IIA April 2010.pdf - UAE IAA

Issue No. 13, April 2010

Going Full Blast.....

11th Annual Regional Gulf Audit Conference

What is the Range of the Internal Auditor’s Work - By: Andrew Cox


Contents

• UAE-IAA Events
• Fraud Risk Assessment: The Human Element – By: Santosh Noronha
• 11th Annual Regional Gulf Audit Conference
• How famous companies were named
• Green IT – By: Fadi Sidani
• Knowledge Update – By: Vishal Thakkar
• What is the Range of the Internal Auditor’s Work – By: Andrew Cox

…Going Full Blast…

Message from the President

On behalf of the UAE Internal Audit Association’s Board of Governors, I wish to extend a warm welcome to all the delegates to the 11th Annual Regional Gulf Audit Conference in Abu Dhabi. Our theme for this year is ‘2010 and Beyond’, and we urge you to join us in “going full blast” in enthusiasm, as we start the implementation of programs and planned activities for this still challenging year.

Firstly, we encourage you to optimize your learning and networking opportunities during this conference by actively participating in the pre-conference workshops on Day 1 and the main conference sessions, which will cover topical issues impacting our profession. We are fortunate to have with us as keynote speaker, our IIA Global President, Mr. Richard Chambers.

You are also invited to participate in the Global Internal Audit Survey, which opened on March 15, 2010 and is available in both the IIA and UAE-IAA websites. The survey is expected to be completed by over 15,000 internal auditors from around the globe, in more than 20 languages. Results will provide insight into emerging issues and trends, as well as developments and changes within the profession. We are pleased to have set another milestone at the Institute by successfully providing an Arabic translation for this survey.

As we ended the first quarter, we near the completion of a Memorandum of Understanding with the American University of Sharjah, to initiate cooperative agreements with educational institutions in the UAE / Region. In February, we were also privileged to have shared our programs and experiences with IIA Saudi Arabia when they visited us for a benchmarking exercise.

As we progress on in 2010 and beyond, we set up a dedicated staff to better provide the services of the Institute. Once again, we request your wholehearted support in achieving all our plans and objectives.

Abdulqader Obaid Ali
President
UAE-IAA
April 2010

Board of Governors
UAE-IAA Chapter

President:
• Abdulqader Obaid Ali, abdulqader.obaidali@dubaiworld.ae

Board Members:
• Abdulrahman Al Hareb, abdulrahman.alhareb@dubaiholding.com
• Abdulrahman Ba Saeed, abdulrahman.basaeed@dubaiworld.ae
• Adnan Zaidi, adnan.zaidi@protivitiglobal.ae
• Ahmad Dahabiyeh, adahabiyeh@adaa.ae
• Amir Gergawi, amir.algergawi@du.ae
• Badr Mohammed Buhannad, bbuhannad@dso.ae
• Karem Obeid, karem.obeid@dubaiholding.com
• Khalid Halyan, khalhalyan@dca.gov.ae
• Laila Al Humairi, laila.alhumairi@gmail.com
• Raza Abdulla, raza.abdulla@emirates.com
• Venkataraman, venkat@habtoor.com
• Yaser Al Yaish, yaser.yasih@gmail.com

Newsletter Committee:
• Vishal Thakkar, Dubai World
• Mayur Motwani, Protiviti Middle East
• Julion Ruwette, Deloitte & Touche, (M.E.)

Editor:
Manjula Ramakrishnan

UAE-IAA Newsletter welcomes editorial contributions and feedback from readers. Write in to editor@iiauae.org

Affiliated to The Institute of Internal Auditors • 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 USA +1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org • Copyright 2008

Disclaimer: It is hereby notified that all opinions, facts or views expressed in this magazine are those of the author and need not necessarily represent the views of UAE-IAA. The advertising of events, courses, products and services in this publication does not imply that they have UAE-IAA endorsement.

How famous companies were named?

Apache
It got its name because its founders got started by applying patches to code written for NCSA’s httpd daemon. The result was ‘A PAtCHy’ server - thus, the name Apache.

Adobe
The name came from the river Adobe Creek that ran behind the house of founder John Warnock.

Cisco
The name is not an acronym but an abbreviation of San Francisco. The company’s logo reflects its San Francisco name heritage. It represents a stylized Golden Gate Bridge.

Hewlett-Packard
Bill Hewlett and Dave Packard tossed a coin to decide whether the company they founded would be called Hewlett-Packard or Packard-Hewlett.

Google
The name started as a jokey boast about the amount of information the search-engine would be able to search. It was originally named ‘Googol’, a word for the number represented by 1 followed by 100 zeros. After the founders, Stanford graduate students Sergey Brin and Larry Page, presented their project to an angel investor, they received a cheque made out to ‘Google’.

Intel
Bob Noyce and Gordon Moore wanted to name their new company ‘Moore Noyce’ but that was already trademarked by a hotel chain, so they had to settle for an acronym of INTegrated ELectronics.

Apple Computers
Favourite fruit of founder Steve Jobs. He was three months late in filing a name for the business, and he threatened to call his company Apple Computers if the other colleagues didn’t suggest a better name by 5 o’clock.

Hotmail
Founder Jack Smith got the idea of accessing email via the web from a computer anywhere in the world. When Sabeer Bhatia came up with the business plan for the mail service, he tried all kinds of names ending in ‘mail’ and finally settled for Hotmail as it included the letters “html” - the programming language used to write web pages. It was initially referred to as HoTMaiL with selective upper casings.

By: Fadi Sidani

Green IT

IT at the Core of office greening initiatives

A company’s IT (Information Technology) organisation is no stranger to scrutiny when it comes to corporate responsibility and sustainability. As a major consumer of electricity in many organisations and a significant producer of waste electronics, IT has been among the first to come under pressure to better manage energy consumption and to “reduce, reuse, and recycle” in order to improve efficiency and lessen environmental impact.

Fortunately, in improving its sustainability performance, IT has had a lot of low-hanging fruit to choose from, including server consolidation, application rationalization, procurement of energy-efficient hardware, better printing policies, and even simple behavioral changes such as having people turn off the lights and shut down their desktop computers at night. Electronic components consume substantial amounts of electricity and produce significant amounts of heat – not to mention that they often contain heavy metals and other toxins that pose disposal issues. Clearly, IT must play a big part in going green, if a company is to be effective at it.

A competitive advantage

Responding to a growing wave of investor activism, consumer demands and regulations around environmental sustainability, companies are looking for ways to gain a competitive advantage by adopting green business practices. IT can be a catalyst for realizing short and long-term business benefits through the implementation of green approaches. Green IT thus can offer a company the opportunity to improve its financial performance while jumpstarting green change throughout the larger organisation as well as reducing environmental impacts.

