MARCH 2015 WWW.INTERNALAUDITOR.

ME

Key Considerations and Tips for

Auditing Construction Projects

The Importance of Internal Audit’s

Role in Corporate Governance

Selected Techniques to Market Internal

INTERNAL AUDITOR
MIDDLE EAST
Audit Services to Stakeholders

ns

e
ng
io

nc
rti
at

ia
po
er

pl
m
Re
Op

Co

Function
Control Enviornment
Operating Unit
Division

Risk Assessment
Entity Level

Control Activities

Information & Communication

Monitoring Activities

COSO’s Internal Control

– Integrated Framework
ٔ

COSO’s Chairman emphasizes the applicability of

the framework for companies in the Middle East

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

STREAMLINE YOUR INTERNAL AUDIT
PROCESSES FOR MORE EFFICIENCY

ACCELUS AUDIT MANAGER

Internal audit is being asked to evolve beyond the “third line of defense” or ticking regulatory boxes.
Boards and senior management now value the insight and analysis that a strong audit function can deliver.

Accelus Audit Manager can help:

• Liberate audit teams from manual tasks • Deepen engagement with your board audit committee
• Enrich your dialogue with the business • Contribute to business operational excellence
• Drive enhancement of audit quality • Improve identification of emerging risks

For more information on Accelus Audit Manager please visit: http://accelus.thomsonreuters.com

CONNECT | SIMPLIFY | PERFORM

© 2015 Thomson Reuters. All rights reserved.

From The President

We’re off to a Good Start!

Dear Readers,
I am pleased to announce that the UAE Internal Audit Association (UAE-IAA) is off to
a good start this year. We teamed up with the Association of Certified Fraud Examiners
(ACFE) in the UAE and KSA to launch the ACFE’s first conference in the Middle East
& North Africa region which had the theme of “Breaking the Barriers”. We’ve also been
strengthening our relationships with the other internal audit institutes in the GCC and
hopefully we’ll be exploring further areas of cooperation. Similarly, we’ve been meeting
with various government and semi-government institutions in the UAE to promote
the training of UAE nationals in the internal audit profession. More achievements and
success are planned for 2015.
Not only have we achieved all the above, but in the past few months, we’ve accomplished
3 strategic milestones which will positively impact our profession:

1. Internal Audit Quality Assurance: We’ve hired a highly experienced internal

audit professional who will lead the UAE-IAA’s efforts to promote internal audit quality
assurance and to provide our members with an objective and value adding service. We
will work to strengthen our capabilities in this area and will aim to rely on qualified
resources based in the UAE.
2. Internal Audit Research: Thanks to the efforts of volunteers and the cooperation
of our members we’ve been able to produce original research aimed at providing out
members with insights on our profession. The research titled “Risk Management
Practices and the Role of Internal Audit: A UAE Perspective on Non-Financial
Institutions” is an insightful and professional report which should make us all proud.
3. Qualification in Internal Audit Leadership Training: The Institute of Internal
Auditors delivered a training program to potential assessors in the UAE who hold the
Qualification in Internal Audit Leadership (QIAL) designation. This is the first step
towards activating the UAE-IAA’s role as the exclusive provider for the QIAL exams in
the Middle East & North Africa region.
We owe all this success to the active and continuous support of our strategic partners,
members and volunteers.
I hope you all enjoy reading this issue. Please feel free to email any feedback you may
have to editor@internalauditor.me

Sincerely,

Abdulqader Obaid Ali

President

COVER IMAGE: ©2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO). Used by permission.

MARCH 2015 INTERNAL AUDITOR - MIDDLE EAST 1

TeamMate ®

Analytics
Data analysis for every audit
Integrates with TeamMate Audit Management
System and available for standalone use

Learn more at
TeamMateSolutions.com/Analytics
or call +44 207 981 0556

Copyright © 2014 Wolters Kluwer Financial Services, Inc.

All Rights Reserved. 3642
 INTERNAL AUDITOR
MIDDLE EAST MARCH 2015 WWW.INTERNALAUDITOR.ME

F E AT U RES
16 COVER STORY: COSO’s Internal Control – Integrated Framework COSO is the most
widely used internal control framework in the world and it is time for companies in Middle East to make use
of it. BY ROBERT HIRTH

20 Auditing Construction 22 The Evolving Role of 26 Marketing Internal

Projects
Whether it is a villa or a
tower, there are several major
risks to be audited during
each phase of a construction
project.
BY HAKIM LALIPURWALA
Internal Audit in Corpo-
rate Governance
Hawkamah’s CEO discusses
the important that internal
audit plays.
BY DR. ASHRAF GAMAL
Audit Services
Promoting the services of
the internal audit department
should be a priority for Chief
Audit Executives.
BY ALA’ ABU NABA’A

DE PARTMENTS
4 Reader Feedback
5 Knowledge Update
KPMG’s Audit Committee
Survey; COSO and Cyberse-
curity; Performance Auditing
Research; Anti-Fraud.
BY VISHAL THAKKAR
8 UAE-IAA Events
10 IT Audit
A digital future can only be
achieved if companies have
trust in their data and
security. BY KONSTANTINOS TAKOS
12 Conversations with
Colleagues
Karl Hendricks talks about
what internal audit leader-
ship really means.
BY MEENAKSHI RAZDAN
15 Human Resources
Internal auditors must
have very good skills when
it comes to dealing with
people.
BY DR. KHALAF ALWARDAT
29 Risk Management
How internal auditors should
respond to emerging risks in
the banking sector.
BY TAUSEEF ABDUL GHAFFAR

