JUNE 2017 WWW.INTERNALAUDITOR.

ME

Identifying serial offenders us-

ing forensics analyzing digital
evidence

IA is the Second Line of

Defense in unstable
business environment

Self-service analytics benefits

for internal Audit

The Journey to
Excellence in
Internal Audit

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

From The President

Dear Readers,
On behalf of the Board of Governors and Executive Committee, our Key Partners and
staff of the UAE Internal Auditors Association; let me wish you all Eid Mubarak.
We had a very eventful month of May – the International Audit Awareness Month. The
UAE IAA conducted several sessions advocating the internal audit profession. The UAE
Internal Auditors Association and the Institute of Chartered Accounts of India held the
3rd joint event in Abu Dhabi titled “Partners in Progress” which was attended by 400+
delegates. Awareness sessions were also conducted in several universities to initiate the
students towards the profession of internal audit.
The mega event in this month was the 3rd Internal Audit Government Forum which was
held under the Patronage of HH Sheikh Ahmed president of the Dubai Civil Aviation
Authority, CEO and chairman of the Emirates Group and chairman of Dubai World in
collaboration with the Dubai Aviation City Corporation (GIARA).
The International Conference 2018 is to be held in Dubai and all efforts are being made
to ensure that we break all yesteryear records. The UAE IAA invited the members of the
IIA Global to visit Dubai for discussions. The fruitful discussions ensured that we are
on the right track for a successful conference. All the major items were ticked with roles
and responsibilities defined. The end of discussions left both, the UAE IAA and The IIA
Global, well-satisfied and confident.
The 4th batch of HASAAD was conducted recently in Abu Dhabi. What was so unique
about this batch was the fact that it was the first batch of HASAAD conducted in Arabic.
This is an extremely significant achievement for us as it gives us the confidence to tap the
government sectors. The HASAAD program is an extremely important program for us as
it enables young aspiring UAE Nationals to come into the main stream of internal audit
profession. I congratulate the graduating students of the 4th HASAAD batch.
Summer holidays are round the corner and you all must have made your holiday plans. I

wish you a very joyous holiday and look forward to engaging with you on return.

Regards,

Abdulqader Obaid Ali

President

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 01

TeamMate ®
Ecosystem for Assurance

Audit

Controls
Analytics

To achieve new heights, finding the right balance of audit tools is essential. Only
TeamMate offers an integrated set of solutions that include the industry’s leading
audit management system, an innovative controls management system and
powerful data analytics.

TeamMate AM TeamMate CM TeamMate Analytics

Learn more at: TeamMateSolutions.com

Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946
 INTERNAL AUDITOR
MIDDLE EAST JUNE 2017 WWW.INTERNALAUDITOR.ME

F E ATU RES
16 COVER STORY: The Journey to Excellence in Internal Audit
What is The Roadmap to Initiating a Quality Assessment? by Ninad Pradhan

20 Profiling Cyber- 22 Adding Value in a 24 Self Service Audit

Criminals : The four-step
process, from the perspective of
deductive profiling methods, with
which the cyber-criminal profile
should be developed “ by Fadi
Abu Zuhri
Challenging Economic
Environment
what are the responsibilities for
internal auditors in the current
volatile and unstable economic
conditions? by Ehab Saif
Analytics – transform
your approach
How you can transform the way
your organization work with
data? By Induman Das

DE PARTMENTS
4 Reader Feedback
6 Knowledge Update
Internal Audit’s Critical Role in
Cyber-security, Global Technology
Audit Guide (GTAG): Understand-
ing and Auditing Big Data, Protiviti
Survey on Sarbanes-Oxley Compli-
ance 2017, Mining business in-
sights from the audit - Audit Value
Survey by Deloitte, 2017 State of
the Internal Audit Profession: Study
by PWC
BY VISHAL THAKKAR
8 UAE-IAA Events 10 IT Audit
What are the common mistakes
27 Fraud Risk IT auditors make while audit-
What a Fraud Response Plan ing the Logical access area BY
should contain Melhem Khoury
BY David Clements
31 Frosting Fundamen- 12 Risk management
Are Emerging Risks really differ-
tals ent from Conventional Risks ?
What are the steps that are cov-
BY Porus Pavri
ered as part of the annual internal
audit planning process?
BY Arif Zaman

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 03

Reader Feedback We want your views on the articles and the magazine! Share your
thoughts and feedback with us via email at ghada@iiauae.org

Comment on an article entitled 2017

WWW.I
NTERNA
LAUDIT
OR.ME
Comment on the article written by Mr. Adil
Buhariwalla, entitled: “Innovate or Deteriorate”
MARCH

“Does the internal audit

g the
gnizin
in Reco
Helping
Steps
Value
Added ards for
the
Stand of Internal

profession suit me?”

ern ational cti ce

At the beginning, I would like to thank my colleague Adel

Int l Pra
siona updates
Profes new kle
Auditing s to tac
po nsivitie d risks.
res s an

Buhariwala for his wonderful article which gives recent

al Audit s issue
Intern nt busines
importa

All thanks and appreciation goes out to

R
ITO
AUD

examples of what happened to international companies that

AL T
ERN LE EAS
INT

OR
D
MID

the colleague and author of the article for

VATE did not keep abreast with the developments and changes
putting forward such an important topic. I INNORIORATE that have taken place in its industry as well as valuable
would like to refer to three of the traits and DETE information on the definition and quality of innovation,
skills stated in the International Professional and on innovation governance and the role of auditors in
Practices Framework (IPPF) issued by reviewing innovation governance.
The Institute of Internal Auditors, which I
consider some of the most important traits and In my opinion, internal auditors can play a big role in
skills that distinguish internal auditors. auditing innovation processes and providing reasonable
t of fo
cusing
assurance of their effectiveness to the Board of Directors
Effective Communication Skill: Through this on the
portan
The im organizatio
ion Gove
n’s
rnance
”. and other stakeholders because innovation is an
skill, the internal auditor ensures gaining the essential element in improving the performance of
at
“Innov
L
TRO
D CON

the establishment and ensuring its sustainability.

T AN

trust of the client in addition to enhancing

MEN
AN AGE
S K M
, RI
NA NCE

It is known that sustainability is one of the core

VER

communication and adding a positive impact,

N GO
TS O
IGH
INS

ensuring the addition of real value through audit responsibilities and priorities of corporate governance.
assignments. Innovation creates new opportunities for the establishment and
Critical Thinking: That is achieved by applying professional doubt, increases its competitiveness, and these opportunities must be managed
applying different tools and techniques to extract data and adopting in the same way of risks are managed to which the establishment is/
problem-solving techniques that help the internal auditor solve complex may be exposed to. Opportunities that cannot be well managed will
situations and propose solutions that ensure developing the functions turn into risks that might have been avoided, noting that “Collapse”
being audited. exists at the top of these risks as reported in the article. In my opinion,
if any competitive advantage is not accompanied by development and
Improvement and Innovation skills: When the internal auditor has such innovation, it will not remain an advantage on which the establishment
skills, this ensures his work as a key player of change and continuous can rely for maintaining its sustainability.
improvement which supports the establishment in achieving its
Innovation, renovation and creativity must be a top management
objectives by rendering them as part of the change management process priority, and since traditional and old methods are no longer useful,
within the establishment and adopting change by explaining benefits there must be innovative alternatives to develop, maintain and keep
and encouraging coworkers on the same. sustainability of the establishment to be an effective competitor in its
sector.
Mahmoud El Bagoury Alaa Abunbaba CPA, CIA, CRMA, CICP, MACC
Chief Internal Auditor for a group of commercial companies Head of Audit and Institutional Excellence
operating in the Middle East
IFA GROUP - The International Financial Advisors Company (IFA)
GRCA, CPIA, CICA, CERTIA, QIA - Kuwait
UAE Internal Audiors Association
ARABIC RE VIE W TE AM C O N TAC T IN FO RMATIO N
Qais Hamdan, CISA, CISM, PMP (Lead MARK ETIN G & SO C IAL MED IA
Member) Alaa Abu Nabaa, MACC, CIA, CRMA,
CPA, CICP
Khalid M. Alodhaibi, SOCPA
aabunabaa@yahoo.com
INTERNAL AUDITOR
Waleed Sweimeh, CIA
MIDDLE EAST
ADVERTIS IN G &
JUNE 2017 Noora Ayoob AD MIN IS TRATIO N
VOLUME 2017: 2 Saif Kaddourah, MBA Yasmine Abd El Aziz

E D IT OR-I N-CHI EF yasmeen@iiauae.org

Abdulqader Obaid Ali, CFE, CRMA, QIAL
E D IT OR
Ghada Abd Elbaky
E D IT ORI A L A DVISORY
C OMM IT T EE
Ayman Abd El Rahim MQM, CIA, CCSA,
CFE (Lead member)
Asem Al Naser, CPA, CIA, QIAL
Farah Araj, CPA, CIA, CFE, QIAL
Andrew Cox, MBA, MEC, PFIIA, CIA,
CISA, CFE, CGAP, MRMIA
Raymond Helayel, CPA, CIA
Meenakshi Razdan, CA, CPA CIA, CFE
Hossam Samy, CRMA, CFE, CPA, CGA
Nagesh Suryanarayana, MBA, CIA,CCSA
James Tebbs, CA
Vishal Thakkar, ACA, CIA
Gautam Gandhi, ACA, CIA, CISA, CFE
UAE INTE RNAL AUDITORS
Tel: +971 55 351 2335 Internal Auditor - Middle East is published quarterly by the UAE
AS SOCIATION
Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor,
PRESIDENT ED ITO RIAL API Trio Tower, Dubai, United Arab Emirates
Abdulqader Obaid Ali, CFE, CRMA, QIAL Ghada Abd Elbaky
GENERAL MANAGER ghada@uaeiaa.org
Samia Al Yousuf Tel: +971 55 728 5147
D ISC L AIMERS
D ESIG N & PRIN TIN G Internal Auditor - Middle East is intended only for members of the
RE GIS TRATION Gulf International Advertising Institute of Internal Auditors in the Middle East and as such it is
& Publishing L.L.C. not intended to be sold or re-sold by any party.
Internal Auditor - Middle East magazine
is licensed by the National Media Council giadco511@gmail.com The views expressed in Internal Auditor - Middle East are solely
of the United Arab Emirates (License those of the authors, and do not necessarily represent the views
Tel: + 971 2 441 2299 of the UAE-IAA or the authors’ respective employers.
Number 244).
Internal Auditor - Middle East is a peer-reviewed magazine and
G U ID EL IN ES FO R AU TH O RS does not verify the originality of the content submitted by the
www.internalauditor.me authors.

