1

IIA-Ethiopia Newsletter Progress through Sharing

Informing & Educating IIA-Ethiopia Institute Members

SPECIAL ISSUE VOLUME I NUMBER 7

May 2017

MESSAGE FROM THE PRESIDENT

May is International Internal Audit Month- the perfect opportunity to promote the

profession and its important role in organizational governance, internal control, and

risk management.

Since its inception in 1996 Ethiopian Internal Auditors Association (IIA-Ethiopia) has

passed through several challenges and opportunities and is thriving to continue its

journey as part of the Global Internal Audit Association (Global IIA).

The year 2016 was an exciting year in that internal auditing is given more recognition

both worldwide and locally. Such recognition definitely brings more challenges for the

profession, as stakeholders demand upgraded and quality service which the profession

under the leadership of the Global internal audit is relentlessly working at.

A favourable legal and policy environment and proactive steps is taken by FDRE

government. Recently, internal audit activity in Federal Government has been made to

report to Ministry of Finance and Economic Cooperation (MoFEC). Such move enables

the internal audit profession to grow and upgrade itself to a level where it can give a

service based on the international standards of internal auditing.

IIA-Ethiopia recently elected a new Executive Board. The new Board gladly embrace

both the challenges and opportunities that have come to the profession. It has decided

to uphold the contribution of the founders of our Association for which the awareness

month is the perfect time to do so. The foundation laid by our courageous founder

fathers is the source of strength to the new generation.

The other theme of this year’s awareness month is Systems & IT Auditing. The

astounding growth of information technology has invaded all organizations and

subsequently creates a threat to their survival due to the existence of cyber security

crime, virus and hackers. Such threats require frequent updating and adequate control.

The Global Internal Audit Association has done a lot in IT Auditing and issued several

guidelines to equip internal auditors worldwide. IT Auditing in Ethiopia, however, is in

2

its introduction stage and much has to be done to cope up with the threats and

challenges faced by organizations. As a trumpet call to embark a new effort to Systems

and IT Auditing, we have included in this newsletter three articles to show both the

challenges and opportunities existed in IT Auditing. I invite active participation in the

panel discussion organized to discuss the basics and state of IT auditing in Ethiopia.

Finally, I thank all our sponsors, Ministry of Finance and Economic Cooperation, our

institutional members, the internal audit community at large and the organizations for

which internal audit is giving service and affirm the Board’s commitment to work for

realizing a value added and supportive internal audit profession.

Samuel Ademe, CIA, EMBA

President, IIA Ethiopia

IIA Ethiopia FOUNDERS

The idea of an Ethiopian Internal Auditors Association was conceived by three

individuals: H.E. Ato Lemma Argaw, the then Federal Auditor General of FDRE, the Late

Professor Johannes Kinfu, and Ato Wolderuphael W.Giorgis, the then Internal Audit

Manager of MIDROC Ethiopia. These three people imparted their ideas to individuals

who were mainly in internal auditing work. Later on the founders meeting was called on

December 16, 1995 and was attended by fifteen members (Their names is given on

Annex-1) who elected the executive committee composed of five members and from

that day onwards the Ethiopian Chapter was officially recognized by the Institute of

Internal Auditors (IIA). H.E. Ato Lemma Argaw and Ato Wolderuphael W. Giorgis has

been made life time members of IIA Ethiopia in 2012.

This special issue highlights briefly the contribution of the three founding fathers of IIA

Ethiopia.

H.E. Ato Lemma Argaw

Ato Lemma Argaw, the then Auditor General of

Ethiopia, the founding member and the first president

of IIA Ethiopia, has contributed a lot for the

introduction and expansion of internal auditing

profession in Ethiopia.

He has dedicated himself to the development and

progress of the internal auditing profession in Ethiopia

since day one of the legal establishment of IIA Ethiopia

Chapter in Addis Ababa. Since his election as the first

president of the chapter in 1997, he has introduced a

lot of important undertakings to the chapter.

3

To mention a few of them: a qualification examination center has been opened in Addis

Ababa, Ethiopia for the first time. He was instrumental to obtain a half reduced

examination fees for Ethiopian candidates .The IIA Ethiopia library was first opened in

the compound of the Office of Auditor General. Annual conferences were held in

different ministries’ halls. He has also enabled the chapter to enjoy a half annual

affiliation fees for all Ethiopian members for a long period of time. His efforts also

enabled the chapter to get a free office in the Ministry of Finance compound.

