
DECEMBER 2016 WWW.INTERNALAUDITOR.ME

Using control self-assessments to improve risk management processes

Social media presents new challenges for public sector internal audit departments

Upgrading report writing skills from the beginner to the expert level

A Successful Take Off
The story of how Abu Dhabi Airports Company transformed its internal audit performance

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL


INTERNAL AUDITOR - MIDDLE EAST 01 DECEMBER 2016

From The President

Dear Readers,

2016 has been an extremely busy year for the association as we were putting into place all that is required to ensure that the International Conference in 2018 is successful like never before. We have established several committees and are in constant touch with the IIA Global to ensure that there is adequate communication. Volunteer support is always a critical component and if you feel you can contribute in any way, then I suggest you get in touch with the UAE IAA offices.

In 2016 many of our Board and Executive Committee members were elected to important committees at the IIA Global. This, I am sure, will give us more visibility and an opportunity to bring to you details as and when they happen. We have also been meeting several government and semi-government institutions to promote and advocate the profession of internal audit. Our targets for 2017 are greater and we will require every bit of your support to achieve them.

Of the several, I would like to highlight 3 important aspects of 2016:

1. IIA UAE visit to the Minister of Social Affairs. It was an honor to know that the minister was greatly impressed with our organization’s achievements. To add more, she assured us of her support for the 2018 International Conference.

2. The 6th CAE conference. Thanks to the efforts of so many, the CAE Conference in November 2016 was a huge success. The UAE IIA was glad to have Ms. Angela Witzany, Chairman of the IIA Board, as the keynote speaker, who shared with us her views and vision for the IIA and the profession. It was immensely satisfying to hear from her that she would like to see in the near future someone from the UAE as the Chairman of the IIA Board.

3. Only digital. In our bid to contribute towards the environment and be e-friendly, from 2017 our IA Magazine will go entirely digital. There will be no more circulation of hard copies, which should save you at least 1 trip to your post box. Members will be able to view the magazine from the magazine website www.internalauditor.me. I also urge members to contribute views and articles for consideration for inclusion in the magazine.

On an ending note, I wish you a very productive and fruitful 2017 and look forward to interacting with you at our events.

Regards,

Abdulqader Obaid Ali
President


TeamMate®

Ecosystem for Assurance

Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946

To achieve new heights, finding the right balance of audit tools is essential. Only TeamMate offers an integrated set of solutions that include the industry’s leading audit management system, an innovative controls management system and powerful data analytics.

Audit: TeamMate AM
Controls: TeamMate CM
Analytics: TeamMate Analytics

Learn more at: TeamMateSolutions.com


FEATURES

• COVER STORY: A Successful Take Off. What approach did use to manage and measure Internal Audit performance? By Torben Hilbertz

• Control Self-Assessment, Techniques and Strategies. Control Self-Assessment results depend on the organization and the quality of the team. By Zahia Touam

• Public sector auditing in the era of Mobile Social Media. Social media is also impacting the public sector and its internal auditors. By Karim Sliti

DEPARTMENTS

• Reader Feedback

• Knowledge Update. Assessing Cybersecurity Risk, 2016 NASCIO Cybersecurity Study by Deloitte, IIA Updates Standards for the Professional Practice of Internal Auditing, Fraud Risk Management Guide published by COSO and ACFE, Voice of the Customer: Stakeholders’ Messages for Internal Audit. By Vishal Thakkar

• UAE-IAA Events

• Fraud Risk. Does conducting Fraud Scenario Assessments mean management distrusts their employees? By Ghassan El Shair

• Conversations with Colleagues: Karem Obeid. The Middle East’s first Vice-Chairman (Global Services) for the Institute of Internal Auditors (IIA) Global explains his role and the importance of serving our profession. By Farah Araj

• Tips on writing Internal Audit Reports. Essentials of writing an effective Internal Audit Report. By Rajiv Thakur

• Human resources. What are sufficient indicators to measure the effectiveness of the internal audit activity? By Ayyoub Al Marzouqi

• IT Audit. Internal Auditors need to understand how technological innovations are enhancing businesses and impacting audit approaches. By Arif Zaman


There are many Internal Audit Reports that have been reported to the concerned persons in organizations, yet they were kept in locked drawers and ignored, or were kept in their e-mails’ inbox. Neither were the risks and issues contained in these reports considered, nor were the recommendations acted on.

But why? I think this is ascribed to the lack of a common understanding between the concerned persons and the internal auditors of organizations about the issues, risks and recommendations contained in Internal Audit Reports.

I think that the essay of Mr. Paterson titled “Root Cause Analysis For Internal Audit” has explained and detailed one of the most important factors that help in understanding, interacting with and responding to Internal Audit Reports by the concerned people, which is the use of root cause analysis by internal auditors during carrying out internal audit works in the analysis of the issues and problems subject to the auditing and in reaching their conclusions and recommendations on them.

This approach, if used by internal auditors, will help in the identification of real reasons behind the issues and risks contained in their reports, which helps in proposing practical and effective recommendations that are acceptable by the concerned people and officials, thus guarantee their responsiveness by taking appropriate measures to implement such recommendations.

Hisham Abdul Karim Al-Attnh, ACCA, CIA, CRMA

Partner, Moore Stephens; Head of Internal Auditors Association, Yemen

The writer of “Accounting Scandals Revisited” has spoken about major frauds and the difficulty of discovering them. I would like to provide my feedback on the role of internal auditing in fraud.

Internal Auditing Standard No. 1210 is clear about the necessity of an auditing team to have sufficient knowledge to evaluate the risk of fraud and knowing how to manage this risk by the administration of the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Therefore, the executive management is responsible for discovering and evaluating these risks. Is this evaluation considered during planning for internal auditing engagements? If it does not exist, what are the alternative procedures? Where is the role of the control culture and professional conduct in the reduction of fraud? The internal auditing in Toshiba failed to discover any fraud. Its role was more advisory than assurance, without auditing the accounting operations and with weakness in the internal control environment and the role of the suspicious auditing committee, whose chair was the former Chief Financial Officer of Toshiba and most of the accounting entries were performed during his tenure (2011 – 2014). The solution is the application of the good governance principles, the activation of the role of the Board of Directors committees (Auditing, Risks and Compliance), and monitoring the executive departments resolutions. In the case of Toshiba, after the global economic crisis, achieving unreasonable sales and profitability objectives was formally requested, with the pressures increased at the approach of the end of each fiscal year. The complete elimination of fraud is getting difficult with the continuing technological development and services, with the necessity of the continuous training of the internal audit on the risk of fraud.

Emad Murad

Director of Internal Audit in the Arab Finance House (Islamic Bank), Lebanon

ARABIC REVIEW TEAM

Ayman Abdelrahim, MQM, CIA, CCSA, CFE (Lead Member)
Khalid M. Alodhaibi, SOCPA
Qais Hamdan, CISA, CISM, PMP
Noora Ayoob
Waleed Sweimeh, CIA
Saif Kaddourah, MBA

UAE INTERNAL AUDITORS ASSOCIATION

PRESIDENT
Abdulqader Obaid Ali, CFE, CRMA, QIAL

GENERAL MANAGER
Samia Al Yousuf

REGISTRATION

Internal Auditor - Middle East magazine is licensed by the National Media Council of the United Arab Emirates (License Number 244).

Reader Feedback

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

EDITOR-IN-CHIEF
Abdulqader Obaid Ali, CFE, CRMA, QIAL

EDITOR
Ghada Abd Elbaky

EDITORIAL ADVISORY COMMITTEE
Asem Al Naser, CPA, CIA, QIAL
Farah Araj, CPA, CIA, CFE, QIAL (Lead Member)
Andrew Cox, MBA, MEC, PFIIA, CIA, CISA, CFE, CGAP, MRMIA
Raymond Helayel, CPA, CIA
Meenakshi Razdan, CA, CPA, CIA, CFE
Hossam Samy, CRMA, CFE, CPA, CGA
Nagesh Suryanarayana, MBA, CIA, CCSA
James Tebbs, CA
Vishal Thakkar, ACA, CIA
Gautam Gandhi, ACA, CIA, CISA, CFE

DECEMBER 2016
VOLUME 2016: 3

CONTACT INFORMATION

MARKETING & SOCIAL MEDIA
Alaa Abu Nabaa, MACC, CIA, CRMA, CPA, [email protected]

ADVERTISING & ADMINISTRATION
Yasmine Abd El Aziz
[email protected]
Tel: +971 55 351 2335

EDITORIAL
Ghada Abd Elbaky
editor@internalauditor.me
Tel: +971 55 728 5147

DESIGN & PRINTING
Gulf International Advertising & Publishing L.L.C.
giadco511@gmail.com
Tel: +971 2 441 2299

GUIDELINES FOR AUTHORS
www.internalauditor.me

Internal Auditor - Middle East is published quarterly by the UAE Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor, API Trio Tower, Dubai, United Arab Emirates

DISCLAIMERS

Internal Auditor - Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party. The views expressed in Internal Auditor - Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers. Internal Auditor - Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

[Image: cover of the September 2016 issue of Internal Auditor - Middle East, English and Arabic editions. Cover story: Root Cause Analysis for Internal Audit: Getting to the heart of the issue and adding more value to your organization. Also on the cover: Comparing the accounting frauds of the past to the current corporate environment; Enterprise risk management and organizational maturity; A strategic and systematic approach to internal controls.]


