IA Middle East

JUNE 2017 WWW.INTERNALAUDITOR.
ME
Identifying serial offenders us-

ing forensics analyzing digital
evidence
IA is the Second Line of

Defense in unstable
business environment
Self-service analytics benefits

for internal Audit
The Journey to
Excellence in
Internal Audit
INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

From The President
Dear Readers,
On behalf of the Board of Governors and Executive Committee, our Key Partners and
staff of the UAE Internal Auditors Association; let me wish you all Eid Mubarak.
We had a very eventful month of May – the International Audit Awareness Month. The
UAE IAA conducted several sessions advocating the internal audit profession. The UAE
Internal Auditors Association and the Institute of Chartered Accounts of India held the
3rd joint event in Abu Dhabi titled “Partners in Progress” which was attended by 400+
delegates. Awareness sessions were also conducted in several universities to initiate the
students towards the profession of internal audit.
The mega event in this month was the 3rd Internal Audit Government Forum which was
held under the Patronage of HH Sheikh Ahmed president of the Dubai Civil Aviation
Authority, CEO and chairman of the Emirates Group and chairman of Dubai World in
collaboration with the Dubai Aviation City Corporation (GIARA).
The International Conference 2018 is to be held in Dubai and all efforts are being made
to ensure that we break all yesteryear records. The UAE IAA invited the members of the
IIA Global to visit Dubai for discussions. The fruitful discussions ensured that we are
on the right track for a successful conference. All the major items were ticked with roles
and responsibilities defined. The end of discussions left both, the UAE IAA and The IIA
Global, well-satisfied and confident.
The 4th batch of HASAAD was conducted recently in Abu Dhabi. What was so unique
about this batch was the fact that it was the first batch of HASAAD conducted in Arabic.
This is an extremely significant achievement for us as it gives us the confidence to tap the
government sectors. The HASAAD program is an extremely important program for us as
it enables young aspiring UAE Nationals to come into the main stream of internal audit
profession. I congratulate the graduating students of the 4th HASAAD batch.
Summer holidays are round the corner and you all must have made your holiday plans. I
wish you a very joyous holiday and look forward to engaging with you on return.
Regards,
Abdulqader Obaid Ali

President
JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 01

TeamMate ®
Ecosystem for Assurance
Audit
Controls
Analytics
To achieve new heights, finding the right balance of audit tools is essential. Only
TeamMate offers an integrated set of solutions that include the industry’s leading
audit management system, an innovative controls management system and
powerful data analytics.
TeamMate AM TeamMate CM TeamMate Analytics
Learn more at: TeamMateSolutions.com
Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946
INTERNAL AUDITOR
MIDDLE EAST JUNE 2017 WWW.INTERNALAUDITOR.ME
F E ATU RES
16 COVER STORY: The Journey to Excellence in Internal Audit
What is The Roadmap to Initiating a Quality Assessment? by Ninad Pradhan
20 Profiling Cyber- 22 Adding Value in a 24 Self Service Audit

Criminals : The four-step Challenging Economic Analytics – transform
process, from the perspective of Environment your approach
deductive profiling methods, with what are the responsibilities for How you can transform the way
which the cyber-criminal profile internal auditors in the current your organization work with
should be developed “ by Fadi volatile and unstable economic data? By Induman Das
Abu Zuhri conditions? by Ehab Saif
DE PARTMENTS
4 Reader Feedback 8 UAE-IAA Events 10 IT Audit
What are the common mistakes
6 Knowledge Update 27 Fraud Risk IT auditors make while audit-
What a Fraud Response Plan ing the Logical access area BY
Internal Audit’s Critical Role in
should contain Melhem Khoury
Cyber-security, Global Technology
BY David Clements
Audit Guide (GTAG): Understand-
ing and Auditing Big Data, Protiviti 31 Frosting Fundamen- 12 Risk management
Are Emerging Risks really differ-
Survey on Sarbanes-Oxley Compli- tals ent from Conventional Risks ?
ance 2017, Mining business in- What are the steps that are cov-
BY Porus Pavri
sights from the audit - Audit Value ered as part of the annual internal
Survey by Deloitte, 2017 State of audit planning process?
the Internal Audit Profession: Study BY Arif Zaman
by PWC
BY VISHAL THAKKAR

Reader Feedback We want your views on the articles and the magazine! Share your
thoughts and feedback with us via email at [email protected]
Comment on an article entitled 2017

WWW.I
NTERNA
LAUDIT
OR.ME
Comment on the article written by Mr. Adil
Buhariwalla, entitled: “Innovate or Deteriorate”
MARCH
“Does the internal audit

g the
gnizin
in Reco
Helping
Steps
Value
Added ards for
the
Stand of Internal
profession suit me?”

ern ational cti ce
At the beginning, I would like to thank my colleague Adel

Int l Pra
siona updates
Profes new kle
Auditing s to tac
po nsivitie d risks.
res s an
Buhariwala for his wonderful article which gives recent

al Audit s issue
Intern nt busines
importa
All thanks and appreciation goes out to

R
ITO
AUD
examples of what happened to international companies that

AL T
ERN LE EAS
INT
OR
D
MID
the colleague and author of the article for

VATE did not keep abreast with the developments and changes
putting forward such an important topic. I INNORIORATE that have taken place in its industry as well as valuable
would like to refer to three of the traits and DETE information on the definition and quality of innovation,
skills stated in the International Professional and on innovation governance and the role of auditors in
Practices Framework (IPPF) issued by reviewing innovation governance.
The Institute of Internal Auditors, which I
consider some of the most important traits and In my opinion, internal auditors can play a big role in
skills that distinguish internal auditors. auditing innovation processes and providing reasonable
t of fo
cusing
assurance of their effectiveness to the Board of Directors
Effective Communication Skill: Through this on the
portan
The im organizatio
ion Gove
n’s
rnance
”. and other stakeholders because innovation is an
skill, the internal auditor ensures gaining the essential element in improving the performance of
at
“Innov
L
TRO
D CON
the establishment and ensuring its sustainability.

T AN
trust of the client in addition to enhancing

MEN
AN AGE
S K M
, RI
NA NCE
It is known that sustainability is one of the core

VER
communication and adding a positive impact,

N GO
TS O
IGH
INS
ensuring the addition of real value through audit responsibilities and priorities of corporate governance.
assignments. Innovation creates new opportunities for the establishment and
Critical Thinking: That is achieved by applying professional doubt, increases its competitiveness, and these opportunities must be managed
applying different tools and techniques to extract data and adopting in the same way of risks are managed to which the establishment is/
problem-solving techniques that help the internal auditor solve complex may be exposed to. Opportunities that cannot be well managed will
situations and propose solutions that ensure developing the functions turn into risks that might have been avoided, noting that “Collapse”
being audited. exists at the top of these risks as reported in the article. In my opinion,
if any competitive advantage is not accompanied by development and
Improvement and Innovation skills: When the internal auditor has such innovation, it will not remain an advantage on which the establishment
skills, this ensures his work as a key player of change and continuous can rely for maintaining its sustainability.
improvement which supports the establishment in achieving its
Innovation, renovation and creativity must be a top management
objectives by rendering them as part of the change management process priority, and since traditional and old methods are no longer useful,
within the establishment and adopting change by explaining benefits there must be innovative alternatives to develop, maintain and keep
and encouraging coworkers on the same. sustainability of the establishment to be an effective competitor in its
sector.
Mahmoud El Bagoury Alaa Abunbaba CPA, CIA, CRMA, CICP, MACC
Chief Internal Auditor for a group of commercial companies Head of Audit and Institutional Excellence
operating in the Middle East
IFA GROUP - The International Financial Advisors Company (IFA)
GRCA, CPIA, CICA, CERTIA, QIA - Kuwait
UAE Internal Audiors Association
ARABIC RE VIE W TE AM C O N TAC T IN FO RMATIO N
Qais Hamdan, CISA, CISM, PMP (Lead MARK ETIN G & SO C IAL MED IA
Member) Alaa Abu Nabaa, MACC, CIA, CRMA,
CPA, CICP
Khalid M. Alodhaibi, SOCPA
[email protected]
INTERNAL AUDITOR
Waleed Sweimeh, CIA
MIDDLE EAST
ADVERTIS IN G &
JUNE 2017 Noora Ayoob AD MIN IS TRATIO N
VOLUME 2017: 2 Saif Kaddourah, MBA Yasmine Abd El Aziz
E D IT OR-I N-CHI EF [email protected]

UAE INTE RNAL AUDITORS
Abdulqader Obaid Ali, CFE, CRMA, QIAL Tel: +971 55 351 2335 Internal Auditor - Middle East is published quarterly by the UAE
AS SOCIATION
E D IT OR Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor,
PRESIDENT ED ITO RIAL API Trio Tower, Dubai, United Arab Emirates
Ghada Abd Elbaky
E D IT ORI A L A DVISORY Abdulqader Obaid Ali, CFE, CRMA, QIAL Ghada Abd Elbaky
C OMM IT T EE GENERAL MANAGER [email protected]
Ayman Abd El Rahim MQM, CIA, CCSA, Samia Al Yousuf Tel: +971 55 728 5147
CFE (Lead member) D ISC L AIMERS
Asem Al Naser, CPA, CIA, QIAL D ESIG N & PRIN TIN G Internal Auditor - Middle East is intended only for members of the
Farah Araj, CPA, CIA, CFE, QIAL RE GIS TRATION Gulf International Advertising Institute of Internal Auditors in the Middle East and as such it is
& Publishing L.L.C. not intended to be sold or re-sold by any party.
Andrew Cox, MBA, MEC, PFIIA, CIA, Internal Auditor - Middle East magazine
CISA, CFE, CGAP, MRMIA is licensed by the National Media Council [email protected] The views expressed in Internal Auditor - Middle East are solely
Raymond Helayel, CPA, CIA of the United Arab Emirates (License those of the authors, and do not necessarily represent the views
Tel: + 971 2 441 2299 of the UAE-IAA or the authors’ respective employers.
Meenakshi Razdan, CA, CPA CIA, CFE Number 244).
Hossam Samy, CRMA, CFE, CPA, CGA Internal Auditor - Middle East is a peer-reviewed magazine and
Nagesh Suryanarayana, MBA, CIA,CCSA G U ID EL IN ES FO R AU TH O RS does not verify the originality of the content submitted by the
James Tebbs, CA www.internalauditor.me authors.
Vishal Thakkar, ACA, CIA
Gautam Gandhi, ACA, CIA, CISA, CFE
04 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