The areas where IT can address sustainability issues directly are through its acquisition, usage and disposal policies. Consolidation and virtualization initiatives, for example, have generated advantages in terms of cost and operational efficiency and also led to a reduced impact on the environment as utilization rates reduce energy consumption. Beyond virtualization, as new equipment is brought in as part of the move to denser blade configurations and 64-bit architectures, or simply to provide additional capacity, organisations will also benefit from advances in processor efficiency.

The Green Data Center at the Core of Green IT

Finance, IT and business unit executives in large companies around the world have come to embrace environmentally sustainable business practices that are changing their IT practices in an effort to save money, improve performance and lessen their impact on the physical environment.

For example, Marriott International’s efforts to lower its IT power consumption over the past few years have not only resulted in greener and more sustainable IT operations, but also serve as a risk mitigation tool. Their data centers are protected from nature, nuclear attacks and electronic eavesdropping, amongst other IT threats because of their location. The company has built a data center 300 feet below ground, in a former Pennsylvania mine. The mine maintains an ambient air temperature of 53 degrees Fahrenheit. In addition, virtualization software from vendors has helped the hospitality giant reduce its server population by more than one-third over the past three years. Storage virtualization and archiving technologies have enabled the company to slash its storage energy costs by more than 50% over that same period.

By: Vishal Thakkar

Knowledge Update

Restating the value of audit

The role of audit is under heightened scrutiny. The unprecedented global financial upheaval of the past two years has seen many commentators questioning the value of audit.

While attention has naturally been most focused on the large end of the audit profession, which is involved with the banks and other major financial institutions, there are also important issues at the smaller end of the audit market. Given the removal in recent years of the statutory audit requirement for many entities with turnover below £6.5m, audit is increasingly a voluntary exercise in this sector and so needs to demonstrate the value it brings to business.

In its new policy paper, entitled Restating the Value of Audit, ACCA argues that against this backdrop of change, it is vital for the accountancy profession to re-examine the role of audit and to question whether a sufficiently strong case is being put forward for the benefits that audit can provide to businesses, the economy and society. We firmly believe that audit has a key role to play as a source of public confidence in financial reporting but note that there is currently little published research, which seeks to demonstrate the value of audit in promoting business trust.

http://www.accaglobal.com/page/3305046

13th Annual Global CEO Survey

The effects of the recent downturn were far-reaching, but as our new survey shows, CEOs continue to work to strengthen their organisations whilst seeking opportunities emerging from structural shifts in their industries, economies and regulatory environments.

The 13th Annual Global CEO Survey offers an up-close look at how business leaders have responded to the challenges brought about by the recession, the concerns they are facing today and their strategies for positioning their companies for the long-term.

The recession in developed nations was the worst many CEOs had ever experienced. The resulting rupture to business planning and operations was clear in our survey of 1,198 business leaders from around the world for the PricewaterhouseCoopers 13th Annual Global CEO Survey. Business leaders are emerging with a healthy respect for risk, volatility and flexibility.

http://www.pwc.com/gx/en/ceo-survey/download.jhtml?WT.ac=flash_01-2010_ceo-survey-hp_download

Introducing the triple bottom line

Once the credit crisis is firmly consigned to corporate history, we are likely to reflect on just how dramatically it changed the corporate landscape. Not only will it have sent some mighty business names to the wall, it will also have been responsible for fundamentally changing the way the business world operates.

One such example may be in the way that corporate value is determined; will financial measures still be used in isolation as the measure of business value? This approach will soon be challenged, claims Rodger Hill of KPMG Advisory.

The days of purely measuring business performance by financial result may well be numbered. In its place discerning investors will look for something broader to measure an entity’s real contribution and performance.

That something could be in the shape of the “triple bottom line”; an amalgam of financial results and an assessment of the social and environmental impacts of a business. Or, when stated differently: People, Planet and Profits.

http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Press-releases/Pages/Press-release-Introducing-the-triple-bottom-line-1-Mar-2010.aspx

About the Author:
Vishal Thakkar is a qualified Chartered Accountant and Certified Internal Auditor. He is currently working with Group Internal Audit department of Dubai World and can be contacted at vishalkthakkar@yahoo.com

By: Andrew Cox

What Is the Range of the Internal Auditor’s Work?

Executive Summary

• The mandate for internal audit contained in the internal audit charter.
• What the audit committee and management want internal audit to do.
• To whom the chief audit executive (head of internal audit) reports.
• The capability and skills of the internal auditors.
• Any legislative or regulatory requirements of internal audit.

Introduction

Internal auditing is an evolving profession. It has been around for a very long time, probably since the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal auditing, the Institute of Internal Auditors (IIA), was formed that internal auditing was set on its path to emerging as a profession.

Subsequently, professional standards and a code of ethics for internal auditing have been established and in 1974 professional certification for internal auditing was created, with the designation Certified Internal Auditor. Over time, the scope of internal auditing has changed significantly.

The Evolution of Internal Auditing

The evolution of how internal audit determined what it would audit can be tracked in Table 1.

Then (up to the 1990s)

• Areas for internal audit identified on a functional basis from historic information.
• Set of one-dimensional risk factors applied (high, moderate, low).
• Input into a model and prioritization based on risk rankings.
• 3 or 5 year strategic internal audit plan based on risk rankings.
• Annual internal audit plan based on available resources. Presented to the audit committee (but not always).

Advantages

• Often cyclical (every year).
• Well known to internal auditors.
• Focus on functional areas.
• Safe approach.

Disadvantages

• Done in isolation of the business.
• Time-consuming.
• May not be timely, relevant or responsive.
• Correlation between risk rankings and internal audit plan often weak.
• Assumed a static organisation.

UAE-IAA Past Events

Course on Quality Assurance and Improvement

Mr. Abdullah Al Rowais, Chief Audit Executive of Mobily, recently visited Dubai. On the 22nd of February, as the representative of the IIA-Saudi Chapter, Mr. Rowais had a benchmarking meeting with the UAE-IAA Chapter. Other UAE-IAA delegates who attended the meeting were Abdulqader Obaid Ali, Neeraj Kumar, Adil Buhariwalla, Raymund Mungkal, Abdulrahman BaSaeed and Khalid Halyan.

On 17th November, a half-day course on Quality Assurance and Improvement by Andrew Cox was held in Dubai. The same was held on 24th November in Abu Dhabi. Andrew Cox is acknowledged as a leader in quality assurance and improvement of internal audit activities in organisations, both in the private and public sectors. The course focused on how quality assessments can raise the profile of the IA Department with chief executives and audit committees. It also honed in on preparing an independent quality assessment, self-assessment for the IA Department followed by an independent validation.

