SHAPING TALENTED AUDIT TEAMS
The top 10 innovative professional development programs for internal auditors
FEATURES
COVER STORY: Shaping Talented Audit Teams. Innovative ways to improve the skills of your internal audit team and increase their business acumen. BY BRUCE TURNER & JACQUELINE TURNER
DEPARTMENTS
Reader Feedback
Knowledge Update: New Reports from IIA UK and Netherlands; Data Analytics; Risk Management Guidance for Boards; Business Continuity Management. BY VISHAL THAKKAR
UAE-IAA Events
Governance Perspectives: A healthy corporate culture is essential to good corporate governance and therefore it should be audited. BY ROBERT NOYE-ALLEN & KAMI NUTTALL
Conversations with Colleagues: Harsh Mohan talks about the important role of internal auditing in risk management.
Human Resources: Five characteristics of a successful chief audit executive. BY AYMAN ABDELRAHIM
Fostering Fundamentals: Having proper controls around construction projects provides better information and increases the chances of success.
BY KETAN BHOOLA
BY FARAH ARAJ
Disagreements on Information Technology Strategy

The article "Information Technology Strategy" (Sept 2014) was a very interesting read and in particular because it reflected the views of a Chief Information Officer. However, I did not agree with his recommendation for internal auditors to be cautious and avoid commenting on the strategies selected by management. Since internal audit should determine the effectiveness of the IT strategy, therefore we do need to question and understand the business case for the various IT initiatives and how they map to the enterprise objectives. For us to be seen as partners, we do need to raise risks we identify in various initiatives undertaken by management and not just raise risks relating to the strategic planning process. Very often I find that business cases developed are not fully justified and mislead management into making the wrong decisions.

Nada Al Chalabi
Senior Audit Manager Information Systems
Dubai, UAE

Enjoyed the Information Technology Special Issue

I read with interest the articles published in the IT Special Issue (Sept 2014) of Internal Auditor - Middle East magazine. I applaud the clarity with which articles were written; they have a good amount of interesting material without being too long-winded or full of jargon. I especially liked the conversation with Deloitte's leadership team (Tariq Ajmal and Fadi Sidani) and GRC by Satish Yadav. I agree with Tariq and Fadi on the fact that technology is changing the internal audit profession and that the future focus should be on data analytics and cybersecurity. I also like Satish's view how GRC technology is the way to improve and streamline risk management efforts. However, I would have liked to see insights on top IT risks relating to ERP technologies like SAP and Oracle. This is because not all companies in the UAE have even implemented full-fledged ERPs and many are still in their early stages. Going forward, I would like to see more IT related articles in the magazine on a recurring basis as IT is an integral part of an effective internal audit process.

Rahul Vaid
IT Auditor
Abu Dhabi, UAE
Over the past year, there has been a marked increase (from 68% to 82%) in the number of heads of internal audit reporting functionally to the chair of the audit committee, which results in an increase in internal audit effectiveness. However, there was little change in the number of respondents (57%) who felt the level of risk maturity in their company was well established.

In terms of the skills needed by internal auditors, the top 3 skills identified by respondents were 1) Communication Skills, 2) Problem Identification and Solution Skills and 3) Knowledge of Industry, Regulatory, and Standards Changes. The report also covered quality assurance and the results show that over 60% of respondents had an External Quality Assessment carried out by an independent party in the past 5 years. This figure rose to 75% in the financial services sector.
https://www.iia.org.uk/policy/wwwiiaorgukgovandrisk2014/

The main conclusion from the research and round tables conducted was that combining internal audit and second line of defense functions is not the preferred solution considering the Three Lines of Defense model as well as safeguarding the auditor's independence and objectivity as advocated by the Institute of Internal Auditors.

The report also covered the basic conditions and safeguards which should exist when combining internal audit and second line of defense functions:
Internal audit should not make managerial decisions.
Internal audit's role should be formalized in the internal audit charter.
Segregate the persons carrying out such responsibilities from the core internal audit team.
http://iia.nl/actualiteit/nieuws?newsId=1613

42.8 million is the total number of security incidents detected in 2014.
35% of security incidents are carried out by current employees of a company.
Source: PwC's Global State of Information Security Survey 2015
http://www.pwc.com/us/en/cfodirect/issues/cyber-security/global-information-security-survey-2015.jhtml
The UAE Internal Audit Association Construction Subgroup held its first Business Event, which was hosted by the UAE Society of Engineers, in Dubai on 23 September 2014. The event was attended by Abdulqader Obaid Ali along with Syed Imtiaz (Chairman of the Construction Subgroup) and Hakim Lalipurwala (Vice Chairman of the Construction Subgroup), who discussed areas of mutual cooperation with Maged Farouk Hanna, General Manager of the UAE Society of Engineers.

In addition, Mike Lewis (Head of Internal Audit at Abu Dhabi Airports) and Mr. Matt Irvin (Senior Project Manager) delivered a presentation titled "Risks in Supply Chain Management in Mega Construction Projects". The presentation highlighted the mechanisms used by Risk Management and Internal Audit to manage and mitigate the various risks faced in a mega construction project. The speakers informed the participants about the Three Lines of Defense framework to help improve overall effectiveness of risk management and internal audit.

The UAE Internal Audit Association's Hospitality Subgroup held its first meeting on 15 October 2014 at Abu Dhabi National Exhibitions Company. The session was well attended and led by the Hospitality Subgroup Chairman, Aldrin Sequeira, who is currently the Chief Internal Audit Officer for the Jumeirah Group.

The session also had 2 interesting specialist presentations. The first was a presentation by Deloitte, led jointly by Grant Salter (Director - Head of Travel, Hospitality and Leisure Advisory) and Hossam Samy (Principal - Enterprise Risk Services), discussing "Hospitality: Middle Eastern Trends, Challenges, and how the Internal Audit Profession can Support the Growth". This was followed by an interactive session by Protiviti on Corporate Governance in the hospitality sector led by Nagesh Suryanarayana (Director - Internal Audit and Risk Advisory Services).

