Keeping In Touch - The Institute of Internal Auditors MALAYSIA
KEEPING IN TOUCH
Issue 03/2013, Jul – Sep 2013
www.iiam.com.my
Progress through sharing
An exclusive publication for Members of The Institute of Internal Auditors Malaysia
KDN PP 7705/04/2013(032230)

At a Glance
• Pass CIA Part 4 Via Professional Experience Recognition
• Members’ Networking Session Cum Hari Raya Gathering in Johor Bahru
• 2013 International Conference, Orlando
• 2013 National Conference on Internal Auditing – Scaling Greater Heights : Adding Value
• The Evolving Role of Internal Auditors in Risk Management and Internal Control

Editor says

Just like every other year, I attended the recently concluded National Conference on Internal Auditing organised by the Institute. I find it a spirited way to meet and network with fellow friends in the internal audit profession. This year I met an old friend of mine who I had not met for the last three years. We had a lengthy ‘catching-up’ session and I felt good having met him at the conference.

Later in the night at the networking dinner, I happened to sit at a table occupied by some young budding auditors and a few veteran auditors. The young auditors were asking the veterans about conducting internal audit of a construction company. Information was flowing across the table between the veterans and the young budding auditors and I found this very captivating. The Institute has a sizable number of highly competent and experienced internal auditors who are ever ready to share their knowledge and experiences.

For those who missed attending the conference, this issue has a report on the national conference. Also featured in this issue are the results of the 2013 membership drive campaign, the evolving role of internal auditor in risk management & internal control and the news release on COSO Internal Control. Pleasant reading.

BOARD OF GOVERNORS 2013/2014 AND STAFF

President Ranjit Singh Vice Presidents Philip Satish Rao MBA (UK), CRMA, CMIIA, CA (M), CPA (M) CMIIA, CPA (AUST), CPA (M), CA (M) Shabaruddin Ibrahim MIA, MICPA, FCA, CFIIA Hon. Secretary Lucy Wong Kam Yang Hon. Treasurer Mohamed Farook Nasar Governors Christine Ong May Ee, MBA (AUST), CIA, CMIIA, CRMA, FCMA, CGMA, CA(M) MBA(USM), CIA, CRMA, CMIIA, ICSA (UK) B.ACC (HONS) (SG), CIA, CRMA, CMIIA, FCA (AUST), CA (M)

Nickson Choo Wei Sin B.ACC (HONS), CMIIA, CISA, CFE, CA (M)
Devanesan Evanson LLB (HONS) (UK), CFIIA, CA (M), FCCA (UK)
Mohd Khaidzir Shahari BACC (HONS), CIA, CMIIA, CA (M)
Dr Nurmazilah Dato’ Mahzan PHD (UK), CIA, CRMA, CMIIA, CA (M), CPA (M)
Zahran Tasliman B.ACC (HONS), CIA, CCSA, CMIIA
Alan Chang Kong Chong B.ECONOMICS (AUST), CIA, CFSA, CPA (AUST), CCP (IBBM)
Nik Hasnan Nik Abd Kadir BSC (HONS), CIA, CMIIA

CHAIRMAN Sabah District Society Sarawak District Society Auditor Solicitor STAFF Executive Director / Technical Director Senior Certification Manager Senior Technical Manager Dr Suresh Kannan Chief Editor Nur Hayati Baharuddin MBA, CIA, CCSA, CFSA, CGAP, CRMA, CMIIA, FCPA, CA(M) Zaimah Ismail BBA(Hons), AIIA Sivamalar Thuraisingam BA(Hons)(UK), CIA, CCSA, CMIIA

VISION
To be the national voice of the internal audit profession: Advocating its value, promoting best practices, and providing exceptional service to its members.

MISSION
To provide dynamic leadership for the global profession of internal auditing.
Activities in support of this mission will include: • Advocating and promoting the value that internal audit professionals add to their organisations; • Providing comprehensive professional educational and development opportunities; standards and other professional practice guidance; and certification programmes; • Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning internal auditing and its appropriate role in control, risk management, and governance; • Educating practitioners and other relevant audiences on best practices in internal auditing; and • Bringing together internal auditors to share information and experiences. OBJECTIVES 1. To be the recognised voice for the internal audit profession; 2. To develop and sustain the internal audit profession in Malaysia through appropriate infrastructure, coordination, support and communication; and 3. To provide exceptional service to IIA Malaysia’s members. Senior Finance Manager Technical Manager Assistant Manager Corporate Services Assistant Manager Membership Assistant Manager Professional Development Senior Certification Executive Accounts Executive Accounts Executive Training Executive Training Executive Membership Executive Membership Executive Administrative Executive Siti Arafah Abdul Aziz BSc(Hons) Jessie Liew Siau Yan BA(Hons) Sally Goh Syed Lee Veronica Justin B.Comp. Sc Josie R. Omilda Nor Shazwani Mohamad Shafiee BMgt(Hons) Noor Adiha Abu Bakar BBA(Hons) Raja Nur Aina Raja Mohammad Noordin Admin Officer Admin Officer Admin Officer Training Officer Despatch Cum Office Assistant Nur Zuhairah Zamberi BSc(Hons) Yusliza Md Yusof Syazana Dzulkefli BBA(Hons) Ahmad Farouk Rosman Hamdani Mohd Sahit Mashud EDITORIAL BOARD PSC Chairman Lucy Wong Kam Yang Deputy Chairman Zahran Tasliman Chief Editor Dr Suresh Kannan B.Acc (Hons), CIA, CCSA, CMIIA PHD, MBA, BA (Hons) Acc, CMIIA 1 KEEPING IN TOUCH • Issue 3 Jul – Sep 2013 P. 
Shanthi Palaniappan CIA, CMIIA Sky Chan Kin Kwan B.ACC (Hons), CIA, CMIIA Abdul Azim Abd Jalil BSc (Hons), AIIA Production & Circulation 2 4 9 11 21 Siti Rohani Umar BA(Hons) Irwan Noor Hadi Dahili B.Comm(Hons) MBA (AUST), CIA, CRMA, CMIIA, FCMA, CGMA, CA(M) MOTTO : “PROGRESS THROUGH SHARING” The Institute maintains its motto “Progress Through Sharing” and share with our members information on new trends, latest internal audit techniques, regulatory and statutory requirements and the emerging issues affecting the profession. contents Lee Fook Sun MAcc(Aust), CMIIA, CA(M), CRMA Tengku Idreena Tuan Ismail BA(Hons) Jess Liu Shiak Peng B.Com(Aust) B.Econ(Hons) Committee Members Academic Relations Membership New Releases Events Technical Woo Yoke Meng, CFIIA Baker Tilly Monteiro Heng KC Lim & Co Zaimah Ismail BBA (Hons), AIIA Siti Rohani Umar BA (Hons) Nor Shazwani Mohamad Shafiee BMgt (Hons) Noor Adiha Abu Bakar BBA (Hons) THE INSTITUTE OF INTERNAL AUDITORS MALAYSIA 160-3-3 Kompleks Maluri, Jalan Jejaka, Taman Maluri, 55100 Kuala Lumpur, Malaysia. Tel: (603) 9282 1148 Fax: (603) 9282 1241 E-mail: ijdm@po.jaring.my Website: www.iiam.com.my Printed by: PENCETAK WENG FATT SDN BHD (19847-W) Lot 6, Lorong Kilang A, Off Jalan Kilang, 46050 Petaling Jaya, Selangor Darul Ehsan. academic relations Pass CIA Part 4 Via Professional Experience Recognition Candidates who have successfully completed Part 3 of the CIA can opt to complete the Part 4 of the old CIA syllabus via the Professional Experience Recognition process. To be eligible, candidate must: 1. hold an MBA or a master’s degree (5 to 6 years post-secondary education) with a curriculum encompassing the five domains of Part 4 from an accredited university; 2. complete a detailed narrative of at least 75 to 100 words per domain describing examples of their experience within the domains of the current Part 4 exam. 
Experience in all of the five domains is required, and the candidate should document a minimum of 60 months’ experience.
3. have successfully completed Part 3 of the four-part exam.

