-
DECEMBER 2014 WWW.INTERNALAUDITOR.ME
SHAPING TALENTED AUDIT TEAMS
INTERNAL AUDITOR MIDDLE EAST
INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL
The top 10 innovative professional development programs for internal auditors
Using Feedback from Auditees to Enhance Internal Audit Performance
Global Developments that are Changing Internal Audit
A Look Into the Characteristics and Behaviors of the Typical Fraudster
-
INTERNAL AUDITOR - MIDDLE EAST 1 DECEMBER 2014
From The President

The Time for Research

Dear Readers,

Over the past quarter, we've continued to see the Institute of Internal Auditors (IIA) Research Foundation release various insightful reports on the internal auditing profession globally. Similarly, we've seen new reports being released by local IIA institutes such as the UK's Chartered Institute of Internal Auditors, the IIA Netherlands and others. All of these professional bodies have been working on researching topics important to internal auditors so that they can embody the IIA's motto of "Progress Through Sharing".

The UAE Internal Audit Association (UAE-IAA) is no different. Over the course of a short period of time, we have successfully translated to Arabic the Certified Internal Auditor Study Materials & Exam, Sawyer's Guide for Internal Auditors (6th Edition) and we are working on translating the 2013 COSO Internal Control Integrated Framework. These efforts have made such publications more accessible to internal auditors in our region, and now the time has come to develop our own thought leadership through 2 major initiatives:

1. Risk Management Practices and the Role of Internal Audit: This study, which is well under way, will produce original research relating to non-financial institutions in the UAE. We've assembled a dynamic team consisting of both academics and internal audit practitioners who will reveal the results of this study in our 16th Annual Regional Audit Conference which will be held in early 2015.
2. Global Internal Audit Common Body of Knowledge (CBOK): This is the centerpiece of ongoing research efforts conducted by the IIA Research Foundation. As part of CBOK, the IIA will be conducting its 2015 Practitioner Survey covering over 100 countries. In addition to the global results, we will use the data collected from this survey to produce UAE-specific insights.

These efforts would not be possible had it not been for the support of our strategic partners, members and volunteers who work tirelessly to promote the internal audit profession. We ask all our members to actively support our research efforts as we can only succeed with their cooperation and participation.

On a final note, I am pleased to announce that thanks to the efforts of volunteers from the Editorial Advisory Committee, we have completely revamped the website of Internal Auditor Middle East to a site we hope you will all be proud of. Please visit www.internalauditor.me and share your feedback with us. I wish you all a very happy and prosperous 2015.

Sincerely,
Abdulqader Obaid Ali
President
-
FEATURES
DEPARTMENTS

16 COVER STORY: Shaping Talented Audit Teams. Innovative ways to improve the skills of your internal audit team and increase their business acumen. BY BRUCE TURNER & JACQUELINE TURNER
22 Auditee Feedback. Internal auditors can use positive and honest feedback at various stages in the audit process to improve their performance. BY LALIT DUA
4 Reader Feedback
5 Knowledge Update. New Reports from IIA UK and Netherlands; Data Analytics; Risk Management Guidance for Boards; Business Continuity Management. BY VISHAL THAKKAR
8 UAE-IAA Events
10 Governance Perspectives. A healthy corporate culture is essential to good corporate governance and therefore it should be audited. BY ROBERT NOYE-ALLEN & KAMI NUTTALL
12 Conversations with Colleagues. Harsh Mohan talks about the important role of internal auditing in risk management. BY FARAH ARAJ
28 Inside the Mind of a Fraudster. What characteristics and behaviors does the typical fraudster display? Recent surveys and studies can help shed light on this. BY ROBIN SINGH
20 Human Resources. Five characteristics of a successful chief audit executive. BY AYMAN ABDELRAHIM
30 Fostering Fundamentals. Having proper controls around construction projects provides better information and increases the chances of success. BY KETAN BHOOLA
24 Board & C-Suite Driven Assurance: The Dawn of a New Era. Recent developments in governance and regulation will have a profound impact on internal audit approaches. BY TIM J. LEECH
-
INTERNAL AUDITOR MIDDLE EAST
UAE Internal Audit Association, an IIA Global affiliate

DECEMBER 2014
VOLUME 2014: 4

UAE INTERNAL AUDIT ASSOCIATION

BOARD OF GOVERNORS
Ahmed Al Ansari; Khalid Al Halyan; Mohamed Al Harthi, MBA, CRMA; Abdulqader Obaid Ali, CRMA, CFE, QIAL; Naseeba Alrais, MSC; Ayesha Bin Lootah, MBA; Naeima Mohammed Al Menhali, MSC, CRMA; Ali Al Muwaijei MAFB, MFA, CRMA, CT31000; Nahla Al Qassimi, Ph.D., CRMA, CCP, CCA

EXECUTIVE COMMITTEE
Raza Abdulla; Abdulrahman Al Hareb; Arindam De, MBA, CFA, QIAL; Karl Hendricks, CIA, CCSA, CQA; Rustom S. Kreidly, CPA, CRMA; Karem Obeid; Fadi Sidani, CPA, MS; Rabi Youssef, CPA; Adnan Zaidi, CRMA, ACA, MBA, CCSA, CIA, CFE, CIPFA

GENERAL MANAGER
Samia Al Yousuf

TEAM
Aisha Akhtar; Yasmine Abd El Aziz; Bassam El Baghdadi; Lorna Mungkal; Youssef Mustafa; Aileen Pelagio

PRESIDENT
Abdulqader Obaid Ali

EDITOR
Farah Araj (Acting)

EDITORIAL ADVISORY COMMITTEE
Asem Al Naser, CPA, CIA, QIAL; Farah Araj, CPA, CIA, CFE, QIAL; Majed Bukhashem; Andrew Cox, MBA, MEC, CFIIA, CIA, CISA, CFE, CGAP, MRMIA; Raymond Helayel, CPA, CIA; Meenakshi Razdan, CA, CPA, CIA, CFE; Hossam Samy, CRMA, CFE, CPA, CGA; Nagesh Suryanarayana, MBA, CIA, CCSA; James Tebbs, CA; Vishal Thakkar, ACA, CIA; Issam Zaghloul, MSc, CISA, CISSP, CGEIT

ARABIC REVIEW TEAM
Ayman Abdelrahim, MQM, CIA, CCSA, CFE; Khalid M. Alodhaibi, SOCPA; Qais Hamdan, CISA, CISM, PMP; Waleed Sweimeh

CONTACT INFORMATION

ADVERTISING & ADMINISTRATION
Yasmine Abd El Aziz
yasmeen@iiauae.org
Tel: +971 4 433 9082

EDITORIAL
Farah Araj
editor@internalauditor.me
Tel: +971 50 850 1780

DESIGN & PRINTING
Girish Mehta
Adventure Global
girish@adventure-global.com
Tel: +971 4 393 7696

ARABIC TRANSLATION & LAYOUT
Hossam Samir
Elaph Translation
hossam@elaphtranslation.com
Tel: +971 4 331 0332

GUIDELINES FOR AUTHORS
www.internalauditor.me

DISCLAIMERS
Internal Auditor Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party. The views expressed in Internal Auditor Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors' respective employers. Internal Auditor Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

Internal Auditor Middle East is published quarterly by the UAE Internal Audit Association (UAE-IAA), 8th Floor, Building 4, The Galleries, Downtown Jebel Ali, Dubai, P.O. Box 90919, United Arab Emirates

COMPLIMENTARY TRANSLATION PROVIDED BY:

Reader Feedback

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]
Disagreements on Information Technology Strategy

The article "Information Technology Strategy" (Sept 2014) was a very interesting read and in particular because it reflected the views of a Chief Information Officer. However, I did not agree with his recommendation for internal auditors to be cautious and avoid commenting on the strategies selected by management. Since internal audit should determine the effectiveness of the IT strategy, therefore we do need to question and understand the business case for the various IT initiatives and how they map to the enterprise objectives. For us to be seen as partners, we do need to raise risks we identify in various initiatives undertaken by management and not just raise risks relating to the strategic planning process. Very often I find that business cases developed are not fully justified and mislead management into making the wrong decisions.