"Organizations are now trying to align their corporate governance frameworks in line with leading practices globally and local regulatory mandate. Some key examples include, establishing internal audit functions, risk management frameworks, board evaluation matrices, establishing board sub-committees, enhancing reporting and disclosures frameworks," explained Nagesh.
Auditing Culture
Can internal auditors really give adequate assurance on corporate governance without auditing corporate culture?
Internal auditing is an evolving discipline, not least due to changing business environments and stakeholder priorities. In 2014, auditing culture has emerged as a new area of focus, a response to growing awareness that hard controls aren't the only ones that matter. Soft controls that stem from a company's culture are also vital for good governance.

Corporate culture is not only about the values an organisation espouses, but also how the organisation lives them. The desired values need to be communicated, embedded and monitored. The extent to which these values are being applied is a legitimate subject for internal audit reporting, although there are challenges in applying this philosophy.

Guidance recently issued on the subject by the Chartered Institute of Internal Auditors in the UK and Ireland recognises that auditing indicators of culture is complex: internal auditors need to be comfortable in their understanding of culture and risk culture.

Chief Audit Executives should ask themselves: can we really offer adequate assurance on the effectiveness of our organisation's governance, risk and controls if we haven't given any consideration to the culture and risk culture of our organisation?

If there is any doubt about the importance of assessing the application of stated values, consider Enron and its stated values of community, respect, integrity and excellence. But where is it now? Examples from elsewhere around the world (Lehman Brothers, AIG, and Nortel) also indicate there is a powerful link between poor culture and performance, and ultimately corporate failure.

Cultural indicators are not always easy to recognise and rely on interpretation. In the case of Lehman Brothers, for example, their risk appetite could be interpreted as being high, and they seemingly ignored the signs that suggested that the subprime market was experiencing a high number of defaults. Executives were still paid highly despite company underperformance. Decisions were taken to hide some of the company's liabilities, resulting in a misstatement in the balance sheet. The company's culture was tied to risk-taking behaviours and a poor control environment.

On the other hand, good culture does seem to support good performance. The success of global brands such as Apple and Google could be attributed in part to their powerful cultures that bind people together and set the tone for high performance.

Internal auditors are primed to understand their organisation's control environment, in line with COSO 2013. However, that control environment needs to be considered in the context of both hard and soft controls. The challenge for internal auditors is that assessing the effectiveness of soft controls is very different to assessing the effectiveness of hard controls.

A useful starting point is to consider what we mean by soft controls. They include:
Commitment to ethics and integrity;
Attitudes to risk taking;
Board oversight of performance and internal control;
Accountabilities, responsibilities and structures;
Reporting lines; and
Recruitment practices: a commitment to attract the right people in line with the organisation's objectives and values.
Recommendations for auditing culture

Consider what kind of culture the organisation champions, and how this is measured across operations. For example, does your company have stated values and what type of indicators exist for measuring that employees are living the values? Does your organisation use staff surveys to understand employee attitude and behaviours? Does your senior management team listen to employees and take action when necessary? Do they operate an open or closed door environment?

Ensure corporate culture is considered within your organisation's risk management framework. Who owns it? For example, what does your risk management policy say about risk culture? What kind of risk culture does the company promote and how does it compare to reality? Do the company's risk-taking activities match its risk appetite and stated policies?

When it comes to developing the internal audit strategy and annual plans, agree with your board and executive team what culture means to the organisation and a form of reporting on softer issues to maintain confidentiality and sensitivity. Ensure your audit and risk universe incorporates culture as a viable audit entity or as a theme which cuts across all audits. Ensure internal audit plans are designed to seek evidence of softer controls such as leadership, ethics and values. This will require judgement based on sound knowledge. The Chartered Institute of Internal Auditors talks about using gut instinct when forming a view.

The COSO framework provides a good basis for evaluating a company's control environment, and ascertaining what kind of control culture exists. For example, are decisions decentralised or centralised? What tone is set by the Board? Is there a good relationship between the Board and the Executive? What kind of reward and retention packages does the company offer, and is it linked to performance?

Remember that hard control issues are indicators of soft control weaknesses. For example, consider the frequency with which controls are overridden, as this could be an indicator of managers who are interested in outputs at any cost. Also, consider the effectiveness of communications: what is the company telling employees? Is information transparent or secret? Are auditors evaluating final reports for evidence or indication of culture related issues?

Consider the broader messages and not just the symptoms derived from individual audits. If material weaknesses have been identified, root cause analysis (e.g. asking the question "why?" 5 times) will help identify the reasons why an issue has occurred, and whether there is an underlying problem that is linked to corporate culture and values.

Comment on corporate culture (informed by your consideration of soft controls) in your annual assurance to the business. This could be through a reflection of whether audit confirms or validates that corporate values are lived. This could be a result of an evaluation of all final audit reports issued during the year. Consider the processes management has in place for engaging with staff, and ensure these processes are two-way/reciprocal. Support your experienced auditors and encourage them to ask questions that address cultural issues and soft controls.

Ensure your internal audit team has the necessary training and interpersonal skills to pick up on and understand indicators of cultural issues. Ask yourself who is the most appropriate individual to conduct a review of culture.

Always audit with your head up: be aware of what is going on around you.
Traditionally internal auditors are wary of providing subjective judgement; we are hardwired to believe that professional judgement should underpin opinions. Auditing soft controls and organisational culture requires a certain attitude of mind and awareness. It requires an understanding of the iceberg effect: what is hidden from view may be of greater potential impact than what is visible. It also needs the capacity to put individual audit pieces together to form the bigger picture: local reports and recommendations need to be considered from an organisation-wide perspective to see if any patterns emerge. Many internal auditors are exploring ways in which to encompass culture within their opinions.

This sounds challenging, and it is. Auditing culture is not necessarily about people, but about behaviours, attitudes and, fundamentally, values. Nevertheless, it is a challenge that internal auditors need to accept if they are to provide the more rounded assurance on governance, risk and controls that their stakeholders require of them. Corporate culture is an emerging agenda item, being pushed by regulators and stakeholders. It can no longer be ignored. It is a key part of every company's second line of defence.