Knowledge Update
BY V IS H A L TH A KKAR
Internal
Audit’s
Critical
Role in
Cyber-se-
curity
Organizations monitor cyber-security

practices, policies and plans on an ongoing
basis. Internal audit plays can play a crucial
Global Technology Audit Guide
role here. When cyber-security plans are
created, organizations should solicit internal
(GTAG): Understanding and
audit to do what is best suited for them
i.e. test for effectiveness and efficiency of
Auditing Big Data
controls and protocols. Based on the testing
results, provide the board and management
Big data is both i.e. a growing risk and a growing resource for internal auditors. This
with assurance about these protective
prompted the IIA to offer a guidance to help auditors to address it and leverage it.
mechanisms. Internal audit should focus
on following four areas related to cyber- The IIA’s guide provides an overview of big data to help internal auditors who may
security: be responsible for both i.e. using it and assessing risks associated with it. This guide
1. Provide assurance over readiness covers the following: value of big data, the components, strategies, implementation
and response considerations, data governance, consumption and reporting as well as the associated
risks. The guide also explains what the IIA regards as internal auditors’ roles and
2. Communicate about the level
responsibilities when they need to perform big data related advisory or assurance
of risk to the organization and
efforts to address such risks to the procedures. As per the guide, this begins with considering the role of big data in the
board and executive management organization as part of the risk assessment and audit planning processes. Auditors
generally plan to address big data risk in multiple audits where it arises instead of a
3. Work in coordination with IT single audit looking at all big data risks. Auditors should plan to look at controls such
and other related parties to build
as process and technology to focus on how the data is consumed and acted upon in the
effective defenses and responses
organization.
4. Ensure communication and
coordination The risks associated with big data that justify internal audit’s attention are numerous
and complex such a poor data quality, inadequate technology, insufficient security and
Inspite of complexity and alarming immature data governance practices within the organization. The auditor should reach
challenge, cyber-security that can
out to company’s Chief Information Officer for understanding the risks associated
be effective can be achieved by most
with collecting, storing, analyzing and securing big data. The guide also gives internal
organizations. By using the “Four Rs”
– resist, react, recover, and re-evaluate – auditors some advice on using the data as an audit tool, beyond auditing the data or
organizations can build cyber-resilience the big data effort itself. The company may have already acquired, consolidated and
plans that are effective. integrated the data, enabling internal audit to realize efficiencies.
http://www.accountingweb.com/aa/auditing/ https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/
internal-audits-critical-role-in-cybersecurity Pages/GTAG-Understanding-and-Auditing-Big-Data.aspx

Knowledge Update
Protiviti Survey on Sarbanes-Oxley

Compliance 2017
Sarbanes-Oxley Act (SOX) became law almost 15 years back, and as many
organizations have advanced into complying with its requirements, the compliance
process is not only dynamic, but also a matter of continuous interest. CAEs, CFOs
and other finance and internal audit professionals keenly look for benchmarking data
on costs, hours, control counts etc, as they determine how and where to rationalize
compliance activities while addressing frequent regulatory and market changes.
Key findings of the survey are as follows: 2017 State of the
Compliance costs appear to be trending down, but not for all: SOX compliance costs Internal Audit Profession:
show some decrease compared to last year’s survey results for some companies. This Study by PWC
could be due to these organizations completing their work to implement the updated
COSO Internal Control — Integrated Framework. However, costs are still on the rise
for many companies as the percentage of those annually spending $2 million or more
increased compared to last year.
Hours continue to go up: Time spent on SOX compliance has increased for most of
44%
Stakeholders reported that Internal Audit
organizations as compare to the last year adds significant value dropped from 54%
Increased use of outside resources: Considerably more organizations are relying on in 2016 to only 44% in 2017, reaching its
outside providers for SOX compliance activities, either on an outsourced and co- lowest level in the five years
sourced basis
Control counts have gone up: compared to prior year results, there is an increase in
percentage of entity-level controls classified as key controls 48%
Revenue recognition, cyber security and the PCAOB are influencing forces: SOX of stakeholders (nearly half) want Internal
compliance efforts continue to be formed by new and emerging influences, from Audit to be trusted advisors to the business
the new revenue recognition standard and cyber security concerns to the PCAOB’s
inspection reports on external auditors and the resulting effects on audits of internal Top five disruptions: responses by CAE’s
control over financial reporting and their stakeholders
58%
SOX work continues to be viewed as having a positive effect: Overall, three out of four
organizations reported that their internal control over financial reporting structure has
improved as soon as they started complying with SOX.
https://www.protiviti.com/US-en/insights/sox-compliance-survey
New regulations
Mining business insights from the 44%

audit - Audit Value Survey by Deloitte Changes in business model or strategy
Notwithstanding to the fact that valuable perspective a financial statement audit
provides, one out of three companies fails to fully use the information. The survey
results reveal that the audit has the influence to provide insights, identify inefficiencies
or risks and help inform best practices to the companies. Still, auditors and their clients
37%
Cyber-security and privacy threats
are missing out on what financial statement audits can accomplish in more depth. 45
36%
percent of C-suite executives and 48 percent of audit committee members don’t have
processes in place to make better use of audit findings. According to 79 percent of
C-suite executives and 94 percent of audit committee members, increased transparency
of financial statement audits would improve performance of the company. About the
same percentage stated that financial statement audits reveal what their companies Financial challenges
34%
could do different or better.
Executives participated in the survey stated that they want information processing
of audits even further. They want audits to provide a wider range of strategic and
Technological challenges
operational insights that go beyond financial reporting. At the forefront: information
about spending patterns, assessment of how effective the company’s business processes
https://www.pwc.com/us/en/risk-
are and recommendations for improving operations.
assurance/sotp/2017-state-of-the-internal-
https://www2.deloitte.com/us/en/pages/audit/articles/audit-value-survey.html audit-profession-report.pdf

UAE-IAA Events
By S a m i a A l Yo u s uf
The eighteenth Annual Regional

Conference- Abu Dhabi
UAE IAA held its 18th Annual regional conference at Jumeirah who stated that UAE Internal Auditors Association is playing
Etihad Towers, Abu Dhabi from April 18 - 20, 2017 .The 2-days a key role in facilitating education of internal auditors in our
conference is the largest “Smart” meeting and a premier Internal country by offering an invaluable training and education to its
Audit event in the MENA region and was attended by over 700
almost 2,000 members and working effectively to increasing the
participants consisting of heads of organizations, experts and
number of Emirati auditors. Sheikh Nahyan had honored the key
professionals from internal auditing and various other industries
from the GCC countries and beyond. The conference was under note speaker Mr. Mohamed Jameel Al Ramahi, CEO Masdar and
the patronage of His Excellency Sheikh Nahayan Mabarak Al Mr. Hassan Al Mulla, President of IIA Qatar with the Lifetime
Nahayan, UAE Minister of Culture and Knowledge Development, Achievement Awards, at the conference.

UAE-IAA Events
UAE IAA and Dubai Aviation

City Corporation (GIARA)
held the 3rd Internal Audit
Government Forum 2017
UAE IAA held the 3rd Internal Audit Government forum in
collaboration with Dubai Aviation City Corporation on 17th May
2017 at Palazzo Versace Hotel with the theme of: “Be a Leader in
your Profession” .
The forum was under the patronage of His Highness Sheikh Ahmed
Bin Saeed Al Maktoum the Chairman Of Dubai Aviation City
Corporation
UAE IAA celebrating the International Internal Audit

Awareness Month May 2017
UAE IAA is advocating the internal audit profession through several sessions
during May which is considered the internal audit awareness month:
• The 3rd Joint Professional Development Seminar in collaboration with ICAI –
Abu Dhabi Chapter - was held in Abu Dhabi on 3rd May,
• 1st Joint sub-groups event between Construction, Media and Hospitality Sub-
groups was held in Dubai on May 8th.
• n 15th May an internal audit awareness Session at Khalifa University, in
O
collaboration with the Petroleum Institute was held in Abu Dhabi,
• n awareness session at New York Institute of Technology was held in Abu
A
Dhabi on May 22nd.
• UAE IAA held the second joint sub-groups event between IT, Fraud and Governance Sub-groups in Dubai on May 24th
UAE IAA hosted COSO new certificate training for the

first time in the region
UAE IAA had a very successful
session on COSO internal control new
certificate training. The new certificate
that is issued by AICPA and supported
by IIA grabbed the attention of many
internal auditors in the region and Mr.
Mike Fussily, the course trainer, added
a lot of value to the course with his
experience.
Second round of the course will be
running in October 2017.

