IIA April 2010.pdf - UAE IAA
Issue No. 13, April 2010
Going Full Blast.....
11th Annual Regional Gulf Audit Conference
What is the Range of the Internal Auditor’s Work - By: Andrew Cox
4 March 2010<br />
12 March 2010<br />
It got its name because its founders got started by applying patches to code written for NCSA’s httpd daemon. The result was ‘A PAtCHy’ server - thus, the name Apache.
The name came from the river Adobe Creek that ran behind the house of founder John Warnock.
but an abbreviation of San<br />
Francisco. The company’s logo<br />
reflects its San Francisco name<br />
heritage. It represents a stylized<br />
Golden Gate Bridge.<br />
Packard tossed a coin<br />
to decide whether the<br />
company they founded<br />
would be called<br />
Hewlett-Packard or<br />
Packard-Hewlett.<br />
By: Andrew Cox<br />
boast about the amount of<br />
information the search-engine<br />
would be able to search. It was<br />
originally named ‘Googol’, a<br />
word for the number represented<br />
by 1 followed by 100 zeros. After<br />
founders - Stanford graduate<br />
students Sergey Brin and Larry<br />
Page presented their project to<br />
an angel investor, they received a<br />
cheque made out to ‘Google’.<br />
Moore wanted to name<br />
their new company ‘Moore<br />
Noyce’ but that was already<br />
trademarked by a hotel chain,<br />
so they had to settle for<br />
an acronym of INTegrated<br />
ELectronics.<br />
The Evolution of Internal Auditing
The evolution of how internal audit determined what it would audit can be tracked in Table 1.
Then (up to the 1990s)
• Areas for internal audit identified on a functional basis from historic information.
• Set of one-dimensional risk factors applied (high, moderate, low).
• Input into a model and prioritization based on risk rankings.
• 3 or 5 year strategic internal audit plan based on risk rankings.
• Annual internal audit plan based on available resources. Presented to the audit committee (but not always).
Apple Computers<br />
Favourite fruit of founder Steve Jobs. He<br />
was three months late in filing a name<br />
for the business, and he threatened to<br />
call his company Apple Computers if the<br />
other colleagues didn’t suggest a better<br />
name by 5 o’clock.<br />
of accessing email via the web<br />
from a computer anywhere in<br />
the world. When Sabeer Bhatia<br />
came up with the business plan<br />
for the mail service, he tried all<br />
kinds of names ending in ‘mail’<br />
and finally settled for Hotmail<br />
as it included the letters “html”<br />
- the programming language<br />
used to write web pages. It was<br />
initially referred to as HoTMaiL<br />
with selective upper casings.<br />
Executive Summary
• The mandate for internal audit contained in the internal audit charter.
• What the audit committee and management want internal audit to do.
• To whom the chief audit executive (head of internal audit) reports.
• The capability and skills of the internal auditors.
• Any legislative or regulatory requirements of internal audit.
Introduction
Internal auditing is an evolving profession. It has been around for a very long time, probably since the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal auditing, the Institute of Internal Auditors (IIA), was formed that internal auditing was set on its path to emerging as a profession.
Subsequently, professional standards and a code of ethics for internal auditing have been established and in 1974 professional certification for internal auditing was created, with the designation Certified Internal Auditor. Over time, the scope of internal auditing has changed significantly.
Advantages
• Often cyclical (every year).
• Well known to internal auditors.
• Focus on functional areas.
• Safe approach.
Disadvantages
• Done in isolation of the business.
• Time-consuming.
• May not be timely, relevant or responsive.
• Correlation between risk rankings and internal audit plan often weak.
• Assumed a static organisation.
A company’s IT (Information Technology) organisation is no stranger to scrutiny when it comes to corporate responsibility and sustainability. As a major consumer of electricity in many organisations and a significant producer of waste electronics, IT has been among the first to come under pressure to better manage energy consumption and to “reduce, reuse, and recycle” in order to improve efficiency and lessen environmental impact.
Fortunately, in improving its sustainability performance, IT has had a lot of low-hanging fruit to choose from, including server consolidation, application rationalization, procurement of energy-efficient hardware, better printing policies, and even simple behavioral changes such as having people turn off the lights and shut down their desktop computers at night. Electronic components consume substantial amounts of electricity and produce significant amounts of heat – not to mention that they often contain heavy metals and other toxins that pose disposal issues. Clearly, IT must play a big part in going green, if a company is to be effective at it.
A competitive advantage
Responding to a growing wave of investor activism, consumer demands and regulations around environmental sustainability, companies are looking for ways to gain a competitive advantage by adopting green business practices. IT can be a catalyst for realizing short and long-term business benefits through the implementation of green approaches. Green IT thus can offer a company the opportunity to improve its financial performance while jumpstarting green change throughout the larger organisation as well as reducing environmental impacts.
The areas where IT can address sustainability issues directly are through its acquisition, usage and disposal policies. Consolidation and virtualization initiatives, for example, have generated advantages in terms of cost and operational efficiency and also led to a reduced impact on the environment as utilization rates reduce energy consumption. Beyond virtualization, as new equipment is brought in as part of the move to denser blade configurations and 64-bit architectures, or simply to provide additional capacity, organisations will also benefit from advances in processor efficiency.
The Green Data Center at the Core of Green IT
Finance, IT and business unit executives in large companies around the world have come to embrace environmentally sustainable business practices that are
By: Vishal Thakkar<br />
global financial upheaval of the past two years has seen many<br />
commentators questioning the value of audit.<br />
While attention has naturally been most focused on the large<br />
end of the audit profession, which is involved with the banks and<br />
other major financial institutions, there are also important issues<br />
at the smaller end of the audit market. Given the removal in<br />
recent years of the statutory audit requirement for many entities<br />
with turnover below £6.5m, audit is increasingly a voluntary<br />
exercise in this sector and so needs to demonstrate the value it<br />
brings to business.<br />
In its new policy paper, entitled Restating the Value of Audit, ACCA argues that against this backdrop of change, it is vital for the accountancy profession to re-examine the role of audit and to question whether a sufficiently strong case is being put forward for the benefits that audit can provide to businesses, the economy and society. We firmly believe that audit has a key role to play as a source of public confidence in financial reporting but note that there is currently little published research, which seeks to demonstrate the value of audit in promoting business trust.
http://www.accaglobal.com/page/3305046<br />
our new survey shows, CEOs continue to work to strengthen their organisations whilst seeking opportunities emerging from structural shifts in their industries, economies and regulatory environments.
The 13th Annual Global CEO Survey offers an up-close look at how business leaders have responded to the challenges brought about by the recession, the concerns they are facing today and their strategies for positioning their companies for the long-term.
