Best Practices in Internal Audit – [Visions & Challenges] Prepared by Mr. Basem Hijaz Chief Audit Executive – NADEC QIAL,CIA,CPA,CISA,CRMA,CRISC,CFE
1. Best Practices in Internal Audit
1. Consider Risks and link it to the audit plan.
2. Consistency & Work Closely with the second Line of Defense.
3. Provide Advice and Insights that Focus More on predictive.
4. Expand and Sharpen Internal Audit’s Skills.
5. Automate Wherever Possible with Technology.
1- Consider Risks and link it to the audit plan
Implementation Guide:
IG 2010 - Planning: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.
According to Standard 2010.A1, the internal audit plan must be based on a documented risk assessment, undertaken at least annually, that considers the input of senior management and the board.
When developing the internal audit plan, the CAE also considers any
requests made by the board and/or senior management and the internal audit
activity’s ability to rely on the work of other internal and external assurance
providers (as per Standard 2050).
The internal audit plan is flexible enough to allow the CAE to review and
adjust it as necessary in response to changes in the organization’s business,
risks, operations, programs, systems, and controls. Significant changes
must be communicated to the board and senior management for review and
approval, in accordance with Standard 2020.
Steps to Consider:
Identify top risks through meetings with stakeholders and industry analyses.
Coordinate with other assurance groups to assess and score risks.
Perform risk assessments to understand each risk and what causes it.
Rank and prioritize the risks.
Conduct periodic reviews throughout the year.
Statistics & Surveys
The IIA’s Global Pulse of Internal Audit survey is based on data from 2,254 respondents in 111 countries or territories. The report is available from your Institute or at www.theiia.org/gpi.
Stakeholders want us to raise the bar; however:
• 28% of CAEs say they rarely or never participate in major organizational change initiatives,
• 31% are never invited to join a full board meeting, and
• only 26% of CAEs view themselves as members of executive management.
Sources: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015
The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from
The IIA. Note: Q42: How frequently does internal audit conduct a risk assessment? Q48: What resources do you use to establish your audit plan?
• The good news:
  91% of CAEs assess risks
  85% develop risk-based plans
• However, CBOK revealed we are not “auditing at the speed of risk”:
  63% of CAEs update audit plans no more than twice a year
  15% have “highly flexible plans”
  31% don’t update risk assessments
  Only 21% deploy continuous risk assessment methodologies
Statistics & Surveys
KPMG’s 2017 Global Audit Committee Pulse Survey
• 832 responses
  – 42 countries
  – 55% audit committee chairs
  – 45% audit committee members
• 63% public companies
• 25% private companies
Question asked: Beyond financial reporting and compliance risks, what steps can internal audit take to maximize value?
Targets for Internal Audit to Maximize Value (response):
• Expand audit plan on key areas of risk (e.g. cyber security, and key operational and technology risks): 56%
• Maintain flexibility in the audit plan: 53%
• Expand the audit plan on effectiveness of risk management processes generally: 49%
• Improve internal audit’s talent and expertise: 42%
• Helping to assess / “audit” the culture of the organization: 27%
Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 Global Audit Committee Pulse Survey, © 2017 KPMG LLP
2- Consistency & Work Closely with the second Line of Defense
Implementation Guide:
IG 2050 - Coordination and Reliance:
The chief audit executive should share information, coordinate activities, and
consider relying upon the work of other internal and external assurance and
consulting service providers to ensure proper coverage and minimize
duplication of efforts.
Internal providers include oversight functions that either report to senior
management or are part of senior management. Their involvement may include
areas such as environmental, financial, control, health and safety, IT
security, legal, risk management, compliance, or quality assurance.
Supplemental Guide:
An assurance map is a matrix comprising a visual representation of the
organization’s risks and all the internal and external providers of assurance
services that cover those risks. This visual depiction exposes coverage gaps
and duplications.
Assurance providers may use the map to coordinate the timing and scope of
their services, preventing audit fatigue within areas and processes under
review, except in cases where senior management or the board may need a
second opinion or a double check from another assurance provider on a high
risk area.
Assurance mapping steps include:
1. Identifying sources of risk information.
2. Organizing risks into risk categories for consolidated viewing.
3. Identifying assurance providers.
4. Gathering information and documenting assurance activities by risk category.
5. Periodically reviewing, monitoring, and updating the assurance map.
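As an added illustration of the assurance-mapping steps above (this is not code from the presentation or from the IIA guidance it cites), the following Python script builds the map as a risk-by-provider matrix from a constructed set of documented assurance activities for a hypothetical organisation, then reports the two things the guide says the map should expose: risk categories nobody covers, and the same scope of work performed by more than one provider. Risk categories, provider names and scopes are made-up sample values.

```python
from collections import defaultdict

# Constructed sample data for a hypothetical organisation. Each record documents one
# assurance activity (step 4 of the mapping procedure): which provider covers which
# risk category, and what the activity's scope is.
ASSURANCE_ACTIVITIES = [
    {"risk": "IT security", "provider": "Internal Audit", "scope": "access management review"},
    {"risk": "IT security", "provider": "Information Security", "scope": "access management review"},
    {"risk": "IT security", "provider": "Information Security", "scope": "vulnerability scanning"},
    {"risk": "Financial reporting", "provider": "External Auditor", "scope": "year-end audit"},
    {"risk": "Financial reporting", "provider": "Internal Audit", "scope": "quarterly close review"},
    {"risk": "Compliance", "provider": "Compliance", "scope": "regulatory monitoring"},
]

# Risk categories from the consolidated risk register (step 2). "Health and safety"
# deliberately has no assurance activity, so the map will show a gap.
RISK_CATEGORIES = ["IT security", "Financial reporting", "Compliance", "Health and safety"]


def build_assurance_map(activities, risk_categories):
    """Return {risk: {provider: [scope, ...]}}, keeping every risk category
    present even when no provider covers it."""
    amap = {risk: {} for risk in risk_categories}
    for act in activities:
        providers = amap.setdefault(act["risk"], {})
        providers.setdefault(act["provider"], []).append(act["scope"])
    return amap


def coverage_gaps(amap):
    """Risk categories that no assurance provider covers at all."""
    return sorted(risk for risk, providers in amap.items() if not providers)


def duplications(amap):
    """(risk, scope, providers) where more than one provider performs the same scope
    of work on the same risk: a candidate for reliance under Standard 2050, unless
    the board wants a second opinion on that high-risk area."""
    found = []
    for risk, providers in amap.items():
        by_scope = defaultdict(set)
        for provider, scopes in providers.items():
            for scope in scopes:
                by_scope[scope].add(provider)
        for scope, provs in by_scope.items():
            if len(provs) > 1:
                found.append((risk, scope, tuple(sorted(provs))))
    return sorted(found)


def render_matrix(amap):
    """Plain-text matrix: rows are risks, columns are providers, cells count activities."""
    providers = sorted({p for provs in amap.values() for p in provs})
    width = max(len(r) for r in amap) + 2
    lines = ["".ljust(width) + "".join(p[:12].ljust(14) for p in providers)]
    for risk, provs in amap.items():
        cells = "".join(str(len(provs.get(p, []))).ljust(14) for p in providers)
        lines.append(risk.ljust(width) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    amap = build_assurance_map(ASSURANCE_ACTIVITIES, RISK_CATEGORIES)
    print(render_matrix(amap))
    print("Coverage gaps:", coverage_gaps(amap))
    print("Duplications:", duplications(amap))
```

Step 5 of the procedure (periodic review) is simply re-running this over the refreshed activity list; a gap that appears after a provider drops a review, or a duplication that appears after a new second-line function starts testing the same scope, shows up in the next run.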
Steps to Consider:
Establish a common risk and control language that will enable the second and third lines of defense to communicate with each other.
Conduct periodic meetings between IA and other assurance functions.
Question and challenge the findings from risk & compliance functions.
Link the risk function’s assessments of key risks to audit planning.
Report key risks, issues, and opportunities to stakeholders.
New Supplemental Guide [Auditing Model Risk Management]
Banks and other large financial services organizations rely extensively on
mathematical models to make business decisions and meet regulatory
requirements.
3- Provide Advice and Insights that Focus More on predictive
What is predictive audit?
The predictive audit is a forward-looking approach that examines the validity of
transactions before they are executed. It does so by comparing actual
transactions to timely normative models, allowing managers to be alerted to
potentially problematic transactions before they occur. This gives senior staff
the opportunity to investigate and resolve any issues before allowing flagged
transactions to go through.
Imagine the following scenario: You are a manager in a consumer bank that
offers customers a savings account with a minimum deposit and minimum of
six months before cash withdrawals can be made.
However, if a customer is dissatisfied with the account, they can immediately
close it and get their money back. Regardless of whether or not they close their
account within six months, the sales employee who set it up is still paid a
commission.
In such a scenario, an employee could seek to inflate their commission by influencing a customer to open an account in order to be eligible for another product (an accompanying loan, for example), on the condition that the savings account can be closed, without penalty, immediately thereafter.
Certainly, such situations are not uncommon and can occur, in one form or another, in any organization. But what if you could predict the occurrence of such ‘bogus’ transactions and take action before they even occur? (See the Wells Fargo case in the Cases in Corporate Governance section.)
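The pre-execution check described in the predictive-audit definition and the bank scenario above, as an added Python example that is not part of the presentation. It uses constructed data for a hypothetical bank: savings accounts opened by sales employees, and the commission payments queued for the next payroll run. The normative model is deliberately simple and is an assumption: an account closed within a window of its opening counts as an early closure, and an employee whose early-closure rate is well above the population rate is treated as an outlier, so that the commission transaction can be held for review before it is paid rather than investigated afterwards. Field names, the 30-day window and the 2x multiplier are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for a hypothetical consumer bank. Savings accounts opened
# by sales employees; "closed" is None while the account is still open.
ACCOUNTS = [
    {"id": "A1", "employee": "E1", "opened": date(2016, 1, 5), "closed": date(2016, 1, 9)},
    {"id": "A2", "employee": "E1", "opened": date(2016, 1, 6), "closed": date(2016, 1, 8)},
    {"id": "A3", "employee": "E1", "opened": date(2016, 1, 12), "closed": date(2016, 1, 14)},
    {"id": "A4", "employee": "E1", "opened": date(2016, 1, 20), "closed": None},
    {"id": "B1", "employee": "E2", "opened": date(2016, 1, 4), "closed": None},
    {"id": "B2", "employee": "E2", "opened": date(2016, 1, 11), "closed": None},
    {"id": "B3", "employee": "E2", "opened": date(2016, 1, 18), "closed": None},
    {"id": "B4", "employee": "E2", "opened": date(2016, 1, 25), "closed": None},
    {"id": "D1", "employee": "E3", "opened": date(2015, 10, 1), "closed": date(2016, 1, 15)},
    {"id": "D2", "employee": "E3", "opened": date(2016, 1, 7), "closed": None},
]

# Commission payments queued for the next payroll run: the transactions examined
# before they are executed (constructed sample).
PENDING_COMMISSIONS = [
    {"txn": "C1", "employee": "E1", "account": "A1", "amount": 50.0},
    {"txn": "C2", "employee": "E1", "account": "A4", "amount": 50.0},
    {"txn": "C3", "employee": "E2", "account": "B1", "amount": 50.0},
    {"txn": "C4", "employee": "E3", "account": "D1", "amount": 50.0},
]


def early_closure(account, window_days):
    """True when the account was closed within window_days of being opened."""
    closed = account["closed"]
    return closed is not None and (closed - account["opened"]).days <= window_days


def employee_early_closure_rates(accounts, window_days):
    """Normative model (assumed): per-employee share of accounts closed early, and
    the population-wide rate used as the baseline."""
    opened = defaultdict(int)
    early = defaultdict(int)
    for acc in accounts:
        opened[acc["employee"]] += 1
        if early_closure(acc, window_days):
            early[acc["employee"]] += 1
    rates = {emp: early[emp] / opened[emp] for emp in opened}
    population = sum(early.values()) / len(accounts)
    return rates, population


def flag_commissions(accounts, pending, window_days=30, rate_multiplier=2.0):
    """Return {txn: [reasons]} for pending commissions that should be held for
    review before payment. Rule 1: the commissioned account itself was closed
    early. Rule 2: the employee's early-closure rate is rate_multiplier times the
    population baseline (and at least one early closure exists)."""
    by_id = {acc["id"]: acc for acc in accounts}
    rates, population = employee_early_closure_rates(accounts, window_days)
    threshold = population * rate_multiplier
    flagged = {}
    for txn in pending:
        reasons = []
        acc = by_id[txn["account"]]
        if early_closure(acc, window_days):
            reasons.append("account %s closed within %d days of opening" % (acc["id"], window_days))
        emp_rate = rates.get(txn["employee"], 0.0)
        if emp_rate > 0 and emp_rate > threshold:
            reasons.append("employee %s early-closure rate %.2f exceeds %.2f"
                           % (txn["employee"], emp_rate, threshold))
        if reasons:
            flagged[txn["txn"]] = reasons
    return flagged


if __name__ == "__main__":
    for txn, reasons in flag_commissions(ACCOUNTS, PENDING_COMMISSIONS).items():
        print(txn, "held for review:", "; ".join(reasons))
```

In this sample, E1's commissions are held: C1 because the account was closed four days after opening, and C2, whose account is still open, because E1's early-closure rate (three of four accounts) is far above the population rate. E2 and E3 receive no flags. Holding the payment and routing it to a manager is the "investigate and resolve before allowing flagged transactions to go through" step; the model itself stays crude on purpose, since the point is the timing of the check, not its sophistication.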
A Combination of Services
The IIA’s Audit Executive Center conducted a survey.
The results found that almost all internal audit functions represented in the
survey (94 percent) provide a combination of assurance and advisory
services. Key business areas where advisory services are being performed
include risk management, corporate governance, ethics, and performance
management.
Implementation Guide:
IG 2030 – Resource Management: The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
IG 1200 – Proficiency and Due Professional Care: Engagements must be performed with proficiency and due professional care.
IG 1210 – Proficiency: The IA activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
4- Expand and Sharpen Internal Audit’s Skills
Supplemental Guide [Talent Management]:
Recruiting, motivating, and retaining great team members is recognized as one
of 10 imperatives that will enable internal audit to drive success in a changing
world.
According to The IIA’s 2015 Global Internal Audit Common Body of Knowledge
(CBOK) study, internal audit departments need to cast their nets wider to
attract, motivate, and retain team members who are able to understand and
anticipate the rapidly changing business environment.
Developing Talent
The CAE should align internal audit’s talent development approach with the
organization’s professional development practices.
Efforts to develop talent typically include:
Professional development plans (“Certification Policy”),
Training and continuing education, and
Mentoring.
Steps to Consider:
Evaluate the existing skills of the internal audit team, identify gaps, and conduct periodic training.
Align training and development programs with emerging risks, regulatory requirements and business objectives.
Consider communication skills as an audit qualification when recruiting new resources.
Explore alternative staffing models such as rotation and guest auditors.
Build relationships with external service providers.
PwC’s 2016 State of the Internal Audit Profession Study found that strategic
and creative talent management is one of the most-significant drivers of the
value an internal audit function can provide. The study also showed a close
correlation between very effective internal audit leadership and talent
management.
In fact, 83% of very effective internal audit leaders perform well at talent
management compared with just 47% of effective leaders and 24% of less-
effective leaders. However, chief audit executives (CAEs) also indicated that
acquiring and managing talent are their most-significant challenges.
According to an IIA study in 2015, the top five areas where respondents are experiencing difficulty hiring candidates are:
1. IT-general
2. Cybersecurity and privacy
3. Data mining and analytics
4. Industry-specific knowledge
5. Analytical/critical thinking
Guides:
Attribute Standard 1220.A2: Internal auditors must consider the use of technology-based audit and other data analysis techniques.
5- Automate Wherever Possible with Technology
Steps to Consider:
Consider replacing stand-alone spreadsheets and tools with integrated audit systems.
Build a centralized library to integrate and map audit data.
Leverage mobile auditing tools to enter audit findings [smartphones or tablets].
Implement intuitive dashboards (KPIs) and reporting tools using Business Intelligence software (continuous auditing).
Internal audit analytics
Start by applying off-the-shelf analytics packages to datasets.
Depending on your industry, identify areas where audit should be forward-looking, and thus analytical.
Improve the first line of defense through certain analytical tasks.
Internal audit analytics – Why use analytics?
Sample-based testing will not satisfy stakeholder needs.
Analytics can apply risk indicators to large datasets.
Analytics reduce complexity and time consumption.
Adopting analytics enhances focus, efficiency, effectiveness, and value.
Current Internal Audit Analytics Capabilities (Source: Deloitte’s Global Chief Audit Executive Survey 2016-2017)
• 7% Advanced: standard methods and training, using advanced tools and analysis techniques
• 24% Intermediate: some standardization of methods, some repeatable analytics
• 55% Basic: ad-hoc analytics with limited repeatable solutions, basic tools (e.g. spreadsheets)
• 11% None: no analytics capabilities
• 3% Not sure
How Many Audits Use Analytics? (Source: Protiviti – Internal Audit Capabilities and Needs Survey 2017)
[Chart: Audits Using Analytics – “What percentage of total audits utilize some form of data analytics?” Response bands: 1% to 25%, 26% to 50%, 51% to 75%, 75% to 100%; shares shown: 42%, 26%, 14%, 18%.]
Data visualization – Impact Area
Data visualization transforms analytical output into visual formats.
The complexity and prices of these tools have dropped sharply.
Data visualization can pinpoint many areas.
Visualization can better meet stakeholder needs.
Visualization can depict trends, patterns, and anomalies that might
otherwise be missed.
Data visualization – Steps to consider:
Train one or more staff members.
A desktop license for a good package is relatively inexpensive.
Then try using data visualization in scoping, execution, and reporting on
selected areas of the audit.
Data visualization is also meaningful in reports to the Board and Audit
Committee.
Well-known data visualization tools include Tableau and BI suites (Oracle, Microsoft).
What is Continuous Auditing?
“A method used to perform control and risk assessments automatically on a more frequent basis.” – IIA
[Diagram: IA Data Analytics shown alongside Internal Audit, Business Leads, Governance, Risk & Compliance, Continuous Auditing, Continuous Monitoring, and Enterprise Risk Management.]
Dashboard Examples (screenshots not reproduced): GL Dashboard; Accounts Payables; General Ledger; Fixed Assets; Procure to Pay; PO without PR.
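As an added example (not code from the presentation or from any dashboard product it shows), the following Python script implements the kind of risk indicator that sits behind the “PO without PR” dashboard and the continuous-auditing definition above: a check that runs automatically over every purchase order rather than a sample. It works on a constructed extract of purchase requisitions and purchase orders for a hypothetical procure-to-pay system and reports each PO that has no requisition, references a requisition that does not exist, was created before its requisition was approved, or exceeds the requisition amount beyond a tolerance, then summarises the exception rate per buyer for a dashboard. Field names, the 10% tolerance and the sample records are assumptions.

```python
from datetime import date

# Constructed sample extracts from a hypothetical procure-to-pay system.
PURCHASE_REQUISITIONS = [
    {"pr": "PR-100", "requester": "U1", "approved": date(2017, 3, 1), "amount": 4000.0},
    {"pr": "PR-101", "requester": "U2", "approved": date(2017, 3, 12), "amount": 900.0},
    {"pr": "PR-102", "requester": "U1", "approved": date(2017, 3, 20), "amount": 2500.0},
]

PURCHASE_ORDERS = [
    {"po": "PO-500", "pr": "PR-100", "buyer": "B1", "vendor": "V1", "created": date(2017, 3, 2), "amount": 4000.0},
    {"po": "PO-501", "pr": None, "buyer": "B1", "vendor": "V2", "created": date(2017, 3, 5), "amount": 7200.0},
    {"po": "PO-502", "pr": "PR-101", "buyer": "B2", "vendor": "V1", "created": date(2017, 3, 10), "amount": 900.0},
    {"po": "PO-503", "pr": "PR-999", "buyer": "B2", "vendor": "V3", "created": date(2017, 3, 15), "amount": 300.0},
    {"po": "PO-504", "pr": "PR-102", "buyer": "B1", "vendor": "V2", "created": date(2017, 3, 21), "amount": 4100.0},
]


def po_exceptions(pos, prs, tolerance=0.10):
    """Apply the 'PO without PR' risk indicator to the full PO population.
    Returns one record per exception with every reason that applies."""
    by_pr = {pr["pr"]: pr for pr in prs}
    exceptions = []
    for po in pos:
        reasons = []
        if po["pr"] is None:
            reasons.append("no PR reference")
        elif po["pr"] not in by_pr:
            reasons.append("PR %s not found" % po["pr"])
        else:
            pr = by_pr[po["pr"]]
            # A PR approved after the PO was raised points to after-the-fact paperwork.
            if pr["approved"] > po["created"]:
                reasons.append("PR approved after PO creation")
            # Commitment grew beyond what was requisitioned, past the allowed tolerance.
            if po["amount"] > pr["amount"] * (1 + tolerance):
                reasons.append("PO amount exceeds PR amount by more than %d%%" % round(tolerance * 100))
        if reasons:
            exceptions.append({"po": po["po"], "buyer": po["buyer"], "amount": po["amount"], "reasons": reasons})
    return exceptions


def summarize(exceptions, pos):
    """Dashboard-style KPIs: exception count, exception rate and exceptions per buyer."""
    by_buyer = {}
    for exc in exceptions:
        by_buyer[exc["buyer"]] = by_buyer.get(exc["buyer"], 0) + 1
    return {
        "total_pos": len(pos),
        "exceptions": len(exceptions),
        "exception_rate": len(exceptions) / len(pos) if pos else 0.0,
        "by_buyer": by_buyer,
    }


if __name__ == "__main__":
    found = po_exceptions(PURCHASE_ORDERS, PURCHASE_REQUISITIONS)
    for exc in found:
        print(exc["po"], exc["buyer"], exc["amount"], "->", "; ".join(exc["reasons"]))
    print(summarize(found, PURCHASE_ORDERS))
```

Run on a schedule against the day's PO extract, the same function is continuous auditing in the IIA's sense: the control test runs on every record, on a frequent basis, without waiting for the annual audit of procurement. The exception list feeds the dashboard; the reasons tell the auditor which follow-up to start with.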
A report is only valuable when management and the board use it and see that it
helps them.
If they briefly look at it and then put it aside, then it is basically useless.
On the other hand, if they look at the report and say 'yes, this is something I
think will help me manage my business' or if they discuss the contents of the
report with other parts of the business, then it is a good sign.
Internal Audit In Practice
Board and Audit Committee Perspectives on Value Add:
Seen to be value adding:
Delivering the audit plan within the year;
Delivering assurance over key concerns or areas of interest for the
board/audit committee;
Providing comfort over core control and compliance areas;
Providing timely and tailored briefings on the position of the organization in
relation to topical issues;
Offering insights into emerging risks (VAT, Cyber security);
Identifying themes and trends in audit findings;
Being seen to be influential with senior management.
Board and Audit Committee Perspectives on Value Add:
Seen not to add value:
Failing to deliver the audit plan;
Having a major issue occur in an area that was recently audited (e.g. “Why
didn’t you spot that issue when you audited that area last year?”);
Appearing uninfluential with senior management (and expecting the board to do the running) or appearing to be in the pocket of management;
Audit receiving negative feedback in a quality review or from a regulator or
from the external auditor;
Audit “Pushing the nuclear button” on an issue which proves to be relatively
minor;
Senior Management Perspectives on Value Add:
Seen to be value adding:
Audit being on hand to do targeted work for some senior managers;
Audit delivering advisory assignments that are seen to support the
achievement of priority objectives;
Audit producing short, balanced reports on a timely basis;
Audit working in a joined up way with other functions, including the external
auditor, to manage the burden of assurance activities across the
organization;
Audit delivering the audit plan to (or under) budget;
Audit identifying inefficiencies or cost savings.
Senior Management Perspectives on Value Add:
Seen not to add value:
Audit reports with negative ratings that do not align with senior
management’s risk appetite;
Audit report wording that is either inflammatory or that might be unhelpful if
disclosed to a regulator or in litigation;
Anything that comes as a surprise;
Anything communicated out of chain;
Audit reports that simply repeat known issues in more detail;
Audit reports that are issued too late to do anything with.
2. Cases in Corporate Governance
What causes companies to engage in criminal behavior?
I. Pressure from top management on middle management to achieve unrealistic targets.
II. Opportunity, arising most basically from the susceptibility of the company’s accounting systems to manipulation due to inherent risks from management override or collusion.
III. Some regulations that may affect a corporation’s regional sales.
IV. To increase the corporation’s stock price or to stay in the leading position.
A. I,III
B. I,II,III
C. I,II,III and IV
D. III,IV
Cases in Corporate Governance
Wells Fargo Scandal
Volkswagen Scandal
Cambridge Analytica scandal
Rolls-Royce Scandal
Mobily Scandal
Cases in Corporate Governance – [Wells Fargo]
Wells Fargo & Company is an American international banking and financial services holding company headquartered in San Francisco, California, with "hubquarters" throughout the country.
“Where Wells went wrong”
Wells Fargo employees created millions of fake bank accounts for customers to hit sales targets and receive bonuses.
“Eight is Great”
Meaning: get eight Wells Fargo products into the hands of each customer. But this directive proved burdensome for bank employees as they struggled to meet the demand.
Employees opened deposit accounts and credit cards for Wells customers without their knowledge or permission.
“Two Million Phony Accounts”
From 2009 to mid-2016, employees created more than 1.5 million unauthorized deposit accounts.
They issued more than 500,000 unauthorized credit card applications.
These accounts racked up $2.6 million in fees for the bank.
“The Results”
$185 million in fines.
5,300 employees were fired over five years for creating the phony accounts.
The public and government officials attacked Wells for its actions.
On September 13, Wells eliminated all sales goals in its retail banking business [meaning that the types of quotas that led to the fraud will soon no longer exist].
The CEO resigned in October 2016.
Source: Forbes
Cases in Corporate Governance – [Volkswagen]
The Volkswagen emissions scandal (also called "emissionsgate" or "dieselgate"):
In September 2015 the Environmental Protection Agency (EPA) issued a notice of violation of the Clean Air Act.
Volkswagen had intentionally programmed turbocharged direct injection (TDI) diesel engines to activate their emissions controls during laboratory emissions testing only.
“The Results”
11 million cars around the world have the emissions software problem.
9 million cars were withdrawn from the European market.
500K cars were withdrawn from the US market.
Volkswagen lost the confidence of its customers and the confidence of the public.
Volkswagen announced that it will cut 30,000 jobs in an effort to save about $4 billion a year, starting in 2020, after the carbon emissions scandal.
A $15 billion settlement with US consumers and regulators gave diesel owners the choice between repurchase, refunds or free repair.
A chart (not reproduced here) shows Volkswagen's operating profit from fiscal year 2006 to fiscal year 2017. In light of the diesel scandal, Volkswagen produced an operating profit of around 13.8 billion euros in 2017.
Cases in Corporate Governance – [Analytica]
Since 2014, Cambridge Analytica captured data on more than 50 million Facebook users without their consent to develop an information program that reveals voters’ intentions and how they can be manipulated.
Christopher Wylie helped develop the voter studies that analyzed Facebook data through an application.
The application required access to Facebook, allowing third parties (academics) to obtain data from Facebook users.
The aim of the study was to create models of personalities, exploiting users’ psyches and what affects them, in order to build campaigns and target them better. “This is known as machine learning.”
The idea was inspired by a study done by two researchers at Cambridge University, Michal Kosinski and David Stillwell, using an application called [My Personality] on Facebook.
They used this application to study the psychology of users, after the users answered specific questions or through what they shared and liked on Facebook pages. (That is, using large amounts of data to understand the user's psychology.)
Dr. Aleksandr Kogan, a psychologist and research professor at the University of Cambridge, reproduced Kosinski’s study; the data used was sold to Strategic Communication Laboratories, one of the companies under "Cambridge Analytica". His position as a researcher at Cambridge allowed Kogan to tell Facebook that his data collection was for academic purposes, when in fact it was not.
It turned out that Facebook had been aware of this collection process since 2015 and took only limited steps to retrieve and protect these users’ data; according to the Observer’s report, the data is still available "raw" on the Internet and can be found.
After the information was released publicly:
Facebook shares fell 6.8 percent at the close of Monday's trading and 7 percent on Tuesday.
New laws could be applied that could hurt the company's business model.
Technology giants on Wall Street, including Apple, Alphabet and Netflix, have been on the decline.
Asian markets also suffered losses, with Sony shares in Tokyo, Samsung in Seoul and Chinese equities in Hong Kong.
Source: Monte Carlo International
Cases in Corporate Governance – [Rolls-Royce]
Rolls-Royce paid bribes, including a luxury car and millions of pounds’ worth of cash, to middlemen to secure orders in six countries, including Indonesia, Russia and China.
A settlement of £671m was reached, which means the engineering giant will avoid being prosecuted by anti-corruption investigators in the UK, US or Brazil.
In Indonesia, Rolls-Royce gave $2.25m (£1.8m) and a Rolls-Royce Silver Spirit car.
In Thailand, the firm paid more than $36m between 1991 and 2005.
In India, where the use of agents to secure defense contracts is prohibited, Rolls-Royce disguised its use of middlemen as “general consulting services”.
In Nigeria, a middleman hired by the company paid bribes to public officials.
In China, Rolls-Royce failed to prevent bribery in relation to the extension of a £5m cash credit to China Eastern Airlines in exchange for the purchase of aircraft engines in 2013.
In Russia, Rolls-Royce won a contract to supply equipment by making payments to a senior official.
Source: BBC
Cases in Corporate Governance – [Mobily]
Why did the share price of Mobily drop from 92 riyals to less than 60 riyals in just three days? Did Mobily deliberately manipulate its earnings figure or not?
It starts with the loyalty program, which aims to secure customer loyalty to the company by giving customers points whenever they use the company’s services.
Customers can redeem these points for rewards from Mobily or from partner companies [company services or other goods and products].
In this case, the sellers (partner companies) of the goods register the points and treat Mobily as a debtor for the amount of goods redeemed by customers, until Mobily pays them.
Under a new arrangement agreed with a number of companies from various industries, Mobily broadcast messages for several days to all users of its network urging them to redeem their points with those partner companies, and the partner companies then paid for these advertisements with the points that would be redeemed.
This turns Mobily from a debtor into a vendor of these points to the companies that participated and were advertised to users.
Where is the problem?
The agreement provided that the companies would pay Mobily only for the points actually used.
But Mobily recorded the “full” points allocated to them as revenue, while the actual revenue was only the fraction actually redeemed by customers, which seems to have been very small; the result was a hugely overstated revenue figure.
The Results
Mobily restated its 2013 net profit from 6.6 billion riyals to 5.9 billion riyals.
Mobily lost more than 10 billion riyals of its market value within a week.
Mobily’s shares lost all their gains of the last two years.
Source: Al Arabiya
Thank You