SCORING GOALS… - Internal Auditor – Middle … Alrais, MSC; Ayesha Bin Lootah, MBA; Naeima...

MARCH 2014 | WWW.INTERNALAUDITOR.ME

INTERNAL AUDITOR MIDDLE EAST
INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

SCORING GOALS…
A veteran chief audit executive shares his game-plan for adding value and meeting stakeholder needs

A Rigid Approach to Internal Audit Independence May Destroy Value
The Need for Enterprise Risk Management in the Public Sector
Companies in the Gulf States are Protecting Themselves From Fraud



© 2014 Ernst & Young. All Rights Reserved.

Laptops, smartphones, the cloud — your data gets around. And the more it travels, the more it’s at risk. EY’s Information Security team has an answer for every threat, a solution for every vulnerability. Information technology is always changing. Make sure your security can keep up. What makes us different is that we see things differently. You will, too.

Visit ey.com/mena

EY Abu Dhabi have moved offices to Nation Tower 2, Corniche.

Security threats come in many varieties. Your security should, too


From The President

Marvelous March!

Dear Readers,

March 2014 is turning out to be quite a marvelous month for the Institute of Internal Auditors (IIA) here in the Middle East and in the UAE in particular. This marvelous month is characterized by 3 major events:

1. The Global Council: For the first time in the Middle East, the UAE Internal Audit Association (UAE-IAA) is hosting the 11th Annual Global Council meeting from 9–12 March in Dubai. Leaders in the Profession from all over the world will meet to discuss initiatives and strategies for the future of Internal Audit.

2. The Regional Audit Conference: The month of March is also the month for the UAE-IAA’s premier regional event, the 15th Annual Regional Audit Conference. The theme this year is “Formula 1 Audit, The Future Race” and it will be a hi-tech event, where all attendees will receive pre-loaded tablets with the conference details. The conference will also feature presentations from global and regional experts to over 1,000 audit professionals.

3. Internal Auditor - Middle East: Also in March and with the help of a team of volunteers based in the UAE, Qatar & Australia, the UAE-IAA has launched Internal Auditor – Middle East with a vision to be the region’s leader for governance, risk management and control insights. Over the coming months, we will be connecting with the various IIA Chapters & professional associations from across the region to work with them to achieve the magazine’s vision.

The UAE-IAA’s Board of Governors, staff and volunteers are working tirelessly to promote the above events and serve the internal audit community in the region. I urge your continued valued support to the UAE-IAA by attending the events, conferences, securing sponsorships, writing articles, delivering training, volunteering at events, etc. We are a not-for-profit association and we can only succeed with the active participation and support of all.

Sincerely,

Abdulqader Obaid Ali
President


FEATURES / DEPARTMENTS

COVER STORY: Scoring Goals... Chief Audit Executives must focus their efforts on adding value to stakeholders and meeting their expectations. BY BRUCE TURNER

Is Internal Auditor Independence Destroying Value? With internal auditor independence being more of a theory than a reality, Chief Audit Executives should direct their efforts to addressing the risks that matter. BY DR. STEVEN HALLIDAY

Reader Feedback

Knowledge Update: A joint report from WEF & McKinsey on cyber attacks; Protiviti’s IT benchmarking report; Global risks for 2014; Middle East salary guide. BY VISHAL THAKKAR

UAE-IAA Events

Companies in the Gulf States are Protecting Themselves: With fraud on the rise in the GCC, companies must take active measures to mitigate it. BY YASER DAJANI

Conversations with Colleagues: Arindam De talks about the priorities of Chief Audit Executives for 2014. BY FARAH ARAJ

IT Audit: Companies can arm themselves with digital forensics capabilities. BY ISSAM ZAGHLOUL

Risk Management Implementation in the Public Sector: Having an effective Enterprise Risk Management framework is a key component in corporate governance in the public sector. BY GHALEB AL MASRI

Human Resources: Understanding the Arab culture is an essential part of a successful audit approach. BY TAMER GHEITH

Fostering Fundamentals: Effective soft controls form the foundation of a good control environment. BY AYMAN ABDELRAHIM


UAE INTERNAL AUDIT ASSOCIATION

BOARD OF GOVERNORS: Ahmed Al Ansari; Khalid Al Halyan; Mohamed Al Harthi, MBA, CRMA; Abdulqader Obaid Ali, CRMA, CFE; Naseeba Alrais, MSC; Ayesha Bin Lootah, MBA; Naeima Mohammed Al Menhali, MSC, CRMA; Ali Al Muwaijei MAFB, MFA, CRMA, CT31000; Nahla Al Qassimi, Ph.D., CRMA, CCP, CCA

EXECUTIVE COMMITTEE: Raza Abdulla; Abdulrahman Al Hareb; Arindam De, MBA, CFA; Karl Hendricks, CIA, CCSA, CQA; Rustom S. Kreidly, CPA, CRMA; Karem Obeid Fadi Sidani, CPA, MS; Rabi Youssef, CPA; Adnan Zaidi, CRMA, ACA, MBA, CCSA, CIA, CFE, CIPFA

GENERAL MANAGER: Samia Al Yousuf

TEAM: Thaer Abdulrazek; Aisha Akhtar; Yasmine A. El Aziz; Lorna Mungkal; Youssef Mustafa; Aileen Pelagio

Reader Feedback


UAE Internal Audit Association, an IIA Global affiliate

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]


PRESIDENT: Abdulqader Obaid Ali

EDITOR: Farah Araj (Acting)

EDITORIAL ADVISORY COMMITTEE: Farah Araj, CPA, CIA, CFE; Majed Bukhashem; Andrew Cox, MBA, MEC, CFIIA, CIA, CISA, CFE, CGAP, MRMIA; Raymond Helayel, CPA, CIA; Meenakshi Razdan, CA, CPA, CIA, CFE; Hossam Samy, CRMA, CFE, CPA, CGA; Nagesh Suryanarayana, MBA, CIA, CCSA; James Tebbs, CA; Vishal Thakkar, ACA, CIA; Issam Zaghloul, MSc, CISA, CISSP, CGEIT

MARCH 2014, VOLUME 2014: 1

CONTACT INFORMATION

ADVERTISING & ADMINISTRATION: Yasmine A. El Aziz, yasmeen@iiauae.org, Tel: +971 4 433 9082

EDITORIAL: Farah Araj, editor@internalauditor.me, Tel: +971 50 850 1780

DESIGN & PRINTING: Girish Mehta, Adventure Global, girish@adventure-global.com, Tel: +971 4 393 7696

ARABIC TRANSLATION & LAYOUT: Hossam Samir, Elaph Translation, hossam@elaphtranslation.com, Tel: +971 4 331 0332

GUIDELINES FOR AUTHORS: www.internalauditor.me

DISCLAIMERS

Internal Auditor – Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party.

The views expressed in Internal Auditor – Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers.

Internal Auditor – Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

Constructive views are welcome!

Internal Auditor – Middle East is published quarterly by the UAE Internal Audit Association (UAE-IAA), 8th Floor, Building 4, The Galleries, Downtown Jebel Ali, Dubai, United Arab Emirates


Knowledge Update

A COORDINATED SYSTEM OF GLOBAL CYBER RESILIENCE TO MITIGATE THE RISK OF CYBER ATTACKS

The report assesses the impact of cyber attacks and response readiness. It sets out alternative scenarios in which economic value from technological innovations is realized or lost depending on models of cyber resilience. The report draws on knowledge and opinions gathered through a series of interviews, workshops and dialogues with global executives and thought leaders to estimate the potential value that technological innovations can create through the year 2020. It then examines the value that could be at risk if the adoption of these innovations is delayed because of more frequent, intense cyber attacks which are not met with robust cyber resilience. The report draws conclusions from the analysis and research, and offers a roadmap for collaboration.

Many leaders in business, civil society and government realize that for the world’s economy to derive the value inherent in technological innovation, a robust, coordinated system of global cyber resilience is essential to effectively mitigate the risk of cyber attacks. This view is gaining momentum, and senior leaders in the private and public sectors and across different industries are holding many discussions as concerns about cyber resilience shift from ‘awareness’ to actual action. This insightful report is a joint effort between the World Economic Forum and McKinsey & Company.

http://www.mckinsey.com/Insights/Business_Technology/Risk_and_responsibility_in_a_hyperconnected_world_Implications_for_enterprises?cid=other-eml-alt-mip-mck-oth-1401

84% of CEOs say they are confident in their security program.

