SHAPING TALENTED AUDIT TEAMS - Internal Auditorinternalauditor.me/jomiz-ia/wp-content/uploads/2014/12/IA-Magazin… · SHAPING TALENTED AUDIT TEAMS INTERNAL AUDITOR MIDDLE EAST INSIGHTS

DECEMBER 2014 WWW.INTERNALAUDITOR.ME

SHAPING TALENTED AUDIT TEAMS

I N T E R N A L A U D I T O RM I D D L E E A S T

I N S I G H T S O N G O V E R N A N C E , R I S K M A N A G E M E N T A N D C O N T R O L

The top 10 innovative professional development programs for internal auditors

Using Feedback from Auditees to Enhance Internal Audit Performance

Global Developments that areChanging Internal Audit

A Look Into the Characteristics and Behaviors of the Typical Fraudster

INTERNAL AUDITOR - MIDDLE EAST 1 DECEMBER 2014

The Time for ResearchDear Readers,Over the past quarter, we’ve continued to see the Institute of Internal Auditors (IIA) Research Foundation release various insightful reports on the internal auditing profession globally. Similarly, we’ve seen new reports being released by local IIA institutes such as the UK’s Chartered Institute of Internal Auditors, the IIA Netherlands and others. All of these professional bodies have been working on researching topics important to internal auditors so that they can embody the IIA’s motto of “Progress Through Sharing”. The UAE Internal Audit Association (UAE-IAA) is no different. Over the course of a short period of time, we have successfully translated to Arabic the Certified Internal Auditor Study Materials & Exam, Sawyer’s Guide for Internal Auditors (6th Edition) and we are working on translating the 2013 COSO Internal Control – Integrated Framework. These efforts have made such publications more accessible to internal auditors in our region, and now the time has come to develop our own thought leadership through 2 major initiatives: 1. Risk Management Practices and the Role of Internal Audit: This study, which is well under way, will produce original research relating to non-financial institutions in the UAE. We’ve assembled a dynamic team consisting of both academics and internal audit practitioners who will reveal the results of this study in our 16th Annual Regional Audit Conference which will be held in early 2015. 2. Global Internal Audit Common Body of Knowledge (CBOK): This is the centerpiece of ongoing research efforts conducted by the IIA Research Foundation. As part of CBOK, the IIA will be conducting its 2015 Practitioner Survey covering over 100 countries. In addition to the global results, we will use the data collected from this survey to produce UAE specific insights. These efforts would not be possible had it not been for the support of our strategic partners, members and volunteers who work tirelessly to promote the internal audit profession. We ask all our members actively support our research efforts as we can only succeed with their cooperation and participation. On a final note, I am pleased to announce that thanks to the efforts of volunteers from the Editorial Advisory Committee, we have completely revamped the website of Internal Auditor – Middle East to a site we hope you will all be proud of. Please visit www.internalauditor.me and share your feedback with us. I wish you all a very happy and prosperous 2015.

Sincerely,

Abdulqader Obaid AliPresident

From The President

ACCELUS AUDIT MANAGERInternal audit is being asked to evolve beyond the “third line of de-fense” or ticking regulatory boxes. Boards and senior management now value the insight and analysis that a strong audit function can deliver. Accelus Audit Manager can help:

• Liberate audit teams from manual tasks• Enrich your dialogue with the business• Drive enhancement of audit quality• Deepen engagement with your board audit committee• Contribute to business operational excellence

For more information on Accelus Audit Manager please visit:http://accelus.thomsonreuters.com/

© 2014 Thomson Reuters. All rights reserved.

REACH NEW INTERNAL AUDIT HEIGHTSCONNECT | SIMPLIFY | PERFORM


I N T E R N A L A U D I T O RM I D D L E E A S T DECEMBER 2014 WWW.INTERNALAUDITOR.ME

F E A T U R E S

D E P A R T M E N T S

16 COVER STORY: Shaping Talented Audit Teams Innovative ways to improve the skills of your internal audit team and increase their business acumen. BY BRUCE TURNER & JACQUELINE TURNER

20 Auditee Feedback Internal auditors can use positive and honest feedback at various stages in the audit process to improve their per-formance. BY LALIT DUA

4 Reader Feedback

5 Knowledge Update New Reports from IIA UK and Netherlands; Data Analytics; Risk Management Guidance for Boards; Business Continuity Management. BY VISHAL THAKKAR

8 UAE-IAA Events

10 Governance Perspectives A healthy corporate culture is essential to good corporate governance and therefore it should be audited. BY ROBERT NOYE-ALLEN & KAMI NUTTALL

12 Conversations with Colleagues Harsh Mohan talks about the important role of internal auditing in risk management. BY FARAH ARAJ

26 Inside the Mind of a Fraudster What characteristics and behaviors does the typical fraudster display? Recent surveys and studies can help shed light on this. BY ROBIN SINGH

15 Human Resources Five characteristics of a successful chief audit executive. BY AYMAN ABDELRAHIM

29 Risk Management Having proper controls around construction projects provides better information and increases the chances of success. BY KETAN BHOOLA

22 Board & C-Suite Driven Assurance: The Dawn of a New Era Recent developments in governance and regulation will have a profound impact on internal audit approaches. BY TIM J. LEECH

DECEMBER 20144 INTERNAL AUDITOR - MIDDLE EAST

U A E I N T E R N A L AU D I T A S S O C I AT I O N

B O A R D O F G O V E R N O R SAhmed A l Ansar i ; Kha l id A l Ha l yan ; Mohamed A l Har th i , MBA, CRMA; Abdu lqader Oba id A l i , CRMA, CFE, Q IAL ; Naseeba A l ra i s , MSC; Ayesha B in Loo tah , MBA; Nae ima Mohammed A l Menha l i , MSC, CRMA; A l i A l Muwa i je i MAFB, MFA,CRMA, CT31000; Nah la A l Qass imi , Ph .D. , CRMA, CCP, CCA

E X E C U T I V E C O M M I T T E ERaza Abdu l la ; Abdu l rahman A l Hareb ; Ar indam De, MBA, CFA, Q IAL ; Kar l Hendr icks , C IA , CCSA, CQA; Rus tom S. K re id l y, CPA, CRMA; Karem Obe id Fad i S idan i , CPA, MS; Rab i Yousse f , CPA; Adnan Za id i , CRMA, ACA, MBA, CCSA, C IA , CFE, C IPFA

G E N E R A L M A N AG E RSamia A l Yousu f

T E A MAisha Akhta r ; Yasmine Abd E l Az i z ; Bassam E l Baghdad i ; Lo rna Mungka l ; Yousse f Musta fa ; A i l een Pe lag io

Reader Feedback

I N T E R N A L A U D I T O RM I D D L E E A S T

UAE Internal Audit Associationan IIA Global affi l iate

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

P R E S I D E N TAbdu lqader Oba id A l i

E D I T O RFarah Ara j (Ac t ing )

E D I T O R I A L A D V I S O R Y C O M M I T T E E Asem A l Naser, CPA, C IA , Q IAL ; Fa rah Ara j , CPA, C IA , CFE, Q IAL ; Ma jed Bukhashem; Andrew Cox , MBA, MEC, CF I IA , C IA , C ISA, CFE, CGAP, MRMIA; Raymond He laye l , CPA, C IA ; Meenaksh i Razdan, CA, CPA C IA , CFE; Hossam Samy, CRMA, CFE, CPA, CGA; Nagesh Sur yanarayana , MBA, C IA ,CCSA; James Tebbs , CA; V isha l Thakkar, ACA, C IA ; I ssam Zagh lou l , MSc, C ISA, C ISSP, CGE IT

A R A B I C R E V I E W T E A MAyman Abde l rah im, MQM, C IA , CCSA, CFE; Kha l id M. A lodha ib i , SOCPA; Qa is Hamdan, C ISA, C ISM, PMP; Wa leed Swe imeh

DECEMBER 2014VOLUME 2014: 4

C O N TAC T I N F O R M AT I O N

A D V E R T I S I N G & A D M I N I S T R AT I O NYasmine Abd E l Az i z yasmeen@i iauae .o rg Te l : +971 4 433 9082

E D I T O R I A L Farah Ara j ed i to r@in te rna laud i to r.meTe l : +971 50 850 1780

D E S I G N & P R I N T I N G Gi r i sh MehtaAdventure G loba l g i r i sh@adventure-g loba l .comTe l : + 971 4 393 7696

A R A B I C T R A N S L AT I O N & L AYO U THossam Sami rE laph Trans la t ion hossam@elapht rans la t ion .comTe l : +971 4 331 0332

G U I D E L I N E S F O R AU T H O R Swww. in te rna laud i to r.me

D I S C L A I M E R SI n te rna l Aud i to r – Midd le Eas t i s in tended on l y f o r members o f the Ins t i tu te o f In te rna l Aud i to rs in the Midd le Eas t and as such i t i s no t in tended to be so ld o r re-so ld by any par t y.

The v iews expressed in I n te rna l Aud i to r – Midd le Eas t a re so le l y those o f the au thors , and do no t necessar i l y represen t the v iews o f the UAE- IAA o r the au thors ’ respec t i ve employers .

I n te rna l Aud i to r – Midd le Eas t i s a peer- rev iewed magaz ine and does no t ve r i f y the o r ig ina l i t y o f the con ten t submi t ted by the au thors .