The deadline for Part 4 PER is 31 December 2013. However, to enable IIA Malaysia to vet through applications and communicate with candidates in case of insufficient documentation, Malaysian candidates are required to submit their application to IIA Malaysia by 1 December 2013.

Part 4

In order to retain credit for the current Part 3 "passed" status from the four-part exam version, candidates will need to clear the Part 4 exam requirement before 31 December 2013. Candidates who do not complete the Part 4 requirement before 31 December 2013 will need to sit for Part 3 of the new three-part exam. The Professional Certification Board (PCB) has approved a number of options for individuals to clear the Part 4 requirement.

Registration for the Part 4 exam can be made until 22 November 2013. However, candidates must schedule and sit for the exam before 31 December 2013. (Note: The 180-day rule does not apply here.)

ALL OF THE RIGHT PIECES FOR YOUR CAREER DEVELOPMENT PUZZLE

Enhance your professional value with IIA Certifications:
• Distinguish yourself from your peers.
• Communicate your depth of knowledge in internal auditing.
• Demonstrate your ability to provide assurance, insight, and objectivity.

Apply for the Certified Internal Auditor® (CIA®) or one of the IIA’s four specialty certifications today. Call us today at +603 9282 1148 or email us at certification@iiam.com.my. Visit www.iiam.com.my for more details.

