Professional Documents
Culture Documents
2
Best Practices in Internal Audit
3
1- Consider Risks and link it to the audit plan
Implementation Guide :
4
1- Consider Risks and link it to the audit plan
When developing the internal audit plan, the CAE also considers any
requests made by the board and/or senior management and the internal audit
activity’s ability to rely on the work of other internal and external assurance
providers (as per Standard 2050).
5
1- Consider Risks and link it to the audit plan
The internal audit plan is flexible enough to allow the CAE to review and
adjust it as necessary in response to changes in the organization’s business,
risks, operations, programs, systems, and controls. Significant changes
must be communicated to the board and senior management for review and
approval, in accordance with Standard 2020
6
1- Consider Risks and link it to the audit plan
Steps to Consider :
7
Statistics & Surveys
Sources: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center conducted in collaboration with the 2015 Common Body of Knowledge Study, © 2015
The IIA and The IIA Research Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise disseminated without explicit permission from
The IIA. Note: Q42: How frequently does internal audit conduct a risk assessment? Q48: What resources do you use to establish your audit plan?
• KPMG’s 2017 Global Audit
Committee Pulse Survey
• 832 responses
– 42 countries
– 55% audit committee chairs
– 45% audit committee members
• 63% public companies
• 25% private companies
Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 GlobalAudit
Committee Pulse Survey, © 2017 KPMG LLP
KPMG’s 2017 Global Audit Committee Pulse Survey
Beyond financial reporting and compliance risks, what
steps can internal audit take to maximize value?
Targets for Internal Audit to Maximize Value Response
Expand audit plan on key areas of risk (e.g. cyber security, 56%
and key operational and technology risks)
Maintain flexibility in the audit plan 53%
Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 GlobalAudit
Committee Pulse Survey, © 2017 KPMG LLP
2- Consistency & Work Closely with the second Line of Defense
Implementation Guide :
13
2- Consistency & Work Closely with the second Line of Defense
14
2- Consistency & Work Closely with the second Line of Defense
15
2- Consistency & Work Closely with the second Line of Defense
Assurance providers may use the map to coordinate the timing and scope of
their services, preventing audit fatigue within areas and processes under
review, except in cases where senior management or the board may need a
second opinion or a double check from another assurance provider on a high
risk area.
16
2- Consistency & Work Closely with the second Line of Defense
17
18
2- Consistency & Work Closely with the second Line of Defense
Steps to Consider :
Establish a common risk and control language that will enable the second
and third line of defense to communicate with each other.
Question and challenge the findings from risk & compliance functions.
19
3- Provide Advice and Insights that Focus More on predictive
20
3- Provide Advice and Insights that Focus More on predictive
21
3- Provide Advice and Insights that Focus More on predictive
Imagine the following scenario: You are a manager in a consumer bank that
offers customers a savings account with a minimum deposit and minimum of
six months before cash withdrawals can be made.
22
3- Provide Advice and Insights that Focus More on predictive
Certainly, such situations are not uncommon, and can occur in one form or
another, in any organization. But what if you could predict the occurrence of
such ‘bogus’ transactions and take action before they even occur? Wells Fargo
23
3- Provide Advice and Insights that Focus More on predictive
The results found that almost all internal audit functions represented in the
survey (94 percent) provide a combination of assurance and advisory
services. Key business areas where advisory services are being performed
include risk management, corporate governance, ethics, and performance
management.
24
3- Provide Advice and Insights that Focus More on predictive
25
4- Expand and Sharpen Internal Audit’s Skills
Implementation Guide :
IG 2030 – Resource Management : The CAE must ensure that internal audit
resources are appropriate, sufficient, and effectively deployed to achieve the
approved plan.
IG 1200 – Proficiency and Due Professional Care : Engagements must be
performed with proficiency and due professional care.
IG 1210 – Proficiency : The IA activity collectively must possess or obtain the
knowledge, skills, and other competencies needed to perform its
responsibilities.
26
4- Expand and Sharpen Internal Audit’s Skills
27
4- Expand and Sharpen Internal Audit’s Skills
Developing Talent
The CAE should align internal audit’s talent development approach with the
organization’s professional development practices.
