Ia Magazine Dec Eng1

DECEMBER 2014
WWW.INTERNALAUDITOR.ME
Using Feedback from Auditees to

Enhance Internal Audit Performance
Global Developments that are
Changing Internal Audit
INTERNAL AUDITOR
MIDDLE EAST
A Look Into the Characteristics and

Behaviors of the Typical Fraudster
SHAPING TALENTED
AUDIT TEAMS
The top 10 innovative professional

development programs for internal auditors
INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL
From The President
The Time for Research

Dear Readers,
Over the past quarter, weve continued to see the Institute of Internal Auditors (IIA)
Research Foundation release various insightful reports on the internal auditing
profession globally. Similarly, weve seen new reports being released by local IIA
institutes such as the UKs Chartered Institute of Internal Auditors, the IIA Netherlands
and others. All of these professional bodies have been working on researching topics
important to internal auditors so that they can embody the IIAs motto of Progress
Through Sharing.
The UAE Internal Audit Association (UAE-IAA) is no different. Over the course of a
short period of time, we have successfully translated to Arabic the Certified Internal
Auditor Study Materials & Exam, Sawyers Guide for Internal Auditors (6th Edition) and
we are working on translating the 2013 COSO Internal Control Integrated Framework.
These efforts have made such publications more accessible to internal auditors in our
region, and now the time has come to develop our own thought leadership through 2
major initiatives:
1. Risk Management Practices and the Role of Internal Audit: This study, which is
well under way, will produce original research relating to non-financial institutions in
the UAE. Weve assembled a dynamic team consisting of both academics and internal
audit practitioners who will reveal the results of this study in our 16th Annual Regional
Audit Conference which will be held in early 2015.
2. Global Internal Audit Common Body of Knowledge (CBOK): This is the
centerpiece of ongoing research efforts conducted by the IIA Research Foundation. As
part of CBOK, the IIA will be conducting its 2015 Practitioner Survey covering over
100 countries. In addition to the global results, we will use the data collected from this
survey to produce UAE specific insights.
These efforts would not be possible had it not been for the support of our strategic
partners, members and volunteers who work tirelessly to promote the internal audit
profession. We ask all our members actively support our research efforts as we can only
succeed with their cooperation and participation.
On a final note, I am pleased to announce that thanks to the efforts of volunteers from
the Editorial Advisory Committee, we have completely revamped the website of Internal
Auditor Middle East to a site we hope you will all be proud of.
Please visit www.internalauditor.me and share your feedback with us.
I wish you all a very happy and prosperous 2015.
Sincerely,
Abdulqader Obaid Ali

President
DECEMBER 2014
INTERNAL AUDITOR - MIDDLE EAST
REACH NEW INTERNAL

AUDIT HEIGHTS
CONNECT | SIMPLIFY | PERFORM
ACCELUS AUDIT MANAGER

Internal audit is being asked to evolve beyond the third line of defense or ticking regulatory boxes. Boards and senior management
now value the insight and analysis that a strong audit function can
deliver. Accelus Audit Manager can help:
Liberate audit teams from manual tasks
Enrich your dialogue with the business
Drive enhancement of audit quality
Deepen engagement with your board audit committee
Contribute to business operational excellence
For more information on Accelus Audit Manager please visit:

http://accelus.thomsonreuters.com/
2014 Thomson Reuters. All rights reserved.
INTERNAL AUDITOR
MIDDLE EAST
DECEMBER 2014
WWW.INTERNALAUDITOR.ME
F E AT U RES
16 COVER STORY: Shaping Talented Audit Teams
Innovative ways to improve the

skills of your internal audit team and increase their business acumen. BY BRUCE TURNER &
JACQUELINE TURNER
22 Auditee Feedback
Feedback Internal auditors

can use positive and honest
feedback at various stages in
the audit process to improve
their performance.
BY LALIT DUA
4 Reader Feedback
24 Board & C-Suite Driven Assurance: The Dawn

of a New Era
28 Inside the Mind of a

Fraudster
Recent developments in
governance and regulation
will have a profound impact
on internal audit approaches.
What characteristics and

behaviors does the typical
fraudster display? Recent
surveys and studies can help
shed light on this.
BY TIM J. LEECH
BY ROBIN SINGH
DE PARTMENTS
5 Knowledge Update
New Reports from IIA UK and

Netherlands; Data Analytics;
Risk Management Guidance
for Boards; Business Continuity Management.
10 Governance
Perspectives
A healthy corporate culture is

essential to good corporate
governance and therefore it
should be audited.
BY ROBERT NOYE-ALLEN & KAMI
NUTTALL
BY VISHAL THAKKAR
12 Conversations with
8 UAE-IAA Events
Harsh Mohan talks about the

important role of internal
auditing in risk management.
Colleagues
BY FARAH ARAJ
DECEMBER 2014
20 Human Resources
Five characteristics of
a successful chief audit
executive.
BY AYMAN ABDELRAHIM
30 Fostering
Fundamentals Having
proper controls around

construction projects
provides better information
and increases the chances
of success.
BY KETAN BHOOLA
Reader Feedback
We want your views on the articles and the magazine! Share your
thoughts and feedback with us via email at editor@internalauditor.me
be cautious and avoid commenting on

the strategies selected by management.
Since internal audit should determine the
effectiveness of the IT strategy, therefore
we do need to question and understand the
business case for the various IT initiatives
and how they map to the enterprise
objectives. For us to be seen as partners, we
do need to raise risks we identify in various
initiatives undertaken by management
and not just raise risks relating to the
strategic planning process. Very often I
find that business cases developed are not
fully justified and mislead management to
making the wrong decisions.
Disagreements on Information
Technology Strategy
The article Information Technology
Strategy (Sept 2014) was a very interesting
read and in particular because it reflected
the views of a Chief Information Officer.
However, I did not agree with his
recommendation for internal auditors to
Nada Al Chalabi
Senior Audit Manager
Information Systems
Dubai, UAE
Enjoyed the Information

Technology Special Issue
I read with interest the articles published
in the IT Special Issue (Sept 2014) of
Internal Auditor - Middle East magazine.
UAE INTERN AL AU DIT ASSOCIATION
C ONTAC T I NF OR MAT I ON
BOARD OF GOVERNORS
ADVER TISING & ADMINIS TRATION
Ya s m i n e A b d E l A zi z
ya s m e e n @i i a u a e . o rg
Te l : +9 7 1 4 4 3 3 9 0 8 2
A b d u l q a de r Oba id Ali
Ah med Al An sari; Kh alid Al Hal yan ;

M oh am ed Al Harth i, M BA, CRM A;
Ab d u lq ad er Ob aid Ali, CRMA,
CFE , QIAL; Naseeb a Alrais, M SC;
Ayesh a Bin Lootah , M BA; Naeim a
M oh am m ed Al M en h ali, MSC, CRM A;
Ali Al Mu waijei M AFB, M FA,CRM A,
CT 31000; Nah la Al Qassim i, Ph .D.,
CRMA, CCP, CCA
EDIT OR
EXECUTIVE COMMITTEE
INTERNAL AUDITOR
MIDDLE EAST
D E C E MBER 2 0 1 4
VOLUME 2014: 4
PRESIDENT
F a r a h A ra j ( Ac t ing)
Raza Ab d u lla; Ab d u lrah man Al Hareb ;

Arin d am De, M BA, CFA, QIAL; Karl
EDIT ORIAL ADVISORY COMMITTEE
Hen d ricks, CIA, CCSA, CQA; Ru stom
A se m A l N a se r, CPA, CIA, QIAL ;
S. Kreid l y, CPA, CRMA; Karem Ob eid
F a r a h A ra j, CPA, CIA, CF E, QIAL ;
Fad i Sid an i, CPA, MS; Ra b i You ssef,
M a j e d Buk ha she m; Andre w Co x,
CPA; Ad n an Z aid i, CRM A, ACA, M BA,
M B A , M E C, CF IIA, CIA, CIS A, CF E ,
C G A P, MRMIA; Ra ymo nd He la ye l, CPA, CCSA, CIA, CFE , CIPFA
C I A ; M e e na k shi Ra z da n, CA, CPA CIA, GENERAL MAN AGER
C F E ; H o s sa m S a m y, CRMA, CF E, CPA, Samia Al You su f
C G A ; N a ge sh S ur ya na ra ya na , MBA,
TEAM
C I A , C C SA; J a me s Te b bs, CA; Vis h al
Aish a Akh tar; Yasmin e Ab d E l Aziz;
T h a k k a r, ACA, CIA; Issa m Za ghlou l,
Bassam E l Ba g h d ad i; Lorn a Mu n g kal;
M Sc , C I S A, CIS S P, CG EIT
You ssef M u stafa; Aileen Pela g io
ARABIC REVIEW TEAM
Ay m a n Abde lra him, MQM, CIA, CCSA,