The number of incidents detected in the past 12 months increased by 25%, perhaps an indication of today’s elevated threat environment.

Source: PwC’s The Global State of Information Security® Survey 2014
http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml

BY VISHAL THAKKAR, EDITED BY ISSAM ZAGHLOUL

In the year ahead, in which of the following areas would you like your internal audit function to devote more of its time and/or sharpen its focus?

65%: RISK MANAGEMENT PROCESSES

Source: KPMG’s 2014 Global Audit Committee Survey
http://www.kpmg.com/global/en/issuesandinsights/articlespublications/pages/global-audit-committee-survey-2014.aspx


INSIGHT REPORT BY WORLD ECONOMIC FORUM HIGHLIGHTING GLOBAL RISKS FOR 2014

Global Risks 2014 is a thought-provoking report for policy-makers, chief executive officers and thought leaders across the globe to reflect on. It is a call for action to improve coordination and collaboration, going beyond the conventional roles and responsibilities of the public and private sectors, and to strengthen institutions so that they can understand, map, monitor, manage and mitigate global risks.

Today, our lives are changing at an unprecedented pace. Fundamental shifts in our economic, environmental, geopolitical and technological systems offer significant opportunities, but the interconnections among them also bring inherent systemic risks. Stakeholders across business, government and civil society face an ever-evolving imperative to understand and manage emerging global risks.

The report emphasizes the importance of understanding systemic risks, of long-term thinking to address and mitigate them, and of the critical role of today’s Generation Y. It also offers analytical insights into interconnected risks with the potential to have systemic consequences across the geopolitical, socio-economic and digital spectrums. The report features an analysis of a survey of over 700 leaders and decision-makers from the World Economic Forum’s global multi-stakeholder community on 31 selected global risks. For the first time, survey respondents were asked directly to nominate their risks of highest concern, and economic and social issues were placed at the top.

The report states that moving from urgency-driven, reactive risk management to more collaborative efforts to strengthen risk resilience would benefit global society. Together, leaders from business, government and civil society have the foresight and collaborative spirit to shape our global future.

http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2014.pdf

2014 MIDDLE EAST SALARY GUIDE AND REMUNERATION TRENDS BY ROBERT HALF

Starting salaries for professional occupations in the Middle East are projected to increase by an average of 3.8% in 2014, according to the Salary Guide published by Robert Half. The increase will vary depending on the sector, the position and the circumstances of the individual. Jobs in accounting, finance, and technology will lead the way, increasing on average 5% and 4.6% respectively. Qualified accountants will have strong opportunities with companies engaged in the real estate, construction, oil and gas, and FMCG sectors. Starting salaries for HR professionals are also expected to rise 1.2% in 2014, with all major industries hiring skilled HR professionals in the region.

A nominal increase in base pay is forecast for financial services professionals, with salaries rising 2.5% over 2013 levels. Internal audit, compliance, transactional banking and insurance underwriting are in high demand, but skilled professionals for these roles remain in short supply. Corporate banking, investment management and insurance sectors are seeing the strongest hiring activity.

http://www.roberthalf.ae/id/PR-03811/salary-guide-2014

ANNUAL IT AUDIT BENCHMARKING SURVEY BY PROTIVITI – 3RD EDITION

IT challenges, from controls and infrastructure to cyber security, are top-of-mind for organizations today. It is therefore critical to have a strong IT security framework in place along with a strong IT audit function. However, the results of Protiviti’s latest IT Audit Benchmarking Survey show that organizations have significant room for improvement in their IT audit practices to ensure an available, secure and efficient IT environment.

The top three technology-related challenges identified by the survey respondents were:
• IT security: data security, cyber security and mobile security
• IT governance
• Lack of successful ERP implementations, development and knowledge

Key findings from the survey show that:
• Data security is of paramount concern
• Organizations are not gaining the audit coverage they need
• There remain major shortcomings in IT audit risk assessments
• More organizations are implementing strong IT governance programs and practices

http://www.protiviti.com/en-US/Documents/Surveys/3rd-Annual-IT-Audit-Benchmarking-Survey-Protiviti.pdf


UAE-IAA Events

THE 3rd ANNUAL CHIEF AUDIT EXECUTIVE CONFERENCE

The successful conclusion of the 3rd Annual Chief Audit Executive Conference, which was held in Dubai on the 27th and 28th of November 2013 at the Atlantis, The Palm, was extremely rewarding. The quality and number of professional attendees and Internal Audit specialists who attended the two-day event proved to be very effective and added a positive and encouraging facet to the existing glory of the event.

The Chief Audit Executive Conference presented a very comprehensive program highlighting the latest topics in Internal Audit. Several topics were presented at the Conference, focusing on the most recent developments in audit fields and advanced solutions. In addition, the Chief Audit Executive Conference was the first paperless conference in the region, with each participant receiving a tablet which was pre-loaded with the conference application.

The Chief Audit Executive Conference exhibition was the gateway to the emerging and far-reaching Internal Audit field in the region. Wide-ranging services and products were displayed. A number of practical and interactive activities were run alongside the exhibition halls.

BY SAMIA AL YOUSUF


FORMATION OF SUBJECT MATTER GROUPS

Internal auditors deal with issues that are fundamentally important to the survival and prosperity of organizations in different sectors. Given the importance of increasing internal auditors’ knowledge of different sectors, the UAE-IAA has formed 6 Subject Matter Groups (SMGs) as follows:

1. Technology
2. Construction
3. Fraud
4. Governance & Risk Management
5. Banking
6. Hospitality

The SMGs comprise volunteers from the UAE-IAA’s membership (organizations and people) who share common interests in order to address specific areas. These members volunteer their time and services with the objective of promoting the internal audit profession. Each SMG will operate under the umbrella of the UAE-IAA in line with bylaws approved by the Board of Governors. These bylaws aim to ensure that the SMGs work to fulfill the UAE-IAA’s vision. The SMG bylaws require, among other things, the following:

• Promote the professional development of the UAE-IAA’s members.
• Conduct workshops/events/trainings pertinent to each SMG’s specialty.
• Submit articles to Internal Auditor – Middle East on areas of the SMG’s speciality.
• Participate in/conduct benchmarking.
• Report to the Board of Governors on the SMG’s activities.

Internal Auditors who are members of the UAE-IAA or of UAE-IAA member organizations are eligible, as individuals or organizations, to apply for membership of one or more SMGs. To volunteer your time for an SMG, please contact Ms. Samia Al Yousuf at [email protected]

Road Show to Promote the UAE-IAA’s 15th Annual Regional Audit Conference

In order to attract and benefit Internal Auditors from GCC countries, the UAE-IAA Board of Governors (BOG) decided to hold a campaign of visits to GCC countries to promote the upcoming UAE-IAA Annual Regional Audit Conference, with the theme “Formula 1 Audit: the Future Race”, and ensure maximum attendance. The road show was presented by:
- Mr. AbdulQader Obaid Ali (President of UAE-IAA)
- Dr. Nahla Al Qasemi (BOG secretary)
- Ms. Ayesha bin Lootah (BOG member)

They visited Bahrain, Dammam, Jeddah, Kuwait, Oman, Qatar, Riyadh and other countries in the region. A new destination for the road show was India, where Mr. Ali Al Muweijei (BOG member) promoted the conference during the Annual conference of IIA/Bombay Chapter.

The topics presented were: “The seven lessons learnt from audit: a personal journey”, “Why auditors do not discover fraud” & “Challenges that face young auditors”. The road show paved the way for more cooperation between GCC countries, especially those that don’t have IIA chapters. During the visits to Bahrain & Kuwait, the setting up of local dedicated chapters was discussed. The feedback received has been excellent, which should be a boost for the upcoming conference. All of them promised to support UAE-IAA in promoting the upcoming conference and get delegates to attend and benefit from the topics to be presented, as the conference will be held in English with some concurrent sessions to be held in Arabic.


KPMG is a global network of professional firms providing Audit, Tax and Advisory services. We have more than 155,000 outstanding professionals working together to deliver value in 155 countries worldwide.