ROBERT NOYE-ALLEN is a Partner in Moore Stephens LLP
KAMI NUTTALL is the Head of the Centre of Excellence in the Governance, Risk & Assurance Group of Moore Stephens LLP
Harsh Mohan, Etihad Airways Senior Vice President of Audit, Compliance and Risk, shares his experience on the role of Internal Audit in risk management

In an exclusive interview, Internal Auditor - Middle East spoke to Harsh Mohan, CPA, CA, who joined Etihad Airways (Etihad) in 2011 and is now the Senior Vice President of Audit, Compliance and Risk. He started his career over 31 years ago in internal audit and used the experience gained to successfully work across various functions in the airline industry including finance, procurement, risk management and strategic cost management. Before joining Etihad, he was the Auditor General Auditor and Senior Director of Business Transformation at Air Canada. Harsh is an active supporter of the UAE Internal Audit Association (UAE-IAA) and a prominent speaker on the topic of risk management.

Internal Auditor - Middle East met with Harsh Mohan at the Etihad Airways Head Office in Abu Dhabi.
How important is risk management to Etihad?
(Smiling) Our business is managing risk. I want you to think of a metal cylinder which is 70 meters long, has 400 people, with engines operating at temperatures around 1,000 degrees Celsius, packed with 100,000 liters of fuel and travelling at a speed of over 800 km/h. This is, very simply put, what an airplane is. But the passengers are reclining, watching videos, listening to music and are completely comfortable. This is what risk management is all about; taking an inherently high risk such as safety and managing it to a residually low level.

What role does Internal Audit take with respect to risk management at Etihad?
At the start of every internal audit plan, we carry out a thorough risk assessment, and based on inherent and residual risks, we formulate the internal audit plan. Doing proper risk assessments is a complex task which requires deep knowledge of the business. It also requires a high level of independence to report on major risks in a fair manner and for these risks to be acknowledged by management. Internal Audit has a solid understanding of the business and is sufficiently independent of management. It therefore makes sense to use the risk assessment carried out by Internal Audit as the basis for the company's enterprise risk management framework. In most non-financial services institutions, having a separate function carry out this role would be a waste of resources. So we send the risk assessment results to senior management so they can identify existing or required controls that will manage a particular risk within the company's risk appetite. So management identifies the existing or required controls, and we, at the time of our audit, assess the risk and audit the controls in place. Internal Audit at Etihad Airways validates the risks that the company is facing and assesses the effectiveness of the controls put in place to mitigate those risks.

Does this approach impair your department's independence?
No. We do not own the risk mitigation process. The assessment of risk and corresponding facilitation sessions with management are the roles performed by Internal Audit. As my title suggests, we deal with risk and not risk management, differentiating between the two. We make a clear distinction between our role and management's responsibility to manage risks. Our approach is based on the IIA position paper on Internal Audit's role in Risk Management and each stakeholder's role in the Risk Management process is clearly defined.
Also to give more comfort to our Board and regulators, we have a separate team within the department which carries out the risk assessment and facilitation sessions. This team reports through me to the full Board. This process of reporting to the Board makes the risk management process more effective.

How is Internal Audit able to assess and provide assurance on risks to strategic objectives?
Every risk management framework refers to risk as something which impedes the achievement of your objectives. We start our strategy by defining our top strategic objectives and cascading them downwards to the business units and individual departments. When we assess risk, we look at objectives from all three layers, and this way, it focuses on adding value to what really matters to the business.
For example, one of our strategic risks is the capacity of Abu Dhabi Airport to support our growth. We are expecting to transport 15 million passengers in the coming years. So Etihad worked with Abu Dhabi Airports Company to expand the airport to Terminal 3 and is now adding additional capacity in the new Midfield Terminal. As Internal Audit, we will look at the controls in place to mitigate this strategic risk. In other words, what action is being taken by management to mitigate capacity constraints? This could include audits of project oversight, baggage handling, customer services etc. I also sit as an observer on the Midfield Terminal project committee to understand how management is addressing the capacity strategic objective.

What about Internal Audit's role in providing insight on emerging risks?
Risk management is an ever evolving process! Take for example the CEB's (Audit Plan Hot Spots - https://www.executiveboard.com) views on the top risks from 2010-2014. You will notice that the top risks have changed over the past five years. Now one of the major emerging risks is cybersecurity. When carrying out our assessment of risk, we need to focus on such areas and ensure that management and the Board are made aware of them.

Some chief audit executives may not be providing advice or assurance on risk management. What are your thoughts on this?
As the needs of the business evolve, there will be a need for Internal Audit to evolve to support the business. Internal Audit has the skills required to support the risk management process and add value to the business. By focusing on risk, Internal Audit will be included in management discussions and committees and this will elevate its status because of our knowledge of the business. If Internal Audit does not step in, someone else will and that department or person will go far ahead of Internal Audit. Chief Audit Executives who do not play a role in risk management face a high risk of becoming obsolete.

"The company which manages its risk the best is the one which succeeds"
Human Resources
Characteristics of a Successful Chief Audit Executive
BY AYMAN ABDELRAHIM, EDITED BY MEENAKSHI RAZDAN
TO COMMENT on the article, EMAIL the author at ayman.abdelrahim@outlook.com
The increasing complexity of companies, combined with the impact of today's global economy, has resulted in a variety of new business risks and challenges. To help in responding to these new risks and challenges, it is essential for a company to have a highly skilled Chief Audit Executive (CAE). This CAE must possess several core characteristics which will allow him or her to be successful.

One clue to these characteristics can be found in the meaning of the word "Audit", derived from the Latin word "audire" which means "to hear". Successful CAEs hear what is happening within a company and also hear what stakeholders have to say. Therefore, a successful CAE is one who is not only technically solid but also has appropriate behavioral characteristics. The mix of essential characteristics that should be found in a CAE is as follows:

1. Strategic Thinking
The CAE plays an important role in providing assurance on whether the organization has the ability to achieve its objectives or not. This means that a CAE should understand the company's business and how he or she works together with top management to achieve a company's strategy in order to help guide the organization in the right direction.

