Beruflich Dokumente
Kultur Dokumente
ME
INNOVATE OR
DETERIORATE
Dear Members,
From this edition of the magazine, the Internal Auditor magazine is going DIGITAL
ONLY. Let me take this opportunity to appraise you of few important events which have
taken place at the association. We began this year with an event to focus on emerging
trends on fraud risks and how organizations are protecting their reputation in the global
environment. Growing dependency on IT also makes us vulnerable to cyber threats.
With cars, Smart TV’s and medical devices going hi-tech with internet connectivity –
the risks are far larger.
Lastly, I call upon all Chief Audit Executives and aspiring leaders to step forward and
apply for the Qualification in Internal Audit Leadership (QIAL). With 450 professionals
in the world having achieved QIAL, this important certification is considered as a gold
standard to demonstrating your leadership excellence.
I wish you all the best and look forward to seeing you at our 18th Annual Regional Audit
Conference in Abu Dhabi from April 19th – 20th. A pre-audit conference workshop is
also scheduled on April 18th.
Sincerely,
F E AT U RES
16 COVER STORY: Innovate or Deteriorate... What are the Company’s innovation
priorities? Where will the company focus its innovation efforts? BY ADIL BUHARIWALLA
DE PARTMENTS
4 Reader Feedback 6 Knowledge Update 32 Human resources
The Security Intelligence what are the skills and
8 UAE-IAA Events Center - Next Steps: Beyond qualities needed to be
Response to Anticipation, distinguished internal
28 Fraud Risk Executive Perspectives on auditors?
How the organization Top Risks for 2017, Beyond BY ABDULLA HASSAN ALBARAEI
manages fraud risk.
the Checklist - Anti-Money
BY DR.KHALED MOUSA
Laundering, Sanctions and 10 IT Audit
12 Conversations Corruption Concerns for What are the common
with Colleagues: the Insurance Sector, Rise mistakes IT auditors make
PwC’s Middle East Assurance of the Drones - Is your while auditing the Logical
Clients & Markets Leader shares enterprise prepared?, Making access area
his views on what it means to be globalisation work for all - BY MUHAMMAD AWAIS NASEEM
an effective internal audit leader 20th CEO Survey by PWC.
BY FARAH ARAJ BY VISHAL THAKKAR
s
OR.ME
CIA, is Senior Vice President Internal
Audit at Abu Dhabi Airports Company
SEPTEM g fraud
countin corporate
IA INTE
prise tur
Enter nal ma h
izatio proac
RNAL
organ atic ap
d system
I would like to thank the author for this wonderful article that
ﺳﺒ
2016 ﺘﻤﱪ to int
ern
- MIDD
OR.ME
LAUDIT
ﻣﻘﺎرﻧﺔ ﻋﻤﻠﻴ
than one party interested ﴈ ﻣﻊin اﳌﺎthe internal audit
LE EAST
NTERNA
ﺎت اﻻﺣﺘﻴﺎل
WWW.I
اﳌﺤﺎﺳﺒﻲ اﻟ
carries an added value to the internal audit profession, and if I
SEPTEMBE
ﻀﺞ ﴘ
وﻣﺴﺘﻮى اﻟﻨ
ﱰاﺗﻴ اﺳ ﻬﺞ ﻧ اﺗﺒﺎع may add or comment thereon, I will focus on the angle of cost. I
every entity must be
ﻴﻴﻢ اﻟﺮﻗﺎﺑﺔ addressed
ﺠﻲ ﻣﻨﻈﻢ ﻟﺘﻘ اﻟﺪاﺧﻠﻴﺔ according to the think that the cost of internal audit procedures must be
importance of the report for such entity, taking
Cause considered within the framework of the value to be added to the
into account the volume of the required details. Root is for organization, as the costs of auditing are high and will not add
For example, when serving the reportﺐtoﺴﺒthe ﺤﻠﻴﻞ اﻟ ﺗ s
Analy l Audit
ي ﺬر ﺠ اﻟ e r n a value to the business if its returns are less than its cost. Audit
Audit Committee, it would be betterﻞto ﻣ
ﻦ ﻗﺒpass the In t
ﻖ اﻟﺪاan ﻗﻴ ﺪ ﻟﺘ ا of the Manager shall create a cost structure of the internal audit
report in brief, as much as possible, byﺧﲇmaking
heart
to the ore
Getting ding m
اﻟﻮﺻﻮل
issue
and ad
your or
ganiza
tion
function, including the breakdown of the cost of the
information brief stating the points ofﻀﻴﺔhigh وإﺿﺎ اﱃ ﺻﻠﺐ اﻟﻘ valu e to
ﻓﺔ ا
اﱃ ﻣﺆﺳﺴﺘﳌﺰﻚﻳﺪ ﻣﻦ اﻟ
importance, and then attach the full report to an
ﺳﺒﺘﻤﱪ
ﻤﺔ ﻘﻴ
- وﺳﻂ
ROL
NT AN
- اﺧﲇ
GEME
MANA
CE, RI
اﳌﺪﻗﻖ
INSIGH
Executive
Perspectives on
Top Risks for 2017
This report contains results from the
fifth annual risk survey of directors and
executives to obtain their views on likely
risks which will affect their organizations
in 2017. This survey provides insights
across various sizes of companies and
across different industry groups specifying
the key risks that are expected to be in
2017 based on the feedback provided
by executives and board members that
participated in the survey. Some of the
risk drivers mentioned by the participants
were Brexit, turmoil in the Middle East
and the resulting surge in immigration,
changes in national political leadership,
depressed oil prices, monetary policies
and concerns about inflation and
inflated asset prices in China, global
terrorism, escalating healthcare costs,
rapidly developing innovations from the
digital technology revolution, expanding
88%
interconnected global financial system, it is even more crucial for insurers to Of CEO’s promote
expectations from regulators continue to improve their AML/CFT compliance talent diversity
evolve. In order to satisfy their regulatory strategies on a continuous basis.
