[Cover image: COSO cube, with faces labelled Operations, Reporting, Compliance; Control Environment, Risk Assessment, Control Activities, Monitoring Activities; Entity Level, Division, Operating Unit, Function]
Internal audit is being asked to evolve beyond the “third line of defense” or ticking regulatory boxes.
Boards and senior management now value the insight and analysis that a strong audit function can deliver.
• Liberate audit teams from manual tasks
• Enrich your dialogue with the business
• Drive enhancement of audit quality
• Deepen engagement with your board audit committee
• Contribute to business operational excellence
• Improve identification of emerging risks
Sincerely,
COVER IMAGE: ©2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO). Used by permission.
FEATURES
COVER STORY: COSO’s Internal Control – Integrated Framework. COSO is the most widely used internal control framework in the world and it is time for companies in Middle East to make use of it. BY ROBERT HIRTH

DEPARTMENTS
Reader Feedback
Knowledge Update: KPMG’s Audit Committee Survey; COSO and Cybersecurity; Performance Auditing Research; Anti-Fraud. BY VISHAL THAKKAR
UAE-IAA Events
IT Audit: A digital future can only be achieved if companies have trust in their data and security. BY KONSTANTINOS TAKOS
Conversations with Colleagues: Karl Hendricks talks about what internal audit leadership really means. BY MEENAKSHI RAZDAN
Human Resources: Internal auditors must have very good skills when it comes to dealing with people. BY DR. KHALAF ALWARDAT
Risk Management: How internal auditors should respond to emerging risks in the banking sector. BY TAUSEEF ABDUL GHAFFAR
[Image: cover of Internal Auditor Middle East, December 2014 issue, "Shaping Talented Audit Teams"]

Project Risks & Controls
The article Project Controls: More than Just a Box Ticking Exercise (December 2014) was very informative and gave good insight into the various controls required for effective project management. From my experience many of these controls are usually overlooked. Actively identifying, monitoring and responding to project risks is something that should not be limited to project management consultant, but should also extend to all project managers and the project team. On another note, I would have really liked it if the author described the concept of “work in progress” management in more detail.
Vikas Anand, MRICS
Projects Auditor
Abu Dhabi, UAE

The Importance of People in Projects
The article Project Controls: More than Just a Box Ticking Exercise (December 2014) mentions many key controls for projects but these alone will not ensure that the project will be delivered successfully. I think the success of the project is the result of many factors, and the most important factor in my point of view is the individual or person in charge of the project. This person will know how to use the key controls properly and make the correct decision at the right time. There are many situations that may be faced during the project life cycle (such as changes to the scope of work, instructions from higher authorities, changing laws, market fluctuations, and many others) which will need a quick and bold response from the person in charge of the project. You can put all the controls you want in a project but the people leading the project are the most important factor to ensure the success of any project.
Hazem Mohamed Hosni Selim, CRMA
Senior Internal Auditor - Projects Audit
Dubai, UAE

Auditee Feedback
The article Auditee Feedback (December 2014) highlights an important topic for all Chief Audit Executives which is how to measure the effectiveness of the internal audit activity. However, I don’t think we should limit the feedback to only internal audit client; it should include all key stakeholders. The Chief Audit Executive must consider that constructive feedback depends on two key factors: 1) the level of understanding of internal audit role within the organization (from audit client side) and 2) the level of applying the highest standard of due professional care (from the auditor’s side). I am certain that internal audit clients will provide constructive feedback when they realise that the internal audit activity values this feedback.
Saif A. Kaddoura, MBA, CFC
Internal Audit Consultant
Abu Dhabi, UAE
A KPMG survey of 1,500 Audit Committee members in more than 36 countries found that three out of four respondents said the time required to carry out their audit committee responsibilities has increased significantly (24 percent) or moderately (51 percent), and half said the job continues to grow more difficult given the committee’s time and expertise. Further, cyber security and the pace of technology change, risk management and operational risk, and regulatory compliance are the issues which will require more attention in 2015.

More and more boards are reallocating oversight of risk, financial reporting and audit duties to the Audit Committee, and the risk environment is currently straining the Audit Committee agenda. More than one-third of boards have recently reallocated risk oversight duties among the full board and its committees (up from 25 percent last year), and 32 percent said they may consider doing so in the near future.

