Saturday, December 14, 2013

Internal Audit in 2020 : What the ordinary internal Auditors think?

In the last issue of the Ia magazine, there is an article discussing the future of Internal Audit. The author chose the year 2020 for the prediction of the future and asked the following three questions:

1. What will not change about Internal Audit in 2020?
2. What will?
3. Can you make a prediction based on a current trend, taken to its logical conclusion?

The above questions were directed at seven "thought leaders", who provided their views on the future of Internal Audit. Their answers did not include any surprises or wild predictions!

I am very much interested in the views of the ordinary Internal Auditors! So please share your predictions and thoughts!  

Thursday, December 12, 2013

Should corporations have heart?‎

If what Mitt Romney  once told us  is right “Corporations are people “ , then should corporations have heart and act like humans ?
What caused me to ask is that I read in a local newspaper that a cable company is asking an Ottawa man to pay a huge bill for services that stayed active at his house months after it burned to the ground.
The man claims that he has called the company and disconnected the services few days after the fire! The company is not buying this and transferred the case to a collection agency .
The company did not respond to the request of the newspaper (which reported the news) for more information.
Let's assume that the man actually failed to disconnect the service, should the company under these circumstances ,when known to it, still charge him for the service he never received ? Or should it act as a caring human and wave the charges ?
Heart or no heart ,what do you think?


Tuesday, December 10, 2013

2014 Horoscope for Internal Auditors !

My fellow Internal Auditors ,here is your monthly horoscope for 2014  :

January :      Pay attention to your IT skills .You still need to improve it !
February:     Work on your soft skills .It is essential for your survival !
March:          Adapt to new regularity environments,or you become irrelevant !
April:             Keep up to date with the necessary skills .
May:              Maintain independence , but be an active partner with management.
June:              It is okay to question why you choose to be an internal auditor !
July:               Integrate fraud detection and prevention into audit strategy.
August:          Align your work with other parties responsible for  risk management .
September:    Always stay objective,no matter what.
October:        Compliance still matters ,don't ignore it !
November:     Communicate,communicate,communicate ...
December:     Get over it, you will never be rich working as an internal auditor !

Wishing you all a happy and prosperous new year .


Wednesday, October 16, 2013

Trust ,but don't be naive !

Today, I have attended IIA's Ottawa training session which focused on Asset Protection and Security( AP & S). Two mantras stuck on my head by the time we were done :

The first is:" AP & S is largely based on trust!"
The second:" Being compliant does not mean being secure "

While I agree with the second, I have trouble with the first!

The examples of trust provided during the session made me more skeptical ( i.e I trust you because A trusts you and I trust A )!

 Trust is good, but it is not enough and certainly does not provide security.

Trust, but verify!
Trust.but monitor!
Trust, but don't be naive!

 In God we trust, others will be audited!

What do you think?

Monday, October 7, 2013

Does industry specialization limit internal auditors' careers?

Industry specialization is a good thing! This is at least what employers and hiring managers are telling us because it improves audit quality! Not everyone agrees with this, a recent study by the University of Miami published in June 2013 concluded that there is no evidence to support such a claim!

But, is specialization good for internal auditors? Does it limit our career path to certain industries because the perception is, as an example, if you are a bank auditor you can't effectively audit a manufacturing company?

The golden rule is that " you can't audit what you don't understand "! The question here is: does "understanding the operations " of an organization means that you need to be an industry expert? I am personally not sure if this is the case! Understanding the business is the key to a successful audit and this understanding nowadays can be achieved in a relatively short period of time for a willing auditor!

These are my thoughts, please share your thoughts and experience.

Tuesday, October 1, 2013

The Head of Internal Audit !!!!

Source : Careers In Audit website .

Thursday, August 15, 2013

Who Audits The Internal Auditors ?

When I ask this question, I usually get a variety of answers ranging from "no one" to " the audit committee"! While the Internal Audit Activity is not subject to audit in the same way other company business units  and processes are ,there are ways management can get reasonable assurance that the internal audit department is doing what it is supposed to do. One of these ways is the External Quality Assessment.