04 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

Knowledge Update
BY V IS H A L TH A KKAR

Internal
Audit’s
Critical
Role in
Cyber-se-
curity

Organizations monitor cyber-security

practices, policies and plans on an ongoing
basis. Internal audit plays can play a crucial
Global Technology Audit Guide
role here. When cyber-security plans are
created, organizations should solicit internal
(GTAG): Understanding and
audit to do what is best suited for them
i.e. test for effectiveness and efficiency of
Auditing Big Data
controls and protocols. Based on the testing
results, provide the board and management
Big data is both i.e. a growing risk and a growing resource for internal auditors. This
with assurance about these protective
prompted the IIA to offer a guidance to help auditors to address it and leverage it.
mechanisms. Internal audit should focus
on following four areas related to cyber- The IIA’s guide provides an overview of big data to help internal auditors who may
security: be responsible for both i.e. using it and assessing risks associated with it. This guide
1. Provide assurance over readiness covers the following: value of big data, the components, strategies, implementation
and response considerations, data governance, consumption and reporting as well as the associated
risks. The guide also explains what the IIA regards as internal auditors’ roles and
2. Communicate about the level
responsibilities when they need to perform big data related advisory or assurance
of risk to the organization and
efforts to address such risks to the procedures. As per the guide, this begins with considering the role of big data in the
board and executive management organization as part of the risk assessment and audit planning processes. Auditors
generally plan to address big data risk in multiple audits where it arises instead of a
3. Work in coordination with IT single audit looking at all big data risks. Auditors should plan to look at controls such
and other related parties to build
as process and technology to focus on how the data is consumed and acted upon in the
effective defenses and responses
organization.
4. Ensure communication and
coordination The risks associated with big data that justify internal audit’s attention are numerous
and complex such a poor data quality, inadequate technology, insufficient security and
Inspite of complexity and alarming immature data governance practices within the organization. The auditor should reach
challenge, cyber-security that can
out to company’s Chief Information Officer for understanding the risks associated
be effective can be achieved by most
with collecting, storing, analyzing and securing big data. The guide also gives internal
organizations. By using the “Four Rs”
– resist, react, recover, and re-evaluate – auditors some advice on using the data as an audit tool, beyond auditing the data or
organizations can build cyber-resilience the big data effort itself. The company may have already acquired, consolidated and
plans that are effective. integrated the data, enabling internal audit to realize efficiencies.

http://www.accountingweb.com/aa/auditing/ https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/
internal-audits-critical-role-in-cybersecurity Pages/GTAG-Understanding-and-Auditing-Big-Data.aspx

06 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

 Knowledge Update

Protiviti Survey on Sarbanes-Oxley

Compliance 2017
Sarbanes-Oxley Act (SOX) became law almost 15 years back, and as many
organizations have advanced into complying with its requirements, the compliance
process is not only dynamic, but also a matter of continuous interest. CAEs, CFOs
and other finance and internal audit professionals keenly look for benchmarking data
on costs, hours, control counts etc, as they determine how and where to rationalize
compliance activities while addressing frequent regulatory and market changes.
Key findings of the survey are as follows: 2017 State of the
Compliance costs appear to be trending down, but not for all: SOX compliance costs Internal Audit Profession:
show some decrease compared to last year’s survey results for some companies. This Study by PWC
could be due to these organizations completing their work to implement the updated
COSO Internal Control — Integrated Framework. However, costs are still on the rise
for many companies as the percentage of those annually spending $2 million or more
increased compared to last year.
Hours continue to go up: Time spent on SOX compliance has increased for most of
44%
Stakeholders reported that Internal Audit
organizations as compare to the last year adds significant value dropped from 54%
Increased use of outside resources: Considerably more organizations are relying on in 2016 to only 44% in 2017, reaching its
outside providers for SOX compliance activities, either on an outsourced and co- lowest level in the five years
sourced basis
Control counts have gone up: compared to prior year results, there is an increase in
percentage of entity-level controls classified as key controls 48%
Revenue recognition, cyber security and the PCAOB are influencing forces: SOX of stakeholders (nearly half) want Internal
compliance efforts continue to be formed by new and emerging influences, from Audit to be trusted advisors to the business
the new revenue recognition standard and cyber security concerns to the PCAOB’s
inspection reports on external auditors and the resulting effects on audits of internal Top five disruptions: responses by CAE’s
control over financial reporting and their stakeholders

58%
SOX work continues to be viewed as having a positive effect: Overall, three out of four
organizations reported that their internal control over financial reporting structure has
improved as soon as they started complying with SOX.
https://www.protiviti.com/US-en/insights/sox-compliance-survey
New regulations

Mining business insights from the 44%

audit - Audit Value Survey by Deloitte Changes in business model or strategy
Notwithstanding to the fact that valuable perspective a financial statement audit
provides, one out of three companies fails to fully use the information. The survey
results reveal that the audit has the influence to provide insights, identify inefficiencies
or risks and help inform best practices to the companies. Still, auditors and their clients
37%
Cyber-security and privacy threats
are missing out on what financial statement audits can accomplish in more depth. 45

36%
percent of C-suite executives and 48 percent of audit committee members don’t have
processes in place to make better use of audit findings. According to 79 percent of
C-suite executives and 94 percent of audit committee members, increased transparency
of financial statement audits would improve performance of the company. About the
same percentage stated that financial statement audits reveal what their companies Financial challenges

34%
could do different or better.
Executives participated in the survey stated that they want information processing
of audits even further. They want audits to provide a wider range of strategic and
Technological challenges
operational insights that go beyond financial reporting. At the forefront: information
about spending patterns, assessment of how effective the company’s business processes
https://www.pwc.com/us/en/risk-
are and recommendations for improving operations.
assurance/sotp/2017-state-of-the-internal-
https://www2.deloitte.com/us/en/pages/audit/articles/audit-value-survey.html audit-profession-report.pdf

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 07

UAE-IAA Events
By S a m i a A l Yo u s uf

The eighteenth Annual Regional

Conference- Abu Dhabi

UAE IAA held its 18th Annual regional conference at Jumeirah
Etihad Towers, Abu Dhabi from April 18 - 20, 2017 .The 2-days
conference is the largest “Smart” meeting and a premier Internal
Audit event in the MENA region and was attended by over 700
participants consisting of heads of organizations, experts and
professionals from internal auditing and various other industries
from the GCC countries and beyond. The conference was under
the patronage of His Excellency Sheikh Nahayan Mabarak Al
Nahayan, UAE Minister of Culture and Knowledge Development,
who stated that UAE Internal Auditors Association is playing
a key role in facilitating education of internal auditors in our
country by offering an invaluable training and education to its
almost 2,000 members and working effectively to increasing the
number of Emirati auditors. Sheikh Nahyan had honored the key
note speaker Mr. Mohamed Jameel Al Ramahi, CEO Masdar and
Mr. Hassan Al Mulla, President of IIA Qatar with the Lifetime
Achievement Awards, at the conference.

08 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

 UAE-IAA Events

UAE IAA and Dubai Aviation

City Corporation (GIARA)
held the 3rd Internal Audit
Government Forum 2017
UAE IAA held the 3rd Internal Audit Government forum in
collaboration with Dubai Aviation City Corporation on 17th May
2017 at Palazzo Versace Hotel with the theme of: “Be a Leader in
your Profession” .
The forum was under the patronage of His Highness Sheikh Ahmed
Bin Saeed Al Maktoum the Chairman Of Dubai Aviation City
Corporation

UAE IAA celebrating the International Internal Audit

Awareness Month May 2017
UAE IAA is advocating the internal audit profession through several sessions
during May which is considered the internal audit awareness month:
• The 3rd Joint Professional Development Seminar in collaboration with ICAI –
Abu Dhabi Chapter - was held in Abu Dhabi on 3rd May,
• 1st Joint sub-groups event between Construction, Media and Hospitality Sub-
groups was held in Dubai on May 8th.
•  n 15th May an internal audit awareness Session at Khalifa University, in
O
collaboration with the Petroleum Institute was held in Abu Dhabi,
•  n awareness session at New York Institute of Technology was held in Abu
A
Dhabi on May 22nd.
• UAE IAA held the second joint sub-groups event between IT, Fraud and Governance Sub-groups in Dubai on May 24th

UAE IAA hosted COSO new certificate training for the

first time in the region
UAE IAA had a very successful
session on COSO internal control new
certificate training. The new certificate
that is issued by AICPA and supported
by IIA grabbed the attention of many
internal auditors in the region and Mr.
Mike Fussily, the course trainer, added
a lot of value to the course with his
experience.
Second round of the course will be
running in October 2017.

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 09

IT Risk
By Me l h i m K h o u ry Nicolas

IT Risk Assessment

The devil lies in the details, IT risk
assessment and IT risk management,
what detail differentiate them? With the
growth in the need of Information security
and risk management, the terms IT risk
assessment and IT risk management could
be confusing to most of executives dealing
with risk-based audits and compliance of
the organization.
evolved to provide support for building
IT audit project plan. Further, financial
auditors became more dependent on the
outcome of the risk-based IT audits to
substantiate their audit scope.
IT risk assessment is a component of
the IT audit process. Regardless of the
framework and methodology used, it
focuses on identifying technical risks in a
technology dependent environment. This
entails identifying a risk such as denial
of service attack and quantifying the
probability of the risk happening.
The best method to arrive to an
acceptable risk value is to apply the
following equation:
Risk = Asset x Vulnerability x Threat

The Committee of Sponsoring Measure Factor Risk Asset Vulnerability Threat

Organizations’ (COSO) has provided an Scale (Quantitative) 1 to 5 10 to 100 1 to 10 10 to 50
Enterprise Risk Management Framework
Description a. High a. Critical a. Disastrous a. Severe
in 2004. This was an influential move (Qualitative) b. Me- b. Significant b. Passive b. El-
towards focusing efforts on internal dium c. Insignifi- c. Trivial evated
controls and prioritization of review tasks c. Low cant c. Negli-
when auditing internal controls. Based on gible
the COSO framework, IT risk assessment Table 1: Sample Scales