MARCH 2015 INTERNAL AUDITOR - MIDDLE EAST 3

Reader Feedback
DECEMBER 2014
Using Feedback from Auditees to
Enhance Internal Audit Performance
Global Developments that are
Changing Internal Audit
INTERNAL AUDITOR
MIDDLE EAST
A Look Into the Characteristics and
Behaviors of the Typical Fraudster
SHAPING TALENTED
AUDIT TEAMS
The top 10 innovative professional
development programs for internal auditors
INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL
Project Risks & Controls
The article Project Controls: More than
Just a Box Ticking Exercise (December
2014) was very informative and gave good
insight into the various controls required
for effective project management. From
my experience many of these controls are
usually overlooked. Actively identifying,
monitoring and responding to project risks
is something that should not be limited
to project management consultant, but
INTERNAL AUDITOR
MIDDLE EAST
M A R CH 2 0 1 5
VOLUME 2015: 1
PRESIDENT
A b d u l q a de r Oba id Ali
EDIT OR
F a r a h A ra j ( Ac t ing)
EDIT ORIAL ADVISORY COMMITTEE
A se m A l N a se r, CpA, CIA, QIAL ;
F a r a h A ra j, CpA, CIA, CF E, QIAL ;
M a j e d Buk ha she m; Andre w Co x,
M B A , M E C, CF IIA, CIA, CIS A, CF E ,
C G A p, MRMIA; Ra ymo nd He la ye l, CpA,
C I A ; M e e na k shi Ra z da n, CA, CpA CIA,
C F E ; H o s sa m S a m y, CRMA, CF E, CpA,
C G A ; N a ge sh S ur ya na ra ya na , MBA,
C I A , C C SA; J a me s Te b bs, CA; Vis h al
T h a k k a r, ACA, CIA; Issa m Za ghlou l,
M Sc , C I S A, CIS S p, CG EIT
ARABIC REVIEW TEAM
Ay m a n Abde lra him, MQM, CIA, CCSA,
C F E ; Kh a lid M. Alo dha ibi, S O CpA;
Q a i s H a mda n, CIS A, CIS M, p Mp ;
N o o r a Ayo o b; wa le e d S w e ime h, CIA
4 INTERNAL AUDITOR - MIDDLE EAST
We want your views on the articles and the magazine! Share your
thoughts and feedback with us via email at editor@internalauditor.me
should also extend to all project managers all the controls you want in a project but
WWW.INTERNALAUDITOR.ME
and the project team. On another note, the people leading the project are the most
I would have really liked it if the author important factor to ensure the success of
described the concept of “work in progress” any project.
management in more detail.
Hazem Mohamed Hosni Selim, CRMA
Vikas Anand, MRICS Senior Internal Auditor- Projects Audit
Projects Auditor Dubai, UAE
Abu Dhabi, UAE
Auditee Feedback
The article Auditee Feedback (December
The Importance of People in 2014) highlights an important topic for all
Projects Chief Audit Executives which is how to
The article Project Controls: More than
measure the effectiveness of the internal
Just a Box Ticking Exercise (December
audit activity. However, I don’t think we
2014) mentions many key controls for
should limit the feedback to only internal
projects but these alone will not ensure that
audit client; it should include all key
the project will be delivered successfully.
stakeholders. The Chief Audit Executive
I think the success of the project is the
must consider that constructive feedback
result of many factors, and the most
depends on two key factors: 1) the level of
important factor in my point of view is
the individual or person in charge of the
understanding of internal audit role within
the organization (from audit client side)
project. This person will know how to use
and 2) the level of applying the highest
the key controls properly and make the
standard of due professional care (from the
correct decision at the right time. There are
auditor’s side ). I am certain that internal
many situations that may be faced during
audit clients will provide constructive
the project life cycle (such as changes
feedback when they realise that the internal
to the scope of work, instructions from
audit activity values this feedback.
higher authorities, changing laws, market
fluctuations, and many others) which will Saif A. Kaddoura, MBA, CFC
need a quick and bold response from the Internal Audit Consultant
person in charge of the project. You can put Abu Dhabi, UAE
UAE INTERN AL AU DIT ASSOCIATION C ONTAC T I NF OR MAT I ON
BOARD OF GOVERNORS ADVER TISING & ADMINIS TRATION
Ah med Al An sari; Kh alid Al Hal yan ; Ya s m i n e A b d E l A zi z
M oh am ed Al Harth i; Ab d u lq ad er e ve n ts @i i a u a e . o rg
UAE Internal Audit Association
Ob aid Ali; Naseeb a Alrais; Ayesh a Te l : +9 7 1 4 4 3 3 9 0 8 2 an IIA Global affiliate
Bin Lootah ; Naeim a Moh ammed Al EDIT ORIAL
M en h ali; Ali Al Mu waijei; Nah la Al I n te rn a l A u d i to r – M i d d l e E a s t i s p u b l i s h e d q u a rte rl y b y t h e
F a ra h A ra j U A E I n te rn a l A u d i t A s s o ci a ti o n ( U A E - I A A ) , Of fi ce 1 5 0 3 , 1 5 t h
Qassimi e d i to r@i n te rn a l a u d i to r. m e F l o o r, A p I Tri o To we r, D u b a i , U n i te d A ra b E m i ra te s
EXECUTIVE COMMITTEE Te l : +9 7 1 5 0 8 5 0 1 7 8 0
COMPLIMENTARY TRANSLATION PROVIDED BY:
Raza Ab d u lla; Ab d u lrah man Al Hareb ;
DESIGN & PRINTING
Arin d am De; Karl Hen d ricks; Ru stom G i ri s h M e h ta
S. Kreid l y; Karem Ob eid ; Harsh A d ve n tu re G l o b a l
M oh an ; Rob ert Noye- Allen ; Fad i g i ri s h @a d ve n tu re - g l o b a l . co m
Sid an i; Ra b i You ssef; Ad n an Z aid i Te l : + 9 7 1 4 3 9 3 7 6 9 6
GENERAL MAN AGER ARABIC TRANSLATION & LAYOUT
Samia Al You su f Hossam Samir
E l a p h Tra n s l a ti o n
TEAM
h o s s a m @e l a p h tra n s l a ti o n . co m DISCLAIMERS
Aish a Akh tar; Yasmin e Ab d E l Aziz;
Te l : +9 7 1 4 3 3 1 0 3 3 2 I n te rn a l A u d i to r – M i d d l e E a s t i s i n te n d e d o n l y f o r m em b er s
Gh ad a Ab d E lb aky; Bassam E l
Ba g h d ad i; Moh ammed Jou d a; You ssef GUIDELINES F OR AUTHORS o f th e I n s ti tu te o f I n te rn a l A u d i to rs i n th e M i d d l e E as t an d
Lu tfi; Aileen pela g io; Nin ad prad h an ; www. i n te rn a l a u d i to r. m e a s s u ch i t i s n o t i n te n d e d to b e s o l d o r re - s o l d b y an y p ar t y.
Z eeh an Sh aikh T h e vi e ws e xp re s s e d i n I n te rn a l A u d i to r – M i d d l e E a s t
a re s o l e l y th o s e o f th e a u th o rs , a n d d o n o t n e ce s s ar il y
re p re s e n t th e vi e ws o f th e U A E - I A A o r th e a u th o rs ’
re s p e cti ve e m p l o ye rs .
I n te rn a l A u d i to r – M i d d l e E a s t i s a p e e r- re vi e we d ma g az in e
a n d d o e s n o t ve ri fy th e o ri g i n a l i ty o f th e co n te n t s ub m it t ed
b y th e a u th o rs .
MARCH 2015
Knowledge Update
B Y VI S H A L T H A K K A R
2015 Audit Committee Survey by KPMG
A survey carried out by KPMG of 1,500
Audit Committee members in more than
36 countries stated that three out of four
surveyed said the time required to carry
out their audit committee responsibilities
has increased significantly (24 percent) or
moderately (51 percent) and half said the
job continues to grow more difficult given
the committee’s time and expertise. Further,
cyber security and the pace of technology
change, risk management and operational
risk, and regulatory compliance are the
issues which will require more attention
in 2015.
More and more boards are reallocating
oversight of risk, financial reporting and
audit duties to Audit Committee and risk
environment is straining Audit Committee
agenda currently. More than one-third
of boards have recently reallocated risk
oversight duties among the full board
and its committees (up from 25 percent
last year), and 32 percent said they may
consider doing so in the near future
Audit committees are still expressing their
confidence in oversight of the company’s
financial reporting and audit, this survey
highlights many ongoing challenges and
concerns globally such as:
MARCH 2015
Top 5 Risks
for 2015
1
Regulatory Changes
& Scrutiny
2
Economic
Conditions
• The quality of information specifically
3
related to particularly on cyber security and
technology risk, talent and innovation and
business model disruption is falling short.
• The company’s readiness to respond
to matters such as loss of critical
Cyberthreats
infrastructure i.e. financial systems,
4
telecommunications networks,
transportation, energy / power may require
more attention.
• Succession planning of the Chief Finance
Officer continues to be a major gap, with
Ability to Attract &
many audit committees ranking themselves Retain Top Talent
lowest in this area.
5
• Many audit committees want to go into
the details of finance organization’s work,
including financial risk management,
capital allocation, tax, and debt.
Corporate Culture
• The internal audit function could deliver
greater value to the organization.
Not Supporting Risk
• External auditors could better support
Identification
the audit committee by sharing industry-
specific insights and views on the quality of
the company’s financial management team. Source: Protiviti’s Executive Perspectives on
Top Risks for 2015
http://www.protiviti.com/en-US/
https://www.kpmg-institutes.com/
Documents/Surveys/NC-State-Protiviti-
institutes/aci/articles/2015/01/kpmg-2015- Survey-Top-Risks-2015.pdf
global-audit-committee-survey.html
INTERNAL AUDITOR - MIDDLE EAST 5
 Knowledge Update

COSO in the Cyber Age

COSO Internal Control — Integrated Framework (“2013 Framework”) or the Enterprise
Risk Management Integrated Framework (2004) provide an effective and efficient
approach to evaluate and manage risks associated with cyber security. In 1992, when
the original COSO Internal Control — Integrated Framework (“1992 Framework”)
was released, businesses operated in a significantly different environment as there were
fewer internet users, Microsoft Internet Explorer didn’t not even exist and business
was communicated predominantly with telephone and fax. In the past two decades,
Information Technology (IT) has significantly transformed the way businesses operate
as businesses exist primarily in a cyber-driven world. As businesses and technology have
evolved, the 2013 Framework has evolved as it has been enhanced in many ways and
incorporates how organizations should manage IT innovation.

Even though businesses use great caution when sharing information about their
technology, both internally and externally, to protect their business operations, cyber
Emerging Strategies
attackers leverage technology to attack from virtually anywhere and to target virtually any
kind of data. Despite this far reaching cyber threat, it is clear that protecting all data is not
for Performance
possible and hence cyber risk is not something that can be avoided; instead, it must be
managed.
Auditing
Performance auditing can lead to more
An organization’s cyber risk assessment should begin by understanding what information efficient, effective, and economical program
systems are valuable to the organization and value should be measured against the delivery, stronger controls, and improved
potential impact to the entity’s objectives. Risk assessments should be updated on a compliance with laws and policies. Many
continuous basis to reflect changes that could impact an organization’s deployment of audit functions within local governments
cyber controls to protect its most critical information systems. in the United States and Canada have
embraced performance audits with the
http://coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf
support audit committees and government
leaders to understand. The research report
from the Institute of Internal Auditors

Anti-Fraud Collaboration Report

Research Foundation will cover:

• 12 best practices for mitigating the

Offers Help to Build a Fraud-Resistant barriers to performance auditing;

Organization • Suggested funding levels for audit

functions; and
Anti-Fraud Collaboration Report outlines roles and responsibilities in fight against
financial reporting fraud, examines special challenges global companies face in this • Ways that public sector audit leaders and
effort. Financial reporting fraud can prove costly for investors and other capital market external stakeholders can collaborate to
stakeholders. A new report from the Anti-Fraud Collaboration whose members include address systemic barriers.
the Center for Audit Quality (CAQ), Financial Executives International (FEI), The
Institute of Internal Auditors (The IIA), and the National Association of Corporate The most significant barriers to
Directors (NACD), takes a fresh look at best practices for fraud deterrence and detection, performance auditing are difficulty
highlighting the critical importance of collaboration on this issue between and among the obtaining education and training,
key players in the financial reporting supply chain. As per the report, financial reporting insufficient funding and lack of sufficient
fraud is defined as “a material misrepresentation resulting from an intentional failure to authority. These barriers are more prevalent
report financial information in accordance with generally accepted accounting principles”. for smaller cities, for audit functions
with fewer employees and in areas where
This report identifies following three central themes that are critical to fraud deterrence performance auditing is not mandated by
and detection: legislation or the audit charter.
• Tone at the top that encourages an ethical culture IIA members can download the research
• The presence of scepticism
• The engagement of all participants in the financial reporting supply chain, with all report for free at the IIA’s online bookstore.
relevant parties understanding and effectively performing their roles with respect to
http://www.theiia.org/bookstore/product/
the company’s financial reporting
emerging-strategies-for-performance-
auditing-insights-from-city-auditors-in-major-
https://na.theiia.org/news/Documents/The-Fraud-Resistant-Organization.pdf cities-in-the-us-and-canada-1873.cfm

6 INTERNAL AUDITOR - MIDDLE EAST MARCH 2015

 www.pwc.com/me

Building
relationships,
creating value.
Whenever there is business to be done, you will find PwC providing insight,
perspective and solution to many of the world's most successful companies.

Through our global network of firms we can bring the power of more than
195,000 professionals in 157 countries. We believe that the best outcomes are
achieved through close collaboration with our clients and the many stakeholder
communities we serve.

Our people will listen to you and tailor solutions that will help you meet the
challenges and opportunities of doing business and beyond.