Knowledge Update

By Vishal Thakkar

Assessing Cybersecurity Risk

All types of organizations are becoming more susceptible to cyber threats due to their increasing reliance on the cyber world, i.e. computers, networks, software, applications, social media and the significant data being generated. To respond to this emerging risk, CAEs are challenged to ensure that management has implemented both preventive and detective controls. CAEs are also required to create an internal audit approach which is comprehensible in order to assess the risk posed by cybersecurity and the response capability of management, with a specific focus on quick response time.

The IIA’s latest Global Technology Audit Guide (GTAG), ‘Assessing Cybersecurity Risk: Roles of the Three Lines of Defense’, is designed to assist internal auditors in developing proficiency in providing assurance over risks posed by cybersecurity. The guide also discusses internal audit’s role in cybersecurity, evaluates emerging risks and other common threats encountered by all three lines of defense, and puts forward a clear-cut approach to assessing cybersecurity risks and controls.

https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx

2016 NASCIO Cybersecurity Study by Deloitte

Many of the challenges of managing cyber risk in state government, i.e. funding and talent, have persisted over the years. In spite of this, states have made progress, due to a rise in governor-level awareness and in collaboration of CISOs with other government agencies. The 2016 NASCIO Cybersecurity Study carried out by Deloitte shows that cyber risk has gained in importance for governors and other state executives. For CIOs and CISOs, this governor-level attention is an encouraging phenomenon and presents an opportunity to secure resources in order to support state cybersecurity programs.

Following are some of the key takeaways from the 2016 survey:

• Rise in awareness at Governor-level: Cybersecurity is very critical for governors and other state officials, as this year's state officials survey shows that over 90% mentioned that cybersecurity is important to their state and over 94% mentioned that it is important to their individual agency.

• Cybersecurity becoming key part of government operations: CISOs have started taking a more systematic approach to managing cyber risk and are starting to concentrate on areas that are in their control, as only 45% of CISOs mentioned the “growing sophistication of threats” as a barrier to addressing cybersecurity challenges, which is down from 61% in 2014.

• Formal strategy and better communications will lead to increased command of resources: Even as CISOs are better defining their roles and becoming an integral part of state government, they are still facing challenges, especially in securing the resources they require to contest the ever-evolving threat of cybersecurity. 80% of respondents say that inadequate funding is one of the top barriers to effectively addressing cybersecurity threats and 51% say inadequate availability of cybersecurity professionals.

https://dupress.deloitte.com/dup-us-en/industry/public-sector/nascio-survey-government-cybersecurity-strategies.html


IIA Updates Standards for the Professional Practice of Internal Auditing

The Institute of Internal Auditors (IIA) has recently announced adoption of changes to the Standards for the Professional Practice of Internal Auditing (Standards) which will go into effect January 1, 2017.

One of the most important changes in the Standards reflects the evolving roles and responsibilities of the Chief Audit Executive (CAE). Also, two new Standards recognize evolving demands on the CAE and the resulting potential for impairment to the CAE’s objectivity. Other changes to the Standards stress alignment with the 10 Core Principles, introduced as part of last year’s update to The IIA’s International Professional Practices Framework (IPPF). These Core Principles reflect primary beliefs of the profession that were practiced but were not formally expressed before the IPPF update. The update reasons that, for an internal audit function to be considered effective, all Principles should be present.

https://na.theiia.org/news/Pages/IIA-Updates-Standards.aspx

Fraud Risk Management Guide published by COSO and ACFE

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a framework in 1992 which was recognized worldwide for designing, implementing and conducting internal control, viz. ‘Internal Control—Integrated Framework’. In 201, COSO revised this original framework to include 17 additional principles so as to make the internal control system more effective. Principle 8 specifically addressed the importance of organizations considering “the potential for fraud in assessing risks to the achievement of objectives.”

In order to provide best-practices guidance for organizations to adhere to when implementing this principle, COSO partnered with the Association of Certified Fraud Examiners (ACFE) in 2016 to create the ‘Fraud Risk Management Guide’. The joint report specifies the manner in which organizations can effectively create a comprehensive fraud risk management program. It specifically identifies how organizations can:

• Establish policies related to fraud risk governance
• Perform a fraud risk assessment
• Design and deploy fraud prevention and detection control activities
• Conduct fraud investigations
• Monitor and evaluate the comprehensive fraud risk management program

http://www.acfe.com/fraudrisktools/guide.aspx

Voice of the Customer: Stakeholders’ Messages for Internal Audit

The role of internal audit is very unique and critical with regard to organizational governance. To fulfill this role, internal auditors work with many stakeholders in their organizations. The report focuses on board members and the executive team members of organizations that have internal audit functions. Even if there are other types of stakeholders, these most directly affect the work of internal audit.

This study was not designed to determine if there is a gap between the expectations of shareholders from internal audit and whether these expectations are being met. Instead, it focused on the recommendations from stakeholders on the best practices that internal auditors should consider in their pursuit to continually improve performance and bring value to their organizations.

http://theiia.mkt5790.com/CBOK_2015_Voice_of_the_Customer/?webSyncID=3d03cb58-df97-43da-a8a4-7f027ead890c&sessionGUID=7e17182a-4c77-d19b-29a7-000b87ae0707

Technology in Construction Projects

• 42% use drones to monitor construction status
• 65% use remote monitoring on sites
• 30% use radio-frequency identification to track equipment and materials on site
• 61% use Building Information Modeling on a majority of their projects

Source: KPMG’s 2016 Global Construction Survey

https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2016/09/global-construction-survey-2016.pdf


UAE-IAA Events

By Samia Al Yousuf

The Sixth Chief Audit Executive Conference - Abu Dhabi

The UAE Internal Auditors Association held its 6th CAE conference at the Four Seasons, Al Maryah Island, Abu Dhabi on 9-10 November.

Ms. Angela Witzany, IIA Global Chairman 2016-2017, was the keynote speaker at the Conference, themed “Enhance & Protect, Challenges Ahead”. During her presentation, Ms. Angela talked about her current theme, which is “Audit Never Sleeps”.

The second Best Practice Awards in Internal Audit for the private and government sectors was held during the Conference. The awards were divided into three categories: IT, Fraud, and Governance, Risks & Controls. The winners were judged on the criteria of innovation, successfully structured implementation, and benefits to the internal audit department and the organization.

In the private sector, Mubadala received the Best Practice Award for the IT category, Dubai Holding for the Fraud category and Sharjah Islamic Bank for the Governance, Risks & Controls category.

In the government sector, Petroleum Institute received the Best Practice Award for the IT category and Roads & Transport Authority received the Best Practice Award for both the Fraud and the Governance, Risks & Controls categories. Roads and Transport Authority was also declared the Overall Winner in the government sector.

UAE IAA and Dubai Aviation City Corporation hold Government Innovation Forum 2016

UAE Internal Auditors Association, in collaboration with the Internal Audit and Risk Assessment Group at Dubai Aviation City Corporation, held Government Innovation Forum 2016 at Jumeirah Creek Hotel, Dubai on Sunday, November 20, 2016. The forum emphasized the importance of promoting a culture of innovation, creativity and enrichment amongst auditors in government and private sectors to enhance the quality of internal audit in the times ahead. The event also highlighted the essence of strengthening the competence of internal audit professionals and encouraging them to find innovative ideas and profound solutions in the field of Internal Audit within the region and beyond.

UAE IAA hospitality subgroup partners with Ernst & Young to discuss Cybersecurity and Due Diligence

UAE Internal Auditors Association’s hospitality subgroup and Ernst & Young spearheaded an important seminar which covered topics concerning the hospitality industry like cybercrime attacks, due diligence and employee fraud on October 24, 2016 at Atlantis, The Palms, Dubai, UAE.