Report Your CPE

It is now time for certified members to report their CPE for the year 2013. Certified Internal Auditors are required to fulfil 40 CPE hours while holders of other specialty certifications are required to fulfil 20 CPE hours. The CPE Reporting Form will be emailed to all certified members by 17 October 2013. Members must return the CPE Form to IIA Malaysia by 1 December 2013.
Issue 3 Jul – Sep 2013 • KEEPING IN TOUCH 2 membership Welcome New Members from June – September 2013 Professional Members Peter Liew Yew Keat Ong Joo Sze Salwa Che Noor Voon Woan Jiun Lim Yoong Yan Chai Yen Yan Tee Siew Poh Audra Chung Kit Li Hew Li Min Jeyanthi A/P Vadivilu Chua Kah Chun Lim Tian Eu Mohd Nasir Haji Mohamud Tan Chun Keat 209828 209829 209848 209866 209888 209903 209904 209905 209906 209929 209930 209946 209949 209950 Associate Members Arun Kumar S/O Murugasu Khairul Nazir Rashid Mohd Hilmi Isa Mohd Faisal Mohd Yunus Helmy Omar Penny Angeline Attenbrough Ng Lay Jyn Ng Shi Ping Nor Aida Omar Chwah Chiew Luan A S Sinarao A/L Nagayah @ Nagaraju Koh Siew Peng Chan Ee Meng Allias Alwi Mohd Nasir Abdul Manaf Rosni Razali Akhma Adlin Khalid Cheow Kit Yee Soriyanie Yusoff Ng Jin Sheng Ridzuan Kunji Koya Mohd Sharil Mohd Noor Imran Sadiman Shahmir Nordin 209830 209831 209832 209833 209834 209835 209836 209837 209838 209839 209840 209841 209842 209843 209845 209846 209847 209849 209850 209851 209852 209853 209854 209855 Shazedin Shakir Samawi Goh Hui Pin Dato' Anuarudin Mohd Noor Abdul Halim Abdul Latiff Muhammad Sufyan Azmi Siti Farahiyah Radzali Amnah Omar Siaw Yen Jak Ting Ching Siong Abdul Hadi Fa'at Jeferi Darhman Nurul Ain Zainal Abidin Chong Yi Leng Sohana Sulaiman Zulkifli Kamarolzaman Rahayu Ramli Mariah Ahmad Hamidah Kamarudin Saffrizan Yusof Mohd Hanif Mohd Hanapiah Maziatun Alimon Alshima Abdul Aziz Muhammad Muzammil Md Haniffa Hanizah Abd Hamid Noor Qhaireena Mohd Nasron Ooi Samsiah Abdullah Stephanie Lim Li Chein Zaimah Ismail Muahad Amin Hong Keh Shin Reza Faisal Badrul Alfian Tajuddin Lee Yin Shan Lee Han Leng Sharifah Fazlinda Shaik Ismail Arfiza Anwar Ilyana Bustan Sharifah Zawani Syed Ahmad Zaidi Nurul Atiqah Johar Norfazila Abd Hamid Siti Nur Atiqah Mihad Mohd Fadhir Ismail Asok Kumar A/L Muniandy Eric Wong Chung Ing Mohd Nizam Mat Noor Muhd Hafiz Muhtar Kamineswary D/O Pakalan Yam Hann Yeong Rameeswarran A/L Sinniah Lim Siak Ching Lim 
Ker Shin Tay Soon Yik Chee Huey Min Aneza Ismail Lim Siow Woei 209856 209857 209859 209860 209861 209862 209864 209865 209867 209868 209869 209870 209871 209872 209873 209874 209875 209876 209877 209878 209879 209880 209881 209882 209883 209884 209885 209886 209887 209889 209890 209891 209892 209893 209894 209895 209896 209897 209898 209899 209900 209901 209902 209907 209908 209909 209910 209911 209912 209913 209914 209915 209916 209917 209918 Siti Noraini Amin Wan Suliani Wan Ismail Zulkifli Sulaiman Hasrul Farid Hasnan Rajwinder Singh A/L Sarman Singh Norrulhuda Kulop Alang Nurul Hafizah Haji Shahari Cornie Wong Kim Fuen Lai Kim Fong Lee Foong Lee Pat Yin Lai Chan Jee Peng Mohammad Khairi Kamaruddin Wan Nur Faaizah Wan Ali Hew See Yeing Shamini A/P Gangadharan Puan Poh Seng Muhammad Hafizuddin Jimaain Yeoh Boon Pin Mohd Hafidz Abd Ghani Lim Sok Kiang Julinus @ Jeffery Jimit Khairur Rejal Zakaria Yuen Yoon Ee Annie Chui Siew Hong Nur Hidayah Othman Chai Wan Yin Woon Wee Lin Divinagracia Dominic Fedilos Mary Sii Lee Mieng 209919 209920 209921 209922 209923 209924 209925 209926 209927 209928 209931 209932 209933 209934 209935 209936 209937 209938 209939 209940 209941 209942 209943 209944 209945 209947 209948 209951 209952 209953 Student Member Michelle Chien Ting Ting Ewe Yee Phing 209844 209858 Upgraded Members Eric Wong U-Jin Lau Kui Chin, Charlotte Murni Rahayu Mohamad Noh Kong Yen Nee Yap Sei Chuan Diyalakshimi A/P E. Supramaniam Chang Thai Yau Ong Kean Siang Lim Ko Wii Toh Boon Yan Loo Soo Hooi 206988 207064 207682 207947 207999 208385 208386 208941 208999 209102 209502 Audit Committee Members Soh Chin Teck Suen Lam Fu AC0055 AC0056 Corporate Members Teknologi Tenaga Perlis Consortium Sdn Bhd C0399 Renew Your Membership! Have you renewed your membership for 2013? To ensure uninterrupted services and benefits from IIA Malaysia, do not forget to renew your membership with the Institute. 
4 easy ways to renew your membership: • Cheque or bank draft made payable to: THE INSTITUTE OF INTERNAL AUDITORS MALAYSIA • Direct bank-in / Online transfer to the Malayan Banking account no: 5144 0450 1825 (please fax the bank-in slip to 603 9282 1241 with your name and telephone number written on it or scan and email to membership@iiam.com.my) • Credit card (please download the authorisation form from the website or request from the Secretariat) • Online banking: http://www.maybank2u.com.my (please fax a copy of your online transaction with your name and telephone number written on it or scan and email to membership@iiam.com.my) For enquiry, kindly contact Cik Adiha or Pn Shazwani or Pn Siti at (603) 9282 1148 Ext 110 or e-mail to membership@iiam.com.my Rejoining fee of RM100 will be charged to members who failed to renew their membership in 2013 Issue 3 Jul – Sep 2013 • KEEPING IN TOUCH 4 membership 2013 Membership Drive Campaign RESULT The Membership Drive Campaign ended on 31 July 2013 and IIA Malaysia would like to thank the following members for participating in the Campaign: No Name Membership No No. of Members Recruited No Name Membership No No. of Members Recruited 208006 1 1 Dr. Badrul Hisham Mohd Yusoff 206335 5 25 Mohd Yusman Jaafar 2 Syaridatul Ain Mohd Saari 207912 4 26 Mohd Amin Mohd Mongin 209231 1 Mohammed Shukor Ismail 206398 1 1 3 Law Lee Na 208048 4 27 4 Yang Fatimah Kamarulzaman 209165 2 28 Mohamad Hafizee Yaacob 208891 2 29 Mah Siew Hoong, Dennis 207624 1 Magit Anak Semong 208288 1 5 Mokhzaine Mohamad 209234 6 Mohd Sazali Mohd Salleh 209824 2 30 7 Kasmawati Kasian 207308 2 31 Lucas Lin Wen Fon 209559 1 Kee Chin Teck 207271 1 8 Chow Hoe Tong 208436 2 32 9 Bobby Anak Mapi 208707 2 33 Kamarudin Samsudin 206823 1 2 34 Jamal Seron 207220 1 Goh Chin Hong 208135 1 10 Anushia A/P Ganason 208699 11 Zuhairi Ismail 206907 1 35 12 Zalyffah Jiman 207325 1 36 Fazillah Md Yusof 209731 1 David Tian Kok Siong 208904 1 1 13 Zalfitri Abd. 
Mutalip 208737 1 37 14 Suriani Mohd Maideen 208471 1 38 Leong David @ Leong Sze Khiong 206937 1 39 Daniel Khoo Kok Hau 207979 1 Chong Vai Ming 207950 1 15 Suresh Dharamdas 206400 16 Stephen A/L Nelson Anandaraj 208101 1 40 17 Angeline Sim Hui Ngo 209464 1 41 Ch'ng Set Hoon 208700 1 Chin Suan Yong 209338 1 18 Shariffa Isnanie Mohd Idris 209433 1 42 19 Shanthan Sanmugam 208541 1 43 Chew Bee Suan 207088 1 1 44 Catherine A/P Annanda Robert Victor 209416 1 Benny Lee Lye Hock 207501 1 20 Pang Nam Ming 209399 21 Ong Ron Nee 205514 1 45 22 Ong Poh Soon 208439 1 46 Azmir Abdul Aziz 207687 1 47 Ahmad Faizal Hamdan 208802 1 23 Nurulhuda Abdul Kadir 206362 1 24 Norliza Ahmad 208382 1 Issue 3 Jul – Sep 2013 • KEEPING IN TOUCH 6 membership Members’ Networking Session Cum Hari Raya Gathering In Johor Bahru IIA Malaysia, together with the Southern Region Networking Committee organised a Networking Session cum Hari Raya Gathering on 5 September 2013 in Mutiara Johor Bahru. The event was planned as one of the activities for members within the region to get together for a time of sharing. 37 members attended the Session. The programme began with a moment of silent to mark a respect to our Past President, Allahyarham Tuan Haji Abdul Razak Haron who passed away on 13 August 2013. Then, a briefing was done on the activities of the Networking Committee’s activities, upcoming events of the Institute, and the launching of the Networking Facebook. The Facebook received twenty hits instantly. The Networking Committee Facebook was set up as a medium to update the members on the activities carried out and as an alternative communication media. The highlight of the Session was a presentation by Lee Fook Sun, Senior Manager of Corporate Services, IIA Malaysia who spoke on Financial Auditing in Internal Audit Environment. Backed by his past experience and knowledge, Lee was able to capture the audience attention instantly. 
The participants were exposed to issues such as the need to assess financial impact when performing audit, quantification of monetary impact and fraud. The areas were seen as the current expectations of the Management and will remain as the challenges ahead for the Internal Auditors in the coming years ahead.

[Photo: The participants paying attention to the speaker’s explanation]

The secretariat staff led the Ice-breaking session. Participants were actively engrossed in the event. The session ended with hi-tea and networking.

The Johor Working Committee would like to express its appreciation to all who supported and assisted in making the event a very meaningful and memorable one. We also like to take this opportunity to apologise for any short-comings.

By Johor Working Committee

[Photo: Groups working closely to beat the clock during the ice-breaking session]

Industrial Visit To Zara Foodstuff Industries

One of the activities organised by Johor Working Committee was an industrial visit to one of the leading food product manufacturers in Malaysia located in Johor Bahru. About 20 members led by S. Subhash Chandran K. Sekaran Nair, Chairman of Johor Working Committee together with our Past President, Allahyarham Tuan Hj Abd Razak Haron joined the visit to the new plant located at Kawasan Perindustrian Larkin, Johor Bahru.

Zara Foodstuff Industries manufactures food products such as soy, chili and tomato sauces, as well as kaya under the brand of Kipas Udang. The company commenced its operation in 1987. To date, its products have become the preferred choice of not only the Malaysian but also the ASEAN market.

During the visit, we were briefed on the production by the Plant and Quality Manager, Encik Nazri Ismail. Then we were brought to walk around the production plant and the production process was explained to us. We were amazed by the cleanliness of the production plant.

