IIA April 2010.pdf - UAE IAA

4 March 2010
12 March 2010
th O n 1 November, 7 a half-day course on Quality Assurance and Improvement by Andrew Cox was held in Dubai. The same
was held on 24 th November in Abu Dhabi. Andrew Cox is acknowledged as a leader in quality assurance and improvement
of internal audit activities in organisations, both in the private and public sectors. The course focused on how quality
assessments can raise the profile of the IA Department with chief executives and audit committees. It also honed in on
preparing an independent quality assessment, self-assessment for the IA Department followed by an independent validation.
Visuals from the event…
It got its name because its founders got
started by applying patches to code
The name came from the river Adobe written for NCSA’s httpd daemon. The
Creek that ran behind the house of result was ‘A PAtCHy’ server - thus,
founder John Warnock.
the name Apache.
but an abbreviation of San
Francisco. The company’s logo
reflects its San Francisco name
heritage. It represents a stylized
Golden Gate Bridge.
Packard tossed a coin
to decide whether the
company they founded
would be called
Hewlett-Packard or
Packard-Hewlett.
16 March 2010
By: Andrew Cox
boast about the amount of
information the search-engine
would be able to search. It was
originally named ‘Googol’, a
word for the number represented
by 1 followed by 100 zeros. After
founders - Stanford graduate
students Sergey Brin and Larry
Page presented their project to
an angel investor, they received a
cheque made out to ‘Google’.
Moore wanted to name
their new company ‘Moore
Noyce’ but that was already
trademarked by a hotel chain,
so they had to settle for
an acronym of INTegrated
ELectronics.
The Evolution of Internal Auditing
The evolution of how internal audit determined what it would audit can be tracked in Table 1.
Then (up to the 1990s)
• Areas for internal audit identified on a functional
basis from historic information.
• Set of one-dimensional risk factors applied
(high, moderate, low).
• Input into a model and prioritization based on risk
rankings.
• 3 or 5 year strategic internal audit plan based on risk
rankings.
• Annual internal audit plan based on available
resources. Presented to the audit committee (but
not always).
Apple Computers
Favourite fruit of founder Steve Jobs. He
was three months late in filing a name
for the business, and he threatened to
call his company Apple Computers if the
other colleagues didn’t suggest a better
name by 5 o’clock.
of accessing email via the web
from a computer anywhere in
the world. When Sabeer Bhatia
came up with the business plan
for the mail service, he tried all
kinds of names ending in ‘mail’
and finally settled for Hotmail
as it included the letters “html”
- the programming language
used to write web pages. It was
initially referred to as HoTMaiL
with selective upper casings.
Executive Summary
• The mandate for internal audit contained in the internal audit charter.
• What the audit committee and management want internal audit to do.
• T whom the chief audit executive (head of internal audit) reports.
• The capability and skills of the internal auditors.
• Any legislative or regulatory requirements of internal audit.
Introduction
Internal auditing is an evolving profession. It has been around for a very long time, probably since
the pharaohs in Egypt. But it wasn’t until 1947, when the foremost professional body for internal
auditing, the Institute of Internal Auditors (IIA), was formed that internal auditing was set on its
path to emerging as a profession.
Subsequently, professional standards and a code of ethics for internal auditing have been
established and in 1974 professional certification for internal auditing was created, with the
designation Certified Internal Auditor. Over time, the scope of internal auditing has changed
significantly.
Advantages Disadvantages
• Often cyclical (every year). • Done in isolation of the business.
• Well known to internal • Time-consuming.
auditors.
• Focus on functional areas.
• Safe approach.
• May not be timely, relevant or
responsive.
• Correlation between risk rankings
and internal audit plan often weak.
• Assumed a static organisation.
Today fraud is a key buzzword among and assessing risks involved in achieving the execution of controls will do so
corporations (big and small) and compliance an entity’s objectives.
responsibly and to the best of their
professionals alike. Recent large fraud
ability. While this assumption may be
cases are often used to build a business iii) Control Activities are the policies and correct during an internal control risk
case for spending large amounts of money procedures that enforce management’s assessment, it does not hold good while
in implementing a Control Framework. directives.
assessing fraud risks.