C F E ; Kh a lid M. Alo dha ibi, S O CPA;
Q a i s H a mda n, CIS A, CIS M, P MP ;
Wa l e e d Sw e ime h
EDIT ORIAL
F a ra h A ra j
e d i to r@i n te rn a l a u d i to r. m e
Te l : +9 7 1 5 0 8 5 0 1 7 8 0
I applaud the clarity with which articles

were written; they have a good amount of
interesting material without being too long
winded or full of jargon. I especially liked
the conversation with Deloittes leadership
team (Tariq Ajmal and Fadi Sidani) and
GRC by Satish Yadav. I agree with Tariq
and Fadi on the fact that technology is
changing the internal audit profession
and that the future focus should be on
data analytics and cybersecurity. I also
like Statishs view how GRC technology
is the way to improve and streamline risk
management efforts. However, I would
have liked to see insights on top IT risks
relating to ERP technologies like SAP and
Oracle. This is because not all companies
in the UAE have even implemented fullfledged ERPs and may are in still in their
early stages. Going forward, I would like to
see more IT related articles in the magazine
on a recurring basis as IT is an integral part
of an effective internal audit process.
Rahul Vaid
IT Auditor
Abu Dhabi, UAE
UAE Internal Audit Association

an IIA Global affiliate
I n te rn a l A u d i to r M i d d l e E a s t i s p u b l i s h e d q u a rte rl y b y t h e
U A E I n te rn a l A u d i t A s s o ci a ti o n ( U A E - I A A ) , 8 th F l o o r, B u ild in g
4 , T h e G a l l e ri e s , D o wn to wn Je b e l A l i , D u b a i ,
P. O. B o x 9 0 9 1 9 , U n i te d A ra b E m i ra te s
DESIGN & PRINTING
G i ri s h M e h ta
A d ve n tu re G l o b a l
g i ri s h @a d ve n tu re - g l o b a l . co m
Te l : + 9 7 1 4 3 9 3 7 6 9 6
COMPLIMENTARY TRANSLATION PROVIDED BY:
ARABIC TRANSLATION & LAYOUT
Hossam Samir
E l a p h Tra n s l a ti o n
h o s s a m @e l a p h tra n s l a ti o n . co m
Te l : +9 7 1 4 3 3 1 0 3 3 2
GUIDELINES F OR AUTHORS
www. i n te rn a l a u d i to r. m e
DISCLAIMERS
I n te rn a l A u d i to r M i d d l e E a s t i s i n te n d e d o n l y f o r m em b er s
o f th e I n s ti tu te o f I n te rn a l A u d i to rs i n th e M i d d l e E as t an d
a s s u ch i t i s n o t i n te n d e d to b e s o l d o r re - s o l d b y an y p ar t y.
T h e vi e ws e xp re s s e d i n I n te rn a l A u d i to r M i d d l e E a s t
a re s o l e l y th o s e o f th e a u th o rs , a n d d o n o t n e ce s s ar il y
re p re s e n t th e vi e ws o f th e U A E - I A A o r th e a u th o rs
re s p e cti ve e m p l o ye rs .
I n te rn a l A u d i to r M i d d l e E a s t i s a p e e r- re vi e we d ma g az in e
a n d d o e s n o t ve ri fy th e o ri g i n a l i ty o f th e co n te n t s ub m it t ed
b y th e a u th o rs .
DECEMBER 2014
Knowledge Update
B Y VI S H A L T H A K K A R
The IIA UKs 2nd Annual Survey of

Heads of Internal Audit
The Chartered Institute of Internal Auditors (IIA UK) has released its Governance and
Risk Report 2014 which discusses internal audits perspective on the management of
risk. As part of this annual survey, the IIA UK obtained the views of 247 Heads of Internal
Audit from the UK and Ireland. The report provides insight on:

Risk maturity.
Top risks internal auditors are focusing on.
Reporting relationships of internal audit.
The competencies that internal audit need to function effectively.
Over the past year, there has been a marked increase (from 68% to 82%) in the number of
heads of internal audit reporting functionally to the chair of the audit committee which is
results in an increase in internal audit effectiveness. However, there was little change in the
amount of respondents (57%) who felt the level of risk maturity in their company was well
established.
In terms of the skills needed by internal auditors, the top 3 skills identified by respondents
were 1) Communication Skills, 2) Problem Identification and Solution Skills and 3)
Knowledge of Industry, Regulatory, and Standards Changes. The report also covered
quality assurance and the results show that over 60% of respondents had an External
Quality Assessment carried out by an independent party in the past 5 years. This figure
rose to 75% in the financial services sector.
87%
of executives believe
reputation risk is
the most important
strategic risk
Source: Deloittes 2014 Global Survey on
Reputation Risk
http://www2.deloitte.com/global/en/pages/
governance-risk-and-compliance/articles/
reputation-at-risk.html
42.8
million
is the total number of

security incidents detected
in 2014
https://www.iia.org.uk/policy/wwwiiaorgukgovandrisk2014/
Combining Internal Audit and the

Second Line of Defense
The IIA Netherlands published a report titled Combining Internal Audit and Second
Line of Defense Functions?. The report discusses the pros and cons of combining internal
audit and second line of defense functions. The main question the report tried to answer
is whether the Internal Audit Function can work independently and objectively while
providing support to areas such as risk management, compliance and internal controls.
The main conclusion from the research and round tables conducted was that combining
internal audit and second line of defense functions is not the preferred solution
considering the Three Lines of Defense model and the as well as safeguarding the auditors
independence and objectivity as advocated by the Institute of Internal Auditors.
The report also covered the basic conditions and safeguards which should exist when
combining internal audit and second line of defense functions:

Internal audit should not make managerial decisions.

Internal audits role should be formalized in the internal audit charter.
Segregate the persons carrying out such responsibilities from the core
internal audit team.
35%
of security incidents are
carried out by current
employees of a company
http://iia.nl/actualiteit/nieuws?newsId=1613
Source: PwCs Global State of Information

Security Survey 2015
http://www.pwc.com/us/en/cfodirect/
issues/cyber-security/global-informationsecurity-survey-2015.jhtml
DECEMBER 2014
Knowledge Update
EY Report on How Internal Audit Can

Add Value with Data Analytics
New Practice
Guide on Business
Continuity
Management
Big data is fundamentally changing the way the enterprise operates, and Internal Audit
(IA) cant afford to be left behind. This is the main theme of a publication released by EY
titled Harnessing the Power of Data which discusses how internal audit can embed data
analytics into its processes in order to deliver more value to the business.
EY stresses the fact that building analytics capabilities is a journey that will take significant
time and effort and defines 3 stages of analytics:
1. Descriptive Analytics: This relates to reporting on and understanding what has already
happened whether in real time or after the fact.
2. Predictive Analytics: Understands the relationships between input and output to
predict what will happen in a given scenario.
3. Prescriptive Analytics: This is the most advanced stage and is designed to determine
which decision or action will produce the most effective results.
Internal audit can maximize its ability to monitor key risks through timely identification
of high-risk journal entries, early identification of potential accounting surprises and
continuous auditing of all transactions flowing through the general ledger.
Further, and using the example of vendors, data analytics is not just about routine business
information (e.g. amount sold, average price) and goes down to lower level, higher-volume
data (e.g. line item detail for purchase orders and invoices). Such detail allows internal
audit to use data analytics in its annual risk assessment, in its regular audits as well as for
special projects.
The Institute of Internal Auditors

(IIA) has released a new practice guide
demonstrating how the internal audit
function can help businesses keep running
in the event of a cyber attack or a natural
disaster. The practice guide shows how
internal auditors can provide assistance
in business continuity management. The
IIA noted that internal audit functions
typically have the skills, qualifications and
in-depth knowledge of the organization to
help develop, implement and evaluate the
effectiveness of such plans.
The goal of business continuity
management is to restore critical
operations, manage communications and
minimize financial and other effects of
disaster. According to the new practice
guide, a good crisis management plan is
like a company insurance policy - it helps
to ensure that the organization remains
viable and meets stakeholder expectations.
IIA members can download the practice
guide for free by visiting:
https://global.theiia.org/standards-guidance/
recommended-guidance/practice-guides/Pages/
Business-Continuity-Management-PracticeGuide.aspx
http://www.ey.com/GL/en/Services/Advisory/EY-internal-audit-harnessing-the-power-of-analytics
New Guidance for UK Listed Companies

Last quarter the Financial Reporting
Council released new guidance for Risk
Management, Internal Control and Related
Financial and Business Reporting. This
guidance integrates and replaces Internal
Control: Guidance to Directors (formerly
known as the Turnbull Guidance) and
reflects changes made to the UK Corporate
Governance Code.
This guidance focuses on elements of best
practice for risk management and defines
the responsibilities of the board which
include:
Design and implementation of

appropriate risk and control systems
which allows for a robust assessment of
major risks.
Determining the companys risk
appetite.
Fostering an appropriate culture and

reward system.
Agreeing on how to manage major risks.
Monitoring and reviewing risk
management and internal control
systems.
One of the unique considerations

recommended for board members
involves, determining the culture the
board wishes to embed in the company,
and whether this has been achieved. This
involves communicating the desired values
to management and considering whether
the leadership style of the company
undermines the risk management and
internal control systems.
https://www.frc.org.uk/Our-Work/Publications/
Corporate-Governance/Guidance-on-RiskManagement,-Internal-Control-and.pdf
DECEMBER 2014
TeamMate
Analytics
Data analysis for every audit

Integrates with TeamMate Audit Management
System and available for standalone use
Learn more at
TeamMateSolutions.com/Analytics
or call +44 207 981 0556
Copyright 2014 Wolters Kluwer Financial Services, Inc.