The management of Zara Foodstuff places strong emphasis on quality in line with its vision ‘Quality Excellence, Our Aspiration’. Zara Foodstuff has obtained ISO 9002 Certification as a recognition of their vision. Its yearly turnover capacity is RM80-100 million and creates job opportunities for 300-400 employees.

We took a few photos during the visit. The visit was the most memorable event to the Southern Region members since Allahyarham Tn Hj Abd Razak bin Haron was together with us on that day. We plan to visit other places and hope this activity will become our annual event in the future.

By Johor Working Committee

Career

NAZA World Group of Companies, Malaysia’s largest and prestigious importer of luxury automobiles, was originally founded in 1975. As importer and distributor of automobile brands such as Ferrari, Brabus and Maserati, Mercedes-Benz, Chevrolet, Harley Davidson, Ducati, Vespa, Naza has grown as one of the conglomerates in Malaysia. Naza has diversified its business into a variety of prominent industries which include property development, assembling and distributions of motorbikes, transport & logistics services, finance & insurance and agriculture.

NAZA is continuously enhancing efforts to grow its business internationally, driving our competitive strengths to deliver customer needs. We are on the lookout for passionate, dedicated and innovative talents with the right attitude to support our aspirations and together pushing boundaries to achieve success.
ASSISTANT GENERAL MANAGER – INTERNAL AUDIT MANAGER (TEAM LEADERS) – INTERNAL AUDIT Main Job Responsibilities: • Reporting to the Head of Group Internal Audit (“HoGIA”); • You will be assisting the HoGIA to prepare and recommend annual audit plans and annual departmental budget to the Internal Audit Committee (IAC) for approval; • You will be assisting the HoGIA to develop and implement risk assessment methodology, Internal Control Questionnaires (ICQs) and audit programs, and compliance with internal audit standards; • To plan, organize, co-ordinate and manage audit assignments from planning till post audit follow-up stage as per the approved audit plan, and according to the Standards for the Professional Practice of Internal Audit; Main Job Responsibilities: • Reporting to the Assistant General Manager; • To lead and manage the respective internal audit team; • To assist the HoGIA to present completed audit and work in progress reports to the IAC; • To perform ad hoc audit assignments as and when required; • To assist the HoGIA to educate and share with the stakeholders namely, auditees and senior management the importance and benefits of having a sound controls and risk management framework and practices. 
(BASED IN PETALING JAYA) Key Attributes for the Job Holders : • A recognized degree holder in Accounting/Business/Finance/Law and/or a recognized professional qualification such as CIA/CACA/CPA, and a member of IIAM/MIA; • At least 10 years risk-based audit experience in financial and operational audits with a recognized audit firm and/or with established companies preferably in the automobile (4-wheel and/or 2-wheel) industry; • Knowledge of risk management, SOPs, processes and corporate governance; • High integrity, strong analytical, inquisitive, communication (both written and oral in English) and presentation skills, strong interpersonal skill with a pleasant and matured personality, proactive, results oriented, computer literate; (BASED IN PETALING JAYA) Key Attributes for the Job Holders : • A recognized degree holder in Accounting/Business/Finance/Law and/or a recognized professional qualification such as CIA/CACA/CPA, and a member of IIAM/MIA; • At least 5 years risk-based audit experience in financial and operational audits with a recognized audit firm and/or with established companies preferably in the automobile (4-wheel and/or 2-wheel) industry; • Knowledge of risk management, SOPs, processes and corporate governance; • High integrity, strong analytical, inquisitive, communication (both written and oral in English) and presentation skills, strong interpersonal skill with a pleasant and matured personality, proactive, results oriented, computer literate; • Willing to travel and possess own transport The successful candidates can expect an outstanding career challenge and a competitive remuneration package commensurate with experience and qualifications. 
Interested candidates are invited to forward their job application covering letter with a complete resume/curriculum vitae including personal particulars, academic qualifications, working experiences, contact number, and a recent passport-sized photograph to recruitment.internalaudit@gmail.com by 15th November 2013. Only shortlisted candidates will be notified.

Did You Know…

Upon completing three years of internal auditing working experience and holding a professional qualification that is recognised by Global IIA, you may upgrade your membership category from Associate to Professional Member. As a Professional Member:
• You are permitted to use the designatory letters of CMIIA which stands for Chartered Member of The Institute of Internal Auditors Malaysia after your name.
• You will have voting rights during IIA Malaysia Annual General Meeting.
• You are eligible for leadership position on the main board of Governors of IIA Malaysia and may also serve on any of the sub-committees.

WE NEED YOUR CONTRIBUTIONS!

Members with writing talent, here’s the opportunity to share your thoughts with your friends in the internal audit fraternity. The Editorial Board welcomes contributions from members. We accept articles, short stories, jokes, tips, etc.

We encourage submission of fraud findings and audit stories that reflect the new age of internal auditing – those that emphasise best practices, use of technology and value-added results. If your article is published, you will be awarded a token from IIA Malaysia.

New releases

COSO Internal Control – Integrated Framework: Turning Principles into Positive Action

Larry Rittenberg, COSO’s chair emeritus, provides a high-level overview that will help internal auditors in all industries to quickly identify the implications for their organisations.
For the internal auditor, there are seven changes in the updated Framework that will affect (1) the scope of internal audit activities and (2) the nature of internal audit work, including the need for more judgment by the auditor and the documentation of audit assessments — especially as related to the evaluation of internal control over external financial reporting. The updated Framework:
1. Replaces the financial reporting objective with the broader objective of reporting, thereby expanding both the scope of reporting and the media by which reporting may be done.
2. Emphasises the relationship between objectives, risks, and internal control. Internal control exists to reduce or mitigate risks to an acceptable level.
3. Emphasises the integrated nature of internal control (i.e., an evaluation of the effectiveness of internal control must consider how all five components operate together to achieve objectives).
4. Introduces a "principles" approach to evaluating each component of the internal control framework.
5. Makes explicit the need to assess fraud risk (i.e., fraud risk is set out as a part of risk analysis that is required).
6. Expands discussion of the importance of the compliance and operations objectives, and reiterates that principles of good internal control are appropriate for operations and compliance objectives.
7. Updates guidance in emerging areas such as IT, organisational relationships and dependencies, and monitoring.

This publication is designed to be a companion piece to the 2013 COSO Internal Control – Integrated Framework and should not be viewed as a replacement for in-depth study of the updated Framework. It outlines implications for internal auditing and suggests ways in which internal auditors might also play a leading role in educating key members of management on how the organisation might address changes suggested in the updated Framework.
It also identifies the need for internal auditors to use informed judgment to assess the design and operation of internal control, as well as opportunities to make internal control both more effective and efficient.

Because controls are everybody’s business, this book will help anyone responsible for internal controls understand:
• The major changes in the Framework.
• How the changes will impact decisions made by internal auditors, audit committees, boards, and management.
• The increased need for subjective analysis and evidence when auditing controls.
• New approaches for external financial reporting and IT controls.
• The shift toward more attention on operational and compliance objectives.
• How to communicate the changes to internal audit staff, audit committee members, and management.
• The implications for frameworks outside North America.

