DECEMBER 2014 WWW.INTERNALAUDITOR.ME

INTERNAL AUDITOR MIDDLE EAST
INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

SHAPING TALENTED AUDIT TEAMS
The top 10 innovative professional development programs for internal auditors

Using Feedback from Auditees to Enhance Internal Audit Performance

Global Developments that are Changing Internal Audit

A Look Into the Characteristics and Behaviors of the Typical Fraudster

Upload: masyhuri-mahbub

Post on 03-Oct-2015



  • INTERNAL AUDITOR - MIDDLE EAST 1 DECEMBER 2014

    From The President

    The Time for Research

    Dear Readers,

    Over the past quarter, we've continued to see the Institute of Internal Auditors (IIA) Research Foundation release various insightful reports on the internal auditing profession globally. Similarly, we've seen new reports being released by local IIA institutes such as the UK's Chartered Institute of Internal Auditors, the IIA Netherlands and others. All of these professional bodies have been working on researching topics important to internal auditors so that they can embody the IIA's motto of "Progress Through Sharing". The UAE Internal Audit Association (UAE-IAA) is no different. Over the course of a short period of time, we have successfully translated to Arabic the Certified Internal Auditor Study Materials & Exam, Sawyer's Guide for Internal Auditors (6th Edition) and we are working on translating the 2013 COSO Internal Control Integrated Framework. These efforts have made such publications more accessible to internal auditors in our region, and now the time has come to develop our own thought leadership through 2 major initiatives:

    1. Risk Management Practices and the Role of Internal Audit: This study, which is well under way, will produce original research relating to non-financial institutions in the UAE. We've assembled a dynamic team consisting of both academics and internal audit practitioners who will reveal the results of this study in our 16th Annual Regional Audit Conference which will be held in early 2015.
    2. Global Internal Audit Common Body of Knowledge (CBOK): This is the centerpiece of ongoing research efforts conducted by the IIA Research Foundation. As part of CBOK, the IIA will be conducting its 2015 Practitioner Survey covering over 100 countries. In addition to the global results, we will use the data collected from this survey to produce UAE specific insights.

    These efforts would not be possible had it not been for the support of our strategic partners, members and volunteers who work tirelessly to promote the internal audit profession. We ask all our members to actively support our research efforts as we can only succeed with their cooperation and participation. On a final note, I am pleased to announce that thanks to the efforts of volunteers from the Editorial Advisory Committee, we have completely revamped the website of Internal Auditor Middle East to a site we hope you will all be proud of. Please visit www.internalauditor.me and share your feedback with us. I wish you all a very happy and prosperous 2015.

    Sincerely,

    Abdulqader Obaid Ali
    President


  • INTERNAL AUDITOR - MIDDLE EAST 3 DECEMBER 2014

    FEATURES

    DEPARTMENTS

    16 COVER STORY: Shaping Talented Audit Teams. Innovative ways to improve the skills of your internal audit team and increase their business acumen. BY BRUCE TURNER & JACQUELINE TURNER

    22 Auditee Feedback. Internal auditors can use positive and honest feedback at various stages in the audit process to improve their performance. BY LALIT DUA

    4 Reader Feedback

    5 Knowledge Update. New Reports from IIA UK and Netherlands; Data Analytics; Risk Management Guidance for Boards; Business Continuity Management. BY VISHAL THAKKAR

    8 UAE-IAA Events

    10 Governance Perspectives. A healthy corporate culture is essential to good corporate governance and therefore it should be audited. BY ROBERT NOYE-ALLEN & KAMI NUTTALL

    12 Conversations with Colleagues. Harsh Mohan talks about the important role of internal auditing in risk management. BY FARAH ARAJ

    28 Inside the Mind of a Fraudster. What characteristics and behaviors does the typical fraudster display? Recent surveys and studies can help shed light on this. BY ROBIN SINGH

    20 Human Resources. Five characteristics of a successful chief audit executive. BY AYMAN ABDELRAHIM

    30 Fostering Fundamentals. Having proper controls around construction projects provides better information and increases the chances of success. BY KETAN BHOOLA

    24 Board & C-Suite Driven Assurance: The Dawn of a New Era. Recent developments in governance and regulation will have a profound impact on internal audit approaches. BY TIM J. LEECH

  • DECEMBER 2014 INTERNAL AUDITOR - MIDDLE EAST

    UAE INTERNAL AUDIT ASSOCIATION

    BOARD OF GOVERNORS: Ahmed Al Ansari; Khalid Al Halyan; Mohamed Al Harthi, MBA, CRMA; Abdulqader Obaid Ali, CRMA, CFE, QIAL; Naseeba Alrais, MSC; Ayesha Bin Lootah, MBA; Naeima Mohammed Al Menhali, MSC, CRMA; Ali Al Muwaijei MAFB, MFA, CRMA, CT31000; Nahla Al Qassimi, Ph.D., CRMA, CCP, CCA

    EXECUTIVE COMMITTEE: Raza Abdulla; Abdulrahman Al Hareb; Arindam De, MBA, CFA, QIAL; Karl Hendricks, CIA, CCSA, CQA; Rustom S. Kreidly, CPA, CRMA; Karem Obeid Fadi Sidani, CPA, MS; Rabi Youssef, CPA; Adnan Zaidi, CRMA, ACA, MBA, CCSA, CIA, CFE, CIPFA

    GENERAL MANAGER: Samia Al Yousuf

    TEAM: Aisha Akhtar; Yasmine Abd El Aziz; Bassam El Baghdadi; Lorna Mungkal; Youssef Mustafa; Aileen Pelagio

    Reader Feedback

    UAE Internal Audit Association, an IIA Global affiliate

    We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

    PRESIDENT: Abdulqader Obaid Ali

    EDITOR: Farah Araj (Acting)

    EDITORIAL ADVISORY COMMITTEE: Asem Al Naser, CPA, CIA, QIAL; Farah Araj, CPA, CIA, CFE, QIAL; Majed Bukhashem; Andrew Cox, MBA, MEC, CFIIA, CIA, CISA, CFE, CGAP, MRMIA; Raymond Helayel, CPA, CIA; Meenakshi Razdan, CA, CPA CIA, CFE; Hossam Samy, CRMA, CFE, CPA, CGA; Nagesh Suryanarayana, MBA, CIA, CCSA; James Tebbs, CA; Vishal Thakkar, ACA, CIA; Issam Zaghloul, MSc, CISA, CISSP, CGEIT

    ARABIC REVIEW TEAM: Ayman Abdelrahim, MQM, CIA, CCSA, CFE; Khalid M. Alodhaibi, SOCPA; Qais Hamdan, CISA, CISM, PMP; Waleed Sweimeh

    DECEMBER 2014, VOLUME 2014: 4

    CONTACT INFORMATION

    ADVERTISING & ADMINISTRATION: Yasmine Abd El Aziz, yasmeen@iiauae.org, Tel: +971 4 433 9082

    EDITORIAL: Farah Araj, editor@internalauditor.me, Tel: +971 50 850 1780

    DESIGN & PRINTING: Girish Mehta, Adventure Global, girish@adventure-global.com, Tel: +971 4 393 7696

    ARABIC TRANSLATION & LAYOUT: Hossam Samir, Elaph Translation, hossam@elaphtranslation.com, Tel: +971 4 331 0332

    GUIDELINES FOR AUTHORS: www.internalauditor.me

    DISCLAIMERS: Internal Auditor Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party. The views expressed in Internal Auditor Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors' respective employers. Internal Auditor Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

    Internal Auditor Middle East is published quarterly by the UAE Internal Audit Association (UAE-IAA), 8th Floor, Building 4, The Galleries, Downtown Jebel Ali, Dubai, P.O. Box 90919, United Arab Emirates

    COMPLIMENTARY TRANSLATION PROVIDED BY:

    Disagreements on Information Technology Strategy

    The article "Information Technology Strategy" (Sept 2014) was a very interesting read and in particular because it reflected the views of a Chief Information Officer. However, I did not agree with his recommendation for internal auditors to be cautious and avoid commenting on the strategies selected by management. Since internal audit should determine the effectiveness of the IT strategy, therefore we do need to question and understand the business case for the various IT initiatives and how they map to the enterprise objectives. For us to be seen as partners, we do need to raise risks we identify in various initiatives undertaken by management and not just raise risks relating to the strategic planning process. Very often I find that business cases developed are not fully justified and mislead management into making the wrong decisions.