Visuals from the event…


By: Santosh Noronha<br />

Fraud Risk<br />

Assessment:<br />

The Human<br />

Element<br />

Today fraud is a key buzzword among<br />

corporations (big and small) and compliance<br />

professionals alike. Recent large fraud<br />

cases are often used to build a business<br />

case for spending large amounts of money<br />

in implementing a Control Framework.<br />

Surveys such as the ACFE 2008 Report<br />

to the Nation show that implementation<br />

of a control framework has a measurable<br />

impact on the organisation’s exposure<br />

to fraud. The survey revealed that<br />

organisations that implemented anti-fraud<br />

controls suffered much lower losses than<br />

organisations without anti-fraud controls.<br />

Though many Control Frameworks<br />

were developed and propagated over<br />

the years, the most commonly applied<br />

Control Framework is the one developed<br />

in the early nineties by the Committee Of<br />

Sponsoring Organisations of the Treadway<br />

Commission, better known as the COSO<br />

Framework (“COSO”). COSO identifies<br />

5 components, which when integrated<br />

and operating in all business units, will<br />

help establish an effective internal control<br />

framework. These 5 components are:<br />

i) Control Environment, which sets<br />

the moral tone of the organisation,<br />

influencing the control consciousness of<br />

the organisation and is the foundation<br />

upon which all other components are<br />

built.<br />

ii) Risk Assessment involves identifying<br />

and assessing risks involved in achieving<br />

an entity’s objectives.<br />

iii) Control Activities are the policies and<br />

procedures that enforce management’s<br />

directives.<br />

iv) Information and Communication, which<br />

allows the exchange of information in<br />

the right quantities and to the right<br />

persons across the organisation.<br />

v) Monitoring is the process that assesses<br />

the quality of the Framework over a<br />

period of time.<br />

Generally, Corporations build their Anti-<br />

Fraud controls on the principles of the<br />

COSO framework. To do so, organisations<br />

first identify fraud risks and prioritize<br />

them according to risks that matter the<br />

most. Prioritization is generally done<br />

by assessing the impact and likelihood of<br />

an inherent risk. Impact is the extent to<br />

which the risk, if realized, would impact the<br />

organisation. Likelihood is the probability<br />

of a risk occurring over a pre-defined time<br />

period, which is generally the organisation’s<br />

planning horizon.<br />

While prioritizing risks on impact and<br />

likelihood, it is generally assumed that<br />

individuals will honour their fiduciary<br />

responsibilities to the organisation. In<br />

other words, people entrusted with<br />

the execution of controls will do so<br />

responsibly and to the best of their<br />

ability. While this assumption may be<br />

correct during an internal control risk<br />

assessment, it does not hold good while<br />

assessing fraud risks.<br />

An individual breaching his fiduciary<br />

responsibilities is an Occupational Fraud!!<br />

A key differentiator between Internal<br />

Controls and Anti Fraud Controls is the<br />

Human Element. Failure to assess the<br />

Human Element can cause frauds to<br />

happen in organisations that otherwise<br />

seem to have a robust and comprehensive<br />

internal control framework.<br />

Before addressing how to prioritize fraud<br />

risks, let’s understand why do people<br />

commit fraud?<br />

One of the best theories on why people<br />

commit fraud was given by Donald Cressey<br />

in his book “Other People’s Money”. As<br />

per this hypothesis, fraud occurs when an<br />

individual has:<br />

a. A non sharable financial problem.<br />

b. Perceives an opportunity to resolve<br />

the situation.<br />

c. Has the ability to rationalize his misdeed<br />

even before committing them.<br />

In other words for an individual to commit<br />

fraud, he should be under pressure from<br />

a financial problem which the individual<br />

perceives cannot be solved through other<br />

means. These problems often manifest<br />

themselves into behaviour patterns or<br />

red flags, which if spotted in time, could<br />

prevent a fraud from happening. As per<br />

the ACFE 2008 Report to the Nation, the<br />

most commonly cited behavioral red flags<br />

were perpetrators living beyond their<br />

apparent means or experiencing financial<br />

difficulties at the time of the fraud.<br />

Even if an individual has the motive,<br />

2<br />

Real or Perceived<br />

Opportunity<br />

Weak controls / Employees in<br />

positions of trust<br />

Incentive or Pressure<br />

Financial, personal, unrealistic<br />

corporate objectives, etc.<br />

FRAUD<br />

he cannot perpetrate the fraud unless<br />

presented with an opportunity.<br />

Opportunities could arise due to a number<br />

of factors within the organisation such as<br />

high turnover of management in key roles,<br />

lack of segregation of duties or a complex<br />

1<br />

Traditional Risk Assessment Criteria<br />

Fraud Risk Assessment Criteria<br />

organisation structure.<br />

Rationalization of the act is the last element<br />

in understanding why people commit<br />

fraud. Most people believe themselves<br />

as good and need to convince themselves<br />

that their actions were justified. Some of<br />

these justifications are:<br />

• I was going to pay it back<br />

• Everybody does it<br />

• I am not hurting anyone<br />

• I was helping my family<br />

• This is nothing compared to what xyz did...<br />

To sum up, when this individual under<br />

pressure is presented with an opportunity<br />

and is able to rationalize his planned actions,<br />

fraud occurs. Over the years this hypothesis<br />

is better known as the Fraud Triangle.<br />

To be able to effectively prioritize fraud<br />

risks, organisations should evaluate the<br />

Human Element to the fraud risk. This<br />

can be achieved by applying the principles<br />

3<br />

Attitude or<br />

Rationalization<br />

Beliefs such as “The activity is<br />

not criminal,” “Everybody is<br />

doing it,” etc.<br />

of the Fraud Triangle to the traditional risk<br />

assessment criteria of Impact and Likelihood.<br />

This is illustrated in the table below:<br />

For example, in an organisation where<br />

an individual performs a number of key<br />

controls – if this individual’s personal<br />

integrity and values are high, the chances<br />

of fraud happening is significantly lower<br />

than when the individual’s personal<br />

integrity is low. Understanding the people<br />

who manage key internal controls in an<br />

organisation, their values and attitude could<br />

go a long way in minimizing the incidence<br />

of fraud and help build effective anti-fraud<br />

deterrents within an organisation.<br />

To sum up, it is important for organisations<br />

to consider the human element while<br />

prioritizing its key fraud risks. Besides, there<br />

are a number of cost effective measures<br />

that can assist in improving the anti-fraud<br />

environment within an organisation. These<br />

are as under:<br />

• Establish a Code of Ethics and clearly<br />

communicate expectations to all<br />

stakeholders.<br />

• Develop Fraud Policies which clearly<br />

describe company policies and<br />

procedures relating to fraud.<br />

• Invest in a communication and training<br />

program on fraud and corporate fraud<br />

policies for all employees.<br />

• Ensure proper segregation of duties for<br />