IT Risk
By Me l h i m K h o u ry Nicolas
IT Risk Assessment
The devil lies in the details, IT risk evolved to provide support for building technology dependent environment. This
assessment and IT risk management, IT audit project plan. Further, financial entails identifying a risk such as denial
what detail differentiate them? With the auditors became more dependent on the of service attack and quantifying the
growth in the need of Information security outcome of the risk-based IT audits to probability of the risk happening.
substantiate their audit scope.
and risk management, the terms IT risk The best method to arrive to an
assessment and IT risk management could IT risk assessment is a component of acceptable risk value is to apply the
be confusing to most of executives dealing the IT audit process. Regardless of the
following equation:
with risk-based audits and compliance of framework and methodology used, it
focuses on identifying technical risks in a Risk = Asset x Vulnerability x Threat
the organization.
The Committee of Sponsoring Measure Factor Risk Asset Vulnerability Threat

Organizations’ (COSO) has provided an Scale (Quantitative) 1 to 5 10 to 100 1 to 10 10 to 50
Enterprise Risk Management Framework
Description a. High a. Critical a. Disastrous a. Severe
in 2004. This was an influential move (Qualitative) b. Me- b. Significant b. Passive b. El-
towards focusing efforts on internal dium c. Insignifi- c. Trivial evated
controls and prioritization of review tasks c. Low cant c. Negli-
when auditing internal controls. Based on gible
the COSO framework, IT risk assessment Table 1: Sample Scales

TO COMMENT on the article,
EMAIL the author at [email protected] IT Risk
Assets are given a coefficient values based IT risk assessment benefits auditors and IT Risk assessment is the result of [IT
on a certain range. Any quantitative range reviewers in many ways essential to the risk management] less [IT risk treatment
used can be qualitatively mapped to the understanding of the IT environment.
options].
ranges of the other factors. The objective
Industry model is beneficial in providing
is to arrive to a risk rate mapped to a It is used to prioritize the review areas of
aid to contemplating the risks associated
tolerance scale, usually: High, Medium the IT environment. Below is an example
with a specific setup in a specific industry.
and Low. Although the usual practice
This is done using methods such as of how review can be executed based on
is to use same scale, the following table
brainstorming, which is a very effective IT risk assessment output. For a complete
illustrates an example of the different
technique following Osborn’s method.
options that can be used as different review, auditors have to examine the
In another sense, IT risks are not fixed
scales: details of the process in a substantial
in a stateless condition waiting to be
IT risk assessment is part of IT risk identified. IT risks are variable in nature manner. For a selected targeted review,
management, which entails treatment and comprise of vulnerabilities and auditors have to examine a targeted sample
plan. In IT risk assessment, the treatment associated threats. Identifying risks is a (60% or 70 %) of the details of the process.
options are unnecessary. The High, direct exercise when auditors consider the
For a random selection review, auditors
Medium and Low values are used as above equation.
have to examine a random sample of (30%
input for other tools, mainly IT audit The values of identified risks are called
to 40%) of the details of the process.
plan. IT auditors benefit from the IT risk
assessment in many ways that involve
understanding of the IT set up, an
overview of the structure of the IT, and IT Operations - High Risk Email and Storage - Connectivity, remote acces,
a snapshot of the risk areas of the IT. For (complete review) Medium Risk (selected and internet - Low Risk
targeted review) (random selection review)
these reasons, IT risk assessment should
January February March
be a prelude to audits and other review
Table 1: Sample Quarterly IT Audit Plan
initiatives of the IT environments.
inherent risk scores and they represent Finally, the IT audit plan needs to align
IT risk assessment methodology change the risks as naturally provided through to the overall internal audit plan. In
for different environments and different the initial risks identification process.
principle IT audit is part of the internal
industries, but the core objective is to Inherent risks have associated controls
audit operations. The IT audit output feeds
identify areas, with certain risk values, that are applied in a reactive manner to
the underlying asset. An example can be, to internal audit plan and provides input
where an intensive review should be
conducted. For a bank, for example, major password protection to a server, a locker to the internal audit planning process,
risks lie in operations and for a retail in to a network switch, or a review of a in which internal audit head plan for the
certain log. Subsequently, controls can be
POS. In that view, industry should also IT audits. Whether audits are performed
categorized as detective or preventive. As
be a factor in building the risk universe based on risk assessment or not, IT risk
much as preventive controls are preferable,
(the set of applicable risks), which help in assessment remains a necessity to pave the
they are expensive to implement. When
building an overall business operational
going through another round of risk way for IT auditors to perform their jobs.
understanding, when planning for risk
assessment exercise and considering In environment where risk assessment
based IT audits. existing control measures, we produce a
is conducted for all operations, IT risk
Most conspicuously, IT risk assessment is list of residual risks. Essentially, residual
assessment will align with the overall risk
a prerequisite to IT audit, mainly to reduce risks are the main factors in building a
the audit efforts where risk is low and to risk treatment plan or, in our initiative, assessment plan to create visibility to the
substantiate audit procedures where risk is in understanding the IT environment, in business operational and IT risks.
high. While it is unnecessary to implement provisioning for IT audits, and in planning
By Melhim Khoury Nicolas, Technology
a treatment options for the identified risks, review initiatives.
Consultant, MBA

Risk Management
By Porus Pavri
Are You Managing Your

Emerging Risks?
The world is becoming an increasingly Chernobyl (1986), Toyota (2010), Nokia the absence of a reliable and effective (i)
riskier place for organizations of all types (2013), GM (2014), Yahoo (2016) ? Framework and (ii) System for managing
and sizes – whether in the private or public Emerging Risks.
sectors. Environments, 100-year old busi- Was there something common that was
missing in all these systems, which lead
ness models, social and political dynamics
to the infamous catastrophies ?
A Definition of Emerging
are being disrupted everywhere. A quick
look at some of the more recent corporate Risk :
disasters bears testimony to this. Yes, you guessed it right! They were NOT
managing the warning signs, the dan- Emerging Risk can be defined as a
And then, what about the Titanic (1912), ger signals on their horizons, owing to newly developing or changing risk, that
Catastrophe (& Estimated Cost) Why ? Because they did not foresee / understand / com-
municate…
2008 Global Financial Crisis (trillions of dollars) ...the gigantic risks inherent in the complex financial products that
were created, rated and regulated by the global financial institu-
tions, ratings agencies and regulators!
2010 Deepwater Horizon blow-out ($60bn) …the risks lurking under a culture of complacency and informa-
tion withholding, within a hugely complex operation!
2011 Fukushima nuclear reactor meltdown ($188bn) …the possibility of a tsunami in its disaster preparedness sce-
narios – because the last tsunami occurred over a 1000 years ago!
2012 Kodak bankruptcy …the fatal risks to their business model emerging slowly but
surely from the digital camera revolution!
2015 Volkswagen Emissions scandal ($40bn) …the risks brewing internally from a closed, dictatorial culture,
and a top-down “win-at-any-cost” mindset driven by the Chair-
man of the Board!

Risk Management
is extremely difficult to quantify, but 3: Changing social, economic or political strong mindset at all levels of the entity
nevertheless could have a major impact dynamics to deal with emerging risks and oppor-
on the achievement of your organization’s tunities by:
4: Untested technological advances
objectives.
5: Inadequate multi-directional communi- (a) establishing explicit incentives that
Are Emerging Risks really different from cation encourage horizon scanning
Conventional Risks ? If so, in what way?
6: Perverse incentives (b) removing any perverse incentives
All risks by definition arise from uncer- that discourage horizon scanning
tainty. When a Risk Manager creates a Risk I would strongly recommend all risk and
Profile, a conventional risk has several internal audit professionals reading this (c) encouraging the bottom-up flow of
dimensions of uncertainty, such as (1) article to visit www.irgc.org to gain a better contrarian views that challenge the
likelihood (2) frequency (3) timing (4) im- understanding of the above, and more, status quo, the reporting of unusual
pact, (5) velocity as in the speed at which factors. events, the avoidance of “group think”
the risk could manifest itself, (6) vulner-
ability/readiness as in how prepared your Governance Framework 3. The “Training” layer requires the Board
organization is to respond to the risk, and
Having gained a high level understanding and senior management to establish
(7) duration of impact.
of the definition of Emerging Risk and the training programs that teach staff and
Now, an Emerging Risk has the exact same Contributing Circumstances, let us now executives at all levels on how to:
dimensions of uncertainty, BUT you could turn our attention to what constitutes the
( a) undertake horizon scanning
say that the degree of uncertainty is multi- Governance Framework for managing your
plied by a factor of say 10 or even 100 – this Emerging Risks. ( b) communicate clearly about poten-
is the basic difference in a nutshell ! tial emerging risks
The Governance Framework comprises 3
Some implications of this are: layers: ( c) work in teams to improve under-
standing of, and response to, emerging
i) a risk which is emerging today, may 1. Strategy & Roles
risks
become a conventional risk after a
2. Culture
period of time, as we get more and
more knowledge about its risk profile 3. Training
The 5-step Emerging Risk
through research, analysis, etc…., and Identification & Manage-
as the uncertainty around the above 7 1. The “Strategy & Roles” layer requires ment System
dimensions diminishes. the Board and senior management to:
And finally, let us introduce the iterative
ii) w
hat might be a current risk for Organ- (a) f ormulate and embed the Emerging system that functions within the Govern-
ization A, may still be an emerging risk Risk strategy into the overall organi- ance Framework, and which will help you
for Organization B. zational strategy identify and manage your Emerging Risks
and Opportunities
(b) c larify the roles and responsibilities
Contributing Circum- of the various actors in the manage- STEP 1 – Early Warnings:
stances ment of Emerging Risks – the Board, • DETECT signals on the horizon and
Senior Management, Risk Managers, EXPLORE possible future situations that
What are the broad categories of cir- Line Managers, Internal and External may represent an Emerging Risk in the
cumstances which give rise to Emerging Auditors, and Regulatory Authori- short & medium term
Risks ? ties. But, the most important role in • CREATE A RISK PROFILE of these
the Governance Framework is that signals and situations
Once you understand these ‘contribut-
of the Emerging Risk Coordinator, • FILTER & PRIORITIZE the list of Early
ing circumstances’, you will look for these
who acts like the glue that binds the Warnings to carry forward into Step 2
circumstances on your entity’s horizon,
various interested parties together. • Regularly update the above filtered list
helping you identify your emerging risks
His overarching aim is to ensure that
better ! STEP 2 - Scenarios
emerging risks and opportunities are
handled effectively and efficiently • DEVELOP comprehensive set of scenar-
Here’s a short list to set you thinking:
to help the organization achieve its ios for each Early Warning coming from
1: Complex systems objectives. Step 1, including those Scenarios relating
to “low-probability-catastrophic impact”
2: Closely interconnected system compo- 2. The “Culture” layer requires the Board events (“Black-Swan” events)
nents and senior management to establish a • Regularly update the above scenarios

