WWW.INTERNALAUDITOR.ME
SHAPING TALENTED
AUDIT TEAMS
DECEMBER 2014
INTERNAL AUDITOR
MIDDLE EAST
DECEMBER 2014
WWW.INTERNALAUDITOR.ME
F E AT U RES
16 COVER STORY: Shaping Talented Audit Teams
JACQUELINE TURNER
22 Auditee Feedback
4 Reader Feedback
Recent developments in
governance and regulation
will have a profound impact
on internal audit approaches.
BY TIM J. LEECH
BY ROBIN SINGH
DE PARTMENTS
5 Knowledge Update
10 Governance
Perspectives
BY VISHAL THAKKAR
12 Conversations with
8 UAE-IAA Events
Colleagues
BY FARAH ARAJ
DECEMBER 2014
20 Human Resources
Five characteristics of
a successful chief audit
executive.
BY AYMAN ABDELRAHIM
30 Fostering
Fundamentals Having
Reader Feedback
We want your views on the articles and the magazine! Share your
thoughts and feedback with us via email at editor@internalauditor.me
Disagreements on Information
Technology Strategy
The article Information Technology
Strategy (Sept 2014) was a very interesting
read and in particular because it reflected
the views of a Chief Information Officer.
However, I did not agree with his
recommendation for internal auditors to
Nada Al Chalabi
Senior Audit Manager
Information Systems
Dubai, UAE
C ONTAC T I NF OR MAT I ON
BOARD OF GOVERNORS
Ya s m i n e A b d E l A zi z
ya s m e e n @i i a u a e . o rg
Te l : +9 7 1 4 4 3 3 9 0 8 2
A b d u l q a de r Oba id Ali
EDIT OR
EXECUTIVE COMMITTEE
INTERNAL AUDITOR
MIDDLE EAST
D E C E MBER 2 0 1 4
VOLUME 2014: 4
PRESIDENT
F a r a h A ra j ( Ac t ing)
EDIT ORIAL
F a ra h A ra j
e d i to r@i n te rn a l a u d i to r. m e
Te l : +9 7 1 5 0 8 5 0 1 7 8 0
I n te rn a l A u d i to r M i d d l e E a s t i s p u b l i s h e d q u a rte rl y b y t h e
U A E I n te rn a l A u d i t A s s o ci a ti o n ( U A E - I A A ) , 8 th F l o o r, B u ild in g
4 , T h e G a l l e ri e s , D o wn to wn Je b e l A l i , D u b a i ,
P. O. B o x 9 0 9 1 9 , U n i te d A ra b E m i ra te s
G i ri s h M e h ta
A d ve n tu re G l o b a l
g i ri s h @a d ve n tu re - g l o b a l . co m
Te l : + 9 7 1 4 3 9 3 7 6 9 6
Hossam Samir
E l a p h Tra n s l a ti o n
h o s s a m @e l a p h tra n s l a ti o n . co m
Te l : +9 7 1 4 3 3 1 0 3 3 2
GUIDELINES F OR AUTHORS
www. i n te rn a l a u d i to r. m e
DISCLAIMERS
I n te rn a l A u d i to r M i d d l e E a s t i s i n te n d e d o n l y f o r m em b er s
o f th e I n s ti tu te o f I n te rn a l A u d i to rs i n th e M i d d l e E as t an d
a s s u ch i t i s n o t i n te n d e d to b e s o l d o r re - s o l d b y an y p ar t y.
T h e vi e ws e xp re s s e d i n I n te rn a l A u d i to r M i d d l e E a s t
a re s o l e l y th o s e o f th e a u th o rs , a n d d o n o t n e ce s s ar il y
re p re s e n t th e vi e ws o f th e U A E - I A A o r th e a u th o rs
re s p e cti ve e m p l o ye rs .
I n te rn a l A u d i to r M i d d l e E a s t i s a p e e r- re vi e we d ma g az in e
a n d d o e s n o t ve ri fy th e o ri g i n a l i ty o f th e co n te n t s ub m it t ed
b y th e a u th o rs .
DECEMBER 2014
Knowledge Update
B Y VI S H A L T H A K K A R
Risk maturity.
Top risks internal auditors are focusing on.
Reporting relationships of internal audit.
The competencies that internal audit need to function effectively.
Over the past year, there has been a marked increase (from 68% to 82%) in the number of
heads of internal audit reporting functionally to the chair of the audit committee which is
results in an increase in internal audit effectiveness. However, there was little change in the
amount of respondents (57%) who felt the level of risk maturity in their company was well
established.