10 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

 TO COMMENT on the article,
EMAIL the author at melhim@hotmail.com
Assets are given a coefficient values based
on a certain range. Any quantitative range
used can be qualitatively mapped to the
ranges of the other factors. The objective
is to arrive to a risk rate mapped to a
tolerance scale, usually: High, Medium
and Low. Although the usual practice
is to use same scale, the following table
illustrates an example of the different
options that can be used as different
scales:
IT risk assessment is part of IT risk
management, which entails treatment
plan. In IT risk assessment, the treatment
options are unnecessary. The High,
Medium and Low values are used as
input for other tools, mainly IT audit
plan. IT auditors benefit from the IT risk
assessment in many ways that involve
understanding of the IT set up, an
overview of the structure of the IT, and
a snapshot of the risk areas of the IT. For
these reasons, IT risk assessment should
be a prelude to audits and other review
initiatives of the IT environments.
IT risk assessment methodology change
for different environments and different
industries, but the core objective is to
identify areas, with certain risk values,
where an intensive review should be
conducted. For a bank, for example, major
risks lie in operations and for a retail in
POS. In that view, industry should also
be a factor in building the risk universe
(the set of applicable risks), which help in
building an overall business operational
understanding, when planning for risk
based IT audits.
Most conspicuously, IT risk assessment is
a prerequisite to IT audit, mainly to reduce
the audit efforts where risk is low and to
substantiate audit procedures where risk is
high. While it is unnecessary to implement
a treatment options for the identified risks,
JUNE 2017
IT risk assessment benefits auditors and
reviewers in many ways essential to the
understanding of the IT environment.
Industry model is beneficial in providing
aid to contemplating the risks associated
with a specific setup in a specific industry.
This is done using methods such as
brainstorming, which is a very effective
technique following Osborn’s method.
In another sense, IT risks are not fixed
in a stateless condition waiting to be
identified. IT risks are variable in nature
and comprise of vulnerabilities and
associated threats. Identifying risks is a
direct exercise when auditors consider the
above equation.
The values of identified risks are called
IT Operations - High Risk Email and Storage -
(complete review) Medium Risk (selected
targeted review)
January
Table 1: Sample Quarterly IT Audit Plan
inherent risk scores and they represent
the risks as naturally provided through
the initial risks identification process.
Inherent risks have associated controls
that are applied in a reactive manner to
the underlying asset. An example can be,
password protection to a server, a locker
to a network switch, or a review of a
certain log. Subsequently, controls can be
categorized as detective or preventive. As
much as preventive controls are preferable,
they are expensive to implement. When
going through another round of risk
assessment exercise and considering
existing control measures, we produce a
list of residual risks. Essentially, residual
risks are the main factors in building a
risk treatment plan or, in our initiative,
in understanding the IT environment, in
provisioning for IT audits, and in planning
review initiatives.
IT Risk
IT Risk assessment is the result of [IT
risk management] less [IT risk treatment
options].
It is used to prioritize the review areas of
the IT environment. Below is an example
of how review can be executed based on
IT risk assessment output. For a complete
review, auditors have to examine the
details of the process in a substantial
manner. For a selected targeted review,
auditors have to examine a targeted sample
(60% or 70 %) of the details of the process.
For a random selection review, auditors
have to examine a random sample of (30%
to 40%) of the details of the process.
Connectivity, remote acces,
and internet - Low Risk
(random selection review)
February March
Finally, the IT audit plan needs to align
to the overall internal audit plan. In
principle IT audit is part of the internal
audit operations. The IT audit output feeds
to internal audit plan and provides input
to the internal audit planning process,
in which internal audit head plan for the
IT audits. Whether audits are performed
based on risk assessment or not, IT risk
assessment remains a necessity to pave the
way for IT auditors to perform their jobs.
In environment where risk assessment
is conducted for all operations, IT risk
assessment will align with the overall risk
assessment plan to create visibility to the
business operational and IT risks.
By Melhim Khoury Nicolas, Technology
Consultant, MBA
INTERNAL AUDITOR - MIDDLE EAST 11
Risk Management
By Porus Pavri

Are You Managing Your

Emerging Risks?

The world is becoming an increasingly
riskier place for organizations of all types
and sizes – whether in the private or public
sectors. Environments, 100-year old busi-
ness models, social and political dynamics
are being disrupted everywhere. A quick
look at some of the more recent corporate
disasters bears testimony to this.
And then, what about the Titanic (1912),
Chernobyl (1986), Toyota (2010), Nokia
(2013), GM (2014), Yahoo (2016) ?
Was there something common that was
missing in all these systems, which lead
to the infamous catastrophies ?
Yes, you guessed it right! They were NOT
managing the warning signs, the dan-
ger signals on their horizons, owing to
the absence of a reliable and effective (i)
Framework and (ii) System for managing
Emerging Risks.
A Definition of Emerging
Risk :
Emerging Risk can be defined as a
newly developing or changing risk, that

Catastrophe (& Estimated Cost)
2008 Global Financial Crisis (trillions of dollars)
2010 Deepwater Horizon blow-out ($60bn)
2011 Fukushima nuclear reactor meltdown ($188bn)
2012 Kodak bankruptcy
2015 Volkswagen Emissions scandal ($40bn)
Why ? Because they did not foresee / understand / com-
municate…
...the gigantic risks inherent in the complex financial products that
were created, rated and regulated by the global financial institu-
tions, ratings agencies and regulators!
…the risks lurking under a culture of complacency and informa-
tion withholding, within a hugely complex operation!
…the possibility of a tsunami in its disaster preparedness sce-
narios – because the last tsunami occurred over a 1000 years ago!
…the fatal risks to their business model emerging slowly but
surely from the digital camera revolution!
…the risks brewing internally from a closed, dictatorial culture,
and a top-down “win-at-any-cost” mindset driven by the Chair-
man of the Board!

12 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017


is extremely difficult to quantify, but
nevertheless could have a major impact
on the achievement of your organization’s
objectives.
Are Emerging Risks really different from
Conventional Risks ? If so, in what way?
All risks by definition arise from uncer-
tainty. When a Risk Manager creates a Risk
Profile, a conventional risk has several
dimensions of uncertainty, such as (1)
likelihood (2) frequency (3) timing (4) im-
pact, (5) velocity as in the speed at which
the risk could manifest itself, (6) vulner-
ability/readiness as in how prepared your
organization is to respond to the risk, and
(7) duration of impact.
Now, an Emerging Risk has the exact same
dimensions of uncertainty, BUT you could
say that the degree of uncertainty is multi-
plied by a factor of say 10 or even 100 – this
is the basic difference in a nutshell !
Some implications of this are:
i) a risk which is emerging today, may
become a conventional risk after a
period of time, as we get more and
more knowledge about its risk profile
through research, analysis, etc…., and
as the uncertainty around the above 7
dimensions diminishes.
ii) w
 hat might be a current risk for Organ-
ization A, may still be an emerging risk
for Organization B.
Contributing Circum-
stances
What are the broad categories of cir-
cumstances which give rise to Emerging
Risks ?
Once you understand these ‘contribut-
ing circumstances’, you will look for these
circumstances on your entity’s horizon,
helping you identify your emerging risks
better !
Here’s a short list to set you thinking:
1: Complex systems
2: Closely interconnected system compo-
nents
JUNE 2017
3: Changing social, economic or political
dynamics
4: Untested technological advances
5: Inadequate multi-directional communi-
cation
6: Perverse incentives
I would strongly recommend all risk and
internal audit professionals reading this
article to visit www.irgc.org to gain a better
understanding of the above, and more,
factors.
Governance Framework
Having gained a high level understanding
of the definition of Emerging Risk and the
Contributing Circumstances, let us now
turn our attention to what constitutes the
Governance Framework for managing your
Emerging Risks.
The Governance Framework comprises 3
layers:
1. Strategy & Roles
2. Culture
3. Training
1. The “Strategy & Roles” layer requires
the Board and senior management to:
(a) f ormulate and embed the Emerging
Risk strategy into the overall organi-
zational strategy
(b) c larify the roles and responsibilities
of the various actors in the manage-
ment of Emerging Risks – the Board,
Senior Management, Risk Managers,
Line Managers, Internal and External
Auditors, and Regulatory Authori-
ties. But, the most important role in
the Governance Framework is that
of the Emerging Risk Coordinator,
who acts like the glue that binds the
various interested parties together.
His overarching aim is to ensure that
emerging risks and opportunities are
handled effectively and efficiently
to help the organization achieve its
objectives.
2. The “Culture” layer requires the Board
and senior management to establish a
Risk Management
strong mindset at all levels of the entity
to deal with emerging risks and oppor-
tunities by:
(a) establishing explicit incentives that
encourage horizon scanning
(b) removing any perverse incentives
that discourage horizon scanning
(c) encouraging the bottom-up flow of
contrarian views that challenge the
status quo, the reporting of unusual
events, the avoidance of “group think”
3. The “Training” layer requires the Board
and senior management to establish
training programs that teach staff and
executives at all levels on how to:
( a) undertake horizon scanning
( b) communicate clearly about poten-
tial emerging risks
( c) work in teams to improve under-
standing of, and response to, emerging
risks
The 5-step Emerging Risk
Identification & Manage-
ment System
And finally, let us introduce the iterative
system that functions within the Govern-
ance Framework, and which will help you
identify and manage your Emerging Risks
and Opportunities
STEP 1 – Early Warnings:
• DETECT signals on the horizon and
EXPLORE possible future situations that
may represent an Emerging Risk in the
short & medium term
• CREATE A RISK PROFILE of these
signals and situations
• FILTER & PRIORITIZE the list of Early
Warnings to carry forward into Step 2
• Regularly update the above filtered list
STEP 2 - Scenarios
• DEVELOP comprehensive set of scenar-
ios for each Early Warning coming from
Step 1, including those Scenarios relating
to “low-probability-catastrophic impact”
events (“Black-Swan” events)
• Regularly update the above scenarios
INTERNAL AUDITOR - MIDDLE EAST 13
 TO COMMENT on the article,
EMAIL the author at logosmgmtconsultants@gmail.com Risk Management

Note: Scenarios under Emerging Risks vs Conventional Risks In Conventional Risk • IDENTIFY Windows of Opportunity
Management, only those Scenarios which are considered probable today, and have a during which the risk management
probability attached to them, preferably based on past experience, are used in the Risk option can be applied, Failure Thresh-
Analysis. We do not consider events that might occur based on possible, though not
olds after which it will be impossible to
probable, scenarios ! For instance, risk analysis of non-nuclear infrastructure does not
normally consider the probability of a plane crashing into the infrastructure. effectively manage the emerging risk, and
Acceptability Thresholds below which
On the other hand, Scenario building for Emerging Risks Management considers all
it will not be necessary to manage the
risk events that might happen in future AND all possible combinations of risk events,
EVEN IF no reliable probability estimates are available. emerging risk