EMAIL the author at [email protected] Risk Management
Note: Scenarios under Emerging Risks vs Conventional Risks In Conventional Risk • IDENTIFY Windows of Opportunity
Management, only those Scenarios which are considered probable today, and have a during which the risk management
probability attached to them, preferably based on past experience, are used in the Risk option can be applied, Failure Thresh-
Analysis. We do not consider events that might occur based on possible, though not
olds after which it will be impossible to
probable, scenarios ! For instance, risk analysis of non-nuclear infrastructure does not
normally consider the probability of a plane crashing into the infrastructure. effectively manage the emerging risk, and
Acceptability Thresholds below which
On the other hand, Scenario building for Emerging Risks Management considers all
it will not be necessary to manage the
risk events that might happen in future AND all possible combinations of risk events,
EVEN IF no reliable probability estimates are available. emerging risk
Let’s say, in a piping system in a factory, 50% of the pipes are more than 10 STEP 4 – Implementation
years old, and the rest are between 0-10 years old. Up until now, no problems • Establish internal and external commu-
have been detected in the new pipes.
nication channels
However, after reading an article in the IIA UAE magazine about Emerging • Allocate resources
Risks, the Risk Manager and the Factory Manager in consultation with the • Clearly define roles, responsibilities and
Maintenance Manager and the ERC, find that, in the summer months, owing
to excessive heat in the rear of the factory, all pipes experience a certain degree incentives
of expansion. If the temperature climbs even 1º beyond NNº, the stress in the • Ensure adequate authority in line with
piping system could cause multiple domino-style ruptures throughout the responsibility for implementation
piping system in the factory, with consequent chemical spillage, a major explo-
sion if the inflammable storage tanks in the factory compound were caught in STEP 5 – Monitoring
the midst of the spill, severe damage to the office building in the adjacent plot,
along with loss of life and property. This risk has never materialized in the • Monitor how emerging risks and oppor-
past, and there is no available probability distribution for this risk event.
tunities are unfolding
The Risk Manager and the Factory Manager however realize how negligent
they have been till now, by not considering such scenarios in their earlier risk • Review relevance and performance of
assessments, and have vowed to carry on the good work in all their risk assess- decisions made and options chosen
ments from now on.
• Update the risk management options
STEP 3 – Decisions the entity’s objectives, if left unmanaged
• Involve external experts to assess how the
• DECIDE which Scenarios to follow • IDENTIFY & EVALUATE possible risk
through for managing the related Emerg- management options [Refer Note below] process is doing
ing Risk – based on which scenarios have for each Scenario relating to a given
the highest impact on the achievement of emerging risk Conclusion
Globally, stakeholders are pressurizing
Note: Risk Management Options boards and managements to enhance
their organisations’ ability to look into
1. A
ct on the Contributing Circumstances, try to influence them in order to mitigate
the future, to pick up signs of trouble and
the emerging risk
address them BEFORE they manifest
2. Avoid the emerging risk totally themselves in the form of events. If you, as
3. R
educe (i) your organisation’s exposure to the emerging risk, by reducing the a Risk or Audit professional do not want a
exposed assets, businesses or processes, or (ii) your organisation’s vulnerability by “Titanic” moment on your CV, I strongly
developing resilience. Resilience is defined as the ability to withstand shocks and recommend you stir your organization out
return to normal operations in reasonable time.
of its slumber, and kick-start the establish-
4. R
aise your organisation’s risk tolerance limits in line with its higher risk appetite, by ment of a framework and a system for
setting aside more funds to cover potential losses, or by transferring part of the risk
managing your Emerging Risks !
to a third party.
5. Choose to do nothing PORUS PAVRI, CRMA, CIA, CA is the

Founder & CEO of Logoss Management Con-
sultants International in Dubai.

AD

Quality Assurance
BY: N IN A D P R A D HAN
The Journey to Excellence in

Internal Audit
There are organizations and then there •U

se of Computer Assisted Auditing Standards 1300 – Quality Assurance and
are “world-class” organizations. Similarly, Techniques Improvement Program (QIAP).
there are Internal Audit (IA) departments •E
mployee motivation and retention And it is not the difficulty which is the
and then there are “world-class” IA bottle-neck. In many cases, it is typically
departments. And it is not necessary that •C
lear understanding of organization
the lack of understanding of Standards
world-class organizations will have all their risks
1300 and its expected benefits and value
departments in that category. Surely, the These are taken from none other than addition to the IA department and the
chances are significantly high. There are the International Professional Practices organization. This article will aim to
several parameters which can be judged Framework (IPPF) – The Standards. demystify this myth.
to ascertain if the IA activity falls in that
Whilst the implementation of the Quality is word which is perhaps
category. Few that come to the immediate Standards is not mandatory, they are difficult a to define as it may take
attention are: considered sacrosanct. And compliance different connotations under different
• Empowerment to the IPPF is the ultimate goal of almost circumstances. In the words of Aristotle
every IA department. There are several “Quality is not an act, it is a habit”. Whilst
• Independence IA departments who demonstrate management guru Peter Drucker says
compliance to many ‘individual’ parts “Quality is what the customer gets and
• Objectivity
of the Standards, but fail to demonstrate is willing to pay for”. In the context of
• Pro-activeness complete compliance when it comes to internal audit, it can be defined as “the

Quality Assurance
responsibility on the shoulders of the Chief The QAs can be called for by either the • Determination that the internal audit
Audit Executive (CAE) to fulfil the needs Chairperson of the AC or the CAE. activity adds value and improves the
and expectations of the stakeholders; whilst There are no statistics, but, experience organization’s operations
complying to their own professional ethics has shown that when the AC calls for the
It provides the IA departments to delve
through conformance to the Standards.” QAs, there is usually some lack of trust or
into the minds of their stakeholders
deliverables between them and the CAE
Compliance and conformance alone and gauge their level of trust in the IA
with such assessments ending up on the
fail to leverage the power of a Quality department and its functioning. The
“not favorable” side of the assessment
Assessment. independent nature of the external assessor
scale as against when the CAE calls for
also provides for an opportunity to ask
Quality Assurance and Improvement the assessment. CAE’s may well wish to
certain questions which can be used for
Program (QAIP) consider this point and “stick their neck
out” and call for QAs on their department further probing to provide further value
The QAIP has 2 elements which need to added service. The CAE gets a holistic
– of course with adequate preparation
be collectively addressed to conform to picture of what is happening around him/
and planning as the outcome of the
Standards 1300. her without ruffling too many feathers.
assessments requires to be communicated
1. Internal Assessment; and to the Board/AC. The QA assessors take care of those
uncomfortable questions.
2. External Assessment A quality assessment, or QA, evaluates
the compliance with the Standards, the Think for a minute how many times the
Many IA departments demonstrate phone rings for a CAE or an email with
definition of internal auditing, the Code
the adherence to the IA plan and
of Ethics, the internal audit & audit a request – sometimes an urgent one –
department budget as their KPIs.
committee charters, the organization’s requesting for help in either a certain
However, internal assessments
governance, risk and control assessment review or in some investigation. The
also require to perform on-going
and the use of successful practices. number of consulting activities can be
assessments which can include
work-paper review, staff performance So who audits the auditors? When an an indicator of how much value-added
evaluation, auditee satisfaction surveys, IA department undergoes a QA, it can resource the IA department is considered
monitoring of KPIs, Actual v-s Budget, proudly say that they too have been by the organization’s management. With
etc. IA departments also require to assessed. The rating mechanism of a the level of such engagements rising the
perform periodic self-assessments. QA can be either “General Conforms”, perceived value that the IA department
(Note: this is not an exhaustive list). “Partially Conforms” or “Does Not is adding is definitely proportionate. As
Conform”.
External assessments must be they say – a voice but no vote at on the
conducted once every 5 years by a management table.
qualified and independent assessor
QA scope
from outside the organization and
reported to the Audit Committee Typically, a QA scope covers Benefits of a QA
(AC). And this is one point many IA
•C
onformance with the Standards CBOK surveys have revealed that the top
department overlook, especially those
who are large conglomerates. Whilst & the Code of Ethics & the IA’s 5 reasons for investing in a QAIP are
there are no defined qualifications charter, plan, policies, procedures
1. Identifying areas for improvement
which an assessor should have, and applicable laws & regulatory
they should largely demonstrate requirements 2. Full conformance to the Standards
competency in two areas: The
• Th
e expectations of the IA as 3. B
ring systematic, disciplined
understanding of the IPPF and the
expressed by the board, executive approach
external assessment process.
management and operational 4. I ncrease credibility within the
The Roadmap to Initiating a Quality management organization
Assessment
• Th
e integration of the IA into the 5. A
nticipate, meet and/or exceed
The UAE Internal Auditors Association
governance process, including the stakeholder’s expectations
(UAE IAA), ensures that its assessors
relationships between and among the
have undergone the QA course offered Further, the survey concludes that,
by the IIA and have a certain minimum key groups involved in the process
when compared to other internal audit
experience without which they are not •T
ools and techniques departments, those that conform to the
considered for the engagements. The
•M
ix of knowledge, experience and quality standards:
UAE IAA adopts the IIA’s proven and
documented methodology – The Quality disciplines within the staff, including • Were more likely to have complete
Assessment Manual. the focus on process improvement and unrestricted access to