2. Mastery of Risk
The CAE needs to establish risk-based internal audit plans to ensure that the priorities of the internal audit activity are consistent with the company's goals. Accordingly, it is necessary to have a high sense of risk awareness and of how the organization manages its risks; the CAE should also be aware of any emerging risks and understand the impact of changes in the industry or the external environment.

3. Leadership Ability
The CAE should have strong leadership skills which are demonstrated even beyond the internal audit department. The CAE should inspire, motivate and challenge the auditors to take greater ownership of their work. Empowerment is important to achieve high performance; without empowerment internal auditors cannot own their work and take responsibility for their results. Also, the CAE should have the ability to create new leaders for the organization; those leaders can drive the future of the organization.

The CAE can play a significant role in driving change in the organization and can be an effective champion for innovation, by providing improvements in strategy and activity through promotion of innovation and awareness of emerging opportunities and risks. The competencies for critical thinking, innovation and improvement are very important for a CAE to succeed.

4. Effective Communication
Listening to stakeholders and understanding their needs and concerns is vital for the CAE role. Strong communication skills can help in building positive relationships with senior management and business leaders. Communicating issues accurately and prioritizing them is also important. Another important thing is using the right words in the audit report, which demonstrates the professionalism of the CAE and the audit team.

5. Desire for Knowledge
Knowledge distinguishes a leader from a non-leader. The CAE should be constantly alert to best practices and industry trends, and should inspire internal auditors to develop themselves and maintain a commitment to ongoing training and learning.

"If you want to be successful, you have to be willing to invest in yourself"
Richard Chambers, CIA, QIAL, President and CEO of The Institute of Internal Auditors

Conclusion
As the requirements of companies change, the required characteristics of a successful CAE will also need to change. CAEs have a big role to play in a company by helping an organization remain aware of and effectively manage its current, strategic and emerging risks. To be successful at this role, a CAE needs to have a combination of the characteristics mentioned above to allow him to add value to a company. In today's world, it is absolutely critical for a CAE to continuously upgrade his or her skills in order to meet the changing expectations of companies and the internal audit profession.

AYMAN ABDELRAHIM, MQM, CIA, CCSA, CFE is a Chief Internal Auditor at a government organization in Dubai.
BY KAMRAN AHSAN
Shaping talented audit teams
A veteran chief audit executive and a technical specialist join forces to showcase innovative professional development programs for internal audit.
A fundamental role of internal auditors in the twenty-first century is to add value to the business and help it achieve its objectives. At the same time, employee talent management has become a priority, as stakeholders recognise that internal auditors need to understand the business.

This article focuses on ten developmental programs across three tracks (illustrated in Exhibit 1) that can be structured to close skill-gaps and provide the internal audit activity (IAA) with practical insights into the business.

Imperatives
"There is broad diversity of need for technical and soft skills and a need for internal auditors to operate at a sufficient level of competence to show the value of the profession." IIA Global Council 2014

Leaders of our profession have clearly spelt out the importance of talent management:

Thinking strategically to reduce the talent gap was emphasised in the IIA's Tone at the Top newsletter in January 2013. The article also noted the need to support professional development and encourage staff to work collaboratively with other business units to promote cross-pollination of knowledge.

Skill-set gaps were identified by delegates at the IIA's Global Council meeting held in Dubai in 2014 as one of the top five obstacles the profession faces through 2020.

Understanding business was identified as very important by over 70% of respondents to the IIA's 2010 global survey. This was the highest rated of 18 technical skills.

Maintaining compliance with professional auditing standards underpins audit value, with proficiency and continuing professional development emphasised in standards 1210 and 1230 respectively (i.e. possess and/or enhance knowledge, skills, and other competencies).

Maximising individual potential is a key to being an employee of choice. It helps to create a highly satisfying place to work, and improves the intellectual capital within the IAA.

Keeping internal audit fresh and up-to-date through effective audit leadership. In a June 2014 blog, the IIA President and CEO Richard Chambers emphasised the importance of audit leaders being role models, focusing on positives, being goal-oriented, making the time for the team, and getting help from others through effective delegating.
Implementation of professional development programs is another leadership imperative.

Key steps
"Tell me and I'll forget; show me and I may remember; involve me and I'll understand." Chinese Proverb

Identify the competency needs of your IAA. These may already be identified through the IIA's Global Internal Audit Competency Framework or within a defined IAA Professional Development Plan. Determine any related development programs that your entity already has in place. For instance, well-established graduate and mentoring programs exist in many entities. Assess the best options for tailored development programs that suit your IAA. From the program overview table, select one or two programs to implement now, and others that might be beneficial in the future.

Develop the selected programs for your IAA, building up from the bottom of the ten building blocks in Exhibit 2. Recognise that motivation and state of readiness to learn are important considerations in identifying the right participant/s.

Finally, irrespective of which program is chosen, ensure that fresh ideas and insights are generated for the IAA. This is the critical payback phase.
[Exhibit 2: the ten building blocks, listed from top row to bottom row]
Row 4 (top): Engage participants and undertake program | Provide fair and valued learning feedback
Row 3: Road test and promote the program | Select participants based on selection criteria | Establish and provide suitable induction
Row 2: Define aim, desired outcome, and strategy | Align to entity career development strategies
Row 1 (bottom): Identify IAA skill gaps and learning objectives | Consider the key principles of audit learning | Select best programs; formalise key elements
Program Overviews : Bringing business people in
Program 1 : Graduate Program
Design Aims : Introduce governance, risk and control fundamentals to entity's graduate program participants.
Primary Benefit : Helps shape career of potential future leaders, through experiential learning.
Secondary Benefit : Brings youthful enthusiasm into IAA. Builds ambassadors for IAA through a good experience.
Key Features : Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core
activities of entity.
Program 2 : Guest auditors - for specific engagements
Design Aims : Draw guest auditors onto specific audits where their technical skills are needed.
Primary Benefit : Delivers subject matter experts from technical business areas to IAA to bring expertise to particular audit
engagements. Example: a Western Australian mining company utilised engineers to great effect.
Secondary Benefit : Runs for shorter duration than other programs, and is informal and less structured.
Key Features : Provides graduates an IAA rotation to deliver practical insights on auditing, and holistic appreciation of core
activities of entity.
Program 3 : Guest auditors - longer term secondments
Design Aims : Leverage expertise of business staff.
Primary Benefit : Drives audit improvement strategies through technical advice on audit planning, fieldwork or reporting.
Secondary Benefit : Brings in a free expert resource.
Key Features : Facilitates secondment of operational staff from business areas to IAA for defined periods (several weeks or months).
Program 4 : Middle management rotation program
Design Aims : Build capability of middle managers, whilst drawing business experience into IAA.
Primary Benefit : Helps management by giving high potential middle managers opportunity to learn first-hand
about entity-wide governance, risk and control arrangements.
Secondary Benefit : Facilitates two-way learning. IAA gains services of respected business people to work on audits.
Helps to build business acumen in auditors.
Key Features : Delivers longer term learning benefits for future executives through structured program; CAE partners with C-suite.
Delivering in-house programs
Program 1 : Alumni Network
Design Aims : Invite alumni to IAA events to provide insights on direction, planning and strategies of IAA.
Primary Benefit : Uses structured approach to leverage rich source of ideas, insights and perspectives that former
internal auditors have gained in their new roles.
Secondary Benefit : Achieves progress through sharing for professional counterparts.
Key Features : Provides basis for staying connected with experienced auditors who move into other parts of business or to other entities.
Anticipated outcomes
"The best minute I spend is the one I invest in people." Kenneth Blanchard