    Nada Al Chalabi
    Senior Audit Manager Information Systems
    Dubai, UAE

    Enjoyed the Information Technology Special Issue

    I read with interest the articles published in the IT Special Issue (Sept 2014) of Internal Auditor - Middle East magazine.

    I applaud the clarity with which articles were written; they have a good amount of interesting material without being too long-winded or full of jargon. I especially liked the conversation with Deloitte's leadership team (Tariq Ajmal and Fadi Sidani) and GRC by Satish Yadav. I agree with Tariq and Fadi on the fact that technology is changing the internal audit profession and that the future focus should be on data analytics and cybersecurity. I also like Satish's view of how GRC technology is the way to improve and streamline risk management efforts. However, I would have liked to see insights on top IT risks relating to ERP technologies like SAP and Oracle. This is because not all companies in the UAE have even implemented full-fledged ERPs and many are still in their early stages. Going forward, I would like to see more IT-related articles in the magazine on a recurring basis as IT is an integral part of an effective internal audit process.

    Rahul Vaid
    IT Auditor
    Abu Dhabi, UAE

  • INTERNAL AUDITOR - MIDDLE EAST 5 DECEMBER 2014

    of security incidents are carried out by current employees of a company
    Source: PwC's Global State of Information Security Survey 2015
    http://www.pwc.com/us/en/cfodirect/issues/cyber-security/global-information-security-survey-2015.jhtml

    Knowledge Update

    42.8 million is the total number of security incidents detected in 2014

    BY VISHAL THAKKAR

    The IIA UK's 2nd Annual Survey of Heads of Internal Audit

    The Chartered Institute of Internal Auditors (IIA UK) has released its Governance and Risk Report 2014, which discusses internal audit's perspective on the management of risk. As part of this annual survey, the IIA UK obtained the views of 247 Heads of Internal Audit from the UK and Ireland. The report provides insight on:

    - Risk maturity.
    - Top risks internal auditors are focusing on.
    - Reporting relationships of internal audit.
    - The competencies that internal audit needs to function effectively.

    Over the past year, there has been a marked increase (from 68% to 82%) in the number of heads of internal audit reporting functionally to the chair of the audit committee, which results in an increase in internal audit effectiveness. However, there was little change in the number of respondents (57%) who felt the level of risk maturity in their company was well established.

    In terms of the skills needed by internal auditors, the top 3 skills identified by respondents were 1) Communication Skills, 2) Problem Identification and Solution Skills and 3) Knowledge of Industry, Regulatory, and Standards Changes. The report also covered quality assurance and the results show that over 60% of respondents had an External Quality Assessment carried out by an independent party in the past 5 years. This figure rose to 75% in the financial services sector.

    https://www.iia.org.uk/policy/wwwiiaorgukgovandrisk2014/

    Combining Internal Audit and the Second Line of Defense

    The IIA Netherlands published a report titled "Combining Internal Audit and Second Line of Defense Functions?". The report discusses the pros and cons of combining internal audit and second line of defense functions. The main question the report tried to answer is whether the Internal Audit Function can work independently and objectively while providing support to areas such as risk management, compliance and internal controls.

    The main conclusion from the research and round tables conducted was that combining internal audit and second line of defense functions is not the preferred solution, considering the Three Lines of Defense model as well as safeguarding the auditor's independence and objectivity as advocated by the Institute of Internal Auditors.

    The report also covered the basic conditions and safeguards which should exist when combining internal audit and second line of defense functions:

    - Internal audit should not make managerial decisions.
    - Internal audit's role should be formalized in the internal audit charter.
    - Segregate the persons carrying out such responsibilities from the core internal audit team.

    http://iia.nl/actualiteit/nieuws?newsId=1613

    87% of executives believe reputation risk is the most important strategic risk
    Source: Deloitte's 2014 Global Survey on Reputation Risk
    http://www2.deloitte.com/global/en/pages/governance-risk-and-compliance/articles/reputation-at-risk.html

    35%

  • DECEMBER 2014 INTERNAL AUDITOR - MIDDLE EAST

    New Practice Guide on Business Continuity Management

    The Institute of Internal Auditors (IIA) has released a new practice guide demonstrating how the internal audit function can help businesses keep running in the event of a cyber attack or a natural disaster. The practice guide shows how internal auditors can provide assistance in business continuity management. The IIA noted that internal audit functions typically have the skills, qualifications and in-depth knowledge of the organization to help develop, implement and evaluate the effectiveness of such plans.

    The goal of business continuity management is to restore critical operations, manage communications and minimize financial and other effects of disaster. According to the new practice guide, a good crisis management plan is like a company insurance policy - it helps to ensure that the organization remains viable and meets stakeholder expectations.

    IIA members can download the practice guide for free by visiting: https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Business-Continuity-Management-Practice-Guide.aspx

    EY Report on How Internal Audit Can Add Value with Data Analytics

    "Big data is fundamentally changing the way the enterprise operates, and Internal Audit (IA) can't afford to be left behind." This is the main theme of a publication released by EY titled "Harnessing the Power of Data", which discusses how internal audit can embed data analytics into its processes in order to deliver more value to the business.

    EY stresses the fact that building analytics capabilities is a journey that will take significant time and effort and defines 3 stages of analytics:

    1. Descriptive Analytics: This relates to reporting on and understanding what has already happened, whether in real time or after the fact.
    2. Predictive Analytics: Understands the relationships between input and output to predict what will happen in a given scenario.
    3. Prescriptive Analytics: This is the most advanced stage and is designed to determine which decision or action will produce the most effective results.

    Internal audit can maximize its ability to monitor key risks through timely identification of high-risk journal entries, early identification of potential accounting surprises and continuous auditing of all transactions flowing through the general ledger. Further, and using the example of vendors, data analytics is not just about routine business information (e.g. amount sold, average price) but also goes down to lower-level, higher-volume data (e.g. line item detail for purchase orders and invoices). Such detail allows internal audit to use data analytics in its annual risk assessment, in its regular audits as well as for special projects.

    http://www.ey.com/GL/en/Services/Advisory/EY-internal-audit-harnessing-the-power-of-analytics

    New Guidance for UK Listed Companies

    Last quarter the Financial Reporting Council released new guidance for Risk Management, Internal Control and Related Financial and Business Reporting. This guidance integrates and replaces Internal Control: Guidance to Directors (formerly known as the Turnbull Guidance) and reflects changes made to the UK Corporate Governance Code. This guidance focuses on elements of best practice for risk management and defines the responsibilities of the board, which include:

    - Design and implementation of appropriate risk and control systems which allow for a robust assessment of major risks.
    - Determining the company's risk appetite.
    - Fostering an appropriate culture and reward system.
    - Agreeing on how to manage major risks.
    - Monitoring and reviewing risk management and internal control systems.

    One of the unique considerations recommended for board members involves determining the culture the board wishes to embed in the company, and whether this has been achieved. This involves communicating the desired values to management and considering whether the leadership style of the company undermines the risk management and internal control systems.

    https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Guidance-on-Risk-Management,-Internal-Control-and.pdf


  • DECEMBER 2014 INTERNAL AUDITOR - MIDDLE EAST

    UAE-IAA Events

    BY SAMIA AL YOUSUF

    Construction Subgroup Meeting

    The UAE Internal Audit Association Construction Subgroup held its first Business Event, which was hosted by the UAE Society of Engineers, in Dubai on 23 September 2014. The event was attended by Abdulqader Obaid Ali along with Syed Imtiaz (Chairman of the Construction Subgroup) and Hakim Lalipurwala (Vice Chairman Construction Subgroup), who discussed areas of mutual cooperation with Maged Farouk Hanna, General Manager of the UAE Society of Engineers. In addition, Mike Lewis (Head of Internal Audit at Abu Dhabi Airports) and Mr. Matt Irvin (Senior Project Manager) delivered a presentation titled "Risks in Supply Chain Management in Mega Construction Projects". The presentation highlighted the mechanisms used by Risk Management and Internal Audit to manage and mitigate the various risks faced in a mega construction project. The speakers informed the participants about the Three Lines of Defense framework to help improve overall effectiveness of risk management and internal audit.