TRAINING EVENTS

April 2014

Dates | Course Name | Number of CPE | Target Participants
April 2 & 3 | Quality Assessment Review - Based On The IIA Standards | 16 | Intermediate Level / Advanced Level
April 9 & 10 | IT For Non IT Auditors | 16 | Foundation Level / Intermediate Level
April 16 & 17 | Corporate Governance: Strategies For Internal Audit | 16 | Intermediate Level / Advanced Level
April 20 & 21 | Intelligent Cost Reduction | 16 | Intermediate Level / Advanced Level
April 20 – 24 | ISO22301 Business Continuity Management Systems – Lead Auditor | 40 | Intermediate Level / Advanced Level
April 23 & 24 | Continuous Auditing Methodology | 16 | Foundation Level / Intermediate Level
April 23-24 & 27-29 | CIA Arabic Part 3 | 48 | Intermediate Level / Advanced Level / Foundation Level
April 27, 28, 29 | Audit Manager – Tools & Techniques | 24 | Intermediate Level / Advanced Level

May 2014

Dates | Course Name | Number of CPE | Target Participants
May 1 | Audit Committee Reporting | 8 | Advanced Level
May 7 & 8 | Fraud Investigation Workshop | 16 | Foundation Level / Intermediate Level
May 11 & 12 | Cloud Computing Fundamentals For Audit Professionals | 16 | Intermediate Level / Advanced Level / Foundation Level
May 14 & 15 | Audit Report Writing | 16 | Foundation Level / Intermediate Level
May 18 & 19 | Financial Auditing For Internal Auditors | 16 | Foundation Level / Intermediate Level
May 18 – 22 | ISO27001 Information Security Management Systems – Lead Auditor | 40 | Intermediate Level / Advanced Level
May 21 & 22 | Evaluating Organizational Ethics | 16 | Intermediate Level / Advanced Level / Foundation Level

June 2014

Dates | Course Name | Number of CPE | Target Participants
June 4 & 5 | Enterprise Risk Management: An Introduction | 16 | Intermediate Level / Advanced Level
June 8 - 12 | CIA English - Part 3 | 40 | Intermediate Level / Advanced Level / Foundation Level
June 10 - 12 | Leadership Skills For Auditors | 24 | Intermediate Level / Advanced Level
June 15 & 16 | Control Self Assessment - Facilitation Skills | 16 | Intermediate Level / Advanced Level
June 17 - 19 | Anti Bribery & Conducting Business Responsibly | 24 | Intermediate Level / Advanced Level / Foundation Level
June 19 | How To Setup A Fraud Department (English) | 8 | Advanced Level
June 24 – 26 | ISO22301 Business Continuity Management Systems – Internal Auditor | 24 | Foundation Level / Intermediate Level
June 25 & 26 | Planning, Managing and Follow-up of the Internal Audit Project | 16 | Intermediate Level / Advanced Level

Contact Us:

For further information on course fees, content and trainer, please feel free to call or email us: Tel: 04 4339 102, Mob: 055 7275 100, Email: [email protected], [email protected]

UAE Internal Audit Association, an IIA Global affiliate


Conversations with Colleagues

BY FARAH ARAJ

ARINDAM DE

Protiviti’s Managing Director for the United Arab Emirates shares his insights and discusses the priorities for Chief Audit Executives (CAEs) in 2014.

In an exclusive interview, Internal Auditor-Middle East spoke to Arindam De, MBA, CFA, who is one of the founding members of Protiviti in the Middle East. Arindam started his career over 20 years ago as an engineer and a few years later moved to consulting, both business consulting and risk advisory. Arindam is also an active supporter of the UAE Internal Audit Association (UAE-IAA) and a member of its Executive Committee.

Internal Auditor-Middle East met with Arindam De at Protiviti’s office in Abu Dhabi.


Over the past few years, Protiviti’s profile has been increasing significantly within the region. What do you think is the reason for this?

(Smiling) Do you know that we only came to the region back in 2007? We set up the Middle East firm with a handful of people and now we have established multiple service lines that offer Internal Audit, Risk Management, Capital Projects, Business Consulting, Information Technology and Forensics solutions to clients across diverse sectors like Telecom, Banking and Financial Services, Oil & Gas, Utilities, Government, Healthcare, etc. This shows that we have been able to understand what our clients want, and over the years we have been able to successfully build a strong team of specialists to cater to our client needs.

Based on your experience within the region, what are your views on the emphasis that is being placed on internal audit?

You see, the maturity of internal audit in the region differs by both country and industry. At the country level, the “Tone at the Top” plays a key role in the emphasis on internal audit. We see that this tone is quite advanced in the UAE, as the Securities and Commodities Authority is driving good governance practices in listed companies across the country. Further, in Abu Dhabi, the mandate of the Abu Dhabi Accountability Authority (ADAA) has resulted in the creation of internal audit departments across various governmental and semi-governmental entities. Another good example is Saudi Arabia, where the combination of large businesses and good regulation has focused on the need for internal audit. There, the Capital Market Authority and SAMA have played an active role in advancing good governance and internal audit. It is generally seen that the financial services industry has the most matured internal audit functions within the region. This maturity has come from the market and central bank regulations (from the region and globally) which continue to emphasize the need for an effective and independent internal audit function. This industry is highly regulated and the financial implications of a risk are quite high due to the nature of banking business. Regardless of the regulation, the challenge every CAE faces is the need to increase awareness at the Board or Audit Committee level in order to drive “Tone at the Top”.

So what are the ways in which a CAE can increase the awareness of Board or Audit Committee members on internal audit and other related topics?

This is a journey that the CAE will need to take. Something like this doesn’t happen overnight or in one session. It starts with sharing new publications or thought leadership, followed by presentations and workshops on emerging issues in internal audit, governance, risk management, and internal control. You can even choose to invite experts from the profession to speak to the Board or Audit Committee. Such practices are not uncommon; many governance codes have provisions on the continued professional development of board members. By doing this, the Board or Audit Committee will slowly but surely realize the value of internal audit and the breadth of its mandate.

“Without sustaining your commitment to stakeholders it is difficult to succeed as a CAE”

You mentioned that financial services industry was one of your specializations and that internal audit functions in this industry are relatively mature. What do you think are the biggest challenges facing financial services industry in the region?

According to me, the top spot would be shared by two equally important challenges. The first would be regulatory risk. Banks globally and across the region are faced with a stream of new and complex regulations such as Basel Committee guidelines, FATCA, local regulations, etc. This puts a burden on the processes and systems that support compliance with such regulation. The second would be information security risk including privacy risks (including impact of cloud computing and mobile apps). Protecting the data of a bank and its customers from the latest technological tools & techniques that may be used to breach security protocols is vital to the continuity and reputation of any bank. Audit Committees would want assurance from the CAE that compliance & security risks are being adequately managed by the business.

What else would Audit Committees in the region expect from the CAE? In other words what should be the CAE’s priorities for 2014?

First of all, linking corporate strategy to the internal audit plan is a primary focus area. Internal audit is not only about compliance with policies and delegated authority. Audit Committees expect that a major portion of the internal audit efforts (whether assurance or advisory) are directed towards risks which hinder strategic objectives. This has also been emphasized by the Institute of Internal Auditors’ (IIA) Standards.

Secondly, we have seen many companies implement Enterprise Risk Management (ERM) programs, but has internal audit carried out its role in evaluating the effectiveness of this framework? ERM is a major investment for companies and Audit Committees need assurance from the CAE on this key initiative.

Finally, companies, and particularly in the governmental and semi-governmental sectors, are focusing on nationalizing their labor force. Regardless of program structure, all of them have a similar objective, which aims at recruiting and retaining local talent after training them. The CAE needs to review this program to see if the organization is taking the right steps in supporting the country’s nationalization drive. I feel that the Internal Audit Department should also extensively encourage young national talent to take up the internal audit profession.

Would these priorities be different for CAEs in Dubai & Qatar as they approach the Expo 2020 and World Cup 2022 respectively?

I would say that the priorities would still be relevant but with the boom in Dubai and Qatar, the nature of the risks (both strategic and operational) would also differ. The planned large-scale construction activity will impact both real estate developers and contractors alike; each of them would want to learn from the lessons of the past and ensure proper controls are in place (including controls to mitigate fraud risk). The boom will also bring in major M&A deals, new entrants to the market, etc. Therefore CAEs should actively be aware of such risks while assessing the impact of change and the effectiveness of the organization’s change management programs.