For more formation on how we can help you address your business needs, please
visit our website: www.pwc.com/me

© 2015 PwC. All right reserved. PwC refers to the PwC network and/or one or more of its member
firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
UAE-IAA Events
B Y SAM IA A L Y O U S U F
4th Annual Chief Audit Executive Conference
In November 2014, the UAE Internal Audit Association hosted its
4th Annual Chief Audit Executive Conference designed as a fully
interactive round table to provide CAEs an opportunity to share
individual expertise with the entire audience. Themed “Change or
Be Changed,” nearly 190 delegates enjoyed several sessions over a
two-day period in Abu Dhabi.
In his inaugural speech, His Excellency Engineer Sultan Bin Saeed
Al Mansouri, UAE Minister of Economy, stated “It is not an exag-
geration to say that for a country to grow and develop organically,
its auditing practices and systems must be developed as a core pri-
ority.” Following this, Committee of Sponsoring Organizations of
the Treadway Commission (COSO) Chairman Robert Hirth deliv-
ered a keynote address updating the audience on COSO including
how utilizing thought leadership can improve their organizations.
8 INTERNAL AUDITOR - MIDDLE EAST
Hirth then presented the first-ever Arabic version of COSO 2013
to HE Eng. Sultan Al Mansouri. “COSO is very pleased that our
2013 Internal Control Framework is now translated into Arabic,
allowing over 20 countries to take advantage of this material that
helps organizations improve their governance and operational
performance through enhanced internal control,” said Hirth.
The conference also had a panel discussion on the latest trends in
the internal audit profession, and delegates could chose among
concurrent sessions on risk management, corporate governance,
smart and continuous auditing, and top priorities for internal au-
dit in addressing emerging technology. Delegates were also given
the opportunity to learn more about The IIA’s new Qualification
in Internal Audit Leadership™ (QIAL™).
MARCH 2015
 UAE-IIA Events

HASAAD & Cooperation with IIA Joint Hospitality &

Kingdom of Saudi Arabia Technology
Subgroup Event
The UAE Internal Audit Association
Hospitality & Technology subgroups
collaborated to hold their last meeting
for the 2014 calendar year at Jumeirah
Group’s Atlantis The Palm, in Dubai on
Tuesday, 16 December 2014. The event was
attended by Abdulqader Obaid Ali, and
hosted by Aldrin Sequeira, Chief Internal
Audit Officer for the Jumeirah Group &
Chairman of the Hospitality Subgroup,
and co hosted by Huzaifa Hussain (event
coordinator of the Technology Subgroup).
The UAE Internal Audit Association held a possibilities of implementing the
several breakfast briefings in January 2015 programme in KSA. The meeting started with a warm welcome
to promote the HASAAD programme that • Quality Assurance Review services that by Aldrin followed by a brief on the
will soon be implemented across the UAE. can be provided by UAE-IAA. hospitality sub-group’s Vision, Mission
The HASAAD program is dedicated to and Objectives. Aldrin also introduced
• Arabization of CGAP and how the
the development of national talent in the the Executive committee members for this
UAE & KSA IAAs can collaborate to
UAE. Also, Abdulqader Obaid Ali met with sub-group that attended. This was followed
successfully complete the process.
the Saudi representatives of the Internal by Mr. Huzaifa Hussain who briefed
Audit Association in KSA: “H.E. Yossef • Providing website services to KSA-IAA
the attendees on the background of the
Al Mobarak & H.E. Rashed Al Rashoud” by UAE-IAA and their service
Technology sub-group’s vision, goals and
at Dubai Intercontinental Hotel, Dubai providers in the country.
objectives and 2014 accomplishments, on
Festival City in Jan 2015. The meeting • Other chances of collaborations
behalf of Mr. Tariq Ajmal, the Technology
conducted discussed the following points: between the UAE and KSA Internal
sub-group Chairman.
• HASAAD programme and the Audit associations in the future.
The session had 2 interesting specialists
Fraud Subgroup Meeting speaking on technology related matters
for the hospitality industry. The first of
The UAE Internal Audit Association (UAE-IAA) - Fraud Subgroup held its first Business which was a presentation from Micros
Breakfast event on Prevention, Detection and Response to Cyber Crime at the Villa Rotana Fidelio (GmbH) by Mr. Oliver Menzel
in Dubai, UAE on 8th of December 2014. One of the conclusions from the event, as stated (Vice President- Services and Business
by members of a panel, was “Tailored Internal Audit Framework, Annual Risk Assessment, Development) discussing “F&B loss
Assessment of new technologies and measuring the effectiveness of data security controls prevention and fraud detection tool”. This
are the key lines of defense against Cyber Threats”. The panel includes experts from
was immediately followed by an interactive
Microsoft, PwC and Dragon Oil.
session led by Mr. Niraj Mathur (Security
Practice Manager) from Gulf Business
Machines (GBM) on “Cyber security in
the hospitality sector”. Both sessions were
engaging and relevant to internal auditors
in the hospitality industry.

MARCH 2015 INTERNAL AUDITOR - MIDDLE EAST 9

IT Audit
B Y KO N S TA N T IN O S TAKOS E D I T E D BY I SSAM ZAGHLO UL
Building Trust in the Digital Era
The digital era
You hear it called the digital revolution – the transformation of
how we work and live, which is one of the great megatrends that
will continue shaping the world this century. Organisations in
the Middle East are coming to the realisation that technological
advances will have the greatest impact on their business over the
next five years. This is in line with what CEOs (85%) responded in
last years’ PwC survey of Middle East CEOs.
The speed of change is accelerating and the majority of businesses
are increasingly becoming dependent on technology-driven
transformation programmes. Over the last two decades, a
technology revolution has changed the way we do business.
Change will only continue and while it will offer opportunities for
innovation and productivity, the digital era presents new risks and
challenges. A digital ecosystem has developed, linking enterprises
to customers and suppliers through multiple channels.
Innovation built into everything
Only by seeking new ways of delivering their products and services
will companies stay ahead of the competition and maintain a
strategic edge. Businesses that are confident in their ability to
deliver technology enabled transformation will have a distinct
advantage in this new world.
In last year’s PwC’s survey of Middle East CEOs 30% said
innovation around products and services would provide the
main opportunity to grow their business over the next 12 months
(second only to increasing their share of existing markets).
Many of those products will be shaped by a combination of new
technologies and investments in the form of industrial automation,
10 INTERNAL AUDITOR - MIDDLE EAST
cloud computing, enhanced Enterprise Resource Planning (ERP)
systems, customer experience innovations, Big Data and the
growth of connected devices – the so-called Internet of Things
(IoT).
Not surprisingly, Middle East executives are interested in shaping
their organisation in the best possible way to cater for innovation,
whether this is through new organisational roles, better processes
and reporting, stronger corporate governance or increased interest
on IT altogether.
Boards spend more time on IT
With technology rapidly changing the way companies do business,
Boards increasingly recognise the importance of effective IT
oversight. That’s likely why the amount of board time dedicated to
IT oversight increased year-over-year according to PwC’s Annual
Corporate Directors Survey 2013. Directors are enhancing their
digital IQ by meeting more frequently with the company’s Chief
Information Officer (CIO) as they are dealing with challenges like
the ones below:
• Significant IT investments
Businesses are making significant investments in technology led
transformation to gain competitive advantage in the digital age.
With fewer and fewer skills retained in most businesses to achieve
these, successful delivery is far from assured.
• Focus on resilience
Businesses have never been more dependent on secure, reliable
technology, systems and data. Cyber breaches and system outages
are being reported daily – destroying trust between businesses and
their stakeholders.
MARCH 2015
 TO COMMENT on the article,
EMAIL the author at konstantinos.takos@ae.pwc.com
• New regulation and standards
Regulators and standards setters are slowly starting to define a raft
of regulations and frameworks that businesses will eventually need
to comply with in order to ensure that they build the right level of
trust into their technology environments.
Focus on trust
Many global companies now invest a good deal of time and effort
to demonstrate business transparency and build trust. Indeed, 68%
of Middle East CEOs report that customer and client confidence
in their companies has improved in the last five years. Still, most
Middle East CEOs understand that relationship is only as strong
as its weakest link. 60% say they were concerned about the lack of
trust in business as a potential threat to their organisation.
When it comes to technology, getting the right attention in the
boardroom is key. With digital opportunities and risks becoming
so central to business strategy, boards and audit committees must
have the digital expertise to set the level of risk that they are willing
to accept. They must be able to ask the right questions and hold
management to account. Naturally, the level of trust required to be
placed on their IT departments is increasing exponentially.
Governance
IT governance is a key ingredient in building trust in the digital
era, but behaviours and expectations of what this means are
varied. The level of importance that organisations in the Middle
East place on IT governance tends to be relatively low and it
is seen as an afterthought or at best a way to satisfy nebulous
compliance requirements. For many within IT, better governance
is euphuism for more bureaucracy and “process” imposed by
compliance functions. This is in line with the typical mistake many
IT departments do when confusing management with governance.
The key decision making meetings tend to resemble management
or operational meetings due to the level of detail involved and the
reactive nature of discussion.
As a consequence, it is difficult to consolidate and report upwards
the right level of information around performance and risk
mitigation. Only about a quarter of directors “very much” agree
that the company provides them with adequate information for
effective oversight (PwC’s Annual Corporate Directors Survey
2013). A lack of representation from outside IT in the main
decision making forums misses out another key ingredient in
building trust on what the IT department is doing and how this
can be aligned to the overall business strategy.
To make matters worse, when the IT department is audited the
main findings usually tend to focus on the lack of documentation
and inappropriately designed operational processes. This
reinforces existing views on IT governance, while the information
MARCH 2015
IT Audit
flow, reporting and decision making responsibilities remain
conveniently unclear. This is despite that the International
Standards for the Professional Practice of Internal Auditing
mandates the internal audit activity to assess whether the
information technology governance of the organization supports
the organization’s strategies and objectives (2110.A2).
It is not all negative though, as new standards (e.g. COBIT 5) that
are slowly being adopted by the IT department help explain and
elevate the importance of IT governance. Some CIOs who are
increasingly pressured to engage with the Business are seeing this
as a great opportunity to change and also elevate their status within
their organisations.
Skill shortage
Changing though seems too great of a challenge for many CIOs.
The majority of skills within the IT department focus on pure
delivery of IT services. The lack of business partnering skills is
being felt acutely as Boards demand from their IT departments to
step up and take a more prominent role.
According to Middle East CEOs the key business threats facing
businesses are availability of key skills (70%) and IT departments
are caught in the middle of the search for new talent. It is not
about holding the right qualifications but demonstrating the right
behaviours that will help nurture trust and confidence. People
are important, and their actions have a direct impact on the
business and its security. Creating the right culture where people
instinctively do the right thing as with many organisational issues
lies at the heart of the issue.
Trust in the Digital Era
Organisations are facing rapid technological change, increasing
data complexity and a growing cyber-security threat - all of which
are raising the risk profile of IT to the business. Organisations
will only be able to have the confidence to embrace their digital
future, if they have trust in their data and security, resilience
built into their systems, and with the assurance that the digital
transformations projects will succeed.
Making the right choices and ultimately drive profitable growth
requires a renewed focus on relevant skills acquisition and better
governance. Provided these are aligned to the overall strategy of
the organisation this can be the first step for building trust in the
digital era. Trust combined with a new attitude to risk will allow
organisations to unleash their potential and the confidence to take
risks.
KONSTANTINOS TAKOS, MSc, ACA is a Senior Manager at PwC and
leads the Technology Governance and Risk Service in the Middle East.
INTERNAL AUDITOR - MIDDLE EAST 11
Conversations with Colleagues
B y Meenakshi R azdan

