IIA April 2010.pdf - UAE IAA

Issue No. 13, April 2010
Going Full Blast.....
11 th Annual Regional Gulf
Audit Conference
What is the Range of the Internal
Auditor’s Work - By: Andrew Cox

4 March 2010
12 March 2010
th O n 1 November, 7 a half-day course on Quality Assurance and Improvement by Andrew Cox was held in Dubai. The same
was held on 24 th November in Abu Dhabi. Andrew Cox is acknowledged as a leader in quality assurance and improvement
of internal audit activities in organisations, both in the private and public sectors. The course focused on how quality
assessments can raise the profile of the IA Department with chief executives and audit committees. It also honed in on
preparing an independent quality assessment, self-assessment for the IA Department followed by an independent validation.
Visuals from the event…
It got its name because its founders got
started by applying patches to code
The name came from the river Adobe written for NCSA’s httpd daemon. The
Creek that ran behind the house of result was ‘A PAtCHy’ server - thus,
founder John Warnock.
the name Apache.
but an abbreviation of San
Francisco. The company’s logo
reflects its San Francisco name
heritage. It represents a stylized
Golden Gate Bridge.
Packard tossed a coin
to decide whether the
company they founded
would be called
Hewlett-Packard or
Packard-Hewlett.
16 March 2010
By: Andrew Cox
boast about the amount of
information the search-engine
would be able to search. It was
originally named ‘Googol’, a
word for the number represented
by 1 followed by 100 zeros. After
founders - Stanford graduate
students Sergey Brin and Larry
Page presented their project to
an angel investor, they received a
cheque made out to ‘Google’.
Moore wanted to name
their new company ‘Moore
Noyce’ but that was already
trademarked by a hotel chain,
so they had to settle for
an acronym of INTegrated
ELectronics.
The Evolution of Internal Auditing
The evolution of how internal audit determined what it would audit can be tracked in Table 1.
Then (up to the 1990s)
• Areas for internal audit identified on a functional
basis from historic information.
• Set of one-dimensional risk factors applied
(high, moderate, low).
• Input into a model and prioritization based on risk
rankings.
• 3 or 5 year strategic internal audit plan based on risk
rankings.
• Annual internal audit plan based on available
resources. Presented to the audit committee (but
not always).
Apple Computers
Favourite fruit of founder Steve Jobs. He
was three months late in filing a name
for the business, and he threatened to
call his company Apple Computers if the
other colleagues didn’t suggest a better
name by 5 o’clock.
of accessing email via the web
from a computer anywhere in
the world. When Sabeer Bhatia
came up with the business plan
for the mail service, he tried all
kinds of names ending in ‘mail’
and finally settled for Hotmail
as it included the letters “html”
- the programming language
used to write web pages. It was
initially referred to as HoTMaiL
with selective upper casings.
Executive Summary
• The mandate for internal audit contained in the internal audit charter.
• What the audit committee and management want internal audit to do.
• T whom the chief audit executive (head of internal audit) reports.
• The capability and skills of the internal auditors.
• Any legislative or regulatory requirements of internal audit.
Introduction
Internal auditing is an evolving profession. It has been around for a very long time, probably since
the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal
auditing, the Institute of Internal Auditors (IIA), was formed that internal auditing was set on its
path to emerging as a profession.
Subsequently, professional standards and a code of ethics for internal auditing have been
established and in 1974 professional certification for internal auditing was created, with the
designation Certified Internal Auditor. Over time, the scope of internal auditing has changed
significantly.
Advantages Disadvantages
• Often cyclical (every year). • Done in isolation of the business.
• Well known to internal • Time-consuming.
auditors.
• Focus on functional areas.
• Safe approach.
• May not be timely, relevant or
responsive.
• Correlation between risk rankings
and internal audit plan often weak.
• Assumed a static organisation.
Today fraud is a key buzzword among and assessing risks involved in achieving the execution of controls will do so
corporations (big and small) and compliance an entity’s objectives.
responsibly and to the best of their
professionals alike. Recent large fraud
ability. While this assumption may be
cases are often used to build a business iii) Control Activities are the policies and correct during an internal control risk
case for spending large amounts of money procedures that enforce management’s assessment, it does not hold good while
in implementing a Control Framework. directives.
assessing fraud risks.
Surveys such as the ACFE 2008 Report
to the Nation show that implementation iv) Information and Communication, which An individual breaching his fiduciary
of a control framework has a measurable allows the exchange of information in responsibilities is an Occupational Fraud!!
impact on the organisation’s exposure the right quantities and to the right
to fraud. The survey revealed that persons across the organisation A key differentiator between Internal
organisations that implemented anti-fraud
Controls and Anti Fraud Controls is the
controls suffered much lower losses than v) Monitoring is the process that assesses Human Element. Failure to assess the
organisations without anti fraud controls. the quality of the Framework over a Human Element can cause frauds to
Though many Control Frameworks period of time.
happen in organisations that otherwise
were developed and propagated over
seem to have a robust and comprehensive
the years, the most commonly applied Generally, Corporations build their Anti- internal control framework.
Control Framework is the one developed Fraud controls on the principles of the
in the early nineties by the Committee Of COSO framework. To do so, organisations Before addressing how to prioritize fraud
Sponsoring Organisations of the Treadway first identify fraud risks and prioritize risks, let’s understand why do people
Commission, better known as the COSO them according to risks that matter the commit fraud?
Framework (“COSO”). COSO identifies most. Prioritization is generally done
5 components, which when integrated by assessing the impact and likelihood of One of the best theories on why people
and operating in all business units, will an inherent risk. Impact is the extent to commit fraud was given by Mr. Donald
help establish an effective internal control which the risk, if realized, would impact the Cressey in his book “Other People’s
framework. These 5 components are: organisation. Likelihood is the probability Money” . As per this hypothesis, fraud
of a risk occurring over a pre-defined time occurs when an individual has:
i) Control Environment, which sets period which is generally the organisation’s
the moral tone of the organisation, planning horizon.
a. A non sharable financial problem
influencing the control consciousness of
the organisation and is the foundation While prioritizing risks on impact and b. Perceives an opportunity to resolve
upon which all other components are likelihood, it is generally assumed that the situation
built
individuals will honour their fiduciary
responsibilities to the organisation. In c. Has the ability to rationalize his misdeed
ii) Risk Assessment involves identifying other words, people entrusted with even before committing them.
6 March 2010
A company’s IT (Information Technology)
organisation is no stranger to scrutiny when it comes
to corporate responsibility and sustainability.
As a major consumer of electricity in many
organisations and a significant producer of
waste electronics, IT has been among the
first to come under pressure to better
manage energy consumption and to
“reduce, reuse, and recycle” in
order to improve efficiency and
lessen environmental impact.