The recession in developed nations was the worst many CEOs had ever experienced. The resulting rupture to business planning and operations was clear in our survey of 1,198 business leaders from around the world for the PricewaterhouseCoopers 13th Annual Global CEO Survey. Business leaders are emerging with a healthy respect for risk, volatility and flexibility.
http://www.pwc.com/gx/en/ceo-survey/download.jhtml?WT.ac=flash_01-2010_ceo-survey-hp_download
changing their IT practices in an effort<br />
to save money, improve performance<br />
and lessen their impact on the physical<br />
environment.<br />
For example, Marriott International’s<br />
efforts to lower its IT power consumption<br />
over the past few years have not only<br />
resulted in greener and more sustainable<br />
IT operations, but also serve as a risk<br />
mitigation tool. Their data centers are<br />
protected from nature, nuclear attacks and<br />
electronic eavesdropping, amongst other<br />
IT threats because of their location. The<br />
company has built a data center 300 feet<br />
below ground, in a former Pennsylvania<br />
mine. The mine maintains an ambient air<br />
temperature of 53 degrees Fahrenheit.<br />
In addition, virtualization software from<br />
vendors has helped the hospitality giant<br />
reduce its server population by more than<br />
one-third over the past three years. Storage<br />
virtualization and archiving technologies<br />
have enabled the company to slash its<br />
storage energy costs by more than 50%<br />
over that same period.<br />
we are likely to reflect on just how dramatically it changed the<br />
corporate landscape. Not only will it have sent some mighty<br />
business names to the wall, it will also have been responsible for<br />
fundamentally changing the way the business world operates.<br />
One such example may be in the way that corporate value is<br />
determined; will financial measures still be used in isolation as the<br />
measure of business value? This approach will soon be challenged,<br />
claims Rodger Hill of KPMG Advisory.<br />
The days of purely measuring business performance by financial<br />
result may well be numbered. In its place discerning investors will<br />
look for something broader to measure an entity’s real contribution<br />
and performance.<br />
That something could be in the shape of the “triple bottom line”;<br />
an amalgam of financial results and an assessment of the social and<br />
environmental impacts of a business. Or, when stated differently:<br />
People, Planet and Profits.<br />
http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Press-releases/Pages/Press-release-Introducing-the-triple-bottom-line-1-Mar-2010.aspx
About the Author:<br />
Vishal Thakkar is a qualified<br />
Chartered Accountant and Certified<br />
Internal Auditor. He is currently<br />
working with Group Internal Audit<br />
department of Dubai World and can<br />
be contacted at<br />
vishalkthakkar@yahoo.com<br />
…Going Full Blast…<br />
<strong>UAE</strong>-<strong>IAA</strong> Past Events<br />
Course on Quality Assurance<br />
and Improvement<br />
Message from the President
On behalf of the UAE Internal Audit Association’s Board of Governors, I wish to extend a warm welcome to all the delegates to the 11th Annual Regional Gulf Audit Conference in Abu Dhabi. Our theme for this year is ‘2010 and Beyond’, and we urge you to join us in “going full blast” in enthusiasm, as we start the implementation of programs and planned activities for this still challenging year.
Firstly, we encourage you to optimize your learning and networking opportunities during this conference by actively participating in the pre-conference workshops on Day 1 and the main conference sessions, which will cover topical issues impacting our profession. We are fortunate to have with us as keynote speaker, our IIA Global President, Mr. Richard Chambers.
You are also invited to participate in the Global Internal Audit Survey, which opened on March 15, 2010 and is available in both the IIA and UAE-IAA websites. The survey is expected to be completed by over 15,000 internal auditors from around the globe, in more than 20 languages. Results will provide insight into emerging issues and trends, as well as developments and changes within the profession. We are pleased to have set another milestone at the Institute by successfully providing an Arabic translation for this survey.
As we ended the first quarter, we near the completion of a Memorandum of Understanding with the American University of Sharjah, to initiate cooperative agreements with educational institutions in the UAE / Region. In February, we were also privileged to have shared our programs and experiences with IIA Saudi Arabia when they visited us for a benchmarking exercise.
As we progress on in 2010 and beyond, we set up a dedicated staff to better provide the services of the Institute. Once again, we request your wholehearted support in achieving all our plans and objectives.
Abdulqader Obaid Ali
President
UAE-IAA
April 2010
Board of Governors<br />
<strong>UAE</strong>-<strong>IAA</strong> Chapter<br />
President:<br />
Abdulqader Obaid Ali<br />
abdulqader.obaidali@dubaiworld.ae<br />
Board Members:<br />
Abdulrahman Al Hareb<br />
abdulrahman.alhareb@dubaiholding.com<br />
Abdulrahman Ba Saeed<br />
abdulrahman.basaeed@dubaiworld.ae<br />
Adnan Zaidi<br />
adnan.zaidi@protivitiglobal.ae<br />
Ahmad Dahabiyeh<br />
adahabiyeh@adaa.ae<br />
Amir Gergawi<br />
amir.algergawi@du.ae<br />
Badr Mohammed Buhannad<br />
bbuhannad@dso.ae<br />
Karem Obeid<br />
karem.obeid@dubaiholding.com<br />
Khalid Halyan<br />
khalhalyan@dca.gov.ae<br />
Laila Al Humairi<br />
laila.alhumairi@gmail.com<br />
Raza Abdulla<br />
raza.abdulla@emirates.com<br />
Venkataraman<br />
venkat@habtoor.com<br />
Yaser Al Yaish<br />
yaser.yasih@gmail.com<br />
Newsletter Committee:<br />
Vishal Thakkar<br />
Dubai World<br />
Mayur Motwani<br />
Protiviti Middle East<br />
Julion Ruwette<br />
Deloitte & Touche, (M.E.)<br />
How famous companies<br />
were named?<br />
Cisco<br />
The name is not an acronym<br />
Hewlett-Packard<br />
Bill Hewlett and Dave<br />
Google<br />
The name started as a jokey
Intel<br />
Bob Noyce and Gordon<br />
Hotmail<br />
Founder Jack Smith got the idea<br />
What Is the Range<br />
of the Internal<br />
Auditor’s Work?<br />
UAE-IAA Events
Fraud Risk Assessment: the Human Element – By: Santosh Noronha
11th Annual Regional Gulf Audit Conference
How famous companies were named
Green IT – By: Fadi Sidani
Knowledge Update – By: Vishal Thakkar
What is the range of the Internal Auditor’s Work – By: Andrew Cox
By: Santosh Noronha<br />
Fraud Risk<br />
Assessment:<br />
The Human<br />
Element<br />
By: Fadi Sidani<br />
Green IT<br />
IT at the Core of office greening initiatives<br />
Knowledge<br />
Update<br />
Restating the value of audit<br />
The role of audit is under heightened scrutiny. The unprecedented<br />
13 th Annual Global CEO<br />
Survey<br />
The effects of the recent downturn were far-reaching, but as<br />
Introducing the triple<br />
bottom line<br />
Once the credit crisis is firmly consigned to corporate history,<br />
Contents<br />
Editor:
Manjula Ramakrishnan
UAE-IAA Newsletter welcomes editorial contributions and feedback from readers. Write in to editor@iiauae.org
Affiliated to The Institute of Internal Auditors • 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 USA +1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org • Copyright 2008
Disclaimer: It is hereby notified that all opinions, facts or views expressed in this magazine are those of the author and need not necessarily represent the views of UAE-IAA. The advertising of events, courses, products and services in this publication does not imply that they have UAE-IAA endorsement.
UAE-IAA Past Events
Course on Quality Assurance and Improvement
Mr. Abdullah Al Rowais, Chief Audit Executive of Mobily, recently visited Dubai. On the 22nd of February, as the representative of the IIA-Saudi Chapter, Mr. Rowais had a benchmarking meeting with the UAE-IAA Chapter. Other UAE-IAA delegates who attended the meeting were Abdulqader Obaid Ali, Neeraj Kumar, Adil Buhariwalla, Raymund Mungkal, Abdulrahman BaSaeed and Khalid Halyan.