Let’s say, in a piping system in a factory, 50% of the pipes are more than 10 STEP 4 – Implementation
years old, and the rest are between 0-10 years old. Up until now, no problems • Establish internal and external commu-
have been detected in the new pipes.
nication channels
However, after reading an article in the IIA UAE magazine about Emerging • Allocate resources
Risks, the Risk Manager and the Factory Manager in consultation with the • Clearly define roles, responsibilities and
Maintenance Manager and the ERC, find that, in the summer months, owing
to excessive heat in the rear of the factory, all pipes experience a certain degree incentives
of expansion. If the temperature climbs even 1º beyond NNº, the stress in the • Ensure adequate authority in line with
piping system could cause multiple domino-style ruptures throughout the responsibility for implementation
piping system in the factory, with consequent chemical spillage, a major explo-
sion if the inflammable storage tanks in the factory compound were caught in STEP 5 – Monitoring
the midst of the spill, severe damage to the office building in the adjacent plot,
along with loss of life and property. This risk has never materialized in the • Monitor how emerging risks and oppor-
past, and there is no available probability distribution for this risk event.
tunities are unfolding
The Risk Manager and the Factory Manager however realize how negligent
they have been till now, by not considering such scenarios in their earlier risk • Review relevance and performance of
assessments, and have vowed to carry on the good work in all their risk assess- decisions made and options chosen
ments from now on.
• Update the risk management options
STEP 3 – Decisions the entity’s objectives, if left unmanaged
• Involve external experts to assess how the
• DECIDE which Scenarios to follow • IDENTIFY & EVALUATE possible risk
through for managing the related Emerg- management options [Refer Note below] process is doing
ing Risk – based on which scenarios have for each Scenario relating to a given
the highest impact on the achievement of emerging risk Conclusion
Globally, stakeholders are pressurizing
Note: Risk Management Options boards and managements to enhance
their organisations’ ability to look into
1. A
 ct on the Contributing Circumstances, try to influence them in order to mitigate
the future, to pick up signs of trouble and
the emerging risk
address them BEFORE they manifest
2. Avoid the emerging risk totally themselves in the form of events. If you, as
3. R
 educe (i) your organisation’s exposure to the emerging risk, by reducing the a Risk or Audit professional do not want a
exposed assets, businesses or processes, or (ii) your organisation’s vulnerability by “Titanic” moment on your CV, I strongly
developing resilience. Resilience is defined as the ability to withstand shocks and recommend you stir your organization out
return to normal operations in reasonable time.
of its slumber, and kick-start the establish-
4. R
 aise your organisation’s risk tolerance limits in line with its higher risk appetite, by ment of a framework and a system for
setting aside more funds to cover potential losses, or by transferring part of the risk
managing your Emerging Risks !
to a third party.

5. Choose to do nothing PORUS PAVRI, CRMA, CIA, CA is the

Founder & CEO of Logoss Management Con-
sultants International in Dubai.

14 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

 AD

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 15

Quality Assurance
BY: N IN A D P R A D HAN
The Journey to Excellence in
Internal Audit
There are organizations and then there
are “world-class” organizations. Similarly,
there are Internal Audit (IA) departments
and then there are “world-class” IA
departments. And it is not necessary that
world-class organizations will have all their
departments in that category. Surely, the
chances are significantly high. There are
several parameters which can be judged
to ascertain if the IA activity falls in that
category. Few that come to the immediate
attention are:
• Empowerment
• Independence
• Objectivity
• Pro-activeness
16 INTERNAL AUDITOR - MIDDLE EAST
•U
 se of Computer Assisted Auditing
Techniques
•E
 mployee motivation and retention
•C
 lear understanding of organization
risks
These are taken from none other than
the International Professional Practices
Framework (IPPF) – The Standards.
Whilst the implementation of the
Standards is not mandatory, they are
considered sacrosanct. And compliance
to the IPPF is the ultimate goal of almost
every IA department. There are several
IA departments who demonstrate
compliance to many ‘individual’ parts
of the Standards, but fail to demonstrate
complete compliance when it comes to
Standards 1300 – Quality Assurance and
Improvement Program (QIAP).
And it is not the difficulty which is the
bottle-neck. In many cases, it is typically
the lack of understanding of Standards
1300 and its expected benefits and value
addition to the IA department and the
organization. This article will aim to
demystify this myth.
Quality is word which is perhaps
difficult a to define as it may take
different connotations under different
circumstances. In the words of Aristotle
“Quality is not an act, it is a habit”. Whilst
management guru Peter Drucker says
“Quality is what the customer gets and
is willing to pay for”. In the context of
internal audit, it can be defined as “the
JUNE 2017

responsibility on the shoulders of the Chief
Audit Executive (CAE) to fulfil the needs
and expectations of the stakeholders; whilst
complying to their own professional ethics
through conformance to the Standards.”
Compliance and conformance alone
fail to leverage the power of a Quality
Assessment.
Quality Assurance and Improvement
Program (QAIP)
The QAIP has 2 elements which need to
be collectively addressed to conform to
Standards 1300.
1. Internal Assessment; and
2. External Assessment
Many IA departments demonstrate
the adherence to the IA plan and
department budget as their KPIs.
However, internal assessments
also require to perform on-going
assessments which can include
work-paper review, staff performance
evaluation, auditee satisfaction surveys,
monitoring of KPIs, Actual v-s Budget,
etc. IA departments also require to
perform periodic self-assessments.
(Note: this is not an exhaustive list).
External assessments must be
conducted once every 5 years by a
qualified and independent assessor
from outside the organization and
reported to the Audit Committee
(AC). And this is one point many IA
department overlook, especially those
who are large conglomerates. Whilst
there are no defined qualifications
which an assessor should have,
they should largely demonstrate
competency in two areas: The
understanding of the IPPF and the
external assessment process.
The Roadmap to Initiating a Quality
Assessment
The UAE Internal Auditors Association
(UAE IAA), ensures that its assessors
have undergone the QA course offered
by the IIA and have a certain minimum
experience without which they are not
considered for the engagements. The
UAE IAA adopts the IIA’s proven and
documented methodology – The Quality
Assessment Manual.
JUNE 2017
The QAs can be called for by either the
Chairperson of the AC or the CAE.
There are no statistics, but, experience
has shown that when the AC calls for the
QAs, there is usually some lack of trust or
deliverables between them and the CAE
with such assessments ending up on the
“not favorable” side of the assessment
scale as against when the CAE calls for
the assessment. CAE’s may well wish to
consider this point and “stick their neck
out” and call for QAs on their department
– of course with adequate preparation
and planning as the outcome of the
assessments requires to be communicated
to the Board/AC.
A quality assessment, or QA, evaluates
the compliance with the Standards, the
definition of internal auditing, the Code
of Ethics, the internal audit & audit
committee charters, the organization’s
governance, risk and control assessment
and the use of successful practices.
So who audits the auditors? When an
IA department undergoes a QA, it can
proudly say that they too have been
assessed. The rating mechanism of a
QA can be either “General Conforms”,
“Partially Conforms” or “Does Not
Conform”.
QA scope
Typically, a QA scope covers
•C
 onformance with the Standards
& the Code of Ethics & the IA’s
charter, plan, policies, procedures
and applicable laws & regulatory
requirements
• Th
 e expectations of the IA as
expressed by the board, executive
management and operational
management
• Th
 e integration of the IA into the
governance process, including the
relationships between and among the
key groups involved in the process
•T
 ools and techniques
•M
 ix of knowledge, experience and
disciplines within the staff, including
the focus on process improvement
Quality Assurance
• Determination that the internal audit
activity adds value and improves the
organization’s operations
It provides the IA departments to delve
into the minds of their stakeholders
and gauge their level of trust in the IA
department and its functioning. The
independent nature of the external assessor
also provides for an opportunity to ask
certain questions which can be used for
further probing to provide further value
added service. The CAE gets a holistic
picture of what is happening around him/
her without ruffling too many feathers.
The QA assessors take care of those
uncomfortable questions.
Think for a minute how many times the
phone rings for a CAE or an email with
a request – sometimes an urgent one –
requesting for help in either a certain
review or in some investigation. The
number of consulting activities can be
an indicator of how much value-added
resource the IA department is considered
by the organization’s management. With
the level of such engagements rising the
perceived value that the IA department
is adding is definitely proportionate. As
they say – a voice but no vote at on the
management table.
Benefits of a QA
CBOK surveys have revealed that the top
5 reasons for investing in a QAIP are
1. Identifying areas for improvement
2. Full conformance to the Standards
3. B
 ring systematic, disciplined
approach
4. I ncrease credibility within the
organization
5. A
 nticipate, meet and/or exceed
stakeholder’s expectations
Further, the survey concludes that,
when compared to other internal audit
departments, those that conform to the
quality standards: 
• Were more likely to have complete
and unrestricted access to
INTERNAL AUDITOR - MIDDLE EAST 17
 TO COMMENT on the article,
EMAIL the author at logosmgmtconsultants@gmail.com
information as appropriate for the
performance of audit activities  Audit Executive (CAE) is able to lay
• Made more use of technology in
internal audit processes
• Used a wider variety of resources to
develop audit plans
• Were more likely to have
documented procedures in an
internal audit manual 
• Received more hours of training and
were more likely to have formalised
training programmes
• Served organisations with more
highly developed risk management
processes
• Were more likely to report that
funding for the internal audit
function was “completely sufficient”.
Conducting a Quality Assessment
exercise offers the internal audit activity
several benefits.
1. It offers an opportunity to
benchmarked against other IA
departments. The Global Audit
Information Network (GAIN) is also
a good tool to use.
2. The conducting of the QA is in itself
adherence to full conformance to
The Standards. This permits the IA
activity (if the assessment results
permits so) to insert the statement
“This audit is conducted in
conformance with ………..” within
its audit report and can also state
that the department itself conforms
with the requirements of the IPPF.
3. This lends credibility to the IA
activity and increases the perceived
value of the activity within the
organization.
4. The typical question of “Who audits
the auditors?” also gets answered.
The IA activity being subjected to
the assessment which is conducted
by independent assessors lends
credibility to its activities.
5. QAs also give an opportunity
to meet or exceed stakeholder
expectations as a result of the
interviews and surveys which are
18 INTERNAL AUDITOR - MIDDLE EAST
conducted independently. The Chief
emphasis on the expectations spelt
out.
6. The CAE can use this opportunity
to lay emphasis and focus on the
IPPF and raise the awareness of The
Standard amongst the management.
7. Overall, the reputation of
organization is enhanced. This, due
to the fact that nothing and no one
in that organization is immune and
is subjected to audit. It is a sign of a
mature organization which is willing
to learn and improve.
How to be Successful in a QA?
QAs require tremendous commitment
from each and every staff of the IA
department. It calls for commitment
to quality (Mission/Vision/Values/
Goals/Objectives/KPIs), drafting of
policies and procedures, demonstrating
continual improvement, monitoring
and reviewing mechanisms and their
subsequent reporting to the Board/AC – as
a minimum. Conducting periodic internal
assessment, plugging the identified gaps,
and a formal documentation of the QAIP
is a large step forward.
ConclusionThe Next Steps?
It is quite certain that the benefits from
a Quality Assessment far outweigh
than not going for it. But this also calls
for good preparation at all levels with
the department hierarchy. To begin,
it is important to have a project leader
Quality Assurance
who understands the QA process. And
attending a training session for a QA
course will prove beneficial.
The QA cannot be done in isolation
from the audit committee and hence it is
imperative to appraise them of the exercise
and the credentials of the team engaged
to conduct the same. Having the audit
committee on board is vital.
Historical data is proof that when a QA
is called by the CAE, the chances of a
successful QA are significantly higher than
when called for by an audit committee. So,
prepare well, and go for it. Do not wait for
your audit committee to instruct you on
this one.
Quote 1
“Thanks to the IAA UAE Team for the
great efforts exerted during the quality
assurance review done for our department.
The Audit team was very professional,
systematic and helped us towards further
improving our quality performance,
professionalism and use of best practices.
Itwas a great experience indeed!!”
Tamer Said Ali, Deputy Chief Internal
Auditor, Obeikan Investment Group
Quote 2
“Let me express my appreciation to
excellent work done during the quality
assessment review you’ve recently
completed for our internal audit
department. It was a fruitful exercise
and we welcome the improvement
opportunities highlighted to enhance
the quality and performance of the
department.I assure you that your value-
added recommendations will be acted
upon fully and promptly. May I also take
this opportunity to thank you and your
team for the professional approach and
courtesy displayed by the team”
Beelall Ramdianee, Vice President –
Internal Audit, Dubai International
Financial Centre
NINAD PRADHAN, CRMA, MBA, PGDC-
SM, BSc Senior Consultant & Trainer at UAE
IAA
JUNE 2017
 Ad