 IIA Standard 1300 covers the Quality Assurance and Improvement Program that need to be established by the CAE covering all aspects of the internal audit activity. Standard1312 requires that "External Assessment must be conducted at least once every five years by a qualified,independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

  • The form and frequency of external assessment,and
  • The qualification and independence of the external assessor or assessment team,including any potential conflict of interest."
The interpretation of the standard explains that external assessment can be in the form of a full external assessment,or a self -assessment with independent external validation.

In addition to the external assessment ,the standards call for internal assessment which must include:
  • Ongoing monitoring of the performance of the internal audit activity,and
  • Periodic self - assessment or assessments by other persons within the organization with sufficient knowledge of internal audit practises.
Do you think the above is adequate to provide management with reasonable assurance that the internal audit activity is performing its duties in conformity with the IIA standards? If not, what else would you suggest to do,for example:
  • Have the external auditors audit the internal audit activity
  • Have a peer review by other internal audit activity of an unrelated company.
  • Have an external assessment every year or two.
 Please share your experience and thoughts.

Friday, August 9, 2013

In The Age of Information, Ignorance Is A Choice !

No further comments from me, the quote speaks for itself !! *

* A reader to this blog post brought to  my attention that the author of the above quote is Mr.
   Donny Miller .It should be clearly mentioned that I was simply sharing the above picture ( because I  loved it so much ) and had  no intention whatsoever ,to imply that the quote is mine ! The name of the author of the quote was not included in the picture and was not known to me at the time I shared it on this post.
The reader accused me of being a "thief "  and of  "plagiarism" , however, regular readers of my posts know  that I always reference the quotes I use to their authors ! Despite the fact that the above post does not in any shape or form imply directly or indirectly ,explicitly or implicitly that the quote is mine ( how would it be mine when I say: no further comments from me and it comes in a form of a picture that is flooding the internet  !!)  ,the reader insists that I have stolen the quote for my own use.
 I am just wondering if this self appointed  "author right's defender" is exposing himself to a libel case ! This is something I am discussing with my legal advisor .

When you read this post, did you get the impression that  I am implying that the quote is mine ? Please provide your feedback.

Let me very clear on this issue, I do not approve of any plagiarism ,and it is in my own interest that I defend author rights ,because I publish many articles and blogs and would not appreciate any one "stealing " it !


Saturday, July 27, 2013

Should the CAE Educate the Audit Committee?

Do not expect  all the audit committee members to possess sufficient accounting ,audit and risk management knowledge and experience . In a perfect world it would be great if they do ! As we don't live in such a world ,someone should take the initiative to educate them ,and I believe that this " someone " should be the CAE !

During the brief period when I established and managed an internal audit activity for a multi - billion dollar company ,I took it upon myself to keep open communication lines with management in general and the audit committee in particular in order to keep them abreast of developments in areas relevant to their responsibilities .In the case of the audit committee ,I used to share with them news,articles and publications relating to accounting,audit ,risk management ,corporate governance and other areas of interests . And to make things more interesting ,I used to send them a monthly quiz ! I was pleasantly surprised with the positive reaction of the committee members and their desire to receive more information and quizzes ! In fact ,they were competing to score higher points each time I send a new quiz .

I am fully aware that not all audit committee members will act in the same way, but the CAE should at least try and fulfil this educational role . It not only benefits the audit committee members and the organization ,but helps to strengthen the CAE's relationship with the audit committee.


Difficult Audit Customer : No Problem !

During my long career in external and internal audit ,I have always managed to handle all types of audit customers: the easy going ones and the difficult ! My experience covers many countries and many cultures .My secret is very simple , I follow these steps:

1. Know the person :

Before starting and audit assignment ,invest some time to learn about the key person you will be dealing with .Know about his/her educational background , career history ,family status, interests  ..etc.