Although audit committees are still expressing their confidence in oversight of the company’s financial reporting and audit, the survey highlights many ongoing challenges and concerns globally, such as:
• The quality of information, particularly on cyber security and technology risk, talent and innovation, and business model disruption, is falling short.
• The company’s readiness to respond to matters such as loss of critical infrastructure (i.e. financial systems, telecommunications networks, transportation, energy / power) may require more attention.
• Succession planning of the Chief Finance Officer continues to be a major gap, with many audit committees ranking themselves lowest in this area.
• Many audit committees want to go into the details of the finance organization’s work, including financial risk management, capital allocation, tax, and debt.
• The internal audit function could deliver greater value to the organization.
• External auditors could better support the audit committee by sharing industry-specific insights and views on the quality of the company’s financial management team.

https://www.kpmg-institutes.com/institutes/aci/articles/2015/01/kpmg-2015-global-audit-committee-survey.html

1. Regulatory Changes & Scrutiny
2. Economic Conditions
3. Cyberthreats
4. Ability to Attract & Retain Top Talent
5. Corporate Culture Not Supporting Risk Identification
Source: Protiviti’s Executive Perspectives on Top Risks for 2015
http://www.protiviti.com/en-US/Documents/Surveys/NC-State-Protiviti-Survey-Top-Risks-2015.pdf
Even though businesses use great caution when sharing information about their technology, both internally and externally, to protect their business operations, cyber attackers leverage technology to attack from virtually anywhere and to target virtually any kind of data. Despite this far reaching cyber threat, it is clear that protecting all data is not possible and hence cyber risk is not something that can be avoided; instead, it must be managed.

An organization’s cyber risk assessment should begin by understanding what information systems are valuable to the organization and value should be measured against the potential impact to the entity’s objectives. Risk assessments should be updated on a continuous basis to reflect changes that could impact an organization’s deployment of cyber controls to protect its most critical information systems.

http://coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf

Emerging Strategies for Performance Auditing
Performance auditing can lead to more efficient, effective, and economical program delivery, stronger controls, and improved compliance with laws and policies. Many audit functions within local governments in the United States and Canada have embraced performance audits with the support audit committees and government leaders to understand. The research report from the Institute of Internal Auditors
UAE-IAA Events
BY SAMIA AL YOUSUF

In November 2014, the UAE Internal Audit Association hosted its 4th Annual Chief Audit Executive Conference designed as a fully interactive round table to provide CAEs an opportunity to share individual expertise with the entire audience. Themed “Change or Be Changed,” nearly 190 delegates enjoyed several sessions over a two-day period in Abu Dhabi.

In his inaugural speech, His Excellency Engineer Sultan Bin Saeed Al Mansouri, UAE Minister of Economy, stated “It is not an exaggeration to say that for a country to grow and develop organically, its auditing practices and systems must be developed as a core priority.” Following this, Committee of Sponsoring Organizations of the Treadway Commission (COSO) Chairman Robert Hirth delivered a keynote address updating the audience on COSO including how utilizing thought leadership can improve their organizations.

Hirth then presented the first-ever Arabic version of COSO 2013 to HE Eng. Sultan Al Mansouri. “COSO is very pleased that our 2013 Internal Control Framework is now translated into Arabic, allowing over 20 countries to take advantage of this material that helps organizations improve their governance and operational performance through enhanced internal control,” said Hirth.

The conference also had a panel discussion on the latest trends in the internal audit profession, and delegates could choose among concurrent sessions on risk management, corporate governance, smart and continuous auditing, and top priorities for internal audit in addressing emerging technology. Delegates were also given the opportunity to learn more about The IIA’s new Qualification in Internal Audit Leadership™ (QIAL™).
The digital era
You hear it called the digital revolution – the transformation of how we work and live, which is one of the great megatrends that will continue shaping the world this century. Organisations in the Middle East are coming to the realisation that technological advances will have the greatest impact on their business over the next five years. This is in line with what CEOs (85%) responded in last year’s PwC survey of Middle East CEOs.

The speed of change is accelerating and the majority of businesses are increasingly becoming dependent on technology-driven transformation programmes. Over the last two decades, a technology revolution has changed the way we do business. Change will only continue and while it will offer opportunities for innovation and productivity, the digital era presents new risks and challenges. A digital ecosystem has developed, linking enterprises to customers and suppliers through multiple channels.

Innovation built into everything
Only by seeking new ways of delivering their products and services will companies stay ahead of the competition and maintain a strategic edge. Businesses that are confident in their ability to deliver technology enabled transformation will have a distinct advantage in this new world.

In last year’s PwC survey of Middle East CEOs, 30% said innovation around products and services would provide the main opportunity to grow their business over the next 12 months (second only to increasing their share of existing markets). Many of those products will be shaped by a combination of new technologies and investments in the form of industrial automation, cloud computing, enhanced Enterprise Resource Planning (ERP) systems, customer experience innovations, Big Data and the growth of connected devices – the so-called Internet of Things (IoT).