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 19

Cybercrimianl
B Y: FA D I A B U ZUHRI EDI T ED BY: AND R EW C OX
Profiling cyber-
criminals
Since the middle ages era, the definition of crime has been
limited to types of crimes committed in the physical world. In
the same way, theories aimed at explaining crime including
the Conflict Theory, the Theory of Social Control, and others,
have defined crime within the confines of the physical world.
Strategies aimed at dealing with criminal activities have been
limited in their scope when defining crime within the context of
the physical world. However, the growth of information systems,
ICT, mass media, and increased interconnectivity, facilitated
by the internet, has revealed a new and unique form of crime:
the digital world crime. These types of crimes present several
challenges including legal, geographic, and web barriers, as well
as the anonymity of the internet. The environment in which these
crimes occur also pose a challenge to crime specialists. These
challenges have created the need to identify and modify techniques
used to combat crime committed in the physical world, such
as criminal profiling with a view to making them applicable to
e-crimes. This paper discusses the possibility of penetrating these
barriers by applying the modified version of criminal profiling
techniques to e-crimes.
The concept of crime has expanded beyond the
physical world to the global digital world.
Profiling Cyber Criminals in the physical world
Since the 1970s, experts within the Behavioral Science Unit
(BSU) of the FBI have been helping federal, state and local law
enforcement agencies investigate violent crimes. This practice was
initiated through offender profiling, with a view to understanding
personality and behavioral traits of perpetrators. It started as
an analytical technique for identifying the characteristics of
the offender, based on examination of crime scenes and crime
dynamics, and continued developing over the years as a tool to
help investigators narrow a suspect pool (Alison et al, 2010).
Offender profiling was offered within the BSU as an analytical tool
and a product of training programs.
Forensic psychologists often employ deductive or inductive
profiling in dealing with crimes committed in the physical world,
applying these techniques to ascertain characteristics of criminals.
Deductive profiling techniques involve the use of data, including
crime scene evidence, forensic evidence, offender characteristics
and victimology. In deductive profiling, the available information
is processed by applying personal experiences, with the profiler
assuming one or more facts of a case as self-evident about an
offender or crime. Then, by following hunches and experience,
arrive at conclusions. The ‘truth’ of facts or conclusions arrived at
using deductive profiling depends upon the truth (ie, contingent
truth). Also, in the deductive profiling method, the conclusions
are true if the hypothesis and the premises are true and valid.
On the other hand, inductive criminal profiles are created by
studying statistical data, including study of the demographic
20 INTERNAL AUDITOR - MIDDLE EAST
characteristics and behavioral patterns shared by criminals.
Inductive profiling is also theory-driven and based on the available
cases of crime. Inductive profiling relies on information collected
through interviews with offenders, and this forms the foundation
for investigators’ profiles. Again, the inductive profile technique
involves hypothesis (formalized operational definitions) for
testing, and coding of data to allow for statistical analysis.
Applicability of these techniques has been possible in crimes
committed in the physical world. However, applicability of these
techniques to deal with crimes committed in the digital world
is still debatable. It has been argued that criminal profiling is an
immature, but promising, science. Perhaps this may explain that
little attention has been given to such technique by both academics
and practitioners. In the digital world, forensic psychologists
have knowledge about the law, criminology and psychology. This
can be used to better understand technological aspects relating
to crime, in order to develop cyber-criminal profiles. As such,
they are required to take an interdisciplinary approach when
dealing with cyber crimes. Unfortunately, highlighted issues of
tractability, geography, law and anonymity makes it difficult for
forensic psychologists to collect information about criminals and
cyber-crimes (Tompsett, Marshall, and Semmens, 2005). Again,
most cyber-crimes go either unnoticed or unreported, and hence
go unpunished. Importantly, it is possible to draw some parallels
between non-cyber-crimes and cyber crimes. It is also possible to
develop a profile from the existing techniques that can be used for
law enforcement.
Most cyber-crimes go either unnoticed or unre-
ported, and hence go unpunished.
Profiling Techniques
From the perspective of deductive profiling methods, cyber-
criminal profile should be developed in a four-step process.
The first step is victimology. Today, criminals victimize both
organizations and individuals. This step involves understanding
the aspects of organizations and individuals that attract cyber-
criminals. Victimology helps security specialists understand an
offender’s motive behind the crime. Victimology includes the
following:
• Politically motivated crimes (ie, cyber-terrorists).
JUNE 2017
 TO COMMENT on the article,
EMAIL the author at Fadi@zahf.eu
•C
 rimes driven by emotional reasons (ie, cyber-stalking).
•C
 rimes committed and driven by sexual impulses (ie,
paedophiles).
•C
 rimes known to be less dangerous, such as sharing software
by individuals, or sharing copyrighted movies (Shinder,
2010).
The second step is motive identification – what is the reason for
the crime?
Victimology and motive leads to the third step – identifying
offender characteristics. Several topologies and ways to classify
cyber-criminals based on offender motives have been introduced
(Rogers, 2006). However, changes in criminal behavior with the
evolving technological environment necessitate modification of
existing schemes. Other studies have suggested that crime can
be addictive, and in the cyber world, criminals become addicted
to the internet and computers (Nykodym et al, 2008). It is also
argued this addiction, aided by various opportunities including the
access and availability of the internet and computers, and fueled by
criminal motives, could facilitate the making of a cyber-criminal.
This understanding may be used in analyzing the modus operandi
of cyber-criminal.
Modus operandi reflects criminal character (Lickiewicz, 2011).
For instance, a cyber-criminal may destroy information by using
a virus that is attached to an e-mail, while another may hack
into a computer system by attacking the server with a view to
stealing information. This suggests that one’s technical expertise
helps him or her to understand the behavior of a cyber-criminal.
A cyber-criminal may be required to have a level of technical
efficacy successfully penetrate a sophisticated and secure network
(Kirwan and Power, 2013). On the other hand, ‘script kiddie’ may
use an already developed program to attack a computer system. It
is worth noting that human elements, such as social engineering
skills, possessed by some professional cyber-criminals should
not be disregarded. This is because cyber-criminals with average
technical skills can participate in a crime by employing simple
techniques of subtle psychological manipulations and friendly
persuasion. Kirwan and Power (2013) affirm that technical skills
and other skills, including social skills and motives, determine the
modus operandi of a cyber-offender.
Step four of the deductive cyber-profiling technique involves
forensically analyzing digital evidence. Digital forensics are
important, because it is the means through which a cyber-
criminal profiler can trace the offender in the event there is no
physical evidence (Kwan, Ray and Stephens, 2008). In the view of
Lickiewicz (2011), not all criminals are traceable, as one of three
cyber-criminals manages to remove or modify the audit trail by
wiping their traceable digital footprints. The four-step approach
suggested is an iterative process. New information regarding the
offender, motive, victim and forensic evidence could be revealed
while in an investigation proceeds.
As for inductive profiling methods, they can be applied alongside
the deductive techniques described above, to help deal with cyber-
crimes. For example, statistical analysis data studying demographic
characteristics and behavioral patterns shared by criminals, and
breaches in cyber-security, could be employed to identify criminal
attack trends such as motive for attack, type of victims who are
likely to be targeted, and most common modes of attack used by
cyber-criminals. This may help to identify serial offenders, and
other cases with similar modus operandi.
JUNE 2017
Cybercriminal
The four-step approach is:
• Victimology.
• Motive identification.
• Identifying offender characteristics.
• Forensically analyzing digital evidence.
Conclusion
The techniques and tools discussed in this paper are worth testing
in practical scenarios. It is believed that if cyber-criminal profiling
is used effectively, the issue of cyber-crime may be reduced as more
offenders could be brought to justice. Considering the current
trend of increasing rates of cyber-crimes, it would be important
for academics and practitioners to collaborate. These practices may
be useful for law enforcement officers, as it may help them gather
legally valid and binding evidence in order to take appropriate
actions against these cyber-criminals.
Cyber-criminal profiling is a tool which could bring
more offenders to justice.
References
Alison, L., Goodwill, A., Almond, Louise, Heuvel, C. and Winter,
J. (2010) Pragmatic solutions to offender profiling and behavior
investigative advice. Legal and criminological psychology, 15, 115-
132.
Kirwan, G., and Power, A. (2013). Cybercrime: Psychology of
cybercrime. Dublin: Dun Laoghaire Institute of Art, Design and
Technology.
Kwan, L., Ray, P. and Stephens, G. (2008). Towards a Methodology
for Profiling Cyber Criminals. IEEE Computer Society.
Proceedings of the 41st Hawaii International Conference on
System Sciences.
Lickiewicz, J. (2011). Cyber Crime psychology-proposal of an
offender psychological profile. Problems of forensic sciences, 2(3):
239-252.
Nykodym, N., Ariss, S. and Kurtz, K. (2008) ‘Computer addiction
and cyber crime’. Journal of Leadership, Accountability and Ethics,
35: 55-59.
Rogers, M. K. (2006) ‘A two-dimensional circumplex approach to
the development of a hacker taxonomy’. Digital Investigation, 3 (2):
97-102.
Shinder, D. (2010) Profiling and categorizing cybercriminals.
Retrieved on 6th July 2016 from http://www.techrepublic.com/
blog/security/profiling-and-categorizing-cybercriminals/4069.
Tompsett, E.C., Marshall, A.M., and Semmens, C.N. (2005).
Cyberprofiling: Offender Profiling and Geographic Profiling of
Crime on the Internet. Computer Network Forensics Research
Workshop.
Fadi Abu Zuhri, (MSc, ITSM, CGEIT, CISM, CFE, CISA, CISSP,
PMP)
INTERNAL AUDITOR - MIDDLE EAST 21
Added Value
B Y: E h a b S a i f
Adding Value in a Challenging
Economic Environment
“In the current volatile
and unstable economic
conditions, internal
audit functions are
required, like never
before, to assume different
responsibilities and
wear multiple hats to
achieve the goals of the
reorganization programs”.
The current business environment is very
volatile and unstable worldwide and this
is especially clear in Middle East. The
characteristic of this stage are mainly
uncertainty and lack of clear strategic
direction.
Working in such business environment
adds a lot of responsibilities and pressure
on the available resources. This is of
course applicable to the internal audit
resources which are required to participate
in different organizational efforts aiming
to reduce costs, increase efficiency and
ensure proper restructuring of key business
activities.
In such circumstances, internal audit
functions are required, like never before, to
assume different responsibilities and wear
multiple hats to achieve the goals of the
reorganization programs.
Acting as the Second Line of Defense:
Most reorganization programs will
result in hard decisions related to job
cuts at different organizational levels.
The reduction in head count might
be permanent or temporary which
in both cases means weaker internal
controls, at least, during the period of the
restructuring.
22 INTERNAL AUDITOR - MIDDLE EAST
Assuming compliance and risk
management responsibilities is one
of the common scenarios for internal
audit resources in such circumstances.
For example, internal auditors might
be required to review some business
transactions to ensure its compliance
with internal policies and alignment with
reorganization objectives.
Having in depth knowledge of the internal
controls gives internal audit resources
the ability to perform compliance
related activities including financial and
operational compliance in a very efficient
and effective manner.
Internal audit departments can also
review, identify gaps and recommend
improvements related to the reorganization
plans as they have best understanding
of overall organizational operations,
departments and intradepartmental
workflows.
Risks to Independence and Objectivity
One of the major internal auditors’
concerns is always Independence and
Objectivity which is clearly reflected in
Standard 1100 of the IIA standards which