    Launch of the Hospitality Subgroup

    The UAE Internal Audit Association's Hospitality Subgroup held its first meeting on 15 October 2014 at Abu Dhabi National Exhibitions Company. The session was well attended and led by the Hospitality Subgroup Chairman, Aldrin Sequeira, who is currently the Chief Internal Audit Officer for the Jumeirah Group. The session also had 2 interesting specialist presentations. The first of these was a presentation by Deloitte led jointly by Grant Salter (Director - Head of Travel, Hospitality and Leisure Advisory) and Hossam Samy (Principal - Enterprise Risk Services) discussing "Hospitality: Middle Eastern Trends, Challenges, and how the Internal Audit Profession can Support the Growth". This was followed by an interactive session by Protiviti on Corporate Governance in the hospitality sector led by Nagesh Suryanarayana (Director - Internal Audit and Risk Advisory Services).

    "Organizations are now trying to align their corporate governance frameworks in line with leading practices globally and local regulatory mandate. Some key examples include establishing internal audit functions, risk management frameworks, board evaluation matrices, establishing board sub-committees, enhancing reporting and disclosures frameworks," explained Nagesh.


  • DECEMBER 2014 INTERNAL AUDITOR - MIDDLE EAST

    Governance Perspectives

    BY ROBERT NOYE-ALLEN AND KAMI NUTTALL

    Auditing Culture

    Internal auditing is an evolving discipline, not least due to changing business environments and stakeholder priorities. In 2014, auditing culture has emerged as a new area of focus, a response to growing awareness that hard controls aren't the only ones that matter. Soft controls that stem from a company's culture are also vital for good governance.

    Corporate culture is not only about the values an organisation espouses, but also how the organisation lives them. The desired values need to be communicated, embedded and monitored. The extent to which these values are being applied is a legitimate subject for internal audit reporting, although there are challenges in applying this philosophy.

    Guidance recently issued on the subject by the Chartered Institute of Internal Auditors in the UK and Ireland recognises that auditing indicators of culture is complex; internal auditors need to be comfortable in their understanding of culture and risk culture.

    Chief Audit Executives should ask themselves: can we really offer adequate assurance on the effectiveness of our organisation's governance, risk and controls if we haven't given any consideration to the culture and risk culture of our organisation?

    If there is any doubt about the importance of assessing the application of stated values, consider Enron and its stated values of community, respect, integrity and excellence. But where is it now? Examples from elsewhere around the world (Lehman Brothers, AIG, and Nortel) also indicate there is a powerful link between poor culture and performance, and ultimately corporate failure.

    Cultural indicators are not always easy to recognise and rely on interpretation. In the case of Lehman Brothers, for example, their risk appetite could be interpreted as being high, and they seemingly ignored the signs that suggested that the subprime market was experiencing a high number of defaults. Executives were still paid highly despite company underperformance. Decisions were taken to hide some of the company's liabilities, resulting in a misstatement in the balance sheet. The company's culture was tied to risk-taking behaviours and a poor control environment.

    On the other hand, good culture does seem to support good performance. The success of global brands such as Apple and Google could be attributed in part to their powerful cultures that bind people together and set the tone for high performance.

    Internal auditors are primed to understand their organisation's control environment, in line with COSO 2013. However, that control environment needs to be considered in the context of both hard and soft controls. The challenge for internal auditors is that assessing the effectiveness of soft controls is very different to assessing the effectiveness of hard controls.

    A useful starting point is to consider what we mean by soft controls. They include:

    - Commitment to ethics and integrity;
    - Attitudes to risk taking;
    - Board oversight of performance and internal control;
    - Accountabilities, responsibilities and structures;
    - Reporting lines; and
    - Recruitment practices: a commitment to attract the right people in line with the organisation's objectives and values.

    Can internal auditors really give adequate assurance on corporate governance without auditing corporate culture?

  • INTERNAL AUDITOR - MIDDLE EAST 11 DECEMBER 2014

    Recommendations for auditing culture

    - Consider what kind of culture the organisation champions, and how this is measured across operations. For example, does your company have stated values and what type of indicators exist for measuring that employees are living the values? Does your organisation use staff surveys to understand employee attitude and behaviours? Does your senior management team listen to employees and take action when necessary? Do they operate an open or closed door environment?

    - Ensure corporate culture is considered within your organisation's risk management framework. Who owns it? For example, what does your risk management policy say about risk culture? What kind of risk culture does the company promote and how does it compare to reality? Do the company's risk-taking activities match its risk appetite and stated policies?

    - When it comes to developing the internal audit strategy and annual plans, agree with your board and executive team what culture means to the organisation and a form of reporting on softer issues to maintain confidentiality and sensitivity. Ensure your audit and risk universe incorporates culture as a viable audit entity or as a theme which cuts across all audits. Ensure internal audit plans are designed to seek evidence of softer controls such as leadership, ethics and values. This will require judgement based on sound knowledge. The Chartered Institute of Internal Auditors talks about using "gut instinct" when forming a view.

    - The COSO framework provides a good basis for evaluating a company's control environment, and ascertaining what kind of control culture exists. For example, are decisions decentralised or centralised? What tone is set by the Board? Is there a good relationship between the Board and the Executive? What kind of reward and retention packages does the company offer, and are they linked to performance?

    - Remember that hard control issues are indicators of soft control weaknesses. For example, consider the frequency with which controls are overridden, as this could be an indicator of managers who are interested in outputs at any cost. Also, consider the effectiveness of communications: what is the company telling employees? Is information transparent or secret? Are auditors evaluating final reports for evidence or indication of culture-related issues?

    - Consider the broader messages and not just the symptoms derived from individual audits. If material weaknesses have been identified, root cause analysis (e.g. asking the question "why?" 5 times) will help identify the reasons why an issue has occurred, and whether there is an underlying problem that is linked to corporate culture and values.

    - Comment on corporate culture (informed by your consideration of soft controls) in your annual assurance to the business. This could be through a reflection of whether audit confirms or validates that corporate values are lived. This could be a result of an evaluation of all final audit reports issued during the year. Consider the processes management has in place for engaging with staff, and ensure these processes are two-way/reciprocal.

    - Support your experienced auditors and encourage them to ask questions that address cultural issues and soft controls.

    - Ensure your internal audit team has the necessary training and interpersonal skills to pick up on and understand indicators of cultural issues. Ask yourself who is the most appropriate individual to conduct a review of culture.

    - Always audit with your head up: be aware of what is going on around you.

    Traditionally internal auditors are wary of providing subjective judgement; we are hardwired to believe that professional judgement should underpin opinions. Auditing soft controls and organisational culture requires a certain attitude of mind and awareness. It requires an understanding of the iceberg effect: what is hidden from view may be of greater potential impact than what is visible. It also needs the capacity to put individual audit pieces together to form the bigger picture: local reports and recommendations need to be considered from an organisation-wide perspective to see if any patterns emerge. Many internal auditors are exploring ways in which to encompass culture within their opinions.

    This sounds challenging and it is. Auditing culture is not necessarily about people, but about behaviours, attitudes and, fundamentally, values. Nevertheless, it is a challenge that internal auditors need to accept if they are to provide the more rounded assurance on governance, risk and controls that their stakeholders require of them. Corporate culture is an emerging agenda item, being pushed by regulators and stakeholders. It can no longer be ignored. It is a key part of every company's second line of defence.

    ROBERT NOYE-ALLEN is a Partner in Moore Stephens LLP.
    KAMI NUTTALL is the Head of the Centre of Excellence in the Governance, Risk & Assurance Group of Moore Stephens LLP.