Ato Lemma is the first and the few CGAP qualified Auditors in Ethiopia. He is a typical

and living example of a lifetime learner. Ato Lemma has also taught internal auditing in

IIA Ethiopia, Ethiopian Management Institute, Commercial Bank of Ethiopia and other

private enterprises, to promote the internal auditing profession in the country. He had

also written several articles on auditing and has presented papers at different

conferences both locally and internationally.

We members of IIA Ethiopia are very grateful and deeply indebted to him for his

dedicated service, guidance and enormous contribution to the development of internal

audit in Ethiopia and particularly to IIA Ethiopia.

The Late Professor Johannes Kinfu

Professor Johannes was Emeritus Professor of Accounting and Finance at Addis Ababa University (AAU) who dedicated all his life to education and training. He taught accounting at the Addis Ababa University for 44 years. He was also in charge of planning and served as Dean of the Faculty of Business and Economics.

His expertise and proficiency as well as his passion and dedication in the field of Accounting and Finance are unrivalled not only in Ethiopia, but also at the African level.

IIA Ethiopia is fortunate to have such a distinguished scholar as its founding member and its first V/President. Professor

Johannes was instrumental to lay a foundation for a close relationship of the Addis Ababa University and IIA Ethiopia. We at the IIA Ethiopia always remember Professor Johannes for his great contribution and dedication to the field of accounting and auditing in Ethiopia.

4

Ato Wolderuphael W.Giorgis

Ato Wolderuphael W. Giorgis who holds BBA in

Accounting (HSIU), LLB (AAU) and MSc in Internal

Auditing (City University, UK) is a long time internal

audit practitioner in both government organizations

and private companies. He is one of the founders of IIA

Ethiopia and has dedicated his life for the

development of internal auditing in general and IIA

Ethiopia in particular.

He had been an active trainer and delivered several

trainings for both IIA Ethiopia and MIDROC Ethiopia

companies to internal auditors and senior

management members when he was the Chief Internal Auditor at MIDROC Ethiopia.

Ato Wolderuphael represented IIA Ethiopia in several IIA International Conferences and

Global Council meetings and has helped IIA Ethiopia to establish a solid relationship

with the Global Association. He was also instrumental in bringing IIA Global officials to

visit IIA Ethiopia. Last year, Ato Wolderuphael donated 36 books to the library of the

Institute.

IIA Ethiopia is very grateful to Ato Wolderuphael for his relentless, sacrificial and

devoted service to the Institute.

Articles on IT Auditing

Introduction

We have included three article reviews on IT auditing and related areas which were

published on different local and international journals by an Ethiopian Author, Ato

Shemlse G/medhin Kassa. It is customary in other countries to celebrate May internal

audit awareness month by presenting such kinds of articles or reviewing different

related books for participants with panel discussion and training. The three articles

reviewed aim to motivate further reading as well as to encourage contribution for the

success of our profession. In addition, this review shows the existence of qualified

professionals in our country and if we work hard in the area we have also a good

opportunity to contribute to the development of the profession. A brief description and

address of Ato Shemlse G/medhin Kassa is given at the end of the articles.

5

Article 1: Ethiopian Banking Industries Readiness for IT security Audit

EBA® Volume 1, Feb 2015: for your further reading please refer https://www.linkedin.com/pulse/ethiopien-bank-industries-radinasse-information-audit?published=t

Audit is one of the major management and technical activities to identify all the possible

risks in any organization. Security audits is a type of audit that provide a fair and

measurable way to examine how secure a system or site really is. In the very nature

financial sectors especially, banks are more exposed to risk or security threat than any

other sectors, while they are highly aggravated to adopt new technology. Although,

security is a never ending process that requires continuous follow up but it is rapidly

changing. Therefore, Banking industries frequently need to identify their current

security status and adopt the required updated Information Security and audit.