states that the internal audit activity must
be independent, and internal auditors must
be objective in performing their work.
However, participation in restructuring
efforts requires high level of flexibility
to convince restructuring committees
that internal auditors are well rounded
resources who can employ their knowledge
in internal controls and utilize their
internal business relationships to add value
to the organization.
Unfortunately, in most of the cases internal
auditors will not have a say in whether
they are involved in such reorganization
programs. BoD/business owners will
usually ask internal auditors to be involved
in the reorganization efforts due to
the lack of trusted and knowledgeable
resources. This might be more applicable
in family businesses where internal audit
is considered a trusted agent to accelerate
changes and ensure that the BoD/owners’
decisions are implemented.
The independence issues normally
appear when the Chief Audit Executive
JUNE 2017
 TO COMMENT on the article,
EMAIL the author at ehab-saif@live.com
(CAE) or the internal audit resources are
required to report on specific assignments
to the reorganization committee which
might consists of current or future
management employees. The impairment
of independence might also result from
performing some compliance and risk
management activities which are subject to
internal audit reviews in the future.
Considering the factors mentioned above,
there are clearly some risks associated
with assuming second line of defense
responsibilities temporarily. The CAE is
required to report such risks to the audit
committee/BoD before acceptance of
assigned responsibilities
Adding Value in Difficult Times
The internal audit resources should
plan their work in a smart and effective
manner to add the maximum value to the
reorganization efforts while maintaining
the highest possible level of independence
and objectivity. Such activities might
include, but not be limited to, the
following:
•E
 fficiency reviews that focus on
cost optimization in which internal
auditors review previous practices
in various business departments
and recommend improvements that
will decrease costs or/and increase
efficiencies.
•L
 iquidity assessment reviews that
highlight potential gaps in cash flow
for management action given that
most reorganization efforts involve
major debt restructuring and cash
flow difficulties which require close
attention by the reorganization
committee.
•P
 rocess gap analysis reviews that
help reorganization committee to
conduct proper process reengineering
exercises.
•L
 imited ad-hoc assignments
or investigations that assist
reorganization committee to reach
certain conclusions on various
organizational matters.
IIA Response
As a response to the increasing pressure
on the internal audit resources to perform
second line of defense activities, the
Institute of Internal Auditors (IIA) has
issued a practice guide called “Internal
JUNE 2017
Audit and the Second Line of Defense”
which addresses the specific cases where
BoD/business owners ask CAEs to assume
responsibilities for risk management,
compliance, and other governance
functions.
As per the practice guide, the CAE should
ensure the following before and during
assuming such responsibilities:
•D
 iscussion of risks with management
and the BoD/business owners.
•A
 cceptance and ownership of risks by
management.
•C
 lear definition and assignment of
roles for each activity where second
line of defense activities overlap with
third line of defense activities.
•P
 eriodic independent assessment of
internal audit’s second line of defense
roles and responsibilities.
The practice guide has also specified some
of the activities that the internal audit
should avoid in such cases which include:
• S etting the risk appetite, owning or
managing risks.
•A
 ssuming responsibilities for
accounting, business development,
and any other first line of defense
functions.
•A
 ssuming accountability for
risk management or governance
processes.
•P
 roviding assurance on second line
of defense activities performed by
internal audit.
The practice guide above was subsequently
followed with a new IIA Standard which
is Standard 1112 “Chief Audit Executive
Roles Beyond Internal Auditing”. The new
IIA Standard specified certain safeguards
to address the impairments resulted from
assuming responsibilities that fall outside
the internal auditing which include
periodic evaluation of reporting lines and
developing alternative processes to obtain
assurance related to the areas of additional
responsibility.
Another sensible change in IIA standards
was introduced in Standard 1130.A3
which allowed internal audit resources to
Added Value
provide assurance services where they had
previously performed consulting services,
provided the nature of the consulting did
not impair objectivity. This means that
internal audit functions will need robust
processes to assess requests for consulting
engagements to help prevent independence
issues in future audit plans.
Conclusion
Organizational changes might not always
be in the favor of the employees and
this usually creates more pressure and
discomfort for the available resources.
Internal auditors are usually one of the
most impacted resources as they are
required to assume more responsibilities.
In addition to the reorganization programs,
internal auditors might be asked to assume
second line of defense responsibilities due
to many reasons including, but not be
limited to, the following:
• BoD/business owners do not
understand or appropriately value the
importance of an independent and
objective third line of defense.
• Internal audit has the necessary skill
set or relevant expertise for specific
risk management and/or compliance
activities.
• The organization is small and
cannot support distinct control and
assurance functions.
Internal auditors might have two options
when it comes to assuming second line
of defense activities which are either
to quite the job in order to protect
their independence or to accept such
responsibilities with a strategy of how to
achieve the required objectives with a clear
transition plan to relieve internal audit
from such responsibilities in the future.
There is a good saying to remember in
this regard. It says “I can’t change the
direction of the wind, but I can adjust
my sails to always reach my destination”.
It is extremely important for internal
auditors to be mentally prepared for such
circumstances, especially in the current
economic conditions, which will help them
perform and excel without unnecessary
hard feelings.
Ehab R. Saif, CMA, CIA, CFE a Head of
Internal Audit at a private holding company in
Abu Dhabi.
INTERNAL AUDITOR - MIDDLE EAST 23
Audit Analytics
B y : In d u m o n D a s Edit ed by G aut am G an d h i
Self Service Audit Analytics –
transform your approach
Despite the fact that data analytics and
Computer Assisted Audit Techniques
(CAAT) have been a part of auditing for
nearly thirty years, many organizations are
still struggling with the implementation of
effective data analytics to enhance internal
audit quality and effectiveness.
Increasing complexities of risks and
incessant emergence of disruptive
technologies are demanding substantial
change in internal audit processes.
In today’s world of constant disruption,
internal audit should evolve into a
dynamic and future-oriented function.
24 INTERNAL AUDITOR - MIDDLE EAST
Businesses need broad-spectrum audit
processes that extend beyond reviewing the
obvious. Auditors should adopt forward-
looking IA approaches, and should be able
to provide deeper and valuable insights on
strategy, execution, emerging risks, and
hidden opportunities.
The 2016 Deloitte Global Chief Audit
Executive Survey that polled more than
1200 CAEs from 29 countries and a diverse
range of industries, reaffirms the growing
need to conduct analytics-based auditing.
More than a three quarter of the CAEs
(79%) recommend the need for digital
disruption and innovation to transform
internal audit and enhance its value. The
survey also cited the increasing relevance
of cutting-edge technologies such as
artificial intelligence, cognitive computing,
and visual analytics.
Is skill-gap a concern?
More than half of CAEs (57%) who
participated in the survey expressed their
intense dissatisfaction about inadequate
skills and insufficient expertise of audit
teams.
When left unaddressed, these skill gaps will
weaken auditors’ capabilities to deliver on
changing stakeholder expectations.
JUNE 2017
 TO COMMENT on the article,
EMAIL the author at indumon.das@beinex.com
Stakeholders expect more forward-
looking analysis to uncover risks and
hidden opportunities.Gone are the days
of static audit reports and analysis of
sample data.
The Deloitte survey also cites risk
anticipation (39%) and data analytics (34%)
as the two groundbreaking innovations
that are most likely to impact internal
audit within the next five years. Changing
business landscapes, technological
advancements, and proliferation of data
have brought forth the imminent need to
leverage analytics and data visualization
to increase the impact, influence, and
effectiveness of internal audit.
Analytics Adoption Challenges
Even after 30 years of inception of data
analytics, many auditors continue to adopt
conventional internal audit methods and
lag in technology adoption. Wondering
why? Here are some of the reasons:
1. Skills gap
2. Insufficient IT support
3. Difficulty to manage and manipulate
data
4. Increasing requests for ad-hoc
analysis and one-off reports
5. Difficulty in dealing with the basic
aspects of data management and
governance
Can technology disruption be a savior?
Advancements in technology are
fundamentally changing the nature of the
audit and improving its effectiveness and
relevance. Here are a few game-changing
technology solutions that auditors can
harness effectively to enhance the way they
work with data:
1.Self-service analytics - Smart analytics
for all
Self-service analytics is no more a
buzzword. It’s the new norm. Self-service
analytics empowers auditors to access data,
perform queries, and create interactive
reports that add richness and granularity to
the insights derived. Anyone and everyone,
with or without technical expertise, can
harness the power of self-service analytics
JUNE 2017
to work seamlessly with large data sets
of any size or type, and discover savvy
insights without having to write codes or
learn programming languages.
Key advantages of using self-service
analytics tools: Explore your data and
create ad-hoc reports without IT skills
•E
 asy access to any source data
•G
 uided analysis - Faster answers to
complex questions
• I ntuitive drag-and-drop interface to
create and share interactive reports.
•N
 atural language processing to
respond to complex queries
• I nteractive visualizations and
personalized dashboards to identify
patterns and trends
•F
 ast to deploy and easy to manage
•A
 ll-encompassing data analysis
anywhere and available anytime
2. Mobile Analytics – Audit insights on
the go
Regardless of the size of an organization
or availability of data, it takes weeks to
prepare and present comprehensive audit
reports. The numbers are usually saved
offline as large files or copied to multiple
slides for boardroom meetings.
Mobile data analytics enables a concise
and easily accessible digital avatar of audit
reports and dynamic dashboards that can
be accessed on mobile devices to interact
and proactively monitor the business
information on the go.
3.Data Visualization
When it comes to presenting audit data,
reports and findings, one gets a single
view of the entire raw data, all at once.
This makes it difficult to decipher what
is important and what isn’t, the reason
why the point of sharing information gets
defeated. Data visualization helps get a
flexible and reliable way to identify and
share pertinent information in a manner
that everyone can easily understand.
Analytics
• Process more information than
reading numbers
• Discover insights using spatial
relationships, colors, and textures
• Make data accessible to a broader
audience and provide users with a
rich and engaging experience
There are many reasons why auditing
is ripe for self-service analytics and
visualization driven transformation. There
is more data to examine within limited
time availability. Most financial and
operational transactions are moving online,
and the number of variables, outliers,
trends, and patterns to identify and analyze
continue to increase each day.
Visual analytics is the fastest way to analyze
and understand structured or unstructured
data of any size, without IT assistance.
Visual technologies help speed up and
improve decision making with heat maps,
bubble charts, and interactive dashboards
that are easy for C-suite executive, non-
technical business users, and stakeholders
to understand.
Everything gets better when you can
do it yourself, right? Self-service audit
analytics and visualization too are not
different.
Benefits of self-service analytics in
Internal Audit
• Analytics for everyone: Everyone in
an IA Team can perform analytics
and build audit dashboards – It’s a
cultural shift
• Greater insights – Transform audit,
increase audit quality, and create
more impact
• Increased coverage – Identify more
risks and opportunities
• Generate and deliver more forward-
looking recommendations quickly –
From auditors to business advisors
• Minimal Investment, Tangible and
Quicker ROI
• Work smarter and reduce costs by
building and deploying Continuous
Audit and Monitoring mechanisms.
Indumon Das, Founder, Principal Consultant
in Consulting firm UAE
INTERNAL AUDITOR - MIDDLE EAST 25
 AD