    TO COMMENT on the article, EMAIL the author at [email protected]

  • DECEMBER 2014 INTERNAL AUDITOR - MIDDLE EAST

    Conversations with Colleagues

    BY FARAH ARAJ

    Etihad Airways' Senior Vice President of Audit, Compliance and Risk shares his experience on the role of Internal Audit in risk management

    Harsh Mohan

    In an exclusive interview, Internal Auditor - Middle East spoke to Harsh Mohan, CPA, CA, who joined Etihad Airways (Etihad) in 2011 and is now the Senior Vice President of Audit, Compliance and Risk. He started his career over 31 years ago in internal audit and used the experience gained to successfully work across various functions in the airline industry including finance, procurement, risk management and strategic cost management. Before joining Etihad, he was the Auditor General Auditor and Senior Director of Business Transformation at Air Canada. Harsh is an active supporter of the UAE Internal Audit Association (UAE-IAA) and a prominent speaker on the topic of risk management.

    Internal Auditor - Middle East met with Harsh Mohan at the Etihad Airways Head Office in Abu Dhabi.


    Interview

    How important is risk management to Etihad?
    (Smiling) Our business is managing risk. I want you to think of a metal cylinder which is 70 meters long, has 400 people, with engines operating at temperatures around 1,000 degrees Celsius, packed with 100,000 liters of fuel and travelling at a speed of over 800 km/h. This is, very simply put, what an airplane is. But the passengers are reclining, watching videos, listening to music and are completely comfortable. This is what risk management is all about; taking an inherently high risk such as safety and managing it to a residually low level.

    What role does Internal Audit take with respect to risk management at Etihad?
    At the start of every internal audit plan, we carry out a thorough risk assessment, and based on inherent and residual risks, we formulate the internal audit plan. Doing proper risk assessments is a complex task which requires deep knowledge of the business. It also requires a high level of independence to report on major risks in a fair manner and for these risks to be acknowledged by management. Internal Audit has a solid understanding of the business and is sufficiently independent of management. It therefore makes sense to use the risk assessment carried out by Internal Audit as the basis for the company's enterprise risk management framework. In most non-financial services institutions, having a separate function carry out this role would be a waste of resources. So we send the risk assessment results to senior management so they can identify existing or required controls that will manage a particular risk within the company's risk appetite. So management identifies the existing or required controls, and we, at the time of our audit, assess the risk and audit the controls in place. Internal Audit at Etihad Airways validates the risks that the company is facing and assesses the effectiveness of the controls put in place to mitigate those risks.

    Does this approach impair your department's independence?
    No. We do not own the risk mitigation process. The assessment of risk and corresponding facilitation sessions with management are the roles performed by Internal Audit. As my title suggests, we deal with risk and not risk management, differentiating between the two. We make a clear distinction between our role and management's responsibility to manage risks. Our approach is based on the IIA position paper on Internal Audit's role in Risk Management and each stakeholder's role in the Risk Management process is clearly defined. Also to give more comfort to our Board and regulators, we have a separate team within the department which carries out the risk assessment and facilitation sessions. This team reports through me to the full Board. This process of reporting to the Board makes the risk management process more effective.

    How is Internal Audit able to assess and provide assurance on risks to strategic objectives?
    Every risk management framework refers to risk as something which impedes the achievement of your objectives. We start our strategy by defining our top strategic objectives and cascading them downwards to the business units and individual departments. When we assess risk, we look at objectives from all three layers, and this way, it focuses on adding value to what really matters to the business. For example, one of our strategic risks is the capacity of Abu Dhabi Airport to support our growth. We are expecting to transport 15 million passengers in the coming years. So Etihad worked with Abu Dhabi Airports Company to expand the airport to Terminal 3 and is now adding additional capacity in the new Midfield Terminal. As Internal Audit, we will look at the controls in place to mitigate this strategic risk. In other words, what action is being taken by management to mitigate capacity constraints? This could include audits of project oversight, baggage handling, customer services etc. I also sit as an observer on the Midfield Terminal project committee to understand how management is addressing the capacity strategic objective.

    What about Internal Audit's role in providing insight on emerging risks?
    Risk management is an ever evolving process! Take for example the CEB's (Audit Plan Hot Spots - https://www.executiveboard.com) views on the top risks from 2010-2014. You will notice that the top risks have changed over the past five years. Now one of the major emerging risks is cybersecurity. When carrying out our assessment of risk, we need to focus on such areas and ensure that management and the Board are made aware of them.

    Some chief audit executives may not be providing advice or assurance on risk management. What are your thoughts on this?
    As the needs of the business evolve, there will be a need for Internal Audit to evolve to support the business. Internal Audit has the skills required to support the risk management process and add value to the business. By focusing on risk, Internal Audit will be included in management discussions and committees and this will elevate its status because of our knowledge of the business. If Internal Audit does not step in, someone else will and that department or person will go far ahead of Internal Audit. Chief Audit Executives who do not play a role in risk management face a high risk of becoming obsolete.

    TO COMMENT on the article, EMAIL the author at [email protected]

    The company which manages its risk the best is the one which succeeds

  • You're successful, respected, and committed. What does it take to get to the next level?

    The QIAL identifies, assesses, and develops core skills linked to audit leadership success. It caters to CIAs and CAEs who are already strong performers and have the potential for greater leadership.

    Registration is now open. Start your leadership journey TODAY at globaliia.org/QIAL.


    BUILDING THE LEADERS OF TOMORROW, TODAY.

  • INTERNAL AUDITOR - MIDDLE EAST 15 DECEMBER 2014

    Characteristics of a Successful Chief Audit Executive

    Human Resources

    TO COMMENT on the article, EMAIL the author at [email protected]

    BY AYMAN ABDELRAHIM
    EDITED BY MEENAKSHI RAZDAN

    The increasing complexity of companies, combined with the impact of today's global economy, has resulted in a variety of new business risks and challenges. To help in responding to these new risks and challenges, it is essential for a company to have a highly skilled Chief Audit Executive (CAE). This CAE must possess several core characteristics which will allow him or her to be successful. One clue to these characteristics can be found in the meaning of the word "Audit", derived from the Latin word "audire", which means "to hear". Successful CAEs hear what is happening within a company and also listen to what stakeholders have to say. Therefore, a successful CAE is one who is not only technically solid but also has appropriate behavioral characteristics. The mix of essential characteristics that should be found in a CAE is as follows:

    1. Strategic Thinking
    The CAE plays an important role in providing assurance on whether the organization has the ability to achieve its objectives. This means that a CAE should understand the company's business and how he or she can work together with top management to achieve the company's strategy and help guide the organization in the right direction.

    2. Mastery of Risk
    The CAE needs to establish risk-based internal audit plans to ensure that the priorities of the internal audit activity are consistent with the company's goals. Accordingly, it is necessary to have a high sense of risk awareness and of how the organization manages its risks; the CAE should also be aware of any emerging risks and understand the impact of changes in the industry or the external environment.

    3. Leadership Ability
    The CAE should have strong leadership skills which are demonstrated even beyond the internal audit department. The CAE should inspire, motivate and challenge the auditors to take greater ownership of their work. Empowerment is important to achieve high performance; without empowerment, internal auditors cannot own their work and take responsibility for their results. Also, the CAE should have the ability to create new leaders for the organization; those leaders can drive the future of the organization.

    The CAE can play a significant role in driving change in the organization and can be an effective champion for innovation, by providing improvements in strategy and activity through promotion of innovation and awareness of emerging opportunities and risks. The competencies for critical thinking, innovation and improvement are very important for a CAE to succeed.

    4. Effective Communication
    Listening to stakeholders and understanding their needs and concerns is vital for the CAE role. Strong communication skills can help in building positive relationships with senior management and business leaders. Communicating issues accurately and prioritizing them is also important. Another important thing is using the right words in the audit report, which demonstrates the professionalism of the CAE and the audit team.

    5. Desire for Knowledge
    Knowledge distinguishes a leader from a non-leader. The CAE should be constantly alert to best practices and industry trends, inspire internal auditors to develop themselves, and maintain a commitment to ongoing training and learning.