Surveys such as the ACFE 2008 Report
to the Nation show that implementation iv) Information and Communication, which An individual breaching his fiduciary
of a control framework has a measurable allows the exchange of information in responsibilities is an Occupational Fraud!!
impact on the organisation’s exposure the right quantities and to the right
to fraud. The survey revealed that persons across the organisation A key differentiator between Internal
organisations that implemented anti-fraud
Controls and Anti Fraud Controls is the
controls suffered much lower losses than v) Monitoring is the process that assesses Human Element. Failure to assess the
organisations without anti fraud controls. the quality of the Framework over a Human Element can cause frauds to
Though many Control Frameworks period of time.
happen in organisations that otherwise
were developed and propagated over
seem to have a robust and comprehensive
the years, the most commonly applied Generally, Corporations build their Anti- internal control framework.
Control Framework is the one developed Fraud controls on the principles of the
in the early nineties by the Committee Of COSO framework. To do so, organisations Before addressing how to prioritize fraud
Sponsoring Organisations of the Treadway first identify fraud risks and prioritize risks, let’s understand why do people
Commission, better known as the COSO them according to risks that matter the commit fraud?
Framework (“COSO”). COSO identifies most. Prioritization is generally done
5 components, which when integrated by assessing the impact and likelihood of One of the best theories on why people
and operating in all business units, will an inherent risk. Impact is the extent to commit fraud was given by Mr. Donald
help establish an effective internal control which the risk, if realized, would impact the Cressey in his book “Other People’s
framework. These 5 components are: organisation. Likelihood is the probability Money” . As per this hypothesis, fraud
of a risk occurring over a pre-defined time occurs when an individual has:
i) Control Environment, which sets period which is generally the organisation’s
the moral tone of the organisation, planning horizon.
a. A non sharable financial problem
influencing the control consciousness of
the organisation and is the foundation While prioritizing risks on impact and b. Perceives an opportunity to resolve
upon which all other components are likelihood, it is generally assumed that the situation
built
individuals will honour their fiduciary
responsibilities to the organisation. In c. Has the ability to rationalize his misdeed
ii) Risk Assessment involves identifying other words, people entrusted with even before committing them.
6 March 2010
A company’s IT (Information Technology)
organisation is no stranger to scrutiny when it comes
to corporate responsibility and sustainability.
As a major consumer of electricity in many
organisations and a significant producer of
waste electronics, IT has been among the
first to come under pressure to better
manage energy consumption and to
“reduce, reuse, and recycle” in
order to improve efficiency and
lessen environmental impact.
Fortunately, in improving its sustainability opportunity to improve its financial
performance, IT has had a lot of low-hanging performance while jumpstarting green
fruit to choose from, including server change throughout the larger organisation
consolidation, application rationalization, as well as reducing environmental impacts.
procurement of energy-efficient hardware,
better printing policies, and even simple The areas where IT can address
behavioral changes such as having people sustainability issues directly are through
turn off the lights and shut down their its acquisition, usage and disposal policies.
desktop computers at night. Electronic Consolidation and virtualization initiatives,
components consume substantial amounts for example, have generated advantages
of electricity and produce significant in terms of cost and operational efficiency
amounts of heat – not to mention that and also led to a reduced impact on the
they often contain heavy metals and other environment as utilization rates reduce
toxins that pose disposal issues. Clearly, energy consumption. Beyond virtualization,
IT must play a big part in going green, if a as new equipment is brought in as part of
company is to be effective at it.
the move to denser blade configurations
and 64-bit architectures, or simply to
A competitive advantage
provide additional capacity, organisations
Responding to a growing wave of will also benefit from advances in processor
investor activism, consumer demands efficiency.
and regulations around environmental
sustainability, companies are looking for The Green Data Center at the Core of
ways to gain a competitive advantage Green IT
by adopting green business practices. IT
can be a catalyst for realizing short and Finance, IT and business unit executives
long-term business benefits through the in large companies around the world
implementation of green approaches. have come to embrace environmentally
Green IT thus can offer a company the sustainable business practices that are
10 March 2010
14 March 2010
By: Vishal Thakkar
global financial upheaval of the past two years has seen many
commentators questioning the value of audit.