I n te rna l Aud i to r – Midd le Eas t i s pub l i shed quar te r l y by the UAE In te rna l Aud i t Assoc ia t ion (UAE- IAA) , 8 th F loo r, Bu i ld ing 4 , The Ga l le r ies , Downtown Jebe l A l i , Duba i , P.O. Box 90919, Un i ted Arab Emi ra tes

C O M P L I M E N TA R Y T R A N S L AT I O N P R O V I D E D B Y:

Disagreements on Information Technology Strategy

The article Information Technology Strategy (Sept 2014) was a very interesting read and in particular because it reflected the views of a Chief Information Officer. However, I did not agree with his recommendation for internal auditors to

“be cautious” and avoid commenting on the strategies selected by management. Since internal audit should determine the effectiveness of the IT strategy, therefore we do need to question and understand the business case for the various IT initiatives and how they map to the enterprise objectives. For us to be seen as partners, we do need to raise risks we identify in various initiatives undertaken by management and not just raise risks relating to the strategic planning process. Very often I find that business cases developed are not fully justified and mislead management to making the wrong decisions.

Nada Al ChalabiSenior Audit Manager – Information SystemsDubai, UAE

Enjoyed the Information Technology Special Issue

I read with interest the articles published in the IT Special Issue (Sept 2014) of Internal Auditor - Middle East magazine.

I applaud the clarity with which articles were written; they have a good amount of interesting material without being too long winded or full of jargon. I especially liked the conversation with Deloitte’s leadership team (Tariq Ajmal and Fadi Sidani) and GRC by Satish Yadav. I agree with Tariq and Fadi on the fact that technology is changing the internal audit profession and that the future focus should be on data analytics and cybersecurity. I also like Statish’s view how GRC technology is the way to improve and streamline risk management efforts. However, I would have liked to see insights on top IT risks relating to ERP technologies like SAP and Oracle. This is because not all companies in the UAE have even implemented full-fledged ERPs and may are in still in their early stages. Going forward, I would like to see more IT related articles in the magazine on a recurring basis as IT is an integral part of an effective internal audit process.

Rahul VaidIT AuditorAbu Dhabi, UAE


of security incidents are carried out by current

employees of a company Source: PwC’s Global State of Information

Security® Survey 2015http://www.pwc.com/us/en/cfodirect/

issues/cyber-security/global-information-security-survey-2015.jhtml

Knowledge Update

42.8 million…is the total number of

security incidents detected in 2014

BY V ISHAL THAKKAR

The IIA UK’s 2nd Annual Survey of Heads of Internal Audit The Chartered Institute of Internal Auditors (IIA UK) has released its “Governance and Risk Report 2014” which discusses internal audit’s perspective on the management of risk. As part of this annual survey, the IIA UK obtained the views of 247 Heads of Internal Audit from the UK and Ireland. The report provides insight on:

• Riskmaturity.• Toprisksinternalauditorsarefocusingon.• Reportingrelationshipsofinternalaudit.• Thecompetenciesthatinternalauditneedtofunctioneffectively.

Over the past year, there has been a marked increase (from 68% to 82%) in the number of heads of internal audit reporting functionally to the chair of the audit committee which is results in an increase in internal audit effectiveness. However, there was little change in the amount of respondents (57%) who felt the level of risk maturity in their company was well established.

In terms of the skills needed by internal auditors, the top 3 skills identified by respondents were 1) Communication Skills, 2) Problem Identification and Solution Skills and 3) Knowledge of Industry, Regulatory, and Standards Changes. The report also covered quality assurance and the results show that over 60% of respondents had an External Quality Assessment carried out by an independent party in the past 5 years. This figure rose to 75% in the financial services sector.

https://www.iia.org.uk/policy/wwwiiaorgukgovandrisk2014/

Combining Internal Audit and the Second Line of DefenseThe IIA Netherlands published a report titled “Combining Internal Audit and Second Line of Defense Functions?”. The report discusses the pros and cons of combining internal audit and second line of defense functions. The main question the report tried to answer is whether the Internal Audit Function can work independently and objectively while providing support to areas such as risk management, compliance and internal controls.

The main conclusion from the research and round tables conducted was that combining internal audit and second line of defense functions is not the preferred solution considering the Three Lines of Defense model and the as well as safeguarding the auditor’s independence and objectivity as advocated by the Institute of Internal Auditors.

The report also covered the basic conditions and safeguards which should exist when combining internal audit and second line of defense functions:

• Internalauditshouldnotmakemanagerialdecisions.• Internalaudit’sroleshouldbeformalizedintheinternalauditcharter.• Segregatethepersonscarryingoutsuchresponsibilitiesfromthecore internal audit team.

http://iia.nl/actualiteit/nieuws?newsId=1613

87% of executives believe

reputation risk is the most important

strategic riskSource: Deloitte’s 2014 Global Survey on

Reputation Riskhttp://www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/

reputation-at-risk.html

35%


New Practice Guide on Business Continuity Management

EY Report on How Internal Audit Can Add Value with Data Analytics

New Guidance for UK Listed CompaniesLast quarter the Financial Reporting Council released new guidance for Risk Management, Internal Control and Related Financial and Business Reporting. This guidance integrates and replaces “Internal Control: Guidance to Directors” (formerly known as the Turnbull Guidance) and reflects changes made to the UK Corporate Governance Code.This guidance focuses on elements of best practice for risk management and defines the responsibilities of the board which include:

The Institute of Internal Auditors (IIA) has released a new practice guide demonstrating how the internal audit function can help businesses keep running in the event of a cyber attack or a natural disaster. The practice guide shows how internal auditors can provide assistance in business continuity management. The IIA noted that internal audit functions typically have the skills, qualifications and in-depth knowledge of the organization to help develop, implement and evaluate the effectiveness of such plans.The goal of business continuity management is to restore critical operations, manage communications and minimize financial and other effects of disaster. According to the new practice guide, a good crisis management plan is like a company insurance policy - it helps to ensure that the organization remains viable and meets stakeholder expectations.IIA members can download the practice guide for free by visiting: https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Business-Continuity-Management-Practice-Guide.aspx

Knowledge Update

• Designandimplementationof appropriate risk and control systems which allows for a robust assessment of major risks.• Determiningthecompany’srisk appetite. • Fosteringanappropriatecultureand reward system.• Agreeingonhowtomanagemajorrisks.• Monitoringandreviewingrisk management and internal control systems. One of the unique considerations

Big data is fundamentally changing the way the enterprise operates, and Internal Audit (IA) can’t afford to be left behind. This is the main theme of a publication released by EY titled “Harnessing the Power of Data” which discusses how internal audit can embed data analytics into its processes in order to deliver more value to the business.EY stresses the fact that building analytics capabilities is a journey that will take significant time and effort and defines 3 stages of analytics: 1. Descriptive Analytics: This relates to reporting on and understanding what has already happened whether in real time or after the fact. 2. Predictive Analytics: Understands the relationships between input and output to predict what will happen in a given scenario. 3. Prescriptive Analytics: This is the most advanced stage and is designed to determine which decision or action will produce the most effective results. Internal audit can maximize its ability to monitor key risks through timely identification of high-risk journal entries, early identification of potential accounting surprises and continuous auditing of all transactions flowing through the general ledger. Further, and using the example of vendors, data analytics is not just about routine business information (e.g. amount sold, average price) and goes down to lower level, higher-volume data (e.g. line item detail for purchase orders and invoices). Such detail allows internal audit to use data analytics in its annual risk assessment, in its regular audits as well as for special projects.

http://www.ey.com/GL/en/Services/Advisory/EY-internal-audit-harnessing-the-power-of-analytics

recommended for board members involves, determining the culture the board “wishes to embed in the company, and whether this has been achieved”. This involves communicating the desired values to management and considering whether the leadership style of the company undermines the risk management and internal control systems.

https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Guidance-on-Risk-Management,-Internal-Control-and.pdf

Copyright © 2014 Wolters Kluwer Financial Services, Inc.

All Rights Reserved. 3642

TeamMate®

AnalyticsData analysis for every auditIntegrates with TeamMate Audit Management System and available for standalone use

Learn more at TeamMateSolutions.com/Analyticsor call +44 207 981 0556

Analytics advert ME 276 x 204.indd 1 05/11/2014 15:13:21

Copyright © 2014 Wolters Kluwer Financial Services, Inc.

All Rights Reserved. 3642

TeamMate®

AnalyticsData analysis for every auditIntegrates with TeamMate Audit Management System and available for standalone use

Learn more at TeamMateSolutions.com/Analyticsor call +44 207 981 0556

Analytics advert ME 276 x 204.indd 1 05/11/2014 15:13:21


UAE-IAA Events

The UAE Internal Audit Association Construction Subgroup held its first Business Event, which was hosted by the UAE Society of Engi-neers, in Dubai on 23 September 2014. The event was attended by Abdulqader Obaid Ali along with with Syed Imtiaz (Chairman of the Construction Subgroup) and Hakim Lalipurwala (Vice Chairman Construction Subgroup) who discussed areas of mutual cooperation with Maged Farouk Hanna, General Manager of the UAE Society of Engineers.