Mr. Aldrin Sequeira, UAE-IAA Hospitality Subgroup Chairman, pointed out that it is essential to discuss cybercrime attacks because of their increasing prevalence in the UAE and the MENA region. The guest speakers for the event were:

• Mr. Omar Soufanate, Manager of Forensic Technology & eDiscovery Services at Ernst & Young
• Ms. Jennifer Christianson, Assurance Senior Manager at Ernst & Young
• Mr. David Hall, Director at Ernst & Young
• Ms. Olivia von dem Bussche-Ippenburg, Manager at Ernst & Young

UAE IAA collaborates with Deloitte to spread awareness about forensic investigation

UAE IAA and Deloitte Corporate Finance Limited joined forces for a seminar about forensic investigation with the theme “Internal Auditors and Forensic Investigators – Same Commitment, Different Skills” on October 17, 2016 at the Four Seasons Hotel, Jumeirah, Dubai, UAE. Mr. David Clements, Principal Director of Forensics at Deloitte, was the keynote speaker and shared his expertise on the topic. He explained that the primary goal of the event was to exchange information and education about forensic investigation. Ms. Ayesha Bin Lootah, Board member of IAA BOGs, expressed her support for the event.

The event was a grand success and IAA thanked Mr. David Clements with a token of appreciation after his informative talk about forensic investigation.

Fraud Risk

Does conducting Fraud Scenario Assessments mean management distrusts their employees?

By Ghassan El Shair

In today’s environment, there is an increasing demand from both private and public sectors in the Middle East to conduct Fraud Scenario Assessments (“FSA”) as part of their anti-fraud framework, as more organizations start to realize that they have to take fraud risk more seriously.

FSAs are about identifying potential fraudulent events that could negatively impact the organization if they occur. Nevertheless, in almost every FSA that I have conducted, I was asked by at least one of the Process Owners: “Why are we conducting these Fraud Scenario Assessments? Does Management not trust us?” This repeated question about correlating FSAs with distrust is what motivated me to write this article.

“Trust, but verify”. This famous quote by Ronald Reagan, the former US President, indicates that there is no contradiction between trusting and verifying. Similarly, conducting FSAs doesn’t mean that Management distrusts their employees, simply because FSAs focus on assessing the processes, not the employees. This is evident in the steps and activities carried out when conducting FSAs as highlighted below:

Understanding the fraud risk environment and establishing content
Activity:
• Conduct meetings with key employees to understand the business and its processes.

Identifying and prioritising fraud risks and scenarios
Activity:
• Identify loopholes in the processes that fraudsters can take advantage of and list them in the Fraud Risk Register.

Identifying and rating fraud controls
Activity:
• Identify controls associated with each fraud scenario.

Assessing residual fraud risks
Activity:
• Calculate residual risk based on Inherent Risk Rating and Control Risk Rating using the Risk Appetite Matrix of the organization.

Recommending Controls
Activity:
• Suggest new controls to mitigate the fraud scenarios more effectively.

Finalising fraud risk and scenario assessment
Activity:
• Conduct final review to the Fraud Risk Register and update it as appropriate.
• Create the Fraud Scenarios Assessment Report.

Clearly, none of the steps or activities above point towards mistrusting employees.

Moreover, the Fraud Triangle theory, which is an underpinning concept of FSAs, suggests that no one is born a fraudster; employees may commit fraud because of external factors that provoke such behavior. For example, a Finance Manager may commit fraud if:

• He / She is under financial pressure to pay for his / her son’s expensive operation that the health insurance does not cover,

• He / She rationalizes the fraud if, for example, he / she was overlooked for promotion this year, and

• He / She has the opportunity to misuse his / her power over cash, as an example.

[Figure: Fraud Triangle. Labels: Pressure, Rationalize, Opportunity, Fraud]

Clearly, the Fraud Triangle theory, which again underpins the concept of FSAs, is also not pointing towards distrusting the employees; rather, it is suggesting that fraud could occur when all of the three elements above take place, regardless of whether the employee is trustworthy or not.

Indeed, employees should gain a great deal from being involved in FSAs because:

• Getting employees involved in the FSA process demonstrates that Management trusts their employees and wants them to take ownership of their involvement and improvement. It is an educational process to do better and become more effective.

• Prevention is better than cure. FSAs are an eye opener about fraud scenarios that your organization may be vulnerable to. FSAs allow Process Owners to look at their own work from a different perspective. In almost every FSA I conducted, the Process Owners tell me “We never thought of such a smart fraud scenario. We need to have more effective controls”.

• The 2016 Report to the Nations on Occupational Fraud and Abuse estimated that a typical company loses 5% of its revenues to fraud each year. Moreover, the 2016 Global Economic Crime Survey estimated that 36% of organizations experienced economic crime in the past 24 months. FSAs create the ethical tone from top Management to establish a zero tolerance culture to fraud. Hence, FSAs make the employees think about the internal controls that directly protect their organization by preventing fraud, and indirectly secure their job, as usually the ones who bear these losses at the end of the day are the employees!

In conclusion, conducting FSAs is not about distrusting employees. Rather, it is about protecting the organization and its employees. Managers should not be hesitant to conduct FSAs and employees should not be alarmed about FSAs or abstain from engaging in them. Indeed, the result of conducting FSAs is a win-win situation for all stakeholders including employees, shareholders, management, customers, and regulators.

GHASSAN EL SHAIR CFE, CRMA.

TO COMMENT: [email protected]

Fraud Risk Assessment Statistics

49% of companies with more than 100 employees conduct fraud risk assessments.

Where present, Fraud Risk Assessments reduced:

o Median losses from fraud schemes by 46.5%

o The median duration of fraud schemes by 12 months

Source: ACFE’s 2016 Report to the Nations on Occupational Fraud and Abuse

http://www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf


Conversations with Colleagues

By Farah Araj

Karem Toufic Obeid

The Middle East’s first Vice-Chairman (Global Services) for the Institute of Internal Auditors (IIA) Global, explains his role and the importance of serving our profession.

In an exclusive interview, Internal Auditor - Middle East spoke to Mr. Karem Toufic Obeid, CIA, CPA, CISA, CCSA, CRMA, and MBA, who is the Vice Chairman of Global Services for the Institute of Internal Auditors’ Global Executive Committee. He is the first internal auditor from the Middle East to assume this leadership role. Mr. Obeid has more than 22 years of experience and is currently the Chief Audit Executive of Tawazun in the UAE. He has also served in Internal Audit leadership roles in several leading organizations in the UAE. Mr. Obeid is an active supporter of the UAE Internal Auditors Association (UAE-IAA) and a member of its Executive Committee. He has also served as a member on several audit committees/boards and is frequently invited to speak at local and international conferences and training events.

Internal Auditor - Middle East conducted a telephone interview with Mr. Karem Toufic Obeid.


How did you start your journey with the Institute of Internal Auditors (IIA)?

I joined the Institute in 2005 and dedicated time and effort along with a group of professional peers to promote the UAE counterpart of the IIA Global. This paved the way to advocate the Internal Audit profession and raise its profile in the UAE and the region. I then moved on to be a member of one of the IIA Global committees and that led to my election as a member of the board and then the Executive Committee of the IIA Global. Furthermore, I was privileged to always get the support of the companies I worked with, especially my current employer, which made it easier for me to achieve this.

What does it mean to be Vice Chairman of Global Services?

Being a member of the IIA Global Executive Board has two aspects, one being part of the board that drives the strategic goals and plans of the IIA and determines the future direction for our members. The other as the Vice-Chairman of Global Services, I am currently overseeing two (2) committees namely the Institute Relations Committee (IRC) and Global Professional Development Committee (GPDC). IRC oversees the formation, development and expansion of IIA institutes around the world, while the GPDC promotes and enhances the global development of internal audit professionals.

Are there other IIA members from the Middle East on these global committees?

Currently, we have seven (7) internal audit leaders from the UAE IAA who are active volunteers in IIA Global committees. The global committee members are selected by the committee’s chairman and the nominating committee in IIA Global. I always encourage the members of UAE-IAA to be involved and be active in the IIA.

How has the work of the IIA benefited the internal audit profession in the Middle East?

I have witnessed the development in the UAE’s internal audit landscape over the past decade and would say that the UAE-IAA has been instrumental in advocating the internal audit profession in the region. The UAE-IAA opened the door for professional development of the internal auditors in the region by promoting the profession, standards and best practices. This increased the number of its members significantly over the past years especially Emiratis who have joined the profession. Additionally, we work together closely with other internal audit institutes in the region.

“For me, internal audit is not just a career or a profession, it is a passion”

How does volunteering with the IIA help you with your work as a Chief Audit Executive?