Nada Al Chalabi
Senior Audit Manager Information Systems
Dubai, UAE

Enjoyed the Information Technology Special Issue

I read with interest the articles published in the IT Special Issue (Sept 2014) of Internal Auditor - Middle East magazine.

I applaud the clarity with which articles were written; they have a good amount of interesting material without being too long-winded or full of jargon. I especially liked the conversation with Deloitte's leadership team (Tariq Ajmal and Fadi Sidani) and GRC by Satish Yadav. I agree with Tariq and Fadi on the fact that technology is changing the internal audit profession and that the future focus should be on data analytics and cybersecurity. I also like Satish's view of how GRC technology is the way to improve and streamline risk management efforts. However, I would have liked to see insights on top IT risks relating to ERP technologies like SAP and Oracle. This is because not all companies in the UAE have even implemented full-fledged ERPs and many are still in their early stages. Going forward, I would like to see more IT-related articles in the magazine on a recurring basis as IT is an integral part of an effective internal audit process.

Rahul Vaid
IT Auditor
Abu Dhabi, UAE
-
Knowledge Update
BY VISHAL THAKKAR

35% of security incidents are carried out by current employees of a company.
Source: PwC's Global State of Information Security Survey 2015
http://www.pwc.com/us/en/cfodirect/issues/cyber-security/global-information-security-survey-2015.jhtml

42.8 million is the total number of security incidents detected in 2014.

The IIA UK's 2nd Annual Survey of Heads of Internal Audit

The Chartered Institute of Internal Auditors (IIA UK) has released its "Governance and Risk Report 2014", which discusses internal audit's perspective on the management of risk. As part of this annual survey, the IIA UK obtained the views of 247 Heads of Internal Audit from the UK and Ireland. The report provides insight on:

• Risk maturity.
• Top risks internal auditors are focusing on.
• Reporting relationships of internal audit.
• The competencies that internal audit need to function effectively.

Over the past year, there has been a marked increase (from 68% to 82%) in the number of heads of internal audit reporting functionally to the chair of the audit committee, which results in an increase in internal audit effectiveness. However, there was little change in the number of respondents (57%) who felt the level of risk maturity in their company was well established.

In terms of the skills needed by internal auditors, the top 3 skills identified by respondents were 1) Communication Skills, 2) Problem Identification and Solution Skills and 3) Knowledge of Industry, Regulatory, and Standards Changes. The report also covered quality assurance and the results show that over 60% of respondents had an External Quality Assessment carried out by an independent party in the past 5 years. This figure rose to 75% in the financial services sector.

https://www.iia.org.uk/policy/wwwiiaorgukgovandrisk2014/

Combining Internal Audit and the Second Line of Defense

The IIA Netherlands published a report titled "Combining Internal Audit and Second Line of Defense Functions?". The report discusses the pros and cons of combining internal audit and second line of defense functions. The main question the report tried to answer is whether the Internal Audit Function can work independently and objectively while providing support to areas such as risk management, compliance and internal controls.

The main conclusion from the research and round tables conducted was that combining internal audit and second line of defense functions is not the preferred solution considering the Three Lines of Defense model as well as safeguarding the auditor's independence and objectivity as advocated by the Institute of Internal Auditors.

The report also covered the basic conditions and safeguards which should exist when combining internal audit and second line of defense functions:

• Internal audit should not make managerial decisions.
• Internal audit's role should be formalized in the internal audit charter.
• Segregate the persons carrying out such responsibilities from the core internal audit team.

http://iia.nl/actualiteit/nieuws?newsId=1613

87% of executives believe reputation risk is the most important strategic risk.
Source: Deloitte's 2014 Global Survey on Reputation Risk
http://www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/reputation-at-risk.html
-
Knowledge Update

New Practice Guide on Business Continuity Management

The Institute of Internal Auditors (IIA) has released a new practice guide demonstrating how the internal audit function can help businesses keep running in the event of a cyber attack or a natural disaster. The practice guide shows how internal auditors can provide assistance in business continuity management. The IIA noted that internal audit functions typically have the skills, qualifications and in-depth knowledge of the organization to help develop, implement and evaluate the effectiveness of such plans.

The goal of business continuity management is to restore critical operations, manage communications and minimize financial and other effects of disaster. According to the new practice guide, a good crisis management plan is like a company insurance policy - it helps to ensure that the organization remains viable and meets stakeholder expectations.

IIA members can download the practice guide for free by visiting:
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Business-Continuity-Management-Practice-Guide.aspx

EY Report on How Internal Audit Can Add Value with Data Analytics

"Big data is fundamentally changing the way the enterprise operates, and Internal Audit (IA) can't afford to be left behind." This is the main theme of a publication released by EY titled "Harnessing the Power of Data", which discusses how internal audit can embed data analytics into its processes in order to deliver more value to the business.

EY stresses the fact that building analytics capabilities is a journey that will take significant time and effort and defines 3 stages of analytics:

1. Descriptive Analytics: This relates to reporting on and understanding what has already happened, whether in real time or after the fact.
2. Predictive Analytics: Understands the relationships between input and output to predict what will happen in a given scenario.
3. Prescriptive Analytics: This is the most advanced stage and is designed to determine which decision or action will produce the most effective results.

Internal audit can maximize its ability to monitor key risks through timely identification of high-risk journal entries, early identification of potential accounting surprises and continuous auditing of all transactions flowing through the general ledger. Further, and using the example of vendors, data analytics is not just about routine business information (e.g. amount sold, average price) and goes down to lower level, higher-volume data (e.g. line item detail for purchase orders and invoices). Such detail allows internal audit to use data analytics in its annual risk assessment, in its regular audits as well as for special projects.

http://www.ey.com/GL/en/Services/Advisory/EY-internal-audit-harnessing-the-power-of-analytics

New Guidance for UK Listed Companies

Last quarter the Financial Reporting Council released new guidance for "Risk Management, Internal Control and Related Financial and Business Reporting". This guidance integrates and replaces "Internal Control: Guidance to Directors" (formerly known as the Turnbull Guidance) and reflects changes made to the UK Corporate Governance Code.

This guidance focuses on elements of best practice for risk management and defines the responsibilities of the board, which include:

• Design and implementation of appropriate risk and control systems which allows for a robust assessment of major risks.
• Determining the company's risk appetite.
• Fostering an appropriate culture and reward system.
• Agreeing on how to manage major risks.
• Monitoring and reviewing risk management and internal control systems.

One of the unique considerations recommended for board members involves determining the culture the board wishes to embed in the company, and whether this has been achieved. This involves communicating the desired values to management and considering whether the leadership style of the company undermines the risk management and internal control systems.

https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Guidance-on-Risk-Management,-Internal-Control-and.pdf
-
UAE-IAA Events
BY SAMIA AL YOUSUF

Construction Subgroup Meeting

The UAE Internal Audit Association Construction Subgroup held its first Business Event, which was hosted by the UAE Society of Engineers, in Dubai on 23 September 2014. The event was attended by Abdulqader Obaid Ali along with Syed Imtiaz (Chairman of the Construction Subgroup) and Hakim Lalipurwala (Vice Chairman Construction Subgroup) who discussed areas of mutual cooperation with Maged Farouk Hanna, General Manager of the UAE Society of Engineers. In addition, Mike Lewis (Head of Internal Audit at Abu Dhabi Airports) and Mr. Matt Irvin (Senior Project Manager) delivered a presentation titled "Risks in Supply Chain Management in Mega Construction Projects". The presentation highlighted the mechanisms used by Risk Management and Internal Audit to manage and mitigate the various risks faced in a mega construction project. The speakers informed the participants about the Three Lines of Defense framework to help improve overall effectiveness of risk management and internal audit.