Well-structured professional development programs can help shape a legacy that goes beyond the outcomes traditionally expected of members of the internal audit profession. In particular:
- The CAE creates a highly satisfying place to work, which helps to attract and retain excellent staff.
- The value of internal audit is enhanced in the eyes of the entity's most senior executives (commonly called the C-suite) and the audit committee, through practical insights gained by drawing business-based expertise into more complex audits.
- The IIA as a whole benefits by improving its intellectual capital and expertise; building on the overall talent at its disposal; and enhancing its credibility through technically strong outputs. Programs interfacing directly with the business have the added benefit of showing the human face of internal auditors.
- Business specialists brought into the IAA benefit from the insights that they gain in respect to corporate governance, risk management and internal control; skills which they will need as they move into future senior leadership positions. They are also influenced to become ambassadors for internal audit.
- Auditors placed into the business or involved in in-house programs gain job enrichment; build their skills; gain greater understanding of the business; and take steps to maximise their individual potential.

BRUCE TURNER, CGAP, CRMA, CFE, CISA, PFIIA, FFin, FIPA, MAICD, FAIM is an audit committee chairman in Australia and Chairman
JACQUELINE TURNER, B.L JS, GradCertFraudInv is a white collar crime analyst at a multi-national financial services institution in Australia
BY LALIT DUA

Auditee Feedback
Positive and Honest feedback adds to Audit Effectiveness

One of the important factors for an effective audit is Auditee feedback which has commonly been ignored and has not usually been part of professional discussions. It appears very simple and nice to read this statement but all internal auditors know how much effort it takes to get focused, positive and value adding feedback from an auditee. Dealing with behavior and responses of auditee during this process is quite a challenge.

The auditee should recognize the fact that his enhanced performance, through auditor's recommended corrective measures, will help in achieving his department's objectives. So establishing an honest understanding of objectives of the audit and respective roles of auditor and auditee, should take place before the start of the audit process.

The Need for Feedback
Audit reviews can be a smooth journey if both auditor and auditee understand the objective and both of them work in coordination and participation with each other, to achieve desired improvements. The auditor has to ensure transparency in review approaches, conduct and finalization of the audit. The auditee also has to support the review by demonstrating confidence in auditor.

Feedback from auditees is a confirmation on the auditor's analysis of data, compilation of information, approaches of audit, observations made, acceptance of recommendations etc. The auditee is the one who can approve or reject the internal auditor's efforts, which should be done diligently and honestly. Even the auditee at higher levels of management will not accept the observations unless they have been accepted by the previous levels of management. Hence the auditee can even make or break auditor's positivity of approach in audit review.

The auditee's feedback should be specific to the issues/observations, timely and be delivered in an appropriate way.

A. Specific to issues
Feedback is at its best when it relates to a specific observation, data analysis and audit query. The auditee feedback will be to the point and constructive if all the relevant details have been provided as any gap will lead the auditor to an unwanted direction. Submitting an audit observation to auditee like "Observed that exercise of identification of slow, non-moving and dead inventory items is not effectively conducted during the year" will not yield any tangible feedback unless it is specific like "As per policy the exercise of identification of slow, non-moving and dead inventory is not being done quarterly and our exercise of identification of such inventory items resulted in 12 such items, the detail of which is in the attached statement."

B. Timeliness
The auditor is required to submit any detail or observation to auditee well in time and for the period under review. Any undesired delay in feedback will lose its significance and may delay the process of audit. The sooner the auditor identifies the requirement of changing approach, working and source of information/data, the sooner they can correct the point involved and conclude the audit effectively.

C. Manner
Feedback should be given in a manner that will help to improve audit performance. Since people respond better to information presented in a positive way, feedback should also be expressed in a positive manner. It must be accurate, factual, and complete. Feedback is more effective when it reinforces what the auditor did right and/wrong and then letting him judge what needs to be done during the course of audit.

Frequency and Stages of feedback
The feedback from the auditee can be regular or as requested by the auditor. Regular feedback can be given as and when the auditor discusses processes, asks for records and data for review and when querying the auditee about some observations. The auditee feedback is expected to be with positive intent as it would depict auditee desire for the auditor to add value.

The periodic feedback sessions are normal features of any audit review where formally the details of issues to be discussed and feedback to be taken from the auditee are provided in advance. The feedback is documented and is either taken as base for the next level of audit review or forms part of report itself. With effective feedback, auditor will be working in right direction and will be more potent in conduct of audit.

A. Feedback in the opening meeting with auditee
The auditor has to explain to auditee the objective, scope, tentative duration of review, initial record and details required in the Kick off meeting. The meeting will give opportunity to the auditee as well to raise questions and ask for clarifications, if any from the auditor. At the end of the meeting his clear understanding about the whole process of the review is a kind of feedback whereby he gives his concurrence and assures of complete support.