Fortunately, in improving its sustainability opportunity to improve its financial
performance, IT has had a lot of low-hanging performance while jumpstarting green
fruit to choose from, including server change throughout the larger organisation
consolidation, application rationalization, as well as reducing environmental impacts.
procurement of energy-efficient hardware,
better printing policies, and even simple The areas where IT can address
behavioral changes such as having people sustainability issues directly are through
turn off the lights and shut down their its acquisition, usage and disposal policies.
desktop computers at night. Electronic Consolidation and virtualization initiatives,
components consume substantial amounts for example, have generated advantages
of electricity and produce significant in terms of cost and operational efficiency
amounts of heat – not to mention that and also led to a reduced impact on the
they often contain heavy metals and other environment as utilization rates reduce
toxins that pose disposal issues. Clearly, energy consumption. Beyond virtualization,
IT must play a big part in going green, if a as new equipment is brought in as part of
company is to be effective at it.
the move to denser blade configurations
and 64-bit architectures, or simply to
A competitive advantage
provide additional capacity, organisations
Responding to a growing wave of will also benefit from advances in processor
investor activism, consumer demands efficiency.
and regulations around environmental
sustainability, companies are looking for The Green Data Center at the Core of
ways to gain a competitive advantage Green IT
by adopting green business practices. IT
can be a catalyst for realizing short and Finance, IT and business unit executives
long-term business benefits through the in large companies around the world
implementation of green approaches. have come to embrace environmentally
Green IT thus can offer a company the sustainable business practices that are
10 March 2010
14 March 2010
By: Vishal Thakkar
global financial upheaval of the past two years has seen many
commentators questioning the value of audit.
While attention has naturally been most focused on the large
end of the audit profession, which is involved with the banks and
other major financial institutions, there are also important issues
at the smaller end of the audit market. Given the removal in
recent years of the statutory audit requirement for many entities
with turnover below £6.5m, audit is increasingly a voluntary
exercise in this sector and so needs to demonstrate the value it
brings to business.
In its new policy paper, entitled Restating the Value of Audit,
ACCA argues that against this backdrop of change, it is vital
for the accountancy profession to re-examine the role of audit
and to question whether a sufficiently strong case is being put
forward for the benefits that audit can provide to businesses, the
economy and society. We f irmly believe that audit has a key role
to play as a source of public confidence in financial reporting but
note that there is currently little published research, which seeks
to demonstrate the value of audit in promoting business trust.
http://www.accaglobal.com/page/3305046
our new survey shows, CEOs continue to work to strengthen
their organisations whilst seeking opportunities emerging from
structural shifts in their industries, economies and regulatory
environments.
The 13 th Annual Global CEO Survey offers an up-close look at
how business leaders have responded to the challenges brought
about by the recession, the concerns they are facing today and
their strategies for positioning their companies for the long-term.
The recession in developed nations was the worst many CEOs
had ever experienced. The resulting rupture to business planning
and operations was clear in our survey of 1,198 business leaders
from around the world for the PricewaterhouseCoopers 13th
Annual Global CEO Survey. Business leaders are emerging with
a healthy respect for risk, volatility and flexibility.
http://www.pwc.com/gx/en/ceo-survey/download.jhtml?WT.
ac=flash_01-2010_ceo-survey-hp_download
changing their IT practices in an effort
to save money, improve performance
and lessen their impact on the physical
environment.
For example, Marriott International’s
efforts to lower its IT power consumption
over the past few years have not only
resulted in greener and more sustainable
IT operations, but also serve as a risk
mitigation tool. Their data centers are
protected from nature, nuclear attacks and
electronic eavesdropping, amongst other
IT threats because of their location. The
company has built a data center 300 feet
below ground, in a former Pennsylvania
mine. The mine maintains an ambient air
temperature of 53 degrees Fahrenheit.
In addition, virtualization software from
vendors has helped the hospitality giant
reduce its server population by more than
one-third over the past three years. Storage
virtualization and archiving technologies
have enabled the company to slash its
storage energy costs by more than 50%
over that same period.
we are likely to reflect on just how dramatically it changed the
corporate landscape. Not only will it have sent some mighty
business names to the wall, it will also have been responsible for
fundamentally changing the way the business world operates.
One such example may be in the way that corporate value is
determined; will financial measures still be used in isolation as the
measure of business value? This approach will soon be challenged,
claims Rodger Hill of KPMG Advisory.
The days of purely measuring business performance by financial
result may well be numbered. In its place discerning investors will
look for something broader to measure an entity’s real contribution
and performance.
That something could be in the shape of the “triple bottom line”;
an amalgam of financial results and an assessment of the social and
environmental impacts of a business. Or, when stated differently:
People, Planet and Profits.
http://www.kpmg.com/Global/en/IssuesAndInsights/
ArticlesPublications/Press-releases/Pages/Press-release-
Introducing-the-triple-bottom-line-1-Mar-2010.aspx
About the Author:
Vishal Thakkar is a qualified
Chartered Accountant and Certified
Internal Auditor. He is currently
working with Group Internal Audit
department of Dubai World and can
be contacted at
vishalkthakkar@yahoo.com
…Going Full Blast…
4
UAE-IAA Past Events
Course on Quality Assurance
and Improvement
Message from the President
On behalf of the UAE Internal Audit Association’s Board of Governors, I wish
to extend a warm welcome to all the delegates to the 11 th Annual Regional Gulf
Audit Conference in Abu Dhabi. Our theme for this year is ‘2010 and Beyond’,
and we urge you to join us in “going full blast” in enthusiasm, as we start the
implementation of programs and planned activities for this still challenging year.
Firstly, we encourage you to optimize your learning and networking opportunities
during this conference by actively participating in the pre-conference workshops on
Day 1 and the main conference sessions, which will cover topical issues impacting
our profession. We are fortunate to have with us as keynote speaker, our IIA
Global President, Mr. Richard Chambers.
You are also invited to participate in the Global Internal Audit Survey, which opened
on March 15, 2010 and is available in both the IIA and UAE-IAA websites. The
survey is expected to be completed by over 15,000 internal auditors from around
the globe, in more than 20 languages. Results will provide insight into emerging
issues and trends, as well as developments and changes within the profession. We
are pleased to have set another milestone at the Institute by successfully providing
an Arabic translation for this survey.
As we ended the first quarter, we near the completion of a Memorandum of
Understanding with the American University of Sharjah, to initiate cooperative
agreements with educational institutions in the UAE / Region. In February, we
were also privileged to have shared our programs and experiences with IIA Saudi
Arabia when they visited us for a benchmarking exercise.
As we progress on in 2010 and beyond, we set up a dedicated staff to better
provide the services of the Institute. Once again, we request your wholehearted
support in achieving all our plans and objectives.