    Conclusion
    As the requirements of companies change, the required characteristics of a successful CAE will also need to change. CAEs have a big role to play in a company by helping an organization remain aware of and effectively manage its current, strategic and emerging risks. To be successful at this role, a CAE needs to have a combination of the characteristics mentioned above to allow him to add value to a company. In today's world, it is absolutely critical for a CAE to continuously upgrade his or her skills in order to meet the changing expectations of companies and the internal audit profession.

    AYMAN ABDELRAHIM, MQM, CIA, CCSA, CFE is a Chief Internal Auditor at a government organization in Dubai.

    "If you want to be successful, you have to be willing to invest in yourself." Richard Chambers, CIA, QIAL, President and CEO of The Institute of Internal Auditors


    Innovation

    Shaping talented audit teams

    BY KAMRAN AHSAN

    A veteran chief audit executive and a technical specialist join forces to showcase innovative professional development programs for internal audit.

    A fundamental role of internal auditors in the twenty-first century is to add value to the business and help it achieve its objectives. At the same time, employee talent management has become a priority, as stakeholders recognise that internal auditors need to understand the business.

    This article focuses on ten developmental programs across three tracks (illustrated in Exhibit 1) that can be structured to close skill-gaps and provide the internal audit activity (IAA) with practical insights into the business.

    Imperatives

    "There is broad diversity of need for technical and soft skills and a need for internal auditors to operate at a sufficient level of competence to show the value of the profession." IIA Global Council 2014

    Leaders of our profession have clearly spelt out the importance of talent management:

    - Thinking strategically to reduce the talent gap was emphasised in the IIA's Tone at the Top newsletter in January 2013. The article also noted the need to support professional development and encourage staff to work collaboratively with other business units to promote cross-pollination of knowledge.

    - Skill-set gaps were identified by delegates at the IIA's Global Council meeting held in Dubai in 2014 as one of the top five obstacles the profession faces through 2020.

    - Understanding business was identified as very important by over 70% of respondents to the IIA's 2010 global survey. This was the highest rated of 18 technical skills.

    - Maintaining compliance with professional auditing standards underpins audit value, with proficiency and continuing professional development emphasised in standards 1210 and 1230 respectively (i.e. possess and/or enhance knowledge, skills, and other competencies).

    - Maximising individual potential is a key to being an employee of choice. It helps to create a highly satisfying place to work, and improves the intellectual capital within the IAA.

    - Keeping internal audit fresh and up-to-date through effective audit leadership. In a June 2014 blog, the IIA President and CEO Richard Chambers emphasised the importance of audit leaders being role models, focusing on positives, being goal-oriented, making the time for the team, and getting help from others through effective delegating.

    Exhibit 1: Overview of audit development programs

    Bringing Business People into Audit
    1. Graduate program
    2. Guest auditors - specific audits
    3. Guest auditors - longer-term secondments
    4. Middle management rotation program

    Delivering In-house Programs
    5. Alumni network
    6. Knowledge champions
    7. Mentoring

    Sending Auditors into the Business
    8. Frontline connections
    9. Secondments within the entity
    10. Swap or secondment with another entity or service provider


    Implementation of professional development programs is another leadership imperative.

    Key steps

    "Tell me and I'll forget; show me and I may remember; involve me and I'll understand." Chinese Proverb

    - Identify the competency needs of your IAA. These may already be identified through the IIA's Global Internal Audit Competency Framework or within a defined IAA Professional Development Plan.
    - Determine any related development programs that your entity already has in place. For instance, well-established graduate and mentoring programs exist in many entities.
    - Assess the best options for tailored development programs that suit your IAA. From the program overview table, select one or two programs to implement now, and others that might be beneficial in the future.
    - Develop the selected programs for your IAA, building up from the bottom of the ten building blocks in Exhibit 2.
    - Recognise that motivation and state of readiness to learn are important considerations in identifying the right participant/s.
    - Finally, irrespective of which program is chosen, ensure that fresh ideas and insights are generated for the IAA. This is the critical payback phase.

    Exhibit 2: the ten building blocks

    - Engage participants and undertake program
    - Provide fair and valued learning feedback
    - Road test and promote the program
    - Select participants based on selection criteria
    - Establish and provide suitable induction
    - Define aim, desired outcome, and strategy
    - Align to entity career development strategies
    - Identify IAA skill gaps and learning objectives
    - Consider the key principles of audit learning
    - Select best programs; formalise key elements

    Program Overviews: Bringing business people in

    Program 1: Graduate Program
    Design Aims: Introduce governance, risk and control fundamentals to entity's graduate program participants.
    Primary Benefit: Helps shape career of potential future leaders, through experiential learning.
    Secondary Benefit: Brings youthful enthusiasm into IAA. Builds ambassadors for IAA through a good experience.
    Key Features: Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core activities of entity.

    Program 2: Guest auditors - for specific engagements
    Design Aims: Draw guest auditors onto specific audits where their technical skills are needed.
    Primary Benefit: Delivers subject matter experts from technical business areas to IAA to bring expertise to particular audit engagements. Example: a Western Australian mining company utilised engineers to great effect.
    Secondary Benefit: Runs for shorter duration than other programs, and is informal and less structured.
    Key Features: Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core activities of entity.

    Program 3: Guest auditors - longer term secondments
    Design Aims: Leverage expertise of business staff.
    Primary Benefit: Drives audit improvement strategies through technical advice on audit planning, fieldwork or reporting.
    Secondary Benefit: Brings in a free expert resource.
    Key Features: Facilitates secondment of operational staff from business areas to IAA for defined periods (several weeks or months).

    Program 4: Middle management rotation program
    Design Aims: Build capability of middle managers, whilst drawing business experience into IAA.
    Primary Benefit: Helps management by giving high potential middle managers opportunity to learn first-hand about entity-wide governance, risk and control arrangements.
    Secondary Benefit: Facilitates two-way learning. IAA gains services of respected business people to work on audits. Helps to build business acumen in auditors.
    Key Features: Delivers longer term learning benefits for future executives through structured program; CAE partners with C-suite.

    Delivering in-house programs

    Program 1: Alumni Network
    Design Aims: Invite alumni to IAA events to provide insights on direction, planning and strategies of IAA.
    Primary Benefit: Uses structured approach to leverage rich source of ideas, insights and perspectives that former internal auditors have gained in their new roles.
    Secondary Benefit: Achieves progress through sharing for professional counterparts.
    Key Features: Provides basis for staying connected with experienced auditors who move into other parts of business or to other entities.


    Anticipated outcomes

    "The best minute I spend is the one I invest in people." Kenneth Blanchard

    Well-structured professional development programs can help shape a legacy that goes beyond the outcomes traditionally expected of members of the internal audit profession. In particular:

    - The CAE creates a highly satisfying place to work, which helps to attract and retain excellent staff.
    - The value of internal audit is enhanced in the eyes of the entity's most senior executives (commonly called the C-suite) and the audit committee, through practical insights gained by drawing business-based expertise into more complex audits.
    - The IIA as a whole benefits by improving its intellectual capital and expertise; building on the overall talent at its disposal; and enhancing its credibility through technically strong outputs. Programs interfacing directly with the business have the added benefit of showing the human face of internal auditors.
    - Business specialists brought into the IAA benefit from the insights that they gain in respect to corporate governance, risk management and internal control; skills which they will need as they move into future senior leadership positions. They are also influenced to become ambassadors for internal audit.
    - Auditors placed into the business or involved in in-house programs gain job enrichment; build their skills; gain greater understanding of the business; and take steps to maximise their individual potential.

    TO COMMENT on the article, EMAIL the author at [email protected]

    BRUCE TURNER, CGAP, CRMA, CFE, CISA, PFIIA, FFin, FIPA, MAICD, FAIM is an audit committee chairman in Australia and Chairman

    JACQUELINE TURNER, B.L JS, GradCertFraudInv is a white collar crime analyst at a multi-national financial services institution in Australia

    Program 2: Knowledge champions
    Design Aims: Nurture mid-level audit staff to become knowledge champions.
    Primary Benefit: Auditors develop expertise in assigned specific knowledge areas, such as emerging practices and issues; governance, risk, control; or technical areas of entity. Example: tax collection agency CAE might assign indirect taxes, direct taxes, client register etc.
    Secondary Benefit: Provides CAE with timely information on contemporary trends and business issues, and helps the CAE be well-briefed for C-suite and audit committee interactions.
    Key Features: Reduces dependency on hiring terrain experts.