How can the CAE keep senior management and the Board or Audit Committee aware of any new risks that may arise during the audit cycle?

The traditional once-a-year risk assessment for audit planning purposes would not address this. Alternatively, integrating the internal audit process with the company’s ERM program would result in synergies and would better focus internal audit effort on the organization’s changing risk profile. For example, technology is becoming a bigger dimension in the internal audit world. As companies grow and become more automated, new audit areas such as social media risk and cloud computing risk become more prominent.

Any final advice to CAEs on how they can stay relevant given the challenges of the profession and changing Audit Committee expectations?

Professional knowledge and awareness is constantly challenged by global changes. As individuals, CAEs need to update themselves on what is happening globally & regionally by attending IIA conferences, building a strong professional network, reading thought leadership, participating in surveys, etc. This will help today’s CAE in aligning their internal audit strategy in a way that strikes a perfect balance with all of his stakeholders.

TO COMMENT on the article, EMAIL the author at [email protected]


SCORING GOALS…

A veteran chief audit executive shares his game-plan for adding value and meeting stakeholder needs

As the FIFA football World Cup in Rio de Janeiro, Brazil approaches, it’s timely to consider how well your internal audit team is positioned for success. Does your team have the skills, conditioning and coaching to succeed at the highest level in the boardroom?

Consider a ‘game-plan’ that will enhance your internal audit team’s goal-scoring potential by ensuring that your team:
• Is in tune with what’s really going on in the business, and what’s coming over the horizon.
• Discovers things that the audit committee and senior management didn’t know.
• Consistently delivers professional excellence at the levels demanded by high performing audit committees.

CASE STUDY

An entity needed to rebuild and re-energize its internal audit team from the ground up. The team was struggling. The results showed that they were well behind the exemplars … the Audit Committee’s average satisfaction rating sat at a lowly 55%. The champions were scoring around 90%.

A new ‘captain-coach’ was appointed in the form of the chief audit executive. He articulated the vision, and then established strategies to sharpen the team’s focus and direction, enhance its contribution, and satisfy the needs of the audit committee and other stakeholders.

After three years, the audit team was scoring sensational goals … they were providing fresh and meaningful insights. The function was widely regarded as high-performing and was seen as mature. Its overall approach, processes and reporting were representative of world class. And the Audit Committee’s average satisfaction rating had risen to 95%. Worthy World Cup contenders!

This article captures the essence of the transformation, and provides tips that you can champion irrespective of your position on the team.

BY BRUCE TURNER

Audit Management


TIP 2 Be balanced - apply a balanced approach to provide valued insights

Audit committees need skilled and competent internal auditors to help them to discover things they didn’t know. For instance, internal auditors with a solid ‘game-plan’ in the form of a risk based audit plan are well-positioned to:
• Identify emerging issues and risks.
• Make the connections, so the audit committee can understand the trends, systemic issues and reporting themes arising from internal audits.
• Provide insights on the culture of the entity, together with an opinion of the efficiency, effectiveness and ethics of its operations.
• Deliver creative reports, where the ‘picture is painted’ through photographs, pictures, illustrations, graphs, or video rather than many pages of written commentary.
• Provide assurance that management is embracing audit recommendations and achieving sustained improvements to the associated governance, risk and control arrangements.

TIP 1 – TOP TEN PRACTICES
1. Understand the environment in which the entity is operating, including external factors and competition.
2. Know the entity’s strategic direction – what’s happening now, what’s likely to happen, and what are the emerging risks.
3. Establish a constructive partnering arrangement with the audit committee, and build a high level of mutual trust.
4. Keep abreast of audit committee expectations through regular discussions (mainly chief audit executive and committee chair). Whilst formal reporting and presentations at audit committee meetings are vital, the informal discussions with members are often even more valuable.
5. Establish a comprehensive and structured stakeholder relationship program to know what is coming ‘across the horizon’.
6. Develop a risk-based and strategically focused forward work program that ensures that the internal auditors get into the right areas at the right time.
7. Establish high-level themes within the forward work program to facilitate future reporting on trends and systemic issues, rather than just focusing on the results of individual audits.
8. Assist the entity to value independent scrutiny and embed early in major system developments, construction and similar projects, and business re-engineering projects.
9. Strive to always deliver auditor excellence in what, when and how they do their work.
10. Get into the business to see what really goes on.

TIP 1 Be attuned - know the business and what needs audit focus

“The head of internal audit should live and breathe the business – not live and breathe auditing.”
Audit Committee Chair in Better Practice Guide issued by Auditor General of Australia

“I like the way that internal audit asks the right strategic questions and reports on trends and systemic issues rather than just focusing on the results of an audit.”
Audit Committee Chair


Given the symbiotic relationship between the audit committee and internal auditors, it is essential that internal auditors understand the changing needs of their stakeholders. Internal auditors can shape their own plans to be in tune with the business by drawing on:
• The vision, values, objectives and priorities of the entity’s strategic planning suite.
• The documented enterprise risks (both current and emerging) and legislative obligations.
• Information on the entity’s governance arrangements.


TIP 3 – TOP TEN PRACTICES
1. Review the internal audit charter each year so it remains relevant, consistent with better practice models, and complements the audit committee charter.
2. Maintain effective structural reporting lines, with functional reporting to the highest level, such as the audit committee and/or chief executive.
3. Showcase the role, standing, independence and contribution of internal audit in the entity’s published annual report.
4. Pursue positive trends in management’s perception of internal audit, through key measures such as the value add and usefulness of audit recommendations.
5. Tailor a balanced scorecard reporting approach that suits the nature of the entity.
6. Comply with professional auditing standards, and deliver an overarching quality assurance assertion to the audit committee each year.
7. Provide to the audit committee a periodic benchmarking report outlining the overall auditing capability (experience, average auditing years, qualifications, and professional certifications).
8. Establish recruitment and retention strategies that deliver a well-balanced auditing team with a professional culture. Complement the strategies with a professional development plan for internal audit.
9. Maintain internal auditor communication strategies to ensure consistency in dealings with stakeholders.
10. Maintain honesty and fairness in all reporting and relationships, at all times and at all levels; especially, handle sensitive matters in an impartial way.

TIP 3 Be credible - regarded as credible in the eyes of stakeholders

“The credibility of an internal audit function is underpinned by three key pillars – professional excellence, quality of service, and professional outreach.”
Audit Committee Chair

Professional excellence reflects that the internal auditing leaders:
• Maintain a risk-based auditing methodology that is efficient, effective, and contemporary, and leads to the timely discovery of issues and opportunities.
• Deliver value to the business and help management to achieve business objectives through governance, risk and control insights.
• Have a contemporary auditing mandate coupled with an independence of mind.
• Understand and consistently apply professional auditing standards.
• Establish a well-balanced multi-disciplinary team of auditors with relevant industry experience.
• Maintain a credible and capable auditing team that delivers the requirements of the internal audit charter and the forward work program.
• Establish a mandatory requirement for auditors to maintain continued professional development to stay relevant.
• Provide strong encouragement for auditors to pursue CIA and other auditing-specific certifications.
• Utilize professional outreach strategies to maintain connections with audit leaders and practitioners from outside their entity to avoid becoming too inward-looking.

TO COMMENT on the article, EMAIL the author at [email protected]

BRUCE TURNER, CGAP, CRMA, CISA, CFE, CFIIA (AUST), FIPA, FFIN, FAIM, MAICD is a former CAE and is now an audit committee chairman in Australia.

TIP 2 – TOP TEN PRACTICES
1. Achieve a balanced coverage in the forward work program, blending traditional areas of financial audit coverage with efficiency, effectiveness and ethics elements; incorporate deep dives and spot checks.
2. Position internal audit so that it is looked upon as a source of advice and provider of quality value-add services.
3. Expand involvement in activities that may be beyond traditional coverage, working with business leaders on areas like business continuity, risk management, and compliance until they reach a reasonable level of maturity.
4. Access industry and economic information independently to reduce reliance on management’s perspective of organizational and sector risks.
5. Tap into organizational health, and share impressions and insights on emerging issues with audit committee members.
6. Showcase the contribution to the business of internal audit activities in a comprehensive annual report to the audit committee and key executives.
7. Deliver crisp reports that really matter, and pitch them in a manner that aligns to the critical business drivers. Reports must be short, sharp and succinct.
8. Enhance high-level reporting to the audit committee by summarizing and reporting the outcomes of all audits under agreed themes.
9. Write ‘without fear or favor’, and ‘tell it as it is’ but write in a balanced style ‘for the world to see’ recognizing the concepts of freedom of information.
10. Undertake effective monitoring and reporting of the status of audit recommendations.