Launch of the Hospitality Subgroup

The UAE Internal Audit Association's Hospitality Subgroup held its first meeting on 15 October 2014 at Abu Dhabi National Exhibitions Company. The session was well attended and led by the Hospitality Subgroup Chairman, Aldrin Sequeira, who is currently the Chief Internal Audit Officer for the Jumeirah Group.

The session also had 2 interesting specialist presentations. The first of which was a presentation by Deloitte led jointly by Grant Salter (Director - Head of Travel, Hospitality and Leisure Advisory) and Hossam Samy (Principal - Enterprise Risk Services) discussing "Hospitality: Middle Eastern Trends, Challenges, and how the Internal Audit Profession can Support the Growth". This was followed by an interactive session by Protiviti on Corporate Governance in the hospitality sector led by Nagesh Suryanarayana (Director - Internal Audit and Risk Advisory Services).

"Organizations are now trying to align their corporate governance frameworks in line with leading practices globally and local regulatory mandate. Some key examples include establishing internal audit functions, risk management frameworks, board evaluation matrices, establishing board sub-committees, enhancing reporting and disclosures frameworks," explained Nagesh.
-
Governance Perspectives
BY ROBERT NOYE-ALLEN AND KAMI NUTTALL

Auditing Culture

Can internal auditors really give adequate assurance on corporate governance without auditing corporate culture?

Internal auditing is an evolving discipline, not least due to changing business environments and stakeholder priorities. In 2014, auditing culture has emerged as a new area of focus - a response to growing awareness that hard controls aren't the only ones that matter. Soft controls that stem from a company's culture are also vital for good governance.

Corporate culture is not only about the values an organisation espouses, but also how the organisation lives them. The desired values need to be communicated, embedded and monitored. The extent to which these values are being applied is a legitimate subject for internal audit reporting, although there are challenges in applying this philosophy.

Guidance recently issued on the subject by the Chartered Institute of Internal Auditors in the UK and Ireland recognises that auditing indicators of culture is complex - internal auditors need to be comfortable in their understanding of culture and risk culture.

Chief Audit Executives should ask themselves: can we really offer adequate assurance on the effectiveness of our organisation's governance, risk and controls if we haven't given any consideration to the culture and risk culture of our organisation?

If there is any doubt about the importance of assessing the application of stated values, consider Enron and its stated values of community, respect, integrity and excellence. But where is it now? Examples from elsewhere around the world (Lehman Brothers, AIG, and Nortel) also indicate there is a powerful link between poor culture and performance, and ultimately corporate failure.

Cultural indicators are not always easy to recognise and rely on interpretation. In the case of Lehman Brothers, for example, their risk appetite could be interpreted as being high, and they seemingly ignored the signs that suggested that the subprime market was experiencing a high number of defaults. Executives were still paid highly despite company underperformance. Decisions were taken to hide some of the company's liabilities, resulting in a misstatement in the balance sheet. The company's culture was tied to risk taking behaviours and a poor control environment.

On the other hand, good culture does seem to support good performance. The success of global brands such as Apple and Google could be attributed in part to their powerful cultures that bind people together and set the tone for high performance.

Internal auditors are primed to understand their organisation's control environment, in line with COSO 2013. However, that control environment needs to be considered in the context of both hard and soft controls. The challenge for internal auditors is that assessing the effectiveness of soft controls is very different to assessing the effectiveness of hard controls.

A useful starting point is to consider what we mean by soft controls. They include:

• Commitment to ethics and integrity;
• Attitudes to risk taking;
• Board oversight of performance and internal control;
• Accountabilities, responsibilities and structures;
• Reporting lines; and
• Recruitment practices - a commitment to attract the right people in line with the organisation's objectives and values.
-
Recommendations for auditing culture

• Consider what kind of culture the organisation champions, and how this is measured across operations. For example, does your company have stated values and what type of indicators exist for measuring that employees are living the values? Does your organisation use staff surveys to understand employee attitude and behaviours? Does your senior management team listen to employees and take action when necessary? Do they operate an open or closed door environment?

• Ensure corporate culture is considered within your organisation's risk management framework. Who owns it? For example, what does your risk management policy say about risk culture? What kind of risk culture does the company promote and how does it compare to reality? Do the company's risk taking activities match its risk appetite and stated policies?

• When it comes to developing the internal audit strategy and annual plans, agree with your board and executive team what culture means to the organisation and a form of reporting on softer issues to maintain confidentiality and sensitivity. Ensure your audit and risk universe incorporates culture as a viable audit entity or as a theme which cuts across all audits. Ensure internal audit plans are designed to seek evidence of softer controls such as leadership, ethics and values. This will require judgement based on sound knowledge. The Chartered Institute of Internal Auditors talks about using "gut instinct" when forming a view.

• The COSO framework provides a good basis for evaluating a company's control environment, and ascertaining what kind of control culture exists. For example, are decisions decentralised or centralised? What tone is set by the Board? Is there a good relationship between the Board and the Executive? What kind of reward and retention packages does the company offer, and is it linked to performance?

• Remember that hard control issues are indicators of soft control weaknesses. For example, consider the frequency with which controls are overridden, as this could be an indicator of managers who are interested in outputs at any cost. Also, consider the effectiveness of communications: what is the company telling employees? Is information transparent or secret? Are auditors evaluating final reports for evidence or indication of culture related issues?

• Consider the broader messages and not just the symptoms derived from individual audits. If material weaknesses have been identified, root cause analysis (e.g. asking the question "why?" 5 times) will help identify the reasons why an issue has occurred, and whether there is an underlying problem that is linked to corporate culture and values.

• Comment on corporate culture (informed by your consideration of soft controls) in your annual assurance to the business. This could be through a reflection of whether audit confirms or validates that corporate values are lived. This could be a result of an evaluation of all final audit reports issued during the year. Consider the processes management has in place for engaging with staff, and ensure these processes are two-way/reciprocal.

• Support your experienced auditors and encourage them to ask questions that address cultural issues and soft controls.

• Ensure your internal audit team has the necessary training and interpersonal skills to pick up on and understand indicators of cultural issues. Ask yourself who is the most appropriate individual to conduct a review of culture.

• Always audit with your head up - be aware of what is going on around you.

Traditionally internal auditors are wary of providing subjective judgement; we are hardwired to believe that professional judgement should underpin opinions. Auditing soft controls and organisational culture requires a certain attitude of mind and awareness. It requires an understanding of the iceberg effect: what is hidden from view may be of greater potential impact than what is visible. It also needs the capacity to put individual audit pieces together to form the bigger picture: local reports and recommendations need to be considered from an organisation-wide perspective to see if any patterns emerge. Many internal auditors are exploring ways in which to encompass culture within their opinions.

This sounds challenging and it is. Auditing culture is not necessarily about people, but about behaviours, attitudes and, fundamentally, values. Nevertheless, it is a challenge that internal auditors need to accept if they are to provide the more rounded assurance on governance, risk and controls that their stakeholders require of them. Corporate culture is an emerging agenda item, being pushed by regulators and stakeholders. It can no longer be ignored. It is a key part of every company's second line of defence.

ROBERT NOYE-ALLEN is a Partner in Moore Stephens LLP
KAMI NUTTALL is the Head of the Centre of Excellence in the Governance, Risk & Assurance Group of Moore Stephens LLP

TO COMMENT on the article, EMAIL the author at [email protected]
-
Conversations with Colleagues
BY FARAH ARAJ

Harsh Mohan

Etihad Airways' Senior Vice President of Audit, Compliance and Risk shares his experience on the role of Internal Audit in risk management

In an exclusive interview, Internal Auditor - Middle East spoke to Harsh Mohan, CPA, CA, who joined Etihad Airways (Etihad) in 2011 and is now the Senior Vice President of Audit, Compliance and Risk. He started his career over 31 years ago in internal audit and used the experience gained to successfully work across various functions in the airline industry including finance, procurement, risk management and strategic cost management. Before joining Etihad, he was the Auditor General Auditor and Senior Director of Business Transformation at Air Canada. Harsh is an active supporter of the UAE Internal Audit Association (UAE-IAA) and a prominent speaker on the topic of risk management.