All Rights Reserved. 3642
UAE-IAA Events
B Y SAM IA A L Y O U S U F
Construction Subgroup Meeting
The UAE Internal Audit Association Construction Subgroup held its first Business Event, which was hosted by the UAE Society of Engineers, in Dubai on 23 September 2014. The event was attended by Abdulqader Obaid Ali along with with Syed Imtiaz (Chairman of the
Construction Subgroup) and Hakim Lalipurwala (Vice Chairman Construction Subgroup) who discussed areas of mutual cooperation
with Maged Farouk Hanna, General Manager of the UAE Society of Engineers.
In addition, Mike Lewis (Head of Internal Audit at Abu Dhabi Airports) and Mr. Matt Irvin (Senior Project Manager) delivered a presentation titled Risks in Supply Chain Management in Mega Construction Projects. The presentation highlighted the mechanisms used
by Risk Management and Internal Audit to manage and mitigate the various risks faced in a mega construction project. The speakers
informed the participants about the Three Lines of Defense framework to help improve overall effectiveness of risk management and
internal audit.
Launch of the Hospitality Subgroup
The UAE Internal Audit Associations Hospitality Subgroup held its first meeting on 15 October 2014 at Abu Dhabi National Exhibitions
Company. The session was well attended and led by the Hospitality Subgroup Chairman, Aldrin Sequeira, who is currently the Chief
Internal Audit Officer for the Jumeirah Group.
The session also had 2 interesting specialist presentations. The first of which was a presentation by Deloitte led jointly by Grant Salter (Director- Head of Travel, Hospitality and Leisure Advisory) and Hossam Samy (Principal - Enterprise Risk Services) discussing
Hospitality: Middle Eastern Trends, Challenges, and how the Internal Audit Profession can Support the Growth. This was followed by
an interactive session by Protiviti on Corporate Governance in the hospitality sector led by Nagesh Suryanarayana (Director - Internal
Audit and Risk Advisory Services).
Organizations are now trying to align their corporate governance frameworks in line with leading practices globally and local regulatory
mandate. Some key examples include, establishing internal audit functions, risk management frameworks, board evaluation matrices,
establishing board sub-committees, enhancing reporting and disclosures frameworks, explained Nagesh.
DECEMBER 2014
KPMG is a global
network of professional
firms providing Audit, Tax
and Advisory services.
We have more than
155,000 outstanding
professionals working
together to deliver value
in 155 countries
worldwide.
Governance Perspectives
B Y R O B E RT N O Y E - A L L E N AN D KAM I N UT TAL L
Auditing Culture
Can internal auditors
really give adequate
assurance on corporate
governance without
auditing corporate
culture?
Internal auditing is an evolving discipline, not least due to changing business environments and stakeholder priorities. In 2014,
auditing culture has emerged as a new area of focus a response
to growing awareness that hard controls arent the only ones that
matter. Soft controls that stem from a companys culture are also
vital for good governance.
Corporate culture is not only about the values an organisation
espouses, but also how the organisation lives them. The desired
values need to be communicated, embedded and monitored. The
extent to which these values are being applied is a legitimate subject for internal audit reporting, although there are challenges in
applying this philosophy.
Guidance recently issued on the subject by the Chartered Institute
of Internal Auditors in the UK and Ireland, recognises that auditing indicators of culture is complexinternal auditors need to be
comfortable in their understanding of culture and risk culture.
Chief Audit Executives should ask themselves: can we really offer
adequate assurance on the effectiveness of our organisations governance, risk and controls if we havent given any consideration to
the culture and risk culture of our organisation?
If there is any doubt about the importance of assessing the application of stated values, consider Enron and its stated values of
community, respect, integrity and excellence. But where is it now?
Examples from elsewhere around the world (Lehman Brothers,
AIG, and Nortel) also indicate there is a powerful link between
poor culture and performance, and ultimately corporate failure.
Cultural indicators are not always easy to recognise and rely on
interpretation. In the case of Lehman Brothers, for example, their

risk appetite could be interpreted as being high, and they seemingly ignored the signs that suggested that the subprime market was
experiencing a high number of defaults. Executives were still paid
highly despite company underperformance. Decisions were taken
to hide some of the companys liabilities resulting in a misstatement in the balance sheet. The companys culture was tied to risk
taking behaviours and a poor control environment.
On the other hand, good culture does seem to support good performance. The success of global brands such as Apple and Google
could be attributed in part to their powerful cultures that bind
people together and set the tone for high performance.
Internal auditors are primed to understand their organisations
control environment, in line with COSO 2013. However, that
control environment needs to be considered in the context of
both hard and soft controls. The challenge for internal auditors is
that assessing the effectiveness of soft controls is very different to
assessing the effectiveness of hard controls.
A useful starting point is to consider what we mean by soft controls. They include:

Commitment to ethics and integrity;

Attitudes to risk taking;
Board oversight of performance and internal control;
Accountabilities, responsibilities and structures;
Reporting lines; and
Recruitment practices a commitment to attract the right
people in line with the organisations objectives and values.
DECEMBER 2014
Governance Perspectives
TO COMMENT on the article,

EMAIL the author at kami.nuttall@moorestephens.com
Recommendations for auditing culture

Consider what kind of culture the organisation

champions, and how this is measured across
operations. For example, does your company have stated
values and what type of indicators exist for measuring
that employees are living the values? Does your
organisation use staff surveys to under stand employee
attitude and behaviours? Does your senior management
team listen to employees and take action when necessary?
Do they operate an open or closed door environment?
Ensure corporate culture is considered within your

organisations risk management framework. Who owns
it? For example, what does your risk management policy
say about risk culture? What kind of risk culture does the
company promote and how does it compare to reality?
Does the companys risk taking activities match its risk
appetite and stated policies?
When it comes to developing the internal audit strategy

and annual plans, agree with your board and executive
team what culture means to the organisation and a form of
reporting on softer issues to maintain confidentiality and
sensitivity. Ensure your audit and risk universe
incorporates culture as a viable audit entity or as a theme
which cuts across all audits. Ensure internal audit plans
are designed to seek evidence of softer controls such as
leadership, ethics and values. This will require judgement
based on sound knowledge. The Chartered Institute of
Internal Auditors talks about using gut instinct when
forming a view.
The COSO framework provides a good basis for

evaluating a companys control environment, and ascer
taining what kind of control culture exists. For example,
are decisions decentralised or centralised? What tone is set
by the Board? Is there a good relationship between the
Board and the Executive? What kind of reward and
Traditionally internal auditors are wary of providing subjective

judgement, we are hardwired to believe that professional judgement should underpin opinions. Auditing soft controls and organisational culture requires a certain attitude of mind and awareness.
It requires an understanding of the iceberg effect: what is hidden
from view may be of greater potential impact than what is visible.
It also needs the capacity to put individual audit pieces together to
form the bigger picture: local reports and recommendations need
to be considered from an organisation-wide perspective to see if
any patterns emerge. Many internal auditors are exploring ways in
which to encompass culture within their opinions.
DECEMBER 2014
retention packages does the company offer, and is it linked

to performance?
Remember that hard control issues are indicators of soft

control weaknesses. For example, consider the frequency
with which controls are overridden, as this could be an
indicator of managers who are interested in outputs at
any cost. Also, consider the effectiveness of
communications, what is the company telling employees?
Is information transparent or secret? Are auditors
evaluating final reports for evidence or indication of
culture related issues?
Consider the broader messages and not just the

symptomsderived from individual audits. If material

weaknesses have been identified, root cause analysis (e.g.

asking the question why? 5 times) will help identify the

reasons why an issue has occurred, and whether there is an

underlying problem that is linked to corporate culture and
values.

Comment on corporate culture (informed by your

consideration of soft controls) in your annual assurance
to the business. This could be through a reflection of
whether audit confirms or validates that corporate values
are lived. This could be a result of an evaluation of
all final audit reports issued during the year. Consider the
processes management has in place for engaging with staff,
and ensure these processes are two-way/ reciprocal.
Support your experienced auditors and encourage them to

ask questions that address cultural issues and soft controls.
Ensure your internal audit team has the necessary training

and interpersonal skills to pick up on and understand
indicators of cultural issues. Ask yourself who is the most
appropriate individual to conduct a review of culture.
Always audit with your head up be aware of what is

going on around you.
This sounds challenging and it is. Auditing culture is not

necessarily about people, but about behaviours, attitudes and,
fundamentally, values. Nevertheless, it is a challenge that internal
auditors need to accept if they are to provide the more rounded
assurance on governance, risk and controls that their stakeholders
require of them. Corporate culture is an emerging agenda item,
being pushed by regulators and stakeholders. It can no longer be
ignored. It is a key part of every companys second line of defence.
ROBERT NOYE-ALLEN is a Partner in Moore Stephens LLP
KAMI NUTTALL is the Head of the Centre of Excellence in the
Governance, Risk & Assurance Group of Moore Stephens LLP
11
Conversations with Colleagues

B Y FAR A H A R A J
Harsh Mohan
Etihad Airways
Senior Vice President
of Audit, Compliance
and Risk shares his
experience on the role
of Internal Audit in risk
management
n an exclusive interview, Internal

Auditor - Middle East spoke to Harsh
Mohan, CPA, CA, who joined Etihad
Airways (Etihad) in 2011 and is now the
Senior Vice President of Audit, Compliance
and Risk. He started his career over 31
years ago in internal audit and used the
experience gained to successfully work
across various functions in the airline
industry including finance, procurement,
risk management and strategic cost
management. Before joining Etihad, he was

the Auditor General Auditor and Senior
Director of Business Transformation at Air
Canada. Harsh is an active supporter of the
UAE Internal Audit Association (UAEIAA) and a prominent speaker on the topic
of risk management.
Internal Auditor - Middle East met with
Harsh Mohan at the Etihad Airways Head
Office in Abu Dhabi.
DECEMBER 2014