Abdulqader Obaid Ali
President
UAE-IAA
April 2010
Board of Governors
UAE-IAA Chapter
President:
Abdulqader Obaid Ali
abdulqader.obaidali@dubaiworld.ae
Board Members:
Abdulrahman Al Hareb
abdulrahman.alhareb@dubaiholding.com
Abdulrahman Ba Saeed
abdulrahman.basaeed@dubaiworld.ae
Adnan Zaidi
adnan.zaidi@protivitiglobal.ae
Ahmad Dahabiyeh
adahabiyeh@adaa.ae
Amir Gergawi
amir.algergawi@du.ae
Badr Mohammed Buhannad
bbuhannad@dso.ae
Karem Obeid
karem.obeid@dubaiholding.com
Khalid Halyan
khalhalyan@dca.gov.ae
Laila Al Humairi
laila.alhumairi@gmail.com
Raza Abdulla
raza.abdulla@emirates.com
Venkataraman
venkat@habtoor.com
Yaser Al Yaish
yaser.yasih@gmail.com
Newsletter Committee:
Vishal Thakkar
Dubai World
Mayur Motwani
Protiviti Middle East
Julion Ruwette
Deloitte & Touche, (M.E.)
8
How famous companies
were named?
Cisco
The name is not an acronym
Hewlett-Packard
Bill Hewlett and Dave
12
Google
The name started as a jockey
Intel
Bob Noyce and Gordon
16
Hotmail
Founder Jack Smith got the idea
What Is the Range
of the Internal
Auditor’s Work?
UAE-IAA Events
Fraud Risk Assessment: the
Human Element
– By: Santosh Noronha
11 th Annual Regional Gulf
Audit Conference
How famous companies
were named
Green IT
– By: Fadi Sidani
Knowledge Update
– By: Vishal Thakkar
What is the range of the Internal
Auditor’s Work
– By: Andrew Cox
6
By: Santosh Noronha
Fraud Risk
Assessment:
The Human
Element
10
By: Fadi Sidani
Green IT
IT at the Core of office greening initiatives
Knowledge
Update
Restating the value of audit
The role of audit is under heightened scrutiny. The unprecedented
13 th Annual Global CEO
Survey
The effects of the recent downturn were far-reaching, but as
14
Introducing the triple
bottom line
Once the credit crisis is firmly consigned to corporate history,
Contents
Editor:
Manjula Ramakrishnan
UAE-IAA Newsletter welcomes editorial
contributions and feedback from readers.
Write in to editor@iiauae.org
Affliated to The Institute of Internal Auditors • 247 Maitland Avenue • Altamonte Springs,
Florida 32701-4201 USA +1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org • Copyright 2008
Disclaimer: It is hereby notified that all opinions, facts or views expressed in this magazine are those of
the author and need not necessarily represent the views of UAE-IAA. The advertising of events, courses,
products and services in this publication does not imply that they have UAE-IAA endorsement.
2 April 2010 3 April 2010

UAE-IAA Past Events
Course on Quality Assurance
and Improvement
Mr. Abdullah Al Rowais, Chief Audit Executive of Mobily, recently visited Dubai. On the 22 nd of February, as the representative
of the IIA-Saudi Chapter, Mr. Rowais had a benchmarking meeting with the UAE-IAA Chapter. Other UAE-IAA delegates who
attended the meeting were Abdulqader Obaid Ali, Neeraj Kumar, Adil Buhariwalla, Raymund Mungkal, Abdulrahman BaSaeed
and Khalid Halyan.
On 17 th November, a half-day course on Quality Assurance and Improvement by Andrew Cox was held in Dubai. The same
was held on 24 th November in Abu Dhabi. Andrew Cox is acknowledged as a leader in quality assurance and improvement
of internal audit activities in organisations, both in the private and public sectors. The course focused on how quality
assessments can raise the profile of the IA Department with chief executives and audit committees. It also honed in on
preparing an independent quality assessment, self-assessment for the IA Department followed by an independent validation.
Visuals from the event…
4 April 2010 5 April 2010

By: Santosh Noronha
Fraud Risk
Assessment:
The Human
Element
Today fraud is a key buzzword among
corporations (big and small) and compliance
professionals alike. Recent large fraud
cases are often used to build a business
case for spending large amounts of money
in implementing a Control Framework.
Surveys such as the ACFE 2008 Report
to the Nation show that implementation
of a control framework has a measurable
impact on the organisation’s exposure
to fraud. The survey revealed that
organisations that implemented anti-fraud
controls suffered much lower losses than
organisations without anti-fraud controls.
Though many Control Frameworks
were developed and propagated over
the years, the most commonly applied
Control Framework is the one developed
in the early nineties by the Committee Of
Sponsoring Organisations of the Treadway
Commission, better known as the COSO
Framework (“COSO”). COSO identifies
5 components, which when integrated
and operating in all business units, will
help establish an effective internal control
framework. These 5 components are:
i) Control Environment, which sets
the moral tone of the organisation,
influencing the control consciousness of
the organisation and is the foundation
upon which all other components are
built.
ii) Risk Assessment involves identifying
and assessing risks involved in achieving
an entity’s objectives.
iii) Control Activities are the policies and
procedures that enforce management’s
directives.
iv) Information and Communication, which
allows the exchange of information in
the right quantities and to the right
persons across the organisation.
v) Monitoring is the process that assesses
the quality of the Framework over a
period of time.
Generally, Corporations build their Anti-
Fraud controls on the principles of the
COSO framework. To do so, organisations
first identify fraud risks and prioritize
them according to risks that matter the
most. Prioritization is generally done
by assessing the impact and likelihood of
an inherent risk. Impact is the extent to
which the risk, if realized, would impact the
organisation. Likelihood is the probability
of a risk occurring over a pre-defined time
period, which is generally the organisation’s
planning horizon.
While prioritizing risks on impact and
likelihood, it is generally assumed that
individuals will honour their fiduciary
responsibilities to the organisation. In
other words, people entrusted with
the execution of controls will do so
responsibly and to the best of their
ability. While this assumption may be
correct during an internal control risk
assessment, it does not hold good while
assessing fraud risks.
An individual breaching his fiduciary
responsibilities is an Occupational Fraud!!
A key differentiator between Internal
Controls and Anti Fraud Controls is the
Human Element. Failure to assess the
Human Element can cause frauds to
happen in organisations that otherwise
seem to have a robust and comprehensive
internal control framework.
Before addressing how to prioritize fraud
risks, let’s understand why do people
commit fraud?
One of the best theories on why people
commit fraud was given by Donald Cressey
in his book “Other People’s Money”. As
per this hypothesis, fraud occurs when an
individual has:
a. A non sharable financial problem.
b. Perceives an opportunity to resolve
the situation.
c. Has the ability to rationalize his misdeed
even before committing them.