and inclusiveness
obligations, financial institutions should
go beyond templates and checklists https://www.protiviti.com/sites/default/
to develop a deeper understanding files/united_states/insights/beyond-the-
checklist-aml-protiviti.pdf Of CEO’s say it is
69%
of the ever-changing risks of their
harder for
business to sustain
trust
Rise of the Drones
Is your enterprise prepared? of CEO’s say
44%
The commercial use of drone technology regulators, financial implications, safety globalisation has
is becoming increasingly popular in a
not helped to close
and operational requirements necessary the gap between
number of enterprises. Currently, the to properly sustain this type of business rich and poor
regulatory environment around drone tool, is a matter consider. Unless the
usage has evolved quickly to keep pace organizations have previous experience
with the technologies being used. If of CEO’s plan
managing aviation operations, the answer
52%
management is considering adopting
is most probably a reverberating “no.”
to increase the
drone technology, many factors must headcount, but
On the contrary, rushing to implement can’t find people
be well thought-out. This white paper
specifies some of the prospective uses
a drone technology without being with right skills
of drone technology in a commercial properly prepared in the first place can
environment, including business result in a legal and financial disaster.
An uncontrolled drone program can of CEO’s are
implications and risk considerations.
77%
concerned that a
It addresses critical questions that potentially cause significant damage to the shortage of skills
management must consider before reputation of the concerned organization. could impair their
implementing a drone program. company’s growth
http://www.isaca.org/Knowledge-Center/
Whether most organizations are prepared Research/Documents/Rise-of-the-Drones_ http://www.pwc.com/gx/en/ceo-agenda/
to address the requirements posed by whp_eng_0217.pdf?regnum=361492 ceosurvey/2017/gx.html
UAE Internal Auditors Association’s in collaboration with the Bassiouni, Managing Director at Protiviti - Member Firm for Middle
Higher Colleges of Technology and Protiviti had honored the East Region; Ms. Naima Al Menhali Board Member of UAE IAA
graduation ceremony for the third batch at HCT, Abu Dhabi. It was and Director of Internal Audit at the Petroleum Institute in Abu
attended by Abdulqader Obaid Ali, UAE IAA Chairman; Ahmed Dhabi and Ahmed Refaat Assistant Director at Protiviti
UAE IAA to host The program will offer participants the ability to hone their skills in designing,
implementing, and conducting an effective internal control system. Once
“COSO Internal Control” earned, the Certificate attests to the holder’s expertise in applying the 2013
COSO Internal Control–Integrated Framework
new certificate training for Through a blend of self-paced learning, classroom training and online exam,
this program will cover the COSO Internal Control–Integrated Framework from
the First time in the region start to finish, using real-world scenarios UAE IAA will be hosting the COSO
Internal Control new certificate training on 14-16 May 2017
2,000+
insights for internal auditors at every level.
Audit Industry
Practitioners and Providers
from 100+ Countries
18+
CPE Credit Hours
with Pre-conference
Sessions
Keynote Speakers:
Register Today!
2017-0269
ic.globaliia.org
Conversations with Colleagues
B Y FAR A H A R A J
Adnan Zaidi
I
n an exclusive interview, Internal Auditor - Middle East spoke to Adnan Zaidi who is
a Partner and Board Member at PwC Middle East. Adnan is also PwC Middle East’s
Assurance Clients & Markets Leader and is a Trusted Advisor to many of the region’s
largest Corporations. He began his career almost 25 years ago with Arthur Andersen in
London and subsequently moved to Dubai and held several leadership positions with
prominent companies. Adnan was the Audit Committee Chairman of the International
Cricket Council for the past five years and holds a number of Board positions at Not-for-
Profit organisations. He is one of the region’s pioneers in the field of internal auditing
and actively supports the profession at a global and regional level. Adnan is a member
of the Executive Committee of the UAE Internal Auditors Association (UAE-IAA) as
well as being a member of the Institute of Internal Auditors’ (IIA) Global Professional
Development Committee.