2. Find a common interest :

There must be something in common  to talk about between you and the person you will be dealing with .It could be family values, sports ,travel  or any other areas of interest .Use this as a door opener .I encourage you to spend few minutes talking about it when you first meet with him/her . Word of caution : never discuss politics or religion and if the subject is raised be neutral !
 People are different and each one needs a personalized approach .

3. Explain why you are performing the Audit :

Always explain the objectives of the audit in advance and what you expect to achieve . You have to send a clear message that you are doing what you are hired to do and that in the process you wish that it will be a mutually beneficial and enjoyable experience !

4. Be Professional & Patient :

No matter how difficult the audit customer is ,always behave in a professional manner and be patient .Your professionalism will pave the way towards a healthy relationship across the organisation .

And finally ,I am a strong believer of the saying: If there is a will ,there is a way .

My 4 P's for work :


Please share your experience !


Monday, July 22, 2013

Why Internal Auditors keep telling us that they add value?

Why is it that internal auditors are the most users of the terminology "add value" ? Do you hear other functions in your company use it as often ? Do internal auditors use it to justify their existence to others and/or to convince themselves that they are valuable to their organizations ? And finally do they really add value and how?

The glossary section of the IIA standards defines add value as follows :
"The internal audit activity adds value to the organization ( and its stakeholders) when it provides objective and relevant assurance and contributes to the effectiveness and efficiency of governance,risk management, and control processes." Isn't this what they are supposed to do anyway? Is adding value means doing your job as prescribed by your job description or does it go above and beyond what is expected of you ?

Can you in your own words describe how you add value to your organization using at least one practical example ?

Do you know what is your stakeholders definition of "adding value" ? Did you ever asked them?

I am not trying to offer answers here ,but rather to start a self-dialogue !!

Friday, June 28, 2013

Are you an Internal Auditor at home as well?

Is your career, as an internal auditor, affecting your lifestyle and relationship with others?

It is a fact that our careers affect our lifestyle in one way or another, whether we intend this or not.For example, as an internal auditor, do you find yourself :

- Dealing with others with skepticism without giving them the benefit of the doubt?
- Paying too much attention to details at home? This may not keep your spouse or other family members happy!
- Trying to maintain independence in your relationships with family members and friends when sometimes you have to take sides and be biased?
- Questioning if your actions may result in a conflict of interest all the time?

On the positive side,do you think that internal audit made you :

- A more effective communicator
- An objective person
- A persuader
- Add value and change lives around you
- Vigilant. You pay more attention to your surroundings
- Better understand risks and opportunities
- Improved your decision-making process

Please share your thoughts and experience.


Saturday, April 13, 2013

May is International Internal Audit Awareness Month .

May is International Internal Audit Awareness Month .What are your plans to promote our profession ? Please share your ideas and plans.


Tuesday, April 9, 2013

Did he impair his independence ?

Last week, the Director of Internal Audit at Cyprus Central Bank addressed the financial crises in his country to the media and discussed what the Central Bank intends to do with the bank deposits .His statement implied that he was involved in the discussions / decision making of the proposed arrangements. While we do not know the extent of his involvement ,if any ,the fact the he has addressed an operational issue to the public is unusual and may suggest an impairment of Independence .

What do you think ? Is it appropriate for internal auditors to address operational and management issues to the public ?

Saturday, March 16, 2013

Free High Level Review of Internal Audit Departments !

Bibi Consulting is offering free high level review of internal audit departments in Ontario ,Canada and selected cities in the Middle East .
The review will focus on the following :
- Authority,organization and Independence.
- Staffing
- Audit process
- Quality assurance
The review is not designed to audit the company's operations in any form,or is designed to detect fraud or weaknesses in internal controls .It is not a substitute for the external assessment as stipulated by standard 1312 of the International Standards for  the  Professional Practice for internal Auditing,but it may help preparing for such assessment.
Upon the completion of the review, the company shall receive a brief report summarizing the work performed and recommendations for major areas of improvements ,if any.
To take advantage of this offer ,contact us at .