In other words for an individual to commit
fraud, he should be under pressure from
a financial problem which the individual
perceives cannot be solved through other
means. These problems often manifest
themselves into behaviour patterns or
red flags, which if spotted in time, could
prevent a fraud from happening. As per
the ACFE 2008 Report to the Nation, the
most commonly cited behavioral red flags
were perpetrators living beyond their
apparent means or experiencing financial
difficulties at the time of the fraud.
Even if an individual has the motive,
2
Real or Perceived
Opportunity
Weak controls / Employees in
positions of trust
Incentive or Pressure
Financial, personal, unrealistic
corporate objectives, etc.
FRAUD
he cannot perpetrate the fraud unless
presented with an opportunity.
Opportunities could arise due to a number
of factors within the organisation such as
high turnover of management in key roles,
lack of segregation of duties or a complex
1
Traditional Risk Assessment Criteria
Fraud Risk Assessment Criteria
organisation structure.
Rationalization of the act is the last element
in understanding why people commit
fraud. Most people believe themselves
as good and need to convince themselves
that their actions were justified. Some of
these justifications are:
• I was going to pay it back
• Everybody does it
• I am not hurting anyone
• I was helping my family
• This is nothing compared to what xyz did...
To sum up, when this individual under
pressure is presented with an opportunity
and is able to rationalize his planned actions,
fraud occurs. Over the years this hypothesis
is better known as the Fraud Triangle.
To be able to effectively prioritize fraud
risks, organisations should evaluate the
Human Element to the fraud risk. This
can be achieved by applying the principles
3
Attitude or
Rationalization
Beliefs such as “The activity is
not criminal,” “Everybody is
doing it,” etc.
of the Fraud Triangle to the traditional risk
assessment criteria of Impact and Likelihood.
This is illustrated in the table below:
For example, in an organisation where
an individual performs a number of key
controls – if this individual’s personal
integrity and values are high, the chances
of fraud happening is significantly lower
than when the individual’s personal
integrity is low. Understanding the people
who manage key internal controls in an
organisation, their values and attitude could
go a long way in minimizing the incidence
of fraud and help build effective anti-fraud
deterrents within an organisation.
To sum up, it is important for organisations
to consider the human element while
prioritizing its key fraud risks. Besides, there
are a number of cost effective measures
that can assist in improving the anti-fraud
environment within an organisation. These
are as under:
• Establish a Code of Ethics and clearly
communicate expectations to all
stakeholders.
• Develop Fraud Policies which clearly
describe company policies and
procedures relating to fraud.
• Invest in a communication and training
program on fraud and corporate fraud
policies for all employees.
• Ensure proper segregation of duties for
key activities and functions.
• Set up appropriate recruitment
procedures to select the right
candidates.
• Set up policies for rotation of staff
duties and forced vacations.
• Know your key fraud risks and controls.
Monitor them regularly.
• Set up a whistle blower hotline.
About the Author:
Santosh Noronha is a Manager with Ernst & Young Dubai working
in the Fraud Investigation and Dispute Services Practice. Opinions
expressed in this article belong solely to the author, and do not
necessarily represent the views of Ernst & Young. To comment on
this article, feel free to email the author at
santosh.noronha@ae.ey.com
6 April 2010 7 April 2010

8 April 2010 9 April 2010

By: Fadi Sidani
Green IT
IT at the Core of office greening initiatives
A company’s IT (Information Technology)
organisation is no stranger to scrutiny when it comes
to corporate responsibility and sustainability.
As a major consumer of electricity in many
organisations and a significant producer of
waste electronics, IT has been among the
first to come under pressure to better
manage energy consumption and to
“reduce, reuse, and recycle” in
order to improve efficiency and
lessen environmental impact.
Fortunately, in improving its sustainability
performance, IT has had a lot of low-hanging
fruit to choose from, including server
consolidation, application rationalization,
procurement of energy-efficient hardware,
better printing policies, and even simple
behavioral changes such as having people
turn off the lights and shut down their
desktop computers at night. Electronic
components consume substantial amounts
of electricity and produce significant
amounts of heat – not to mention that
they often contain heavy metals and other
toxins that pose disposal issues. Clearly,
IT must play a big part in going green, if a
company is to be effective at it.
A competitive advantage
Responding to a growing wave of
investor activism, consumer demands
and regulations around environmental
sustainability, companies are looking for
ways to gain a competitive advantage
by adopting green business practices. IT
can be a catalyst for realizing short and
long-term business benefits through the
implementation of green approaches.
Green IT thus can offer a company the
opportunity to improve its financial
performance while jumpstarting green
change throughout the larger organisation
as well as reducing environmental impacts.
The areas where IT can address
sustainability issues directly are through
its acquisition, usage and disposal policies.
Consolidation and virtualization initiatives,
for example, have generated advantages
in terms of cost and operational efficiency
and also led to a reduced impact on the
environment as utilization rates reduce
energy consumption. Beyond virtualization,
as new equipment is brought in as part of
the move to denser blade configurations
and 64-bit architectures, or simply to
provide additional capacity, organisations
will also benefit from advances in processor
efficiency.
The Green Data Center at the Core of
Green IT
Finance, IT and business unit executives
in large companies around the world
have come to embrace environmentally
sustainable business practices that are
changing their IT practices in an effort
to save money, improve performance
and lessen their impact on the physical
environment.
For example, Marriott International’s
efforts to lower its IT power consumption
over the past few years have not only
resulted in greener and more sustainable
IT operations, but also serve as a risk
mitigation tool. Their data centers are
protected from nature, nuclear attacks and
electronic eavesdropping, amongst other
IT threats because of their location. The
company has built a data center 300 feet
below ground, in a former Pennsylvania
mine. The mine maintains an ambient air
temperature of 53 degrees Fahrenheit.
In addition, virtualization software from
vendors has helped the hospitality giant
reduce its server population by more than
one-third over the past three years. Storage
virtualization and archiving technologies
have enabled the company to slash its
storage energy costs by more than 50%
over that same period.
Traditionally, data centers have been
designed to store, process, manage and
exchange information in order to either
support the informational needs of large
institutions or provide application services
or management for information technology,
telecommunication, web hosting, internet
or intranet. These data centers have been
designed to accommodate energy intensive
computing equipment and the speciallydesigned
infrastructure for high electrical
power consumption, redundant and
uninterruptible power and heat dissipation.
Based on their energy signatures, large data
centers are actually more like industrial
facilities than commercial buildings. Careful
attention is usually paid to maximizing the
computing power in the traditional data
center, but often very little consideration
is given to environmental issues.
Green data centers are ecologically friendly
data centers where the mechanical,
electrical, thermal, hosted systems and
building materials are all used to improve
energy efficiency and effectively manage
any negative environmental impact. Until
recently, no one seemed to care whether
or not data centers were environmentally
friendly. Now, financial, legislative and
environmental pressures are causing data
centers to take steps toward ‘going green.’
