
International Standards for the Professional Practice of Internal … · 2017-04-19 ·...

INTERNAL AUDITOR MIDDLE EAST
INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL
MARCH 2017 | WWW.INTERNALAUDITOR.ME

INNOVATE OR DETERIORATE
The importance of focusing on the organization’s “Innovation Governance”.
Steps Helping in Recognizing the Added Value
International Standards for the Professional Practice of Internal Auditing: new updates
Internal Audit responsibilities to tackle important business issues and risks.
Page 1: International Standards for the Professional Practice of Internal … · 2017-04-19 · aabunabaa@yahoo.com GUIDE LINES FOR AUTHORS www .int ernalaudit or.me Internal Auditor - Middle


INTERNAL AUDITOR - MIDDLE EAST | MARCH 2017

From The President

Dear Members,

From this edition of the magazine, the Internal Auditor magazine is going DIGITAL ONLY. Let me take this opportunity to apprise you of a few important events which have taken place at the association. We began this year with an event to focus on emerging trends on fraud risks and how organizations are protecting their reputation in the global environment. Growing dependency on IT also makes us vulnerable to cyber threats. With cars, smart TVs and medical devices going hi-tech with internet connectivity – the risks are far larger.

Conformance to the IIA Standards is of significant importance to demonstrate the commitment of the internal audit departments. The UAE IAA offers, as a service, External Quality Assessments to enable organizations to comply with the International Professional Practices Framework (The IPPF).

Lastly, I call upon all Chief Audit Executives and aspiring leaders to step forward and apply for the Qualification in Internal Audit Leadership (QIAL). With 450 professionals in the world having achieved QIAL, this important certification is considered a gold standard for demonstrating your leadership excellence.

I wish you all the best and look forward to seeing you at our 18th Annual Regional Audit Conference in Abu Dhabi from April 19th – 20th. A pre-audit conference workshop is also scheduled on April 18th.

Sincerely,

Abdulqader Obaid Ali
President


FEATURES AND DEPARTMENTS

• COVER STORY: Innovate or Deteriorate... What are the company’s innovation priorities? Where will the company focus its innovation efforts? BY ADIL BUHARIWALLA

• Internal Audit Value: Steps helping in recognizing the value that may be added by the internal audit team. BY AYMAN ABD EL RAHIM

• New Internal Audit Standards: Summary of the updated International Standards for the Professional Practice of Internal Auditing. BY RAJIV THAKUR

• The Audit Environment: What is the ‘audit environment’? Why do we need it? Who is responsible for it? BY LALIT DUA

• Reader Feedback

• UAE-IAA Events

• Fraud Risk: How the organization manages fraud risk. BY DR. KHALED MOUSA

• Conversations with Colleagues: PwC’s Middle East Assurance Clients & Markets Leader shares his views on what it means to be an effective internal audit leader. BY FARAH ARAJ

• Knowledge Update: The Security Intelligence Center - Next Steps: Beyond Response to Anticipation; Executive Perspectives on Top Risks for 2017; Beyond the Checklist - Anti-Money Laundering, Sanctions and Corruption Concerns for the Insurance Sector; Rise of the Drones - Is your enterprise prepared?; Making globalisation work for all - 20th CEO Survey by PwC. BY VISHAL THAKKAR

• Human Resources: What are the skills and qualities needed to be distinguished internal auditors? BY ABDULLA HASSAN ALBARAEI

• IT Audit: What are the common mistakes IT auditors make while auditing the logical access area? BY MUHAMMAD AWAIS NASEEM


UAE INTERNAL AUDITORS ASSOCIATION

PRESIDENT: Abdulqader Obaid Ali, CFE, CRMA, QIAL

GENERAL MANAGER: Samia Al Yousuf

INTERNAL AUDITOR - MIDDLE EAST

EDITOR-IN-CHIEF: Abdulqader Obaid Ali, CFE, CRMA, QIAL

EDITOR: Ghada Abd Elbaky

EDITORIAL ADVISORY COMMITTEE

• Asem Al Naser, CPA, CIA, QIAL
• Farah Araj, CPA, CIA, CFE, QIAL (Lead Member)
• Andrew Cox, MBA, MEC, PFIIA, CIA, CISA, CFE, CGAP, MRMIA
• Raymond Helayel, CPA, CIA
• Meenakshi Razdan, CA, CPA, CIA, CFE
• Hossam Samy, CRMA, CFE, CPA, CGA
• Nagesh Suryanarayana, MBA, CIA, CCSA
• James Tebbs, CA
• Vishal Thakkar, ACA, CIA
• Gautam Gandhi, ACA, CIA, CISA, CFE

ARABIC REVIEW TEAM

• Ayman Abdelrahim, MQM, CIA, CCSA, CFE (Lead Member)
• Khalid M. Alodhaibi, SOCPA
• Qais Hamdan, CISA, CISM, PMP
• Noora Ayoob
• Waleed Sweimeh, CIA
• Saif Kaddourah, MBA

REGISTRATION

Internal Auditor - Middle East magazine is licensed by the National Media Council of the United Arab Emirates (License Number 244).

CONTACT INFORMATION

MARKETING & SOCIAL MEDIA: Alaa Abu Nabaa, MACC, CIA, CRMA, CPA, [email protected]

GUIDELINES FOR AUTHORS: www.internalauditor.me

Internal Auditor - Middle East is published quarterly by the UAE Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor, API Trio Tower, Dubai, United Arab Emirates.

DISCLAIMERS

Internal Auditor - Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party.

The views expressed in Internal Auditor - Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers.

Internal Auditor - Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

[Image: cover of the September 2016 issue of Internal Auditor - Middle East, shown in English and Arabic. Cover story: “Root Cause Analysis for Internal Audit: Getting to the heart of the issue and adding more value to your organization”. Other cover lines: “Comparing the accounting frauds of the past to the current corporate environment”; “Enterprise risk management and organizational maturity”; “A strategic and systematic approach to internal controls”.]

EDITORIAL
Ghada Abd Elbaky
[email protected]
Tel: +971 55 728 5147

ADVERTISING & ADMINISTRATION
Yasmine Abd El Aziz
[email protected]
Tel: +971 55 351 2335

DESIGN
Girish Mehta
Adventure Advertising L.L.C.
gir [email protected]
Tel: +971 4 393 7696

VOLUME: 1

Reader Feedback

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

A Comment on the Article Entitled “Tips on Writing Internal Audit Reports”

I would like to thank my colleague Ravi Takir for the valuable information in his article entitled “Tips on Writing Internal Audit Reports”. Given that there is more than one party interested in the internal audit reports, and in order to get the best results, every entity must be addressed according to the importance of the report for such entity, taking into account the volume of the required details. For example, when serving the report to the Audit Committee, it would be better to pass the report in brief, as much as possible, by making an information brief stating the points of high importance, and then attach the full report to an appendix for those who wanted more. I always advise my colleagues to do a summary on the form of algorithms in one page, so that all the information can be passed to the reader of the report through such summary. Of course, the criteria is not in the number of pages of the report, but in the value added to the enterprise.

I would like to note that it is not necessary that all audit reports take the same form. There is what's called quick gain which fits reporting on the results of a quick audit (not pre-planned) to make sure of something. In this case, I believe that it would be better to write a report starting directly with the Executive Summary, i.e. one paragraph, and then move on to the notes. It would be better to direct praise or compliments to the company because the things should be originally positive, and the exception is represented in the release of the report and most importantly is to avoid the provocative phrases.

Ali Ahmad Abu Maelish
Director of Internal Audit in Umniah Mobile Co. - Jordan

A Comment on the Article of Mr. TORBEN HILBERTZ, CIA, Senior Vice President Internal Audit at Abu Dhabi Airports Company (A Successful Take Off)

I would like to thank the author for this wonderful article that carries an added value to the internal audit profession, and if I may add or comment thereon, I will focus on the angle of cost. I think that the cost of internal audit procedures must be considered within the framework of the value to be added to the organization, as the costs of auditing are high and will not add value to the business if its returns are less than its cost. Audit Manager shall create a cost structure of the internal audit function, including the breakdown of the cost of the proceedings and same shall be a part of the Internal Audit Department. The important question here is: Will the cancellation of high-cost function be better for the organization? To answer this question, I think the Director of Internal Audit shall assess the cost of each audit procedure for each task compared to the cost of each task in order to determine the breakdown of its cost. This information will undoubtedly help in deciding the implementation of certain procedures of the task, resulting in the elimination of some procedures rather than the cancelation of the entire task. So I believe that there shall be an assessment of the cost of each procedure to eventually reach the cost of a task and compare same to the return expected from this task in order to take an appropriate decision either to proceed, cancel or minimize some procedures or search for alternative procedures of lower cost or upskill the auditors to reduce the time and hence the cost, assessing the cost of each procedure for each auditor and compare among them to choose the appropriate auditor of least cost for each procedure.

Saad bin Mohammed Al-Huwaimel
Researches and Studies Center at the Institute of Public Administration in KSA (Saudi Arabia)


Knowledge Update

The Security Intelligence Center - Next Steps: Beyond Response to Anticipation

A recent poll conducted by The Institute of Internal Auditors’ Audit Executive Center provides insight into an emerging trend among organizations as part of their cyber-security strategy, namely the use of Security Operations Centers (SOCs). A purely defensive approach to cyber-security can be costly and ineffective. To gain another perspective on cyber-security, research was carried out to explore how an offensive approach might look and work against a cyber attack. This report provides insight on the topic, lays a groundwork of terminology, frameworks, metrics and tools, and culminates with a view of the current state of SOCs and the use of intelligence tools.

Apart from offering a summary of that research, the report helps cyber-security professionals, Chief Audit Executives (CAEs) and other stakeholders to explore broader issues and to answer the following two questions:

1) How can organizations move beyond merely being reactive and responsive to cyber-security incidents, and instead be proactive and start to identify, anticipate, and actively defend against known and emerging threats?

2) What is the role of CAEs in encouraging and facilitating this shift from a reactive to a proactive stance?

By addressing and answering these questions, organizations can take the important first step in advancing their cyber-security initiatives, irrespective of whether they are first establishing a SOC or advancing further and establishing a fully functioning Security Intelligence Center (SIC).

http://contentz.mkt5790.com/lp/2842/219329/Foundation%20IA%20Cyber%20Research%20Report%20Feb%202017.pdf

Executive Perspectives on Top Risks for 2017

This report contains results from the fifth annual risk survey of directors and executives, conducted to obtain their views on the risks likely to affect their organizations in 2017. The survey provides insights across companies of various sizes and across different industry groups, specifying the key risks expected in 2017 based on the feedback provided by the executives and board members who participated. Some of the risk drivers mentioned by the participants were Brexit, turmoil in the Middle East and the resulting surge in immigration, changes in national political leadership, depressed oil prices, monetary policies and concerns about inflation and inflated asset prices in China, global terrorism, escalating healthcare costs, rapidly developing innovations from the digital technology revolution, expanding regulation and oversight, and a strong US dollar. These and many other significant risk drivers are contributing to the risk-related conversations in boardrooms and executive suites.

Key findings for the year were as follows:

• The overall global business context is perceived to be markedly more risky in 2017
• Concerns about economic conditions top the list of risk issues for 2017, followed closely by regulatory changes and scrutiny
• Cyber-threats, information security and privacy also remain critical issues for organizations to address

Accordingly, the top risks consist of the following:

• Economic conditions in domestic and international markets
• Regulatory change and increased regulatory scrutiny
• Cyber-threats management
• Speed of disruptive innovation
• Privacy and protection of identity
• Increased magnitude and severity of risks expected in 2017
• CEOs and CFOs see a riskier environment

https://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/ecutivePerspectivesonTopRisksfor2017

BY VISHAL THAKKAR


Beyond the Checklist - Anti-Money Laundering, Sanctions and Corruption Concerns for the Insurance Sector

Even though there has been legislative and regulatory focus on anti-money laundering (AML) and combating the financing of terrorism (CFT) across the globe for over a decade, financial institutions still struggle to meet compliance expectations. In this white paper, key risks, mitigating factors and critical considerations for the design, implementation and improvement of an AML/CFT compliance program for insurance companies are explored.

As methods of money laundering (ML) and terrorist financing (TF) become all the more sophisticated in an increasingly interconnected global financial system, expectations from regulators continue to evolve. In order to satisfy their regulatory obligations, financial institutions should go beyond templates and checklists to develop a deeper understanding of the ever-changing risks of their markets, products, customer bases and intermediaries. This paper does not seek to provide a comprehensive view of AML rules for insurance companies around the world, but it does focus on the environment in select countries in three regions, viz. North America, Europe and Asia-Pacific.

Insurers are generally at lower risk of exposure to ML and TF than other types of financial institutions. However, a lack of awareness about existing AML/CFT risks and obligations can increase the insurance industry’s vulnerability to this activity. With increasing fines aimed at institutions and personnel, it is even more crucial for insurers to improve their AML/CFT compliance strategies on a continuous basis.

https://www.protiviti.com/sites/default/files/united_states/insights/beyond-the-checklist-aml-protiviti.pdf

Rise of the Drones - Is your enterprise prepared?

The commercial use of drone technology is becoming increasingly popular in a number of enterprises. The regulatory environment around drone usage has evolved quickly to keep pace with the technologies being used. If management is considering adopting drone technology, many factors must be well thought-out. This white paper specifies some of the prospective uses of drone technology in a commercial environment, including business implications and risk considerations. It addresses critical questions that management must consider before implementing a drone program.

Whether most organizations are prepared to address the requirements posed by regulators, and the financial implications, safety and operational requirements necessary to properly sustain this type of business tool, is a matter to consider. Unless the organization has previous experience managing aviation operations, the answer is most probably a resounding “no.” Rushing to implement drone technology without being properly prepared in the first place can result in a legal and financial disaster. An uncontrolled drone program can potentially cause significant damage to the reputation of the organization concerned.

http://www.isaca.org/Knowledge-Center/Research/Documents/Rise-of-the-Drones_whp_eng_0217.pdf?regnum=361492

Making globalisation work for all - 20th CEO Survey by PwC

• 38% of CEOs are very confident about short-term business growth
• 88% of CEOs promote talent diversity and inclusiveness
• 69% of CEOs say it is harder for business to sustain trust
• 44% of CEOs say globalisation has not helped to close the gap between rich and poor
• 52% of CEOs plan to increase the headcount, but can’t find people with the right skills
• 77% of CEOs are concerned that a shortage of skills could impair their company’s growth

http://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2017/gx.html


UAE-IAA Events March 2017

BY SAMIA AL YOUSUF

Global Trends in Investigations and Enforcement – PwC

UAE Internal Auditors Association, in collaboration with PwC Middle East’s Forensics Services team, hosted a conference on Global Trends in Investigations and Enforcement at the Intercontinental Hotel Dubai on January 25th. PwC’s Global Forensics leaders in attendance shared their experience on international trends in economic crime and discussed the importance of how new technologies can help protect and mitigate risks for businesses.

Ms. Samia Al Yousuf, UAE IAA General Manager, opened the event and welcomed Achraf El Zaim, Forensic Services Partner for PwC Middle East, who discussed the impact of globalization on today’s economy and the latest Middle East statistics reported in PwC’s Global Economic Crime Survey. Abdul Qader Obeid Ali, Chairman of the UAE IAA, followed by outlining the current threats of fraud and corruption facing local businesses.

UAE IAA Holds February Members Meeting

UAE Internal Auditors Association held a members meeting on 27th February 2017 at Novotel Hotel, Dubai. The meeting focused on the role of internal audit in the UAE and how it has come a long way from being looked upon as merely a function that provides assurance on financial matters to one that plays an active role in assisting an organization in implementing good governance practices. In line with the vision of our great leadership, which emphasizes running businesses ethically, the UAE’s organizations have been actively implementing measures to promote good governance, and internal audit plays a key role in helping to achieve the same. “There is a strong focus on innovation and smarter ways to implement these practices,” said Adil Buhariwalla, Managing Partner, MASC International, while addressing members of UAE Internal Auditors Association in Dubai at the members’ meeting.


UAE-IAA promoting internal auditing amongst the youth via HASAAD program’s third batch graduation

UAE Internal Auditors Association, in collaboration with the Higher Colleges of Technology and Protiviti, honored the third batch at a graduation ceremony at HCT, Abu Dhabi. It was attended by Abdulqader Obaid Ali, UAE IAA Chairman; Ahmed Bassiouni, Managing Director at Protiviti - Member Firm for Middle East Region; Ms. Naima Al Menhali, Board Member of UAE IAA and Director of Internal Audit at the Petroleum Institute in Abu Dhabi; and Ahmed Refaat, Assistant Director at Protiviti.

UAE IAA to host “COSO Internal Control” new certificate training for the first time in the region

The program will offer participants the ability to hone their skills in designing, implementing, and conducting an effective internal control system. Once earned, the Certificate attests to the holder’s expertise in applying the 2013 COSO Internal Control–Integrated Framework. Through a blend of self-paced learning, classroom training and an online exam, this program will cover the COSO Internal Control–Integrated Framework from start to finish, using real-world scenarios. UAE IAA will be hosting the COSO Internal Control new certificate training on 14-16 May 2017.

UAE IAA introduced the revised standards through the March members meeting

The UAE IAA hosted the March members meeting on March 12th at Novotel Al Barsha, discussing a very important topic: the amendments in the revised Standards of the IPPF (International Professional Practices Framework). Mr. Rajiv Thakur was the speaker at the meeting.


The Overlooked Areas

Auditing the logical access area may seem intuitive for IT auditors, but its importance can never be overemphasized. With the latest security threats and cyber-security attacks, it is common for a successful cyber-attack to lead to a hacker gaining unauthorized access to critical systems and data, allowing them to alter or compromise the system or data. This article discusses the common mistakes IT auditors make while auditing the logical access (LA) area. Although logical access is important to all system elements (database, operating system, applications, etc.), from here on we focus on application-level access wherever examples are needed.

Access Rights Review

Issue: One of the most common mistakes IT auditors make while auditing the LA area is to rely solely on the periodic access rights review performed by management. In certain cases the review is just a formality: the access rights review document is signed without even reviewing the adequacy of and need for the user rights, as a tick-box activity, perhaps just to meet audit requirements.

Solution: An IT auditor should interview the reviewer of access rights and ascertain how he or she performs this review and on what basis the validity of user rights is assessed or determined. The IT auditor should also test, on a sample basis, the access provided to users to verify that the rights granted are in line with their job descriptions or roles and are therefore appropriate.

Admin Activity Review

Issue: The other important area that IT auditors generally overlook is the review of the activity logs of privileged users and administrators. The focus tends to be on the existence of admin logs for reviewing privileged user activity, which acts as a detective control, while the need for preventive controls to eliminate such occurrences is not emphasized. No doubt you need to trust your own personnel to a certain extent, but the criticality of the administrator role for the continuity of the business warrants such a requirement.

Solution: The IT auditor should interview relevant personnel to determine whether admin activity is being logged and periodically reviewed. Because of the extensive number of logs, manual review is not humanly possible; an effective SIEM or log correlation tool should therefore be implemented and configured to capture critical events, e.g. user creation/deletion, access provisioning and revocation, and unusual activities noted after office hours, for timely detection of such occurrences.
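The rule set described in the Solution above can be prototyped before it is configured in a SIEM. The following is an added example, not part of the original article: the log format, the event names, the 08:00 to 18:00 office hours and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, time

# Event names are assumptions for this example; map them to the names the
# audited application actually writes to its admin log.
CRITICAL_ACTIONS = {
    "USER_CREATE": "user creation",
    "USER_DELETE": "user deletion",
    "ROLE_GRANT": "access provisioning",
    "ROLE_REVOKE": "access revocation",
}
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)  # assumed office hours
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample of a privileged-user activity log (not real data).
SAMPLE_LOG = """\
2017-02-13T09:12:44 admin=sysadm1 action=ROLE_GRANT target=jdoe role=AP_CLERK
2017-02-13T10:03:10 admin=sysadm1 action=CONFIG_VIEW target=-
2017-02-13T22:41:07 admin=dba_ops action=USER_CREATE target=tmp_support01
2017-02-13T22:43:19 admin=dba_ops action=ROLE_GRANT target=tmp_support01 role=GL_SUPERUSER
2017-02-14T02:15:00 admin=dba_ops action=REPORT_EXPORT target=payroll
this line is malformed and must not stop the run
2017-02-14T11:30:02 admin=sysadm2 action=USER_DELETE target=tmp_support01
"""


def parse_line(line):
    """Return an event dict, or None when the line cannot be parsed."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    if "admin" not in fields or "action" not in fields:
        return None
    fields["ts"] = ts
    return fields


def triage(log_text):
    """Flag critical admin events and any admin activity after office hours.

    Returns (findings, rejected_line_numbers). Rejected lines are reported
    rather than dropped, because gaps in an admin log are themselves a
    question for the reviewer.
    """
    findings, rejected = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected.append(lineno)
            continue
        reasons = []
        if event["action"] in CRITICAL_ACTIONS:
            reasons.append(CRITICAL_ACTIONS[event["action"]])
        if not (OFFICE_START <= event["ts"].time() < OFFICE_END):
            reasons.append("after office hours")
        if reasons:
            findings.append({
                "line": lineno,
                "ts": event["ts"],
                "admin": event["admin"],
                "action": event["action"],
                "target": event.get("target", "-"),
                "reasons": reasons,
            })
    return findings, rejected


def priority_findings(findings):
    """Critical changes made after office hours: review these first."""
    return [f for f in findings
            if f["action"] in CRITICAL_ACTIONS
            and "after office hours" in f["reasons"]]


if __name__ == "__main__":
    found, bad_lines = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["admin"], f["action"], f["target"], "; ".join(f["reasons"]))
    print("unparsed lines:", bad_lines)
    print("review first:", [(f["admin"], f["action"]) for f in priority_findings(found)])
```
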

Access Revocation

Issue: While verifying the user access revocation process, IT auditors generally obtain a list of leavers from HR and compare it with the active users on applications using a unique reference, e.g. employee ID, to validate the status of each user (active or inactive). While this procedure provides the status of the user account (active or revoked), it does not provide assurance for the full audit period.

Solution: While the auditor performs the above procedure, there is also a need to ensure the adequacy of the demobilization process by comparing the last working day of each employee (from the HR list) with the last login or disable date (extracted from the application). For instance, if the policy mandates the revocation of employee access to the system on the last day or within 5 days, this test will provide assurance on timely revocation of employee access to eliminate misuse or violation of user access.
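The difference between the status-only comparison and the full-period test described above can be shown on two small extracts. This is an added example, not part of the original article: the column names, status values and all sample records are constructed, and the 5-day limit is the policy example given in the text.

```python
import csv
import io
from datetime import datetime, timedelta

REVOCATION_SLA_DAYS = 5  # policy example from the article: within 5 days

# Constructed HR leavers list for the audit period (not real data).
HR_LEAVERS_CSV = """\
employee_id,last_working_day
E1001,2016-03-31
E1002,2016-06-15
E1003,2016-09-30
E1004,2016-11-10
E1005,2016-12-01
"""

# Constructed application account extract; column names are assumptions.
APP_ACCOUNTS_CSV = """\
employee_id,username,status,last_login,disabled_on
E1001,asmith,DISABLED,2016-03-30,2016-04-02
E1002,bkhan,DISABLED,2016-07-03,2016-07-20
E1003,cjones,ACTIVE,2016-09-29,
E1004,dlee,DISABLED,2016-11-09,
E1005,epatel,DISABLED,2016-12-01,2016-12-06
E2001,fstill,ACTIVE,2016-12-20,
"""


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def point_in_time_exceptions(leavers, accounts):
    """The common test: leavers whose account is still active today."""
    leaver_ids = {row["employee_id"] for row in leavers}
    return sorted(a["employee_id"] for a in accounts
                  if a["employee_id"] in leaver_ids and a["status"] == "ACTIVE")


def full_period_exceptions(leavers, accounts, sla_days=REVOCATION_SLA_DAYS):
    """Compare last working day with disable date and last login.

    Returns tuples (employee_id, username, code, detail).
    """
    last_day = {r["employee_id"]: parse_date(r["last_working_day"]) for r in leavers}
    findings = []
    for acct in accounts:
        lwd = last_day.get(acct["employee_id"])
        if lwd is None:
            continue  # not a leaver in this period
        key = (acct["employee_id"], acct["username"])
        deadline = lwd + timedelta(days=sla_days)
        disabled_on = parse_date(acct["disabled_on"])
        last_login = parse_date(acct["last_login"])
        if acct["status"] == "ACTIVE":
            findings.append(key + ("STILL_ACTIVE", f"revocation was due by {deadline}"))
        elif disabled_on is None:
            # Disabled now, but timeliness cannot be evidenced.
            findings.append(key + ("DISABLE_DATE_MISSING", "no disable date in extract"))
        elif disabled_on > deadline:
            days = (disabled_on - lwd).days
            findings.append(key + ("LATE_REVOCATION", f"{days} days after last working day"))
        if last_login is not None and last_login > lwd:
            findings.append(key + ("LOGIN_AFTER_EXIT", f"last login {last_login}, left {lwd}"))
    return findings


LEAVERS = load(HR_LEAVERS_CSV)
ACCOUNTS = load(APP_ACCOUNTS_CSV)

if __name__ == "__main__":
    print("status-only test:", point_in_time_exceptions(LEAVERS, ACCOUNTS))
    for finding in full_period_exceptions(LEAVERS, ACCOUNTS):
        print(*finding, sep=" | ")
```

On the sample data the status-only test reports one account, while the full-period test also surfaces a revocation that happened 35 days late, a login after the leaver's last working day, and a disabled account with no disable date to evidence timeliness.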

Conclusion

Access management is one of the critical areas of the overall security posture of the organization. Enhanced focus on and robust assessment of this area will enable the IT auditor to provide good insight into the organization's current security posture and reasonable assurance to management and key stakeholders.

IT Audit: Auditing Logical Access

BY MUHAMMAD AWAIS NASEEM, Senior IT Auditor, EY
EDITED BY NAGESH SURYANARAYANA

TO COMMENT on the article, EMAIL the author at [email protected]


Join us Down Under in Sydney, Australia for The IIA’s International Conference, 23–26 July 2017.

With an innovative program customizable to training needs, this premier event provides an engaging journey, rich with insights for internal auditors at every level.

Register today! ic.globaliia.org

• 100+ speakers from around the globe
• 70+ sessions in 10 educational streams
• 2,000+ audit industry practitioners and providers from 100+ countries
• 18+ CPE credit hours with pre-conference sessions

Keynote Speakers:

• Jonathan Calvert, Editor, Author, Insight Investigations Team, The Sunday Times: “Bend It Like FIFA!”
• Dee Madigan, Executive Creative Director, Campaign Edge: “Selling Internal Audit: Is It Really That Hard to Show Our Value?”


Conversations with Colleagues

BY FARAH ARAJ

PwC’s Middle East Assurance Clients & Markets Leader, Adnan Zaidi, shares his views on what it means to be an effective internal audit leader

In an exclusive interview, Internal Auditor - Middle East spoke to Adnan Zaidi, who is a Partner and Board Member at PwC Middle East. Adnan is also PwC Middle East’s Assurance Clients & Markets Leader and is a Trusted Advisor to many of the region’s largest corporations. He began his career almost 25 years ago with Arthur Andersen in London and subsequently moved to Dubai and held several leadership positions with prominent companies. Adnan was the Audit Committee Chairman of the International Cricket Council for the past five years and holds a number of Board positions at not-for-profit organisations. He is one of the region’s pioneers in the field of internal auditing and actively supports the profession at a global and regional level. Adnan is a member of the Executive Committee of the UAE Internal Auditors Association (UAE-IAA) as well as being a member of the Institute of Internal Auditors’ (IIA) Global Professional Development Committee.


In the corporate context, what is your definition of a leader?

While you’re unlikely to find a single definition of what is a leader, I would define a leader as someone who has an inspiring vision for his company and is able to effectively manage and motivate his subordinates to work hard and align themselves with that vision. This requires the leader to have both high levels of integrity as well as emotional intelligence.

How has PwC developed leaders in the Middle East region?

PwC is one of the largest companies in the world. We are a market leader in the Middle East who have been in the region for over 40 years and we employ over 4,000 professionals across 12 countries and work with the region’s largest and most prominent entities. We have used this position of strength to attract and retain the best and brightest individuals in our region. We’ve leveraged our global career progression framework to provide our staff with opportunities for international assignments and experience. We’ve also actively promoted board and executive education through events and through client projects. Also, we’ve invested heavily in training GCC nationals, both clients and staff, to prepare them for future leadership roles. I strongly believe that PwC has made a powerful and sustainable impact on leadership capabilities in the Middle East.

Do you believe there is a correlation between the value that an internal audit function generates and the effectiveness of its leader?

Absolutely and this is not just my opinion. Last year’s PwC State of the Internal Audit Profession study (the “Study”) showed a correlation between strong Internal Audit leadership and the ability of the Internal Audit Department to add value and deliver strong performance. When stakeholders perceived the Chief Audit Executive as an effective leader, in over 90% of the cases they viewed the Internal Audit Department as a value adding and high performing function.

How do stakeholders perceive the value internal audit provides?

The 2017 Study which we just released shows a negative trend in stakeholders’ perceptions of the value provided by Internal Audit. This year only 44% of stakeholders believed their Internal Audit Departments provide them with value compared to 54% in 2016. When we dug a bit deeper we found out that even the Internal Audit Departments which add value are expected to provide even more value each year. This means that an effective Internal Audit leader should not be satisfied with the status quo and should continue to evolve and meet, as well as exceed, stakeholders’ expectations.

Internal Audit leaders who invest in themselves gain the respect of their stakeholders and are a source of inspiration to their team and peers

So what are the characteristics of an effective Internal Audit leader?

While an effective Internal Audit leader has many notable characteristics, my top three characteristics would be:

1) Strategic thinking: This involves looking at the big picture of the organisation and the Internal Audit Function. Like any corporate leader, the Internal Audit leader needs to develop a vision for the Internal Audit Department which is aligned to the company’s strategy and stakeholders’ expectations. This is not done through a Three Year Internal Audit plan - one needs an actual strategy document, with objectives and key measures which feed into the annual and long term Internal audit plans. Without this characteristic, internal audit leaders cannot achieve strategic alignment.

2) Communication skills: Internal Audit leaders need to clearly communicate their ideas to engage stakeholders, to highlight key risks to the business and to manage staff. These leaders use their powerful communication skills to exert influence beyond the Internal Audit function and to enthusiastically promote positive change.

3) Develops talent: This is about more than building your team’s skill but about building the right skills that align to the business and Internal Audit’s vision! This also means leveraging external resources as necessary to meet the organisation’s needs and to facilitate knowledge transfer to your team where required.


Thinking about a couple of effective Internal Audit leaders who possess these characteristics, could you tell us how these leaders attained these characteristics?

The 2017 Study showed that 47% of Internal Audit Departments are not seen by stakeholders as an advisor to the business or that their corporate culture does not support Internal Audit taking a more strategic role. This would indicate that most effective Internal Audit leaders had a challenging journey to become trusted advisors to the business. They have gained experience in good companies, they were mentored by effective leaders and they achieved relevant Internal Audit certifications. However, these healthy circumstances alone would not necessarily result in an effective Internal Audit leader. They have pushed the boundaries of their responsibilities, they’ve stayed up to date with developments in the profession and they’ve continued their professional education through attending relevant conferences and trainings. Most importantly, these Internal Audit leaders have been involved early in the business disruption cycle. Our 2017 Study showed that Internal Audit departments that addressed business disruptions (such as new regulation, changes in business model or strategy, cybersecurity and privacy threats) were perceived to be adding significant value to their organisations.

Is there a role for the Audit Committee in increasing the effectiveness of Chief Audit Executives and their successors?

Most certainly! This role takes place at many levels. From the human resources side, they should require succession plans to be put in place for key positions in the Internal Audit department and provide the department with a sufficient budget to attend trainings and conferences. From the scope side, they should ask the Chief Audit Executive for a more complete picture of the organization’s response to business disruptions. From the quality side, the Audit Committee should actively review the results of the quality assurance and improvement program and demand both internal and external assessments. Finally, the Audit Committee should clearly communicate expectations to the Chief Audit Executive and formally evaluate his performance on an annual basis. All these elements create an environment which helps grow and retain effective Internal Audit leaders.

Do you have any final advice for aspiring or current Internal Audit leaders?

If I had to leave you with one last thought it would be that our stakeholders are continually demanding more from the Internal Audit function and it is imperative for Internal Audit leaders to focus on the big picture and aligning to what is important to the business. Do this by creating a great vision for the Internal Audit department, hire great people and motivate them to work towards that vision! Also, make sure that this vision pushes the boundaries of Internal Audit and focuses on new value add areas such as business disruption. This is the only way the Internal Audit function would be able to provide value-adding services and proactive advice for the business today and become a trusted advisor.


Innovation

INNOVATE OR DETERIORATE

BY ADIL BUHARIWALLA

Innovation is a key to a company’s success. It is one of the essential means that organizations can use to thrive and differentiate their business or products from the competition. To a greater extent in the business world, and to some extent at the individual level, there is a constant push to think of ways to bring about innovation.

Being an Internal Audit professional, I have considered how innovation can be applied in the auditing sphere, and how internal auditors can become effective drivers of business innovation. This led me to further explore the topic. And in keeping with the ethos of my profession, “Progress Through Sharing”, I will provide a summary of what I have learnt, which will give you additional insights on the subject.

Let us start by looking at certain facts about innovation:

• Over 40% of the Fortune 500 companies that were on the 2000 list were not on the 2010 list. One of the reasons attributed to this was the lack of innovation. [1]

• In both the public and private sectors, there are significant obstacles in the path of innovation implementation. [2]

• By 2025, due to continuous innovation, it is estimated that solar power will become the largest source of electricity in the world; there will be no more food shortages and food price fluctuations, as genetically modified crops will be grown rapidly indoors; petroleum-based packaging will be replaced by fully biodegradable cellulose; and quantum teleportation will be tested. [3]

[1] Innovation Excellence: 99 Facts on the Future of Innovation for 2014 - http://innovationexcellence.com/blog/2014/01/01/99-facts-on-the-future-of-innovation/
[2] Brookings: A Dozen Economic Facts About Innovation - https://www.brookings.edu/research/a-dozen-economic-facts-about-innovation/
[3] International Business Times: 10 Innovations Analysts Predict Will Change The World By 2025 - http://www.ibtimes.com/10-innovations-analysts-predict-will-change-world-2025-1614130


[4] Test Your Innovation IQ – Forbes - http://www.forbes.com/sites/work-in-progress/2011/12/06/test-your-innovation-iq/#2f61e6b63364

Moreover, history is witness to a large number of organizations that “stagnated and terminated” because they did not innovate. To name a few:

• Blockbuster, the video rental company, was not able to keep up with changes in the entertainment industry and their effect on consumer behavior, such as the ability to download videos from the Internet and video-on-demand from cable companies. The company eventually filed for bankruptcy in 2010.

• Kodak did not foresee the innovations brought by the digital age, and continued to rely on conventional technology in the production of cameras. In 2012, Kodak filed for bankruptcy.

• Motorola failed to focus on the new trend in the phone industry: the introduction of smartphones that are multifunctional and provide users with online access. The company lost its market share to newcomers like Research in Motion, Apple, LG, and Samsung.

Having obtained some background about innovation, let us now look at defining innovation. But before we do that, let us first test our knowledge about this topic. Answer True or False to the following 10 questions [4]. Then compare your answers with those shown on page 20.

1. Innovation is the act of coming up with new and creative ideas

2. Innovation is a random process

3. Innovation is exclusively for a few naturally talented people

4. The biggest obstacle to innovation is a lack of organizational resources and know-how

5. The most important type of innovation is bringing new products and services to market

6. Teaching employees to think creatively will guarantee innovation

7. The most powerful way to trigger your brain is to simply ask it a question

8. Most companies pursue known rather than radical innovation

9. Most companies are not structured to innovate

10. Listening to your customers is a great way to innovate

As you may have seen, innovation is not quite as simple as many of us think. Innovation takes place when an improvement or a significant contribution is made to an existing product or service. It is about creating new value and/or capturing value in a new way. As such, value is the key driver for any innovation. In the business sense, innovation is an organization’s process for introducing new ideas, workflows, methodologies, services, products and business concepts that enable the achievement of goals across the entire organization and drive the overall growth agenda. To further elaborate on the concept, it is worth noting that there are two types of innovation: the Evolutionary or Incremental type, and the Revolutionary or Disruptive/Radical type.

Evolutionary or Incremental innovation involves enhancing competence to build upon an existing concept (knowledge and resources), often resulting in relatively small changes in performance and usefulness of the existing product or service. It is the more common form of business innovation, which is generally aimed at existing customers, carries a low risk, and is adopted with less resistance. Examples of this are the multi-blade versus the single blade razor, or the smart versus the earlier mobile phones.

Revolutionary or Disruptive/Radical innovation is directed at future customers, and requires delving into new concepts and knowledge. The performance of innovation may initially be poor as compared to existing innovation, may not evoke interest of existing users, and is therefore fraught with risk. Examples include the desktop PC versus the mainframe, or e-learning versus classroom training.

Traditionally, most internal auditors talk about innovation that they have brought about in their daily operations, specifically in the Planning, Fieldwork, Reporting and Audit Administration areas. This, they believe, helps to enhance the quality of the assurance and consulting services that they provide to their internal or external clients. But most of these improvements are of the evolutionary kind.

As an Internal Auditor, how can you use this knowledge to “Enhance and Protect Organizational Value” of your company? Internal Auditors need to explore ways to apply Revolutionary or Disruptive innovations to their operations. This can be done through focusing on the organization’s “Innovation Governance”.

Innovation Governance is the organization’s mechanism to achieve the following:

• Align goals – innovation goals with business growth,
• Allocate resources – build qualified teams, and
• Assign decision-making authority for innovation.

At a more detailed level, Innovation Governance covers an organization’s systems and processes that:

• Define innovation commitments
• Define key responsibilities of the main players
• Establish the set of values for all innovation efforts
• Define innovation expectations
• Define how to measure innovation
• Make decisions on innovation budgets
• Balance and prioritize innovation activities across divisions
• Establish management routines regarding communications and decisions

The following are the areas that Internal Auditors should look at as part of their review of whether an organization has a comprehensive innovation governance system in place:

1. Why is the Company innovating? – Do all stakeholders know the importance of innovation, and share the reasons why the company needs to innovate, and how this relates to the corporate vision and objectives?

2. What are the Company’s innovation priorities? – Where will the company focus its innovation efforts?

3. What level of innovation does the Company want? – Is the Company looking for breakthroughs, and willing to embrace uncertainty, or favoring a more prudent approach through incremental innovation and lower level of funding?

4. How can the Company innovate more effectively? –
   • What process will take most time, and be cost-effective, from new market needs and ideas, to successful market introduction?
   • What organizational effort is required?
   • What tools will be/are used for implementation?
   • What measures will be/are tracked?
   • How is a climate of creativity and discipline being developed?
   • Do they encourage sensible risk-taking?
   • Do they have a compensation system that encourages entrepreneurship and teamwork?
   • Have they created an environment that facilitates networking and communication in all directions?

5. With whom is the Company innovating? – Concept of “open-source innovation” – building on ideas and technologies from third parties.

6. Who will be/is responsible for what, regarding innovation? – Specific innovation management responsibilities at all levels, owners of all key innovation processes.

In conclusion, when Internal Auditors play a role in reviewing innovation governance, they help identify major risks in the process. This helps the organization better understand the challenges associated with the various innovation initiatives it is undertaking, and therefore allows it to grow and ensure its continuity in the market/industry.

Adil Buhariwalla, FCA, CIA, CFE, CRMA, CI31000, CT31000, Managing Partner – MASC International

Answers to the 10 True or False questions:

1. False: In business, innovation is the act of applying knowledge, new or old, to actually creating something different that has value

2. False: Innovation is a discipline that can (and should) be planned, measured, and managed.

3. False: Everyone has the power to innovate by letting their brain wander, explore, connect, and see the world differently

4. False: In most organizations, the biggest obstacle to innovation is what people already know to be true about their customers, markets, and business

5. False: It is important to bring new products and services to market. But the most important form of innovation, and the #1 challenge, is reinventing the way we manage ourselves and our companies

6. False: New ideas are a dime a dozen. The hard part is turning those ideas into new products and services that customers value and are willing to pay for

7. True: The key to innovation is to ask questions that open people to possibilities, new ways of looking at the same data, and new interpretations of the same old thing

8. True: Most companies focus on using internally generated ideas based on known facts to produce slightly better products

9. True: Most organizations are physically set-up with little interactions between functions, except where needed for work. People often withhold information, believing that it puts them in a position of power

10. True and False: The answer is “it depends.” Research shows that customers can be a good source of ideas for improving existing products and services. For new unknown products and services, customer research is not sufficient

[5] Innovation Management.se: What is Innovation Governance? Definition and Scope - http://www.innovationmanagement.se/2013/05/03/what-is-innovation-governance-definition-and-scope/


Internal Audit Management

Searching for Added Value

BY AYMAN ABDELRAHIM

Have you ever found it difficult to answer these questions: What is the added value provided by internal audit? Can you convince senior management that internal audit adds value to the organization you are working for? Is the added value understandable, clear and identified as per the internal audit standards? If you can’t answer these questions, you are certainly one of the many auditors who are not able to reply to senior management or the audit committee when they ask about the added value provided by internal audit.

Ambiguity of the Value Adding Concept

Auditors often use the term “Value Adding”, which is circulated at conferences and workshops held on the internal audit profession. The internal audit definition is influential in the use of this term because it clearly refers to the internal audit. It states: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”. The Value Adding term may sound ambiguous to senior management because they believe that the immeasurable is unachievable. This ambiguity has been exacerbated by the way the term is defined among the terms set out in the internal audit standards. Value Adding means “The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.” This definition is very general and is confined to objective assurance and effective contribution, which are an integral part of the characteristics of the professional internal auditor.

Delivering on the Promise

In November 2015, the international Institute of Internal Auditors (IIA) issued a report among the publications of the Common Body of Knowledge (CBOK) entitled “Delivering on the Promise - Measuring Internal Audit Value and Performance”. The report addresses the concept of value adding, which started with the identification of the internal audit value proposition in 2010, consisting of three key elements as follows:

• Assurance: Providing assurance on the organization’s governance, risk management, and control processes.

• Objectivity: Internal audit is committed to integrity and accountability, through which it provides value to senior management as an objective and independent source of guidance and advice.

• Insight: Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

[Figure: The Internal Audit Value Proposition graphic approved by the IIA, with the labels Internal Auditing, Assurance, Insight and Objectivity.]

The Value-Adding Activities

The outcomes of the “Delivering on the Promise” Report identify the activities that add value to the organization according to CAEs, based on the outcomes of a questionnaire conducted in 2015. The CAEs identified (9) out of the (14) activities included in the questionnaire as adding value to the organization. These activities are:

Key Value-Adding Activities

Assurance Activities:
• Assuring the adequacy and effectiveness of the internal control system.
• Assuring the organization’s risk management processes.
• Assuring regulatory compliance.
• Assuring the organization’s governance processes.

Objective Advice Activities:
• Informing and advising the management.
• Investigating or deterring fraud.
• Informing and advising the audit committee.

Insight Activities:
• Recommending business improvement.
• Identifying emerging risks.

Audit Activities that Bring Most Value (chart values):
• Assuring the adequacy and effectiveness of the internal control system: 86%
• Recommending business improvement: 55%
• Assuring the organization’s risk management processes: 53%
• Assuring regulatory compliance: 50%
• Informing and advising the management: 40%
• Identifying emerging risks: 37%
• Assuring the organization’s governance processes: 37%
• Investigating or deterring fraud: 29%
• Informing and advising the audit committee: 28%

Outcomes Indicating a Shift in the Internal Audit Profession

It is worth mentioning that the outcomes of the questionnaire set out in the “Delivering on the Promise” Report indicate that the “Recommending business improvement” activity ranked second in terms of value adding after the “Assuring the adequacy and effectiveness of the internal control system” activity.

This is an indication that internal audit has gone beyond providing assurance in many organizations.

Moreover, one third of the answers were that the activity of “Identifying emerging risks” adds value to the organization, suggesting that internal audit plays a role in determining the emerging risks. This is contrary to the accepted view that identifying internal risks is not an audit responsibility, as they are the responsibility of the management. However, the activity of “Informing and advising the audit committee” came in last among the value-adding activities.

The summary of the “Delivering on the Promise” Report addresses the realization that the added value, from the perspective of the stakeholders, is different from that from the perspective of internal audit. There must be a consensus between the two parties and a determination of the method of measurement in order to measure internal audit efficiency in the organization. In addition, there are some steps that must be followed when determining the value that internal audit can add, as well as the need to align the same with performance. The steps to be followed are as follows:

1. Learning the stakeholders’ expectations through holding meetings and interviews with them to know what the added value means to them.

2. Surveying and identifying stakeholders’ expectations and presenting the same to such stakeholders for confirmation and approval.

3. Developing performance indicators in line with expectations to achieve them. For example, setting a performance index for each item of the agreed upon added value.

4. Conducting periodic monitoring of the achievement of performance indicators and identifying the causes of any obstacles to the achievement of indicators.

5. Reporting to the stakeholders on the extent of fulfilling the performance indicators.

6. Repeating the previous steps periodically and at least annually.

Planning for Value Adding

Value adding is not limited to providing assurance only, as pointed out in the “Delivering on the Promise” Report. Rather, it seems that internal audit is in need of developing a new method for the preparation of the internal audit plan. Such a method must be better than the current one, which depends on a risk based audit plan, in order to focus on the activities that bring most value to the organization. Moreover, it is difficult to participate in identifying emerging risks and recommending business improvement through traditional audit. This must be taken into consideration when rethinking the method of developing the internal audit plan. Having an insightful vision is also required of the auditor for the sustainability and continuity of the business of the organization he/she is working for.

Summary

Finally, the concept of value adding is still not clear enough to facilitate the realization of the role of internal audit for the stakeholders, and to put an end to the growing responsibilities that fall on the shoulders of internal audit, which is expected to do a lot of things that go beyond providing assurance on the grounds that they are part of the value adding that must be provided.

Ayman Abdelrahim, MQM, CIA, CCSA, CFE.


Internal Audit Quality

New Internal Audit Standards

BY RAJIV THAKUR

The International Standards for the Professional Practice of Internal Auditing (Standards) have been revised effective from January 01, 2017. This is a summary of the main changes.

The International Professional Practice Framework (IPPF), last revised in 2015, introduced a new Mission of Internal Audit, and its Mandatory Guidance section introduced 10 Core Principles for the Professional Practice of Internal Auditing. Further, the roles and responsibilities of the CAEs are ever changing considering the business requirements, and the CAEs are also entrusted with many other responsibilities beyond internal auditing such as compliance, risk management, etc.

These Standards were amended after considering the revision to the IPPF and the additional roles and responsibilities of the CAEs, so that independence is not compromised and the Internal Audit Department adds value to the entity.

Revisions to the Standards have occurred under many headings. These are broadly covered in the following two categories:

Amendments to Attribute Standards:

The amendments to this section and their possible effects are covered below:

1000 - Purpose, Authority and Responsibility: The purpose, authority and responsibility of the Internal Audit Department must be defined in the Internal Audit Charter and be consistent with the Mission of Internal Audit and the mandatory elements of the IPPF consisting of Core Principles as introduced in the revised IPPF. Thus, the Internal Audit Charter must be revised to incorporate the Mission of Internal Audit and the Core Principles.

1110.A1: Organizational Independence – Generally, the Internal Audit Department must be free from any interference in determining the scope of internal auditing, performing work and communicating results. Where an interference exists, the CAE is empowered to disclose such interferences to the board and discuss its implications.

1112 – CAE Roles Beyond Internal Auditing: This newly added standard emphasizes the need to have appropriate safeguards in place when the CAE’s responsibilities extend beyond Internal Auditing. These safeguards are necessitated to limit impairments to independence or objectivity. The external assessors will have to ensure that Audit Committee Members are monitoring the independence of the CAE and obtaining assurance (from functions other than Internal Audit) on the areas of responsibilities beyond internal audit.

Interpretation: This new interpretation states that where the CAE is requested to take on additional roles and responsibilities beyond internal auditing, such as compliance, risk management, etc., and assuming such roles and responsibilities might impair the independence of the internal audit activity or the objectivity of the internal auditor, safeguards should be in place to limit such impairments. The Board will have the additional responsibility of having appropriate safeguards in place by undertaking oversight activities that would address such potential impairments due to additional roles sought by the CAEs. The Board can further conduct periodic evaluation of reporting lines and responsibilities and develop alternative processes for obtaining assurance pertaining to the areas of such additional responsibilities.

1130.A3: This is a new sub-standard under Standard 1130 (Impairment to Independence and Objectivity). It states that the internal audit department can conduct an assurance service on a previously provided consulting engagement. This is possible provided that the consulting service provided earlier did not impair objectivity and that individual objectivity is duly managed when assigning resources to this engagement. Thus, the CAE has to ensure that objectivity is not compromised under such circumstances.

1210 – Proficiency: The Interpretation here is amended by rewording “Professional Proficiency” to “Proficiency”. The definition here is enriched by including consideration of current activities, trends and emerging issues for providing relevant advice and recommendations, apart from the existing competencies needed to remain proficient.

1300 – Quality Assurance and Improvement Program: The Interpretation is amended to state that a quality assurance and improvement program should be designed to enable an evaluation of whether the Internal Audit Department conforms with the Standards only and whether internal auditors apply the Code of Ethics. A further responsibility is placed on the CAE: encouraging the Board’s oversight of this quality assurance and improvement program.

1312 – External Assessments: The Interpretation is amended to state that a full external assessment or a self-assessment with independent external validation are the modes of accomplishing external assessments. The external assessor is made responsible for concluding the external assessment by stating whether the internal audit department has or has not conformed with the Code of Ethics and Standards and, to support that, the external assessor’s reports can include operational or strategic comments. The CAE is entrusted with the responsibility of encouraging the board’s oversight of the external assessment, thereby reducing the possibility of perceived or potential conflicts of interest.

1320 – Reporting on the Quality Assurance and Improvement Program: The CAE is entrusted with the responsibility of making specific disclosures when reporting on the quality assurance and improvement program. These are:

• Scope and frequency of internal and external assessments,

• Qualifications and independence of assessor(s) and assessment team, including potential conflict of interest

• Assessor’s Conclusions• Corrective Action Plans

Amendments to Performance Standards:

The amendments to this section and their possible effects are covered below:

2000 – Managing the Internal Audit Activity: The CAE is responsible for effectively managing the Internal Audit Department by always considering the trends and other emerging issues impacting its organization thereby adding value to the organization and its stakeholders. The Internal Audit Department adds value to the organization and its stakeholders when it considers Company’s strategies, objectives, risks and strives to offer ways to enhance governance, risk management and control processes and objectively provide relevant assurance.

2010 – Planning: The Interpretation is partially amended, thereby placing responsibility on the CAE to consult with senior management and the board rather than to use his / her own judgement in understanding the organization’s strategies, key business objectives, associated risks and risk management process to develop a risk based plan. The CAE’s role as a Consultant is required only when no risk management framework exists within the entity.

2050 – Coordination and Reliance: The word “Reliance” is added to the Standard title. The CAE is entrusted with the responsibility of sharing information, coordinating activities and considering relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts. The Interpretation is a new addition.


It mentions that where engagement activities require coordination from other assurance and consulting service providers, the CAE can do so, provided a consistent approach for reliance is followed and the competencies, objectivity and due professional care of these service providers are considered. The CAE is expected to have clear understanding of the scope, objectives and results of work performed by such providers. The CAE still remains accountable and responsible even if the reliance is placed on work of others for ensuring adequate support for conclusions and opinions reached by the internal audit activity.

2060 – Reporting to Senior Management and the Board: The CAE is assigned with additional responsibilities on periodically reporting to the Senior Management and Board on the Internal Audit Department’s conformance with the Code of Ethics and the Standards in addition to the department’s purpose, authority, responsibility and performance relative to its plan. The Interpretation is amended and states that the frequency of the reporting to the Senior Management and the Board is determined in collaboration and not just mere discussion by the Senior Management, Board and the CAE. Thus, the CAE is empowered to collaborate with Senior Management and Board for deciding the frequency and content of the reporting. The CAE is entrusted with the responsibility of reporting and communication to Senior Management and the Board which must include information about:

• The audit charter,

• Independence of the internal audit activity,

• The audit plan and progress against the plan,

• Resource requirements,

• Results of audit activities,

• Conformance with the Code of Ethics and the Standards and action plans to address any significant conformance issues,

• Management’s response to risk that, in the CAE’s judgment, may be unacceptable to the organization.

2100 – Nature of Work: The Internal Audit Department is entrusted with the responsibility of evaluating and contributing to the improvement of the organization’s governance, risk management and control processes using a systematic, disciplined and risk based approach. The value and credibility of the department are enhanced when the team is proactive and its evaluation offers better insight and forecasts future impact. Thus, the Internal Audit Department is made more responsible for providing value adding insights to the entity and improving the organization’s governance, risk management and control processes.

2110 – Governance: The Internal Audit Department is entrusted with additional responsibilities for improving the organization’s governance process by assessing and making appropriate recommendations on the strategic and operational decisions and overseeing the risk management and controls.

2200 – Engagement Planning: The standard is revised to include that the internal auditors have to be well aware of the organization’s strategies, objectives and relevant risks and must consider the same while planning any engagement.

2201 – Planning Considerations: In planning an engagement, internal auditors must consider the organization’s strategies and significant risks to the objectives of the activity under review.

2210.A3 – This is a sub-standard under Standard 2210 (Engagement Objectives) and the amendment is that where criteria to evaluate governance, risk management and controls are inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and the board instead of working with the management and / or board in developing appropriate evaluation criteria as per previous standards. Thus, internal auditors are supposed to use their consulting skills and identify appropriate evaluation criteria by due discussion with management and / or the board rather than working with management / board to develop suitable criteria. A new Interpretation is added stating there are three types of criteria, being 1) Internal, 2) External and 3) Leading Practices.

2410 – Criteria for Communicating: The amended standard states that communication must include the engagement’s objectives, scope and results.

2410.A1: The amendment is that the final communication of engagement results should mandatorily include applicable conclusions, applicable recommendations and / or action plans. The internal auditor’s opinion should be provided only where appropriate. Previously, the internal auditor’s opinion and / or conclusions were to be provided only where appropriate. Further, only the opinion (and not the conclusion as in previous standards) must take account of the expectations of senior management, the board and other stakeholders.

2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”: The internal auditors can indicate that engagements are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing if the results of the quality assurance and improvement program support this. Thus, the emphasis is on indication rather than on reporting on the conformance.

2450 – Overall Opinions: The internal auditors have an added responsibility of taking into consideration the organization’s strategies, objectives and also risks when framing an overall opinion. Further, the Interpretation states that a summary of relevant information supporting such opinion must be included in addition to the earlier requirements.

¹ https://na.theiia.org/news/press-releases/Pages/Proposed-Internal-Audit-Standards-Changes-Unveiled.aspx

RAJIV THAKUR, CA, CIA, is an internal audit team leader at a leading automotive company in Abu Dhabi.

“The demands on internal audit are evolving rapidly, and The IIA is working diligently to make sure the Standards and IPPF reflect that evolution” – IIA President and CEO Richard Chambers¹


Internal Control

The Audit Environment

BY LALIT DUA, EDITED BY ANDREW COX

Audit environment… What is it? Never heard of it? Why do we need it? Who is responsible for it?

What is the ‘audit environment’?

Internal Audit reports to the Audit Committee and has independent status to make objective, unbiased evaluation and judgement about systems, controls and risks relating to business operations. The Internal Audit Charter gives Internal Audit a mandate to access information, records and people. Yet the Internal Audit Department often struggles to gain acceptance and prove its value to stakeholders in their organisation.

A definition of ‘audit environment’ could be:

“An organisation environment where Internal Audit aligns its activities with business activities and risks. Internal Audit services focus on strategic and operational issues important to the business, with a collaborative partnership formed between Internal Audit and management. Action plans emanating from audits are facilitated by Internal Audit, but agreed, owned and implemented by management.”

For many years, Internal Audit professionals have been focusing on the ‘control environment’, which is the foundation on which an effective system of internal control is built within an organisation. It is designed to ensure:

• Objectives are achieved.

• Decisions are properly authorised.

• Reliability and integrity of information.

• Assets are safeguarded.

• There is compliance with laws, regulations, policies and contracts.

• Efficiency, effectiveness, economy and ethics of business activities is promoted.

• Opportunities for fraud and corruption are minimised.

Stakeholders contribute to make this foundation strong and effective.

The role of Internal Audit is well-defined, with the ‘International Professional Practices Framework’ (IPPF) issued by the Institute of Internal Auditors stating Internal Audit’s mission as:

“To enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.”

In this context, Internal Audit has a duty to work with management to improve the organisation’s risk management, control and governance processes.

What is Internal Audit’s role?

The role of Internal Audit is usually defined in the Internal Audit Charter approved by the Audit Committee. The charter may also include organisation expectations about Internal Audit and its value-add. The charter should be circulated to key management so they understand Internal Audit’s obligations, but also their obligations.

The standing of Internal Audit in an organisation can be raised by the Chief Audit Executive becoming a trusted adviser to management. It is up to the Chief Audit Executive to effectively communicate with management, develop a stakeholder relationship strategy, and implement actions designed to develop a partnership relationship with management that together improves the business.

Is it important to have a control environment?

The existence and robustness of a ‘control environment’ has been emphasised for many years, has been discussed by Audit Committees and management, and in some jurisdictions is required by law.

In conjunction with the ‘control environment’, an ‘audit environment’ can be developed and implemented in collaboration between the Chief Audit Executive and management. The Chief Audit Executive should ideally be seen as a business partner. The Audit Committee can assist Internal Audit’s contribution to the organisation by making the ‘audit environment’ complementary to the ‘control environment’. A spin-off is likely to be greater acceptance of Internal Audit by the people who are audited.

Who is responsible for that?

The Chief Audit Executive is often considered to have many roles, such as an appraiser, consultant, facilitator, business partner, etc. It is therefore incumbent on the Chief Audit Executive to have deep knowledge of the organisation and its business activities through review of strategic and business plans, risk assessments, and other relevant information.

Ultimately, the Chief Audit Executive needs to drive the ‘audit environment’ and provide continuous review of the effectiveness of governance, risk management and control processes by:

• Providing independent, unbiased assessment of an organisation’s operations.

• Offering information to management on the effectiveness of governance, risk management and control processes.

• Acting as a catalyst for improvements in governance, risk management and control processes.

• Advising management what it needs to know, when it needs to know it.

To be successful, the Chief Audit Executive needs to have deep knowledge of the organisation and its business activities.

Conclusion

The Chief Audit Executive needs to develop a relationship with the Audit Committee and management through compelling analysis and data that provides clarity and encourages management to make timely remedial actions.

As a ‘governance guardian’, the Audit Committee will be more confident of the ‘audit environment’ being effective if Internal Audit steps up and collaboratively tackles important business issues and risks.

That is where the real value of Internal Audit can be found and where organisation value can be enhanced.

Internal Audit needs to step up and collaboratively tackle important business issues and risks.

Lalit Dua, Vice President Internal Audit in Health care group Dubai


An ‘audit environment’ would see Internal Audit services focus on strategic and operational issues important to the business, with a collaborative partnership formed between Internal Audit and management.


Fraud Risk

The Risk of Fraud and the Role of Internal Audit

BY KHALID MOUSA

Fraud is one of the challenges that face different organizations and sectors. It hinders performance, wastes money and scarce resources, and inflicts damage on the organization, its reputation and its competitiveness. This damage is not restricted to financial losses; it may take other forms as well. It could be a loss in the organization’s performance, its reputation and credibility, and the trust of its investors, which renders the organization exposed to many risks. The different stakeholders expect that the management of the organization would manage this risk by developing programs to combat the risk of fraud.

Companies nowadays face the risk of fraud more than at any time before as a result of economic instability, the increasing reliance on information technology and transactional complexity, leading to the existence of pressures, opportunities and justifications for fraud. These three elements constitute the basis of the risk of fraud.

[Figure: the three elements of Fraud Risk: Pressures/incentives, Opportunities, Attitudes & justifications]

The updated Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in May 2013 placed emphasis on some points that might be of help to the management in the effective design and implementation of internal control, such as fraud risk considerations, which must be evaluated by the internal audit as a part of the internal control.

There is increased recognition by the authorities, boards of directors, audit committees and stakeholders of the effective role of internal audit in drawing the attention of the stakeholders to the risk of fraud. Therefore, internal auditors are now required to help organizations in reducing the risk of fraud through the examination and evaluation of the control methods, the role of the organization in the management of the risk of fraud and how effective and sufficient they are. The findings of the ACFE report of 2016 pointed out that the internal audit departments in organizations have played an important role in the detection of embezzlement, misuse of assets and corruption. The cases of fraud detected by internal auditors represent 16.5% vs. 3.8% detected by external auditors for the total cases detected in 2016.

The International Standards for the Professional Practice of Internal Auditing have developed the role of internal audit in organizations through the provision of evidence that the organization’s management deals efficiently and effectively with fraud risk, and an evaluation of the management’s responses to fraud risk within the levels acceptable to and approved by the Boards of Directors. The Performance Standards provide for the role of internal audit in the evaluation of the management of fraud risk in Standard No. 2120.A2, “The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.”

The Standards also clarified the role of the chief audit executive to report to the senior management about the fraud risk in Standard No. 2060, “The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and/or the board.”

Furthermore, the Standards included the attributes necessary for internal auditors through the Attribute Standard No. 1210.A2 which reads “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”


Another KPMG study specified the control methods in every stage of fraud risk management, whose effectiveness in the organization the internal auditors must ensure:

[Table: Board/audit committee oversight; Executive and line management functions; Internal audit, compliance, and monitoring functions]

Prevention:

• Code of conduct and related standards

• Employee and third-party due diligence

• Communication and training

• Process-specific fraud risk controls

• Proactive forensic data analysis

Detection:

• Hotlines and whistle-blower

• Auditing and monitoring

• Retrospective forensic data analysis

Response:

• Internal investigation protocols

• Enforcement and accountability protocols

• Disclosure protocols

• Remedial action protocols

The Deloitte study showed the overall structure of fraud risk management in the following graph:

[Graph: Diagnose vulnerability to fraud; Detect gaps in anti-fraud controls; Recommend Mitigating Antifraud Controls; Continuous or Periodic Monitoring; Develop Fraud Response Plan; Investigate cases of alleged fraud]

• Evaluate the current status and effectiveness of the organization’s anti-fraud control environment - this involves assessing the culture, attitude, and awareness amongst employees about their knowledge of and response to any issues of fraud or misconduct

• Evaluate management’s existing fraud risk management framework to detect potential gaps of antifraud controls in the processes

• Establish fraud risk profiles by analysis and ranking of fraud risks (as high/ medium/ low) against existing anti-fraud controls

• Recommend enhancement of existing controls or mitigating antifraud controls for implementation, based on ‘antifraud control’ gaps detected

• Enable continuous monitoring of controls using technology; and/or

• Perform forensic data analytics of transactions periodically at the process level to alert Management of fraud signals

• Develop a fraud response plan to address cases of alleged or confirmed fraud

• Investigate cases of alleged or confirmed fraud

• Assist in the investigation of cases of alleged or confirmed fraud within the organization

• Incorporate identified fraud risks and schemes into fraud risk management framework based on findings from investigation

Tools:

• Employees’ Ethics Survey (DIAGNOSE)

• Fraud Risk Management Tool (DETECT)

• Recommend mitigating anti-fraud Controls (RESPOND)

• Forensic data analytics (DETECT)

• Develop Fraud Response Plan (RESPOND)

• Investigate cases of alleged fraud (RESPOND)

From this point, the role of internal audit is reviewed in each stage of the fraud risk management as follows:

A. Reduction of the Occurrence of Fraud:

Reduction of the occurrence of fraud consists of internal control methods designed to reduce the occurrence of fraud risk and misconduct. Despite the efforts of organizations to reduce fraud, there is an inescapable reality, which is the occurrence of fraud, due to the fraud and misconduct committed at different levels of the organization. Therefore, it is necessary to have proper preventive and detective methods.

The Professional Practices issued by the Institute of Internal Auditors explained the role of internal auditors in helping organizations to reduce the fraud risk through the examination and evaluation of the sufficiency and effectiveness of the Internal Audit Systems in organizations, along with their potential exposures to violations, transgression and non-compliance inside the organization. Thus, internal auditors must take the following factors into consideration:

• Control Environment: Evaluation of the aspects of the control environment, conduct of auditing procedures for proactive fraud plans, conduct of necessary investigations, reporting on the audit of fraud cases, and provision of necessary support for corrective actions. In some cases, internal auditors may have hotlines to report any cases or suspicions of fraud.

• Fraud Risk Evaluation: Evaluation of fraud risk management, in particular the management’s actions to identify, evaluate and test potential fraud plans and misconduct, including those involving suppliers and other parties.

• Control Activities: Evaluation of the effectiveness of the design and performance of the fraud-related control methods, ensuring that the audit plans and programs specify the residual risks under the integration of fraud auditing procedures with auditing the possible variations of laws, rules and regulations and their effect on the control methods.

• Information and Communication: Evaluation of the effectiveness of the communication system operation, with the provision of the necessary support to fraud-related training initiatives.

• Follow-Up Activities: Evaluation of the control over software, conduct of investigations, support to the Audit Committee in supervising the fraud-related issues, support to the development of the identification of fraud indicators, employment and training of employees to enable them to conduct auditing of fraud and investigations with adequate expertise.


B. Detection of Fraud

Detection of fraud is represented in the internal control methods designed to detect fraud and misconduct when they occur. The existence of sufficient and appropriate detective control methods is one of the strongest deterrents of fraudulent conduct. They are used along with preventive control methods to enhance the effectiveness of the fraud risk management program through the provision of evidence that the preventive control methods are working as planned in the detection of fraud that may occur. Although the detective controls may provide evidence that fraud is occurring, or has already occurred, they are not designed to prevent fraud.

Internal control methods are designed to provide evidence and warnings that fraud is occurring or has already occurred. Effective internal control methods are one of the strongest ways to reduce or prevent fraudulent conduct or procedures. The simultaneous use of detective and preventive internal control methods supports the fraud risk management program. Although detective controls may provide evidence for the occurrence of fraud, they do not aim, or are unable, to prevent fraud.

The auditors auditing cases of fraud must be aware of the basic requirements of the detection of fraud. These basic requirements are:

1. Specification of the fraud risk in the organization through the examination of the control and operational environment to determine the categories and methods of fraud;

2. Evaluation of fraud risk;

3. Examination of risks and their occurrence from the perspective of the perpetrator of fraud in order to determine what the control methods are and the manipulation methods that cause the occurrence of fraud;

4. Full understanding of fraud indicators and the data that may include these indicators; and

5. Readiness for the occurrence of any fraud cases as a result of the indicators, as well as knowledge of how to search for these indicators in the data.

When these requirements are fulfilled, it is easy to deter perpetrators, to investigate and report the detected cases, and to develop control methods to detect the repetition of such cases.

The role of internal audit in the detection of fraud through the stages of the fraud risk management is as follows:

1. Taking into consideration the fraud risk when evaluating the control methods and the determination of the necessary audit procedures. Whereas internal auditors are not expected to detect fraud and violations, they are expected to give reasonable confirmation that the objectives of the business environment of the operations have been achieved.

2. Providing adequate knowledge about fraud cases to determine fraud indicators. This knowledge includes awareness of fraud properties and factors and the techniques used in the commission of fraud.

3. Being ready for any opportunity that may allow the commission of fraud, such as any weakness in the control methods. If a major deficiency in the control methods has been detected, additional tests must be conducted by internal auditors to specify fraud indicators.

4. Evaluating fraud indicators and taking any other necessary procedures or conducting investigations if needed.

5. Whistle-blowing and reporting to the competent authorities inside the organization if a fraud case is detected to recommend the conduct of an investigation.

C. Response and Investigation:

Response and investigation are represented in the internal control designed to take a remedial and corrective action for the damages resulting from the occurrence of fraud and misconduct.

The role of internal audit must be determined in the investigation process in the internal audit regulations as well as in the fraud-related policies and procedures. This includes collecting sufficient information on specific details and carrying out these necessary procedures to determine whether fraud is committed, who was involved and how it happened. One of the most important outputs of the investigations is the exclusion of innocent people from the circle of doubt or suspicion. Investigation starts with planning and ends with the issuance of a report on the findings of the investigation.

1. Investigation Planning

A plan for each investigation process is set according to the procedures of the organization. The team leader in charge in the internal audit department determines the skills, competencies and knowledge required for conducting the investigation procedures through the identification of suitable individuals for carrying out the investigation.

Moreover, an assertion must be obtained that there is no potential conflict of interests with those who will be investigated or any employee in the organization.

When preparing the plan of the investigation activities, the team leader must take the following into consideration:

• Collect evidence through surveillance, interviews and any documents;

• Document and preserve evidence without violation to any legal rules in obtaining such evidence;

• Determine the scope and extent to which the organization’s operations are affected by the fraud;

• Specify the methods used in the fraud;

• Evaluate the reasons of the fraud; and

• Identify the perpetrators of fraud.

2. Reporting on Investigations

The form of the report, whether oral or written, whether provisional or final, and whether submitted to the Senior Management or to the Board of Directors, differs according to the investigation findings. A formal written report may be issued at the end of the investigation stages, including the reasons for conducting the investigation, the time frame for the investigation, and the notes, conclusions and recommendations necessary to correct and enhance the control methods. The reporting may be required to be written in a way that secures confidentiality of individuals. The requirements of the Board of Directors and executive management must also be taken into account, with compliance with the legal requirements and the policies and procedures of the organization.

Internal auditors may participate in the following processes as consultants through this stage as long as the effect of these activities on the independence of the internal audit is identified and appropriately dealt with, which may include all or some of the following:

• Providing a document indicating the end of the investigation for the suspects who were acquitted;

• Punishing employees according to the company standards, labor laws or employment contracts;

• Requesting voluntary financial compensations from the employee, client or supplier;

• Terminating the contracts of the suppliers involved in the fraud; and

• Reporting the fraud cases to the legal and regulatory authorities and cooperating in the investigations that would be conducted by those authorities.

Fraud Risk


For more information, please use the following references:


This shows the supervisory role of internal audit where it is not responsible for conducting the investigations: monitoring the progress of the investigations to help ensure that the organization follows the relevant policies, procedures, and applicable laws and legislation; identifying misappropriated assets or assets related to the investigation; supporting the organization in its legal, insurance and other procedures by evaluating and controlling the organization’s practices and plans for reporting on investigations, whether internal or external; and monitoring the implementation of improvements in the control methods to ensure their efficiency and effectiveness. The role of internal audit can be summed up as evaluating how sufficient fraud risk management is in the organization by asking the following questions:

1. Do the Board of Directors and the Audit Committee have clear responsibilities regarding the fraud risk management?

2. Does the organization have a clear anti-fraud strategy, for example a policy that coordinates the ongoing activities to reduce and detect fraud?

3. Does the organization conduct a thorough examination of the backgrounds of new potential employees? Are investigations and inspections of the employees who are promoted to higher positions conducted?

4. Is there a process for the documentation of registration, tracking and response to all the allegations or suspicions of a crime (for example reporting violations and fraud hotline)?

5. Is there a regular evaluation of the orientations, incentives, pressures and opportunities to commit the crime across the organization?

6. Does the organization have categorization for the potential fraud and its effect on the organization through an evaluation of all the types of fraud risk including bribery and money laundering?

7. Does the organization evaluate whether the risks are reduced through the existing internal control methods and evaluate the design and effectiveness of such methods (for example, powers, credit, separation of duties, etc.)?

8. Are there effective channels to enhance the flow of information with quality whether top down or vice versa across the organization?

9. Are training and awareness of cases of fraud and corruption for all employees provided? Is the training regularly held and promoted in the organization?

10. Are there sufficient, regular and ongoing procedures to ensure that the Senior Management took into consideration how effective the control environment and risk assessment are and how much modification or update the control methods that reduce fraud risk may need?

• Association of Certified Fraud Examiners, “Report to the Nation on Occupational Fraud and Abuse”, Global Fraud Study, ACFE, 2016.

• Coderre, D, “Internal Audit Efficiency through Automation”, The Institute of Internal Auditors (IIA), John Wiley & Sons, Inc, 2009.

• Deloitte LLP, “Fraud Risk Management – providing insight into fraud preventive, detection and response”, Deloitte Touche Tohmatsu Private Limited, 2013.

• HM Treasury, “Fraud and the Government Internal Auditor”, Crown copyright, London, January, 2012.

• KPMG, “Fraud Risk Management Developing a strategy for prevention, detection, and response”, KPMG forensic, KPMG LLP, 2013.

• PricewaterhouseCoopers LLP, “Fraud in a Downturn: A review of how fraud and other integrity risks will affect business in 2009”, a limited liability partnership in the United Kingdom, 2009.

• The Institute of Internal Auditors (IIA), “Auditor’s Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection”, Practice Advisory 1210.A2-1, The International Professional Practices Framework (IPPF), April, 2006.

• The Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA) and Association of Certified Fraud Examiners (ACFE), “Managing the Business Risk of Fraud: A Practical Guide”, The IIA, AICPA, and ACFE, 2008.

Dr. Khaled Mohamed Abdalla Mousa, Ph D, CFE


In 1999, a colleague of mine and I met with a strategic expert in a friendly meeting. It was our first year on the job as internal auditors after our graduation from the higher technology faculties (fresh graduates). During our conversation, he surprised us by saying that he had a short test on internal audit for my friend and me. He also told us that he had a goal in mind behind the test and that he would tell us about it after we had taken the test and he had the results. Some of the questions in that test were about the theories of internal audit and working methods, while others were about the qualities and skills of the internal audit. We submitted the tests, and the result was that my friend obtained high scores in the questions relating to the theories and methods of working in the field of internal audit, while I obtained high scores in the questions relating to the qualities and skills of internal audit. Having analyzed the results, the expert told us that the goal behind the test was to determine which one of us was more suitable for the internal audit profession in the long run. I still remember his words: knowledge and science can be acquired through studiousness and hard work, while the qualities and skills required for a specialized profession will make you a distinguished person in your career. Although we could not deeply understand his words at that time, I realized the significance and importance of the test with the passage of time.

Based on my expertise in the internal audit field, I realized that the successful internal audit department is, first and foremost, in need of efficient auditors. Thus, I started to give due care to the skills and qualities possessed by the candidates to work with us, in order to make sure that I employ the right person and that the time and money invested in such a person will be fruitful. In the following lines, I will share with you my opinion about the most important skills and qualities that an internal auditor must have in order to be distinguished among his/her colleagues.

1. The ability to understand the business and activities: In my opinion, this is the most important skill an internal auditor must possess, as the nature of his/her work requires auditing different types of business and activities within a very short period of time. In addition, the lack of this skill would greatly limit the ability of the auditor and adversely affect the audit results.

2. The ability to analyze and reach logical conclusions: The auditor’s examination work relies on analysis and drawing conclusions, as documents or statements give us information only; this skill is required to pick up any signs that may lead to a risk or an opportunity.

3. The skill of discussion and persuasion: I’m fully convinced that the auditee knows its business more than the auditor. This means that the evidence and facts mentioned in the audit report are not sufficient in many cases to convince the auditee of the importance of the observations and the risks related to them. Thus, the auditor must be well-versed and fully aware of the nature of the audited activity so that he/she can discuss the observations and convince the auditee of their importance.

4. Endless pursuit to reach the added value: Officials/management always appreciate deep observations which show that the auditor did not simply confine himself/herself to the broad lines of the observations but went the extra mile to conduct an in-depth analysis, extract data that is difficult to extract, or reveal facts, or their impacts on the business, which are hidden from such officials. In addition, this makes the officials/management more convinced of the importance of the observation and of the return they will obtain through the implementation of the auditor’s recommendation.

5. Passion for the profession: This quality is my favorite because it enables the auditor to overcome the most difficult challenges of auditing tasks. Passion for the profession inspires the auditor to look forward to auditing new and more complex topics. The audit starts by thinking about the new challenge and how to address its difficulties. However, once you proceed with audit work, you will understand the activity, identify the most important processes and then analyze the risks, etc., and gradually the mission clues will be identified. This quality gives the auditor the possibility of providing added value to the officials/management by submitting an audit report that includes the most important risks and the most important problems and opportunities that the officials/management might not know about, through conducting a professional internal audit with high added value.

Finally, I’m sure that there are many other qualities and skills, but from my point of view these are the most important ones.

However, the most important question is whether the candidate for the position of an internal auditor can acquire these qualities and skills by practice while on the job, or whether he/she must have them before joining the internal audit profession. I believe that we all have these qualities and skills, but at different levels; I also believe that the person who has a good deal of such skills is a perfect candidate for this profession, and he/she may be trained to enhance these qualities and skills.

Abdulla Hassan Al Baraei, CIA, CCSA, CGAP, Senior Manager, Internal Audit Office, Dubai Taxi Corporation

BY ABDULLA HASSAN AL BARAEI, EDITED BY HOSSAM SAMI

Human Resources

Is Internal Audit My Profession?