Karl Hendricks

KPMG’s Head of
Consulting for
Lower Gulf and Risk
Consulting Leader
across Middle East
and South Asia region
explains what it really
takes to be an internal
audit leader

I
n an exclusive interview, Internal Auditor - Middle East spoke to Karl Hendricks,
QIAL who is currently a Partner in KPMG Lower Gulf Limited and leads the
Consulting practice. He has over 18 years of experience in providing Risk &
Management Consultancy including areas such as Internal Audit, Risk Management,
Corporate Governance, Forensics and Business Process Re-engineering to clients both

12 INTERNAL AUDITOR - MIDDLE EAST MARCH 2015

 TO COMMENT on the article,
EMAIL the author at meenakshi.razdan@yahoo.com
locally and internationally. Karl also resides
on the Executive Team within KPMG and
also looks after Risk Consulting across the
Middle East and South Asia region. Karl
is an active supporter of the UAE Internal
Audit Association (UAE-IAA) and is a
member of its executive committee.
Internal Auditor - Middle East met with
Karl Hendricks at KPMG’s offices in Dubai.
How has KPMG developed internal audit
leaders across our region?
At KPMG, we take great pride in our
training programs and the training of our
Internal Audit professionals. We recognize
that our staff not only interact with middle
management, but also with industry
leaders. To that end, we focus greatly on
transforming our staff into leaders and
have a global internal initiative called the
‘Emerging Leaders Program’ wherein high
potential KPMG staff, including Internal
Audit, undergo extensive leadership
trainings.
What have you gained from earning
the Qualification in Internal Audit
Leadership (QIAL)?
I felt that the qualification immediately
enhanced my profile within the region as
the first senior internal audit professional
amongst the Big Four to obtain the
qualification.
In addition to my existing qualifications
that I had obtained a few years back, I
find that the qualification to be a good
medium for keeping up with recent trends
and needs that are to be demonstrated by
a leader.
What are the most important skills for an
internal audit leader?
In my opinion, an Internal Audit Leader
should have great interpersonal skills, the
ability to be objective and be a strategic
partner who will strive to add value to an
MARCH 2015
organization.
What do you think is the difference
between a good internal audit leader and
a great one?
A great Internal Audit Leader would be the
one who acts as driver for a change within
an organization. He would not just be
perceived as a trusted advisor, but would
also act as one I would think that he should
be the first person a CEO / C level would
call to consult.
What are some initiatives that Chief
Audit Executives (CAEs) can work on
in order to lead positive change in their
organizations?
A leader has to be the change he wants
to see in the organization. CAEs need
to have the ability to envision and reach
the standards he wishes to instill in the
organization. He should consider a healthy
mix of assurance and advisory mandates
“As an internal audit leader in today’s fast
paced and dynamic market, you need to keep
your finger on the pulse to provide innovative
responses relevant to market changes’ and
ensure you are ahead of the curve to meet
business needs”
as a part of the audit plan with an aim to
add value and assist organizations in the
achievement of their goals.
How can CAEs become more strategic in
their positioning and thinking?
The CAE should work towards becoming
part of the strategic or key operational
teams so as to steer their thinking in
the direction of a company’s goals and
plans. However, this is an important area
Interview
not to compromise their objectivity and
independence. CAEs should contribute to
an organization’s strategy and growth plans
by providing their insights into strategic
issues and business operations and, not
being so prescriptive on internal controls.
Based on your experience within the
region, how are audit committees
evaluating the effectiveness of a CAE’s
leadership abilities?
Primarily by KPIs focusing on leadership
capabilities such as relationship-oriented
KPIs with C-suite members. Second, audit
committees focus on contribution of CAE’s
ability to articulate control and risk issues
and its impact on business strategy during
board and committee meetings. Numerous
audit committee also assess the proactive
involvement with various internal and
external stakeholders such as regulators,
external auditors amongst others by using
feedback forms.
Finally, what advice do you have for
CAEs looking to improve their leadership
skills?
I believe that CAEs should continuously
strive to invest time for self-development.
They should ensure they are being more
relevant with business and auditing skills.
Aspiring CAEs should try their best to
move away from ‘traditional audit’ and
introduce innovative trends such as Data
Analytics, Cyber Security and Continuous
Monitoring.
INTERNAL AUDITOR - MIDDLE EAST 13
 KPMG is a global network of professional firms
providing Audit, Tax and Advisory services. We have
more than 155,000 outstanding professional working
together to deliver value in 155 countries worldwide.

KPMG’s Internal Audit Risk & Compliance Services

(IARCS) deploys multidisciplinary teams of professionals
experienced in financial and operational internal audit,
governance, compliance, and risk assessment to
augment and enhance an organizations’ existing internal
audit capabilities.

Contact Details for IARCS UAE

Karl Hendricks, Partner
khendricks@kpmg.com
+971 442 489 86
+971 505 043 129
Sudhir Arvind, Partner
sarvind@kpmg.com
+971 240 148 33
+971 502 380 378
Harikrishnan J, Director
hjanakiraman@kpmg.com
+971 442 489 21
+971 502 402 559

© 2014 KPMG, KPMG LLP and KPMG Lower Gulf Limited, registered in
the UAE and member firms of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (”KPMG
International”), a Swiss entity. All rights reserved. Printed in the United
Arab Emirates. The KPMG name, logo and ‘cutting through complexity’ are
registered trademarks or trademarks of KPMG International.
Human Resources
B Y DR . K H A L A F A LwARD AT E D I T E D BY M AJE D BUKHASHEM
People
Skills for
Internal
Auditors
“People Skills” are considered an integral
part of the essential skills that must be
acquired by the internal auditor. It aims
to change the negative impressions that
some employees may have about internal
auditors into more positive perceptions.
This is accomplished by creating a positive
image of the internal auditor by describing
him/her as an expert who is seeking to
help them, instead of a policeman who
is trying to highlight their mistakes. The
most important aspect of people skills is
diplomacy.
Diplomacy is a science with rules that
must be learned. However, there is a thin
line between diplomacy and hypocrisy. The
first, diplomacy, is decency, understanding,
and sensitivity to others while the second,
hypocrisy, is an immoral attitude to reach a
certain aim. Therefore, internal audit needs
a high level of diplomacy or wisdom to
differentiate itself from hypocrisy in order
to effectively achieve goals by mastering
many skills:
1- Communication: It is defined as the
best ways to share information and convey
meanings, feelings, and opinions to
others in order to influence or persuade,
whether via verbal or non-verbal
communication. The well-known therapist,
Virginia Satir, says: “Communication
is a process of exchanging meanings
between two persons.” Based on the
above, the conclusion is that successful
MARCH 2015
communication has to be established on
two milestones:
• Building a strong relationship with
others and harmonizing with them.
• Transferring information and ideas to
others and influencing them as required.
2- Negotiation: Negotiation is ongoing
discussions, talks, and communication
between two or more parties as a result
of an agreement or disagreement with
regards to common interests. The
parties naturally tend to compromise
to reach a win-win solution. This is
the right concept for negotiation, as it
considers it a “collaboration” rather than
a “confrontation.” It is a chance for two
parties to work jointly to achieve a goal not
attainable by either of them alone.
3- Persuasion: Is a mental process to
influence the thoughts of others, a way to
achieve objectives. Effective persuasion
embodies successful communication skills
and is a milestone for success. Therefore,
some have considered it the parameter to
measure a person’s keenness to succeed
and reach his/her goals. As Omar bin Al
Khattab, said: “Speak so that you may be
known, since a man is hidden under his
tongue.”
4- Criticism: Criticism is a method to
recover from setbacks if such criticism is
determined and focused on the (wrong)
behavior, instead of focusing on the person.
TO COMMENT on the article,
EMAIL the author at dr.khalafalwardat@yahoo.com
It must be constructive and should not be
intended to frustrate others or damage the
relationship with them, but rather improve
it. It is aimed to be communicated in one-
to-one meetings and not in public.
5- Influencing others: The Prophet
(PBUH) said: “Whenever forbearance
is added to something, it adorns it; and
whenever it is withdrawn from something,
it leaves it defective.” The one who calls
for something and does the opposite
says to the people I want you to know it
and believe it doesn’t work, but don’t you
see that in me. Keep silent after saying a
statement of doing something and allow
the person(s) to think. As such, you are
conveying great messages to them as they
themselves understand that they are great.
Finally, I would like to mention that the
auditee is a human being who is formed
by his/her beliefs and emotions. He/she is
not a machine that does exactly as it is told
and the internal audits needs to use his/her
“people skills” to build a relationship with
the auditee and for them to understand
the recommendation and to implement it.
Without people skills such as diplomacy,
internal audit will not be as effective and
the organization as a whole will not benefit.
DR. KHALAF ALWARDAT is a financial expert,
trainer and auditor, and is accredited locally
and internationally in the fields of accounting,
finance and auditing.
INTERNAL AUDITOR - MIDDLE EAST 15