On 17th November, a half-day course on Quality Assurance and Improvement by Andrew Cox was held in Dubai. The same was held on 24th November in Abu Dhabi. Andrew Cox is acknowledged as a leader in quality assurance and improvement of internal audit activities in organisations, both in the private and public sectors. The course focused on how quality assessments can raise the profile of the IA Department with chief executives and audit committees. It also honed in on preparing an independent quality assessment, self-assessment for the IA Department followed by an independent validation.
Visuals from the event…
By: Santosh Noronha<br />
Fraud Risk Assessment: The Human Element
Today fraud is a key buzzword among<br />
corporations (big and small) and compliance<br />
professionals alike. Recent large fraud<br />
cases are often used to build a business<br />
case for spending large amounts of money<br />
in implementing a Control Framework.<br />
Surveys such as the ACFE 2008 Report<br />
to the Nation show that implementation<br />
of a control framework has a measurable<br />
impact on the organisation’s exposure<br />
to fraud. The survey revealed that<br />
organisations that implemented anti-fraud<br />
controls suffered much lower losses than<br />
organisations without anti-fraud controls.<br />
Though many Control Frameworks<br />
were developed and propagated over<br />
the years, the most commonly applied<br />
Control Framework is the one developed<br />
in the early nineties by the Committee Of<br />
Sponsoring Organisations of the Treadway<br />
Commission, better known as the COSO<br />
Framework (“COSO”). COSO identifies<br />
5 components, which when integrated<br />
and operating in all business units, will<br />
help establish an effective internal control<br />
framework. These 5 components are:<br />
i) Control Environment, which sets<br />
the moral tone of the organisation,<br />
influencing the control consciousness of<br />
the organisation and is the foundation<br />
upon which all other components are<br />
built.<br />
ii) Risk Assessment involves identifying<br />
and assessing risks involved in achieving<br />
an entity’s objectives.<br />
iii) Control Activities are the policies and<br />
procedures that enforce management’s<br />
directives.<br />
iv) Information and Communication, which<br />
allows the exchange of information in<br />
the right quantities and to the right<br />
persons across the organisation.<br />
v) Monitoring is the process that assesses<br />
the quality of the Framework over a<br />
period of time.<br />
Generally, Corporations build their Anti-<br />
Fraud controls on the principles of the<br />
COSO framework. To do so, organisations<br />
first identify fraud risks and prioritize<br />
them according to risks that matter the<br />
most. Prioritization is generally done<br />
by assessing the impact and likelihood of<br />
an inherent risk. Impact is the extent to<br />
which the risk, if realized, would impact the<br />
organisation. Likelihood is the probability<br />
of a risk occurring over a pre-defined time<br />
period, which is generally the organisation’s<br />
planning horizon.<br />
While prioritizing risks on impact and<br />
likelihood, it is generally assumed that<br />
individuals will honour their fiduciary<br />
responsibilities to the organisation. In<br />
other words, people entrusted with<br />
the execution of controls will do so<br />
responsibly and to the best of their<br />
ability. While this assumption may be<br />
correct during an internal control risk<br />
assessment, it does not hold good while<br />
assessing fraud risks.<br />
An individual breaching his fiduciary<br />
responsibilities is an Occupational Fraud!!<br />
A key differentiator between Internal<br />
Controls and Anti Fraud Controls is the<br />
Human Element. Failure to assess the<br />
Human Element can cause frauds to<br />
happen in organisations that otherwise<br />
seem to have a robust and comprehensive<br />
internal control framework.<br />
Before addressing how to prioritize fraud
risks, let’s understand why people
commit fraud.
One of the best theories on why people
commit fraud was given by Donald Cressey
in his book “Other People’s Money”. As
per this hypothesis, fraud occurs when an
individual has:
a. A non sharable financial problem.
b. Perceives an opportunity to resolve
the situation.
c. Has the ability to rationalize his misdeeds
even before committing them.
In other words for an individual to commit<br />
fraud, he should be under pressure from<br />
a financial problem which the individual<br />
perceives cannot be solved through other<br />
means. These problems often manifest<br />
themselves into behaviour patterns or<br />
red flags, which if spotted in time, could<br />
prevent a fraud from happening. As per<br />
the ACFE 2008 Report to the Nation, the<br />
most commonly cited behavioral red flags<br />
were perpetrators living beyond their<br />
apparent means or experiencing financial<br />
difficulties at the time of the fraud.<br />
Even if an individual has the motive, he cannot perpetrate the fraud unless presented with an opportunity. Opportunities could arise due to a number of factors within the organisation such as high turnover of management in key roles, lack of segregation of duties or a complex organisation structure.
[Figure: the Fraud Triangle (FRAUD). Incentive or Pressure: financial, personal, unrealistic corporate objectives, etc. Real or Perceived Opportunity: weak controls / employees in positions of trust. Attitude or Rationalization: beliefs such as “The activity is not criminal,” “Everybody is doing it,” etc.]
Rationalization of the act is the last element in understanding why people commit fraud. Most people believe themselves to be good and need to convince themselves that their actions were justified. Some of these justifications are:
• I was going to pay it back
• Everybody does it
• I am not hurting anyone
• I was helping my family
• This is nothing compared to what xyz did...
To sum up, when this individual under pressure is presented with an opportunity and is able to rationalize his planned actions, fraud occurs. Over the years this hypothesis has become better known as the Fraud Triangle.
To be able to effectively prioritize fraud risks, organisations should evaluate the Human Element to the fraud risk. This can be achieved by applying the principles of the Fraud Triangle to the traditional risk assessment criteria of Impact and Likelihood. This is illustrated in the table below:
[Table: Traditional Risk Assessment Criteria | Fraud Risk Assessment Criteria]
For example, in an organisation where an individual performs a number of key controls – if this individual’s personal integrity and values are high, the chances of fraud happening are significantly lower than when the individual’s personal integrity is low. Understanding the people who manage key internal controls in an organisation, their values and attitude could go a long way in minimizing the incidence of fraud and help build effective anti-fraud deterrents within an organisation.