In the corporate context, what is Profession study (the “Study”) showed a So what are the characteristics
your definition of a leader? correlation between strong Internal Audit of an effective Internal Audit leader?
While you’re unlikely to find a single leadership and the ability of the Internal While an effective Internal Audit leader
definition of what is a leader, I would Audit Department to add value and deliver
has many notable characteristic, my top
define a leader as someone who has an strong performance. When stakeholders
three characteristics would be:
inspiring vision for his company and is perceived the Chief Audit Executive as an
1) Strategic thinking: This involves
able to effectively manage and motivate effective leader, in over 90% of the cases
looking at the big picture of the
his subordinates to work hard and align they viewed the Internal Audit Department
organisation and the Internal Audit
themselves with that vision. This requires as a value adding and high performing
function. Function. Like any corporate leader,
the leader to have both high levels of
the Internal Audit leader needs to
integrity as well as emotional intelligence.
develop a vision for the Internal Audit
“
Department which is aligned to the
How has PwC developed leaders Internal Audit company’s strategy and stakeholders’
in the Middle East region?
leaders who invest expectations. This is not done
PwC is one of the largest companies in
the world. We are a market leader in the
in themselves gain through a Three Year Internal Audit
Middle East who have been in the region the respect of their plan - one needs an actual strategy
for over 40 years and we employ over stakeholder and document, with objectives and key
4,000 professionals across 12 countries and are a source of measures which feed into the annual
work with the region’s largest and most inspiration to their “ and long term Internal audit plans.
prominent entities. We have used this
team and peers Without this characteristic, internal
position of strength to attract and retain audit leaders cannot achieve strategic
the best and brightest individuals in our alignment.
region. We’ve leveraged our global career 2) Communication skills: Internal Audit
progression framework to provide our How do stakeholders leaders need to clearly communicate
staff with opportunities for international perceive the value internal their ideas to engage stakeholders, to
assignments and experience. We’ve also audit provides? highlight key risks to the business and
actively promoted board and executive The 2017 Study which we just released
to manage staff. These leaders use
education through events and through shows a negative trend in stakeholders’
their powerful communication skills
client projects. Also, we’ve invested heavily perceptions of the value provided by
to exert influence beyond the Internal
in training GCC nationals, both clients and Internal Audit. This year only 44% of
Audit function and to enthusiastically
staff, to prepare them for future leadership stakeholders believed their Internal Audit
promote positive change.
roles. I strongly believe that PwC has made Departments provide them with value
3) Develops talent: This is about more
a powerful and sustainable impact on compared to 54% in 2016. When we
than building your team’s skill but
leadership capabilities in the Middle East. dug a bit deeper we found out that even
the Internal Audit Departments which about building the right skills that
Do you believe there is a correlation add value are expected to provide even align to the business and Internal
between the value that an internal more value each year. This means that Audit’s vision! This also means
audit function generates and the an effective Internal Audit leader should leveraging external resources as
effectiveness of its leader? not be satisfied with the status quo and necessary to meet the organisation’s
Absolutely and this is not just my opinion. should continue to evolve and meet, as well needs and to facilitate knowledge
Last year’s PwC State of the Internal Audit exceed, stakeholders expectations. transfer to your team where required.
INNOVATE OR
DETERIORATE
Innovation is a key to a company’s ethos of my profession, “Progress Through Sharing”, I will provide
a summary of what I have learnt, which will give you additional
success. It is one of the essential means insights on the subject.
that organizations can use to thrive and Let us start by looking at certain facts about innovation:
• Over 40% of Fortune 500 companies who were on the 2000
differentiate their business or products list, were not on the 2010 list. One of the reasons attributed to
from the competition. •
this, was the lack of innovation.1
Both, in the public and private sectors, there are significant
To a greater extent in the business world, and to some extent at the obstacles in the path of innovation implementation.2
individual level, there is a constant push to think of ways to bring • By 2025, and due to continuous innovation it is estimated
about innovation. that solar power will become the largest source of electricity
in the world, there will be no more food shortages and food
Being an Internal Audit professional, I have considered how price fluctuations as genetically modified crops will be grown
innovation can be applied in the auditing sphere, and how internal rapidly indoors, petroleum-based packaging will be replaced
auditors can become effective drivers of business innovation. by fully biodegradable cellulose, and Quantum Teleportation,
This led me to further explore the topic. And in keeping with the will be tested.3
1
Innovation Excellence: 99 Facts on the Future of Innovation for 2014 - http://innovationexcellence.com/blog/2014/01/01/99-facts-on-the-future-of-innovation/
2
Brookings: A Dozen Economic Facts About Innovation - https://www.brookings.edu/research/a-dozen-economic-facts-about-innovation/
3
International Business Times: 10 Innovations Analysts Predict Will Change The World By 2025 - http://www.ibtimes.com/10-innovations-analysts-predict-will-change-world-2025-1614130
Moreover, history is witness to a large Having obtained some background about 9. Most companies are not structured to
number of organizations that “stagnated and innovation, let us now look at defining innovate
terminated” because they did not innovate. innovation? 10. Listening to your customers is a great
To name a few: But before we do that, let us first test our way to innovate
• Blockbuster video rental company was knowledge about this topic.
