Internal Audit in The Dynamic World


INTERNAL AUDIT IN THE DYNAMIC WORLD
PRESENTED BY FAZAL HUSSAIN GAFFOOR
Agenda
• A detailed understanding of the current trends, challenges and expectations and how Internal Audit can really add value.
• Focus Discussion with examples on the areas where the Internal Audit needs to increase its attention.
• Areas to increase activity as expected by stakeholders and tools to effectively deliver.
• Scope and use of AI to enhance its reach and proper data analysis
Session 1. (From 9 am to 10:45 am)
• A detailed understanding of the current trends, challenges and expectations and how Internal Audit can really add value.
• Internal audit: a brief refresher.
• What is expected from Internal Audit by various stakeholders, be it Board, Top Management, Regulator and other stakeholders.
• The exposures and accountabilities of Internal Audit
2023 Survey by PwC
1. Megatrends are creating a complex and interconnected risk multiverse
2. IA needs more involvement in strategic areas to remain relevant
3. IA can be a unifying force with the other two lines of defense
4. IA’s human ‘superpowers’ are more important than ever
Disruptive Technologies
• Block Chain
• Artificial Intelligence
• Nanotechnology
• Big Data
• Quantum Computing
• Digital Fingerprinting


Top priorities for Internal Audit - Another Survey
• Cyber security
• Governance and culture
• Information Technology
• Fraud
• Compliance/regulatory
• Financial areas
• Operational
• Sustainability/non-financial reporting
• ERM and related processes
• Financial reporting
• Cost/expense reduction
• Support for external audit

Upcoming Challenges
• Increased Transaction volume
• Ground breaking emerging technologies
• Business Transformation
• Cyber security and privacy
• Regulations
Protiviti 2023 Next Generation Internal Audit Survey
• How Internal Audit coordinates and aligns with other assurance functions
• Internal Audit Strategy which is better defined and aligned to the organization
• Increasing use of data and analytics tools such as AI
Definition
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
(Institute of Internal Auditors)
So what is Internal Audit?
• Internal Auditing is an Independent, Objective assurance and Consulting activity designed to add value and Improve an Organization’s operations.
• Internal Auditing is a Continuous process & not a One time event
• It helps improve effectiveness of Risk Management, control and Governance processes
• It involves Conducting pro-active Fraud audits to identify potential fraudulent acts, and Conducting post fraud investigation & identifying Financial Loss and Control Breakdowns
• Internal Auditors are not responsible for execution of Company’s activities, but advise management & BODs regarding how to better execute their responsibilities.
• Internal Auditors typically Issue reports at the end of each audit that summarize their Findings, recommendations, and any resources or action plans from management
• Internal Audit should ideally act as a strategic partner to the business, by providing quality assurance on various critical risks that are crucial to achieving organization goals.
Internal Audit Charter
• Mission
• Scope
• Reporting
• Authorities
• Responsibilities
• Independence and Objectivity
• Quality Assurance
Authorities of Internal Audit
• Have complete and unrestricted access to records, personnel, and physical properties/assets relevant to the performance of I/A engagement.
• Delegate duties, allocate resources, select team, determine scope of work, budget time & cost, and select required techniques/procedures to accomplish objectives.
• Obtain necessary assistance of personnel in company and other specialized services within or outside the organization.
Independence and Objectivity
• The internal audit activity must be independent, and internal auditors must be objective in performing their work.
• The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.
• Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
Three Lines of Defenses
Changing role of Internal Audit (Traditional vs. Modern)

Traditional Internal Auditing
1. Policing Role
2. Focus on Financial Audit
3. Manual Work Papers
• Initially the objective of Internal Auditing was to prepare the organization for External Audit.
• Manual Vouching with Standard tick and tie method being used.
• Focus on Financial audit and Manual Work Papers
• High Costs and significant time delays associated with information collection, processing and reporting.

Modern Internal Auditing
1. Strategic Function
2. Focus on overall business processes
3. Use of Technology
• Internal Auditing has changed from being Transaction based to risk based.
• Challenge the existing practices for Business performance improvement.
• A balanced approach to risk identification and rating, especially with unfamiliar areas that have not been traditionally reviewed.
• Makes Internal Audit a strategic unit of business.
Service Commitment expected:
• Significant attention and time from CAE
• Enhanced focus on operational processes and not just financial transactions, without losing sight of the criticality and materiality of the issues that matter
• Assist in implementation of recommendations
• Remaining contextually relevant to business by encouraging participative approach with process owners and management
• Shift from ‘fault finding’ to identifying ‘what can go wrong’ and providing practical recommendations

Skill Set & Capabilities
• Global Perspective
• Business acumen
• Technologically adept (CAAT, Flowcharts, Risk mapping Tools)
• Creative Thinking and Problem solving
• Strong Ethical Compass
• Superb Communication (Written & Oral)
• Relationship Expert (Interpersonal Skills)


Planning Process of Internal Audit
• Knowledge of Client's Business
• Establishing Audit Universe
• Establishing Objectives of Engagement
• Establishing Scope of Engagement
• Deciding Resource Allocation
• Preparation of Audit Program
Understanding value chain
• Board and Leadership
• Business Planning
• Market Development
• Business Development
• Pricing Strategies
• Procurement - Procure to Pay
• Staff Management
• Inventory Management
• Operational Efficiency
• Manufacturing of Goods
• Logistics Inbound and Outbound
• Revenue – Order to Cash
• Sales promotion and Marketing
• HR and Payroll related
• Fixed Assets Management
• Finance and Accounts compliances
• Insurance and Capex
• Admin Activities
• Information Technology
• Statutory Compliance
• Treasury Operations
Legend: Strategic / Operational / Support / Internal Audit Focus Areas


Internal Audit Solution
Auditable areas: Process Review Design Mechanism; Regulatory Compliance; Policies & Procedures; Risk & Control; Organisation Structure; Operational Effectiveness & Efficiency; Information Technology effectiveness
Solution Focus: Risk Based Internal Audit
► Evaluate the design and operating effectiveness of the controls for various auditable areas so as to give an assurance to the management on the efficiency of the overall process.
► For all the deficiencies observed, do a relative prioritization so that the leadership can concentrate on key risks.
► Come up with a defined action plan for mitigation of the gaps identified in conjunction with the Management.
► Give positive assurance to the Audit Committee on the operational and financial controls. This will also assist the Board in commenting on operating effectiveness of operating as well as financial controls across processes.
Approach to Internal Audit is an ideal mix of traditional orthodox audit approach and process driven risk based approach, focusing on evaluating the end-to-end process risks and evaluating design and operating effectiveness of controls, using a sampling methodology
Audit Approach

Process Efficiency
Focus: Process & control efficiency
Impact: Systematic process & control improvement, cost reduction
Report: Analysis, facts & circumstances; recommended actions

Strategic Partnering
Focus: Enabling, drive into strategic gaps
Impact: Influence strategy & deployment; change behavior; leverage technology; strategy/action congruence
Report: Best practices, analysis of strategy/action incongruity, business case for change, off-report assistance

Controls & Compliance
Focus: Compliance & controls
Impact: Enhanced controls
Report: Exceptions & recommendations

Process Effectiveness
Focus: Align process to support objectives; automate controls & solutions
Impact: Change, influence system development & deployment
Report: Analysis, facts & circumstances, business case for change

Axes of the matrix: Value Proposition (Risk Management to Strategy Achievement); Collaborative & Enabling / Consultative to Monitor / Business Assurance; Opportunities
Following are the types of audits carried out by Internal auditors:
• Compliance Audit: To ensure Compliance with rules, regulations and Laws applicable to a company.
• Operational Audit: To ensure Effective & Efficient conduct of operations of a company.
• Information System Audit: To ensure Proper Functioning of Information System throughout the life of a Business.
• Performance Audit: To ensure the efficient use of resources to obtain the objectives of a Company.
• Environmental Audits: To Ensure Compliance with the Environmental Laws & Regulations.
• Special Assignments: relate to Investigations on fraud and Corruption, or any other Special service with the approval of the Board.
Internal Auditors help to achieve the right balance between risk and reward by establishing an environment for timely and effective response to the ever changing business risks.

Expectation of Regulators (ECB Perspective)
• Staffing and Training
• Audit Methodology
• Automation
• Audit Cycle
• Independence and quality
• Proper Follow-up reviews
• Compliance
• Status and Influence
Board Expectation from Internal Audit
• Scale, diversity and complexity of the company’s
operations
• Number of employees
• Cost-benefit considerations
• Changes in organizational structure
• Changes in key risks
• Problems with internal control systems
• Increased number of unexplained or unacceptable events
INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF)
Mandatory Guidance:
• Definition of I/A
• Code of Ethics
• The Standards
Strongly Recommended Guidance:
• Position Papers (PPs)
• Practice Advisories (PAs)
• Practice Guides (PGs)
Internal Audit Framework


What Audit Committee wants to hear
from Internal Audit
• To the point discussion
• The Conclusion not the journey
• Your opinion not just facts
• Your concerns whether audited or not
• Something of substance in executive session
• You really know the business and its plan
• You are aligned with the second line of defense
• Show Courage
Taking a Client Service Approach to Internal Audit
• Communicate Regularly With All Stakeholders
• Prioritize Client Concerns
• Trust the Team to Make Decisions
• Gather Meaningful Feedback
• Practice Transparent Auditing
• Market the Internal Audit Function
• Integrating Client Service to Advance Internal Audit
Auditors Accountability and Liability
• The auditor must possess the requisite skills to evaluate
financial statements
• The auditor has a duty to employ such skill with reasonable
care and diligence
• The auditor undertakes his task(s) with good faith and
integrity
• The auditor may be liable for negligence, bad faith, or
dishonesty, but not for mere errors in judgment
What can Internal Audit be held accountable for?
• Breach of Contract – By a client if the internal Audit is outsourced
• Negligence – By Financial statement users
• Fraud and Gross Negligence – By Regulators and Government.
Session 2. (From 11 am to 1 pm)
• Focus Discussion with examples on the following areas where the Internal Audit needs to increase its attention:
• Cyber Security
• Corporate Governance
• Strategy and Business Plans
• Policies and Procedures
• Assisting Board and Audit Committee in discharging their role
CYBERSECURITY
What is Cyber Security
Cyber security refers to every aspect of protecting an organization and its employees and assets against cyber threats.
Why Is Cybersecurity Important?
• Protection of Confidential Information
• Compliance with Regulations
• Protection of Reputation
• Prevention of Financial Losses
• Business Interruption
Types of Cybersecurity Threats
• Malware
• Phishing
• Ransomware
• Denial of Service (DoS) Attacks
• Insider Threats
• Advanced Persistent Threats (APTs)
AREAS WHICH CAN BE AFFECTED BY THREATS / ATTACKS
1. Network Security
2. Application Security
3. Information Security
4. Cloud Security
5. Internet of Things (IoT) Security
6. Identity and Access Management (IAM)
How to Prevent Cyber Attacks?
• Use of Antivirus and Anti-malware Software
• Regular Software Updates
• Strong Passwords and Multi-Factor Authentication
• Education and Awareness
INTERNAL AUDIT ROLE IN CYBER
SECURITY- Key Questions
• Who has access to the organization's most valuable
information?
• Which assets are most likely to be targeted?
• What is the financial impact of a cyber or privacy breach?
• Which systems would cause the most significant impact to
the organization should they be compromised?
• Which data, if stolen, would cause financial or competitive
advantage, legal ramifications and / or reputational
damage?
INTERNAL AUDIT ROLE IN CYBER
SECURITY- Key Questions
• Is management prepared to react in a timely manner
should a cybersecurity incident occur?
• Is senior management / board aware of risks relating to
cybersecurity?
• Are cybersecurity policies and procedures in place, understood and followed?
• Has management performed risk assessments to quantify
their risk exposure?
Role of Internal Audit in Cyber Security
• Protect
• Assist in developing Cyber Security Strategy
• Evaluate Cyber Security Risks
• Identify Cyber Security Issues through data analysis

• Detect
• Perform a detailed analysis to identify vulnerabilities and threats
• Coordinate with external consultants to get an expert view.

• Business Continuity
• Assist in developing cyber security resilience
• Assess the adequacy of the business continuity program.
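The key questions above (who has access to the organization's most valuable information, which systems would hurt most if compromised) and the role of identifying cyber security issues through data analysis can be tested with a computer-assisted audit technique (CAAT) run over an IAM access export rather than by interview alone. The Python below is an added illustration written for this page, not code from the presentation: the crown-jewel register, the access export and its column names, the "leaver" status value and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Added example (not from the presentation): a CAAT-style access review.

Runs audit tests over a constructed IAM export to answer "who has access to
the organization's most valuable information?" with data rather than
interviews alone. All names, columns and thresholds below are assumptions.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed crown-jewel register: asset -> groups approved to hold access.
CROWN_JEWELS = {
    "payroll-db": {"hr-payroll", "dba"},
    "customer-pii": {"crm-admins", "dba"},
}

# Constructed IAM export: (user, asset, group, hr_status, last_login, mfa_enabled)
ACCESS_EXPORT = [
    ("alice", "payroll-db",   "hr-payroll", "active", "2024-05-30", True),
    ("bob",   "payroll-db",   "marketing",  "active", "2024-05-28", True),
    ("carol", "customer-pii", "dba",        "active", "2024-01-10", True),
    ("dave",  "customer-pii", "crm-admins", "leaver", "2024-02-01", True),
    ("erin",  "payroll-db",   "dba",        "active", "2024-05-29", False),
    ("frank", "wiki",         "everyone",   "active", "2023-11-01", False),
]

DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold


def review_access(export, crown_jewels, as_of_iso):
    """Return (finding_type, user, asset) tuples for every failed test.

    leaver_retains    - HR status is not active but the entitlement still exists
    unapproved_group  - crown-jewel access through a group not on the approved list
    dormant_account   - crown-jewel access with no login for more than DORMANT_AFTER
    privileged_no_mfa - crown-jewel access without multi-factor authentication
    """
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for user, asset, group, hr_status, last_login, mfa in export:
        if hr_status != "active":
            findings.append(("leaver_retains", user, asset))
        if asset not in crown_jewels:
            continue  # the remaining tests only apply to high-value assets
        if group not in crown_jewels[asset]:
            findings.append(("unapproved_group", user, asset))
        if as_of - date.fromisoformat(last_login) > DORMANT_AFTER:
            findings.append(("dormant_account", user, asset))
        if not mfa:
            findings.append(("privileged_no_mfa", user, asset))
    return findings


def summarize(findings):
    """Count findings by type: the figures an audit report would table."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    results = review_access(ACCESS_EXPORT, CROWN_JEWELS, "2024-06-01")
    for kind, user, asset in results:
        print(f"{kind:<18} {user:<6} {asset}")
    print(summarize(results))
```

Each row can raise several findings at once (a leaver who is also dormant appears twice), which is deliberate: the report tabulates by finding type so that access creep, joiner-mover-leaver failures, dormant accounts and missing MFA each get their own management action rather than being folded into one count.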
Benefits of Cyber Security Audit
• Identification of Vulnerabilities
• Enhanced Protection
• Regulatory Compliance
• Improved Incident Response
• Risk Management
• Stakeholder Confidence
• Continuous Improvement
INTERNAL AUDIT AND CORPORATE GOVERNANCE
Corporate Governance - Definition
• the system by which business corporations are directed and controlled
• specifies the distribution of rights and responsibilities among different
participants in the corporation, such as the board, managers,
shareholders and other stakeholders
• spells out the rules and procedures for making decisions on corporate
affairs
• provides the structure through which the company objectives are set,
and the means of attaining those objectives and monitoring
performance
(Source: OECD April 1999)
The Principles of Corporate Governance
• Fairness: The board of directors must treat shareholders, employees, vendors, and communities fairly and with equal consideration.
• Transparency: The board should provide timely, accurate, and clear information about such things as financial performance, conflicts of interest, and risks to shareholders and other stakeholders.
• Risk Management: The board and management must determine risks of all kinds and how best to control, manage and disclose them.
• Responsibility: The board is responsible for the oversight of corporate matters and management activities. It must act in the best interests of a company and its investors.
• Accountability: The board must explain the purpose of a company's activities and the results of its conduct.
Responsibilities of directors
• Keep abreast of the responsibilities as a director
• Exercise duties of care, skill, integrity and diligence expected
• Ensure proper understanding of the operation, business and
the regulatory requirement
• Contribute sufficient time and resources to serve the
corporate
• Attend AGMs to share the views of shareholders

Accountability and Audit – Financial Reporting
• Management provide explanation and information to the board to enable them to make informed assessment of financial and other information
• The board should present comprehensive assessment of the corporate’s performance, position and prospects in annual and interim reports, price-sensitive announcements and other financial disclosures

Accountability and Audit – Internal Control
• Ensure the maintenance of sound and effective internal controls to safeguard assets
• Conduct regular reviews of the effectiveness of the internal control system, covering financial, operational, compliance and risk management control functions
• Prevent fraud, corruption, and malpractices

Communication with Shareholders
- Effective communication
• Maintain on-going dialogue with shareholders and make use of annual
general meetings or other general meetings to communicate with
shareholders
• Transparency in corporate governance practices and business
performances through proper and adequate disclosures
• Encourage shareholders’ participation

Questions the Board Should Ask
• How deeply is internal audit involved in the organization’s
discussions on risk?
• Is internal audit properly positioned and resourced to provide
high-quality, professional assurance and advisory services?
• Is the head of internal audit free to develop strong relationships
with the board and/or audit committee chair?
• Does the board/audit committee recognize and support the
best conditions under which internal audit can thrive?
• How can management and the board support efforts to make the internal audit activity agile and innovative?
Role of Internal Audit in Corporate Governance
• Internal Audit reviews the effectiveness of Governance, Risk and Controls
• Due to its independence it is best placed to provide an unbiased opinion.
• It can provide foresight to the organization by identifying trends and bringing attention to emerging challenges before they become crises
• They can act as consultant to the Board and Management in identifying best practices in Corporate Governance.
• As part of the annual plan they can ensure that an opinion on areas forming part of corporate governance is covered.
• Reviewing current/pending litigation or regulatory proceedings.
• Reviewing significant cases of employee conflict of interest, misconduct, or fraud.
• Review of effectiveness of the whistleblowing mechanism
Internal Auditor Role in Strategy and Business Plan
What is strategic planning?
Strategic planning is an ongoing process by which an organization sets its forward course to examine current realities and define its vision for the future. It also examines its strengths and weaknesses, resources available, and opportunities.
Risks of Improper Strategic Planning
Process
• Not being able to identify (all) internal and external trends that may
impact the organization
• Not achieving the strategic goals
• Losing market share
• Spending resources, time and money without achieving the desired
result
• Lacking accurate KPIs to assess the actual situation, leading the
organization to steer blindly
• Having an imbalanced view of the situation by focusing too much on
near-term financial goals and losing sight of other strategic and short-
term objectives
• Not linking the strategic plan to the operating plan, resulting in a
disconnect between the strategy and operations
Importance of Internal Audit in Strategy Formulation Process
• Protect and enhance business value
• Ensure that functional plans are fully aligned with strategy and are strategically geared up and positioned.
• Strengthen the ability to reach strategic goals
• Enhance operational efficiency
Role of Internal Audit in Strategy
• Risk Assessment and Mitigation:
• Internal auditors are invaluable in ensuring that the strategies align with the organization's risk appetite. They also help identify potential obstacles and vulnerabilities that might hinder the successful execution of a strategy
• Alignment with Objectives:
• Internal auditors, with their holistic perspective, can facilitate alignment by ensuring that the proposed strategies are consistent with the organization's overall mission, vision, and goals
Role of Internal Audit in Strategy
• Governance and Compliance:
• Internal auditors play a pivotal role in verifying that proposed strategies adhere to regulatory standards, industry norms, and the organization's own governance framework.
• Performance Measurement and Accountability:
• Internal auditors contribute by developing or validating the performance measures, ensuring they are quantifiable, relevant, and aligned with the strategic objectives.
Role of Internal Audit in Strategy
• Resource Allocation and Efficiency:
• Internal auditors can provide recommendations on optimizing resource allocation whereby the organization derives maximum value from its investments.
• Scenario Analysis and Contingency Planning:
• Internal auditors, through scenario analysis and identifying potential disruptions or uncertainties, can contribute by assisting in the creation of contingency plans which can safeguard against unforeseen challenges.
Internal Policies and Procedure – Role of Internal Audit
What is the Purpose of
• Compliance with laws and policies
• Accomplishment of mission
• Relevant and reliable data
• Economical and efficient use of resources
• Safeguard assets
Responsibilities:
The Board of Directors are
responsible for the general
governance and administration
of the Corporate Entity. They
are charged with issuing policies
that govern the entity which are
the basis of the internal control
system.
Responsibilities, cont’d:
• Management:
• Responsible for maintaining an adequate system of internal
control.
• Communicating the expectations and duties.
• These responsibilities should reflect the appropriate authority and
accountability.
• Staff:
• Staff and operating personnel are responsible for carrying out the
internal control activities set forth by management.
Everyone is Responsible for Internal
Controls
All staff should:
• Read and understand the policies and
procedures which affect their job
• Comply with the controls established to protect
the charter school
• Notice if there is a control weakness and bring it
to the attention of the supervisor or manager
Internal Controls: Myths vs. Fact
Myth 1: Internal control starts with a strong set of policies and procedures…
Fact 1: Internal control starts with a strong control environment
Myth 2: Internal control is why we have internal auditors…
Fact 2: Management is the owner of internal control
Myth 3: Internal control is a finance thing. We do what the business office tells us…
Fact 3: Internal control is integral to every aspect of the business
Myth 4: Internal controls are a necessary evil. They take time away from our core activities.
Fact 4: Internal controls should be built into, not on to, business processes
Myth 5: Internal controls are a list of what not to do…
Fact 5: Internal control makes the right things happen the first time, and every time
Myth 6: If controls are strong enough, we can be sure there will be no fraud, and financial statements will be accurate…
Fact 6: Internal controls provide reasonable, but not absolute, assurance that objectives will be achieved
Introduction to Policies and
Procedures

There is an art and skill to writing policies and procedures:

Policies:
• Express rules, expectations and requirements
• Explain what to do
• Are realistic and attainable
• Have an active voice (subject-verb-object)

Procedures:
• List steps to follow
• Tell “how” to perform a job
• Have an active voice and are imperative
Policy and Procedure Writing Skill:
Say what you mean and mean what you say.
• Be aware of all possible interpretations.
• Use specific language.
Consider the Reader/Users:
• Don’t assume anything.
• Look at the experience of the user.

Why are policies and procedures reviewed at regular intervals?
• To ensure that they are not outdated
• When any process changes
• When a new law or regulation is enacted or an existing has
been amended
• Technological advancement
Internal Audit Role in policies and
procedures
• To check their existence as per requirements
• To check that they are implemented, through walk-through tests
• They are followed and working as intended
• They are available to employees and understandable
• Required training on those procedures has been imparted
• Non-compliances or breaches are being recorded and actions taken
• Employees are tested on a regular basis to check awareness
Internal Audit Role in creation or updating of policies and procedures
• Identify if any policy or procedure required is not in existence.
• Identify gaps in procedures
• See if they have not been reviewed as per requirements
• Can perform consulting assignments advising management in developing or updating a procedure
• Ensure that the procedure is consistent with the standard followed by the company.
• For technical procedures check whether it was reviewed or made in line with the advice of a third party consultant
• Be part of meetings where procedures are reviewed as an observer.
Assisting the Board Audit Committee in discharging its role
Board Challenge:
Direct the affairs of the corporation in assembling capital, human resources and other necessary inputs to produce goods and services efficiently, while holding managers accountable for the use of assets provided by others

Board Functions
• Select, monitor, evaluate, compensate and -- when
necessary -- replace senior management
• Review and approve strategic and long-term plans
• Monitor corporate performance against plans
• Review and approve material capital allocations, financial
standards and policies
• Ensure financial control and reporting integrity, ethical
standards and legal compliance
• Monitor constituent relations
• Organize the board

Information Needed by the Board
• Relevant and timely information is an essential predicate for satisfying the board’s role
• Corporate Performance
• Background & Analysis of Major Issues/Transactions
• Related Party Transactions & Potential Conflicts of Interest
• Integrity of Information depends on
• Financial information and reporting systems
• Legal compliance and risk assessment systems
• An effective internal audit function

Basic Paradigm
“Managers accountable to boards; boards accountable to shareholders (profit) or for the organization’s mission (non-profit).”

Board Priorities
• Choose best managers available; compensate based on
performance; replace when necessary; plan for succession
• Engage with management in strategic planning and monitor
performance against strategic and business plans
• Ensure that corporate reporting, audit and legal compliance
systems are in good order
• Review/approve major transactions and expenditures
• Ensure that conflict situations are avoided and insider
transactions are objectively fair to the corporation and entire
shareholding body
• Determine and demand the information needed to govern

What are the worries of Audit
Committee
• Complex accounting and reporting areas and how management
addresses them
• Significant accounting policies, judgments, management estimates, and
their impact on the financial statements
• Any prior internal control issues and how they have been resolved
• The design and components of the company’s antifraud and
anticorruption compliance programs to confirm that those programs have
sufficient oversight, autonomy, and resources
• Pending financial reporting and regulatory developments, with a focus on
understanding how they may affect the company
• Related party transactions
• How to deal with shareholder queries at AGM
• Selection of External Auditors and coordination
Internal Audit can assist
• At the time of the Annual Plan the Auditors should meet both the Chairman of the Board and the Chairman of the Audit Committee to get a feel of what worries them and how Internal Audit can help.
• A periodic report on the financial statements and an
independent report on the same.
• A periodic report on the overall control environment and
exceptions.
• Assisting audit committee in whistleblowing and other
investigations
• Regular interaction to keep the chair audit committee abreast
with the current situation and activities performed and also to
get feedback
Session 3. (From 2 pm to 3:30 pm)
Areas of value addition
• Whistle Blowing Mechanism
• Risk identification and Management
• Legal Compliance monitoring
• Data Security and Integrity
• Fraud Detection and Prevention

Whistle Blowing
A whistleblower is a person disclosing information to some higher authority about any wrongdoing, which could be in the form of fraud, corruption, etc.
Internal Audit Role in Whistleblowing
• The initial capture of the tip-offs is crucial - all reports should
be acknowledged and responded to as quickly as
possible
• Prioritize action on the reports according to risk. Whilst
allegations of fraud or corruption are almost always serious,
tip-offs concerning health and safety, or environmental
breaches may be critical depending on the risk profile of
the organization
• Delegate reports that reflect misunderstandings, personal
grievances or minor errors to a support group such as HR
which can handle them efficiently (complaints and
grievances should be subject to a separate procedure -
often in practice they are not).
Internal Audit Role in Investigation
• Commit to investigating all matters fully, fairly, quickly and confidentially
• Make recommendations for further action
• Maintain a feedback loop to whistleblowers
• Internal Audit should be properly resourced both in terms of staffing and skills
• The board needs to ensure that Internal Audit’s main functions and wider assurance role are not compromised.
Assurance Role
• Internal Audit should provide the board with assurance on the effectiveness of the whistleblowing system.
• Ensure that an open and right culture is in place which encourages raising of concerns.
• Promoting whistleblowing best practice
• Testing case files; monitoring policy and procedures; and recommending improvements where needed.
• Ensure that in addition to all workers the policy covers suppliers, customers and other stakeholders
• Suggesting reporting lines – providing different alternatives facilitates disclosure.
• Verify that the hotline is adequately staffed with the training and expertise to handle different types of cases
• Carry out surveys to assess how the workforce views the whistleblowing arrangements
• If the whistleblowing hotlines are outsourced then Internal Audit has to review the supplier selection process as well as check their performance periodically.
Risk Identification and Management
“The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.”
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
“Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.”
Sheila Fraser, Auditor General of Canada
Keep it simple

Conversation Starters
• Who is accountable for risks?
• How do we talk about risk? Do we have a common language in the functions and across the company?
• Are we taking too much risk? Or not enough?
• Are the right people taking the right risks at the right time?
• What’s our risk culture? Are we risk-averse, risk-takers, or somewhere in between?
The Risk Management Principles
Risk is the uncertainty that surrounds future events and outcomes.
Risk is the expression of the likelihood and impact of any event with the potential to influence the achievement of an organization’s objectives.
Risk Management Prerequisites
• Promote a healthy risk culture, where risk is a routine and expected topic of conversation.
• Develop a common and consistent approach to addressing risk across the institution
• Practice proactivity rather than reactivity
• Identify new risk and develop appropriate strategies for mitigating or profiting from it
• Establish accountability, transparency and responsibility
• Realize programmatic success, defined as implementation and practice throughout the entire organization
Internal Auditor role in Risk Management
• Internal auditors cannot be involved in decision making, but can help the organisation to understand risks
• IIA Standard 2100 – Nature of Work: The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
  – IA is helping by performing the internal audit activity
Risk based audit planning vs.
Risk management
Objective of Risk Management Audit
• Risk Management processes are operating as intended
• Risk Management processes are of sound design
• Risk treatment plans are adequate to reduce the risk to an acceptable level
• A sound framework of control is in place to mitigate those identified risks.
Ask questions and develop your approach
• Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?
• Have we assessed the likelihood and impact of our risks?
• Have we identified the sources and causes of our risks?
• How well are we managing our risks?
• Are we trying to prevent the downside of risk, or are we simply trying to recover from it?
Monitoring Legal Compliance
What is Legal Compliance
Legal compliance ensures that your organization complies with all applicable laws and regulations, allowing you to operate within the legal and ethical boundaries of your industry.
Risk ‘Waterfall’: Risk → Regulation → Compliance
• Compliance is often seen as a necessary evil, and one that does not add value
• Key in helping to reduce risk in complex systems
• Effective, and underappreciated, way of creating value in organisations
• Often the only way to be able to run complex operations
Compliance is the Mirror of Risk
A call to conceptually integrate thinking and process
• Understanding risk is a competitive advantage, if it is carried through by the organisation (compliance)
• Compliance efforts need to be proportional to risk
• The regulator is interested in process, not ‘box-ticking’
• Humans are good at making judgements, machines at performing routine tasks. Yet we waste humans on routine tasks in compliance.
• Rethink processes and workflows, optimise them, and then digitalise them
Regulatory and Legal Monitoring
Process
• Identify your Regulatory and Legal requirements
• Assess the impact of Regulatory Requirements
• Develop a compliance calendar
• Establish a Regulatory monitoring plan
• Build an Effective Team for Regulatory Monitoring
• Automate Regulatory Monitoring
• Constantly update for changes in laws and regulations
Challenges in Compliance Monitoring
• Resource Constraints
  • Prioritize compliance efforts
  • Automate processes
  • Outsource certain tasks to third-party experts
• Handling Complex Regulations
  • Obtain expert advice
• Managing Updates
  • Assign responsibilities
  • Subscriptions
  • Engage law firms for this purpose
• Ensuring Compliance
  • Compliance monitoring software
How to Monitor Compliance
• Identify areas of non-compliance.
• Gauge the effectiveness of compliance training programs.
• Monitor established benchmarks to track progress.
• Identify emerging risks and recommend compliance strategies accordingly.
• Promote transparency and accountability throughout the organization.
• Facilitate effective communication and education on compliance matters.
• Monitor reporting of compliance with regulatory authorities and stakeholders.
Data Security and Integrity
1. Data Security: data security refers to protecting data from unauthorized users.
2. Data Integrity: data integrity means that the data contained in the database is both correct and consistent.
New Challenges
• Companies are growing very fast, and their IT systems change rapidly. Old models of ITGCs do not necessarily fit agile environments!
• Companies deal with a huge amount of data, transactions and information. Do they really have proper controls in the right places to prevent or detect misstatements? How do we test the effectiveness of ad-hoc online controls over data (dashboards)?
• Automated procedures, especially in the tech industries, face inherent complexity. Do we really understand the end-to-end process and the data flows in our organizations? Can we really gain comfort that an automated control works appropriately in a complex environment?
• Information systems can help our organizations, but can also raise risks if the systems do not support a proper control environment, especially if the systems are maintained by a third-party service provider with no proper controls report.
How to Overcome
• Start early. Make sure you dedicate enough time to truly understand the end-to-end business processes and IT systems.
• Make sure you’re involved in decisions related to major changes in systems. Your input regarding internal controls is highly important!
• Use technology tools where possible. Tools can save you time and also give you more comfort over large databases and transaction volumes.
• Use experts to test automated complex controls and system reports. Our biggest challenges from the regulator are related to these areas, which require experience and expertise.
• Be creative! An agile IT environment requires agile IT controls. Design and implement controls according to the TRUE risks in your systems.
• Challenge your understanding. Use colleagues and experts to challenge your end-to-end understanding.
Challenges in the next decade
• Automated working papers / testing: more tools will help us perform controls testing procedures more effectively.
• From business driven to data driven: data will be interfaced completely and directly to the auditors. Controls will be designed more around data irregularities/errors and less around papers and manual testing procedures.
• From periodic to continuous monitoring: the testing procedures will run constantly instead of in “testing phases / rounds”. This will also change the concept of having “internal testing” procedures before the auditors, as they will also have full visibility of data and controls 24/7/365.
• From manual procedures through RPA to AI: we see more and more automated procedures run by robots. We will also see decision making by robots pretty soon. Can we really test a review control operated by an intelligent robot?
Principles of data integrity
• Accuracy: Data must be recorded and maintained to reflect the truth precisely.
• Consistency: Data must remain consistent over time, regardless of the format or platform.
• Completeness: All necessary data should be recorded, and any missing data can lead to incorrect conclusions.
• Trustworthiness: Data must be reliable and should accurately represent the reality it is intended to depict.
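The four principles above are statements of intent; an auditor also wants a way to check them on a dataset. As an added example (not code from the presentation), the Python below keeps records in a hash chain so that an edited value, a removed or reordered record, or a silently truncated ledger is detected on verification, which makes accuracy, consistency and completeness testable rather than merely asserted. The record fields, the journal entries, the "head hash kept by Internal Audit" and the verification rules are assumptions constructed for this illustration.

```python
"""Tamper-evident records: making data-integrity principles verifiable.

Each record stores the SHA-256 of the previous record, so an edited value,
a deleted or reordered record, or a truncated ledger fails verification.
All records below are constructed sample data for this example.
"""
from __future__ import annotations

import hashlib
import json
from typing import Any

GENESIS = "0" * 64  # "previous hash" of the first record


def canonical(record: dict[str, Any]) -> bytes:
    # Stable serialisation: key order and whitespace must not change the hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict[str, Any]) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def append_record(chain: list[dict[str, Any]], payload: dict[str, Any]) -> dict[str, Any]:
    """Append payload as a new record linked to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "data": payload}
    body["hash"] = record_hash(body)  # covers seq, prev and data
    chain.append(body)
    return body


def verify_chain(chain: list[dict[str, Any]], expected_head: str | None = None) -> tuple[bool, int | None]:
    """Return (ok, seq_of_first_problem).

    Checks, in order: sequence numbers are contiguous (completeness and
    ordering), each record links to its predecessor (consistency), and each
    stored hash matches the record's content (accuracy). If expected_head is
    given (the last hash, kept outside the system being audited), a ledger that
    was silently truncated is reported at the position of the first missing record.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        stored = rec.get("hash")
        content = {k: v for k, v in rec.items() if k != "hash"}
        if (rec.get("seq") != expected_seq
                or rec.get("prev") != prev
                or record_hash(content) != stored):
            return False, expected_seq
        prev = stored
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_demo() -> dict[str, tuple[bool, int | None]]:
    """Construct a small journal, then show which tampering is caught."""
    chain: list[dict[str, Any]] = []
    append_record(chain, {"journal": "JE-1001", "amount": 1200.00, "approver": "A. Khan"})
    append_record(chain, {"journal": "JE-1002", "amount": 875.50, "approver": "A. Khan"})
    append_record(chain, {"journal": "JE-1003", "amount": 4400.00, "approver": "B. Rao"})
    head = chain[-1]["hash"]  # retained separately, e.g. by Internal Audit

    edited = json.loads(json.dumps(chain))  # deep copy via JSON round trip
    edited[1]["data"]["amount"] = 8755.00   # a posted amount changed after the fact

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "truncated": verify_chain(chain[:-1], head),  # last record removed
    }


if __name__ == "__main__":
    for name, (ok, bad_seq) in build_demo().items():
        print(f"{name:10s} ok={ok} first_problem_seq={bad_seq}")
```

The chain proves that something changed and where, not who changed it or what the original value was; it belongs alongside access control and retained backups, and the head hash is only useful if it is stored somewhere the people who can edit the ledger cannot also edit.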
Importance of Data Integrity
• Regulatory Compliance
• Improved Customer Trust And Satisfaction
• Enhanced Market Reputation
• Better Resource Allocation
• Data Availability
Challenges in Maintaining Data Integrity
• Human Error
• Cyber Threats
• Technological Limitations
• Complex Data Ecosystems
• Cost And Resource Constraints
• Lack Of Standardization
IT Governance - An Overview
To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.

Examples of target areas
• Planning IT Strategy with the IT Steering Committee
• Implementation of the IT strategy
• Business Process Reengineering
• Risk management for IT strategy
• Organization and Personnel Management
Fraud Detection and Prevention
Role of Internal Audit in Fraud Detection
Operationally, internal audit should have sufficient knowledge of
fraud to:
• Identify red flags indicating fraud may have been committed.
• Understand the characteristics of fraud and the techniques
used to commit fraud, and the various fraud schemes and
scenarios.
• Evaluate the indicators of fraud and decide whether further
action is necessary or whether an investigation should be
recommended.
• Evaluate the effectiveness of controls to prevent or detect
fraud.
Managing Fraud Risk
• Does the organization have a fraud response plan in place that
outlines key policies and investigation methodologies?
• Who carries out fraud investigations within the organization?
• Is internal audit tasked with identifying where fraud risk is present,
and does it audit controls in these areas?
• When fraud has occurred, does internal audit investigate to
understand how the controls failed and how they can be
improved?
• Is internal audit tasked to investigate fraud, and, if so, does it
possess the proper skill sets to carry out such investigations?
Whether or not Internal Audit should undertake investigation of Fraud
• Investigation is not typically an internal audit task.
• Internal audit should first consider the extent of the work needed in terms of the complexity, materiality or significance of the incident being investigated.
• They need to decide whether they are best placed to undertake the investigation or to outsource it to an expert.
Fraud Risk Assessment Process
Steps in Risk Assessment
1. Identify relevant fraud risk factors.
2. Identify potential fraud schemes and prioritize them based on risk.
3. Map existing controls to potential fraud schemes and identify gaps.
4. Test operating effectiveness of fraud prevention and detection controls.
5. Document and report the fraud risk assessment.
Fraud Management Framework
Role of Internal Audit
• Consider fraud risks in the assessment of internal control design
and determination of audit steps to perform.
• Have sufficient knowledge of fraud to identify red
flags indicating fraud may have been committed.
• Be alert to opportunities that could allow fraud, such as
control deficiencies.
• Evaluate whether management is actively
retaining responsibility for oversight of the fraud risk
management program.
• Evaluate the indicators of fraud and decide whether any further
action is necessary or whether an investigation should be
recommended.
• Recommend investigation when appropriate.
Session 4. (From 3:45 pm to 5:15 pm)
• Scope and use of AI to enhance its reach and proper data analysis
• Opportunities and challenges of AI’s role in bridging the gap between technology and audit
• How to use technology and AI in the planning cycle
• Data analysis and anomaly detection
• Benefits of using AI
• Use of generative AI with examples
What is Artificial Intelligence
Artificial intelligence (AI) is a technology that enables computers and digital devices to learn, read, write, talk, see, create, play, analyze, make recommendations, and do other things humans do.
Strong AI Vs. Weak AI
• Strong AI is AI that acts exactly as a human would; think C-3PO, the Terminator or Commander Data. They exhibit emotions, real creativity, and can even have a sense of purpose.
• Weak AI is AI that is confined to a narrow task, like when a system processes language into text or sorts all the pictures on your PC.
• Examples of Weak AI include: Siri, Cortana, Bing, Netflix, and even ChatGPT.
Introduction to Generative AI
• Generative AI refers to a type of artificial intelligence that has the ability to generate content that is, in many cases, indistinguishable from content created by humans. This AI can produce text, images, audio, or even video, often in response to a given input or prompt.
• Generative AI operates by learning patterns and structures from large datasets and then using that knowledge to produce new content that fits within those learned patterns. It's a type of machine learning where the AI model learns to understand and mimic the characteristics of the data it has been trained on.
Generative AI Limitations
• Quality and Coherence: Generative AI can sometimes produce content that is factually incorrect or incoherent.
• Lack of Understanding: Generative models don't have true understanding of the text they generate. They generate responses based on statistical patterns rather than comprehension, which means they can't answer questions that require deep understanding or common-sense reasoning.
• Biases: Generative AI can inadvertently perpetuate biases present in the training data.
• Safety and Privacy: In some cases, generative AI can generate harmful or inappropriate content. Ensuring the safety and ethical use of AI-generated text is a significant concern.
• Inconsistency: The same prompt given to a generative model may produce different responses at different times. While this can be useful for creativity, it can also result in inconsistent or contradictory answers.
• Overgeneration: Generative models can be verbose and tend to overgenerate content.
• Data Dependency: The quality of the generated text depends on the quality and diversity of the training data. Limited or biased training data can result in poor performance.
• Prompt Sensitivity: The way a prompt is framed can significantly impact the output. Crafting effective prompts requires skill and experimentation.
Identifying Opportunities for AI
• Nature of the Task: What are you trying to generate?
• Complexity of the Task: Does it need to be broken into segments?
• Data Availability: How recent/prevalent is the data for what you are
trying to do?
• Ethical Considerations: Use ethical guidelines to avoid harmful or biased
content.
• Human Review/Monitoring: Human oversight is needed to ensure no
errors or biases are present.
• Scalability: Assess if the task can be handled efficiently with available
computational resources.
What is Prompt Engineering?
• Prompt engineering is the process of designing and crafting input prompts or queries to generative AI models to elicit desired outputs or responses. The choice of words, format, and context in the prompt can significantly influence the generated content.
• How to structure prompts for desired outputs:
  • Be Clear and Specific
  • Specify the Format
  • Add Context
  • Use Examples
  • Control the Tone
  • Ask the Model to Think Step by Step
  • Use Keywords
  • Provide Constraints
  • Experiment
  • Iterate and Refine
Prompt Engineering Examples
• Task: Summarize a Report
  • Ineffective Prompt: "Summarize this report."
  • Effective Prompt: "Provide a concise summary of the key findings and overarching messages of the GLBA Audit Findings: [paste report here]."
• Task: Creative Writing
  • Ineffective Prompt: "Write a story."
  • Effective Prompt: "Create an engaging short story about a time traveler who finds themselves in a parallel universe where gravity behaves differently."
• Task: Language Translation
  • Ineffective Prompt: "Translate this sentence."
  • Effective Prompt: "Translate the following English sentence into French: 'The quick brown fox jumps over the lazy dog.'"
Information Security, Privacy, and Ethics
• Do tools and platforms like ChatGPT present an inherent security risk?
• From their TOS: “Use of Content to Improve Services: We do not use Content that you provide to or receive from our API (“API Content”) to develop or improve our Services. We may use Content from Services other than our API (“Non-API Content”) to help develop and improve our Services.”
• OpenAI recommends using fake names or pseudonyms when interacting with ChatGPT, and avoiding public wi-fi, instead using secured private networks.
• Not all platforms follow the same or even similar guidelines.
• “Copilot seamlessly integrates into Microsoft 365, inheriting your organization's security, compliance, and privacy policies. It utilizes advanced encryption, access control, and permissions to prevent data leakage and maintain compliance with security and privacy policies. Microsoft Copilot places a high emphasis on data security and privacy within Microsoft 365.” - Microsoft
Ethical Concerns
• Bias and Fairness: AI systems can inherit biases from the data they are trained on, potentially leading to discrimination in areas like admissions, hiring, or grading.
• Privacy: AI may process and store sensitive student or faculty data, raising concerns about data security and privacy violations.
• Transparency: The opacity of some AI algorithms makes it difficult to understand how decisions are reached. This lack of transparency can raise ethical questions about accountability and trust.
• Accountability: It can be challenging to assign responsibility when AI is used in decision-making processes. Determining who is accountable for AI-related outcomes or errors is an important ethical consideration.
• Data Quality: Garbage in, garbage out: if AI systems are fed with poor-quality or biased data, the ethical integrity of the resulting decisions is compromised.
• Consent: Collecting and using personal data for AI applications should involve informed consent. Companies must be transparent about data usage and give individuals the option to opt in or out.
Guidelines for Leveraging Generative AI
• Understand the Technology
  • Ensure that you and your team have a deep understanding of how generative AI works, its capabilities, and its limitations. This understanding is crucial for responsible use.
• Data Ethics
  • Use high-quality and diverse training data that is free from bias and sensitive information. Be aware of the potential biases in your training data and take steps to mitigate them.
• Human Oversight
  • Maintain human oversight and control over AI systems. Fact-check your data and avoid plagiarism.
• Accountability
  • Clearly define roles and responsibilities for AI development and deployment. Ensure accountability for the outcomes of AI systems, both positive and negative.
• Education and Training
  • Provide training and guidelines to staff or users interacting with AI systems to promote responsible usage and ethical considerations.
• Continual Monitoring and Evaluation
  • Continuously monitor the performance and impact of AI systems after deployment. Be prepared to make adjustments or take corrective actions as needed.
Tools, Platforms, and Software
• ChatGPT – chatbot, text generator
• Midjourney/Dall-E2 – text to art
• Wisdolia – plugin, generate flash cards for any website, video, or PDF you are on.
• RunwayML – Extreme video/picture editing.
• Microsoft 365 copilot – brings AI across the entire Microsoft office suite
• Eleven Labs – voice recognition. You speak to it, then you can feed it scripts and it will read them in
your voice and cadence.
• Synthesia – create a realistic avatar that can speak any script it is given.
• Mixo/Sitekick – type a product idea and it creates a full website.
• Tome – makes presentations from simple prompts.
• Tableau’s Ask Data – ask questions, receive data visualizations as responses.
What do auditors analyze and the result achieved
• Business Performance
• Conformance

• What happened?
• What is happening?
• Why did it happen, or why is it happening?
Analyzing data - key facts & issues
• To analyze historic and real-time data we have powerful business intelligence tools available
• There are limitations on the predictions and prescriptions that can be made when using these tools
• The size of the data is huge and it is impossible to go through and analyze all possible scenarios
• During audits it is not possible to cover 100% of the population, hence the sampling approach
• Growing stakeholder needs and expectations
• Availability of human resources and competence
So what do we expect machines to do for us?
• We are asking machines to learn and act according to multiple business scenarios based on our needs
• Mimic human actions wherever possible without explicit programming, unlike standard software applications
• So we have decided to test and trust the machine intelligence, which is purely artificial as it is designed, trained and taught using human intelligence
Future of IA
• Can risk assessment be done based on the data within the organization?
• Can observations be made as they happen, and the issues therefore be avoided?
• Can report writing be automated?

Audit and Compliance will merge in future because it will be possible to correct a decision as it is being made, by answering the above questions in real time.
Risk Management & Technology
• Transformation from a STATIC risk management process (pre-defined intervals) to a continuous, dynamic and real-time one
• Journey from a risk register to a support for informed decision making
Fraud Detection
• Fraud Detection and Prevention in real time
• Distinguishes real customers from cyber criminals in real time
• Anomaly detection for recognizing inconsistencies or
inaccuracies
• Predictive and Prescriptive Analytics to detect fraud from
multiple sources
• Automated process for gathering and monitoring information
• Detection of real time fraudulent activities using RPA
• Predict future fraudulent activities based on patterns in historical
data
Cyber Security
• Threat Detection
  • AI-based solutions detect patterns of malicious behavior in network traffic, files and websites
  • AI-based solutions do not rely on signatures, so attacks not yet reported can be detected
• Prevention and Recovery
  • A dynamic real-time authentication framework that changes network access privileges is created by AI, which facilitates security and recovery.
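The signature-free detection idea above, as an added illustration that is not code from the presentation or from any vendor product: instead of matching known-bad indicators, the script learns each host's own baseline of daily request count, bytes sent and destinations from proxy-style log lines, then flags a host whose current day departs from that history. A host that starts bulk transfers to a destination never seen before is flagged even though no signature exists for it. The log format, host names, destinations, thresholds and the 198.51.100.7 address (a documentation range) are all constructed assumptions for this example.

```python
"""Signature-free detection: flag hosts whose behaviour departs from their own baseline.

Log lines, hosts, destinations and thresholds are constructed for this example.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")
Z_THRESHOLD = 3.0  # standard deviations above the host's own baseline
MIN_STDEV = 1.0    # floor so a perfectly regular baseline does not divide by zero

BASELINE_DAYS = ["2023-05-01", "2023-05-02", "2023-05-03"]
TARGET_DAY = "2023-05-04"


def constructed_logs() -> list[str]:
    """Three quiet days per host, then one day where ws-02 starts bulk transfers."""
    lines = []
    dsts = ["intranet.example", "mail.example", "cdn.example"]
    for d, day in enumerate(BASELINE_DAYS + [TARGET_DAY]):
        for i in range(20 + d % 3):  # ws-01: 20, 21, 22, 20 requests per day
            lines.append(f"{day}T09:{i:02d}:00 src=ws-01 dst={dsts[i % 3]} bytes=1500")
        for i in range(15 + d % 2):  # ws-02: 15, 16, 15, 16 requests per day
            lines.append(f"{day}T10:{i:02d}:00 src=ws-02 dst={dsts[i % 3]} bytes=1200")
    # Constructed anomaly: sustained large transfers to a host never seen before
    for i in range(300):
        lines.append(f"{TARGET_DAY}T22:{i % 60:02d}:{i // 60:02d} src=ws-02 dst=198.51.100.7 bytes=65000")
    lines.append("this line is malformed and must be skipped")
    return lines


def parse(lines):
    """Return (day, src, dst, bytes) tuples; malformed lines are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["ts"][:10], m["src"], m["dst"], int(m["bytes"])))
    return events


def daily_profile(events):
    """Per (day, host): request count, bytes sent and set of destinations."""
    prof = defaultdict(lambda: {"requests": 0, "bytes": 0, "dsts": set()})
    for day, src, dst, nbytes in events:
        p = prof[(day, src)]
        p["requests"] += 1
        p["bytes"] += nbytes
        p["dsts"].add(dst)
    return prof


def detect(events, baseline_days, target_day):
    """Flag hosts whose target-day profile is anomalous against their baseline."""
    prof = daily_profile(events)
    findings = []
    for host in sorted({src for (_, src) in prof}):
        cur = prof.get((target_day, host))
        if cur is None:
            continue
        base = [prof[(d, host)] for d in baseline_days if (d, host) in prof]
        if not base:  # a host with no history cannot be scored; report it as new
            findings.append((host, "no baseline: new host"))
            continue
        reasons = []
        for feat in ("requests", "bytes"):
            vals = [b[feat] for b in base]
            mean = statistics.fmean(vals)
            sd = max(statistics.pstdev(vals), MIN_STDEV)
            z = (cur[feat] - mean) / sd
            if z > Z_THRESHOLD:
                reasons.append(f"{feat} z={z:.1f}")
        new_dsts = cur["dsts"] - set().union(*(b["dsts"] for b in base))
        if new_dsts:
            reasons.append("new destinations: " + ",".join(sorted(new_dsts)))
        if reasons:
            findings.append((host, "; ".join(reasons)))
    return findings


def run_demo():
    return detect(parse(constructed_logs()), BASELINE_DAYS, TARGET_DAY)


if __name__ == "__main__":
    for host, why in run_demo():
        print(host, "->", why)
```

Two design points an auditor should test when reviewing such a control: the baseline window must itself be clean (an attacker already active during the baseline days becomes "normal"), and the standard-deviation floor matters, because a perfectly regular host would otherwise produce an infinite z-score on any change and a noisy host would hide real changes.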
AI Techniques in Auditing
Types of Audit Automation
• Predictive analysis—A mechanism to predict a trend with data or an evidence sample size while auditing a specific area, e.g., predicting noncompliance to user offboarding based on quarterly data
• Robotic process automation (RPA)—Semi- or partial automation of auditing steps such as data extraction from data sets into Word/Excel as part of large audit and risk assessments
• NLP—Automating repetitive tasks via voice commands targeted at manual and repeat checks
• Natural language generation and ingestion—Creation of an NLP-based bot that could ingest and learn new commands such as reconciliations or checks based on checklists if the type of audit varies
AI Automation Scope
Specific Use Cases
Benefit of Automation
• Consistency in data collection
• Enhanced efficiency
• Real-time collaboration for increased productivity
• Enhanced accuracy
• Consistent and traceable automated processes
• Enhanced risk management
• Enhanced security and data protection
• Cost savings through error reduction
• Better utilization of resources
• Real-time insights for informed decision-making
AI Strategy for Internal Audit
• Understands the strategic objectives of
the organization, and the processes
implemented to achieve those objectives.
• Is able to evaluate whether AI activities
are accomplishing their objectives.
• Can provide internal assurance over
management’s risk management
activities relevant to AI risks.
• Is perceived as a trusted advisor that can
positively support the adoption of AI to
improve business processes or enhance
product and service offerings.
The new organization structure of Internal Audit
Steps towards AI
• Change the mindset of teams and create access to the internal database
• An audit workflow which has adequate data of the past
• Build robotics
• Build the policies of the organization into decision making tools
• Ability to identify issues as they happen or before they happen
• Dynamic risk assessment
1. Business and Risk Assessment
• Understand the business strategy for the year
• Call for inputs from various leaders in the organization on what should be our focus
• Read all board and sub committee papers to decipher the strategy
• Speak with all product teams as to what is being planned
• Risk assessment must be an outcome of the business plan for the year. Only then can we assess the status of controls and what should be tested.
First step towards AI: Technology & Data
• Audit workflow should be one stop shop
• Should have risk assessment template
• Checklist for each area of audit
• Template observation
• Audit Reports
360 Degree Auditing
• Ability to query data lakes to not just test small samples but generate exceptions from the whole population of data
• Ability to build mechanics to cull out exceptions at regular periodicity to achieve concurrent audit status
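Full-population exception generation as described above, together with the earlier Fraud Detection points (anomaly detection and automated gathering of information), as one added example that is not part of the presentation: three SQL exception tests run over every payment in a constructed population loaded into an in-memory SQLite database, so the result is the complete list of exceptions rather than a sample. The tables, the rows, the approval limit and the three rules (duplicate invoice, same-day payments split below the approval limit, vendor bank account shared with an employee) are all assumptions constructed for illustration; scheduling queries like these at a regular periodicity is one way to build the concurrent-audit mechanics the slide refers to.

```python
"""Full-population exception testing over an in-memory SQLite copy of the data.

Instead of sampling, each rule is a query over every payment. All tables,
rows, the approval limit and the three rules are constructed for this example.
"""
import sqlite3

APPROVAL_LIMIT = 10_000.00  # assumed single-approver limit

# Constructed population: (payment_id, vendor_id, invoice_no, paid_on, amount)
PAYMENTS = [
    ("P1", "V100", "INV-1", "2023-03-01", 4200.00),
    ("P2", "V100", "INV-1", "2023-03-04", 4200.00),  # same invoice paid twice
    ("P3", "V200", "INV-7", "2023-03-10", 9800.00),
    ("P4", "V200", "INV-8", "2023-03-10", 9700.00),  # same day, each under the limit
    ("P5", "V300", "INV-2", "2023-03-12", 15000.00),
    ("P6", "V400", "INV-9", "2023-03-15", 300.00),
]
VENDORS = [  # (vendor_id, name, bank_account)
    ("V100", "Acme Supplies", "AC-111"),
    ("V200", "Beta Logistics", "AC-222"),
    ("V300", "Gamma Consulting", "AC-333"),
    ("V400", "Delta Cleaning", "AC-444"),
]
EMPLOYEES = [  # (emp_id, name, bank_account)
    ("E1", "R. Singh", "AC-999"),
    ("E2", "M. Lee", "AC-444"),  # same account as vendor V400
]


def load_population() -> sqlite3.Connection:
    """Load the constructed extracts into an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE payments(payment_id TEXT PRIMARY KEY, vendor_id TEXT,
                              invoice_no TEXT, paid_on TEXT, amount REAL);
        CREATE TABLE vendors(vendor_id TEXT PRIMARY KEY, name TEXT, bank_account TEXT);
        CREATE TABLE employees(emp_id TEXT PRIMARY KEY, name TEXT, bank_account TEXT);
        """
    )
    con.executemany("INSERT INTO payments VALUES (?,?,?,?,?)", PAYMENTS)
    con.executemany("INSERT INTO vendors VALUES (?,?,?)", VENDORS)
    con.executemany("INSERT INTO employees VALUES (?,?,?)", EMPLOYEES)
    return con


def duplicate_payments(con: sqlite3.Connection) -> list:
    """Rule 1: the same vendor invoice and amount paid more than once."""
    return con.execute(
        """
        SELECT vendor_id, invoice_no, amount, COUNT(*) AS n,
               GROUP_CONCAT(payment_id) AS payment_ids
        FROM payments
        GROUP BY vendor_id, invoice_no, amount
        HAVING n > 1
        """
    ).fetchall()


def split_payments(con: sqlite3.Connection, limit: float = APPROVAL_LIMIT) -> list:
    """Rule 2: several same-day payments to one vendor, each below the approval
    limit but together above it (a pattern that sidesteps a single-approver control)."""
    return con.execute(
        """
        SELECT vendor_id, paid_on, COUNT(*) AS n, SUM(amount) AS total
        FROM payments
        WHERE amount < ?
        GROUP BY vendor_id, paid_on
        HAVING n > 1 AND total >= ?
        """,
        (limit, limit),
    ).fetchall()


def vendor_employee_bank_match(con: sqlite3.Connection) -> list:
    """Rule 3: a vendor bank account that is also an employee's bank account."""
    return con.execute(
        """
        SELECT v.vendor_id, v.name, e.emp_id, e.name, v.bank_account
        FROM vendors v JOIN employees e ON e.bank_account = v.bank_account
        """
    ).fetchall()


def run_exception_tests() -> dict:
    """Run every rule over the whole population and return the exceptions."""
    con = load_population()
    try:
        return {
            "duplicates": duplicate_payments(con),
            "splits": split_payments(con),
            "bank_matches": vendor_employee_bank_match(con),
        }
    finally:
        con.close()


if __name__ == "__main__":
    for rule, rows in run_exception_tests().items():
        print(rule, rows)
```

Every row returned is an exception to be investigated, not a conclusion: a duplicate may be a legitimate instalment and a shared bank account may be a contractor who is also on payroll. The value of the approach is that the population is tested exhaustively and the same queries can be re-run unchanged against each new extract.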
IA to AI
• Use ChatGPT or similar tools to aid in auditing
• Use available tools to depict observations in summary through video creation and effective summarization
• Use the predictive skills of tools to decipher risks in a particular area
• Workflow, data lakes and robotics within the organization are a prerequisite
• Using the foundation laid, the scope of AI in audits is infinite
• A base level of robotics and a data warehouse is a pre-requisite for AI to take root in any organization.
Actions for the Future – Internal Audit
• Get informed and educated
• Identify AI leaders within your organization
• Identify opportunities for automation
• Recognize tasks that require analysis of large data sets
• Begin implementing AI processes on a small scale
• AI is not going away, and learning how to use it appropriately is important. It is not coming for your job, but it can make you much more productive.
• Being mindful of how we use this new technology, and how we can shape our jobs with it, will determine the future of its efficacy.
• Through intentional exploration we can innovate in ways we have not dreamed of.
• Common sense will prevail in most situations.
Conclusion
• AI will become inevitable in audits in future
• Our role will change to using AI in the right manner
• Start with Excel if you are nowhere
• Build workflow and gain access to data warehouses
• Become the doctor of the organization
• Increasingly quantify audit observations into tangible numbers to assess risks
The Key Message
The internal auditing profession cannot be left behind in what may be the next digital frontier: artificial intelligence. To prepare, internal auditors must understand AI basics, the roles that internal audit can and should play, and AI risks and opportunities. To meet these challenges, internal auditors should leverage the Framework to deliver systematic, disciplined methods to evaluate and improve the effectiveness of risk management, control, and governance processes related to AI.
Thank You!
fazalgaffoor@hotmail.com