EMAIL the author at farah.araj@gmail.com
How important is risk management to

Etihad?
(Smiling) Our business is managing risk.
I want you to think of a metal cylinder
which is 70 meters long, has 400 people,
with engines operating at temperatures
around 1,000 degrees Celsius, packed
with 100,000 liters of fuel and travelling
at a speed of over 800 km/h. This is, very
simply put, what an airplane is. But the
passengers are reclining, watching videos,
listening to music and are completely
comfortable. This is what risk management
is all about; taking an inherently high
risk such as safety and managing it to a
residually low level.
What role does Internal Audit take with
respect to risk management at Etihad?
At the start of every internal audit plan, we
carry out a thorough risk assessment, and
based on inherent and residual risks, we
formulate the internal audit plan. Doing
proper risk assessments is a complex task
which requires deep knowledge of the
business. It also requires a high level of
independence to report on major risks
in a fair manner and for these risks to be
acknowledged by management. Internal
Audit has a solid understanding of the
business and is sufficiently independent
of management. It therefore makes sense
to use the risk assessment carried out
by Internal Audit as the basis for the
companys enterprise risk management
framework. In most non-financial services
institutions, having a separate function
carry out this role would be a waste of
resources. So we send the risk assessment
results to senior management so they can
identify existing or required controls that
will manage a particular risk within the
companys risk appetite. So management
identifies the existing or required controls,
and we, at the time of our audit, assess
the risk and audit the controls in place.
Internal Audit at Etihad Airways validates
the risks that the company is facing and
assesses the effectiveness of the controls put
in place to mitigate those risks.
DECEMBER 2014
Interview
Does this approach impair your

departments independence?
No. We do not own the risk mitigation
process. The assessment of risk and
corresponding facilitation sessions with
management are the roles performed by
Internal Audit. As my title suggests, we
deal with risk and not risk management,
differentiating between the two. We make
a clear distinction between our role and
managements responsibility to manage
risks. Our approach is based on the IIA
position paper on Internal Audits role in
Risk Management and each stakeholders
role in the Risk Management process is
clearly defined.
Also to give more comfort to our Board
and regulators, we have a separate team
within the department which carries
out the risk assessment and facilitation
sessions. This team reports through me to
the full Board. This process of reporting
to the Board makes the risk management
process more effective.
How is Internal Audit able to assess and
provide assurance on risks to strategic
objectives?
Every risk management framework refers
to risk as something which impedes the
achievement of your objectives. We start
our strategy by defining our top strategic
objectives and cascading them downwards
to the business units and individual
departments. When we assess risk, we look
at objectives from all three layers, and this
way, it focuses on adding value to what
really matters to the business.
For example, one of our strategic risks
is the capacity of Abu Dhabi Airport to
support our growth. We are expecting
to transport 15 million passengers in the
coming years. So Etihad worked with Abu
Dhabi Airports Company to expand the
airport to Terminal 3 and is now adding
additional capacity in the new Midfield
Terminal. As Internal Audit, we will
look at the controls in place to mitigate
this strategic risk. In other words, what
action is being taken by management to
mitigate capacity constraints? This could

include audits of project oversight, baggage
handling, customer services etc. I also sit
as an observer on the Midfield Terminal
project committee to understand how
management is addressing the capacity
strategic objective.
The company which

manages its risk the
best is the one which
succeeds
What about Internal Audits role in
providing insight on emerging risks?
Risk management is an ever evolving
process! Take for example the CEBs
(Audit Plan Hot Spots - https://www.
executiveboard.com) views on the top risks
from 2010 2014. You will notice that the
top risks have changed over the past five
years. Now one of the major emerging risks
is cybersecurity. When carrying out our
assessment of risk, we need to focus on
such areas and ensure that management
and the Board are made aware of them.
Some chief audit executives may not be
providing advice or assurance on risk
management. What are your thoughts on
this?
As the needs of the business evolve, there
will be a need for Internal Audit to evolve
to support the business. Internal Audit
has the skills required to support the risk
management process and add value to
the business. By focusing on risk, Internal
Audit will be included in management
discussions and committees and this will
elevate its status because of our knowledge
of the business. If Internal Audit does not
step in, some else will and that department
or person will go far ahead of Internal
Audit. Chief Audit Executives who do not
play a role in risk management face a high
risk of becoming obsolete.
13
BUILDING THE LEADERS

OF TOMORROW, TODAY.
Youre successful, respected, and committed.

What does it take to get to the next level?
The QIAL identifies, assesses, and develops core skills linked to audit leadership success. It caters
to CIAs and CAEs who are already strong performers and have the potential for greater leadership.
Registration is now open. Start your leadership journey TODAY at globaliia.org/QIAL.
141526
www.globaliia.org/QIAL
Human Resources
B Y AY M A N A B D E L R A H I M

EMAIL the author at ayman.abdelrahim@outlook.com
E D I T E D BY M E E N AKSH I RAZDAN
Characteristics of
a Successful
Chief Audit Executive
The increasing complexity of companies,
combined with the impact of todays
global economy, has resulted in a variety
new business risks and challenges. To
help in responding to these new risks and
challenge, it is essential for a company to
have a highly skilled Chief Audit Executive
(CAE). This CAE must possess several
core characteristics which will allow him or
her to be successful.
One clue to these characteristics can be
found in the meaning of the word Audit,
derived from the Latin word audire
which means to hear. Successful CAEs
hear what is happening within a company
and also hear to what stakeholders have
to say. Therefore, a successful CAE is one
who not only technically solid but has
appropriate behavioral characteristics. The
mix of essential characterizes that should
be found in a CAE is as follows:
1. Strategic Thinking
CAE plays an important role in providing
assurance whether the organization has
the ability to achieve its objectives or not.
This means that a CAE should understand
the companys business and how he work
together with top management to achieve
a companys strategy in order to and
help guide the organization in the right
direction.
2. Mastery of Risk
The CAE needs to establish risk-based
internal audit plans to ensure that the
priorities of the internal audit activity
are consistent with the companys goals.
Accordingly, it is necessary to have a
high sense of risk awareness and how the
organization manages its risks; CAE should
DECEMBER 2014
be also be aware of any emerging risks and

understand the impact of changes in the
industry or the external environment.
3. Leadership Ability
The CAE should have strong leadership
skills which are demonstrated even beyond
the internal audit department. The CAE
should inspire, motivate, challenge the
auditors to take greater ownership for
their work. Empowerment is important
to achieve high performance, without
empowerment internal auditors cannot
own their work and take responsibility for
their results. Also, the CAE should have
the ability to create new leaders for the
organization; those leaders can drive the
future of the organization.
The CAE can play significant role in
driving the change in the organization and
can be effective champion for innovation,
by providing improvements in strategy and
activity through promotion of innovation
and awareness of emerging opportunities
and risks. The competencies for critical
thinking, innovation and improvement are
very important for CAE to succeed.
4. Effective Communication
Listening to stakeholders and
understanding their needs and concerns is
vital for CAE role. Strong communication
skills can help in building positive
relationships with senior management and
business leaders. Communicating issues
accurately and prioritizing them is also
important. Another important thing is
using the right words in audit report which
demonstrates professionalism of CAE and
the audit team.
5. Desire for Knowledge

Knowledge distinguishes a leader from a
non-leader. The CAE should be constantly
alert to best practices, industry trends
and inspire internal auditors to develop
themselves, maintain a commitment to
ongoing training and learning.
If you want to be
successful, you have
to be willing to invest
in yourself
Richard Chambers, CIA, QIAL President

and CEO of The Institute of Internal
Auditors
Conclusion
As the requirements of companies change,
the required characteristics of a successful
CAE will also need to change. CAEs have
a big role to play in a company by helping
an organization remain aware of and
effectively manage its current, strategic
and emerging risks. To be successful at this
role, a CAE needs to have a combination
of above characteristics mentioned above
to allow him to add value to a company.
In todays world, it is absolute critical for
a CAE to continuously upgrade his or
her skills in order to meet the changing
expectations of companies and the internal
audit profession.
AYMAN ABDELRAHIM, MQM, CIA, CCSA, CFE
is a Chief Internal Auditor at a government
organization in Dubai.
15
Innovation
B Y KA M R A N A H S A N
Shaping
talented
audit teams
A veteran chief audit executive and

a technical specialist join forces to
showcase innovative professional
development programs for internal audit.
fundamental role of internal

auditors in the twenty-first
century is to add value to the
business and help it achieve its objectives.
At the same time, employee talent
management has become a priority, as
stakeholders recognise that internal
auditors need to understand the business.
This article focuses on ten developmental
programs across three tracks (illustrated in
Exhibit 1) that can be structured to close
skill-gaps and provide the internal audit
activity (IAA) with practical insights into
the business.
Imperatives
There is broad diversity of need for

technical and soft skills and a need for
internal auditors to operate at a sufficient
level of competence to show the value of
the profession. IIA Global Council 2014
Leaders of our profession have clearly spelt
out the importance of talent management:

Thinking strategically to reduce the
talent gap was emphasised in the IIAs
Tone at the Top newsletter in January
2013. The article also noted the need
to support professional development
and encourage staff to work
collaboratively with other business units
to promote cross-pollination of
knowledge.

Skill-set gaps was identified by delegates

at the IIAs Global Council meeting
held in Dubai in 2014 as one of the
top five obstacles the profession faces
through 2020.
Understanding business was identified

as very important by over 70% of
respondents to the IIAs 2010
global survey. This was the highest rated
of 18 technical skills.
Maintaining compliance with
professional auditing standards

underpins audit value, with proficiency
and continuing professional
development emphasised in standards
1210 and 1230 respectively (ie
possess and/or enhance knowledge,
skills, and other competencies).
Maximising individual potential is a key
to being an employee of choice. It helps
to create a highly satisfying place to
work, and improves the intellectual
capital within the IAA.
Keeping internal audit fresh

and up-to-date through effective
audit leadership. In a June 2014 blog,
the IIA President and CEO Richard
and CEO Richard Chambers
emphasised the importance
of audit leaders being role models,
focusing on positives, being
goal-oriented, making the time for
the team, and getting help from
others through effective delegating.
Exhibit 1 Overview of audit development programs

Bringing Business People into Audit
Delivering Inhouse Programs
Sending Auditors into the Business
1. Graduate program
5. Alumni network
8. Frontline connections
2. Guest auditors - specific audits
6. Knowledge champions
9. Secondments within the entity
3. Guest auditors - longer-term

secondments
7. Mentoring
10. Swap or secondment with another
4. Middle management rotation program

16
entity or service provider
DECEMBER 2014
Innovation
Implementation of professional
development programs is another
leadership imperative.
Key steps
Tell me and Ill forget; show me and I may
remember; involve me and Ill understand.
Chinese Proverb
Identify the competency needs of your
IAA. These may already be identified
through an the IIAs IIAs Global Internal
Audit Competency Framework or within

a defined IAA Professional Development
Plan. Determine any related development
programs that your entity already has
in place. For instance, well-established
graduate and mentoring programs exist in
many entities. Assess the best options for
tailored development programs that suit
your IAA. From the program overview
table, select one or two programs to
implement now, and others that might be
beneficial in the future.
Engage participants and undertake program