key activities and functions.<br />

• Set up appropriate recruitment<br />

procedures to select the right<br />

candidates.<br />

• Set up policies for rotation of staff<br />

duties and forced vacations.<br />

• Know your key fraud risks and controls.<br />

Monitor them regularly.<br />

• Set up a whistle blower hotline.<br />

About the Author:<br />

Santosh Noronha is a Manager with Ernst & Young Dubai working<br />

in the Fraud Investigation and Dispute Services Practice. Opinions<br />

expressed in this article belong solely to the author, and do not<br />

necessarily represent the views of Ernst & Young. To comment on<br />

this article, feel free to email the author at<br />

santosh.noronha@ae.ey.com<br />



By: Fadi Sidani<br />

Green IT<br />

IT at the Core of office greening initiatives<br />

A company’s IT (Information Technology)<br />

organisation is no stranger to scrutiny when it comes<br />

to corporate responsibility and sustainability.<br />

As a major consumer of electricity in many<br />

organisations and a significant producer of<br />

waste electronics, IT has been among the<br />

first to come under pressure to better<br />

manage energy consumption and to<br />

“reduce, reuse, and recycle” in<br />

order to improve efficiency and<br />

lessen environmental impact.<br />

Fortunately, in improving its sustainability<br />

performance, IT has had a lot of low-hanging<br />

fruit to choose from, including server<br />

consolidation, application rationalization,<br />

procurement of energy-efficient hardware,<br />

better printing policies, and even simple<br />

behavioral changes such as having people<br />

turn off the lights and shut down their<br />

desktop computers at night. Electronic<br />

components consume substantial amounts<br />

of electricity and produce significant<br />

amounts of heat – not to mention that<br />

they often contain heavy metals and other<br />

toxins that pose disposal issues. Clearly,<br />

IT must play a big part in going green, if a<br />

company is to be effective at it.<br />

A competitive advantage<br />

Responding to a growing wave of<br />

investor activism, consumer demands<br />

and regulations around environmental<br />

sustainability, companies are looking for<br />

ways to gain a competitive advantage<br />

by adopting green business practices. IT<br />

can be a catalyst for realizing short and<br />

long-term business benefits through the<br />

implementation of green approaches.<br />

Green IT thus can offer a company the<br />

opportunity to improve its financial<br />

performance while jumpstarting green<br />

change throughout the larger organisation<br />

as well as reducing environmental impacts.<br />

The areas where IT can address<br />

sustainability issues directly are through<br />

its acquisition, usage and disposal policies.<br />

Consolidation and virtualization initiatives,<br />

for example, have generated advantages<br />

in terms of cost and operational efficiency<br />

and also led to a reduced impact on the<br />

environment as utilization rates reduce<br />

energy consumption. Beyond virtualization,<br />

as new equipment is brought in as part of<br />

the move to denser blade configurations<br />

and 64-bit architectures, or simply to<br />

provide additional capacity, organisations<br />

will also benefit from advances in processor<br />

efficiency.<br />

The Green Data Center at the Core of<br />

Green IT<br />

Finance, IT and business unit executives<br />

in large companies around the world<br />

have come to embrace environmentally<br />

sustainable business practices that are<br />

changing their IT practices in an effort<br />

to save money, improve performance<br />

and lessen their impact on the physical<br />

environment.<br />

For example, Marriott International’s<br />

efforts to lower its IT power consumption<br />

over the past few years have not only<br />

resulted in greener and more sustainable<br />

IT operations, but also serve as a risk<br />

mitigation tool. Their data centers are<br />

protected from nature, nuclear attacks and<br />

electronic eavesdropping, amongst other<br />

IT threats because of their location. The<br />

company has built a data center 300 feet<br />

below ground, in a former Pennsylvania<br />

mine. The mine maintains an ambient air<br />

temperature of 53 degrees Fahrenheit.<br />

In addition, virtualization software from<br />

vendors has helped the hospitality giant<br />

reduce its server population by more than<br />

one-third over the past three years. Storage<br />

virtualization and archiving technologies<br />

have enabled the company to slash its<br />

storage energy costs by more than 50%<br />

over that same period.<br />

Traditionally, data centers have been<br />

designed to store, process, manage and<br />

exchange information in order to either<br />

support the informational needs of large<br />

institutions or provide application services<br />

or management for information technology,<br />

telecommunication, web hosting, internet<br />

or intranet. These data centers have been<br />

designed to accommodate energy intensive<br />

computing equipment and the specially designed<br />

infrastructure for high electrical<br />

power consumption, redundant and<br />

uninterruptible power and heat dissipation.<br />

Based on their energy signatures, large data<br />

centers are actually more like industrial<br />

facilities than commercial buildings. Careful<br />

attention is usually paid to maximizing the<br />

computing power in the traditional data<br />

center, but often very little consideration<br />

is given to environmental issues.<br />

Green data centers are ecologically friendly<br />

data centers where the mechanical,<br />

electrical, thermal, hosted systems and<br />

building materials are all used to improve<br />

energy efficiency and effectively manage<br />

any negative environmental impact. Until<br />

recently, no one seemed to care whether<br />

or not data centers were environmentally<br />

friendly. Now, financial, legislative and<br />

environmental pressures are causing data<br />

centers to take steps toward ‘going green.’<br />

Baby steps<br />

Environmental improvement and<br />

sustainability initiatives can be addressed<br />

and implemented through basic efforts<br />

such as the thoughtful use of technology,<br />

a combination of high-quality financial and<br />

operating information, useful metrics and<br />

well-considered business cases and strong<br />

executive commitment. But there are no<br />

simple answers to building a sustainable<br />

enterprise.<br />

Companies have taken many early steps<br />

in the first wave of green IT to lessen<br />

their environmental impact. For example,<br />

they have retired out-of-date systems,<br />

consolidated data centers like the<br />

aforementioned example and adopted<br />

substantially more efficient hardware and<br />

cooling systems. These early efforts have<br />

been focused on cutting waste, decreasing<br />

energy usage, and optimizing the efficiency<br />

of IT assets in data centers, on desktops,<br />

and throughout company operations.<br />

And executives say these early steps have<br />

yielded returns that are satisfactory or<br />

even better.<br />

Some companies have been particularly<br />

ambitious in leading environmental change,<br />

whether led by a desire to keep pace<br />

with competitors, to avoid penalties or<br />

bad publicity, or simply their own sense<br />

of right and wrong. Those who adopt a<br />

wait-and-see attitude may well be caught<br />

short, pulled under the next wave of<br />

green IT and forced to struggle to catch<br />