In addition, Mike Lewis (Head of Internal Audit at Abu Dhabi Airports) and Mr. Matt Irvin (Senior Project Manager) delivered a pres-entation titled “Risks in Supply Chain Management in Mega Construction Projects”. The presentation highlighted the mechanisms used by Risk Management and Internal Audit to manage and mitigate the various risks faced in a mega construction project. The speakers informed the participants about the Three Lines of Defense framework to help improve overall effectiveness of risk management and internal audit.

The UAE Internal Audit Association’s Hospitality Subgroup held its first meeting on 15 October 2014 at Abu Dhabi National Exhibitions Company. The session was well attended and led by the Hospitality Subgroup Chairman, Aldrin Sequeira, who is currently the Chief Internal Audit Officer for the Jumeirah Group.

The session also had 2 interesting specialist presentations. The first of which was a presentation by Deloitte led jointly by Grant Salt-er (Director- Head of Travel, Hospitality and Leisure Advisory) and Hossam Samy (Principal - Enterprise Risk Services) discussing “Hospitality: Middle Eastern Trends, Challenges, and how the Internal Audit Profession can Support the Growth”. This was followed by an interactive session by Protiviti on “Corporate Governance” in the hospitality sector led by Nagesh Suryanarayana (Director - Internal Audit and Risk Advisory Services).

“Organizations are now trying to align their corporate governance frameworks in line with leading practices globally and local regulatory mandate. Some key examples include, establishing internal audit functions, risk management frameworks, board evaluation matrices, establishing board sub-committees, enhancing reporting and disclosures frameworks,” explained Nagesh.

Construction Subgroup Meeting

Launch of the Hospitality Subgroup

BY SAMIA AL YOUSUF

© 2014 KPMG, KPMG LLP and KPMG Lower Gulf Limited, registered in the UAE and member firms of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (”KPMG International”), a Swiss entity. All rights reserved. Printed in the United

Arab Emirates. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International.

KPMG is a global network of professional firms providing Audit, Tax and Advisory services. We have

more than 155,000 outstanding professional working together to deliver value in 155 countries worldwide.

KPMG’s Internal Audit Risk & Compliance Services (IARCS) deploys multidisciplinary teams of professionals

experienced in financial and operational internal audit, governance, compliance, and risk assessment to

augment and enhance an organizations’ existing internal audit capabilities.

Contact Details for IARCS UAE

Karl Hendricks, Partner [email protected]

+971 442 489 86+971 505 043 129

Sudhir Arvind, [email protected]

+971 240 148 33+971 502 380 378

Harikrishnan J, [email protected]

+971 442 489 21+971 502 402 559


Governance Perspectives

BY ROBERT NOYE-ALLEN AND KAMI NUTTALL

Auditing Culture

Internal auditing is an evolving discipline, not least due to changing business environments and stakeholder priorities. In 2014, auditing culture has emerged as a new area of focus – a

response to growing awareness that hard controls aren’t the only ones that matter. Soft controls that stem from a company’s culture are also vital for good governance.

Corporate culture is not only about the values an organisation espouses, but also how the organisation lives them. The desired values need to be communicated, embedded and monitored. The extent to which these values are being applied is a legitimate sub-ject for internal audit reporting, although there are challenges in applying this philosophy.

Guidance recently issued on the subject by the Chartered Institute of Internal Auditors in the UK and Ireland, recognises that ‘audit-ing indicators of culture is complex…internal auditors need to be comfortable in their understanding of culture and risk culture’.

Chief Audit Executives should ask themselves: can we really offer adequate assurance on the effectiveness of our organisation’s gov-ernance, risk and controls if we haven’t given any consideration to the culture and risk culture of our organisation?

If there is any doubt about the importance of assessing the ap-plication of stated values, consider Enron and its stated values of community, respect, integrity and excellence. But where is it now? Examples from elsewhere around the world (Lehman Brothers, AIG, and Nortel) also indicate there is a powerful link between poor culture and performance, and ultimately corporate failure.

Cultural indicators are not always easy to recognise and rely on

interpretation. In the case of Lehman Brothers, for example, their risk appetite could be interpreted as being high, and they seeming-ly ignored the signs that suggested that the subprime market was experiencing a high number of defaults. Executives were still paid highly despite company underperformance. Decisions were taken to hide some of the company’s liabilities resulting in a misstate-ment in the balance sheet. The company’s culture was tied to risk taking behaviours and a poor control environment.

On the other hand, good culture does seem to support good per-formance. The success of global brands such as Apple and Google could be attributed in part to their powerful cultures that bind people together and set the tone for high performance.

Internal auditors are primed to understand their organisation’s control environment, in line with COSO 2013. However, that control environment needs to be considered in the context of both hard and soft controls. The challenge for internal auditors is that assessing the effectiveness of soft controls is very different to assessing the effectiveness of hard controls.

A useful starting point is to consider what we mean by soft con-trols. They include:

• Commitmenttoethicsandintegrity;• Attitudestorisktaking;• Boardoversightofperformanceandinternalcontrol;• Accountabilities,responsibilitiesandstructures;• Reportinglines;and• Recruitmentpractices–acommitmenttoattracttheright people in line with the organisation’s objectives and values.

Can internal auditors really give adequate

assurance on corporate governance without

auditing corporate culture?


Recommendations for auditing culture • Considerwhatkindofculturetheorganisation champions, and how this is measured across operations. For example, does your company have stated values and what type of indicators exist for measuring that employees are living the values? Does your organisation use staff surveys to understand employee attitude and behaviours? Does your senior management team listen to employees and take action when necessary? Do they operate an open or closed door environment?

• Ensurecorporatecultureisconsideredwithinyour organisation’s risk management framework. Who owns it? For example, what does your risk management policy say about risk culture? What kind of risk culture does the company promote and how does it compare to reality? Does the company’s risk taking activities match its risk appetite and stated policies?

• Whenitcomestodevelopingtheinternalauditstrategy and annual plans, agree with your board and executive team what culture means to the organisation and a form of reporting on softer issues to maintain confidentiality and sensitivity. Ensure your audit and risk universe incorporates culture as a viable audit entity or as a theme which cuts across all audits. Ensure internal audit plans are designed to seek evidence of softer controls such as leadership, ethics and values. This will require judgement based on sound knowledge. The Chartered Institute of Internal Auditors talks about using ‘gut instinct’ when forming a view.

• TheCOSOframeworkprovidesagoodbasisfor evaluating a company’s control environment, and ascer- taining what kind of control culture exists. For example, are decisions decentralised or centralised? What tone is set by the Board? Is there a good relationship between the Board and the Executive? What kind of reward and

TO COMMENT on the article,EMAIL the author at [email protected]

Governance Perspectives

retention packages does the company offer, and is it linked to performance?

• Rememberthathardcontrolissuesareindicatorsofsoft control weaknesses. For example, consider the frequency with which controls are overridden, as this could be an indicator of managers who are interested in outputs at any cost. Also, consider the effectiveness of communications, what is the company telling employees? Is information transparent or secret? Are auditors evaluating final reports for evidence or indication of culture related issues?

• Considerthebroadermessagesandnotjustthe symptoms derived from individual audits. If material weaknesses have been identified, root cause analysis (e.g. asking the question ‘why?’ 5 times) will help identify the reasons why an issue has occurred, and whether there is an underlying problem that is linked to corporate culture and values.

• Commentoncorporateculture(informedbyyour consideration of soft controls) in your annual assurance to the business. This could be through a reflection of whether audit confirms or validates that corporate values are lived. This could be a result of an evaluation of all final audit reports issued during the year. Consider the processes management has in place for engaging with staff, and ensure these processes are two-way/ reciprocal.

• Supportyourexperiencedauditorsandencouragethemto ask questions that address cultural issues and soft controls.

• Ensureyourinternalauditteamhasthenecessarytraining and interpersonal skills to pick up on and understand indicators of cultural issues. Ask yourself who is the most appropriate individual to conduct a review of culture.

• Alwaysauditwithyourheadup–beawareofwhatis going on around you.

Traditionally internal auditors are wary of providing subjective judgement, we are hardwired to believe that professional judge-ment should underpin opinions. Auditing soft controls and organ-isational culture requires a certain attitude of mind and awareness. It requires an understanding of the iceberg effect: what is hidden from view may be of greater potential impact than what is visible. It also needs the capacity to put individual audit pieces together to form the bigger picture: local reports and recommendations need to be considered from an organisation-wide perspective to see if any patterns emerge. Many internal auditors are exploring ways in which to encompass culture within their opinions.

This sounds challenging – and it is. Auditing culture is not necessarily about people, but about behaviours, attitudes and, fundamentally, values. Nevertheless, it is a challenge that internal auditors need to accept if they are to provide the more rounded assurance on governance, risk and controls that their stakeholders require of them. Corporate culture is an emerging agenda item, being pushed by regulators and stakeholders. It can no longer be ignored. It is a key part of every company’s second line of defence.

ROBERT NOYE-ALLEN is a Partner in Moore Stephens LLP.

KAMI NUTTALL is the Head of the Centre of Excellence in the Governance, Risk & Assurance Group of Moore Stephens LLP.