Baby steps
Environmental improvement and
sustainability initiatives can be addressed
and implemented through basic efforts
such as the thoughtful use of technology,
a combination of high-quality financial and
operating information, useful metrics and
well-considered business cases and strong
executive commitment. But there are no
simple answers to building a sustainable
enterprise.
Companies have taken many early steps
in the first wave of green IT to lessen
their environmental impact. For example,
they have retired out-of-date systems,
consolidated data centers like the
aforementioned example and adopted
substantially more efficient hardware and
cooling systems. These early efforts have
been focused on cutting waste, decreasing
energy usage, and optimizing the efficiency
of IT assets in data centers, on desktops,
and throughout company operations.
And executives say these early steps have
yielded returns that are satisfactory or
even better.
Some companies have been particularly
ambitious in leading environmental change,
whether led by a desire to keep pace
with competitors, to avoid penalties or
bad publicity, or simply their own sense
of right and wrong. Those who adopt a
wait-and-see attitude may well be caught
short, pulled under the next wave of
green IT and forced to struggle to catch
up or even survive. Those who are well
prepared, especially those who learned the
importance of strategic investments during
the last economic downturn may well be
able to ride this wave successfully and even
flourish as a result.
Evolve into a sustainable business over
time
Although Green IT efforts have focused in
particular on increasing energy efficiency
in IT infrastructure management, e.g.
‘Green Data Centers’, this focus does
not suffice. Environmental sustainability
needs to go beyond simply improving the
energy efficiency of the IT infrastructure
– and include business solutions that
help customers move towards greater
levels of maturity in their management of
sustainability practices.
‘Smart’ companies address environmental,
economic and social factors – the three
pillars that make a company sustainable.
Namely, IT that contributes to the wellbeing
of society, contributes to preserving
natural resources and ecosystem and IT
that improves economic sustainability.
Companies can take internal steps to
improve processes and cut waste, but the
giant leap forward will come from more
environmentally sensitive solutions coming
to market for them to employ. Such
progress will allow companies to mitigate
risk and strive to be a good corporate
citizen, an employer for which people want
to work, and a company that deserves
customers’ business.
IT as the catalyst for change
IT organisations do not have to tear down
their existing data centers and start from
scratch in order to start benefiting from
environmentally friendly technologies and
processes. IT organisations just need to
start considering these in the data center
planning process. Incorporating green
thinking into plans involves everything
from purchasing energy efficient hardware
made from more environmentally friendly
materials to implementing rationalization
projects to designing new data centers and
locating them in places where they can take
advantage of alternative power or cooling
methods. The sooner data centers start
taking steps toward implementing green
technologies and processes, the sooner
they will start realizing the benefits.
No blueprint or one-size-fits-all master plan
exists. But one thing above all others is clear:
the best results will come to organisations
which include IT as an integral supporting
element of its environmental and broader
sustainability initiatives.
About the Author:
Fadi Sidani is the Partner in charge of Enterprise Risk Services
(ERS) at Deloitte in the Middle East. Fadi has 22 years of global
experience in Risk Management, Consulting and Sustainability
work across various markets, industries and business functions.
He is a regular public speaker in many forums across the ME
region, and he has been involved in the set up and delivery of
various training courses for staff and clients. For more information
please contact + 971 4 369 8999
10 April 2010 11 April 2010

How famous companies
were named
Lotus
Mitch Kapor got the name
for his company from the
lotus position or ‘padmasana.’
Kapor used to be a teacher of
Transcendental Meditation of
Maharishi Mahesh Yogi.
It was coined by Bill Gates to
represent the company that was
devoted to MICROcomputer
SOFTware. Originally christened
Micro-Soft, the ‘-’ was removed
later on.
Founder Paul Galvin came
up with this name when his
company started manufacturing
radios for cars. The popular
radio company at the time was
called Victrola.
The name came from the river Adobe
Creek that ran behind the house of
founder John Warnock.
It got its name because its founders got
started by applying patches to code
written for NCSA’s httpd daemon. The
result was ‘A PAtCHy’ server - thus,
the name Apache.
Apple Computers
Favourite fruit of founder Steve Jobs. He
was three months late in filing a name
for the business, and he threatened to
call his company Apple Computers if the
other colleagues didn’t suggest a better
name by 5 o’clock.
Oracle
Larry Ellison and Bob Oats were
working on a consulting project
for the Central Intelligence
Agency (CIA). The code name
for the project was called Oracle
(the CIA saw this as the system
to give answers to all questions
or something such).
Red Hat
Company founder Marc Ewing
was given the Cornell lacrosse
team cap (with red and white
stripes) while at college by his
grandfather. He lost it and had
to search for it desperately. The
manual of the beta version of
Red Hat Linux had an appeal to
readers to return his Red Hat if
found by anyone!
SAP
“Systems, Applications,
Products in Data Processing”,
formed by four ex-IBM
employees who used to work
in the ‘Systems/Applications/
Projects’ group of IBM.
Cisco
The name is not an acronym
but an abbreviation of San
Francisco. The company’s logo
reflects its San Francisco name
heritage. It represents a stylized
Golden Gate Bridge.
Hewlett-Packard
Bill Hewlett and Dave
Packard tossed a coin
to decide whether the
company they founded
would be called
Hewlett-Packard or
Packard-Hewlett.
Google
The name started as a jockey
boast about the amount of
information the search-engine
would be able to search. It was
originally named ‘Googol’, a
word for the number represented
by 1 followed by 100 zeros. After
founders - Stanford graduate
students Sergey Brin and Larry
Page presented their project to
an angel investor, they received a
cheque made out to ‘Google’.
Intel
Bob Noyce and Gordon
Moore wanted to name
their new company ‘Moore
Noyce’ but that was already
trademarked by a hotel chain,
so they had to settle for
an acronym of INTegrated
ELectronics.
Founder Jack Smith got the idea
of accessing email via the web
from a computer anywhere in
the world. When Sabeer Bhatia
came up with the business plan
for the mail service, he tried all
kinds of names ending in ‘mail’
and finally settled for Hotmail
as it included the letters “html”
- the programming language
used to write web pages. It was
initially referred to as HoTMaiL
with selective upper casings.
Sony
From the Latin word ‘sonus’
meaning sound, and ‘sonny’
a slang used by Americans to
refer to a bright youngster.
Sun Microsystems
Founded by four Stanford
University buddies, Sun is the
acronym for Stanford University
Network.
The Greek root “xer” means
dry. The inventor, Chestor
Carlson, named his product
Xerox as it was dry copying,
markedly different from the
then prevailing wet copying.
The word was invented by Jonathan Swift and used in his book Gulliver’s Travels. It
represents a person who is repulsive in appearance and action and is barely human.
Yahoo! founders Jerry Yang and David Filo selected the name because they considered
themselves yahoos.