up or even survive. Those who are well<br />

prepared, especially those who learned the<br />

importance of strategic investments during<br />

the last economic downturn may well be<br />

able to ride this wave successfully and even<br />

flourish as a result.<br />

Evolve into a sustainable business over<br />

time<br />

Although Green IT efforts have focused in<br />

particular on increasing energy efficiency<br />

in IT infrastructure management, e.g.<br />

‘Green Data Centers’, this focus does<br />

not suffice. Environmental sustainability<br />

needs to go beyond simply improving the<br />

energy efficiency of the IT infrastructure<br />

– and include business solutions that<br />

help customers move towards greater<br />

levels of maturity in their management of<br />

sustainability practices.<br />

‘Smart’ companies address environmental,<br />

economic and social factors – the three<br />

pillars that make a company sustainable.<br />

Namely, IT that contributes to the wellbeing<br />

of society, contributes to preserving<br />

natural resources and ecosystem and IT<br />

that improves economic sustainability.<br />

Companies can take internal steps to<br />

improve processes and cut waste, but the<br />

giant leap forward will come from more<br />

environmentally sensitive solutions coming<br />

to market for them to employ. Such<br />

progress will allow companies to mitigate<br />

risk and strive to be a good corporate<br />

citizen, an employer for which people want<br />

to work, and a company that deserves<br />

customers’ business.<br />

IT as the catalyst for change<br />

IT organisations do not have to tear down<br />

their existing data centers and start from<br />

scratch in order to start benefiting from<br />

environmentally friendly technologies and<br />

processes. IT organisations just need to<br />

start considering these in the data center<br />

planning process. Incorporating green<br />

thinking into plans involves everything<br />

from purchasing energy efficient hardware<br />

made from more environmentally friendly<br />

materials to implementing rationalization<br />

projects to designing new data centers and<br />

locating them in places where they can take<br />

advantage of alternative power or cooling<br />

methods. The sooner data centers start<br />

taking steps toward implementing green<br />

technologies and processes, the sooner<br />

they will start realizing the benefits.<br />

No blueprint or one-size-fits-all master plan<br />

exists. But one thing above all others is clear:<br />

the best results will come to organisations<br />

that include IT as an integral supporting<br />

element of their environmental and broader<br />

sustainability initiatives.<br />

About the Author:<br />

Fadi Sidani is the Partner in charge of Enterprise Risk Services<br />

(ERS) at Deloitte in the Middle East. Fadi has 22 years of global<br />

experience in Risk Management, Consulting and Sustainability<br />

work across various markets, industries and business functions.<br />

He is a regular public speaker in many forums across the ME<br />

region, and he has been involved in the set up and delivery of<br />

various training courses for staff and clients. For more information<br />

please contact + 971 4 369 8999<br />



How famous companies<br />

were named<br />

Lotus<br />

Mitch Kapor got the name<br />

for his company from the<br />

lotus position or ‘padmasana.’<br />

Kapor used to be a teacher of<br />

Transcendental Meditation of<br />

Maharishi Mahesh Yogi.<br />

It was coined by Bill Gates to<br />

represent the company that was<br />

devoted to MICROcomputer<br />

SOFTware. Originally christened<br />

Micro-Soft, the ‘-’ was removed<br />

later on.<br />

Founder Paul Galvin came<br />

up with this name when his<br />

company started manufacturing<br />

radios for cars. The popular<br />

radio company at the time was<br />

called Victrola.<br />

The name came from the river Adobe<br />

Creek that ran behind the house of<br />

founder John Warnock.<br />

It got its name because its founders got<br />

started by applying patches to code<br />

written for NCSA’s httpd daemon. The<br />

result was ‘A PAtCHy’ server - thus,<br />

the name Apache.<br />

Apple Computers<br />

Favourite fruit of founder Steve Jobs. He<br />

was three months late in filing a name<br />

for the business, and he threatened to<br />

call his company Apple Computers if the<br />

other colleagues didn’t suggest a better<br />

name by 5 o’clock.<br />

Oracle<br />

Larry Ellison and Bob Oats were<br />

working on a consulting project<br />

for the Central Intelligence<br />

Agency (CIA). The code name<br />

for the project was called Oracle<br />

(the CIA saw this as the system<br />

to give answers to all questions<br />

or something such).<br />

Red Hat<br />

Company founder Marc Ewing<br />

was given the Cornell lacrosse<br />

team cap (with red and white<br />

stripes) while at college by his<br />

grandfather. He lost it and had<br />

to search for it desperately. The<br />

manual of the beta version of<br />

Red Hat Linux had an appeal to<br />

readers to return his Red Hat if<br />

found by anyone!<br />

SAP<br />

“Systems, Applications,<br />

Products in Data Processing”,<br />

formed by four ex-IBM<br />

employees who used to work<br />

in the ‘Systems/Applications/<br />

Projects’ group of IBM.<br />

Cisco<br />

The name is not an acronym<br />

but an abbreviation of San<br />

Francisco. The company’s logo<br />

reflects its San Francisco name<br />

heritage. It represents a stylized<br />

Golden Gate Bridge.<br />

Hewlett-Packard<br />

Bill Hewlett and Dave<br />

Packard tossed a coin<br />

to decide whether the<br />

company they founded<br />

would be called<br />

Hewlett-Packard or<br />

Packard-Hewlett.<br />

Google<br />

The name started as a jokey<br />

boast about the amount of<br />

information the search-engine<br />

would be able to search. It was<br />

originally named ‘Googol’, a<br />

word for the number represented<br />

by 1 followed by 100 zeros. After<br />

founders - Stanford graduate<br />

students Sergey Brin and Larry<br />

Page presented their project to<br />

an angel investor, they received a<br />

cheque made out to ‘Google’.<br />

Intel<br />

Bob Noyce and Gordon<br />

Moore wanted to name<br />

their new company ‘Moore<br />

Noyce’ but that was already<br />

trademarked by a hotel chain,<br />

so they had to settle for<br />

an acronym of INTegrated<br />

ELectronics.<br />

Founder Jack Smith got the idea<br />

of accessing email via the web<br />

from a computer anywhere in<br />

the world. When Sabeer Bhatia<br />

came up with the business plan<br />

for the mail service, he tried all<br />

kinds of names ending in ‘mail’<br />

and finally settled for Hotmail<br />

as it included the letters “html”<br />

- the programming language<br />

used to write web pages. It was<br />

initially referred to as HoTMaiL<br />

with selective upper casings.<br />

Sony<br />

From the Latin word ‘sonus’<br />

meaning sound, and ‘sonny’<br />

a slang used by Americans to<br />

refer to a bright youngster.<br />

Sun Microsystems<br />

Founded by four Stanford<br />

University buddies, Sun is the<br />

acronym for Stanford University<br />

Network.<br />

The Greek root “xer” means<br />

dry. The inventor, Chester<br />

Carlson, named his product<br />

Xerox as it was dry copying,<br />

markedly different from the<br />

then prevailing wet copying.<br />

The word was invented by Jonathan Swift and used in his book Gulliver’s Travels. It<br />

represents a person who is repulsive in appearance and action and is barely human.<br />