Not surprisingly, Middle East executives are interested in shaping their organisation in the best possible way to cater for innovation, whether this is through new organisational roles, better processes and reporting, stronger corporate governance or increased interest in IT altogether.

Boards spend more time on IT
With technology rapidly changing the way companies do business, Boards increasingly recognise the importance of effective IT oversight. That’s likely why the amount of board time dedicated to IT oversight increased year-over-year according to PwC’s Annual Corporate Directors Survey 2013. Directors are enhancing their digital IQ by meeting more frequently with the company’s Chief Information Officer (CIO) as they are dealing with challenges like the ones below:
• Significant IT investments
Businesses are making significant investments in technology led transformation to gain competitive advantage in the digital age. With fewer and fewer skills retained in most businesses to achieve these, successful delivery is far from assured.
• Focus on resilience
Businesses have never been more dependent on secure, reliable technology, systems and data. Cyber breaches and system outages are being reported daily – destroying trust between businesses and their stakeholders.
• New regulation and standards
Regulators and standards setters are slowly starting to define a raft of regulations and frameworks that businesses will eventually need to comply with in order to ensure that they build the right level of trust into their technology environments.

Focus on trust
Many global companies now invest a good deal of time and effort to demonstrate business transparency and build trust. Indeed, 68% of Middle East CEOs report that customer and client confidence in their companies has improved in the last five years. Still, most Middle East CEOs understand that a relationship is only as strong as its weakest link. 60% say they were concerned about the lack of trust in business as a potential threat to their organisation.

When it comes to technology, getting the right attention in the boardroom is key. With digital opportunities and risks becoming so central to business strategy, boards and audit committees must have the digital expertise to set the level of risk that they are willing to accept. They must be able to ask the right questions and hold management to account. Naturally, the level of trust required to be placed on their IT departments is increasing exponentially.

Governance
IT governance is a key ingredient in building trust in the digital era, but behaviours and expectations of what this means are varied. The level of importance that organisations in the Middle East place on IT governance tends to be relatively low and it is seen as an afterthought or at best a way to satisfy nebulous compliance requirements. For many within IT, better governance is a euphemism for more bureaucracy and “process” imposed by compliance functions. This is in line with the typical mistake many IT departments make when confusing management with governance. The key decision making meetings tend to resemble management or operational meetings due to the level of detail involved and the reactive nature of discussion.

As a consequence, it is difficult to consolidate and report upwards the right level of information around performance and risk mitigation. Only about a quarter of directors “very much” agree that the company provides them with adequate information for effective oversight (PwC’s Annual Corporate Directors Survey 2013). A lack of representation from outside IT in the main decision making forums misses out another key ingredient in building trust on what the IT department is doing and how this can be aligned to the overall business strategy.

To make matters worse, when the IT department is audited the main findings usually tend to focus on the lack of documentation and inappropriately designed operational processes. This reinforces existing views on IT governance, while the information flow, reporting and decision making responsibilities remain conveniently unclear. This is despite the fact that the International Standards for the Professional Practice of Internal Auditing mandate the internal audit activity to assess whether the information technology governance of the organization supports the organization’s strategies and objectives (2110.A2).

It is not all negative though, as new standards (e.g. COBIT 5) that are slowly being adopted by the IT department help explain and elevate the importance of IT governance. Some CIOs who are increasingly pressured to engage with the Business are seeing this as a great opportunity to change and also elevate their status within their organisations.

Skill shortage
Changing though seems too great of a challenge for many CIOs. The majority of skills within the IT department focus on pure delivery of IT services. The lack of business partnering skills is being felt acutely as Boards demand that their IT departments step up and take a more prominent role.

According to Middle East CEOs the key business threats facing businesses are availability of key skills (70%) and IT departments are caught in the middle of the search for new talent. It is not about holding the right qualifications but demonstrating the right behaviours that will help nurture trust and confidence. People are important, and their actions have a direct impact on the business and its security. Creating the right culture where people instinctively do the right thing, as with many organisational issues, lies at the heart of the issue.

Trust in the Digital Era
Organisations are facing rapid technological change, increasing data complexity and a growing cyber-security threat - all of which are raising the risk profile of IT to the business. Organisations will only be able to have the confidence to embrace their digital future if they have trust in their data and security, resilience built into their systems, and the assurance that their digital transformation projects will succeed.