    Program 3: Mentoring
    Design Aims: Achieve full potential of auditors.
    Primary Benefit: Fosters professional relationships, where auditors have opportunity to collaborate and share insights with experienced executives outside IAA.
    Secondary Benefit: Provides forum offering constructive and frank advice to support auditors' career development.
    Key Features: Offers cost-effective way of assisting auditors to acquire knowledge and skills to operate within challenging environment.

    Sending auditors into the business

    Program 1: Frontline connections
    Design Aims: Enable senior audit staff to spend time in field with operational staff.
    Primary Benefit: Provides an opportunity for auditors to gain experience on the ground so they better comprehend frontline activities and day-to-day challenges of entity.
    Secondary Benefit: Provides job enrichment for participants so they remain sharp and objective.
    Key Features: Enables auditors to spend half a day every month or quarter in the business shadowing frontline staff and completing lower-risk operational tasks.

    Program 2: Secondments within the entity
    Design Aims: Provide a short break from auditing to refresh key staff.
    Primary Benefit: Refreshes knowledge of seasoned auditors across business operations, and enables them to experience day-to-day operational pressures.
    Secondary Benefit: Showcases to management the talent within IAA, and helps to further build IAA's professional profile.
    Key Features: Facilitates targeted secondments within business areas.

    Program 3: Swap or secondment with another entity or service provider
    Design Aims: Boost breadth of experience of high potential auditors.
    Primary Benefit: Enables auditors to gain experience in another entity or service provider and bring fresh insights back to IAA.
    Secondary Benefit: Reduces risk of auditors becoming stale and resigning, by enabling them to gain broader experience and build their career path.
    Key Features: Provides swap of high-potential auditors or secondments for pre-determined periods (say, three months) to achieve defined experiential learning objectives; established through mutual agreement of CAEs.

  • Held under the patronage of H. H. Nahyan bin Mubarak Al Nahyan, UAE Minister of Culture, Youth & Community

    Venue: Intercontinental Hotel Dubai Festival City, Dubai, UAE
    Date: 21st - 22nd January 2015
    Email: [email protected]
    Visit our website: www.iiauae.org

    The Association of Certified Fraud Examiners (ACFE)'s Inaugural Annual Conference in the Middle East & North Africa (MENA) region is dedicated to eliminate and minimise the risk of Fraud & Corruption, manage the Risk of Fraud and Give an Insight on the latest techniques and strategies to fight Cybercrimes.

    Book now to earn 16 CPEs


    Quality Improvement

    BY LALIT DUA

    Auditee Feedback

    One of the important factors for an effective audit is auditee feedback, which has commonly been ignored and has not usually been part of professional discussions. This statement reads simply enough, but all internal auditors know how much effort it takes to get focused, positive and value-adding feedback from an auditee. Dealing with the behavior and responses of the auditee during this process is quite a challenge.

    The auditee should recognize the fact that his enhanced performance, through the auditor's recommended corrective measures, will help in achieving his department's objectives. So establishing an honest understanding of the objectives of the audit and the respective roles of auditor and auditee should take place before the start of the audit process.

    The Need for Feedback
    Audit reviews can be a smooth journey if both auditor and auditee understand the objective and both of them work in coordination and participation with each other to achieve the desired improvements. The auditor has to ensure transparency in review approaches, conduct and finalization of the audit. The auditee also has to support the review by demonstrating confidence in the auditor.

    Feedback from auditees is a confirmation of the auditor's analysis of data, compilation of information, approaches of audit, observations made, acceptance of recommendations etc. The auditee is the one who can approve or reject the internal auditor's efforts, which should be done diligently and honestly. Even the auditee at higher levels of management will not accept the observations unless they have been accepted by the previous levels of management. Hence the auditee can even make or break the auditor's positivity of approach in the audit review.

    The auditee's feedback should be specific to the issues/observations, timely and delivered in an appropriate way.

    A. Specific to issues
    Feedback is at its best when it relates to a specific observation, data analysis and audit query. The auditee feedback will be to the point and constructive if all the relevant details have been provided, as any gap will lead the auditor in an unwanted direction. Submitting an audit observation to the auditee like "Observed that exercise of identification of slow, non-moving and dead inventory items is not effectively conducted during the year" will not yield any tangible feedback unless it is specific, like "As per policy the exercise of identification of slow, non-moving and dead inventory is not being done quarterly and our exercise of identification of such inventory items resulted in 12 such items, the detail of which is in the attached statement."

    B. Timeliness
    The auditor is required to submit any detail or observation to the auditee well in time and for the period under review. Any undesired delay will cause the feedback to lose its significance and may delay the process of audit. The sooner the auditor identifies the requirement of changing approach, working and source of information/data, the sooner they can correct the point involved and conclude the audit effectively.

    C. Manner
    Feedback should be given in a manner that will help to improve audit performance. Since people respond better to information presented in a positive way, feedback should also be expressed in a positive manner. It must be accurate, factual, and complete. Feedback is more effective when it reinforces what the auditor did right and/or wrong and then letting him judge what needs to be done during the course of audit.

    Positive and Honest feedback adds to Audit Effectiveness

    TO COMMENT on the article, EMAIL the author at [email protected]

    LALIT DUA, CA is head of internal audit at

    Frequency and Stages of feedback
    The feedback from the auditee can be regular or as requested by the auditor. Regular feedback can be given as and when the auditor discusses processes, asks for records and data for review and when querying the auditee about some observations. The auditee feedback is expected to be given with positive intent, as it would reflect the auditee's desire for the auditor to add value.

    Periodic feedback sessions are normal features of any audit review, where the details of issues to be discussed and feedback to be taken from the auditee are formally provided in advance. The feedback is documented and is either taken as the base for the next level of audit review or forms part of the report itself. With effective feedback, the auditor will be working in the right direction and will be more potent in the conduct of the audit.

    A. Feedback in the opening meeting with auditee
    The auditor has to explain to the auditee the objective, scope, tentative duration of review, initial record and details required in the kick-off meeting. The meeting will also give the auditee an opportunity to raise questions and ask for clarifications, if any, from the auditor. At the end of the meeting his clear understanding about the whole process of the review is a kind of feedback whereby he gives his concurrence and assures of complete support.

    B. During conduct of audit
    While conducting audit reviews the auditor is applying different approaches and techniques of audit. He also makes verbal and written communication on issues involved in reviews. The responses, actions, reactions and behavior of the auditee to such activities are a kind of feedback to the auditor on how the audit review is being conducted. After having explained the scope and objective of the audit review in the kick-off meeting, the auditor should ensure that the review is being conducted within the same scope, with positivity and without any intention to find mistakes, errors, frauds etc. The moment the auditee gets any sense of negativity in what the auditor is doing, the auditee will withdraw himself and will tend to feed or provide whatever has been asked without any positive participation. The end result will be extra efforts by the auditor, not enough confidence in whatever is being done and non-participation of the auditee in the process of improvement.

    C. In the closing meetings
    The feedback requirement in the closing meeting should not come as a surprise. It is better to raise issues as they arise in the course of an audit, having a constructive discussion on the spot as and when required. The closing meetings are done at various stages and with various auditees during the course of finalizing audits. Since these closing meetings are done at the concerned auditee, department and functional head levels, the types of feedback at each of these levels will differ in content and style. The process of getting feedback in the closing meetings will be smoothened if the auditor has been transparent in his approach and conduct during the course of audit.

    Overall feedback
    Though an auditor is getting feedback at different stages and from different levels of auditees and management staff on specific areas of audit, the practice of getting an overall audit feedback has been formalized in many organisations. The criteria on which overall performance of audit is to be evaluated are many and in use. It is the maturity of the organisation and the role of the auditor it has foreseen which defines the list of criteria for feedback. An organisation may even require the auditor to rate different auditees on defined criteria as well. The overall feedback on different aspects of the audit sets a benchmark or highlights the gaps in performance acceptance of management from audit department.