Internal Auditor - Middle East met with Harsh Mohan at the Etihad Airways Head Office in Abu Dhabi.
-
mitigate capacity constraints? This could include audits of
project oversight, baggage handling, customer services etc. I also
sit as an observer on the Midfield Terminal project committee to
understand how management is addressing the capacity strategic
objective.

What about Internal Audit's role in providing insight on emerging risks?
Risk management is an ever evolving process! Take for example the CEB's (Audit Plan Hot Spots - https://www.executiveboard.com) views on the top risks from 2010 - 2014. You will notice that the top risks have changed over the past five years. Now one of the major emerging risks is cybersecurity. When carrying out our assessment of risk, we need to focus on such areas and ensure that management and the Board are made aware of them.

Some chief audit executives may not be providing advice or assurance on risk management. What are your thoughts on this?
As the needs of the business evolve, there will be a need for Internal Audit to evolve to support the business. Internal Audit has the skills required to support the risk management process and add value to the business. By focusing on risk, Internal Audit will be included in management discussions and committees and this will elevate its status because of our knowledge of the business. If Internal Audit does not step in, someone else will and that department or person will go far ahead of Internal Audit. Chief Audit Executives who do not play a role in risk management face a high risk of becoming obsolete.
Interview
How important is risk management to Etihad? (Smiling) Our
business is managing risk. I want you to think of a metal cylinder
which is 70 meters long, has 400 people, with engines operating at
temperatures around 1,000 degrees Celsius, packed with 100,000
liters of fuel and travelling at a speed of over 800 km/h. This is,
very simply put, what an airplane is. But the passengers are
reclining, watching videos, listening to music and are completely
comfortable. This is what risk management is all about; taking an
inherently high risk such as safety and managing it to a residually
low level.
What role does Internal Audit take with respect to risk
management at Etihad? At the start of every internal audit plan, we
carry out a thorough risk assessment, and based on inherent and
residual risks, we formulate the internal audit plan. Doing proper
risk assessments is a complex task which requires deep knowledge of
the business. It also requires a high level of independence to
report on major risks in a fair manner and for these risks to be
acknowledged by management. Internal Audit has a solid
understanding of the business and is sufficiently independent of
management. It therefore makes sense to use the risk assessment
carried out by Internal Audit as the basis for the companys
enterprise risk management framework. In most non-financial
services institutions, having a separate function carry out this
role would be a waste of resources. So we send the risk assessment
results to senior management so they can identify existing or
required controls that will manage a particular risk within the
companys risk appetite. So management identifies the existing or
required controls, and we, at the time of our audit, assess the
risk and audit the controls in place. Internal Audit at Etihad
Airways validates the risks that the company is facing and assesses
the effectiveness of the controls put in place to mitigate those
risks.
Does this approach impair your departments independence? No. We
do not own the risk mitigation process. The assessment of risk and
corresponding facilitation sessions with management are the roles
performed by Internal Audit. As my title suggests, we deal with
risk and not risk management, differentiating between the two. We
make a clear distinction between our role and managements
responsibility to manage risks. Our approach is based on the IIA
position paper on Internal Audits role in Risk Management and each
stakeholders role in the Risk Management process is clearly
defined.Also to give more comfort to our Board and regulators, we
have a separate team within the department which carries out the
risk assessment and facilitation sessions. This team reports
through me to the full Board. This process of reporting to the
Board makes the risk management process more effective.
How is Internal Audit able to assess and provide assurance on
risks to strategic objectives? Every risk management framework
refers to risk as something which impedes the achievement of your
objectives. We start our strategy by defining our top strategic
objectives and cascading them downwards to the business units and
individual departments. When we assess risk, we look at objectives
from all three layers, and this way, it focuses on adding value to
what really matters to the business. For example, one of our
strategic risks is the capacity of Abu Dhabi Airport to support our
growth. We are expecting to transport 15 million passengers in the
coming years. So Etihad worked with Abu Dhabi Airports Company to
expand the airport to Terminal 3 and is now adding additional
capacity in the new Midfield Terminal. As Internal Audit, we will
look at the controls in place to mitigate this strategic risk. In
other words, what action is being taken by management to
TO COMMENT on the article,EMAIL the author at
[email protected]
The company which manages its risk the best is the one which
succeeds
-
-
Human Resources
Characteristics of a Successful Chief Audit Executive
BY AYMAN ABDELRAHIM
EDITED BY MEENAKSHI RAZDAN
TO COMMENT on the article, EMAIL the author at [email protected]

The increasing complexity of companies, combined with the impact of today's global economy, has resulted in a variety of new business risks and challenges. To help in responding to these new risks and challenges, it is essential for a company to have a highly skilled Chief Audit Executive (CAE). This CAE must possess several core characteristics which will allow him or her to be successful. One clue to these characteristics can be found in the meaning of the word "audit", derived from the Latin word "audire", which means "to hear". Successful CAEs hear what is happening within a company and also listen to what stakeholders have to say. Therefore, a successful CAE is one who is not only technically solid but also has appropriate behavioral characteristics. The mix of essential characteristics that should be found in a CAE is as follows:

1. Strategic Thinking
The CAE plays an important role in providing assurance on whether the organization has the ability to achieve its objectives or not. This means that a CAE should understand the company's business and how to work together with top management to achieve the company's strategy and help guide the organization in the right direction.

2. Mastery of Risk
The CAE needs to establish risk-based internal audit plans to ensure that the priorities of the internal audit activity are consistent with the company's goals. Accordingly, it is necessary to have a high sense of risk awareness and of how the organization manages its risks; the CAE should also be aware of any emerging risks and understand the impact of changes in the industry or the external environment.

3. Leadership Ability
The CAE should have strong leadership skills which are demonstrated even beyond the internal audit department. The CAE should inspire, motivate and challenge the auditors to take greater ownership of their work. Empowerment is important to achieve high performance; without empowerment, internal auditors cannot own their work and take responsibility for their results. Also, the CAE should have the ability to create new leaders for the organization; those leaders can drive the future of the organization.
The CAE can play a significant role in driving change in the organization and can be an effective champion for innovation, by providing improvements in strategy and activity through promotion of innovation and awareness of emerging opportunities and risks. The competencies for critical thinking, innovation and improvement are very important for a CAE to succeed.

4. Effective Communication
Listening to stakeholders and understanding their needs and concerns is vital for the CAE role. Strong communication skills can help in building positive relationships with senior management and business leaders. Communicating issues accurately and prioritizing them is also important. Another important thing is using the right words in the audit report, which demonstrates the professionalism of the CAE and the audit team.

5. Desire for Knowledge
Knowledge distinguishes a leader from a non-leader. The CAE should be constantly alert to best practices and industry trends, inspire internal auditors to develop themselves, and maintain a commitment to ongoing training and learning.

Conclusion
As the requirements of companies change, the required characteristics of a successful CAE will also need to change. CAEs have a big role to play in a company by helping an organization remain aware of and effectively manage its current, strategic and emerging risks. To be successful at this role, a CAE needs to have a combination of the characteristics mentioned above to allow him or her to add value to a company. In today's world, it is absolutely critical for a CAE to continuously upgrade his or her skills in order to meet the changing expectations of companies and the internal audit profession.

AYMAN ABDELRAHIM, MQM, CIA, CCSA, CFE is a Chief Internal
Auditor at a government organization in Dubai.
"If you want to be successful, you have to be willing to invest in yourself"
Richard Chambers, CIA, QIAL, President and CEO of The Institute of Internal Auditors
-
Innovation
Shaping talented audit teams
BY KAMRAN AHSAN
A veteran chief audit executive and a technical specialist join forces to showcase innovative professional development programs for internal audit.