Making the right choices and ultimately driving profitable growth requires a renewed focus on relevant skills acquisition and better governance. Provided these are aligned to the overall strategy of the organisation this can be the first step for building trust in the digital era. Trust combined with a new attitude to risk will allow organisations to unleash their potential and the confidence to take risks.

KONSTANTINOS TAKOS, MSc, ACA is a Senior Manager at PwC and leads the Technology Governance and Risk Service in the Middle East.
Karl Hendricks, KPMG’s Head of Consulting for Lower Gulf and Risk Consulting Leader across Middle East and South Asia region, explains what it really takes to be an internal audit leader

“As an internal audit leader in today’s fast paced and dynamic market, you need to keep your finger on the pulse to provide innovative responses relevant to market changes and ensure you are ahead of the curve to meet business needs”

In an exclusive interview, Internal Auditor - Middle East spoke to Karl Hendricks, QIAL who is currently a Partner in KPMG Lower Gulf Limited and leads the Consulting practice. He has over 18 years of experience in providing Risk & Management Consultancy including areas such as Internal Audit, Risk Management, Corporate Governance, Forensics and Business Process Re-engineering to clients both locally and internationally. Karl also resides on the Executive Team within KPMG and also looks after Risk Consulting across the Middle East and South Asia region. Karl is an active supporter of the UAE Internal Audit Association (UAE-IAA) and is a member of its executive committee.

Internal Auditor - Middle East met with Karl Hendricks at KPMG’s offices in Dubai.

How has KPMG developed internal audit leaders across our region?
At KPMG, we take great pride in our training programs and the training of our Internal Audit professionals. We recognize that our staff not only interact with middle management, but also with industry leaders. To that end, we focus greatly on transforming our staff into leaders and have a global internal initiative called the ‘Emerging Leaders Program’ wherein high potential KPMG staff, including Internal Audit, undergo extensive leadership trainings.

What have you gained from earning the Qualification in Internal Audit Leadership (QIAL)?
I felt that the qualification immediately enhanced my profile within the region as the first senior internal audit professional amongst the Big Four to obtain the qualification.
In addition to my existing qualifications that I had obtained a few years back, I find that the qualification to be a good medium for keeping up with recent trends and needs that are to be demonstrated by a leader.

What are the most important skills for an internal audit leader?
In my opinion, an Internal Audit Leader should have great interpersonal skills, the ability to be objective and be a strategic partner who will strive to add value to an organization.

What do you think is the difference between a good internal audit leader and a great one?
A great Internal Audit Leader would be the one who acts as driver for a change within an organization. He would not just be perceived as a trusted advisor, but would also act as one. I would think that he should be the first person a CEO / C level would call to consult.

What are some initiatives that Chief Audit Executives (CAEs) can work on in order to lead positive change in their organizations?
A leader has to be the change he wants to see in the organization. CAEs need to have the ability to envision and reach the standards he wishes to instill in the organization. He should consider a healthy mix of assurance and advisory mandates as a part of the audit plan with an aim to add value and assist organizations in the achievement of their goals.

How can CAEs become more strategic in their positioning and thinking?
The CAE should work towards becoming part of the strategic or key operational teams so as to steer their thinking in the direction of a company’s goals and plans. However, this is an important area not to compromise their objectivity and independence. CAEs should contribute to an organization’s strategy and growth plans by providing their insights into strategic issues and business operations and, not being so prescriptive on internal controls.

Based on your experience within the region, how are audit committees evaluating the effectiveness of a CAE’s leadership abilities?
Primarily by KPIs focusing on leadership capabilities such as relationship-oriented KPIs with C-suite members. Second, audit committees focus on contribution of CAE’s ability to articulate control and risk issues and its impact on business strategy during board and committee meetings. Numerous audit committee also assess the proactive involvement with various internal and external stakeholders such as regulators, external auditors amongst others by using feedback forms.

Finally, what advice do you have for CAEs looking to improve their leadership skills?
I believe that CAEs should continuously strive to invest time for self-development. They should ensure they are being more relevant with business and auditing skills. Aspiring CAEs should try their best to move away from ‘traditional audit’ and introduce innovative trends such as Data Analytics, Cyber Security and Continuous Monitoring.
Human Resources
TO COMMENT on the article, EMAIL the author at dr.khalafalwardat@yahoo.com

People Skills for Internal Auditors

“People Skills” are considered an integral part of the essential skills that must be acquired by the internal auditor. They aim to change the negative impressions that some employees may have about internal auditors into more positive perceptions. This is accomplished by creating a positive image of the internal auditor by describing him/her as an expert who is seeking to help them, instead of a policeman who is trying to highlight their mistakes. The most important aspect of people skills is diplomacy.