B Y R O B E RT H IRT H
COSO’s Internal Control –
Integrated Framework
COSO’s Chairman writes
about the global importance
of the 2013 COSO Framework
while pointing out that there
is no excuse for companies in
the Middle East not to learn
the framework, communicate
it to others and use it to
help improve their internal
controls.
16 INTERNAL AUDITOR - MIDDLE EAST
Internal Control
T
he Committee of Sponsoring Organizations of the Treadway Commission (COSO)
released the updated version of its Internal Control – Integrated Framework in
May 2013 (the 2013 COSO Framework). The original version of the framework
was issued in 1992 and gained acceptance to become the most widely used internal control
framework in the world. To create a logical transition process, COSO announced that the
1992 framework would be superseded effective 15 December 2014.
These efforts support COSO’s mission to “improve organizational performance and
governance and to reduce the extent of fraud in organizations”. The update of the Internal
Control – Integrated Framework has resulted in several improvements to the original
framework including: emphasis on non-financial reporting objectives (e.g. Integrated
Reporting, Sustainability Reporting etc), focusing on the increasing importance of
technology, and addressing fraud risk.
To purchase the 2013 COSO Framework or access publications on risk management,
internal control and fraud deterrence, please visit www.coso.org or the IIA Bookstore
http://www.theiia.org/bookstore/index.cfm
Global Credibility
The framework has been translated from the English version into the following languages,
making it truly a global framework:
• Chinese • French • Russian
• Japanese • Spanish • Portuguese
All US stock exchange listed companies subject to Section 404 (management certification
and being subject to independent audit on internal control over financial reporting) of
the Sarbanes- Oxley Act of 2002 are given the option of choosing a “suitable” internal
control framework. 100% have chosen the COSO Framework. Further, the US General
Accounting Office (GAO) has adopted the framework as part of its Green Book
publication on internal control guidance. Aspects of internal control regulations in China,
Japan and South Korea have utilized COSO internal control related concepts.
MARCH 2015
 Internal Control

Most recently, under its Companies Act, Components and Principles that Create The five components are defined as follows
India has created a requirement for all effective internal Control in the 2013 COSO Framework:
listed companies to report on internal
control and to require an independent The 2013 COSO Framework consists of 1. Control Environment
assessment by the external auditor and 5 key components of internal controls The control environment is the set of
requiring the auditor to report on the and are represented across the face of the standards, processes, and structures
adequacy of internal financial control COSO cube model: that provide the basis for carrying out
over financial reporting. Part of this
requirement discusses the use of a
framework and specifically mentions the
2013 COSO framework.

In the Middle East, the 2013 COSO

Framework has been translated to Arabic
by the UAE Internal Audit Association
and was released in November 2014 at
the Chief Audit Executives conference in
Abu Dhabi, where it was also presented
to the His Excellency Sultan bin Saeed
Al Mansouri, UAE Minister of Economy.
Further, several countries in the region
have adopted regulation on internal
controls (including annual evaluations of
effectiveness) for listed companies. While
the COSO framework is not a requirement,
several leading companies (such as Etisalat1
and National Bank of Kuwait2) have chosen
to adopt the framework as a best practice.

A Broad Definition of Internal Control

COSO defines internal control broadly as

follows:

Internal control is a process,

effected by an entity’s board of
directors, management, and
other personnel, designed to
provide reasonable assurance
regarding the achievement
of objectives relating to
operations, reporting, and
compliance.
Part of the philosophy of this definition
is that internal control is not and cannot
be limited to finance and accounting
activities but rather encompasses the entire
organization and a combination of different
levels of employees, management and the
board.
©2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO). Used by permission.
The COSO cube allows for the entire
enterprise or any component thereof
(division, subsidiary, operating unit or
function, etc.) to be subjected to the
framework. The definition of internal
control used as the scope of an evaluation
may utilize all or any combination of
the three internal control objectives:
Operations, Reporting (defined as
any combination of internal, external,
financial or non-financial reporting) and
Compliance. Therefore the framework is
both clearly structured and organized, yet
flexible.
internal control across the organization.
The control environment comprises
the integrity and ethical values of the
organization; the parameters enabling
the board of directors to carry out its
governance oversight responsibilities; the
organizational structure and assignment
of authority and responsibility; the process
for attracting, developing, and retaining
competent individuals; and the rigor
around performance measures, incentives,
and rewards to drive accountability
for performance. The resulting control
environment has a pervasive impact on the
overall system of internal control.

MARCH 2015 INTERNAL AUDITOR - MIDDLE EAST 17


2. Risk Assessment
Risk assessment involves a dynamic
and iterative process for identifying and
assessing risks to the achievement of
objectives. Risks to the achievement of
these objectives from across the entity
are considered relative to established risk
tolerances. Thus, risk assessment forms
the basis for determining how risks will
be managed. Risk assessment also requires
management to consider the impact
of pos¬sible changes in the external
environment and within its own business
model that may render internal control
ineffective.
3. Control Activities
Control activities are the actions established
through policies and procedures that
help ensure that management’s directives
to mitigate risks to the achievement of
objectives are carried out. Control activities
are performed at all levels of the entity, at
various stages within business processes,
and over the technology environment. They
may be preventive or detective in nature
and may encompass a range of manual and
automated activities such as authorizations
and approvals, verifications, reconciliations,
and busi¬ness performance reviews.
4. Information and Communication
Information is necessary for the entity to
carry out internal control responsibilities to
support the achievement of its objectives.
Communication is the continual,
iterative process of providing, sharing,
and obtaining necessary information. It
enables personnel to receive a clear message
from senior management that control
responsibilities must be taken seriously.
5. Monitoring Activities
Ongoing evaluations, separate evaluations,
or some combination of the two are used
to ascertain whether each of the five
components of internal control, including
controls to effect the principles within each
component, is present and functioning.
Findings are evaluated against criteria
established by regulators, recognized
standard-setting bodies or management
18 INTERNAL AUDITOR - MIDDLE EAST
Internal Control
and the board of directors, and deficiencies are communicated to management
In addition, there are 17 Principles of effective internal control that support and enable
these components:
Components Principles
Control Environment 1. Demonstrates commitment to
integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and
responsibility
4. Demonstrates commitment to
competence
5. Enforces accountability
Risk Assessment 6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes
significant change
Control Activities 10. Selects and develops control activities
11. Selects and develops general controls
over technology
12. Deploys through policies and
procedures
Information & 13. Uses relevant information
Communication 14. Communicates internally
15. Communicates externally
Monitoring Activities 16. Conducts ongoing and/or separate
evaluations
17. Evaluates and communicates
deficiencies
Supporting each Principle are Points of Focus, representing important characteristics of
the Principles. While the 2013 COSO Framework does NOT prescribe specific controls
that must be in place, the Points of Focus help guide organizations in the development and
selection of appropriate controls. If we look at Diagram 1 across, we can see how there are
4 Points of Focus to support the particular principle on integrity and ethical values. There
can be a number of controls which address this Principle such as leading by example,
communication (email or staff meetings) on the importance of ethics, the existence of a
formal code of conduct with training and annual attestations.
MARCH 2015
 TO COMMENT on the article,
EMAIL the author at robert.hirth@protiviti.com Internal Control
Diagram 1
Component
1. The organization demonstrates a commitment to integrity
Principle
• Sets the Tone at the Top
Point of Focus (Optional) • Establishes Standards of Conduct
• Evaluates Adherence to Standards of Conduct
• Addresses Deviations in a Timely Manner
Key Controls Control
1 2
Under the framework’s methodology, all
17 Principles must be present and function
in such a way that the 5 components
operate in an integrated manner in order to
conclude that internal control is effective. It
should be noted that compliance with the
Points of Focus is optional. The principles
become present and functioning through
responsive control activities that are
designed to the correct level of precision
and are in fact operating as intended.
Operating effectiveness is generally
determined though independent testing of
the control activity.
Benefits to Internal Auditors
While the 2013 COSO Framework, when
implemented correctly, helps organizations
to achieve their objectives and improve
performance, it is also way for internal
auditors to meet the requirements of the
IIA’s standards and drive positive change
within their organizations.
When it comes to the IIA’s Standards,
evaluating internal controls using the
2013 COSO Framework mainly helps to
address 2 Standards which can be difficult
to implement:
MARCH 2015
Control Environment
and ethical values.
Control Control Control
3 4
• 2100 – Nature of Work: Relates
to the evaluation of governance,
risk management, and control
processes (Mainly through
the Control Environment, Risk
Assessment, Control Activities
and Information &
Communication components).
• 2450 – Overall Opinions:
Supporting overall opinions on
internal controls with sufficient,
reliable, relevant, and useful
information (Mainly through the
Monitoring Activities component).
Similarly, by promoting a world class
control framework, internal auditors can
be seen as having up to date knowledge
and can use this knowledge to educate
management and work with them to
improve governance, risk and control
processes. Even at private companies in
the Middle East, such as the Ali Bin Ali
Group3 in Qatar, the internal auditors are
promoting awareness of the framework
within their company.
Get Started - Use Some or All of it
As stated in the title of this article, you
need to :
• Learn the COSO materials- read and
study them, determines how you can best
apply some or all of this material to your
organization all at once or over time
• Get started by putting the COSO
concepts in place. Even if it’s a small
change to begin, you have to start
somewhere
• Communicate the COSO concepts and
materials to others- you can’t be successful
alone. This includes your internal audit
team, company management, the board
and many employees in your organization.
Closing Remarks
The 2013 COSO Framework is meant to
be applied to all companies. COSO can
be tailored to any type of organization
regardless of company size, maturity,
industry or location or type (private,
public and etc). For small companies in
some cases, the 2013 COSO Framework
may be implemented using less than 100
key controls. In the Middle East, forward-
thinking companies are already using
the framework and internal auditors are
using it to build awareness around internal
control best practice. With this trend
and the translation of the 2013 COSO
Framework into Arabic, there is no excuse
not to use it and benefit from it!
References:
1. http://etisalat.com/en/system/docs/12-
4-2013/EtisalatGovernanceReport-2013-
English.pdf
2. http://www.nbk.com/
corporategovernance/governanceframework/
riskmanagementandinternalcontrol_en_
gb.aspx (Accessed on 9 January 2015)
3. http://www.alibinali.com/coso-internal-
control-integrated-framework-workshop-for-
aba-finance-team/ (Accessed on 9 January
2015)
ROBERT HIRTH is the Chairman of COSO and
is a Senior Managing Director with Protiviti in
the United States.
INTERNAL AUDITOR - MIDDLE EAST 19