This brief, easy-to-read piece is an indispensable companion for the 2013 revision of COSO’s Internal Control - Integrated Framework.

Internal Auditing: Assurance & Advisory Services, Third Edition

This book continues to be the premier international textbook that supports the fast-growing global profession of internal auditing. Written through the collaboration of educators and practitioners, this textbook serves as a cornerstone for internal audit education. It covers key fundamentals of internal auditing that can be applied in an ever-changing business world, serving as a reference and training tool for internal audit practitioners.

The textbook is organised in three sections: Fundamental Internal Audit Concepts, Conducting Internal Audit Engagements, and Case Studies. It is accompanied by a DVD-ROM containing case studies, The IIA’s Code of Ethics and International Standards for the Professional Practice of Internal Auditing, and the leading generalised audit software packages, ACL, IDEA, and CCH TeamMate.
The third edition has been updated to reflect:
• The latest release of The IIA’s International Professional Practices Framework (IPPF) and COSO’s updated Internal Control – Integrated Framework.
• Emerging practices relating to governance, risk management, and control.
• The Three Lines of Defense model and how internal audit is positioned to add value within it.
• Emerging IT-related concepts and references to new Global Technology Audit Guides (GTAGs), the Guide to the Assessment of IT Risk (GAIT), and COBIT® 5.
• Fraud guidance provided in Managing the Business Risk of Fraud: A Practical Guide (cosponsored by The IIA, the AICPA, and the ACFE).
• A customised approach to conducting consulting engagements, which aligns with the latest IPPF.
• Internal audit’s use of TeamMate, the most widely used audit management software (included on a DVD-ROM).

The third edition of the textbook includes several significant changes:
• The first and most obvious change is the title of the textbook. The previous two editions were titled Internal Auditing: Assurance & Consulting Services, but the name was changed for this edition to Internal Auditing: Assurance & Advisory Services. The authors have noticed a shift around the world in the language used to refer to non-assurance services provided by internal auditors. Many now refer to such services as "advisory" services, a term that is widely believed to be descriptive of the non-assurance services provided by internal auditors and is less likely to be confused with services provided by outside service firms for a fee. However, while the title of the textbook was changed to reflect this shift, references within the textbook continue to refer to "consulting" services because, as of the date this edition was published, that is the term used in The IIA's Definition of Internal Auditing and throughout the International Standards for the Professional Practice of Internal Auditing (Standards).
• Chapter 1, "Introduction to Internal Auditing," starts off with a discussion of the internal audit value proposition. The discussion is focused on how internal audit functions can add value to their organisations through the insight they provide. This concept is reinforced throughout the textbook with exhibits in applicable chapters that offer ways for internal auditors to provide insight regarding the topics addressed in the chapters.
• Chapter 2, "The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession," has been updated to include a discussion of the relationship between the value proposition and the IPPF. It has also been updated to reflect the current process for keeping professional guidance current, including the committees involved and how updates to the guidance are initiated, developed, issued, and maintained.
• Chapter 3, "Governance," introduces the Three Lines of Defense Model and provides guidance on how the model can be used to understand the various areas within the organisation that provide assurance and to effectively layer those assurance areas to contribute to strong governance.
• Chapter 4, "Risk Management," has been updated to include a discussion of the International Organisation for Standardisation's (ISO's) International Standard 31000:2009(E), Risk management — Principles and guidelines (ISO 31000) and the risk management guidance it provides.
• Chapter 6, "Internal Control," has been revised to reflect COSO's updated Internal Control — Integrated Framework.
• Chapter 7, "Information Technology Risks and Controls," has been revised to cover emerging developments in technology such as social media, big data, cloud computing, and bring your own device (BYOD). This chapter also pulls in newly issued Global Technology Audit Guides (GTAGs) included in the IPPF and refers to ISACA's newly released COBIT® 5.
• Chapter 8, previously titled "Fraud Risks and Controls," has been retitled "Risk of Fraud and Illegal Acts." The distinction between fraud and illegal acts is discussed, as are the risks and appropriate risk responses associated with each.
• Chapter 9, "Managing the Internal Audit Function," continues the discussion regarding coordination of assurance activities that begins in chapter 3, but from the perspective of managing the internal audit function.
• Chapter 15, "The Consulting Engagement," discusses the internal audit value proposition in terms of the insight that the internal audit function can provide through consulting services.
• The end-of-chapter review questions have been expanded to more thoroughly cover the major concepts addressed in each chapter, including the new material. New multiple-choice and discussion questions have been added for selected chapters.
• TeamMate audit management software has been integrated in applicable textbook chapters. TeamMate case studies include demonstration videos that introduce readers to the ways TeamMate can be used to streamline internal audit processes and exercises that provide opportunities for readers to gain hands-on experience with the software.

This third edition promises to build on the success of this bestseller, significantly contributing to the internal audit profession’s body of knowledge and introducing readers to the dynamic world of internal auditing.

Seminar on Governance Risk Management and Effective Internal Control

IIA Malaysia in collaboration with ACCA Malaysia organised a 1-day workshop on “Governance, Risk Management and Effective Internal Controls” on 2 July 2013. The workshop was conducted by Ramesh Ruben Louis at Tanahmas The Sibu Hotel and attended by 22 participants. This interactive seminar stirred active participation in discussions and case studies among participants.
It is designed to promote good governance, apply proper risk management and effective internal controls.

Beginning Auditor Tools and Techniques Workshop

IIA Malaysia organised a four-day workshop on “Beginning Auditor Tools and Techniques” on 19 – 22 August 2013 to 24 participants at Seri Pacific Hotel, Kuala Lumpur. The workshop was conducted by Shanmugam M. Through team exercises, group discussions, and trainers' presentations, participants gained a foundation of knowledge that allowed them to prepare properly for and conduct a successful audit, using systematic preliminary surveys and evidence-gathering techniques. A basic understanding of how to identify risks and internal controls in auditing was stressed, along with interpersonal and team-building skills.

Workshop on Internal Audit Report Writing: Improving Mindset, Clarity, Focus, and Brevity for Greater Impact to Clients

Brought back by popular demand, a two-day workshop on “Internal Audit Report Writing: Improving Mindset, Clarity, Focus, and Brevity for Greater Impact to Clients” was organised on 17 – 18 July 2013. The session was attended by 20 participants at Concorde Hotel, Kuala Lumpur. The workshop was conducted by Steven Yee and tailored for audit professionals to gain from knowing that it is vital to appreciate the larger picture of the audit findings in relation to the business risk and governance practices before putting their thoughts in writing to convince their client to adopt changes to better the business processes and risk management countermeasures. The workshop also covered the ability to correctly identify the root cause for each finding so that the proper remedy can be prescribed to strengthen the internal control system.
ALL SIGNS POINT TO THE TRAINING EXPERT
Call us today at +603 9282 1148 or email us at training@iiam.com.my
Visit www.iiam.com.my for our Training Calendar

It was a great experience to be part of the “One World, One Profession, One Destination”, 2013 IIA International Conference, Orlando. The conference program was truly beneficial and the knowledge shared was related to the latest internal audit practices. The speakers from all parts of the internal audit diaspora were experienced and provided current insights on the profession.