Yahoo! founders Jerry Yang and David Filo selected the name because they considered<br />

themselves yahoos.<br />



By: Vishal Thakkar<br />

Knowledge Update<br />

With the changing global scene, stay in the front row<br />

Restating the value of audit<br />

The role of audit is under heightened scrutiny. The unprecedented<br />

global financial upheaval of the past two years has seen many<br />

commentators questioning the value of audit.<br />

While attention has naturally been most focused on the large<br />

end of the audit profession, which is involved with the banks and<br />

other major financial institutions, there are also important issues<br />

at the smaller end of the audit market. Given the removal in<br />

recent years of the statutory audit requirement for many entities<br />

with turnover below £6.5m, audit is increasingly a voluntary<br />

exercise in this sector and so needs to demonstrate the value it<br />

brings to business.<br />

In its new policy paper, entitled Restating the Value of Audit,<br />

ACCA argues that against this backdrop of change, it is vital<br />

for the accountancy profession to re-examine the role of audit<br />

and to question whether a sufficiently strong case is being put<br />

forward for the benefits that audit can provide to businesses, the<br />

economy and society. We firmly believe that audit has a key role<br />

to play as a source of public confidence in financial reporting but<br />

note that there is currently little published research, which seeks<br />

to demonstrate the value of audit in promoting business trust.<br />

http://www.accaglobal.com/page/3305046<br />

13 th Annual Global CEO<br />

Survey<br />

The effects of the recent downturn were far-reaching, but as<br />

our new survey shows, CEOs continue to work to strengthen<br />

their organisations whilst seeking opportunities emerging from<br />

structural shifts in their industries, economies and regulatory<br />

environments.<br />

The 13 th Annual Global CEO Survey offers an up-close look at<br />

how business leaders have responded to the challenges brought<br />

about by the recession, the concerns they are facing today and<br />

their strategies for positioning their companies for the long-term.<br />

The recession in developed nations was the worst many CEOs<br />

had ever experienced. The resulting rupture to business planning<br />

and operations was clear in our survey of 1,198 business leaders<br />

from around the world for the PricewaterhouseCoopers 13 th<br />

Annual Global CEO Survey. Business leaders are emerging with<br />

a healthy respect for risk, volatility and flexibility.<br />

http://www.pwc.com/gx/en/ceo-survey/download.jhtml?WT.ac=flash_01-2010_ceo-survey-hp_download<br />

Introducing the triple<br />

bottom line<br />

Once the credit crisis is firmly consigned to corporate history,<br />

we are likely to reflect on just how dramatically it changed the<br />

corporate landscape. Not only will it have sent some mighty<br />

business names to the wall, it will also have been responsible for<br />

fundamentally changing the way the business world operates.<br />

One such example may be in the way that corporate value is<br />

determined; will financial measures still be used in isolation as the<br />

measure of business value? This approach will soon be challenged,<br />

claims Rodger Hill of KPMG Advisory.<br />

The days of purely measuring business performance by financial<br />

result may well be numbered. In its place discerning investors will<br />

look for something broader to measure an entity’s real contribution<br />

and performance.<br />

That something could be in the shape of the “triple bottom line”;<br />

an amalgam of financial results and an assessment of the social and<br />

environmental impacts of a business. Or, when stated differently:<br />

People, Planet and Profits.<br />

http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Press-releases/Pages/Press-release-Introducing-the-triple-bottom-line-1-Mar-2010.aspx<br />

About the Author:<br />

Vishal Thakkar is a qualified<br />

Chartered Accountant and Certified<br />

Internal Auditor. He is currently<br />

working with Group Internal Audit<br />

department of Dubai World and can<br />

be contacted at<br />

vishalkthakkar@yahoo.com<br />



By: Andrew Cox<br />

What Is the Range<br />

of the Internal<br />

Auditor’s Work?<br />

Executive Summary<br />

The range of the Internal Auditor’s work is dependent on:<br />

• The mandate for internal audit contained in the internal audit charter.<br />

• What the audit committee and management want internal audit to do.<br />

• To whom the chief audit executive (head of internal audit) reports.<br />

• The capability and skills of the internal auditors.<br />

• Any legislative or regulatory requirements of internal audit.<br />

Introduction<br />

Internal auditing is an evolving profession. It has been around for a very long time, probably since the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal auditing, the Institute of Internal Auditors (<strong>IIA</strong>), was formed that internal auditing was set on its path to emerging as a profession.<br />

Subsequently, professional standards and a code of ethics for internal auditing have been established and in 1974 professional certification for internal auditing was created, with the designation Certified Internal Auditor. Over time, the scope of internal auditing has changed significantly.<br />

The Evolution of Internal Auditing<br />

The evolution of how internal audit determined what it would audit can be tracked in Table 1.<br />

Then (up to the 1990s)<br />

• Areas for internal audit identified on a functional basis from historic information.<br />

• Set of one-dimensional risk factors applied (high, moderate, low).<br />

• Input into a model and prioritization based on risk rankings.<br />

• 3 or 5-year strategic internal audit plan based on risk rankings.<br />

• Annual internal audit plan based on available resources. Presented to the audit committee (but not always).<br />

Advantages<br />

• Often cyclical (every year).<br />

• Well known to internal auditors.<br />

• Safe approach.<br />

Disadvantages<br />

• Done in isolation of the business.<br />

• Time-consuming.<br />

• Focus on functional areas.<br />

• May not be timely, relevant or responsive.<br />

• Correlation between risk rankings and internal audit plan often weak.<br />

• Assumed a static organisation.<br />

Nowadays, Table 2 could be the best representation.<br />

Table 2: The evolution of internal auditing, 1990s–2000s<br />

Now (1990s–2000s)<br />

• Areas for internal audit identified on a functional, cross-organisational and strategic basis, may use the organisation’s risk register.<br />

• Discussed with senior management, additional internal audit areas may be added.<br />

• Set of risk factors applied, input into a model, prioritized based on risk rankings.<br />

• 3-year strategic internal audit plan based on risk rankings.<br />

• Annual internal audit plan based on available resources. Presented to the audit committee.<br />

Advantages<br />

• Well known to internal auditors.<br />

• Done in consultation with the business.<br />

• Broader scope that considers business risks.<br />

• Facilitates integration of internal audit, risk management and strategic planning.<br />

• Requires strong understanding of the business.<br />

Disadvantages<br />

• Can be challenging.<br />

• Time-consuming.<br />

• May not be timely, relevant, or responsive.<br />

In the future Table 3 would be more accurate.<br />

Table 3: The evolution of internal auditing, 2000s onward<br />

Future (2000s onward)<br />

• Areas for internal audit identified on a functional, cross-organisational and strategic basis using the organisation’s risk register and other relevant information.<br />

• Develop base audit plan.<br />

• Discuss with senior management, including facilitated workshops - additional audit areas may be added.<br />