B Y Hakim L ali p urwala E dited by Andre w C ox
Auditing Construction Projects
Introduction
Many companies engage in construction
projects which can entail significant
risks and costs. Companies have gone
bankrupt by poor initial analysis of project
benefits and a cavalier attitude to project
management and costs. As a result, it is
likely construction risks will be high and
an audit may be scheduled in the Annual
Internal Audit Plan. This article provides
information on what should be considered
when auditing construction projects.
Multi–Stage Audit Approach
These can be a valuable assurance tool,
especially for auditing construction projects
which will be planned and implemented
over a period of time. The idea is that
Internal Audit can provide assurance by
adopting a life cycle approach to the project
through ‘short and sharp’ audits at key
project stages. This provides immediate
feedback as the implementation progresses
and any areas requiring remedial action
can be addressed at the time they need to
be addressed. It is generally acknowledged
this approach can provide added assurance,
identify problems as they arise, and
improve outcomes.
Tip – Adopting a multi–stage audit
approach by tracking the project as it
evolves, and reporting on how to remediate
issues as they arise, will win you much
more respect than coming in after the
project is complete and reporting the
project was not managed well. A bit like
the old audit saying about auditors going in
after the battle to shoot the wounded.
Stakeholders
There are many stakeholders involved in
construction projects, including some from
20 INTERNAL AUDITOR - MIDDLE EAST
Internal Audit
outside the company. Stakeholders • Independent assurance by external
may include: consultants for significant projects.
• Master Developer.
• Developer. Tip – There should be continuous review
• Designer/Consultant. of all the above, including changes in the
• Project Manager. construction environment and market
• Prime Contractor.
conditions.
• Sub–Contractors.
• Regulatory Authorities eg. Municipal
Authorities, Road and Traffic authority, Design and Planning
Civil Defence, Land Department, etc. Key considerations for selection of
consultants include:
Project Stages • Method of selection.
Key project stages are usually: • Qualification and experience.
• Feasibility. • Insurances and bonds
• Specified payment milestones.
• Design and Planning.
• Tender and Contracts.
• Monitoring of Construction. Tip – Many consultants put forward their
• Handover. company credentials and experience, but it
is important to confirm that the specified
Auditing Construction Projects personnel who will actually work on the
Auditors need to consider the following project have the necessary qualifications,
while auditing construction projects in experience and track record.
their various stages:
Tender and Contracts
Feasibility Key considerations are:
Key considerations are: • Method of selection – the contractor
• Major Risks are highlighted. should ideally be selected based on a
• Assumptions are matched with current tender. Audit review may include:
actual conditions - Adequacy and compliance with
• Internal ‘checks and balances’.
MARCH 2015
 TO COMMENT on the article,
EMAIL the author at hakim_lal@yahoo.com
company tender policies.
- Was the tender properly conducted
with equal opportunity for all?
- Were both commercial and technical
evaluations performed for all bids?
- Is a priced Bill of Quantities (BoQ)
submitted by all bids?
- Does the tender scope cover the entire
project? For example, if the developer
is building the first phase of a project
with a community centre, a mall and
a mosque, will all these be completed
and ready for occupancy at the same
time?
• Are Contracts signed with all
Contractors?
- Is a standard contract format such
as FIDIC (International Federation of
Consulting Engineers) followed as
it will typically cover all eventualities
involved in the construction process
- Are contractual terms consistent for all
contractors?
- Are adequate retention conditions
specified to ensure contractors are
incentivised to complete the project
as planned.
- Costing – fixed price, cost plus or
guaranteed maximum price? If the
contract is a cost plus or guaranteed
maximum price, this increases risk
and needs to be confirmed as the
best approach.
Tip – It can be useful and cost–effective to
employ an independent Probity Auditor to
provide ongoing review of the project.
Tip – There should be adequate segregation
of duties in the contract award process.
Monitoring of Construction
Key considerations are:
• In FIDIC construction contracts,
Schedule 14 represents the
construction timeline and highlights
the timeline for completion of key
activities. If Schedule 14 has been
agreed with the contractor, the auditor
needs to verify whether the project is
on schedule or delayed. If there are
any delays, enquire about actions taken
to complete the project on schedule,
who is responsible for the delay and
whether there is recourse for any
MARCH 2015
additional cost.
• Project progress reports are usually
prepared by consultants on a monthly
basis and circulated to all parties. The
monthly progress reports contain,
amongst other things, details about
the actual versus planned progress and
costs, variations, claims and
disputes, non–conformance to contract
specifications, and safety issues. A
detailed review of the monthly progress
reports gives a good view of the current
project status.
• The auditor needs to review whether
there is a formal Document Control
System with proper control over
all project documents such as contract
copies, communication with
contractors, consultants, etc. A detailed
review of these documents is necessary
to audit the project and understand
its current status. Further, a document
monitoring system should be in place
to enable the company to ensure claims
from contractors are correct.
• These documents should align
with a recognised project management
methodology.
• Prior to making payments to
contractors, the following details
should be confirmed:
- The performance bond, advance
guarantee bond and required
insurances are valid.
- The retention and advance recovery
has been properly deducted.
- The consultant has approved the
payment.
- Management has reviewed the
Payment Certificate against the BOQ
rates and quantities.
• Should a consultant or contractor be
terminated for any reason, the auditor
should review:
- The reasons for termination
and mitigation plans put in place by
management to ensure project
continuity.
- Termination and mitigation plans been
approved by management.
- Contract requirements and procedures
have been complied with.
- The new contractor or consultant
has accepted all required handover
requirements before processing
the final settlement for the terminated
Internal Audit
contractor or consultant.
• Verification of health and safety reports
on compliance with health and safety
requirements to ensure safety
standards are maintained and people
are not placed at risk.
Tip – Auditors should consider engaging
Subject Matter Experts (SMEs) to provide
expert input to the construction review
process. An accounting qualified Auditor
will have certain skills, but is unlikely to be
an expert in construction.
Handover
Key considerations are:
• Regulatory approvals such as
Certificate of Occupancy.
• The final drawings, testing reports, end
user training, warranties and manuals
for equipment have been handed over
to the developer.
• Adequate spare parts for equipment are
handed over.
• All non–conformances have been
rectified to the developer’s satisfaction.
• All issues around time extensions,
non–conformances and penalties have
been approved and settled.
• All variations been approved and
valued.
• The cost consultant provides a cost of
break–up attributable to each
construction element and the various
components, so assets can be
capitalised.
Tip – A survey may be conducted with
the users of the project to verify whether
the project meets their needs and to
highlight any short comings.
Conclusion
Internal Auditors have a key role to review
construction projects. They should become
an assurance partner for the duration of
the project and adopt a multi–stage audit
approach. It is not much use to audit a
project after it is completed.
HAKIM LALIPURWALA, ACA, CPA is Chief
Internal Auditor at Easa Saleh Al Gurg Group.
INTERNAL AUDITOR - MIDDLE EAST 21

B Y DR . A S H R A F G A MAL
The Evolving Role of Internal Audit in
Corporate Governance
S
ir Adrian Cadbury defines corporate
governance as “the system by
which companies are directed
and controlled”. The proper corporate
governance structure specifies the
distribution of rights and responsibilities
among the different parties in the
organization; this includes the board,
managers, shareholders and other
stakeholders. It will also lay down the rules
and procedures for decision-making within
the organization.
Putting the right controls and making sure
they work has always been in the heart of
corporate governance. Companies usually
therefore have multi-layer systems of
22 INTERNAL AUDITOR - MIDDLE EAST
controls. The first layer lies usually within
each department where work procedures
ensure the presence of controls aiming
to minimize the space for errors and
misconduct. The CEO gets the assurance
that internal controls are sufficient and are
working well through the internal audit
function. But since the board is ultimately
responsible for the governance of the
organization, establishing an effective
audit committee is the key tool that the
board has in order to oversee that the
organization is well governed and that the
numbers and information coming to the
board and going out to other stakeholders
are accurate and trustworthy. Share-
owners, on the other hand, would like to
Governance
make sure that their money and interests
are well-protected, and that various systems
within their companies are sufficient
and are functioning the way they should
be. They therefore appoint the external
auditor who evaluates such systems, gives
recommendations or assurances to
the owners.
Given that the role of the internal audit
function is ever evolving with respect
to its role in governance, recently the
Financial Reporting Council, UK, has
revised its corporate governance code for
UK companies, which came into effect on
1 October 2014 and in which it states that
“ The board should establish formal and
MARCH 2015