Diplomacy is a science with rules that must be learned. However, there is a thin line between diplomacy and hypocrisy. The first, diplomacy, is decency, understanding, and sensitivity to others while the second, hypocrisy, is an immoral attitude to reach a certain aim. Therefore, internal audit needs a high level of diplomacy or wisdom to differentiate itself from hypocrisy in order to effectively achieve goals by mastering many skills:

1- Communication: It is defined as the best ways to share information and convey meanings, feelings, and opinions to others in order to influence or persuade, whether via verbal or non-verbal communication. The well-known therapist, Virginia Satir, says: “Communication is a process of exchanging meanings between two persons.” Based on the above, the conclusion is that successful communication has to be established on two milestones:
• Building a strong relationship with others and harmonizing with them.
• Transferring information and ideas to others and influencing them as required.

2- Negotiation: Negotiation is ongoing discussions, talks, and communication between two or more parties as a result of an agreement or disagreement with regards to common interests. The parties naturally tend to compromise to reach a win-win solution. This is the right concept for negotiation, as it considers it a “collaboration” rather than a “confrontation.” It is a chance for two parties to work jointly to achieve a goal not attainable by either of them alone.

3- Persuasion: Is a mental process to influence the thoughts of others, a way to achieve objectives. Effective persuasion embodies successful communication skills and is a milestone for success. Therefore, some have considered it the parameter to measure a person’s keenness to succeed and reach his/her goals. As Omar bin Al Khattab said: “Speak so that you may be known, since a man is hidden under his tongue.”

4- Criticism: Criticism is a method to recover from setbacks if such criticism is determined and focused on the (wrong) behavior, instead of focusing on the person. It must be constructive and should not be intended to frustrate others or damage the relationship with them, but rather improve it. It is aimed to be communicated in one-to-one meetings and not in public.

5- Influencing others: The Prophet (PBUH) said: “Whenever forbearance is added to something, it adorns it; and whenever it is withdrawn from something, it leaves it defective.” The one who calls for something and does the opposite says to the people I want you to know it and believe it doesn’t work, but don’t you see that in me. Keep silent after saying a statement of doing something and allow the person(s) to think. As such, you are conveying great messages to them as they themselves understand that they are great.

Finally, I would like to mention that the auditee is a human being who is formed by his/her beliefs and emotions. He/she is not a machine that does exactly as it is told and the internal auditor needs to use his/her “people skills” to build a relationship with the auditee and for them to understand the recommendation and to implement it. Without people skills such as diplomacy, internal audit will not be as effective and the organization as a whole will not benefit.

DR. KHALAF ALWARDAT is a financial expert, trainer and auditor, and is accredited locally and internationally in the fields of accounting, finance and auditing.
BY ROBERT HIRTH

Global Credibility
The framework has been translated from the English version into the following languages, making it truly a global framework:

All US stock exchange listed companies subject to Section 404 (management certification and being subject to independent audit on internal control over financial reporting) of the Sarbanes-Oxley Act of 2002 are given the option of choosing a “suitable” internal control framework. 100% have chosen the COSO Framework. Further, the US General Accounting Office (GAO) has adopted the framework as part of its Green Book publication on internal control guidance. Aspects of internal control regulations in China, Japan and South Korea have utilized COSO internal control related concepts.

Most recently, under its Companies Act, India has created a requirement for all listed companies to report on internal control and to require an independent assessment by the external auditor and requiring the auditor to report on the adequacy of internal financial control over financial reporting. Part of this requirement discusses the use of a framework and specifically mentions the 2013 COSO framework.

Components and Principles that Create Effective Internal Control
The 2013 COSO Framework consists of 5 key components of internal controls and are represented across the face of the COSO cube model:

The five components are defined as follows in the 2013 COSO Framework:

1. Control Environment
The control environment is the set of standards, processes, and structures that provide the basis for carrying out

2. Risk Assessment
Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

3. Control Activities
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.

4. Information and Communication
Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.

5. Monitoring Activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Findings are evaluated against criteria established by regulators, recognized […] and the board of directors, and deficiencies are communicated to management

In addition, there are 17 Principles of effective internal control that support and enable these components:

Components and Principles

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Supporting each Principle are Points of Focus, representing important characteristics of the Principles. While the 2013 COSO Framework does NOT prescribe specific controls that must be in place, the Points of Focus help guide organizations in the development and selection of appropriate controls. If we look at Diagram 1 across, we can see how there are 4 Points of Focus to support the particular principle on integrity and ethical values. There can be a number of controls which address this Principle such as leading by example, communication (email or staff meetings) on the importance of ethics, the existence of a
standard-setting bodies or management formal code of conduct with training and annual attestations.
[Diagram: Key Controls (Control 1, Control 2, Control 3, Control 4)]

Under the framework’s methodology, all 17 Principles must be present and function in such a way that the 5 components operate in an integrated manner in order to conclude that internal control is effective. It should be noted that compliance with the Points of Focus is optional. The principles become present and functioning through responsive control activities that are designed to the correct level of precision and are in fact operating as intended. Operating effectiveness is generally determined through independent testing of the control activity.