Road test and promote the program
Provide fair and valued learning feedback
Select participants based on selection criteria
Define aim, desired outcome, and strategy

Identify IAA skill gaps and learning objectives
Develop the selected programs for your

IAA, building up from bottom of the ten
building blocks in Exhibit 2.
Recognise that motivation and state
of readiness to learn are important
considerations in identifying the right
participant/s.
Finally, irrespective of which program is
chosen, ensure that fresh ideas and insights
are generated for the IAA. This is the
critical payback phase.
Establish and provide suitable induction
Align to entity career development strategies
Consider the key principles of audit learning
Select best programs; formalise key elements
Program Overviews : Bringing business people in

Program 1
: Graduate Program
Design Aims
: Introduce governance, risk and control fundamentals to entitys graduate program participants.
Primary Benefit : Helps shape career of potential future leaders, through experiential learning.
Secondary Benefit : Brings youthful enthusiasm into IAA. Builds ambassadors for IAA through a good experience.
Key Features
: Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core
activities of entity.
Program 2
: Guest auditors - for specific engagements
Design Aims
: Draw guest auditors onto specific audits where their technical skills are needed.
Primary Benefit : Delivers subject matter experts from technical business areas to IAA to bring expertise to particular audit
engagements. Example: a Western Australian mining company utilised engineers to great effect.
Secondary Benefit : Runs for shorter duration than other programs, and is informal and less structured.
Key Features
: Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core
activities of entity.
Program 3
: Guest auditors - longer term secondments
Design Aims
: Leverage expertise of business staff.
Primary Benefit : Drives audit improvement strategies through technical advice on audit planning, fieldwork or reporting.
Secondary Benefit : Brings in a free expert resource.
Key Features
: Facilitates secondment of operational staff from business areas to IAA for defined periods (several weeks or months).
Program 4
: Middle management rotation program
Design Aims
: Build capability of middle managers, whilst drawing business experience into IAA.
Primary Benefit : Helps management by giving high potential middle managers opportunity to learn first-hand
about entity-wide governance, risk and control arrangements.
Secondary Benefit : Facilitates two-way learning. IAA gains services of respected business people to work on audits.
Helps to build business acumen in auditors.
Key Features
: Delivers longer term learning benefits for future executives through structured program; CAE partners with C-suite.
Delivering in-house programs
Program 1
: Alumni Network
Design Aims
: Invite alumni to IAA events to provide insights on direction, planning and strategies of IAA.
Primary Benefit : Uses structured approach to leverage rich source of ideas, insights and perspectives that former
internal auditors have gained in their new roles.
Secondary Benefit : Achieves progress through sharing for professional counterparts.
Key Features
: Provides basis for staying connected with experienced auditors who move into other parts of business or to other entities.
DECEMBER 2014
17

EMAIL the author at bruce.turner@mail.com
Innovation
Program 2
: Knowledge champions
Design Aims
: Nurture mid-level audit staff to become knowledge champions.
Primary Benefit : Auditors develop expertise in assigned specific knowledge areas, such as emerging practices and issues; governance,
risk, control; or technical areas of entity. Example: tax collection agency CAE might assign indirect taxes, direct taxes,
client register etc.
Secondary Benefit : Provides CAE with timely information on contemporary trends and business issues, and be well-briefed for C-suite
and audit committee interactions.
Key Features
: Reduces dependency on hiring terrain experts.
Program 3
:
Design Aims
:
Primary Benefit :

Secondary Benefit :
Key Features
:
Mentoring
Achieve full potential of auditors.
Fosters professional relationships, where auditors have opportunity to collaborate and share insights
with experienced executives outside IAA.
Provides forum offering constructive and frank advice to support auditors career development.
Offers cost-effective way of assisting auditors to acquire knowledge and skills to operate within challenging environment.
Sending auditors into the business

Program 1
:
Design Aims
:
Primary Benefit :

Secondary Benefit :
Key Features
:

Frontline connections
Enable senior audit staff to spend time in field with operational staff.
Provides an opportunity for auditors to gain experience on the ground so they better comprehend frontline
activities and day-to-day challenges of entity.
Provides job enrichment for participants so they remain sharp and objective.
Enables auditors to spend half a day every month or quarter in the business shadowing frontline staff and completing
lower-risk operational tasks.
Program 2
:
Design Aims
:
Primary Benefit :

Secondary Benefit :
Key Features
:
Secondments within the entity

Provide a short break from auditing to refresh key staff.
Refreshes knowledge of seasoned auditors across business operations, and enables them to
experience day-to-day operational pressures.
Showcases to management the talent within IAA, and helps to further build IAAs professional profile.
Facilitates targeted secondments within business areas.
Program 3
:
Design Aims
:
Primary Benefit :
Secondary Benefit :

Key Features
:

Swap or secondment with another entity or service provider

Boost breadth of experience of high potential auditors.
Enables auditors to gain experience in another entity or service provider and bring fresh insights back to IAA.
Reduces risk of auditors becoming stale and resigning, by enabling them to gain broader experience and build
their career path.
Provides swap of high-potential auditors or secondments for pre-determined periods (say, three months) to achieve
defined experiential learning objectives; established through mutual agreement of CAEs.
Anticipated outcomes
The best minute I spend is the one I invest

in people. Kenneth Blanchard
Well-structured professional development
programs can help shape a legacy that goes
beyond the outcomes traditionally expected
of members of the internal audit profession.
In particular:
The CAE creates a highly satisfying place
to work, which helps to attract and retain
excellent staff.
The value of internal audit is enhanced
in the eyes of the entitys most senior
executives (commonly called the C-suite)
and the audit committee, through practical
18
insights gained by drawing business-based

expertise into more complex audits.
The IIA as a whole benefits by improving
its intellectual capital and expertise;
building on the overall talent at its disposal;
and enhancing its credibility through
technically strong outputs. Programs
interfacing directly with the business have
the added benefit of showing the human
face of internal auditors.
Business specialists brought into the IAA
benefit from the insights that they gain
in respect to corporate governance, risk
management and internal control; skills
which they will need as they move into
future senior leadership positions. They are

also influenced to become ambassadors for
internal audit.
Auditors placed into the business or
involved in in-house programs gain job
enrichment; build their skills; gain greater
understanding of the business; and take
steps to maximise their individual potential.
BRUCE TURNER, CGAP, CRMA, CFE, CISA,
PFIIA, FFin, FIPA, MAICD, FAIM is an audit
committee chairman in Australia and Chairman
JACQUELINE TURNER, B.L JS,
GradCertFraudInv is a white collar crime
analyst at a multi-national financial services
institution in Australia
DECEMBER 2014
Held under the patronage of

H. H. Nahyan bin Mubarak Al Nahyan
UAE Minister of Culture, Youth & Community
The Association of Certiifed Fraud
Examiners (ACFE)s Inagural Annual
Conference in the Middle East & North
Africa (MENA) region is dedicated to
eliminate and minimise the risk of
Fraud & Corruption, manage the Risk
of Fraud and Give an Insight on the
latest techniques and strategies to
fight Cybercrimes.
Book now to earn
16 CPEs
Venue: Intercontinental Hotel Dubai Festival City, Dubai, UAE

Date: 21st - 22nd January 2015
Email: acfe@iiauae.org
or visit our website: www.iiauae.org
Quality Improvement
B Y L AL IT D U A
Auditee
Feedback
Positive and Honest feedback adds
to Audit Effectiveness
ne of the important factors

for an effective audit is
Auditee feedback which has
commonly been ignored and
has not usually been part of professional
discussions. It appears very simple and
nice to read this statement but all internal
auditors know how much effort it takes
to get focused, positive and value adding
feedback from an auditee. Dealing with
behavior and responses of auditee during
this process is quite a challenge.
The auditee should recognize the fact
that his enhanced performance, through
auditors recommended corrective
measures, will help in achieving his
departments objectives. So establishing an
honest understanding of objectives of the
audit and respective roles of auditor and
auditee, should take place before the start
of the audit process.
The Need for Feedback
Audit reviews can be a smooth journey
if both auditor and auditee understand
the objective and both of them work in
coordination and participation with each
other, to achieve desired improvements.
The auditor has to ensure transparency
in review approaches, conduct and
finalization of the audit. The auditee also
20
has to support the review by demonstrating

confidence in auditor.
Feedback from auditees is a confirmation
on the auditors analysis of data,
compilation of information, approaches
of audit, observations made, acceptance
of recommendations etc.. The auditee is
the one who can approve or reject the
internal auditors efforts, which should
be done diligently and honestly. Even the
auditee at higher levels of management will
not accept the observations unless they
have been accepted by the previous levels
of management. Hence the auditee can
even make or break auditors positivity of
approach in audit review.
The auditees feedback should be specific
to the issues/observations, timely and be
delivered in an appropriate way.
A. Specific to issues
Feedback is at its best when it relates to a
specific observation, data analysis and audit
query. The auditee feedback will be to the
point and constructive if all the relevant
details have been provided as any gap will
lead the auditor to an unwanted direction.
Submitting an audit observation to
auditee like Observed that exercise of
identification of slow, non-moving and
dead inventory items is not effectively

conducted during the year will not
yield any tangible feedback unless it is
specific like As per policy the exercise of
identification of slow, non-moving and
dead inventory is not being done quarterly
and our exercise of identification of such
inventory items resulted in 12 such items,
the detail of which is in the attached
statement.
B. Timeliness
The auditor is required to submit any
detail or observation to auditee well in
time and for the period under review. Any
undesired delay in feedback will lose its
significance and may delay the process of
audit. The sooner the auditor identifies
the requirement of changing approach,
working and source of information/data,
the sooner they can correct the point
involved and conclude the audit effectively.
C. Manner
Feedback should be given in a manner that
will help to improve audit performance.
Since people respond better to information
presented in a positive way, feedback
should also be expressed in a positive
manner. It must be accurate, factual, and
complete. Feedback is more effective when
it reinforces what the auditor did right and/
DECEMBER 2014

EMAIL the author at lalitrdua@gmail.com
wrong and then letting him judge what

needs to be done during the course of
audit.
Frequency and Stages of feedback
The feedback from the auditee can be
regular or as requested by the auditor.
Regular feedback can be given as and
when the auditor discusses processes,
asks for records and data for review and
when querying the auditee about some
observations. The auditee feedback is
expected to be with positive intent as it
would depict auditee desire for the auditor
to add value.
The periodic feedback sessions are normal
features of any audit review where formally
the details of issues to be discussed and
Quality Improvement
and assures of complete support.

