Internal Audit in The Dynamic World
Presented by Fazal Hussain Gaffoor
Agenda
• A detailed understanding of the current trends, challenges and expectations, and how Internal Audit can really add value.
• Focused discussion, with examples, on the areas where Internal Audit needs to increase its attention.
• Areas to increase activity as expected by stakeholders, and tools to deliver effectively.
• Scope and use of AI to enhance its reach and proper data analysis.
Session 1. (From 9 am to 10:45 am)
• Operational
• Sustainability/non-financial reporting
• ERM and related processes
• Financial reporting
• Assist in implementation of recommendations
Skill Set and Capabilities
• Global perspective
• Business acumen
• Knowledge of the client's business
Planning Process
• Establishing the audit universe
• Establishing objectives of the engagement
• Establishing scope of the engagement
• Deciding resource allocation
• Preparation of the audit program
Understanding value chain
Board and Leadership
The approach to Internal Audit is an ideal mix of the traditional orthodox audit approach and a process-driven, risk-based approach, focusing on evaluating end-to-end process risks and evaluating the design and operating effectiveness of controls using a sampling methodology.
Value proposition of the audit approach (diagram): the audit approach ranges from assurance, through consultative, to strategic partnering; the value delivered ranges from process efficiency and process effectiveness, through business monitoring and risk management, to strategy achievement and opportunities.
Opportunities:
Following are the types of audits carried out by internal auditors:
Compliance Audit: to ensure compliance with the rules, regulations and laws applicable to a company.
Operational Audit: to ensure effective and efficient conduct of the operations of a company.
Information System Audit: to ensure proper functioning of the information systems throughout the life of a business.
Performance Audit: to ensure the efficient use of resources to achieve the objectives of a company.
Environmental Audit: to ensure compliance with environmental laws and regulations.
Special Assignments: investigations into fraud and corruption, or any other special service, with the approval of the Board.
Internal auditors help to achieve the right balance between risk and reward by establishing an environment for a timely and effective response to ever-changing business risks.
Expectation of Regulators (ECB Perspective)
• Staffing and Training
• Audit Methodology
• Automation
• Audit Cycle
• Independence and quality
• Proper Follow-up reviews
• Compliance
• Status and Influence
Board Expectation from Internal Audit
• Scale, diversity and complexity of the company’s
operations
• Number of employees
• Cost-benefit considerations
• Changes in organizational structure
• Changes in key risks
• Problems with internal control systems
• Increased number of unexplained or unacceptable events
INTERNATIONAL PROFESSIONAL
PRACTICES FRAMEWORK (IPPF)
• Detect
  • Perform a detailed analysis to identify vulnerabilities and threats.
  • Coordinate with an external consultant to get an expert view.
• Business Continuity
  • Assist in developing cyber security resilience.
  • Assess the adequacy of the business continuity program.
Benefits of Cyber Security Audit
• Identification of Vulnerabilities
• Enhanced Protection
• Regulatory Compliance
• Improved Incident Response
• Risk Management
• Stakeholder Confidence
• Continuous Improvement
INTERNAL
AUDIT AND
CORPORATE
GOVERNANCE
Corporate Governance - Definition
• the system by which business corporations are directed and controlled
• specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders
• spells out the rules and procedures for making decisions on corporate affairs
• provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance
(Source: OECD April 1999)
The Principles of Corporate Governance
Accountability and Audit
– Financial Reporting
Accountability and Audit
– Internal Control
Communication with Shareholders
- Effective communication
• Maintain on-going dialogue with shareholders and make use of annual
general meetings or other general meetings to communicate with
shareholders
• Transparency in corporate governance practices and business
performances through proper and adequate disclosures
• Encourage shareholders’ participation
Questions the Board Should Ask
• How deeply is internal audit involved in the organization’s
discussions on risk?
• Is internal audit properly positioned and resourced to provide
high-quality, professional assurance and advisory services?
• Is the head of internal audit free to develop strong relationships
with the board and/or audit committee chair?
• Does the board/audit committee recognize and support the
best conditions under which internal audit can thrive?
• How can management and the board support efforts to make the internal audit activity agile and innovative?
Role of Internal Audit in Corporate Governance
• Internal audit reviews the effectiveness of governance, risk and controls.
• Due to its independence it is best placed to provide an unbiased opinion.
• It can provide foresight to the organization by identifying trends and bringing attention to emerging challenges before they become crises.
• It can act as a consultant to the Board and Management in identifying best practices in corporate governance.
• As part of the annual plan it can ensure that an opinion on the areas that form part of corporate governance is covered.
• Reviewing current/pending litigation or regulatory proceedings.
• Reviewing significant cases of employee conflict of interest, misconduct, or fraud.
• Reviewing the effectiveness of the whistleblowing mechanism.
Internal Auditor Role in Strategy and Business Plan
What is strategic planning?
Accomplishment of mission
Policy and Procedure Writing Skill:
Policies:
• Express rules, expectations and requirements
• Explain what to do
• Are realistic and attainable
• Have an active voice (subject-verb-object)
Procedures:
• List steps to follow
• Tell “how” to perform a job
• Have an active voice and are imperative
Board Functions
• Select, monitor, evaluate, compensate and -- when
necessary -- replace senior management
• Review and approve strategic and long-term plans
• Monitor corporate performance against plans
• Review and approve material capital allocations, financial
standards and policies
• Ensure financial control and reporting integrity, ethical
standards and legal compliance
• Monitor constituent relations
• Organize the board
Information Needed by the Board
Basic Paradigm
Board Priorities
• Choose best managers available; compensate based on
performance; replace when necessary; plan for succession
• Engage with management in strategic planning and monitor
performance against strategic and business plans
• Ensure that corporate reporting, audit and legal compliance
systems are in good order
• Review/approve major transactions and expenditures
• Ensure that conflict situations are avoided and insider
transactions are objectively fair to the corporation and entire
shareholding body
• Determine and demand the information needed to govern
What are the worries of the Audit Committee?
• Complex accounting and reporting areas and how management
addresses them
• Significant accounting policies, judgments, management estimates, and
their impact on the financial statements
• Any prior internal control issues and how they have been resolved
• The design and components of the company’s antifraud and
anticorruption compliance programs to confirm that those programs have
sufficient oversight, autonomy, and resources
• Pending financial reporting and regulatory developments, with a focus on
understanding how they may affect the company
• Related party transactions
• How to deal with shareholder queries at AGM
• Selection of External Auditors and coordination
Internal Audit can assist
• At the time of the annual plan the auditors should meet both the Chairman of the Board and the Chairman of the Audit Committee to get a feel for what worries them and how internal audit can help.
• A periodic report on the financial statements and an independent report on the same.
• A periodic report on the overall control environment and exceptions.
• Assisting the audit committee in whistleblowing and other investigations.
• Regular interaction to keep the chair of the audit committee abreast of the current situation and the activities performed, and also to get feedback.
Session 3. (From 2 pm to 3:30 pm)
• Ensure that an open and right culture is in place which encourages the raising of concerns.
• Test case files; monitor policy and procedures; and recommend improvements where needed.
• Ensure that, in addition to all workers, the policy covers suppliers, customers and other stakeholders.
• Verify that the hotline is adequately staffed, with the training and expertise to handle different types of cases.
• Carry out surveys to assess how the workforce views the whistleblowing arrangements.
• If the whistleblowing hotline is outsourced, then Internal Audit has to review the supplier selection process as well as check the supplier's performance periodically.
Risk Identification and Management
The only alternative to risk management is crisis management
--- and crisis management is much more expensive, time
consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
Conversation Starters
Compliance is the Mirror of Risk
A call to conceptually integrate thinking and process
Regulatory and Legal Monitoring
Process
• Identify your Regulatory and Legal requirements
• Assess the impact of Regulatory Requirements
• Develop a compliance calendar
• Establish a Regulatory monitoring plan
• Build an Effective Team for Regulatory Monitoring
• Automate Regulatory Monitoring
• Constantly update for changes in laws and regulations
Challenges in Compliance Monitoring
• Resource constraints
  • Prioritize compliance efforts
  • Automate processes
  • Outsource certain tasks to third-party experts
• Managing updates
  • Assign responsibilities
  • Subscriptions
  • Engaging law firms for this purpose
• Ensuring compliance
  • Compliance monitoring software
How to Monitor Compliance
1. Data Security: data security refers to the protection of data from unauthorized users.
2. Data Integrity: data integrity means that the data contained in the database is both correct and consistent.
New Challenges
• Companies are growing very fast, and their IT systems change rapidly. Old models of ITGCs do not necessarily fit agile environments!
• Companies deal with a HUGE amount of data, transactions and information. Do they really have proper controls in the right places to prevent or detect misstatements? How do we test the effectiveness of ad-hoc online controls over data (dashboards)?
• Automated procedures, especially in the tech industries, face inherent complexity. Do we really understand the end-to-end process and the data flows in our organizations? Can we really gain comfort that an automated control works appropriately in a complex environment?
• Information systems can help our organizations, but can also raise risks if the systems do not support a proper control environment, especially if the systems are maintained by a third-party service provider with no proper controls report.
How to Overcome
• Start early. Make sure you dedicate enough time to truly understand the end-to-end business processes and IT systems.
• Make sure you're involved in decisions related to major changes in systems. Your input regarding internal controls is highly important!
• Use technology tools where possible. Tools can save you time and also give you more comfort over large databases and transactions.
• Use experts to test complex automated controls / system reports. Our biggest challenges from the regulator are related to these areas, which require experience and expertise.
• Be creative! An agile IT environment requires agile IT controls. Design and implement controls according to the TRUE risks in your systems.
• Challenge your understanding. Use colleagues / experts to challenge your end-to-end understanding.
Challenges in the next decade
• Automated working papers / testing: more tools will help us carry out controls testing procedures more effectively.
• From business driven to data driven: data will be interfaced completely and directly to the auditors; controls will be designed more around data irregularities/errors and less around papers and manual testing procedures.
• From periodic to continuous monitoring: the testing procedures will run constantly instead of in “testing phases / rounds”. This will also change the concept of having “internal testing” procedures before the auditors, as they will also have full visibility of data and controls 24/7/365.
• From manual procedures through RPA to AI: we see more and more automated procedures run by robots. We will also see decision making by robots pretty soon. Can we really test a review control operated by an intelligent robot?
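The move from sampled, periodic testing to data-driven, continuous control testing is easier to picture with a concrete test. The script below is an added example written for this page; it is not code from the presentation or its author. It runs four control rules (segregation of duties, an approval limit, out-of-hours posting and duplicate vendor invoices) over an entire population of journal entries rather than a sample, and returns the exceptions together with a coverage summary for the working paper. The entry fields, the approval limit, the business-hours window and the sample entries are all assumptions constructed for illustration.

```python
"""
Added example (not from the original presentation): a data-driven control
test that runs over the full population of journal entries instead of a
sample. Each rule encodes one control expectation; an entry that breaks a
rule is an exception for the auditor to follow up. The thresholds and the
sample entries below are illustrative assumptions, not real data or policy.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_at: datetime
    amount: float
    vendor: str
    invoice_no: str
    created_by: str
    approved_by: str   # empty string means no approver recorded


# Illustrative thresholds (assumptions, not taken from the page)
APPROVAL_LIMIT = 10_000.00      # entries above this need a recorded approver
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 on a weekday counts as business hours


def check_segregation_of_duties(entry):
    """Same user created and approved the entry: the SoD control failed."""
    if entry.created_by == entry.approved_by:
        return "creator approved own entry"
    return None


def check_missing_approval(entry):
    """Amount above the approval limit with no approver recorded."""
    if entry.amount > APPROVAL_LIMIT and not entry.approved_by:
        return f"amount {entry.amount:.2f} above limit with no approver"
    return None


def check_out_of_hours(entry):
    """Posted at night or on a weekend: unusual timing worth a second look."""
    if entry.posted_at.hour not in BUSINESS_HOURS or entry.posted_at.weekday() >= 5:
        return "posted outside business hours"
    return None


def find_duplicate_invoices(entries):
    """Same vendor, invoice number and amount booked more than once."""
    key = lambda e: (e.vendor, e.invoice_no, round(e.amount, 2))
    counts = Counter(key(e) for e in entries)
    return {e.entry_id: "duplicate vendor invoice" for e in entries if counts[key(e)] > 1}


def run_control_tests(entries):
    """Return {entry_id: [exception, ...]} for every entry that failed a rule."""
    per_entry_rules = (check_segregation_of_duties, check_missing_approval, check_out_of_hours)
    exceptions = {}
    for e in entries:
        hits = [msg for rule in per_entry_rules if (msg := rule(e))]
        if hits:
            exceptions[e.entry_id] = hits
    for entry_id, msg in find_duplicate_invoices(entries).items():
        exceptions.setdefault(entry_id, []).append(msg)
    return exceptions


def summarize(entries, exceptions):
    """Population coverage and exception rate for the working paper."""
    return {
        "population": len(entries),
        "entries_with_exceptions": len(exceptions),
        "exception_rate": round(len(exceptions) / len(entries), 4) if entries else 0.0,
    }


# Constructed sample population (assumed data, not from any real ledger)
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", datetime(2024, 3, 4, 10, 15), 2_500.00, "Acme Ltd", "INV-1001", "alice", "bob"),
    JournalEntry("JE-002", datetime(2024, 3, 4, 23, 40), 4_200.00, "Acme Ltd", "INV-1002", "alice", "bob"),   # 23:40
    JournalEntry("JE-003", datetime(2024, 3, 5, 11, 0), 15_000.00, "Globex", "INV-2001", "carol", "carol"),   # SoD
    JournalEntry("JE-004", datetime(2024, 3, 6, 9, 30), 12_000.00, "Globex", "INV-2002", "dave", ""),         # no approver
    JournalEntry("JE-005", datetime(2024, 3, 7, 14, 5), 2_500.00, "Acme Ltd", "INV-1001", "erin", "bob"),     # repeats JE-001
    JournalEntry("JE-006", datetime(2024, 3, 9, 12, 0), 800.00, "Initech", "INV-3001", "frank", "bob"),       # Saturday
    JournalEntry("JE-007", datetime(2024, 3, 11, 9, 45), 1_250.00, "Initech", "INV-3002", "frank", "grace"),  # clean
    JournalEntry("JE-008", datetime(2024, 3, 12, 16, 20), 9_999.00, "Globex", "INV-2003", "dave", "bob"),     # clean
]

if __name__ == "__main__":
    found = run_control_tests(SAMPLE_ENTRIES)
    for entry_id, reasons in sorted(found.items()):
        print(entry_id, "->", "; ".join(reasons))
    print(summarize(SAMPLE_ENTRIES, found))
```

Because every entry is tested, the result is a population exception rate rather than an extrapolation from a sample, and the same rules can be scheduled to run on each day's postings, which is what continuous monitoring amounts to in practice. Each rule is a plain function so an auditor can read the control expectation it encodes and challenge it.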
Principles of data integrity
• Human Error
• Cyber Threats
• Technological Limitations
• Complex Data Ecosystems
• Cost And Resource Constraints
• Lack Of Standardization
IT Governance- An Overview
To provide assurance that the organization has the structure, policies,
accountability, mechanisms, and monitoring practices in place to achieve
the requirements of corporate governance of IT.
Examples of target
• Planning IT Strategy with IT Steering Committee
• Implementation of the IT strategy
• Business Process Reengineering
• Risk management for IT strategy
• Organization and Personnel Management
Fraud Detection and Prevention
Role of Internal Audit in Fraud Detection
Operationally, internal audit should have sufficient knowledge of
fraud to:
• Identify red flags indicating fraud may have been committed.
• Understand the characteristics of fraud and the techniques
used to commit fraud, and the various fraud schemes and
scenarios.
• Evaluate the indicators of fraud and decide whether further
action is necessary or whether an investigation should be
recommended.
• Evaluate the effectiveness of controls to prevent or detect
fraud.
Managing Fraud Risk
• Does the organization have a fraud response plan in place that
outlines key policies and investigation methodologies?
• Who carries out fraud investigations within the organization?
• Is internal audit tasked with identifying where fraud risk is present,
and does it audit controls in these areas?
• When fraud has occurred, does internal audit investigate to
understand how the controls failed and how they can be
improved?
• Is internal audit tasked to investigate fraud, and, if so, does it
possess the proper skill sets to carry out such investigations?
Whether or not Internal Audit should
undertake investigation of Fraud
• Investigation is not typically an internal audit task
• Internal audit should first consider extent of the work
needed in terms of the complexity, materiality or
significance of the Incident being investigated.
• They need to decide whether they are best placed to
undertake the investigation or outsource it to some expert.
Fraud Risk Assessment Process
Steps in Risk Assessment
1. Identify relevant fraud risk factors.
2. Identify potential fraud schemes and prioritize them based on risk.
3. Map existing controls to potential fraud schemes and identify gaps.
4. Test the operating effectiveness of fraud prevention and detection controls.
5. Document and report the fraud risk assessment.
Fraud Management Framework
Role of Internal Audit
• Consider fraud risks in the assessment of internal control design
and determination of audit steps to perform.
• Have sufficient knowledge of fraud to identify red
flags indicating fraud may have been committed.
• Be alert to opportunities that could allow fraud, such as
control deficiencies.
• Evaluate whether management is actively
retaining responsibility for oversight of the fraud risk
management program.
• Evaluate the indicators of fraud and decide whether any further
action is necessary or whether an investigation should be
recommended.
• Recommend investigation when appropriate.
Session 4. (From 3:45 pm to 5:15 pm)
• Data Quality: garbage in, garbage out. If AI systems are fed with poor-quality or biased data, the ethical integrity of the resulting decisions is compromised.
• Data Ethics
  • Use high-quality and diverse training data that is free from bias and sensitive information. Be aware of the potential biases in your training data and take steps to mitigate them.
• Human Oversight
  • Maintain human oversight and control over AI systems. Fact-check your data and avoid plagiarism.
Guidelines for Leveraging Generative AI
• Accountability
  • Clearly define roles and responsibilities for AI development and deployment. Ensure accountability for the outcomes of AI systems, both positive and negative.
• What happened?
• What is happening?
• Why did it happen, or why is it happening?
Analyzing data: key facts & issues
• To analyze historic and real-time data we have powerful business intelligence tools available.
• There are limitations on the predictions and prescriptions that can be made when using these tools.
• The size of the data is huge and it is impossible to go through and analyze all possible scenarios.
• During audits there is a limitation on covering 100% of the population, hence the sampling approach.
• Growing stakeholder needs and expectations.
• Availability of human resources and competence.
So what do we expect machines to do for us?
• We are asking machines to learn and act according to multiple business scenarios based on our needs.
• Mimic human actions wherever possible without explicit programming, unlike standard software applications.
• So we have decided to test and trust the machine intelligence, which is purely artificial as it is designed, trained and taught using human intelligence.
Future of IA
• Can risk assessment be done based on the data within the organization?
• Can observations be made as they happen, and therefore avoided?
• Can report writing be automated?
“The internal auditing profession cannot be left behind in what may be the next digital frontier —artificial intelligence. To prepare, internal auditors must understand AI basics, the roles that internal audit can and should play, and AI risks and opportunities. To meet these challenges, internal auditors should leverage the Framework to deliver systematic, disciplined methods to evaluate and improve the effectiveness of risk management, control, and governance processes related to AI.”
Thank You!
fazalgaffoor@hotmail.com