28
4- Expand and Sharpen Internal Audit’s Skills
Steps to Consider :
Evaluate the existing skills of the internal audit team, identify gaps, and
conduct periodic training.
Align training and development programs with emerging risk, regulatory
and business objectives.
Consider communication skills as audit qualifications when recruit new
resources.
• Explore alternative staffing models such as rotation & guest auditor.
Build relationships with external service providers.
29
4- Expand and Sharpen Internal Audit’s Skills
PwC’s 2016 State of the Internal Audit Profession Study found that strategic
and creative talent management is one of the most-significant drivers of the
value an internal audit function can provide. The study also showed a close
correlation between very effective internal audit leadership and talent
management.
30
4- Expand and Sharpen Internal Audit’s Skills
In fact, 83% of very effective internal audit leaders perform well at talent
management compared with just 47% of effective leaders and 24% of less-
effective leaders. However, chief audit executives (CAEs) also indicated that
acquiring and managing talent are their most-significant challenges.
31
4- Expand and Sharpen Internal Audit’s Skills
As per IIA study in 2015 The top five areas where respondents are
experiencing difficulty hiring candidates are:
1. IT-general
4. Industry-specific knowledge
5. Analytical/critical thinking
32
5- Automate Wherever Possible with Technology
Guides:
Attribute Standard
33
5- Automate Wherever Possible with Technology
Steps to Consider :
34
5- Automate Wherever Possible with Technology
35
5- Automate Wherever Possible with Technology
36
Current Internal Audit Analytics Capabilities
7% Advanced
Standard methods and training, using advanced tools and analysis techniques
24% Intermediate
Some standardization of methods, some repeatable analytics
55% Basic
Ad-hoc analytics with limited repeatable solutions, basic tools (e.g.
spreadsheet, etc.)
11% None
No analytics capabilities
3% Not sure
Source: Deloitte’s Global Chief Audit Executive Survey 2016-2017
37
How Many Audits Use Analytics?
Audits Using Analytics
18% 75% to 100%
14% 51% to 75% “What percentage of total audits utilize
some form of data analytics?”
26% 26% to 50%
42% 1% to 25%
38
5- Automate Wherever Possible with Technology
Data visualization
Impact Area
39
5- Automate Wherever Possible with Technology
40
5- Automate Wherever Possible with Technology
What is Continuous Auditing ?
“Is a method used to perform control and risk assessments automatically on a more
frequent basis”. IIA
Internal Audit Business Leads
IA Data Analytics Continuous Continuous Enterprise Governance
Auditing Monitoring Risk Risk & Compliance
Management
41
Dashboards Examples – GL Dashboard
79
Dashboards Examples – Accounts Payables
81
Dashboards Examples – General Ledger
82
Dashboards Examples – Fixed Assets
83
Dashboards Examples – Procure to Pay
84
Dashboards Examples – PO without PR
85
5- Automate Wherever Possible with Technology
48
Internal Audit In Practice
A report is only valuable when management and the board use it and see that it
helps them.
If they briefly look at it and then put it aside, then it is basically useless.
On the other hand, if they look at the report and say 'yes, this is something I
think will help me manage my business' or if they discuss the contents of the
report with other parts of the business, then it is a good sign.
49
Internal Audit In Practice
50
Internal Audit In Practice
51
Internal Audit In Practice
52
Internal Audit In Practice
53
Internal Audit In Practice
54
Internal Audit In Practice
Audit working in a joined up way with other functions, including the external
auditor, to manage the burden of assurance activities across the
organization;
Audit delivering the audit plan to (or under) budget;
Audit identifying inefficiencies or cost savings.
55
Internal Audit In Practice
56
Internal Audit In Practice
57
Cases in Corporate
Governance 2
58
What causes the companies to conduct a criminal
behavior?
A. I,III
B. I,II,III
C. I,II,III and IV
D. III,IV
59
Cases in Corporate Governance
Volkswagen Scandal
Rolls-Royce Scandal
Mobily Scandal
60
Cases in Corporate Governance – [Wells Fargo]
61
Cases in Corporate Governance – [Wells Fargo]
Wells Fargo employees created millions of fake bank accounts for customers
to hit sales targets and receive bonuses.