Conversations with Colleagues

BY FARAH ARAJ

Etihad Airways’ Senior Vice President of Audit, Compliance and Risk shares his

experience on the role of Internal Audit in risk

management

Harsh Mohan

In an exclusive interview, Internal Auditor - Middle East spoke to Harsh Mohan, CPA, CA, who joined Etihad

Airways (Etihad) in 2011 and is now the Senior Vice President of Audit, Compliance and Risk. He started his career over 31 years ago in internal audit and used the experience gained to successfully work across various functions in the airline industry including finance, procurement, risk management and strategic cost

management. Before joining Etihad, he was the Auditor General and Senior Director of Business Transformation at Air Canada. Harsh is an active supporter of the UAE Internal Audit Association (UAE-IAA) and a prominent speaker on the topic of risk management.

Internal Auditor - Middle East met with Harsh Mohan at the Etihad Airways Head Office in Abu Dhabi.


additional capacity in the new Midfield Terminal. As Internal Audit, we will look at the controls in place to mitigate this strategic risk. In other words, what action is being taken by management to mitigate capacity constraints? This could include audits of project oversight, baggage handling, customer services etc. I also sit as an observer on the Midfield Terminal project committee to understand how management is addressing the capacity strategic objective.

What about Internal Audit’s role in providing insight on emerging risks? Risk management is an ever evolving process! Take for example the CEB’s (Audit Plan Hot Spots - https://www.executiveboard.com) views on the top risks from 2010 – 2014. You will notice that the top risks have changed over the past five years. Now one of the major emerging risks is cybersecurity. When carrying out our assessment of risk, we need to focus on such areas and ensure that management and the Board are made aware of them.

Some chief audit executives may not be providing advice or assurance on risk management. What are your thoughts on this? As the needs of the business evolve, there will be a need for Internal Audit to evolve to support the business. Internal Audit has the skills required to support the risk management process and add value to the business. By focusing on risk, Internal Audit will be included in management discussions and committees and this will elevate its status because of our knowledge of the business. If Internal Audit does not step in, some else will and that department or person will go far ahead of Internal Audit. Chief Audit Executives who do not play a role in risk management face a high risk of becoming obsolete.

Interview

How important is risk management to Etihad? (Smiling) Our business is managing risk. I want you to think of a metal cylinder which is 70 meters long, has 400 people, with engines operating at temperatures around 1,000 degrees Celsius, packed with 100,000 liters of fuel and travelling at a speed of over 800 km/h. This is, very simply put, what an airplane is. But the passengers are reclining, watching videos, listening to music and are completely comfortable. This is what risk management is all about; taking an inherently high risk such as safety and managing it to a residually low level.

What role does Internal Audit take with respect to risk management at Etihad? At the start of every internal audit plan, we carry out a thorough risk assessment, and based on inherent and residual risks, we formulate the internal audit plan. Doing proper risk assessments is a complex task which requires deep knowledge of the business. It also requires a high level of independence to report on major risks in a fair manner and for these risks to be acknowledged by management. Internal Audit has a solid understanding of the business and is sufficiently independent of management. It therefore makes sense to use the risk assessment carried out by Internal Audit as the basis for the company’s enterprise risk management framework. In most non-financial services institutions, having a separate function carry out this role would be a waste of resources. So we send the risk assessment results to senior management so they can identify existing or required controls that will manage a particular risk within the company’s risk appetite. So management identifies the existing or required controls, and we, at the time of our audit, assess the risk and audit the controls in place. Internal Audit at Etihad Airways validates the risks that the company is facing and assesses the effectiveness of the controls put in place to mitigate those risks.

Does this approach impair your department’s independence? No. We do not own the risk mitigation process. The assessment of risk and corresponding facilitation sessions with management are the roles performed by Internal Audit. As my title suggests, we deal with risk and not risk management, differentiating between the two. We make a clear distinction between our role and management’s responsibility to manage risks. Our approach is based on the IIA

position paper on Internal Audit’s role in Risk Management and each stakeholder’s role in the Risk Management process is clearly defined.Also to give more comfort to our Board and regulators, we have a separate team within the department which carries out the risk assessment and facilitation sessions. This team reports through me to the full Board. This process of reporting to the Board makes the risk management process more effective.

How is Internal Audit able to assess and provide assurance on risks to strategic objectives? Every risk management framework refers to risk as something which impedes the achievement of your objectives. We start our strategy by defining our top strategic objectives and cascading them downwards to the business units and individual departments. When we assess risk, we look at objectives from all three layers, and this way, it focuses on adding value to what really matters to the business. For example, one of our strategic risks is the capacity of Abu Dhabi Airport to support our growth. We are expecting to transport 50 million passengers in the coming years. So Etihad worked with Abu Dhabi Airports Company to expand the airport to Terminal 3 and is now adding


“The company which manages its risk the best is the one which succeeds”

You’re successful, respected, and committed. What does it take to get to the next level?

The QIAL identifies, assesses, and develops core skills linked to audit leadership success. It caters to CIAs and CAEs who are already strong performers and have the potential for greater leadership.

Registration is now open. Start your leadership journey TODAY at globaliia.org/QIAL.

www.globaliia.org/QIAL

141526

BUILDING THE LEADERS OF TOMORROW, TODAY.


Characteristics of a Successful Chief Audit Executive

Human Resources TO COMMENT on the article,EMAIL the author at [email protected]

The increasing complexity of companies, combined with the impact of today’s global economy, has resulted in a variety of new business risks and challenges. To help in responding to these new risks and challenge, it is essential for a company to have a highly skilled Chief Audit Executive (CAE). This CAE must possess several core characteristics which will allow him or her to be successful. One clue to these characteristics can be found in the meaning of the word “Audit”, derived from the Latin word “audire” which means “to hear”. Successful CAEs hear what is happening within a company and also hear to what stakeholders have to say. Therefore, a successful CAE is one who is not only technically solid, but also has appropriate behavioral characteristics. The mix of essential characterizes that should be found in a CAE is as follows:

1. Strategic ThinkingCAE plays an important role in providing assurance whether the organization has the ability to achieve its objectives or not. This means that a CAE should understand the company’s business and how he work together with top management to achieve a company’s strategy in order to and help guide the organization in the right direction.

2. Mastery of Risk The CAE needs to establish risk-based internal audit plans to ensure that the priorities of the internal audit activity are consistent with the company’s goals. Accordingly, it is necessary to have a high sense of risk awareness and how the organization manages its risks; CAE should

BY AYMAN ABDELRAHIM ED ITED BY MEENAKSHI RAZDAN

be also be aware of any emerging risks and understand the impact of changes in the industry or the external environment.

3. Leadership AbilityThe CAE should have strong leadership skills which are demonstrated even beyond the internal audit department. The CAE should inspire, motivate, challenge the auditors to take greater ownership for their work. Empowerment is important to achieve high performance, without empowerment internal auditors cannot own their work and take responsibility for their results. Also, the CAE should have the ability to create new leaders for the organization; those leaders can drive the future of the organization.

The CAE can play significant role in driving the change in the organization and can be effective champion for innovation, by providing improvements in strategy and through the promotion of innovation and awareness of emerging opportunities and risks. The competencies for critical thinking, innovation and improvement are very important for CAE to succeed.

4. Effective CommunicationListening to stakeholders and understanding their needs and concerns is vital for CAE role. Strong communication skills can help in building positive relationships with senior management and business leaders. Communicating issues accurately and prioritizing them is also important. Another important thing is using the right words in audit report which demonstrates professionalism of CAE and the audit team. 5. Desire for KnowledgeKnowledge distinguishes a leader from a non-leader. The CAE should be constantly alert to best practices, industry trends and inspire internal auditors to develop themselves, maintain a commitment to ongoing training and learning.

ConclusionAs the requirements of companies change, the required characteristics of a successful CAE will also need to change. CAEs have a big role to play in a company by helping an organization remain aware of and effectively manage its current, strategic and emerging risks. To be successful at this role, a CAE needs to have a combination of the characteristics mentioned above to allow him or her to add value to a company. In today’s world, it is absolute critical for a CAE to continuously upgrade his or her skills in order to meet the changing expectations of companies and the internal audit profession.

AYMAN ABDELRAHIM, MQM, CIA, CCSA, CFE is a Chief Internal Auditor at a government organization in Dubai.

“If you want to be successful, you have to be willing to invest

in yourself”Richard Chambers, CIA, QIAL

President and CEO of The Institute of Internal Auditors

16 INTERNAL AUDITOR - MIDDLE EAST DECEMBER 2014

BY BRUCE TURNER AND JACQUEL INE TURNER

A veteran chief audit executive and a technical specialist join forces to showcase innovative professional

development programs for internal audit

Innovation

A fundamental role of internal auditors in the twenty-first century is to add value to the

business and help it achieve its objectives. At the same time, employee talent management has become a priority, as stakeholders recognise that internal auditors need to understand the business.

This article focuses on ten developmental programs across three tracks (illustrated in Exhibit 1) that can be structured to close skill-gaps and provide the internal audit activity (IAA) with practical insights into the business.

Imperatives“There is broad diversity of need for technical and soft skills and a need for internal auditors to operate at a sufficient level of competence to show the value of the profession.” IIA Global Council 2014Leaders of our profession have clearly spelt out the importance of talent management:

Shaping talented

audit teams

• Thinkingstrategicallytoreducethe talent gap was emphasised in the IIA’s ‘Tone at the Top’ newsletter in January 2013. The article also noted the need to support professional development and encourage staff to work collaboratively with other business units to promote cross-pollination of knowledge.