A fundamental role of internal auditors in the twenty-first century is to add value to the business and help it achieve its objectives. At the same time, employee talent management has become a priority, as stakeholders recognise that internal auditors need to understand the business.

This article focuses on ten developmental programs across three tracks (illustrated in Exhibit 1) that can be structured to close skill-gaps and provide the internal audit activity (IAA) with practical insights into the business.

Imperatives
"There is broad diversity of need for technical and soft skills and a need for internal auditors to operate at a sufficient level of competence to show the value of the profession." IIA Global Council 2014

Leaders of our profession have clearly spelt out the importance of talent management:
Thinking strategically to reduce the talent gap was emphasised in the IIA's Tone at the Top newsletter in January 2013. The article also noted the need to support professional development and encourage staff to work collaboratively with other business units to promote cross-pollination of knowledge.

Skill-set gaps were identified by delegates at the IIA's Global Council meeting held in Dubai in 2014 as one of the top five obstacles the profession faces through 2020.

Understanding business was identified as very important by over 70% of respondents to the IIA's 2010 global survey. This was the highest rated of 18 technical skills.

Maintaining compliance with professional auditing standards underpins audit value, with proficiency and continuing professional development emphasised in standards 1210 and 1230 respectively (i.e. possess and/or enhance knowledge, skills, and other competencies).

Maximising individual potential is a key to being an employee of choice. It helps to create a highly satisfying place to work, and improves the intellectual capital within the IAA.

Keeping internal audit fresh and up-to-date through effective audit leadership. In a June 2014 blog, the IIA President and CEO Richard Chambers emphasised the importance of audit leaders being role models, focusing on positives, being goal-oriented, making the time for the team, and getting help from others through effective delegating.

Exhibit 1: Overview of audit development programs

Bringing Business People into Audit
1. Graduate program
2. Guest auditors - specific audits
3. Guest auditors - longer-term secondments
4. Middle management rotation program

Delivering In-house Programs
5. Alumni network
6. Knowledge champions
7. Mentoring

Sending Auditors into the Business
8. Frontline connections
9. Secondments within the entity
10. Swap or secondment with another entity or service provider
-
Implementation of professional development programs is another
leadership imperative.

Key steps
"Tell me and I'll forget; show me and I may remember; involve me and I'll understand." Chinese Proverb

Identify the competency needs of your IAA. These may already be identified through the IIA's Global Internal Audit Competency Framework or within a defined IAA Professional Development Plan.

Determine any related development programs that your entity already has in place. For instance, well-established graduate and mentoring programs exist in many entities.

Assess the best options for tailored development programs that suit your IAA. From the program overview table, select one or two programs to implement now, and others that might be beneficial in the future.

Develop the selected programs for your IAA, building up from the bottom of the ten building blocks in Exhibit 2. Recognise that motivation and state of readiness to learn are important considerations in identifying the right participant/s.

Finally, irrespective of which program is chosen, ensure that fresh ideas and insights are generated for the IAA. This is the critical payback phase.

Exhibit 2 building blocks (listed from top to bottom):
Engage participants and undertake program
Provide fair and valued learning feedback
Road test and promote the program
Select participants based on selection criteria
Establish and provide suitable induction
Define aim, desired outcome, and strategy
Align to entity career development strategies
Identify IAA skill gaps and learning objectives
Consider the key principles of audit learning
Select best programs; formalise key elements

Program Overviews: Bringing business people in

Program 1: Graduate Program
Design Aims: Introduce governance, risk and control fundamentals to entity's graduate program participants.
Primary Benefit: Helps shape career of potential future leaders, through experiential learning.
Secondary Benefit: Brings youthful enthusiasm into IAA. Builds ambassadors for IAA through a good experience.
Key Features: Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core activities of entity.

Program 2: Guest auditors - for specific engagements
Design Aims: Draw guest auditors onto specific audits where their technical skills are needed.
Primary Benefit: Delivers subject matter experts from technical business areas to IAA to bring expertise to particular audit engagements. Example: a Western Australian mining company utilised engineers to great effect.
Secondary Benefit: Runs for shorter duration than other programs, and is informal and less structured.
Key Features: Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core activities of entity.

Program 3: Guest auditors - longer term secondments
Design Aims: Leverage expertise of business staff.
Primary Benefit: Drives audit improvement strategies through technical advice on audit planning, fieldwork or reporting.
Secondary Benefit: Brings in a free expert resource.
Key Features: Facilitates secondment of operational staff from business areas to IAA for defined periods (several weeks or months).

Program 4: Middle management rotation program
Design Aims: Build capability of middle managers, whilst drawing business experience into IAA.
Primary Benefit: Helps management by giving high potential middle managers opportunity to learn first-hand about entity-wide governance, risk and control arrangements.
Secondary Benefit: Facilitates two-way learning. IAA gains services of respected business people to work on audits. Helps to build business acumen in auditors.
Key Features: Delivers longer term learning benefits for future executives through structured program; CAE partners with C-suite.

Program Overviews: Delivering in-house programs

Program 1: Alumni Network
Design Aims: Invite alumni to IAA events to provide insights on direction, planning and strategies of IAA.
Primary Benefit: Uses structured approach to leverage rich source of ideas, insights and perspectives that former internal auditors have gained in their new roles.
Secondary Benefit: Achieves progress through sharing for professional counterparts.
Key Features: Provides basis for staying connected with experienced auditors who move into other parts of business or to other entities.
-
Anticipated outcomes
"The best minute I spend is the one I invest in people." Kenneth Blanchard

Well-structured professional development programs can help shape a legacy that goes beyond the outcomes traditionally expected of members of the internal audit profession. In particular:

The CAE creates a highly satisfying place to work, which helps to attract and retain excellent staff.

The value of internal audit is enhanced in the eyes of the entity's most senior executives (commonly called the C-suite) and the audit committee, through practical insights gained by drawing business-based expertise into more complex audits.

The IIA as a whole benefits by improving its intellectual capital and expertise; building on the overall talent at its disposal; and enhancing its credibility through technically strong outputs. Programs interfacing directly with the business have the added benefit of showing the human face of internal auditors.

Business specialists brought into the IAA benefit from the insights that they gain in respect to corporate governance, risk management and internal control; skills which they will need as they move into future senior leadership positions. They are also influenced to become ambassadors for internal audit.

Auditors placed into the business or involved in in-house programs gain job enrichment; build their skills; gain greater understanding of the business; and take steps to maximise their individual potential.

TO COMMENT on the article, EMAIL the author at [email protected]

BRUCE TURNER, CGAP, CRMA, CFE, CISA, PFIIA, FFin, FIPA, MAICD,
FAIM is an audit committee chairman in Australia and Chairman
JACQUELINE TURNER, B.L JS, GradCertFraudInv is a white collar
crime analyst at a multi-national financial services institution in
Australia

Program Overviews: Delivering in-house programs (continued)

Program 2: Knowledge champions
Design Aims: Nurture mid-level audit staff to become knowledge champions.
Primary Benefit: Auditors develop expertise in assigned specific knowledge areas, such as emerging practices and issues; governance, risk, control; or technical areas of entity. Example: tax collection agency CAE might assign indirect taxes, direct taxes, client register etc.
Secondary Benefit: Provides CAE with timely information on contemporary trends and business issues, and be well-briefed for C-suite and audit committee interactions.
Key Features: Reduces dependency on hiring terrain experts.

Program 3: Mentoring
Design Aims: Achieve full potential of auditors.
Primary Benefit: Fosters professional relationships, where auditors have opportunity to collaborate and share insights with experienced executives outside IAA.
Secondary Benefit: Provides forum offering constructive and frank advice to support auditors' career development.
Key Features: Offers cost-effective way of assisting auditors to acquire knowledge and skills to operate within challenging environment.

