
INTERNAL AUDITOR MIDDLE EAST
MARCH 2017 WWW.INTERNALAUDITOR.ME

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

INNOVATE OR DETERIORATE
The importance of focusing on the organization’s “Innovation Governance”.

Steps Helping in Recognizing the Added Value

International Standards for the Professional Practice of Internal Auditing new updates

Internal Audit responsibilities to tackle important business issues and risks.


From The President

Dear Members,

From this edition of the magazine, the Internal Auditor magazine is going DIGITAL
ONLY. Let me take this opportunity to apprise you of a few important events which have
taken place at the association. We began this year with an event to focus on emerging
trends on fraud risks and how organizations are protecting their reputation in the global
environment. Growing dependency on IT also makes us vulnerable to cyber threats.
With cars, Smart TVs and medical devices going hi-tech with internet connectivity –
the risks are far larger.

Conformance to the IIA Standards is of significant importance to demonstrate the
commitment of the internal audit departments. The UAE IAA offers as a service,
External Quality Assessments, to enable organizations to comply with the International
Professional Practices Framework (The IPPF).

Lastly, I call upon all Chief Audit Executives and aspiring leaders to step forward and
apply for the Qualification in Internal Audit Leadership (QIAL). With 450 professionals
in the world having achieved QIAL, this important certification is considered as a gold
standard for demonstrating your leadership excellence.

I wish you all the best and look forward to seeing you at our 18th Annual Regional Audit
Conference in Abu Dhabi from April 19th – 20th. A pre-audit conference workshop is
also scheduled on April 18th.

Sincerely,

Abdulqader Obaid Ali
President

3 INTERNAL AUDITOR - MIDDLE EAST MARCH 2017


INTERNAL AUDITOR
MIDDLE EAST MARCH 2017 WWW.INTERNALAUDITOR.ME

FEATURES

16 COVER STORY: Innovate or Deteriorate... What are the Company’s innovation priorities? Where will the company focus its innovation efforts? BY ADIL BUHARIWALLA

20 Internal Audit value: Steps Helping in Recognizing the Value that may be added by internal audit team. BY AYMAN ABD EL RAHIM

23 New Internal Audit Standards: Summary of updated International Standards for the Professional Practice of Internal Auditing. BY RAJIV THAKUR

27 The Audit Environment: What is the ‘audit environment’? Why do we need it? Who is responsible for it? BY LALIT DUA

DEPARTMENTS

4 Reader Feedback

6 Knowledge Update: The Security Intelligence Center - Next Steps: Beyond Response to Anticipation, Executive Perspectives on Top Risks for 2017, Beyond the Checklist - Anti-Money Laundering, Sanctions and Corruption Concerns for the Insurance Sector, Rise of the Drones - Is your enterprise prepared?, Making globalisation work for all - 20th CEO Survey by PWC. BY VISHAL THAKKAR

8 UAE-IAA Events

10 IT Audit: What are the common mistakes IT auditors make while auditing the Logical access area. BY MUHAMMAD AWAIS NASEEM

12 Conversations with Colleagues: PwC’s Middle East Assurance Clients & Markets Leader shares his views on what it means to be an effective internal audit leader. BY FARAH ARAJ

28 Fraud Risk: How the organization manages fraud risk. BY DR.KHALED MOUSA

32 Human resources: what are the skills and qualities needed to be distinguished internal auditors? BY ABDULLA HASSAN ALBARAEI



Reader Feedback

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at ghada@iiauae.org

A Comment on the Article Entitled “Tips on Writing Internal Audit Reports”

I would like to thank my colleague: Ravi Takir for the valuable information in his article entitled: “Tips on Writing Internal Audit Reports“. Given that there is more than one party interested in the internal audit reports, and in order to get the best results, every entity must be addressed according to the importance of the report for such entity, taking into account the volume of the required details. For example, when serving the report to the Audit Committee, it would be better to pass the report in brief, as much as possible, by making information brief stating the points of high importance, and then attach the full report to an appendix for those who wanted more. I always advise my colleagues to do a summary on the form of algorithms in one page, so that all the information can be passed to the reader of the report through such summary. Of course, the criteria is not in the number of pages of the report, but in the value added to the enterprise.

I would like to note that it is not necessary that all audit reports take the same form. There is what's called quick gain which fits reporting on the results of a quick audit (not pre-planned) to make sure of something. In this case, I believe that it would be better to write a report starting directly with the Executive Summary, i.e. one paragraph, and then move on to the notes. It would be better to direct praise or compliments to the company because the things should be originally positive, and the exception is represented in the release of the report and most importantly is to avoid the provocative phrases.

Ali Ahmad Abu Maelish
Director of Internal Audit in Umniah Mobile Co. - Jordan

A Comment on the Article of Mr. TORBEN HILBERTZ, (A Successful Take Off)
CIA, is Senior Vice President Internal Audit at Abu Dhabi Airports Company

I would like to thank the author for this wonderful article that carries an added value to the internal audit profession, and if I may add or comment thereon, I will focus on the angle of cost. I think that the cost of internal audit procedures must be considered within the framework of the value to be added to the organization, as the costs of auditing are high and will not add value to the business if its returns are less than its cost. Audit Manager shall create a cost structure of the internal audit function, including the breakdown of the cost of the proceedings and same shall be a part of the Internal Audit Department. The important question here is: Will the cancellation of high-cost function be better for the organization? To answer this question, I think the Director of Internal Audit shall assess the cost of each audit procedure for each task compared to the cost of each task in order to determine the breakdown of its cost. This information will undoubtedly help in deciding the implementation of certain procedures of the task, resulting in the elimination of some procedures rather than the cancelation of the entire task. So I believe that there shall be an assessment of the cost of each procedure to eventually reach the cost of a task and compare same to the return expected from this task in order to take an appropriate decision either to proceed, cancel or minimize some procedures or search for alternative procedures of lower cost or upskill the auditors to reduce the time and hence the cost, assessing the cost of each procedure for each auditor and compare among them to choose the appropriate auditor of least cost for each procedure.

Saad bin Mohammed Al-Huwaimel -
Researches and Studies Center at the Institute of Public Administration in KSA (Saudi Arabia)

INTERNAL AUDITOR MIDDLE EAST
MARCH 2017
VOLUME: 1

EDITOR-IN-CHIEF
Abdulqader Obaid Ali, CFE, CRMA, QIAL

EDITOR
Ghada Abd Elbaky

EDITORIAL ADVISORY COMMITTEE
Asem Al Naser, CPA, CIA, QIAL
Farah Araj, CPA, CIA, CFE, QIAL (Lead Member)
Andrew Cox, MBA, MEC, PFIIA, CIA, CISA, CFE, CGAP, MRMIA
Raymond Helayel, CPA, CIA
Meenakshi Razdan, CA, CPA CIA, CFE
Hossam Samy, CRMA, CFE, CPA, CGA
Nagesh Suryanarayana, MBA, CIA, CCSA
James Tebbs, CA
Vishal Thakkar, ACA, CIA
Gautam Gandhi, ACA, CIA, CISA, CFE

ARABIC REVIEW TEAM
Ayman Abdelrahim, MQM, CIA, CCSA, CFE (Lead Member)
Khalid M. Alodhaibi, SOCPA
Qais Hamdan, CISA, CISM, PMP
Noora Ayoob
Waleed Sweimeh, CIA
Saif Kaddourah, MBA

UAE INTERNAL AUDITORS ASSOCIATION
PRESIDENT: Abdulqader Obaid Ali, CFE, CRMA, QIAL
GENERAL MANAGER: Samia Al Yousuf

REGISTRATION
Internal Auditor - Middle East magazine is licensed by the National Media Council of the United Arab Emirates (License Number 244).

GUIDELINES FOR AUTHORS
www.internalauditor.me

CONTACT INFORMATION

MARKETING & SOCIAL MEDIA
Alaa Abu Nabaa, MACC, CIA, CRMA, CPA, CICP
aabunabaa@yahoo.com

ADVERTISING & ADMINISTRATION
Yasmine Abd El Aziz
yasmeen@iiauae.org
Tel: +971 55 351 2335

EDITORIAL
Ghada Abd Elbaky
ghada@iiauae.org
Tel: +971 55 728 5147

DESIGN
Girish Mehta
Adventure Advertising L.L.C.
girish@adventureuae.com
Tel: + 971 4 393 7696

Internal Auditor - Middle East is published quarterly by the UAE Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor, API Trio Tower, Dubai, United Arab Emirates

DISCLAIMERS
Internal Auditor - Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party.
The views expressed in Internal Auditor - Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers.
Internal Auditor - Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.



Knowledge Update
BY VISHAL THAKKAR

The Security Intelligence Center
Next Steps: Beyond Response to Anticipation

A recent poll conducted by The Institute of Internal Auditors’ Audit Executive Center provides an insight on an emerging trend among organizations as part of their cyber-security strategy, viz. the use of Security Operations Centers (SOCs). A defensive perspective to tackle cyber-security could be costly and ineffective. To gather another perspective on cyber-security, research was carried out to explore how an offensive approach might appear and work against a cyber attack. This report provides an insight on the topic and a groundwork of terminology, frameworks, metrics and tools, and culminates with a view of the current state of SOCs and the use of intelligence tools.

Apart from offering a summary of that research, this report helps cyber-security professionals, Chief Audit Executives (CAEs) and other stakeholders to explore broader issues and to answer the following two questions:

1) How can organizations move beyond merely being reactive and responsive to cyber-security incidents and instead be proactive and start to identify, anticipate, and actively defend against known and emerging threats?

2) What is the role of CAEs in encouraging and facilitating this shift from a reactive to a proactive stance?

By addressing and answering these questions, organizations can take the important first step by advancing their cyber-security initiatives irrespective of whether they are first establishing a SOC, or advancing further and establishing a fully functioning Security Intelligence Center (SIC).

http://contentz.mkt5790.com/lp/2842/219329/Foundation%20IA%20Cyber%20Research%20Report%20Feb%202017.pdf

Executive Perspectives on Top Risks for 2017

This report contains results from the fifth annual risk survey of directors and executives to obtain their views on likely risks which will affect their organizations in 2017. This survey provides insights across various sizes of companies and across different industry groups, specifying the key risks that are expected in 2017 based on the feedback provided by executives and board members that participated in the survey. Some of the risk drivers mentioned by the participants were Brexit, turmoil in the Middle East and the resulting surge in immigration, changes in national political leadership, depressed oil prices, monetary policies and concerns about inflation and inflated asset prices in China, global terrorism, escalating healthcare costs, rapidly developing innovations from the digital technology revolution, expanding regulation and oversight, and a strong US dollar. These and many other significant risk drivers are contributing to the risk related conversations in boardrooms and executive suites. Key findings for the year were as follows:
• Overall global business context is perceived to be markedly more risky in 2017
• Concerns about economic conditions top the list of risk issues for 2017, which was followed closely by regulatory changes and scrutiny
• Cyber-threats, information security and privacy also remain critical issues for organizations to address

Accordingly, the top risks consist of the following:
• Economic conditions in domestic and international markets
• Regulatory change and increased regulatory scrutiny
• Cyber-threats management
• Speed of disruptive innovation
• Privacy and protection of identity
• Increased magnitude and severity of risks expected in 2017
• CEOs and CFOs see a riskier environment

https://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/ecutivePerspectivesonTopRisksfor2017



Beyond the Checklist - Anti-Money Laundering, Sanctions and Corruption Concerns for the Insurance Sector

Even though there has been legislative and regulatory focus on anti-money laundering (AML) and combating the financing of terrorism (CFT) across the globe for over a decade, financial institutions still struggle to meet compliance expectations. In this white paper, key risks, mitigating factors and critical considerations for the design, implementation and improvement of an AML/CFT compliance program for insurance companies are explored.

As methods of money laundering (ML) and terrorist financing (TF) become all the more sophisticated in an increasingly interconnected global financial system, expectations from regulators continue to evolve. In order to satisfy their regulatory obligations, financial institutions should go beyond templates and checklists to develop a deeper understanding of the ever-changing risks of their markets, products, customer bases and intermediaries. This paper is not seeking to provide a comprehensive view of the AML rules for insurance companies around the world, but it does focus on the environment in select countries in three regions, viz. North America, Europe and Asia-Pacific.

Insurers are generally at lower risk of exposure to ML and TF as compared to other types of financial institutions. However, a lack of awareness about existing AML/CFT risks and obligations can increase the insurance industry’s vulnerability to this activity. With increasing fines aimed at institutions and personnel, it is even more crucial for insurers to improve their AML/CFT compliance strategies on a continuous basis.

https://www.protiviti.com/sites/default/files/united_states/insights/beyond-the-checklist-aml-protiviti.pdf

Rise of the Drones
Is your enterprise prepared?

The commercial use of drone technology is becoming increasingly popular in a number of enterprises. Currently, the regulatory environment around drone usage has evolved quickly to keep pace with the technologies being used. If management is considering adopting drone technology, many factors must be well thought-out. This white paper specifies some of the prospective uses of drone technology in a commercial environment, including business implications and risk considerations. It addresses critical questions that management must consider before implementing a drone program.

Whether most organizations are prepared to address the requirements posed by regulators, financial implications, safety and operational requirements necessary to properly sustain this type of business tool is a matter to consider. Unless the organizations have previous experience managing aviation operations, the answer is most probably a reverberating “no.”

On the contrary, rushing to implement a drone technology without being properly prepared in the first place can result in a legal and financial disaster. An uncontrolled drone program can potentially cause significant damage to the reputation of the concerned organization.

http://www.isaca.org/Knowledge-Center/Research/Documents/Rise-of-the-Drones_whp_eng_0217.pdf?regnum=361492

Making globalisation work for all - 20th CEO Survey by PWC

• 38% of CEOs are very confident about short-term business growth
• 88% of CEOs promote talent diversity and inclusiveness
• 69% of CEOs say it is harder for business to sustain trust
• 44% of CEOs say globalisation has not helped to close the gap between rich and poor
• 52% of CEOs plan to increase the headcount, but can’t find people with right skills
• 77% of CEOs are concerned that a shortage of skills could impair their company’s growth

http://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2017/gx.html



UAE-IAA Events March 2017
BY SAMIA AL YOUSUF

Global Trends in Investigations and Enforcement – PWC

UAE Internal Auditors Association in
collaboration with PwC Middle East’s
Forensics Services team hosted a conference
on Global Trends in Investigations and
Enforcement at the Intercontinental Hotel
Dubai, on January 25th. PwC’s Global
Forensics leaders in attendance shared
their experience on international trends
in economic crime and discussed the
importance of how new technologies
can help protect and mitigate risks for
businesses.
Ms. Samia Al Yousuf, UAE IAA General
Manager opened the event and welcomed
Achraf El Zaim, Forensic Services Partner
for PwC Middle East who discussed the
impact of globalization on today’s economy
and the latest Middle East statistics reported
in PwC’s Global Economic Crime Survey.
Abdul Qader Obeid Ali, Chairman of the
UAE IAA followed by outlining the current
threats of Fraud and Corruption facing
local businesses.

UAE IAA Holds February Members Meeting


UAE Internal Auditors Association held a
members meeting on 27th February 2017
at Novotel Hotel, Dubai. The meeting
focused on the role of internal audit in
the UAE and that it has come a long
way from being looked upon as merely
a function that provides assurance on
financial matters, to one that plays an
active role in assisting an organization in
implementing good governance practices.
In line with the vision of our great
leadership, which emphasizes on running
businesses ethically, UAE’s organizations
have been actively implementing measures
to promote good governance, as internal
audit plays a key role in helping to achieve
the same.
“There is a strong focus on innovation and
smarter ways to implement these practices,”
said Adil Buhariwalla, Managing Partner,
MASC International, while addressing
members of UAE Internal Auditors
Association in Dubai, at the members’
meeting.



UAE IAA introduced the revised standard through March members meeting

The UAE IAA hosted March members meeting discussing a very important topic over the Amendments in the Revised Standards of the IPPF (International Professional Practices Framework) on March 12th at Novotel Al Barsha. Mr. Rajiv Thakur was the speaker at the meeting.

UAE-IAA promoting internal auditing amongst the youth via HASAAD program’s third batch graduation

UAE Internal Auditors Association’s in collaboration with the Higher Colleges of Technology and Protiviti had honored the graduation ceremony for the third batch at HCT, Abu Dhabi. It was attended by Abdulqader Obaid Ali, UAE IAA Chairman; Ahmed Bassiouni, Managing Director at Protiviti - Member Firm for Middle East Region; Ms. Naima Al Menhali, Board Member of UAE IAA and Director of Internal Audit at the Petroleum Institute in Abu Dhabi; and Ahmed Refaat, Assistant Director at Protiviti.

UAE IAA to host “COSO Internal Control” new certificate training for the First time in the region

The program will offer participants the ability to hone their skills in designing, implementing, and conducting an effective internal control system. Once earned, the Certificate attests to the holder’s expertise in applying the 2013 COSO Internal Control–Integrated Framework.
Through a blend of self-paced learning, classroom training and online exam, this program will cover the COSO Internal Control–Integrated Framework from start to finish, using real-world scenarios. UAE IAA will be hosting the COSO Internal Control new certificate training on 14-16 May 2017.



IT Audit
BY MUHAMMAD AWAIS NASEEM
EDITED BY NAGESH SURYANARAYANA
To comment on the article, email the author at awais1116@hotmail.com

Auditing Logical Access

The Overlooked Areas
Auditing the logical access area may seem intuitive for IT auditors, but its importance can never be overemphasized. With the latest security threats and cyber security attacks, it is common for a successful cyber-attack to lead to a hacker gaining unauthorized access to critical systems and data, allowing them to alter or compromise the system or data.
This article discusses the common mistakes IT auditors make while auditing the logical access area. Although logical access is important to all system elements, i.e. DB, OS, applications etc., from now on, where required, we will focus on application-level access to narrate some examples.

Access Rights Review
Issue: One of the most common mistakes IT auditors make while auditing the logical access (LA) area is to rely solely on the periodic access rights review performed by management. In certain cases, signing the access rights review document is just a formality, done without reviewing the adequacy of and need for the user rights, as a tick-box activity that may exist only to meet audit requirements.
Solution: An IT auditor should interview the reviewer of access rights and ascertain how he or she performs this review and on what basis the validity of user rights is assessed or determined.
The IT auditor should also perform sample-based testing of the access provided to users, to verify that the rights granted to each user are in line with his or her job description or role and so determine their appropriateness.

Admin Activity Review
Issue: The other important area which IT auditors generally overlook is the review of the activity logs of privileged users / administrators. The focus is usually on the existence of admin logs for reviewing privileged user activities, which acts as a detective control, while the need for preventive controls to eliminate such occurrences is not emphasized. No doubt you need to trust your own personnel to a certain extent, but the critical role administrators play in the continuity of the business warrants such a requirement.
Solution: The IT auditor should interview relevant personnel to determine whether admin activity is being logged and periodically reviewed. Because of the extensive number of logs, it is not humanly possible to review them manually; hence an effective SIEM or log correlation tool should be implemented and configured to capture critical events such as user creation/deletion, access provisioning and revocation, and unusual activities noted after office hours, for timely detection of such occurrences.

Access Revocation
Issue: While verifying the user access revocation process, IT auditors generally adopt the approach of obtaining a list of leavers from HR and comparing it with the active users on applications, using a unique reference, e.g. employee ID, to validate the status of the user (active or inactive). While this procedure provides the status of the user account (active or revoked), it does not provide assurance for the full audit period.
Solution: While the auditor performs the above procedure, there is a need to ensure the adequacy of the demobilization process by verifying the last working day of the employee (from the HR list) against the last login or disable date (extracted from the application). For instance, if the policy mandates the revocation of employee access to the system on the last day or within 5 days, this test will provide assurance on timely revocation of employee access to eliminate misuse or violation of user access.

Conclusion
Access management is one of the critical areas of the overall security posture of the organization. Enhanced focus on and robust assessment of this area will enable the IT auditor to provide good insight into the organization's current security posture and reasonable assurance to management and key stakeholders.

Muhammad Awais Naseem
Senior IT Auditor, EY
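The Access Revocation test described above, as an added example that is not part of the original article: it matches a leavers list to an application user extract on employee ID and tests last working day against last login and disable date, alongside the status-only comparison the article calls insufficient. The CSV column names, the sample rows, the extract date and the finding labels are constructed assumptions; the 5-day window is the article's example policy.

```python
import csv
import io
from datetime import date, timedelta

GRACE_DAYS = 5  # "on last day or within 5 days" from the article's example policy

# Constructed sample extracts; column names and values are assumptions.
HR_LEAVERS_CSV = """employee_id,last_working_day
E1001,2017-01-10
E1002,2017-01-15
E1003,2017-02-01
E1004,2017-02-20
E1005,2017-03-12
"""

APP_USERS_CSV = """employee_id,status,last_login,disabled_on
E1001,disabled,2017-01-09,2017-01-10
E1002,disabled,2017-01-14,2017-02-28
E1003,disabled,2017-02-03,2017-02-04
E1004,active,2017-02-19,
E1005,active,2017-03-11,
E2000,active,2017-03-10,
"""

EXTRACT_DATE = date(2017, 3, 15)  # constructed: day the application extract was taken


def parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for an empty field."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def load_rows(text):
    """Index CSV rows by employee_id, the unique reference used for matching."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}


def status_only_check(leavers, app_users):
    """The common approach: leavers whose account is still active at extract time."""
    return sorted(e for e in leavers
                  if e in app_users and app_users[e]["status"] == "active")


def check_revocation_timeliness(leavers, app_users, extract_date, grace_days=GRACE_DAYS):
    """Test every leaver in the period, including accounts that are disabled by now."""
    findings = []
    for emp_id in sorted(leavers):
        account = app_users.get(emp_id)
        if account is None:
            continue  # leaver had no account in this application
        lwd = parse_date(leavers[emp_id]["last_working_day"])
        deadline = lwd + timedelta(days=grace_days)
        last_login = parse_date(account["last_login"])
        disabled_on = parse_date(account["disabled_on"])

        # Any login after the last working day indicates use of a leaver's account.
        if last_login and last_login > lwd:
            findings.append((emp_id, "LOGIN_AFTER_LAST_WORKING_DAY",
                             f"last login {last_login}, last working day {lwd}"))
        if account["status"] == "disabled":
            if disabled_on is None:
                findings.append((emp_id, "DISABLE_DATE_MISSING",
                                 "timeliness cannot be evidenced"))
            elif disabled_on > deadline:
                findings.append((emp_id, "REVOKED_LATE",
                                 f"disabled {(disabled_on - lwd).days} days after last working day"))
        elif extract_date > deadline:
            findings.append((emp_id, "STILL_ACTIVE_PAST_DEADLINE",
                             f"active {(extract_date - lwd).days} days after last working day"))
    return findings


def run_sample():
    """Run both approaches over the constructed extracts."""
    leavers = load_rows(HR_LEAVERS_CSV)
    users = load_rows(APP_USERS_CSV)
    return (status_only_check(leavers, users),
            check_revocation_timeliness(leavers, users, EXTRACT_DATE))


if __name__ == "__main__":
    active_now, findings = run_sample()
    print("Status-only check flags:", active_now)
    for emp_id, code, detail in findings:
        print(f"{emp_id}  {code:<30} {detail}")
```

On the sample data the status-only comparison misses the late revocation and the post-departure login, because both accounts are already disabled when the extract is taken.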

Conversations with Colleagues
BY FARAH ARAJ

Adnan Zaidi

PwC’s Middle East Assurance Clients & Markets Leader shares his views on what it means to be an effective internal audit leader

In an exclusive interview, Internal Auditor - Middle East spoke to Adnan Zaidi who is
a Partner and Board Member at PwC Middle East. Adnan is also PwC Middle East’s
Assurance Clients & Markets Leader and is a Trusted Advisor to many of the region’s
largest Corporations. He began his career almost 25 years ago with Arthur Andersen in
London and subsequently moved to Dubai and held several leadership positions with
prominent companies. Adnan was the Audit Committee Chairman of the International
Cricket Council for the past five years and holds a number of Board positions at Not-for-
Profit organisations. He is one of the region’s pioneers in the field of internal auditing
and actively supports the profession at a global and regional level. Adnan is a member
of the Executive Committee of the UAE Internal Auditors Association (UAE-IAA) as
well as being a member of the Institute of Internal Auditors’ (IIA) Global Professional
Development Committee.

In the corporate context, what is your definition of a leader?
While you’re unlikely to find a single definition of what is a leader, I would define a leader as someone who has an inspiring vision for his company and is able to effectively manage and motivate his subordinates to work hard and align themselves with that vision. This requires the leader to have both high levels of integrity as well as emotional intelligence.

How has PwC developed leaders in the Middle East region?
PwC is one of the largest companies in the world. We are a market leader in the Middle East who have been in the region for over 40 years and we employ over 4,000 professionals across 12 countries and work with the region’s largest and most prominent entities. We have used this position of strength to attract and retain the best and brightest individuals in our region. We’ve leveraged our global career progression framework to provide our staff with opportunities for international assignments and experience. We’ve also actively promoted board and executive education through events and through client projects. Also, we’ve invested heavily in training GCC nationals, both clients and staff, to prepare them for future leadership roles. I strongly believe that PwC has made a powerful and sustainable impact on leadership capabilities in the Middle East.

Do you believe there is a correlation between the value that an internal audit function generates and the effectiveness of its leader?
Absolutely and this is not just my opinion. Last year’s PwC State of the Internal Audit Profession study (the “Study”) showed a correlation between strong Internal Audit leadership and the ability of the Internal Audit Department to add value and deliver strong performance. When stakeholders perceived the Chief Audit Executive as an effective leader, in over 90% of the cases they viewed the Internal Audit Department as a value adding and high performing function.

“Internal Audit leaders who invest in themselves gain the respect of their stakeholder and are a source of inspiration to their team and peers”

How do stakeholders perceive the value internal audit provides?
The 2017 Study which we just released shows a negative trend in stakeholders’ perceptions of the value provided by Internal Audit. This year only 44% of stakeholders believed their Internal Audit Departments provide them with value compared to 54% in 2016. When we dug a bit deeper we found out that even the Internal Audit Departments which add value are expected to provide even more value each year. This means that an effective Internal Audit leader should not be satisfied with the status quo and should continue to evolve and meet, as well as exceed, stakeholders’ expectations.

So what are the characteristics of an effective Internal Audit leader?
While an effective Internal Audit leader has many notable characteristics, my top three characteristics would be:
1) Strategic thinking: This involves looking at the big picture of the organisation and the Internal Audit Function. Like any corporate leader, the Internal Audit leader needs to develop a vision for the Internal Audit Department which is aligned to the company’s strategy and stakeholders’ expectations. This is not done through a Three Year Internal Audit plan - one needs an actual strategy document, with objectives and key measures which feed into the annual and long term Internal audit plans. Without this characteristic, internal audit leaders cannot achieve strategic alignment.
2) Communication skills: Internal Audit leaders need to clearly communicate their ideas to engage stakeholders, to highlight key risks to the business and to manage staff. These leaders use their powerful communication skills to exert influence beyond the Internal Audit function and to enthusiastically promote positive change.
3) Develops talent: This is about more than building your team’s skill but about building the right skills that align to the business and Internal Audit’s vision! This also means leveraging external resources as necessary to meet the organisation’s needs and to facilitate knowledge transfer to your team where required.



TO COMMENT on the article, Interviews - FA
EMAIL the author at farah.araj@gmail.com

Thinking about a couple of effective Internal Audit leaders who possess these characteristics, could you tell us how these leaders attained these characteristics?
The 2017 Study showed that 47% of Internal Audit Departments are not seen by stakeholders as an advisor to the business or that their corporate culture does not support Internal Audit taking a more strategic role. This would indicate that most effective Internal Audit leaders had a challenging journey to become trusted advisors to the business. They have gained experience in good companies, they were mentored by effective leaders and they achieved relevant Internal Audit certifications. However, these healthy circumstances alone would not necessarily result in an effective Internal Audit leader. They have pushed the boundaries of their responsibilities, they’ve stayed up to date with developments in the profession and they’ve continued their professional education through attending relevant conferences and trainings. Most importantly, these Internal Audit leaders have been involved early in the business disruption cycle. Our 2017 Study showed that Internal Audit departments that addressed business disruptions (such as new regulation, changes in business model or strategy, cybersecurity and privacy threats) were perceived to be adding significant value to their organisations.

Is there a role for the Audit Committee in increasing the effectiveness of Chief Audit Executives and their successors?
Most certainly! This role takes place at many levels. From the human resources side, they should require succession plans to be put in place for key positions in the Internal Audit department and provide the department with a sufficient budget to attend trainings and conferences. From the scope side, they should ask the Chief Audit Executive for a more complete picture of the organization’s response to business disruptions. From the quality side, the Audit Committee should actively review the results of the quality assurance and improvement program and demand both internal and external assessments. Finally, the Audit Committee should clearly communicate expectations to the Chief Audit Executive and formally evaluate his performance on an annual basis. All these elements create an environment which helps grow and retain effective Internal Audit leaders.

Do you have any final advice for aspiring or current Internal Audit leaders?
If I had to leave you with one last thought it would be that our stakeholders are continually demanding more from the Internal Audit function and it is imperative for Internal Audit leaders to focus on the big picture and aligning to what is important to the business. Do this by creating a great vision for the Internal Audit department, hire great people and motivate them to work towards that vision! Also, make sure that this vision pushes the boundaries of Internal Audit and focuses on new value add areas such as business disruption. This is the only way the Internal Audit function would be able to provide value-adding services and proactive advice for the business today and become a trusted advisor.



Innovation
BY ADIL BUHARIWALLA

INNOVATE OR DETERIORATE

Innovation is a key to a company’s success. It is one of the essential means that organizations can use to thrive and differentiate their business or products from the competition.

To a greater extent in the business world, and to some extent at the individual level, there is a constant push to think of ways to bring about innovation.

Being an Internal Audit professional, I have considered how innovation can be applied in the auditing sphere, and how internal auditors can become effective drivers of business innovation. This led me to further explore the topic. And in keeping with the ethos of my profession, “Progress Through Sharing”, I will provide a summary of what I have learnt, which will give you additional insights on the subject.

Let us start by looking at certain facts about innovation:
• Over 40% of Fortune 500 companies who were on the 2000 list, were not on the 2010 list. One of the reasons attributed to this, was the lack of innovation.1
• Both, in the public and private sectors, there are significant obstacles in the path of innovation implementation.2
• By 2025, and due to continuous innovation it is estimated that solar power will become the largest source of electricity in the world, there will be no more food shortages and food price fluctuations as genetically modified crops will be grown rapidly indoors, petroleum-based packaging will be replaced by fully biodegradable cellulose, and Quantum Teleportation, will be tested.3

1 Innovation Excellence: 99 Facts on the Future of Innovation for 2014 - http://innovationexcellence.com/blog/2014/01/01/99-facts-on-the-future-of-innovation/
2 Brookings: A Dozen Economic Facts About Innovation - https://www.brookings.edu/research/a-dozen-economic-facts-about-innovation/
3 International Business Times: 10 Innovations Analysts Predict Will Change The World By 2025 - http://www.ibtimes.com/10-innovations-analysts-predict-will-change-world-2025-1614130


Moreover, history is witness to a large number of organizations that “stagnated and terminated” because they did not innovate. To name a few:
• Blockbuster video rental company was not able to keep up with changes in the entertainment industry and how it affected consumer behavior such as: the ability to download videos from the Internet and video-on-demand by cable companies. The company eventually filed for bankruptcy in 2010.
• Kodak did not foresee the innovations brought by the digital age, and continued to rely on conventional technology in the production of cameras. In 2012, Kodak filed for bankruptcy.
• Motorola failed to focus on the new trend in the phone industry with the introduction of smartphones that have multifunction and provide users with online access. The company lost its market share to newcomers like Research in Motion, Apple, LG, and Samsung.

Having obtained some background about innovation, let us now look at defining innovation. But before we do that, let us first test our knowledge about this topic. Answer True or False to the following 10 questions4. Then compare your answers with those shown on page 20.

1. Innovation is the act of coming up with new and creative ideas
2. Innovation is a random process
3. Innovation is exclusively for a few naturally talented people
4. The biggest obstacle to innovation is a lack of organizational resources and know-how
5. The most important type of innovation is bringing new products and services to market
6. Teaching employees to think creatively will guarantee innovation
7. The most powerful way to trigger your brain is to simply ask it a question
8. Most companies pursue known rather than radical innovation
9. Most companies are not structured to innovate
10. Listening to your customers is a great way to innovate

As you may have seen, innovation is not quite as simple as many of us think. Innovation takes place when an improvement or a significant contribution is made to an existing product or service. It is about creating new value and/or capturing value in a new way. As such, Value is the key driver for any innovation.

In the business sense, innovation is an organization’s process for introducing new ideas, workflows, methodologies, services, products, business concepts, which would enable the achievement of goals across the entire organization, and drive the overall growth agenda.

To further elaborate on the concept, it is worth noting that there are two types of innovation. The Evolutionary or Incremental type, and the Revolutionary or Disruptive/Radical type.

Evolutionary or Incremental
innovation involves enhancing competence to build upon an existing concept (knowledge and resources), often
resulting in relatively small changes in performance and usefulness of the existing product or service. It is the more
common form of business innovation, which is generally aimed at existing customers, carries a low risk, and is
adopted with less resistance. Examples of this are the multi-blade versus the single blade razor, or the smart versus
the earlier mobile phones.

Revolutionary or Disruptive/Radical
innovation is directed at future customers, and requires delving into new concepts and knowledge. The performance
of innovation may initially be poor as compared to existing innovation, may not evoke interest of existing users,
and is therefore fraught with risk. Examples include the desktop PC versus the mainframe, or e-learning versus
classroom training.

Traditionally, most internal auditors talk about innovation that they have brought about in their daily operations,
specifically in the Planning, Fieldwork, Reporting and Audit Administration areas. This, they believe, helps to enhance the
quality of the assurance and consulting services that they provide to their internal or external clients. But most of
these improvements are of the evolutionary kind.

As an Internal Auditor, how can you use this knowledge to “Enhance and Protect Organizational Value” of your
company? Internal Auditors need to explore ways to apply Revolutionary or Disruptive innovations to their operations.
This can be done through focusing on the organization’s “Innovation Governance”.

4 Test Your Innovation IQ – Forbes - http://www.forbes.com/sites/work-in-progress/2011/12/06/test-your-innovation-iq/#2f61e6b63364



TO COMMENT on the article,
EMAIL the author at adilbu@mailme.ae

Innovation Governance is the organization’s mechanism to achieve the following:
• Align goals – innovation goals with business growth,
• Allocate resources – build qualified teams, and
• Assign decision-making authority for innovation.

At a more detailed level, Innovation Governance covers an organization’s systems and processes that:
• Define innovation commitments
• Define key responsibilities of the main players
• Establish the set of values for all innovation efforts
• Define innovation expectations
• Define how to measure innovation
• Make decisions on innovation budgets
• Balance and prioritize innovation activities across divisions
• Establish management routines regarding communications and decisions

The following are the areas that Internal Auditors should look at as part of their review of whether an organization has a comprehensive innovation governance system in place:

1. Why is the Company innovating? – Do all stakeholders know the importance of innovation, and share the reasons why the company needs to innovate, and how this relates to the corporate vision and objectives?
2. What are the Company’s innovation priorities? – Where will the company focus its innovation efforts?
3. What level of innovation does the Company want? – Is the Company looking for breakthroughs, and willing to embrace uncertainty, or favoring a more prudent approach through incremental innovation and lower level of funding?
4. How can the Company innovate more effectively? –
• What process will take most time, and be cost-effective, from new market needs and ideas, to successful market introduction?
• What organizational effort is required?
• What tools will be/are used for implementation?
• What measures will be/are tracked?
• How is a climate of creativity and discipline being developed?
• Do they encourage sensible risk-taking?
• Do they have a compensation system that encourages entrepreneurship and teamwork?
• Have they created an environment that facilitates networking and communication in all directions?
5. With whom is the Company innovating? – Concept of “open-source innovation” – building on ideas and technologies from third parties.
6. Who will be/is responsible for what, regarding innovation? – Specific innovation management responsibilities at all levels, owners of all key innovation processes.

In conclusion, when Internal Auditors play a role in reviewing innovation governance, they would be helping in the identification of major risks in the process. This would help the organization in better understanding the challenges associated with the various innovation initiatives it is undertaking, and therefore allow it to grow and ensure its continuity in the market/industry.

1. False: In business, innovation is the act of applying knowledge, new or old, to actually creating something different that has value
2. False: Innovation is a discipline that can (and should) be planned, measured, and managed.
3. False: Everyone has the power to innovate by letting their brain wander, explore, connect, and see the world differently
4. False: In most organizations, the biggest obstacle to innovation is what people already know to be true about their customers, markets, and business
5. False: It is important to bring new products and services to market. But the most important form of innovation, and the #1 challenge, is reinventing the way we manage ourselves and our companies
6. False: New ideas are a dime a dozen. The hard part is turning those ideas into new products and services that customers value and are willing to pay for
7. True: The key to innovation is to ask questions that open people to possibilities, new ways of looking at the same data, and new interpretations of the same old thing
8. True: Most companies focus on using internally generated ideas based on known facts to produce slightly better products
9. True: Most organizations are physically set-up with little interactions between functions, except where needed for work. People often withhold information, believing that it puts them in a position of power
10. True and False: The answer is “it depends.” Research shows that customers can be a good source of ideas for improving existing products and services. For new unknown products and services, customer research is not sufficient

Adil Buhariwalla,
FCA, CIA, CFE, CRMA, CI31000, CT31000, Managing Partner – MASC International

5 Innovation Management .se: What is Innovation Governance? Definition and Scope - http://www.innovationmanagement.se/2013/05/03/what-is-innovation-governance-definition-and-scope/

Internal Audit Management
BY AYMAN ABDELRAHIM

Searching for Added Value

Have you ever found it difficult to answer these questions: What is the added value provided by the internal audit? Can you convince the senior management that the internal audit adds value to the organization you are working for? Is the added value understandable, clear and identified as per the internal audit standards? If you can’t answer these questions, you are certainly one of the many auditors who are not able to reply to the senior management or audit committee when they ask about the added value provided by the internal audit.

Ambiguity of the Value Adding Concept

Auditors often use the term “Value Adding” which is circulated at conferences and workshops held on the internal audit profession. The internal audit definition is influential in the use of such term because it clearly refers to the internal audit. It means “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

The Value Adding term may sound ambiguous to the senior management because they have the belief that the immeasurable is unachievable. This ambiguity has been exacerbated by defining such term among the terms set out in the internal audit standards. Value Adding means “The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.” This definition is very general and it is confined to the objective assurance and effective contribution, which are an integral part of the characteristics of the professional internal auditor.

Delivering on the Promise

In November 2015, the international Institute of Internal Auditors (IIA) issued a report among the publications of the Common Body of Knowledge (CBOK) entitled “Delivering on the Promise - Measuring Internal Audit Value and Performance”. The report addresses the concept of value adding which started by identifying internal audit value proposition in 2010, which consists of three key elements as follows:

• Assurance: Providing assurance on the organization’s governance, risk management, and control processes.
• Objectivity: The Internal Audit is committed to the integrity and accountability through which a value shall be provided to the senior management in an objective and independent manner for guidance and advice.
• Insight: Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

[Figure: The Internal Audit Value Proposition graphic approved by the IIA. Labels: Internal Auditing, Assurance, Insight, Objectivity.]

The Value-Adding Activities

The outcomes of “Delivering on the Promise” Report identify the activities that add value to the organization according to CAEs, based on the outcomes of a questionnaire conducted in 2015. The CAEs identified (9) out of (14) activities included in the questionnaire as they are adding value to the organization. These activities are:



TO COMMENT on the article,
EMAIL the author at ayman.abdelrahim@outlook.com

Key Value-Adding Activities

Assurance Activities
• Assuring the adequacy and effectiveness of the internal control system.
• Assuring the organization’s risk management processes.
• Assuring regulatory compliance.
• Assuring the organization’s governance processes.

Objective Advice Activities
• Informing and advising the management.
• Investigating or deterring fraud.
• Informing and advising the audit committee

Insight Activities
• Recommending business improvement.
• Identifying emerging risks.

Outcomes Indicating a shift in the Internal Audit Profession

It is worth mentioning that the outcomes of the questionnaire set out in the “Delivering on the Promise” Report indicate that the “Recommending business improvement” activity ranked second in terms of value adding after the “Assuring the adequacy and effectiveness of the internal control system” activity.

This is an indication that the internal audit had exceeded providing assurance in many organizations.

Moreover, one third of the answers were that the activity of “Identifying emerging risks” adds value to the organization; suggesting that the internal audit plays a role in determining the emerging risks, and this is contrary to what is known in terms of non-audit responsibility for identifying internal risks as they are the responsibility of the management. However, the activity of “Informing and advising the audit committee” came in last among the value-adding activities.

Audit Activities that Bring Most Value
Assuring the adequacy and effectiveness of the internal control system: 86%
Recommending business improvement: 55%
Assuring the organizations risk management processes: 53%
Assuring regulatory compliance: 50%
Informing and advising the management: 40%
Identifying emerging risks: 37%
Assuring the organizations governance processes: 37%
Investigating or deterring fraud: 29%
Informing and advising the audit committee: 28%

Outcomes Indicating a shift in the Internal Audit Profession

The summary of the “Delivering on the Promise” Report addresses the realization that the added value, from the perspective of the stakeholders, is different from that realization from the perspective of internal audit. There must be a consensus between the two parties and determination of the method of measurement in order to measure the internal audit efficiency in the organization. In addition, there are some steps that must be followed when determining the value that the internal audit can add, as well as the need to align the same with the performance. The steps to be followed are as follows:

1. Learning the stakeholders’ expectations through holding meetings and interviews with them to know what the added value means to them.
2. Surveying and identifying stakeholders’ expectations and presenting the same to such stakeholders for confirmation and approval.
3. Developing performance indicators in line with expectations to achieve them. For example, setting performance index for each item of the agreed upon added value.
4. Conducting periodic monitoring of the achievement of performance indicators and identifying the causes of any obstacles to the achievement of indicators.
5. Reporting to the stakeholders on the extent of fulfilling the performance indicators.
6. Repeating the previous steps periodically and at least annually.

Planning for Value Adding

The value adding is not limited to providing of assurance only as pointed out in “Delivering on the Promise” Report. Rather, it seems that the internal audit is in need of developing a new method for the preparation of the internal audit plan. Such method must be better than the current one which depends on risk based audit plan in order to focus on the activities that bring most value to the organization. Moreover, it is difficult to participate in identifying emerging risks and recommending business improvement through traditional audit. This must be taken into consideration when rethinking the method of developing the internal audit plan. Having an insightful vision by the auditor is also required for the sustainability and continuity of the business of the organization he/she is working for.

Summary

Finally, the concept of value adding is still not clear enough to facilitate the realization of the role of internal audit for the stakeholders, and to put an end to the growing responsibilities that fall on the shoulders of internal audit, which is expected to do a lot of things that go beyond providing assurance on grounds that they are part of the value adding that must be provided.

Ayman Abdelrahim
MQM, CIA, CCSA, CFE.



Internal Audit Quality
BY RAJIV THAKUR

New Internal Audit Standards

The International Standards for the Professional Practice of Internal Auditing (Standards) have been revised effective from January 01, 2017. This is a summary of the main changes.

The International Professional Practice Framework (IPPF) last revised in 2015 was introduced with a new Mission of Internal Audit and the Mandatory Guidance Section was also introduced with 10 Core Principles for the Professional Practice of Internal Auditing. Further, the roles and responsibilities of the CAEs are ever changing considering the business requirements and the CAEs are also entrusted with many other responsibilities beyond internal auditing such as compliance, risk management, etc.

These Standards were amended after considering the revision to IPPF and also considering the additional roles and responsibilities of the CAEs so that the independence is not compromised and the Internal Audit Department adds value to the entity.

The revisions to the Standards have occurred under many headings. These are broadly covered in the following two categories:

Amendments to Attribute Standards:

The amendments and their possible effects to this section are covered below:

1000 - Purpose, Authority and Responsibility: The purpose, authority and responsibility of the Internal Audit Department must be defined in the Internal Audit Charter and be consistent with the Mission of Internal Audit and the mandatory elements of IPPF consisting of Core Principles as introduced in the revised IPPF. Thus, a revision to the Internal Audit Charter is demanded incorporating the Mission of Internal Audit and Core Principles.

1110.A1: Organizational Independence – Generally, the Internal Audit Department must be free from any interference in determining the scope of internal auditing, performing work and communicating results. Where an interference exists, the CAE is empowered to disclose such interferences to the board and discuss its implications.

1112 – CAE Roles Beyond Internal Auditing: This new standard emphasizes the need to have appropriate safeguards in place when the CAE’s responsibilities extend beyond Internal Auditing. These safeguards are necessitated to limit impairments to independence or objectivity. The external assessors will have to ensure that Audit Committee Members are monitoring the independence of the CAE and obtaining assurance (from functions other than Internal Audit) on the areas of responsibilities beyond internal audit.

Interpretation: This new interpretation states that where the CAE is requested to take additional roles and responsibilities beyond internal auditing such as compliance, risk management, etc. and assuming such roles and responsibilities might impair the independence and objectivity of the internal audit activity and internal auditor respectively, safeguards should be in place to limit such impairments. Board will have additional responsibilities of having appropriate safeguards in place by undertaking oversight activities that would address such potential impairments due to additional roles sought by the CAEs. Board can further conduct periodic evaluation of reporting lines and responsibilities and develop alternative processes for obtaining assurance pertaining to the areas of such additional responsibilities.

1130.A3: This new sub-standard under Standard 1130 (Impairment to Independence and Objectivity) states that internal audit department can conduct an assurance service to a previously provided consulting engagement. This is possible subject to the consulting service provided earlier did not impair objectivity then and individual objectivity is duly managed while assigning resources to this engagement. Thus, the CAE has to ensure that objectivity is not compromised under such circumstances.

1210 – Proficiency: The Interpretation here is amended by rewording “Professional Proficiency” to “Proficiency”. The definition here is enriched by including consideration of current activities, trends and emerging issues for providing relevant advice and recommendations apart from the existing competencies needed to remain proficient.

1300 – Quality Assurance and Improvement Program: The Interpretation is amended stating that a quality assurance and improvement program should be designed to enable an evaluation whether the Internal Audit Department conforms with the Standards only and whether internal auditors apply the Code of Ethics. A further responsibility is entrusted on the CAE by encouraging Board’s oversight in this quality assurance and improvement program.

1312 – External Assessments: The Interpretation is amended stating the full external assessments or a self-assessment with independent external validation are modes of accomplishing external assessments. The external assessor is made responsible to conclude its external assessment by stating whether the internal audit department has / has not conformed with the Code of Ethics and Standards and to support that, the external assessor’s reports can include operational or strategic comments. The CAE is entrusted with the responsibility of encouraging board’s oversight in the external assessment thereby reducing possibilities of perceived or potential conflict of interest.

1320 – Reporting on the Quality Assurance and Improvement Program: The CAE is entrusted with responsibility of having specific disclosures on the reporting on the quality assurance and improvement program. They being:
• Scope and frequency of internal and external assessments,
• Qualifications and independence of assessor(s) and assessment team, including potential conflict of interest
• Assessor’s Conclusions
• Corrective Action Plans

Amendments to Performance Standards:

The amendments and their possible effects to this section are covered below:

2000 – Managing the Internal Audit Activity: The CAE is responsible for effectively managing the Internal Audit Department by always considering the trends and other emerging issues impacting its organization thereby adding value to the organization and its stakeholders. The Internal Audit Department adds value to the organization and its stakeholders when it considers Company’s strategies, objectives, risks and strives to offer ways to enhance governance, risk management and control processes and objectively provide relevant assurance.

2010 – Planning: The Interpretation is partially amended thereby having responsibility on CAE to consult with senior management and board rather than to use his / her own judgement in understanding the organization’s strategies, key business objectives, associated risks and risk management process to develop a risk based plan. The CAE’s role as a Consultant is required only when no risk management framework exists within the entity.

2050 – Coordination and Reliance: The Standard title is added with the word “Reliance.” The CAE is entrusted with the responsibility of sharing information, coordinating activities and considering relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts. The Interpretation is a new addition.



TO COMMENT on the article,
EMAIL the author at rajiv.thakur@massarsolutions.ae

“The demands on internal audit are evolving rapidly, and The IIA is working diligently to make sure the Standards and IPPF reflect that evolution”
IIA President and CEO Richard Chambers 1

It mentions that where engagement activities require coordination from other assurance and consulting service providers, the CAE can do so, provided a consistent approach for reliance is followed and the competencies, objectivity and due professional care of these service providers are considered. The CAE is expected to have clear understanding of the scope, objectives and results of work performed by such providers. The CAE still remains accountable and responsible even if the reliance is placed on work of others for ensuring adequate support for conclusions and opinions reached by the internal audit activity.

2060 – Reporting to Senior Management and the Board: The CAE is assigned with additional responsibilities on periodically reporting to the Senior Management and Board on the Internal Audit Department’s conformance with the Code of Ethics and the Standards in addition

• Conformance with the Code of Ethics and the Standards and action plans to address any significant conformance issues,
• Management’s response to risk that, in the CAE’s judgment, may be unacceptable to the organization.

2100 – Nature of Work: The Internal Audit Department is entrusted with the responsibility of evaluating and contributing to the improvement of the organization’s governance, risk management and control processes using a systematic, disciplined and risk based approach. The value and credibility of the department enhances when the team is proactive and the evaluation offers better insight and forecasts future impact. Thus, Internal Audit Department is made more responsible in providing value adding insights to the entity and improving organization’s governance, risk management and control processes.

2110 – Governance: The Internal

with management and the board instead of working with the management and / or board in developing appropriate evaluation criteria as per previous standards. Thus, internal auditors are supposed to use their consulting skills and identify appropriate evaluation criteria by due discussion with management and / or the board rather than working with management / board to develop suitable criteria. A new Interpretation is added stating there are three types of criteria being 1) Internal, 2) External and 3) Leading Practices.

2410 – Criteria for Communicating: The amended standard states that communication must include engagement’s objectives, scope and results.

2410.A1: The amendment done is the final communication of engagement results should mandatorily include applicable conclusions, applicable recommendations and / or action plans. Internal auditor’s opinion should be provided only where appropriate. Previously, internal auditor’s opinion and / or conclusions must be provided only where appropriate. Further, only opinion (and not conclusion as in previous standards) must take account of expectations of senior management, board and other stakeholders.

2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”: The internal auditors can indicate that engagements are conducted
to the department’s purpose, authority, Audit Department is entrusted with in conformance with the International
responsibility and performance relative additional responsibilities on improving Standards for the Professional Practice
to its plan. the organizations’ governance process of Internal Auditing if the results of the
The Interpretation is amended and states by assessing and making appropriate quality assurance and improvement
that the frequency of the reporting to recommendations on the strategic and program support this. Thus, the emphasis
the Senior Management and the Board operational decisions and overseeing the is on indication rather than on reporting
is determined in collaboration and risk management and controls. on the conformance.
not just mere discussion by the Senior 2200 – Engagement Planning: The standard 2450 – Overall Opinions: The internal
Management, Board and the CAE. Thus, is revised to include that the internal
auditors have an added responsibility of
the CAE is empowered to collaborate auditors have to be well aware of the
with Senior Management and Board organizations’ strategies, objectives and taking into consideration the organization’s
for deciding the frequency and content relevant risks and must consider the same strategies, objectives and also risks when
of the reporting. The CAE is entrusted while planning any engagement. framing an overall opinion. Further, the
with the responsibility of reporting and 2201 – Planning Considerations: In Interpretation states that a summary of
communication to Senior Management planning an engagement, internal auditors relevant information supporting such
and the Board which must include must consider organization’s strategies and opinion must be included in addition to
information about: significant risk to activity’s objectives under the earlier requirements.
review. 1 https://na.theiia.org/news/press-
• The audit charter, 2210.A3 – This is a sub-standard under releases/Pages/Proposed-Internal-Audit-
• Independence of the internal audit Standard 2210 (Engagement Objectives) Standards-Changes-Unveiled.aspx
activity, and the amendment is that where criteria
• The audit plan and progress against to evaluate governance, risk management
the plan, and controls is inadequate, internal
RAJIV THAKUR
• Resource requirements, auditors must identify appropriate CA, CIA, is an internal audit team leader at a
• Results of audit activities, evaluation criteria through discussion leading automotive company in Abu Dhabi.

27 INTERNAL AUDITOR - MIDDLE EAST MARCH 2017


Internal Control
BY LALIT DUA, EDITED BY ANDREW COX

The Audit Environment

Audit environment... What is it? Never heard of it? Why do we need it? Who is responsible for it?

What is the ‘audit environment’?

Internal Audit reports to the Audit Committee and has independent status to make objective, unbiased evaluation and judgement about systems, controls and risks relating to business operations. The Internal Audit Charter gives Internal Audit a mandate to access information, records and people. Yet the Internal Audit Department often struggles to gain acceptance and prove its value to stakeholders in their organisation.

A definition of ‘audit environment’ could be:

“An organisation environment where Internal Audit aligns its activities with business activities and risks. Internal Audit services focus on strategic and operational issues important to the business, with a collaborative partnership formed between Internal Audit and management. Action plans emanating from audits are facilitated by Internal Audit, but agreed, owned and implemented by management.”

For many years, Internal Audit professionals have been focusing on the ‘control environment’, which is the foundation on which an effective system of internal control is built within an organisation. It is designed to ensure:


• Objectives are achieved.
• Decisions are properly authorised.
• Reliability and integrity of information.
• Assets are safeguarded.
• There is compliance with laws, regulations, policies and contracts.
• Efficiency, effectiveness, economy and ethics of business activities is promoted.
• Opportunities for fraud and corruption are minimised.

Stakeholders contribute to make this foundation strong and effective.

The role of Internal Audit is well-defined, with the ‘International Professional Practices Framework’ (IPPF) issued by the Institute of Internal Auditors stating Internal Audit’s mission as:

“To enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.”

In this context, Internal Audit has a duty to work with management to improve the organisation’s risk management, control and governance processes.

An ‘audit environment’ would see Internal Audit services focus on strategic and operational issues important to the business, with a collaborative partnership formed between Internal Audit and management.

What is Internal Audit’s role?

The role of Internal Audit is usually defined in the Internal Audit Charter approved by the Audit Committee. The charter may also include organisation expectations about Internal Audit and its value-add. The charter should be circulated to key management so they understand Internal Audit’s obligations, but also their obligations.

The standing of Internal Audit in an organisation can be raised by the Chief Audit Executive becoming a trusted adviser to management. It is up to the Chief Audit Executive to effectively communicate with management, develop a stakeholder relationship strategy, and implement actions designed to develop a partnership relationship with management that together improves the business.

Is it important to have a control environment?

The existence and robustness of a ‘control environment’ has been emphasised for many years, has been discussed by Audit Committees and management, and in some jurisdictions is required by law.

In conjunction with the ‘control environment’, an ‘audit environment’ can be developed and implemented in collaboration between the Chief Audit Executive and management. The Chief Audit Executive should ideally be seen as a business partner. The Audit Committee can assist Internal Audit’s contribution to the organisation by making the ‘audit environment’ complementary to the ‘control environment’. A spin-off is likely to be greater acceptance of Internal Audit by the people who are audited.

Who is responsible for that?

The Chief Audit Executive is often considered to have many roles, such as an appraiser, consultant, facilitator, business partner, etc. It is therefore incumbent on the Chief Audit Executive to have deep knowledge of the organisation and its business activities through review of strategic and business plans, risk assessments, and other relevant information.

Ultimately, the Chief Audit Executive needs to drive the ‘audit environment’ and provide continuous review of the effectiveness of governance, risk management and control processes by:

• Providing independent, unbiased assessment of an organisation’s operations.
• Offering information to management on the effectiveness of governance, risk management and control processes.
• Acting as a catalyst for improvements in governance, risk management and control processes.
• Advising management what it needs to know, when it needs to know it. To be successful, the Chief Audit Executive needs to have deep knowledge of the organisation and its business activities.

Conclusion

The Chief Audit Executive needs to develop a relationship with the Audit Committee and management through compelling analysis and data that provides clarity and encourages management to make timely remedial actions.

As a ‘governance guardian’, the Audit Committee will be more confident of the ‘audit environment’ being effective if Internal Audit steps up and collaboratively tackles important business issues and risks.

That is where the real value of Internal Audit can be found and where organisation value can be enhanced.

Internal Audit needs to step up and collaboratively tackle important business issues and risks.

Lalit Dua
Vice President Internal Audit in Health care group Dubai

TO COMMENT on the article, EMAIL the author at lalitrdua@gmail.com


Fraud Risk
BY KHALID MOUSA

The Risk of Fraud and the Role of Internal Audit

Fraud is one of the challenges that face different organizations and sectors. It hinders performance, wastes money and scarce resources, and inflicts damages on the organization, its reputation and its competitiveness. This damage is not restricted to financial losses; it may take other forms as well. It could be a loss in the organization’s performance, its reputation and credibility, and the trust of its investors, which render the organization exposed to many risks. The different stakeholders expect that the management of the organization would manage this risk by developing programs to combat the risk of fraud.

Companies nowadays face the risk of fraud more than any time before as a result of the economic instability, the increasing reliance on information technology and transactional complexity, leading to the existence of pressures, opportunities and justifications for fraud. These three elements constitute the basis of the risk of fraud.

[Figure: Fraud Risk and its three elements: Pressures/incentives, Opportunities, Attitudes & justifications]

The updated Internal Control - Integrated Framework issued by Committee of Sponsoring Organizations (COSO) of the Treadway Commission in May 2013 placed emphasis on some points that might be of help to the management in the effective design and implementation of internal control such as fraud risk considerations, which must be evaluated by the internal audit as a part of the internal control.

There is increased recognition by the authorities, boards of directors, audit committees and stakeholders of the effective role of internal audit in drawing the attention of the stakeholders to the risk of fraud. Therefore, internal auditors are now required to help organizations in reducing the risk of fraud through the examination and evaluation of the control methods, the role of the organization in the management of the risk of fraud and how effective and sufficient they are. The findings of the ACFE report of 2016 pointed out that the internal audit departments in organizations have played an important role in the detection of embezzlement, misuse of assets and corruption. The cases of fraud detected by internal auditors represent 16.5% vs. 3.8% detected by external auditors for the total cases detected in 2016.

The International Standards for the Professional Practice of Internal Auditing have adopted a development for the role of internal audit in organizations through the provision of an evidence that the organization’s management deals efficiently and effectively with the fraud risk, and an evaluation of the management’s responses to fraud risk within the levels acceptable and approved by the Boards of Directors, through the Performance Standards which provided for the role of internal audit in the evaluation of the management of the fraud risk in Standard No. 2120.A2, “The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.”

The Standards also clarified the role of the chief audit executive to report to the senior management about the fraud risk in Standard No. 2060, “The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and/or the board.”

Furthermore, the Standards included the attributes necessary for internal auditors through the Attribute Standard No. 1210.A2 which reads “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”


The Deloitte study showed the overall structure of the fraud risk management in the following graph:

1. Diagnose vulnerability to fraud
• Evaluate the current status and effectiveness of the organization’s anti-fraud control environment - this involves assessing the culture, attitude, and awareness amongst employees about their knowledge of and response to any issues of fraud or misconduct
Tools: Employees’ Ethics Survey (DIAGNOSE)

2. Detect gaps in anti-fraud controls
• Evaluate management’s existing fraud risk management framework to detect potential gaps of antifraud controls in the processes
• Establish fraud risk profiles by analysis and ranking of fraud risks (as high/ medium/ low) against existing anti-fraud controls
Tools: Fraud Risk Management Tool (DETECT)

3. Recommend Mitigating Antifraud Controls
• Recommend enhancement of existing controls or mitigating antifraud controls for implementation, based on ‘antifraud control’ gaps detected
Tools: Recommend mitigating anti-fraud Controls (RESPOND)

4. Continuous or Periodic Monitoring
• Enable continuous monitoring of controls using technology; and/or
• Perform forensic data analytics of transactions periodically at the process level to alert Management of fraud signals
Tools: Forensic data analytics (DETECT)

5. Develop Fraud Response Plan
• Develop a fraud response plan to address cases of alleged or confirmed fraud
• Investigate cases of alleged or confirmed fraud
Tools: Develop Fraud Response Plan (RESPOND)

6. Investigate cases of alleged fraud
• Assist in the investigation of cases of alleged or confirmed fraud within the organization
• Incorporate identified fraud risks and schemes into fraud risk management framework based on findings from investigation
Tools: Investigate cases of alleged fraud (RESPOND)

Another KPMG Study specified the control methods in every stage of the fraud risk management, whose effectiveness in the organization the internal auditors must ensure:

Board/audit committee oversight
Executive and line management functions
Internal audit, compliance, and monitoring functions

Prevention
• Code of conduct and related standards
• Employee and third-party due diligence
• Communication and training
• Process-specific fraud risk controls
• Proactive forensic data analysis

Detection
• Hotlines and whistle-blower
• Auditing and monitoring
• Retrospective forensic data analysis

Response
• Internal investigation protocols
• Enforcement and accountability protocols
• Disclosure protocols
• Remedial action protocols

From this point, the role of internal audit is reviewed in each stage of the fraud risk management as follows:

A. Reduction of the Occurrence of Fraud:

Reduction of the occurrence of fraud is internal control methods designed to reduce the occurrence of fraud risk and misconduct. Despite the efforts of organizations to reduce fraud, there is an inescapable reality, which is the occurrence of fraud, due to the fraud and misconduct committed at different levels of the organization. Therefore, it is necessary to have proper preventive and detective methods.

The Professional Practices issued by the Institute of Internal Auditors explained the role of internal auditors in helping organizations to reduce the fraud risk through the examination and evaluation of the sufficiency and effectiveness of the Internal Audit Systems in organizations, along with their potential exposures to violations, transgression and non-compliance inside the organization. Thus, internal auditors must take the following factors into consideration:

• Control Environment: Evaluation of the aspects of the control environment, conduct of auditing procedures for proactive fraud plans, conduct of necessary investigations, reporting on the audit of fraud cases, and provision of necessary support for corrective actions. In some cases, internal auditors may have hotlines to report any cases or suspicions of fraud.
• Fraud Risk Evaluation: Evaluation of fraud risk management, in particular the management’s actions to identify, evaluate and test potential fraud plans and misconduct, including those involving suppliers and other parties.
• Control Activities: Evaluation of the effectiveness of the design and performance of the fraud-related control methods, ensuring that the audit plans and programs specify the residual risks under the integration of fraud auditing procedures with auditing the possible variations of laws, rules and regulations and their effect on the control methods.
• Information and Communication: Evaluation of the effectiveness of the communication system operation, with the provision of the necessary support to fraud-related training initiatives.
• Follow-Up Activities: Evaluation of the control over software, conduct of investigations, support to the Audit Committee in supervising the fraud-related issues, support to the development of the identification of fraud indicators, employment and training of employees to enable them to conduct auditing of fraud and investigations with adequate expertise.


B. Detection of Fraud

Detection of fraud is represented in the internal control methods designed to detect fraud and misconduct when they occur. The existence of sufficient and appropriate detective control methods is one of the strongest deterrents of fraudulent conduct. They are used along with preventive control methods to enhance the effectiveness of the fraud risk management program through the provision of evidence that the preventive control methods are working as planned in the detection of fraud that may occur. Although the detective controls may provide evidence that fraud is occurring, or has already occurred, they are not designed to prevent fraud.

Internal control methods are designed to provide evidence and warnings that fraud is occurring or has already occurred. Effective internal control methods are one of the strongest ways to reduce or prevent fraudulent conduct or procedures. The simultaneous use of detective and preventive internal control methods supports the fraud risk management program. Although detective controls may provide evidence for the occurrence of fraud, they do not aim, or are unable, to prevent fraud.

The auditors auditing cases of fraud must be aware of the basic requirements of the detection of fraud. These basic requirements are:

1. Specification of the fraud risk in the organization through the examination of the control and operational environment to determine the categories and methods of fraud;
2. Evaluation of fraud risk;
3. Examination of risks and their occurrence from the perspective of the perpetrator of fraud in order to determine what the control methods are and the manipulation methods that cause the occurrence of fraud;
4. Full understanding of fraud indicators and the data that may include these indicators; and
5. Readiness for the occurrence of any fraud cases as a result of the indicators, as well as knowledge of how to search for these indicators in the data.

When these requirements are fulfilled, it is easy to deter perpetrators, to investigate and report the detected cases, and to develop control methods to detect the repetition of such cases.

The role of internal audit in the detection of fraud through the stages of the fraud risk management is as follows:

1. Taking into consideration the fraud risk when evaluating the control methods and the determination of the necessary audit procedures. Whereas internal auditors are not expected to detect fraud and violations, they are expected to give reasonable confirmation that the objectives of the business environment of the operations have been achieved.
2. Providing adequate knowledge about fraud cases to determine fraud indicators. This knowledge includes awareness of fraud properties and factors and the techniques used in the commission of fraud.
3. Being ready for any opportunity that may allow the commission of fraud such as any weakness in the control methods. If a major deficiency in the control methods has been detected, additional tests must be conducted by internal auditors to specify fraud indicators.
4. Evaluating fraud indicators and taking any other necessary procedures or conducting investigations if needed.
5. Whistle-blowing and reporting to the competent authorities inside the organization if a fraud case is detected to recommend the conduct of an investigation.

C. Response and Investigation:

Response and investigation are represented in the internal control designed to take a remedial and corrective action for the damages resulting from the occurrence of fraud and misconduct.

The role of internal audit must be determined in the investigation process in the internal audit regulations as well as in the fraud-related policies and procedures. This includes collecting sufficient information on specific details and carrying out these necessary procedures to determine whether fraud is committed, who was involved and how it happened. One of the most important outputs of the investigations is the exclusion of innocent people from the circle of doubt or suspicion. Investigation starts with planning and ends with the issuance of a report on the findings of the investigation.

1. Investigation Planning

A plan for each investigation process is set according to the procedures of the organization. The team leader in charge in the internal audit department determines the skills, competencies and knowledge required for conducting the investigation procedures through the identification of suitable individuals for carrying out the investigation. Moreover, an assertion must be obtained that there is no potential conflict of interests with those who will be investigated or any employee in the organization.

When preparing the plan of the investigation activities, the team leader must take the following into consideration:

• Collect evidence through surveillance, interviews and any documents;
• Document and preserve evidence without violation to any legal rules in obtaining such evidence;
• Determine the scope and extent to which the organization’s operations are affected by the fraud;
• Specify the methods used in the fraud;
• Evaluate the reasons of the fraud; and
• Identify the perpetrators of fraud.

2. Reporting on Investigations

The form of the report, whether oral or written, whether provisional or final, and whether submitted to the Senior Management or to the Board of Directors, differs according to the investigation findings. A formal written report may be issued at the end of the investigation stages, including the reasons for conducting the investigation, the time frame for the investigation, and the notes, conclusions and recommendations necessary to correct and enhance the control methods. The reporting may be required to be written in a way that secures confidentiality of individuals. The requirements of the Board of Directors and executive management must also be taken into account, with compliance with the legal requirements and the policies and procedures of the organization.

Internal auditors may participate in the following processes as consultants through this stage as long as the effect of these activities on the independence of the internal audit is identified and appropriately dealt with, which may include all or some of the following:

• Providing a document indicating the end of investigation for the suspected who were acquitted;
• Punishing employees according to the company standards, labor laws or employment contracts;
• Requesting voluntary financial compensations from the employee, client or supplier;
• Terminating the contracts of the suppliers involved in the fraud; and
• Reporting the fraud cases to the legal and regulatory authorities and cooperating in the investigations that would be conducted by those authorities.


Therefore, this shows the role of the internal audit in the supervision in order to monitor progress of the investigations to help in ensuring that the organization follows the relevant policies, procedures, and applicable laws and legislation (where the internal audit is not responsible for conducting the investigations), in the identification of misappropriated assets or the assets related to the investigation, as well as in supporting the organization in its legal, insurance and other procedures through the evaluation of and control over the organization’s practices and plans to report on investigations, whether internal or external, and monitoring the implementation of improvements in the control methods to ensure their efficiency and effectiveness.

The role of internal audit can be summed up in the evaluation of how sufficient the fraud risk management is in the organization through asking the following questions:

1. Do the Board of Directors and the Audit Committee have clear responsibilities regarding the fraud risk management?
2. Does the organization have a clear anti-fraud strategy, for example a policy that coordinates the ongoing activities to reduce and detect fraud?
3. Does the organization conduct thorough examination for the backgrounds of new potential employees? Are the investigations and inspection of the employees who are promoted to higher positions conducted?
4. Is there a process for the documentation of registration, tracking and response to all the allegations or suspicions of a crime (for example reporting violations and fraud hotline)?
5. Is there a regular evaluation of the orientations, incentives, pressures and opportunities to commit the crime across the organization?
6. Does the organization have categorization for the potential fraud and its effect on the organization through an evaluation of all the types of fraud risk including bribery and money laundering?
7. Does the organization evaluate whether the risks are reduced through the existing internal control methods and evaluate the design and effectiveness of such methods (for example, powers, credit, separation of duties, etc.)?
8. Are there effective channels to enhance the flow of information with quality whether top down or vice versa across the organization?
9. Are training and awareness of cases of fraud and corruption for all employees provided? Is the training regularly held and promoted in the organization?
10. Are there sufficient, regular and ongoing procedures to ensure that the Senior Management took into consideration how effective the control environment and risk assessment are and how much modification or update the control methods that reduce fraud risk may need?

For more information, please use the following references:

• Association of Certified Fraud Examiners, “Report to the Nation on Occupational Fraud and Abuse”, Global Fraud Study, ACFE, 2016.
• Coderre, D, “Internal Audit Efficiency through Automation”, The Institute of Internal Auditors (IIA), John Wiley & Sons, Inc, 2009.
• Deloitte LLP, “Fraud Risk Management – providing insight into fraud preventive, detection and response”, Deloitte Touche Tohmatsu Private Limited, 2013.
• HM Treasury, “Fraud and the Government Internal Auditor”, Crown copyright, London, January, 2012.
• KPMG, “Fraud Risk Management Developing a strategy for prevention, detection, and response”, KPMG forensic, KPMG LLP, 2013.
• PricewaterhouseCoopers LLP, “Fraud in a Downturn A review of how fraud and other integrity risks will affect business in 2009”, a limited liability partnership in the United Kingdom, 2009.
• The Institute of Internal Auditors (IIA), “Auditor’s Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection”, Practice Advisory 1210.A2-1, The International Professional Practices Framework (IPPF), April, 2006.
• The Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA) and Association of Certified Fraud Examiners (ACFE), “Managing the Business Risk of Fraud: A Practical Guide”, The IIA, AICPA, and ACFE, 2008.

Dr. Khaled Mohamed Abdalla Mousa, Ph D, CFE

TO COMMENT on the article, EMAIL the author at dr.kmousa@gmail.com


Human Resources
TO COMMENT on the article,
EMAIL the author at abdulla.hassan@dtc.gov.ae

BY ABDULLA HASSAN AL BARAEI, EDITED BY HOSSAM SAMI

Is the Internal audit is my Profession?

In 1999, a colleague of mine and I met with a strategic expert in a friendly meeting. It was our first year on the job as internal auditors after our graduation from the higher technology faculties (fresh graduates). During our conversation, he surprised us that he has a short test for me and my friend on internal audit. He also told us that he has a goal in mind behind such test and he will tell us about it after taking the test and having the results. Some of the questions in that test were about the theories of internal audit and working methods while others were about the qualities and skills of the internal audit. We have already submitted the tests and the result was that my friend obtained high scores in the questions relating to the theories and methods of working in the field of internal audit. For me, I obtained high scores in the questions relating to the qualities and skills of internal audit. Having analyzed the results, the expert told us that the goal behind such test is to determine which one of us is more suitable for the internal audit profession than the other on the long run. I still remember his words that knowledge and science can be acquired through studiousness and hard work while the qualities and skills required for a specialized profession will make you a distinguished person in your career. Although we could not deeply understand his words at that time, I realized the significance and importance of such test by the lapse of time.

Based on my expertise in the internal audit field, I realized that the successful internal audit department is, first and foremost, in need of efficient auditors. Thus, I started to give due care to the skills and qualities possessed by the candidates to work with us in order to make sure that I employ the right person and that the time and money invested in such person will be fruitful. In the following lines, I will share with you my opinion about the most important skills and qualities that must be owned by the internal auditor in order to be distinguished among his/her colleagues.

1. The ability to understand the business and activities: In my opinion, this skill is the most important skill an internal auditor must possess as the nature of his/her work requires that he/she shall audit different types of business and activities within a very short period of time. In addition, the lack of this skill would greatly limit the ability of the auditor, and will adversely affect the audit results.

2. The ability to analyze and reach logical conclusions: The examination works for auditors rely on the analysis and drawing conclusions as the documents or statements will give us information only, which requires the existence of this skill to pick up any signs that may lead to a risk or an opportunity.

3. The skill of discussion and persuasion: I’m fully convinced that (the auditee) knows its business more than the auditor. This means that the evidence and facts mentioned in the audit report are not sufficient in many cases to convince the auditee of the importance of the observations and risks related to it. Thus, the auditor must be well-versed and fully aware of the nature of the audited activity so that he/she could discuss the observations and convince the auditee of their importance.

4. Endless pursuit to reach the added value: Officials/Management always estimate deep observations which show that the auditor is not simply confined with the broad lines of the observations, but he/she went the extra mile to conduct an in-depth analysis, extract data that is difficult to be extracted, or reveal facts or fact impacts on the business which are hidden from such officials. In addition, to make the officials/management more convinced of the importance of the observation and the return such official will obtain through the implementation of the auditor’s recommendation.

5. Passion for the profession: This quality is my favorite because it enables the auditor to overcome the most difficult challenges of auditing tasks. Passion for the profession inspires the auditor to look forward to auditing new and more complex topics. The audit starts by thinking about the new challenge and how to address its difficulties. However, once you proceed with audit work, you will understand the activity and identify the most important processes and then analyze the risks... etc., and gradually the mission clues will be identified. This quality adds to the auditor the possibility of providing the added value to the officials/management by submitting an audit report inclusive of the most important risks and the most important problems and opportunities that the officials/management might not know about, through conducting a professional internal audit with high added value.

Finally, I’m sure that there are many other qualities and skills, but from my point of view these are the most important ones. However, the most important question is that can the candidate for the position of an internal auditor acquire these qualities and skills by practice while on the job or he/she must own them before joining the internal audit profession.

I believe that we all have these qualities and skills but at different levels, but I also believe that the person who has a good deal of such skills is a perfect candidate for this profession and he/she may be trained to enhance these qualities and skills.

Abdulla Hassan Al Baraei
CIA, CCSA, CGAP, Senior Manager
Internal Audit Office, Dubai Taxi Corporation