transparent arrangements for considering
how they should apply the corporate
reporting, risk management and internal
control principles and for maintaining
an appropriate relationship with the
company’s auditors.”
As defined1 by the Institute of Internal
Auditors “Internal auditing is an
independent, objective assurance and
consulting activity designed to add
value and improve an organization’s
operations. It helps an organization
accomplish its objectives by bringing
a systematic, disciplined approach to
evaluate and improve the effectiveness of
risk management, control, and governance
processes”. This clearly indicates that the
role of the internal audit function must
be set and looked at positively rather
than negatively. That positive role must
go beyond the traditional concept of
controlling and safeguarding corporate
assets, regulatory compliance and
enforcing corporate policies. The role of
internal audit is rather to focus on value
creation for an organization, and on
evaluating and suggesting improvements
to corporate governance systems of
organizations. The value creation concept
of internal audit will therefore be an
integrated part of making sure that the
company achieves long-term success and
that it is creating value for the society
at large.
An effective Internal Audit function plays
a fundamental role in assisting the Board
to discharge its governance and control
responsibilities. The Board must, however,
set the right ‘tone at the top’ and to ensure
support to be extended to the internal
audit at all levels within the organization. It
should be communicated and understood
that internal audit helps the Board and
the executive management in protecting
the assets, reputation and sustainability
of the organization. The internal audit’s
MARCH 2015
Internal audit plays a crucial role in ensuring the
success and sustainability of any organization.
role therefore extends beyond financial
controls to include audits of non-financial
information and the controls surrounding
the production of this information as well.
Recognizing the important role that the
internal audit function plays in a corporate
governance system of an organization, the
Institute of Internal Auditors has issued a
standard no. 2110 on ‘Governance’ which
states that “An effective internal audit
function provides assurance that there are
appropriate corporate governance processes
and internal control procedures in place.
The internal audit activity should assess
and make appropriate recommendations
for improving the governance process in its
accomplishment of the following objectives:
• Promoting appropriate ethics and
values within the organization
• Ensuring effective organizational
performance management and
accountability
• Effectively communicating risk and
control information to appropriate
areas of the organization
• Effectively coordinating the activities
of and communicating information
among the board, external and internal
auditors and management.”
Various Codes of Corporate Governance
issued have also echoed the fact that
internal audit function is an integral part
of the corporate governance system of any
organization. The South African King III
report of Corporate Governance (King
III Code) recommends that internal audit
should be strategically positioned in order
to achieve its objectives. The code further
suggests that the internal audit should
report functionally to the chairman of the
audit committee. Given that functional
reporting line for the internal audit
Governance
function is the ultimate source of its
independence and authority, the Institute
of Internal Audit also recommends that the
chief audit executive reports functionally
to the audit committee, board of directors,
or other appropriate governing authority.
Subsidiary, branch and divisional heads of
internal audit should also be sufficiently
senior as compared to the senior
management whose activities they are
responsible for auditing. This point of
view is getting more popular among
central banks and financial regulators.
One of the lessons learnt from the banking
sector/ financial crisis that started in 2007
onwards was that certain “risk takers” can
be left to the control of the CEO or senior
management, they must report directly to
the board or one of its committees. This
includes chief risk officers, chief financial
officers, and chief auditors. Recent bank
collapses clearly indicated that it is way too
risky for the CEO or top management to be
in control of these functions.
Internal auditor, with the help and
guidance of the audit committee, must be
able to set the right priorities. Therefore it
is recommended that internal audit follows
a risk based approach, focusing on the
high risk areas, going down the ladder as
much as possible. The audit committee also
assists the internal audit by discussing with
him/her the adequacy of resources and
skills available to address risk identified
with the audit committee. It is the role of
the board/ audit committee to make sure
that internal audit has enough resources
and calibers to do their job right, keeping
in mind that the failure of internal audit
is a failure of the board itself and may
represent high risk on the organization.
The internal auditor should, at least
INTERNAL AUDITOR - MIDDLE EAST 23
 TO COMMENT on the article,
EMAIL the author at ashraf.gamaleldin@hawkamah.org
annually, carry out an assessment of the
overall effectiveness of the governance,
risk and control frameworks of the
organization, together with an analysis
of themes and trends emerging from
internal audit work and their impact
on the organization’s risk profile. A
comprehensive report is then presented to
the audit committee and the board with
The internal auditor should, at least annually,
carry out an assessment of the overall
effectiveness of the governance, risk and
control frameworks of the organization.
the results and recommendations as well
as the challenges that may need board
interventions to handle.
The Institute of Internal Auditors has
issued Standard No 2060 on internal audit
reporting to senior management and to
the board, which specifies that “the chief
audit executive must report periodically to
senior management and the board on the
internal audit activity’s purpose, authority,
responsibility, and performance relative
to its plan. Reporting must also include
significant risk exposures and control
issues, including fraud risks, governance
issues, and other matters needed or
requested by senior management and
the board.”
24 INTERNAL AUDITOR - MIDDLE EAST
Due to their important role, it is
recommended that the Chief Audit
Executive, and other senior managers
within Internal Audit, have an open,
constructive and co-operative relationship
with regulators which supports sharing
of information relevant to carrying out
their respective responsibilities. In such
cases, however, it is important that this be
done within the framework of corporate
governance of the organization, the one
that is approved by the board of directors
and endorsed by the owners if necessary.
Since the quality of the carrying out the
internal audit function may have serious
implications on the company and on its
stakeholders, the internal audit should
establish and maintain a quality assurance
and improvement program. Where the
internal audit function is outsourced to an
external provider, Internal Audit’s work
should be subject to the same quality
assurance work as the in-house functions
and the results of this quality assurance
work should be presented to the Audit
Committee at least annually for review.
Governance
Internal Audit must also maintain an up-
to-date set of policies and procedures, and
performance and effectiveness measures
for the Internal Audit function. Internal
Audit should continuously improve these
in light of industry developments. Due
to its complexity and importance, it is
recommended that the role of internal
audit is articulated in an Internal Audit
Charter that is reviewed annually, possibly
by a third party, in order to make sure
that it is matching with the evolving best
practices.
Finally, it is worth noting that internal
audit acts as an important line of defense
for any company and its failure may
lead to the failure of the organization
itself. The recent corporate governance
scandals under investigation such as
Tesco and Mobily, have one issue in
common; misstatement of the financial
figures. The internal auditors thus may
have a responsibility in educating audit
committees on what is important and the
questions audit committees are supposed
to raise at their meetings. Historically,
when internal audit focused on monitoring
business operations, processes and
internal control functions, it examined
whether a control was being performed or
procedures were followed and report either
in affirmative or in negative. Whereas now
internal audit’s focus is not on whether a
control is being performed but on whether
it is the right control and if it is being
performed correctly and cost effectively.
The internal audit activity and certainly
audit committees should be more forward
than backward looking.
References:
1. https://na.theiia.org/standards-
guidance/mandatory-guidance/Pages/
Definition-of-Internal-Auditing.aspx
Dr. Ashraf Gamal is the Chief Executive
Officer of Hawkamah, The Institute for
Corporate Governance.
MARCH 2015
Hawkamah provides advisory services on various aspects of corporate governance for
companies across the MENA region.

We develop tailor-made corporate governance frameworks for listed companies, banks and

group companies, and private equity backed companies.

Hawkamah through our Mudara Institute of Director provides professional development

courses and workshops for Board of Directors.

Our services include:

• Governance Assessments
• Development of Governance Codes and framework
• Customized Training and Workshops
• Board
• Director Development Program (DDP)
• Company Secretary Workshop

Tel: +9714 362 2551 / 362 2616

www.hawkamah.org / www.mudara.org

B y A la’ A bu N aba’ a E dited by: Asem Al Naser
Marketing Internal Audit Services
According to the Institute of Internal
Auditors’ definition of Internal Auditing,
there are two types of services that are
provided by the Internal Audit function,
namely, Assurance and Consulting
services. The definition also set out its
scope of work to include evaluating and
improving the effectiveness of Governance,
Risk Management and Control processes.
Consequently, there are a number of
stakeholders of internal audit inside
and outside the organization, each of
whom with different expectations from
internal audit. Internal auditors need to
have marketing skills in order to allow
stakeholders to understand the internal
audit team’s role and the diversity of
services that the team can provide to the
organization
Why There is a Need for Marketing?
Every year, organizations spend billions
of dollars marketing their services to
customers. Each of these organizations
is promoting its image and the way
customers perceive that image. Internal
audit is similar in that you may not really
know how your customers (stakeholders)
perceive you and your teammates. Chief
Audit Executives may think that they are
the best and have superior capabilities but
does really reflect in the perception key
stakeholders such as senior management
and the audit committee? This is where the
26 INTERNAL AUDITOR - MIDDLE EAST
need for marketing internal audit services
arises. Such marketing needs to challenge
stereotypes about internal audit services
and promote a positive image for the Chief
Audit Executive and his team.
The very word “Service” implies a more
personal interaction between internal
auditors and their stakeholders. Internal
audit services are directly tied to the
auditors themselves, their professionalism,
objectivity and proficiency.
In my opinion, marketing skill is one of
the most important non-technical or soft
skills that internal auditors must possess
as it will help them explore stakeholders’
expectations, create, and deliver value
to satisfy their needs, and manage audit
relationships in ways that also benefit the
organization. Marketing skills also help
internal audit establish and maintain a
strong position within the organization,
optimize outcomes, provide viable
recommendations, promote awareness by
various business units of internal audit’s
consultative role, and encourage audit
clients to bring problems to the audit’s
attention. Audit clients with positive audit
experience would be more likely to ask for
more services.
According to Joel Kramer from MIS
Training Institute1, marketing internal
Audit Management
Similar to the way that
organizations market their
products and services,
internal audit needs to
create awareness among
its stakeholders through
marketing its value added
services.
audit involves “educating stakeholders on
the services we can provide, giving them
examples of how these services recently
have helped the organization, and then
persuading, encouraging or inducing them
to use our services”.
Marketing help in enhancing not only
professional relationships but also most
importantly the personal ties with
stakeholders and hence replacing the image
of the policeman with the image of the
business partner who is there to add value.
How to Market Internal Auditing?
In his blog2, Richard Chambers, CIA, QIAL
(President and CEO of The Institute of
Internal Auditors) encouraged internal
auditors to develop a marketing strategy to
improve awareness of their capabilities. He
wrote: “we needed to develop a deliberate
strategy for improving awareness of our
capabilities – and the value we would deliver
– because changing perceptions isn’t always
easy. In other words, we came to understand
that we needed to do some good old-
fashioned marketing so that clients would
know when to call us in and what
to expect ”.
Audit stakeholders do not think only about
technical quality (how good the audit work
is) but also about the quality of the service
(their overall experience with the auditor).
MARCH 2015
 TO COMMENT on the article,
EMAIL the author at a.nabaa@arabou.edu.kw
In order to deliver a high quality service
that adds value to our audit stakeholders,
we first need to understand the business
“what the organization actually does”,
current and emerging risks, strategy,
objectives, and how the management
is planning to achieve those objectives.
Once the business needs are understood
it is then important to understand
stakeholders’ needs. In other words, should
the internal audit department focus more
on consultancy work or internal audit?
To this end, we need to develop healthy
and long term relationship with all levels
of the business. In addition, we need to
understand their perceptions about the
Internal Audit function and rectify such
perceptions whenever possible or needed.
The internal audit website may be used to
manage expectations of those who may
have distorted perception of the audit
role (frequently asked questions could be
considered).
Audit Feedback Questionnaire is also a
good tool to obtain the client’s view on the
benefits secured from the audit, identify
any communication problems that may
5 Tips to Marketing Internal
Audit Services
According to Richard Chambers, CIA,
QIAL (President and CEO of The Institute
of Internal Auditors)2 the following are
useful ways to market internal audit
services:
1. Hold one-on-one conversations
with key stakeholders: Meet with key
stakeholders regularly. Ask about their
opinion of the internal audit
department. Share with them internal
audit success stories.
2. Develop a professional presentation: can be put on the intranet that in a
Make sure you have professional presentation or brochure. They can
looking presentation that explains
what internal audit does. Use this internal audit messages and can
at kick-off meetings and for orienting include profiles of the team, main
new employees and also new internal audit policies and the internal audit
auditors.
3. Build marketing messages into
periodic reports on internal audit’s
performance: When you report
MARCH 2015
“At the end of the day, we’re not paid by the
audit report or by the audit finding. We’re paid
by how we can make the company better”
Larry Harrington, CIA, QIAL
Chief Audit Executive at Raytheon Co.3
have been experienced by the client, assess
whether the client’s expectations have
been met, and recommend appropriate
adjustments to the marketing strategy and
audit methodologies.
Developing a formal escalation process
to address disagreements with senior
management is another recommended
marketing strategy. Though it rarely will be
used, having such strategy in place would
reinforce internal audit’s desire to listen
and be fair.
Auditors need always to tell their
internal audit story as part of new
employee orientation program, all-hands
meetings, and initial meetings of all audit
engagements. They can showcase their role,
internal audit’s performance to the
CEO or Audit Committee, make be hurt.
sure you highlight your achievements
and possible services that your team
can provide.
4. Develop and distribute an internal
audit brochure: Brochures are a
powerful way to promote internal
audit’s services. This is very useful
when starting an audit or with new
audit areas or new audit clients.
5. Create an intranet site for access
by your company’s executives and
employees: Much more information
ask as a central location for all key
department’s achievements. The
intranet site will need to be
updated periodically.
Audit Management
standing, independence, and contributions
in the organization’s published annual
report.
Conclusion
Making an active effort to promote the
services of the internal audit department
is an important priority for the Chief
Audit Executive and the internal audit
team. The authority given to internal audit
by the audit committee is not enough to
have a lasting and fruitful relationship
with all stakeholders. Marketing internal
audit services will allow the internal
audit department to better influence the
organization and be a positive agent for
change and add more value to governance,
risk management, and control. However,
caution must be exercised when marketing
internal audit services because if you over
promise and don’t deliver, the credibility of
the Chief Audit Executive and his team will
References:
1. http://www.protiviti.com/en-US/
Documents/Featured-Articles/The-Worst-
Practices-for-Marketing-and-Selling-
Internal-Audit.pdf
2. https://iaonline.theiia.org/blogs/
chambers/2014/Pages/Creating-Awareness-
With-Internal-Audit’s-Stakeholders-
Sometimes-It-Takes-Marketing.aspx
3. http://www.kpmg.com/be/en/
issuesandinsights/articlespublications/
risknewsletter/documents/robert-half-white-
paper.pdf
Ala’ Abu Naba’a, MACC, CIA, CRMA is Chief
Audit Executive at the Arab Open University in
Kuwait.
INTERNAL AUDITOR - MIDDLE EAST 27
 BUILDING THE LEADERS
OF TOMORROW, TODAY.