• Develop annual or longer-term assurance plan.<br />

• Develop flexible, rolling internal audit consulting plan to provide timely, relevant and responsive services.<br />

• Present to audit committee.<br />

Advantages<br />

• Done in consultation with the business.<br />

• Timely, relevant, and responsive.<br />

• Broader scope taking into account business risks.<br />

• Facilitates integration of internal audit, risk management, and strategic planning.<br />

Disadvantages<br />

• Requires strong commitment from senior management.<br />

• Requires discipline to ensure that the internal audit consultation process is effective.<br />

• May not be well known to internal auditors.<br />

The point is this: The range of an internal auditor’s work will generally be related to where he or she is currently placed in regard to these three evolutionary phases of the internal audit continuum. As we move into the more difficult methods of operating an internal audit function, the complexity of internal audit work increases, and the capability and skills of the internal auditor need to be greater. Many internal auditors are still in the early evolutionary phases of internal auditing, because the future is seen as too difficult and daunting.<br />

What do the Standards say?<br />

The internal auditing standards we will consider here are those issued by the Institute of Internal Auditors (<strong>IIA</strong>). The internationally accepted definition of internal auditing issued by the <strong>IIA</strong> is:<br />

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”<br />

This was a step up from the previous definition, which concentrated on assurance. This definition expanded the role of internal audit to encompass consulting services.<br />

To understand the difference between assurance services and consulting services, we need a couple of definitions:<br />

Assurance: An objective examination of the evidence for the purpose of providing an independent assessment of risk management, control, or governance processes for an organisation. Examples may include financial, performance, compliance, system security and due diligence engagements.<br />