EMAIL the author at [email protected] Quality Assurance
information as appropriate for the conducted independently. The Chief who understands the QA process. And
performance of audit activities Audit Executive (CAE) is able to lay attending a training session for a QA
emphasis on the expectations spelt course will prove beneficial.
• Made more use of technology in
out.
internal audit processes The QA cannot be done in isolation
6. The CAE can use this opportunity from the audit committee and hence it is
• Used a wider variety of resources to
to lay emphasis and focus on the imperative to appraise them of the exercise
develop audit plans
IPPF and raise the awareness of The and the credentials of the team engaged
• Were more likely to have Standard amongst the management.
to conduct the same. Having the audit
documented procedures in an
7. Overall, the reputation of committee on board is vital.
internal audit manual
organization is enhanced. This, due
Historical data is proof that when a QA
• Received more hours of training and to the fact that nothing and no one
were more likely to have formalised in that organization is immune and is called by the CAE, the chances of a
training programmes is subjected to audit. It is a sign of a successful QA are significantly higher than
mature organization which is willing when called for by an audit committee. So,
• Served organisations with more prepare well, and go for it. Do not wait for
to learn and improve.
highly developed risk management
your audit committee to instruct you on
processes
this one.
• Were more likely to report that
Quote 1
funding for the internal audit
function was “completely sufficient”. “Thanks to the IAA UAE Team for the
Conducting a Quality Assessment great efforts exerted during the quality
exercise offers the internal audit activity assurance review done for our department.
several benefits. The Audit team was very professional,
systematic and helped us towards further
1. It offers an opportunity to
improving our quality performance,
benchmarked against other IA
professionalism and use of best practices.
departments. The Global Audit
Itwas a great experience indeed!!”
Information Network (GAIN) is also
a good tool to use. Tamer Said Ali, Deputy Chief Internal
2. The conducting of the QA is in itself Auditor, Obeikan Investment Group
adherence to full conformance to Quote 2
The Standards. This permits the IA
activity (if the assessment results How to be Successful in a QA? “Let me express my appreciation to
permits so) to insert the statement excellent work done during the quality
QAs require tremendous commitment
“This audit is conducted in assessment review you’ve recently
from each and every staff of the IA
conformance with ………..” within completed for our internal audit
department. It calls for commitment
its audit report and can also state department. It was a fruitful exercise
to quality (Mission/Vision/Values/
that the department itself conforms and we welcome the improvement
Goals/Objectives/KPIs), drafting of
with the requirements of the IPPF. opportunities highlighted to enhance
policies and procedures, demonstrating
3. This lends credibility to the IA continual improvement, monitoring the quality and performance of the
activity and increases the perceived and reviewing mechanisms and their department.I assure you that your value-
value of the activity within the subsequent reporting to the Board/AC – as added recommendations will be acted
organization. a minimum. Conducting periodic internal upon fully and promptly. May I also take
assessment, plugging the identified gaps, this opportunity to thank you and your
4. The typical question of “Who audits
and a formal documentation of the QAIP team for the professional approach and
the auditors?” also gets answered.
is a large step forward. courtesy displayed by the team”
The IA activity being subjected to
the assessment which is conducted ConclusionThe Next Steps? Beelall Ramdianee, Vice President –
by independent assessors lends Internal Audit, Dubai International
It is quite certain that the benefits from
credibility to its activities.
a Quality Assessment far outweigh Financial Centre
5. QAs also give an opportunity than not going for it. But this also calls
to meet or exceed stakeholder for good preparation at all levels with NINAD PRADHAN, CRMA, MBA, PGDC-
expectations as a result of the the department hierarchy. To begin, SM, BSc Senior Consultant & Trainer at UAE
interviews and surveys which are it is important to have a project leader IAA

Ad

Cybercrimianl
B Y: FA D I A B U ZUHRI EDI T ED BY: AND R EW C OX
Profiling cyber-
criminals
Since the middle ages era, the definition of crime has been
limited to types of crimes committed in the physical world. In
the same way, theories aimed at explaining crime including
the Conflict Theory, the Theory of Social Control, and others,
have defined crime within the confines of the physical world.
Strategies aimed at dealing with criminal activities have been
limited in their scope when defining crime within the context of
the physical world. However, the growth of information systems,
ICT, mass media, and increased interconnectivity, facilitated
by the internet, has revealed a new and unique form of crime: characteristics and behavioral patterns shared by criminals.
the digital world crime. These types of crimes present several Inductive profiling is also theory-driven and based on the available
challenges including legal, geographic, and web barriers, as well cases of crime. Inductive profiling relies on information collected
as the anonymity of the internet. The environment in which these through interviews with offenders, and this forms the foundation
crimes occur also pose a challenge to crime specialists. These for investigators’ profiles. Again, the inductive profile technique
challenges have created the need to identify and modify techniques involves hypothesis (formalized operational definitions) for
used to combat crime committed in the physical world, such testing, and coding of data to allow for statistical analysis.
as criminal profiling with a view to making them applicable to
e-crimes. This paper discusses the possibility of penetrating these Applicability of these techniques has been possible in crimes
barriers by applying the modified version of criminal profiling committed in the physical world. However, applicability of these
techniques to e-crimes. techniques to deal with crimes committed in the digital world
is still debatable. It has been argued that criminal profiling is an
The concept of crime has expanded beyond the immature, but promising, science. Perhaps this may explain that
physical world to the global digital world. little attention has been given to such technique by both academics
and practitioners. In the digital world, forensic psychologists
have knowledge about the law, criminology and psychology. This
Profiling Cyber Criminals in the physical world can be used to better understand technological aspects relating
to crime, in order to develop cyber-criminal profiles. As such,
Since the 1970s, experts within the Behavioral Science Unit they are required to take an interdisciplinary approach when
(BSU) of the FBI have been helping federal, state and local law
dealing with cyber crimes. Unfortunately, highlighted issues of
enforcement agencies investigate violent crimes. This practice was
tractability, geography, law and anonymity makes it difficult for
initiated through offender profiling, with a view to understanding
forensic psychologists to collect information about criminals and
personality and behavioral traits of perpetrators. It started as
cyber-crimes (Tompsett, Marshall, and Semmens, 2005). Again,
an analytical technique for identifying the characteristics of
most cyber-crimes go either unnoticed or unreported, and hence
the offender, based on examination of crime scenes and crime
go unpunished. Importantly, it is possible to draw some parallels
dynamics, and continued developing over the years as a tool to
help investigators narrow a suspect pool (Alison et al, 2010). between non-cyber-crimes and cyber crimes. It is also possible to
Offender profiling was offered within the BSU as an analytical tool develop a profile from the existing techniques that can be used for
and a product of training programs. law enforcement.
Forensic psychologists often employ deductive or inductive

Most cyber-crimes go either unnoticed or unre-
profiling in dealing with crimes committed in the physical world, ported, and hence go unpunished.
applying these techniques to ascertain characteristics of criminals.
Deductive profiling techniques involve the use of data, including
crime scene evidence, forensic evidence, offender characteristics Profiling Techniques
and victimology. In deductive profiling, the available information From the perspective of deductive profiling methods, cyber-
is processed by applying personal experiences, with the profiler criminal profile should be developed in a four-step process.
assuming one or more facts of a case as self-evident about an The first step is victimology. Today, criminals victimize both
offender or crime. Then, by following hunches and experience, organizations and individuals. This step involves understanding
arrive at conclusions. The ‘truth’ of facts or conclusions arrived at the aspects of organizations and individuals that attract cyber-
using deductive profiling depends upon the truth (ie, contingent criminals. Victimology helps security specialists understand an
truth). Also, in the deductive profiling method, the conclusions offender’s motive behind the crime. Victimology includes the
are true if the hypothesis and the premises are true and valid. following:
On the other hand, inductive criminal profiles are created by
studying statistical data, including study of the demographic • Politically motivated crimes (ie, cyber-terrorists).

EMAIL the author at [email protected] Cybercriminal
•C
rimes driven by emotional reasons (ie, cyber-stalking). The four-step approach is:
•C
rimes committed and driven by sexual impulses (ie, • Victimology.
paedophiles). • Motive identification.
•C
rimes known to be less dangerous, such as sharing software • Identifying offender characteristics.
by individuals, or sharing copyrighted movies (Shinder, • Forensically analyzing digital evidence.
2010).
The second step is motive identification – what is the reason for Conclusion
the crime?
The techniques and tools discussed in this paper are worth testing
Victimology and motive leads to the third step – identifying in practical scenarios. It is believed that if cyber-criminal profiling
offender characteristics. Several topologies and ways to classify is used effectively, the issue of cyber-crime may be reduced as more
cyber-criminals based on offender motives have been introduced offenders could be brought to justice. Considering the current
(Rogers, 2006). However, changes in criminal behavior with the trend of increasing rates of cyber-crimes, it would be important
evolving technological environment necessitate modification of
for academics and practitioners to collaborate. These practices may
existing schemes. Other studies have suggested that crime can
be addictive, and in the cyber world, criminals become addicted be useful for law enforcement officers, as it may help them gather
to the internet and computers (Nykodym et al, 2008). It is also legally valid and binding evidence in order to take appropriate
argued this addiction, aided by various opportunities including the actions against these cyber-criminals.
access and availability of the internet and computers, and fueled by Cyber-criminal profiling is a tool which could bring
criminal motives, could facilitate the making of a cyber-criminal.
This understanding may be used in analyzing the modus operandi more offenders to justice.
of cyber-criminal.
Modus operandi reflects criminal character (Lickiewicz, 2011). References
For instance, a cyber-criminal may destroy information by using
a virus that is attached to an e-mail, while another may hack Alison, L., Goodwill, A., Almond, Louise, Heuvel, C. and Winter,
into a computer system by attacking the server with a view to J. (2010) Pragmatic solutions to offender profiling and behavior
stealing information. This suggests that one’s technical expertise investigative advice. Legal and criminological psychology, 15, 115-
helps him or her to understand the behavior of a cyber-criminal. 132.
A cyber-criminal may be required to have a level of technical
efficacy successfully penetrate a sophisticated and secure network Kirwan, G., and Power, A. (2013). Cybercrime: Psychology of
(Kirwan and Power, 2013). On the other hand, ‘script kiddie’ may cybercrime. Dublin: Dun Laoghaire Institute of Art, Design and
use an already developed program to attack a computer system. It Technology.
is worth noting that human elements, such as social engineering
skills, possessed by some professional cyber-criminals should Kwan, L., Ray, P. and Stephens, G. (2008). Towards a Methodology
not be disregarded. This is because cyber-criminals with average for Profiling Cyber Criminals. IEEE Computer Society.
technical skills can participate in a crime by employing simple Proceedings of the 41st Hawaii International Conference on
techniques of subtle psychological manipulations and friendly System Sciences.
persuasion. Kirwan and Power (2013) affirm that technical skills
and other skills, including social skills and motives, determine the Lickiewicz, J. (2011). Cyber Crime psychology-proposal of an
modus operandi of a cyber-offender. offender psychological profile. Problems of forensic sciences, 2(3):
Step four of the deductive cyber-profiling technique involves 239-252.
forensically analyzing digital evidence. Digital forensics are Nykodym, N., Ariss, S. and Kurtz, K. (2008) ‘Computer addiction
important, because it is the means through which a cyber- and cyber crime’. Journal of Leadership, Accountability and Ethics,
criminal profiler can trace the offender in the event there is no
35: 55-59.
physical evidence (Kwan, Ray and Stephens, 2008). In the view of
Lickiewicz (2011), not all criminals are traceable, as one of three Rogers, M. K. (2006) ‘A two-dimensional circumplex approach to
cyber-criminals manages to remove or modify the audit trail by the development of a hacker taxonomy’. Digital Investigation, 3 (2):
wiping their traceable digital footprints. The four-step approach 97-102.
suggested is an iterative process. New information regarding the
offender, motive, victim and forensic evidence could be revealed Shinder, D. (2010) Profiling and categorizing cybercriminals.
while in an investigation proceeds. Retrieved on 6th July 2016 from http://www.techrepublic.com/
As for inductive profiling methods, they can be applied alongside blog/security/profiling-and-categorizing-cybercriminals/4069.
the deductive techniques described above, to help deal with cyber- Tompsett, E.C., Marshall, A.M., and Semmens, C.N. (2005).
crimes. For example, statistical analysis data studying demographic
Cyberprofiling: Offender Profiling and Geographic Profiling of
characteristics and behavioral patterns shared by criminals, and
breaches in cyber-security, could be employed to identify criminal Crime on the Internet. Computer Network Forensics Research
attack trends such as motive for attack, type of victims who are Workshop.
likely to be targeted, and most common modes of attack used by
cyber-criminals. This may help to identify serial offenders, and Fadi Abu Zuhri, (MSc, ITSM, CGEIT, CISM, CFE, CISA, CISSP,
other cases with similar modus operandi. PMP)

