
INTERNAL AUDITOR MIDDLE EAST, JUNE 2017, WWW.INTERNALAUDITOR.ME

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

Cover story: The Journey to Excellence in Internal Audit

Also in this issue: Identifying serial offenders using forensics: analyzing digital evidence; IA is the second line of defense in an unstable business environment; Self-service analytics benefits for internal audit


INTERNAL AUDITOR - MIDDLE EAST 01 JUNE 2017

From The President

Dear Readers,

On behalf of the Board of Governors and Executive Committee, our Key Partners and staff of the UAE Internal Auditors Association; let me wish you all Eid Mubarak.

We had a very eventful month of May – the International Audit Awareness Month. The UAE IAA conducted several sessions advocating the internal audit profession. The UAE Internal Auditors Association and the Institute of Chartered Accountants of India held the 3rd joint event in Abu Dhabi titled “Partners in Progress”, which was attended by 400+ delegates. Awareness sessions were also conducted in several universities to introduce the students to the profession of internal audit.

The mega event in this month was the 3rd Internal Audit Government Forum which was held under the Patronage of HH Sheikh Ahmed president of the Dubai Civil Aviation Authority, CEO and chairman of the Emirates Group and chairman of Dubai World in collaboration with the Dubai Aviation City Corporation (GIARA).

The International Conference 2018 is to be held in Dubai and all efforts are being made to ensure that we break all yesteryear records. The UAE IAA invited the members of the IIA Global to visit Dubai for discussions. The fruitful discussions ensured that we are on the right track for a successful conference. All the major items were ticked with roles and responsibilities defined. The end of discussions left both, the UAE IAA and The IIA Global, well-satisfied and confident.

The 4th batch of HASAAD was conducted recently in Abu Dhabi. What was so unique about this batch was the fact that it was the first batch of HASAAD conducted in Arabic. This is an extremely significant achievement for us as it gives us the confidence to tap the government sectors. The HASAAD program is an extremely important program for us as it enables young aspiring UAE Nationals to come into the mainstream of the internal audit profession. I congratulate the graduating students of the 4th HASAAD batch.

Summer holidays are round the corner and you all must have made your holiday plans. I wish you a very joyous holiday and look forward to engaging with you on return.

Regards,

Abdulqader Obaid Ali
President


TeamMate®

Ecosystem for Assurance

Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946

To achieve new heights, finding the right balance of audit tools is essential. Only TeamMate offers an integrated set of solutions that include the industry’s leading audit management system, an innovative controls management system and powerful data analytics.

Audit: TeamMate AM | Controls: TeamMate CM | Analytics: TeamMate Analytics

Learn more at: TeamMateSolutions.com


INTERNAL AUDITOR - MIDDLE EAST 03 JUNE 2017

INTERNAL AUDITOR MIDDLE EAST, JUNE 2017, WWW.INTERNALAUDITOR.ME

CONTENTS (FEATURES AND DEPARTMENTS)

4 Reader Feedback

6 Knowledge Update: Internal Audit’s Critical Role in Cyber-security; Global Technology Audit Guide (GTAG): Understanding and Auditing Big Data; Protiviti Survey on Sarbanes-Oxley Compliance 2017; Mining business insights from the audit: Audit Value Survey by Deloitte; 2017 State of the Internal Audit Profession: Study by PWC. By Vishal Thakkar

8 UAE-IAA Events

10 IT Audit: What are the common mistakes IT auditors make while auditing the logical access area? By Melhem Khoury

12 Risk Management: Are emerging risks really different from conventional risks? By Porus Pavri

16 COVER STORY: The Journey to Excellence in Internal Audit: What is the roadmap to initiating a quality assessment? By Ninad Pradhan

20 Profiling Cyber-Criminals: The four-step process, from the perspective of deductive profiling methods, with which the cyber-criminal profile should be developed. By Fadi Abu Zuhri

22 Adding Value in a Challenging Economic Environment: What are the responsibilities of internal auditors in the current volatile and unstable economic conditions? By Ehab Saif

24 Self-Service Audit Analytics: Transform your approach. How can you transform the way your organization works with data? By Induman Das

27 Fraud Risk: What a fraud response plan should contain. By David Clements

31 Frosting Fundamentals: What are the steps covered as part of the annual internal audit planning process? By Arif Zaman


04 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

Comment on an article entitled “Does the internal audit profession suit me?”

All thanks and appreciation goes out to the colleague and author of the article for putting forward such an important topic. I would like to refer to three of the traits and skills stated in the International Professional Practices Framework (IPPF) issued by The Institute of Internal Auditors, which I consider some of the most important traits and skills that distinguish internal auditors.

Effective Communication Skill: Through this skill, the internal auditor ensures gaining the trust of the client in addition to enhancing communication and adding a positive impact, ensuring the addition of real value through audit assignments.

Critical Thinking: That is achieved by applying professional doubt, applying different tools and techniques to extract data and adopting problem-solving techniques that help the internal auditor solve complex situations and propose solutions that ensure developing the functions being audited.

Improvement and Innovation skills: When the internal auditor has such skills, this ensures his work as a key player of change and continuous improvement which supports the establishment in achieving its objectives by rendering them as part of the change management process within the establishment and adopting change by explaining benefits and encouraging coworkers on the same.

Mahmoud El Bagoury

Chief Internal Auditor for a group of commercial companies operating in the Middle East

GRCA, CPIA, CICA, CERTIA, QIA

Comment on the article written by Mr. Adil Buhariwalla, entitled “Innovate or Deteriorate”

At the beginning, I would like to thank my colleague Adil Buhariwalla for his wonderful article, which gives recent examples of what happened to international companies that did not keep abreast of the developments and changes that have taken place in their industry, as well as valuable information on the definition and quality of innovation, on innovation governance and on the role of auditors in reviewing innovation governance.

In my opinion, internal auditors can play a big role in auditing innovation processes and providing reasonable assurance of their effectiveness to the Board of Directors and other stakeholders, because innovation is an essential element in improving the performance of the establishment and ensuring its sustainability. It is known that sustainability is one of the core responsibilities and priorities of corporate governance.

Innovation creates new opportunities for the establishment and increases its competitiveness, and these opportunities must be managed in the same way as the risks to which the establishment is or may be exposed are managed. Opportunities that cannot be well managed will turn into risks that might have been avoided, noting that “Collapse” sits at the top of these risks as reported in the article. In my opinion, if any competitive advantage is not accompanied by development and innovation, it will not remain an advantage on which the establishment can rely for maintaining its sustainability.

Innovation, renovation and creativity must be a top management priority, and since traditional and old methods are no longer useful, there must be innovative alternatives to develop, maintain and keep the sustainability of the establishment so that it remains an effective competitor in its sector.

Alaa Abunbaba CPA, CIA, CRMA, CICP, MACC

Head of Audit and Institutional Excellence

IFA GROUP - The International Financial Advisors Company (IFA) - Kuwait

Reader Feedback

We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

INTERNAL AUDITOR MIDDLE EAST
JUNE 2017, VOLUME 2017: 2

UAE INTERNAL AUDITORS ASSOCIATION
PRESIDENT: Abdulqader Obaid Ali, CFE, CRMA, QIAL
GENERAL MANAGER: Samia Al Yousuf

EDITOR-IN-CHIEF: Abdulqader Obaid Ali, CFE, CRMA, QIAL
EDITOR: Ghada Abd Elbaky

EDITORIAL ADVISORY COMMITTEE
Ayman Abd El Rahim, MQM, CIA, CCSA, CFE (Lead member)
Asem Al Naser, CPA, CIA, QIAL
Farah Araj, CPA, CIA, CFE, QIAL
Andrew Cox, MBA, MEC, PFIIA, CIA, CISA, CFE, CGAP, MRMIA
Raymond Helayel, CPA, CIA
Meenakshi Razdan, CA, CPA, CIA, CFE
Hossam Samy, CRMA, CFE, CPA, CGA
Nagesh Suryanarayana, MBA, CIA, CCSA
James Tebbs, CA
Vishal Thakkar, ACA, CIA
Gautam Gandhi, ACA, CIA, CISA, CFE

ARABIC REVIEW TEAM
Qais Hamdan, CISA, CISM, PMP (Lead Member)
Khalid M. Alodhaibi, SOCPA
Waleed Sweimeh, CIA
Noora Ayoob
Saif Kaddourah, MBA

CONTACT INFORMATION
MARKETING & SOCIAL MEDIA: Alaa Abu Nabaa, MACC, CIA, CRMA, CPA, [email protected]
& ADMINISTRATION: Yasmine Abd El Aziz, [email protected], Tel: +971 55 351 2335
EDITORIAL: Ghada Abd Elbaky, [email protected], Tel: +971 55 728 5147
DESIGN & PRINTING: Gulf International Advertising & Publishing L.L.C., giadco511@gmail.com, Tel: +971 2 441 2299

GUIDELINES FOR AUTHORS: www.internalauditor.me

REGISTRATION
Internal Auditor - Middle East magazine is licensed by the National Media Council of the United Arab Emirates (License Number 244).

Internal Auditor - Middle East is published quarterly by the UAE Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor, API Trio Tower, Dubai, United Arab Emirates

DISCLAIMERS
Internal Auditor - Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party. The views expressed in Internal Auditor - Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers. Internal Auditor - Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.

[Reproduced cover of the March 2017 issue of Internal Auditor Middle East (www.internalauditor.me), Insights on Governance, Risk Management and Control. Cover story: Innovate or Deteriorate. Also: Steps helping in recognizing the added value; International Standards for the Professional Practice of Internal Auditing new updates; Internal Audit responsibilities to tackle important business issues and risks; The importance of focusing on the organization’s “Innovation Governance”.]

06 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

Knowledge Update

BY VISHAL THAKKAR

Global Technology Audit Guide (GTAG): Understanding and Auditing Big Data

Big data is both a growing risk and a growing resource for internal auditors. This prompted the IIA to offer guidance to help auditors address it and leverage it.

The IIA’s guide provides an overview of big data to help internal auditors who may be responsible both for using it and for assessing the risks associated with it. The guide covers the following: the value of big data, its components, strategies, implementation considerations, data governance, consumption and reporting, as well as the associated risks. The guide also explains what the IIA regards as internal auditors’ roles and responsibilities when they need to perform big data related advisory or assurance procedures. As per the guide, this begins with considering the role of big data in the organization as part of the risk assessment and audit planning processes. Auditors generally plan to address big data risk in the multiple audits where it arises, instead of in a single audit looking at all big data risks. Auditors should plan to look at process and technology controls, focusing on how the data is consumed and acted upon in the organization.

The risks associated with big data that justify internal audit’s attention are numerous and complex, such as poor data quality, inadequate technology, insufficient security and immature data governance practices within the organization. The auditor should reach out to the company’s Chief Information Officer to understand the risks associated with collecting, storing, analyzing and securing big data. The guide also gives internal auditors some advice on using the data as an audit tool, beyond auditing the data or the big data effort itself. The company may have already acquired, consolidated and integrated the data, enabling internal audit to realize efficiencies.

https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Understanding-and-Auditing-Big-Data.aspx

Internal Audit’s Critical Role in Cyber-security

Organizations monitor cyber-security practices, policies and plans on an ongoing basis, and internal audit can play a crucial role here. When cyber-security plans are created, organizations should ask internal audit to do what it is best suited for: test the effectiveness and efficiency of controls and protocols and, based on the testing results, provide the board and management with assurance about these protective mechanisms. Internal audit should focus on the following four areas related to cyber-security:

1. Provide assurance over readiness and response

2. Communicate the level of risk to the organization, and the efforts to address such risks, to the board and executive management

3. Work in coordination with IT and other related parties to build effective defenses and responses

4. Ensure communication and coordination

In spite of its complexity and the alarming challenge it poses, effective cyber-security can be achieved by most organizations. By using the “Four Rs” – resist, react, recover, and re-evaluate – organizations can build cyber-resilience plans that are effective.

http://www.accountingweb.com/aa/auditing/internal-audits-critical-role-in-cybersecurity


INTERNAL AUDITOR - MIDDLE EAST 07 JUNE 2017

Knowledge Update

2017 State of the Internal Audit Profession: Study by PWC

The share of stakeholders reporting that Internal Audit adds significant value dropped from 54% in 2016 to only 44% in 2017, reaching its lowest level in five years.

48% of stakeholders (nearly half) want Internal Audit to be trusted advisors to the business.

Top five disruptions: responses by CAEs and their stakeholders (infographic figures shown on the page: 58%, 44%, 37%, 36%, 34%).

https://www.pwc.com/us/en/risk-assurance/sotp/2017-state-of-the-internal-audit-profession-report.pdf

Protiviti Survey on Sarbanes-Oxley Compliance 2017

The Sarbanes-Oxley Act (SOX) became law almost 15 years ago, and while many organizations have advanced in complying with its requirements, the compliance process is not only dynamic but also a matter of continuous interest. CAEs, CFOs and other finance and internal audit professionals keenly look for benchmarking data on costs, hours, control counts, etc., as they determine how and where to rationalize compliance activities while addressing frequent regulatory and market changes.

Key findings of the survey are as follows:

Compliance costs appear to be trending down, but not for all: SOX compliance costs show some decrease compared to last year’s survey results for some companies. This could be due to these organizations completing their work to implement the updated COSO Internal Control — Integrated Framework. However, costs are still on the rise for many companies, as the percentage of those annually spending $2 million or more increased compared to last year.

Hours continue to go up: Time spent on SOX compliance has increased for most organizations compared to last year.

Increased use of outside resources: Considerably more organizations are relying on outside providers for SOX compliance activities, on either an outsourced or a co-sourced basis.

Control counts have gone up: Compared to prior year results, there is an increase in the percentage of entity-level controls classified as key controls.

Revenue recognition, cyber security and the PCAOB are influencing forces: SOX compliance efforts continue to be shaped by new and emerging influences, from the new revenue recognition standard and cyber security concerns to the PCAOB’s inspection reports on external auditors and the resulting effects on audits of internal control over financial reporting.

SOX work continues to be viewed as having a positive effect: Overall, three out of four organizations reported that their internal control over financial reporting structure has improved since they started complying with SOX.

https://www.protiviti.com/US-en/insights/sox-compliance-survey

Mining business insights from the audit: Audit Value Survey by Deloitte

Notwithstanding the valuable perspective a financial statement audit provides, one out of three companies fails to fully use the information. The survey results reveal that the audit has the potential to provide insights, identify inefficiencies or risks and help inform best practices for companies. Still, auditors and their clients are missing out on what financial statement audits can accomplish in more depth. 45 percent of C-suite executives and 48 percent of audit committee members don’t have processes in place to make better use of audit findings. According to 79 percent of C-suite executives and 94 percent of audit committee members, increased transparency of financial statement audits would improve the performance of the company. About the same percentage stated that financial statement audits reveal what their companies could do differently or better.

Executives who participated in the survey stated that they want audits to go even further. They want audits to provide a wider range of strategic and operational insights that go beyond financial reporting. At the forefront: information about spending patterns, assessment of how effective the company’s business processes are, and recommendations for improving operations.

https://www2.deloitte.com/us/en/pages/audit/articles/audit-value-survey.html

Top five disruptions named in the PWC study infographic: New regulations; Changes in business model or strategy; Cyber-security and privacy threats; Financial challenges; Technological challenges.

08 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

UAE-IAA Events

By Samia Al Yousuf

The Eighteenth Annual Regional Conference - Abu Dhabi

UAE IAA held its 18th Annual Regional Conference at Jumeirah Etihad Towers, Abu Dhabi from April 18 - 20, 2017. The 2-day conference is the largest “Smart” meeting and a premier Internal Audit event in the MENA region, and was attended by over 700 participants consisting of heads of organizations, experts and professionals from internal auditing and various other industries from the GCC countries and beyond. The conference was under the patronage of His Excellency Sheikh Nahayan Mabarak Al Nahayan, UAE Minister of Culture and Knowledge Development, who stated that the UAE Internal Auditors Association is playing a key role in facilitating the education of internal auditors in our country by offering invaluable training and education to its almost 2,000 members and working effectively to increase the number of Emirati auditors. At the conference, Sheikh Nahyan honored the keynote speaker Mr. Mohamed Jameel Al Ramahi, CEO of Masdar, and Mr. Hassan Al Mulla, President of IIA Qatar, with the Lifetime Achievement Awards.

UAE-IAA Events

INTERNAL AUDITOR - MIDDLE EAST 09 JUNE 2017

UAE IAA celebrating the International Internal Audit Awareness Month May 2017

UAE IAA is advocating the internal audit profession through several sessions during May, which is considered the internal audit awareness month:

• The 3rd Joint Professional Development Seminar in collaboration with ICAI – Abu Dhabi Chapter was held in Abu Dhabi on 3rd May.

• The 1st Joint sub-groups event between the Construction, Media and Hospitality Sub-groups was held in Dubai on May 8th.

• On 15th May an internal audit awareness session at Khalifa University, in collaboration with the Petroleum Institute, was held in Abu Dhabi.

• An awareness session at the New York Institute of Technology was held in Abu Dhabi on May 22nd.

• UAE IAA held the second joint sub-groups event between the IT, Fraud and Governance Sub-groups in Dubai on May 24th.

UAE IAA and Dubai Aviation City Corporation (GIARA) held the 3rd Internal Audit Government Forum 2017

UAE IAA held the 3rd Internal Audit Government Forum in collaboration with Dubai Aviation City Corporation on 17th May 2017 at the Palazzo Versace Hotel, with the theme “Be a Leader in your Profession”. The forum was under the patronage of His Highness Sheikh Ahmed Bin Saeed Al Maktoum, the Chairman of Dubai Aviation City Corporation.

UAE IAA hosted COSO new certificate training for the first time in the region

UAE IAA had a very successful session on the new COSO internal control certificate training. The new certificate, issued by the AICPA and supported by the IIA, grabbed the attention of many internal auditors in the region, and Mr. Mike Fussily, the course trainer, added a lot of value to the course with his experience. A second round of the course will be run in October 2017.

10 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

IT Risk Assessment

By Melhim Khoury Nicolas

The devil lies in the details: IT risk assessment and IT risk management, what detail differentiates them? With the growth in the need for information security and risk management, the terms IT risk assessment and IT risk management can be confusing to many executives dealing with risk-based audits and compliance in the organization.

The Committee of Sponsoring Organizations (COSO) published its Enterprise Risk Management Framework in 2004. This was an influential move towards focusing efforts on internal controls and prioritizing review tasks when auditing internal controls. Based on the COSO framework, IT risk assessment evolved to support the building of the IT audit project plan. Further, financial auditors became more dependent on the outcome of risk-based IT audits to substantiate their audit scope.

IT risk assessment is a component of the IT audit process. Regardless of the framework and methodology used, it focuses on identifying technical risks in a technology-dependent environment. This entails identifying a risk, such as a denial of service attack, and quantifying the probability of the risk happening.

The best method to arrive at an acceptable risk value is to apply the following equation:

Risk = Asset x Vulnerability x Threat

Table 1: Sample Scales

Measure                    Risk       Asset             Vulnerability     Threat
Scale (quantitative)       1 to 5     10 to 100         1 to 10           10 to 50
Description (qualitative)  a. High    a. Critical       a. Disastrous     a. Severe
                           b. Medium  b. Significant    b. Passive        b. Elevated
                           c. Low     c. Insignificant  c. Trivial        c. Negligible

INTERNAL AUDITOR - MIDDLE EAST 11 JUNE 2017

To comment on the article, email the author at [email protected]

Assets are given coefficient values based on a certain range. Any quantitative range used can be qualitatively mapped to the ranges of the other factors. The objective is to arrive at a risk rating mapped to a tolerance scale, usually High, Medium and Low. Although the usual practice is to use the same scale for every factor, Table 1 illustrates an example of the different options that can be used as different scales.

IT risk assessment is part of IT risk management, which also entails a treatment plan. In IT risk assessment, the treatment options are unnecessary. The High, Medium and Low values are used as input for other tools, mainly the IT audit plan. IT auditors benefit from the IT risk assessment in many ways: an understanding of the IT set-up, an overview of the structure of the IT, and a snapshot of the risk areas of the IT. For these reasons, IT risk assessment should be a prelude to audits and other review initiatives of the IT environment.

IT risk assessment methodology changes for different environments and different industries, but the core objective is to identify areas, with certain risk values, where an intensive review should be conducted. For a bank, for example, major risks lie in operations, and for a retailer in POS. In that view, industry should also be a factor in building the risk universe (the set of applicable risks), which helps in building an overall understanding of business operations when planning for risk-based IT audits.

Most conspicuously, IT risk assessment is a prerequisite to IT audit, mainly to reduce the audit effort where risk is low and to substantiate audit procedures where risk is high. While it is unnecessary to implement treatment options for the identified risks, IT risk assessment benefits auditors and reviewers in many ways essential to the understanding of the IT environment.

An industry model is beneficial in aiding the contemplation of the risks associated with a specific set-up in a specific industry. This is done using methods such as brainstorming, which is a very effective technique when following Osborn’s method. In another sense, IT risks are not fixed in a stateless condition waiting to be identified. IT risks are variable in nature and comprise vulnerabilities and associated threats. Identifying risks is a direct exercise when auditors consider the above equation.

The values of identified risks are called inherent risk scores, and they represent the risks as naturally produced by the initial risk identification process. Inherent risks have associated controls that are applied in a reactive manner to the underlying asset. Examples are password protection on a server, a lock on a network switch, or a review of a certain log. Controls can then be categorized as detective or preventive. As much as preventive controls are preferable, they are expensive to implement. When going through another round of the risk assessment exercise and considering existing control measures, we produce a list of residual risks. Essentially, residual risks are the main factors in building a risk treatment plan or, in our initiative, in understanding the IT environment, in provisioning for IT audits, and in planning review initiatives.

IT risk assessment is the result of [IT risk management] less [IT risk treatment options].

It is used to prioritize the review areas of the IT environment. Below is an example of how a review can be executed based on the IT risk assessment output. For a complete review, auditors have to examine the details of the process in a substantial manner. For a selected targeted review, auditors have to examine a targeted sample (60% or 70%) of the details of the process. For a random selection review, auditors have to examine a random sample (30% to 40%) of the details of the process.

Finally, the IT audit plan needs to align with the overall internal audit plan. In principle, IT audit is part of the internal audit operations. The IT audit output feeds into the internal audit plan and provides input to the internal audit planning process, in which the internal audit head plans for the IT audits. Whether audits are performed based on risk assessment or not, IT risk assessment remains a necessity to pave the way for IT auditors to perform their jobs. In an environment where risk assessment is conducted for all operations, IT risk assessment will align with the overall risk assessment plan to create visibility of the business operational and IT risks.

By Melhim Khoury Nicolas, Technology Consultant, MBA

Table 1: Sample Quarterly IT Audit Plan (January, February, March)

IT Operations - High Risk (complete review)
Email and Storage - Medium Risk (selected targeted review)
Connectivity, remote access, and internet - Low Risk (random selection review)
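The scoring the article describes (Risk = Asset x Vulnerability x Threat over the Table 1 scales, mapped to a High/Medium/Low rating and from there to the review type and sample size given above), worked through as an added Python example. This is not code from the article or its author: the way each factor is mapped onto its three qualitative levels (splitting its range into thirds), the thresholds that map the level product onto the 1 to 5 risk scale and onto High/Medium/Low, and the sample area values are all assumptions made for the illustration.

```python
"""Added example: inherent-risk scoring and review planning on the article's scales.
All level boundaries, thresholds and sample values are assumptions, not the author's."""

# Quantitative ranges from Table 1 (Asset 10-100, Vulnerability 1-10, Threat 10-50).
RANGES = {"asset": (10, 100), "vulnerability": (1, 10), "threat": (10, 50)}

# Qualitative labels from Table 1, ordered from least to most serious (c, b, a).
LABELS = {
    "asset": ("Insignificant", "Significant", "Critical"),
    "vulnerability": ("Trivial", "Passive", "Disastrous"),
    "threat": ("Negligible", "Elevated", "Severe"),
}

# Review type and sample size the article attaches to each rating.
REVIEW = {
    "High": ("complete review", "100%"),
    "Medium": ("selected targeted review", "60-70% sample"),
    "Low": ("random selection review", "30-40% sample"),
}


def level(factor: str, value: float) -> int:
    """Map a raw factor value onto level 1..3 by splitting its range into thirds (assumption).
    Values outside the Table 1 scale are rejected rather than silently clamped."""
    lo, hi = RANGES[factor]
    if not lo <= value <= hi:
        raise ValueError(f"{factor} value {value} is outside its scale {lo}-{hi}")
    third = (hi - lo) / 3
    if value <= lo + third:
        return 1
    if value <= lo + 2 * third:
        return 2
    return 3


def qualitative(factor: str, value: float) -> str:
    """Qualitative description of a factor value, per Table 1."""
    return LABELS[factor][level(factor, value) - 1]


def risk_score(asset: float, vulnerability: float, threat: float) -> int:
    """Risk = Asset x Vulnerability x Threat, computed on the level scale (product 1..27)
    and mapped onto the 1..5 risk scale with assumed thresholds."""
    product = level("asset", asset) * level("vulnerability", vulnerability) * level("threat", threat)
    for score, floor in ((5, 18), (4, 9), (3, 4), (2, 2)):
        if product >= floor:
            return score
    return 1


def rating(score: int) -> str:
    """Map the 1..5 risk score onto the High/Medium/Low tolerance scale (assumed cut-offs)."""
    if score >= 4:
        return "High"
    if score == 3:
        return "Medium"
    return "Low"


def build_audit_plan(areas):
    """Score each review area (inherent risk, no controls considered yet) and order the
    plan by descending score so the riskiest areas are reviewed first."""
    plan = []
    for name, asset, vulnerability, threat in areas:
        score = risk_score(asset, vulnerability, threat)
        rated = rating(score)
        review, sample = REVIEW[rated]
        plan.append({"area": name, "score": score, "rating": rated,
                     "review": review, "sample": sample})
    plan.sort(key=lambda row: row["score"], reverse=True)
    return plan


# Constructed sample review areas: names follow the article's quarterly plan, values are invented.
SAMPLE_AREAS = [
    ("Connectivity, remote access, and internet", 20, 2, 12),
    ("IT Operations", 95, 8, 45),
    ("Email and Storage", 60, 5, 25),
]

if __name__ == "__main__":
    for row in build_audit_plan(SAMPLE_AREAS):
        print(f"{row['area']}: score {row['score']} ({row['rating']}) -> {row['review']}, {row['sample']}")
```

Because the three factors use different numeric ranges, multiplying the raw values directly would let the Asset scale (10 to 100) dominate; mapping each factor to its qualitative level first is one way to honour the article's point that any quantitative range can be mapped onto the others before the product is taken.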


12 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

Are You Managing YourEmerging Risks?

By Porus Pavr i

The world is becoming an increasingly riskier place for organizations of all types and sizes – whether in the private or public sectors. Environments, 100-year old busi-ness models, social and political dynamics are being disrupted everywhere. A quick look at some of the more recent corporate disasters bears testimony to this.

And then, what about the Titanic (1912), Chernobyl (1986), Toyota (2010), Nokia (2013), GM (2014), Yahoo (2016)?

Was there something common that was missing in all these systems, which led to these infamous catastrophes?

Yes, you guessed it right! They were NOT managing the warning signs, the danger signals on their horizons, owing to the absence of a reliable and effective (i) Framework and (ii) System for managing Emerging Risks.

A Definition of Emerging Risk: Emerging Risk can be defined as a newly developing or changing risk that is extremely difficult to quantify, but nevertheless could have a major impact on the achievement of your organization’s objectives.

Catastrophe (& Estimated Cost) | Why? Because they did not foresee / understand / communicate…

2008 Global Financial Crisis (trillions of dollars) | ...the gigantic risks inherent in the complex financial products that were created, rated and regulated by the global financial institutions, ratings agencies and regulators!

2010 Deepwater Horizon blow-out ($60bn) | …the risks lurking under a culture of complacency and information withholding, within a hugely complex operation!

2011 Fukushima nuclear reactor meltdown ($188bn) | …the possibility of a tsunami in its disaster preparedness scenarios – because the last tsunami occurred over a 1000 years ago!

2012 Kodak bankruptcy | …the fatal risks to their business model emerging slowly but surely from the digital camera revolution!

2015 Volkswagen Emissions scandal ($40bn) | …the risks brewing internally from a closed, dictatorial culture, and a top-down “win-at-any-cost” mindset driven by the Chairman of the Board!

Risk Management

Are Emerging Risks really different from Conventional Risks? If so, in what way?

All risks by definition arise from uncertainty. When a Risk Manager creates a Risk Profile, a conventional risk has several dimensions of uncertainty, such as (1) likelihood, (2) frequency, (3) timing, (4) impact, (5) velocity as in the speed at which the risk could manifest itself, (6) vulnerability/readiness as in how prepared your organization is to respond to the risk, and (7) duration of impact.

Now, an Emerging Risk has the exact same dimensions of uncertainty, BUT you could say that the degree of uncertainty is multiplied by a factor of say 10 or even 100 – this is the basic difference in a nutshell!

Some implications of this are:

i) a risk which is emerging today may become a conventional risk after a period of time, as we get more and more knowledge about its risk profile through research, analysis, etc., and as the uncertainty around the above 7 dimensions diminishes.

ii) what might be a current risk for Organization A may still be an emerging risk for Organization B.

Contributing Circumstances

What are the broad categories of circumstances which give rise to Emerging Risks?

Once you understand these ‘contributing circumstances’, you will look for these circumstances on your entity’s horizon, helping you identify your emerging risks better!

Here’s a short list to set you thinking:

1: Complex systems

2: Closely interconnected system components

3: Changing social, economic or political dynamics

4: Untested technological advances

5: Inadequate multi-directional communication

6: Perverse incentives

I would strongly recommend all risk and internal audit professionals reading this article to visit www.irgc.org to gain a better understanding of the above, and more, factors.

Governance Framework

Having gained a high level understanding of the definition of Emerging Risk and the Contributing Circumstances, let us now turn our attention to what constitutes the Governance Framework for managing your Emerging Risks.

The Governance Framework comprises 3 layers:

1. Strategy & Roles

2. Culture

3. Training

1. The “Strategy & Roles” layer requires the Board and senior management to:

(a) formulate and embed the Emerging Risk strategy into the overall organizational strategy

(b) clarify the roles and responsibilities of the various actors in the management of Emerging Risks – the Board, Senior Management, Risk Managers, Line Managers, Internal and External Auditors, and Regulatory Authorities. But, the most important role in the Governance Framework is that of the Emerging Risk Coordinator, who acts like the glue that binds the various interested parties together. His overarching aim is to ensure that emerging risks and opportunities are handled effectively and efficiently to help the organization achieve its objectives.

2. The “Culture” layer requires the Board and senior management to establish a strong mindset at all levels of the entity to deal with emerging risks and opportunities by:

(a) establishing explicit incentives that encourage horizon scanning

(b) removing any perverse incentives that discourage horizon scanning

(c) encouraging the bottom-up flow of contrarian views that challenge the status quo, the reporting of unusual events, the avoidance of “group think”

3. The “Training” layer requires the Board and senior management to establish training programs that teach staff and executives at all levels on how to:

(a) undertake horizon scanning

(b) communicate clearly about potential emerging risks

(c) work in teams to improve understanding of, and response to, emerging risks

The 5-step Emerging Risk Identification & Management System

And finally, let us introduce the iterative system that functions within the Governance Framework, and which will help you identify and manage your Emerging Risks and Opportunities.

STEP 1 – Early Warnings:

• DETECT signals on the horizon and EXPLORE possible future situations that may represent an Emerging Risk in the short & medium term

• CREATE A RISK PROFILE of these signals and situations

• FILTER & PRIORITIZE the list of Early Warnings to carry forward into Step 2

• Regularly update the above filtered list

STEP 2 – Scenarios

• DEVELOP a comprehensive set of scenarios for each Early Warning coming from Step 1, including those Scenarios relating to “low-probability-catastrophic impact” events (“Black-Swan” events)

• Regularly update the above scenarios


STEP 3 – Decisions

• DECIDE which Scenarios to follow through for managing the related Emerging Risk – based on which scenarios have the highest impact on the achievement of the entity’s objectives, if left unmanaged

• IDENTIFY & EVALUATE possible risk management options [Refer Note below] for each Scenario relating to a given emerging risk

• IDENTIFY Windows of Opportunity during which the risk management option can be applied, Failure Thresholds after which it will be impossible to effectively manage the emerging risk, and Acceptability Thresholds below which it will not be necessary to manage the emerging risk

STEP 4 – Implementation

• Establish internal and external communication channels

• Allocate resources

• Clearly define roles, responsibilities and incentives

• Ensure adequate authority in line with responsibility for implementation

STEP 5 – Monitoring

• Monitor how emerging risks and opportunities are unfolding

• Review relevance and performance of decisions made and options chosen

• Update the risk management options

• Involve external experts to assess how the process is doing

Conclusion

Globally, stakeholders are pressurizing boards and managements to enhance their organisations’ ability to look into the future, to pick up signs of trouble and address them BEFORE they manifest themselves in the form of events. If you, as a Risk or Audit professional, do not want a “Titanic” moment on your CV, I strongly recommend you stir your organization out of its slumber, and kick-start the establishment of a framework and a system for managing your Emerging Risks!

PORUS PAVRI, CRMA, CIA, CA is the Founder & CEO of Logoss Management Consultants International in Dubai.

Note: Scenarios under Emerging Risks vs Conventional Risks

In Conventional Risk Management, only those Scenarios which are considered probable today, and have a probability attached to them, preferably based on past experience, are used in the Risk Analysis. We do not consider events that might occur based on possible, though not probable, scenarios! For instance, risk analysis of non-nuclear infrastructure does not normally consider the probability of a plane crashing into the infrastructure.

On the other hand, Scenario building for Emerging Risks Management considers all risk events that might happen in future AND all possible combinations of risk events, EVEN IF no reliable probability estimates are available.

Let’s say, in a piping system in a factory, 50% of the pipes are more than 10 years old, and the rest are between 0-10 years old. Up until now, no problems have been detected in the new pipes.

However, after reading an article in the IIA UAE magazine about Emerging Risks, the Risk Manager and the Factory Manager, in consultation with the Maintenance Manager and the ERC (Emerging Risk Coordinator), find that, in the summer months, owing to excessive heat in the rear of the factory, all pipes experience a certain degree of expansion. If the temperature climbs even 1º beyond NNº, the stress in the piping system could cause multiple domino-style ruptures throughout the piping system in the factory, with consequent chemical spillage, a major explosion if the inflammable storage tanks in the factory compound were caught in the midst of the spill, severe damage to the office building in the adjacent plot, along with loss of life and property. This risk has never materialized in the past, and there is no available probability distribution for this risk event.

The Risk Manager and the Factory Manager however realize how negligent they have been till now, by not considering such scenarios in their earlier risk assessments, and have vowed to carry on the good work in all their risk assessments from now on.

Note: Risk Management Options

1. Act on the Contributing Circumstances, try to influence them in order to mitigate the emerging risk

2. Avoid the emerging risk totally

3. Reduce (i) your organisation’s exposure to the emerging risk, by reducing the exposed assets, businesses or processes, or (ii) your organisation’s vulnerability by developing resilience. Resilience is defined as the ability to withstand shocks and return to normal operations in reasonable time.

4. Raise your organisation’s risk tolerance limits in line with its higher risk appetite, by setting aside more funds to cover potential losses, or by transferring part of the risk to a third party.

5. Choose to do nothing


There are organizations and then there are “world-class” organizations. Similarly, there are Internal Audit (IA) departments and then there are “world-class” IA departments. It is not a given that world-class organizations will have all their departments in that category, although the chances are significantly higher. There are several parameters which can be judged to ascertain whether the IA activity falls in that category. A few that come to immediate attention are:

• Empowerment

• Independence

• Objectivity

• Pro-activeness

• Use of Computer Assisted Auditing Techniques

• Employee motivation and retention

• Clear understanding of organization risks

These are taken from none other than the International Professional Practices Framework (IPPF) – The Standards.

Whilst the implementation of the Standards is not mandatory, they are considered sacrosanct, and compliance with the IPPF is the ultimate goal of almost every IA department. There are several IA departments who demonstrate compliance with many ‘individual’ parts of the Standards, but fail to demonstrate complete compliance when it comes to Standard 1300 – Quality Assurance and Improvement Program (QAIP).

And it is not the difficulty which is the bottleneck. In many cases, it is typically the lack of understanding of Standard 1300 and its expected benefits and value addition to the IA department and the organization. This article aims to dispel that misunderstanding.

Quality is a word which is perhaps difficult to define, as it may take on different connotations under different circumstances. In the words of Aristotle, “Quality is not an act, it is a habit”, whilst management guru Peter Drucker says “Quality is what the customer gets and is willing to pay for”. In the context of internal audit, it can be defined as “the responsibility on the shoulders of the Chief Audit Executive (CAE) to fulfil the needs and expectations of the stakeholders, whilst complying with their own professional ethics through conformance to the Standards.”

Quality Assurance

BY: NINAD PRADHAN

The Journey to Excellence in Internal Audit

Compliance and conformance alone fail to leverage the power of a Quality Assessment.

Quality Assurance and Improvement Program (QAIP)

The QAIP has 2 elements which need to be collectively addressed to conform to Standards 1300.

1. Internal Assessment; and

2. External Assessment

Many IA departments demonstrate adherence to the IA plan and department budget as their KPIs. However, internal assessment also requires ongoing assessments to be performed, which can include work-paper review, staff performance evaluation, auditee satisfaction surveys, monitoring of KPIs, actual vs. budget, etc. IA departments are also required to perform periodic self-assessments. (Note: this is not an exhaustive list.)

External assessments must be conducted once every 5 years by a qualified and independent assessor from outside the organization and reported to the Audit Committee (AC). This is one point many IA departments overlook, especially those in large conglomerates. Whilst there are no defined qualifications which an assessor should have, they should largely demonstrate competency in two areas: the understanding of the IPPF and the external assessment process.

The Roadmap to Initiating a Quality Assessment

The UAE Internal Auditors Association (UAE IAA) ensures that its assessors have undergone the QA course offered by the IIA and have a certain minimum experience, without which they are not considered for the engagements. The UAE IAA adopts the IIA’s proven and documented methodology – The Quality Assessment Manual.

A QA can be called for by either the Chairperson of the AC or the CAE. There are no statistics, but experience has shown that when the AC calls for the QA, there is usually some lack of trust or of deliverables between them and the CAE, and such assessments end up on the “not favorable” side of the assessment scale, as against when the CAE calls for the assessment. CAEs may well wish to consider this point, “stick their neck out” and call for a QA on their department – of course with adequate preparation and planning, as the outcome of the assessment requires to be communicated to the Board/AC.

A quality assessment, or QA, evaluates the compliance with the Standards, the definition of internal auditing, the Code of Ethics, the internal audit & audit committee charters, the organization’s governance, risk and control assessment and the use of successful practices.

So who audits the auditors? When an IA department undergoes a QA, it can proudly say that it too has been assessed. The rating mechanism of a QA is one of “Generally Conforms”, “Partially Conforms” or “Does Not Conform”.

QA scope

Typically, a QA scope covers

• Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements

• The expectations of the IA as expressed by the board, executive management and operational management

• The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process

• Tools and techniques

• Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement

• Determination that the internal audit activity adds value and improves the organization’s operations

It allows IA departments to delve into the minds of their stakeholders and gauge their level of trust in the IA department and its functioning. The independent nature of the external assessor also provides an opportunity to ask certain questions which can be used for further probing to provide further value-added service. The CAE gets a holistic picture of what is happening around him/her without ruffling too many feathers; the QA assessors take care of those uncomfortable questions.

Think for a minute how many times the phone rings for a CAE, or an email arrives with a request – sometimes an urgent one – for help in either a certain review or in some investigation. The number of consulting activities can be an indicator of how much of a value-added resource the IA department is considered to be by the organization’s management. As the level of such engagements rises, the perceived value that the IA department adds rises in proportion. As they say – a voice but no vote at the management table.

Benefits of a QA

CBOK surveys have revealed that the top 5 reasons for investing in a QAIP are

1. Identifying areas for improvement

2. Full conformance to the Standards

3. Bring systematic, disciplined approach

4. Increase credibility within the organization

5. Anticipate, meet and/or exceed stakeholder’s expectations

Further, the survey concludes that, when compared to other internal audit departments, those that conform to the quality standards: 

• Were more likely to have complete and unrestricted access to information as appropriate for the performance of audit activities

• Made more use of technology in internal audit processes

• Used a wider variety of resources to develop audit plans

• Were more likely to have documented procedures in an internal audit manual 

• Received more hours of training and were more likely to have formalised training programmes

• Served organisations with more highly developed risk management processes

• Were more likely to report that funding for the internal audit function was “completely sufficient”.

Conducting a Quality Assessment exercise offers the internal audit activity several benefits.

1. It offers an opportunity to be benchmarked against other IA departments. The Global Audit Information Network (GAIN) is also a good tool to use.

2. The conducting of the QA is in itself adherence to full conformance with The Standards. This permits the IA activity (if the assessment results permit so) to insert the statement “This audit is conducted in conformance with ………..” within its audit report, and it can also state that the department itself conforms with the requirements of the IPPF.

3. This lends credibility to the IA activity and increases the perceived value of the activity within the organization.

4. The typical question of “Who audits the auditors?” also gets answered. The IA activity being subjected to the assessment which is conducted by independent assessors lends credibility to its activities.

5. QAs also give an opportunity to meet or exceed stakeholder expectations as a result of the interviews and surveys which are conducted independently. The Chief Audit Executive (CAE) is able to lay emphasis on the expectations spelt out.

6. The CAE can use this opportunity to lay emphasis and focus on the IPPF and raise the awareness of The Standard amongst the management.

7. Overall, the reputation of the organization is enhanced. This is because nothing and no one in that organization is immune from audit. It is a sign of a mature organization which is willing to learn and improve.

How to be Successful in a QA?

QAs require tremendous commitment from each and every staff of the IA department. It calls for commitment to quality (Mission/Vision/Values/Goals/Objectives/KPIs), drafting of policies and procedures, demonstrating continual improvement, monitoring and reviewing mechanisms and their subsequent reporting to the Board/AC – as a minimum. Conducting periodic internal assessment, plugging the identified gaps, and a formal documentation of the QAIP is a large step forward.

Conclusion: The Next Steps?

It is quite certain that the benefits of a Quality Assessment far outweigh those of not going for it. But this also calls for good preparation at all levels within the department hierarchy. To begin, it is important to have a project leader who understands the QA process. Attending a training session for a QA course will also prove beneficial.

The QA cannot be done in isolation from the audit committee, and hence it is imperative to apprise them of the exercise and the credentials of the team engaged to conduct it. Having the audit committee on board is vital.

Historical data is proof that when a QA is called by the CAE, the chances of a successful QA are significantly higher than when called for by an audit committee. So, prepare well, and go for it. Do not wait for your audit committee to instruct you on this one.

Quote 1

“Thanks to the IAA UAE Team for the great efforts exerted during the quality assurance review done for our department. The Audit team was very professional, systematic and helped us towards further improving our quality performance, professionalism and use of best practices. It was a great experience indeed!!”

Tamer Said Ali, Deputy Chief Internal Auditor, Obeikan Investment Group

Quote 2

“Let me express my appreciation for the excellent work done during the quality assessment review you’ve recently completed for our internal audit department. It was a fruitful exercise and we welcome the improvement opportunities highlighted to enhance the quality and performance of the department. I assure you that your value-added recommendations will be acted upon fully and promptly. May I also take this opportunity to thank you and your team for the professional approach and courtesy displayed by the team.”

Beelall Ramdianee, Vice President – Internal Audit, Dubai International Financial Centre

NINAD PRADHAN, CRMA, MBA, PGDC-SM, BSc, Senior Consultant & Trainer at UAE IAA


Profiling cyber-criminals

BY: FADI ABU ZUHRI EDITED BY: ANDREW COX

Since the Middle Ages, the definition of crime has been limited to types of crimes committed in the physical world. In the same way, theories aimed at explaining crime, including the Conflict Theory, the Theory of Social Control, and others, have defined crime within the confines of the physical world. Strategies aimed at dealing with criminal activities have been limited in their scope by defining crime within the context of the physical world. However, the growth of information systems, ICT, mass media, and increased interconnectivity, facilitated by the internet, has revealed a new and unique form of crime: the digital world crime. These types of crimes present several challenges including legal, geographic, and web barriers, as well as the anonymity of the internet. The environment in which these crimes occur also poses a challenge to crime specialists. These challenges have created the need to identify and modify techniques used to combat crime committed in the physical world, such as criminal profiling, with a view to making them applicable to e-crimes. This paper discusses the possibility of penetrating these barriers by applying a modified version of criminal profiling techniques to e-crimes.

The concept of crime has expanded beyond the physical world to the global digital world.

Profiling Cyber Criminals in the physical world

Since the 1970s, experts within the Behavioral Science Unit (BSU) of the FBI have been helping federal, state and local law enforcement agencies investigate violent crimes. This practice was initiated through offender profiling, with a view to understanding personality and behavioral traits of perpetrators. It started as an analytical technique for identifying the characteristics of the offender, based on examination of crime scenes and crime dynamics, and continued developing over the years as a tool to help investigators narrow a suspect pool (Alison et al, 2010). Offender profiling was offered within the BSU as an analytical tool and a product of training programs.

Forensic psychologists often employ deductive or inductive profiling in dealing with crimes committed in the physical world, applying these techniques to ascertain characteristics of criminals. Deductive profiling techniques involve the use of data, including crime scene evidence, forensic evidence, offender characteristics and victimology. In deductive profiling, the available information is processed by applying personal experience, with the profiler assuming one or more facts of a case as self-evident about an offender or crime, and then arriving at conclusions by following hunches and experience. The ‘truth’ of facts or conclusions arrived at using deductive profiling depends upon the truth of the premises (i.e., it is a contingent truth): in the deductive profiling method, the conclusions are true only if the hypothesis and the premises are true and valid. On the other hand, inductive criminal profiles are created by studying statistical data, including study of the demographic characteristics and behavioral patterns shared by criminals. Inductive profiling is also theory-driven and based on the available cases of crime. Inductive profiling relies on information collected through interviews with offenders, and this forms the foundation for investigators’ profiles. Again, the inductive profile technique involves hypotheses (formalized operational definitions) for testing, and coding of data to allow for statistical analysis.

Applicability of these techniques has been possible in crimes committed in the physical world. However, applicability of these techniques to deal with crimes committed in the digital world is still debatable. It has been argued that criminal profiling is an immature, but promising, science. Perhaps this may explain why little attention has been given to such techniques by both academics and practitioners. In the digital world, forensic psychologists have knowledge about the law, criminology and psychology. This can be used to better understand technological aspects relating to crime, in order to develop cyber-criminal profiles. As such, they are required to take an interdisciplinary approach when dealing with cyber crimes. Unfortunately, the highlighted issues of tractability, geography, law and anonymity make it difficult for forensic psychologists to collect information about criminals and cyber-crimes (Tompsett, Marshall, and Semmens, 2005). Again, most cyber-crimes go either unnoticed or unreported, and hence go unpunished. Importantly, it is possible to draw some parallels between non-cyber-crimes and cyber crimes. It is also possible to develop a profile from the existing techniques that can be used for law enforcement.

Profiling Techniques

From the perspective of deductive profiling methods, a cyber-criminal profile should be developed in a four-step process. The first step is victimology. Today, criminals victimize both organizations and individuals. This step involves understanding the aspects of organizations and individuals that attract cyber-criminals. Victimology helps security specialists understand an offender’s motive behind the crime. Victimology includes the following:

• Politically motivated crimes (ie, cyber-terrorists).


• Crimes driven by emotional reasons (ie, cyber-stalking).

• Crimes committed and driven by sexual impulses (ie, paedophiles).

• Crimes known to be less dangerous, such as sharing software by individuals, or sharing copyrighted movies (Shinder, 2010).

The second step is motive identification – what is the reason for the crime?

Victimology and motive leads to the third step – identifying offender characteristics. Several topologies and ways to classify cyber-criminals based on offender motives have been introduced (Rogers, 2006). However, changes in criminal behavior with the evolving technological environment necessitate modification of existing schemes. Other studies have suggested that crime can be addictive, and in the cyber world, criminals become addicted to the internet and computers (Nykodym et al, 2008). It is also argued this addiction, aided by various opportunities including the access and availability of the internet and computers, and fueled by criminal motives, could facilitate the making of a cyber-criminal. This understanding may be used in analyzing the modus operandi of cyber-criminal.

Modus operandi reflects criminal character (Lickiewicz, 2011). For instance, a cyber-criminal may destroy information by using a virus that is attached to an e-mail, while another may hack into a computer system by attacking the server with a view to stealing information. This suggests that one’s technical expertise helps him or her to understand the behavior of a cyber-criminal. A cyber-criminal may be required to have a level of technical efficacy successfully penetrate a sophisticated and secure network (Kirwan and Power, 2013). On the other hand, ‘script kiddie’ may use an already developed program to attack a computer system. It is worth noting that human elements, such as social engineering skills, possessed by some professional cyber-criminals should not be disregarded. This is because cyber-criminals with average technical skills can participate in a crime by employing simple techniques of subtle psychological manipulations and friendly persuasion. Kirwan and Power (2013) affirm that technical skills and other skills, including social skills and motives, determine the modus operandi of a cyber-offender.

Step four of the deductive cyber-profiling technique involves forensically analyzing digital evidence. Digital forensics is important because it is the means through which a cyber-criminal profiler can trace the offender in the event there is no physical evidence (Kwan, Ray and Stephens, 2008). In the view of Lickiewicz (2011), not all criminals are traceable, as one in three cyber-criminals manages to remove or modify the audit trail by wiping their traceable digital footprints. The four-step approach suggested is an iterative process: new information regarding the offender, motive, victim and forensic evidence could be revealed as an investigation proceeds.

As for inductive profiling methods, they can be applied alongside the deductive techniques described above to help deal with cyber-crimes. For example, statistical analysis of data on the demographic characteristics and behavioral patterns shared by criminals, and on breaches in cyber-security, could be employed to identify criminal attack trends such as motive for attack, the type of victims likely to be targeted, and the most common modes of attack used by cyber-criminals. This may help to identify serial offenders, and other cases with a similar modus operandi.

The four-step approach is:

• Victimology.

• Motive identification.

• Identifying offender characteristics.

• Forensically analyzing digital evidence.

Conclusion

The techniques and tools discussed in this paper are worth testing in practical scenarios. It is believed that if cyber-criminal profiling is used effectively, the issue of cyber-crime may be reduced as more offenders could be brought to justice. Considering the current trend of increasing rates of cyber-crimes, it would be important for academics and practitioners to collaborate. These practices may be useful for law enforcement officers, as it may help them gather legally valid and binding evidence in order to take appropriate actions against these cyber-criminals.

Cyber-criminal profiling is a tool which could bring more offenders to justice.

References

Alison, L., Goodwill, A., Almond, L., Heuvel, C. and Winter, J. (2010). Pragmatic solutions to offender profiling and behavioural investigative advice. Legal and Criminological Psychology, 15: 115-132.

Kirwan, G. and Power, A. (2013). Cybercrime: Psychology of Cybercrime. Dublin: Dun Laoghaire Institute of Art, Design and Technology.

Kwan, L., Ray, P. and Stephens, G. (2008). Towards a methodology for profiling cyber criminals. Proceedings of the 41st Hawaii International Conference on System Sciences. IEEE Computer Society.

Lickiewicz, J. (2011). Cyber crime psychology: proposal of an offender psychological profile. Problems of Forensic Sciences, 2(3): 239-252.

Nykodym, N., Ariss, S. and Kurtz, K. (2008). Computer addiction and cyber crime. Journal of Leadership, Accountability and Ethics, 35: 55-59.

Rogers, M. K. (2006). A two-dimensional circumplex approach to the development of a hacker taxonomy. Digital Investigation, 3(2): 97-102.

Shinder, D. (2010). Profiling and categorizing cybercriminals. TechRepublic. Retrieved 6 July 2016 from http://www.techrepublic.com/blog/security/profiling-and-categorizing-cybercriminals/4069.

Tompsett, E. C., Marshall, A. M. and Semmens, C. N. (2005). Cyberprofiling: offender profiling and geographic profiling of crime on the Internet. Computer Network Forensics Research Workshop.

Fadi Abu Zuhri, (MSc, ITSM, CGEIT, CISM, CFE, CISA, CISSP, PMP)

Added Value

Adding Value in a Challenging Economic Environment

BY: Ehab Saif

“In the current volatile and unstable economic conditions, internal audit functions are required, like never before, to assume different responsibilities and wear multiple hats to achieve the goals of the reorganization programs”.

The current business environment is very volatile and unstable worldwide, and this is especially clear in the Middle East. The main characteristics of this stage are uncertainty and a lack of clear strategic direction.

Working in such a business environment adds a lot of responsibility and pressure on the available resources. This of course applies to internal audit resources, which are required to participate in different organizational efforts aiming to reduce costs, increase efficiency and ensure proper restructuring of key business activities.

In such circumstances, internal audit functions are required, like never before, to assume different responsibilities and wear multiple hats to achieve the goals of the reorganization programs.

Acting as the Second Line of Defense

Most reorganization programs will result in hard decisions related to job cuts at different organizational levels. The reduction in head count might be permanent or temporary, which in both cases means weaker internal controls, at least during the period of the restructuring.

Assuming compliance and risk management responsibilities is one of the common scenarios for internal audit resources in such circumstances. For example, internal auditors might be required to review some business transactions to ensure their compliance with internal policies and alignment with reorganization objectives.

Having in-depth knowledge of the internal controls gives internal audit resources the ability to perform compliance-related activities, including financial and operational compliance, in a very efficient and effective manner.

Internal audit departments can also review, identify gaps in and recommend improvements to the reorganization plans, as they have the best understanding of overall organizational operations, departments and intradepartmental workflows.

Risks to Independence and Objectivity

One of the major concerns of internal auditors is always independence and objectivity, which is clearly reflected in Standard 1100 of the IIA Standards: the internal audit activity must be independent, and internal auditors must be objective in performing their work. However, participation in restructuring efforts requires a high level of flexibility to convince restructuring committees that internal auditors are well-rounded resources who can employ their knowledge of internal controls and utilize their internal business relationships to add value to the organization.

Unfortunately, in most cases internal auditors will not have a say in whether they are involved in such reorganization programs. The BoD/business owners will usually ask internal auditors to be involved in the reorganization efforts due to the lack of trusted and knowledgeable resources. This might be more applicable in family businesses, where internal audit is considered a trusted agent to accelerate changes and ensure that the BoD/owners’ decisions are implemented.

The independence issues normally appear when the Chief Audit Executive (CAE) or the internal audit resources are required to report on specific assignments to the reorganization committee, which might consist of current or future management employees. The impairment of independence might also result from performing some compliance and risk management activities which will be subject to internal audit reviews in the future.

Considering the factors mentioned above, there are clearly some risks associated with assuming second line of defense responsibilities temporarily. The CAE is required to report such risks to the audit committee/BoD before accepting the assigned responsibilities.

Adding Value in Difficult Times

The internal audit resources should plan their work in a smart and effective manner to add the maximum value to the reorganization efforts while maintaining the highest possible level of independence and objectivity. Such activities might include, but not be limited to, the following:

• Efficiency reviews that focus on cost optimization, in which internal auditors review previous practices in various business departments and recommend improvements that will decrease costs and/or increase efficiency.

• Liquidity assessment reviews that highlight potential gaps in cash flow for management action, given that most reorganization efforts involve major debt restructuring and cash flow difficulties which require close attention by the reorganization committee.

• Process gap analysis reviews that help the reorganization committee to conduct proper process reengineering exercises.

• Limited ad-hoc assignments or investigations that assist the reorganization committee to reach certain conclusions on various organizational matters.

IIA Response

As a response to the increasing pressure on internal audit resources to perform second line of defense activities, the Institute of Internal Auditors (IIA) has issued a practice guide called “Internal Audit and the Second Line of Defense” which addresses the specific cases where BoD/business owners ask CAEs to assume responsibilities for risk management, compliance, and other governance functions.

As per the practice guide, the CAE should ensure the following before and during assuming such responsibilities:

• Discussion of risks with management and the BoD/business owners.

• Acceptance and ownership of risks by management.

• Clear definition and assignment of roles for each activity where second line of defense activities overlap with third line of defense activities.

• Periodic independent assessment of internal audit’s second line of defense roles and responsibilities.

The practice guide has also specified some of the activities that the internal audit should avoid in such cases which include:

• Setting the risk appetite, owning or managing risks.

• Assuming responsibilities for accounting, business development, and any other first line of defense functions.

• Assuming accountability for risk management or governance processes.

• Providing assurance on second line of defense activities performed by internal audit.

The practice guide above was subsequently followed by a new IIA Standard, Standard 1112 “Chief Audit Executive Roles Beyond Internal Auditing”. The new Standard specifies certain safeguards to address the impairments resulting from assuming responsibilities that fall outside internal auditing, which include periodic evaluation of reporting lines and developing alternative processes to obtain assurance related to the areas of additional responsibility.

Another sensible change in the IIA Standards was introduced in Standard 1130.A3, which allows internal audit resources to provide assurance services where they had previously performed consulting services, provided the nature of the consulting did not impair objectivity. This means that internal audit functions will need robust processes to assess requests for consulting engagements, to help prevent independence issues in future audit plans.

Conclusion

Organizational changes might not always be in the favor of the employees and this usually creates more pressure and discomfort for the available resources. Internal auditors are usually one of the most impacted resources as they are required to assume more responsibilities.

In addition to the reorganization programs, internal auditors might be asked to assume second line of defense responsibilities for many reasons, including, but not limited to, the following:

• BoD/business owners do not understand or appropriately value the importance of an independent and objective third line of defense.

• Internal audit has the necessary skill set or relevant expertise for specific risk management and/or compliance activities.

• The organization is small and cannot support distinct control and assurance functions.

Internal auditors might have two options when it comes to assuming second line of defense activities: either to quit the job in order to protect their independence, or to accept such responsibilities with a strategy for achieving the required objectives and a clear transition plan to relieve internal audit of such responsibilities in the future.

There is a good saying to remember in this regard. It says “I can’t change the direction of the wind, but I can adjust my sails to always reach my destination”. It is extremely important for internal auditors to be mentally prepared for such circumstances, especially in the current economic conditions, which will help them perform and excel without unnecessary hard feelings.

Ehab R. Saif, CMA, CIA, CFE, is Head of Internal Audit at a private holding company in Abu Dhabi.

Audit Analytics

Self Service Audit Analytics – transform your approach

By: Indumon Das, Edited by Gautam Gandhi

Despite the fact that data analytics and Computer Assisted Audit Techniques (CAAT) have been a part of auditing for nearly thirty years, many organizations are still struggling with the implementation of effective data analytics to enhance internal audit quality and effectiveness.

Increasing complexities of risks and the incessant emergence of disruptive technologies are demanding substantial change in internal audit processes.

In today’s world of constant disruption, internal audit should evolve into a dynamic and future-oriented function.

Businesses need broad-spectrum audit processes that extend beyond reviewing the obvious. Auditors should adopt forward-looking IA approaches, and should be able to provide deeper and more valuable insights on strategy, execution, emerging risks, and hidden opportunities.

The 2016 Deloitte Global Chief Audit Executive Survey, which polled more than 1200 CAEs from 29 countries and a diverse range of industries, reaffirms the growing need to conduct analytics-based auditing. More than three quarters of the CAEs (79%) recommend digital disruption and innovation to transform internal audit and enhance its value. The survey also cited the increasing relevance of cutting-edge technologies such as artificial intelligence, cognitive computing, and visual analytics.

Is the skill gap a concern?

More than half of the CAEs (57%) who participated in the survey expressed intense dissatisfaction with the inadequate skills and insufficient expertise of audit teams.

When left unaddressed, these skill gaps will weaken auditors’ capabilities to deliver on changing stakeholder expectations.

Stakeholders expect more forward-looking analysis to uncover risks and hidden opportunities. Gone are the days of static audit reports and analysis of sample data.

The Deloitte survey also cites risk anticipation (39%) and data analytics (34%) as the two groundbreaking innovations that are most likely to impact internal audit within the next five years. Changing business landscapes, technological advancements, and proliferation of data have brought forth the imminent need to leverage analytics and data visualization to increase the impact, influence, and effectiveness of internal audit.

Analytics Adoption Challenges

Even 30 years after the inception of data analytics, many auditors continue to rely on conventional internal audit methods and lag in technology adoption. Wondering why? Here are some of the reasons:

1. Skills gap

2. Insufficient IT support

3. Difficulty to manage and manipulate data

4. Increasing requests for ad-hoc analysis and one-off reports

5. Difficulty in dealing with the basic aspects of data management and governance

Can technology disruption be a savior?

Advancements in technology are fundamentally changing the nature of the audit and improving its effectiveness and relevance. Here are a few game-changing technology solutions that auditors can harness effectively to enhance the way they work with data:

1. Self-service analytics - Smart analytics for all

Self-service analytics is no longer a buzzword. It’s the new norm. Self-service analytics empowers auditors to access data, perform queries, and create interactive reports that add richness and granularity to the insights derived. Anyone and everyone, with or without technical expertise, can harness the power of self-service analytics to work seamlessly with data sets of any size or type, and discover savvy insights without having to write code or learn programming languages.

Key advantages of using self-service analytics tools:

• Explore your data and create ad-hoc reports without IT skills

• Easy access to any source data

• Guided analysis - Faster answers to complex questions

• Intuitive drag-and-drop interface to create and share interactive reports.

• Natural language processing to respond to complex queries

• Interactive visualizations and personalized dashboards to identify patterns and trends

• Fast to deploy and easy to manage

• All-encompassing data analysis anywhere and available anytime

2. Mobile Analytics – Audit insights on the go

Regardless of the size of an organization or availability of data, it takes weeks to prepare and present comprehensive audit reports. The numbers are usually saved offline as large files or copied to multiple slides for boardroom meetings.

Mobile data analytics enables a concise and easily accessible digital avatar of audit reports and dynamic dashboards that can be accessed on mobile devices to interact and proactively monitor the business information on the go.

3. Data Visualization

When it comes to presenting audit data, reports and findings, one gets a single view of the entire raw data, all at once. This makes it difficult to decipher what is important and what isn’t, which defeats the point of sharing information. Data visualization provides a flexible and reliable way to identify and share pertinent information in a manner that everyone can easily understand.

• Process more information than reading numbers

• Discover insights using spatial relationships, colors, and textures

• Make data accessible to a broader audience and provide users with a rich and engaging experience

There are many reasons why auditing is ripe for self-service analytics and visualization driven transformation. There is more data to examine within limited time availability. Most financial and operational transactions are moving online, and the number of variables, outliers, trends, and patterns to identify and analyze continue to increase each day.

Visual analytics is the fastest way to analyze and understand structured or unstructured data of any size, without IT assistance. Visual technologies help speed up and improve decision making with heat maps, bubble charts, and interactive dashboards that are easy for C-suite executives, non-technical business users, and stakeholders to understand.

Everything gets better when you can do it yourself, right? Self-service audit analytics and visualization too are not different.

Benefits of self-service analytics in Internal Audit

• Analytics for everyone: Everyone in an IA Team can perform analytics and build audit dashboards – It’s a cultural shift

• Greater insights – Transform audit, increase audit quality, and create more impact

• Increased coverage – Identify more risks and opportunities

• Generate and deliver more forward-looking recommendations quickly – From auditors to business advisors

• Minimal Investment, Tangible and Quicker ROI

• Work smarter and reduce costs by building and deploying Continuous Audit and Monitoring mechanisms.

Indumon Das, Founder and Principal Consultant at a consulting firm in the UAE.


Fraud Risk

You think you have discovered a fraud. What do you do?

BY: David Clements EDITED BY: Meenakshi Razdan

Despite recent surveys pointing to an increase in instances of fraud, the discovery of a suspected fraud within any organisation is not an everyday occurrence for most people, and initial reactions may include shock and surprise. However, action taken in the first few hours and days after discovery will significantly impact the course and/or outcome of a full investigation and may even make or break it.

Most organisations have controls in place to prevent and detect fraud committed against them from outside the organisation. In the banking industry in particular, external fraud is an expected occurrence and banks employ sophisticated processes and technology to prevent and detect such occurrences. The bigger problem occurs when fraud has been committed from within. Apart from the cost involved, there is always some collateral damage, including loss of reputation, brand damage and reduced employee morale. Seniority of the suspect is also a factor: the more senior the employee, the more serious the damage.

History shows that, in the absence of any structured response plan, the amount of time and effort it takes for management to respond, particularly in the initial weeks, is excessive and severely impacts the normal business activity of the organisation. When a potential fraud is first discovered, the following few hours or days can be very confusing and stressful if the organisation is unprepared.

In the absence of a Fraud Response Plan, experience has shown that managers handle the same problem in different ways.

Sometimes this has disastrous consequences, such as destroying the evidentiary value of information and evidence through inappropriate handling processes, inadvertently tipping off the suspect and enabling them to destroy incriminating evidence, failing to keep the matter confidential, and taking inappropriate action based on insufficient information.

For example, in a recent fraud incident that occurred in a UAE organisation, the suspect was in charge of procurement for the organisation, and it came to light that he also operated a supply and contracting company which had been paid in excess of 3 million dirhams by his employer’s company, all ordered and authorised by the suspect. After discovery, he was made aware of the issue but was allowed to remain in his position for another month, during which time he destroyed a large number of incriminating documents.

In an incident which occurred in another Middle East country, it became widely known throughout the organisation that a fraud had been uncovered. Unfortunately, the matter which became public knowledge was only a small part of a much larger conspiracy between a number of employees and suppliers. By failing to keep the matter confidential, the company management enabled the conspirators to destroy incriminating records and electronic data and to dispose of stolen property, which rendered any future investigation a limited exercise. The identities of the suspects were not confirmed, which means that the company may still employ people who are actively seeking ways to defraud it.

The purpose of a Fraud Response Plan is to ensure that incidents are handled in a systematic and efficient manner, not only to conclude a successful investigation, but also to show that the organisation acted in a prudent and lawful manner and that it does not tolerate fraud.

The Fraud Response Plan should outline how far an individual line manager should go in collecting initial information before invoking the Response Plan. The key is to provide the line manager with an effective framework to resolve concerns, rather than leave such resolution to individual initiative.

Initial Action

It is important to remember that when fraud is first suspected, the matter may well be more serious than it may initially appear. This is because fraudsters rarely restrict their activities to only one modus operandi or method. Therefore, every effort should be made to obtain as much information as possible before anyone is questioned, confronted or interviewed.

This is particularly important in organisations or business units with a close working environment, where there may be a strong temptation to simply question an employee as soon as suspicion is raised.

It is also important to be aware that larger scale frauds are often international in nature. Therefore, any fraud contingency planning must include measures for investigation and taking legal and investigative action across jurisdictions.

In addition, most frauds involve the use of a computer at some stage in the planning or execution of the fraud. This is particularly evident in today’s environment, when the majority of white collar employees are allocated a computer by their employer. Business is conducted by computer and correspondence normally involves a computer through the widespread use of corporate email. The pervasive involvement of the computer in most facets of corporate life means that electronic evidence is often vital to investigating corporate fraud. Obtaining that electronic evidence is a specialist skill which should be discussed with your forensic specialists.

Initial actions are crucial to the eventual outcome of an investigation and, if a proper strategy is put in place and adhered to, the extent of fraudulent activity can usually be assessed and action taken to resolve the matter successfully. This usually means obtaining sufficient evidence to dismiss errant staff and to commence civil and/or criminal proceedings against those involved in the fraud, or claims against insurers, if so desired.

Initial responsibility designation

Fraud investigation is, by necessity, a confidential task and is a sensitive matter for the vast majority of organisations. It is vital that all allegations of fraud are treated seriously and that responsibility for handling fraud incidents is assigned to a senior, trusted individual or group of individuals. In many organisations, this responsibility is handed to a corporate security advisor, internal audit manager or risk management director. In other organisations, the responsibility is shared between members of senior management or an audit committee, and the organisation’s human resources personnel and corporate lawyers are involved from a very early point. Fraud incident management responsibility is an important role, and those chosen to administer it must have the appropriate legal and management-level authority to investigate and to co-ordinate the organisation’s overall response to fraud incidents.

As part of their overall fraud control plan, organisations should assign responsibility for fraud incident management to an appropriate person(s) as a precursor to adopting an incident management plan. Consideration should also be given to the appropriate level of involvement by corporate lawyers and human resource personnel.

Fraud Response Team

Some Fraud Response Plans only deal with situations where an employee discovers a fraud and hands it over to an investigation department to follow up. However, some frauds have impacts far beyond the remit of the investigation department to deal with (such as when the organisation’s liquidity is threatened). The Plan should also cater for such eventualities.

Most large organisations have formed crisis management committees to respond to major incidents (such as a fire or explosion), so it is not unusual to take a similar approach in a Fraud Response Plan. Typically, this means forming a Fraud Incident Management Team, comprising essential members and co-opted members.

In some types of fraud, the victim may only have a few hours to take action to freeze funds which have been illicitly transferred. It is essential that contact numbers for essential service providers are established beforehand, including internal support departments such as legal, corporate security and insurance, external lawyers, police and telecommunications agencies, forensic accountants and investigators.

Receipt and initial assessment of suspicion, allegation or ‘tip-off’

Fraud investigations are often initiated after an allegation or a tip-off (often anonymous) is received. This will usually be sourced from inside the organisation, although external tip-offs are not uncommon. Many fraud incidents are initially discovered by accident, perhaps as a result of an audit, job change or resignation. Very few frauds are discovered as part of a deliberate attempt to uncover fraud, as very few organisations implement a proactive fraud detection program.

The checklist shown below highlights initial actions to be taken (or avoided) upon the discovery of a fraud or receipt of a tip-off.

At the conclusion of this stage, a decision must be made as to whether the allegation or suspicion warrants investigation or is implausible or vexatious. However, this decision must be made carefully. If an allegation cannot be quickly dismissed as false, further action should be taken.

A typical Fraud Response Plan contains:

• purpose of the plan,

• policy statement,

• definition of fraud,

• roles and responsibilities including fraud response team,

• objectives including civil and criminal response,

• reporting of suspicions and collection and preservation of evidence.

Checklist

Initial action checklist upon discovering a potential fraud:

1. Alert the fraud incident manager that an allegation or suspicion exists

2. Document date, time and details of initial report/discovery

3. Take notes of all observations and actions (if something is worth a mental note, it is worth a written note)

4. Maintain confidentiality (only inform those people who need to know about the suspected act). Unwarranted disclosure can seriously damage potential successful investigations. Do not confront the suspect.

5. Write out in full the suspected act or wrongdoing including:

• What is alleged to have occurred

• Who is alleged to have committed the act

• Is the activity continuing

• Where did it occur

• What is the value of the loss or potential loss

• Who knows of the activity

6. Identify all documentary and other evidence connected to the activity

• Invoices

• Contracts

• Purchase orders

• Cheques

• Computers

• Credit card statements

7. Obtain evidence and place it in a secure area (only where this is possible without alerting any suspects)

8. Protect evidence from damage or contamination

9. List each item individually, noting the acquisition details (incl. time, date and location) and where the item was securely stored, so that the chain of custody is complete

10. Identify all potential witnesses

11. Unless electronic evidence is in the process of being destroyed, do not go into the suspect/target computer systems; simply logging on to a live system alters file timestamps, logs and other metadata and can undermine the evidence

12. If possible, secure and/or remove the suspect's access to relevant computers/systems. Do not allow the IT department to examine the computer; an examination by staff not trained in forensic acquisition can alter or destroy evidence

13. Consider other potential suspects and extent of fraud
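Items 7 to 9 above amount to a chain-of-custody procedure for whatever is seized. As an added example (not part of the original checklist or Deloitte's own tooling), the Python script below keeps such a register: every item is hashed with SHA-256 at the moment of acquisition, recorded with who took it, when, from where and where it is now stored, and every later hand-over or integrity check is appended to the same log. A later verification that produces a different hash is logged as an integrity failure rather than silently overwriting the record. The file, people and locations in `demo()` are constructed for the example.

```python
"""Evidence register with chain of custody (added example, not from the article)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EvidenceRegister:
    """Item 9: one record per item plus an append-only custody log."""

    def __init__(self) -> None:
        self.items: dict[str, dict] = {}
        self.custody: list[dict] = []

    def _log(self, evidence_id: str, action: str, person: str, note: str = "") -> None:
        self.custody.append({
            "evidence_id": evidence_id,
            "action": action,
            "person": person,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "note": note,
        })

    def acquire(self, evidence_id: str, path: Path, acquired_by: str,
                location: str, storage: str) -> str:
        """Record time, source location and secure storage; hash on acquisition."""
        digest = sha256_file(path)
        self.items[evidence_id] = {
            "description": path.name,
            "sha256": digest,
            "size": path.stat().st_size,
            "acquired_by": acquired_by,
            "acquired_from": location,
            "stored_at": storage,
        }
        self._log(evidence_id, "acquired", acquired_by, f"from {location}, stored at {storage}")
        return digest

    def transfer(self, evidence_id: str, from_person: str, to_person: str, reason: str) -> None:
        """Every hand-over is logged so custody is continuous."""
        self._log(evidence_id, "transferred", to_person, f"from {from_person}: {reason}")

    def verify(self, evidence_id: str, path: Path, person: str) -> bool:
        """Item 8: prove the stored copy is unchanged since acquisition."""
        current = sha256_file(path)
        ok = current == self.items[evidence_id]["sha256"]
        self._log(evidence_id, "verified" if ok else "INTEGRITY FAILURE", person, current)
        return ok

    def export(self) -> str:
        return json.dumps({"items": self.items, "custody": self.custody}, indent=2)


def demo() -> tuple[bool, bool, int]:
    """Constructed scenario: an invoice is seized, handed over, verified, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        invoice = Path(tmp) / "invoice_4471.pdf"          # constructed sample file
        invoice.write_bytes(b"%PDF-1.4 constructed sample invoice for the example\n")
        reg = EvidenceRegister()
        reg.acquire("EV-001", invoice, "A. Auditor",
                    "finance share, AP folder (hypothetical)", "evidence safe, shelf 2")
        reg.transfer("EV-001", "A. Auditor", "F. Examiner", "forensic review")
        before = reg.verify("EV-001", invoice, "F. Examiner")   # True: untouched
        invoice.write_bytes(b"%PDF-1.4 altered after acquisition\n")
        after = reg.verify("EV-001", invoice, "F. Examiner")    # False: tampering detected
        return before, after, len(reg.custody)


if __name__ == "__main__":
    print(demo())
```

The register itself should live somewhere the suspect cannot reach (a separate, access-controlled system), and the exported JSON should be hashed or signed as well; a custody log that the subject of the investigation can edit proves nothing.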

David Clements, Former Principal Director | Deloitte Forensics


Frosting Fundamentals

BY: Arif Zaman

Internal Audit Planning - The Value-Adding Phase

One would think that the most important step of the internal audit process is conducting the audit. Experience and research show otherwise: a long and rigorous process precedes the audit execution phase. This brings me to the point of discussion in this article, which is that the most important step in the process is the planning phase. The whole internal audit process relies heavily on proper planning taking place.

The Chief Audit Executive (CAE) must effectively manage the internal audit activity to ensure it adds value to the organization [1]. Value is added to the organization and its stakeholders when internal audit considers strategies, objectives and risks in order to enhance governance, risk management and control processes, and objectively provides relevant assurance on how effectively they are functioning. These aspects normally come up during the annual planning phase of the internal audit process.

Annual planning

The CAE must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals [2]. The purpose of annual audit planning is to ensure that the audit is relevant to the organization's needs and adds value towards the achievement of the preset objectives. It also helps in better utilization of the limited audit resources.

There is a common belief that the annual audit planning process is time-consuming and costly, when in practice the benefits far exceed the cost and time spent on it. As the saying goes, "By failing to prepare, you are preparing to fail". In the following points, I will share with you the steps that make up the annual internal audit planning process.

Step 1. Audit Universe

Before embarking on the risk assessment, it is important to break down the organization into auditable areas. This should include all the businesses, regions and functions that make up the organization, in a systematic order. This can be done through any of the following approaches:

• Geography: the subsidiaries and sister companies can be categorized by geographic region.

• Industry: if the organization operates in diverse industries and sectors, it can be classified by industry or sector.

• Function, Process, Service or Product: the organization can be classified by function, process, service or product.

The audit universe is a collaborative effort between the key business stakeholders and the internal audit function. The Internal Audit Department (IAD) needs to update the audit universe for any structural changes that have taken place within the organization. Upon completion of the audit universe, the IAD is ready to proceed with the annual risk assessment phase, since it now has clarity on which areas or functions it needs to assess for risks and controls.

Step 2. Risk Assessment

The IAD's activity plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process [3].

The risk assessment is the most challenging stage in the annual planning process. The first element that needs to be assessed by the auditor is the organization's risk maturity.

Risk Mature Organization: if the organization clearly has three lines of defense for the management of risk, controls, compliance, fraud and quality, then input needs to be collected from all these functions as part of the risk assessment process.

In a risk mature organization these functions are operating as intended. Moreover, they have a defined risk appetite (the amount of risk an organization is willing to accept to achieve its objectives), risk registers (detailing business risks) and a robust ethical framework in place, to strengthen the overall control environment.

Risk Immature Organization: if none of the aforementioned lines of defense are in place, then a more detailed risk assessment needs to be conducted, since the IAD would not have the points of reference to rely on when collecting risk-related information.

In this situation, which is applicable to many organizations, it is recommended that the IAD collect risk input from each functional head. There are several tools that can be used in this process, such as surveys/questionnaires, holding meetings/interviews, reviewing management reports, etc.

The IAD needs to record all the key risks and map them against each auditable area in the audit universe.

Regardless of the risk maturity of the organization, the IAD is also expected to review other sources of information, such as:

• Industry/sector risks

• External factors (internal auditors can use techniques like PEST and SWOT)

• Compliance/regulation risks

• Previous internal audit reports

• Management reports from the 2nd line of defense, such as risk function, compliance function and fraud function reports

• Any other input from the internet, e.g. knowledge leaders, board executives, etc.

In carrying out the risk assessment there are certain standard requirements that the IAD must take into consideration. The risk assessment must be documented, and the internal auditors must have sufficient knowledge to evaluate the risk of fraud [4] and key information technology risks [5]. Moreover, the internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, the risk management processes [6].

Step 3. Alignment of Risks with the Strategic Goals and Objectives

The IAD must be alert to the significant risks that might affect objectives, operations, or resources [7].

Once the IAD has identified the business risks, these should be aligned with the organization's strategic goals and objectives and assessed in terms of their probability of occurring (likelihood) and consequences (impact), to arrive at an overall rating. Risks can be rated qualitatively (High, Medium or Low) or quantitatively, through the assignment of an overall score to each risk after taking the existing controls into account (residual risk).

Step 4. Risks Prioritization

Based on the rating, the high risks and some of the medium risks are prioritized. Some further medium and low risks are also included, since there is a degree of subjectivity in any risk assessment; the selection is determined by the IAD based on professional judgement.

Step 5. Formalize Internal Audit Plan

Once the previous phases are complete, the IAD has a clear idea of the risky areas that are of importance to the organization and its management. Based on that, the process to formalize the Annual Internal Audit Plan starts. The plan can sometimes cover a span of more than one year. It specifies which areas will be audited during the year, detailing the execution period(s) (normally on a quarterly basis).

The formalized audit plan is presented to the Board Audit Committee for review and recommendations. Input from senior management and the Board must be considered in this process [8]. The IAD should identify the pervasive audit needs requested by the Board or senior management and take them into account, based on the available resources and the internal auditors' professional judgment. The Chief Audit Executive must also communicate the impact of any resource limitations [9].

The annual audit plan varies with the organization's needs and requirements. The IPPF specifies only certain criteria and guidelines for the annual planning process, which set the minimum requirements. Some organizations add audits based on criteria other than risk, such as areas subject to change, mandatory audits or audits requested by management. The steps highlighted above can be used as a guide to facilitate the annual audit planning process.
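As an added worked example (not the author's own method and not a procedure prescribed by the IPPF), the Python script below carries Steps 1 to 5 through on a constructed audit universe. Each auditable area is scored for likelihood and impact on 1 to 5 scales, a residual risk score is derived by discounting the inherent score by the control effectiveness reported by the second line, the score is banded High/Medium/Low, and a plan is selected under an assumed budget of audit days: every High, half of the Mediums, one token Low and anything not audited for three years. Areas that do not fit the budget are returned as deferred, which is exactly the resource limitation the CAE has to communicate. The scales, thresholds, shares, area names and day estimates are all assumptions made for the example.

```python
"""Risk-based annual audit plan selection (added example, not the article's method)."""
from dataclasses import dataclass


@dataclass
class AuditableArea:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                   # 1 (minor) .. 5 (severe), assumed scale
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective), from 2nd line
    audit_days: int               # estimated effort, assumed
    last_audited_years_ago: int = 0

    @property
    def inherent_risk(self) -> int:
        """Step 3: likelihood x impact, range 1..25."""
        return self.likelihood * self.impact

    @property
    def residual_risk(self) -> float:
        """Exposure left after controls (assumed linear discount)."""
        return round(self.inherent_risk * (1 - self.control_effectiveness), 2)


def rating(residual: float) -> str:
    """Qualitative band derived from the score (assumed thresholds)."""
    if residual >= 12:
        return "High"
    if residual >= 6:
        return "Medium"
    return "Low"


def build_plan(universe: list[AuditableArea], available_days: int,
               medium_share: float = 0.5, low_count: int = 1, stale_after: int = 3):
    """Steps 4 and 5: prioritise, apply a coverage rule, then fit the day budget."""
    ranked = sorted(universe, key=lambda a: a.residual_risk, reverse=True)
    highs = [a for a in ranked if rating(a.residual_risk) == "High"]
    mediums = [a for a in ranked if rating(a.residual_risk) == "Medium"]
    lows = [a for a in ranked if rating(a.residual_risk) == "Low"]
    selected = highs + mediums[: max(1, round(len(mediums) * medium_share))] + lows[:low_count]
    # coverage rule: areas not audited for `stale_after` years are added regardless of rating
    selected += [a for a in ranked if a.last_audited_years_ago >= stale_after and a not in selected]
    plan, deferred, days = [], [], 0
    for area in selected:
        if days + area.audit_days <= available_days:
            plan.append(area)
            days += area.audit_days
        else:
            deferred.append(area)  # resource limitation to report to the Board (Standard 2020)
    return plan, deferred, days


# Constructed audit universe (Step 1); scores are illustrative only.
UNIVERSE = [
    AuditableArea("Procurement", 4, 5, 0.3, 30, 1),           # residual 14.0  High
    AuditableArea("Payroll", 3, 4, 0.5, 20, 2),               # residual 6.0   Medium
    AuditableArea("IT access management", 4, 4, 0.2, 25, 4),  # residual 12.8  High, stale
    AuditableArea("Treasury", 2, 5, 0.6, 20, 1),              # residual 4.0   Low
    AuditableArea("Fixed assets", 2, 2, 0.5, 10, 5),          # residual 2.0   Low, stale
    AuditableArea("Marketing expenses", 3, 3, 0.2, 15, 0),    # residual 7.2   Medium
    AuditableArea("Inventory", 3, 3, 0.3, 15, 2),             # residual 6.3   Medium
]


if __name__ == "__main__":
    plan, deferred, used = build_plan(UNIVERSE, available_days=100)
    for area in plan:
        print(f"{area.name:22} {rating(area.residual_risk):6} {area.residual_risk:5} {area.audit_days}d")
    print(f"{used} of 100 days used; deferred: {[a.name for a in deferred]}")
```

With a 100-day budget the two High areas, two of the three Mediums and the stale Fixed assets review fit; the token Low (Treasury) is deferred and becomes the item to raise with the Audit Committee. Changing the thresholds or the medium share changes the plan, which is the point: the judgement calls in Step 4 should be written down as parameters the Committee can see.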

The IAD's credibility and value are enhanced when it is proactive and its evaluations offer new insights and consider future impact. The purpose of audit planning is to make the IAD more effective in contributing to the improvement of the organization's governance, risk management and control processes, through the use of a systematic, disciplined and risk-based approach [10].

1. International Standards for the Professional Practice of Internal Auditing (IPPF), Standard 2000 - Managing the Internal Audit Activity

2. IPPF Standard 2010 - Planning

3. IPPF Standard 2010.A1 - Planning

4. IPPF Standard 1210.A2 - Proficiency

5. IPPF Standard 1210.A3 - Proficiency

6. IPPF Standard 2120 - Risk Management

7. IPPF Standard 1220.A3 - Due Professional Care

8. IPPF Standard 2010.A1 - Planning

9. IPPF Standard 2020 - Communication and Approval

10. IPPF Standard 2100 - Nature of Work

Arif Zaman is a Group Internal Audit Manager, ACCA, CIA, CPA, CISA, CFE, CCSA, CRMA, CRBA and CGA.

TO COMMENT on the article, EMAIL the author at [email protected]