The study has been conducted on the Ethiopian Banking Industry using mixed research

method as a research paradigm and questionnaire and interview are used as a method

of data collection. The survey result is used for identifying the readiness of banking

industry to adopt security audit, identify the required criteria’s and advise the industry

to come up to better security auditing process. Questionnaires were prepared based on

ISO, NIST and ICT readiness check list for developing country. Finally the research

proposes 12 minimum security requirements, auditors’ responsibility towards those

requirements and presents the status of Ethiopian banking industry. Consequently, the

total results of security implementation in Ethiopian banking industry based on survey

study stood at 46.2%, which shows the industry is found in an embryonic stage of

security audit readiness.

Fig: Readiness of Ethiopian banking industry for IT security Audit, Source – S. G. Kassa. Reprinted with permission

40.50 47.20

37.40

52.50 59.99

50.50 43.40 41.80 44.00 43.20 46.20

6

Article 2:Information Systems Security Audit: An Ontological Framework

ISACA® Volume 5, Sep 2016: for your further reading please refer

https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=333

Technology is evolving at an amazing pace and offering a vital benefit for businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed upon and well-suited security audit framework for tackling IT security challenges, and there is also no holistic approach for the audit process. Because of this lack of agreement, it is getting more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerability; risk; and control.

This article proposed 8 audit processes in 1 hierarchical framework to understand and design visualizations on the previously mentioned security concepts.

The following are a few of the benefits of using the framework:

Provide a common understanding on concepts, definitions and approaches

Create a common understanding of steps and processes

Clearly show how you perform the audit

Help managers follow along with the audit stages

Demonstrate how ontological and hierarchical thinking simplifies tasks

Increase efficiency and performance

Improve skills of auditors and people in the area to manage security auditing process Build a common base for evaluation, monitoring, reporting, analyzing and training

After performing several audits, the researcher fined the framework quite helpful. Today, auditors are driven to perform risk-based audit. To identify risk-based IT auditable areasth is can be a difficult process, but this framework help to precede more on audit activity. (The Proposed ISSA ontological framework is portrayed on the next page)

7

Fig: Proposed ISSA ontological Framework, Source – S. G. Kassa. Reprinted with permission

8

Article 3: IT Asset Valuation, Risk Assessment and IT Control Implementation

Model

ISACA® volume 3, June 2017: for your further reading please

referhttps://www.isaca.org/Journal/Blog/default.aspx

The researcher proposes different models that help to measure, manage and implement

concepts objectively by using the previously proposed ontological framework. The aim

of this recent article is to help you quantitatively conduct asset valuation, risk

measurement, impact analysis and identification of the existing control gap of the

company’s IT resource for a regulatory body, management, auditors and other

concerned parties.

In general, the model would enable us to:

Quantitatively measure the value of IT assets, risk impact and control

implementation gap

Facilitate the control follow-up process

Use a common base for evaluating, monitoring, reporting and analyzing a risk

assessment

Realize the required skills of different models and security components

Understand how the weight of an IT asset is assigned

The researcher inspiration for this article came from what he observed while working

as IT and systems auditor, he and his colleagues are challenged to give equal valuation and

similar opinion on IT Asset, Risk and control implementation gaps, without existence of clear

and accepted models. Hence, in order to solve such kinds of challenges he motivated to

create this model. This model provides an easy approach to measure values of IT assets,

risk impact, threat, vulnerability and controls; quantitatively and objectively for

company managements and owners for the purpose of their critical decision making.

By this model measurement:

Assumptions for asset valuation include: The value of an asset depends on the sensitivity of data inside the container and

its potential impact on CIA.

CIA of information will have a minimum value of 1 for each.

The value of levels for CIA are as follows; A rating of 3 is high, 2 is medium and 1 is low.

9

The Value of the information asset is determined by the sum of the three (C + I + A) attributes.

Asset Value = value of ConfidentialityI + Integrity (I) + Availability (A)

(Max. Asset Value= the Sum of Max. Implemented value of CIA: 3+3+3)

Total Asset = Asset Value * Wight of Asset (Max. Total Asset: 9*3=27)

Potential Risk = Total Asset Value * Severity of Risk* Severity of Vulnerability (Max. Potential Risk: 27*5*5=675) Risk Impact = Potential Risk * Probability (Max. Risk Impact: 675*5=3375)

Acceptable Risk range from 3 to 540

Max value of Acceptable Risk:Max Asset value* Low vulnerability* Low Threat * Frequent probability = 27*2*2*5= 540