BY GHALEB AL MASRI
EDITED BY RAYMOND HELAYEL

Risk Management

RISK MANAGEMENT IMPLEMENTATION IN THE PUBLIC SECTOR

These days, risk management has become pivotal for the senior management of many public sector entities, as well as local and international entities. With this increasing focus on transparency in the public sector, and on the need to ensure quality and efficient service delivery to the general public – we see a gradual and even natural transformation from a ‘firefighting’ and risk identification culture within superficial, divisional, or individual level frameworks, to a culture devoted to strategic planning and continuous improvement. This shift to a strategic-planning oriented culture aims to improve work progress, and enhance staff cooperation as one team with a consistent and effective vision.

One of the most prevalent concepts about the public sector, in contrast with the private sector, is that it is fully supported by the government and is strictly controlled by laws and regulations. This leads many to conclude that the need for risk management in the public sector is nonessential. However, a number of factors must be kept in perspective:
• Globalization: In terms of service quality, efficiency, public outreach, etc., the public sector is comparable to other sectors.
• Lack of Resources: Even with government support, human resources, fixed assets, and budgets are limited, and therefore must be properly used, maintained, and conserved.
• Responsibility and Accountability: Even if the public sector is not primarily driven by profit, management must still be held accountable due to their responsibility towards the general public. The government’s commitment to the protection of public interests and the improvement of the quality of life remains a fundamental responsibility on which these entities can never turn their backs, and for which managements must be held accountable.

Enterprise Risk Management

Enterprise Risk Management (ERM) is a process involving the organization’s management board, managers, and other staff. It is carried out by developing an organization-wide strategy. This strategy identifies potential incidents that may affect it, and controls associated risks to keep them within acceptable levels. This in turn provides reasonable assurance with respect to the organization’s ability to attain goals set by the senior management.

Why Manage Risks?

In order to understand the importance of risk management, we need to examine corporate governance.

Corporate Governance

Corporate Governance refers to the system by which corporations are directed and controlled. It affects the way corporations identify and achieve their goals, and how risks are monitored and evaluated to ensure maximum performance improvement. If this system is effectively implemented, it brings about a major transformation on all levels: beginning with instilling a deeply rooted professional culture within individuals to raising their awareness about individual accountability and the organization’s goals, operations, and general strategic and holistic approach.

Corporate governance is typically viewed as a simple concept that is difficult to achieve in practice. As a theoretical notion, corporate governance is not complicated and comprises a number of clearly defined elements. However, when it comes to implementation, which involves building a whole system with closely connected constituents, corporate governance is anything but simple. As illustrated in the figure below, all elements need to be active and linked with one another. For example, the Risk Management element cannot add value to the corporation unless adequately supported and monitored by the Management Committees and the Management Board to ensure maximum benefit is secured.

Importance of Risk Management

First, we will provide a standard definition of ‘Risk’: Risk is the potential of losing something of value or of diminishing the opportunities for gain as a result of a given action or inaction, which may negatively affect an entity’s achievement of goals.

Thus, according to this definition, risk is not only about the likelihood of a future loss, it also addresses the potential of future failure in making use of and/or missing an opportunity for improvement.

From this perspective, the entities with the highest risk management efficiency are those most capable of maintaining their course in regards to success, growth, and goal achievement. Consequently, Risk Management has a number of benefits that include:
• Ensuring a stronger link between goals and operations on one side and the organization’s overall strategic vision on the other.
• Efficient communication between various functions to monitor and implement risk control plans and assess their impact.
• Increased awareness about the relationship between set goals, operations, and results.
• Improved capabilities of decision-makers based on more holistic and transparent information.

[Figure: elements of corporate governance: Risk Management; Internal & External Audit; Compliance & Professional Conduct; Board/Management Committees; Policies & Procedures]

TO COMMENT on the article, EMAIL the author at [email protected]

GHALEB AL MASRI, CPA, CIA, CFE is a finance & risk professional at a government department in Abu Dhabi.

Further, in order to understand the significant role of risk management, kindly look at the Risk Status (indicated in Red) of any major corporation as illustrated in the model across.

The Association for Financial Professionals (AFP) is the professional society that represents finance executives globally.

92%: Respondents who believe their executive management teams consider risk assessment important or extremely important

67%: Respondents who want to standardize risk and performance management reports

The most common action organizations are taking to counter current and emerging business risks is increasing the focus on risk culture and awareness within organizations, followed by increasing IT investments and increasing revenue growth targets.

Source: 2014 AFP Risk Survey, http://www.afponline.org/risksurvey/

[Figure: model showing Board/Management Committees, Policies & Procedures, Internal & External Audit, and Compliance & Professional Conduct alongside a risk heat map with Impact and Probability axes, rated from Low through Medium and High to Critical, on which risks 1 to 3 are marked]

1. Attract, retain, and develop human resources fit for the nature of work
2. Ensure accuracy, clarity and transparency of procedures
3. Set clear definitions and frameworks for inter-departmental coordination relating to their respective procedures

We note the wide range of risks and the difficulty of assessing their seriousness. We also note the absence of an efficient system for linking elements with risks.

This model highlights the importance of management and management committees and their central position within any organization, regardless of whether it is in the public sector or the private sector. Moreover, the model also shows that in the absence of an effective and transparent system for risk assessment and identification, risk and risk control will be a dark area for the management and management committees.

This is where the role of Risk Management comes in, as it brings risk assessment closer to the role of other elements in risk control as follows:

Consequently, risks are being anticipated, assessed, and controlled beforehand and in a holistic fashion that supports coordination between the organization’s various divisions to achieve its strategic goals. Indeed, this is where the importance of risk management lies, as it is a tool that allows the management to focus on root causes and obstacles that impede goal achievement. If we take the First Risk as an example; it is true that, if such risk is properly assessed and its causes efficiently investigated - according to the methodology which we will be tackling later - this would allow the management to develop an in-depth understanding of the issue and enable other concerned functions, such as the Human Resources, Finance, and IT departments, to work in coordination as one team to find and implement an appropriate solution.

Furthermore, despite the availability of multiple international approaches to risk management, the ISO 31000 guidelines are the most applicable for the government entities of the public sector, as they adopt a simple model of the risk management cycle that directly addresses risks and links them with the relevant entities. We shall discuss this methodology in the next issue, along with a practical example which illustrates the various measures for implementing this methodology.

In summary, risk management is an essential and integral concept that comes under the umbrella of corporate governance. It is a vital process for any government entity seeking to achieve its goals and continually improve and develop in the service of its clients and in the protection of public interests, particularly within a world of rapid technological and economic changes.


Fraud

COMPANIES IN THE GULF STATES ARE PROTECTING THEMSELVES

Fraud is on the rise, but regional businesses are adopting resilient corporate governance programs to protect themselves

BY YASER DAJANI

Every year, we publish the Kroll Global Fraud Report in which we describe and analyse the results of a survey carried out on our behalf by the Economist Intelligence Unit. In 2013, over 900 executives from around the world were polled in July and August. More than half of these C-level participants represented companies with annual revenues of over $500 million. A wide range of industries was represented including financial services, telecommunication, retail, FMCG, construction, engineering, manufacturing and oil and gas.

In 2012, the overall incidence of fraud in the Gulf region – in other words, companies that were hit by fraud at least once in the preceding 12 months – stood at 49%. In 2013, the figure jumped to 72%. There are multiple reasons that might explain this jump of 23%.

First, the percentage of companies where exposure has increased stood at 54% in 2012, but in 2013 that figure rose to 89%. As the table below shows, the four main drivers that increased exposure to fraud are high staff turnover, entry into new markets, lack of budget for compliance and internal audit, and the complexity of the IT infrastructure resulting in multiple points of attacks and IT security vulnerabilities. Second, the heightened awareness of fraud also demonstrates that executives across the Gulf region are changing their thinking and attitudes in the way they address it. In particular, they are openly discussing the issue of fraud and the fact that it is costing businesses tens of millions of dollars in losses every year.