To sum up, it is important for organisations to consider the human element while prioritizing their key fraud risks. Besides, there are a number of cost effective measures that can assist in improving the anti-fraud environment within an organisation. These are as under:
• Establish a Code of Ethics and clearly<br />
communicate expectations to all<br />
stakeholders.<br />
• Develop Fraud Policies which clearly<br />
describe company policies and<br />
procedures relating to fraud.<br />
• Invest in a communication and training<br />
program on fraud and corporate fraud<br />
policies for all employees.<br />
• Ensure proper segregation of duties for<br />
key activities and functions.<br />
• Set up appropriate recruitment<br />
procedures to select the right<br />
candidates.<br />
• Set up policies for rotation of staff<br />
duties and forced vacations.<br />
• Know your key fraud risks and controls.<br />
Monitor them regularly.<br />
• Set up a whistle blower hotline.<br />
About the Author:<br />
Santosh Noronha is a Manager with Ernst & Young Dubai working<br />
in the Fraud Investigation and Dispute Services Practice. Opinions<br />
expressed in this article belong solely to the author, and do not<br />
necessarily represent the views of Ernst & Young. To comment on<br />
this article, feel free to email the author at<br />
santosh.noronha@ae.ey.com<br />
By: Fadi Sidani<br />
Green IT<br />
IT at the Core of office greening initiatives<br />
A company’s IT (Information Technology)<br />
organisation is no stranger to scrutiny when it comes<br />
to corporate responsibility and sustainability.<br />
As a major consumer of electricity in many<br />
organisations and a significant producer of<br />
waste electronics, IT has been among the<br />
first to come under pressure to better<br />
manage energy consumption and to<br />
“reduce, reuse, and recycle” in<br />
order to improve efficiency and<br />
lessen environmental impact.<br />
Fortunately, in improving its sustainability<br />
performance, IT has had a lot of low-hanging<br />
fruit to choose from, including server<br />
consolidation, application rationalization,<br />
procurement of energy-efficient hardware,<br />
better printing policies, and even simple<br />
behavioral changes such as having people<br />
turn off the lights and shut down their<br />
desktop computers at night. Electronic<br />
components consume substantial amounts<br />
of electricity and produce significant<br />
amounts of heat – not to mention that<br />
they often contain heavy metals and other<br />
toxins that pose disposal issues. Clearly,<br />
IT must play a big part in going green, if a<br />
company is to be effective at it.<br />
A competitive advantage<br />
Responding to a growing wave of<br />
investor activism, consumer demands<br />
and regulations around environmental<br />
sustainability, companies are looking for<br />
ways to gain a competitive advantage<br />
by adopting green business practices. IT<br />
can be a catalyst for realizing short and<br />
long-term business benefits through the<br />
implementation of green approaches.<br />
Green IT thus can offer a company the<br />
opportunity to improve its financial<br />
performance while jumpstarting green<br />
change throughout the larger organisation<br />
as well as reducing environmental impacts.<br />
The areas where IT can address<br />
sustainability issues directly are through<br />
its acquisition, usage and disposal policies.<br />
Consolidation and virtualization initiatives,<br />
for example, have generated advantages<br />
in terms of cost and operational efficiency<br />
and also led to a reduced impact on the<br />
environment as utilization rates reduce<br />
energy consumption. Beyond virtualization,<br />
as new equipment is brought in as part of<br />
the move to denser blade configurations<br />
and 64-bit architectures, or simply to<br />
provide additional capacity, organisations<br />
will also benefit from advances in processor<br />
efficiency.<br />
The Green Data Center at the Core of<br />
Green IT<br />
Finance, IT and business unit executives<br />
in large companies around the world<br />
have come to embrace environmentally<br />
sustainable business practices that are<br />
changing their IT practices in an effort<br />
to save money, improve performance<br />
and lessen their impact on the physical<br />
environment.<br />
For example, Marriott International’s<br />
efforts to lower its IT power consumption<br />
over the past few years have not only<br />
resulted in greener and more sustainable<br />
IT operations, but also serve as a risk<br />
mitigation tool. Their data centers are<br />
protected from nature, nuclear attacks and<br />
electronic eavesdropping, amongst other<br />
IT threats because of their location. The<br />
company has built a data center 300 feet<br />
below ground, in a former Pennsylvania<br />
mine. The mine maintains an ambient air<br />
temperature of 53 degrees Fahrenheit.<br />
In addition, virtualization software from<br />
vendors has helped the hospitality giant<br />
reduce its server population by more than<br />
one-third over the past three years. Storage<br />
virtualization and archiving technologies<br />
have enabled the company to slash its<br />
storage energy costs by more than 50%<br />
over that same period.<br />
Traditionally, data centers have been<br />
designed to store, process, manage and<br />
exchange information in order to either<br />
support the informational needs of large<br />
institutions or provide application services<br />
or management for information technology,<br />
telecommunication, web hosting, internet<br />
or intranet. These data centers have been<br />
designed to accommodate energy intensive<br />
computing equipment and the specially designed<br />
infrastructure for high electrical<br />
power consumption, redundant and<br />
uninterruptible power and heat dissipation.<br />
Based on their energy signatures, large data<br />
centers are actually more like industrial<br />
facilities than commercial buildings. Careful<br />
attention is usually paid to maximizing the<br />
computing power in the traditional data<br />
center, but often very little consideration<br />
is given to environmental issues.<br />
Green data centers are ecologically friendly<br />
data centers where the mechanical,<br />
electrical, thermal, hosted systems and<br />
building materials are all used to improve<br />
energy efficiency and effectively manage<br />
any negative environmental impact. Until<br />
recently, no one seemed to care whether<br />
or not data centers were environmentally<br />
friendly. Now, financial, legislative and<br />
environmental pressures are causing data<br />
centers to take steps toward ‘going green.’<br />
Baby steps<br />
Environmental improvement and<br />
sustainability initiatives can be addressed<br />
and implemented through basic efforts<br />
such as the thoughtful use of technology,<br />
a combination of high-quality financial and<br />
operating information, useful metrics and<br />
well-considered business cases and strong<br />
executive commitment. But there are no<br />
simple answers to building a sustainable<br />
enterprise.<br />
Companies have taken many early steps<br />
in the first wave of green IT to lessen<br />
their environmental impact. For example,<br />
they have retired out-of-date systems,<br />
consolidated data centers like the<br />
aforementioned example and adopted<br />
substantially more efficient hardware and<br />
cooling systems. These early efforts have<br />
been focused on cutting waste, decreasing<br />
energy usage, and optimizing the efficiency<br />
of IT assets in data centers, on desktops,<br />
and throughout company operations.<br />
And executives say these early steps have<br />
yielded returns that are satisfactory or<br />
even better.<br />
Some companies have been particularly<br />
ambitious in leading environmental change,<br />
whether led by a desire to keep pace<br />
with competitors, to avoid penalties or<br />
bad publicity, or simply their own sense<br />
of right and wrong. Those who adopt a<br />
wait-and-see attitude may well be caught<br />
short, pulled under the next wave of<br />
green IT and forced to struggle to catch<br />