Tolerable risk range from 541 to 1215

Value of Tolerable Risk: Max. Total Asset*Medium vulnerability* Medium Threat *Frequent Probability27*3*3*5=1215 and

In tolerable Risk range from 1215 to 3375

Max value of Intolerable Risk = Max. Total Asset* Very High vulnerability* Very High Threat * Frequent Probability= 27*5*5*5= 3375

Shemlse G/Medhin Kassa, CISA, MSCS, CEH

Is Head of systems and IT audit for United Bank S.C. and a security consultant for MASSK

Consulting in Ethiopia. He has a multidisciplinary academic and practicum background in

business and IT with more than 10 years of experience in accounting, budgeting,

auditing, controlling and security consultancy in the banking and financial industries.

Kassa is highly motivated and engaged in IT security projects and research, and he

strives to update current systems and IT audit developments to keep up with the

dynamically changing world and ever-increasing challenge of cybercrimes and hacking.

He published different articles on local and international Journals.

The author of the articles can be reached at: Email: shime2002@gmail.com, P.O.Box: 17968

Addis Ababa, Ethiopia

10

The Current IIA Certifications

The IIA is the only certifying body for the profession of internal auditing. In addition to

offering the only internationally accepted designation for the profession, The Certified

Internal Auditor (CIA), The IIA offers five speciality designations to further distinguish

qualified practitioners.

IIA certifications is available through computer-based testing, allowing candidates to test

year-round at approximately 500 locations worldwide (1 in Ethiopia). Registration is

completed through The IIA’s online Certification Candidate Management System (CCMS).

A short description for each certification is given below

The Certified Internal Auditor® (CIA®) designation is the only globally accepted

certification for internal auditors and remains the standard by which individuals demonstrate

their professionalism in the internal audit field. Candidates leave the program enriched with

educational experience, information, and business tools that can be applied immediately in

any organization or business environment.

The Certification in Control Self-Assessment® (CCSA®) designation is an esteemed

certification for control self-assessment practitioners. It measures a candidate’s knowledge of

important CSA fundamentals, processes, and related topics such as risk, controls, and

business objectives. It is the standard by which individuals demonstrate their comprehensive

professionalism in the field.

The Certified Financial Services Auditor® (CFSA®) measures an individual’s knowledge

of audit principles and practices within the banking, insurance, and financial services

industries. Candidates may choose any one of these disciplines when takingthe exam,

regardless of their current occupational field. The CFSA is a respected certification for

practitioners of financial services auditing

.

The Certified Government Auditing

Professional® (CGAP®) certification program was designed especially for auditors working

in the public sector at all levels — federal/national, state/provincial, local, quasi-

governmental, or crown authority. It is an excellent professional credential that prepares and

qualifies practitioners for the many challenges they face in this demanding arena.

The Certification in Risk Management Assurance™ (CRMA®) program has been

designed to allow audit practitioners and others interested in risk management assurance to

demonstrate their ability to provide advice and assurance to audit committees and executive

management on whether key risk management and governance processes in their

organizations are in place and effective.

11

(QIAL®) Qualification in Internal Audit Leadership designation provides with the

opportunity to demonstrate the key leadership competencies valued by executives and

stakeholders resulting in greater credibility. (For more information on certifications visit

IIA website at: www.theiia.org/certifications)

Publications of IIA Global

The following are major publications of IIA Global for members:

The Internal Auditor Magazine – Internal Auditor is the world’s leading publication printed

by the Institute of Internal Auditors six times a year, namely in February, April, June, August,

October, and December. In its effort to disseminate the latest auditing information,

knowledge, and skills to its CIA members, IIA-Global has a bulk subscription service at a

discount price.

Global connections – is The IIAs new quarterly global newsletter distributed by e-mail to

members.

Institutional and Individual Members

To date, there are twenty three (23) Institutional and 150 active individual IIA-Ethiopia

members.

The Institutional members are: Addis International Bank, Buna International Bank,

Commercial bank of Ethiopia, Dashen Bank S.Co., Defense Construction Enterprise,

Ethiopian Electric Light, Ethiopian Electric Utility, Ethiopian Airlines, PPESA, Ethiopian

Red Cross Society, Ethio Agri-CEFT Plc., Ethiopian Insurance Corporation, Ethiopian

Shipping and Logistics Service, Ethiopian Sugar Corporation, Ethio Telecom, Kality

Construction Materials, MIDROC Ethiopia Technology Group, MOHA Soft Drinks,

National Bank of Ethiopia, Nib Insurance Company, Nib International Bank, Oromia

International Bank, and Wegagen Bank.