B. During conduct of audit
While conducting audit reviews the auditor is applying different approaches and techniques of audit. He also makes verbal and written communication on issues involved in reviews. The responses, actions, reactions and behavior of auditee to such activities are a kind of feedback to auditor on how the audit review is being conducted. After having explained the scope and objective of audit review in the kick off meeting, the auditor should ensure that the review is being conducted within the same scope, with positivity and without any intention to find mistakes, errors, frauds etc. The moment the auditee will get any sense of negativity in what the auditor is doing; the auditee will withdraw himself and will tend to feed or provide whatever has been asked without any positive participation. The end result will be extra efforts by the auditor, not enough confidence in whatever is being done and non-participation of the auditee in the process of improvement.

C. In the closing meetings
The feedback requirement in the closing meeting should not come as a surprise. It is better to raise issues as they arise in the course of an audit, having a constructive discussion on the spot as and when required. The closing meetings are done at various stages and with various auditees during the course of finalizing audits. Since these closing meetings are done with concerned auditee, department and functional heads levels so types of feedback at each of these levels will differ in content and style. The process of getting feedback in the closing meetings will be smoothened if auditor has been transparent in his approach and conduct during the course of audit.

Overall feedback
Though an auditor is getting feedback at different stages and from different level of auditees and management staff on specific areas of audit, the practice of getting an overall audit feedback has been formalized in many organisations. The criteria on which overall performance of audit is to be evaluated are many and in use. It is the maturity of the organisation and the role of the auditor it has foreseen, which defines the list of criteria for feedback. An organisation may even require the auditor to rate different auditees also on defined criteria.

The overall feedback on different aspects of the audit sets a benchmark or highlights the gaps in performance acceptance of management from audit department.

Conclusion
Auditee feedback on different aspects of the audit sets a benchmark or highlights the gaps in performance acceptance of management from audit department. Each audit observation has to be taken up in its right perspective, without over doing and mis-interpretation. An auditee expects to be given the opportunity to give their perspective, a process that helps to gain their commitment, so the auditor should welcome feedback. By adopting and implementing a collaborative approach to feedback and highlighting the ultimate aim of the audit to support auditees in order to improve organizational performance, will provide solid foundations for a positive experience for all concerned.

LALIT DUA, CA is head of internal audit at
BY TIM J. LEECH

Many years ago I wrote a seminal article titled "Control & Risk Self-Assessment: The Dawn of a New Era in Corporate Governance". That article, and the ideas in it, played a significant role launching my first company in 1991, and had a significant impact on the profession globally. Almost 25 years later this article describes recent developments and forces that will almost certainly see the onset of an even more profound and significant transformation, truly the dawn of a new era in internal auditing.

Traditional/Historical Internal Auditing
I joined the profession as an internal auditor in the summer of 1981. Since that time the profession has evolved and advanced in many positive ways, but continues to be bound by some fundamental and confining paradigms. The paradigms include:

1. Internal auditors plan, execute, and report results of point-in-time audits.
2. Internal auditors assess internal controls and report opinions on whether they believe controls are effective.
3. Internal auditors report what they believe to be control deficiencies, material weaknesses, significant deficiencies or opportunities for improvement.
4. Direct report auditing is the primary approach used globally. In a direct report engagement the auditor evaluates the subject matter for which the accountable party is responsible. The accountable party does not make a written assertion on the subject matter they are responsible for.
5. The profession has been primarily supply driven not demand driven.
6. Internal audit does not usually know, or require that management and boards define, the type and amounts of risk the company and its board are prepared to accept.
7. A majority of internal audit departments have not, for a variety of reasons, assessed and reported on risks to the organization's top strategic/value creation objectives, or the effectiveness of the entity's entire risk management framework.

The traditional/historical direct report approach to internal auditing described above is now under attack. Evidence collected globally in 2014 indicates dramatic drops in internal audit customer satisfaction.

Key Developments Globally

Board responsibility to oversee management's risk appetite and tolerance significantly elevated - Following the 2008 global financial crisis commissions were convened around the world to try and understand what had gone wrong and prevent similar destabilizing events in the future. A unanimous conclusion was that boards of directors and, to a lesser degree, regulators, had not adequately discharged their duty to oversee what is increasingly being called management's risk appetite and tolerance.

Creation of the world's first preeminent regulator guidance body Financial Stability Board (FSB) - Shortly after the onset of the global financial crisis a decision was made to create a new super regulatory power, the Financial Stability Board (FSB). This organization, currently chaired by Mark Carney, Governor of the Bank of England, with representation from governments and financial sector and securities regulators from around the world, has, with unprecedented speed, formulated and disseminated what is most aptly termed "paradigm shift" guidance with an overarching, albeit unstated, goal of reengineering corporate governance globally. One of the FSB's most significant contributions to date is a November 2013 guide for national regulators, companies,

Codification of board responsibility to oversee management's risk appetite and tolerance - In parallel with the FSB, regulators around the world have started to enact regulations that reflect key FSB recommendations, particularly the need to assign primary responsibility for risk management and reporting to management; and risk appetite/tolerance oversight to boards of directors. One of the most graphic illustrations is the new UK Governance Code issued in September 2014. It positions responsibility for risk oversight squarely with boards of directors; calls on management to design, implement and maintain effective risk governance frameworks; and calls on boards to seek independent assurance that management has, in fact, designed, implemented, and maintained effective risk governance frameworks. It is expected other major countries that want to improve the integrity of their capital markets will follow the UK's lead.

Internal audit customer satisfaction plummets as these regulator driven developments gain traction globally - a summary of customer satisfaction surveys done by 3 major consulting firms and the Institute of Internal Auditors was reported in the July 2014 IIA Pulse on the Profession Report referenced earlier. The report paints a graphic picture of a significant and very recent decline in board and senior management satisfaction with traditional/historical direct report internal audit services.