up or even survive. Those who are well<br />
prepared, especially those who learned the<br />
importance of strategic investments during<br />
the last economic downturn may well be<br />
able to ride this wave successfully and even<br />
flourish as a result.<br />
Evolve into a sustainable business over<br />
time<br />
Although Green IT efforts have focused in<br />
particular on increasing energy efficiency<br />
in IT infrastructure management, e.g.<br />
‘Green Data Centers’, this focus does<br />
not suffice. Environmental sustainability<br />
needs to go beyond simply improving the<br />
energy efficiency of the IT infrastructure<br />
– and include business solutions that<br />
help customers move towards greater<br />
levels of maturity in their management of<br />
sustainability practices.<br />
‘Smart’ companies address environmental,<br />
economic and social factors – the three<br />
pillars that make a company sustainable.<br />
Namely, IT that contributes to the wellbeing<br />
of society, contributes to preserving<br />
natural resources and ecosystem and IT<br />
that improves economic sustainability.<br />
Companies can take internal steps to<br />
improve processes and cut waste, but the<br />
giant leap forward will come from more<br />
environmentally sensitive solutions coming<br />
to market for them to employ. Such<br />
progress will allow companies to mitigate<br />
risk and strive to be a good corporate<br />
citizen, an employer for which people want<br />
to work, and a company that deserves<br />
customers’ business.<br />
IT as the catalyst for change<br />
IT organisations do not have to tear down<br />
their existing data centers and start from<br />
scratch in order to start benefiting from<br />
environmentally friendly technologies and<br />
processes. IT organisations just need to<br />
start considering these in the data center<br />
planning process. Incorporating green<br />
thinking into plans involves everything<br />
from purchasing energy efficient hardware<br />
made from more environmentally friendly<br />
materials to implementing rationalization<br />
projects to designing new data centers and<br />
locating them in places where they can take<br />
advantage of alternative power or cooling<br />
methods. The sooner data centers start<br />
taking steps toward implementing green<br />
technologies and processes, the sooner<br />
they will start realizing the benefits.<br />
No blueprint or one-size-fits-all master plan<br />
exists. But one thing above all others is clear:<br />
the best results will come to organisations<br />
which include IT as an integral supporting<br />
element of their environmental and broader<br />
sustainability initiatives.<br />
About the Author:<br />
Fadi Sidani is the Partner in charge of Enterprise Risk Services<br />
(ERS) at Deloitte in the Middle East. Fadi has 22 years of global<br />
experience in Risk Management, Consulting and Sustainability<br />
work across various markets, industries and business functions.<br />
He is a regular public speaker in many forums across the ME<br />
region, and he has been involved in the set up and delivery of<br />
various training courses for staff and clients. For more information<br />
please contact + 971 4 369 8999<br />
How famous companies<br />
were named<br />
Lotus<br />
Mitch Kapor got the name<br />
for his company from the<br />
lotus position or ‘padmasana.’<br />
Kapor used to be a teacher of<br />
Transcendental Meditation of<br />
Maharishi Mahesh Yogi.<br />
Microsoft<br />
It was coined by Bill Gates to<br />
represent the company that was<br />
devoted to MICROcomputer<br />
SOFTware. Originally christened<br />
Micro-Soft, the ‘-’ was removed<br />
later on.<br />
Founder Paul Galvin came<br />
up with this name when his<br />
company started manufacturing<br />
radios for cars. The popular<br />
radio company at the time was<br />
called Victrola.<br />
Adobe<br />
The name came from the river Adobe<br />
Creek that ran behind the house of<br />
founder John Warnock.<br />
Apache<br />
It got its name because its founders got<br />
started by applying patches to code<br />
written for NCSA’s httpd daemon. The<br />
result was ‘A PAtCHy’ server - thus,<br />
the name Apache.<br />
Apple Computers<br />
Favourite fruit of founder Steve Jobs. He<br />
was three months late in filing a name<br />
for the business, and he threatened to<br />
call his company Apple Computers if the<br />
other colleagues didn’t suggest a better<br />
name by 5 o’clock.<br />
Oracle<br />
Larry Ellison and Bob Oats were<br />
working on a consulting project<br />
for the Central Intelligence<br />
Agency (CIA). The code name<br />
for the project was called Oracle<br />
(the CIA saw this as the system<br />
to give answers to all questions<br />
or something such).<br />
Red Hat<br />
Company founder Marc Ewing<br />
was given the Cornell lacrosse<br />
team cap (with red and white<br />
stripes) while at college by his<br />
grandfather. He lost it and had<br />
to search for it desperately. The<br />
manual of the beta version of<br />
Red Hat Linux had an appeal to<br />
readers to return his Red Hat if<br />
found by anyone!<br />
SAP<br />
“Systems, Applications,<br />
Products in Data Processing”,<br />
formed by four ex-IBM<br />
employees who used to work<br />
in the ‘Systems/Applications/<br />
Projects’ group of IBM.<br />
Cisco<br />
The name is not an acronym<br />
but an abbreviation of San<br />
Francisco. The company’s logo<br />
reflects its San Francisco name<br />
heritage. It represents a stylized<br />
Golden Gate Bridge.<br />
Hewlett-Packard<br />
Bill Hewlett and Dave<br />
Packard tossed a coin<br />
to decide whether the<br />
company they founded<br />
would be called<br />
Hewlett-Packard or<br />
Packard-Hewlett.<br />
Google<br />
The name started as a jokey<br />
boast about the amount of<br />
information the search-engine<br />
would be able to search. It was<br />
originally named ‘Googol’, a<br />
word for the number represented<br />
by 1 followed by 100 zeros. After<br />
founders (Stanford graduate<br />
students Sergey Brin and Larry<br />
Page) presented their project to<br />
an angel investor, they received a<br />
cheque made out to ‘Google’.<br />
Intel<br />
Bob Noyce and Gordon<br />
Moore wanted to name<br />
their new company ‘Moore<br />
Noyce’ but that was already<br />
trademarked by a hotel chain,<br />
so they had to settle for<br />
an acronym of INTegrated<br />
ELectronics.<br />
Hotmail<br />
Founder Jack Smith got the idea<br />
of accessing email via the web<br />
from a computer anywhere in<br />
the world. When Sabeer Bhatia<br />
came up with the business plan<br />
for the mail service, he tried all<br />
kinds of names ending in ‘mail’<br />
and finally settled for Hotmail<br />
as it included the letters “html”<br />
- the programming language<br />
used to write web pages. It was<br />
initially referred to as HoTMaiL<br />
with selective upper casings.<br />
Sony<br />
From the Latin word ‘sonus’<br />
meaning sound, and ‘sonny’<br />
a slang used by Americans to<br />
refer to a bright youngster.<br />
Sun Microsystems<br />
Founded by four Stanford<br />
University buddies, Sun is the<br />
acronym for Stanford University<br />
Network.<br />
Xerox<br />
The Greek root “xer” means<br />
dry. The inventor, Chester<br />
Carlson, named his product<br />
Xerox as it was dry copying,<br />
markedly different from the<br />
then prevailing wet copying.<br />
Yahoo!<br />
The word was invented by Jonathan Swift and used in his book Gulliver’s Travels. It<br />
represents a person who is repulsive in appearance and action and is barely human.<br />
Yahoo! founders Jerry Yang and David Filo selected the name because they considered<br />
themselves yahoos.<br />
By: Vishal Thakkar<br />
Knowledge Update<br />
With the changing global scene<br />
Stay in the front row<br />
Restating the value of audit<br />
The role of audit is under heightened scrutiny. The unprecedented<br />
global financial upheaval of the past two years has seen many<br />
commentators questioning the value of audit.<br />
While attention has naturally been most focused on the large<br />
end of the audit profession, which is involved with the banks and<br />
other major financial institutions, there are also important issues<br />