not able to keep up with changes in Answer True or False to the following 10 As you may have seen, innovation is not
the entertainment industry and how questions4. Then compare your answers with quite as simple as many of us think.
it affected consumer behavior such as: those shown on page 20. Innovation takes place when an
the ability to download videos from improvement or a significant contribution is
the Internet and video-on-demand 1. Innovation is the act of coming up with made to an existing product or service.
by cable companies. The company new and creative ideas It is about creating new value and/or
eventually filed for bankruptcy in 2010. 2. Innovation is a random process capturing value in a new way. As such, Value
• Kodak, did not foresee the innovations 3. Innovation is exclusively for a few
is the key driver for any innovation.
brought by the digital age, and naturally talented people
continued to rely on conventional In the business sense, innovation is an
4. The biggest obstacle to innovation is
technology in the production of organization’s process for introducing new
a lack of organizational resources and
cameras. In 2012, Kodak filed for know-how ideas, workflows, methodologies, services,
bankruptcy. 5. The most important type of innovation products, business concepts, which would
• Motorola failed to focus on the new is bringing new products and services enable the achievement of goals across the
trend in the phone industry with the to market entire organization, and drive the overall
introduction of smartphones that 6. Teaching employees to think creatively growth agenda.
have multifunction and provide users will guarantee innovation To further elaborate on the concept, it
with online access. The company lost 7. The most powerful way to trigger your is worth noting that there are two types
its market share to newcomers like brain is to simply ask it a question of innovation. The Evolutionary or
Research in Motion, Apple, LG, and 8. Most companies pursue known rather Incremental type, and the Revolutionary or
Samsung. than radical innovation Disruptive/Radical type.Ediame
Evolutionary or Incremental
innovation involves enhancing competence to build upon an existing concept (knowledge and resources), often
resulting in relatively small changes in performance and usefulness of the existing product or service. It is the more
common form of business innovation, which is generally aimed at existing customers, carries a low risk, and is
adopted with less resistance. Examples of this are the multi-blade versus the single blade razor, or the smart versus
the earlier mobile phones.
Revolutionary or Disruptive/Radical
innovation is directed at future customers, and requires delving into new concepts and knowledge. The performance
of innovation may initially be poor as compared to existing innovation, may not evoke interest of existing users,
and is therefore fraught with risk. Examples include the desktop PC versus the mainframe, or e-learning versus
classroom training.
Traditionally, most internal auditors talk about innovation that they have brought about in their daily operations,
specifically to Planning, Fieldwork, Reporting and Audit Administration areas. This, they believe helps to enhance the
quality of the assurance and consulting services that they provide to their internal or external clients. But most of
these improvements are of the evolutionary kind.
As an Internal Auditor, how can you use this knowledge to “Enhance and Protect Organizational Value” of your
company? Internal Auditors need to explore ways to apply Revolutionary or Disruptive innovations to their operations.
This can be done through focusing on the organization’s “Innovation Governance”.
4
Test Your Innovation IQ – Forbes - http://www.forbes.com/sites/work-in-progress/2011/12/06/test-your-innovation-iq/#2f61e6b63364
Innovation Governance is the 1. Why is the Company innovating? – Do • Do they encourage sensible
organization’s mechanism to achieve all stakeholders know the importance risk-taking?
the following: of innovation, and share the reasons • Do they have a compensation sys-
• Align goals – innovation goals with why the company needs to innovate, tem that encourages entrepreneur-
business growth, and how this relates to the corporate ship and teamwork?
• Allocate resources – build qualified vision and objectives? • Have they created an environment
teams, and 2. What are the Company’s innovation that facilitates networking and com-
• Assign decision-making authority for priorities? – Where will the company munication in all directions?
innovation. focus its innovation efforts?