• Skill-set gaps was identified by delegates at the IIA’s Global Council meeting held in Dubai in 2014 as one of the top five obstacles the profession faces through 2020.

• Understandingbusinesswasidentified as very important by over 70% of respondents to the IIA’s 2010 global survey. This was the highest rated of 18 technical skills.

• Maintainingcompliancewith professional auditing standards underpins audit value, with ‘proficiency’

and ‘continuing professional development’ emphasised in standards 1210 and 1230 respectively (ie possess and/or enhance knowledge, skills, and other competencies).

• Maximisingindividualpotentialisakey to being an employee of choice. It helps to create a highly satisfying place to work, and improves the intellectual capital within the IAA.

• Keepinginternalauditfresh and up-to-date through effective audit leadership. In a June 2014 blog, the IIA President and CEO Richard Chambers emphasised the importance of audit leaders being role models, focusing on positives, being goal-oriented, making the time for the team, and getting help from others through effective delegating. Implementation of professional development programs is another leadership imperative.

Bringing Business People into Audit1. Graduate program2. Guest auditors - specific audits3. Guest auditors - longer-term secondments4. Middle management rotation program

Delivering Inhouse Programs5. Alumni network6. Knowledge champions7. Mentoring

Exhibit 1 – Overview of audit development programsSending Auditors into the Business8. Frontline connections9. Secondments within the entity10. Swap or secondment with another entity or service provider


Innovation

Key steps“Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand.” Chinese Proverb

•IdentifythecompetencyneedsofyourIAA. These may already be identified through an the IIA’s Global Internal Audit Competency Framework or within a defined IAA Professional Development Plan.

•Determineanyrelateddevelopmentprograms that your entity already has in place. For instance, well-established graduate and mentoring programs exist in many entities.

•Assessthebestoptionsfortailoreddevelopment programs that suit your IAA. From the ‘program overview’ table, select one or two programs to implement now, and others that might be beneficial in the future.

•DeveloptheselectedprogramsforyourIAA, building up from bottom of the ten building blocks in Exhibit 2. Recognise that motivation and state of readiness to learn are important

considerations in identifying the ‘right’ participant/s. •Finally,irrespectiveofwhichprogramischosen, ensure that fresh ideas and insights are generated for the IAA. This is the critical ‘payback’ phase.

Engage participants and undertake program Provide fair and valued learning feedback

‘Road test’ and promote the program Select participants based on selection criteria Establish and provide suitable induction

De�ne aim, desired outcome, and strategy Align to entity career development strategies

Identify IAA skill gaps and learning objectives Consider the key principles of audit learning Select best programs; formalise key elements

Exhibit 2

Bringing Business People into AuditProgram 1 : Graduate ProgramDesign Aims : Introduce governance, risk and control fundamentals to entity’s graduate program participants.Primary Benefit : Helps shape career of potential future leaders, through experiential learning.Secondary Benefit : Brings youthful enthusiasm into IAA. Builds ‘ambassadors’ for IAA through a good experience.Key Features : Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core activities of entity.

Program 2 : Guest auditors - for specific engagementsDesign Aims : Draw guest auditors onto specific audits where their technical skills are needed.Primary Benefit : Delivers subject matter experts from technical business areas to IAA to bring expertise to particular audit engagements. Example: a Western Australian mining company utilised engineers to great effect. Secondary Benefit : Runs for shorter duration than other programs, and is informal and less structured.Key Features : Allows guest auditors to assess specific components of audits, rather than experience whole audit process.

Program 3 : Guest auditors - longer term secondmentsDesign Aims : Leverage expertise of business staff.Primary Benefit : Drives audit improvement strategies through technical advice on audit planning, fieldwork or reporting.Secondary Benefit : Brings in a ‘free’ expert resource.Key Features : Facilitates secondment of operational staff from business areas to IAA for defined periods (several weeks or months).

Program 4 : Middle management rotation programDesign Aims : Build capability of middle managers, whilst drawing business experience into IAA. Primary Benefit : Helps management by giving high potential middle managers opportunity to learn first-hand about entity-wide governance, risk and control arrangements.Secondary Benefit : Facilitates two-way learning. IAA gains services of respected business people to work on audits. Helps to build business acumen in auditors.Key Features : Delivers longer term learning benefits for future executives through structured program; CAE partners with ‘C-suite’.

Delivering Inhouse Programs Program 5 : Alumni NetworkDesign Aims : Invite alumni to IAA events to provide insights on direction, planning and strategies of IAA.Primary Benefit : Uses structured approach to leverage rich source of ideas, insights and perspectives that former internal auditors have gained in their new roles.Secondary Benefit : Achieves ‘progress through sharing’ for professional counterparts. Key Features : Provides basis for ‘staying connected’ with experienced auditors who move into other parts of business or to other entities.

Program Overviews:


Anticipated outcomes “The best minute I spend is the one I invest in people.” Kenneth Blanchard Well-structured professional development programs can help shape a legacy that goes beyond the outcomes traditionally expected of members of the internal audit profession. In particular: •TheCAEcreatesahighlysatisfyingplaceto work, which helps to attract and retain excellent staff.•Thevalueofinternalauditisenhancedin the eyes of the entity’s most senior executives (commonly called the ‘C-suite’) and the audit committee, through practical

InnovationTO COMMENT on the article,EMAIL the author at [email protected]

insights gained by drawing business-based expertise into more complex audits.•TheIIAasawholebenefitsbyimprovingits intellectual capital and expertise; building on the overall talent at its disposal; and enhancing its credibility through technically strong outputs. Programs interfacing directly with the business have the added benefit of showing the ‘human face’ of internal auditors.•BusinessspecialistsbroughtintotheIAAbenefit from the insights that they gain in respect to corporate governance, risk management and internal control; skills which they will need as they move into

future senior leadership positions. They are also influenced to become ‘ambassadors’ for internal audit.•Auditorsplacedintothebusinessorinvolved in in-house programs gain job enrichment; build their skills; gain greater understanding of the business; and take steps to maximise their individual potential.

BRUCE TURNER, CGAP, CRMA, CFE, CISA, PFIIA, FFin, FIPA, MAICD, FAIM is an audit committee chairman in Australia and Chairman of the IIA-Global Public Sector Committee.

JACQUELINE TURNER, B. LJS, GradCertFraudInv is a white collar crime analyst at a multi-national financial services institution in Australia.

Program 6 : Knowledge championsDesign Aims : Nurture mid-level audit staff to become knowledge champions.Primary Benefit : Auditors develop expertise in assigned specific knowledge areas, such as emerging practices and issues; governance, risk, control; or technical areas of entity. Example: tax collection agency CAE might assign indirect taxes, direct taxes, client register etc.Secondary Benefit : Provides CAE with timely information on contemporary trends and business issues, and to be well-briefed for ‘C-suite’ and audit committee interactions.Key Features : Reduces dependency on hiring terrain experts.

Program 7 : MentoringDesign Aims : Achieve full potential of auditors.Primary Benefit : Fosters professional relationships, where auditors have opportunity to collaborate and share insights with experienced executives outside IAA.Secondary Benefit : Provides forum offering constructive and frank advice to support auditor’s career development.Key Features : Offers cost-effective way of assisting auditors to acquire knowledge and skills to operate within challenging environment.

Sending Auditors into the BusinessProgram 8 : Frontline connectionsDesign Aims : Enable senior audit staff to spend time in field with operational staff.Primary Benefit : Provides an opportunity for auditors to gain experience ‘on the ground’ so they better comprehend frontline activities and day-to-day challenges of entity.Secondary Benefit : Provides job enrichment for participants so they remain sharp and objective. Key Features : Enables auditors to spend half a day every month or quarter in the business shadowing frontline staff and completing lower-risk operational tasks.

Program 9 : Secondments within the entityDesign Aims : Provide a short break from auditing to refresh key staff.Primary Benefit : Refreshes knowledge of seasoned auditors across business operations, and enables them to experience day-to-day operational pressures.Secondary Benefit : Showcases to management the talent within IAA, and helps to further build IAA’s professional profile.Key Features : Facilitates targeted secondments within business areas.

Program 10 : Swap or secondment with another entity or service providerDesign Aims : Boost breadth of experience of high potential auditors. Primary Benefit : Enables auditors to gain experience in another entity or service provider and bring fresh insights back to IAA.Secondary Benefit : Reduces risk of auditors becoming stale and resigning, by enabling them to gain broader experience and build their career path. Key Features : Provides swap of high-potential auditors or secondments for pre-determined periods (say, three months) to achieve defined experiential learning objectives; established through mutual agreement of CAEs.

Held under the patronage ofH. H. Nahyan bin Mubarak Al Nahyan

UAE Minister of Culture, Youth & Community

Venue: Intercontinental Hotel Dubai Festival City, Dubai, UAEDate: 21st - 22nd January 2015To register, email us at: [email protected] or visit our website: www.iiauae.og

The Association of Certiifed Fraud Examiners (ACFE)’s Inagural Annual

Conference in the Middle East & North Africa (MENA) region is dedicated to

eliminate and minimise the risk ofFraud & Corruption, manage the Risk of Fraud and Give an Insight on the latest techniques and strategies to

�ght Cybercrimes.Book now to earn

16 CPEs

Sponsored by

Media SponsorsPlatinum Sponsors


Quality Improvement

BY LAL IT DUA

Auditee Feedback

One of the important factors for an effective audit is “Auditee feedback” which has commonly been ignored and

has not usually been part of professional discussions. It appears very simple and nice to read this statement but all internal auditors know how much effort it takes to get focused, positive and value adding feedback from an auditee. Dealing with behavior and responses of auditee during this process is quite a challenge.