Source: Forbes
62
Cases in Corporate Governance – [Wells Fargo]
63
Cases in Corporate Governance – [Wells Fargo]
“Eight is Great”
Meaning get eight wells Fargo products into the hands of each customers.
Opened deposit accounts and credit cards for well customers without their
knowledge or permission.
Source: Forbes
64
Cases in Corporate Governance – [Wells Fargo]
From 2009 to mid 2016 created more than 1.5 Million unauthorized deposit
accounts.
Source: Forbes
65
Cases in Corporate Governance – [Wells Fargo]
66
Cases in Corporate Governance – [Wells Fargo]
“The Results”
Source: Forbes
67
Cases in Corporate Governance – [Volkswagen]
68
Cases in Corporate Governance – [Volkswagen]
69
Cases in Corporate Governance – [Volkswagen]
70
Cases in Corporate Governance – [Volkswagen]
“The Results”
11 Million cars around the world have emission program problem.
Withdrawal 9 Million cars from Euro market.
Withdrawal 500K cars from US market.
Lost the confidence of its customers and the confidence of the public.
Volkswagen has announced that it will give up 30,000 jobs in an effort to
save about $ 4 billion a year, starting in 2020 after carbon emissions
scandal.
A $ 15 billion settlement with US consumers and regulators and gave
diesel owners the choice between repurchase, refunds or free repair.
71
Cases in Corporate Governance – [Volkswagen]
This coming statistics show Volkswagen's operating profit from the fiscal year
of 2006 to the fiscal year of 2017. In light of the diesel scandal, Volkswagen
produced an operating profit of around 13.8 billion euros in 2017.
72
Cases in Corporate Governance – [Volkswagen]
73
Cases in Corporate Governance – [Analytica]
74
Cases in Corporate Governance – [Analytica]
They use this application to study the psychology of users, after answering
specific questions or through what they share on Facebook pages and what
they like. (It means data usage to understand the user's psychology across the
amount of data).
It turned out that Facebook was aware of this collection process since 2015,
and only took limited steps to retrieve and protect the data of these users,
these data according to the report of the Observer is still available "raw" on the
Internet and can be found.
80
Cases in Corporate Governance – [Analytica]
Shares fell 6.8 percent at the close of Monday's trading and 7 percent on
Tuesday,
A new laws could by applied that could hurt the company's business
model.
Asian markets also suffered losses, with Sony shares in Tokyo, Samsung
in Seoul and Chinese equities in Hong Kong
Source: Monte Carlo International
82
Cases in Corporate Governance – [Rolls-Royce]
Source: BBC
83
Cases in Corporate Governance – [Rolls-Royce]
Source: BBC
84
Cases in Corporate Governance – [Rolls-Royce]
In Thailand, the firm paid more than $36m between 1991 and 2005
Source: BBC
85
Cases in Corporate Governance – [Rolls-Royce]
Source: BBC
86
Cases in Corporate Governance – [Mobily]
87
Cases in Corporate Governance – [Mobily]
The share price of Mobily dropping from 92 riyals to less than 60 riyals in
just three days?
Starting from the loyalty program, this program aims to guarantee the
customer loyalty to the company by giving him points whenever he uses
the services of the company.
Source : Al Arabiya
88
Cases in Corporate Governance – [Mobily]
The customers can replace these points with rewards from Mobily or
agreed companies.[ Company Services or other goods and products]
In this case, the sellers (agreed companies) of the goods registers the
points and considers Mobily debit on the amount of goods which are
replaced with customers until it pays them.
Source : Al Arabiya
89
Cases in Corporate Governance – [Mobily]
Source : Al Arabiya
90
Cases in Corporate Governance – [Mobily]
The agreement provided that the companies would pay Mobily only the used
points.
But Mobily recorded the "full" points allocated to them as revenue while the
actual revenue was only a fraction of it, which was actually replaced by
customers only, and it seems to have been very little, and this is a huge
revenue figure on the contrary
Source : Al Arabiya
91
Cases in Corporate Governance – [Mobily]
The Results
Mobily amended net profit in 2013 from 6.6 Billion riyals to 5.9 Billion riyals
Mobily loss more than 10 Billion riyals from its market value within a week.
Mobily Share loss all earnings and profits for the last two years.
Source : Al Arabiya
92
Thank You