at the smaller end of the audit market. Given the removal in<br />
recent years of the statutory audit requirement for many entities<br />
with turnover below £6.5m, audit is increasingly a voluntary<br />
exercise in this sector and so needs to demonstrate the value it<br />
brings to business.<br />
In its new policy paper, entitled Restating the Value of Audit,<br />
ACCA argues that against this backdrop of change, it is vital<br />
for the accountancy profession to re-examine the role of audit<br />
and to question whether a sufficiently strong case is being put<br />
forward for the benefits that audit can provide to businesses, the<br />
economy and society. We firmly believe that audit has a key role<br />
to play as a source of public confidence in financial reporting but<br />
note that there is currently little published research, which seeks<br />
to demonstrate the value of audit in promoting business trust.<br />
http://www.accaglobal.com/page/3305046<br />
13th Annual Global CEO Survey<br />
The effects of the recent downturn were far-reaching, but as<br />
our new survey shows, CEOs continue to work to strengthen<br />
their organisations whilst seeking opportunities emerging from<br />
structural shifts in their industries, economies and regulatory<br />
environments.<br />
The 13th Annual Global CEO Survey offers an up-close look at<br />
how business leaders have responded to the challenges brought<br />
about by the recession, the concerns they are facing today and<br />
their strategies for positioning their companies for the long-term.<br />
The recession in developed nations was the worst many CEOs<br />
had ever experienced. The resulting rupture to business planning<br />
and operations was clear in our survey of 1,198 business leaders<br />
from around the world for the PricewaterhouseCoopers 13th<br />
Annual Global CEO Survey. Business leaders are emerging with<br />
a healthy respect for risk, volatility and flexibility.<br />
http://www.pwc.com/gx/en/ceo-survey/download.jhtml?WT.ac=flash_01-2010_ceo-survey-hp_download<br />
Introducing the triple<br />
bottom line<br />
Once the credit crisis is firmly consigned to corporate history,<br />
we are likely to reflect on just how dramatically it changed the<br />
corporate landscape. Not only will it have sent some mighty<br />
business names to the wall, it will also have been responsible for<br />
fundamentally changing the way the business world operates.<br />
One such example may be in the way that corporate value is<br />
determined; will financial measures still be used in isolation as the<br />
measure of business value? This approach will soon be challenged,<br />
claims Rodger Hill of KPMG Advisory.<br />
The days of purely measuring business performance by financial<br />
result may well be numbered. In its place discerning investors will<br />
look for something broader to measure an entity’s real contribution<br />
and performance.<br />
That something could be in the shape of the “triple bottom line”;<br />
an amalgam of financial results and an assessment of the social and<br />
environmental impacts of a business. Or, when stated differently:<br />
People, Planet and Profits.<br />
http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Press-releases/Pages/Press-release-Introducing-the-triple-bottom-line-1-Mar-2010.aspx<br />
About the Author:<br />
Vishal Thakkar is a qualified<br />
Chartered Accountant and Certified<br />
Internal Auditor. He is currently<br />
working with Group Internal Audit<br />
department of Dubai World and can<br />
be contacted at<br />
vishalkthakkar@yahoo.com<br />
By: Andrew Cox<br />
What Is the Range<br />
of the Internal<br />
Auditor’s Work?<br />
Executive Summary<br />
The range of the Internal Auditor’s work is dependent on:<br />
• The mandate for internal audit contained in the internal audit charter.<br />
• What the audit committee and management want internal audit to do.<br />
• To whom the chief audit executive (head of internal audit) reports.<br />
• The capability and skills of the internal auditors.<br />
• Any legislative or regulatory requirements of internal audit.<br />
Introduction<br />
Internal auditing is an evolving profession. It has been around for a very long time, probably since<br />
the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal<br />
auditing, the Institute of Internal Auditors (IIA), was formed that internal auditing was set on its<br />
path to emerging as a profession.<br />
Subsequently, professional standards and a code of ethics for internal auditing have been established<br />
and in 1974 professional certification for internal auditing was created, with the designation<br />
Certified Internal Auditor. Over time, the scope of internal auditing has changed significantly.<br />
The Evolution of Internal Auditing<br />
The evolution of how internal audit determined what it would audit can be tracked in Table 1.<br />
Then (up to the 1990s)<br />
• Areas for internal audit identified on a functional<br />
basis from historic information.<br />
• Set of one-dimensional risk factors applied<br />
(high, moderate, low).<br />
• Input into a model and prioritization based on risk<br />
rankings.<br />
• 3 or 5-year strategic internal audit plan based on risk<br />
rankings.<br />
• Annual internal audit plan based on available<br />
resources. Presented to the audit committee (but<br />
not always).<br />
Advantages<br />
• Often cyclical (every year).<br />
• Well known to internal<br />
auditors.<br />
• Safe approach.<br />
Disadvantages<br />
• Done in isolation of the business.<br />
• Time-consuming.<br />
• Focus on functional areas.<br />
• May not be timely, relevant or<br />
responsive.<br />
• Correlation between risk rankings<br />
and internal audit plan often weak.<br />
• Assumed a static organisation.<br />
Nowadays, Table 2 could be the best representation.<br />
Table 2: The evolution of internal auditing, 1990s–2000s<br />
Now (1990s–2000s)<br />
• Areas for internal audit identified on a functional,<br />
cross-organisational and strategic basis, may use the<br />
organisation’s risk register.<br />
• Discussed with senior management, additional<br />
internal audit areas may be added.<br />
• Set of risk factors applied, input into a model,<br />
prioritized based on risk rankings.<br />
• 3-year strategic internal audit plan based on risk<br />
rankings.<br />
• Annual internal audit plan based on available<br />
resources. Presented to the audit committee.<br />
Advantages<br />
• Well known to internal<br />
auditors.<br />
• Done in consultation with the<br />
business.<br />
• Broader scope that considers<br />
business risks.<br />
• Facilitates integration of internal<br />
audit, risk management and<br />
strategic planning.<br />
• Requires strong understanding<br />
of the business.<br />
Disadvantages<br />
• Can be challenging.<br />
• Time-consuming.<br />
• May not be timely, relevant, or<br />
responsive.<br />
In the future Table 3 would be more accurate.<br />
Table 3: The evolution of internal auditing, 2000s onward<br />
Future (2000s onward)<br />
• Areas for internal audit identified on a functional,<br />
cross-organisational and strategic basis using the<br />
organisation’s risk register and other relevant<br />
information.<br />
• Develop base audit plan.<br />
• Discuss with senior management, including facilitated<br />
workshops - additional audit areas may be added.<br />
• Develop annual or longer-term assurance plan.<br />
• Develop flexible, rolling internal audit consulting plan<br />
to provide timely, relevant and responsive services.<br />
• Present to audit committee.<br />
Advantages<br />
• Done in consultation with the<br />
business.<br />
• Timely, relevant, and<br />
responsive.<br />
• Broader scope taking into<br />
account business risks.<br />
• Facilitates integration of internal<br />
audit, risk management, and<br />
strategic planning.<br />
Disadvantages<br />
• Requires strong commitment<br />
from senior management.<br />
• Requires discipline to ensure<br />
that the internal audit<br />
consultation process is effective.<br />
• May not be well known to<br />
internal auditors.<br />
The point is this: The range of an internal<br />
auditor’s work will generally be related<br />