Benefits to Internal Auditors

While the 2013 COSO Framework, when implemented correctly, helps organizations to achieve their objectives and improve performance, it is also a way for internal auditors to meet the requirements of the IIA’s standards and drive positive change within their organizations.

When it comes to the IIA’s Standards, evaluating internal controls using the 2013 COSO Framework mainly helps to address 2 Standards which can be difficult to implement:

• 2100 – Nature of Work: Relates to the evaluation of governance, risk management, and control processes (Mainly through the Control Environment, Risk Assessment, Control Activities and Information & Communication components).
• 2450 – Overall Opinions: Supporting overall opinions on internal controls with sufficient, reliable, relevant, and useful information (Mainly through the Monitoring Activities component).

Similarly, by promoting a world class control framework, internal auditors can be seen as having up to date knowledge and can use this knowledge to educate management and work with them to improve governance, risk and control processes. Even at private companies in the Middle East, such as the Ali Bin Ali Group [3] in Qatar, the internal auditors are promoting awareness of the framework within their company.

Get Started - Use Some or All of it

As stated in the title of this article, you need to :

Closing Remarks

The 2013 COSO Framework is meant to be applied to all companies. COSO can be tailored to any type of organization regardless of company size, maturity, industry, location or type (private, public, etc.). For small companies in some cases, the 2013 COSO Framework may be implemented using fewer than 100 key controls. In the Middle East, forward-thinking companies are already using the framework and internal auditors are using it to build awareness around internal control best practice. With this trend and the translation of the 2013 COSO Framework into Arabic, there is no excuse not to use it and benefit from it!

References:

1. http://etisalat.com/en/system/docs/12-4-2013/EtisalatGovernanceReport-2013-English.pdf
2. http://www.nbk.com/corporategovernance/governanceframework/riskmanagementandinternalcontrol_en_gb.aspx (Accessed on 9 January 2015)
3. http://www.alibinali.com/coso-internal-control-integrated-framework-workshop-for-aba-finance-team/ (Accessed on 9 January 2015)

ROBERT HIRTH is the Chairman of COSO and is a Senior Managing Director with Protiviti in the United States.
BY DR. ASHRAF GAMAL

Sir Adrian Cadbury defines corporate governance as “the system by which companies are directed and controlled”. The proper corporate governance structure specifies the distribution of rights and responsibilities among the different parties in the organization; this includes the board, managers, shareholders and other stakeholders. It will also lay down the rules and procedures for decision-making within the organization.

Putting the right controls in place and making sure they work has always been at the heart of corporate governance. Companies therefore usually have multi-layer systems of controls. The first layer usually lies within each department, where work procedures ensure the presence of controls aiming to minimize the space for errors and misconduct. The CEO gets the assurance that internal controls are sufficient and are working well through the internal audit function. But since the board is ultimately responsible for the governance of the organization, establishing an effective audit committee is the key tool that the board has in order to oversee that the organization is well governed and that the numbers and information coming to the board and going out to other stakeholders are accurate and trustworthy. Shareowners, on the other hand, would like to make sure that their money and interests are well-protected, and that various systems within their companies are sufficient and are functioning the way they should be. They therefore appoint the external auditor, who evaluates such systems and gives recommendations or assurances to the owners.

Given that the role of the internal audit function is ever evolving with respect to its role in governance, recently the Financial Reporting Council, UK, has revised its corporate governance code for UK companies, which came into effect on 1 October 2014 and in which it states that “The board should establish formal and
According to the Institute of Internal Auditors’ definition of Internal Auditing, there are two types of services that are provided by the Internal Audit function, namely, Assurance and Consulting services. The definition also sets out its scope of work to include evaluating and improving the effectiveness of Governance, Risk Management and Control processes. Consequently, there are a number of stakeholders of internal audit inside and outside the organization, each with different expectations from internal audit. Internal auditors need to have marketing skills in order to allow stakeholders to understand the internal audit team’s role and the diversity of services that the team can provide to the organization.