The president of IIA Malaysia, Ranjit Singh, being the internal audit expert from Asia, was also a speaker at this conference. He shared with the internal auditors on his area of expertise titled Developing and Implementing Fraud Risk Assurance Map.

I was also excited with the networking opportunities, to mingle with over 2,000 internal auditors from 110 countries who attended the conference. The interaction with fellow internal auditors and sharing of knowledge and experiences were priceless.

Contributed by: Leo Pui Yong
Senior Manager, Transmission Unit, Internal Audit Tenaga Nasional Malaysia

Disclaimer
Opinions expressed herein do not necessarily represent those of IIA Malaysia. Neither IIA Malaysia nor the Editorial Board is responsible for the accuracy of any statement, opinion or advice contained herein. Readers should rely on their own due diligence in making decisions concerning any matter herein. All materials in any form contained herein are copyrighted by IIA Malaysia. Reproduction and/or storage and/or retrieval in whole or part in whatsoever manner is not permitted without the written consent from IIA Malaysia.
Publisher: The Institute of Internal Auditors Malaysia
Typesetting: Bluefish Design

The Institute of Internal Auditors Malaysia was proud to host its annual event, the 2013 National Conference on Internal Auditing, on 23 – 24 September 2013 at the Kuala Lumpur Convention Centre. The conference, themed “Scaling Greater Heights: Adding Value”, saw the participation of over 800 internal audit and risk professionals from organisations throughout Malaysia, ASEAN countries as well as other parts of the world.

OPENING CEREMONY

The conference commenced with the welcome address by Ranjit Singh, President of IIA Malaysia, touching on the continuous challenge for internal auditors to add value and improve the organisation’s operations through recommendations of best practices, in addition to evaluating and improving the effectiveness of risk management, control and governance processes. Such challenges have increased the expectations of corporate stakeholders throughout the world, and through the National Conference on Internal Auditing as a learning platform, IIA Malaysia aims to further enhance knowledge sharing among internal auditors in scaling greater heights and adding value to their organisations.

YB Senator Datuk Paul Low Seng Kuan, Minister in the Prime Minister’s Department, delivered the keynote address and officiated the opening of the conference. He stated that the internal audit profession has changed considerably over time to meet the challenges of the modern economy and the complexity of commerce. The skill sets that are required for the profession are more than assessing compliance to internal controls and procedures – it also requires formulating risk-based preventive strategies and mitigating measures.

Datuk Paul Low further added that it is imperative that internal auditors embrace modern technology to enhance capability in monitoring and mitigating risks. Therefore, the internal auditor today must be a highly competent person with impeccable character and integrity. As such, he would seek to pursue recommendations to legislate the internal audit profession in Malaysia in the near future, thus making it mandatory for all internal auditors to be registered and comply with professional standards. This would ensure that internal audit functions are staffed by professional and competent internal auditors.

PLENARY SESSIONS, MASTER CLASSES, FORUM AND TRACKS

With a panel of respected speakers from around the world, the 2013 National Conference saw speakers presenting insights on governance, risk and control with regards to emerging issues and trends currently challenging the profession on a global level. Leading the line-up of speakers at the conference was Mr Lawrence Harrington, Vice Chairman of IIA Global. There were a total of 16 plenary sessions, master classes, CAE forum and tracks featuring 22 prominent speakers, panelists and moderators from Malaysia and abroad.
The 4 plenary sessions held on the first day encompassed the following topics:
• Adding Value: Our Customer’s Perspective
• Too Many Bosses, Too Few Leaders
• Scaling Greater Heights: Adding Value
• Why Auditors Do Not Discover Fraud

The second day of the conference featured 3 concurrent master classes, a CAE forum and 8 tracks focusing on the following topics:
• Master Class A: Raising the Floor of IT Auditing in the Age of Emerging Technology
• Master Class B: Aligning Leadership Accountability and Corporate Performance with GRC
• Master Class C: Strategic Thinking
• CAE Forum: Three Lines of Defence in Effective Risk Management and Control
• Embracing COSO 2013 – A “Value Added” Approach to Strengthen Your Internal Control System
• The Evolving Role of Internal Auditors in Risk Management and Internal Control
• The ASEAN Corporate Governance Scorecard: Opportunities for Enhancing Governance Across the Region
• Business Insights: The 3 Wise Men of Information
• Effecting Change and Adding Value in Partnership with Audit Committees
• Integrated Assurance – Internal Audit and Enterprise Risk Management Working Together
• Rising Up to the Challenge of Assessing Board Governance by the Internal Audit Function
• Automation Best Practices: Tips from Leading Experts and Organisations

NETWORKING DINNER - An Evening with Jason Lo

An informal networking dinner was held in the evening of the first day of the conference to encourage networking among the conference delegates and speakers. The audience were inspired by the talk entitled ‘From Rock n Roll to CEO’ presented by Jason Lo. Jason shared his fascinating experience, from his early days to how he became the CEO of TuneTalk, and interacted well with the crowd.
One lucky delegate won tickets to the Kesha Warrior Tour Concert courtesy of TuneTalk for having the highest number of followers on social media such as Facebook, Twitter, YouTube and Instagram amongst those present.

SPONSORSHIP, EXHIBITION AND SUPPORTING BODIES

2013 National Conference – Sponsors
1. TeamMate AsiaPacific – Platinum
2. KPMG – Gold
3. EY – Silver
4. CIMB Group – Silver
5. Columbus Advisory – Bronze
6. Telekom Malaysia – Bronze
7. PricewaterhouseCoopers – Bronze
8. Salihin Consulting – Bronze
9. AFTAAS – Bronze
10. ACL Services Ltd – Bronze

2013 National Conference – Other Exhibitors
1. BusinessWare Solutions Pte. Ltd.
2. MKinsight
3. ISACA
4. Thomson Reuters Accelus
5. Majlis Kanser Nasional (MAKNA)

In addition to the conference sponsors and exhibitors, IIA Malaysia received support from Jabatan Audit Negara, Securities Commission Malaysia, Bursa Malaysia, Companies Commission of Malaysia, Malaysian Institute of Accountants, ACCA, CPA Australia, CPA Malaysia, CIMA, ISACA and Institute of Bankers Malaysia.

Conference delegates were seen dropping by the respective booths and getting to know the latest products and offerings from the sponsors/exhibitors. The delegates also visited the IIA Malaysia booth to view the latest IIA publications and enjoyed discounted prices for on-site purchases.

The 2013 National Conference was a huge success with the help of fellow sponsors, exhibitors and supporting bodies, and the wide array of topics led by the distinguished speakers was well received by the conference delegates.

By: Lim Wei Hong, CIA, CCSA, CFSA, CRMA, CMIIA

Audit Purchasing for Contemporary Business Workshop

A two-day workshop on “Audit Purchasing for Contemporary Business” took place on 28 – 29 August 2013. The session was attended by 12 participants at Concorde Hotel, Kuala Lumpur. The workshop was conducted by Captain Abdul Manan Mansor.
The session enabled participants to understand the close correlation of audit purchasing and marketing process. In addition, they managed to understand the direct impact of the correlation to the bottom line in an organisation.