Volunteering provides opportunities to enhance one’s knowledge and experience and be abreast of all contemporary matters. When I reflect on how volunteering with the IIA at the local and then at Global Committees and Board level influenced me, I instantly realize the positive impact on my professional career and personal level. Additionally, it also provides a great venue for networking opportunities with enthusiastic self-motivated auditors from all over the world who team up to enhance and add value to our profession.

Given your global role with the IIA, what do you think the future holds for our profession?

The profession is very promising; it facilitates effective governance and achievement of the organization’s business objectives. Internal auditors have always worked hard to demonstrate the value they bring to the business, however, this is changing as organizations now appreciate the value addition of the internal auditors. I believe that internal auditors nowadays have bigger responsibilities and they should aim to be the trusted advisors for management in the areas of Governance, Risk, and Controls.

Any advice to internal auditors and Chief Audit Executives on how they can support the IIA?

Internal auditors should always take the opportunity to elevate and advocate our profession. In addition, they should pursue professional growth by participating in events, conferences and training initiatives that will connect them to a network of peers who are also committed to enhancing the practice of internal auditing.


Internal Audit Management

A Successful Take Off

By Torben Hilbertz

Should an Internal Audit report cost more than a brand-new Porsche 911? This is the story of how Abu Dhabi Airports Company (ADAC) transformed its internal audit department through innovative management and measurement of performance.

Would you be ready to pay a higher price for an ordinary Internal Audit report than you would be willing to pay for a brand-new Porsche 911? Do you think that your Audit Committee would be ready to pay that price? Ask yourself what the average cost of an Internal Audit report in your department is (as a rule of thumb, just divide the annual Internal Audit budget by the number of Internal Audit reports issued during a year). Once you have determined the average cost of an Internal Audit report, ask yourself whether you are in a good position to compete with possible outsourcing alternatives. Then assess whether your departmental strategy and business model sufficiently considers competitiveness and performance.

For most organisations it is mandatory to satisfy the need of having an Internal Audit department. However, this requirement might also be satisfied by outsourcing that responsibility to a professional audit firm (e.g. to a Big-4 company). A successful Chief Audit Executive who wants to keep most Internal Audit activities in-house and who wants to be competitive (compared to possible outsourcing solutions) should therefore think of an efficient Internal Audit strategy and business model in order to stay in business (and safeguard the jobs of his team members).

What do the Institute of Internal Auditors (IIA) Standards tell us?

The IIA Standard 1300 “Quality Assurance and Improvement Program” states that “The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity”. In its interpretation, the IIA adds “…The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement”.

An approach to manage and measure Internal Audit performance should therefore (amongst others) contain the following:

• A small number of defined key targets focused on Internal Audit adding value and improving its operations;

• These targets should follow the SMART (Specific, Measurable, Attainable, Realistic and Timely) rule;

• Targets should be made simple so that all can understand them;

• Targets should include stakeholder feedback; and

• Targets and achievement should be communicated inside and outside the team.

Internal Audit Strategy & Business Model

ADAC Internal Audit has opted for being highly competitive and to reflect that choice in the Internal Audit strategy & business model. This competitiveness is considerably linked to the ability to manage an Internal Audit department in the same way a Big-4 Partner manages his team, hence focusing on effectiveness, efficiency and cost. Unlike in the case of outsourcing, no additional profit margin is added to the actual cost of Internal Audit resources. Both, the Internal Audit Strategy & Business Model are clearly guided by the main principle which is adding value to ADAC.

The main focus of the Internal Audit Business Model, which supports the organisation’s overall strategy, is on the following main areas:

• Add value to ADAC;

• Be cost efficient (costs per IA Report need to be competitive);

• Focus on topics / processes of most interest for ADAC;

• Increase audit days / year by reducing admin time;

• Shorten audit cycle times (IA Report to be issued shortly after the audit closing);

• Include more top management tailored information in IA Reports; and

• Become a valued business partner over time.

It goes without saying that performance targets and key performance indicators (KPIs) are linked to the business model:

• Management Satisfaction (satisfaction survey results to be monitored);

• Time between the end of fieldwork and IA Report distribution (target: < 5 days);

• Direct audit time / available time (increase direct audit time to > 75%);

• Percentage of closed audit recommendations;

• Completion of the Annual Audit Plan (> 75%); and

• Number of audits per auditor per year (to be increased over time).

One crucial element of the Internal Audit Business Model consists in making more time available for value adding activities (real internal audit work). This increase of the time spent by individuals on audit projects can be reached via reduction of administrative time as well as by an improved Internal Audit planning process that allocates time budgets as well as start and end days for each audit. Additionally, short Internal Audit report cycle times help individuals to better focus on single projects instead of keeping multiple balls in the air, simultaneously.

Management & Measurement of Internal Audit Performance

The author is convinced of the old management adage “You Can’t Manage What You Don’t Measure”. Following that adage in combination with the Balanced Scorecard approach (translated and tailored to the Internal Audit needs), a set of KPIs that contributes to the achievement of strategic goals was defined for ADAC’s Internal Audit department, as shown below:

Individual goals and objectives for all Internal Audit team members were logically derived from the departmental goals and objectives. The regular tracking of KPIs was started immediately as follows.

• KPIs shared on a monthly basis

o Audit plan completion as a percentage;

o Number of audit reports issued; and

o Communication of KPIs to Audit Committee & C-level management.

• KPIs tracked on a monthly basis

o Auditee satisfaction;

o Time budgets (actual vs. plan) per audit;

o Time between closing meeting and report distribution;

o Training days; and

o Sharing of KPIs within Internal Audit Team.

• KPIs tracked bi-annually or annually

o Implementation rate of audit issues;

o Management satisfaction;

o Audit Committee satisfaction; and

o Further KPIs.

Current KPI results were shared within the Internal Audit team on a monthly basis as well as disclosed to the Audit Committee during regular meetings.

Although the defined goals and objectives for 2014 (the year the new approach was adopted) appeared challenging, no single objective was missed thanks to the work of a great team. The achievement of the 2014 goals and objectives is shown in the table below. In subsequent years, the departmental performance could be increased, again.

Professional Communication and Marketing of Internal Audit Activities

How big would the benefit of a high performing Internal Audit department be if that performance would not be visible within the organisation? Especially when a wish to further improve the reputation of Internal Audit exists, professional communication and marketing of Internal Audit activities and achievements is an important element for the recognition of Internal Audit as value adding partner throughout the organisation.

[Figure: Internal Audit Strategy Map]

Perspectives: Audit Committee; Management; IA Processes; Innovation.

Goals: Add value to ADAC; Support achievement of ADAC strategy; Improve governance, risk management & controls; Identify key risks & opportunities; Increase productivity; Steadily improve tools & processes; Attract & retain high-skilled Emiratis; Expand auditor’s capabilities; Increase effectiveness; Manage audit cycle times; Foster implementation rate of actions; Address business concerns & risks.

Measures:

• Audit Committee satisfaction in %; Implementation of IA plan in %

• Management satisfaction in %; Auditee satisfaction in %; Implementation rate of audit actions

• Days to issue IA report; # IA reports per auditor / year; Direct time in % of available time

• Training days / auditor p.a.; Improvements of tools & processes; % of CIA in team; % of Emiratis in team

Goals | Measures | Unit | Actual | Target
Stay within the budget for consultancy services | Budget utilisation | % | 33 | < 100
Implementation of Audit Plan | Audit Plan Completion | % | 100 | > 70
Good feedback from management | C-level management satisfaction | % | 86 | 75
Improve feedback from auditees | Auditee satisfaction | % | 85 | 75
Release IA reports on time | Av. Days after closing meeting | Days | 3 | 14
Complete audits within the given time budget (person days) | Audits finalised within given time budget | % | 97 | 80
Sufficient training to develop skills and to maintain qualifications (CIA, CFE, etc.) | Training days per person per year | Days | 5.9 | 5
Increase Internal Audit Productivity (overall & Emirati) | Audits p.p.p.a. | Audits p.p.p.a. | 5.6 | 3.5
Emiratization percentage | Emiratization percentage | % | 33 | 33

The right Internal Audit report template can play a considerable role in an effective reporting of Internal Audit observations to the Audit Committee and management. Reporting to top management in a “top management language” rather than in an “auditor’s language” might be another benefit. As the real identification of adding value happens during the pure Internal Audit fieldwork, the right template can free time for the real audit work (e.g. by reducing the necessary time for report writing).

For that reason, the SVP Internal Audit started an active communication with Internal Audit stakeholders upon his arrival. The first meetings were used to market the Internal Audit approach (via a professional presentation), to ensure an alignment of expectations as well as to create a common understanding of roles and responsibilities. At the same time, an audit risk heat map was presented and introduced that aims to be an objective rating criterion for Internal Audit Observations, which formed an integral part of the revised Internal Audit report format.