12 April 2010 13 April 2010

By: Vishal Thakkar
Knowledge
Update
Restating the value of audit
The role of audit is under heightened scrutiny. The unprecedented
global financial upheaval of the past two years has seen many
commentators questioning the value of audit.
With the changing
global scene
Stay in the front row
While attention has naturally been most focused on the large
end of the audit profession, which is involved with the banks and
other major financial institutions, there are also important issues
at the smaller end of the audit market. Given the removal in
recent years of the statutory audit requirement for many entities
with turnover below £6.5m, audit is increasingly a voluntary
exercise in this sector and so needs to demonstrate the value it
brings to business.
In its new policy paper, entitled Restating the Value of Audit,
ACCA argues that against this backdrop of change, it is vital
for the accountancy profession to re-examine the role of audit
and to question whether a sufficiently strong case is being put
forward for the benefits that audit can provide to businesses, the
economy and society. We firmly believe that audit has a key role
to play as a source of public confidence in financial reporting but
note that there is currently little published research, which seeks
to demonstrate the value of audit in promoting business trust.
http://www.accaglobal.com/page/3305046
13 th Annual Global CEO
Survey
The effects of the recent downturn were far-reaching, but as
our new survey shows, CEOs continue to work to strengthen
their organisations whilst seeking opportunities emerging from
structural shifts in their industries, economies and regulatory
environments.
The 13 th Annual Global CEO Survey offers an up-close look at
how business leaders have responded to the challenges brought
about by the recession, the concerns they are facing today and
their strategies for positioning their companies for the long-term.
The recession in developed nations was the worst many CEOs
had ever experienced. The resulting rupture to business planning
and operations was clear in our survey of 1,198 business leaders
from around the world for the PricewaterhouseCoopers 13 th
Annual Global CEO Survey. Business leaders are emerging with
a healthy respect for risk, volatility and flexibility.
http://www.pwc.com/gx/en/ceo-survey/download.jhtml?WT.
ac=flash_01-2010_ceo-survey-hp_download
Introducing the triple
bottom line
Once the credit crisis is firmly consigned to corporate history,
we are likely to reflect on just how dramatically it changed the
corporate landscape. Not only will it have sent some mighty
business names to the wall, it will also have been responsible for
fundamentally changing the way the business world operates.
One such example may be in the way that corporate value is
determined; will financial measures still be used in isolation as the
measure of business value? This approach will soon be challenged,
claims Rodger Hill of KPMG Advisory.
The days of purely measuring business performance by financial
result may well be numbered. In its place discerning investors will
look for something broader to measure an entity’s real contribution
and performance.
That something could be in the shape of the “triple bottom line”;
an amalgam of financial results and an assessment of the social and
environmental impacts of a business. Or, when stated differently:
People, Planet and Profits.
http://www.kpmg.com/Global/en/IssuesAndInsights/
ArticlesPublications/Press-releases/Pages/Press-release-
Introducing-the-triple-bottom-line-1-Mar-2010.aspx
About the Author:
Vishal Thakkar is a qualified
Chartered Accountant and Certified
Internal Auditor. He is currently
working with Group Internal Audit
department of Dubai World and can
be contacted at
vishalkthakkar@yahoo.com
In a globalized world, competition is everything. At Deloitte, we make
it our business to study and understand the competitive environment.
With 1,700 people in over 25 locations across the Middle East, and
access to the deep intellectual capital of 165,000 people worldwide,
Deloitte is your local resource to connect you to a global network of
expertise and innovation.
Working in partnership with you, our people design solutions that
bring tangible returns and sustainable growth for your business. From
auditing to tax, and consulting to financial advisory services, our
member firms provide a broader range of multidisciplinary services
than any of our competitors. For world-class thinking with an edge,
you know where to come.
Visit us at www.deloitte.com
Emaar Business Park
Sheikh Zayed Road
Building 1, 4th Floor, Suite 4
© 2008 Deloitte & Touche (M.E.). All rights reserved.
PO Box 282056 Dubai, UAE
Tel: +971 (0)4 369 8999
Fax: +971 (0)4 369 8998
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network
of member firms, each of which is a legally separate and independent entity. Please see
www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche
Tohmatsu and its member firms.
Eighty Years
in the Middle East
14 April 2010 15 April 2010

By: Andrew Cox
What Is the Range
of the Internal
Auditor’s Work?
Nowadays, Table 2 could be the best representation.
Table 2: The evolution of internal auditing, 1990s–2000s
Now (1990s–2000s)
• Areas for internal audit identified on a functional,
cross-organisational and strategic basis, may use the
organisation’s risk register.
• Discussed with senior management, additional
internal audit areas may be added.
• Set of risk factors applied, input into a model,
prioritized based on risk rankings.
• 3-year strategic internal audit plan based on risk
rankings.
• Annual internal audit plan based on available
resources. Presented to the audit committee.
Advantages
• Well known to internal
auditors.
• Done in consultation with the
business.
• Broader scope that considers
business risks.
• Facilitates integration of internal
audit, risk management and
strategic planning.
• Requires strong understanding
of the business.
Disadvantages
• Can be challenging.
• Time-consuming.
• May not be timely, relevant, or
responsive.
Executive Summary
The range of the Internal Auditor’s work is dependent on:
• The mandate for internal audit contained in the internal audit charter.
• What the audit committee and management want internal audit to do.
• To whom the chief audit executive (head of internal audit) reports.
• The capability and skills of the internal auditors.
• Any legislative or regulatory requirements of internal audit.
Introduction
Internal auditing is an evolving profession. It has been around for a very long time, probably since
the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal
auditing, the Institute of Internal Auditors (IIA), was formed that internal auditing was set on its
path to emerging as a profession.
Subsequently, professional standards and a code of ethics for internal auditing have been established
and in 1974 professional certification for internal auditing was created, with the designation
Certified Internal Auditor. Over time, the scope of internal auditing has changed significantly.
The Evolution of Internal Auditing
The evolution of how internal audit determined what it would audit can be tracked in Table 1.
Then (up to the 1990s)
• Areas for internal audit identified on a functional
basis from historic information.
• Set of one-dimensional risk factors applied
(high, moderate, low).
• Input into a model and prioritization based on risk
rankings.
• 3 or 5-year strategic internal audit plan based on risk
rankings.
• Annual internal audit plan based on available
resources. Presented to the audit committee (but
not always).
Advantages
• Often cyclical (every year).
• Well known to internal
auditors.
• Safe approach.
Disadvantages
• Done in isolation of the business.
• Time-consuming.
• Focus on functional areas.
• May not be timely, relevant or
responsive.
• Correlation between risk rankings
and internal audit plan often weak.
• Assumed a static organisation.
In the future Table 3 would be more accurate.
Table 3: The evolution of internal auditing, 2000s onward
Future (2000s onward)
• Areas for internal audit identified on a functional,
cross-organisational and strategic basis using the
organisation’s risk register and other relevant
information.