2011-2012
Prevalence of companies affected by fraud: 49%
Areas of frequent loss (percentage of firms reporting loss to this type of fraud): Theft of physical assets or stock (18%); Management conflict of interest (15%)
Increase in exposure (companies where exposure to fraud has increased): 54%
Biggest drivers of increased exposure (most widespread factors leading to greater fraud exposure and percentage of firms affected): Entry into new markets

2012-2013
Prevalence of companies affected by fraud: 72%
Areas of frequent loss (percentage of firms reporting loss to this type of fraud): Information theft, loss or attack (23%); Vendor or supplier fraud (23%); Internal financial fraud & theft (23%); Management conflict of interest (19%)
Increase in exposure (companies where exposure to fraud has increased): 89%
Biggest drivers of increased exposure (most widespread factors leading to greater fraud exposure and percentage of firms affected): High staff turnover; Entry into new markets; Lack of budget for compliance; Complex IT infrastructure

Our experience shows that many corporations in the Gulf are fighting the problem head-on, although at times somewhat reluctantly for fear of leaks of information and reputational damage. Businesses in the Gulf are becoming more inclined to engage fraud specialists to help deal with internal and external misfortunes and achieve the best possible outcome. They are gradually engaging with external risk specialists to develop focused mitigation strategies and responses to attacks. Many require specialist skills that may not otherwise be available in-house, such as computer forensics, cyber investigation and forensic accounting, and the issuance of an independent expert’s report to support clients’ commercial and legal objectives.

It is interesting to note that according to the survey, fraud is usually committed by business partners, vendors/suppliers, customers, junior employees, and senior and middle management. Regarding the latter two (employees and management), combined they represent 43% of all fraud committed. This explains why, according to the survey, 56% of companies are investing in whistle-blowing programs and staff training in an attempt to undermine that high risk.

We should note that these figures are consistent with international standards – i.e. other emerging markets are implementing similar measures, including Asia and Africa. But for this to succeed, businesses must design and implement appropriate and clear whistle-blowing procedures. The decision must come from the board, and this is intended to create an overarching culture of disclosure and good corporate governance; robust and transparent internal audit and compliance functions and activities; inclusion of clear and obligatory responsibilities, and specific guidelines in the Code of Conduct and corresponding employee contracts. Some today also rely on external whistle-blowing specialists and ‘hot line’ consultants to manage and analyse the reporting that comes from whistle-blowers’ submission of information and the appropriate timing and speed by which to react.

To complement these activities and build a more resilient business, when asked what specific anti-fraud measures businesses will focus on in the next 12 months, the answers in order of priority were: financial controls, information security, physical security, management controls and third party due diligence.

However, when we asked executives about corporate vulnerabilities, the answers were rather contradictory. For example, when executives were asked ‘how vulnerable is your organization to internal financial fraud’, 32% responded ‘not at all vulnerable’. When asked ‘how vulnerable is your organization to misappropriation of company funds’, almost a third responded ‘not vulnerable at all’. The perception that businesses are not vulnerable to fraud is worrying. These respondents are advised to reconsider their responses. There is no more effective way to invite attack than to lower defences to the floor.

Our experience in the region suggests there is clearly a gap between the perception of threat and the actual risk that Gulf businesses are facing in domestic and foreign markets. Companies recognize they have a problem, but sometimes only when it is too late. The wider this gap grows, the greater the real risk becomes. Regrettably, we often find that those who have been bitten are the fastest learners, and those that have not, are more inclined to sweep the problem under the carpet until they have.

Despite this, it would appear that systematic methods toward risk management and mitigation are being used by some of the leading corporations in the region – they are making the investment because they recognize it will protect them in the long run. However, they remain in the minority and many still make the same mistakes. Internal audit and lawyers alone cannot provide sufficient protection. This would suggest there is some pain to come, and the consequences for those who fail to plan and respond accordingly could prove far reaching and have considerable financial and reputational repercussions.


YASER DAJANI, MA is Managing Director at Kroll for the Middle East & North Africa region.

TO COMMENT on the article, EMAIL the author at [email protected]

KROLL FINDINGS

THE GULF STATES

72% of companies in the Gulf suffered at least one incidence of fraud – slightly above the global average, but the increase from 2012 of 49% was more than twice as great as that experienced in the rest of the world. Gulf States currently have the highest regional incidence of information theft (35%), vendor or procurement fraud (30%), market collusion (28%), and management conflict of interest (24%).

PREVALENCE: 72%

Information theft, loss or attack: 35%
Vendor, supplier or procurement fraud: 30%
Market collusion: 28%
Management conflict of interest: 24%
Internal financial fraud or theft: 17%
Theft of physical assets or stock: 17%

Page 26: SCORING GOALS… - Internal Auditor – Middle … Alrais, MSC; Ayesha Bin Lootah, MBA; Naeima Mohammed Al Menhali, MSC, CRMA; Ali Al Muwaijei MAFB, MFA,CRMA, CT31000; Nahla Al Qassimi,

Your Global Investigations Partner

Kroll’s Investigations team comprises a unique mix of specialised skills. We work in small multi-skilled teams to deliver customised investigations which produce evidence that meets the highest litigation standards. Around the world we enable our clients to make informed decisions about their most difficult challenges.

Our team includes intelligence gathering, law enforcement, accountancy, data analytics and cyber investigation expertise.

» Fraud

» Bribery & Corruption

» Information Security & Cyber threats

» Asset Tracing & Recovery

» Litigation Support

» Dispute Resolution

» Forensic Accounting

» Transaction Intelligence

+9714 4496714 | [email protected] | www.kroll.com


A tray of traditional Arabic Coffee has long been one of the most common rituals of hospitality during internal audit meetings. What a delightful experience! Arabic Coffee’s unique taste fuses noble heritage with modernity, and its strong aroma blends Arab cultural traditions deeply rooted in this Nation’s history, especially the most well-known tradition of warm hospitality and generosity. Arabic Coffee is an inseparable part of Arab heritage. That’s why it is important to gain an understanding of the habits and traditions of Arab communities in the Middle East, so that one may find common ground that aids in undertaking audit tasks. In this article, I will outline the ways to find this common ground.

Despite all the efforts made to define the role of internal audit, the prevailing image of internal auditors in the Middle East portrays them as policemen, whose job is to hunt for auditees’ mistakes. Therefore, auditees (Arabs in this case) tend to show resistance, along with a misunderstanding of the role of internal auditors, even prior to meeting the auditors. This makes the audit kick-off meeting a golden opportunity to change this image and gain the auditee’s trust, as the first impression is always the last one.

Following the handshake – a common practice at the beginning and end of meetings – traditional Arabic coffee is normally served, at which time it is customary for all guests to drink at least one cup of coffee. This is considered a sign of respect and esteem. Sharing Arabic Coffee with guests has symbolic and ritual significance in the Middle East. While sipping your coffee, you may take this opportunity to break the ice by engaging in small talk not related to business. Steer clear of personal matters and focus instead on more general topics: you can express your admiration for the places you’ve been to, or the people you have met in the country, if you have only recently been there.

Moreover, you must respect and abide by all the laws of the Middle Eastern region, as they are generally rooted in religion, tradition and culture. You are therefore expected to fully comply with these laws in order to avoid publicly embarrassing yourself or committing an unintentional offense. And don’t forget to pay as much attention to social habits as you can. For example, if somebody greets you by saying Assalamu Alaykum (Peace be upon you), you should reply properly with a welcoming attitude. You should also stand up while shaking hands, as shaking hands while seated could be perceived as a sign of disrespect to the other party.

Having reached this far, you have now found common ground with the auditee. This is the perfect time to explain the modern role of the internal auditor and the key objective of the audit process. This explanation serves to change the prevalent image of the auditor, who is generally viewed as a law enforcer or a policeman. It would also be useful, towards the end of the meeting, to discuss the scope of the audit; specifically, the processes that are subject to audit and the time frame. The main objective here is to dispel any worries or concerns and pave the way towards a common understanding regarding the role of the internal audit.