What This Means to the Internal Audit Profession Going Forward

Need to Transition from Direct Report/Spot-in-Time Auditing to Attestation Reporting on Management Representations on Risk Framework Effectiveness and Risk Status - the FSB has defined roles for the board, senior management, and internal audit that call for a fundamental accountability shift - a shift that requires management continuously assess and report upward on risk status, and for internal audit to assess and report opinions to the board how well management is discharging their assigned risk governance responsibilities. This new paradigm requires radical and fundamental shifts in existing IIA certification curriculum and training offerings. IIA IPPF professional practice standard 2120 was modified in 2010 specifically to provide support for the shift, and the Certification in Risk Management Assurance (CRMA) launched globally. Internal audit departments will need to evolve from the business of performing traditional spot-in-time direct report audits and providing subjective opinions on control effectiveness on a small percentage of the risk universe and, instead, focus substantially more resources on providing assurance to boards that senior management is creating and maintaining effective risk management and reporting frameworks.

Educate Boards of Directors on Evolving Expectations - the evolution of these expectations is likely to evolve at varying speeds and intensity in different countries. Not all senior management and board members have been actively following the evolution of these new expectations, and not all national regulators have codified risk governance expectations with the clarity and simplicity of the September 2014 UK Governance Code to spur the needed transition. It is also important to note that not all CEOs and CFOs are likely to welcome direct responsibility for creating and maintaining effective risk appetite frameworks and providing formal and candid reports on residual/retained risk status to their boards.

Look for Opportunities to Gain the New Knowledge and Skills Required - If internal auditors are to accept and assume the type of responsibilities defined by the FSB earlier in this article, they must retool their knowledge and skills. Instead of the traditional internal audit focus on providing subjective opinions on control effectiveness, internal auditors now need to acquire the knowledge and skills to assess and report on the reliability of management's risk appetite frameworks, including management's reports to the board on retained/residual risk status. This means learning the type of vocabulary defined by the FSB in its Principles For An Effective Risk Appetite Frameworks guidance and the globally accepted ISO 31000 and ISO Guide 73, and gaining the knowledge and skills necessary to identify the full range of risks, risk treatments, and a picture of residual risk status, not the much narrower assessment of traditional internal controls internal audit has historically focused on. More importantly, internal auditors need to continuously assess and report on whether the current residual risk status related to key strategic and foundation objectives is currently within the board and senior management's risk appetite and tolerance.

Closing Remark - Recognize that aversion to change is a human condition - this short article outlines events and drivers that call for radical and quantum change in the current internal audit paradigm. A natural human trait is to resist radical change and favour smaller and more incremental steps. The dramatic drops in customer satisfaction statistics described in the IIA July 2014 Pulse on the Profession report have led to the IIA literally issuing A CALL TO ACTION to internal auditors around the globe. Addressing rapidly evolving and escalating customer and regulatory expectations will require the profession globally make rapid and radical changes if it is to ensure it remains fully relevant to key customers in the years to come. There is a well-known adage that states necessity is the mother of invention. The need for radical and rapid change in the traditional internal audit delivery model is real. It's time the internal audit profession literally reinvent itself to meet the needs of key customers, particularly boards of directors. No small task to be sure, but a job that absolutely needs to be done. Best wishes for success as the profession decides whether it welcomes, or resists, the dawn of a new era in internal auditing.

Tim J. Leech CIA CCSA CRSA FCPA is Managing Director Global Services at Risk Oversight in Canada and is recognized globally as a thought leader and advisor in the risk and assurance field.
BY ROBIN SINGH

For as long as white-collar crime fraudsters have been a common occurrence throughout multiple industries, specialists have wondered aloud whether or not it is possible to properly develop a profile that allows organisations to accurately identify fraudsters while the fraud is happening, or in some cases beforehand. Of course, predicting crime before it actually happens is a concept best left to science fiction novels and movies at the moment, but what if there were some easily identifiable warning signs of potential fraudsters?

General Attributes
While any individual could potentially conduct fraudulent actions, there does seem to be some basic elements that make an individual more likely to take part in fraud. According to a study by KPMG[1], the typical fraudster displays the following attributes:
- Is between the ages of 36 and 45. More than 70% of fraudsters fall into this age group.
- Acts with little regard for the organisations which they work for.
- Is employed in a position that gives them power over important organisational processes including executives, finance, operations and marketing.
- Has been with the organisation for six years, or long enough to know the internal processes of the company.
- Acts with others in committing fraud. According to KPMG's study, more than 61% of individuals that committed fraud did so with the help of at least one other individual.

Personality
Another compelling fact which the KPMG study brought forward was that a large percentage of fraudsters were extroverted (33%), friendly (35%) and highly respected (39%). These personality traits do not seem to be indicators of someone who is prone to fraud but when combined with traits like greed and desire for personal gain[1], one can then get a clearer picture of the personality of these individuals.

Studies have proven that these are people who are either malignant narcissist, or suffer from Narcissistic Personality Disorder (NPD), which is defined as an enduring pattern of inner experience and behavior that deviates markedly from the expectation of the individual's culture, is pervasive and inflexible, has an onset in adolescence or early adulthood, is stable over time, and leads to distress or impairment. Because these disorders are chronic and pervasive, they can lead to serious impairments in daily life and functioning.

Actually, to really go inside the mind of a fraudster, one needs to understand the traits of a person suffering from NPD:
- Have an inflated sense of their own importance; Believes that he or she is special and can only be understood by high status people.
- Have a deep need for admiration for themselves; a sense of superiority.
- Believe that they're superior to others.
- Constantly bending the rules for himself although outwardly criticising others for similar behavior.
- Have little regard for other people's feelings.
- Be intolerant of anything perceived as less than a perfect performance.
- Exaggerate their own achievements or talents.
- Expecting others to go along with your ideas and plans.
- Taking advantage of others.
- Trouble keeping healthy relationships.
- Be envious of others and / or believes that others are envious of him or her.

To add to the above, the Association of Certified Fraud Examiners (ACFE), mentions in its 2014 report that the financial losses resulting from fraud committed by Owners/Executives at companies were at least 3 times larger than the losses resulting from fraud committed by managers or employees. Similarly, the ACFE study showed that the longer a fraudster had worked for a company, the more financial harm he or she caused. This supports the conclusion that big game players are the ones who are at the top of the corporate pyramid.