B. During conduct of audit
While conducting audit reviews the
auditor is applying different approaches
and techniques of audit. He also makes
verbal and written communication on
issues involved in reviews. The responses,
actions, reactions and behavior of auditee
to such activities are a kind of feedback to
auditor on how the audit review is being
conducted. After having explained the
scope and objective of audit review in the
kick off meeting, the auditor should ensure
that the review is being conducted within
the same scope, with positivity and without
any intention to find mistakes,
errors, frauds etc.. The moment the auditee
feedback to be taken from the auditee

are provided in advance. The feedback is
documented and is either taken as base for
the next level of audit review or forms part
of report itself. With effective feedback,
auditor will be working in right direction
and will be more potent in conduct of
audit.
will get any sense of negativity in what the

auditor is doing; the auditee will withdraw
himself and will tend to feed or provide
whatever has been asked without any
positive participation. The end result will
be extra efforts by the auditor, not enough
confidence in whatever is being done and
non-participation of the auditee in the
process of improvement.
A. Feedback in the opening meeting with

auditee
The auditor has to explain to auditee the
objective, scope, tentative duration of
review, initial record and details required
in the Kick off meeting. The meeting will
give opportunity to the auditee as well to
raise questions and ask for clarifications,
if any from the auditor. At the end of the
meeting his clear understanding about the
whole process of the review is a kind of
feedback whereby he gives his concurrence
C. In the closing meetings

The feedback requirement in the closing
meeting should not come as a surprise. It
is better to raise issues as they arise in the
course of an audit, having a constructive
discussion on the spot as and when
required. The closing meetings are done at
various stages and with various auditees
during the course of finalizing audits.
Since these closing meetings are done
with concerned auditee, department and
functional heads levels so types of feedback
DECEMBER 2014
at each of these levels will differ in content

and style. The process of getting feedback
in the closing meetings will be smoothened
if auditor has been transparent in his
approach and conduct during the course
of audit.
Overall feedback
Though an auditor is getting feedback at
different stages and from different level of
auditees and management staff on specific
areas of audit, the practice of getting an
overall audit feedback has been formalized
in many organisations. The criteria on
which overall performance of audit is to
be evaluated are many and in use. It is
the maturity of the organisation and the
role of the auditor it has foreseen, which
defines the list of criteria for feedback. An
organisation may even require the auditor
to rate different auditees also on defined
criteria.
The overall feedback on different aspects
of the audit sets a benchmark or highlights
the gaps in performance acceptance of
management from audit department.
Conclusion
Auditee feedback on different aspects of
the audit sets a benchmark or highlights
the gaps in performance acceptance of
management from audit department.
Each audit observation has to be taken
up in its right perspective, without over
doing and mis-interpretation. An auditee
expects to be given the opportunity to
give their perspective, a process that helps
to gain their commitment, so the auditor
should welcome feedback. By adopting and
implementing a collaborative approach to
feedback and highlighting the ultimate aim
of the audit to support auditees in order to
improve organizational performance, will
provide solid foundations for a positive
experience for all concerned.
LALIT DUA, CA is head of internal audit at
21
Audit Management
B Y TI M J . L E E C H
Board & C-Suite Driven Assurance:

The Dawn of a New Era
any years ago I wrote a seminal

article titled Control & Risk SelfAssessment: The Dawn of a New
Era in Corporate Governance. That article,
and the ideas in it, played a significant role
launching my first company in 1991, and
had a significant impact on the profession
globally. Almost 25 years later this article
describes recent developments and forces
that will almost certainly see the onset of
an even more profound and significant
transformation truly the dawn of a new
era in internal auditing.
Traditional/Historical Internal
Auditing
I joined the profession as an internal
auditor in the summer of 1981. Since
22
that time the profession has evolved

and advanced in many positive ways,
but continues to be bound by some
fundamental and confining paradigms.
The paradigms include:
1. Internal auditors plan, execute, and
report results of point-in-time audits.
2. Internal auditors assess internal
controls and report opinions on
whether they believe controls are
effective.
3. Internal auditors report what they
believe to be control
deficiencies, material
weaknesses, significant
deficiencies or opportunities
for improvement.
4.

5.

6.

7.

Direct report auditing is the

primary approach used globally.
In a direct report engagement
the auditor evaluates the subject
matter for which the accountable party
is responsible. The accountable
party does not make a written
assertion on the subject matter they are
responsible for.
The profession has been primarily
supply driven not demand driven.
Internal audit does not usually know,
or require that management and
boards define, the type and amounts
of risk the company and its board are
prepared to accept.
A majority of internal audit
departments have not, for a variety of
DECEMBER 2014
4.6 Internal audit (or other independent assessor) should:

a)

b)

c)

d)

e)

f)

g)

Routinely include assessments of the RAF on an institution-wide basis as well

as on an individual business line and legal entity basis;
Identify whether breaches in risk limits are being appropriately identified,
escalated and reported, and report on the implementation of the RAF to the
board and senior management as appropriate;
Independently assess periodically the design and effectiveness of the RAF and
its alignment with supervisory expectations;
assess the effectiveness of the implementation of the RAF, including linkage
to organisational culture, as well as strategic and business planning,
compensation, and decision-making processes;
Assess the design and effectiveness of risk measurement techniques and MIS
used to monitor the institutions risk profile in relation to its risk appetite;
Report any material deficiencies in the RAF and on alignment (or otherwise)
of risk appetite and risk profile with risk culture to the board and senior
management in a timely manner; and
Evaluate the need to supplement its own independent assessment with
expertise from third parties to provide a comprehensive independent view of
the effectiveness of the RAF.
Source: Financial Stability Board, Principles for an Effective Risk Appetite
Framework, November 18 2013.
Audit Management
and auditors titled Principles for an

Effective Risk Appetite Framework.
The authors of the FSB guidance took
the bold step of defining new and bold
mandates for management, boards of
directors and, most significantly for
readers of this article, internal auditors.
Details of the new role envisioned for
internal auditors is shown in the box
below. The FSB is, in essence, calling on
internal audit to transition from providing
spot-in-time, direct report, subjective
opinions on control effectiveness on
a small percentage of an entitys risk
universe, to reporting on the reliability
and effectiveness of an organizations
entire RAF, including, but not limited to,
reporting on the reliability of risk status
reports provided to the organizations
board of directors by senior management.
IIA Pulse on the Profession, Enhancing Value
Through Collaboration: A Call to Action, IIA
AEC, July 2014.
reasons, assessed and reported on risks

to the organizations top strategic/value
creation objectives, or the effectiveness
of the entitys entire risk management
framework.
The traditional/historical direct report
approach to internal auditing described
above is now under attack. Evidence
collected globally in 2014 indicates
dramatic drops in internal audit customer
satisfaction.
Key Developments Globally

Board responsibility to oversee
managements risk appetite and tolerance
significantly elevated - Following the 2008
global financial crisis commissions were
convened around the world to try and
understand what had gone wrong and
prevent similar destabilizing events in the
future. A unanimous conclusion was that
boards of directors and, to a lesser degree,
DECEMBER 2014
regulators, had not adequately discharged

their duty to oversee what is increasingly
being called managements risk appetite
and tolerance.
Creation of the worlds first preeminent
regulator guidance body Financial
Stability Board (FSB) Shortly after
the onset of the global financial crisis a
decision was made to create a new super
regulatory power, the Financial Stability
Board (FSB). This organization, currently
chaired by Mark Carney, Governor of
the Bank of England, with representation
from governments and financial sector
and securities regulators from around the
world, has, with unprecedented speed,
formulated and disseminated what is most
aptly termed paradigm shift guidance
with an overarching, albeit unstated, goal
of reengineering corporate governance
globally. One of the FSBs most significant
contributions to date is a November 2013
guide for national regulators, companies,
Codification of board responsibility

to oversee managements risk appetite
and tolerance In parallel with the
FSB, regulators around the world have
started to enact regulations that reflect
key FSB recommendations, particularly
the need to assign primary responsibility
for risk management and reporting to
management; and risk appetite/tolerance
oversight to boards of directors. One of
the most graphic illustrations is the new
UK Governance Code issued in September
2014. It positions responsibility for risk
oversight squarely with boards of directors;
calls on management to design, implement
and maintain effective risk governance
frameworks; and calls on boards to seek
independent assurance that management
has, in fact, designed, implemented, and
maintained effective risk governance
frameworks. It is expected other major
countries that want to improve the
integrity of their capital markets will follow
23

EMAIL the author at tim.leech@riskoversight.ca
the UKs lead.

