
Best Practices in Internal Audit – [Visions & Challenges]

Prepared by Mr. Basem Hijaz
Chief Audit Executive – NADEC
QIAL, CIA, CPA, CISA, CRMA, CRISC, CFE

2
Best Practices in Internal Audit

1. Consider Risks and link them to the audit plan.

2. Consistency & Work Closely with the second Line of Defense.

3. Provide Advice and Insights that Focus More on Predictive Audit.

4. Expand and Sharpen Internal Audit’s Skills.

5. Automate Wherever Possible with Technology.

3
1- Consider Risks and link them to the audit plan

Implementation Guide:

IG 2010 - Planning: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

According to Standard 2010.A1, the internal audit plan must be based on a documented risk assessment, undertaken at least annually, that considers the input of senior management and the board.

4
1- Consider Risks and link them to the audit plan

Implementation Guide (Cont.):

When developing the internal audit plan, the CAE also considers any requests made by the board and/or senior management and the internal audit activity’s ability to rely on the work of other internal and external assurance providers (as per Standard 2050).

5
1- Consider Risks and link them to the audit plan

Implementation Guide (Cont.):

The internal audit plan is flexible enough to allow the CAE to review and adjust it as necessary in response to changes in the organization’s business, risks, operations, programs, systems, and controls. Significant changes must be communicated to the board and senior management for review and approval, in accordance with Standard 2020.

6
1- Consider Risks and link them to the audit plan

Steps to Consider:

• Identify top risks through meetings with stakeholders & industry analyses.

• Coordinate with other assurance groups to assess and score risks.

• Perform risk assessments to understand the risks and what causes them.

• Rank and prioritize the risks.

• Conduct periodic reviews throughout the year.

7
Statistics & Surveys

Our Global Pulse of Internal Audit survey is based on data from 2,254 respondents in 111 countries or territories.

• The report is available from your Institute or at www.theiia.org/gpi
Statistics & Surveys

Stakeholders want us to raise the bar; however:
• 28% of CAEs say they rarely or never participate in major organizational change initiatives,
• 31% are never invited to join a full board meeting, and
• Only 26% of CAEs view themselves as members of executive management.
Statistics & Surveys

• The good news:
  – 91% of CAEs assess risks
  – 85% develop risk-based plans
• However, CBOK revealed we are not “auditing at the speed of risk”:
  – 63% of CAEs update audit plans no more than twice a year
  – 15% have “highly flexible plans”
  – 31% don’t update risk assessments
  – Only 21% deploy continuous risk assessment methodologies

Sources: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center, conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from The IIA. Note: Q42: How frequently does internal audit conduct a risk assessment? Q48: What resources do you use to establish your audit plan?
• KPMG’s 2017 Global Audit Committee Pulse Survey
• 832 responses
  – 42 countries
  – 55% audit committee chairs
  – 45% audit committee members
• 63% public companies
• 25% private companies

Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 Global Audit Committee Pulse Survey, © 2017 KPMG LLP
KPMG’s 2017 Global Audit Committee Pulse Survey

Beyond financial reporting and compliance risks, what steps can internal audit take to maximize value?

Targets for Internal Audit to Maximize Value (Response):
• Expand audit plan on key areas of risk (e.g. cyber security, and key operational and technology risks): 56%
• Maintain flexibility in the audit plan: 53%
• Expand the audit plan on effectiveness of risk management processes generally: 49%
• Improve internal audit’s talent and expertise: 42%
• Helping to assess / “audit” the culture of the organization: 27%

Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 Global Audit Committee Pulse Survey, © 2017 KPMG LLP
2- Consistency & Work Closely with the second Line of Defense

Implementation Guide:

IG 2050 - Coordination and Reliance:

The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.

13
2- Consistency & Work Closely with the second Line of Defense

Implementation Guide (Cont.):

Internal providers include oversight functions that either report to senior management or are part of senior management. Their involvement may include areas such as environmental, financial, control, health and safety, IT security, legal, risk management, compliance, or quality assurance.

14
2- Consistency & Work Closely with the second Line of Defense

Supplemental Guide (Cont.):

An assurance map is a matrix comprising a visual representation of the organization’s risks and all the internal and external providers of assurance services that cover those risks. This visual depiction exposes coverage gaps and duplications.

15
2- Consistency & Work Closely with the second Line of Defense

Supplemental Guide (Cont.):

Assurance providers may use the map to coordinate the timing and scope of their services, preventing audit fatigue within areas and processes under review, except in cases where senior management or the board may need a second opinion or a double check from another assurance provider on a high-risk area.

16
2- Consistency & Work Closely with the second Line of Defense

Supplemental Guide (Cont.):

Assurance mapping steps include:

1. Identifying sources of risk information.

2. Organizing risks into risk categories for consolidated viewing.

3. Identifying assurance providers.

4. Gathering information and documenting assurance activities by risk category.

5. Periodically reviewing, monitoring, and updating the assurance map.

17
18
2- Consistency & Work Closely with the second Line of Defense

Steps to Consider:
• Establish a common risk and control language that will enable the second and third line of defense to communicate with each other.
• Conduct periodic meetings between IA and other assurance functions.
• Question and challenge the findings from risk & compliance functions.
• Link the risk function’s assessments of key risks to audit planning.
• Report key risks, issues, and opportunities to stakeholders.

19
3- Provide Advice and Insights that Focus More on Predictive Audit

New Supplemental Guide [Auditing Model Risk Management]

Banks and other large financial services organizations rely extensively on mathematical models to make business decisions and meet regulatory requirements.

20
3- Provide Advice and Insights that Focus More on Predictive Audit

What is predictive audit?

The predictive audit is a forward-looking approach that examines the validity of transactions before they are executed. It does so by comparing actual transactions to timely normative models, allowing managers to be alerted to potentially problematic transactions before they occur. This gives senior staff the opportunity to investigate and resolve any issues before allowing flagged transactions to go through.

21
3- Provide Advice and Insights that Focus More on Predictive Audit

Imagine the following scenario: You are a manager in a consumer bank that offers customers a savings account with a minimum deposit and a minimum of six months before cash withdrawals can be made.

However, if a customer is dissatisfied with the account, they can immediately close it and get their money back. Regardless of whether or not they close their account within six months, the sales employee who set it up is still paid a commission.

22
3- Provide Advice and Insights that Focus More on Predictive Audit

In such a scenario, an employee could seek to inflate their commission by influencing a customer to open an account in order to be eligible for another product (an accompanying loan, for example) with the condition that the savings account can be closed, without penalty, immediately thereafter.

Certainly, such situations are not uncommon, and can occur in one form or another, in any organization. But what if you could predict the occurrence of such ‘bogus’ transactions and take action before they even occur? Wells Fargo
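As an added example that is not part of the presentation, the following Python sketch implements the kind of normative-model check the predictive audit slides describe, applied to the savings-account scenario above: each sales employee's rate of accounts closed before the six-month lock-in is compared with the rate of their peers, and a commission for an employee whose pattern departs sharply from that baseline is held for review before it is paid rather than investigated afterwards. The record layout, thresholds and sample history are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Parameters of the normative model (constructed assumptions for this example).
LOCK_IN_DAYS = 182        # the six-month minimum holding period from the scenario
MIN_ACCOUNTS = 5          # fewer accounts than this is too little history to judge
RATE_MULTIPLIER = 3.0     # flag when own early-closure rate exceeds 3x the peer rate
ABS_FLOOR = 0.2           # ...and is at least 20%, so one closure among clean peers is not flagged


@dataclass
class Account:
    account_id: str
    employee: str            # sales employee who opened the account and earns the commission
    opened: date
    closed: Optional[date]   # None while the account is still open


def closed_early(acct: Account) -> bool:
    """True if the account was closed before the six-month lock-in elapsed."""
    return acct.closed is not None and (acct.closed - acct.opened).days < LOCK_IN_DAYS


def early_closure_stats(accounts):
    """Per employee: number of accounts opened and number closed early."""
    opened, early = defaultdict(int), defaultdict(int)
    for a in accounts:
        opened[a.employee] += 1
        if closed_early(a):
            early[a.employee] += 1
    return opened, early


def peer_rate(employee, opened, early):
    """Early-closure rate of everyone except `employee`: the normative baseline."""
    peer_opened = sum(n for e, n in opened.items() if e != employee)
    peer_early = sum(n for e, n in early.items() if e != employee)
    return peer_early / peer_opened if peer_opened else 0.0


def flag_employees(accounts):
    """Employees whose early-closure pattern departs sharply from their peers."""
    opened, early = early_closure_stats(accounts)
    flagged = []
    for emp, n_opened in opened.items():
        if n_opened < MIN_ACCOUNTS:
            continue
        own_rate = early.get(emp, 0) / n_opened
        threshold = max(ABS_FLOOR, RATE_MULTIPLIER * peer_rate(emp, opened, early))
        if own_rate > threshold:
            flagged.append(emp)
    return sorted(flagged)


def review_before_commission(new_account: Account, history) -> str:
    """Predictive check at the moment a commission is about to be paid."""
    return "HOLD" if new_account.employee in flag_employees(history) else "PAY"


# Constructed sample history: E1 opens accounts that are closed within weeks;
# E2 and E3 show ordinary behaviour (one genuine early closure, long-lived accounts).
SAMPLE = [
    Account("A1", "E1", date(2016, 1, 4), date(2016, 1, 20)),
    Account("A2", "E1", date(2016, 1, 11), date(2016, 2, 1)),
    Account("A3", "E1", date(2016, 2, 2), date(2016, 2, 9)),
    Account("A4", "E1", date(2016, 2, 15), date(2016, 3, 1)),
    Account("A5", "E1", date(2016, 3, 1), None),
    Account("A6", "E1", date(2016, 3, 8), date(2016, 12, 1)),
    Account("B1", "E2", date(2016, 1, 5), None),
    Account("B2", "E2", date(2016, 1, 19), None),
    Account("B3", "E2", date(2016, 2, 3), date(2016, 2, 20)),
    Account("B4", "E2", date(2016, 2, 17), None),
    Account("B5", "E2", date(2016, 3, 2), None),
    Account("C1", "E3", date(2016, 1, 6), None),
    Account("C2", "E3", date(2016, 1, 20), date(2016, 9, 30)),
    Account("C3", "E3", date(2016, 2, 4), None),
    Account("C4", "E3", date(2016, 2, 18), None),
    Account("C5", "E3", date(2016, 3, 3), None),
]

if __name__ == "__main__":
    print("flagged:", flag_employees(SAMPLE))   # ['E1']
    pending = Account("A7", "E1", date(2016, 3, 15), None)
    print("commission for A7:", review_before_commission(pending, SAMPLE))  # HOLD
```

The peer-based baseline matters: computing the baseline over the whole population would let a single high-volume offender inflate it and hide inside their own average.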

23
3- Provide Advice and Insights that Focus More on Predictive Audit

A Combination of Services – (Cont.)

IIA’s Audit Executive Center conducted a survey. The results found that almost all internal audit functions represented in the survey (94 percent) provide a combination of assurance and advisory services. Key business areas where advisory services are being performed include risk management, corporate governance, ethics, and performance management.

24
3- Provide Advice and Insights that Focus More on Predictive Audit

25
4- Expand and Sharpen Internal Audit’s Skills

Implementation Guide:

IG 2030 – Resource Management: The CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

IG 1200 – Proficiency and Due Professional Care: Engagements must be performed with proficiency and due professional care.

IG 1210 – Proficiency: The IA activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

26
4- Expand and Sharpen Internal Audit’s Skills

Supplemental Guide [Talent Management]:

Recruiting, motivating, and retaining great team members is recognized as one of 10 imperatives that will enable internal audit to drive success in a changing world.

According to The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) study, internal audit departments need to cast their nets wider to attract, motivate, and retain team members who are able to understand and anticipate the rapidly changing business environment.

27
4- Expand and Sharpen Internal Audit’s Skills

Developing Talent

The CAE should align internal audit’s talent development approach with the organization’s professional development practices.

Efforts to develop talent typically include:

• Professional development plans, “Certification Policy”
• Training and continuing education, and
• Mentoring.

28
4- Expand and Sharpen Internal Audit’s Skills

Steps to Consider:

• Evaluate the existing skills of the internal audit team, identify gaps, and conduct periodic training.
• Align training and development programs with emerging risk, regulatory and business objectives.
• Consider communication skills as audit qualifications when recruiting new resources.
• Explore alternative staffing models such as rotation & guest auditor.
• Build relationships with external service providers.

29
4- Expand and Sharpen Internal Audit’s Skills

PwC’s 2016 State of the Internal Audit Profession Study found that strategic
and creative talent management is one of the most-significant drivers of the
value an internal audit function can provide. The study also showed a close
correlation between very effective internal audit leadership and talent
management.

30
4- Expand and Sharpen Internal Audit’s Skills

In fact, 83% of very effective internal audit leaders perform well at talent
management compared with just 47% of effective leaders and 24% of less-
effective leaders. However, chief audit executives (CAEs) also indicated that
acquiring and managing talent are their most-significant challenges.

31
4- Expand and Sharpen Internal Audit’s Skills

As per an IIA study in 2015, the top five areas where respondents are experiencing difficulty hiring candidates are:

1. IT-general

2. Cybersecurity and privacy

3. Data mining and analytics

4. Industry-specific knowledge

5. Analytical/critical thinking

32
5- Automate Wherever Possible with Technology

Guides:
Attribute Standard

1220.A2: Internal auditors must consider the use of technology-based audit and other data analysis techniques.

33
5- Automate Wherever Possible with Technology

Steps to Consider:

• Consider replacing solid spreadsheets and tools with integrated audit systems.
• Build a centralized library to integrate and map audit data.
• Leverage mobile auditing tools to enter audit findings [smartphones or tablets].
• Implement intuitive dashboards (KPI) and reporting tools using Business Intelligence software (Continuous Auditing).

34
5- Automate Wherever Possible with Technology

Steps to Consider – (Cont.):

Internal audit analytics

• Start by applying off-the-shelf analytics packages to datasets.
• Depending on your industry, identify areas where audit should be forward-looking, and thus analytical.
• Improve the first line of defense through certain analytical tasks.

35
5- Automate Wherever Possible with Technology

Internal audit analytics – Why do we use analytics?

• Sample-based testing will not satisfy stakeholder needs.
• Analytics can apply risk indicators to large datasets.
• Analytics reduce complexity and time consumption.
• Adopting analytics enhances focus, efficiency, effectiveness, and value.

36
Current Internal Audit Analytics Capabilities

• 7% Advanced: standard methods and training, using advanced tools and analysis techniques
• 24% Intermediate: some standardization of methods, some repeatable analytics
• 55% Basic: ad-hoc analytics with limited repeatable solutions, basic tools (e.g. spreadsheet, etc.)
• 11% None: no analytics capabilities
• 3% Not sure

Source: Deloitte’s Global Chief Audit Executive Survey 2016-2017

37
How Many Audits Use Analytics?

“What percentage of total audits utilize some form of data analytics?”

Audits Using Analytics:
• 75% to 100%: 18%
• 51% to 75%: 14%
• 26% to 50%: 26%
• 1% to 25%: 42%

Source: Protiviti – Internal Audit Capabilities and Needs Survey 2017

38
5- Automate Wherever Possible with Technology

Data visualization
Impact Area

• Data visualization transforms analytical output into visual formats.
• The complexity and prices of these tools have dropped sharply.
• Data visualization can pinpoint many areas.
• Visualization can better meet stakeholder needs.
• Visualization can depict trends, patterns, and anomalies that might otherwise be missed.

39
5- Automate Wherever Possible with Technology

Data visualization – (Continued)

Steps to consider

• Train one or more staff members.
• A desktop license for a good package is relatively inexpensive.
• Then try using data visualization in scoping, execution, and reporting on selected areas of the audit.
• Data visualization is also meaningful in reports to the Board and Audit Committee.
• Well-known data visualization tools: Tableau and BI (Oracle, Microsoft).

40
5- Automate Wherever Possible with Technology

What is Continuous Auditing?

“A method used to perform control and risk assessments automatically on a more frequent basis” (IIA).

[Diagram: a continuum from activities led by internal audit to activities led by the business: IA Data Analytics, Continuous Auditing, Continuous Monitoring, Enterprise Risk Management, Governance Risk & Compliance]

41
Dashboards Examples – GL Dashboard

79
Dashboards Examples – Accounts Payables

81
Dashboards Examples – General Ledger

82
Dashboards Examples – Fixed Assets

83
Dashboards Examples – Procure to Pay

84
Dashboards Examples – PO without PR

85
5- Automate Wherever Possible with Technology

48
Internal Audit In Practice

A report is only valuable when management and the board use it and see that it
helps them.
If they briefly look at it and then put it aside, then it is basically useless.
On the other hand, if they look at the report and say 'yes, this is something I
think will help me manage my business' or if they discuss the contents of the
report with other parts of the business, then it is a good sign.

49
Internal Audit In Practice

Board and Audit Committee Perspectives on Value Add:

Seen to be value adding:
• Delivering the audit plan within the year;
• Delivering assurance over key concerns or areas of interest for the board/audit committee;
• Providing comfort over core control and compliance areas;

50
Internal Audit In Practice

• Providing timely and tailored briefings on the position of the organization in relation to topical issues;
• Offering insights into emerging risks (VAT, Cyber security);
• Identifying themes and trends in audit findings;
• Being seen to be influential with senior management.

51
Internal Audit In Practice

Board and Audit Committee Perspectives on Value Add:

Seen not to add value:
• Failing to deliver the audit plan;
• Having a major issue occur in an area that was recently audited (e.g. “Why didn’t you spot that issue when you audited that area last year?”);
• Appearing un-influential with senior management (and expecting the board to do the running) or appearing in the pocket of management;

52
Internal Audit In Practice

• Audit receiving negative feedback in a quality review or from a regulator or from the external auditor;
• Audit “pushing the nuclear button” on an issue which proves to be relatively minor;

53
Internal Audit In Practice

Senior Management Perspectives on Value Add:

Seen to be value adding:
• Audit being on hand to do targeted work for some senior managers;
• Audit delivering advisory assignments that are seen to support the achievement of priority objectives;
• Audit producing short, balanced reports on a timely basis;

54
Internal Audit In Practice

• Audit working in a joined-up way with other functions, including the external auditor, to manage the burden of assurance activities across the organization;
• Audit delivering the audit plan to (or under) budget;
• Audit identifying inefficiencies or cost savings.

55
Internal Audit In Practice

Senior Management Perspectives on Value Add:

Seen not to add value:
• Audit reports with negative ratings that do not align with senior management’s risk appetite;
• Audit report wording that is either inflammatory or that might be unhelpful if disclosed to a regulator or in litigation;

56
Internal Audit In Practice

• Anything that comes as a surprise;
• Anything communicated out of chain;
• Audit reports that simply repeat known issues in more detail;
• Audit reports that are issued too late to do anything with.

57
Cases in Corporate Governance 2

58
What causes companies to engage in criminal behavior?

I. Pressure from top management on middle management to achieve non-realistic targets.
II. Opportunity arises most basically from the susceptibility of the company’s accounting systems to manipulation due to inherent risks from management override or collusion.
III. Some regulations that may affect a corporation's regional sales.
IV. To increase the corporation's stock price or to stay in the leading position.

A. I, III
B. I, II, III
C. I, II, III and IV
D. III, IV

59
Cases in Corporate Governance

• Wells Fargo Scandal

• Volkswagen Scandal

• Cambridge Analytica Scandal

• Rolls-Royce Scandal

• Mobily Scandal

60
Cases in Corporate Governance – [Wells Fargo]

61
Cases in Corporate Governance – [Wells Fargo]

Wells Fargo & Company is an American international banking and financial services holding company headquartered in San Francisco, California, with "hubquarters" throughout the country.

“Where Wells Went Wrong”

Wells Fargo employees created millions of fake bank accounts for customers to hit sales targets and receive bonuses.

Source: Forbes

62
Cases in Corporate Governance – [Wells Fargo]

63
Cases in Corporate Governance – [Wells Fargo]

“Eight is Great”

• Meaning: get eight Wells Fargo products into the hands of each customer.

• But this directive proved burdensome for bank employees as they struggled to meet demand.

• Employees opened deposit accounts and credit cards for Wells customers without their knowledge or permission.

Source: Forbes

64
Cases in Corporate Governance – [Wells Fargo]

“Two Million Phony Accounts”

• From 2009 to mid-2016, created more than 1.5 million unauthorized deposit accounts.

• Issued more than 500,000 unauthorized credit card applications.

• These accounts racked up $2.6 million in fees for the bank.

Source: Forbes

65
Cases in Corporate Governance – [Wells Fargo]

66
Cases in Corporate Governance – [Wells Fargo]

“The Results”

• $185 million in fines.
• Fired 5,300 employees over five years for creating the phony accounts.
• Public demand and government officials attacked Wells for its actions.
• On September 13, Wells eliminated all sales goals in its retail banking business [meaning that the types of quotas that led to the fraud will soon no longer exist].
• CEO resigned in October 2016.

Source: Forbes

67
Cases in Corporate Governance – [Volkswagen]

68
Cases in Corporate Governance – [Volkswagen]

• The Volkswagen emissions scandal (also called "emissionsgate" or "dieselgate").

• In September 2015 the Environmental Protection Agency (EPA) issued a notice of violation of the Clean Air Act.

• Volkswagen intentionally programmed turbocharged direct injection (TDI) diesel engines to activate their emissions controls during laboratory emissions testing only.

69
Cases in Corporate Governance – [Volkswagen]

70
Cases in Corporate Governance – [Volkswagen]

“The Results”
• 11 million cars around the world have the emissions program problem.
• Withdrawal of 9 million cars from the European market.
• Withdrawal of 500K cars from the US market.
• Lost the confidence of its customers and the confidence of the public.
• Volkswagen announced that it will give up 30,000 jobs in an effort to save about $4 billion a year, starting in 2020, after the carbon emissions scandal.
• A $15 billion settlement with US consumers and regulators, giving diesel owners the choice between repurchase, refunds or free repair.

71
Cases in Corporate Governance – [Volkswagen]

The following statistic shows Volkswagen's operating profit from the fiscal year 2006 to the fiscal year 2017. In light of the diesel scandal, Volkswagen produced an operating profit of around 13.8 billion euros in 2017.

72
Cases in Corporate Governance – [Volkswagen]

73
Cases in Corporate Governance – [Analytica]

74
Cases in Corporate Governance – [Analytica]

Cambridge Analytica captured the data of more than 50 million Facebook users without their consent, starting in 2014, to develop an information program that reveals voters' intentions and how to manipulate them.

Christopher Wylie helped in the development of voter studies to analyze data from Facebook through an application.

Source: Monte Carlo International


75
Cases in Corporate Governance – [Analytica]

• The application required access to Facebook, allowing third parties (academics) to obtain data from Facebook users.

• The aim of the study was to create models of personalities, exploiting their psychology and what affects them, in order to build campaigns and target them better. (“This is known as machine learning.”)

Source: Monte Carlo International


76
Cases in Corporate Governance – [Analytica]

The idea was inspired by a study done by two researchers at Cambridge University, Michal Kosinski and David Stillwell, using an application called [My Personality] on Facebook.

They used this application to study the psychology of users, based on their answers to specific questions or on what they share and like on Facebook pages. (That is, using the volume of data to understand the user's psychology.)

Source: Monte Carlo International


77
Cases in Corporate Governance – [Analytica]

Dr. Aleksander Kogan, a psychologist and research professor at the University of Cambridge, reproduced the study of Kosinski, used the data and sold it to the company Strategic Communication Laboratories, one of the companies under "Cambridge Analytica”. His position as a researcher at Cambridge allowed Kogan to tell Facebook that his data collection was for academic goals when in fact it was not.

Source: Monte Carlo International


78
Cases in Corporate Governance – [Analytica]

It turned out that Facebook had been aware of this collection process since 2015 and took only limited steps to retrieve and protect these users' data; according to the Observer's report, the data is still available "raw" on the Internet and can be found.

Source: Monte Carlo International


79
Cases in Corporate Governance – [Analytica]

80
Cases in Corporate Governance – [Analytica]

After the information was released publicly, Facebook:

• Shares fell 6.8 percent at the close of Monday's trading and 7 percent on Tuesday.

• New laws could be applied that could hurt the company's business model.

Source: Monte Carlo International


81
Cases in Corporate Governance – [Analytica]

After the information was released publicly (Cont.):

• Technology giants on Wall Street, including Apple, Alphabet and Netflix, have been on the decline.

• Asian markets also suffered losses, with Sony shares in Tokyo, Samsung in Seoul and Chinese equities in Hong Kong.

Source: Monte Carlo International
82
Cases in Corporate Governance – [Rolls-Royce]

Source: BBC
83
Cases in Corporate Governance – [Rolls-Royce]

• Rolls-Royce paid bribes, including a luxury car and millions of pounds’ worth of cash, to middlemen to secure orders in six countries, including Indonesia, Russia and China.

• A settlement of £671m has been reached, which means the engineering giant will avoid being prosecuted by anti-corruption investigators in the UK, US or Brazil.

Source: BBC
84
Cases in Corporate Governance – [Rolls-Royce]

• In Indonesia, Rolls-Royce gave $2.25m (£1.8m) and a Rolls-Royce Silver Spirit car.

• In Thailand, the firm paid more than $36m between 1991 and 2005.

• In India, where the use of agents to secure defense contracts is prohibited, Rolls-Royce disguised its use of middlemen as “general consulting services”.

Source: BBC
85
Cases in Corporate Governance – [Rolls-Royce]

• In Nigeria, a middleman hired by the company paid bribes to public officials.

• In China, Rolls-Royce failed to prevent bribery in relation to the extension of a £5m cash credit to China Eastern Airlines in exchange for the purchase of engines for aircraft in 2013.

• In Russia, Rolls-Royce won a contract to supply equipment by making payments to a senior official.

Source: BBC
86
Cases in Corporate Governance – [Mobily]

87
Cases in Corporate Governance – [Mobily]

• Why did the share price of Mobily drop from 92 riyals to less than 60 riyals in just three days?

• Did Mobily deliberately manipulate the earnings figure or not?

• Start with the loyalty program: this program aims to guarantee customer loyalty to the company by giving customers points whenever they use the company's services.

Source : Al Arabiya

88
Cases in Corporate Governance – [Mobily]

• Customers can redeem these points for rewards from Mobily or from agreed companies [company services or other goods and products].

• In this case, the sellers of the goods (the agreed companies) register the points and treat Mobily as a debtor for the amount of goods redeemed by customers until it pays them.

Source : Al Arabiya

89
Cases in Corporate Governance – [Mobily]

• A new arrangement: Mobily agreed with a number of companies from various industries that it would broadcast messages for several days to all users of the network urging them to redeem their points with those agreed companies, and the agreed companies would then pay for these ads with the points that would be redeemed.

• This turns Mobily from a debtor into a vendor of these points to the companies that participated and advertised with it.

Source : Al Arabiya

90
Cases in Corporate Governance – [Mobily]

Where is the problem?

The agreement provided that the companies would pay Mobily only for the points actually used.

But Mobily recorded the "full" points allocated to them as revenue, while the actual revenue was only the fraction that customers actually redeemed, which seems to have been very little; the result was a hugely overstated revenue figure.

Source: Al Arabiya

91
Cases in Corporate Governance – [Mobily]

The Results

• Mobily amended its 2013 net profit from 6.6 billion riyals to 5.9 billion riyals.

• Mobily lost more than 10 billion riyals of its market value within a week.

• Mobily's share lost all earnings and profits of the last two years.

Source: Al Arabiya

92
Thank You