In terms of the skills needed by internal auditors, the top 3 skills identified by respondents
were 1) Communication Skills, 2) Problem Identification and Solution Skills and 3)
Knowledge of Industry, Regulatory, and Standards Changes. The report also covered
quality assurance and the results show that over 60% of respondents had an External
Quality Assessment carried out by an independent party in the past 5 years. This figure
rose to 75% in the financial services sector.
87%
of executives believe
reputation risk is
the most important
strategic risk
Source: Deloittes 2014 Global Survey on
Reputation Risk
http://www2.deloitte.com/global/en/pages/
governance-risk-and-compliance/articles/
reputation-at-risk.html
42.8
million
https://www.iia.org.uk/policy/wwwiiaorgukgovandrisk2014/
35%
of security incidents are
carried out by current
employees of a company
http://iia.nl/actualiteit/nieuws?newsId=1613
DECEMBER 2014
Knowledge Update
New Practice
Guide on Business
Continuity
Management
Big data is fundamentally changing the way the enterprise operates, and Internal Audit
(IA) cant afford to be left behind. This is the main theme of a publication released by EY
titled Harnessing the Power of Data which discusses how internal audit can embed data
analytics into its processes in order to deliver more value to the business.
EY stresses the fact that building analytics capabilities is a journey that will take significant
time and effort and defines 3 stages of analytics:
1. Descriptive Analytics: This relates to reporting on and understanding what has already
happened whether in real time or after the fact.
2. Predictive Analytics: Understands the relationships between input and output to
predict what will happen in a given scenario.
3. Prescriptive Analytics: This is the most advanced stage and is designed to determine
which decision or action will produce the most effective results.
Internal audit can maximize its ability to monitor key risks through timely identification
of high-risk journal entries, early identification of potential accounting surprises and
continuous auditing of all transactions flowing through the general ledger.
Further, and using the example of vendors, data analytics is not just about routine business
information (e.g. amount sold, average price) and goes down to lower level, higher-volume
data (e.g. line item detail for purchase orders and invoices). Such detail allows internal
audit to use data analytics in its annual risk assessment, in its regular audits as well as for
special projects.
http://www.ey.com/GL/en/Services/Advisory/EY-internal-audit-harnessing-the-power-of-analytics
DECEMBER 2014
TeamMate
Analytics
UAE-IAA Events
B Y SAM IA A L Y O U S U F
The UAE Internal Audit Association Construction Subgroup held its first Business Event, which was hosted by the UAE Society of Engineers, in Dubai on 23 September 2014. The event was attended by Abdulqader Obaid Ali along with with Syed Imtiaz (Chairman of the
Construction Subgroup) and Hakim Lalipurwala (Vice Chairman Construction Subgroup) who discussed areas of mutual cooperation
with Maged Farouk Hanna, General Manager of the UAE Society of Engineers.
In addition, Mike Lewis (Head of Internal Audit at Abu Dhabi Airports) and Mr. Matt Irvin (Senior Project Manager) delivered a presentation titled Risks in Supply Chain Management in Mega Construction Projects. The presentation highlighted the mechanisms used
by Risk Management and Internal Audit to manage and mitigate the various risks faced in a mega construction project. The speakers
informed the participants about the Three Lines of Defense framework to help improve overall effectiveness of risk management and
internal audit.
The UAE Internal Audit Associations Hospitality Subgroup held its first meeting on 15 October 2014 at Abu Dhabi National Exhibitions
Company. The session was well attended and led by the Hospitality Subgroup Chairman, Aldrin Sequeira, who is currently the Chief
Internal Audit Officer for the Jumeirah Group.
The session also had 2 interesting specialist presentations. The first of which was a presentation by Deloitte led jointly by Grant Salter (Director- Head of Travel, Hospitality and Leisure Advisory) and Hossam Samy (Principal - Enterprise Risk Services) discussing
Hospitality: Middle Eastern Trends, Challenges, and how the Internal Audit Profession can Support the Growth. This was followed by
an interactive session by Protiviti on Corporate Governance in the hospitality sector led by Nagesh Suryanarayana (Director - Internal
Audit and Risk Advisory Services).
Organizations are now trying to align their corporate governance frameworks in line with leading practices globally and local regulatory
mandate. Some key examples include, establishing internal audit functions, risk management frameworks, board evaluation matrices,
establishing board sub-committees, enhancing reporting and disclosures frameworks, explained Nagesh.
DECEMBER 2014
KPMG is a global
network of professional
firms providing Audit, Tax
and Advisory services.
We have more than
155,000 outstanding
professionals working
together to deliver value
in 155 countries
worldwide.
Governance Perspectives
B Y R O B E RT N O Y E - A L L E N AN D KAM I N UT TAL L
Auditing Culture
Can internal auditors
really give adequate
assurance on corporate
governance without
auditing corporate
culture?