    Conclusion
    Auditee feedback on different aspects of the audit sets a benchmark or highlights the gaps in performance acceptance of management from audit department. Each audit observation has to be taken up in its right perspective, without overdoing and misinterpretation. An auditee expects to be given the opportunity to give their perspective, a process that helps to gain their commitment, so the auditor should welcome feedback. Adopting and implementing a collaborative approach to feedback, and highlighting the ultimate aim of the audit to support auditees in order to improve organizational performance, will provide solid foundations for a positive experience for all concerned.


    Audit Management

    Board & C-Suite Driven Assurance: The Dawn of a New Era

    BY TIM J. LEECH

    Many years ago I wrote a seminal article titled "Control & Risk Self-Assessment: The Dawn of a New Era in Corporate Governance". That article, and the ideas in it, played a significant role in launching my first company in 1991, and had a significant impact on the profession globally. Almost 25 years later this article describes recent developments and forces that will almost certainly see the onset of an even more profound and significant transformation, truly the dawn of a new era in internal auditing.

    Traditional/Historical Internal Auditing

    I joined the profession as an internal auditor in the summer of 1981. Since that time the profession has evolved and advanced in many positive ways, but continues to be bound by some fundamental and confining paradigms. The paradigms include:

    1. Internal auditors plan, execute, and report results of point-in-time audits.
    2. Internal auditors assess internal controls and report opinions on whether they believe controls are effective.
    3. Internal auditors report what they believe to be control deficiencies, material weaknesses, significant deficiencies or opportunities for improvement.
    4. Direct report auditing is the primary approach used globally. In a direct report engagement the auditor evaluates the subject matter for which the accountable party is responsible. The accountable party does not make a written assertion on the subject matter they are responsible for.
    5. The profession has been primarily supply driven, not demand driven.
    6. Internal audit does not usually know, or require that management and boards define, the type and amounts of risk the company and its board are prepared to accept.
    7. A majority of internal audit departments have not, for a variety of reasons, assessed and reported on risks to the organization's top strategic/value creation objectives, or the effectiveness of the entity's entire risk management framework.

    The traditional/historical direct report approach to internal auditing described above is now under attack. Evidence collected globally in 2014 indicates dramatic drops in internal audit customer satisfaction.

    Key Developments Globally

    Board responsibility to oversee management's risk appetite and tolerance significantly elevated - Following the 2008 global financial crisis, commissions were convened around the world to try to understand what had gone wrong and prevent similar destabilizing events in the future. A unanimous conclusion was that boards of directors and, to a lesser degree, regulators, had not adequately discharged their duty to oversee what is increasingly being called management's risk appetite and tolerance.

    Creation of the world's first preeminent regulator guidance body, the Financial Stability Board (FSB) - Shortly after the onset of the global financial crisis a decision was made to create a new super regulatory power, the Financial Stability Board (FSB). This organization, currently chaired by Mark Carney, Governor of the Bank of England, with representation from governments and financial sector and securities regulators from around the world, has, with unprecedented speed, formulated and disseminated what is most aptly termed "paradigm shift" guidance with an overarching, albeit unstated, goal of reengineering corporate governance globally. One of the FSB's most significant contributions to date is a November 2013 guide for national regulators, companies, and auditors titled Principles for an Effective Risk Appetite Framework. The authors of the FSB guidance took the bold step of defining new and bold mandates for management, boards of directors and, most significantly for readers of this article, internal auditors. Details of the new role envisioned for internal auditors are shown in the box below. The FSB is, in essence, calling on internal audit to transition from providing spot-in-time, direct report, subjective opinions on control effectiveness on a small percentage of an entity's risk universe, to reporting on the reliability and effectiveness of an organization's entire RAF, including, but not limited to, reporting on the reliability of risk status reports provided to the organization's board of directors by senior management.

    4.6 Internal audit (or other independent assessor) should:
    a) Routinely include assessments of the RAF on an institution-wide basis as well as on an individual business line and legal entity basis;
    b) Identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;
    c) Independently assess periodically the design and effectiveness of the RAF and its alignment with supervisory expectations;
    d) Assess the effectiveness of the implementation of the RAF, including linkage to organisational culture, as well as strategic and business planning, compensation, and decision-making processes;
    e) Assess the design and effectiveness of risk measurement techniques and MIS used to monitor the institution's risk profile in relation to its risk appetite;
    f) Report any material deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and
    g) Evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.
    Source: Financial Stability Board, Principles for an Effective Risk Appetite Framework, November 18 2013.

    Codification of board responsibility to oversee management's risk appetite and tolerance - In parallel with the FSB, regulators around the world have started to enact regulations that reflect key FSB recommendations, particularly the need to assign primary responsibility for risk management and reporting to management, and risk appetite/tolerance oversight to boards of directors. One of the most graphic illustrations is the new UK Governance Code issued in September 2014. It positions responsibility for risk oversight squarely with boards of directors; calls on management to design, implement and maintain effective risk governance frameworks; and calls on boards to seek independent assurance that management has, in fact, designed, implemented, and maintained effective risk governance frameworks. It is expected other major countries that want to improve the integrity of their capital markets will follow the UK's lead.

    Internal audit customer satisfaction plummets as these regulator-driven developments gain traction globally - A summary of customer satisfaction surveys done by 3 major consulting firms and the Institute of Internal Auditors was reported in the July 2014 IIA Pulse on the Profession Report referenced earlier. The report paints a graphic picture of a significant and very recent decline in board and senior management satisfaction with traditional/historical direct report internal audit services.

    IIA Pulse on the Profession, Enhancing Value Through Collaboration: A Call to Action, IIA AEC, July 2014.

    What This Means to the Internal Audit Profession Going Forward

    Need to Transition from Direct Report/Spot-in-Time Auditing to Attestation Reporting on Management Representations on Risk Framework Effectiveness and Risk Status - The FSB has defined roles for the board, senior management, and internal audit that call for a fundamental accountability shift: a shift that requires that management continuously assess and report upward on risk status, and that internal audit assess and report opinions to the board on how well management is discharging their assigned risk governance responsibilities. This new paradigm requires radical and fundamental shifts in existing IIA certification curriculum and training offerings. IIA IPPF professional practice standard 2120 was modified in 2010 specifically to provide support for the shift, and the Certification in Risk Management Assurance (CRMA) was launched globally. Internal audit departments will need to evolve from the business of performing traditional spot-in-time direct report audits and providing subjective opinions on control effectiveness on a small percentage of the risk universe and, instead, focus substantially more resources on providing assurance to boards that senior management is creating and maintaining effective risk management and reporting frameworks.

    Educate Boards of Directors on Evolving Expectations - These expectations are likely to evolve at varying speeds and intensity in different countries. Not all senior management and board members have been actively following the evolution of these new expectations, and not all national regulators have codified risk governance expectations with the clarity and simplicity of the September 2014 UK Governance Code to spur the needed transition. It is also important to note that not all CEOs and CFOs are likely to welcome direct responsibility for creating and maintaining effective risk appetite frameworks and providing formal and candid reports on residual/retained risk status to their boards.

    Look for Opportunities to Gain the New Knowledge and Skills Required - If internal auditors are to accept and assume the type of responsibilities defined by the FSB earlier in this article, they must retool their knowledge and skills. Instead of the traditional internal audit focus on providing subjective opinions on control effectiveness, internal auditors now need to acquire the knowledge and skills to assess and report on the reliability of management's risk appetite frameworks, including management's reports to the board on retained/residual risk status. This means learning the type of vocabulary defined by the FSB in its Principles for an Effective Risk Appetite Framework guidance and the globally accepted ISO 31000 and ISO Guide 73, and gaining the knowledge and skills necessary to identify the full range of risks, risk treatments, and a picture of residual risk status, not the much narrower assessment of traditional internal controls internal audit has historically focused on. More importantly, internal auditors need to continuously assess and report on whether the current residual risk status related to key strategic and foundation objectives is within the board's and senior management's risk appetite and tolerance.