Individual members are selected on the basis of their university credentials and practical

experience in the field of internal auditing and related disciplines. Ethiopians and other

foreign residents satisfying these requirements are accepted as regular members. Included in

this category are academic members (whose two years of teaching is considered as a one-year

of internal auditing work experience) and student members (full-time university students who

are in their senior (final) year.

Todate, individual members pay an initial IIA-Ethiopia registration and annual membership

fee of Birr 50 and Birr 360 respectively as well as an affiliation fee of equivalent Birr amount

of USD 16.50 at the beginning of IIA-Ethiopia’s fiscal year.

12

NEWS IN BRIEF

a. Election of a New Board

The Ethiopian Internal Auditors Association conducted its Annual General Meeting on

February 25, 2017. The following new Executive Board members were elected for the next

four years.

Ato Samuel Ademe President

W/o Kokeb Ashame V/President

Ato Alemneh Abebe Secretary

W/o Tenaye Aklilu Finance Officer

Ato Endashaw Kifle Treasurer

W/o Seble Abera Member

Ato Fekadu Agonafir Member

Ato Asrat Tesfa Internal Auditor

b. 2017 Certification Application, Registration, and CPE Reporting Fee Increase

IIA Global has made a moderate increase in certification application, registration and CPE

reporting effective April 1, 2017.

2017 Certification Application and Exam Registration Fee

Product Member Non-Member

Applications USD $ 115.00 USD $230.00

CIA Part 1 USD $ 280.00 USD $395.00

CIA Part 2 USD $ 230.00 USD$ 345.00

CIA Part 3 USD $ 230.00 USD$ 345.00

Speciality USD $ 380.00 USD$ 495.00

2017 Continuing Professional Education Fees Paid Directly by Certified Individuals

Product Member Non_Member

CIA or QIAL CPE/CPD USD$ 30.00 USD$ 120.00

Specialty CPE USD$ 20.00 USD$ 120.00

13

c. 2017 May Awareness Month Celebration

The month of May is international internal audit awareness month to promote the profession

and its important role in organizational governance, internal control and risk management.

This year the major event will be the half day national symposium to be held at Ministry of

Finance and Economic Cooperation Conference Hall on 27 May 2017. This year’s

symposium aims at giving recognition for the three founders of Ethiopian Internal Auditors

Association (IIA Ethiopia), H.E. Ato Lemma Argaw, the late Professor Johannes Kinfu and

Ato Wolderuphael W.Giorgis and includes presentations and panel discussion on the

important issues related to Systems and IT Auditing.

H.E. Dr. Abraham Tekeste, minister of Finance and Economic Cooperation is expected to

grace this important event.

e. A Call for Articles and Opinion

Since IIA-Ethiopia intends to publish this Newsletter semi-annually, we would appreciate if

you could send any article or opinion related to internal auditing via iiaethiopia1@gmail.com

or write to P. O. Box 26887/1000, Addis Ababa, Ethiopia. This will serve as a basis for

exchanging news, information, opinion, and suggestions.

Annex 1-

Name Organization 1. H.E. Ato Lemma Argaw OAG

2. Professor Johannes Kinfu Director of IDR/AAU

3. Ato Assefan Desta OAG

4. W/O Alia Abdulahi ALIA ABDULAHI & Co.

5. Ato Demissie G.Michael A.A BromHEAD & Co.

6. Ato Wolderuphael W. Giorgis MIDROC ETHIOPIA

7. W/O Wolansa Mekuria OAU

8. Ato Tamrate Bekele TAMBEK

9. Ato Antonio Silla ILRI

10. Ato Haile Tegegn MIDROC ETHIOPIA

11. Ato Tafesse Bekele MIDROC ETHIOPIA

12. Ato Kifle Shewangezaw THLECOMMUNICATIONS

13. Ato Abrham Gebre Yesus MIN. OF INDUSTRY

14. Ato Engdashet Gebre Hana ILRI

15. Ato kebede Tessema WONJI/SHOWA SUGAR F