Added Value
B Y: E h a b S a i f
Adding Value in a Challenging

Economic Environment
“In the current volatile
and unstable economic
conditions, internal
audit functions are
required, like never
before, to assume different
responsibilities and
wear multiple hats to
achieve the goals of the
reorganization programs”.
The current business environment is very

volatile and unstable worldwide and this
is especially clear in Middle East. The
characteristic of this stage are mainly
uncertainty and lack of clear strategic Assuming compliance and risk Objectivity which is clearly reflected in
direction. management responsibilities is one Standard 1100 of the IIA standards which
of the common scenarios for internal states that the internal audit activity must
Working in such business environment
audit resources in such circumstances. be independent, and internal auditors must
adds a lot of responsibilities and pressure be objective in performing their work.
For example, internal auditors might
on the available resources. This is of However, participation in restructuring
be required to review some business
course applicable to the internal audit efforts requires high level of flexibility
transactions to ensure its compliance
resources which are required to participate to convince restructuring committees
with internal policies and alignment with
in different organizational efforts aiming that internal auditors are well rounded
reorganization objectives.
to reduce costs, increase efficiency and resources who can employ their knowledge
ensure proper restructuring of key business Having in depth knowledge of the internal in internal controls and utilize their
activities. controls gives internal audit resources internal business relationships to add value
the ability to perform compliance to the organization.
In such circumstances, internal audit
related activities including financial and
functions are required, like never before, to Unfortunately, in most of the cases internal
operational compliance in a very efficient
assume different responsibilities and wear auditors will not have a say in whether
and effective manner. they are involved in such reorganization
multiple hats to achieve the goals of the
reorganization programs. Internal audit departments can also programs. BoD/business owners will
review, identify gaps and recommend usually ask internal auditors to be involved
Acting as the Second Line of Defense: in the reorganization efforts due to
improvements related to the reorganization
Most reorganization programs will plans as they have best understanding the lack of trusted and knowledgeable
result in hard decisions related to job of overall organizational operations, resources. This might be more applicable
cuts at different organizational levels. departments and intradepartmental in family businesses where internal audit
is considered a trusted agent to accelerate
The reduction in head count might workflows.
changes and ensure that the BoD/owners’
be permanent or temporary which
Risks to Independence and Objectivity decisions are implemented.
in both cases means weaker internal
controls, at least, during the period of the One of the major internal auditors’ The independence issues normally
restructuring. concerns is always Independence and appear when the Chief Audit Executive

EMAIL the author at [email protected] Added Value
(CAE) or the internal audit resources are Audit and the Second Line of Defense” provide assurance services where they had
required to report on specific assignments which addresses the specific cases where previously performed consulting services,
to the reorganization committee which BoD/business owners ask CAEs to assume provided the nature of the consulting did
might consists of current or future responsibilities for risk management, not impair objectivity. This means that
management employees. The impairment compliance, and other governance internal audit functions will need robust
of independence might also result from functions. processes to assess requests for consulting
performing some compliance and risk engagements to help prevent independence
As per the practice guide, the CAE should issues in future audit plans.
management activities which are subject to
ensure the following before and during
internal audit reviews in the future.
assuming such responsibilities: Conclusion
Considering the factors mentioned above,
•D
iscussion of risks with management Organizational changes might not always
there are clearly some risks associated be in the favor of the employees and
with assuming second line of defense and the BoD/business owners.
this usually creates more pressure and
responsibilities temporarily. The CAE is •A
cceptance and ownership of risks by discomfort for the available resources.
required to report such risks to the audit management. Internal auditors are usually one of the
committee/BoD before acceptance of most impacted resources as they are
assigned responsibilities •C
lear definition and assignment of
required to assume more responsibilities.
roles for each activity where second
Adding Value in Difficult Times line of defense activities overlap with In addition to the reorganization programs,
third line of defense activities. internal auditors might be asked to assume
The internal audit resources should
plan their work in a smart and effective second line of defense responsibilities due
•P
eriodic independent assessment of to many reasons including, but not be
manner to add the maximum value to the
internal audit’s second line of defense limited to, the following:
reorganization efforts while maintaining
the highest possible level of independence roles and responsibilities.
• BoD/business owners do not
and objectivity. Such activities might The practice guide has also specified some understand or appropriately value the
include, but not be limited to, the of the activities that the internal audit importance of an independent and
following: objective third line of defense.
should avoid in such cases which include:
•E
fficiency reviews that focus on
• S etting the risk appetite, owning or • Internal audit has the necessary skill
cost optimization in which internal
managing risks. set or relevant expertise for specific
auditors review previous practices
risk management and/or compliance
in various business departments
•A
ssuming responsibilities for activities.
and recommend improvements that
will decrease costs or/and increase accounting, business development,
• The organization is small and
efficiencies. and any other first line of defense
cannot support distinct control and
functions.
•L
iquidity assessment reviews that assurance functions.
highlight potential gaps in cash flow •A
ssuming accountability for Internal auditors might have two options
for management action given that risk management or governance when it comes to assuming second line
most reorganization efforts involve processes. of defense activities which are either
major debt restructuring and cash
•P
roviding assurance on second line to quite the job in order to protect
flow difficulties which require close
of defense activities performed by their independence or to accept such
attention by the reorganization
responsibilities with a strategy of how to
committee. internal audit.
achieve the required objectives with a clear
•P
rocess gap analysis reviews that The practice guide above was subsequently transition plan to relieve internal audit
help reorganization committee to followed with a new IIA Standard which from such responsibilities in the future.
conduct proper process reengineering is Standard 1112 “Chief Audit Executive
exercises. There is a good saying to remember in
Roles Beyond Internal Auditing”. The new this regard. It says “I can’t change the
•L
imited ad-hoc assignments IIA Standard specified certain safeguards direction of the wind, but I can adjust
or investigations that assist to address the impairments resulted from my sails to always reach my destination”.
reorganization committee to reach assuming responsibilities that fall outside It is extremely important for internal
certain conclusions on various the internal auditing which include auditors to be mentally prepared for such
organizational matters. circumstances, especially in the current
periodic evaluation of reporting lines and
IIA Response developing alternative processes to obtain economic conditions, which will help them
assurance related to the areas of additional perform and excel without unnecessary
As a response to the increasing pressure hard feelings.
responsibility.
on the internal audit resources to perform
second line of defense activities, the Another sensible change in IIA standards Ehab R. Saif, CMA, CIA, CFE a Head of
Institute of Internal Auditors (IIA) has was introduced in Standard 1130.A3 Internal Audit at a private holding company in
issued a practice guide called “Internal which allowed internal audit resources to Abu Dhabi.

Audit Analytics
B y : In d u m o n D a s Edit ed by G aut am G an d h i
Self Service Audit Analytics –

transform your approach
Despite the fact that data analytics and Businesses need broad-spectrum audit internal audit and enhance its value. The
Computer Assisted Audit Techniques processes that extend beyond reviewing the survey also cited the increasing relevance
(CAAT) have been a part of auditing for obvious. Auditors should adopt forward- of cutting-edge technologies such as
nearly thirty years, many organizations are looking IA approaches, and should be able artificial intelligence, cognitive computing,
still struggling with the implementation of to provide deeper and valuable insights on and visual analytics.
effective data analytics to enhance internal strategy, execution, emerging risks, and
Is skill-gap a concern?
audit quality and effectiveness. hidden opportunities.
More than half of CAEs (57%) who
Increasing complexities of risks and The 2016 Deloitte Global Chief Audit
participated in the survey expressed their
incessant emergence of disruptive Executive Survey that polled more than
intense dissatisfaction about inadequate
technologies are demanding substantial 1200 CAEs from 29 countries and a diverse
skills and insufficient expertise of audit
change in internal audit processes. range of industries, reaffirms the growing
teams.
need to conduct analytics-based auditing.
In today’s world of constant disruption, More than a three quarter of the CAEs When left unaddressed, these skill gaps will
internal audit should evolve into a (79%) recommend the need for digital weaken auditors’ capabilities to deliver on
dynamic and future-oriented function. disruption and innovation to transform changing stakeholder expectations.