Internal auditing is an evolving discipline, not least due to changing business environments and stakeholder priorities. In 2014,
auditing culture has emerged as a new area of focus a response
to growing awareness that hard controls arent the only ones that
matter. Soft controls that stem from a companys culture are also
vital for good governance.
Corporate culture is not only about the values an organisation
espouses, but also how the organisation lives them. The desired
values need to be communicated, embedded and monitored. The
extent to which these values are being applied is a legitimate subject for internal audit reporting, although there are challenges in
applying this philosophy.
Guidance recently issued on the subject by the Chartered Institute
of Internal Auditors in the UK and Ireland, recognises that auditing indicators of culture is complexinternal auditors need to be
comfortable in their understanding of culture and risk culture.
Chief Audit Executives should ask themselves: can we really offer
adequate assurance on the effectiveness of our organisations governance, risk and controls if we havent given any consideration to
the culture and risk culture of our organisation?
If there is any doubt about the importance of assessing the application of stated values, consider Enron and its stated values of
community, respect, integrity and excellence. But where is it now?
Examples from elsewhere around the world (Lehman Brothers,
AIG, and Nortel) also indicate there is a powerful link between
poor culture and performance, and ultimately corporate failure.
Cultural indicators are not always easy to recognise and rely on
INTERNAL AUDITOR - MIDDLE EAST
Governance Perspectives
DECEMBER 2014
11
Harsh Mohan
Etihad Airways
Senior Vice President
of Audit, Compliance
and Risk shares his
experience on the role
of Internal Audit in risk
management
DECEMBER 2014
Interview
13
141526
www.globaliia.org/QIAL
Human Resources
B Y AY M A N A B D E L R A H I M
E D I T E D BY M E E N AKSH I RAZDAN
Characteristics of
a Successful
Chief Audit Executive
The increasing complexity of companies,
combined with the impact of todays
global economy, has resulted in a variety
new business risks and challenges. To
help in responding to these new risks and
challenge, it is essential for a company to
have a highly skilled Chief Audit Executive
(CAE). This CAE must possess several
core characteristics which will allow him or
her to be successful.
One clue to these characteristics can be
found in the meaning of the word Audit,
derived from the Latin word audire
which means to hear. Successful CAEs
hear what is happening within a company
and also hear to what stakeholders have
to say. Therefore, a successful CAE is one
who not only technically solid but has
appropriate behavioral characteristics. The
mix of essential characterizes that should
be found in a CAE is as follows:
1. Strategic Thinking
CAE plays an important role in providing
assurance whether the organization has
the ability to achieve its objectives or not.
This means that a CAE should understand
the companys business and how he work
together with top management to achieve
a companys strategy in order to and
help guide the organization in the right
direction.
2. Mastery of Risk
The CAE needs to establish risk-based
internal audit plans to ensure that the
priorities of the internal audit activity
are consistent with the companys goals.
Accordingly, it is necessary to have a
high sense of risk awareness and how the
organization manages its risks; CAE should
DECEMBER 2014
If you want to be
successful, you have
to be willing to invest
in yourself
15
Innovation
B Y KA M R A N A H S A N
Shaping
talented
audit teams
Imperatives
1. Graduate program
5. Alumni network
8. Frontline connections
6. Knowledge champions
7. Mentoring
DECEMBER 2014
Innovation
Implementation of professional
development programs is another
leadership imperative.
Key steps
Tell me and Ill forget; show me and I may
remember; involve me and Ill understand.
Chinese Proverb
Identify the competency needs of your
IAA. These may already be identified
through an the IIAs IIAs Global Internal
17
Innovation
Program 2
: Knowledge champions
Design Aims
: Nurture mid-level audit staff to become knowledge champions.
Primary Benefit : Auditors develop expertise in assigned specific knowledge areas, such as emerging practices and issues; governance,
risk, control; or technical areas of entity. Example: tax collection agency CAE might assign indirect taxes, direct taxes,
client register etc.
Secondary Benefit : Provides CAE with timely information on contemporary trends and business issues, and be well-briefed for C-suite
and audit committee interactions.
Key Features
: Reduces dependency on hiring terrain experts.
Program 3
:
Design Aims
:
Primary Benefit :
Secondary Benefit :
Key Features
:
Mentoring
Achieve full potential of auditors.
Fosters professional relationships, where auditors have opportunity to collaborate and share insights
with experienced executives outside IAA.
Provides forum offering constructive and frank advice to support auditors career development.
Offers cost-effective way of assisting auditors to acquire knowledge and skills to operate within challenging environment.
Frontline connections
Enable senior audit staff to spend time in field with operational staff.