Internal audit customer satisfaction
plummets as these regulator driven
developments gain traction globally a
summary of customer satisfaction surveys
done by 3 major consulting firms and the
Institute of Internal Auditors was reported
in the July 2014 IIA Pulse on the Profession
Report referenced earlier. The report
paints a graphic picture of a significant and
very recent decline in board and senior
management satisfaction with traditional/
historical direct report internal audit
services.
What This Means to the Internal

Audit Profession Going Forward
Need to Transition from Direct
Report/Spot-in-Time Auditing to
Attestation Reporting on Management
Representations on Risk Framework
Effectiveness and Risk Status the FSB
has defined roles for the board, senior
management, and internal audit that
call for a fundamental accountability
shift - a shift that requires management
continuously assess and report upward
on risk status, and for internal audit to
assess and report opinions to the board
how well management is discharging their
assigned risk governance responsibilities.
This new paradigm requires radical
and fundamental shifts in existing IIA
certification curriculum and training
offerings. IIA IPPF professional practice
standard 2120 was modified in 2010
specifically to provide support for the shift,
and the Certification in Risk Management
Assurance (CRMA) launched globally.
Internal audit departments will need to
evolve from the business of performing
traditional spot-in-time direct report
audits and providing subjective opinions
on control effectiveness on a small
percentage of the risk universe and, instead,
focus substantially more resources on
24
providing assurance to boards that senior

management is creating and maintaining
effective risk management and reporting
frameworks.
Educate Boards of Directors on Evolving
Expectations - the evolution of these
expectations is likely to evolve at varying
speeds and intensity in different countries.
Not all senior management and board
members have been actively following the
evolution of these new expectations, and
not all national regulators have codified
risk governance expectations with the
clarity and simplicity of the September
2014 UK Governance Code to spur the
needed transition. It is also important
to note that not all CEOs and CFOs are
likely to welcome direct responsibility for
creating and maintaining effective risk
appetite frameworks and providing formal
and candid reports on residual/retained
risk status to their boards.
Look for Opportunities to Gain the New
Knowledge and Skills Required - If internal
auditors are to accept and assume the
type of responsibilities defined by the FSB
earlier in this article, they must retool
their knowledge and skills. Instead of
the traditional internal audit focus on
providing subjective opinions on control
effectiveness, internal auditors now need
to acquire the knowledge and skills to
assess and report on the reliability of
managements risk appetite frameworks,
including managements reports to the
board on retained/residual risk status.
This means learning the type of vocabulary
defined by the FSB in its Principles For
An Effective Risk Appetite Frameworks
guidance and the globally accepted ISO
31000 and ISO Guide 73, and gaining the
knowledge and skills necessary to identify
the full range of risks, risk treatments,
and a picture of residual risk status, not the
much narrower assessment of traditional
Audit Management
internal controls internal audit has

historically focused on. More importantly,
internal auditors need to continuously
assess and report on whether the current
residual risk status related to key strategic
and foundation objectives is currently
within the board and senior managements
risk appetite and tolerance.
Closing Remark - Recognize that aversion
to change is a human condition this short
article outlines events and drivers that call
for radical and quantum change in the
current internal audit paradigm. A natural
human trait is to resist radical change
and favour smaller and more incremental
steps. The dramatic drops in customer
satisfaction statistics described in the IIA
July 2014 Pulse on the Profession report
have led to the IIA literally issuing A
CALL TO ACTION to internal auditors
around the globe. Addressing rapidly
evolving and escalating customer and
regulatory expectations will require the
profession globally make rapid and radical
changes if it is to ensure it remains fully
relevant to key customers in the years to
come. There is a well-known adage that
states necessity is the mother of invention.
The need for radical and rapid change
in the traditional internal audit delivery
model is real. Its time the internal audit
profession literally reinvent itself to meet
the needs of key customers particularly
boards of directors. No small task to be
sure, but a job that absolutely needs to
be done. Best wishes for success as the
profession decides whether it welcomes, or
resists, the dawn of a new era in internal
auditing.
Tim J. Leech CIA CCSA CRSA FCPA is Managing

Director Global Services at Risk Oversight in
Canada and is recognized globally as a thought
leader and advisor in the risk and assurance field.
DECEMBER 2014
AD SPACE
Risk Oversight
Fraud
BY ROBIN SINGH
Inside the Mind

of a Fraudster
Identifying potential suspects based on the profile
of a fraudster is not a straightforward task.
or as long as white-collar crime

fraudsters have been a common
occurrence throughout multiple
industries, specialists have wondered aloud
whether or not it is possible to properly
develop a profile that allows organisations
to accurately identify fraudsters while
the fraud is happening, or in some cases
beforehand. Of course, predicting crime
before it actually happens is a concept best
left to science fiction novels and movies
at the moment but what if there were
some easily identifiable warning signs of
potential fraudsters?
General Attributes
While any individual could potentially
conduct fraudulent actions, there does
seem to be some basic elements that make
an individual more likely to take part in
fraud. According to a study by KPMG1,
the typical fraudster displays the following
attributes:
Is between the ages of 36 and 45. More
than 70% of fraudsters fall into this age
group.
Acts with little regard for the

organisations which they work for.
Is employed in a position that gives
them power over important
organisational processes including
executives, finance, operations and
marketing.
Has been with the organisation for six
years, or long enough to know the
internal processes of the company.
26
Acts with others in committing fraud.

According to KPMGs study, more than
61% of individuals that committed
fraud did so with the help of at least
one other individual.
Personality
Another compelling fact which the KPMG
study bought forward was that a large
percentage of fraudsters were extroverted
(33%), friendly (35%) and highly respected
(39%). These personality traits do not seem
to be indicators of someone who is prone
to fraud but when combined with traits
like greed and desire for personal gain1,
one can then get a clearer picture of the
personality of these individuals.
Studies have proven that these are people
who are either malignant narcissist,
or suffer from Narcissistic Personality
Disorder (NPD), which is defined as an
enduring pattern of inner experience
and behavior that deviates markedly
from the expectation of the individuals
culture, is pervasive and inflexible, has an
onset in adolescence or early adulthood,
is stable over time, and leads to distress
or impairment. Because these disorders
are chronic and pervasive, they can lead
to serious impairments in daily life and
functioning.
Actually, to really go inside the mind of
a fraudster, one needs to understand the
traits of a person suffering from NPD:
Have an inflated sense of their own
importance; Believes that he or she is

special and can only be understood
by high status people.
Have a deep need for admiration for
themselves; a sense of superiority.
Believe that theyre superior to others.
Constantly bending the rules for
himself although outwardly criticising
others for similar behavior.
Have little regard for other peoples
feelings.
Be intolerant of anything perceived as
less than a perfect performance.
Exaggerate their own achievements or
talents.
Expecting others to go along with your
ideas and plans.
Taking advantage of others.
Trouble keeping healthy relationships.
Be envious of others and / or believes
that others are envious of him or her.
To add to the above, the Association
of Certified Fraud Examiners (ACFE),
mentions in its 2014 report that the
financial losses resulting from fraud
committed by Owners/Executives at
companies were at least than 3 times
larger than the losses resulting from fraud
committed by managers or employees.
Similarly, the ACFE study showed that
the longer a fraudster had worked for a
company, the more financial harm he
or she caused. This supports the fact
conclusion that big game players are the
ones who are at the top of the corporate
pyramid.
DECEMBER 2014

EMAIL the author at drobinsingh@gmail.com
Fraud
There is a strong correlation between the

fraudsters level of authority and the losses
resulting from the fraud ACFE 2014 Report to
the Nations
But a good investigator / interviewer would
be able to identify that behind this mask
of ultra-confidence lies a person with
fragile self-esteem and vulnerability to the
slightest criticism / comment made against
them in a negative manner. Additionally,
an investigator will need be good at
profiling since the majority of fraudsters
would have never been punish and would
not have criminal records!
Try and imagine people like Jeffrey Skilling,
Enron Corp.s former chief executive, who
carried a tremendous pride that he could
do anything under the sun such as build
idealistic concept of energy trading and
explored Mark to Market accounting which
could show people that they can bill for
future profits right now and everyone, even
the authorities bought into that concept.
The whole office used to look up to him.
Think of people like in the Wolf of Wall
Street, Jordan Belfort, who could sell penny
stocks better than Apple, Intel etc. The
whole office admired him. They all had an
attractive, role model personality, etc.
The list can go on and on and includes
Ponzi Scheme perpetrators such as Scott
Rothstein and Bernard Madoff as well as
accounting fraudsters such as Ramalinga
Raju (formerly of Satyam Computer
Services) and so forth.
Behavior
There are certain behaviors which
fraudsters exhibit. These behaviors can
serve as tell-tale signs that an individual
may be committing fraud. From my
experience, the most common behavioral
red flag displayed by fraudsters is living
DECEMBER 2014
beyond his or her means. In the Middle

East, the question asked is Where did
you get this from? This alludes to the
how an individual can afford to purchase
something which is clearly above his
financial abilities. ACFEs 3 top 3
behavioral red flags displayed by fraudsters
are shown in the table below:
of your typical fraudster, it can be very

difficult to implement fair policies that
target individuals that fit that profile
without causing some unrest within the
company.
Naturally, management positions should
be afforded some type of oversight in
order to limit the chances of fraud.
However, placing increased oversight on
a specific group of individuals can seem
like unfair targeting to employees and can
cause issues. In some cases the improper
implementation of fraud mitigation
strategies can open a company up to
potential lawsuits. Lawyers and industry
Behavioral Red Flags Displayed Perpetrators

Living Beyond Means
43.8%
Financial Difficulties
33%
Unusually Close Assoication

with Vendor/Customer
On another note, experience also shows

that individuals that committed fraud
did so with the help of at least one other
individual. What do you think the other
person would be like? Generally the other
partner is a submissive one, who would
generally take instructions from the
dominant partner. Since the dominant
partner might want to remain in control,
they should avoid choosing the person
of equal stature because they would have
to share their loot equally with other
partners. If an investigator cracks the
weaker link, the whole case would unravel
like a blossoming sunflower .
Individuals exhibiting the aforementioned
behaviors must be critically examined.
Quantitative tools must be especially
keen, and third-party verification like
a psychometric test can be a good
component of this analysis.
Drawbacks of Profiling
Even though a large portion of fraudsters
meet the previously mentioned guidelines
21.8%
professionals should be consulted before

implementing strategies based on profiles
of fraudsters.
Conclusion
While it is definitely possible to create a
basic profile for fraudsters, it is important
to remember that this profile constantly
changes as technology adapts and new
avenues of fraud become available.
Mitigating the risk of fraud is an important
consideration for any business, and
utilising data has become a large part of the
equation for many.
References:
1.