At a more detailed level, Innovation 5. With whom is the Company inno-
3. What level of innovation does the vating? – Concept of “open-source
Governance covers an organization’s Company want? – Is the Company
systems and processes that: innovation” – building on ideas and
looking for breakthroughs, and willing
• Define innovation commitments technologies from third parties.
to embrace uncertainty, or favoring
• Define key responsibilities of the main 6. Who will be/is responsible for what,
a more prudent approach through
players regarding innovation? – Specific inno-
incremental innovation and lower level
• Establish the set of values for all inno- vation management responsibilities at
of funding?
vation efforts all levels, owners of all key innovation
4. How can the Company innovate more
• Define innovation expectations processes.
effectively? –
• Define how to measure innovation
• Make decisions on innovation budgets • What process will take most time,
and be cost-effective, from new In conclusion, when Internal Auditors
• Balance and prioritize innovation
market needs and ideas, to success- plays a role in reviewing innovation
activities across divisions
ful market introduction? governance, they would be helping in the
• Establish management routines
regarding communications and deci- • What organizational effort is re- identification of major risks in the process.
sions quired? This would help the organization in better
The following are the areas that Internal • What tools will be/are used for understanding the challenges associated
Auditors should look at as part of their implementation? with the various innovation initiatives it is
review of whether an organization has a • What measures will be/are tracked? undertaking, and therefore allow it to grow
comprehensive innovation governance • How is a climate of creativity and and ensure its continuity in the market/
system in place: discipline being developed? industry.
1. False: In business, innovation is the act of applying 7. True: The key to innovation is to ask questions that open
knowledge, new or old, to actually creating something people to possibilities, new ways of looking at the same
different that has value
data, and new interpretations of the same old thing
2. False: Innovation is a discipline that can (and should) be
planned, measured, and managed. 8. True: Most companies focus on using internally generated
3. False: Everyone has the power to innovate by letting ideas based on known facts to produce slightly better
their brain wander, explore, connect, and see the world products
differently 9. True: Most organizations are physically set-up with little
4. False: In most organizations, the biggest obstacle to
interactions between functions, except where needed for
innovation is what people already know to be true about
their customers, markets, and business work. People often withhold information, believing that it
5. False: It is important to bring new products and services puts them in a position of power
to market. But the most important form of innovation, 10. True and False: The answer is “it depends.” Research
and the #1 challenge, is reinventing the way we manage shows that customers can be a good source of ideas
ourselves and our companies
for improving existing products and services. For new
6. False: New ideas are a dime a dozen. The hard part is
turning those ideas into new products and services that unknown products and services, customer research is not
customers value and are willing to pay for sufficient
Adil Buhariwalla,
FCA, CIA, CFE, CRMA, CI31000, CT31000, Managing Partner – MASC International
5
Innovation Management .se: What is Innovation Governance? Definition and Scope - http://www.innovationmanagement.se/2013/05/03/what-is-innovation-governance-definition-and-scope/
141695
Internal Audit Management
B Y AY M A N A B D E L R A H I M
Have you ever found it difficult to answer approach to evaluate and improve the
these questions: What is the added value effectiveness of risk management, control,
provided by the internal audit? Can and governance processes”.
you convince the senior management The Value Adding term may sound
of that the internal audit adds a value ambiguous to the senior management Assurance
to the organization you are working because they have the belief that the
for? Is the added value understandable, immeasurable is unachievable. This
clear and identified as per the internal ambiguity has been exacerbated by
audit standards? If you can’t answer
these questions, you are certainly one
defining such term among the terms set
out in the internal audit standards. Value Internal Auditing
of the many auditors who are not able Adding means “The internal audit activity
to reply to the senior management or adds value to the organization (and its Insight Objectivity
audit committee when they ask about stakeholders) when it provides objective
the added value provided by the internal and relevant assurance, and contributes
audit. to the effectiveness and efficiency of
governance, risk management, and
Ambiguity of the control processes.”. This definition is very
The Internal Audit Value Proposition
Value Adding Concept general and it is confined to the objective
assurance and effective contribution, graphic approved by the IIA.
Auditors often use the term “Value which are an integral part of the
Adding” which is circulated at characteristics of the professional internal
conferences and workshops held on the auditor.
internal audit profession. The internal The Value-Adding Activities
audit definition is influential in the use Delivering on the Promise The outcomes of “Delivering on the
of such term because it clearly refers to In November 2015, the international Promise” Report identify the activities
the internal audit. It means “An Internal Institute of Internal Auditors (IIA) issued that add value to the organization
auditing is an independent, objective a report among the publications of the according to CAEs, based on the
assurance and consulting activity Common Body of Knowledge (CBOK) outcomes of a questionnaire conducted in
designed to add value and improve an entitled “Delivering on the Promise - 2015. The CAEs identified (9) out of (14)
organization’s operations. It helps an Measuring Internal Audit Value and activities included in the questionnaire as
organization accomplish its objectives Performance”. The report addresses the they are adding value to the organization.
by bringing a systematic, disciplined concept of value adding which started These activities are:
B Y AY M A N A B D E L R A HI M
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Finally, the concept of value adding is
Assurance Activities Objective Advice Activities Insight Activities
still not clear enough to facilitate the
realization of the role of internal audit
for the stakeholders, and to put an end to
Outcomes Indicating a shift in the Internal Audit Profession the growing responsibilities that fall on
the shoulders of internal audit, which is
The summary of the “Delivering on the of the method of measurement in order expected to do lot of things that go beyond
Promise” Report addresses the realization to measure the internal audit efficiency providing assurance on grounds that they
that the added value, form the prospective in the organization. In addition, there are are part of the value adding that must be
of the stakeholders, is different from some steps that must be followed when provided.
determining the value that the internal
that realization from the prospective of audit can add, as well as the need to align
internal audit. There must be a consensus the same with the performance. The steps Ayman Abdelrahim
between the two parties and determination to be followed are as follows: MQM, CIA, CCSA, CFE.