The Senior Vice President Internal Audit started sharing one-page monthly Internal Audit activity reports with the Audit Committee and top management. These monthly activity reports:

• Summarise key Internal Audit activities of the completed month;

• Indicate key Internal Audit activities planned for the coming month;

• Show progress in terms of Audit Plan completion and number of IA Reports issued; and

• Share Executive Summaries of IA reports during the month.

In addition to this, Internal Audit performance was also made visible by sharing the Internal Audit KPIs with the Audit Committee and top management.

Moreover, the 2014 (and subsequent years) Internal Audit contribution was - upon the successful achievement of all departmental goals and objectives - summarised on a single page and presented to the Audit Committee and top management.

As management and measurement of Internal Audit performance is an on-going process, the successful achievement of defined goals and objectives should motivate for reaching the next level via continuously aiming for improvement.

Conclusion

The ADAC Internal Audit performance management approach and characteristics can be described as follows:

• Active Internal Audit performance management;

• Transparency of Internal Audit KPIs within and outside the department;

• Management tailored audit reports, easy to read - highly appreciated by top management;

• Distribution of audit report: on average 3 days or less after the closing meeting; and

• Strong focus on main business processes.

Within less than one year after the start of the current SVP Internal Audit, ADAC Internal Audit was able to increase its productivity by focusing on both quality and quantity. Simultaneously, cycle times for the final report issuance could be significantly reduced. With such an approach, ADAC Internal Audit had a successful take off and elevated its perception with all key stakeholders. So is ADAC internal audit paying more for an internal audit report than a brand-new Porsche 911? Definitely not!

TORBEN HILBERTZ, CIA, is Senior Vice President Internal Audit at Abu Dhabi Airports Company.

Issue Category | Risk Rating: Low | Risk Rating: Medium | Risk Rating: High | # of Issues | Benefits / Savings if measurable
Accounting Issue - Accounting issues | 4 | 4 | 1 | 9 | Impact on profit close to AED -XXm
Compliance - Improvement of compliance | 14 | 21 | 2 | 37 | DoA issues, fulfilment of requirements or contracts
IT Security - Improvement of IT data security | 6 | 3 | | 9 | Especially monitoring over critical applications & user access rights
Key Controls - Implementation of key controls | 25 | 18 | 1 | 88 | Clear improvement of the safeguarding of assets
Processes - Operational improvements | 47 | 24 | 7 | 78 | Increase process efficiency & monitoring
Savings - Savings resulting out of audit issues | 3 | 2 | 1 | 6 | Proposed saving potentials totalling to almost XXAED
Strategy - Support of strategy | 6 | 2 | 3 | 11 | Mainly project management approach and structures
Total | 105 | 74 | 15 | 194 |


Risk Management

Control Self-Assessment, Techniques and Strategies

By Zahia Touam, Edited By Hossam Sami

“Control Self-Assessment is an important component of risk assessment and is based on engaging all different levels of an organization’s staff to help achieve the desired objectives.”

Control Self-Assessment is a modern concept in the field of control and risks. It is a system that helps an organization to improve its ability to achieve its objectives, where all different levels of employees take part in risk identification and control procedures assessment.¹ This is achieved through many workshops, for which the Internal Audit Department works as a coordinator, and it is carried out as follows:

- These workshops are applied to the projects, operations and units that can precisely define their objectives;

- These workshops include the persons directly responsible for achieving the organization’s objectives; and

- Through these workshops, the extent to which the objectives are achieved is tested and evaluated; and necessary reports are filed.

First: What is Control Self-Assessment?

There are many definitions. Yet, there are two that have been accredited by the Institute of Internal Auditors (IIA):

The first definition was developed in 1995 by Glenda Jordan² who defined Control Self-Assessment as: “The organizations that perform self-assessment through the use of certified assessment forms, so the management and/or teams can directly enter into operational operations with the aim of:

- Judging the effectiveness of operations;

- Provide reasonable assurance that the operational objectives have been wholly or partly achieved.”

The second concept was accredited and published by the American Institute of Internal Auditors in 1998,³ and it defines Control Self-Assessment as: “A process through which internal control is tested and evaluated with the aim of providing reasonable assurance that all the operational objectives will be achieved.”

Furthermore, Paul Makosz has outlined⁴ a concept for Control Self-Assessment through two levels:

First Level (Team Level): through this level, teams work together in addition to the team leaders and the specialized coordinators, and carry out an analysis for the strengths, challenges and risks that may affect the organization’s ability to achieve its objectives within the control framework and to take the appropriate procedures in this regard.

Second Level (Organization Level): through this level, the results reached by the team in the first level are analyzed to identify the strengths, weaknesses and risks and to link them in order to identify the main reasons for each one of them in the existing control system.

In the light of these definitions, it is shown that Control Self-Assessment relies on internal control assessment through the use of specific assessment techniques, in which the major role is carried out by the operational management rather than internal audit. In addition, this technique depends on team work rather than individual work, and it provides a reasonable rather than absolute assurance that the objectives will be achieved.

“Control Self-Assessment results are dependable on the team level in the process of Control Self-Assessment on the organization level”.

Second, Control Self-Assessment Techniques

There are three techniques used in Control Self-Assessment, and these are:⁵

1- Workshops technique;

2- Questionnaire technique; and

3- Management tailored analysis technique.

1. Workshops Technique

“Workshops technique is a simplified technique that can depend on five different foundations.”

It is a simplified technique whereby teams are formed to carry out Control Self-Assessment procedures. The coordination of this team is carried out by the internal audit. The team consists of 6-15 members in addition to two members from Internal Audit Department, one is a coordinator and the other is a writer of what the team agrees on. There are five foundations on which Control Self-Assessment procedures can be built: objectives, risks, control, operations and location.

1.1 Workshops based on objectives: this technique focuses on the extent to which the objectives are achieved. According to this technique, workshops identify objectives, and define the existing controls to achieve these objectives. After that, the residual risks (risks remaining after assuming the application of controls) are identified. Thus, this technique is based on the assumption that controls and risks are already present in the system. The team’s task is identifying and assessing these controls.

1.2 Workshops based on risks: this workshop technique relies on objectives identification, and then definition of risks that face the achievement of such objectives. Controls that ensure enough management of risks are then determined. This is the most used technique internationally in comparison with the other techniques.

1.3 Workshops based on control: this technique depends on evaluating how much the controls cover risks in order for the objectives to be achieved. The auditors or coordinators determine the risks and controls beforehand and prior to the workshops. During the preparations of Control Self-Assessment, the task of workshops is evaluating how these controls work to reduce risks.

The difference between the first technique, which is based on objectives, and this technique is that in the first, the controls are already present in the system and built into it when it was designed. In the third technique, which is based on control, the controls are identified during the preparatory phase before the start of the work of workshops.

1.4 Workshops based on operations: this technique depends on the evaluation of the operations through which the activities are carried out, such as procurement, production, lending, issuing bank transfers, etc. Teams define all the operations’ objectives at the activity level, and then the risks and controls that contribute to the achievement of objectives are determined.

1.5 Workshops based on location: this is a simplified technique, whereby each work center is dealt with separately. Through the workshop, two questions are asked to each work center and they must be answered:

Question 1: What are the factors that contribute to the achievement of objectives?

Question 2: What are the obstacles standing in the way of the achievement of objectives?

The coordinator then collects and summarizes the answers and they are discussed during the workshops to reach possible solutions to address significant obstacles.

Zahia Touam, Assistant Professor in University of Algeria

2. Questionnaire technique

“One of the most important advantages of the questionnaire technique is its wide scope and the limitedness of effort and cost in comparison with other techniques. One of the drawbacks of this technique is the possibility of lack of seriousness by respondents, especially in the case of no follow-up, and the low response rate.”

This technique is based on performing Control Self-Assessment through designing a questionnaire including a number of yes-no questions. The results of the questionnaire are then analyzed to reach the required evaluation of internal control. This technique is preferably used in the following cases:

1. When the culture of the organization is not based on explicit dialogue; therefore, discussions in the workshops between the members of teams lack credibility. Due to the members’ fear of any administrative procedures that may be taken against them, this technique is preferable.

2. When the scope of Control Self-Assessment is wide and quick information is needed. In this case, holding workshops is difficult.

3. When the auditors lack the expertise and skills necessary to work as coordinators for the workshops.

4. When the organization is so time-sensitive that devoting a lot of time for the workshops is not allowed.

It should be mentioned that disclosing the names of the respondents to these questionnaires is not preferable in order to obtain more credible results. One of the most important advantages of this technique is its wide scope. It also requires a small amount of time from the concerned people. It does not require much effort or meetings coordination skills. The shortcomings of this technique include the lack of seriousness by respondents, especially when there is no follow-up. The response rate may be low, with no chances to clarify the questions of the questionnaire.

