50%; 1% to 25%. Values shown: 42%, 26%, 14%, 18%.]

Source: Protiviti – Internal Audit Capabilities and Needs Survey 2017

Data visualization

Impact Area

• Data visualization transforms analytical output into visual formats.
• The complexity and prices of these tools have dropped sharply.
• Data visualization can pinpoint many areas.
• Visualization can better meet stakeholder needs.
• Visualization can depict trends, patterns, and anomalies that might otherwise be missed.

Data visualization: steps to consider

• Train one or more staff members.
• A desktop license for a good package is relatively inexpensive.
• Then try using data visualization in scoping, execution, and reporting on selected areas of the audit.
• Data visualization is also meaningful in reports to the Board and Audit Committee.
• Famous data visualization tools: Tableau and BI (Oracle, Microsoft).

What is Continuous Auditing?

“Is a method used to perform control and risk assessments automatically on a more frequent basis.” (IIA)

[Diagram labels: Internal Audit; Business Leads; Governance, Risk & Compliance; IA Data Analytics; Continuous Auditing; Continuous Monitoring; Enterprise Risk Management]

Dashboards Examples [images not included in the transcript]:

• GL Dashboard
• Accounts Payables
• General Ledger
• Fixed Assets
• Procure to Pay
• PO without PR

Internal Audit In Practice

A report is only valuable when management and the board use it and see that it helps them.

If they briefly look at it and then put it aside, then it is basically useless.

On the other hand, if they look at the report and say 'yes, this is something I think will help me manage my business' or if they discuss the contents of the report with other parts of the business, then it is a good sign.

Board and Audit Committee Perspectives on Value Add:

Seen to be value adding:

• Delivering the audit plan within the year;
• Delivering assurance over key concerns or areas of interest for the board/audit committee;
• Providing comfort over core control and compliance areas;
• Providing timely and tailored briefings on the position of the organization in relation to topical issues;
• Offering insights into emerging risks (VAT, Cyber security);
• Identifying themes and trends in audit findings;
• Being seen to be influential with senior management.

Board and Audit Committee Perspectives on Value Add:

Seen not to add value:

• Failing to deliver the audit plan;
• Having a major issue occur in an area that was recently audited (e.g. “Why didn’t you spot that issue when you audited that area last year?”);
• Appearing un-influential with senior management (and expecting the board to do the running) or appearing in the pocket of management;
• Audit receiving negative feedback in a quality review or from a regulator or from the external auditor;
• Audit “pushing the nuclear button” on an issue which proves to be relatively minor.

Senior Management Perspectives on Value Add:

Seen to be value adding:

• Audit being on hand to do targeted work for some senior managers;
• Audit delivering advisory assignments that are seen to support the achievement of priority objectives;
• Audit producing short, balanced reports on a timely basis;
• Audit working in a joined-up way with other functions, including the external auditor, to manage the burden of assurance activities across the organization;
• Audit delivering the audit plan to (or under) budget;
• Audit identifying inefficiencies or cost savings.

Senior Management Perspectives on Value Add:

Seen not to add value:

• Audit reports with negative ratings that do not align with senior management’s risk appetite;
• Audit report wording that is either inflammatory or that might be unhelpful if disclosed to a regulator or in litigation;
• Anything that comes as a surprise;
• Anything communicated out of chain;
• Audit reports that simply repeat known issues in more detail;
• Audit reports that are issued too late to do anything with.

Part 2. Cases in Corporate Governance

What causes companies to engage in criminal behavior?

I. Pressure from top management on middle management to achieve unrealistic targets.
II. Opportunity arises most basically from the susceptibility of the company’s accounting systems to manipulation due to inherent risks from management override or collusion.
III. Some regulations that may affect a corporation’s regional sales.
IV. To increase the corporation’s stock price or to stay in the leading position.

A. I, III
B. I, II, III
C. I, II, III and IV
D. III, IV

Cases in Corporate Governance:

• Wells Fargo Scandal
• Volkswagen Scandal
• Cambridge Analytica Scandal
• Rolls-Royce Scandal
• Mobily Scandal

Page 61: Best Practices in Internal Audit [Visions & … Guide : IG 2010 - Planning : The chief audit executive must establish a risk-based plan to determine the priorities of the internal

Cases in Corporate Governance – [Wells Fargo]

61

Page 62: Best Practices in Internal Audit [Visions & … Guide : IG 2010 - Planning : The chief audit executive must establish a risk-based plan to determine the priorities of the internal

Cases in Corporate Governance – [Wells Fargo]

Wells Fargo & Company is an American international banking and financial

services holding company headquartered in San Francisco, California, with

"hubquarters" throughout the country

“Where wells went Wrong”

Wells Fargo employees created millions of fake bank accounts for customers

to hit sales targets and receive bonuses.

Source: Forbes

“Eight is Great”

Meaning: get eight Wells Fargo products into the hands of each customer.

But this directive proved burdensome for bank employees as they struggled to meet demand.

Employees opened deposit accounts and credit cards for Wells Fargo customers without their knowledge or permission.

Source: Forbes

“Two Million Phony Accounts”

From 2009 to mid-2016, employees created more than 1.5 million unauthorized deposit accounts.

Issued more than 500,000 unauthorized credit card applications.

These accounts racked up $2.6 million in fees for the bank.

Source: Forbes

“The Results”

$185 million in fines.

Fired 5,300 employees over five years for creating the phony accounts.

The public and government officials attacked Wells Fargo for its actions.

On September 13, eliminated all sales goals in its retail banking business [meaning that the types of quotas that led to the fraud will soon no longer exist].