"There is a strong correlation between the fraudster's level of authority and the losses resulting from the fraud" ACFE 2014 Report to

of your typical fraudster, it can be very difficult to implement fair policies that target individuals that fit that profile without causing some unrest within the company.
Project Controls: More than just a box ticking exercise

In my previous life as a site architect working on the design and build of a mega shopping center, I vividly recall a cold winter's morning, standing on site with the team that included "the finance guy", as we called him. He was understandably worried because he had to deliver a difficult message to the project team. The message? The project had run out of cash. The project manager was infuriated but all he could do was throw his hands in the air and walk off the site. Someone in our team said sarcastically, "so much for our project controls!"

What exactly are project controls? What do they do and why are they so important? In fact, in my experience, I have found that if you were to ask many people that question, you may be met with a few puzzled stares. However, the truth of the matter is that project controls are probably the most important element of any successful capital project delivery.

Project controls have much to do with monitoring all the metrics of a project. This can include quantities, time, cost, cash flows, risk reporting, etc. The simple definition in my book is that project controls are all the actions you would take to ensure that your project is delivered on time, on budget and in accordance with the project's design specifications. This of course means that project controls cover the entire life cycle of the project - from its initiation, to the planning, execution, monitoring and control and even at the project closeout phase.

Based on my experience, as an advisory partner to many leading developers in the region, I have summarized below what project controls we would expect to see in place on capital projects. This summary is by no means all inclusive, but will go a long way towards delivering a project successfully.

1. Stage gate approvals
As the project moves through the lifecycle from initiation, planning, executing, monitoring and control to close-out, we would expect to see formal sign-off from senior management and the key stakeholders. These stage gate approvals do not allow the project to proceed without the required formal documented approvals in place.

2. Policies and procedures
We have seen the use of detailed policies and procedures leading to improved project delivery functionality, from pre-development through to handover, leading to better decision-making, greater accuracy of forecasted spend and the capability to deliver on budget, thus limiting cost overruns. In essence, defining all the actions needed to be taken in a detailed policies and procedures document provides guidance to your team, makes their tasks predictable and ultimately, limits surprises.

3. RACI matrix
A Responsible, Accountable, Communicated and Informed (RACI) matrix describes the level of participation by the various roles in completing tasks and the project. This simple yet effective tool can be very useful in clarifying roles and responsibilities across the various departments/functions within the team.

4. Delegation of authority matrix
In most cases, we have observed the incorrect use of a delegation of authority matrix. Entities have moved to extreme cases where either too much or too little authority has been placed on the project team. The net effect allows variations to be carried out outside the mandate of the delegated authorities. In many of these cases we have also observed the use of retrospective approvals being obtained when the Variation Order is prepared. Having key personnel with the adequate level of authority and accountability is key to project delivery.

5. Project reporting
Daily, weekly and monthly reporting can provide a good mechanism to ensure projects are being accurately reported on. A report produced for the sake of reporting is meaningless. Below are examples of good practices that should be considered:

5.1 Forecasting and variance analysis
Monthly forecasting and variance analysis is essential to project reporting. The use of variance analysis on actual versus budget and forecasted cost data provides the "where did we plan to be, where are we now and what is the expected final cost of the project".

5.2 KPI and project specific KPIs
The project team should meet with senior management and the board at the start and during the project to develop, track and enhance the KPIs. This is the perfect opportunity to ensure all stakeholders are aligned, and the required KPIs are in place. We recently reviewed the monthly reporting of a leading contractor and observed that the contractor did not report on "Paid to date". The project team did not feel it was their responsibility to report on this metric as they felt that it was up to the finance team to report on payment related issues. We challenged the Board of Directors and senior management on the lack of input from other departments including finance and procurement departments in the monthly reports. We stressed the importance of including finance and procurement KPIs in the monthly reporting. This would also ensure they are measured accurately and in line with the needs of the business.

5.3 Absence of Early Warning Notices (EWNs)
This is essentially management looking out for anything on the horizon that would affect the delivery of the project. We work closely with senior management and the project team to develop and identify EWNs, so that problems are avoided and projects are successful in delivering the expected value for their owners and other stakeholders.

5.4 Work-in-progress (WIP) management
A recent client had completed his mega project and was happy that his project was delivered on time. While the project was slightly over budget, he believed that he had successfully delivered the project. In the months that followed, to his horror, he became aware of the fact that over 20% of the project value was still work in progress and had not been certified and accounted for before. To his disappointment, he began to realize his accruals and WIP management system was almost non-existent.

5.5 Earned value or value of work done
Like WIP management, the value of work done and earned value methodology needs to be closely monitored. The project team and consultants should be able to demonstrate a robust methodology to measure and communicate the real physical progress of a project taking into account the work completed, the time taken and the costs incurred to complete that work. If done correctly it should allow for effective management decision-making, which helps evaluate and control project risk.

Senior Management needs to have accurate project information, one version of the truth, to make informed decisions.

5.6 Risk management function
In our experience, we have seen a worrying trend where we find no evidence to support the fact that our clients identify risks, prioritize them, establish mitigating strategies to deal with these risks and then monitor the effectiveness of these strategies. In other words, we cannot effectively say that the majority of our clients have a robust risk management culture in their organization.

While the previous metrics may seem daunting to a project control office that is still in its infancy, it is important to realize that the aim of these is to provide useful information to management so that a project may be delivered successfully. Most organizations are encouraged to use metrics that work for them. For example, during the course of our advisory work, we have assisted leading clients with the development and use of a one-page project dashboard report. This one-pager would ideally be provided to executive management to help them provide the correct oversight on projects. In hindsight, it would have also helped our little shopping center back in the day!

Project Critical Success Factors

Top 3 critical success factors for Clients in projects:
1. Certainty of Cost
2. Qualified Staff
3. Return on Investment

Top 3 critical success factors for Contractors in projects:
1. Qualified Staff
2. Compliance with Specifications
3. Profitability

Source: Deloitte Survey at Arabian World Construction Summit 2014

KETAN BHOOLA, B.ARCH, MRICS, is an Assistant Director at Deloitte Corporate Finance Ltd.'s Infrastructure & Capital Projects division.