While attention has naturally been most focused on the large
end of the audit profession, which is involved with the banks and
other major financial institutions, there are also important issues
at the smaller end of the audit market. Given the removal in
recent years of the statutory audit requirement for many entities
with turnover below £6.5m, audit is increasingly a voluntary
exercise in this sector and so needs to demonstrate the value it
brings to business.
In its new policy paper, entitled Restating the Value of Audit,
ACCA argues that against this backdrop of change, it is vital
for the accountancy profession to re-examine the role of audit
and to question whether a sufficiently strong case is being put
forward for the benefits that audit can provide to businesses, the
economy and society. We f irmly believe that audit has a key role
to play as a source of public confidence in financial reporting but
note that there is currently little published research, which seeks
to demonstrate the value of audit in promoting business trust.
http://www.accaglobal.com/page/3305046
our new survey shows, CEOs continue to work to strengthen
their organisations whilst seeking opportunities emerging from
structural shifts in their industries, economies and regulatory
environments.
The 13 th Annual Global CEO Survey offers an up-close look at
how business leaders have responded to the challenges brought
about by the recession, the concerns they are facing today and
their strategies for positioning their companies for the long-term.
The recession in developed nations was the worst many CEOs
had ever experienced. The resulting rupture to business planning
and operations was clear in our survey of 1,198 business leaders
from around the world for the PricewaterhouseCoopers 13th
Annual Global CEO Survey. Business leaders are emerging with
a healthy respect for risk, volatility and flexibility.
http://www.pwc.com/gx/en/ceo-survey/download.jhtml?WT.
ac=flash_01-2010_ceo-survey-hp_download
changing their IT practices in an effort
to save money, improve performance
and lessen their impact on the physical
environment.
For example, Marriott International’s
efforts to lower its IT power consumption
over the past few years have not only
resulted in greener and more sustainable
IT operations, but also serve as a risk
mitigation tool. Their data centers are
protected from nature, nuclear attacks and
electronic eavesdropping, amongst other
IT threats because of their location. The
company has built a data center 300 feet
below ground, in a former Pennsylvania
mine. The mine maintains an ambient air
temperature of 53 degrees Fahrenheit.
In addition, virtualization software from
vendors has helped the hospitality giant
reduce its server population by more than
one-third over the past three years. Storage
virtualization and archiving technologies
have enabled the company to slash its
storage energy costs by more than 50%
over that same period.
we are likely to reflect on just how dramatically it changed the
corporate landscape. Not only will it have sent some mighty
business names to the wall, it will also have been responsible for
fundamentally changing the way the business world operates.
One such example may be in the way that corporate value is
determined; will financial measures still be used in isolation as the
measure of business value? This approach will soon be challenged,
claims Rodger Hill of KPMG Advisory.
The days of purely measuring business performance by financial
result may well be numbered. In its place discerning investors will
look for something broader to measure an entity’s real contribution
and performance.
That something could be in the shape of the “triple bottom line”;
an amalgam of financial results and an assessment of the social and
environmental impacts of a business. Or, when stated differently:
People, Planet and Profits.
http://www.kpmg.com/Global/en/IssuesAndInsights/
ArticlesPublications/Press-releases/Pages/Press-release-
Introducing-the-triple-bottom-line-1-Mar-2010.aspx
About the Author:
Vishal Thakkar is a qualified
Chartered Accountant and Certified
Internal Auditor. He is currently
working with Group Internal Audit
department of Dubai World and can
be contacted at
vishalkthakkar@yahoo.com
…Going Full Blast…
4
UAE-IAA Past Events
Course on Quality Assurance
and Improvement
Message from the President
On behalf of the UAE Internal Audit Association’s Board of Governors, I wish
to extend a warm welcome to all the delegates to the 11 th Annual Regional Gulf
Audit Conference in Abu Dhabi. Our theme for this year is ‘2010 and Beyond’,
and we urge you to join us in “going full blast” in enthusiasm, as we start the
implementation of programs and planned activities for this still challenging year.