The auditee should recognize the fact that his enhanced performance, through auditor’s recommended corrective measures, will help in achieving his department’s objectives. So establishing an honest understanding of objectives of the audit and respective roles of auditor and auditee, should take place before the start of the audit process.

The Need for FeedbackAudit reviews can be a smooth journey if both auditor and auditee understand the objective and both of them work in coordination and participation with each other, to achieve desired improvements. The auditor has to ensure transparency in review approaches, conduct and

finalization of the audit. The auditee also has to support the review by demonstrating confidence in auditor.

Feedback from auditees is a confirmation on the auditor’s analysis of data, compilation of information, approaches of audit, observations made, acceptance of recommendations etc.. The auditee is the one who can approve or reject the internal auditor’s efforts, which should be done diligently and honestly. Even the auditee at higher levels of management will not accept the observations unless they have been accepted by the previous levels of management. Hence the auditee can even make or break auditor’s positivity of approach in audit review.

The auditee’s feedback should be specific to the issues/observations, timely and be delivered in an appropriate way.

A. Specific to issuesFeedback is at its best when it relates to a specific observation, data analysis and audit query. The auditee’ feedback will be to the point and constructive if all the relevant details have been provided as any gap will lead the auditor to an unwanted direction. Submitting an audit observation to

auditee like “Observed that exercise of identification of slow, non-moving and dead inventory items is not effectively conducted during the year” will not yield any tangible feedback unless it is specific like “As per policy the exercise of identification of slow, non-moving and dead inventory is not being done quarterly and our exercise of identification of such inventory items resulted in 12 such items, the detail of which is in the attached statement.”

B. TimelinessThe auditor is required to submit any detail or observation to auditee well in time and for the period under review. Any undesired delay in feedback will lose its significance and may delay the process of audit. The sooner the auditor identifies the requirement of changing approach, working and source of information/data, the sooner they can correct the point involved and conclude the audit effectively.

C. MannerFeedback should be given in a manner that will help to improve audit performance. Since people respond better to information presented in a positive way, feedback should also be expressed in a positive

Positive and Honest feedback adds to Internal Audit Effectiveness


Quality ImprovementTO COMMENT on the article,EMAIL the author at [email protected]

LALIT DUA, CA is head of internal audit at Shalina Healthcare in Dubai.

manner. It must be accurate, factual, and complete. Feedback is more effective when it reinforces what the auditor did right and/wrong and then letting him judge what needs to be done during the course of audit.

Frequency and Stages of feedback The feedback from the auditee can be regular or as requested by the auditor. Regular feedback can be given as and when the auditor discusses processes, asks for records and data for review and when querying the auditee about some observations. The auditee’ feedback is expected to be with positive intent as it would depict auditee’ desire for the auditor to add value.

The periodic feedback sessions are normal features of any audit review where formally the details of issues to be discussed and feedback to be taken from the auditee are provided in advance. The feedback is documented and is either taken as base for the next level of audit review or forms part of report itself. With effective feedback, auditor will be working in right direction and will be more potent in conduct of audit.

A. Feedback in the opening meeting with auditeeThe auditor has to explain to auditee the objective, scope, tentative duration of review, initial record and details required in the Kick off meeting. The meeting will give opportunity to the auditee as well to raise questions and ask for clarifications, if any from the auditor. At the end of the

meeting his clear understanding about the whole process of the review is a kind of feedback whereby he gives his concurrence and assures of complete support.

B. During conduct of auditWhile conducting audit reviews the auditor is applying different approaches and techniques of audit. He also makes verbal and written communication on issues involved in reviews. The responses, actions, reactions and behavior of auditee to such activities are a kind of feedback to auditor on how the audit review is being conducted. After having explained the scope and objective of audit review in the kick off meeting, the auditor should ensure that the review is being conducted within

the same scope, with positivity and without any intention to find mistakes,errors, frauds etc.. The moment the auditee will get any sense of negativity in what the auditor is doing; the auditee will withdraw himself and will tend to feed or provide whatever has been asked without any positive participation. The end result will be extra efforts by the auditor, not enough confidence in whatever is being done and non-participation of the auditee in the process of improvement.

C. In the closing meetingsThe feedback requirement in the closing meeting should not come as a surprise. It is better to raise issues as they arise in the course of an audit, having a constructive discussion on the spot as and when required. The closing meetings are done at various stages and with various auditees during the course of finalizing audits.

Since these closing meetings are done with concerned auditee, department and functional heads levels so types of feedback at each of these levels will differ in content and style. The process of getting feedback in the closing meetings will be smoothened if auditor has been transparent in his approach and conduct during the course of audit.

Overall feedbackThough an auditor is getting feedback at different stages and from different level of auditees and management staff on specific areas of audit, the practice of getting an overall audit feedback has been formalized in many organisations. The criteria on which overall performance of audit is to be evaluated are many and in use. It is the maturity of the organisation and the role of the auditor it has foreseen, which defines the list of criteria for feedback. An organisation may even require the auditor to rate different auditees also on defined criteria.

ConclusionAuditee feedback on different aspects of the audit sets a benchmark or highlights the gaps in performance acceptance of management from audit department. Each audit observation has to be taken up in its right perspective, without over doing and mis-interpretation. An auditee expects to be given the opportunity to give their perspective, a process that helps to gain their commitment, so the auditor should welcome feedback. By adopting and implementing a collaborative approach to feedback and highlighting the ultimate aim of the audit to support auditees in order to improve organizational performance, will provide solid foundations for a positive experience for all concerned.


Audit Management

Board & C-Suite Driven Assurance: The Dawn of a New Era

BY T IM J . LEECH

Many years ago I wrote a seminal article titled “Control & Risk Self-Assessment: The Dawn

of a New Era in Corporate Governance”. That article, and the ideas in it, played a significant role launching my first company in 1991, and had a significant impact on the profession globally. Almost 25 years later this article describes recent developments and forces that will almost certainly see the onset of an even more profound and significant transformation – truly the dawn of a new era in internal auditing.

TRADITIONAL/HISTORICAL INTERNAL AuDITINGI joined the profession as an internal

auditor in the summer of 1981. Since that time the profession has evolved and advanced in many positive ways, but continues to be bound by some fundamental and confining paradigms. The paradigms include:

1. Internal auditors plan, execute, and report results of point-in-time audits.2. Internal auditors assess “internal controls” and report opinions on whether they believe controls are “effective”. 3. Internal auditors report what they believe to be “control deficiencies”, “material weaknesses”, “significant deficiencies” or “opportunities

for improvement”.4. “Direct report” auditing is the primary approach used globally. In a direct report engagement the auditor evaluates the subject matter for which the accountable party is responsible. The accountable party does not make a written assertion on the subject matter they are responsible for.5. The profession has been primarily “supply driven” not “demand driven”. 6. Internal audit does not usually know, or require that management and boards define the type and amounts of risk the company and its board are prepared to accept. 7. A majority of internal audit


Audit Management

departments have not, for a variety of reasons, assessed and reported on risks to the organization’s top strategic/value creation objectives, or the effectiveness of the entity’s entire risk management framework.

The traditional/historical direct report approach to internal auditing described above is now under attack. Evidence collected globally1 in 2014 indicates dramatic drops in internal audit customer satisfaction.

KEy DEvELOPMENTS GLOBALLyBoard responsibility to oversee management’s risk appetite and tolerance significantly elevated - Following the 2008 global financial crisis commissions were convened around the world to try and understand what had gone wrong and prevent similar destabilizing events in the future. A unanimous conclusion was that

4.6 Internal audit (or other independent assessor) should: a) Routinely include assessments of the RAF on an institution-wide basis as well as on an individual business line and legal entity basis; b) Identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate; c) Independently assess periodically the design and effectiveness of the RAF and its alignment with supervisory expectations; d) assess the effectiveness of the implementation of the RAF, including linkage to organisational culture, as well as strategic and business planning, compensation, and decision-making processes; e) Assess the design and effectiveness of risk measurement techniques and MIS used to monitor the institution’s risk profile in relation to its risk appetite; f) Report any material deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and g) Evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.

Source: Financial Stability Board, Principles for an Effective Risk Appetite Framework, November 18 2013.

boards of directors and, to a lesser degree, regulators, had not adequately discharged their duty to oversee what is increasingly being called management’s “risk appetite and tolerance”.