Why There is a Need for Marketing?

Every year, organizations spend billions of dollars marketing their services to customers. Each of these organizations is promoting its image and the way customers perceive that image. Internal audit is similar in that you may not really know how your customers (stakeholders) perceive you and your teammates. Chief Audit Executives may think that they are the best and have superior capabilities, but does that really reflect in the perception of key stakeholders such as senior management and the audit committee? This is where the need for marketing internal audit services arises. Such marketing needs to challenge stereotypes about internal audit services and promote a positive image for the Chief Audit Executive and his team.

The very word “Service” implies a more personal interaction between internal auditors and their stakeholders. Internal audit services are directly tied to the auditors themselves, their professionalism, objectivity and proficiency.

In my opinion, marketing skill is one of the most important non-technical or soft skills that internal auditors must possess as it will help them explore stakeholders’ expectations, create and deliver value to satisfy their needs, and manage audit relationships in ways that also benefit the organization. Marketing skills also help internal audit establish and maintain a strong position within the organization, optimize outcomes, provide viable recommendations, promote awareness by various business units of internal audit’s consultative role, and encourage audit clients to bring problems to the audit’s attention. Audit clients with positive audit experience would be more likely to ask for more services.

According to Joel Kramer from MIS Training Institute [1], marketing internal audit involves “educating stakeholders on the services we can provide, giving them examples of how these services recently have helped the organization, and then persuading, encouraging or inducing them to use our services”.

Marketing helps in enhancing not only professional relationships but also, most importantly, the personal ties with stakeholders, hence replacing the image of the policeman with the image of the business partner who is there to add value.

How to Market Internal Auditing?

In his blog [2], Richard Chambers, CIA, QIAL (President and CEO of The Institute of Internal Auditors) encouraged internal auditors to develop a marketing strategy to improve awareness of their capabilities. He wrote: “we needed to develop a deliberate strategy for improving awareness of our capabilities – and the value we would deliver – because changing perceptions isn’t always easy. In other words, we came to understand that we needed to do some good old-fashioned marketing so that clients would know when to call us in and what to expect”.

Audit stakeholders do not think only about technical quality (how good the audit work is) but also about the quality of the service (their overall experience with the auditor).
Risk Management
BY TAUSEEF ABDUL GHAFFAR
EDITED BY RAYMOND HELAYEL

EMERGING RISK TRENDS IN THE BANKING SECTOR AND HOW INTERNAL AUDIT NEEDS TO RESPOND

Over the past 10 years, the Banking Industry has experienced a number of severe shocks. From the global financial crisis to global austerity to the LIBOR and FX scandals and the recent oil price slump, a number of risks have emerged that were previously not considered important. Regulators have also added to the pressure on banks to understand their risks and implement solutions that help manage these risks. Internal Audit has not been immune to this: these events have highlighted the need for Internal Auditors to change the way they think and operate.

EMERGING RISK TRENDS WITHIN THE BANKING SECTOR

Some of the key risks emerging within the Banking Sector are:

1. Corporate Governance – tone at the top
All banks are in the business of making money. The key is to do so safely and this mindset needs to come from the top. Management need to ensure that their front-line understand the risks involved and have adequate controls in place to manage them.

2. Strategies linked to risk appetite/risk tolerance
The starting point for managing risk as a business is to evaluate the appetite for risk and then formulate the business strategy around it. Any disconnect between the strategy and the risk appetite will result in the organization pursuing opportunities that go beyond their risk tolerance levels and without an appreciation of the risks that they are taking.

3. Focus on area of expertise
Banks need to understand their products and their related risks, thereby building expertise in these products. A simple rule should be followed: if a transaction is not in line with your strategy or your area of expertise, it should not be done, period.

4. Liquidity/Capital adequacy
Banks need to be aware of two things: the importance of liquidity and the fact that severe economic shocks can break down any assumptions around liquidity by affecting correlations between financial instruments. In relation to this, regulators across the world have started introducing stricter liquidity and capital adequacy requirements. On their part, banks should have robust Contingency Funding Plans in place and should regularly stress test their liquidity portfolios using severe shock scenarios.

5. Dangers of gearing and over-leverage
Leverage, whilst having tremendous potential upside, exacerbates downside risk. Excessive leverage can potentially have a negative impact on the capital. Banks, by their very nature, are highly geared and hence have a responsibility to ensure that they do not become over-leveraged.

6. Quality of assets
It is imperative that banks understand the quality of their asset book and take steps to ensure that adequate quality is maintained. A main concern is the over-reliance on external rating agencies as an indicator of asset quality. Whilst such ratings may be a good initial indicator, banks and financial institutions need to build appropriate internal rating models to gauge asset quality.