• Develop base audit plan.
• Discuss with senior management, including facilitated
workshops - additional audit areas may be added.
• Develop annual or longer-term assurance plan.
• Develop flexible, rolling internal audit consulting plan
to provide timely, relevant and responsive services.
• Present to audit committee.
The point is this: The range of an internal
auditor’s work will generally be related
to where he or she is currently placed in
regard to these three evolutionary phases
of the internal audit continuum. As we move
into the more difficult methods of operating
an internal audit function, the complexity
of internal audit work increases, and the
capability and skills of the internal auditor
need to be greater. Many internal auditors
are still in the early evolutionary phases of
internal auditing, because the future is seen
as too difficult and daunting.
What do the Standards say?
The internal auditing standards we will
consider here are those issued by the
Institute of Internal Auditors (IIA). The
internationally accepted definition of
internal auditing issued by the IIA is:
“Internal auditing is an independent, objective
Advantages
• Done in consultation with the
business.
• Timely, relevant, and
responsive.
• Broader scope taking into
account business risks.
• Facilitates integration of internal
audit, risk management, and
strategic planning.
assurance and consulting activity designed
to add value and improve an organisation’s
operations. It helps an organisation accomplish
its objectives by bringing a systematic,
disciplined approach to evaluate and improve
the effectiveness of risk management, control
and governance processes.”
This was a step up from the previous
definition, which concentrated on assurance.
This definition expanded the role of internal
audit to encompass consulting services.
To understand the difference between
assurance services and consulting services,
we need a couple of definitions:
Assurance: An objective examination
of the evidence for the purpose of
providing an independent assessment of
risk management, control, or governance
processes for an organisation. Examples
may include financial, performance,
Disadvantages
• Requires strong commitment
from senior management.
• Requires discipline to ensure
that the internal audit
consultation process is effective.
• May not be well known to
internal auditors.
compliance, system security and due
diligence engagements.
Consulting: Advisory and related client
service activities, the nature and scope of
which are agreed with the client, and which
are intended to add value and improve an
organisation’s governance, risk management,
and control processes without the internal
auditor assuming management responsibility.
Examples include counsel, advice, facilitation
and training.
It should be noted that the definitions of
internal auditing and the standards, focus on
risk management, control and governance:
Risk management: Internal audit should
assist the organisation by identifying and
evaluating significant exposures to risk and
contributing to the improvement of risk
management and control systems.
16 April 2010 17 April 2010

Control: Internal audit should assist
the organisation in maintaining effective
controls by evaluating their effectiveness
and efficiency and by promoting continuous
improvement.
Governance: Internal audit should assess
and make appropriate recommendations
for improving the governance process
in its accomplishment of the following
objectives:
• Promoting appropriate ethics and values
within the organisation.
• Ensuring effective organisational
performance management and
accountability.
• Effectively communicating risk and
control information to appropriate
areas of the organisation.
• Effectively coordinating the activities and
communicating information among the
board, external and internal auditors
and management.
What type of work?
So, what should be the range and type
of work carried out by internal audit for
an organisation? The IIA believes that the
work and methods of internal audit should
encompass:
• Conducting enterprise risk assessment.
• Utilizing risk and control selfassessment.
• Using internal control processes based
on COSO (Committee of Sponsoring
Organisations) guidelines.
• Partnering with management.
• Integrating corporate governance into
practice.
• Increasing staff performance.
• Communicating more effectively.
• Developing staff, both personally and
professionally.
• Using technology to increase staff
efficiency.
• Establishing an assurance function.
• Providing consulting services.
• Conducting audits in emerging areas.
• Utilizing performance measures.
This leads to the types of internal audit
provided by the internal audit function, which
may include some or all of the following:
Compliance audit: The review of both
financial and operating controls and
transactions to see how they conform to
established laws, standards, regulations and
procedures.
Financial audit: The examination of the
financial records and reports of a company
to verify that the figures in the financial
reports are relevant, accurate and complete.
The general focus is on making sure that all
assets and liabilities are properly recorded
on the balance sheet and that the statement
of income and expenses is correct.
Information technology (IT) audit: A
review of the controls within an entity’s
technology infrastructure. These reviews
are typically performed in conjunction
with a financial statement audit, internal
audit review, or other form of attestation
engagement.
On-demand audit: A request for an
internal audit initiated by the board, audit
committee, or management in response
to their particular concerns, and which has
not been scheduled in the internal audit
plan of work. It may also be known as a
management-initiated review.
Operational audit: Sometimes called
program or performance audits, these
examine the use of resources to evaluate
whether those resources are being used in
the most efficient and effective way to fulfil
an organisation’s objectives. An operational
audit may include elements of a compliance
audit, a financial audit and an information
systems audit. This term is mainly used in
the private sector.
Performance audit: The independent and
systematic examination of the management
of an organisation, program, or function
for the purpose of identifying whether
the management is being carried out in
an efficient and effective manner, and
whether management practices promote
improvement. This term is mainly used
in the public sector, and a performance
audit may be the same as or similar to an
operational audit.
and evaluation of all activities related to
the quality of a product or service, to
determine the suitability and effectiveness
of the activities to meet quality goals.
Value for money (VFM) audit: An
examination of how resources are
allocated and utilized. The audit is
concerned with interrelated concepts of
efficiency, effectiveness, economy, and
organisational outcomes. VFM audits
are more common in the public sector
than the private sector since the profit
criterion is lacking in the public sector, and
they may be the same as or similar to a
performance audit.
What influences the type of work?
The range and type of the internal auditor’s
work depend on a number of factors:
The mandate for internal audit
contained in the internal audit
charter: This is what the audit committee
and the organisation want internal audit
to do. Although ideally this should include
both assurance services and consulting
services, it is true to say that some audit
committees and management believe that
internal audit should not stray from its
roots of providing assurance, so in some
organisations the internal audit charter
has focused only on the provision of
assurance services. This attitude peaked
following the corporate collapses of the
1990s. However, more enlightened audit
committees and management of today
seek a more comprehensive internal
auditing service for the organisation. This
has the potential to add a lot of value,
rather than just reporting what is wrong
in compliance and financial areas.
To whom the chief audit executive
reports: The chief audit executive should
report to the audit committee functionally
and for operations, and to the chief
executive officer for administration. Where
a chief audit executive may have other
reporting arrangements - for example to a
chief executive officer for operations and
administration, or worse, to a chief financial
officer - there is a risk that internal audit
may lose a measure of its independence.
Table 4: The chief audit executive’s risk-based annual internal audit plan
Compliance
Assurance
Consulting
Financial
Assurance
Consulting
IT
Assurance
Consulting
Audit Type
Cyclical 12
months
scheduled
hours
6,000
0
750
250
3,000
3,000
Rolling 6
months
scheduled
hours
0
0
2,500
0
0
0
Rolling 3
months
reserve hours
0
0
1,000
0
0
0
This has a potential to impact negatively on
the range and type of work to be performed
by internal audit.