    Closing Remark - Recognize that aversion to change is a human condition. This short article outlines events and drivers that call for radical and quantum change in the current internal audit paradigm. A natural human trait is to resist radical change and favour smaller and more incremental steps. The dramatic drops in customer satisfaction statistics described in the IIA July 2014 Pulse on the Profession report have led to the IIA literally issuing A CALL TO ACTION to internal auditors around the globe. Addressing rapidly evolving and escalating customer and regulatory expectations will require that the profession globally make rapid and radical changes if it is to ensure it remains fully relevant to key customers in the years to come. There is a well-known adage that states "necessity is the mother of invention". The need for radical and rapid change in the traditional internal audit delivery model is real. It's time the internal audit profession literally reinvent itself to meet the needs of key customers, particularly boards of directors. No small task to be sure, but a job that absolutely needs to be done. Best wishes for success as the profession decides whether it welcomes, or resists, the dawn of a new era in internal auditing.


    Tim J. Leech CIA CCSA CRSA FCPA is Managing Director Global Services at Risk Oversight in Canada and is recognized globally as a thought leader and advisor in the risk and assurance field.


    Fraud

    BY ROBIN SINGH

    Inside the Mind of a Fraudster

    For as long as white-collar crime fraudsters have been a common occurrence throughout multiple industries, specialists have wondered aloud whether or not it is possible to properly develop a profile that allows organisations to accurately identify fraudsters while the fraud is happening, or in some cases beforehand. Of course, predicting crime before it actually happens is a concept best left to science fiction novels and movies at the moment, but what if there were some easily identifiable warning signs of potential fraudsters?

    General Attributes

    While any individual could potentially conduct fraudulent actions, there do seem to be some basic elements that make an individual more likely to take part in fraud. According to a study by KPMG [1], the typical fraudster displays the following attributes:

    - Is between the ages of 36 and 45. More than 70% of fraudsters fall into this age group.
    - Acts with little regard for the organisations which they work for.
    - Is employed in a position that gives them power over important organisational processes including executives, finance, operations and marketing.
    - Has been with the organisation for six years, or long enough to know the internal processes of the company.
    - Acts with others in committing fraud. According to KPMG's study, more than 61% of individuals that committed fraud did so with the help of at least one other individual.

    Identifying potential suspects based on the profile of a fraudster is not a straightforward task.

    Personality

    Another compelling fact which the KPMG study brought forward was that a large percentage of fraudsters were extroverted (33%), friendly (35%) and highly respected (39%). These personality traits do not seem to be indicators of someone who is prone to fraud, but when combined with traits like greed and desire for personal gain [1], one can then get a clearer picture of the personality of these individuals.

    Studies have proven that these are people who are either malignant narcissists, or suffer from Narcissistic Personality Disorder (NPD), which is defined as an enduring pattern of inner experience and behavior that deviates markedly from the expectation of the individual's culture, is pervasive and inflexible, has an onset in adolescence or early adulthood, is stable over time, and leads to distress or impairment. Because these disorders are chronic and pervasive, they can lead to serious impairments in daily life and functioning.

    Actually, to really go inside the mind of a fraudster, one needs to understand the traits of a person suffering from NPD:

    - Have an inflated sense of their own importance; believes that he or she is special and can only be understood by high status people.
    - Have a deep need for admiration for themselves; a sense of superiority.
    - Believe that they're superior to others.
    - Constantly bending the rules for himself although outwardly criticising others for similar behavior.
    - Have little regard for other people's feelings.
    - Be intolerant of anything perceived as less than a perfect performance.
    - Exaggerate their own achievements or talents.
    - Expecting others to go along with your ideas and plans.
    - Taking advantage of others.
    - Trouble keeping healthy relationships.
    - Be envious of others and/or believes that others are envious of him or her.

    To add to the above, the Association of Certified Fraud Examiners (ACFE) mentions in its 2014 report that the financial losses resulting from fraud committed by Owners/Executives at companies were at least 3 times larger than the losses resulting from fraud committed by managers or employees. Similarly, the ACFE study showed that the longer a fraudster had worked for a company, the more financial harm he or she caused. This supports the conclusion that big game players are the ones who are at the top of the corporate pyramid.

    "There is a strong correlation between the fraudster's level of authority and the losses resulting from the fraud" - ACFE 2014 Report to the Nations

    But a good investigator / interviewer would be able to identify that behind this mask of ultra-confidence lies a person with fragile self-esteem and vulnerability to the slightest criticism / comment made against them in a negative manner. Additionally, an investigator will need to be good at profiling, since the majority of fraudsters would have never been punished and would not have criminal records!

    Try and imagine people like Jeffrey Skilling, Enron Corp.'s former chief executive, who carried tremendous pride that he could do anything under the sun, such as building an idealistic concept of energy trading, and who explored mark-to-market accounting, which could show people that they can bill for future profits right now; everyone, even the authorities, bought into that concept. The whole office used to look up to him.

    Think of people like Jordan Belfort in The Wolf of Wall Street, who could sell penny stocks better than Apple, Intel etc. The whole office admired him. They all had an attractive, role model personality, etc.

    The list can go on and on and includes Ponzi scheme perpetrators such as Scott Rothstein and Bernard Madoff as well as accounting fraudsters such as Ramalinga Raju (formerly of Satyam Computer Services) and so forth.

    Behavior

    There are certain behaviors which fraudsters exhibit. These behaviors can serve as tell-tale signs that an individual may be committing fraud. From my experience, the most common behavioral red flag displayed by fraudsters is living beyond his or her means. In the Middle East, the question asked is "Where did you get this from?" This alludes to how an individual can afford to purchase something which is clearly above his financial abilities. The ACFE's [3] top 3 behavioral red flags displayed by fraudsters are shown in the table below:

    Behavioral Red Flags Displayed by Perpetrators
    Living Beyond Means: 43.8%
    Financial Difficulties: 33%
    Unusually Close Association with Vendor/Customer: 21.8%

    On another note, experience also shows that individuals that committed fraud did so with the help of at least one other individual. What do you think the other person would be like? Generally the other partner is a submissive one, who would generally take instructions from the dominant partner. Since the dominant partner might want to remain in control, they would avoid choosing a person of equal stature, because they would have to share their loot equally with other partners. If an investigator cracks the weaker link, the whole case would unravel like a blossoming sunflower.

    Individuals exhibiting the aforementioned behaviors must be critically examined. Quantitative tools must be especially keen, and third-party verification like a psychometric test can be a good component of this analysis.

    Drawbacks of Profiling

    Even though a large portion of fraudsters meet the previously mentioned guidelines of the typical fraudster, it can be very difficult to implement fair policies that target individuals that fit that profile without causing some unrest within the company. Naturally, management positions should be afforded some type of oversight in order to limit the chances of fraud. However, placing increased oversight on a specific group of individuals can seem like unfair targeting to employees and can cause issues. In some cases the improper implementation of fraud mitigation strategies can open a company up to potential lawsuits. Lawyers and industry professionals should be consulted before implementing strategies based on profiles of fraudsters.

    Conclusion

    While it is definitely possible to create a basic profile for fraudsters, it is important to remember that this profile constantly changes as technology adapts and new avenues of fraud become available. Mitigating the risk of fraud is an important consideration for any business, and utilising data has become a large part of the equation for many.

    References:
    1. Global Profiles of a Fraudster, KPMG International, 2013.
    2. Diagnostic and Statistical Manual of Mental Disorders (DSM-5), American Psychiatric Association, 2013.
    3. ACFE's 2014 Report to the Nations on Occupational Fraud and Abuse.

    ROBIN SINGH, MBA, MIT, CFE, CFAP is Senior Ethics / Fraud Control Officer at Abu Dhabi Health Services Company (SEHA).

    BY KETAN BHOOLA

    Project Controls: More than just a box ticking exercise

    In my previous life as a site architect working on the design and build of a mega shopping center, I vividly recall a cold winter's morning, standing on site with the team that included "the finance guy", as we called him. He was understandably worried because he had to deliver a difficult message to the project team. The message? The project had run out of cash. The project manager was infuriated but all he could do was throw his hands in the air and walk off the site. Someone in our team said sarcastically, "so much for our project controls!" What exactly are project controls? What do they do and why are they so important? In fact,