Root Cause Analysis for Internal Audit · Qais Hamdan, CISA, CISM, PMP Noora Ayoob Waleed Sweimeh,...

Date post: 26-Aug-2018
Page 1: Root Cause Analysis for Internal Audit · Qais Hamdan, CISA, CISM, PMP Noora Ayoob Waleed Sweimeh, CIA Saif Kaddourah, MBA UAE INTERNAL AUDITORS ASSOCIATION PRESIDENT …

SEPTEMBER 2016 WWW.INTERNALAUDITOR.ME

Comparing the accounting frauds of the past to the current corporate environment Enterprise risk management and organizational maturity A strategic and systematic approach to internal controls

Root Cause Analysis for Internal Audit

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

Getting to the heart of the issue and adding more value to your organization


INTERNAL AUDITOR - MIDDLE EAST 01 SEPTEMBER 2016

From The President

Dear Readers,

The Institute of Internal Auditors (IIA), which has helped shape the profession since 1941, celebrated its 75th anniversary this year, and UAE IAA was very proud to participate in these celebrations. UAE IAA Board, Executive Committee members and staff participated in the International Conference & Global Council, which took place in New York, USA, and also promoted the upcoming 2018 International Conference, which will be held in the UAE. During the Global Council, the UAE IAA was awarded the International Audit Awareness Month Champion and recognized as the Diamond Supporter for IIA’s Global Council.

We would also like to take this opportunity to congratulate the following Board & Executive committee members for their new appointments on the IIA Global board:

Adnan Zaidi – Member, Global Professional Development Committee

Adil Buhariwalla – Member, Committee of Research & Education Advisors

Ahmed Bassiouni – Member, Professional Certification Board Committee

Ayman El Saheb – Member, Global Advocacy Committee

Farah Araj – Member, International Internal Audit Standards Board

Karem Obeid – Vice Chairman, Global Services & member of the executive committee of IIA Global

We are also very proud to announce our upcoming 6th Chief Audit Executive Conference, to be held on the 9th & 10th of November at the Four Seasons Hotel, Al Maryah Island, Abu Dhabi. The conference will also embrace the proclamation of the winners of the 2nd Best Practice Award. Participation is open for local, regional and foreign multinationals, government entities and small and medium enterprises. For more information about participating and the award, please visit our website www.iiauae.org.

We would also like to strongly encourage volunteers to participate with the UAE IAA and be more active in advocating the profession and remind all sponsors to contact the UAE IAA staff for sponsorship opportunities on [email protected].

We look forward to receiving your feedback, which will help us serve you better in future.

Regards,

Abdulqader Obaid Ali
President


TeamMate®

Ecosystem for Assurance

Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946

To achieve new heights, finding the right balance of audit tools is essential. Only TeamMate offers an integrated set of solutions that include the industry’s leading audit management system, an innovative controls management system and powerful data analytics.

Audit

ControlsAnalytics

TeamMate AM

Learn more at: TeamMateSolutions.com

TeamMate CM TeamMate Analytics


INTERNAL AUDITOR - MIDDLE EAST 03 SEPTEMBER 2016

INTERNAL AUDITOR - MIDDLE EAST SEPTEMBER 2016 WWW.INTERNALAUDITOR.ME

FEATURES

DEPARTMENTS

16 COVER STORY: Root Cause Analysis for Internal Audit. What role should Internal Audit have in RCA? Some practical steps audit teams can take. BY JAMES C PATERSON

20 Accounting Scandals Revisited. Pressures, Opportunities and Rationalizations are the three factors that collaborate in creating fraud. BY BINOD SHANKAR

4 Reader Feedback

6 Knowledge Update. Aligning Risk with Strategy and Performance, Governance Guidelines for Family Businesses, Global Trends and Business Ethics, Ethical questions about Big Data, Costs and Benefits of SOX Compliance survey. BY VISHAL THAKKAR

8 UAE-IAA Events

10 IT Audit. IT auditors should bear in mind obtaining an appropriate understanding of the IT control environment. BY MAIS BAROUQA

12 Conversations with Colleagues. Raddad Ayoub & Indumon Das, EY’s Risk Analytics leadership team, explain how data analytics impacts companies and internal audit. BY FARAH ARAJ

25 The ABCs: Assessing Baseline Control Arrangements. Internal auditors have an important role to play in evaluating assurance arrangements over a wide range of the entity’s activities, including financial, performance, compliance, system security, and due diligence. BY BRUCE TUNER and JACQUELINE TUNER

28 Human Resources. What are the five most important risks that affect the objectivity of internal BY SULEIMAN AL SHOUHA

31 Fostering Fundamentals. A strong maintenance program can help in getting the maximum return on investment from equipment. BY LAITH DUA

22 Is Your Company Prepared to Establish an ERM Function? What are the basic requirements to establish an ERM function? And the 5 different organizational maturity stages. BY EHAB SAIF


04 INTERNAL AUDITOR - MIDDLE EAST SEPTEMBER 2016

The writer of the “Fraud Risk Management” article talked about the publication issued by The IIA under the statement “Fraud Risk in Businesses”, and then reviewed some basic principles for proactively managing the risk of fraud in organizations. The writer expressed his opinion on the best way for internal auditors to add value to their organizations by using principle #2, i.e. by conducting fraud risk assessments, despite the other principles holding great importance.

On the other hand, through Dr. Khalid Al Faddagh’s exclusive interview he stated his opinion on the role of internal audit in fraud detection and prevention, where he stated that the internal audit bears much of the responsibility when it comes to the disclosure of frauds (Principle #4) than those incurred to prevent fraud from happening (principle #3). Honestly speaking, I liked the contrast of views in the way of adding value to the organization as it reflects the beauty of internal audit and its dependence on professional judgment and way of thinking, which fits with the organization’s needs and emphasizes that there isn’t a single approach that fits all organizations in fraud risk management.

Amjad Faisal Albaaydh, CPA, CIA, CRMA, CCSA, DipIFR
Saudi Telecommunication Company (STC)

The article by Mr. Ghazi Boyer titled “Fraud Detection and Data Analysis Programs” was useful and informative. What’s more interesting are the statistics on page 6 of the same issue, where it is estimated that only 27% of internal audit departments use the assistance of data analysis programs, so why this alienation? One of the main reasons is the fear of the difficulty of reaching a firm understanding of the structure of operational data and its relation to the work environment, as without it an ambitious analyst will not hear the full story of the data as it happened. Therefore, there is a continuing need for the deployment of professional awareness, training and solutions to reach this target, or get as close to it as possible, which is what I hoped the article would deal with. Data analysis is the easy part, but the different challenge before that would be to understand its life cycle and behavior.

Muhannad Al Hakeem, CIA, CFSA, CISA, CIP
Audit Supervisor, Arab Open University, Kuwait

ARABIC REVIEW TEAM

Ayman Abdelrahim, MQM, CIA, CCSA, CFE (Lead Member)
Khalid M. Alodhaibi, SOCPA
Qais Hamdan, CISA, CISM, PMP
Noora Ayoob
Waleed Sweimeh, CIA
Saif Kaddourah, MBA

UAE INTERNAL AUDITORS ASSOCIATION

PRESIDENT: Abdulqader Obaid Ali, CFE, CRMA, QIAL
GENERAL MANAGER: Samia Al Yousuf

REGISTRATION

Internal Auditor - Middle East magazine is licensed by the National Media Council of the United Arab Emirates (License Number 244).

Reader Feedback

INTERNAL AUDITOR MIDDLE EAST

UAE Internal Auditors Association

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

EDITOR-IN-CHIEF: Abdulqader Obaid Ali, CFE, CRMA, QIAL
EDITOR: Ghada Abd Elbaky
EDITORIAL ADVISORY COMMITTEE: Asem Al Naser, CPA, CIA, QIAL; Farah Araj, CPA, CIA, CFE, QIAL (Lead Member); Andrew Cox, MBA, MEC, PFIIA, CIA, CISA, CFE, CGAP, MRMIA; Raymond Helayel, CPA, CIA; Meenakshi Razdan, CA, CPA, CIA, CFE; Hossam Samy, CRMA, CFE, CPA, CGA; Nagesh Suryanarayana, MBA, CIA, CCSA; James Tebbs, CA; Vishal Thakkar, ACA, CIA; Gautam Gandhi, ACA, CIA, CISA, CFE

SEPTEMBER 2016, VOLUME 2016: 2

CONTACT INFORMATION

MARKETING & SOCIAL MEDIA
Alaa Abu Nabaa, MACC, CIA, CRMA, CPA, [email protected]

ADVERTISING & ADMINISTRATION
Yasmine Abd El Aziz, [email protected], Tel: +971 55 351 2335

EDITORIAL
Ghada Abd Elbaky, [email protected], Tel: +971 55 728 5147

DESIGN & PRINTING
Gulf International Advertising & Publishing L.L.C., [email protected], Tel: +971 2 441 2299

GUIDELINES FOR AUTHORS
www.internalauditor.me

Internal Auditor - Middle East is published quarterly by the UAE Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor, API Trio Tower, Dubai, United Arab Emirates

DISCLAIMERS

Internal Auditor - Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party. The views expressed in Internal Auditor - Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers. Internal Auditor - Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

INTERNAL AUDITOR - MIDDLE EAST JUNE 2016

JUNE 2016 WWW.INTERNALAUDITOR.ME

Insights on Governance, Risk Management and Control

Tips for Developing & Operating Whistle-blowing Hotlines

Fraud Trends in the Arab World

Actively Combating Procurement Fraud in Construction Projects

Fraud Detection and Data Analytics

Bolstering Anti-Fraud Programs by Effectively Identifying Anomalies & Red Flags


06 INTERNAL AUDITOR - MIDDLE EAST SEPTEMBER 2016

Knowledge Update

BY VISHAL THAKKAR

Global Trends and Business Ethics

We have yet to see the end of 2016, but it has already been a crucial year for ethics and compliance. The leak of the Panama Papers and the Unaoil data has ushered in a transformed transparency environment. Compliance thinkers have called for ‘Compliance 2.0’, i.e. a boost to the power and authority held by compliance functions in order to match their rising accountability.

Hyper-transparency and its consequences

Governments are increasingly under pressure to commit to global transparency initiatives. Companies should also expect the trend toward transparency and accountability initiatives to intensify with the emergence of each global corruption scandal.

Individual and collective empowerment and rising expectations

By 2030, it is estimated that 90% of the world’s population will know how to read. Together with improved living standards and education levels, this will create an unprecedented level of individual empowerment, along with rising expectations of business and government. The age-old concept that the purpose of a corporation is to “drive shareholder value” may be replaced by broader concepts of stakeholder trust and “shared value.”

Demographic shift and the automation of work

The aging of the workforce poses far-reaching social and economic implications, such as a decline in the number of workers available to business and an increase in local communities’ need for services associated with an older population. There will be a premium on the ability of business to support local communities via investments, local contracting, and tax revenues, and to explain the value of its support.

http://richardbistrong.com/global-trends-business-ethics/

The GCC Governance Code - Governance Guidelines for Family Businesses

As an inherent feature of many Arab Gulf states, private businesses are family owned, and these businesses contribute significantly to the economy of their respective countries. Many of these family-owned businesses have been operating for 40-60 years, i.e. they are relatively young and approaching the critical stage of succession planning or transition from one generation to another. As per some estimates, almost US$ 1 trillion of assets are to be transferred to the third generation during the next decade. However, what is not generally known is that only approximately 30% of all family businesses make it to the second generation, and even fewer make it to the third (est. 12%) and fourth generation (est. 3%). There is a unique dynamic at play at GCC family businesses, as these are predominantly run by very large families, which presents complexities typical of family businesses in their third and fourth generation cycles at an earlier stage in their evolution. The probability of conflict increases with more family members, who may have different views about management matters such as future direction, investment decisions, and who is capable of running the company. A large family also puts significant pressure on the family business to grow quickly in order to maintain the same level of wealth for each family member across generations. A study estimates that the typical GCC family business must grow at an annual rate of 18% to maintain the same level of wealth for each family member.

http://fbc-gulf.org/downloads/The-GCC-Family-Business-Governance-Code-FBCG_English.pdf

Global profile of the fraudster: technology enables and weak controls fuel the fraud (KPMG infographic; figures as shown)

- 61%: weak controls are a factor in 61% of frauds
- 3%: of fraudsters detected through proactive data analytics
- 38%: of fraudsters are working alone
- 62%: of fraudsters work in groups
- 69%: are 36-55 years of age

https://home.kpmg.com/xx/en/home/insights/2016/05/profiles-of-the-fraudster-an-illustrative-look-at-the-findings.html

INTERNAL AUDITOR - MIDDLE EAST 07 SEPTEMBER 2016

Knowledge Update

COSO Enterprise Risk Management - Aligning Risk with Strategy and Performance

COSO had announced a project to review and update the Enterprise Risk Management – Integrated Framework in October 2014. The update was released in June 2016, and the public can provide comments on the proposed Framework until September 30, 2016. The revised Framework updates the core definitions of risk and enterprise risk management as well as the various components of enterprise risk management. In summary, the updated framework proposes:

- Adopting a structure of components and principles
- Simplifying the definition of ERM
- Emphasizing the relationship between risk and value
- Renewing the focus on the integration of ERM
- Elevating discussion of strategy
- Enhancing the alignment between performance and ERM
- More explicitly linking ERM to decision-making
- Delineating between ERM and internal control
- Refining risk appetite and acceptable variation in performance

http://erm.coso.org/Pages/default.aspx

Ethical questions about Big Data

As the internet of things has provided companies with many ways to collect more data about their customers, it also poses a significant challenge: regulations in this area are developing at a slower pace than the technology, which shifts the responsibility to the company to decide how to exploit the insights offered by data from mobile phones, travel passes and thermostats, among other devices, while at the same time complying with its core ethical values. The Institute of Business Ethics recommends that companies consider the following six questions:

1. How does the company use Big Data and to what extent is it integrated into strategic planning?

2. Does the organization send a privacy notice when personal data are collected?

3. Does the organization assess the risks linked to the specific type of data it uses?

4. Does the organization have safeguards in place to mitigate these risks?

5. Do we make sure that the tools to manage these risks are effective and measure outcomes?

6. Do we conduct appropriate due diligence when sharing or acquiring data from third parties?

http://www.cgma.org/magazine/news/pages/ethical-questions-about-big-data.aspx

Understanding the Costs and Benefits of SOX Compliance - a Protiviti survey

Important features noted in the 2016 survey are:

- One in three organizations spends $500,000 or less per annum on Sarbanes-Oxley compliance, and just under half spend less than $1 million
- Many large companies spend $2 million or more per year, as do organizations from industries including insurance and telecommunications
- Many organizations committed more hours to SOX compliance in the latest fiscal year as compared to prior years
- The majority of organizations with mature SOX compliance processes have improved their internal control over financial reporting, and most organizations are leveraging their SOX compliance efforts to drive continuous improvement of their business processes.

https://www.protiviti.com/en-US/Documents/Surveys/2016-SOX-Compliance-Survey-Protiviti.pdf


08 INTERNAL AUDITOR - MIDDLE EAST SEPTEMBER 2016

UAE-IAA Events

17th Annual Regional Audit Conference

UAE IAA was awarded the diamond sponsorship in the Global Council 2016

BY SAMIA AL YOUSUF

The UAE IAA’s 17th Annual Regional Audit Conference was held from 19th – 21st April 2016 at the Le Meridien Hotel, Dubai, with the theme “Driving Business Innovation”. This conference is considered to be the largest “Smart” conference and premier training event related to internal audit in the Middle East region, offering valuable networking opportunities for attendees and immense exposure for sponsors.

The keynote speakers of the conference were: Michael J. Fucilli, Talal Abu Ghazalah, Abdullah Al Rowais & Jeremy P. Carver and the motivational speaker of the conference was: Mohammed Al Qahtani

The conference was preceded by a day fully dedicated to 9 different workshops for the attendees to choose from. Following the workshops, the conference was in full swing featuring recognized and respected keynote speakers from across the globe discussing the latest trends impacting all that is related to the internal audit profession, be it a current trend or a future prospect along with 20 different tracks for attendees to choose from.

The 13th annual Global Council took place on 16‒17 July in New York, NY, USA, with nearly 200 delegates representing 100 IIA Institutes and affiliated organizations, along with IIA executive officers and headquarters staff for what was one of largest Global Councils in The IIA’s history. This year was exceptional as the event was held in conjunction with The IIA’s 2016 International Conference, which celebrated The IIA’s 75th Anniversary.

UAE IAA was awarded the diamond sponsorship in that event

The UAE IAA delegate consisted of:

Abdulqader Obaid Ali, UAE IAA President;

Khalid Al Halyan, UAE IAA Vice President; and

Karem Obeid, UAE IAA Executive Committee Member & The IIA (Global)’s Vice Chairman for the Global Services and Executive Committee Member.

UAE IAA Participates in the IIA’s International Conference 2016

UAE IAA Awarded building awareness Champion 2016

The upcoming 6th Chief Audit Executive (CAE) Conference 2016

UAE-IAA Events

In preparations for hosting the 2018 International Conference, the UAE IAA team along with representatives from the Board of Governors & Executive committee participated in IIA’s International Conference which was held between 17 – 20 July in New York, U.S.A.

The UAE IAA secured a booth to market the 2018 conference and UAE as a destination with the support and assistance of Dubai Tourism. The booth was very well received throughout the conference with close to 800 visitors. In addition to this, the UAE IAA conducted a raffle draw from within the booth visitors for a free pass to the 2018 conference.

The 2018 International Conference will be under the theme “Connecting the World Through Innovation” and will be held between May 6 – 9 at the Dubai World Trade Center, Dubai, UAE.

The IIA Global has chosen May as the International Internal Audit Awareness Month. It has requested all its affiliates to work on building awareness about the value that internal audit brings to stakeholders.

UAE IAA held more than 17 activities throughout the month, and the IIA Global presented the 2016 Building Awareness Champion Award to UAE IAA, alongside the other institutes, chapters and associated organizations, in appreciation of their efforts to promote the profession during the International Internal Audit Awareness Month.

UAE Internal Auditors Association will hold its 6th Annual Chief Audit Executive (CAE) Conference, themed “Enhance & Protect: Challenges Ahead”, at the Four Seasons Hotel at Al Maryah Island, Abu Dhabi on the 9th - 10th of November 2016. This year’s “Smart Conference” is dedicated to the crème de la crème in the field of internal audit, with Chief Audit Executives from across the region gathering on a roundtable basis to discuss and share their experiences and challenges. Mrs. Angela Witzany, 2016-17 Chairman of The IIA’s Global Board, will provide the keynote speech of the conference.

The Conference will also present the 2nd edition of the Best Practice Award in Internal Audit. The award is aimed to appreciate Internal Audit departments that go the extra mile to implement practices and standards to ensure effective & efficient performances when compared to other organizations. Through this award UAE Internal Auditors Association aims to encourage Internal Audit departments to improve and enhance their activities by learning from those who have been successful at what they do.

UAE IAA Honors HASAAD Graduates

The second batch of UAE nationals has completed the world’s pioneering internal auditing training program, HASAAD. UAE IAA, in collaboration with the Higher Colleges of Technology and Protiviti, held the graduation ceremony at HCT Abu Dhabi Men’s College on the 6th of June 2016; it was attended by Abdulqader Obaid Ali, UAE IAA President, Ahmed Al Khouli, HCT Head of Business Development, and Mohamed Al Bouhee, Protiviti Director.

INTERNAL AUDITOR - MIDDLE EAST 09 SEPTEMBER 2016


10 INTERNAL AUDITOR - MIDDLE EAST SEPTEMBER 2016

BY MAIS BAROUQA, EDITED BY FARAH ARAJ

Information Technology General Controls: The Basics

General controls are defined by COBIT as controls, other than application controls, that relate to the environment within which computer-based application systems are developed, maintained and operated, and that are therefore applicable to all applications (ISACA Glossary, 2014). These controls include policies, procedures and practices (tasks and activities) established by management to provide reasonable assurance that specific objectives will be achieved [2], namely to ensure the proper development and implementation of applications and the integrity of program and data files and of computer operations (ISACA Glossary, 2014).

By nature, general controls can be automated, manual or hybrid [1]. In the case of an automated or hybrid control, further testing by an IT auditor is required in order to provide assurance over any calculations or reports generated through an IT system, over complex interfacing between several IT systems, and over security access and segregation of duties.

Taking into account that general controls apply to all areas of the organization, including IT infrastructure and support services [2], each IT auditor should obtain an appropriate understanding of the IT control environment prior to any testing or walkthroughs, covering the four key areas below:

1. Overall Information Technology Governance

The objective of this control is to gain an overall impression of the controls surrounding the information systems within the environment, in order to provide assurance over the existence of leadership, organizational structure and processes. A set of areas should be taken into account while auditing this control, such as the information security framework and structure, IT strategy, organizational structure, policies and procedures (including information security), IT contracting strategies, IT controls monitoring, risk management plans and the business continuity plan. [2]

IT AUDIT

INTERNAL AUDITOR - MIDDLE EAST 11 SEPTEMBER 2016

2. Physical & Logical access management

The objective of this control is to verify the key components which affect the confidentiality, integrity and availability of information systems [2]. Areas such as information security policies, design and monitoring of data classification, security awareness programs, and user access management (including user registration and deregistration, user access provisioning, management of access rights, management of users’ secret authentication information, review of user access rights, logging and monitoring, removal or adjustment of access rights, and data center access) should be addressed to provide a sufficient degree of assurance on this control. [1][2]

A fundamental aspect of this control that should be taken into account while auditing is the appropriate assignment of roles and responsibilities, along with appropriate access rights and restrictions, in order to ensure that segregation of duties is achieved. [2]
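As an added illustration (not from the article, ISACA or ISO material), the following Python shows how an auditor might test this area over a user access extract: it flags users holding conflicting role pairs (segregation of duties), leavers whose accounts were never de-registered, and accounts with no access-rights recertification within a year. The roles, the SoD conflict matrix and the records are hypothetical and constructed for the example.

```python
"""Added example, not from the article or from ISACA/ISO material: an
auditor-style test over a constructed user access extract, covering two
points raised under "Physical & Logical access management": segregation of
duties (SoD) between conflicting roles, and de-registration of leavers.
The roles, the SoD matrix and the records are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical SoD matrix: role pairs one person should never hold together.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "payment_release"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_release"}),
}


@dataclass
class UserAccess:
    user_id: str
    roles: Set[str]
    active: bool                              # account enabled in the system
    termination_date: Optional[date] = None   # from the HR extract; None if still employed
    last_review: Optional[date] = None        # last access-rights recertification


def sod_conflicts(user: UserAccess) -> List[Tuple[str, str]]:
    """Conflicting role pairs held by one user (empty list if none)."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= user.roles)


def stale_leavers(users, as_of: date) -> List[str]:
    """Accounts still active although HR shows the person left on or before as_of."""
    return sorted(u.user_id for u in users
                  if u.active and u.termination_date is not None
                  and u.termination_date <= as_of)


def unreviewed(users, as_of: date, max_days: int = 365) -> List[str]:
    """Active accounts with no recertification within max_days of as_of."""
    return sorted(u.user_id for u in users
                  if u.active and (u.last_review is None
                                   or (as_of - u.last_review).days > max_days))


def access_findings(users, as_of: date) -> Dict[str, object]:
    """Collect the findings an auditor would record in the working papers."""
    return {
        "sod": {u.user_id: sod_conflicts(u) for u in users
                if u.active and sod_conflicts(u)},
        "leavers_still_active": stale_leavers(users, as_of),
        "not_recertified": unreviewed(users, as_of),
    }


# Constructed sample extract (not real data) and the review date used for it.
AS_OF = date(2016, 9, 1)
SAMPLE_USERS = [
    UserAccess("u001", {"journal_post", "journal_approve"}, True, None, date(2016, 3, 1)),
    UserAccess("u002", {"vendor_master_maintain"}, True, None, date(2016, 6, 15)),
    UserAccess("u003", {"payment_release", "user_admin"}, True, date(2016, 5, 31), date(2015, 1, 10)),
    UserAccess("u004", {"reporting_read"}, False, date(2015, 12, 31), None),
    UserAccess("u005", {"reporting_read"}, True, None, None),
]


def sample_findings() -> Dict[str, object]:
    """Run the three checks over the constructed extract."""
    return access_findings(SAMPLE_USERS, AS_OF)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_findings(), indent=2))
```

On the sample data, u001 and u003 hold conflicting role pairs, u003 is a leaver whose account is still active, and u003 and u005 have not been recertified within a year; u004 is ignored because the account is already disabled.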

3. Operational Controls

The objective of this control is to verify that the expected level of service promised to the business will be delivered through the day-to-day activities of the organization. Areas such as operational and end-user procedures for both scheduled and non-scheduled processes, automated and manual batches, backup and restore management, monitoring of resource use, malware detection activities, USB usage, virtual private networks, intrusion prevention systems, intrusion detection systems and disaster recovery planning should be assessed by the IT auditor to provide assurance. [2]

4. System development & change

The objective of this control is to provide an appropriate degree of assurance over the changes implemented on the information systems. Change management processes and policies, help desk support, incident handling, release management and problem management should be addressed by the auditor to ensure that the control is effective. It should be noted that this control is not limited to software changes alone; it addresses hardware changes as well. [2]

Each key area referred to above is relevant to several information technology layers.

Conclusion

The importance of Information Technology General Controls has risen massively due to the focus given to them by the Sarbanes-Oxley Act. Today, ITGCs are considered to be the base of information security systems for all types of industries. ISO 27001:2013 [1] provides requirements for establishing, implementing, maintaining and continually improving an information security management system. Therefore, IT auditors should assess the ITGCs and consider the results before progressing further in the audit plan.

References

[1] ISO 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.

[2] ISACA, 2011, Certified Information System Auditor Review Manual, USA.

MAIS BAROUQA, CRISC, CGEIT, COBIT 5, ISO27K, GRCP, is an IT Risk and Assurance senior consultant based in Jordan.

IT AUDIT


12 INTERNAL AUDITOR - MIDDLE EAST SEPTEMBER 2016

Conversations with Colleagues

BY FARAH ARAJ

Raddad Ayoub & Indumon Das

EY’s Risk Analytics leadership team explain data analytics and how it is positively impacting both companies and the internal audit profession

In an exclusive interview, Internal Auditor - Middle East spoke to Raddad Ayoub and Indumon Das from EY’s Advisory teams in the EMEIA and the Middle East respectively. Raddad is a Partner with more than 17 years of experience and is a member of EY’s Europe, Middle East, India and Africa Risk Advisory – Center of Excellence. Indumon is a Senior Manager in the Risk Advisory team in the Middle East and North Africa Firm, with over 12 years of experience, and leads the MENA Risk Analytics team. Both are pioneers in the risk analytics space in the Middle East region. In addition, they are both active supporters of the UAE Internal Auditors Association (UAE-IAA) and have delivered presentations at several of its conferences.

Internal Auditor - Middle East conducted a telephone interview with Raddad Ayoub (RA) and Indumon Das (ID).


What is Risk analytics and how did it come about?

RA: Risk Analytics is the discipline of data analysis in the context of Risk Management. We continue to see a growing importance for fact-based decision making. This, compounded with the exponential growth in the sheer amount of information we are generating every day, has made it important for risk management to adapt as well. Today, it has become just as important for business stakeholders to have access to operational as well as risk information in the decision making process. KRIs and KPIs are two sides of the same coin. Organizations looking at one without the other are potentially missing the bigger picture.

ID: Agreed… Technically, Risk Analytics is a combination of Data Analytics tools and techniques that help organizations optimize their risk exposures and maximize business opportunities to improve performance, increase profit and achieve business goals. The inception of Risk Analytics shifted the intuition-based decision making paradigm to a data-driven insights methodology, with which stakeholders can accurately measure, quantify and foresee risks.

How are companies in the Middle East benefiting from data analytics?

RA: The risk horizon in MENA is changing rapidly; multiple segregated views of risks and opportunities are no longer useful, as they can cause organizations to lose track of real risk and performance indicators. And with an abundance of technology solutions available in the market, implementation without a clear unified strategy will also prove detrimental, increasing noise and reducing visibility. The largest challenge we foresee today is how well equipped organizations are to collect and assimilate data, and translate that into relevant information that can in turn be used to hunt for real flashing red lights. Decision makers are measured by their ability to digest immense volumes of information into insights, identifying first-mover advantages while avoiding challenges that may have severe repercussions for their own organizations.

Organizations need to enable their lines of defense with a uniform structure and enabling technology that looks at all traditional aspects of risk management, and capitalize on emerging analytical and dynamic visualization capability. This should be with two clear goals in mind: one, aligning the entirety of their Risk Management operations with business strategy; two, leveraging the aggregation of the various risk function capabilities with information to Detect, Hunt and Respond to the risks and opportunities that really do matter to the organization.

ID: In today’s dynamic business environment in the MENA region, most of the leading organizations, irrespective of sector or size, have adopted Risk Analytics to manage their risks effectively and efficiently. It is difficult to classify the leading countries in terms of adoption; however, UAE, KSA and Qatar are the early adopters of this concept. The adoption primarily materialized in risk areas such as operations, regulatory compliance, supply chain, finance and credit.

So how can data analytics be used from an internal audit perspective?

ID: Big data and analytics are changing the traditional way of managing the business, and the internal audit function cannot stay away from it. The IA function must adopt analytics to keep pace with or outpace the business. In the context of IA, analytics is the analysis/mining of the entire population of data to gain insights and reduce risks, to improve business performance and maximize business value.

Analytics can be embedded into the entire IA lifecycle- from Risk Assessment, Audit Planning, Audit Execution, Audit Reporting, Action Plan to Continuous controls monitoring.

IA Analytics enables the IA function to explore unprecedented volumes of data, from both external and internal sources, using various analytics techniques such as descriptive, predictive and prescriptive (machine learning etc.). Hence the IA function can identify hidden patterns and attributes that were never visible before and increase audit coverage.

Nowadays, analytics has become an inevitable part of the IA function, and many audits cannot be done without an analytics element, for example Inventory, Financial Statements, Accounts Receivable and Accounts Payable.

What about using data analytics for continuous auditing?

ID: By definition, continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments. Data analytics tools and technology play a pivotal role in facilitating continuous audit by helping to automate the data extraction processes, identifying exceptions or anomalies, analyzing patterns and trends, sending customized alerts to stakeholders and building dynamic dashboards for digital devices.

Building continuous audit capabilities into the IA function is a journey that involves significant time and effort. EY has developed a maturity model (refer: Appendix - IA Analytics maturity model image) that provides a useful way to measure an organization’s IA analytics progress. Many of the early adopters of data analytics in the MENA region have already achieved the Continuous Audit maturity level and further pushed analytics to management and the continuous control monitoring phase (optimized maturity level).


Do you think the use of data analytics would impact internal audit’s relationship with the Audit Committee and other key stakeholders?

RA: Audit Committee members and executives are privy to sector trends in relation to risk management; we increasingly see AC members demanding more insightful reporting, deeper analysis and predictive insights into what can go wrong and where.

ID: Companies are moving toward using the IA function for comprehensive, top-down enterprise risk assessments and stakeholders are placing a greater emphasis on how IA can play a role in evaluating and mitigating risk. The role of IA is shifting from an independent assurance function to that of a trusted management advisor with the help of IA analytics. IA analytics provides deeper visibility of the risks, enables dynamic monitoring of risk and mitigation plans, helps to predict the future risks and identify the new business opportunities.

There seem to be several data analytic tools in the market. How can internal auditors decide on what is the best tool for their department?

ID: Yes indeed, the current market is flooded with numerous analytics tools and technologies, which makes the tool selection process a bit complex, but since the tool is one of the key success drivers of the IA analytics journey, it is really important to select the right tool for your business. Ideally an IA function should select tools based on four capability parameters:

1. Self-service analytics: Is the tool easy to use with very minimal technical knowledge?

2. Variety and size of data: What type and size of data can the tool work with?

3. Data visualization: How easy is it to visualize the data and produce engaging reports for the user?

4. Mobility: Can the tool or its output work on mobile devices?

Since the inception of the self-service, data visualization, big data and mobile analytics concepts, the traditional IA analytics tools have been overshadowed by modern analytics tools, which are becoming very prominent in the audit analytics industry.

“KRIs and KPIs are two sides of the same coin. Organizations looking at one without the other are potentially missing the bigger picture” - Raddad Ayoub, Partner, EY

Any recommendations on how internal auditors can start their data analytics journey?

ID: IA must integrate analytics into its audit processes to keep pace not only with the business but also with the organization’s competitors; hence analytics is not a “nice to have” but a “must have” component for the IA function.

RA: In our region, Internal Audit is at the forefront of risk management and takes the driving seat for change in our discipline. Frequently, we see risk transformation initiatives, including those related to data risk analytics, championed by the Internal Audit function, although it may not be the exclusive stakeholder (and is sometimes even a third party to that transformational scope!). By adopting leading transformational initiatives, Internal Audit is playing its role in protecting the organization’s most important assets, and ensuring that the science and art of risk management stays ahead of change.


Audit Productivity

BY JAMES C PATERSON

Root Cause Analysis for Internal Audit

By proactively applying Root Cause Analysis internal auditors can get to the heart of issues that they are auditing and add greater value to their organizations.

Over the past 15 years working in the internal audit arena I have seen a growing interest in the topic of Root Cause Analysis (RCA). My involvement in the topic has evolved from using it as part and parcel of a “lean auditing” approach, to running RCA webinars and seminars for the Institute of Internal Auditors (IIA) UK, to the delivery of various in-house training workshops on this topic, and now more recently, offering a 1 day open course on RCA, as well as supporting the IIA UK to write a new practice guide on the topic. This article explains:


• What Root Cause Analysis is

• What involvement should internal audit have in RCA

• Why effective RCA is not as straightforward as you might think

• Why RCA is gaining interest in internal audit

• Some practical steps audit teams can take

What is RCA?

RCA is about identifying why an issue occurred, as opposed to simply reporting the issue or its immediate or contributing causes. The issue could be an error, non-compliance, non-delivery of an objective or anything else that would be regarded as a failure or problem in the eyes of an organization or its stakeholders.

What role should Internal Audit have in RCA?

The IIA has a clear practice advisory (2320-2) on this topic:

“Auditors whose reporting only recommends that management fix an issue and not the underlying reason that caused the issue are failing to add insights that improve the longer-term effectiveness and efficiency of business processes and thus the overall governance, risk and control environment”.

It goes on to say:

“A core competency necessary for delivering insights is the ability to identify the need for RCA and, as appropriate, actually facilitate, review and/or conduct a root cause(s) analysis”.

In my experience most audit teams believe they can identify root causes, but only a few teams have an explicit written RCA methodology, and even if they do mention techniques such as the “5 whys”, they offer limited training on effective RCA techniques to ensure quality and consistency within the audit team. I think the reason for this is that many internal auditors think they will naturally be good at RCA because they are auditors, even if they have never had any formal training, or had only limited training, on the subject!

Why effective RCA is not as straightforward as you might think

When things don’t go according to plan in an organization there can often be pressure to avoid taking the blame for what has gone wrong (for fear of the impact this might have on one’s performance assessment or potential rating). Consider an IT system implementation that was delayed and over budget: it can be tempting to “point the finger” at external factors (“the IT contractor made things too complicated, adding time and cost”), or, if internal factors have to be acknowledged, to come up with a politically acceptable reason for the problem (“the IT department (or some other department) didn’t manage the project so well”). Another organizational defense can be to say, “projects are always over budget and a bit late, it’s just one of those things that happens” – resulting in no organizational learning and quite probably reinforcing a culture in which project disappointments are quite common.

Even where there is a bona fide intention to carry out an unbiased RCA, it can be easy to identify “obvious” issues that can be improved and to classify these as the root causes. For example, in the case of the IT system implementation an audit report might correctly state: “The finance department didn’t properly keep track of the project costs”, resulting in the conclusion that “finance needs to keep a closer track of IT project costs in future”. However, even if this is true, such an analysis does not represent a proper RCA. To carry out a proper RCA, other avenues need to be pursued, even when “obvious” issues clearly need to be fixed. In the example above, two other avenues need to be pursued: i) Why was the finance department not keeping track of the IT project costs? and ii) Were there any other factors responsible for the cost over-runs, in addition to the lack of monitoring of costs?

If we continue with the example (based on a real case), we might discover that there was no agreed process in relation to when and how finance staff should monitor IT project costs, and there were limited discussions between finance and the project team about the sorts of cost management issues that might arise and how these might be identified on a timely basis (a number of which would need to be done by the project team and not just the finance department). Further, we might find that finance staff have limited time to analyze and uncover issues with IT project cost estimates, partly due to missing or incomplete information from the project, and also due to poor financial systems. Thus simply saying that finance department should keep a better track of project costs can easily ignore the underlying causes that led to this, and therefore not offer a lasting long-term solution.

Looking at other reasons that contributed to the project running late and over budget, we might uncover that some project decisions (to adjust the scope of the system implementation) were made without fully thinking through the impact on time and cost, and finance staff were not involved in these decisions. Furthermore, we might identify that some users of the IT system were not fully engaged early enough in the details of what was going to be delivered, resulting in problems at the testing stage, causing rework, delays and additional costs. And we can go further: why were some of the eventual users of the IT system not engaged earlier and as extensively as they might have been? Because they were busy on other business tasks and initiatives, which meant they did not have the time to contribute as fully as they could have done at the early stages of the project! And why was this the case? Because the project budget made limited provision for back-filling operational staff so that they could contribute to the project at an early stage! And why was the budget for back-filling constrained? Because senior decision makers wanted the project to be done cheaply! The paradox here is that the desire to save costs at the beginning of the project was one of the reasons (but not the only reason) that there were higher costs later on in the project! Which was exactly the thing that senior managers wanted to avoid!

Thus an effective Root Cause Analysis will normally reveal several factors that led to the issue or disappointment. Indeed, although a proper RCA process is more “forensic” and probing than an informal approach, it is actually less likely to blame any one individual or process. In reality, the reasons for many issues and disappointments are a combination of process, system, organizational and cultural factors, and effective RCA will make this clearer, clarifying why some issues keep recurring and offering the key to lasting long-term performance and control improvements.

Why RCA is gaining an interest in internal audit

Apart from the fact that it is good practice to carry out robust RCA, my experience is that the growing interest in being more professional in relation to RCA is due to three key factors:

1) An increasing realization by internal audit teams that some issues (e.g. frauds, losses and policy non-compliance) keep repeating themselves, despite internal audit raising the same, or similar, audit points on a regular basis. I call this the “Groundhog Day” phenomenon, based on the film in which the lead character has to live the same day over and over again. Indeed some heads of internal audit that I have worked with have said: “I could often write 80% of an audit report in advance – there will be problems with accountabilities, risk registers will not be up to date, managers will not do enough monitoring. Etc. Etc.” Audit teams should recognize that recurring issues are a clear warning sign that root causes are not yet being addressed effectively.

2) An appreciation that audit reports can normally be shortened, and made more impactful, if root causes are identified. One client I worked with was finding that stakeholders were not properly reading audit reports and were wondering what value they were adding. We reviewed a draft audit report concerning an IT system that had 20 findings – and 20 actions. After we did some work on the root causes, we identified that there were in fact 5 key root causes (supported by the 20 facts) and therefore only 5 key actions were needed. The report was cut in half, but still captured all of the key factual concerns, and it also raised much more interesting points for senior managers.

3) A recognition of the importance of understanding the cultural factors that are contributing to audit findings. There are often increasing expectations that audit teams should be better able to comment on the risk and control culture of the organization, and a growing number of audit teams are recognizing that effective RCA is actually an important “window” into the culture of an organization.

Some practical steps audit teams can take

My first advice would be for audit teams to consider and debate:

1) How often do issues repeat themselves in your organization? (e.g. are there common issues that the audit team sees, or other areas that seem to recur often, such as those reported through management incident, fraud, or loss reporting?)

2) How long are audit or investigation reports, and are stakeholders reading them?

3) What does the current internal audit, or investigation methodology say about RCA and what guidance and training is provided to internal audit team members concerning RCA? And what is available for the wider organization?

4) Start a dialogue with stakeholders about the benefits of improving Root Cause Analysis so that there is a developing interest and capability to do this among managers and second line functions (such as finance, Health & Safety, Compliance and Risk).

If there is room for improvement in any of these areas, auditors should familiarize themselves with the IIA guidance materials and either: i) start to pilot the use of techniques such as the “5 whys” and “the fishbone diagram” in selected assignments or ii) try to analyse the common themes in audit findings and assess the root causes for these. In addition, audit teams might want to consider whether more in-depth training (for them or other departments) could be used as a way of building competence and clarifying priority areas for action.

JAMES C PATERSON, PIIA is the founding Director of Risk & Assurance Insights, Ltd, which specializes in the delivery of training and workshops for heads of audit and their teams. James was previously the Chief Internal Auditor for a global pharmaceuticals company for over 7 years. He is the author of the book “Lean Auditing” published by J Wiley & Sons.

Good Root Cause Analysis can also help audit teams deliver shorter, more impactful, audit reports


Fraud

BY BINOD SHANKAR, EDITED BY FARAH ARAJ

Accounting Scandals Revisited

A former auditor looks to the accounting frauds of the past and examines whether the present is any different.

Once upon a time I was an auditor with Andersen in Dubai. I had joined in December 2000.

Exactly two years later my career, and that of tens of thousands of others worldwide, was in serious danger because of what had happened thousands of miles away in Houston.

Ever since Enron went bust in late 2002 I’ve been fascinated by accounting scandals, and there have been many, including some big names: WorldCom, Global Crossing, Parmalat, Lehman Brothers, Xerox, Halliburton, Tyco etc. They happened due to three reasons: Pressures, Opportunities and Rationalizations. If there are good reasons to do bad things (mostly money related), some clever ways of doing it and a good alibi, then CEOs and CFOs may not hesitate to, as a greedy and incompetent ex-CEO of mine so elegantly put it, “enhance their personal net worth”. Fraudulent financial reporting is relatively rare, but it causes the most damage.

From an internal audit and external audit perspective one can focus on all or some of these three factors. The existence of opportunities does mean that fraud is likely to happen. But if there are strong pressures you must be watchful, because fraud is far more likely to happen.

Common examples of pressures are high debt levels, impending breach of a debt covenant, increasing competition, declining industry fortunes, operating losses, personal guarantees of debts of the entity, significant financial interests in the entity, new accounting or regulatory requirements, high revenue or profit targets and compensation tied to stock prices/sales/profits. The last mentioned is probably the most common, which calls into doubt the conventional wisdom of performance-linked executive compensation. As an example, almost 90% of the compensation of Enron’s C-suite executives was not in the form of salaries. Re: industry issues, the massive scandals at WorldCom and Global Crossing were mainly due to the vast oversupply in telecom capacity in the late 1990s.

The Opportunities are many. Significant related party transactions. Domination of management by a single person/group of people. But the most common manipulations happen when estimates and judgements are required, and accounting is rife with such instances. Useful lives of depreciable/amortizable assets. Salvage values. Selling prices for calculating net realizable value of inventory. Impairment of fixed assets, goodwill and investments. Fair value of investments. Percentage completion for revenue and cost recognition. Goodwill on acquisition. Provision for doubtful debts and obsolete inventory. Pension liability and pension expense (for a defined benefit pension plan). The list goes on and it is truly a treasure chest for a cunning CFO.

Rationalization is the weirdest of the three as it is mainly psychological and invisible. It’s all about attitude. It’s the fraudster convincing himself that it’s OK. That it is only a small amount. That it is a big amount but it is just temporary. That it is big but I won’t do it again. That it didn’t hurt anyone. That everyone else is doing it… One big red flag is frequent change in external auditors.

One important part of rationalization is the culture of the company. Enron had a toxic culture, a dog-eat-dog world where revenues and profits were paramount. The weekly Andersen partner meetings with the Andersen CEO (Joe Berardino) always focused on one thing: new clients and firm revenues. Andersen was the only Big 5 audit firm to allow the partner in charge of an audit to override a ruling made by the quality control partner. In Fannie Mae, if you ever dissented your career was over.

“Images of external auditors shredding documents come to mind when looking at the accounting scandals of the past”

All three factors must be present for fraud to take place. For example, if there is terrible pressure and a fraudulent mindset but no opportunity, then fraud is unlikely to happen. Or if there is both opportunity and rationalization but no motivation, we have no problems.

Of the three elements, a company can only control opportunity. So, if a company wants to reduce the chances of fraud, they need to eliminate the one element they can: opportunity. One way opportunity can be controlled is by implementing and enforcing good internal controls.

LOOKING TO THE PAST

If you look at history, neither external nor internal auditors have come out of all these accounting scandals smelling of roses.

Since this is a magazine for internal auditors, let us focus on them. There is a spectrum here: from proactivity to inertia to outright collaboration in the fraud:

• In the case of WorldCom, it was the team led by Cynthia Cooper, Head of Internal Audit, that picked up the nearly USD 3.8 billion overstatement of profit (done by the relatively simple expedient of capitalizing expenses!). More about her later.

• In most of the other scandals, the internal auditors didn’t bring the scandal to the public eye. Either they were incompetent or they were simply too scared to tell the truth.

• Inaction is unacceptable, but the prize for outright collaboration goes to the boys at Satyam, the large Indian IT company. Satyam inflated revenue by creating fictitious invoices on fake clients, which led to fake receivables, fake cash, fake interest on the fake cash etc. All this fell apart in 2008 and it was discovered that the Head of Internal Audit had helped in setting up the fake customer accounts!

I believe Internal Auditors have far more responsibility to pick up accounting frauds. Unlike external auditors, whose scope (and hence the nature, extent and timing of their tests) is strictly defined by statute and audit standards, internal audit has a far wider scope that covers not just the financial statements but also operations, propriety etc. The internal auditor knows the industry, the company and the issues much better than an external auditor. If he is competent, bold and has independence we should not have any problem.

And it’s not easy. When Ms. Cooper first saw a USD 500 million capitalization at WorldCom that was clearly wrong, she talked to the auditors (Andersen), who first told her that the accounting practices were OK and then refused to cooperate with her. She disagreed with her CFO and took the matter to the audit committee of the Board. The Board agreed with her. The CFO was furious and warned her to mind her own business. Her team secretly spent countless late nights digging into the IT system, analyzing hundreds of thousands of entries. Repeatedly blocked by her CFO and Andersen, she went to the new auditors, KPMG, who supported her. Her decision to finally go to the board with the evidence was a difficult one; she knew that people would be fired, that WorldCom would suffer massively, and that she and her team could lose their livelihoods and also be blamed for the mess. On 20 June 2002 she presented her findings to the Board. The next day the Board issued a press release detailing the fraud and it created corporate history.

IS THE PRESENT ANY DIFFERENT?

No it is not! Has anyone heard of the Toshiba accounting scandal (2015)? Richard Chambers, President of the Institute of Internal Auditors, wrote a blog about it [1] and how internal audit didn’t manage to detect this USD 1 billion accounting fraud. However, is fraud really detected by internal auditors? According to a 2016 study by the Association of Certified Fraud Examiners [2], internal auditors detected fraud in only 16.5% of cases, with tips from employees being the most common way fraud is detected. In the Middle East, internal auditors seem to do a better job at detecting fraud, as they detected fraud in 25.3% of cases. Furthermore, when it comes to external auditors, the results are even worse. Globally they detected 3.8% of frauds, while in the Middle East the percentage dropped to 1.3% of cases.

Today, accounting fraud is alive and well both globally and in the Middle East; if you’ve paid attention to the news over the past few months you would know that a global accounting firm was banned from conducting audits in Saudi Arabia, a result of what was labeled as “accounting fraud”.

Both internal and external auditors have a near sacred duty. On all matters concerning their task, I am reminded of the quote by Edmund Burke, the 18th century Irish philosopher: “The only thing necessary for the triumph of evil is for good men to do nothing.”

References:

[1] https://iaonline.theiia.org/blogs/chambers/2015/lessons-from-toshiba-when-corporate-scandals-implicate-internal-audit

[2] http://www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf

BINOD SHANKAR, CFA is the Managing Director of Genesis Institute, a leading UAE based financial training company which he co-founded.


Organizational maturity level is a key factor to consider prior to implementing an Enterprise Risk Management (ERM) program and is also critical in deciding on the best approach to positioning an ERM function within any organization. Organizational maturity level is important in planning a risk management roadmap and the ERM functional reporting structure, and helps in designing ERM implementation stages to embed risk management in business processes.

What are the Basic Requirements to Establish an ERM Function?

Having a separate ERM function is a decision that has to be taken by an organization’s Board of Directors (BoD)/business owners after careful assessment of the following organizational readiness factors:

• CORPORATE CULTURE AND TONE AT THE TOP

An organization’s BoD/business owners should have, at least, a basic understanding of risk management components and frameworks. They should believe in the importance of an ERM function and build a reasonable level of expectations regarding its roles and responsibilities.

In addition, an open communication culture is vital to identify and respond to internal and external risk exposures. An organization’s BoD/business owners have to realize the fact that in order for an ERM function to add value, high level of transparency, support and empowerment should be provided to the ERM team. The BoD/business owners should be prepared to accept change, new ideas and initiatives as a result of ERM program implementation.

The organizational culture should be in line with the ERM’s functional objectives in managing and mitigating business risks and promoting a strong internal control environment. This should be clear in the communications coming from the organization’s BoD/business owners to senior management and process owners.

• GOVERNANCE STRUCTURE AND RISK OVERSIGHT

Basic governance components have to be in place in order to achieve the intended objectives from establishing an ERM function. It is not possible to establish an effective ERM function without, at minimum, having the following components:

o A BoD or another committee that plays a similar governance role (e.g. a Management Committee). The governance committee has to be active in its risk oversight role through continuous monitoring and assessment of the internal control environment;

o Defined business objectives and strategic direction which will be translated and cascaded into departmental objectives;

o A clear reporting structure within the organization;

o Appropriate delegation of authorities, which empower middle management and process owners to make decisions on action plans and to become accountable for implementation of risk mitigation strategies; and

o Policies, procedures and systems that are in line with business objectives.

• FIRST LINE OF DEFENSE

The first line of defense is the front-line management/employees who, through exercising their roles and responsibilities, are able to manage business risks as part of their day to day activities.

It is clear that the organization cannot establish the second line of defense (the Risk Management function) without having competent management members/employees in place who bear direct responsibility for managing business risks.

Is Your Company Ready to Establish an Enterprise Risk Management Function?

BY EHAB R. SAIF, EDITED BY GAUTAM GANDHI

Risk Management


Ehab R. Saif, CMA, CIA, CFE is an Internal Audit Manager at a private holding company in Abu Dhabi.

ERM has to be supported by the first line of defense, which should bear the following responsibilities:

o Help ERM teams in defining risk capacity, appetite and tolerance for the organization based on their risk attitude;

o Support the ERM function in strategic risk identification and analysis;

o Identify and validate operational, financial and compliance risks, and give insights for risk analysis drawn from their operational experience;

o Communicate to the ERM team the existing controls and mitigating practices in place for the risks identified during the risk assessment process;

o Participate in designing risk action plans to mitigate risk exposures; and

o Take ownership over developed and agreed-upon Risk Registers to establish accountability and assign action plans’ execution responsibility.

The resources of the first line of defense do not need to be experts in risk management for the aforementioned ERM program steps to be implemented successfully. They are, however, required to have a basic understanding of risk management concepts and, most importantly, the business acumen and competency to interact with the ERM team and be an integral part of the ERM program’s success.

ERM Positioning and the Level of Organizational Maturity

The five organizational maturity stages, with a brief description of the main characteristics of each stage, are shown in the maturity-stages diagram.

The decision of when and how to establish an ERM function depends on the organizational maturity levels outlined in that diagram. The following structures are recommended for each level of organizational maturity:

• Chaotic: In this stage, the organization is not ready to adopt risk management practices due to weak governance and unclear reporting lines. Priority should be given to building the fundamental components of the corporate governance framework. An Internal Audit function might be established to provide assurance over the company’s operations.

• Fragmented: The focus of the organization should be on identifying gaps in corporate governance and improving internal policies and processes. Establishment of a “Risk Assessment” division, which is positioned under the umbrella of the Internal Audit function, would be helpful in risk identification and prioritization, ensuring that the correct direction is followed and available resources are appropriately optimized.

During this stage, the Internal Audit function should take the lead in establishing and running the risk assessment practices, considering its ability to justify the existence of such a division and taking into consideration the low level of organizational maturity.

• Defined and Integrated: A corporate governance framework is already in place with an acceptable level of delegation of authorities. The company is ready to establish an independent ERM function, reporting directly to the CEO. This reporting structure will give more flexibility to the ERM function in its risk advisory role, apart from Internal Audit independence considerations.

The organization’s BoD/Senior Management needs reliable advisors during those evolving stages to achieve the company’s objectives and reach an advanced organizational maturity level. The ERM function would be the best fit for this role through its ability to identify business risks and advise management on suitable risk mitigation plans.

• Optimized: Leading corporate governance practices are already implemented and a transparent and open culture is practiced. All governance committees are well established and the monitoring environment is activated. Risk management practices are embedded within business processes and a well-defined ethics and compliance program is adopted in the organization.

Due to the advanced organizational maturity level, the best reporting structure for the ERM function is to a Risk/Audit Committee.

The ERM function priority will be focusing on strategic risks and making sure that those risks are communicated to the responsible parties and proper risk mitigation plans are designed and practiced. This is due to the fact that the first line of defense is very capable and competent in managing business risks and it will be difficult for the ERM team to advise them in their core areas of expertise.

Conclusion

Based on what we discussed earlier, the decision to establish an ERM function should be justified and based on a detailed study of organizational maturity, with a reasonable level of expectations. Many organizations tend to establish ERM functions to satisfy regulatory requirements, generally in the absence of a solid business case. This results in the ERM function being classified as an unnecessary luxury, which will be the first department to be let go in case of any business downturn.

Organizational maturity stages (diagram):

1. Chaotic
• Governance practices are in very early stages or not established yet.
• Reporting structure and process flows are ad hoc.
• Centralized authorities with no delegation to middle management/process owners.

2. Fragmented
• Gaps in the Corporate Governance structure have been identified.
• Processes are dependent on individuals / lack of appropriate documentation.
• Basic governance framework is in place (e.g. BoD, basic documentation of Policies & Procedures).

3. Defined
• Established tone at the top and board committees.
• Documented and standardized processes.
• Acceptable level of authority delegation.

4. Integrated
• Proactive governance framework and corporate culture.
• High level risk oversight and active BoD/Audit Committee.

5. Optimized
• Leading Corporate Governance practices are implemented.
• Corporate culture is based on transparency, openness, empowerment of human capital and sharing of information.


Internal Controls

Football fans across the world have been stunned over the last year with news of arrests for alleged wrongdoing by officials from soccer’s global governing body, FIFA (Federation Internationale de Football Association). Allegations of “rampant, systemic, and deep-rooted corruption” along similar lines to FIFA will potentially have much longer-term negative consequences for entities, their leadership cohort, and the brand as a whole.

The FIFA scandal and others like it provide a catalyst for internal auditors to apply the ABC’s for assessing the strength of their entity’s baseline control arrangements - assurance arrangements, business ethics safeguards, and the compliance framework. Potential internal audit reviews and advisory activities summarised in Exhibit 1 are followed by more detailed commentary that provides deeper insights for internal auditors.

Assurance Arrangements

Internal auditors have an important role to play in evaluating assurance arrangements over a wide range of the entity’s activities, including financial, performance, compliance, system security, and due diligence.

Around 53% of Chief Audit Executives (CAEs) and directors in the Middle East and North Africa have implemented or are planning to implement a formal combined-assurance model, slightly higher than the global average of 49%, according to The IIA’s 2015 Global Pulse of Internal Audit – Embracing Opportunities in a Dynamic Environment report. This recognises, in part, that audit, risk and compliance specialists are increasingly expected to work together to interpret and report on the patterns emerging in their collective work.

Five elements of assurance to consider for your annual audit plan:

Evaluate control self assessment arrangements maintained by the entity to form an opinion on the reasonableness of the program coverage (completeness, breadth, timeliness, and integrity), individual reporting, program monitoring, high-level themes-based reporting to the audit committee, and overall value of the arrangements for the entity.

Assess the availability of a Chief Financial Officer (CFO) certification of controls over financial and related operations of the entity, which should include supporting representation sign-offs by management and by any significant outsourced service providers. Assess supporting documentary evidence, which could include internal control questionnaires prepared by management, and audit reports and certifications provided by outsourced service providers. Establish whether the audit committee is reviewing the certification arrangements. Evaluate any gaps in these sign-offs together with any ‘exceptions’ recorded by management which could represent ‘red flags’.

Utilise assurance mapping to identify, understand and evaluate the combined work of internal and external assurance providers across the ‘Three Lines of Defence’ and external audit. Consider emerging risk areas like cyber-security. Establish whether there is proper assurance coverage across key risk areas of the entity with no significant gaps and minimal duplication of effort.

Evaluate the entity’s overarching governance assurance arrangements, including integrity safeguards, stakeholder engagement, defining outcomes, determining interventions, capacity development, risk management, and transparency.

Assess the extent to which the entity has embraced combined assurance reporting, and any potential future opportunities to pursue this approach. Consider if there is an understanding of all assurance providers, awareness of what is being assured, nature of reporting with the entity’s discrete governance structures, alignment between assurance and high-level risk exposures, consolidated risk and assurance profile, and coordination of the reporting of assurance activities.

Exhibit 1 – Examples of Auditable Activities: The ABC’s for Assessing Baseline Control Arrangements

Potential Internal Audit Activities for each ABC baseline control, ordered by the maturity level of the Internal Audit function (Foundation → Positioning for Success → Mature Practice):

Assurance Arrangements: Control self assessment; Certification of controls; Assurance mapping; Governance assurance; Combined assurance reporting.

Business Ethics Safeguards: Staff code of ethics; Fraud control plan; Statement of business ethics; Conflicts of interest policy; Assessment of culture.

Compliance Framework: Compliance activities; Central regulatory coordination; Compliance committee meetings; Compliance governance; Compliance framework.

BY BRUCE TURNER AND JACQUELINE TURNER


Business Ethics Safeguards

It makes good business sense for an entity to behave with integrity and maintain proper mechanisms that enforce the ethical behaviour of its employees and service providers. A strong commitment to business ethics helps to minimise financial losses directly attributable to wrongdoing, recognising that about 5% of an entity’s revenues are typically lost to fraud each year (Report to the Nations on Occupational Fraud and Abuse, 2015 Global Fraud Study, Association of Certified Fraud Examiners).

External supplier costs represent one of the most significant lines of expenditure and can provide an opportunity for fraud and corruption. The International Federation of Accountants and the Chartered Institute of Public Finance and Accounting recognise that “an entity’s strong commitment to ethical values needs to be communicated to suppliers through a Statement of Business Ethics” (International Framework: Good Governance in the Public Sector, 2014).

Five areas of business ethics to evaluate in your entity:

Availability of an up-to-date values-based staff code of ethics that articulates the entity’s expectations of staff conduct and the sanctions that it applies for wrongdoing. Consider the robustness of reporting and whistleblower arrangements for alleged wrongdoing.

Availability of a fraud control plan that articulates your entity’s fraud risks, controls, and mitigation strategies, including significant business activities; potential areas of fraud risk; related fraud controls; gaps in control and assurance coverage; defined remedial actions to minimize fraud risks; and mechanisms for evaluating the effectiveness of fraud control strategies.

Adoption and dissemination of a statement of business ethics targeted at third parties that outlines both acceptable and unacceptable practices in third-party dealings with your entity. Common features include: Chief Executive Officer (CEO) commitment to operating ethically; values and business principles; third-party dealings and behaviours; guidance on bribery; benefits; conflicts; confidentiality; ethical communications; secondary employment; post-separation employment; and contacts.

Availability and effectiveness of a conflicts of interest policy. Evaluate whether key elements for managing conflicts have been established and are operating in practice within your entity and associated entities. These will typically cover both prevention and detection elements.

Undertake an assessment of culture, which is one of the recognised control layers together with systems and controls, and capability. In assessing culture, internal auditors have an opportunity - as a first step - to assess ‘soft controls’ as part of their audits, and then consolidate these findings with the outcomes of other work within the entity, such as the results of periodic staff engagement surveys, fraud control health checks, and the analysis of allegations of wrongdoing and the like. (The Internal Auditor – Middle East journal included an article on ‘Auditing Culture’ in its December 2014 edition).

Compliance Framework

Effective compliance programs ensure that entities are adhering to laws, regulations, standards, licenses, policies, plans, procedures, contracts, guidelines, specifications and other requirements relevant to their business. An entity’s reputation can be severely impacted when serious non-compliances occur and lead to punishment by the courts or regulatory authorities, such as prosecution, fines, or imprisonment of company officials. Approximately 87% of executives across the world believe that reputation risk is the most important strategic risk (according to Deloitte’s 2014 Global Survey of Reputation Risk).

Regulators have the right to independently validate that an entity in their jurisdiction is compliant with legislation and regulations by conducting documentary and/or onsite reviews of the entity’s policies, procedures, operations, activities, systems, premises and related information. The outcomes of the regulatory review might be reported publicly or to parliament.

Five compliance-related activities to consider for your annual audit plan:

Individual audits in the approved internal audit plan should consider discrete ‘at risk’ compliance activities at a micro level, including whether established controls over compliance risks are operating in practice in line with established policies and procedures. A high-level register should list all of the entity’s policies and procedures, approval dates, related legislation/regulations, accountabilities, and review dates.

Provide a central regulatory coordination point for the regulator’s review team for any high risk or high profile regulatory reviews. Then monitor the implementation of significant regulatory recommendations in the internal audit activity’s process for monitoring and reporting on the implementation of recommendations.

The CAE or a senior delegate should periodically attend key board or executive compliance committee meetings as an observer, and report significant insights to the audit committee. (Each of the compliance committee charters should contain suitable wording to preserve audit independence.)

Complete a high-level assessment of compliance governance to ensure adequate coverage of the entity’s respective licence conditions, legislative / regulatory obligations, and elements of its sustainability platform. Assess the entity’s related risk management arrangements, including compliance obligations and reporting.

A periodic high-level internal audit to assess the compliance framework at a macro level and how well the core elements are operating in practice. This will include how the entity identifies, creates awareness and promotes compliance; facilitates compliance to minimise risk of fines, prosecution, complaints, litigation and imprisonment; undertakes risk assessment and identifies strategies; establishes monitoring mechanisms; fosters continuous improvement; maintains a Compliance Register containing legislation, regulations, policies, standards; and compliance reporting arrangements.

Conclusion

It is increasingly important for internal auditors to anticipate the needs of their stakeholders if they are to play a leading role in the success of their entity. Boards and audit committees will increasingly value the independent insights delivered by internal auditors who apply a strategic and systematic approach to evaluating and reporting on the entity’s baseline control arrangements.

BRUCE TURNER, AM, CGAP, CRMA, CFE, CISA, PFIIA, FFin, FIPA, MAICD, FAIM is a company director and audit committee chairman in Australia.

JACQUELINE TURNER, B.L JS, GradCert-FraudInv, is a white collar crime senior analyst at a multi-national financial services institution in Australia.

Definitions

Assurance Services – An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the entity. (IPPF Glossary Excerpt)

Business Ethics – A means of ensuring that individuals working in organisations act in a positive way consistent with the rule of law and other principles underpinning market economies and democratic governance. (World Bank)

Combined Assurance – Aims to optimise the assurance coverage obtained from management, internal assurance providers, and external assurance providers on the risk areas affecting the entity. (King Code of Governance Principles, South Africa)

Compliance – Adherence to policies, plans, procedures, laws, regulations, contracts or other requirements. (IPPF Glossary)

Control – Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. (IPPF Glossary Excerpt)


Human Resources

Risks Affecting the Objectivity of Internal Auditors

PREPARED BY: SULEIMAN AL-SHOUHA, EDITED BY: AYMAN ABDELRAHIM

Objectivity, efficiency and due professional care are all significant factors in the successful work of any internal auditor. Yet the factor that most affects the effectiveness of internal auditing and the achievement of the required results is the objectivity of internal auditors. Objectivity is a basic characteristic and a cornerstone that should characterize any person who wants to be an internal auditor, and it complements the other cornerstone that affects the effectiveness of internal auditing, which is the independence of internal auditing. However, there are some risks that affect the objectivity of internal auditors and require both evaluation by the Chief Audit Executive and the development of appropriate means to reduce and handle them if they occur.

What are the risks that may limit the objectivity of internal auditors?

There are risks that affect the objectivity of internal auditors and have a great impact on the way internal auditors think. They may lead to bias in sample selection or may affect the judgments and interpretation of the results reached by internal auditors through their work. Only a few papers and studies have addressed the risks that affect the objectivity of internal auditors. Yet a rare study, issued by the Institute of Internal Auditors Research Foundation in 2003 and titled “Independence and Impartiality: A Framework - Opportunities for Research in Internal Auditing”, has discussed many risks that endanger internal auditors’ objectivity, which we, as internal auditors, need to be aware of, given their significance and our liability to be affected by them. The five most important risks that affect the objectivity of internal auditors are as follows:

1. Self-Review

Risks related to self-review are divided into two parts. The first part is risks resulting from an organization employee joining the internal auditing department and then carrying out auditing tasks on the activities he/she used to perform before in the organization. The second part is risks resulting from repeated auditing of the same activity by the same internal auditor within a short period; for example, within one year, the HR department activities were audited twice by the same internal auditor. Moreover, there are other risks that may affect objectivity in cases where an internal auditor provides consultations in a specific field and then performs auditing tasks in the same field, or in cases where auditing tasks are performed on works created according to the recommendations of the auditor who recommended their creation.

2. Relations and Personal Interests

Social relations in most Arab countries are mostly of a tribal and clannish nature. Therefore, an internal auditor may give preference to the interests of relatives, friends or co-workers over the interest of the work, and may thus turn a blind eye to some auditing results that could put him/her in embarrassing situations with them. Consequently, there are risks resulting from the desire of internal auditors to keep their personal relations unharmed. In some cases, an internal auditor may also have personal interests related to the aspect on which he/she audits. For example, he/she may own a company that deals with the organization in which he/she works, and then perform an auditing task whose scope includes some data related to his/her own company. Here, it must be said that internal auditing standards have explicitly provided for observing this aspect and avoiding conflicts of interest. Standard No. 1120 mentions that “internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.”

3. Social Pressures

Risks resulting from social pressures play a role in steering the thinking of internal auditors so that it is directed towards the thinking of the entity being audited, which is known as collective thinking. Here, social pressure placed by the administration and employees of the entity being audited plays a role in preventing the internal auditor from practicing professional skepticism or critical thinking. The definition of objectivity is quite clear in this regard; objectivity, according to the International Standards for the Professional Practice of Internal Auditing, is “an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.”

4. Trust and Intimacy

Trust and intimacy risks may affect the objectivity of internal auditors through proactive judgments issued by an internal auditor before reaching the results of a required examination. Furthermore, a relationship with the entity being audited, as well as the internal auditor’s knowledge and full awareness of all the issues related to the auditing subject matter, may render him/her overly sympathetic to the audited entity and lead him/her to issue proactive judgments as a result of that relationship. The historical information previously available to the internal auditor may play a significant role in reaching such judgments without reliance on the results of a required examination. He/she may select unrepresentative samples, or may disregard changes or events that need focus during auditing tasks.

5. Career Benefits

Risks related to career benefits may significantly affect the objectivity of internal auditors. They may occur as a result of pressures placed on an internal auditor when he/she is auditing the works of powerful authorities in the organization. Fear of making decisions that may have an impact on the continuity of the internal auditor’s employment in the organization or on his/her career development, or that may affect his/her salary, is a key factor in influencing the scope of auditing, the interpretation of the auditing results reached by the internal auditor, and his/her commitment to carry out the required auditing procedures and to select representative samples.

Dealing With Risks That Affect Objectivity

The Standards of Internal Auditing have set the minimum for how to deal with cases in which the objectivity of internal auditors is affected. Standard No. 1130, which relates to impairment to independence or objectivity, points out that the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment. Beyond this, risks that affect objectivity can be dealt with through the following proposed ways:

• Establishing procedures for disclosure and for dealing with any cases in which the objectivity of internal auditors is affected.

• Publishing a code of ethics for internal auditing that stresses the importance of internal auditors’ objectivity.

• Following a rotation method when performing repeated auditing tasks.

• Discussing the risks that may affect the objectivity of internal auditors during the planning of an auditing task.

• Adopting methods of sample definition and selection so that the samples selected by the auditing managers are reviewed.

• Creating supervisory levels during the performance of auditing tasks and depending on a team rather than on individuals.

• Constant training and raising awareness in the area of internal auditors’ objectivity.

• Developing a policy for accepting gifts and identifying standards for such acceptance.

Ultimately, risks that affect the objectivity of internal auditors have a great impact on the effectiveness and results of internal auditing. Thus, such risks must be dealt with seriously. The Chief Audit Executive must play a major role in periodically evaluating such risks and developing ways of reporting and addressing them if they occur.

References:

Independence and Objectivity: A Framework For Research opportunities in Internal Auditing https://na.theiia.org/iiarf/Public%20Documents/Chapter%207%20Independence%20and%20Objectivity%20A%20Framework%20for%20Research%20Opportunities%20in%20Internal%20Auditing.pdf

Suleiman Al-Shouha is an Internal Auditor in an international organization.

Manufacturing companies make substantial investments in plant, machinery and equipment. The investment decision requires assessment of business need, detailed requirements, production volume, the investment amount, source of funding and payback period.

Progressive enhancement of engineering and technology means equipment has become increasingly complex to maintain.

An important consideration for companies is getting the maximum return on investment from equipment. A strong maintenance program can help to achieve this.

BY LALIT DUA, EDITED BY ANDREW COX

Maintenance: the backbone of maximizing manufacturing investment

Fostering Fundamentals


Maintenance costs can be substantial and need to be approached in a cost-effective way, ensuring there is an effective maintenance program in place to maximise equipment usage and output.

Maintenance types

Various maintenance types are described below, though other terms may be used, for example operational maintenance, corrective maintenance or adaptive maintenance. For the purpose of this paper, the following maintenance types will be discussed:

Preventive maintenance – Pre-planned proactive maintenance where equipment in use is maintained before breakdown occurs. The engineering department plans a program of preventive maintenance in consultation with the production department. The aim is to lower the potential for breakdown to occur. A maintenance program is generally based on manufacturer recommendations or history of maintenance, including breakdown. Considerations will include prescribed maintenance requirements, previous maintenance, and breakdown and repair history.

Breakdown maintenance – Specific reactive maintenance initiated when a breakdown event occurs. A breakdown maintenance activity occurs when equipment in use fails in some way. It may happen without warning and have an adverse effect on production, requiring a co-ordinated approach by the production and engineering departments. Time is of the essence to minimise production outages and the potential for financial loss.

Shutdown maintenance – Maintenance that can only be performed when the plant, machinery and equipment has been put out of service. For example, this may occur in the oil and gas industry where it is risky or not possible to continue production at the same time as maintenance activities are performed.

Maintenance documentation

To provide real-time support, it is prudent for a company to have a well-defined operations manual of documented maintenance activities. The manual should define processes throughout the end-to-end operations lifecycle, including maintenance activities.

Maintenance records

It is essential for accurate maintenance records to be maintained and continually updated. Records may be hardcopy or electronic, and should contain information such as manufacturer recommended maintenance, history of breakdown and repair, and information on cost to maintain the equipment.

Maintenance sources

There are various options for maintaining equipment, including:

In-house – Maintenance is performed by an in-house workforce.

Original manufacturer – Regular maintenance of equipment is often performed by the manufacturer of the equipment. This is particularly the case where a manufacturer has specialist knowledge of the equipment that is not available in-house, or a manufacturer warranty is voided if anyone else maintains the equipment.

Service providers – Dedicated service providers with specialist skills may be a cost-effective alternative to growing in-house expertise in the maintenance of various equipment.

Decisions made on sources to maintain equipment will generally come down to who has the expertise required, and what is cost-effective.

Engineering department responsibilities

The engineering department should maintain details of:

• Suppliers, to ensure they are available when needed to provide parts and technical specialists.

• Critical spare parts, throughput, and current stock levels.

• Warranty records, to ensure manufacturers repair equipment at no cost where it is under warranty. Warranty should also extend to replacement parts.

• Equipment usage information, including uptime, downtime, maintenance and breakdown information, together with equipment cost history.

• The annual maintenance program.

• Deviations from scheduled maintenance activities, including the reasons for these and management approval.

Conclusion

Maintenance is an important activity in a manufacturing enterprise and should receive the attention it deserves. Poor maintenance programs may save money initially, but production outages and the resulting financial losses are likely to be higher and may threaten the ongoing viability of the company.

A sound maintenance program will provide management with assurance of:

• Conformance with the maintenance program of activities.

• Effective review activities to assure the quality of maintenance activities being performed.

• Performance measures (KPIs) to demonstrate that the maintenance program is achieving results.

Lalit Dua, ICAI, Vice President Internal Audit in a healthcare group, Dubai.