EMAIL the author at [email protected] Analytics
Stakeholders expect more forward- to work seamlessly with large data sets • Process more information than
looking analysis to uncover risks and of any size or type, and discover savvy reading numbers
hidden opportunities.Gone are the days insights without having to write codes or
• Discover insights using spatial
of static audit reports and analysis of learn programming languages.
relationships, colors, and textures
sample data.
Key advantages of using self-service • Make data accessible to a broader
The Deloitte survey also cites risk analytics tools: Explore your data and audience and provide users with a
anticipation (39%) and data analytics (34%) create ad-hoc reports without IT skills rich and engaging experience
as the two groundbreaking innovations
that are most likely to impact internal •E
asy access to any source data There are many reasons why auditing
audit within the next five years. Changing •G
uided analysis - Faster answers to is ripe for self-service analytics and
business landscapes, technological complex questions visualization driven transformation. There
advancements, and proliferation of data is more data to examine within limited
have brought forth the imminent need to • I ntuitive drag-and-drop interface to time availability. Most financial and
leverage analytics and data visualization create and share interactive reports. operational transactions are moving online,
to increase the impact, influence, and •N
atural language processing to and the number of variables, outliers,
effectiveness of internal audit. respond to complex queries trends, and patterns to identify and analyze
continue to increase each day.
Analytics Adoption Challenges • I nteractive visualizations and
Visual analytics is the fastest way to analyze
Even after 30 years of inception of data personalized dashboards to identify
and understand structured or unstructured
analytics, many auditors continue to adopt patterns and trends
data of any size, without IT assistance.
conventional internal audit methods and •F
ast to deploy and easy to manage Visual technologies help speed up and
lag in technology adoption. Wondering improve decision making with heat maps,
why? Here are some of the reasons: •A
ll-encompassing data analysis
bubble charts, and interactive dashboards
anywhere and available anytime that are easy for C-suite executive, non-
1. Skills gap
technical business users, and stakeholders
2. Insufficient IT support to understand.
2. Mobile Analytics – Audit insights on
3. Difficulty to manage and manipulate Everything gets better when you can
the go
data do it yourself, right? Self-service audit
Regardless of the size of an organization analytics and visualization too are not
4. Increasing requests for ad-hoc
analysis and one-off reports or availability of data, it takes weeks to different.
prepare and present comprehensive audit
5. Difficulty in dealing with the basic Benefits of self-service analytics in
reports. The numbers are usually saved Internal Audit
aspects of data management and
offline as large files or copied to multiple
governance • Analytics for everyone: Everyone in
slides for boardroom meetings.
Can technology disruption be a savior? an IA Team can perform analytics
Mobile data analytics enables a concise and build audit dashboards – It’s a
Advancements in technology are and easily accessible digital avatar of audit cultural shift
fundamentally changing the nature of the
reports and dynamic dashboards that can • Greater insights – Transform audit,
audit and improving its effectiveness and
be accessed on mobile devices to interact increase audit quality, and create
relevance. Here are a few game-changing
technology solutions that auditors can and proactively monitor the business more impact
harness effectively to enhance the way they information on the go.
• Increased coverage – Identify more
work with data: risks and opportunities
3.Data Visualization • Generate and deliver more forward-

1.Self-service analytics - Smart analytics looking recommendations quickly –
When it comes to presenting audit data, From auditors to business advisors
for all reports and findings, one gets a single
Self-service analytics is no more a view of the entire raw data, all at once. • Minimal Investment, Tangible and
buzzword. It’s the new norm. Self-service This makes it difficult to decipher what Quicker ROI
analytics empowers auditors to access data, is important and what isn’t, the reason • Work smarter and reduce costs by
perform queries, and create interactive why the point of sharing information gets building and deploying Continuous
reports that add richness and granularity to defeated. Data visualization helps get a Audit and Monitoring mechanisms.
the insights derived. Anyone and everyone, flexible and reliable way to identify and
with or without technical expertise, can share pertinent information in a manner Indumon Das, Founder, Principal Consultant
harness the power of self-service analytics that everyone can easily understand. in Consulting firm UAE

AD

Fraud Risk
BY: D a v i d C l e m e nt s EDI T ED BY : Me e n a ksh i R a zd a n
You think you have discovered a

fraud. What do you do?
Despite recent surveys pointing to fraud impact the course and/or outcome of a expected occurrence and banks employ
being on the increase in instances of full investigation and may even make it or sophisticated processes and technology
fraud, the discovery of a suspected fraud break it. to prevent and detect such occurrences.
within any organisation is not an everyday Most organisations have controls in The bigger problem occurs when fraud
occurrence for most people and initial place to prevent and detect fraud being has been committed from within. Apart
reactions may include shock and surprise. committed against them from outside from the cost involved, there is always
However, action taken in the first few hours the organisation. In the banking industry some collateral damage caused including
and days after discovery will significantly in particular, external fraud is an loss of reputation, brand damage and

Fraud Risk
reduced employee morale. Seniority of the the matter which became public knowledge This is particularly important in
suspect is also a factor, the more senior the was only a small part of a much larger organisations or business units with a close
employee, the more serious the damage. conspiracy between a number of employees working environment, where there may be
History shows that , in the absence of any and suppliers. By failing to keep the matter a strong temptation to simply question an
structured response plan, the amount of confidential, the company management employee as soon as suspicion is raised.
time and effort it takes for management to enabled the conspirators to destroy
It is also important to be aware that larger
respond, particularly in the initial weeks, is incriminating records, electronic data scale frauds are often international in
excessive and severely impacts the normal and to dispose of stolen property which nature. Therefore, any fraud contingency
business activity of the organisation. When rendered any future investigation a limited planning must include measures for
a potential fraud is first discovered, the exercise. The identities of the suspects investigation and taking legal and
following few hours or days can be very were not confirmed, which means that the investigative action across jurisdictions.
confusing and stressful if the organisation
company may still employ people who are In addition, most frauds involve the
is unprepared.
actively seeking ways to defraud it. use of a computer at some stage in the
planning or execution of the fraud.
This is particularly evident in today’s
In the absence of a Fraud The purpose of a Fraud environment, when the majority of white
Response Plan, experience Response Plan is to ensure collar employees are allocated a computer
has shown that managers that incidents are handled
by their employer. Business is conducted
by computer and correspondence
handle the same problem in a systematic and normally involves acomputer through the
in different ways efficient manner, not only widespread use of corporate email. The
pervasive involvement of the computer
to conclude a successful into most facets of corporate life means
Sometimes this can have with disastrous investigation, but also to that electronic evidence is often vital to
investigating corporate fraud. Obtaining
consequences such as destroying the show that the organisation that electronic piece of evidence is a
evidentiary value of information and acted in a prudent and specialist skill which should be discussed
evidence by inappropriate handling
processes, inadvertently tipping off the
lawful manner. And and with your forensic specialists.
suspect and, enabling them to destroy that it does not tolerate Initial actions are crucial to the eventual
outcome of an investigation and, if a proper
incriminating evidence, failing to keep fraud. strategy is put in place and adhered to, the
the matter confidential and taking extent of fraudulent activity can usually
inappropriate action caused by having be assessed and action taken to resolve the
insufficient information. The Fraud Response Plan should outline
matter successfully. This usually means
how far an individual line manager should obtaining sufficient evidence to dismiss
For example, In a recent fraud incident go in collecting initial information before errant staff and to commence civil and/
that occurred in a UAE organisation, the invoking the Response Plan. The key is to or criminal proceedings against those
suspect was in charge of procurement provide the line manager with an effective concerned involved in the fraud, or claims
for the organisation, but it had been framework to resolve concerns, rather against insurers, if so desired.
discovered and it came to light that he than leave such resolution to individual
also operated a supply and contracting initiative.
company which had been paid in excess Initial responsibility designation
of 3 million dirhams by his employer’s
Fraud investigation is by necessity, a
company, all ordered and authorised by Initial Action
confidential task and is a sensitive matter
the suspect. After discovery, he was made
It is important to remember that when for the vast majority of organisations.
aware of the issue but was allowed to
fraud is first suspected, the matter may It is vital that all allegations of fraud are
remain in his position for another month,
well be more serious than it may initially treated seriously and that responsibility
during which time he destroyed a large
appear. This is because fraudsters rarely for handling fraud incidents is assigned
number of incriminating documents.
restrict their activities to only one modus to a senior, trusted individual or group of
In an incident which occurred in another operandi or method. Therefore, every individuals. In many organisations, this
Middle East country, it became widely effort should be made to obtain as much responsibility is handed to a corporate
known throughout the organisation that a information as possible before anyone is security advisor, internal audit manager
fraud had been uncovered. Unfortunately, questioned, confronted or interviewed. or risk management director. In other

EMAIL the author at [email protected] Fraud Risk
organisations, the responsibility is shared Receipt and initial assessment of 4. Maintain confidentiality (only inform
between members of senior management suspicion, allegation or ‘tip off ’ those people who need to know about
or an audit committee and the the suspected act). Unwarranted
Fraud investigations are often initiated
organisation’s human resources personnel disclosure can seriously damage
after an allegation or a tip-off (often
and corporate lawyers are involved from potential successful investigations. Do
anonymous) is received. This will usually
not confront the suspect.
a very early pointthe. Fraud incident be sourced from inside the organisation,
management responsibility is an important although external tip-offs are not 5. Write out in full the suspected act or
role and those chosen to administer uncommon. Many fraud incidents are wrongdoing including:
the role must the have appropriate legal initially discovered by accident, perhaps
• What is alleged to have occurred
and management level to authority to as a result of an audit, job change or
resignation. Very few frauds are discovered • Who is alleged to have committed
investigate actions toand co-ordinate the
as part of a deliberate attempt to uncover the act
organisation’s overall response to fraud
fraud, as very few organisations implement • Is the activity continuing
incidents. a proactive fraud detection program.
• Where did it occur
As part of their overall fraud control plan, The checklist shown below highlights
organisations should assign responsibility initial actions to be taken taken /(or • What is the value of the loss or
for fraud incident management to an avoided) upon the discovery of fraud or potential loss
appropriate person(s) as a precursor to tip-off. • Who knows of the activity
adopting an incident management plan. At the conclusion of this stage, a decision 6. Identify all documentary and other
Consideration should also be given to must be made as to whether the allegation evidence connected to the activity
the appropriate level of involvement by or suspicion warrants investigation or is • Invoices
corporate lawyers and human resource implausible or vexatious. However, this
personnel at appropriate levels is essential. decision must be made carefully. If an • Contracts
allegation cannot be quickly dismissed as • Purchase orders
false, further action should be taken.
Fraud Response Team • Cheques
Some Fraud Response Plans only deal with • Computers

situations where an employee discovers a A typical Fraud Response Plan contains:
• Credit card statements
fraud and hands it over to an investigation • purpose of the plan,
department to follow up. However, some 7. Obtain evidence and place in a secure
frauds have impacts far beyond the remit of • policy statement, area. (only where it is possible without
the investigation department to deal with alerting any suspects)
• definition of fraud,
(such as when the organisation’s liquidity is 8. Protect evidence from damage or
threatened). The Plan also should cater for • r oles and responsibilities including contamination
such eventualities. fraud response team,
9. List each item individually taking
Most large organisations have formed •o
bjectives including civil and note of acquisition (incl. time, date
crisis management committees to respond and location) and where the item was
criminal response,
to major incidents (such as a fire or securely stored
explosion), so it is not uncommon unusual • r eporting of suspicions and collection
to take have a similar approach in a Fraud and preservation of evidence. 10. Identify all potential witnesses
Response Plan. Typically, this means
11. Unless electronic evidence is in the
forming a Fraud Incident Management
process of being destroyed do not
Team, comprising essential members and
Checklist go into the suspect/target computer
co-opted members.
systems
Initial action checklist upon discovering
In some types of fraud, the victim may only
a potential fraud: 12. If possible, secure and/or remove
have a few hours to take action to freeze
suspect’s access to relevant computers/
funds which have been illicitly transferred. 1. Alert the fraud incident manager that
systems. Do not allow IT department
It is essential that contact numbers for an allegation or suspicion exists
to examine computer
essential service providers are established
2. Document date, time and details of
beforehand, including internal support 13. Consider other potential suspects and
initial report/discovery
departments, such as legal, corporate extent of fraud
security, insurance external lawyers, police 3. Take notes of all observations and
and telecommunications agencies, forensic actions – if something is worth taking a David Clements , Formal Principal Director |
accountants and investigators. mental note, it is worth a written note) Deloitte Forensics