to where he or she is currently placed in<br />
regard to these three evolutionary phases<br />
of the internal audit continuum. As we move<br />
into the more difficult methods of operating<br />
an internal audit function, the complexity<br />
of internal audit work increases, and the<br />
capability and skills of the internal auditor<br />
need to be greater. Many internal auditors<br />
are still in the early evolutionary phases of<br />
internal auditing, because the future is seen<br />
as too difficult and daunting.<br />
What do the Standards say?<br />
The internal auditing standards we will<br />
consider here are those issued by the<br />
Institute of Internal Auditors (IIA). The<br />
internationally accepted definition of<br />
internal auditing issued by the IIA is:<br />
“Internal auditing is an independent, objective<br />
assurance and consulting activity designed<br />
to add value and improve an organisation’s<br />
operations. It helps an organisation accomplish<br />
its objectives by bringing a systematic,<br />
disciplined approach to evaluate and improve<br />
the effectiveness of risk management, control<br />
and governance processes.”<br />
This was a step up from the previous<br />
definition, which concentrated on assurance.<br />
This definition expanded the role of internal<br />
audit to encompass consulting services.<br />
To understand the difference between<br />
assurance services and consulting services,<br />
we need a couple of definitions:<br />
Assurance: An objective examination<br />
of the evidence for the purpose of<br />
providing an independent assessment of<br />
risk management, control, or governance<br />
processes for an organisation. Examples<br />
may include financial, performance,<br />
compliance, system security and due<br />
diligence engagements.<br />
Consulting: Advisory and related client<br />
service activities, the nature and scope of<br />
which are agreed with the client, and which<br />
are intended to add value and improve an<br />
organisation’s governance, risk management,<br />
and control processes without the internal<br />
auditor assuming management responsibility.<br />
Examples include counsel, advice, facilitation<br />
and training.<br />
It should be noted that the definitions of<br />
internal auditing and the standards focus on<br />
risk management, control and governance:<br />
Risk management: Internal audit should<br />
assist the organisation by identifying and<br />
evaluating significant exposures to risk and<br />
contributing to the improvement of risk<br />
management and control systems.<br />
Control: Internal audit should assist<br />
the organisation in maintaining effective<br />
controls by evaluating their effectiveness<br />
and efficiency and by promoting continuous<br />
improvement.<br />
Governance: Internal audit should assess<br />
and make appropriate recommendations<br />
for improving the governance process<br />
in its accomplishment of the following<br />
objectives:<br />
• Promoting appropriate ethics and values<br />
within the organisation.<br />
• Ensuring effective organisational<br />
performance management and<br />
accountability.<br />
• Effectively communicating risk and<br />
control information to appropriate<br />
areas of the organisation.<br />
• Effectively coordinating the activities and<br />
communicating information among the<br />
board, external and internal auditors<br />
and management.<br />
What type of work?<br />
So, what should be the range and type<br />
of work carried out by internal audit for<br />
an organisation? The IIA believes that the<br />
work and methods of internal audit should<br />
encompass:<br />
• Conducting enterprise risk assessment.<br />
• Utilizing risk and control self-assessment.<br />
• Using internal control processes based<br />
on COSO (Committee of Sponsoring<br />
Organisations) guidelines.<br />
• Partnering with management.<br />
• Integrating corporate governance into<br />
practice.<br />
• Increasing staff performance.<br />
• Communicating more effectively.<br />
• Developing staff, both personally and<br />
professionally.<br />
• Using technology to increase staff<br />
efficiency.<br />
• Establishing an assurance function.<br />
• Providing consulting services.<br />
• Conducting audits in emerging areas.<br />
• Utilizing performance measures.<br />
This leads to the types of internal audit<br />
provided by the internal audit function, which<br />
may include some or all of the following:<br />
Compliance audit: The review of both<br />
financial and operating controls and<br />
transactions to see how they conform to<br />
established laws, standards, regulations and<br />
procedures.<br />
Financial audit: The examination of the<br />
financial records and reports of a company<br />
to verify that the figures in the financial<br />
reports are relevant, accurate and complete.<br />
The general focus is on making sure that all<br />
assets and liabilities are properly recorded<br />
on the balance sheet and that the statement<br />
of income and expenses is correct.<br />
Information technology (IT) audit: A<br />
review of the controls within an entity’s<br />
technology infrastructure. These reviews<br />
are typically performed in conjunction<br />
with a financial statement audit, internal<br />
audit review, or other form of attestation<br />
engagement.<br />
On-demand audit: A request for an<br />
internal audit initiated by the board, audit<br />
committee, or management in response<br />
to their particular concerns, and which has<br />
not been scheduled in the internal audit<br />
plan of work. It may also be known as a<br />
management-initiated review.<br />
Operational audit: Sometimes called<br />
program or performance audits, these<br />
examine the use of resources to evaluate<br />
whether those resources are being used in<br />
the most efficient and effective way to fulfil<br />
an organisation’s objectives. An operational<br />
audit may include elements of a compliance<br />
audit, a financial audit and an information<br />
systems audit. This term is mainly used in<br />
the private sector.<br />
Performance audit: The independent and<br />
systematic examination of the management<br />
of an organisation, program, or function<br />
for the purpose of identifying whether<br />
the management is being carried out in<br />
an efficient and effective manner, and<br />
whether management practices promote<br />
improvement. This term is mainly used<br />
in the public sector, and a performance<br />
audit may be the same as or similar to an<br />
operational audit.<br />
Quality audit: The systematic examination<br />
and evaluation of all activities related to<br />
the quality of a product or service, to<br />
determine the suitability and effectiveness<br />
of the activities to meet quality goals.<br />
Value for money (VFM) audit: An<br />
examination of how resources are<br />
allocated and utilized. The audit is<br />
concerned with interrelated concepts of<br />
efficiency, effectiveness, economy, and<br />
organisational outcomes. VFM audits<br />
are more common in the public sector<br />
than the private sector since the profit<br />
criterion is lacking in the public sector, and<br />
they may be the same as or similar to a<br />
performance audit.<br />
What influences the type of work?<br />
The range and type of the internal auditor’s<br />
work depend on a number of factors:<br />
The mandate for internal audit<br />
contained in the internal audit<br />
charter: This is what the audit committee<br />
and the organisation want internal audit<br />
to do. Although ideally this should include<br />
both assurance services and consulting<br />
services, it is true to say that some audit<br />
committees and management believe that<br />
internal audit should not stray from its<br />
roots of providing assurance, so in some<br />
organisations the internal audit charter<br />
has focused only on the provision of<br />
assurance services. This attitude peaked<br />
following the corporate collapses of the<br />
1990s. However, more enlightened audit<br />
committees and management of today<br />
seek a more comprehensive internal<br />
auditing service for the organisation. This<br />
has the potential to add a lot of value,<br />