Program Overviews: Sending auditors into the business

Program 1: Frontline connections
Design Aims: Enable senior audit staff to spend time in field with operational staff.
Primary Benefit: Provides an opportunity for auditors to gain experience on the ground so they better comprehend frontline activities and day-to-day challenges of entity.
Secondary Benefit: Provides job enrichment for participants so they remain sharp and objective.
Key Features: Enables auditors to spend half a day every month or quarter in the business shadowing frontline staff and completing lower-risk operational tasks.

Program 2: Secondments within the entity
Design Aims: Provide a short break from auditing to refresh key staff.
Primary Benefit: Refreshes knowledge of seasoned auditors across business operations, and enables them to experience day-to-day operational pressures.
Secondary Benefit: Showcases to management the talent within IAA, and helps to further build IAA's professional profile.
Key Features: Facilitates targeted secondments within business areas.

Program 3: Swap or secondment with another entity or service provider
Design Aims: Boost breadth of experience of high potential auditors.
Primary Benefit: Enables auditors to gain experience in another entity or service provider and bring fresh insights back to IAA.
Secondary Benefit: Reduces risk of auditors becoming stale and resigning, by enabling them to gain broader experience and build their career path.
Key Features: Provides swap of high-potential auditors or secondments for pre-determined periods (say, three months) to achieve defined experiential learning objectives; established through mutual agreement of CAEs.
-
-
Quality Improvement
BY LALIT DUA
Auditee Feedback

One of the important factors for an effective audit is auditee feedback, which has commonly been ignored and has not usually been part of professional discussions. This statement reads as simple and pleasant, but all internal auditors know how much effort it takes to get focused, positive and value-adding feedback from an auditee. Dealing with the behavior and responses of the auditee during this process is quite a challenge.

The auditee should recognize the fact that his enhanced performance, through the auditor's recommended corrective measures, will help in achieving his department's objectives. So establishing an honest understanding of the objectives of the audit and the respective roles of auditor and auditee should take place before the start of the audit process.

The Need for Feedback
Audit reviews can be a smooth journey if both auditor and auditee understand the objective and both of them work in coordination and participation with each other to achieve the desired improvements. The auditor has to ensure transparency in review approaches, conduct and finalization of the audit. The auditee also has to support the review by demonstrating confidence in the auditor.

Feedback from auditees is a confirmation of the auditor's analysis of data, compilation of information, approaches of audit, observations made, acceptance of recommendations etc. The auditee is the one who can approve or reject the internal auditor's efforts, which should be done diligently and honestly. Even the auditee at higher levels of management will not accept the observations unless they have been accepted by the previous levels of management. Hence the auditee can even make or break the auditor's positivity of approach in the audit review.

The auditee's feedback should be specific to the issues/observations, timely and delivered in an appropriate way.

A. Specific to issues
Feedback is at its best when it relates to a specific observation, data analysis or audit query. The auditee feedback will be to the point and constructive if all the relevant details have been provided, as any gap will lead the auditor in an unwanted direction. Submitting an audit observation to the auditee like "Observed that exercise of identification of slow, non-moving and dead inventory items is not effectively conducted during the year" will not yield any tangible feedback unless it is specific, like "As per policy the exercise of identification of slow, non-moving and dead inventory is not being done quarterly and our exercise of identification of such inventory items resulted in 12 such items, the detail of which is in the attached statement."

B. Timeliness
The auditor is required to submit any detail or observation to the auditee well in time and for the period under review. Feedback that is unduly delayed will lose its significance and may delay the process of audit. The sooner the auditor identifies the requirement of changing approach, working and source of information/data, the sooner they can correct the point involved and conclude the audit effectively.

C. Manner
Feedback should be given in a manner that will help to improve audit performance. Since people respond better to information presented in a positive way, feedback should also be expressed in a positive manner. It must be accurate, factual, and complete. Feedback is more effective when it reinforces what the auditor did right and/or wrong and then letting him judge what needs to be done during the course of audit.

Positive and Honest feedback adds to Audit Effectiveness

TO COMMENT on the article, EMAIL the author at [email protected]
LALIT DUA, CA is head of internal audit at

Frequency and Stages of feedback
The feedback from the auditee can be regular or as requested by the auditor. Regular feedback can be given as and when the auditor discusses processes, asks for records and data for review and queries the auditee about some observations. The auditee feedback is expected to be given with positive intent, as it would depict the auditee's desire for the auditor to add value. Periodic feedback sessions are normal features of any audit review, where the details of issues to be discussed and feedback to be taken from the auditee are formally provided in advance. The feedback is documented and is either taken as the base for the next level of audit review or forms part of the report itself. With effective feedback, the auditor will be working in the right direction and will be more potent in the conduct of the audit.

A. Feedback in the opening meeting with auditee
The auditor has to explain to the auditee the objective, scope, tentative duration of review, and initial records and details required in the kick-off meeting. The meeting will give the auditee an opportunity as well to raise questions and ask for clarifications, if any, from the auditor. At the end of the meeting, his clear understanding of the whole process of the review is a kind of feedback whereby he gives his concurrence and assures complete support.

B. During conduct of audit
While conducting audit reviews, the auditor applies different approaches and techniques of audit. He also makes verbal and written communication on issues involved in reviews. The responses, actions, reactions and behavior of the auditee to such activities are a kind of feedback to the auditor on how the audit review is being conducted. After having explained the scope and objective of the audit review in the kick-off meeting, the auditor should ensure that the review is being conducted within the same scope, with positivity and without any intention to find mistakes, errors, frauds etc. The moment the auditee gets any sense of negativity in what the auditor is doing, the auditee will withdraw himself and will tend to feed or provide whatever has been asked without any positive participation. The end result will be extra effort by the auditor, not enough confidence in whatever is being done and non-participation of the auditee in the process of improvement.

C. In the closing meetings
The feedback requirement in the closing meeting should not come as a surprise. It is better to raise issues as they arise in the course of an audit, having a constructive discussion on the spot as and when required. The closing meetings are held at various stages and with various auditees during the course of finalizing audits. Since these closing meetings are held at the concerned auditee, department and functional head levels, the types of feedback at each of these levels will differ in content and style. The process of getting feedback in the closing meetings will be smoother if the auditor has been transparent in his approach and conduct during the course of the audit.

Overall feedback
Though an auditor gets feedback at different stages and from different levels of auditees and management staff on specific areas of audit, the practice of getting overall audit feedback has been formalized in many organisations. Many criteria are in use for evaluating the overall performance of an audit. It is the maturity of the organisation and the role it has foreseen for the auditor which define the list of criteria for feedback. An organisation may even require the auditor to rate different auditees on defined criteria as well. The overall feedback on different aspects of the audit sets a benchmark or highlights the gaps in management's acceptance of the audit department's performance.

Conclusion
Auditee feedback on different aspects of the audit sets a benchmark or highlights the gaps in management's acceptance of the audit department's performance. Each audit observation has to be taken up in its right perspective, without overdoing and misinterpretation. An auditee expects to be given the opportunity to give their perspective, a process that helps to gain their commitment, so the auditor should welcome feedback. Adopting and implementing a collaborative approach to feedback, and highlighting the ultimate aim of the audit to support auditees in order to improve organizational performance, will provide solid foundations for a positive experience for all concerned.
-
Audit Management
Board & C-Suite Driven Assurance: The Dawn of a New Era
BY TIM J. LEECH

Many years ago I wrote a seminal article titled "Control & Risk Self-Assessment: The Dawn of a New Era in Corporate Governance". That article, and the ideas in it, played a significant role launching my first company in 1991, and had a significant impact on the profession globally. Almost 25 years later this article describes recent developments and forces that will almost certainly see the onset of an even more profound and significant transformation, truly the dawn of a new era in internal auditing.