AD

Frosting Fundamentals
BY: A r i f Za m a n
Internal
Audit
Planning
-The Value-
Adding
Phase
One would think that the most important step of the internal audit There is a common belief that the annual audit planning process
process is conducting the audit. Experience and research shows is time-consuming and costly, when in reality all internal auditors
otherwise, since there is a long and rigorous process to arrive at agree that the benefits exceed by far the cost and time spent on it.
the audit execution phase. This takes me to our point of discussion As per a famous saying, “By failing to prepare, you are preparing to
in this article, which is that the most important step in the process fail”. In the following points, I will share with you the details of the
is the planning phase. The whole internal audit process is heavily steps that are covered as part of the annual internal audit planning
reliant on proper planning taking place.
process.
The Chief Audit Executive (CAE) must effectively manage the
internal audit activity to ensure it adds value to the organization1. Step 1. Audit Universe
Value can be added to the organization and its stakeholders Before embarking on the risk assessment, it is important to
when internal audit considers strategies, objectives, and risks to break down the organization into auditable areas. This should
enhance governance, risk management, and control processes and include all the businesses, regions and functions that make up the
objectively provides relevant assurance on how effective they are
organization in a systematic order. And it could be done through
functioning. These aspects normally come up during the annual
planning phase of the internal audit process. any of the following approaches:
Annual planning • Geography: the subsidiaries and sister companies can be

categorized by geographic regions.
The CAE must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the • Industry: if the organization is operating in diverse industries
organization’s goals2. The purpose of annual audit planning is to and sectors, then it can be classified by industry or sector.
ensure that the audit is relevant to the organization’s needs and is
• Function, Process, Service or Product: the organization can be
adding value towards the achievement of the preset objectives. It
classified either by function, process, service or product.
also helps in better utilization of the limited audit resources.
The audit universe is a collaborative effort between the key
business stakeholders and the internal audit function. The Internal
Audit Department (IAD) needs to update the audit universe
for any structural changes that have taken place within the
organization. Upon completion of audit universe, the IAD is ready
to proceed with the annual risk assessment phase, since it has
clarity on which areas or functions it needs to assess for risk and
controls.
Step 2. Risk Assessment
The IAD’s activity plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The

EMAIL the author at [email protected] Frosting Fundamentals
input of senior management and the board • Any other input from the internet e.g. The formalized audit plan would be
must be considered in this process3. knowledge leader, board executive, etc. presented to the Board Audit Committee
for review and recommendations. Input
The risk assessment is the most challenging In carrying out the risk assessment there
stage in the annual planning process. The are certain standard requirements that from senior management and the Board
first element that needs to be assessed the IAD must take into consideration. must be considered in this process8.
by the auditor, is the organization’s risk The risk assessment must be documented, IAD should identify the pervasive audit
maturity. the Internal Auditors must have sufficient needs requested by the Board or senior
knowledge to evaluate risk of fraud4 management and take them into account,
Risk Mature Organization: if the
and key information technology risks5. based on the available resources and the
organization clearly has three lines of
defense for the management of risks, Moreover, the Internal Audit activity must Internal Auditors’ professional judgment.
controls, compliance, fraud, quality, then evaluate the effectiveness and contribute to The Chief Audit Executive must also
input needs to be collected from all these the improvement of the risk management communicate the impact of resource
functions as part of the risk assessment processes6. limitations9 if any.
process.
The annual audit plan could vary as per
In a risk mature organization these Step 3. Alignment of Risks with the
the organization’s needs and requirements.
functions are operating as intended. Strategic Goals and Objectives
Moreover, they have a defined risk appetite The IPPF only specify certain criteria and
(the amount of risk an organization is The IAD must be alert to the significant guidelines for the annual planning process,
willing to accept to achieve its objectives), risks that might affect objectives, which sets the minimum requirement for
risk registers (detailing business risks) and operations, or resources7. the annual audit planning process. Some
a robust ethical framework in place, to organizations add audits based on criteria
Once the IAD has identified business
strengthen the overall control environment. other than risk. Such criteria might include
risks, these should be aligned with the
Risk Immature Organization: if none organization’s strategic goals and objectives areas subject to change, mandatory audits
of the aforementioned lines of defense and must be assessed in terms of their or audits requested by management. The
are specified, then a more detailed risk probability of occurring (likelihood) and steps highlighted above could be used as a
assessment needs to be conducted, since
consequences (impact), to arrive at an guide to facilitate the annual audit planning
the IAD would not have the points of
reference to rely on in the collection of overall rating. There are many ways to rate process.
risk-related information. risks, either qualitatively (High, Medium
The IAD’s credibility and value are
or Low), or through quantitatively, through
In this situation, which is applicable to enhanced when they are proactive and
the assignment of an overall grade to each
many organizations, it is recommended risk (residual risk). their evaluations offer new insights and
that the IAD collect risk input from each consider future impact. The purpose
functional head. There are several tools Step 4. Risks Prioritization of audit planning is to make the IAD
that can be used in this process, such as more effective in contributing to the
surveys/questionnaires, holding meetings/ Based on the rating, most of the high improvement of the organization’s
interviews, reviewing management reports, risks and a few medium risks would be governance, risk management, and control
etc. prioritized. We also include some medium process, through the use of a systematic,
and low risks, since there is a certain level disciplined, and risk based approach10.
The IAD needs to record all the key risks of subjectivity involved in risk assessment,
and map them against each auditable area which is determined by the IAD based on
in the audit universe. professional judgement. 1.International Standards for the Professional Practice
of Internal Auditing – 2000 - Managing the Internal
Despite the risk maturity of the Audit Activity
organization, the IAD is also expected to Step 5. Formalize Internal Audit Plan 2. International Standards for the Professional Practice
review other sources of information, such of Internal Auditing – 2010 – Planning
Once the previous phases are complete, 3.International Standards for the Professional Practice of
as:
then the IAD has a clear idea of the Internal Auditing 2010.A1 – Planning
• Industry/Sector Risks risky areas that are of importance to the 4.2010.A2 – Proficiency
5.1210.A3 – Proficiency
• External Factor (Internal Auditors can organization and its management. Based 6. 2120 – Risk Management
use techniques like PEST, SWOT) on that, the process to formalize the 7. 1220.A3 – Due Professional Care
8. 2010.A1- Planning
Annual Internal Audit Plan would start.
• Compliance/Regulation Risks 9. 2020 - Communication and Approval
It could sometimes cover a span of more 10. 2100 - Nature of Work
• Previous Internal Audit Reports than one year. The plan would specify
• Management reports from 2nd line of which areas will be audited during the year, Arif Zaman is a Group Internal Audit
defense such as risk function, compliance detailing the execution period/s (normally Manager, ACCA, CIA, CPA, CISA, CFE, CCSA,
function, fraud function reports, etc. on a quarterly basis). CRMA, CRBA and CGA.

IA Middle East

Uploaded by

Copyright:

Available Formats

IA Middle East

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IA Middle East

Uploaded by

Copyright:

Available Formats

JUNE 2017 WWW.INTERNALAUDITOR.

Identifying serial offenders us-

IA is the Second Line of

Self-service analytics benefits

INSIGHTS ON GOVERNANCE, RISK MANAGEMENT AND CONTROL

Abdulqader Obaid Ali

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 01

TeamMate AM TeamMate CM TeamMate Analytics

Learn more at: TeamMateSolutions.com

20 Profiling Cyber- 22 Adding Value in a 24 Self Service Audit

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 03

Comment on an article entitled 2017

“Does the internal audit

profession suit me?”

At the beginning, I would like to thank my colleague Adel

Buhariwala for his wonderful article which gives recent

All thanks and appreciation goes out to

examples of what happened to international companies that

the colleague and author of the article for

the establishment and ensuring its sustainability.

trust of the client in addition to enhancing

It is known that sustainability is one of the core

communication and adding a positive impact,

E D IT OR-I N-CHI EF [email protected]

04 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

Organizations monitor cyber-security

06 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

Protiviti Survey on Sarbanes-Oxley

Mining business insights from the 44%

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 07

The eighteenth Annual Regional

08 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

UAE IAA and Dubai Aviation

UAE IAA celebrating the International Internal Audit

UAE IAA hosted COSO new certificate training for the

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 09

The Committee of Sponsoring Measure Factor Risk Asset Vulnerability Threat

10 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 11

Are You Managing Your

12 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 13

5. Choose to do nothing PORUS PAVRI, CRMA, CIA, CA is the

14 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 15

The Journey to Excellence in

There are organizations and then there •U

16 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 17

18 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 19

Forensic psychologists often employ deductive or inductive

20 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 21

Adding Value in a Challenging

The current business environment is very

22 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

JUNE 2017 INTERNAL AUDITOR - MIDDLE EAST 23

Self Service Audit Analytics –

24 INTERNAL AUDITOR - MIDDLE EAST JUNE 2017

5. Choose to do nothing PORUS PAVRI, CRMA, CIA, CA is the

3.Data Visualization • Generate and deliver more forward-

Annual planning • Geography: the subsidiaries and sister companies can be