The capability and skills of the internal
auditors: As the work of internal audit
moves toward more difficult methods
of operating, the complexity of internal
audit work increases. This means that the
capability and skills of the internal auditor
need to be greater, and many internal
auditors see this as a quantum leap so great
that they prefer to remain comfortable
where they are.
Any legislative or regulatory
requirements of internal audit: The work
of internal audit will nearly always have a
role to provide assurance of legislative and
regulatory compliance; this is an important
role that should never be forgotten.
Case Study
Designing a Comprehensive Internal
Audit Plan
A large public sector organisation with
Rolling 3
months
unassigned
hours
0
0
500
0
0
0
Annual total
hours
6,000
0
4,750
250
3,000
3,000
Operational / Performance
Assurance / Consulting 500 2,500 1,000 1,000 5,000
Internal audit planning 500 0 0 0 500
Audit monitor and follow-up 500 0 0 0 500
Audit committee 500 0 0 0 500
External audit co-ordination 1,500 0 0 0 1,500
Quality audit: The systematic examination
Total 25,000
18 April 2010 19 April 2010

a significant commitment to internal
auditing provided sufficient funds to
resource an internal audit function of
25,000 audit hours each year. The audit
committee wanted an internal audit plan
of work that provided assurance and
examined how well the organisation was
operating, but which was also responsive
to the changing needs and risks of the
organisation. The risk-based internal audit
plan of work to achieve this designed by
the chief audit executive is summarized
in Table 4.
Rather than have a static internal audit
plan, the plan shown in the table was
designed to cover an 18-month period
with a refresher every six months so that
workflows could be smoothed and work
allocated to internal auditors continuously.
The plan encompassed the following
areas:
• Cyclical 12 months scheduled: For highrisk
areas worthy of annual internal
audit attention.
• Rolling 6 months scheduled: Higherrisk
areas scheduled for periodic or
one-off internal audits.
• Rolling 3 months reserve: Areas held
in reserve in case of postponement or
cancellation of other internal audits.
• Rolling 3 months unassigned: Reserved
for on-demand internal audits initiated
by management for emerging business
issues and risks.
Conclusion
The range and type of the internal auditor’s
work depend on a number of factors:
• The mandate for internal audit
contained in the internal audit charter.
• What the audit committee wants
internal audit to do, and how
enlightened it is.
• What management wants internal
audit to do.
• To whom the chief audit executive
(head of internal audit) reports.
• The capability and skills of the internal
auditors.
• Any legislative or regulatory
requirements of internal audit.
Making It Happen
Chief audit executives should look to his
or her audit committee and management
for guidance on the range and type of
work to be performed by the internal
audit function. However, the chief audit
executive, as an internal audit professional,
should be using his or her knowledge and
experience to identify and influence the
formulation of a risk-based internal audit
plan of work that best provides for the
needs of the organisation. This is likely to
be a blended plan of internal audit work
that encompasses both assurance services
and consulting services:
Assurance Services
• Part of the overall internal audit plan
of work.
• Annual or longer-term focus.
• Risk-based.
• May include cyclical internal audits of
higher-risk areas.
• Need to consider legislative and
regulatory requirements.
• Need to consider external audit to
avoid duplication of audit effort.
• Estimated hours for audit topics
assessed from previous internal audits
(structured gut feel).
• Focus on compliance, financial issues
and risks, financial controls, and IT
reviews.
Consulting Services
• Part of the overall internal audit plan
of work.
• Flexible, rolling focus - rather than
fixed in time.
• Risk-based and customer-focused.
• If limited previous data are available,
estimate hours needed for internal
audit topics on the basis of the
best available information and past
experience (unstructured gut feel).
• Focus on current and emerging
business issues and risks, and system
under development reviews.
Further reading:
Books:
• Australian National Audit Office.
Public Sector Audit Committees:
Having the Right People is the Key.
Canberra: Australian National Audit
Office, 2005.
• Australian National Audit Office.
Public Sector Internal Audit - An
Investment in Assurance and Business
Improvement. Canberra: Australian
National Audit Office, 2007.
• Picket, K. H. Spencer. Audit Planning:
A Risk-Based Approach. Hoboken, NJ:
Wiley, 2006.
• Reding, Kurt F., Paul J. Sobel, Unton
L. Anderson, Michael J. Head, Sridhar
Ramamoorti, and Mark Salamasick.
Internal Auditing: Assurance and
Consulting Services. Altamonte
Springs, FL: IIA Research Foundation,
2007.
• Sawyer, Lawrence B., Mortimer A.
Dittenhofer, and James H. Scheiner.
Sawyer’s Internal Auditing: The
Practice of Modern Internal Auditing.
5th ed. Altamonte Springs, FL: IIA
Research Foundation, 2003.
Standards:
• Institute of Internal Auditors (IIA).
International Standards for the
Professional Practice of Internal
Auditing. Altamonte Springs, FL: IIA,
2007. Online at: www.theiia.org/
guidance/standards-and-guidance/
ippf/standards
Website:
• The Institute of Internal Auditors:
www.theiia.org
Article originally published in “QFinance:
The Ultimate Resource”, 2009. Republished
by courtesy of Bloomsbury. For further
details visit www.bloomsbury.com/qfinance
or www.qfinance.com
About the Author:
Andrew Cox MBA MEC CIA CISA CFE CGAP CSQA MACS is
acknowledged as a leader in quality assurance and improvement
of internal audit activities in organisations. In recent times he
worked for IIA - Australia and conducted 25 quality assessments
of Internal Audit Departments in various organisations. Over his
career he has been a senior internal audit executive in Australia
and has managed 8 internal audit activities. He is now working in
the United Arab Emirates.
20 April 2010

Global expertise,
local knowledge*
PricewaterhouseCoopers provides industry-focused
assurance, tax and advisory services to build public
trust and enhance value for its clients and their
stakeholders. More than 154,000 people in 153
countries across our network share their thinking,
experience and solutions to develop fresh perspectives
and practical advice.
PricewaterhouseCoopers in the Middle East
Established in the region for over 30 years,
PricewaterhouseCoopers’ Middle East network covers
15 countries and has over 2,000 people.
Complementing our depth of industry expertise and
breadth of skills is our sound knowledge of local
business environments across the Middle East.
For information about our internal audit, risk and
corporate governance services across the Middle East,
contact Andrew Garrett, Middle East Internal Audit
Leader, andrew.garrett@ae.pwc.com,
+971 (0)4 3043100, or visit www.pwc.com/me
*connectedthinking
© 2008 PricewaterhouseCoopers. All rights reserved. ‘PricewaterhouseCoopers’ refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate
and independent legal entity.