26 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017


BY: D a v i d C l e m e nt s EDI T ED BY : Me e n a ksh i R a zd a n
You think you have discovered a
fraud. What do you do?
Despite recent surveys pointing to fraud
being on the increase in instances of
fraud, the discovery of a suspected fraud
within any organisation is not an everyday
occurrence for most people and initial
reactions may include shock and surprise.
However, action taken in the first few hours
and days after discovery will significantly
JUNE 2017
impact the course and/or outcome of a
full investigation and may even make it or
break it.
Most organisations have controls in
place to prevent and detect fraud being
committed against them from outside
the organisation. In the banking industry
in particular, external fraud is an
Fraud Risk
expected occurrence and banks employ
sophisticated processes and technology
to prevent and detect such occurrences.
The bigger problem occurs when fraud
has been committed from within. Apart
from the cost involved, there is always
some collateral damage caused including
loss of reputation, brand damage and
INTERNAL AUDITOR - MIDDLE EAST 27

reduced employee morale. Seniority of the
suspect is also a factor, the more senior the
employee, the more serious the damage.
History shows that , in the absence of any
structured response plan, the amount of
time and effort it takes for management to
respond, particularly in the initial weeks, is
excessive and severely impacts the normal
business activity of the organisation. When
a potential fraud is first discovered, the
following few hours or days can be very
confusing and stressful if the organisation
is unprepared.
In the absence of a Fraud
Response Plan, experience
has shown that managers
handle the same problem
in different ways
Sometimes this can have with disastrous
consequences such as destroying the
evidentiary value of information and
evidence by inappropriate handling
processes, inadvertently tipping off the
suspect and, enabling them to destroy
incriminating evidence, failing to keep
the matter confidential and taking
inappropriate action caused by having
insufficient information.
For example, In a recent fraud incident
that occurred in a UAE organisation, the
suspect was in charge of procurement
for the organisation, but it had been
discovered and it came to light that he
also operated a supply and contracting
company which had been paid in excess
of 3 million dirhams by his employer’s
company, all ordered and authorised by
the suspect. After discovery, he was made
aware of the issue but was allowed to
remain in his position for another month,
during which time he destroyed a large
number of incriminating documents.
In an incident which occurred in another
Middle East country, it became widely
known throughout the organisation that a
fraud had been uncovered. Unfortunately,
28 INTERNAL AUDITOR - MIDDLE EAST
the matter which became public knowledge
was only a small part of a much larger
conspiracy between a number of employees
and suppliers. By failing to keep the matter
confidential, the company management
enabled the conspirators to destroy
incriminating records, electronic data
and to dispose of stolen property which
rendered any future investigation a limited
exercise. The identities of the suspects
were not confirmed, which means that the
company may still employ people who are
actively seeking ways to defraud it.
The purpose of a Fraud
Response Plan is to ensure
that incidents are handled
in a systematic and
efficient manner, not only
to conclude a successful
investigation, but also to
show that the organisation
acted in a prudent and
lawful manner. And and
that it does not tolerate
fraud.
The Fraud Response Plan should outline
how far an individual line manager should
go in collecting initial information before
invoking the Response Plan. The key is to
provide the line manager with an effective
framework to resolve concerns, rather
than leave such resolution to individual
initiative.
Initial Action
It is important to remember that when
fraud is first suspected, the matter may
well be more serious than it may initially
appear. This is because fraudsters rarely
restrict their activities to only one modus
operandi or method. Therefore, every
effort should be made to obtain as much
information as possible before anyone is
questioned, confronted or interviewed.
Fraud Risk
This is particularly important in
organisations or business units with a close
working environment, where there may be
a strong temptation to simply question an
employee as soon as suspicion is raised.
It is also important to be aware that larger
scale frauds are often international in
nature. Therefore, any fraud contingency
planning must include measures for
investigation and taking legal and
investigative action across jurisdictions.
In addition, most frauds involve the
use of a computer at some stage in the
planning or execution of the fraud.
This is particularly evident in today’s
environment, when the majority of white
collar employees are allocated a computer
by their employer. Business is conducted
by computer and correspondence
normally involves acomputer through the
widespread use of corporate email. The
pervasive involvement of the computer
into most facets of corporate life means
that electronic evidence is often vital to
investigating corporate fraud. Obtaining
that electronic piece of evidence is a
specialist skill which should be discussed
with your forensic specialists.
Initial actions are crucial to the eventual
outcome of an investigation and, if a proper
strategy is put in place and adhered to, the
extent of fraudulent activity can usually
be assessed and action taken to resolve the
matter successfully. This usually means
obtaining sufficient evidence to dismiss
errant staff and to commence civil and/
or criminal proceedings against those
concerned involved in the fraud, or claims
against insurers, if so desired.
Initial responsibility designation
Fraud investigation is by necessity, a
confidential task and is a sensitive matter
for the vast majority of organisations.
It is vital that all allegations of fraud are
treated seriously and that responsibility
for handling fraud incidents is assigned
to a senior, trusted individual or group of
individuals. In many organisations, this
responsibility is handed to a corporate
security advisor, internal audit manager
or risk management director. In other
JUNE 2017
 TO COMMENT on the article,
EMAIL the author at djwclements654@gmail.com
organisations, the responsibility is shared
between members of senior management
or an audit committee and the
organisation’s human resources personnel
and corporate lawyers are involved from
a very early pointthe. Fraud incident
management responsibility is an important
role and those chosen to administer
the role must the have appropriate legal
and management level to authority to
investigate actions toand co-ordinate the
organisation’s overall response to fraud
incidents.
As part of their overall fraud control plan,
organisations should assign responsibility
for fraud incident management to an
appropriate person(s) as a precursor to
adopting an incident management plan.
Consideration should also be given to
the appropriate level of involvement by
corporate lawyers and human resource
personnel at appropriate levels is essential.
Fraud Response Team
Some Fraud Response Plans only deal with
situations where an employee discovers a
fraud and hands it over to an investigation
department to follow up. However, some
frauds have impacts far beyond the remit of
the investigation department to deal with
(such as when the organisation’s liquidity is
threatened). The Plan also should cater for
such eventualities.
Most large organisations have formed
crisis management committees to respond
to major incidents (such as a fire or
explosion), so it is not uncommon unusual
to take have a similar approach in a Fraud
Response Plan. Typically, this means
forming a Fraud Incident Management
Team, comprising essential members and
co-opted members.
In some types of fraud, the victim may only
have a few hours to take action to freeze
funds which have been illicitly transferred.
It is essential that contact numbers for
essential service providers are established
beforehand, including internal support
departments, such as legal, corporate
security, insurance external lawyers, police
and telecommunications agencies, forensic
accountants and investigators.
JUNE 2017
Receipt and initial assessment of
suspicion, allegation or ‘tip off ’
Fraud investigations are often initiated
after an allegation or a tip-off (often
anonymous) is received. This will usually
be sourced from inside the organisation,
although external tip-offs are not
uncommon. Many fraud incidents are
initially discovered by accident, perhaps
as a result of an audit, job change or
resignation. Very few frauds are discovered
as part of a deliberate attempt to uncover
fraud, as very few organisations implement
a proactive fraud detection program.
The checklist shown below highlights
initial actions to be taken taken /(or
avoided) upon the discovery of fraud or
tip-off.
At the conclusion of this stage, a decision
must be made as to whether the allegation
or suspicion warrants investigation or is
implausible or vexatious. However, this
decision must be made carefully. If an
allegation cannot be quickly dismissed as
false, further action should be taken.
A typical Fraud Response Plan contains:
• purpose of the plan,
• policy statement,
• definition of fraud,
• r oles and responsibilities including
fraud response team,
•o
 bjectives including civil and
criminal response,
• r eporting of suspicions and collection
and preservation of evidence.
Checklist
Initial action checklist upon discovering
a potential fraud:
1. Alert the fraud incident manager that
an allegation or suspicion exists
2. Document date, time and details of
initial report/discovery
3. Take notes of all observations and
actions – if something is worth taking a
mental note, it is worth a written note)
Fraud Risk
4. Maintain confidentiality (only inform
those people who need to know about
the suspected act). Unwarranted
disclosure can seriously damage
potential successful investigations. Do
not confront the suspect.
5. Write out in full the suspected act or
wrongdoing including:
• What is alleged to have occurred
• Who is alleged to have committed
the act
• Is the activity continuing
• Where did it occur
• What is the value of the loss or
potential loss
• Who knows of the activity
6. Identify all documentary and other
evidence connected to the activity
• Invoices
• Contracts
• Purchase orders
• Cheques
• Computers
• Credit card statements
7. Obtain evidence and place in a secure
area. (only where it is possible without
alerting any suspects)
8. Protect evidence from damage or
contamination
9. List each item individually taking
note of acquisition (incl. time, date
and location) and where the item was
securely stored
10. Identify all potential witnesses
11. Unless electronic evidence is in the
process of being destroyed do not
go into the suspect/target computer
systems
12. If possible, secure and/or remove
suspect’s access to relevant computers/
systems. Do not allow IT department
to examine computer
13. Consider other potential suspects and
extent of fraud
David Clements , Formal Principal Director |
Deloitte Forensics
INTERNAL AUDITOR - MIDDLE EAST 29
 AD