Provides an opportunity for auditors to gain experience on the ground so they better comprehend frontline
activities and day-to-day challenges of entity.
Provides job enrichment for participants so they remain sharp and objective.
Enables auditors to spend half a day every month or quarter in the business shadowing frontline staff and completing
lower-risk operational tasks.
Program 2
:
Design Aims
:
Primary Benefit :
Secondary Benefit :
Key Features
:
Program 3
:
Design Aims
:
Primary Benefit :
Secondary Benefit :
Key Features
:
Anticipated outcomes
16 CPEs
Quality Improvement
B Y L AL IT D U A
Auditee
Feedback
Positive and Honest feedback adds
to Audit Effectiveness
20
Quality Improvement
DECEMBER 2014
21
Audit Management
B Y TI M J . L E E C H
Traditional/Historical Internal
Auditing
I joined the profession as an internal
auditor in the summer of 1981. Since
22
4.
5.
6.
7.
Audit Management
23
Audit Management
DECEMBER 2014
AD SPACE
Risk Oversight
Fraud
BY ROBIN SINGH
General Attributes
While any individual could potentially
conduct fraudulent actions, there does
seem to be some basic elements that make
an individual more likely to take part in
fraud. According to a study by KPMG1,
the typical fraudster displays the following
attributes:
Is between the ages of 36 and 45. More
than 70% of fraudsters fall into this age
group.
Acts with little regard for the
organisations which they work for.
Is employed in a position that gives
them power over important
organisational processes including
executives, finance, operations and
marketing.
Has been with the organisation for six
years, or long enough to know the
internal processes of the company.
26
Personality
Another compelling fact which the KPMG
study bought forward was that a large
percentage of fraudsters were extroverted
(33%), friendly (35%) and highly respected
(39%). These personality traits do not seem
to be indicators of someone who is prone
to fraud but when combined with traits
like greed and desire for personal gain1,
one can then get a clearer picture of the
personality of these individuals.
Studies have proven that these are people
who are either malignant narcissist,
or suffer from Narcissistic Personality
Disorder (NPD), which is defined as an
enduring pattern of inner experience
and behavior that deviates markedly
from the expectation of the individuals
culture, is pervasive and inflexible, has an
onset in adolescence or early adulthood,
is stable over time, and leads to distress
or impairment. Because these disorders
are chronic and pervasive, they can lead
to serious impairments in daily life and
functioning.
Actually, to really go inside the mind of
a fraudster, one needs to understand the
traits of a person suffering from NPD:
Have an inflated sense of their own
Fraud
Behavior
There are certain behaviors which
fraudsters exhibit. These behaviors can
serve as tell-tale signs that an individual
may be committing fraud. From my
experience, the most common behavioral
red flag displayed by fraudsters is living
DECEMBER 2014
43.8%
Financial Difficulties
33%
Drawbacks of Profiling
Even though a large portion of fraudsters
meet the previously mentioned guidelines
21.8%
Conclusion
While it is definitely possible to create a
basic profile for fraudsters, it is important
to remember that this profile constantly
changes as technology adapts and new
avenues of fraud become available.
Mitigating the risk of fraud is an important
consideration for any business, and
utilising data has become a large part of the
equation for many.
References:
1.
2.
3.
27
Risk Management
B Y KE TA N B H O O L A
Project Controls:
More than just a
box ticking
exercise
In my previous life as a site architect
working on the design and build of a mega
shopping center, I vividly recall a cold
winters morning, standing on site with
the team that included the finance guy,
as we called him. He was understandably
worried because he had to deliver a difficult
message to the project team. The message?
The project had run out of cash. The
project manager was infuriated but all he
could do was throw his hands in the air
and walk off the site. Someone in our team
said sarcastically, so much for our project
controls!
What exactly are project controls? What do
they do and why are they so important? In
fact, in my experience, I have found that if
you were to ask many people that question,
you may be met with a few puzzled stares.
However, the truth of the matter is that
project controls are probably the most
important element of any successful capital
project delivery.
Project controls have much to do with
monitoring all the metrics of a project.
This can include quantities, time, cost,
cash flows, risk reporting, etc. The simple
definition in my book is that project
controls are all the actions you would take
to ensure that your project is delivered on
time, on budget and in accordance with
the projects design specifications. This of
course means that project controls cover
the entire life cycle of the project - from
its initiation, to the planning, execution,
monitoring and control and even at the
project closeout phase.
DECEMBER 2014
29
Risk Management
Project Critical
Success Factors
Top 3 critical success
factors for Clients in
projects:
1.
Certainty of Cost
2.
Qualified Staff
3.
Return on Investment
DECEMBER 2014