Our professionals have a wealth of local and international experience. They work with you to ensure
your business is safeguarded and protected from hidden risks throughout your business lifecycle.
Our distinct services include:
(Standards) have been revised effective to this section are covered below:
interference exists, the CAE is empowered of current activities, trends and emerging • Scope and frequency of internal and
to disclose such interferences to the board external assessments,
issues for providing relevant advice and
and discuss its implications. • Qualifications and independence
recommendations apart from the existing
of assessor(s) and assessment team,
1112 – CAE Roles Beyond Internal competencies needed to remain proficient.
Auditing: including potential conflict of interest
This new standard added, emphasizes • Assessor’s Conclusions
the need to have appropriate safeguards 1300 – Quality Assurance and • Corrective Action Plans
in place when the CAE’s responsibilities Improvement Program: The Interpretation
extends beyond Internal Auditing. Amendments to Performance
is amended stating that a quality assurance
These safeguards are necessitated to
limit impairments to independence or and improvement program should be Standards:
objectivity. The external assessors will have designed to enable an evaluation whether
to have to ensure that Audit Committee The amendments and its possible effects to
Members are monitoring the independence the Internal Audit Department confirms this section are covered below:
of the CAE and obtaining assurance (from with the Standards only and whether
functions other than Internal Audit) on the
internal auditors apply the Code of Ethics. 2000 – Managing the Internal Audit
areas of responsibilities beyond internal
audit. Activity: The CAE is responsible for
A further responsibility is entrusted on the
effectively managing the Internal Audit
Interpretation: This new interpretation CAE by encouraging Board’s oversight in Department by always considering the
states that where the CAE is requested to this quality assurance and improvement trends and other emerging issues impacting
take additional roles and responsibilities its organization thereby adding value to
program.
beyond internal auditing such as the organization and its stakeholders. The
compliance, risk management, etc. and
Internal Audit Department adds value
assuming such roles and responsibilities
1312 – External Assessments: The to the organization and its stakeholders
might impair the independence and
objectivity of the internal audit activity Interpretation is amended stating the full when it considers Company’s strategies,
and internal auditor respectively, so external assessments or a self-assessment objectives, risks and strives to offer ways to
safeguards should be in place to limit such enhance governance, risk management and
impairments. Board will have additional with independent external valuation
control processes and objectively provide
responsibilities of having appropriate are modes of accomplishing external relevant assurance.
safeguards in place by undertaking
oversight activities that would address such assessments. The external assessor is
potential impairments due to additional 2010 – Planning: The Interpretation
made responsible to conclude its external
roles sought by the CAEs. Board can is partially amended thereby having
further conduct periodic evaluation of assessment by stating whether the internal responsibility on CAE to consult with
reporting lines and responsibilities and audit department has / has not confirmed senior management and board rather
develop alternative processes for obtaining than to use his / her own judgement in
assurance pertaining to the areas of such with the Code of Ethics and Standards
understanding the organization’s strategies,
additional responsibilities. and to support that, the external assessor’s
key business objectives, associated risks
reports can include operational or strategic and risk management process to develop
1130.A3: This new sub-standard
under Standard 1130 (Impairment to comments. The CAE is entrusted with a risk based plan. The CAE’s role as a
Independence and Objectivity) and states the responsibility of encouraging board’s Consultant is required only when no risk
that internal audit department can conduct management framework exists
an assurance service to a previously oversight in the external assessment
within the entity.
provided consulting engagement. This is thereby reducing possibilities of perceived
possible subject to the consulting service
provided earlier did not impair objectivity or potential conflict of interest. 2050 – Coordination and Reliance: The
then and individual objectivity is duly Standard title is added with the word
managed while assigning resources to this “Reliance.” The CAE is entrusted with
engagement. Thus, the CAE has to ensure 1320 – Reporting on the Quality Assurance
the responsibility of sharing information,
that objectivity is not compromised under and Improvement Program: The CAE is coordinating activities and consider relying
such circumstances.
entrusted with responsibility of having upon the work of other internal and
1210 – Proficiency: The Interpretation here external assurance and consulting service
specific disclosures on the reporting on
is amended by rewording “Professional providers to ensure proper coverage and
the quality assurance and improvement minimize duplication of efforts.
Proficiency” to “Proficiency”. The definition
here is enriched by including consideration program. They being: The Interpretation is a new addition.