Traditional/Historical Internal Auditing
I joined the profession as an internal auditor in the summer of 1981. Since that time the profession has evolved and advanced in many positive ways, but continues to be bound by some fundamental and confining paradigms. The paradigms include:

1. Internal auditors plan, execute, and report results of point-in-time audits.
2. Internal auditors assess internal controls and report opinions on whether they believe controls are effective.
3. Internal auditors report what they believe to be control deficiencies, material weaknesses, significant deficiencies or opportunities for improvement.
4. Direct report auditing is the primary approach used globally. In a direct report engagement the auditor evaluates the subject matter for which the accountable party is responsible. The accountable party does not make a written assertion on the subject matter they are responsible for.
5. The profession has been primarily supply driven, not demand driven.
6. Internal audit does not usually know, or require that management and boards define, the type and amounts of risk the company and its board are prepared to accept.
7. A majority of internal audit departments have not, for a variety of reasons, assessed and reported on risks to the organization's top strategic/value creation objectives, or the effectiveness of the entity's entire risk management framework.

The traditional/historical direct report approach to internal
auditing described above is now under attack. Evidence collected
globally in 2014 indicates dramatic drops in internal audit
customer satisfaction. (IIA Pulse on the Profession, Enhancing
Value Through Collaboration: A Call to Action, IIA AEC, July 2014.)
Key Developments Globally
Board responsibility to oversee management's risk appetite and
tolerance significantly elevated - Following the 2008 global
financial crisis, commissions were convened around the world to try
and understand what had gone wrong and prevent similar
destabilizing events in the future. A unanimous conclusion was that
boards of directors and, to a lesser degree, regulators, had not
adequately discharged their duty to oversee what is increasingly
being called management's risk appetite and tolerance.
Creation of the world's first preeminent regulator guidance body,
the Financial Stability Board (FSB) - Shortly after the onset of the
global financial crisis a decision was made to create a new super
regulatory power, the Financial Stability Board (FSB). This
organization, currently chaired by Mark Carney, Governor of the
Bank of England, with representation from governments and financial
sector and securities regulators from around the world, has, with
unprecedented speed, formulated and disseminated what is most aptly
termed "paradigm shift" guidance with an overarching, albeit
unstated, goal of reengineering corporate governance globally. One
of the FSB's most significant contributions to date is a November
2013 guide for national regulators, companies, and auditors titled
Principles for an Effective Risk Appetite Framework. The authors of
the FSB guidance took the bold step of defining new and bold
mandates for management, boards of directors and, most
significantly for readers of this article, internal auditors.
Details of the new role envisioned for internal auditors are shown
in the box below. The FSB is, in essence, calling on internal audit
to transition from providing spot-in-time, direct report,
subjective opinions on control effectiveness on a small percentage
of an entity's risk universe, to reporting on the reliability and
effectiveness of an organization's entire RAF, including, but not
limited to, reporting on the reliability of risk status reports
provided to the organization's board of directors by senior
management.
4.6 Internal audit (or other independent assessor) should:
a) Routinely include assessments of the RAF on an institution-wide
basis as well as on an individual business line and legal entity
basis;
b) Identify whether breaches in risk limits are being appropriately
identified, escalated and reported, and report on the
implementation of the RAF to the board and senior management as
appropriate;
c) Independently assess periodically the design and effectiveness
of the RAF and its alignment with supervisory expectations;
d) Assess the effectiveness of the implementation of the RAF,
including linkage to organisational culture, as well as strategic
and business planning, compensation, and decision-making processes;
e) Assess the design and effectiveness of risk measurement
techniques and MIS used to monitor the institution's risk profile
in relation to its risk appetite;
f) Report any material deficiencies in the RAF and on alignment (or
otherwise) of risk appetite and risk profile with risk culture to
the board and senior management in a timely manner; and
g) Evaluate the need to supplement its own independent assessment
with expertise from third parties to provide a comprehensive
independent view of the effectiveness of the RAF.
Source: Financial Stability Board, Principles for an Effective Risk
Appetite Framework, November 18 2013.
Codification of board responsibility to oversee management's risk
appetite and tolerance - In parallel with the FSB, regulators around
the world have started to enact regulations that reflect key FSB
recommendations, particularly the need to assign primary
responsibility for risk management and reporting to management; and
risk appetite/tolerance oversight to boards of directors. One of
the most graphic illustrations is the new UK Governance Code issued
in September 2014. It positions responsibility for risk oversight
squarely with boards of directors; calls on management to design,
implement and maintain effective risk governance frameworks; and
calls on boards to seek independent assurance that management has,
in fact, designed, implemented, and maintained effective risk
governance frameworks. It is expected other major countries that
want to improve the integrity of their capital markets will
follow the UK's lead.
Internal audit customer satisfaction plummets as these regulator
driven developments gain traction globally - a summary of customer
satisfaction surveys done by 3 major consulting firms and the
Institute of Internal Auditors was reported in the July 2014 IIA
Pulse on the Profession Report referenced earlier. The report
paints a graphic picture of a significant and very recent decline
in board and senior management satisfaction with
traditional/historical direct report internal audit services.
What This Means to the Internal Audit Profession Going Forward
Need to Transition from Direct Report/Spot-in-Time Auditing to
Attestation Reporting on Management Representations on Risk
Framework Effectiveness and Risk Status - the FSB has defined roles
for the board, senior management, and internal audit that call for
a fundamental accountability shift - a shift that requires
management to continuously assess and report upward on risk status,
and internal audit to assess and report opinions to the board
on how well management is discharging its assigned risk governance
responsibilities. This new paradigm requires radical and
fundamental shifts in existing IIA certification curriculum and
training offerings. IIA IPPF professional practice standard 2120
was modified in 2010 specifically to provide support for the shift,
and the Certification in Risk Management Assurance (CRMA) launched
globally. Internal audit departments will need to evolve from the
business of performing traditional spot-in-time direct report
audits and providing subjective opinions on control effectiveness
on a small percentage of the risk universe and, instead, focus
substantially more resources on
providing assurance to boards that senior management is creating
and maintaining effective risk management and reporting
frameworks.
Educate Boards of Directors on Evolving Expectations - these
expectations are likely to evolve at varying speeds and intensity
in different countries. Not all senior
management and board members have been actively following the
evolution of these new expectations, and not all national
regulators have codified risk governance expectations with the
clarity and simplicity of the September 2014 UK Governance Code to
spur the needed transition. It is also important to note that not
all CEOs and CFOs are likely to welcome direct responsibility for
creating and maintaining effective risk appetite frameworks and
providing formal and candid reports on residual/retained risk
status to their boards.
Look for Opportunities to Gain the New Knowledge and Skills
Required - If internal auditors are to accept and assume the type
of responsibilities defined by the FSB earlier in this article,
they must retool their knowledge and skills. Instead of the
traditional internal audit focus on providing subjective opinions
on control effectiveness, internal auditors now need to acquire the
knowledge and skills to assess and report on the reliability of
management's risk appetite frameworks, including management's reports
to the board on retained/residual risk status. This means learning
the type of vocabulary defined by the FSB in its Principles for an
Effective Risk Appetite Framework guidance and the globally
accepted ISO 31000 and ISO Guide 73, and gaining the knowledge and
skills necessary to identify the full range of risks, risk
treatments, and a picture of residual risk status, not the much
narrower assessment of traditional
internal controls internal audit has historically focused on.
More importantly, internal auditors need to continuously assess and
report on whether the current residual risk status related to key
strategic and foundation objectives is currently within the board
and senior management's risk appetite and tolerance.
Closing Remark - Recognize that aversion to change is a human
condition - this short article outlines events and drivers that call
for radical and quantum change in the current internal audit
paradigm. A natural human trait is to resist radical change and
favour smaller and more incremental steps. The dramatic drops in