3. Management tailored analysis technique

“Management tailored analysis technique is the least common of all the techniques. It is usually used in certain cases.”

This technique includes the analyses through which the management is provided with information on the control situation. This technique is the least common of the three and is used in certain cases including:

1- Questionnaires developed by the management to provide an opinion on internal control procedures.

2- Discussions between the financial administration officials to submit the annual representation letter required by external auditors.

3- The investigations carried out to discover the reason for a fraud or the failure of a certain control.

4- The evaluation of internal control applications within the newly developed systems.

Third, Control Self-Assessment Building Strategies

Below are the most important strategies for building Control Self-Assessment, which are selected through expertise and experience.⁶

First Strategy: Training all the auditors, then training a group of them on workshops coordination methods, and hiring external consultants to manage the first two workshops.

Second Strategy: Hiring external consultants to plan and manage a pilot workshop, and then training a secondary group of auditors on the key concepts of control and workshops coordination methods.

Third Strategy: Purchase of computers and software, and holding a pilot workshop to use these technologies.

Fourth Strategy: Training all auditors, then training a group of them on workshops coordination methods, then assigning those auditors to administer the workshops through the Internal Audit Department.

Fifth Strategy: Sending a specific person from the organization to a training course on the key concepts of Control Self-Assessment and coordination skills, and then assigning that person to administer the pilot workshops of self-assessment.

Sixth Strategy: Training all auditors, then training a group of them on workshops coordination methods, and hiring consultants to train these auditors so that they can administer workshops for Control Self-Assessment.

Seventh Strategy: Sending a specific person from the organization to a training course on key concepts of Control Self-Assessment and coordination skills, then this person, through a workshop, collects the data of the last two actually performed audits, then administers a pilot workshop for Control Self-Assessment.

References

1- Al-Yacoub, Faihaa Abdullah, Internal Auditing: Its Role in Institutional Control, Empirical Study on Businesses in Iraq, Ph.D. Thesis on Accounting, Faculty of Management and Economics, University of Mustansiriya, Iraq, 2006, P. 125.

2- Glenda Jordan, Control Self-Assessment, Making the Choice, Altamonte Springs, Florida, the IIA, 1995, P. 1.

3- Larry Hubbard, Control Self-Assessment, A Practical Guide, the IIA, 2000, P. 2.

4- Keith Wade, Andy Wynne, Control Self-Assessment For Risk Management And Other Practical Applications, 1999, P. 30.

5- ibid, PP. 12-21.

6- Larry Hubbard, op. cit., P. 83.


Public Sector Auditing in the Era of Mobile Social Media

By Karim Sliti. Edited by Andrew Cox

The world is witnessing significant change as a result of technology affecting our lives. This includes mobile social media (MSM).

MSM refers to the use of social media on mobile devices such as smartphones and tablet computers. This allows creation, exchange and circulation of user-generated content.

People today are speaking a new technology language, with our speech punctuated by new terms driven by social media, leading to change in our priorities, schedules, and our lives.

Public sector entities are facing new challenges, but also new opportunities (Juergens, et al., 2013). MSM is becoming an integral part of public sector service delivery.

In turn, this means public sector audit has new challenges driven by the rise of MSM. Questions to be considered are:

• What are the MSM opportunities for public sector entities?

• Is management sufficiently aware of changes brought about by MSM and potential impact on service delivery?

• Is public sector audit ready to cope with MSM and the risks?

• Does public sector audit have the ability to effectively review risks and controls around MSM?


MSM opportunities for public sector entities

Nowadays most public sector entities have a presence on social media such as Facebook, Twitter, Instagram, Pinterest and LinkedIn, with regular comment received on the quality of their services and how they are delivered. Communication has never been so easy and interactive.

For public sector entities, it can be an effective method to communicate in real-time with their customers, stakeholders and the wider public. This includes collection of feedback relating to the quality of services.

Public sector entities were initially slow adopters of social media and moving towards innovation. They generally lacked creativity and adopted a risk-averse position (Bourn, 2007). This has now changed.

MSM, if well managed and exploited, has potential to improve design of strategies and programs, and assist with more informed and timely decision-making, leading to better outcomes.

MSM adoption has potential to increase organizational transparency, openness, and accountability.

MSM also has potential to improve quality of service delivery and responsiveness.


Public sector awareness of technology innovation

People generally believe the public sector is not dynamic in terms of adoption of new technology and new media. In the past, this was generally acknowledged to be due to a combination of low awareness and risk-averse thinking.

In the USA, the Government Accountability Office (GAO) reported “Establishing a communications strategy to foster transformation, create shared expectations, and build involvement” is one of six priority tasks for a government agency to strengthen its capacity to perform its mission (McNabb, 2007). This means public sector management should be aware and proactive in adopting a MSM strategy.

No one denies the risks related to MSM. There are many potential risks that could impact a public sector entity.

Risks may be data spill of sensitive information, hacking of customer information, publication of misleading or malicious information, non-reaction to an important event, or delay in publishing important information or breaking news (Juergens, et al., 2013). As a result, reputation risk is a significant factor.

Social media websites may be used by a variety of people to disseminate misinformation or negative information. This may be initiated by dissatisfied customers, disgruntled public sector employees, or individuals with resentment against a public sector entity.

Citizens expect integrity from governments and their employees (Office of the Auditor General of Canada, 1997). However, public sector employees may share information via social media and intentionally or unintentionally disclose confidential information with potential to cause damage to public sector entity reputation.

Some public sector entities may choose to avoid the risk altogether by not opening social media accounts, but would be in the minority these days.


Public sector entity preparedness for MSM

Expansion in the scope of government auditing has taken place in a short span of time (Khan, 1997), with auditing MSM one of the newest audit engagements.

There are questions to be asked pertaining to the role of public sector audit in the era of MSM, for example:

• What are the MSM opportunities and challenges for public sector auditing?

• How should public sector audit handle MSM engagements?

• Does public sector audit have sufficient technical knowledge and experience to complete a MSM engagement professionally and effectively?

• Are public sector entities ready for a MSM audit?

The primary role of public sector audit is to assure that public funds are spent properly, meaning service delivery should be managed effectively and efficiently (Bourn, 2007). The biggest issue has generally been how to measure customer satisfaction. In the past, this has necessitated special studies, which could be time-consuming and expensive. Today, with the necessary software tools, feedback data via social media can be more easily collected and analysed.

When it comes to MSM, public sector audit has responsibilities. Disconnecting from the digital age is not an option (Juergens, et al., 2013). Therefore, it is up to public sector audit to be at the forefront of assuring controls over social media, helping to monitor guidelines, and providing advice on how to deal with threats, risks and opportunities.

MSM is a new battlefield for public sector audit, requiring special capabilities. Public sector audit needs to have the technical knowledge and expertise to effectively perform MSM engagements. Continuous auditing is a valid tool to monitor MSM activities.

The audit team should have a clear methodology, objectives, and an audit program detailing the audit steps to be performed. The following questions should be answered by the audit:

1. Is responsibility for MSM allocated to a senior executive?

2. Has a MSM risk assessment been performed?

3. Is there an effective MSM strategy?

4. Are there MSM policy and procedures, and are these disseminated throughout the organization?

5. Are there adequate MSM assurance activities built upon the ‘3 Lines of Defence’?

6. Does management have adequate awareness of MSM risks and opportunities?

7. Is there a code of conduct specifying MSM activities permitted, both professionally and personally?

8. Is there capability to monitor and manage MSM activities?

9. Does the organization exploit MSM feedback as an input to strategy improvement?

10. Is there a periodic SWOT (strengths, weaknesses, opportunities, threats) assessment of MSM activities?


Conclusion

MSM is a relatively new challenge for public sector audit, with very real risks and challenges.

Public sector audit has a responsibility to provide assurance to their management that MSM is effectively controlled and risks are being mitigated.


Karim Sliti, CIA, CRMA, MPA, CGAP, CCSA, Audit Controller, State Audit Bureau of Qatar


Tips on writing Internal Audit Reports

By Rajiv Thakur. Edited by Gautam Gandhi

Internal Audit Report writing constitutes the most critical and significant component of any internal audit assignment regardless of the size, location and complexity of business, process or department audited.

The end result of an internal auditor’s work is the Internal Audit Report. The internal audit team may have worked for days and months together on completing an audit assignment and may have identified critical control lapses, processes not followed correctly or other issues which could lead to loss of time, money, manpower, etc. These now need to be presented to key stakeholders, and the Internal Audit Report is the only way to highlight the work done and the value the audit will bring to the organization.