Consulting: Advisory and related client<br />

service activities, the nature and scope of<br />

which are agreed with the client, and which<br />

are intended to add value and improve an<br />

organisation’s governance, risk management,<br />

and control processes without the internal<br />

auditor assuming management responsibility.<br />

Examples include counsel, advice, facilitation<br />

and training.<br />

It should be noted that the definitions of<br />

internal auditing and the standards focus on<br />

risk management, control and governance:<br />

Risk management: Internal audit should<br />

assist the organisation by identifying and<br />

evaluating significant exposures to risk and<br />

contributing to the improvement of risk<br />

management and control systems.<br />



Control: Internal audit should assist<br />

the organisation in maintaining effective<br />

controls by evaluating their effectiveness<br />

and efficiency and by promoting continuous<br />

improvement.<br />

Governance: Internal audit should assess<br />

and make appropriate recommendations<br />

for improving the governance process<br />

in its accomplishment of the following<br />

objectives:<br />

• Promoting appropriate ethics and values<br />

within the organisation.<br />

• Ensuring effective organisational<br />

performance management and<br />

accountability.<br />

• Effectively communicating risk and<br />

control information to appropriate<br />

areas of the organisation.<br />

• Effectively coordinating the activities and<br />

communicating information among the<br />

board, external and internal auditors<br />

and management.<br />

What type of work?<br />

So, what should be the range and type<br />

of work carried out by internal audit for<br />

an organisation? The <strong>IIA</strong> believes that the<br />

work and methods of internal audit should<br />

encompass:<br />

• Conducting enterprise risk assessment.<br />

• Utilizing risk and control self-assessment.<br />

• Using internal control processes based<br />

on COSO (Committee of Sponsoring<br />

Organisations) guidelines.<br />

• Partnering with management.<br />

• Integrating corporate governance into<br />

practice.<br />

• Increasing staff performance.<br />

• Communicating more effectively.<br />

• Developing staff, both personally and<br />

professionally.<br />

• Using technology to increase staff<br />

efficiency.<br />

• Establishing an assurance function.<br />

• Providing consulting services.<br />

• Conducting audits in emerging areas.<br />

• Utilizing performance measures.<br />

This leads to the types of internal audit<br />

provided by the internal audit function, which<br />

may include some or all of the following:<br />

Compliance audit: The review of both<br />

financial and operating controls and<br />

transactions to see how they conform to<br />

established laws, standards, regulations and<br />

procedures.<br />

Financial audit: The examination of the<br />

financial records and reports of a company<br />

to verify that the figures in the financial<br />

reports are relevant, accurate and complete.<br />

The general focus is on making sure that all<br />

assets and liabilities are properly recorded<br />

on the balance sheet and that the statement<br />

of income and expenses is correct.<br />

Information technology (IT) audit: A<br />

review of the controls within an entity’s<br />

technology infrastructure. These reviews<br />

are typically performed in conjunction<br />

with a financial statement audit, internal<br />

audit review, or other form of attestation<br />

engagement.<br />

On-demand audit: A request for an<br />

internal audit initiated by the board, audit<br />

committee, or management in response<br />

to their particular concerns, and which has<br />

not been scheduled in the internal audit<br />

plan of work. It may also be known as a<br />

management-initiated review.<br />

Operational audit: Sometimes called<br />

program or performance audits, these<br />

examine the use of resources to evaluate<br />

whether those resources are being used in<br />

the most efficient and effective way to fulfil<br />

an organisation’s objectives. An operational<br />

audit may include elements of a compliance<br />

audit, a financial audit and an information<br />

systems audit. This term is mainly used in<br />

the private sector.<br />

Performance audit: The independent and<br />

systematic examination of the management<br />

of an organisation, program, or function<br />

for the purpose of identifying whether<br />

the management is being carried out in<br />

an efficient and effective manner, and<br />

whether management practices promote<br />

improvement. This term is mainly used<br />

in the public sector, and a performance<br />

audit may be the same as or similar to an<br />

operational audit.<br />

Quality audit: The systematic examination<br />

and evaluation of all activities related to<br />

the quality of a product or service, to<br />

determine the suitability and effectiveness<br />

of the activities to meet quality goals.<br />

Value for money (VFM) audit: An<br />

examination of how resources are<br />

allocated and utilized. The audit is<br />

concerned with interrelated concepts of<br />

efficiency, effectiveness, economy, and<br />

organisational outcomes. VFM audits<br />

are more common in the public sector<br />

than the private sector since the profit<br />

criterion is lacking in the public sector, and<br />

they may be the same as or similar to a<br />

performance audit.<br />

What influences the type of work?<br />

The range and type of the internal auditor’s<br />

work depend on a number of factors:<br />

The mandate for internal audit<br />

contained in the internal audit<br />

charter: This is what the audit committee<br />

and the organisation want internal audit<br />

to do. Although ideally this should include<br />

both assurance services and consulting<br />

services, it is true to say that some audit<br />

committees and management believe that<br />

internal audit should not stray from its<br />

roots of providing assurance, so in some<br />

organisations the internal audit charter<br />

has focused only on the provision of<br />

assurance services. This attitude peaked<br />

following the corporate collapses of the<br />

1990s. However, more enlightened audit<br />

committees and management of today<br />

seek a more comprehensive internal<br />

auditing service for the organisation. This<br />

has the potential to add a lot of value,<br />

rather than just reporting what is wrong<br />

in compliance and financial areas.<br />

To whom the chief audit executive<br />

reports: The chief audit executive should<br />

report to the audit committee functionally<br />

and for operations, and to the chief<br />

executive officer for administration. Where<br />

a chief audit executive may have other<br />

reporting arrangements - for example to a<br />

chief executive officer for operations and<br />

administration, or worse, to a chief financial<br />

officer - there is a risk that internal audit<br />

may lose a measure of its independence.<br />

This has a potential to impact negatively on<br />

the range and type of work to be performed<br />

by internal audit.<br />

The capability and skills of the internal<br />

auditors: As the work of internal audit<br />

moves toward more difficult methods<br />

of operating, the complexity of internal<br />

audit work increases. This means that the<br />

capability and skills of the internal auditor<br />

need to be greater, and many internal<br />

auditors see this as a quantum leap so great<br />

that they prefer to remain comfortable<br />

where they are.<br />

Any legislative or regulatory<br />

requirements of internal audit: The work<br />

of internal audit will nearly always have a<br />

role to provide assurance of legislative and<br />

regulatory compliance; this is an important<br />

role that should never be forgotten.<br />

Case Study<br />

Designing a Comprehensive Internal<br />

Audit Plan<br />

A large public sector organisation with<br />

a significant commitment to internal<br />

auditing provided sufficient funds to<br />

resource an internal audit function of<br />

25,000 audit hours each year. The audit<br />

committee wanted an internal audit plan<br />

of work that provided assurance and<br />

examined how well the organisation was<br />

operating, but which was also responsive<br />

to the changing needs and risks of the<br />

organisation. The risk-based internal audit<br />

plan of work to achieve this designed by<br />

the chief audit executive is summarized<br />

in Table 4.<br />

Table 4: The chief audit executive’s risk-based annual internal audit plan<br />

Audit Type | Cyclical 12 months scheduled hours | Rolling 6 months scheduled hours | Rolling 3 months reserve hours | Rolling 3 months unassigned hours | Annual total hours<br />

Compliance: Assurance | 6,000 | 0 | 0 | 0 | 6,000<br />

Compliance: Consulting | 0 | 0 | 0 | 0 | 0<br />

Financial: Assurance | 750 | 2,500 | 1,000 | 500 | 4,750<br />

Financial: Consulting | 250 | 0 | 0 | 0 | 250<br />

IT: Assurance | 3,000 | 0 | 0 | 0 | 3,000<br />

IT: Consulting | 3,000 | 0 | 0 | 0 | 3,000<br />

Operational / Performance: Assurance / Consulting | 500 | 2,500 | 1,000 | 1,000 | 5,000<br />

Internal audit planning | 500 | 0 | 0 | 0 | 500<br />

Audit monitor and follow-up | 500 | 0 | 0 | 0 | 500<br />

Audit committee | 500 | 0 | 0 | 0 | 500<br />

External audit co-ordination | 1,500 | 0 | 0 | 0 | 1,500<br />

Total | | | | | 25,000<br />

Rather than have a static internal audit<br />

plan, the plan shown in the table was<br />

designed to cover an 18-month period<br />

with a refresher every six months so that<br />

workflows could be smoothed and work<br />

allocated to internal auditors continuously.<br />

The plan encompassed the following<br />

areas:<br />

• Cyclical 12 months scheduled: For high-risk<br />

areas worthy of annual internal<br />

audit attention.<br />

• Rolling 6 months scheduled: Higher-risk<br />

areas scheduled for periodic or<br />

one-off internal audits.<br />

• Rolling 3 months reserve: Areas held<br />

in reserve in case of postponement or<br />

cancellation of other internal audits.<br />

• Rolling 3 months unassigned: Reserved<br />

for on-demand internal audits initiated<br />

by management for emerging business<br />

issues and risks.<br />

Conclusion<br />

The range and type of the internal auditor’s<br />

work depend on a number of factors:<br />

• The mandate for internal audit<br />

contained in the internal audit charter.<br />

• What the audit committee wants<br />

internal audit to do, and how<br />

enlightened it is.<br />

• What management wants internal<br />

audit to do.<br />

• To whom the chief audit executive<br />

(head of internal audit) reports.<br />

• The capability and skills of the internal<br />

auditors.<br />

• Any legislative or regulatory<br />

requirements of internal audit.<br />

Making It Happen<br />

The chief audit executive should look to his<br />

or her audit committee and management<br />

for guidance on the range and type of<br />

work to be performed by the internal<br />

audit function. However, the chief audit<br />

executive, as an internal audit professional,<br />

should be using his or her knowledge and<br />

experience to identify and influence the<br />

formulation of a risk-based internal audit<br />

plan of work that best provides for the<br />

needs of the organisation. This is likely to<br />

be a blended plan of internal audit work<br />

that encompasses both assurance services<br />

and consulting services:<br />

Assurance Services<br />

• Part of the overall internal audit plan<br />

of work.<br />

• Annual or longer-term focus.<br />

• Risk-based.<br />

• May include cyclical internal audits of<br />

higher-risk areas.<br />

• Need to consider legislative and<br />

regulatory requirements.<br />

• Need to consider external audit to<br />

avoid duplication of audit effort.<br />

• Estimated hours for audit topics<br />

assessed from previous internal audits<br />

(structured gut feel).<br />

• Focus on compliance, financial issues<br />

and risks, financial controls, and IT<br />

reviews.<br />

Consulting Services<br />

• Part of the overall internal audit plan<br />

of work.<br />

• Flexible, rolling focus - rather than<br />

fixed in time.<br />

• Risk-based and customer-focused.<br />

• If limited previous data are available,<br />

estimate hours needed for internal<br />

audit topics on the basis of the<br />

best available information and past<br />

experience (unstructured gut feel).<br />

• Focus on current and emerging<br />

business issues and risks, and system<br />

under development reviews.<br />

Article originally published in “QFinance:<br />

The Ultimate Resource”, 2009. Republished<br />

by courtesy of Bloomsbury. For further<br />

details visit www.bloomsbury.com/qfinance<br />

or www.qfinance.com<br />

About the Author:<br />

Andrew Cox MBA MEC CIA CISA CFE CGAP CSQA MACS is<br />

acknowledged as a leader in quality assurance and improvement<br />

of internal audit activities in organisations. In recent times he<br />

worked for <strong>IIA</strong> - Australia and conducted 25 quality assessments<br />

of Internal Audit Departments in various organisations. Over his<br />

career he has been a senior internal audit executive in Australia<br />

and has managed 8 internal audit activities. He is now working in<br />

the United Arab Emirates.<br />