What has been discussed here – adapting to the surrounding social environment and obtaining a deep understanding of the changes this adaptation entails – is just a starting point for the internal auditor to efficiently carry out an audit in the Middle East. The auditor has to bear in mind that there’s no single, standard method to carry out internal audit activities, and as they say in the Middle East: “Variety is the spice of life.”

Last but not least, don’t ever miss the opportunity to enjoy Arabic Coffee during a weekend at one of the UAE’s spectacular beaches.


ARABIC COFFEE: ARAB CULTURE AND INTERNAL AUDIT

BY TAMER GHEITH, EDITED BY MAJED BUKHASHEM

TAMER GHEITH, CPA, CIA, CFE, CGAP, CCSA, CGMA, CRMA is an internal audit professional with a government organization in Qatar.

TO COMMENT on the article, EMAIL the author at [email protected]

Human Resources


In today’s business world the use of information technology has enabled new opportunities and efficiencies. However, this same technology has also opened new doors to crime and abuse. Whether it’s violating company policy or breaking the law, individuals from both inside and outside an organization may use digital means as tools to perpetrate crimes and create serious business disruption.

Digital forensics is the practice of scientifically derived and proven technical methods and tools towards the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of after-the-fact digital information derived from digital sources for the purpose of facilitating or furthering the reconstruction of the events as forensic evidence [1]. The use of digital forensic methods ensures the ability to review greater volumes of information, to bring greater structure and wider access to an investigation and to produce evidence in a legally admissible form where needed. Without digital forensics, organizations may be unable to prove misconduct, determine the full degree of damage, or identify the root cause of incidents in order to prevent their reoccurrence.

Digital forensic investigations have typically been conducted by law enforcement agencies, the military, or specialized companies. While it is still the case that digital forensics readiness is a rarity in today’s corporate world [2], reliance on information technology and its pervasiveness in business is creating a need and supporting the case for building digital forensics capabilities in the corporate world. Indeed, it is becoming increasingly common for any organization which operates a specialist corporate investigations team to consider boosting their capabilities with specialist digital forensic tools.

Drivers for Digital Forensics Capability

The drivers for establishing digital forensics readiness in organizations are typically internal and include the needs of various stakeholders within the organization for digital forensics such as:
• Legal departments which may require digital forensic support for litigious cases;
• Human resources departments which may require digital forensic support to provide evidence of misconduct and support the initiation of disciplinary actions;
• Information technology departments which may require digital forensics to deal with cases of cyber attacks as part of their information security incident management;
• Any corporate investigations team within the organization which may require digital forensics support when dealing with cases of fraud or misconduct.

Practical Approaches for Digital Forensics Capability Building

A practical approach should be sought for building digital forensic capability depending on the drivers in each specific organization along with the potential frequency and impact of incidents, balanced with the cost of acquiring the required tools. A three-level digital forensics readiness framework may be adopted as follows:

Level 1: Basic

Train relevant teams on the basic principles of digital forensics to prevent loss or contamination of digital evidence (e.g. the need to forensically image data from laptops or desktops, to avoid data loss or alteration). Provide basic tools for digital forensic acquisition. Many of these acquisition tools, such as EnCase Forensic Imager or FTK Imager, are freely available from providers of digital forensics solutions. If the organization considers this basic level to be appropriate, it is advisable to consider establishing relationships with specialized digital forensics service providers so that they can be called upon at short notice when required.

BUILDING DIGITAL FORENSICS READINESS IN THE CORPORATE WORLD

BY ISSAM ZAGHLOUL, EDITED BY JAMES TEBBS

IT Audit


Level 2: Advanced

Implement a set of specialized tools which enable the acquisition and analysis of forensic evidence. The responsibility to conduct digital forensic investigations will be assigned to an established and experienced function as an additional task (normally the IT team or a corporate investigations specialist like internal audit). At this level careful training is needed, and those responsible should build strong relationships with the providers of the forensic tools who should provide ongoing support.

Level 3: Specialized

Establish a full time specialized digital forensic team and implement all the necessary tools in a sophisticated lab. This function would typically be under a corporate investigations body within the organization. The team should be fully responsible for conducting specialized digital forensic investigations of variable complexities, and be highly trained.

Regardless of the digital forensics readiness level that suits the organization’s needs, the following preliminary requirements should be in place for all levels:
• A digital forensic investigations policy should be established which defines the roles, responsibilities, authority, and principles for conducting the digital investigative work;
• Digital forensics readiness should be incorporated in the design of the IT infrastructure and applications as a standard component. This can be achieved through developing, configuring, retaining, and protecting logs and audit trails within any system introduced to the IT environment;
• Continuous training and awareness should be provided to the team responsible for digital forensic investigations.

It is important to realize that even after building an in-house digital forensics capability, there may be some complex cases where the digital forensic investigation needs to be done by specialized external providers such as law enforcement or specialist investigations and digital forensics firms, particularly where issues around chain of custody or legal admissibility in future litigation are of paramount importance. Such cases should be covered and supported in the digital forensic investigations policy. In any case it is essential to ensure that digital forensic tools are used properly by trained staff, as their misuse can equally hamper the progress of an investigation, or the integrity of evidence when subject to legal scrutiny.

Digital Forensic Tools

Having the right tool for the acquisition and analysis of digital evidence is a key enabler for establishing digital forensics readiness in a corporate setup. While there are multiple digital forensics tools in the market, such as EnCase, FTK, Oxygen Forensics Suite, and Belkasoft Evidence Center, which provide many features and capabilities, the following features are of key relevance to the corporate world when choosing the right tool:
• Evidence acquired through the tool must be tamper proof, verifiable, and admissible in the relevant jurisdictions;
• The tools should be able to support acquisition from a wide spectrum of operating environments including servers, laptops, mobile phones and external storage devices;
• Remote acquisition features should be supported which allow the forensic acquisition of evidence over a network without the need for physical access to machines. This is of special importance in a corporate setup as it enables conducting the digital forensic investigations without disruption to the business or affecting employee morale;
• Logs or audit trails of the actions conducted by the investigators should be recorded and retained for review and verification;
• The forensic tool should be able to analyze huge amounts of data if required, given the vast data volumes prevalent in today’s businesses. These tools would typically need to run on high performance machines;
• Round the clock support should be available from the vendor to provide the necessary assistance when needed to the digital forensics team.

The total cost of ownership of digital forensic tools must be carefully considered and weighed against the frequency with which they are likely to be used, and against the cost of hiring external parties to conduct this work. However, the basic cost need not be prohibitive and is usually within the reach of most organizations. For example, a decent digital forensics tool can be implemented for under $25,000 including both the required hardware and software.

It should be noted that digital forensic tools are naturally powerful and invasive and therefore need to be carefully deployed and controlled. Access to these tools should be restricted to authorized investigators. The responsibility for authorizing forensic investigation (e.g., for a specific machine) should be segregated from the role of the investigator in order to limit opportunities for misuse. In addition, the digital evidence acquired through the forensic tools should be adequately protected and access should be restricted, including by keeping evidence in a secure environment such as a safe.

Conclusion

There is an ever increasing need for establishing digital forensics readiness in the corporate world. Organizational needs for digital forensic capabilities differ and therefore each organization should consider a practical readiness level that caters for their needs. The implementation of a digital forensics tool is a key enabler for supporting digital forensic capabilities and therefore should be chosen following an appropriate needs assessment. Nonetheless, the use of digital forensics is a powerful and efficient methodology for improving corporate investigations capabilities.

References

1. Willassen, S. Y. and S. F. Mjølsnes (2005). “Digital forensics research.” Telektronikk 1: 92-97.

2. Sommer, P. (2012). Digital Evidence, Digital Investigation and E-Disclosure: A Guide to Forensic Readiness, The Information Assurance Advisory Council (IAAC).

ISSAM ZAGHLOUL, MSc, CISA, CISSP, CGEIT is a senior IT audit manager at a private holding company in Abu Dhabi.

TO COMMENT on the article, EMAIL the author at [email protected]


IS INTERNAL AUDITOR INDEPENDENCE DESTROYING VALUE?