What is an Internal Audit Report?

Standard 2400 of the International Professional Practices Framework (IPPF) 2013 states that internal auditors must communicate the results of the engagements.

Thus, going by the above standard, an Internal Audit Report is a document provided by the internal audit department communicating the results / outcome of the engagement to key stakeholders. It is also an important document to agree action plans and timelines with the auditee in order to remediate the finding or potential improvement area.

Components of an Internal Audit Report:

Before delivering an effective audit report, it is of utmost importance to have a broad view of the major objectives and recipients of the relevant assignment.

Once the objectives, scope and recipients of the internal audit report are known, drafting an audit report will be simpler and will ensure that relevant outcome is gained.

Standard 2410 of the IPPF 2013 states the criteria for communication. Communication must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

Thus, going with the above standard, it is mandatory that the following sections are part of the internal audit report:

• Objectives: Any audit engagement is done keeping in mind the major objective(s). Objectives define the intended outcome to be achieved as a result of the audit. These objective(s) are either a result of a risk-based assessment or of instructions received from the Audit Committee or Senior Management. The objective(s) should be clearly stated in the internal audit report.

• Scope of Audit: Every audit engagement has certain set parameters, i.e. the scope of the audit, which should be clearly highlighted in the report. Any limitation to scope should also be clearly highlighted. The scope should also include the period covered, documents verified, etc. during the audit. Thus, the scope of an audit basically defines the depth of an audit engagement.

• Detailed Observations / Findings: This section should cover the detailed findings revealed during the course of the audit. It should commence with a brief title of the observation, followed by the detailed narration. Factual information in figures, amounts, quantity, etc. should be reported here or as part of an Annexure to validate the observation, thereby emphasizing the impact of the observation / finding. It is also beneficial to add the sample verified out of the total population so that a relative analysis is known, thereby enhancing the flavor of the observation. E.g. we verified a total of 100 vouchers out of 1000 and observed that for 50 vouchers the supporting documents were improper. Thus, there existed an error rate of 50%. The risk involved should also be clearly stated so that the reader can associate with things that may go wrong if observations / findings are not rectified.

• Recommendations: These are suggested corrective action plans that the internal audit department recommends the audit management team to execute so that the impact of the observations highlighted is reduced / mitigated. They call for action on existing conditions or to improve operations. These recommendations may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. The recommendations should generally be specific, identify the person who should take action, and be very brief and precise.

• Action Plans / Auditee’s Comments: These are the corrective actions that the auditee agrees and plans to execute to mitigate or control the finding identified. If the auditee agrees to accept the risk and decides not to take any action, then such comments should be mentioned in this section. These action plans form an input for future follow-up audits, which check whether the agreed action plans were executed. Action plans should also clearly include timelines and action owners.

Apart from the mandatory requirements in the audit report, there are other sections that can be added to the internal audit report for better presentation. These are as follows:

• Header Page: This is the cover page of the internal audit report. It generally should give the Company’s Name, Address, Contact Details, Name of the Assignment, Month in which the audit report is issued, etc.

• Cover Letter: This is the first page of the internal audit report. It should generally include the addressee’s details on the top (left hand side). The Cover Letter should outline the subject of the audit report and the type of audit (Compliance, Financial, Operational, and Investigative). It should also include a briefing about the review conducted, intended recipients, any restrictions on the contents or circulation, the signature of the signing authority from the internal audit department and the date. The cover letter can also include a statement that the engagement was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

• Table of Contents: This is generally the page following the Cover Letter. It contains a brief title of each section and sub-section forming part of the internal audit report along with the relevant page numbers for easy reference.

• Introduction: A brief introduction / background of the assignment conducted, such as department, process information, its linkage to the strategic objectives of the entity, its significance on account of its failure, manpower involved, etc., can be provided in this section. This section can be at the beginning of the report before the start of the scope and objectives.

• Executive Summary: An executive summary is a brief section before the commencement of the detailed audit report. It summarizes the findings, recommendations and action plan in minimal text. The idea of having an executive summary is to briefly summarize all the observations of an assignment and give an overall opinion of its risks to the entity. It is to give a macro view of the assignment and the risk it carries to the Company’s business. This section should not highlight only the non-conformities but should also include the positive points so as to give equal credit to the process audited. Any scope limitations and disagreements with the auditee during the audit should also be clearly highlighted. It can end with an overall conclusion / opinion.

• Degree of Significance of Findings: The observations highlighted should also be supported with the degree of their significance. Generally they are of three types: Major, Moderate and Insignificant. These classifications are generally based on the best judgment of an internal auditor and may vary from person to person. The criteria to rate any observation should generally be based on the impact and criticality of the finding highlighted. The definition for each of these criteria is given below:

o Major: Where a devastating effect can happen to the process based on the finding highlighted, due to which continuity of operations can be disrupted tremendously.

o Moderate: Where a significant effect can happen to the process based on the finding highlighted, due to which short term continuity of operations is possible but long term sustainability of the operation might be difficult if rectification / controls are not tightened.

o Insignificant: Where there would be very minimal effect on the operations under review and no major impact is expected. Nevertheless, rectification of the operations is required so that the impact is not worsened and remains under control.

Essentials of writing an effective Internal Audit Report:

Any internal audit report should contain 5 elements to be effective and deliver the right message to its audience. These 5 elements are also known as 5Cs:

Criteria: These are the standards / benchmarks as defined and used for making an evaluation, testing or verification. It can be in the form of a policy, procedure, guidelines, rule, mandate, circular, etc. A question to ask here is: “What should exist?”

Condition: It is the factual evidence that was observed during the course of audit. A question to ask here is: “What does exist?”

Causes: This defines the reasons for difference between the expected and actual conditions. A question to ask here is: “Why did the problem occur?”

Consequence: It is to state the risk or exposure the entity could face if the condition is not consistent with the criteria. A question to ask here is: “What is the risk / negative outcome because of the finding?”

Corrective Action: It refers to the action recommended to correct conditions to improve operations and may include suggestions for enhancing performance. The question to ask here is: “What should be done to rectify this error?”

Apart from the above essential requirements for internal audit report writing, there are some further guidelines which can be observed when drafting any audit report, adherence to which can bring out a more qualitative and effective audit report. These guidelines are:

Precision: The observations noted should be precise. Redundant phrasing and inexact terminology should be avoided. As a rule of thumb, a sentence in the audit report should not exceed 15 to 18 words. Further, ambiguous words such as reasonable, key, etc. can be avoided.

Consistency: Terminologies used in the audit report should be consistent throughout the report. E.g. if the term “Human Resource Management” appears in the report, it should be used consistently. Thus, substitute terms, e.g. Personnel Management, should be avoided.

Avoid Passive Voice: Passive voice makes any document dull and difficult to read. The audit report should be free from such sentences, which are challenging for the reader to grasp. E.g. instead of reporting “Based on the information available, no irregularity in operation was found”, it can be said “The audit team did not find any evidence of irregularity in the available information”.

Conclusion:

The Internal Audit Report is the end result of an internal auditor’s hard work. It takes a lot of practice to write clear, concise and actionable audit reports. As it is said, “Practice makes a man more perfect”. Thus, taking every opportunity to write audit reports, reading other audit reports, and reading and understanding the relevant Internal Audit Standards and Practice Advisories will help in improving the skills of drafting and producing useful and effective audit reports.

RAJIV THAKUR ACA, CIA, CFE, CGAP, Team Leader – Internal Audit


By Ayoub Al Marzouqi. Edited by Asem Al Naser

Internal audit is one of the most important organizational units in an organization. This follows from its responsibilities toward the organization, the most important of which are its objectivity, its focus on the most important areas that need to be developed, and its duty to identify the expectations of the Internal Audit Department’s stakeholders. It is therefore part of the organization’s strategy and an important factor in achieving the organization’s vision and strategic objectives.

The effectiveness of internal audit is one of the most important factors in achieving the above and in making internal audit add value to the organization.

To ensure the effectiveness of the internal audit activity, you must have indicators to measure it. In practice, however, internal audit recommends development and improvement, and it is the department concerned that takes the appropriate decisions to address gaps and develop procedures and systems. Quantitative indicators such as adherence to the internal audit plan, completion of reports within the targeted number of days, the extent of closure of report observations, and whether recommendations are accepted are therefore important, but are they actually sufficient to measure the effectiveness of the audit activity?