7. Perils of inadequate risk transference
Banks use a variety of financial instruments and tools to transfer risk away from them. Some of these can be complex in structure and as such may not necessarily work as expected. Where necessary, banks need to ensure that risk is adequately transferred using scenario analysis and stress testing.

8. Understanding models
Banks use various models to help measure and manage risk. These are usually based on certain assumptions and therefore there is a need to ensure that models are thoroughly validated and back-tested before they can be considered reliable.

9. Risk-Based compensation
In an effort to curb excessive risk-taking, banks have started to introduce the concept of risk-based compensation. This means that rewards are now tempered by the level of risk taken to achieve them. This ensures that even if the frontline follows an aggressive profit-generating strategy, they would not be rewarded if they take on undue risk.

10. Equitable investment in systems and enablement resources
Banks tend to invest more in the business-generating frontline, rather than in systems and enablement resources supporting that business. This has resulted in risks going unmanaged, as certain transactions, for example, are being managed through spreadsheets. Equitable investment in the governance and support infrastructure is required to ensure that business is conducted safely.

HOW SHOULD INTERNAL AUDIT RESPOND?

So what are the implications for Internal Audit? As the 3rd line of defense, Internal Audit needs to upgrade its practices so that it can meet its dual mandate of independent assurance to the Board and value addition to the business. It needs to be more responsive to its environment and be closer to the business, in order to achieve these objectives.

Some of the developments that could be considered by the Internal Audit Function are:

1. Robust risk-based planning
The Internal Audit profession has already adopted a risk-based approach; however, this needs to be taken further. Banks operate in a very dynamic environment and risks need to be constantly reassessed. This can be done through lessons learned exercises or on the back of regulatory hot topics, as well as through constant dialogue with the business.

2. Partnering/Relationship concept
Internal auditors need to partner and build relationships with the business in order to keep abreast of their operations and related progress. This will enable them to better assess and anticipate potential risks as they emerge.

3. Continuous monitoring
Today’s environment is too dynamic to simply rely on annual audits, and hence there is a need for employing continuous monitoring techniques. Internal auditors should have inquiry access to all systems used by the business and be able to view exactly what business managers are seeing. Access to regular management information will help keep them abreast of the developments.

4. Exercise of rationality
One question that an internal auditor should always ask is whether the income generated by a business or a transaction is reasonable. The age-old adage applies: If it is too good to be true, it probably is. Internal auditors need to adopt a cynical challenge to identify excessive income being generated from excessive risk-taking.

5. Up-skilling of auditors
Having only an audit qualification is no longer enough. If they are to audit effectively, internal auditors need to receive the same training as the businesses they are auditing. Internal Audit management can enhance the skills of their teams by having them obtain business qualifications, or by hiring people with prior industry experience.

6. Sourcing specialization
Internal Audit management need to avail other avenues to source specialized resources. Whilst outsourcing/co-sourcing is one option, one abundant source of experience and expertise is the business itself. Internal Audit can invite business staff as guest auditors on audit assignments. This will not only allow the auditors to gain from the guest’s expertise, but also allows businesses to have a better understanding of the work of Internal Audit.

7. Awareness of regulations
The staggering amount of regulatory fines recently levied on financial institutions is testament to the fact that businesses need to keep abreast of regulations. Regulatory compliance should be at the forefront of Internal Audit’s agenda. Conversely, Internal Audit should also focus on unregulated or under-regulated areas as they are usually subject to limited oversight.

“Internal auditors need to partner and build relationships with the business in order to keep a finger on the pulse of the organization.”

CONCLUSION

Recessions and crises provide a very important opportunity for internal auditors. They usually highlight the risks that are often overlooked during economic growth/expansion periods. It is during such times that Internal Audit can really learn lessons that provide valuable insight into what went wrong, the implications for the internal audit profession, and how internal auditors can change or improve their processes and practice.

Internal Audit can no longer play the same traditional role. Internal Auditors need to really understand the risks within the businesses, partner with them to keep a finger on the pulse of the organization so that they are aware of things as they happen, and better develop their teams’ skills. At the same time, internal audit needs to resist pressures from management and ensure that its voice is heard across the organization. Ultimately, internal audit is the last line of defense and therefore cannot afford to be complacent.

TAUSEEF ABDUL GHAFFAR, CFA, FRM, CPA is the Senior Vice President & Head of Audit of the Global Wholesale Bank at the National Bank of Abu Dhabi.