You’re successful, respected, and committed.

What does it take to get to the next level?
The QIAL identifies, assesses, and develops core skills linked to audit leadership success. It caters
to CIAs and CAEs who are already strong performers and have the potential for greater leadership.

Registration is now open. Start your leadership journey TODAY at globaliia.org/QIAL.

141526

www.globaliia.org/QIAL
Risk Management
B Y TA U S E E F A B D U L GH AF FAR E D I T E D BY RAY MO ND HELAYEL
EMERGING RISK
TRENDS IN THE
BANKING SECTOR AND
HOW INTERNAL AUDIT
NEEDS TO REPSOND
Over the past 10 years, the Banking
Industry has experienced a number of
severe shocks. From the global financial
crisis to global austerity to the LIBOR and
FX scandals and the recent oil price slump,
a number of risks have emerged that were
previously not considered important.
Regulators have also added to the pressure
on banks to understand their risks and
implement solutions that help manage
these risks. Internal Audit has not been
immune to this, where these events have
highlighted the need for Internal Auditors
to change the way they think and operate.
EMERGING RISK TRENDS WITHIN
THE BANKING SECTOR
Some of the key risks emerging within the
Banking Sector are:
1. Corporate Governance – tone at
the top
All banks are in the business of making
money. The key is to do so safely and
this mindset needs to come from the top.
Management need to ensure that their
front-line understand the risks involved
and have adequate controls in place to
manage them.
2. Strategies linked to risk appetite/
risk tolerance
The starting point for managing risk as a
business is to evaluate the appetite for risk
and then formulate the business strategy
around it. Any disconnect between the
MARCH 2015
strategy and the risk appetite will result in
the organization pursuing opportunities
that go beyond their risk tolerance levels
and without an appreciation of the risks
that they are taking.
3. Focus on area of expertise
Banks need to understand their products
and their related risks, thereby building
expertise in these products. A simple rule
should be followed: if a transaction is not
in line with your strategy or your area of
expertise, it should not be done, period.
4. Liquidity/Capital adequacy
Banks need to be aware of two things:
the importance of liquidity and the fact
that severe economic shocks can break
down any assumptions around liquidity
by affecting correlations between financial
instruments. In relation to this, regulators
across the world have started introducing
stricter liquidity and capital adequacy
requirements. On their part, banks should
have robust Contingency Funding Plans
in place and should regularly stress test
their liquidity portfolios using severe shock
scenarios.
5. Dangers of gearing and over-leverage
Leverage, whilst having tremendous
potential upside, exacerbates downside
risk. Excessive leverage can potentially have
a negative impact on the capital. Banks,
by their very nature, are highly geared and
hence have a responsibility to ensure that
they do not become over-leveraged.
6. Quality of assets
It is imperative that banks understand the
quality of their asset book and take steps to
ensure that adequate quality is maintained.
A main concern is the over-reliance on
external rating agencies as an indicator of
asset quality. Whilst such ratings may be a
good initial indicator, banks and financial
institutions need to build appropriate
internal rating models to gauge asset
quality.
7. Perils of inadequate risk transference
Banks use a variety of financial instruments
and tools to transfer risk away from them.
Some of these can be complex in structure
and as such may not necessarily work as
expected. Where necessary, banks need to
ensure that risk is adequately transferred
using scenario analysis and stress testing.
8. Understanding models
Banks use various models to help measure
and manage risk. These are usually based
on certain assumptions and; therefore
there is a need to ensure that models are
thoroughly validated and back-tested
before they can be considered reliable.
9. Risk-Based compensation
In an effort to curb excessive risk-taking,
banks have started to introduce the concept
of risk-based compensation. This means
that rewards are now tempered by the
level of risk taken to achieve them. This
INTERNAL AUDITOR - MIDDLE EAST 29
 TO COMMENT on the article,
EMAIL the author at tauseef.ghaffar@nbad.com
ensures that even if the frontline follows
an aggressive profit-generating strategy,
they would not be rewarded if they take on
undue risk.
10. Equitable investment in systems and
enablement resources
Banks tend to invest more in the business-
generating frontline, rather than in systems
and enablement resources supporting
that business. This has resulted in risks
going unmanaged, as certain transactions
for example are being managed through
spreadsheets. Equitable investment in the
governance and support infrastructure
is required to ensure that business is
conducted safely.
HOW SHOULD INTERNAL AUDIT
RESPOND?
So what are the implications for Internal
Audit? As the 3rd line of defense, Internal
Audit needs to upgrade its practices
so that it can meet its dual mandate of
independent assurance to the Board and
value addition to the business. It needs
to be more responsive to its environment
and be closer to the business, in order to
achieve these objectives.
Some of the developments that could
be considered by the Internal Audit
Function are:
1. Robust risk-based planning
The Internal Audit profession has already
adopted a risk-based approach; however,
this needs to be taken further. Banks
operate in a very dynamic environment
and risks need to be constantly reassessed.
This can be done through lessons learned
exercises or on the back of regulatory hot
topics, as well as through constant dialogue
with the business.
2. Partnering/Relationship concept
Internal auditors need to partner and build
relationships with the business in order to
keep abreast of their operations and related
progress. This will enable them better
assess and anticipate potential risks as they
emerge.
30 INTERNAL AUDITOR - MIDDLE EAST
3. Continuous monitoring
Today’s environment is too dynamic to
simply rely on annual audits, and hence
there is a need for employing continuous
monitoring techniques. Internal auditors
should have inquiry access to all systems
used by the business and be able to view
exactly what business managers are
seeing. Access to regular management
information will help keep them abreast of
the developments.
“Internal auditors need to partner and build
relationships with the business in order to keep
a finger on the pulse of the organization.”
4. Exercise of rationality
One question that an internal auditor
should always ask is whether the income
generated by a business or a transaction
is reasonable. The age-old adage applies:
If it is too good to be true, it probably is.
Internal auditors need to adopt a cynical
challenge to identify excessive income
being generated from excessive risk-taking.
5. Up-skilling of auditors
Having only an audit qualification is
no longer enough. If they are to audit
effectively, internal auditors need to receive
the same training as the businesses they
are auditing. Internal Audit management
can enhance the skills of their teams by
having them obtain business qualifications,
or by hiring people with prior industry
experience.
6. Sourcing specialization
Internal Audit management need to
avail other avenues to source specialized
resources. Whilst outsourcing/co-sourcing
is one option, one abundant source of
experience and expertise is the business
itself. Internal Audit can invite business
staff as guest auditors on audit assignments.
This will not only allow the auditors to gain
from the guest’s expertise, but also allows
businesses to have a better understanding
of the work of Internal Audit.
Risk Management
7. Awareness of regulations
The staggering amount of regulatory fines
recently levied on financial institutions
is testament to the fact that businesses
need to keep abreast of regulations.
Regulatory compliance should be at the
foremost of Internal Audit’s agenda.
Conversely, Internal Audit should also
focus on unregulated or under-regulated
areas as they are usually subject to limited
oversight.
CONCLUSION
Recessions and crises provide a very
important opportunity for internal
auditors. They usually highlight the risks
that are often overlooked during economic
growth/expansion periods. It is during
such times that Internal Audit can really
learn lessons that provide valuable insight
into what went wrong, the implications
on the internal audit profession, and how
internal auditors can change or improve
their processes and practice.
Internal Audit can no longer play the same
traditional role. Internal Auditors need
to really understand the risks within the
businesses, partner with them to keep a
finger on the pulse of the organization
so that they are aware of things as they
happen, and better develop their teams’
skills. At the same time, internal audit
needs to resist pressures from management
and ensure that its voice is heard across the
organization. Ultimately, internal audit is
the last line of defense and therefore cannot
afford to be complacent.
TAUSEEF ABDUL GHAFFAR, CFA, FRM, CPA
is the Senior Vice President & Head of Audit
of the Global Wholesale Bank at the National
Bank of Abu Dhabi.
MARCH 2015