
JUNE 2019 WWW.INTERNALAUDITOR.ME

Leaders role to achieve company’s objectives

Understanding the basic concepts of auditing variations to construction contracts

Action Plan to overcome challenges faced IA

Risk-Based Performance Management: A Framework for Integrating Strategy and Risk Management

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL


INTERNAL AUDITOR - MIDDLE EAST, JUNE 2019

From The President

Dear Readers,

Let me take this opportunity to apprise you of a few important events which have taken place at the association. At the recently concluded annual general meeting we had the elections for the association and a new board was elected. We do have some board members who got re-elected and a few new faces. I would like to welcome them on board. Together we aim to take our association to greater heights. At our first meeting, we have broadly discussed the way forward. Our new board members are:

| Name | Position |
|---|---|
| Abdulqader Obaid Ali | President |
| Khalid Al Halyan | Vice President |
| Dana Al Yazeedi | Board Secretary |
| Dr. Hanan Almarzooqi | Treasurer |
| Ali Al Muwaijei | BOG Member |
| Ayesha Bin Lootah | BOG Member |
| Ayyoub Abdulla Al Marzouqi | BOG Member |
| Mohamed Al Harthi | BOG Member |
| Naeima Mohammed Al Menhali | BOG Member |

Our recently concluded 19th Annual Regional Audit Conference was held in April in Abu Dhabi and was well attended by our members and delegates from the Middle-East. We were pleased that the Chairman of the IIA Global Board, Naohiro Mouri, attended our conference and graced the occasion. Moving forward, we are now planning for our 8th Chief Audit Executive Conference which will be held in Dubai from November 20-21. More details will be made available in the near future.

Some of our board members were at the recently concluded IIA’s 2019 International Conference in California and it brings back memories of the 2018 Internal Conference held in Dubai, which was a record-breaking event in so many aspects. I reach out to you to recommend to us the topics which you would like to hear about during our conferences or members’ meetings. If you are aware of good speakers, please forward their details to the association on and we will certainly look into it. Your involvement will make our events that much more successful and engaging.

We are going to re-energize our subgroups and look forward to professionals and volunteers to drive this important initiative for the association. If you are interested in being part of our subgroups, please contact us on [email protected].

Abdulqader Obaid Ali
President


FEATURES

Main Article: Risk-Based Performance Management: A Framework for Integrating Strategy and Risk Management. What are the most important elements of the RBPM approach? By James Creelman

Leadership in Internal Audit: Elements of leadership and relation to internal audit. By Kashif Husein

Auditing Variations: What is auditing variation and what does it include? By Tauseef Ahmed

Practical Experience: Key Challenges Facing Internal Audit. Experience in taking accurate actions to solve the key challenges facing the internal audit function, from scratch to innovation. By Awad Elkarim Mohamed

DEPARTMENTS

Reader Feedback

Knowledge Update: Top 2019 risks for internal audit: Data-related issues looms large; Elevating internal audit’s role: The digitally fit function; Internal audit’s role in Fraud Risk Management; The new role of internal audit: Key enablers in 2019; 2019 Vendor Risk Management Benchmark Study. By Vishal Thakkar

UAE-IAA Events

Fraud Risk: Recent cases of financial fraud through money transfer. By Mohammed Jallad

Conversation with Colleagues: Mazars UAE leaders share their insights on the value that robust internal audit practices can bring to the public sector. By Farah Araj

Corporate Governance: When Trust be an opportunity. A case study. By Majed Al Rasheed

Frosting Fundamentals: How to establish the internal audit department in 8 simple steps. By Arif Zaman


Comment on the article “Working intelligently, not effortlessly, in the Internal Audit profession”:

To comment on the article which addressed recommendations and advice to be implemented to work efficiently, I think there are also some other important points that may contribute to this, which will be presented through this comment.

As a result of the expansion and growth in the activities and day-to-day work done by the institutions, the internal auditor may find a great challenge in balancing the completion of the required work and maintaining an opportunity to invest part of his time in the development of his professional cultures, which enables him to provide more in light of the rapid technological developments at all levels. Recommendations include:

1) Within the Audit Department:

Standardization in the preparation of work tasks to create a common approach and understanding among the members of the audit department, and to take advantage of the previous work and adopt it as one of the foundations on which “start is based on where the others ended”. This helps save time and effort to implement the tasks and take advantage of the learning curve in time management for audit tasks.

2) During planning audit tasks:

Focus on the key objectives of the organization and how to manage the risks that prevent them from being achieved, and maintain a close link between the audit functions, objectives and strategies of the organization and the needs and requirements of stakeholders.

3) During the implementation of audit tasks:

Work on the diversity of audit functions within a single team, and create opportunities for the exchange of tasks between members of the audit team to motivate them to present new views.

4) Invest in developing audit resources:

Directing part of the available resources to develop the auditor’s skills (cultural, educational, sports), and the best ways to utilize the available information, to optimize the maximum benefits from the available information and develop reporting skills in distinct style and find different ways to display the results in a brief and clear style.

Dr. Mervat Hussain Al Saed

Director of Internal Audit, Misr Clearing Company for Central Depository and Depository

Egyptian Capital Market Sector

ARABIC REVIEW TEAM

Qais Hamdan, CISA, CISM, PMP (Lead Member)
Khalid M. Alodhaibi, SOCPA
Waleed Sweimeh, CIA
Noora Ayoob
Saif Kaddourah, MBA

UAE INTERNAL AUDITORS ASSOCIATION

PRESIDENT: Abdulqader Obaid Ali, CFE, CRMA, QIAL
GENERAL MANAGER: Samia Al Yousuf

REGISTRATION

Internal Auditor - Middle East magazine is licensed by the National Media Council of the United Arab Emirates (License Number 244).

Reader Feedback

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

EDITOR-IN-CHIEF: Abdulqader Obaid Ali, CFE, CRMA, QIAL
EDITOR: Ghada Abd Elbaky

EDITORIAL ADVISORY COMMITTEE

Ayman Abdelrahim, MQM, CIA, CCSA, CFE (Lead member)
Asem Al Naser, CPA, CIA, QIAL
Farah Araj, CPA, CIA, CFE, QIAL
Andrew Cox, MBA, MEC, PFIIA, CIA, CISA, CFE, CGAP, MRMIA
Raymond Helayel, CPA, CIA
Meenakshi Razdan, CA, CPA, CIA, CFE
Hossam Samy, CRMA, CFE, CPA, CGA
Nagesh Suryanarayana, MBA, CIA, CCSA
James Tebbs, CA
Vishal Thakkar, ACA, CIA
Gautam Gandhi, ACA, CIA, CISA, CFE

JUNE 2019, VOLUME 2019: 1

CONTACT INFORMATION

MARKETING & SOCIAL MEDIA
Alaa Abu Nabaa, MACC, CIA, CRMA, CPA, [email protected]
Ali Al Hashimi, freelancer

EDITORIAL
Ghada Abd Elbaky, [email protected], +971 55 728 5147

DESIGN & PRINTING
Gulf International Advertising & Publishing L.L.C., giadco511@gmail.com, Tel: +971 2 441 2299

GUIDELINES FOR AUTHORS
www.internalauditor.me

Internal Auditor - Middle East is published quarterly by the UAE Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor, API Trio Tower, Dubai, United Arab Emirates

DISCLAIMERS

Internal Auditor - Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party. The views expressed in Internal Auditor - Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers. Internal Auditor - Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

[Cover image of the June 2018 issue, WWW.INTERNALAUDITOR.ME: “Increasing the challenge of auditing culture”; “Value-Added Based Audit Plan: Achieving IA objectives with limited resources”; “Breaking the Records: International Conference, Dubai 2018”.]


Knowledge Update

By: Vishal Thakkar

Elevating internal audit’s role: The digitally fit function

As organizations move quickly through digital transformation, internal audit functions that are more digitally fit can more effectively help their stakeholders make better decisions and take smarter risks. The stakes from digital initiatives are high on both sides: in opportunities gained as well as in threats missed. The following six habits were identified as leading to more digitally fit risk functions:
• Go all-in on the organization’s digital plan.
• Upskill and inject new talent to move at the speed of the organization.
• Find the right fit for emerging technologies.
• Enable the organization to act on risks in real time.
• Actively engage decision makers of key digital initiatives.
• Collaborate and align to provide a consolidated view of risks.

Internal audit digital fitness means the following:
• Having the skills and competencies to provide strategic advice to stakeholders and to provide assurance regarding risks from the organization’s digital transformation.
• Changing its own processes and services to be more data driven and digitally enabled, so that the function can align with the organization’s strategic risks in order to anticipate and appropriately respond to risk events effectively and efficiently, within the time the organization’s digital transformation needs.

https://www.pwc.com/us/en/services/risk-assurance/library/internal-audit-transformation-study.html

Top 2019 Risks for Internal Audit: Data-Related Issues Looms Large

As per the 2019 Gartner annual Audit Plan Hot Spots report, the growing strategic importance of data is a critical emerging risk area for heads of internal audit. The following 4 critical risk themes emerge as internal audit teams prepare for 2019:

Strategic importance of data
Organizations that can effectively leverage data can surely increase their competitive advantage, unlock business value and enhance compliance efforts, but big data also creates potentially big risks such as quality of data, privacy protection and responsible use.

IT vulnerabilities
While implementing new technologies to gather the data, organizations must not overlook associated security concerns such as cyberattacks and cloud computing risks like data loss, outages and inappropriate data access.

Cost and growth pressures
While seeking cost efficiencies and implementing new growth strategies, organizations must ensure that they do not weaken the control environment or leave governance and oversight behind as a result of interconnected relationships with third parties.

Shortened planning horizon
The number of disruptions impacting business operations is growing at a fast pace, and this instability threatens to precipitate economic decline and increase regulatory scrutiny. This environment makes planning long-term strategies more complex for organizations.

https://www.gartner.com/smarterwithgartner/data-related-issues-feature-among-top-2019-risks-for-internal-audit/


Internal Audit’s Role in Fraud Risk Management

Internal auditors have always had a role to play in the detection and prevention of fraud. Whilst some internal auditors may investigate fraud, organizations should not expect the internal audit function to have the same expertise as a person whose primary responsibility is fraud investigation. Fraud investigations are best carried out by those experienced in undertaking such assignments.

Primary responsibility for preventing fraud lies with management as the first line of defense. Internal audit should consider where fraud risk is present within the business and respond appropriately by auditing the controls of that area, evaluating the potential for the occurrence of fraud, and examining how the organization manages fraud risk through independent risk assessment and audit planning.

Every organization should have an anti-fraud response plan outlining the key policies and related methodologies for investigation. The plan should clarify the role of internal audit when there is suspected fraud and associated control failure.

https://na.theiia.org/about-ia/PublicDocuments/Fraud-and-Internal-Audit.pdf

The New Role of Internal Audit: Key Enablers in 2019

The Internal Audit (IA) Department is becoming one of the key pillars of organizations today. The role of IA has now evolved beyond regulatory compliance responsibilities by diving deeper into the financial aspects of an organization in order to provide insights to support a high-quality audit. Due to these new expectations from stakeholders, the finance function is also being elevated to support organizational value creation, and internal auditing is expected to focus more on assessing future risks instead of telling companies what went wrong in the past. The 4 key enablers to enhance the power of internal audit through Internal Audit 3.0 are listed below:

Critical thinking in auditing
Critical thinking will help IA to analyze past fundamental risks, offer enhanced strategic input and provide a new perspective on business processes, not just an assessment of the existing controls.

Technology adoption for Internal Audit 3.0
The future of internal audit is led by the 3A’s, i.e. Assurance, Advising and Anticipating, also known as Internal Audit 3.0. Other than providing insights on necessary and relevant aspects, auditors should also be able to develop metrics that show the value of the expanded services in the fourth industrial revolution.

The Power of Data Analytics
By implementing a sound analytic platform, internal auditors are able to gather the power of data and derive exponential business outcomes. This is mainly achieved by leveraging operational insights gained by auditors to mitigate risks, reduce costs of compliance and enhance legacy efforts of governance, risk and compliance.

New focus on fraud
The Institute of Internal Auditors (IIA) has recently launched new mandatory guidance for internal auditors to evaluate fraud risks. As per this guidance, it is now expected that internal auditors will evaluate the potential for the occurrence of fraud and how the organization is managing its fraud risk.

https://managementevents.com/news/the-new-role-of-internal-audit-key-enablers-in-2019/

2019 Vendor Risk Management Benchmark Study

[Chart: vendor risk management (VRM) program maturity. Levels shown: Initial visioning, Non-existent, and Determine roadmap to achieve success (program with ad hoc or no VRM activity; substantially below target); Fully determined and established (transitional program); Fully implemented and operational, and Continuous improvement (fully functional and advanced program; at or above target). Percentage labels in the chart: 17%, 28%, 28%, 12%, 7%, 8%.]

https://www.protiviti.com/AE-en/insights/vendor-risk-management


UAE-IAA Events

By: Samia Al Yousuf

Memorandum of understanding with Financial Audit Authority

The UAE IAA signed a memorandum of understanding with Financial Audit Authority in Dubai – FAA. H.E. Abdullah Bin Mohammed Ghobash - Director General of FAA and Abdulqader Obaid Ali – Chairman of UAE IAA, announced that this MOU is aiming at strengthening the cooperation to upgrade and develop further internal audit profession and to provide expertise and specializations that help grow this profession to keep up with the ambitions of the UAE government in strengthening governance for the transformation towards the digital economy and artificial intelligence.

Corporate Governance Conference 2019, Themed “Gender Balance”

Under the patronage of His Highness Sheikh Maktoum bin Mohammed bin Rashid Al Maktoum - Deputy ruler of Dubai and First Vice president of the Executive Council of Dubai, UAE IAA in cooperation with the General Directorate of Residency and Foreigners Affairs had organized the Corporate Governance Conference for 2019 under the theme “Gender balance”. More than 500 participants from all government entities in the UAE attended the conference where the keynote speakers shared their insights on best practices relating to the Leadership, Integrity, Accountability and Responsibility pillars.

The keynote speakers were:

• H.E. Abdullatif Bin Ahmed Al Othman - Governor of Saudi Arabian General Investment Authority

• H.E. Abdulla Bin Mohamed Ghobash - Director General of Dubai’s Financial Audit Authority

• H.E. Mona Al Marri - Director General of the Government of Dubai Media Office

Memorandum of understanding signing with ACCA

The MOU signed by Abdulqader Obaid Ali - Chairman of UAE-IAA, and Lindsay Degouve De Nuncques - Head of the Association of Chartered Certified Accountants (ACCA) – Middle East aims to further aid collaboration in driving a robust Internal Audit and Accounting professions in the UAE. This collaboration contributes immensely in raising the bar of learning for all the professionals through advancing the knowledge and professional skills of the members, and equip them to face the challenges relating to digitization, business sustainability, governance and risks, fraud and corruption, information security, disruptive technology and artificial intelligence.

Appreciation at Dubai Economy

Under the patronage of H.E. Sami Dhaen AlQamzi - Director General of Dubai Economy, the UAE IAA was recognized for its remarkable contribution as a strategic partner who actively invested in maximizing the integrated partnership between government and private sectors.


19th Annual Regional Audit Conference

UAE IAA held the 19th Annual Regional Audit conference titled “Digital Foundation… Endless Possibilities”, under the patronage of H.E. Hamad Al Hur Al Suweidi - Chairman of Abu Dhabi Accountability Authority. The event was attended by more than 500 participants. Naohiro Mouri - Chairman of IIA Global Board, was the keynote speaker along with leading professionals and thinkers debating a wide range of audit related topics i.e. challenges emerging from artificial intelligence, data privacy, cyber security, and robotics… The conference was another step in the UAE IAA ongoing efforts to enhance the standing of the audit profession, by upgrading the auditors’ knowledge and skills to remain agile in facing the challenges posed by new and emerging technologies.


MOU signing ceremony with MOHRE

UAE Internal Auditors Association & The Ministry of Human Resources & Emiratization play a strategic role in achieving the government vision. In recognition of the importance of this strategic role, an MOU was signed to enhance the joint cooperation and concerted efforts to develop qualified personnel capable of leading the internal audit profession to the highest echelons.

The Memorandum was signed by AbdelQader Obaid Ali - Chairman of UAE IAA, and H.E. Mohammed Saqr Al Nuaimi - Assistant Undersecretary for Support Services at the Ministry of Human Resources and Emiratization.

Members’ meeting and May awareness month activities

March 2019: UAE IAA organized interactive sessions titled “How is artificial intelligence and data analytics improving the internal audit procedures?” by Neil Meleike and “Internal Audit vs. Risk Management, where to draw the independence line” by Marwan AbdulHak.

January 2019: In partnership with Gulf Tax Accounting Group (GTAG), a “Pre-VAT Inspection” workshop was held to take the attendees through a drill on what is involved during a typical VAT inspection process and guide them to ensure organizational readiness for a real inspection. The session provided the attendees with an adequate understanding of the VAT compliance requirements, ways to interact with VAT inspectors, and tools to proactively evaluate the organization’s current systems and processes and rectify non-compliance.


May 2019

- As part of the International Internal Audit Awareness Month, UAE IAA in cooperation with the internal audit department of the Ministry of Human Resources and Emiratization, held a workshop titled “Better Governance… Better Ministry”.

Dr. Ashraf Jamal ElDin and Mohammed Nassar shared their insights on the topic.

- During the International Internal Audit Awareness Month, UAE IAA Hospitality sub-group conducted a session about the Internal Audit role and responsibilities in the Hospitality field and the Artificial Intelligence challenges faced. The session was facilitated by Aldrin Sequeira, Antari Amine & Clement Chan.

- Among the activities of the 2019 International Internal Audit Awareness Month, the UAE Internal Auditors Association held a workshop entitled “Blind Spots and Ethical Dilemmas” presented by Colette Harb.

- The Global Oil Companies Internal Audit Forum – Second Edition, hosted by Emirates National Oil Company (ENOC), took place on 2 May 2019 during Internal Audit Awareness Month in coordination with UAE Internal Auditors Association. The Forum founded by Abu Dhabi National Oil Company (ADNOC) in 2018 with members from leading Oil & Gas companies, is established primarily to facilitate knowledge sharing and deliberate on adoption of internal audit leading practices in Oil and Gas industry.


Fraud Risk

Financial Fraud through Money Transfers

By: Muhammad Jallad

To comment on the article, email the author at [email protected]

In the last few years, there have been multiple reports of frauds committed by various entities against companies and major establishments. These frauds aimed at stealing money by requesting the victims to transfer amounts due to certain accounts. The latest news was published in March 2018, reporting that the football club S.S. Lazio had been duped by an online scammer, which had cost the Italian club 2 million Euros sent to unknown individuals who claimed to be officials of Dutch club Feyenoord.

The final installment from Feyenoord’s sale of Dutch defender Stefan de Vrij to S.S. Lazio in 2014 was due to the parent club by the end of the season in May of this year. Lazio transferred 2 million Euros to the account, but were surprised by Feyenoord officials’ assertion that the Dutch club had not received any funds. They also denied any knowledge of the email that had reached S.S. Lazio via the fake email address.

Another incident took place in October 2015, when the “Indian Express” newspaper reported that an India Oil and Natural Gas Company had lost around 1.970 billion rupees in one of the biggest online frauds in Mumbai.

The report mentioned that the loss was caused by spoofing the e-mail address of the Indian company, with minor modifications, and using it to persuade Saudi ARAMCO to transfer funds to the fraudsters’ account instead of the legitimate bank account of the Indian company.

Fraudsters said they depended on the Saudi company not noticing the slight change in the Indian company’s e-mail address.

The “Express” also reported that the original email address of the Indian company was [email protected] while the fraudsters’ email address was [email protected].

The above represents recent cases of fraud that targeted particular personnel in companies to get them to transfer funds to fake accounts. Many companies have made this mistake; some have lost their money while others are still trying to recover whatever they can.

There is no doubt that some fraudsters make every effort to convince the other party to transfer the amounts due to their accounts. These efforts include forging official signatures, sending certified letters on the company’s letterhead, and creating e-mail addresses very similar to the company’s with minor differences, in order to convince the other party to transfer thousands, if not millions, of dollars.

Therefore, we find that fraudsters use several ways to deceive various parties into transferring amounts due to fake accounts, after which the fraudsters steal these amounts and disappear, making it difficult to track them.

There are many procedures and steps to be followed by different departments in companies to avoid the occurrence of such errors, which will be discussed below:

1- Verbal confirmation

Always make sure to confirm verbally with the relevant parties in your company before you make the payment. For example, confirm with the procurement department that the supplier is entitled to this payment and that his/her bank account information and contact information are correct.

2- Check for changes

Try as much as possible to communicate directly by phone with the other party to confirm the payment, especially if you have any doubt, for example where you are provided with a new bank account number or where any information about the company name or location has changed.

3- Verifying unique requests

Examples include the other party sending an email asking you to transfer the amount to a bank account in a foreign country, or any other unfamiliar request. In such cases, it is important to communicate directly with the second party to confirm the request.

4- Double checking email addresses

The most common fraud method is fabricating e-mail addresses and manipulating them with very simple modifications that a person might not notice without enough focus and double-checking. For example, an email address may be manipulated from [email protected] to become [email protected]. As we can see, the change may be so simple that you do not notice it, and you may end up communicating with the wrong person, resulting in a money transfer to non-eligible entities.

5- Forward instead of Reply

If you receive any email from a second party (clients, suppliers, etc.), forward the message and then use the addresses stored in your company’s address list, to make sure you are communicating with the legitimate beneficiary and to avoid contact with wrong email addresses.

6- Practice caution

Make sure that you are always fully alert and focused on payments to be transferred, in particular payments that the beneficiary demands be completed urgently or under forced circumstances, or where the beneficiary acts aggressively if you ask him/her for more information and data. Often the cause of the urgency is the second party’s fear of the fraud being detected. Always take your time and use every means to avoid making mistakes.

7- Beware of confidentiality

In the event that the beneficiary requests that the payment be processed confidentially without disclosing any information, you must communicate directly with the responsible parties in your company to confirm the request and then communicate with the beneficiary company itself by telephone for confirmation.
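Steps 4 and 5 above can be backed by an automated check on the sender of any payment-related message. The Python code below is an added example, not part of the original article: it compares a sender address with the company's stored address list and flags near matches. The address book entries, the confusable-character list and the names `check_sender`, `skeleton` and `edit_distance` are constructed for illustration.

```python
import unicodedata
from typing import NamedTuple, Optional

# Constructed address list standing in for the company's vendor master file.
ADDRESS_BOOK = {
    "Harbor Marine": "payments@harbormarine.example",
    "Northwind Trading": "finance@northwind-trading.example",
}

# Character sequences often swapped so that an address looks familiar.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


class Verdict(NamedTuple):
    status: str                  # "match", "lookalike", "unknown" or "invalid"
    party: Optional[str]         # stored counterparty the sender resembles
    use_address: Optional[str]   # stored address to write to (step 5)


def skeleton(address):
    """Fold an address to a comparison form: NFKC, lowercase, confusables merged."""
    folded = unicodedata.normalize("NFKC", address).lower()
    for lookalike, plain in CONFUSABLES:
        folded = folded.replace(lookalike, plain)
    return folded


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(sender, address_book=ADDRESS_BOOK, max_distance=2):
    """Classify a sender address against the stored address list."""
    sender = sender.strip()
    if sender.count("@") != 1:
        return Verdict("invalid", None, None)
    best = None
    for party, stored in address_book.items():
        if sender.lower() == stored.lower():
            return Verdict("match", party, stored)
        distance = edit_distance(skeleton(sender), skeleton(stored))
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, party, stored)
    if best is not None:
        # Close to a known counterparty but not identical: hold the payment
        # and contact the party through the stored address or by phone.
        return Verdict("lookalike", best[1], best[2])
    return Verdict("unknown", None, None)


if __name__ == "__main__":
    # Constructed sample senders.
    for sample in ("payments@harborrnarine.example",
                   "finance@northwind-tradlng.example",
                   "Payments@HarborMarine.example",
                   "billing@unrelated.example"):
        print(sample, "->", check_sender(sample))
```

A "lookalike" verdict is the case the article warns about: the message should not be answered with Reply, and any bank detail change it carries should be confirmed by telephone first.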

Conclusion:

Many fraudulent remittance cases were caused by the negligence of the finance department staff responsible for making the transfers. Simple additional steps should be taken to confirm and validate any change to the beneficiary’s address and data, by making a simple telephone call to the other party and communicating with other departments in the company as further proof.

The company should also raise its employees’ awareness of this type of risk through attendance at specialized training courses and continuous guidance of staff.

Muhammed Khalil Jallad is an accounting and auditing expert currently working in a leading institution in Kuwait.

Risk Management

Risk-Based Performance Management: A Framework for Integrating Strategy and Risk Management

By: James Creelman

Strategy and risk are two sides of the same coin. No organization can implement a strategy without taking some level of risk. The more ambitious the strategy, the greater the risk: a simple equation.

To stay one step ahead of the competition (and even simply stay in the game) in this disruptive, digital era, firms are increasingly challenged to implement “inventive” strategies. These strategies require the introduction of breakthrough products and/or the instilling of a radically new way of competing and so are, by some distance, riskier than conventional incremental strategies (doing what we do now, but a bit better) as the ultimate results are to a large extent unknown: they are a set of assumptions.

A Corporate Governance Issue

As well as providing day-to-day headaches for executive leaders, the opportunities and risks of competing in the digital era are an issue for non-executive boards.

The financial crisis illustrated that in this digital era, strategies cannot be responsibly executed by organizations without fully considering and managing the accompanying risks and, perhaps most importantly, their appetite for risk: after all, most of the financial institutions that suffered catastrophic losses believed they had sophisticated risk management instruments and processes. Appetite, alas, was hardly considered. As Citigroup’s Chief Executive, Charles O. Prince, said back in July 2007, just before the crunch, “As long as the music is playing, you’ve got to get up and dance. We’re still dancing.” And dance they did, all the way to a 90% fall in their share price.

Few would argue that the competitive landscape is less hazardous today than it was when the crisis hit in 2008. Most would argue it is significantly more so and much less predictable. To manage in unpredictable markets, I would argue that we need an approach that enables corporate boards and executive teams to keep one eye on performance and one eye on risk.

Risk-Based Performance Management

My 2013 co-authored book, “Risk-Based Performance Management: Integrating strategy and risk management”, introduced the Risk-Based Performance Management (RBPM) framework and methodology. RBPM provides organizations with an integrated strategy and risk management approach that places risk, and specifically risk appetite, at the core of strategy execution (Figure 1). Let’s consider each framework component.

Appetite

The most important element of the RBPM approach is that of appetite. This is about defining the organization’s appetite for risk within the context of strategy and then executing accordingly.

Bringing strategy and risk closer together is right and proper and fundamentally important, but it is working within the parameters of appetite – “the amount and type of risk that an organization is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders” – that will enable organizations to both establish the controls and inculcate the agility that are required in today’s markets.

Appetite is not just about the financials. For instance, back in the 1990s the once monolithic Arthur Andersen was destroyed overnight when its reputation was destroyed through the Enron scandal. If the organization had instituted a zero-appetite policy with regard to reputational damage, it would not have made such unethical decisions in pursuit of aggressive revenue growth. Reputation provided the firm with its competitive advantage.

By defining a clear statement of risk appetite, the board and executive leadership team can establish clear boundaries within which the organization can execute the strategy and manage risk. It also provides the foundation for cascading the strategy and risk management disciplines through the organization, thus shaping the organization culture.

Set strategy

In the context of RBPM, the Strategy Management discipline is about developing a clear sense of direction as to where the organization is going, how much risk it is willing or required to accept to get there, and what the key opportunities and threats are along the way.

At the formulation stage, risk appetite plays a central role in that it broadly defines the risk boundaries for the subsequent execution phase. Risk appetite should play a key role in strategic options evaluation and the decision-making processes around which option(s) the organization will pursue.

Managing Performance

For this discipline, RBPM draws mainly from the Balanced Scorecard strategy execution framework that comprises a Strategy Map and a scorecard. The Strategy Map (figure 2) describes how value is created through cause-and-effect relationships between objectives. Supporting the Strategy Map is a scorecard of Key Performance Indicators (KPIs), targets and strategic initiatives (figure 3).

The Strategy Map and scorecard are collocated according to four perspectives (although the exact number and even titles are not mandated) that are described hierarchically, with shareholder (or financial) at the apex and then flowing down through customer, internal processes and learning and growth. A slightly different hierarchy is typically used in the public sector.

Three Types of Indicators

At the measurement level, the RBPM methodology brings clarity through the use of three types of indicators: KPIs, Key Risk Indicators (KRIs) and Key Control Indicators (KCIs). While working in unison, each has a different purpose.

KPIs enable organizations to assess progress toward strategic objectives and targets. KPIs are used to answer the question: are we achieving our desired level of performance?

KRIs are used to help an organization assess its risk profile and monitor changes in that profile. They help answer the question: how is our risk profile changing, and is it within the tolerance range?

KCIs are used by an organization to define its controls environment and monitor levels of controls relevant to its tolerance thresholds. They help answer the question: are we, as an organization, in control?

Managing risk

Strategic risk management is all about understanding the risks the organization faces in pursuit of its objectives, and the continuous monitoring and management of those risks. It is also about understanding that risks can present opportunities as well as threats.

As with objectives, a broad set of key risks are identified as part of the strategy management process. These are then monitored and managed to increase the probability that the objectives of the organization will be delivered.

Likelihood × Impact

A key part of the risk management process is regularly assessing risk to understand the level of risk that the organization is taking. Typically, this is done based on a Likelihood × Impact assessment, which provides an “at risk” value, and can be used as one of the steers to identify where risk mitigation interventions are required.

One of the main ways that risks are managed is via an effective controls environment. Controls are the processes, policies, practices or other devices or actions designed to effect control over the risk. Key controls should be defined for each risk identified and the effectiveness of those controls regularly assessed. The key controls can be either preventive, that is, designed to reduce the likelihood of the risk materializing, or detective, that is, designed to detect when a risk has materialized.

Aligning Risk-Taking with Strategy

A key component of operating within appetite is appetite alignment: the process of continuously aligning current risk exposure to the defined risk appetite.

Translated into simple terms, it is about understanding if an organization’s current risk-taking is aligned to its chosen business strategy; that is, are we operating within appetite? The RBPM methodology introduces a new and innovative tool for managing and assessing appetite, the Appetite Alignment Matrix, which assesses an organization’s exposure to risk against its agreed appetite levels (Figure 4).

One of the key benefits of paying close attention to appetite and one that is rarely recognized is that doing so sometimes leads organizations to take on more risk, because in doing so they are still “operating within appetite”.

Governance

It is generally agreed that a failure of corporate governance was a major contributor to the Credit Crunch. Such failure was somewhat surprising as corporate governance was hardly new and codes such as Cadbury, Turnbury and Greenbury had been in place since the 1990s.

Corporate Governance was believed to be essentially in good shape, robust and effective, as was risk management. It was, therefore, something of a surprise that many experts and reports pointed to a failure of corporate governance being a major cause of the financial crisis – or more markedly, a failure to properly understand and manage the firm’s risk profile and exposure.

Governance is embedded into the RBPM approach, supporting the corporate level obligations and enabling those commitments to be cascaded through the organization. A greater focus by the board on demanding the parameterizing of risk appetite and then supervising how executives execute strategy within those boundaries is now a critical governance role and has been stressed in many reports by regulatory and expert bodies.

However, as part of the RBPM approach, governance also has a more operational, day-to-day role to play within an organization. This approach to governance is based on the RACI framework which has been widely used within the program and project management world. RACI is an acronym for Responsible, Accountable, Consult and Inform, and is used to clarify individual roles in the achievement of objectives and management of risks.

Culture

Culture is perhaps the ultimate strategy and risk management tool. The importance of getting the culture right is often overlooked in major change efforts. Although few organizational leaders would publicly state that culture is less important than process, structure or technology, the fact is that due to its being so nebulous, and so difficult to define and to equate a precise financial figure to its effective management, it is more often than not “dealt with” through a nice sounding value statement and then either forgotten about or handed over to the HR function to manage. Many organizations live to regret this oversight.

The importance of getting the culture right cannot and should not be underestimated. Culture is, quite simply, a showstopper. Indeed, an August 2012 article in the Financial Times reported a survey of risk managers that found that 62% of major risk events were the result of culture, leadership or behaviour.

Get the culture right and objectives will more likely be achieved and risk managed. Get the culture wrong and failure will be just about inevitable; even though ultimate failure might well be preceded by a period of stunning financial success, as we have seen with many organizations that suffered catastrophic failure.

Communication

Communication is a key management discipline in any circumstance, and especially when large-scale change is taking place. Communication is critical when an organization is setting out to take an integrated approach to strategy and risk management and so has been included as a discipline within the RBPM approach – most notably in getting the appetite message across and in driving the correct behaviours.

Crucially, communication should be an ongoing process, rather than a one-off exercise repeated on an ad-hoc basis. Messaging must be a constant part of reinforcing the dos and don’ts around strategy, risk and risk appetite and the importance of balancing risk and reward must be fully inculcated. If these are not done, there is a pressing danger that decision-makers and indeed all employees might revert to inappropriate behaviours.

Parting Words

The rigour provided through the seven RBPM disciplines might go a long way toward ensuring that the organizational (especially financial) value delivered is sustainable over the longer term; that the pursuit of profit and the delivery of short-term and superior returns to shareholders is not at the expense of long-term value, or even continued survival.

As well as a day-to-day system for effectively managing the business, it provides a mechanism for effective performance oversight by corporate boards. The RBPM approach, with its emphasis on the integration of strategy and risk management, and specifically risk appetite, provides a framework for boards and senior executives to ensure that from a strategic direction and risk-taking perspective they can deliver lasting success as well as meet their corporate governance obligations.

Specifically, internal auditors should consider risk exposure versus appetite when assessing the rigour and robustness of the organizational controls on performance. When the former exceeds the latter on critical strategic thrusts, be they financial, customer, process, people or technological, the enterprise might, and often unknowingly, be engaging in a dangerous dance. The corporate boards of firms such as Enron, Arthur Andersen and many financial institutions would no doubt agree.

To comment on the article, email the author at [email protected]

James Creelman is an advisor and trainer in strategy management and related fields and has worked extensively in the Gulf.

conversations with colleagues

By Farah Araj

Mohammed Abu Hijleh & Ghaleb Al Masri

Mazars UAE leaders share their insights on the value that robust internal audit practices can bring to the public sector

In an exclusive interview, Internal Auditor Middle East spoke to Mohammed Abu Hijleh, CPA and Ghaleb Al Masri, CPA, CIA, CFE, who are partners with Mazars in the UAE and are supporters of good governance in the public sector.

Mohammed started his career in public accounting after graduating from the United States. He spent time with international consulting companies and was the Chief Financial Officer of a prominent real estate developer before becoming Mazars UAE Managing Partner. Mohammed also serves as an independent audit committee member for an Abu Dhabi based investment company.

Ghaleb leads the Risk Advisory practice for Abu Dhabi and brings a wealth of internal audit and risk experience working with major corporations and public sector entities across the Middle East. In addition to working for international consulting companies, Ghaleb has served as a risk management leader and a Chief Audit Executive within the public sector.

Internal Auditor - Middle East connected with Mohammed Abu Hijleh and Ghaleb Al Masri at the Mazars offices in Abu Dhabi.

Can you introduce Mazars to us?

Mohammed: Mazars is an international, integrated and independent firm specializing in Audit, Risk Advisory, Financial Advisory, Tax, and Legal services. With over 23,000 professionals servicing clients from across 310 offices in more than 85 countries around the world, Mazars has positioned itself as a global player with an annual growth of over 8% and revenue exceeding $ 1.8 Billion in 2018.

Ghaleb: Locally, we have attracted a number of top tier governmental clients who are benefiting from our internal audit services. We’ve also supported local non-governmental organizations that have been established decades ago and are well-known within their respective sectors (manufacturing, construction, retail and food & beverage) in the UAE.

Based on your experience, what are your views on the challenges currently facing the public sector?

Mohammed: The UAE market & public sector is evolving at an unprecedented rate. Having said this, adopting new technologies is the biggest challenge in a region where in some countries IT infrastructure lags behind developed countries. Locally, the UAE has done a fantastic job building the necessary infrastructure to implement new technologies; however, finding the right talent/expertise is quite challenging and will require attracting the same from abroad.

Mohammed Abu Hijleh (on the right) and Ghaleb Al Masri (on the left)

Are these challenges impacting stakeholder expectations of internal audit?

Ghaleb: Since the vast majority of governmental organizations are becoming more proactive and are focusing more on issues such as strategy, corporate governance, risk management and such, they’re demanding a more customized and added-value approach from internal audit. This emphasizes the dual roles of both assurance and consulting required from internal audit and the fact that increasingly, internal audit has to provide much more than cut and dry audit reports that lean more towards compliance issues only. From my perspective, I think this is an opportunity rather than a challenge as we’ve been able to find a niche for our Risk Advisory Services due to the aforementioned. We’ve adopted a model that revolves upon this concept and is based on the direct involvement and on the field presence of our senior level employees (managers and above) to ensure the right level of experience and know-how is provided to meet our clients’ needs. Our clients expect our support in dealing with complex issues that entail multiple scenarios and may lead to far reaching consequences. We have deliberately structured our Risk Advisory Services Division to be “top-heavy” with a low ratio of senior management to staff in order to handle such high-level relationships with our clients.

“As the public sector evolves and becomes more sophisticated, heads of internal audit will need to be more self-aware in challenging the status quo within their own internal audit functions and be more proactive in finding ways they can optimize their added-value to the organization”
Ghaleb Al Masri, Partner Risk Advisory, Mazars

How can CAEs respond effectively to these changing expectations?

Ghaleb: Primarily, CAEs and internal audit functions need to constantly be self-conscious and assess their own approach towards the execution of their risk assessments, developing their audit plans and such. The risk assessment methodology itself needs to be adapted to suit the client and ensure that the resulting audit plan is aligned to the strategic direction of the organization whilst also considering the organization’s maturity and environment. For example, whilst keeping within internal audit standards and guidelines in implementing a risk based approach, we’ve been able to highlight to our clients (where deemed suitable), the advantages in adopting a process oriented rather than a department oriented audit approach. This inherently forces the internal audit function to view and understand the whole cycle or journey of any given process if you will, which obviously optimizes the value added by internal audit.

CAEs also need to achieve and constantly maintain the balance between being independent and holding their ultimate responsibility towards the organization as a whole; and creating a synergetic relationship with management that is based on transparency and reliability.

Is regulation impacting the assurance internal auditors are providing on technology risks?

Mohammed: Technology risks play a key role in today’s tech heavy market as almost all organizations have to deal with application access controls, changes/updates to applications, development of new programs or embedding of new modules in existing applications and lastly data protection and problem management. Internal auditors will have to ensure that such application-based controls exist and provide reasonable assurance that the environment hosting these applications is secure. Internal auditors have increased responsibility towards ensuring that the technology risks are managed as an organization’s risk management framework depends on it.

How can CAEs assure their audit committees that they are maximizing the value of their internal audit resources?

Ghaleb: Quantitative KPIs in the form of number of audits and observations, utilization percentages and such are always informative, however, I think it is equally if not more important to ensure that CAEs are constantly in touch with the audit committee (without of course miring the audit committee members in unnecessary details) and obtaining their input regarding key matters. As an example, at the onset of a full-fledged internal audit engagement, I make sure to meet each audit committee member one to one and obtain their expectations. I also present to them different scenarios with objective pros and cons to each when tackling issues such as the internal audit function’s structure, risk assessment methodology, audit plan etc.

Finally, what would be one thing that a public sector internal audit function should strive to achieve over the next 2 years?

Ghaleb: Even though I alluded to the same subject earlier in the interview, I would stress that it is imperative for a public sector internal audit function to build a regular and open relationship with both management and the Board as represented by the audit committee. The underlying premise for this is the core of an internal audit function, which relies on adding value to the organization based on in-depth understanding of the business and processes and striving to identify root causes and corresponding feasible recommendations. Of course, the introduction of internal audit in any organization is bound to cause some resistance, but with time, management gradually realizes the objective of internal audit in improving and optimizing rather than finding fault.

Leadership

Leadership in Internal Audit

By: Kashif Husein

Definition

Leadership is defined by the Oxford Dictionary as the action of leading a group of people in an organization. The definition provides an insight into what a leader should be doing. Leading a group of people does not simply imply “LEADING”. More exhaustively, it implies understanding the internal and external environment and then leading the group of people. Understanding the internal environment means understanding the group dynamics, as every person in the group will have his own unique nature to be dealt with. Understanding the external environment means understanding the objectives of the organization and then aligning the group towards achieving those objectives. Further, due to the interactions with other groups, the leader will have to possess a myriad of traits and wear different hats at different points in time to achieve his goals.

ELEMENTS OF LEADERSHIP AND RELATION TO INTERNAL AUDIT

A leader, as mentioned above, must display a variety of traits to guide the team in the achievement of the organization’s objectives. I have mentioned some of them here and related them to Internal Audit and to how these characteristics help in achieving the organization’s goals.

A. Teacher – Teaching is an essential skill for a leader to have. Employees look towards their leader for guidance and knowledge. As we advance from school-based learning to self-learning, the leader is expected to guide by setting his own example. Further, for a beginner or novice joining the Internal Audit Team or any department in an organization, teaching the nuances and the requirements is a key skill for the leader to possess and display. Internal Audit Heads/Senior Managers can guide the juniors on how to ferret out the information required for performing the job. At the same time, it also depends on the learner’s capability and skill how well he/she can pick it up and learn from it.

B. Humility – Humility is a key consideration for a leader to display. In a poll conducted by McKinsey columnist Christine Porath, incivility amongst leaders has been displayed:

Employees are affected in a myriad of ways, and some of the consequences noted by the article are: a. Workplace performance; b. Employee turnover; c. Customer experience; d. Collaboration. As Internal Auditors are also involved in Risk Assessment, the effects and consequences are dependent on the degree (impact and likelihood) of the incivility.

It is imperative that leaders show respect and have proper accountability procedures in place. This gives employees the feeling that they are being treated in a fair and consistent manner. The research found that those getting respect from their leaders reported much higher levels of health and well-being, derived greater enjoyment, satisfaction and meaning from their jobs, and had better focus and a greater ability to prioritize. Those feeling respected were also much more likely to engage with work tasks and more likely to stay with their organizations.

C. Change Manager – Change is the only thing permanent. The famous statement by Charles Darwin: “It is not the strongest of the species that survives, or the most intelligent that survives. It is the one that is most adaptable to change”. In an era dominated by manual ledgers and a manual way of working, the concept of Risk Management and Risk Assessment was alien. But nowadays, with the GRC (Governance, Risk and Compliance) concept in prevalence, Internal Audit Heads must be more perceptive of change. Process automation and robotics are going to be the in-thing and the ones that are going to drive the business. It is imperative that the Compliance Heads are at the forefront to provide the right governance directions. In the Katzenbach Center survey, 84 percent said that the organization’s culture was critical to the success of change management, and 64 percent saw it as more critical than strategy or operating model. Yet change leaders often fail to address culture—in terms of either overcoming cultural resistance or making the most of cultural support.

D. Communicator – Leaders are expected to be at the forefront of the communication channel. In today’s world, with news travelling fast and gossip-mongering at the corporate level, effective communication is the key. Getting the right message to the right people at the right time makes all the difference. A leader may have the right message and may communicate it to the right people, but doing so at the wrong time will dilute his credibility.

As an example, the Internal Audit Department may be aware of a fraud happening in a department and have all the evidence in place. However, if it is not communicated to the Audit Committee/reporting authority in time, then the Department’s role becomes diluted.

E. Transparent – Transparency ranks as an important element of leadership. It speaks a lot about the leader if the team does not perceive him/her to be transparent. It shows that the leader lacks the confidence to handle the outbreak of the news and then to handle the consequences. A leader has to be transparent in his way of working and in the words he communicates, so that his words do not appear to be different from his actions. Employees have the right to know the correct picture. Nobody likes surprises in the workplace.

By being transparent, the leader is also giving an opportunity and empowering his/her employees to come up with solutions. There is a possibility that a leader may not have the solutions for all the work problems but then when it is shared with his/her team, the solutions can always be worked on.

However, excessive transparency may sometimes be an impediment to fair perception. A judgement call is required by the leader on which details need to be shared and which do not. As illustrated below in a McKinsey article, employees’ perception changed when the bonus plan in a company was published.

What went wrong? Interviews conducted with employees suggested two unintended side effects of the new process. First, transparency invited a critical and transactional evaluation, rather than the bonus being seen as an unexpected gift. Second, transparency highlighted those who received larger bonuses, inviting envy on the part of those who fared less well. (source – McKinsey)

F. Learn from Failures – A critical piece in being a leader is learning from one’s failures. More often than not, the Internal Audit department is blamed for a major control lapse/fraud in the Company. However, rather than indulging in a blame game, there needs to be proper soul searching to ensure that the source of failure is understood and necessary actions are taken thereupon.

In the case of Wells Fargo, when staff opened 2 million deposit accounts and applied for approximately 500,000 plus credit cards, the question arose as to what the role of Internal Audit and Risk Management was.

Learning from failures and taking the necessary steps is key to ensure the achievement of long-term goals.

NEW ENVIRONMENT

In the new environment, wherein the 5th Industrial Revolution is being discussed, Governance, Risk and Compliance will have a major role to play. Internal Audit will have to step up. The Chief Audit Executive will need to possess the necessary skills and capabilities to provide the right guidance to his team so that the Internal Audit Department as a whole is effective and considered a serious business partner.

Kashif Husein , T

To comment on the article, email the author at [email protected]

Maturity of an organization is vital to determine the modus operandi of an audit. An organization with robust procedures and established systems, creates new opportunities for auditor to perform his/her duties with utmost efficiency but carries different level of challenges. For a less mature organization, having outdated procedures, manual processing and undefined strategy may create more challenging task for an auditor to perform. In such circumstances, if not effectiveness, having an impact on efficiency is unavoidable.

What is a Variation

Clause 1.1.6.9 of FIDIC (Red Book) defines ‘Variation’ as any change to the works which is instructed or approved as a variation under Clause 13 (Variations and Adjustments).

As per Clause 13.1 of FIDIC Red Book, each Variation may include:

(a) changes to the quantities of any item of work included in the Contract (however, such changes do not necessarily constitute a Variation).

(b) changes to the quality and other characteristics of any item of work.

(c) changes to the levels, positions and/or dimensions of any part of the works.

(d) omission of any work unless it is to be carried out by others.

(e) any additional work, plant, materials or services necessary for the permanent works, including any associated tests on completion, boreholes and other testing and exploratory work; or

(f) changes to the sequence or timing of the execution of the works.

Note: Variation Orders or Change Orders are interchangeable terms.

Understanding Types of Variations

Prior to auditing variations to the contract, understanding the basic concept thereof is essential. Variations are amendments to the original contractual scope and, if not administered properly, can create disagreements and disputes. Therefore, variations are generally covered in the majority of standard construction contracts, which give the contracting parties liberty to amend the scope as per changes in the requirements or circumstances.

As a first step, an auditor needs to understand the contractual terms and conditions governing variations. A variation can be initiated by the Employer, Engineer, Contractor or subcontractor due to a change in requirements or circumstances, or sometimes opportunity framing.

Auditing Variations
BY: Tauseef Ahmed

An auditor needs to develop his understanding of the various types of variations. Construction contracts are each unique in nature, type or complexity, and the parties involved have their own understanding or interpretation contractually; however, variations can take many forms, in the manner they arise, which are defined by FIDIC (Red Book) as below:

1) Variation initiated by Engineer or Employer

Variation clause(s) in the contract permit the employer to make amendments to the contract’s elements, and this ensures a response to the practical needs of the project. These changes can be additional works, modifications or omissions (full or partial descoping or deletion of an activity or element).

Changes can also include ‘Acceleration order or Sequence changes’, which are generally required to complete the works prior to the agreed completion of the project. The works included as provisional sums in the BOQ can be executed using a variation order. Any other works of a minor or incidental nature are required to be carried out on a daywork basis (FIDIC, Red Book).

2) Variations initiated by Contractor

For reasons attributable to the contractor, or when value engineering is part of the scope, the contractor may work on an acceleration plan and intend to complete the project earlier than planned. In certain circumstances, the contractor may identify certain additional works to be carried out, even though they are not specifically part of the scope. In this scenario, the contractor identifies these works for approval by the Engineer and Employer. In a dispute situation, the same can be part of the contractor’s claim.

3) Other categories of Variations

The other categories may include re-measured contracts, whereby any change in quantities may be claimed via a variation order. There may be other situations like technical errors in contractual terms or design and force majeure which may give rise to variation orders.

A variation for addition in the scope or an omission for descoping can arise from any of the categories.

During the Audit Planning Phase (ref: Audit Process), the auditor should obtain a basic understanding of the type and complexity of the project and the contractual requirements for variations vis-à-vis the nature and type of variations. The auditor should update the audit programme considering the special conditions, timelines, agreed methodology, key risk areas and materiality.

Variation Log

The first basic document, which provides an overview of the variations’ status, is the “Variation Log”. The log provides information about the type of variations (generally separate logs are maintained for each category), status of submission, description of the variation to the contract, reference to the engineering instruction and reference to the letters and notifications, submission/claim value, internal value and value attributable to the subcontractor. The log may also have certification and/or back to back status of certifications with subcontractors.

The log also provides the status of the variation order, i.e. approved, rejected, disputed, in process etc. Comprehensive logs may also carry the percentage of completion for each variation, showing the status of works.

While selecting a sample, the auditor should consider the quantum of engineering instructions received, variations submitted, general status of approvals, values, certifications and work performed. A sample may be selected considering the impact on cost or activity, e.g. works on a variation for an activity that affects the project’s critical path, which results in an extension of time.

Audit Objectives

The key audit objectives for variation reviews are:

• To provide assurance on the design and effectiveness of the internal controls for variation management;

• To ensure compliance with policies & procedures and with applicable rules & regulations;

• To ensure ‘variation workflow procedures’ make the most efficient use of the available resources.

• To ascertain that the required knowledge, skill and competency is resourced.

Review Scope Outline

Following are the recommended scope review areas which should be considered for testing analysis on variations to the contract:

• Timely communication
• Variation orders are approved
• Cost and Cause Assessment
• Conditions agreed
• Methodology and procedure to establish a variation
• Compliance with policy & procedure and contractual requirement
• Follow-up and dispute resolution procedure
• Variation - Claimed in payment applications
• Documentation and audit trail
• Back to back contracts
• Staff competence and efficiency
• Management Reporting

The auditor should always consider circumstances having a material impact on variation management. One of those situations can be the absence of a robust procedure to capture variations and out of scope works, which can directly affect the project’s profitability and can cause cost overruns. Through review of correspondence and minutes, an auditor should always be vigilant about situations giving rise to variations.

Another situation can be delayed or missed notifications and submissions, which may not only be classified as noncompliance with the contractual terms but can also cause rejections or delays in cash flows.

The following process flow provides a basic understanding of a generic audit process flow, embedded with variations review:


Process Flow - Auditing Variations

This is a recommendatory process and one should consider organizational requirements and make adjustments accordingly.

Audit Phase:

• Audit Pre-Planning Phase
• Audit Planning Phase
• Audit Fieldwork Phase
• Audit Reporting Phase

Relevant Activities:

• Audit Notification is sent with Audit Engagement Letter
• Audit Opening Meeting is conducted while planning stage documents are discussed and finalized
• Testing Analysis to be conducted in line with the Audit Programme
• Audit Closing Meeting to be conducted to obtain management’s comments

Documentation:

• Information Required, Audit Scope, Audit Objectives, Budget & Time Allocation, Risk & Control Matrix, Audit Programme
• Work Reviews, Validations, Scope Coverage mapping
• Work Reviews, Validations, Final Audit Report

Variation Specific:

- Specific Objectives and Scope (As given) covering key risk areas
- Contract Review is important at this stage to adjust the scope as needed
- Key documents to be made available for next phase are Contract, LOI, Variation log(s), EI log (if separate), correspondence log.
- Allocation of Budgeted Audit Cost to Variation Scope Coverage
- The Risk & Control Matrix should emphasize key Risks (As given) in variations management and plan the review of internal controls mitigating those risks.
- Audit Programme should be ready in this phase, considering the KRAs and after review of policies & procedures.

Testing should be performed as per Audit Programme:

1) Variation requests are timely and clearly communicated
2) Variation Cost Assessment
3) Price charged, and conditions agreed
4) Compliance with policy & procedure and contractual requirement
5) Documentation and audit trail
6) Staff competence and efficiency
7) Back to back contracts
8) Variation orders are approved Cause assessment
9) Methodology and procedure to establish a variation
10) Follow-up and dispute resolution procedure
11) Management Reporting
12) Variation - Claimed in payment applications

To comment on the article, email the author at [email protected]

Variation / Omissions Cost Assessment

Under clause 13.3 of FIDIC Red Book, each variation shall be evaluated in accordance with Clause 12 (Measurement and Evaluation).

An auditor should enhance his knowledge of the contractual requirements and special conditions appended to the contract prior to reviewing variations. A contract would invariably provide a mechanism for variations and the method of payment thereof. Any works done via engineering instructions (EIs) or approved variation orders are included in the payment application.

By reviewing the EI log, correspondence and minutes of meetings, the auditor should review situations where works are done without approval. In this scenario, the contractor has executed works at his own discretion and can be contractually rendered as having no right of payment.

For verification of the cost assessed by management, the auditor may select a representative sample of cases. Rates used in the variation orders can be verified against the bill of quantity (BOQ). There might be cases where BOQ rates are not used, e.g. where similar items are not available in the BOQ; then, generally, a new price is agreed. If works must be executed without delay while the rate is not agreed, then a provisional rate or amount is approved or an on account payment is permitted. An auditor should also look for situations of disagreement on prices and rates and review the same.

Extension of Time Impact

Clause 8.4 (Extension of Time for Completion) and Clause 20.1 (Contractor’s Claims) of FIDIC Red Book are applicable in extension of time claims.

Variations usually increase the scope and may have an impact on completion time. The auditor needs to ensure that management has implemented a procedure to review the impact of variation works on the critical path. In such cases, timely notifications are served and extension of time approval is requested, which should be followed by cost claims for the extension of time.

Clause 20.1 of FIDIC Red Book stipulates a timeline of 28 days within which the Contractor shall serve a notice to the Engineer, describing the event or circumstances giving rise to the claim. The auditor should review EIs, correspondence and minutes of meetings for delayed and unserved notices, in order to ensure that timely action is taken to avoid the risk of unserved or delayed notices and the risk of liquidated damages. Similarly, a claim is served by the Contractor within 42 days (under Clause 20.1).

The parties have right to use different timelines with mutual consent.

Back to Back contract

The auditor needs to gain knowledge of subcontractors’ claims. The main contractor should incorporate these claims while claiming for a relevant activity. When approving or certifying any variations, the approval and certification should not be more than the approval / certification received. The same should be applicable in cases of advance payments, advance payment guarantees, performance guarantees or retention against variations; however, some exceptions always remain, as the conditions of the specific project require. The auditor needs to understand those conditions and fairly document the same.

Key Risk Areas

1) Unidentified or late identification of Variations:

Absence of procedure or skill to timely capture the variation

2) Unidentified impact over Extension of time:

Absence of procedure or skill to assess impact of variation on critical path

3) Late notifications:

Lack of control over contractual requirement may have impact over approval of variations as late notifications can be considered as noncompliance, therefore can create a risk of rejection of valid claims.

4) Incorrect valuation:

Absence of a robust procedure over variation cost assessment.

Conclusion

Variations may be initiated at any time prior to issuing the Taking-Over Certificate for the Works, either by an instruction or by a request for the Contractor to submit a proposal. The Contractor shall execute and be bound by each Variation (Clause 13.1 FIDIC Red Book).

An auditor must establish an understanding of the contractual requirements for variations. The audit programme should be prepared around this requirement, considering key risk areas. Materiality should also be considered while allocating resources for the scope. During the Planning phase, the auditor should allocate weightage to the variations’ review and the scope to be covered. This is followed by review of policies and procedures and the basic mechanism established to capture variations, valuation, work execution and claim.

Tauseef Ahmed, FCA, ACA (ICAEW), CIA, CFE, CISA, Audit Manager, Arabtec Holding PJSC


The IIA defines corporate governance as “policies, processes and structures used by an organization to direct and control its activities to achieve its objective and to protect the interests of its diverse stakeholder groups in a manner consistent with appropriate ethical standards”. The key determinants of any business success are corporate governance and employee satisfaction. This methodology will be explained in detail in this article. First, I would like to indicate the importance of an effective corporate governance structure. Having effective corporate governance will build a strong and profitable organization that will stay in business for the long term. Most organizations are just establishing corporate governance policies and principles in order to state that they have governance in their organization. Other organizations are applying the governance framework system, but not in a correct manner.

Stakeholders and investors are concerned about their expected returns or dividend payments in the long run. If the board of directors is not able to appoint an executive manager who will increase the company’s profit on a yearly basis, there will be two options: either changing the board of directors or changing the executive manager in the organization. This frequent turnover of the board of directors and CEO will increase the organizational profit, but only in the short run. Unfortunately, the stakeholders, board of directors and executive managers are not really focusing on the main cause of the company’s lower profit. The real reason is employee dissatisfaction. Job satisfaction is the reason why the organization is not able to gain profit in the long run, but only in the short run. All sectors should take into consideration how to build a strong and effective job satisfaction system, as it is only through this that the organization will be able to increase its profit. The European mechanism of corporate governance indicates the relevance of corporate governance to employee satisfaction and states that employee welfare should be considered in the ‘best interest of the company’. Establishing a code of conduct, a compensation system and an accountability framework for all employees, including executive managers and the board of directors, authority for making decisions, and transparency of policies and procedures in the organization are all important to gain or increase employee satisfaction in the organization. This will in return improve the image, reputation and productivity of the organization, which will in turn result in higher profit in the industry. Heads of departments should engage employees and allow them to give their opinions on the policies and procedures of the department, since they are the ones who have in-depth knowledge of the risks and opportunities related to their work. Moreover, transparency in management decision making and the reasons behind it will ensure acceptance of decisions by employees.

Finally, focusing on satisfying the employees inside the organization by issuing transparent policies and procedures and an effective accountability and compensation framework will lead to effective corporate governance of the organization, which in return will increase the profit and return to the stakeholders and investors without the need to change the executive managers or board of directors on a frequent basis.

The New CIA® Exam Keeps Up to Date With a Changing Profession

Learn What Changed—and Why

The newly updated Certified Internal Auditor® (CIA®) exam, now available in English, is more current, relevant and balanced than ever. With additional languages set to roll out beginning in June 2019, this is the perfect time to take a fresh look at CIA.

The CIA exam tests a candidate’s knowledge and skills required for current internal auditing practices. While the exam was updated in 2013 to reorganize the topics, The IIA began a process in 2017 to review the material within all three parts of the CIA exam. The CIA underwent a global job analysis study to determine the knowledge, skills, and abilities most applicable to today’s internal audit practitioners, and the study results in the revised CIA exam to reflect the evolution of the internal audit profession worldwide.

While there are important changes to all three parts of the new CIA syllabi, the most exciting changes are in Part 3. Part 3 has always been the most challenging and intimidating exam because the scope was massive. The new syllabus for Part 3 is streamlined to focus on four core areas that are the most critical for internal auditors: Business Acumen, Information Security, Information Technology, and Financial Management. To keep up with technological disruptions, it is essential for internal auditors to possess advanced technology skills such as data privacy and cybersecurity; which is why 45% of Part Three is focused on these areas. Internal audit’s roles in strategic risks and data analytics were also added.

Part 1 and Part 2 have been revised to more closely align with The IIA’s Standards. The new Part 1 exam assesses Attribute Standards, such as the foundations of internal auditing, fraud, and governance, risk management, and controls. The nature of internal auditors’ work is evaluating and contributing to the improvement of an organization’s governance, risk management, and controls processes; therefore, 35% of Part 1 is focused on these areas. The new Part 2 focuses on Performance Standards, such as managing the internal audit activity and performing internal audit engagements. Planning and performing engagements, and communicating results are what internal auditors do every day, which is why 80% of Part 2 is focused on internal audit engagements.

Here’s a look at what specifically has been updated in each part

Part 1 – Essentials of Internal Auditing

The CIA exam Part 1 is well aligned with The IIA’s International Professional Practices Framework (IPPF) and includes six domains covering the foundation of internal auditing; independence and objectivity; proficiency and due professional care; quality assurance and improvement programs; governance, risk management, and control; and fraud risk. Part one tests candidates’ knowledge, skills, and abilities related to the International Standards for the Professional Practice of Internal Auditing, particularly the Attribute Standards (series 1000, 1100, 1200, and 1300) as well as Performance Standard 2100.

CIA Part 1 domains are allocated as follows:

Foundations of Internal Auditing (15%)

Independence and Objectivity (15%)

Proficiency and Due Professional Care (18%)

Quality Assurance and Improvement Program (7%)

Governance, Risk Management, and Control (35%)

Fraud Risks (10%)

Additional noteworthy elements related to the revised Part 1 exam syllabus:

IPPF elements such as the Mission of Internal Audit and Core Principles for the Professional Practice of Internal Auditing are included.

The syllabus features greater alignment with The IIA’s Attribute Standards.

The exam covers the differences between assurance and consulting engagements.

The exam covers appropriate disclosure of conformance vs. nonconformance with the Standards.

The largest domain is “Governance, Risk Management, and Control,” which makes up 35% of the exam.

A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.

Page 29: Risk-Based Performance Management - Internal Auditor · 8 BY Majed Al RasheedKnowledge Update Top 2019 risks for internal audit: Data-related issues looms large, elevating internal

INTERNAL AUDITOR - MIDDLE EAST 29 JUNE 2019

Part 2 – Practice of Internal Auditing

The CIA exam Part 2 includes four domains focused on managing the internal audit activity, planning the engagement, performing the engagement, and communicating engagement results and monitoring progress. Part 2 tests candidates’ knowledge, skills, and abilities particularly related to Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600) and current internal audit practices.

CIA Part 2 domains are allocated as follows:

Managing the Internal Audit Activity (20%)

Planning the Engagement (20%)

Performing the Engagement (40%)

Communicating Engagement Results and Monitoring Progress (20%)

Additional noteworthy elements related to the revised Part 2 exam syllabus:

The syllabus features greater alignment with The IIA’s Performance Standards.

The exam covers the chief audit executive’s responsibility for assessing residual risk and communicating risk acceptance.

The largest domain is “Performing the Engagement,” which makes up 40% of the exam.

A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.

Part 3 – Business Knowledge for Internal Auditing

The CIA exam Part 3 includes four domains focused on business acumen, information security, information technology, and financial management. Part 3 is designed to test candidates’ knowledge, skills, and abilities particularly as they relate to these core business concepts.

CIA Part 3 domains are allocated as follows:

I. Business Acumen (35%)

II. Information Security (25%)

III. Information Technology (20%)

IV. Financial Management (20%)

Additional noteworthy elements related to the revised Part 3 exam syllabus:

The number of topics covered on the Part 3 exam has been greatly refocused to the core areas that are most critical for internal auditors.

The exam syllabus features a new subdomain on data analytics.

The information security portion of the exam has been expanded to include additional topics such as cybersecurity risks and emerging technology practices.

The largest domain is “Business Acumen,” which makes up 35% of the exam.

A portion of the exam requires candidates to demonstrate a basic comprehension of concepts; another portion requires candidates to demonstrate proficiency in their knowledge, skills, and abilities.

… Wherever your journey takes you, as the only globally recognized internal audit certification, the CIA accelerates your success as a credible and proficient internal auditor. Join the over 157,000 CIAs in 170+ countries awarded the designation that adds immeasurable distinction with only three letters.


It is my pleasure to share my practical experience as Group Head of Internal Audit for Hayel Saeed Anam (HSA) Group since Mar 2011: the experience of taking accurate actions to solve the key challenges facing the Internal Audit function, from scratch to innovation.

1. Fragmented Internal Audit Function

2. Lack of Internal Audit Policies and Procedures

3. Absence of Risk Based Audit Methodology

4. Threat to Internal Audit Independence

5. Lack of Awareness of Internal Audit Role

6. Lack of Audit’s Competence

7. Lack of Automation and Data Analytics Tool

1. Fragmented Internal Audit Function:

The Group has internal control function but in the traditional way and not based on modern Internal Audit basics as per the International Professional Practices Framework (IPPF) issued by The Institute of Internal Auditors (IIA).

Action Taken:

• Set-up Group Internal Audit Function from scratch.

• Gathered all the auditors under centralized regional audit function.

• Assigned Regional Head of Internal Audit for each region.

• Introduce the service-based billing system, based on the actual audit assignment hours conducted at each company under one pool of one centralized audit function.

• Provided all the resources and assistance to the Regional IA Function.

• Centralized reporting of Regional IA Function to Group IA Function.

2. Lack of Internal Audit Policies & Procedures:

There is no one consistent audit practice implemented across the Group. Each independent IA function has its own set of audit practice. There was absence of IA Charter, inconsistent audit working papers, and reporting templates.

Action Taken:

• Develop IA Charter, approved by the Board Chairman.

• Develop Group IA Manual (Policies & Procedures).

• Communicated the IA Charter and Group IA Manual across the Group.

• Encourage suggestion proposals for continuous improvement.

Practical Experience: Key Challenges Facing Internal Audit

By: Awad Elkarim Mohamed Ahmed

To comment on the article, email the author at [email protected]

3. Absence of Risk Based Audit Methodology:

The internal auditors were carrying out very routine audit, with more emphasis of coverage rather than based on high risks. It was more of a checklist approach by the internal auditors to perform during audit.

Action Taken:

• Introduced Risk Based Audit methodology in the Group.

• The Group IA Methodology made was based on Risk Based Audit in the IA Manual.

• Carry out road-show map with extensive training.

• Introduce the concept of Risk Assessment at the audit planning stage.

• Encourage developing Internal Risk Register.

4. Threat to Internal Audit Independence:

I observed a threat to IA independence: initially, the Internal Auditors were reporting to the General Managers of the Companies. Internal audit recruitment, termination, reporting and performance appraisal were being done by the Companies’ General Managers.

Action Taken:

• Introduced individual Internal Auditors reporting to the Regional Head of IA.

• Provide authority to the Regional Head of IA over his audit team.

• All the Regional Heads of IA have a functional reporting line to the Group Head of IA in order to ensure independence.

• Group Head of IA’s functional reporting to the audit committee and Chairman of the Board.

5. Lack of Awareness of IA Role:

There was a lack of awareness in the Group about the role of IA. This was due to many factors. The auditor was deploying classic audit techniques and Audit was considered as police catching the auditee for errors and mistakes. The role of internal audit was also confused with internal control. For some of the General Managers (GMs), it was a newly set-up function.

Action Taken:

• Carry out Group wide road show map with the regional General Managers (GM’s).

• Introduce the vision, mission, role, and benefits of IA.

• Establish open door policy with the top management.

• Stress the participation of IA in strategic meetings and projects.

• Carry out several structural changes by segregating IA from Internal Control.

6. Lack of Audit Competence:

Initially, there were hardly any criteria to hire Internal Auditors. Most of the Auditors were internally transferred from other functions. The auditors lacked audit experience and had no professional certifications.

Action Taken:

• Encourage existing Auditors to pursue CIA certification, incentivized them by reimbursing the exam cost for those who passed the exam and become CIA holders.

• CIA certification preparation training course conducted to selected 25 Auditors based on passing a qualifying exam set especially for course attendees’ selection.

• All new hires made mandatory to have bachelors (Business/ Finance) and at least CIA. Additional complementing certificates desirable such as CPA, CCSA, CRMA, CFSA, CISA, CFE, etc.

• Introduce internal training and knowledge sharing initiative within the IA function, power point presentations sent through email to all regional Audit teams.

• Successfully delivered by myself a training program “Internal Audit Core Skills” to Hayel Saeed Anam (HSA Group) audit team in Yemen, 30 hours training held at “Al Saeed Foundation of Science and Culture” attended by 114 Auditors from Sanaa, Aden, Taiz, and Alhodeidah. Similar trainings held at different regions.

7. Lack of Automation and Data Analytics Tool:

Urgent need to transfer from manual to automation.

Action Taken:

Audit software selection based on the following criteria:

• SAP Compatibility: The audit software should be compatible with the SAP system which can easily integrate and can extract reports.

• Audit Management: The audit software should have the following functionality; risk based annual audit plan, scheduling, audit management, performance reporting, electronic working papers, recommendation tracking, comprehensive reporting, and resource allocation

• Common Platform: The software connected to one platform, enabling multiple teams working at multiple locations and the manager can review offsite.

• Common Depository: The software should provide access to the regional/group head to locate the audit engagement working papers, audit reports, etc. from one place.

• Language: Require feature of the software in Arabic especially for Middle East, the software language must be Arabic and English.

Awad Elkarim Mohamed Ahmed, CIA, CFSA, CGAP, CCSA, CRMA, CCEP-I, ASQ CQA, CSAA, IFQ, ACSI, CFE, CACM, CICA, CRBA, Group Head of Internal Audit at Hayel Saeed Anam (HSA) Group; Board Audit and Risk Committees Member at Tadhamon International Islamic Bank (TIIB)


Audit Expectations

When Trust Turns Into an Opportunity

By: Majed Al Rashid
Editor: Ayman Abdel Rahim

Motivation, rationalization and opportunity are the three factors that must be present for a fraudster to commit fraud. The motivation may be material (to make money) or moral (to achieve fame). Rationalization is the justification of the act to be committed: the reasons by which one persuades oneself that the act leads to a justifiable benefit and, in some cases, an acquired right. The third factor, the availability of an opportunity, is the most important because it is the only one that can be overseen, controlled and reduced. The opportunity factor is the possibility of a defect in the procedures, such as a lack of control measures or a lack of effectiveness. However, what if the trust factor among staff, which is required to accomplish business smoothly and easily, becomes an opportunity that can be exploited and manipulated without affecting the person committing the act?

An incident at one company shows how disregarding certain procedures out of trust in particular staff eventually led to fraud, and the same could occur in any other company. The added trust placed in particular personnel, coupled with leniency or laziness in implementing controls, caused this fraud case, as the remainder of this article describes in detail.

Incident Details

A certain company is made up of a group of showrooms. According to company policy, each showroom should have at least one manager and an assistant; however, because of a shortage of hired staff, some showrooms are run by one person only. That is the situation in this fraud case: one of the company's showrooms had an inventory difference because the showroom manager was selling products for his own personal account (the sales were not registered in the company's books). He could do so because he worked alone at the showroom, without a second pair of eyes. Later, the company decided to appoint another employee, an assistant manager, to help him perform his assigned tasks. This decision came as a gift from heaven to the manager, a way out of his inventory troubles... So, how did that happen?

The manager decided to go on a short leave of several days. The company's procedures stated that the showroom inventory must be counted and documented in the inventory books before the showroom was handed over to the assistant, who would then be responsible for it during the manager's vacation. However, the manager belittled the importance of the inventory count to the assistant, telling him that it was just a formality, that this was only a short leave of absence, and that it did not warrant all the hassle and effort of going over the entire inventory. He thus convinced him simply to sign on the dotted line. The assistant was persuaded and signed on the basis of trusting his manager (the assistant was not keen to apply the company policy). The manager affirmed that there were no differences in stock and told him orally, not in a written report, that he would take charge of the showroom again once he returned from his leave. The assistant therefore took charge of the showroom, and the manager travelled on vacation.

After the manager returned from his leave, two days went by without him asking his assistant to hand the showroom back to him, as had been agreed orally between them. As soon as the assistant asked the manager to carry out the handover, the manager replied: “I do not take charge of anything until after an inventory counting”!!! ... He then raised a letter to the company's main office to contact the showrooms management, asking for an inventory committee to oversee the process and complete the showroom handover. The committee attended, oversaw the inventory count and found differences in the numbers... The assistant was shocked, stated that he was not aware of such differences, and pleaded his innocence: he had not sold these items during the manager's vacation period!!! The committee then asked him, “Is this not your signature on the inventory record?”, to which he replied, “Yes, but it is just a formality”. The inventory committee informed him that as soon as he signed the records he became responsible, and that he was now accused of embezzlement from the company.

The assistant was obliged to pay the value of the stolen items, which he did not steal, and was relieved of his duties. This exact scenario happened with two others in the same way... The manager steals; the assistants pay the difference. Had the assistant applied the system and internal policies of the company, he would have protected himself from exploitation by such fraudsters. Later, the company made a surprise visit and conducted an inventory count at the same showroom, which helped uncover the manager's misdemeanor and resulted in the company taking the appropriate action against him.

Lessons learned

Analysis of the incident yields some lessons that must be shared:

· It is necessary to know the purpose of the policies and procedures that are developed and applied, and not just skip through them without applying them. Employees must understand the policies and procedures assigned to them or, at the very least, ask colleagues if any point is unclear.

· The company must analyze any fraud incident, dive into its root causes, and not take any measures without fully knowing these causes. In the incident discussed in this article, the company only dismissed the employee(s) without analyzing the root causes of the incident.

· The recurrence of the incident indicates a certain pattern of fraud that must be acknowledged and prevented from ever happening again. In this incident, the same method was used with three different employees in the same showroom by the exact same manager.

· Staff rotation helps detect errors, abuses and any differences in inventory, as a result of the receipt and delivery process. The company did not have a policy of rotating its staff between its showrooms.

Conclusion

Policies and procedures are designed to safeguard the work, and the existence of trust among staff must not prevent these policies and procedures from being applied. The case of fraud addressed in this article showed that trust can turn into an opportunity that may be exploited. Without such an opportunity, the showroom manager would have been unable to hide the stolen items from the inventory and would not have been able to shift responsibility onto his assistant.

Majed Al Rashid

To comment on the article, email the author at [email protected]

Fostering Fundamentals

How to establish the Internal Audit Department in 8 simple steps?

By: Arif Zaman

I am fortunate to have experience of establishing the Internal Audit Department in several parts of the world.

I have been asked by a couple of new audit leaders to assist them in the formation of the Internal Audit Department. Based on my personal experience, I would like to illustrate my approach and share my learning experience in the following steps:

Step 1: Tone At The Top - This is the most vital component before establishing any function, especially internal audit. Internal auditors need the utmost support of top management and the Board in establishing the Internal Audit Department. Once they have it, it will be easy to get the framework and reporting structure approved, which will allow internal auditors to maintain their independence and objectivity.

Step 2: Business Understanding - It is very important to be acquainted with the culture and business acumen of the company. This gives a general idea of the company's risk maturity and control environment; accordingly, an internal auditor can determine the approach for pitching the Internal Audit Department framework.

Step 3: Structure - The structure of the Internal Audit Department is crucial. Some of the important questions to ponder are: where will the Internal Audit Department fall within the organization structure, to whom will it report, and who will have the decision to hire or fire internal auditors? In order to maintain independence, the Internal Audit Department shall report to the Audit Committee or directly to the Board.

Step 4: Audit Committee Charter - Once the reporting line is defined, an Audit Committee Charter shall be developed to define the role and responsibilities of the Committee. The Charter shall be approved by the Board.

The model template of the Audit Committee Charter is available at the IIA website.

Step 5: Internal Audit Charter - The second governing document after the Audit Committee Charter is the Internal Audit Charter, which defines the role and responsibilities of the Internal Audit Department. The Internal Audit Charter shall be approved by the Audit Committee.

The model template of the Internal Audit Charter is available at the IIA website.

Step 6: Policies and Procedures - As per the IPPF, the Head of Internal Audit must develop internal audit policies and procedures to regulate, standardize and document the audit activities. The policies shall cover, but not be limited to, the following processes: annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting to different stakeholders, quality assurance, etc. The policies and procedures shall be approved by the Audit Committee.

Step 7: Budget - The Audit Committee shall approve a budget for the Internal Audit Department that is sufficient to attract good talent and provide resources for the department to carry out its functional activities.

Step 8: Liaison with Management and Other Departments - The Internal Audit Department shall meet with Management and the other departmental heads to develop business and operational understanding. Engaging all other departments, especially the second line of defense, will enable the Internal Audit Department to work together with them, leveraging their expertise to bridge silos within the organization. This interaction may also help in developing the Audit Universe and carrying out the Risk Assessment.

Once the above prerequisites are met, the Internal Audit Department can proceed with carrying out an annual risk assessment, developing an annual audit plan, presenting it to the appropriate authority for approval and executing the audit engagements according to the plan.

Arif Zaman, FCCA, CIA, CISA, CPA, CFE, is the Head of Internal Audit at Emaar Industries and Investments, based in Dubai, UAE.

To comment on the article, email the author at [email protected]