customer satisfaction statistics described in the IIA July 2014
Pulse on the Profession report have led to the IIA literally
issuing A CALL TO ACTION to internal auditors around the globe.
Addressing rapidly evolving and escalating customer and regulatory
expectations will require that the profession globally make rapid and
radical changes if it is to ensure it remains fully relevant to key
customers in the years to come. There is a well-known adage that
states "necessity is the mother of invention". The need for radical
and rapid change in the traditional internal audit delivery model
is real. It's time the internal audit profession literally reinvent
itself to meet the needs of key customers, particularly boards of
directors. No small task to be sure, but a job that absolutely
needs to be done. Best wishes for success as the profession decides
whether it welcomes, or resists, the dawn of a new era in internal
auditing.
Tim J. Leech, CIA, CCSA, CRSA, FCPA, is Managing Director, Global
Services at Risk Oversight in Canada and is recognized globally as
a thought leader and advisor in the risk and assurance field.
Fraud
BY ROBIN SINGH
Inside the Mind of a Fraudster
For as long as white-collar fraudsters have been a common
occurrence throughout multiple industries, specialists have
wondered aloud whether it is possible to develop a
profile that allows organisations to accurately identify fraudsters
while the fraud is happening, or in some cases beforehand. Of
course, predicting crime before it actually happens is a concept
best left to science fiction novels and movies at the moment, but
what if there were some easily identifiable warning signs of
potential fraudsters?
General Attributes
While any individual could potentially conduct fraudulent actions,
there do seem to be some basic elements that make an individual
more likely to take part in fraud. According to a study by KPMG [1],
the typical fraudster displays the following attributes:
• Is between the ages of 36 and 45. More than 70% of fraudsters
fall into this age group.
• Acts with little regard for the organisations which they work
for.
• Is employed in a position that gives them power over important
organisational processes including executives, finance, operations
and marketing.
• Has been with the organisation for six years, or long enough to
know the internal processes of the company.
• Acts with others in committing fraud. According to KPMG's study,
more than 61% of individuals that committed fraud did so with the
help of at least one other individual.
Identifying potential suspects based on the profile of a
fraudster is not a straightforward task.
Personality
Another compelling fact which the KPMG study brought forward was
that a large percentage of fraudsters were extroverted (33%),
friendly (35%) and highly respected (39%). These personality
traits do not seem to be indicators of someone who is prone to
fraud, but when combined with traits like greed and desire for
personal gain [1], one can then get a clearer picture of the
personality of these individuals.
Studies have proven that these are people who are either
malignant narcissists, or suffer from Narcissistic Personality
Disorder (NPD), which is defined as an enduring pattern of inner
experience and behavior that deviates markedly from the expectation
of the individual's culture, is pervasive and inflexible, has an
onset in adolescence or early adulthood, is stable over time, and
leads to distress or impairment. Because these disorders are
chronic and pervasive, they can lead to serious impairments in
daily life and functioning.
Actually, to really go inside the mind of a fraudster, one needs to
understand the traits of a person suffering from NPD:
• Have an inflated sense of their own importance; believe that he
or she is special and can only be understood by high status people.
• Have a deep need for admiration for themselves; a sense of
superiority.
• Believe that they're superior to others.
• Constantly bending the rules for himself although outwardly
criticising others for similar behavior.
• Have little regard for other people's feelings.
• Be intolerant of anything perceived as less than a perfect
performance.
• Exaggerate their own achievements or talents.
• Expecting others to go along with their ideas and plans.
• Taking advantage of others.
• Trouble keeping healthy relationships.
• Be envious of others and/or believe that others are envious of
him or her.
To add to the above, the Association of Certified Fraud Examiners
(ACFE) mentions in its 2014 report that the financial losses
resulting from fraud committed by Owners/Executives at companies
were at least 3 times larger than the losses resulting from fraud
committed by managers or employees. Similarly, the ACFE study
showed that the longer a fraudster had worked for a company, the
more financial harm he or she caused. This supports the conclusion
that big game players are the ones who are at the top of the
corporate pyramid.
But a good investigator / interviewer would be able to identify
that behind this mask of ultra-confidence lies a person with
fragile self-esteem and vulnerability to the slightest criticism /
comment made against them in a negative manner. Additionally, an
investigator will need to be good at profiling since the majority of
fraudsters would have never been punished and would not have
criminal records!
Try and imagine people like Jeffrey Skilling, Enron Corp.'s
former chief executive, who carried a tremendous pride that he
could do anything under the sun, such as build an idealistic
concept of energy trading, and who explored mark-to-market
accounting, which could show people that they can bill for future
profits right now, and everyone, even the authorities, bought into
that concept. The whole office used to look up to him.
Think of people like Jordan Belfort in The Wolf of Wall Street,
who could sell penny stocks better than Apple, Intel etc. The whole
office admired him. They all had an attractive, role model
personality, etc.
The list can go on and on and includes Ponzi scheme perpetrators
such as Scott Rothstein and Bernard Madoff as well as accounting
fraudsters such as Ramalinga Raju (formerly of Satyam Computer
Services) and so forth.
"There is a strong correlation between the fraudster's level of
authority and the losses resulting from the fraud" - ACFE 2014
Report to the Nations
Behavior
There are certain behaviors which fraudsters exhibit.
These behaviors can serve as tell-tale signs that an individual may
be committing fraud. From my experience, the most common behavioral
red flag displayed by fraudsters is living beyond his or her means.
In the Middle East, the question asked is "Where did you get this
from?" This alludes to how an individual can afford to purchase
something which is clearly above his financial abilities. ACFE's [3]
top 3 behavioral red flags displayed by fraudsters are shown in the
table below:
| Behavioral Red Flags Displayed | Perpetrators |
| --- | --- |
| Living Beyond Means | 43.8% |
| Financial Difficulties | 33% |
| Unusually Close Association with Vendor/Customer | 21.8% |
On another note, experience also shows that individuals that
committed fraud did so with the help of at least one other
individual. What do you think the other person would be like?
Generally the other partner is a submissive one, who would
generally take instructions from the dominant partner. Since the
dominant partner might want to remain in control, they would avoid
choosing a person of equal stature because they would have to
share their loot equally with other partners. If an investigator
cracks the weaker link, the whole case would unravel like a
blossoming sunflower.
Individuals exhibiting the aforementioned behaviors must be
critically examined. Quantitative tools must be especially keen,
and third-party verification like a psychometric test can be a good
component of this analysis.
Drawbacks of Profiling
Even though a large portion of fraudsters meet the previously
mentioned guidelines of a typical fraudster, it can be very
difficult to implement fair policies that target individuals that
fit that profile without causing some unrest within the company.
Naturally, management positions should be afforded some type of
oversight in order to limit the chances of fraud. However, placing
increased oversight on a specific group of individuals can seem
like unfair targeting to employees and can cause issues. In some
cases the improper implementation of fraud mitigation strategies
can open a company up to potential lawsuits. Lawyers and industry
professionals should be consulted before implementing strategies
based on profiles of fraudsters.
Conclusion
While it is definitely possible to create a basic
profile for fraudsters, it is important to remember that this
profile constantly changes as technology adapts and new avenues of
fraud become available. Mitigating the risk of fraud is an
important consideration for any business, and utilising data has
become a large part of the equation for many.
References:
1. Global Profiles of a Fraudster, KPMG International, 2013.
2. Diagnostic and Statistical Manual of Mental Disorders (DSM-5),
American Psychiatric Association, 2013.
3. ACFE's 2014 Report to the Nations on Occupational Fraud and
Abuse.
ROBIN SINGH, MBA, MIT, CFE, CFAP is Senior Ethics / Fraud
Control Officer at Abu Dhabi Health Services Company (SEHA).
BY KETAN BHOOLA
Project Controls: More than just a box ticking exercise
In my previous life as a site architect working on the design and
build of a mega shopping center, I vividly recall a cold winter's
morning, standing on site with the team that included the "finance
guy", as we called him. He was understandably worried because he
had to deliver a difficult message to the project team. The
message? The project had run out of cash. The project manager was
infuriated but all he could do was throw his hands in the air and
walk off the site. Someone in our team said sarcastically, "so much
for our project controls!" What exactly are project controls? What
do they do and why are they so important? In fact,