Creation of the world’s first preeminent regulator guidance body – Financial Stability Board (“FSB”) – Shortly after the onset of the global financial crisis a decision was made to create a new super regulatory power, the Financial Stability Board (“FSB”). This organization, currently chaired by Mark Carney, Governor of the Bank of England, with representation from governments and financial sector and securities regulators from around the world, has, with unprecedented speed, formulated and disseminated what is most aptly termed paradigm shift guidance with an overarching, albeit unstated, goal of reengineering corporate governance globally. One of the FSB’s most significant contributions to date is a November 2013

Codification of board responsibility to oversee management’s risk appetite and tolerance – In parallel with the FSB, regulators around the world have started to enact regulations that reflect key FSB recommendations, particularly the need to assign primary responsibility for risk management and reporting to management; and risk appetite/tolerance oversight to boards of directors. One of the most graphic illustrations is the new UK Governance Code issued in September 2014. It positions responsibility for risk oversight squarely with boards of directors; calls on management to design, implement and maintain effective risk governance frameworks; and calls on boards to seek independent assurance that management has, in fact, designed, implemented, and maintained effective risk governance frameworks. It is expected other major countries that want to improve the integrity of their capital markets will follow the UK’s lead. Internal audit customer satisfaction plummets – as these regulator driven

guide for national regulators, companies, and auditors titled “Principles for an Effective Risk Appetite Framework”. The authors of the FSB guidance took the bold step of defining new and bold mandates for management, boards of directors and, most significantly for readers of this article, internal auditors. Details of the new role envisioned for internal auditors is shown in the box across. The FSB is, in essence, calling on internal audit to transition from providing spot-in-time, direct report, subjective opinions on “control effectiveness” on a small percentage of an entity’s risk universe, to reporting on the reliability and effectiveness of an organization’s entire RAF, including, but not limited to, reporting on the reliability of risk status reports provided to the organization’s board of directors by senior management.


Audit Management

developments gain traction globally a summary of customer satisfaction surveys done by 3 major consulting firms and the Institute of Internal Auditors was reported in the July 2014 IIA Pulse on the Profession Report referenced earlier. The report paints a graphic picture of a significant and very recent decline in board and senior management satisfaction with traditional/historical direct report internal audit services.

WHAT THIS MEANS TO THE INTERNAL AuDIT PROFESSION GOING FORWARDNeed to Transition from “Direct Report/Spot-in-Time” Auditing to Attestation Reporting on Management Representations on Risk Framework Effectiveness and Risk Status – the FSB has defined roles for the board, senior management, and internal audit that call for a fundamental accountability shift - a shift that requires management continuously assess and report upward on risk status, and for internal audit to assess and report opinions to the board how well management is discharging their assigned risk governance responsibilities. This new paradigm requires radical and fundamental shifts in existing IIA certification curriculum and training offerings. IIA IPPF professional practice standard 2120 was modified in 2010 specifically to provide support for the shift, and the Certification in Risk Management Assurance (“CRMA”) launched globally. Internal audit departments will need to evolve from the business of performing traditional spot-in-time direct report audits and providing subjective opinions on “control effectiveness” on a small percentage of the risk universe and, instead, focus substantially more resources on providing assurance to boards that senior management is creating and maintaining

effective risk management and reporting frameworks.

Educate Boards of Directors on Evolving Expectations - the evolution of these expectations is likely to evolve at varying speeds and intensity in different countries. Not all senior management and board members have been actively following the evolution of these new expectations, and not all national regulators have codified risk governance expectations with the clarity and simplicity of the September 2014 UK Governance Code to spur the needed transition. It is also important to note that not all CEOs and CFOs are likely to welcome direct responsibility for creating and maintaining effective risk appetite frameworks and providing formal and candid reports on residual/retained risk status to their boards.

Look for Opportunities to Gain the New Knowledge and Skills Required - If internal auditors are to accept and assume the type of responsibilities defined by the FSB earlier in this article, they must “retool” their knowledge and skills. Instead of the traditional internal audit focus on providing subjective opinions on “control effectiveness”, internal auditors now need to acquire the knowledge and skills to assess and report on the reliability of management’s risk appetite frameworks, including management’s reports to the board on retained/residual risk status. This means learning the type of vocabulary defined by the FSB in its Principles For An Effective Risk Appetite Frameworks guidance and the globally accepted ISO 31000 and ISO Guide 73, and gaining the knowledge and skills necessary to identify the full range of risks, “risk treatments”, and a picture of residual risk status, not the much narrower assessment of traditional “internal controls” internal audit has historically focused on. More importantly,

internal auditors need to continuously assess and report on whether the current residual risk status related to key strategic and foundation objectives is currently within the board and senior management’s risk appetite and tolerance.

CLOSING REMARK Recognize that aversion to change is a human condition – this short article outlines events and drivers that call for radical and quantum change in the current internal audit paradigm. A natural human trait is to resist radical change and favour smaller and more incremental steps. The dramatic drops in customer satisfaction statistics described in the IIA July 2014 Pulse on the Profession report have led to the IIA literally issuing – A CALL TO ACTION to internal auditors around the globe. Addressing rapidly evolving and escalating customer and regulatory expectations will require the profession globally make rapid and radical changes if it is to ensure it remains fully relevant to key customers in the years to come. There is a well-known adage that states “necessity is the mother of invention”. The need for radical and rapid change in the traditional internal audit delivery model is real. It’s time the internal audit profession literally reinvent itself to meet the needs of key customers – particularly boards of directors. No small task to be sure, but a job that absolutely needs to be done. Best wishes for success as the profession decides whether it welcomes, or resists, the dawn of a new era in internal auditing.

References:[1] IIA Pulse on the Profession, Enhancing Value Through Collaboration: A Call to Action, IIA AEC, July 2014.


Tim J. Leech CIA CCSA CRSA FCPA is Managing Director Global Services at Risk Oversight in Canada and is recognized globally as a thought leader and advisor in the risk and assurance field.

Four major 2014 customer surveys indicate growing dissatisfaction with traditional internal audit methods and tools. Find out what’s causing this rapid drop in customer satisfaction globally and what to do about it. www.riskoversight.ca A better response to risk


Fraud

BY ROBIN S INGH

Inside the Mind of a Fraudster

For as long as white-collar crime fraudsters have been a common occurrence throughout multiple

industries, specialists have wondered aloud whether or not it is possible to properly develop a profile that allows organisations to accurately identify fraudsters while the fraud is happening, or in some cases beforehand. Of course, predicting crime before it actually happens is a concept best left to science fiction novels and movies at the moment – but what if there were some easily identifiable warning signs of potential fraudsters?

General Attributes While any individual could potentially conduct fraudulent actions, there does seem to be some basic elements that make an individual more likely to take part in fraud. According to a study by KPMG1, the typical fraudster displays the following attributes: • Isbetweentheagesof36and45.More than 70% of fraudsters fall into this age group.• Actswithlittleregardforthe organisations which they work for.• Isemployedinapositionthatgives them power over important organisational processes including executives, finance, operations and marketing. • Hasbeenwiththeorganisationforsix years, or long enough to know the internal processes of the company.

Identifying potential suspects based on the profile of a fraudster is not a straightforward task

• Actswithothersincommittingfraud. According to KPMG’s study, more than 61% of individuals that committed fraud did so with the help of at least one other individual.

PersonalityAnother compelling fact which the KPMG study bought forward was that a large percentage of fraudsters were extroverted (33%), friendly (35%) and highly respected (39%). These personality traits do not seem to be indicators of someone who is prone to fraud but when combined with traits like greed and desire for personal gain1, one can then get a clearer picture of the personality of these individuals.

Studies have proven that these are people who are either malignant narcissist, or suffer from Narcissistic Personality Disorder (NPD), which is defined2 as an “enduring pattern of inner experience and behavior that deviates markedly from the expectation of the individual’s culture, is pervasive and inflexible, has an onset in adolescence or early adulthood, is stable over time, and leads to distress or impairment.” Because these disorders are chronic and pervasive, they can lead to serious impairments in daily life and functioning.Actually, to really go inside the mind of a fraudster, one needs to understand the traits of a person suffering from NPD:• Haveaninflatedsenseoftheirown

importance; Believes that he or she is “special” and can only be understood by high status people. • Haveadeepneedforadmirationfor themselves; a sense of superiority.• Believethatthey’resuperiortoothers.• Constantlybendingtherulesfor himself although outwardly criticising others for similar behavior.• Havelittleregardforotherpeople’s feelings.• Beintolerantofanythingperceivedas less than a perfect performance.• Exaggeratetheirownachievementsor talents.• Expectingotherstogoalongwithyour ideas and plans.• Takingadvantageofothers.• Troublekeepinghealthyrelationships.• Beenviousofothersand/orbelieves that others are envious of him or her.To add to the above, the Association of Certified Fraud Examiners (ACFE), mentions in its 2014 report3 that the financial losses resulting from fraud committed by Owners/Executives at companies were at least than 3 times larger than the losses resulting from fraud committed by managers or employees. Similarly, the ACFE study showed that the longer a fraudster had worked for a company, the more financial harm he or she caused. This supports the fact conclusion that big game players are the ones who are at the top of the corporate pyramid.


TO COMMENT on the article,EMAIL the author at [email protected] Fraud

beyond his or her means. In the Middle East, the question asked is “Where did you get this from?” This alludes to the how an individual can afford to purchase something which is clearly above his financial abilities. ACFE’s top 3 behavioral red flags displayed by fraudsters are shown in the table below:

On another note, experience also shows that individuals that committed fraud did so with the help of at least one other individual. What do you think the other person would be like? Generally the other partner is a submissive one, who would generally take instructions from the dominant partner. Since the dominant partner might want to remain in control, they should avoid choosing the person of equal stature because they would have to share their ‘loot’ equally with other partners. If an investigator cracks the weaker link, the whole case would unravel like a blossoming sunflower .