Adhering to a rigid definition of independence is holding back integration with risk management

Audit Independence – The Standards

In the view of the Institute of Internal Auditors (IIA), internal auditors cannot be fully responsible for Enterprise Risk Management (ERM) because this would create a conflict of interest. Section 1100 of the IIA standards requires that:

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

The supporters of strict independence, arguably the more traditional internal auditors, avoid involvement in management decision making so that they cannot be compromised and can therefore audit the results of those management decisions. These auditors are reluctant to become involved in risk management functions or indeed to become members of the top executive team. This attitude can drive the internal audit function down into an intermediate position in the organisational hierarchy, where, even if independent, the internal auditor becomes ineffective.

To overcome this problem, the auditing profession has created a set of rules regarding internal audit involvement in risk management (see IIA Position Statement, 2009). These rules are based on management retaining responsibility for ERM and internal audit providing underlying support and assurance. This aligns with the traditional role of internal auditors, to audit and attest to the internal control systems for which management is responsible.

The IIA standards, as supported by leading commentators, do allow internal audit into the risk management space, provided safeguards are adopted. The independence issue does however set up a barrier to the clean integration of internal audit and risk management.

BY DR. STEVEN HALLIDAY

Independence


Auditor Independence – The Reality

Delving into the concept of auditor independence in more detail exposes some cracks. Christopher, Leung and Sarens (2009) identified the tension that currently exists within internal audit functions regarding independence. The Christopher study identified three areas that impact on and subsequently raised questions over the value of audit independence:

1. Internal audit is a training ground for future managers

The Christopher study found that internal audit is a “training ground or jumping stone” for promising staff to move on to management positions. Can internal auditors raise reports against management, independently, when they are dependent on management for a career in a future operational role?

2. Internal audit budget and planning

The Christopher study found that in 30% of cases, either the CEO or CFO approved the internal audit budget. The study also found that in 64% of cases, the CEO and CFO had a strong influence on audit planning.

3. Partnership with management

The Christopher study indicated that 56% of internal audit functions perceived internal audit to be a partner to management. Christopher argued that:

This culture may indirectly put additional pressure on internal audit to work with management to achieve a common goal rather than act as a separate independent body checking on them.

In the author’s view the benefits of a collaborative, partnership approach outweigh the traditional independence view. The partnership approach sees auditors working with management as team members, to achieve a common goal. The partnership approach is at odds with the traditional views on independence and objectivity. The traditional role of internal audit was a backward looking model, directed towards assurance over compliance with policy and procedure. This policeman style of role reviewed past events, was non-strategic and was not seen as adding value by management:

The contemporary partnership approach aligns with the IIA’s (GAIN, 2009) statement on the Global Financial Crisis:

A shift in stakeholder expectations is requiring that internal auditors take on a more strategic role, with risk management activities taking precedence over other controls and compliance auditing. The modern internal auditor is trying to break free of that backward looking mould. Nowadays internal auditors see themselves as having a strategic focus, with a view to the future and with a breadth of audit coverage that adds value to the management team. They see themselves as valued consultants.

Strict adherence to independence rules may be keeping CAEs away from the top team, forcing them lower down into the management structure and preventing internal auditors from being involved in key issues such as strategy and risk management. This situation will not be sustainable in the modern, rapidly evolving and mature organisation.

To be accepted as a valued part of the contemporary organisation, the lead internal auditor needs to be on the executive team, needs to be a part of management decision making and needs to be both strategically focused and also forward thinking.

Conclusion

Strict adherence to audit independence rules is still a barrier to integration. Studies have found that internal auditors, while seeking independence, often operate in an environment that compromises independence. Audit independence may be more of an illusion than reality. Strict audit independence may no longer suit the more mature, partnership model of internal audit/management interaction.

If audit independence is a mythical illusion that no longer aligns with a modern business methodology, then audit independence should not be a barrier to the integration of internal audit and risk management.

References 1. Christopher, J., Sarens, G., and Leung, P. (2009). A critical analysis of internal audit’s independence: Evidence from Australia, Accounting, Auditing and Accountability Journal, 22, 2, 200-220.

2. Institute of Internal Auditors. (2009). A world in economic crisis: key themes for refocussing internal audit strategy. In Global Audit Information Network Series.

3. Institute of Internal Auditors, Position Statement (2009). The role of internal audit in enterprise-wide risk management.

DR STEVEN HALLIDAY, CA is Chief Risk & Audit Officer at Tabreed in Abu Dhabi.

TO COMMENT on the article, EMAIL the author at [email protected]

Modern mature organisations no longer look at internal audit as policemen / compliance function, but as a valued partner and advisor. The next logical step in this more mature world is for the audit and risk to combine as valued forward looking partners, helping identify opportunities, manage blockers and assist with controls.

CRO from an S&P / ASX 200 financial services company


ARE SOFT CONTROLS BETTER THAN HARD CONTROLS?

BY AYMAN ABDELRAHIM, EDITED BY MEENAKSHI RAZDAN

After the financial crisis in 2008, Corporate Governance became more important than ever before. Governments imposed regulations to enhance transparency and ethical culture in organizations. However, most of the regulations focused on enhancing hard controls rather than soft controls. Let us first understand the difference between soft controls and hard controls.

While soft controls are intangible controls like morale, integrity, ethical climate, empowerment, competencies, openness and shared values, hard controls include organizational structure, assignment of authority and responsibility and human resources policies. Soft controls lead to efficient hard controls and help in strengthening hard controls. The following table explains the differences between hard controls and soft controls:

| | Hard Controls | Soft Controls |
|---|---|---|
| Nature of Controls | Tangible. | Intangible. |
| | Explicit activities. | Implicit attitudes. |
| | Objective. | Subjective. |
| Impact to Audit | Not difficult to obtain reliable information. | Difficult to obtain reliable information. |
| | Internal auditor should have good experience in analysis skills. | Internal auditor should have good experience in interpersonal skills. |
| | Usually evaluation based on documents. | Usually evaluation based on results of distributed survey. |
| | Clear recommended action in internal audit report. | Unclear recommended action in internal audit report. |
| Examples | Approvals. | Morale. |
| | Authorizations. | Ethical Climate. |
| | Verifications. | Shared Values. |
| | Reconciliations. | Integrity. |
| | Review of Performance. | Trust. |

On the one hand, the explicit controls (hard controls) can guide employee behavior through defined policies and procedures while on the other, soft controls can influence the behavior of the employees and ensure compliance with procedures. Therefore, soft controls can be viewed as the foundation of efficient hard controls. They directly affect the behavior of organizations by fostering tone at the top and have a positive influence on the moral behavior of employees when they are doing their work. Soft controls are part of the culture within the organization, which is affected by the social and cultural background of the employees. Even when the code of conduct in the organization expects employees to comply with its ethical values, employees have their own personal culture and ethical behavior which can be changed gradually.

For several years, internal auditors have played a significant role in evaluating the effectiveness of control systems, but internal auditors today perform traditional audits which focus exclusively on hard controls which ensure that organizations achieve their objectives. The role of internal auditors should not be limited to hard controls but must also extend to soft controls. This role is not easy, the main reason being that hard controls can be measured and evaluated, but it is difficult for internal auditors to test soft controls and obtain evidence of non-compliance with soft controls.

The COSO internal control framework divided control components into hard and soft controls. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. However, when internal auditors have to evaluate soft controls in the control environment according to COSO evaluation tools, they can only evaluate the design of the internal control system. They have difficulty in evaluating the effectiveness of soft controls. For example, one can evaluate the ethical culture of the organization by asking this question: “Is there a code of conduct in your organization and is it comprehensive, addressing conflicts of interest, illegal or other improper payments and is it published to employees?” But it is not easy to evaluate the effectiveness of the code of conduct; in other words, how can one know if the code of conduct is implemented or not?

Another important issue is that soft controls, defined as intangible controls, cannot be audited by reviewing documentation. So the question is “Do we need a psychological auditor in the internal audit department?”

Finally, despite the importance of soft controls in achieving organization objectives, the internal auditor is still unable to assess the effectiveness of these controls. However, an awareness program for top management about the differences between soft controls and hard controls before any assessment can help the internal auditor to obtain management support for his evaluation. Also, a separate annual report about the design of soft controls in the organization can support any conclusion about the effectiveness of soft controls.

I am interested in hearing how you evaluate soft controls in your organization.

AYMAN ABDELRAHIM, MQM, CIA, CCSA, CFE is a chief internal auditor at the Roads & Transport Authority in Dubai.

Fostering Fundamentals

TO COMMENT on the article, EMAIL the author at [email protected]