Firstly, we encourage you to optimize your learning and networking opportunities
during this conference by actively participating in the pre-conference workshops on
Day 1 and the main conference sessions, which will cover topical issues impacting
our profession. We are fortunate to have with us as keynote speaker, our IIA
Global President, Mr. Richard Chambers.
You are also invited to participate in the Global Internal Audit Survey, which opened
on March 15, 2010 and is available in both the IIA and UAE-IAA websites. The
survey is expected to be completed by over 15,000 internal auditors from around
the globe, in more than 20 languages. Results will provide insight into emerging
issues and trends, as well as developments and changes within the profession. We
are pleased to have set another milestone at the Institute by successfully providing
an Arabic translation for this survey.
As we ended the first quarter, we near the completion of a Memorandum of
Understanding with the American University of Sharjah, to initiate cooperative
agreements with educational institutions in the UAE / Region. In February, we
were also privileged to have shared our programs and experiences with IIA Saudi
Arabia when they visited us for a benchmarking exercise.
As we progress on in 2010 and beyond, we set up a dedicated staff to better
provide the services of the Institute. Once again, we request your wholehearted
support in achieving all our plans and objectives.
Abdulqader Obaid Ali
President
UAE-IAA
April 2010
Board of Governors
UAE-IAA Chapter
President:
Abdulqader Obaid Ali
abdulqader.obaidali@dubaiworld.ae
Board Members:
Abdulrahman Al Hareb
abdulrahman.alhareb@dubaiholding.com
Abdulrahman Ba Saeed
abdulrahman.basaeed@dubaiworld.ae
Adnan Zaidi
adnan.zaidi@protivitiglobal.ae
Ahmad Dahabiyeh
adahabiyeh@adaa.ae
Amir Gergawi
amir.algergawi@du.ae
Badr Mohammed Buhannad
bbuhannad@dso.ae
Karem Obeid
karem.obeid@dubaiholding.com
Khalid Halyan
khalhalyan@dca.gov.ae
Laila Al Humairi
laila.alhumairi@gmail.com
Raza Abdulla
raza.abdulla@emirates.com
Venkataraman
venkat@habtoor.com
Yaser Al Yaish
yaser.yasih@gmail.com
Newsletter Committee:
Vishal Thakkar
Dubai World
Mayur Motwani
Protiviti Middle East
Julion Ruwette
Deloitte & Touche, (M.E.)
8
How famous companies
were named?
Cisco
The name is not an acronym
Hewlett-Packard
Bill Hewlett and Dave
12
Google
The name started as a jockey
Intel
Bob Noyce and Gordon
16
Hotmail
Founder Jack Smith got the idea
What Is the Range
of the Internal
Auditor’s Work?
UAE-IAA Events
Fraud Risk Assessment: the
Human Element
– By: Santosh Noronha
11 th Annual Regional Gulf
Audit Conference
How famous companies
were named
Green IT
– By: Fadi Sidani
Knowledge Update
– By: Vishal Thakkar
What is the range of the Internal
Auditor’s Work
– By: Andrew Cox
6
By: Santosh Noronha
Fraud Risk
Assessment:
The Human
Element
10
By: Fadi Sidani
Green IT
IT at the Core of office greening initiatives
Knowledge
Update
Restating the value of audit
The role of audit is under heightened scrutiny. The unprecedented
13 th Annual Global CEO
Survey
The effects of the recent downturn were far-reaching, but as
14
Introducing the triple
bottom line
Once the credit crisis is firmly consigned to corporate history,
Contents
Editor:
Manjula Ramakrishnan
UAE-IAA Newsletter welcomes editorial
contributions and feedback from readers.
Write in to editor@iiauae.org
Affliated to The Institute of Internal Auditors • 247 Maitland Avenue • Altamonte Springs,
Florida 32701-4201 USA +1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org • Copyright 2008
Disclaimer: It is hereby notified that all opinions, facts or views expressed in this magazine are those of
the author and need not necessarily represent the views of UAE-IAA. The advertising of events, courses,
products and services in this publication does not imply that they have UAE-IAA endorsement.
2 April 2010 3 April 2010