Individuals exhibiting the aforementioned behaviors must be critically examined. Quantitative tools must be especially keen, and third-party verification like a psychometric test can be a good component of this analysis.

Drawbacks of ProfilingEven though a large portion of fraudsters meet the previously mentioned guidelines

of your typical fraudster, it can be very difficult to implement fair policies that target individuals that fit that profile without causing some unrest within the company. Naturally, management positions should be afforded some type of oversight in order to limit the chances of fraud. However, placing increased oversight on a specific group of individuals can seem like unfair targeting to employees and can cause issues. In some cases the improper implementation of fraud mitigation strategies can open a company up topotential lawsuits. Lawyers and industry

professionals should be consulted before implementing strategies based on profiles of fraudsters.

ConclusionWhile it is definitely possible to create a basic profile for fraudsters, it is important to remember that this profile constantly changes as technology adapts and new avenues of fraud become available. Mitigating the risk of fraud is an important consideration for any business, and utilising data has become a large part of the equation for many.

References: 1. Global Profiles of a Fraudster, KPMG International, 2013.2. Diagnostic and Statistical Manual of Mental Disorders (DSM-5), American Psychiatric Association, 2013.3. ACFE’s 2014 Report to Nations on Occupational Fraud and Abuse.

ROBIN SINGH, MBA, MIT, CFE, CFAP is a Senior Fraud Investigator working a government entity in

the healthcare sector.

But a good investigator / interviewer would be able to identify that behind this mask of ultra-confidence lies a person with fragile self-esteem and vulnerability to the slightest criticism / comment made against them in a negative manner. Additionally, an investigator will need be good at profiling since the majority of fraudsters would have never been punish and would not have criminal records!

Try and imagine people like Jeffrey Skilling, Enron Corp.’s former chief executive, who carried a tremendous pride that he could do anything under the sun such as build idealistic concept of energy trading and explored Mark to Market accounting which could show people that they can bill for future profits right now and everyone, even the authorities bought into that concept. The whole office used to look up to him.

Think of people like in the Wolf of Wall Street, Jordan Belfort, who could sell penny stocks better than Apple, Intel etc. The whole office admired him. They all had an attractive, role model personality, etc.

The list can go on and on and includes Ponzi Scheme perpetrators such as Scott Rothstein and Bernard Madoff as well as accounting fraudsters such as Ramalinga Raju (formerly of Satyam Computer Services) and so forth.

BehaviorThere are certain behaviors which fraudsters exhibit. These behaviors can serve as tell-tale signs that an individual may be committing fraud. From my experience, the most common behavioral red flag displayed by fraudsters is living

“There is a strong correlation between the fraudster’s level of authority and the losses resulting from the fraud” – ACFE 2014 Report to the Nations

Behavioral Red Flags Displayed Perpetrators

Living Beyond Means

Financial Di�culties

Unusually Close Assoicationwith Vendor/Customer

43.8%

33%

21.8%


BY KETAN BHOOLA

Project Controls: More than just a box ticking exerciseIn my previous life as a site architect working on the design and build of a mega shopping center, I vividly recall a cold winter’s morning, standing on site with the team that included the “finance guy”, as we called him. He was understandably worried because he had to deliver a difficult message to the project team. The message? The project had run out of cash. The project manager was infuriated but all he could do was throw his hands in the air and walk off the site. Someone in our team said sarcastically, “so much for our project controls!” What exactly are project controls? What do they do and why are they so important? In fact, in my experience, I have found that if you were to ask many people that question, you may be met with a few puzzled stares. However, the truth of the matter is that project controls are probably the most important element of any successful capital project delivery. Project controls have much to do with monitoring all the metrics of a project. This can include quantities, time, cost, cash flows, risk reporting, etc. The simple definition in my book is that project controls are all the actions you would take to ensure that your project is delivered on time, on budget and in accordance with the project’s design specifications. This of course means that project controls cover the entire life cycle of the project - from its initiation, to the planning, execution, monitoring and control and even at the project closeout phase.

Based on my experience, as an advisory partner to many leading developers in the region, I have summarized below what project controls we would expect to see in place on capital projects. This summary is by no means all inclusive, but will go a long way towards delivering a project successfully. 1. Stage gate approvalsAs the project moves through the lifecycle from initiation, planning, executing, monitoring and control to close-out, we would expect to see formal sign-off from senior management and the key stakeholders. These stage gate approvals do not allow the project to proceed without the required formal documented approvals in place.

2. Policies and proceduresWe have seen the use of detailed policies and procedures leading to improved project delivery functionality, from pre-development through to handover, leading to better decision-making, greater accuracy of forecasted spend and the capability to deliver on budget, thus limiting cost overruns. In essence, defining all the actions needed to be taken in a detailed policies and procedures document provides guidance to your team, makes their tasks predictable and ultimately, limits surprises.

3. RACI matrixA Responsible, Accountable, Communicated and Informed (RACI)

matrix describes the level of participation by the various roles in completing tasks and the project. This simple yet effective tool can be very useful in clarifying roles and responsibilities across the various departments/functions within the team.

4. Delegation of authority matrixIn most cases, we have observed the incorrect use of a delegation of authority matrix. Entities have moved to extreme cases where either too much or too little authority has been placed on the project team. The net effect allows variations to be carried out outside the mandate of the delegated authorities. In many of these cases we have also observed the use of retrospective approvals being obtained when the Variation Order is prepared. Having key personnel with the adequate level of authority and accountability is key to project delivery.

5. Project reportingDaily, weekly and monthly reporting can provide a good mechanism to ensure projects are being accurately reported on. A report produced for the sake of reporting is meaningless. Below are examples of good practices that should be considered:

5.1 Forecasting and variance analysisMonthly forecasting and variance analysis is essential to project reporting. The use of variance analysis on “actual” versus “budget” and “forecasted cost” data provides the where did we plan to be,

Risk Management


the project team to develop and identify EWNs, so that problems are avoided and projects are successful in delivering the expected value for their owners and other stakeholders.

5.4 Work-in-progress (WIP) managementA recent client had completed his mega project and was happy that his project was delivered on time. While the project was slightly over budget, he believed that he had successfully delivered the project. In the months that followed, to his horror, he became aware of the fact that over 20% of the project value was still “work in progress” and had not been

certified and accounted for before. To his disappointment, he began to realize his “accruals” and “WIP management” system was almost non-existent.

5.5 Earned value or value of work doneLike WIP management, the value of work done and earned value methodology needs to be closely monitored. The project team and consultants should be able to demonstrate a robust methodology to measure and communicate the real physical


where are we now and what is the expected final cost of the project.

5.2 KPI and project specific KPIsThe project team should meet with senior management and the board at the start and during the project to develop, track and enhance the KPIs. This is the perfect opportunity to ensure all stakeholders are aligned, and the required KPIs are in place. We recently reviewed the monthly reporting of a leading contractor and observed that the contractor did not report on “Paid to date.” The project team did not feel it was their responsibility to report on this metric as they felt that it was up to the finance team to report on payment related issues. We challenged the Board of Directors and senior management on the lack of input from other departments including finance and procurement departments in the monthly reports. We stressed the importance of including finance and procurement KPIs in the monthly reporting. This would also ensure they are measured accurately and in line with the needs of the business.

5.3 Absence of Early Warning Notices (EWNs)This is essentially management looking out for anything on the horizon that would affect the delivery of the project. We work closely with senior management and

Risk Management

progress of a project taking into account the work completed, the time taken and the costs incurred to complete that work. If done correctly it should allow for effective management decision-making, which helps evaluate and control project risk.

5.6 Risk management functionIn our experience, we have seen a worrying trend where we find no evidence to support the fact that our clients identify risks, prioritize them, establish mitigating strategies to deal with these risks and then monitor the effectiveness of these strategies. In other words, we cannot effectively say that the majority of our clients have a robust risk management culture in their organization.

While the previous metrics may seem daunting to a project control office that is still in its infancy, it is important to realize that the aim of these is to provide useful information to management so that a project may be delivered successfully. Most organizations are encouraged to use metrics that work for them. For example, during the course of our advisory work, we have assisted leading clients with the development and use of a one-page

project dashboard report. This “one-pager” would ideally be provided to executive management to help them provide the correct oversight on projects. In hindsight, it would have also helped our little shopping center back in the day!

KETAN BHOOLA, B.ARCH, MRICS, is an Assistant Director at Deloitte Corporate Finance Ltd.’s Infrastructure & Capital Projects division.

Project critical SucceSS FactorS

Source: Deloitte Survey at Arabian World Construction Summit 2014

Top 3 critical success factors for Clients in projects: 1. Certainty of Cost 2. Qualified Staff3. Return on Investment

Top 3 critical success factors for Contractors in projects: 1. Qualified Staff2. Compliance with Specifications3. Profitability

Senior management needs to have accurate project information, “one version of the truth”, to make informed decisions.

Documents

SHAPING TALENTED AUDIT TEAMS - Internal Auditorinternalauditor.me/jomiz-ia/wp-content/uploads/2014/12/IA-Magazin… · SHAPING TALENTED AUDIT TEAMS INTERNAL AUDITOR MIDDLE EAST INSIGHTS