“The demands on internal audit are with management and the board instead
of working with the management and / or
evolving rapidly, and The IIA is working board in developing appropriate evaluation
criteria as per previous standards. Thus,
diligently to make sure the Standards internal auditors are supposed to use their
consulting skills and identify appropriate
• Objectives are achieved. What is Internal Audit’s role? partner, etc. It is therefore incumbent on
• Decisions are properly authorised. the Chief Audit Executive to have deep
The role of Internal Audit is usually defined knowledge of the organisation and its busi-
• Reliability and integrity of ness activities through review of strategic
in the Internal Audit Charter approved by
information. the Audit Committee. The charter may also and business plans, risk assessments, and
• Assets are safeguarded. include organisation expectations about In- other relevant information.
ternal Audit and its value-add. The charter Ultimately, the Chief Audit Executive
• There is compliance with laws, should be circulated to key management so needs to drive the ‘audit environment’ and
regulations, policies and contracts. they understand Internal Audit’s obliga- provide continuous review of the effective-
• Efficiency, effectiveness, economy and tions, but also their obligations. ness of governance, risk management and
The standing of Internal Audit in an or- control processes by:
ethics of business activities is promoted. ganisation can be raised by the Chief Audit
• Opportunities for fraud and Executive becoming a trusted adviser to • Providing independent, unbiased
management. It is up to the Chief Audit assessment of an organisation’s opera-
corruption are minimised.
Executive to effectively communicate with tions.
management, develop a stakeholder rela- • Offering information to management
Stakeholders contribute to make this tionship strategy, and implement actions on the effectiveness of governance,
designed to develop a partnership rela- risk management and control process-
foundation strong and effective. tionship with management that together es. To comment Email the author at
improves the business. lalitrdua@gmail.com
The standing of Internal Audit in an or- • Acting as a catalyst for improvements
The role of Internal Audit is well-de-
ganisation can be raised by the Chief Audit in governance, risk management and
fined, with the ‘International Professional Executive becoming a trusted adviser to control processes.
Practices Framework’ (IPPF) issued by management. • Advising management what it needs
the Institute of Internal Auditors stating to know, when it needs to know it. To
Is it important to have a control be successful, the Chief Audit Exec-
Internal Audit’s mission as: environment? utive needs to have deep knowledge
“To enhance and protect organisational of the organisation and its business
The existence and robustness of a ‘control activities.
value by providing risk-based and objec-
environment’ has been emphasised for
tive assurance, advice, and insight.” many years, has been discussed by Audit Conclusion
Committees and management, and in
some jurisdictions is required by law. The Chief Audit Executive needs to devel-
In this context, Internal Audit has a duty
In conjunction with the ‘control environ- op a relationship with the Audit Commit-
to work with management to improve the ment’, an ‘audit environment’ can be de- tee and management through compelling
organisation’s risk management, control veloped and implemented in collaboration analysis and data that provides clarity and
between the Chief Audit Executive and encourages management to make timely
and governance processes.
management. The Chief Audit Execu- remedial actions.
tive should ideally be seen as a business
partner. The Audit Committee can assist As a ‘governance guardian’, the Audit Com-
Internal Audit’s contribution to the organ- mittee will be more confident of the audit
An ‘audit environment’ isation by making the ‘audit environment’ environment’ being effective if Internal
would see Internal Audit complementary to the ‘control environ- Audit steps up and collaboratively tackles
ment’. A spin-off is likely to be greater important business issues and risks.
services focus on strategic acceptance of Internal Audit by the people
who are audited. That is where the real value of Internal
and operational issues In conjunction with the ‘control envi- Audit can be found and where organisation
ronment’, an ‘audit environment’ can be
important to the business, developed and implemented in collabo-
value can be enhanced.