30 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017


BY: A r i f Za m a n
Internal
Audit
Planning
-The Value-
Adding
Phase
One would think that the most important step of the internal audit
process is conducting the audit. Experience and research shows
otherwise, since there is a long and rigorous process to arrive at
the audit execution phase. This takes me to our point of discussion
in this article, which is that the most important step in the process
is the planning phase. The whole internal audit process is heavily
reliant on proper planning taking place.
The Chief Audit Executive (CAE) must effectively manage the
internal audit activity to ensure it adds value to the organization1.
Value can be added to the organization and its stakeholders
when internal audit considers strategies, objectives, and risks to
enhance governance, risk management, and control processes and
objectively provides relevant assurance on how effective they are
functioning. These aspects normally come up during the annual
planning phase of the internal audit process.
Annual planning
The CAE must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the
organization’s goals2. The purpose of annual audit planning is to
ensure that the audit is relevant to the organization’s needs and is
adding value towards the achievement of the preset objectives. It
also helps in better utilization of the limited audit resources.
JUNE 2017
Frosting Fundamentals
There is a common belief that the annual audit planning process
is time-consuming and costly, when in reality all internal auditors
agree that the benefits exceed by far the cost and time spent on it.
As per a famous saying, “By failing to prepare, you are preparing to
fail”. In the following points, I will share with you the details of the
steps that are covered as part of the annual internal audit planning
process.
Step 1. Audit Universe
Before embarking on the risk assessment, it is important to
break down the organization into auditable areas. This should
include all the businesses, regions and functions that make up the
organization in a systematic order. And it could be done through
any of the following approaches:
• Geography: the subsidiaries and sister companies can be
categorized by geographic regions.
• Industry: if the organization is operating in diverse industries
and sectors, then it can be classified by industry or sector.
• Function, Process, Service or Product: the organization can be
classified either by function, process, service or product.
The audit universe is a collaborative effort between the key
business stakeholders and the internal audit function. The Internal
Audit Department (IAD) needs to update the audit universe
for any structural changes that have taken place within the
organization. Upon completion of audit universe, the IAD is ready
to proceed with the annual risk assessment phase, since it has
clarity on which areas or functions it needs to assess for risk and
controls.
Step 2. Risk Assessment
The IAD’s activity plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The
INTERNAL AUDITOR - MIDDLE EAST 31
 TO COMMENT on the article,
EMAIL the author at arifzaman786@yahoo.com
input of senior management and the board
must be considered in this process3.
The risk assessment is the most challenging
stage in the annual planning process. The
first element that needs to be assessed
by the auditor, is the organization’s risk
maturity.
Risk Mature Organization: if the
organization clearly has three lines of
defense for the management of risks,
controls, compliance, fraud, quality, then
input needs to be collected from all these
functions as part of the risk assessment
process.
In a risk mature organization these
functions are operating as intended.
Moreover, they have a defined risk appetite
(the amount of risk an organization is
willing to accept to achieve its objectives),
risk registers (detailing business risks) and
a robust ethical framework in place, to
strengthen the overall control environment.
Risk Immature Organization: if none
of the aforementioned lines of defense
are specified, then a more detailed risk
assessment needs to be conducted, since
the IAD would not have the points of
reference to rely on in the collection of
risk-related information.
In this situation, which is applicable to
many organizations, it is recommended
that the IAD collect risk input from each
functional head. There are several tools
that can be used in this process, such as
surveys/questionnaires, holding meetings/
interviews, reviewing management reports,
etc.
The IAD needs to record all the key risks
and map them against each auditable area
in the audit universe.
Despite the risk maturity of the
organization, the IAD is also expected to
review other sources of information, such
as:
• Industry/Sector Risks
• External Factor (Internal Auditors can
use techniques like PEST, SWOT)
• Compliance/Regulation Risks
• Previous Internal Audit Reports
• Management reports from 2nd line of
defense such as risk function, compliance
function, fraud function reports, etc.
32 INTERNAL AUDITOR - MIDDLE EAST
• Any other input from the internet e.g.
knowledge leader, board executive, etc.
In carrying out the risk assessment there
are certain standard requirements that
the IAD must take into consideration.
The risk assessment must be documented,
the Internal Auditors must have sufficient
knowledge to evaluate risk of fraud4
and key information technology risks5.
Moreover, the Internal Audit activity must
evaluate the effectiveness and contribute to
the improvement of the risk management
processes6.
Step 3. Alignment of Risks with the
Strategic Goals and Objectives
The IAD must be alert to the significant
risks that might affect objectives,
operations, or resources7.
Once the IAD has identified business
risks, these should be aligned with the
organization’s strategic goals and objectives
and must be assessed in terms of their
probability of occurring (likelihood) and
consequences (impact), to arrive at an
overall rating. There are many ways to rate
risks, either qualitatively (High, Medium
or Low), or through quantitatively, through
the assignment of an overall grade to each
risk (residual risk).
Step 4. Risks Prioritization
Based on the rating, most of the high
risks and a few medium risks would be
prioritized. We also include some medium
and low risks, since there is a certain level
of subjectivity involved in risk assessment,
which is determined by the IAD based on
professional judgement.
Step 5. Formalize Internal Audit Plan
Once the previous phases are complete,
then the IAD has a clear idea of the
risky areas that are of importance to the
organization and its management. Based
on that, the process to formalize the
Annual Internal Audit Plan would start.
It could sometimes cover a span of more
than one year. The plan would specify
which areas will be audited during the year,
detailing the execution period/s (normally
on a quarterly basis).
Frosting Fundamentals
The formalized audit plan would be
presented to the Board Audit Committee
for review and recommendations. Input
from senior management and the Board
must be considered in this process8.
IAD should identify the pervasive audit
needs requested by the Board or senior
management and take them into account,
based on the available resources and the
Internal Auditors’ professional judgment.
The Chief Audit Executive must also
communicate the impact of resource
limitations9 if any.
The annual audit plan could vary as per
the organization’s needs and requirements.
The IPPF only specify certain criteria and
guidelines for the annual planning process,
which sets the minimum requirement for
the annual audit planning process. Some
organizations add audits based on criteria
other than risk. Such criteria might include
areas subject to change, mandatory audits
or audits requested by management. The
steps highlighted above could be used as a
guide to facilitate the annual audit planning
process.
The IAD’s credibility and value are
enhanced when they are proactive and
their evaluations offer new insights and
consider future impact. The purpose
of audit planning is to make the IAD
more effective in contributing to the
improvement of the organization’s
governance, risk management, and control
process, through the use of a systematic,
disciplined, and risk based approach10.
1.International Standards for the Professional Practice
of Internal Auditing – 2000 - Managing the Internal
Audit Activity
2. International Standards for the Professional Practice
of Internal Auditing – 2010 – Planning
3.International Standards for the Professional Practice of
Internal Auditing 2010.A1 – Planning
4.2010.A2 – Proficiency
5.1210.A3 – Proficiency
6. 2120 – Risk Management
7. 1220.A3 – Due Professional Care
8. 2010.A1- Planning
9. 2020 - Communication and Approval
10. 2100 - Nature of Work
Arif Zaman is a Group Internal Audit
Manager, ACCA, CIA, CPA, CISA, CFE, CCSA,
CRMA, CRBA and CGA.
JUNE 2017