2.

3.

Global Profiles of a Fraudster, KPMG

International, 2013.
Diagnostic and Statistical Manual
of Mental Disorders (DSM-5), American
Psychiatric Association, 2013.
ACFEs 2014 Report to Nations on
Occupational Fraud and Abuse.
ROBIN SINGH, MBA, MIT, CFE, CFAP is Senior

Ethics / Fraud Control Officer at Abu Dhabi Health
Services Company (SEHA).
27
Risk Management
B Y KE TA N B H O O L A
Project Controls:
More than just a
box ticking
exercise
In my previous life as a site architect
working on the design and build of a mega
shopping center, I vividly recall a cold
winters morning, standing on site with
the team that included the finance guy,
as we called him. He was understandably
worried because he had to deliver a difficult
message to the project team. The message?
The project had run out of cash. The
project manager was infuriated but all he
could do was throw his hands in the air
and walk off the site. Someone in our team
said sarcastically, so much for our project
controls!
What exactly are project controls? What do
they do and why are they so important? In
fact, in my experience, I have found that if
you were to ask many people that question,
you may be met with a few puzzled stares.
However, the truth of the matter is that
project controls are probably the most
important element of any successful capital
project delivery.
Project controls have much to do with
monitoring all the metrics of a project.
This can include quantities, time, cost,
cash flows, risk reporting, etc. The simple
definition in my book is that project
controls are all the actions you would take
to ensure that your project is delivered on
time, on budget and in accordance with
the projects design specifications. This of
course means that project controls cover
the entire life cycle of the project - from
its initiation, to the planning, execution,
monitoring and control and even at the
project closeout phase.
DECEMBER 2014
Based on my experience, as an advisory

partner to many leading developers in the
region, I have summarized below what
project controls we would expect to see in
place on capital projects. This summary
is by no means all inclusive, but will go
a long way towards delivering a project
successfully.
1. Stage gate approvals
As the project moves through the lifecycle
from initiation, planning, executing,
monitoring and control to close-out,
we would expect to see formal sign-off
from senior management and the key
stakeholders. These stage gate approvals do
not allow the project to proceed without
the required formal documented approvals
in place.
2. Policies and procedures
We have seen the use of detailed policies
and procedures leading to improved
project delivery functionality, from predevelopment through to handover, leading
to better decision-making, greater accuracy
of forecasted spend and the capability
to deliver on budget, thus limiting cost
overruns. In essence, defining all the
actions needed to be taken in a detailed
policies and procedures document provides
guidance to your team, makes their tasks
predictable and ultimately, limits surprises.
3. RACI matrix
A Responsible, Accountable,
Communicated and Informed (RACI)
matrix describes the level of participation
by the various roles in completing tasks
and the project. This simple yet effective
tool can be very useful in clarifying roles

and responsibilities across the various
departments/functions within the team.
4. Delegation of authority matrix
In most cases, we have observed the
incorrect use of a delegation of authority
matrix. Entities have moved to extreme
cases where either too much or too little
authority has been placed on the project
team. The net effect allows variations to
be carried out outside the mandate of the
delegated authorities. In many of these
cases we have also observed the use of
retrospective approvals being obtained
when the Variation Order is prepared.
Having key personnel with the adequate
level of authority and accountability is key
to project delivery.
5. Project reporting
Daily, weekly and monthly reporting can
provide a good mechanism to ensure
projects are being accurately reported on.
A report produced for the sake of reporting
is meaningless. Below are examples of good
practices that should be considered:
5.1 Forecasting and variance analysis
Monthly forecasting and variance analysis
is essential to project reporting. The use
of variance analysis on actual versus
budget and forecasted cost data
provides the where did we plan to be,
where are we now and what is the expected
final cost of the project.
5.2 KPI and project specific KPIs
The project team should meet with senior
management and the board at the start
and during the project to develop, track
29

EMAIL the author at kbhoola@deloitte.com
and enhance the KPIs. This is the perfect

opportunity to ensure all stakeholders
are aligned, and the required KPIs are in
place. We recently reviewed the monthly
reporting of a leading contractor and
observed that the contractor did not report
on Paid to date. The project team did not
feel it was their responsibility to report
on this metric as they felt that it was up
to the finance team to report on payment
related issues. We challenged the Board
of Directors and senior management on
the lack of input from other departments
including finance and procurement
departments in the monthly reports. We
stressed the importance of including
finance and procurement KPIs in the
monthly reporting. This would also ensure
they are measured accurately and in line
with the needs of the business.
5.3 Absence of Early Warning Notices
(EWNs)
This is essentially management looking
out for anything on the horizon that would
affect the delivery of the project. We work
closely with senior management and
the project team to develop and identify
EWNs, so that problems are avoided and
projects are successful in delivering the
expected value for their owners and other
stakeholders.
5.4 Work-in-progress (WIP) management
A recent client had completed his mega
project and was happy that his project
was delivered on time. While the project
was slightly over budget, he believed
that he had successfully delivered the
project. In the months that followed, to
his horror, he became aware of the fact
that over 20% of the project value was
still work in progress and had not been
certified and accounted for before. To his
disappointment, he began to realize his
accruals and WIP management system
was almost non-existent.
5.5 Earned value or value of work done
Like WIP management, the value of work
done and earned value methodology
needs to be closely monitored. The project
Risk Management
team and consultants should be able

to demonstrate a robust methodology
to measure and communicate the real
physical progress of a project taking into
account the work completed, the time
taken and the costs incurred to complete
that work. If done correctly it should allow
for effective management decision-making,
which helps evaluate and control project
risk.
Senior Management needs to have accurate
project information, one version of the
truth, to make informed decisions.
5.6 Risk management function

In our experience, we have seen a worrying
trend where we find no evidence to
support the fact that our clients identify
risks, prioritize them, establish mitigating
strategies to deal with these risks and
then monitor the effectiveness of these
strategies. In other words, we cannot
effectively say that the majority of our
clients have a robust risk management
culture in their organization.
While the previous metrics may seem
daunting to a project control office that
is still in its infancy, it is important to
realize that the aim of these is to provide
useful information to management so that
a project may be delivered successfully.
Most organizations are encouraged to use
metrics that work for them. For example,
during the course of our advisory work,
we have assisted leading clients with
the development and use of a one-page
project dashboard report. This one-pager
would ideally be provided to executive
management to help them provide the
correct oversight on projects. In hindsight,
it would have also helped our little
shopping center back in the day!
KETAN BHOOLA, B.ARCH, MRICS, is an
Assistant Director at Deloitte Corporate
Finance Ltd.s Infrastructure & Capital Projects
division.
Project Critical
Success Factors
Top 3 critical success
factors for Clients in
projects:
1.
Certainty of Cost
2.
Qualified Staff
3.
Return on Investment
Top 3 critical success

factors for Contractors
in projects:
1.
Qualified Staff
2.
Compliance with
Specifications
3.
Profitability
Source: Deloitte Survey at Arabian
World Construction Summit 2014
DECEMBER 2014

Ia Magazine Dec Eng1

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Ia Magazine Dec Eng1

Diunggah oleh

Hak Cipta:

Format Tersedia

DECEMBER 2014

Using Feedback from Auditees to

A Look Into the Characteristics and

The top 10 innovative professional

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

From The President

The Time for Research

Abdulqader Obaid Ali

INTERNAL AUDITOR - MIDDLE EAST

REACH NEW INTERNAL

ACCELUS AUDIT MANAGER

For more information on Accelus Audit Manager please visit:

2014 Thomson Reuters. All rights reserved.

Innovative ways to improve the

Feedback Internal auditors

24 Board & C-Suite Driven Assurance: The Dawn

28 Inside the Mind of a

What characteristics and

New Reports from IIA UK and

A healthy corporate culture is

Harsh Mohan talks about the

proper controls around

INTERNAL AUDITOR - MIDDLE EAST

be cautious and avoid commenting on

Enjoyed the Information

UAE INTERN AL AU DIT ASSOCIATION

ADVER TISING & ADMINIS TRATION

Ah med Al An sari; Kh alid Al Hal yan ;

Raza Ab d u lla; Ab d u lrah man Al Hareb ;

Ay m a n Abde lra him, MQM, CIA, CCSA,

INTERNAL AUDITOR - MIDDLE EAST

I applaud the clarity with which articles

UAE Internal Audit Association

DESIGN & PRINTING

COMPLIMENTARY TRANSLATION PROVIDED BY:

ARABIC TRANSLATION & LAYOUT

The IIA UKs 2nd Annual Survey of

is the total number of

Combining Internal Audit and the

Internal audit should not make managerial decisions.

Source: PwCs Global State of Information

INTERNAL AUDITOR - MIDDLE EAST

EY Report on How Internal Audit Can

The Institute of Internal Auditors

New Guidance for UK Listed Companies

Design and implementation of

Fostering an appropriate culture and

One of the unique considerations

Data analysis for every audit

Copyright 2014 Wolters Kluwer Financial Services, Inc.

Construction Subgroup Meeting

Launch of the Hospitality Subgroup

INTERNAL AUDITOR - MIDDLE EAST

interpretation. In the case of Lehman Brothers, for example, their

Commitment to ethics and integrity;

TO COMMENT on the article,

Recommendations for auditing culture

Consider what kind of culture the organisation

Ensure corporate culture is considered within your

When it comes to developing the internal audit strategy

The COSO framework provides a good basis for

Traditionally internal auditors are wary of providing subjective

retention packages does the company offer, and is it linked