The internal audit team is small compared to the organization, so it may not be able to cover all activities within one or two years. A medium-term audit strategy, mostly covering three years, must therefore be developed. It gives priority to high-risk activities, while low-risk activities can only be audited after a long period of time. However small the impact of each low-risk activity is individually, combined they can have a negative effect on the organization. This is why it is important to increase audit sense among all of the organization’s staff.

Spreading a culture of internal audit sense among staff, so that daily procedures are not carried out without following the adopted systems, procedures and policies, means that decisions are not made haphazardly but through study of their risks, dimensions and surrounding circumstances. Awareness and recognition of the importance of internal audit then increase, not only as an independent department reporting to the board of directors, but as an authentic and important part of employees’ lives. Practical and homogeneous teamwork can thus be established, ensuring that the culture of audit spreads in the organization.

Hence the importance of creating tools to measure and disseminate the culture of audit sense. The Internal Audit Department plays an important role in compiling data that include qualitative indicators, and not just quantitative ones, linked to the culture of internal audit and audit sense among staff, such as management decisions and their compatibility with internal audit thinking, and the volume of remarks discovered. This data can be compiled through a questionnaire adopted by management and distributed on a regular basis, including the following:

1. Measuring the extent to which staff are aware of the importance of internal audit, its scope of work, and its mechanism.

2. Identifying strengths and opportunities to develop staff performance, so that the audit departments can observe them.

3. Measuring the level of staff awareness of internal controls related to their everyday work and their importance. This can be done by stating a number of controls and taking the opinion of the staff.

Themes raised could include some of the following questions:

1. I am aware of the importance of internal audit and its objectives.

2. What are the preventive and corrective measures?

3. Procedures of audit are clear and understandable.

4. Effectiveness and efficiency of internal controls are taken into account in my daily practices.

5. What is the responsibility of management and staff toward audit remarks?

6. Internal audit activity is in line with the strategic objectives of the organization.

7. What are the three lines of defense and their importance?

We have mentioned above a few questions that can be used to measure the culture and sense of audit among staff. Spreading this culture and raising awareness of it is the responsibility of the Internal Audit Department, as communication with the organizational units will be necessary to discuss, clarify, and deliver it in the right way.

Will you measure the culture and sense of internal audit in your organization today?

Culture of Internal Audit

Ayoub Abdullah Al Marzouqi, Director Of Internal Audit Department-Emirates Transport


Emerging Disruptive IT risks: New Challenges for Internal Auditors

By Arif Zaman. Edited by Nagesh Suryanarayana

With constant changes in the corporate environment and the transformation of business processes from traditional to digital and smart applications, it is becoming important that internal auditors stay up-to-date on this subject to provide assurance to their stakeholders.

There is also a greater need for internal auditors to understand how new technological innovations are enhancing and impacting their businesses, and their relevance.

Therefore, the priority for today’s internal auditors is to continuously update their knowledge of current technologies and their risk trends, and to advise their stakeholders on the best possible way to address these current and emerging IT risks. The IPPF lists three implementation standards that mandate the responsibilities of internal auditors pertaining to technology:

• 1210 – Proficiency (1210.A3) – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

• 1220 – Due Professional Care (1220.A2) – In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.

• 2110 – Governance (2110.A2) – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

Now let us look at some of the key risk areas that need to be considered, in terms of emerging technologies that pose greater risk to the organization:

1. Cybersecurity

According to the Protiviti 2015 survey, most Chief Audit Executives view strengthening data security and adhering to standards/frameworks for improving data privacy as among their highest priorities.

The magnitude and frequency of cybersecurity incidents are increasing dramatically; in fact, the attacks that are reported these days are only “the tip of a vast iceberg”.

Organizations have to stay abreast of a wide variety of cyber threats in order to avoid falling prey to cyber-criminal attacks. As cybersecurity threats continue to rise, there is a shortage of security experts / professionals worldwide.

In order to provide assurance on cybersecurity risk, internal auditors can conduct network vulnerability scans and penetration tests, review network architecture, review recent security breach incidents and carry out simulation exercises to ensure the organization’s crisis management plan is resilient and effective.

2. Social Media

These days there is hardly any enterprise that does not have an online presence through social media. Along with its known bright side, social media has a dark side too. Social media sites can be used by dissatisfied customers, employees or individuals with a grudge against an enterprise to disseminate misinformation and negative information.

In addition, employees sharing daily activities with friends may inadvertently and unintentionally disclose information that could be damaging to the enterprise’s reputation or provide information otherwise considered confidential.

In this area of review, internal auditors can provide management with an independent assessment of the effectiveness of controls over the enterprise’s social media. Internal auditors can audit social media policies and procedures, review the adequacy of awareness training on social media usage and content sharing, and scan social media sites to determine what organization content is available.

3. Mobile Computing

In the current environment, mobile devices have become an integral part of the IT infrastructure and mobile computing is taking over from traditional web-based applications. Mobile computing devices include smart phones, laptops, PDAs, USB, digital cameras, RFIDs, IrDA etc.

These devices may contain an enterprise’s confidential information. They may also contain intellectual property, industrial secrets and information under regulatory monitoring.

The internal auditor should consider the risks associated with the use of mobile devices and relate them to the criticality of the information they store and access and the transactions they process, from the business, law and regulatory perspectives.

Internal auditors can audit the mobile devices inventory and review how stolen and lost devices are managed, ensure controls are in place for lost devices, review how the organization categorizes the type of information that can be stored on mobile devices, and ensure sensitive organization information is either not stored on mobile devices or is securely encrypted.

4. Cloud Computing

The world is moving from onsite computing to using shared resources available as a service through the internet from Cloud Service Providers, also broadly known as cloud computing. In the simplest terms, cloud computing means storing and accessing data and programs over the internet instead of your onsite computer’s hard drive.

In a survey conducted by Grant Thornton, 43% of CAEs responded that they haven’t really given thought to the risk and control implications in a cloud environment.

Internal auditors can play an important role in the adoption of cloud computing. In the early stages, internal auditors can become part of a technological task force to determine the risk introduced by such an environment.

The cloud model requires internal auditors to understand the technology and processes underlying cloud computing, as well as the complex processes used to assess provider performance. Internal auditors should also understand their company’s contractual, operational, and regulatory requirements that might be affected.

Internal audit can determine if the service provider is meeting the company’s data security requirements and analyze the security based on standards such as ISO, PCI DSS etc. Internal auditors can review the Service Level Agreement (SLA) to ensure the organization’s rights to audit, gain access to the cloud and perform limited audit procedures.

Other areas of concern are inquiring about the data location and potential risk in a foreign country with regard to privacy and data access issues, and reviewing quality parameters in terms of service outage and timing of upgrades and patches against the SLA.

Lastly, determine if the service provider can meet the organization’s anticipated growth requirements. If it cannot, determine if the organization has a contingency plan in the event the service provider’s systems cannot scale to meet the Company’s needs.

IT Skills Among Internal Auditors

The need for IT skills arises from the convergence of the accounting and technology fields in a computer-driven economy. Next-generation auditors need IT knowledge as well as the traditional competencies in accounting and finance.

According to a recent survey by Deloitte in which more than 1,200 CAEs participated, half of CAEs (57%) are not convinced that their teams have the skills and expertise needed to deliver on stakeholders’ current expectations.

The survey further reveals that the top 2 skill gaps in internal auditor capabilities are specialized IT (42%) and data analytics (41%) skills.

In the specialized IT domain, certifications are generally of two types: one geared toward information systems auditing, such as CISA, QiCA, CRISC etc., and the other concentrating on information security, such as CISM, CISSP, CSP, CISRCP etc.

Another area with significant potential for transforming the audit is data mining and data analytics. The purpose of data mining and data analytics is to search for patterns, plausible interrelationships and anomalies, which will help in improving operational efficiency and effectiveness, detection and prevention of fraud, reliable financial reporting and adequate compliance with laws and regulations.

Experts estimate that there will be 35 trillion gigabytes of stored data in the world by 2020. Considering the vast amount of data at the auditor’s disposal, internal auditors will be required not only to evaluate past trends but also to explore future trends in audit practice.

Software tools such as ACL and IDEA are used to extract data from other systems and run data analysis routines against this information. These types of systems require auditors to gain specialized knowledge through intensive training sessions.

The Institute of Internal Auditors (IIA) recommends use of data analytics across all levels of the audit staff and in all audit

Conclusion

The need and the challenge for internal auditors is to keep pace with these dynamic changes in order to stay relevant.

The success of internal auditors lies in their commitment to ongoing learning and improvement, along with a deep understanding of the emerging trends in the profession and in the business around them.

Arif Zaman ACCA, CIA, CISA, CPA, CFE, CCSA, CRBA, CRMA is a Group Manager Internal Audit at HSA Group based in Dubai, UAE.