rather than just reporting what is wrong<br />
in compliance and financial areas.<br />
To whom the chief audit executive<br />
reports: The chief audit executive should<br />
report to the audit committee functionally<br />
and for operations, and to the chief<br />
executive officer for administration. Where<br />
a chief audit executive may have other<br />
reporting arrangements - for example to a<br />
chief executive officer for operations and<br />
administration, or worse, to a chief financial<br />
officer - there is a risk that internal audit<br />
may lose a measure of its independence.<br />
This has a potential to impact negatively on<br />
the range and type of work to be performed<br />
by internal audit.<br />
The capability and skills of the internal<br />
auditors: As the work of internal audit<br />
moves toward more difficult methods<br />
of operating, the complexity of internal<br />
audit work increases. This means that the<br />
capability and skills of the internal auditor<br />
need to be greater, and many internal<br />
auditors see this as a quantum leap so great<br />
that they prefer to remain comfortable<br />
where they are.<br />
Any legislative or regulatory<br />
requirements of internal audit: The work<br />
of internal audit will nearly always have a<br />
role to provide assurance of legislative and<br />
regulatory compliance; this is an important<br />
role that should never be forgotten.<br />
Case Study<br />
Designing a Comprehensive Internal<br />
Audit Plan<br />
Table 4: The chief audit executive’s risk-based annual internal audit plan<br />
Audit Type | Cyclical 12 months scheduled hours | Rolling 6 months scheduled hours | Rolling 3 months reserve hours | Rolling 3 months unassigned hours | Annual total hours<br />
Compliance: Assurance | 6,000 | 0 | 0 | 0 | 6,000<br />
Compliance: Consulting | 0 | 0 | 0 | 0 | 0<br />
Financial: Assurance | 750 | 2,500 | 1,000 | 500 | 4,750<br />
Financial: Consulting | 250 | 0 | 0 | 0 | 250<br />
IT: Assurance | 3,000 | 0 | 0 | 0 | 3,000<br />
IT: Consulting | 3,000 | 0 | 0 | 0 | 3,000<br />
Operational / Performance: Assurance / Consulting | 500 | 2,500 | 1,000 | 1,000 | 5,000<br />
Internal audit planning | 500 | 0 | 0 | 0 | 500<br />
Audit monitor and follow-up | 500 | 0 | 0 | 0 | 500<br />
Audit committee | 500 | 0 | 0 | 0 | 500<br />
External audit co-ordination | 1,500 | 0 | 0 | 0 | 1,500<br />
Total | | | | | 25,000<br />
A large public sector organisation with<br />
a significant commitment to internal<br />
auditing provided sufficient funds to<br />
resource an internal audit function of<br />
25,000 audit hours each year. The audit<br />
committee wanted an internal audit plan<br />
of work that provided assurance and<br />
examined how well the organisation was<br />
operating, but which was also responsive<br />
to the changing needs and risks of the<br />
organisation. The risk-based internal audit<br />
plan of work that the chief audit executive<br />
designed to achieve this is summarized<br />
in Table 4.<br />
Rather than have a static internal audit<br />
plan, the plan shown in the table was<br />
designed to cover an 18-month period<br />
with a refresher every six months so that<br />
workflows could be smoothed and work<br />
allocated to internal auditors continuously.<br />
The plan encompassed the following<br />
areas:<br />
• Cyclical 12 months scheduled: For high-risk<br />
areas worthy of annual internal<br />
audit attention.<br />
• Rolling 6 months scheduled: Higher-risk<br />
areas scheduled for periodic or<br />
one-off internal audits.<br />
• Rolling 3 months reserve: Areas held<br />
in reserve in case of postponement or<br />
cancellation of other internal audits.<br />
• Rolling 3 months unassigned: Reserved<br />
for on-demand internal audits initiated<br />
by management for emerging business<br />
issues and risks.<br />
Conclusion<br />
The range and type of the internal auditor’s<br />
work depend on a number of factors:<br />
• The mandate for internal audit<br />
contained in the internal audit charter.<br />
• What the audit committee wants<br />
internal audit to do, and how<br />
enlightened it is.<br />
• What management wants internal<br />
audit to do.<br />
• To whom the chief audit executive<br />
(head of internal audit) reports.<br />
• The capability and skills of the internal<br />
auditors.<br />
• Any legislative or regulatory<br />
requirements of internal audit.<br />
Making It Happen<br />
The chief audit executive should look to his<br />
or her audit committee and management<br />
for guidance on the range and type of<br />
work to be performed by the internal<br />
audit function. However, the chief audit<br />
executive, as an internal audit professional,<br />
should be using his or her knowledge and<br />
experience to identify and influence the<br />
formulation of a risk-based internal audit<br />
plan of work that best provides for the<br />
needs of the organisation. This is likely to<br />
be a blended plan of internal audit work<br />
that encompasses both assurance services<br />
and consulting services:<br />
Assurance Services<br />
• Part of the overall internal audit plan<br />
of work.<br />
• Annual or longer-term focus.<br />
• Risk-based.<br />
• May include cyclical internal audits of<br />
higher-risk areas.<br />
• Need to consider legislative and<br />
regulatory requirements.<br />
• Need to consider external audit to<br />
avoid duplication of audit effort.<br />
• Estimated hours for audit topics<br />
assessed from previous internal audits<br />
(structured gut feel).<br />
• Focus on compliance, financial issues<br />
and risks, financial controls, and IT<br />
reviews.<br />
Consulting Services<br />
• Part of the overall internal audit plan<br />
of work.<br />
• Flexible, rolling focus - rather than<br />
fixed in time.<br />
• Risk-based and customer-focused.<br />
• If limited previous data are available,<br />
estimate hours needed for internal<br />
audit topics on the basis of the<br />
best available information and past<br />
experience (unstructured gut feel).<br />
• Focus on current and emerging<br />
business issues and risks, and system<br />
under development reviews.<br />
Further reading:<br />
Books:<br />
• Australian National Audit Office.<br />
Public Sector Audit Committees:<br />
Having the Right People is the Key.<br />
Canberra: Australian National Audit<br />
Office, 2005.<br />
• Australian National Audit Office.<br />
Public Sector Internal Audit - An<br />
Investment in Assurance and Business<br />
Improvement. Canberra: Australian<br />
National Audit Office, 2007.<br />
• Pickett, K. H. Spencer. Audit Planning:<br />
A Risk-Based Approach. Hoboken, NJ:<br />
Wiley, 2006.<br />
• Reding, Kurt F., Paul J. Sobel, Urton<br />
L. Anderson, Michael J. Head, Sridhar<br />
Ramamoorti, and Mark Salamasick.<br />
Internal Auditing: Assurance and<br />
Consulting Services. Altamonte<br />
Springs, FL: IIA Research Foundation,<br />
2007.<br />
• Sawyer, Lawrence B., Mortimer A.<br />
Dittenhofer, and James H. Scheiner.<br />
Sawyer’s Internal Auditing: The<br />
Practice of Modern Internal Auditing.<br />
5th ed. Altamonte Springs, FL: IIA<br />
Research Foundation, 2003.<br />
Standards:<br />
• Institute of Internal Auditors (IIA).<br />
International Standards for the<br />
Professional Practice of Internal<br />
Auditing. Altamonte Springs, FL: IIA,<br />
2007. Online at: www.theiia.org/<br />
guidance/standards-and-guidance/<br />
ippf/standards<br />
Website:<br />
• The Institute of Internal Auditors:<br />
www.theiia.org<br />
Article originally published in “QFinance:<br />
The Ultimate Resource”, 2009. Republished<br />
by courtesy of Bloomsbury. For further<br />
details visit www.bloomsbury.com/qfinance<br />
or www.qfinance.com<br />
About the Author:<br />
Andrew Cox MBA MEC CIA CISA CFE CGAP CSQA MACS is<br />
acknowledged as a leader in quality assurance and improvement<br />
of internal audit activities in organisations. In recent times he<br />
worked for IIA - Australia and conducted 25 quality assessments<br />
of Internal Audit Departments in various organisations. Over his<br />
career he has been a senior internal audit executive in Australia<br />
and has managed 8 internal audit activities. He is now working in<br />
the United Arab Emirates.<br />