CEO resigned in October 2016.

Source: Forbes

Cases in Corporate Governance – [Volkswagen]


The Volkswagen emissions scandal (also called "emissionsgate" or "dieselgate").

In September 2015, the Environmental Protection Agency (EPA) issued a notice of violation of the Clean Air Act.

Volkswagen had intentionally programmed turbocharged direct injection (TDI) diesel engines to activate their emissions controls during laboratory emissions testing only.


“The Results”

11 million cars around the world have the emissions program problem.

Withdrawal of 9 million cars from the European market.

Withdrawal of 500K cars from the US market.

Lost the confidence of its customers and the confidence of the public.

Volkswagen has announced that it will cut 30,000 jobs in an effort to save about $4 billion a year, starting in 2020, after the carbon emissions scandal.

A $15 billion settlement with US consumers and regulators, which gave diesel owners the choice between repurchase, refunds or free repair.


The statistics show Volkswagen's operating profit from fiscal year 2006 to fiscal year 2017. In light of the diesel scandal, Volkswagen produced an operating profit of around 13.8 billion euros in 2017.


Cases in Corporate Governance – [Analytica]


Since 2014, Cambridge Analytica captured the data of more than 50 million Facebook users without their consent, to develop an information program that reveals voters' intentions and how to manipulate them.

Christopher Wylie helped in the development of voter studies to analyze data from Facebook through an application.

Source: Monte Carlo International

The application requires access to Facebook, allowing third parties (academics) to obtain data from Facebook users.

The aim of the study was to create models of personalities and to exploit users' emotions and what influences them, in order to build campaigns and target them better. “This is known as machine learning.”

Source: Monte Carlo International

The idea was inspired by a study done by two researchers at Cambridge University, Michal Kosinski and David Stillwell, using a Facebook application called [My Personality].

They used this application to study the psychology of users, based on their answers to specific questions or on what they share on Facebook pages and what they like. (This means using large amounts of data to understand the user's psychology.)

Source: Monte Carlo International

Dr. Aleksandr Kogan, a psychologist and research professor at the University of Cambridge, reproduced Kosinski's study and sold the data used to Strategic Communication Laboratories, one of the companies under "Cambridge Analytica". As a researcher at Cambridge, Kogan was able to tell Facebook that his data collection served academic goals, when in fact it did not.

Source: Monte Carlo International

It turned out that Facebook had been aware of this collection process since 2015 and took only limited steps to retrieve and protect these users' data. According to the Observer's report, the data is still available "raw" on the Internet and can be found.

Source: Monte Carlo International

After the information was released publicly, Facebook:

Shares fell 6.8 percent at the close of Monday's trading and 7 percent on Tuesday.

New laws could be applied that could hurt the company's business model.

Source: Monte Carlo International

After the information was released publicly (cont.):

Giant technology companies on Wall Street, including Apple, Alphabet and Netflix, have been on the decline.

Asian markets also suffered losses, with Sony shares in Tokyo, Samsung

in Seoul and Chinese equities in Hong Kong

Source: Monte Carlo International

Cases in Corporate Governance – [Rolls-Royce]


Rolls-Royce paid bribes, including a luxury car and millions of pounds’ worth of cash, to middlemen to secure orders in six countries, including Indonesia, Russia and China.

A settlement of £671m has been reached, which means the engineering giant will avoid being prosecuted by anti-corruption investigators in the UK, US or Brazil.

Source: BBC

In Indonesia, Rolls-Royce gave $2.25m (£1.8m) and a Rolls-Royce Silver Spirit car.

In Thailand, the firm paid more than $36m between 1991 and 2005.

In India, where the use of agents to secure defense contracts is prohibited, Rolls-Royce disguised its use of middlemen as “general consulting services”.

Source: BBC

In Nigeria, a middleman hired by the company paid bribes to public officials.

In China, Rolls-Royce failed to prevent bribery in relation to the extension of a £5m cash credit to China Eastern Airlines in exchange for the purchase of engines for aircraft in 2013.

In Russia, Rolls-Royce won a contract to supply equipment by making payments to a senior official.

Source: BBC

Cases in Corporate Governance – [Mobily]


Why did the share price of Mobily drop from 92 riyals to less than 60 riyals in just three days?

Did Mobily deliberately manipulate the earnings figure or not?

It starts with the loyalty program, which aims to secure customers' loyalty to the company by giving them points whenever they use the company's services.

Source: Al Arabiya

Customers can redeem these points for rewards from Mobily or from agreed companies [company services or other goods and products].

In this case, the sellers of the goods (the agreed companies) register the points and treat Mobily as a debtor for the value of the goods redeemed by customers until it pays them.

Source: Al Arabiya

Mobily adopted a new approach: it agreed with a number of companies from various industries that it would broadcast messages for several days to all users of the network, urging them to redeem their points with those agreed companies, and the agreed companies would then pay for these ads through the points that would be redeemed.

This turns Mobily from a debtor into a vendor of these points to the companies that participated in the advertising.

Source: Al Arabiya

Where is the problem?

The agreement provided that the companies would pay Mobily only for the points actually used.

But Mobily recorded the "full" points allocated to them as revenue, while the actual revenue was only a fraction of that: only the points actually redeemed by customers, which seem to have been very few. By contrast, the recorded revenue figure was huge.

Source: Al Arabiya

The Results

Mobily amended its 2013 net profit from 6.6 billion riyals to 5.9 billion riyals.

Mobily lost more than 10 billion riyals of its market value within a week.

Mobily's shares lost all their gains and profits of the last two years.

Source: Al Arabiya

Thank You