Workshop on Technology Governance for the Auditor

IIA Malaysia in collaboration with ISACA Malaysia Chapter organised a workshop on “Technology Governance for the Auditor” on 17 – 18 September 2013 to 24 participants at Concorde Hotel, Kuala Lumpur. It was one of the topics promoted under The International Speakers Series. The workshop was conducted by Alan Simmonds to share with the participants an introduction to IT governance specifically using the world’s foremost IT Governance Framework, COBIT® 5, and how this can support their activities across IT audit initiatives. It reminded the participants that understanding the challenges information technology poses for nearly every organisation is necessary for all auditors – in particular it is necessary to bring together an understanding of COBIT® 5 in terms of risk, control and audit.

[Photo caption: Processing some thoughts]
[Photo captions: Alan was sharing some key information on IT Governance; Participants from various industries]

TRAINING CALENDAR 2013

October
• 28 – 29: Risk-based Auditing and Reporting, Kuala Lumpur
• 28 – 31: Beginning Auditor Tools and Techniques, Kuala Lumpur
• 29 – 30: Fundamental Skills in Information Systems Auditing, Kuala Lumpur

November
• 11: NEW Governance, Risk Management and Effective Internal Controls*, Kuala Terengganu
• 11 – 14: Audit Manager Tools and Techniques, Kuala Lumpur
• 12 – 13: Financial Auditing for Internal Auditors, Kuala Lumpur
• 13 – 14: Value-Added Business Controls: The Right Way to Manage Risks, Kuala Lumpur
• 18: NEW Governance, Risk Management and Effective Internal Controls*, Kota Bharu
• 18 – 21: Leadership Skills for Auditors, Kuala Lumpur
• 18 – 20: High-Impact Operational Audit of Human Resource Management, Kuala Lumpur
• 20 – 21: Consulting: Activities, Skills & Attitudes, Kuala Lumpur
• 25 – 26: NEW Internal Controls for Accountants and Auditors*, Kuala Lumpur
• 27 – 29: NEW IT Audit and Control - From Theory to Practice, Kuala Lumpur
• 27 – 28: NEW Internal Audit Report Writing: Improving Mindset, Clarity, Focus, and Brevity for Greater Impact to Clients (Previously known as Effective Audit Report Writing), Kuala Lumpur

December
• 2 – 3: Performing an Effective Quality Assessment, Kuala Lumpur
• 2 – 5: Beginning Auditor Tools and Techniques, Kota Kinabalu
• 4 – 5: NEW COSO 2013: Implementing the Framework, Kuala Lumpur
• 5: NEW Governance, Risk Management and Effective Internal Controls*, Ipoh
• 4 – 5: Related Party Transaction Audit: Internal Control, Risk & Disclosure Requirements, Kuala Lumpur
• 9 – 11: Setting-Up and Managing an Effective Internal Audit Function, Kuala Lumpur
• 16 – 17: Financial Auditing for Internal Auditors, Kuala Lumpur
• 16 – 19: Beginning Auditor Tools and Techniques, Kuala Lumpur

* This seminar/workshop is in collaboration with ACCA Malaysia.
For further information on our training programmes, please visit our website: www.iiam.com.my
IIA Members always pay less for IIA Training and now can save even more by registering early for public programmes.

The Evolving Role of Internal Auditors in Risk Management and Internal Control
By David SK Leong

The Relationship between Internal Audit and Risk Management

I pose this question to you. Imagine we are on a car rally race across the wilds of Africa from Cairo in Egypt to Johannesburg in South Africa. We have to travel in a suitable vehicle, be it a rally car or a four-wheel-drive vehicle, but the objective is to get to Johannesburg in one piece, without breaking laws and preferably ahead of other car teams. And we have to do this without being eaten by lions or crocodiles on the way. You pretty well get the picture.

Now suppose one of us, the driver, is French and speaks only French, and the other, the navigator or back-up driver, is Chinese and speaks only Chinese. Both also are strong characters and want to drive the car, have different ideas, use different maps and differ on the route to Johannesburg. We do not agree entirely on the type of car, who drives and when, the exact route and the equipment we need. We can’t agree fully on the strategy or the risks of the journey, and there is some suspicion between us over the sharing of the prize.

What are our chances of getting to Johannesburg, much less ahead of others in one piece and in great shape? You may say the whole idea of the situation is ludicrous. But then, isn’t that what many organisations, notably financial institutions, are doing?
Internal audit and risk management functions are “reading different maps and speaking different languages.” Most times, so are compliance and operations functions, with the latter most often being totally confused. And do we get it right in the end? Hardly.

Where are we as a profession?

A Financial Times editorial recently reported that a survey of the largest global banks revealed that the average cost-to-income ratio had remained at 60%, which is the same as in 2011, despite the fact that no major bank had dared to present a strategy to their shareholders without a cost cutting plan. With all the pressure now to strengthen compliance control and risk management in general, costs are likely to grow even if the banks can resist a ramp-up of staff figures and opt for the use of IT-based systems.

I did a simple survey of the Malaysian banks and was unusually successful in getting nine responses. The results give a revealing glimpse of the situation in Malaysia:
1. All the banks surveyed except one say that risk management has a different risk framework.
2. All the banks except one have internal audit and risk management still operating at arm’s length.
3. In two, the internal audit and risk management functions have IT-based systems but the systems for risk management and internal audit are not integrated.
4. Only four of the banks’ internal audit functions acknowledge they use The IIA’s International Professional Practices Framework (IPPF).
5. All banks except two still use MS Excel-based systems to do their risk management activities.
6. Two banks are not using the COSO framework, with one focusing mainly on complying with the Bank Negara regulations.
7. Only one bank is actively collaborating closely with risk management and actively integrating the same risk methodology across risk management, internal audit and compliance.
8. All the banks’ CAEs agree that integration between risk management and internal audit systems will be good but, except for two, they have no plans to integrate risk management and internal audit systems.

The Causes

What are the causes of this situation?

From the survey, the main suspected root cause for this divide between the two functions is internal audit’s thinking that “We are different” or “We are independent.”

This is the “myth” of independence or rather of objectivity. I believe many internal auditors associate thinking along the same lines as risk management with impairment of their independence. But I would like to argue that independence is a matter of the reporting structure. As for objectivity, the late Lawrence Sawyer, the father of modern-internal auditing, once said “Objectivity is a matter of the mind.” (Indeed my research on risk management and internal auditing literature and papers issued basically revealed no differences in the approaches in managing risk.)

In fact the guidelines of Bank Negara Malaysia (BNM) governing the audit function (BNM/RH/GL 013-1, Part 1 Section 7.1) clearly state that internal audit’s objectivity will not be compromised in an assessment even though internal audit’s opinion as a consultant had been sought earlier on.