The Deloitte study showed the overall structure of the fraud risk management in the following graph:
Recommend
Diagnose Detect gaps in Continuous or Develop Fraud Investigate cases
Mitigating Antifraud
vulnerability to fraud anti-fraud controls Periodic Monitoring Response Plan of alleged fraud
Controls
• Evaluate the current • Evaluate management’s • Recommend • Enable continuous • Develop a fraud • Assist in the
status and effectiveness existing fraud risk enhancement of existing monitoring of controls using response plan to address investigation of cases of
of the organization’s anti- management framework controls or mitigating technology; and/or cases of alleged or alleged or confirmed fraud
fraud control environment to detect potential gaps of antifraud controls for confirmed fraud within the organization
- this involves assessing antifraud controls in the implementation, based on • Perform forensic data
the culture, attitude, and processes ‘antifraud control’ gaps analytics of transactions • Investigate cases of • Incorporate identified
awareness amongst detected periodically at the process alleged or confirmed fraud fraud risks and schemes
employees about their • Establish fraud risk level to alert Management into fraud risk management
knowledge of and response profiles by analysis and of fraud signals framework based on
to any issues of fraud or ranking of fraud risks (as findings from investigation
misconduct high/ medium/ low) against
existing anti-fraud controls
Tools Employees’ Ethics Survey Fraud Risk Management Recommend mitigating Forensic data analytics Develop Fraud Response Investigate cases of alleged
(DIAGNOSE) Tool (DETECT) anti-fraud Controls (DETECT) Plan (RESPOND) fraud (RESPOND)
(RESPOND)
Another KPMG Study specified the control methods in every stage of the fraud risk management,
which the internal auditors must ensure their effectiveness in the organization:
Prevention Detection Response
Board/audit committee oversight
Executive and line management functions
Internal audit, compliance, and monitoring functions
• Code of conduct and related standards • Hotlines and whistle-blower • Internal investigation protocols
• Employee and third-party due diligence • Auditing and monitoring • Enforcement and accountability protocols
• Communication and training • Retrospective forensic data analysis • Disclosure protocols
• Process-specific fraud risk controls • Remedial action protocols
• Proactive forensic data analysis
From this point, the role of internal audit Internal Audit Systems in organizations, the effectiveness of the design and
is reviewed in each stage of the fraud risk along with their potential exposures performance of the fraud-related
management as follows: to violations, transgression and non- control methods, ensuring that the
compliance inside the organization. Thus, audit plans and programs specify the
A. Reduction of the internal auditors must take the following residual risks under the integration
Occurrence of Fraud: factors into consideration: of fraud auditing procedures with
Reduction of the occurrence of fraud • Control Environment: Evaluation auditing the possible variations of
is internal control methods designed of the aspects of the control laws, rules and regulations and their
to reduce the occurrence of fraud risk environment, conduct of auditing effect on the control methods.
and misconduct. Despite the efforts of procedures for proactive fraud plans, • Information and Communication:
Evaluation of the effectiveness of the
organizations to reduce fraud, there is an conduct of necessary investigations,
communication system operation, with
inescapable reality, which is the occurrence reporting on the audit of fraud cases,
the provision of the necessary support
of fraud, due to the fraud and misconduct and provision of necessary support
to fraud-related training initiatives.
committed at different levels of the for corrective actions. In some cases,
• Follow-Up Activities: Evaluation of
organization. Therefore, it is necessary internal auditors may have hotlines to
the control over software, conduct
to have proper preventive and detective report any cases or suspicions of fraud. of investigations, support to the
methods. • Fraud Risk Evaluation: Evaluation of Audit Committee in supervising the
The Professional Practices issued by the fraud risk management, in particular fraud-related issues, support to the
Institute of Internal Auditors explained the management’s actions to identify, development of the identification of
the role of internal auditors in helping evaluate and test potential fraud plans fraud indicators, employment and
organizations to reduce the fraud risk and misconduct, including those training of employees to enable them
through the examination and evaluation involving suppliers and other parties. to conduct auditing of fraud and
of the sufficiency and effectiveness of the • Control Activities: Evaluation of investigations with adequate expertise.
Therefore, this shows the role of the 2. Does the organization have a clear through the existing internal control
internal audit in the supervision in order anti-fraud strategy, for example a methods and evaluate the design and
to monitor progress of the investigations policy that coordinates the ongoing effectiveness of such methods (for
to help in ensuring that the organization activities to reduce and detect fraud? example, powers, credit, separation of
follows the relevant policies, procedures, 3. Does the organization conduct duties, etc.)?
and applicable laws and legislation (where through examination for the 8. Are there effective channels to
the internal audit is not responsible for backgrounds of new potential enhance the flow of information with
conducting the investigations), in the employees? Are the investigations quality whether top down or vice
identification of misappropriated assets or and inspection of the employees who versa across the organization?
the assets related to the investigation, as are promoted to higher positions 9. Are training and awareness of cases
well as in supporting the organization in conducted? of fraud and corruption for all
its legal, insurance and other procedures 4. Is there a process for the employees provided? Is the training
through the evaluation of and control documentation of registration, regularly held and promoted in the
over the organization’s practices and tracking and response to all the organization?
plans to report on investigations, whether allegations or suspicions of a crime 10. Are there sufficient, regular and
internal or external, and monitoring the (for example reporting violations and ongoing procedures to ensure
implementation of improvements in the fraud hotline)? that the Senior Management took
control methods to ensure their efficiency 5. Is there a regular evaluation of the into consideration how effective
and effectiveness. orientations, incentives, pressures and the control environment and risk
The role of internal audit can be summed opportunities to commit the crime assessment are and how much
up in the evaluation of how sufficient across the organization? modification or update the control
the fraud risk management is in the 6. Does the organization have methods that reduce fraud risk may
organization through asking the following categorization for the potential fraud need?
questions: and its effect on the organization
through an evaluation of all the types
1. Do the Board of Directors and of fraud risk including bribery and
the Audit Committee have clear money laundering?
responsibilities regarding the fraud 7. Does the organization evaluate
risk management? whether the risks are reduced
is my Profession?
added value: Officials/Management always
estimate deep observations which show
that the auditor is not simply confined with
the broad lines of the observations, but he/
she went the extra mile to conduct an in-