Moreover, the IIA Research Foundation had issued a paper on “Internal Audit’s Role in Risk Management” in March 2011 which stated effectively internal audit can do the following:
1. Facilitating identification and evaluation of risks;
2. Coaching management in responding to risks;
3. Maintaining and developing the Enterprise-wide Risk Management (ERM) framework;
4. Championing the establishment of ERM;
5. Consolidating the reporting of risks; and
6. Developing the ERM strategy for Board approval.

Figure 1 illustrating “IA’s Role in Risk Management” is reproduced above.
Why then, are so few internal audit functions not talking to their risk management counterparts and collaborating to integrate with risk management when we already have been given the licence? Effectively, I am saying there is now no independence excuse to prevent internal audit from working with risk management.

The Leadership Dilemma

Is there a leadership vacuum? The IIA Research Foundation in 2011 revealed that only 23% of audit committees require internal audit to give an opinion on the overall risk management process. And only 45% ask for internal audit’s recommendations and advice on enhancing the risk management process.

Are our audit committees not aware of this? Maybe, but it can be argued that a more progressive Chief Audit Executive (CAE) should demonstrate better leadership by influencing the audit committee to bring about this collaboration.

Can the CAE lead this initiative? According to the “IA’s Role in ERM” paper, yes. This is allowed so long as the internal audit function does not make the decisions and own the system.

The “We are different” Excuse

All the banks surveyed except one say that risk management has a different framework.

Of these banks, one is now working with risk management on a common framework and one other bank thinks that collaboration is already in place although its internal audit and risk management systems are not integrated.

Overall, the results show that the trend is still one of the two divisions in question thinking quite separately in silos. The responsibility for this sad affair seems to be shared. This was the same result as the 2013 Grant Thornton’s survey of 330 CAEs in the United States which concluded that “there is plenty of room for better integration.”

I would like to propose the use of a well-known framework such as COSO to bring internal audit and risk management closer and talking to each other. The assessment of risks, audit programmes and audit ratings should follow the COSO framework because they give a “cause-and-effect” framework. The COSO framework helps one see the possible knock-on effect of the failure of each control on the others.

I have worked before with the UK Governance Code but it is very difficult to use to arrive at a convincing logical conclusion as to the causes of the deficiencies. If I have to use the UK Code today, I would try to integrate the Code components into the COSO framework, or if other auditors prefer, the ISO 31000 framework.

COSO makes it much easier to understand which risks are important because the components are critical and integrated with other internal control components towards achieving the corporate objectives. When you assess systems, you are really assessing a collection of interconnected parts which together form an integrated whole. By satisfying the five internal control components of COSO (Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring), you would be better able to assess whether the system is working effectively as a whole. That is what I have learned in my Sarbanes-Oxley work which requires organisations to design a system of controls for financial reporting and for which the COSO framework fits the bill. If any one or more of the components are materially deficient, then it should become obvious to all that internal control cannot be assured and where it should be fixed.

There are a lot of COSO Guidance papers since 1994. The latest is the paper on the 17 principles of COSO, released in May 2013. This publication states the seventeen principles which should make up the five internal control components and hence enables a more consistent and more accurate assessment.

The above benefits of using a common framework should be “sold” not only to risk management but to management as a whole. When all stakeholders are on the same playbook, many of the conflicts and friction encountered in the journey towards reasonable assurance will be avoided.

Governance, Risk and Compliance (GRC) Systems

Previously in the early 2000s, it would have been challenging for internal audit functions to collaborate with the risk management functions. Risk management processes were invariably captured on MS Excel spreadsheets while internal audit processes were not much better off.

Today, there are Enterprise-wide Risk Management (ERM)/GRC IT-based systems which come nearly fully intact or “off-the-shelf” which only need minimal configuration. The leaders in this software genre come fully configured or compatible to incorporate the COSO ERM (2004) framework or the ISO 31000 framework.

Integration between internal audit, risk management and compliance functions is the main objective of such systems so that the risks are assessed, controls designed, implemented, reported and audited using a similar terminology and process, based on the same information residing in one database.

The most obvious benefit is that internal audit can better track the process of risk assessment through to control design and implementation, and onwards to reporting. If the risk management steps are embedded and logged in an IT system, internal audit can more effectively and efficiently assess the risk management system and then test the results. Continuous auditing will also be possible without necessarily having to physically visit remote sites or the risk management division.

The ERM or GRC system opens up new audit methodologies and economies. The hitherto “impossible” becomes possible. When internal audit has more than one hundred branches or entities to audit, knowing you have a system which requires and guides operations staff to perform disciplined but easy-to-do risk assessments to manage their own risks is half the battle won.
The benefits to risk management are also enormous. They can do so much more with a GRC or ERM software system. The system is usually web-based and hence many of the connectivity issues hitherto encountered by banks are now history.

Internal audit’s mission after all is to improve operations. Internal audit wants the whole organisation to do the risk assessments easily, correctly and to own the risks. Risk management will supervise that the operations staff do this correctly. As auditors, we will check that the system is working and that no new risks have been left out.

How to Integrate Internal Audit and Risk Management

How do we integrate/collaborate between internal audit and risk management? First of all, realise that no worthwhile project can hope to succeed without a powerful sponsor. Hence:
1. The CAE has to create awareness and influence the top management, audit committee and the board risk committee.
2. There should be only one definition of risk. The ISO 31000 definition of risk is “uncertainty over objectives,” which means, when applied to organisations, the probability of events that will hamper or stop the organisation from achieving corporate objectives. I consider this to be the best definition because it allows us to prioritise risks.
3. Make it clear that risk is measured in terms of probability and impact in the organisation. It is the correct formula for organisations and can be understood by all. Conduct ERM training courses for other divisions, if necessary.
4. Make sure that your audit procedures adhere to the attribute and performance standards of the International Professional Practices Framework. This will ensure your methodologies can be easily mapped over to the IT-based ERM/GRC system.
5. Internal audit and risk management (and compliance) have to agree to adopt the same risk methodology or framework, and therefore prevent confusion and duplication of work.

This is the challenge. If internal auditors want to add value, they should be great strategists too. Internal auditors should not be content just to propose incremental change and improvement. Instead we should be bold and go for transformational change and honestly, no great change can come without some effort.

In the past, the internal auditor’s main mission was to finish his audit fieldwork, issue the report and hopefully complete all scheduled audits for the year. This is no longer acceptable. Internal audit’s role is evolving and it should be towards a strategic role. This can be best summarised by the following comment at a Harvard University event:

“…, a temporary data center outage can result in a short-term problem… Other more significant risk events can be catastrophic, … that can not only impair an organisation’s ability to meet its objectives, but may also threaten the organisation’s survival. The recent credit crisis is an example of this type of risk.”

By ensuring that the operational risks are being managed effectively by a system, internal audit can then attend to strategic risks, these being those “risks that are most consequential to the organisation’s ability to execute its strategies and achieve its business objectives.”

The author is a CA (NZ), CA(M), ACIB (UK), MBA, and CIA with 32 years of banking experience, the last ten years of which were as CAE of three banks. His experience includes senior-management stints in branch management, credit management, risk management and strategic planning. David is currently Chief Internal Auditor of Bank Islam Malaysia Bhd.

Any views or opinions presented in this article are solely those of the author and do not reflect the views or opinions of the Institute.