Tuesday, February 26, 2013

2013 Internal Audit Focus - Why compliance is still a high priority ?

According to the IIA Audit Executive Center's Fall 2012 Pulse of the Profession Study , the CAE's identified their top risk coverage priorities for 2013 as follows:

24%  Operational
14%  Compliance
13%  General Financial
12%  SOX Compliance
12%  IT
5%   Risk Management Effectiveness
4%   Fraud
4%   Strategic Business Risk
12%  Other

How do your priorities compare to the above ?

Would you feel comfortable spending 14% of your resources on compliance and only 5% on risk management effectiveness and 4% on strategic business risks?Is compliance risk really that important ?

Are internal auditors still spending significant time on SOX compliance ?

Please share your thoughts .

Wednesday, February 20, 2013

Is IA success influenced by Board & Management desire?‎

The traditional perception indicates that “Internal Audit will be what senior management wants it to be “. I was reminded of this while reading the Framework for Excellence Article in the Ia magazine's February issue. In particular, this statement caught my attention:

“Ultimately, an audit department can only be as advanced as the board and senior management want it to be”

Do you agree with this statement?
More importantly, do you accept this as being the normal way of doing business?
Do you feel that Internal Auditors can influence how the Board & Management perceive their work?

Can you share your experience and share your success story?

picture credit:

Tuesday, February 19, 2013

Do you have what it takes to be a mentor?

Being a mentor provides a great deal of job satisfaction and makes jobs more enjoyable and productive! However, not everyone has got what it takes to be a mentor.
To be a mentor, one should be:
- a good listener
- a leader
- patient
- willing to share knowledge
- experienced
- committed
- and above all, has the right mindset

Why Become a mentor?

An article published by the ExecutiveBrief lists the following argument :

"A great number of mentors claim that by being a mentor, one earns the respect and recognition of peers. Mentoring enhances authority, thus firming up one’s position within the organizational structure. The mentor likewise is given the opportunity or the chance to learn from the mentee."
While I agree with the above statement, I do not support the notion that mentoring should be used for enhancing the mentor's position. This should not be an objective by itself but can be a byproduct of the mentoring process.

I have come across a useful publication by Human Resources and  Skills Development Canada ( HRSDC), which provides good guidance about mentoring. I would like to share it with you. It can be accessed here.

Have you thought about mentoring?
If you already have, was it rewarding as promised?

These are my thoughts, please share yours!

picture credit:

Thursday, February 7, 2013

Differences and Similarities Between Fraud and Corruption

Fraud and corruption are two words that we hear too often. Both are on the rise worldwide, and their methods are evolving to adapt to the development of technology. Who among us did not receive at least one fraudulent email during the last month?

Is corruption a form of fraud? Or are these two different things? A review of the definition of the terms may offer an answer :

A handbook published by the World Bank Group (Fraud and Corruption Awareness Handbook Defines fraud and corruption as follows:

A fraudulent practice is any act or omission, including a misrepresentation, that knowingly or
Recklessly misleads, or attempts to mislead, a party to obtain a financial or other benefit or to avoid
an obligation.”

“A corrupt practice is the offering, giving, receiving or soliciting, directly or indirectly, of anything of
value to influence improperly the actions of another party.”

An IIA Chicago Chapter presentation (Auditing for Corruption in Emerging Markets) provides the following explanation of the two terms:

Deriving undue benefit by bypassing some controls or bending some rules. Fraud Schemes are used to commit corrupt activities:

• Asset Misappropriation
• Financial statement irregularities
• Corruption

Takes place in the form of providing illicit benefits; harder to find; narrower scope than fraud.

• Bribery
• Embezzlement
• Extortion
• Influence Peddling
• Unlawful gratuity favor or commission
• Nepotism
• Illegal Political contribution

 The Business dictionary differentiates between these two terms as follows:
 Fraud is misrepresenting yourself or something as something you or it is not. For example, if you use a fake ID, you’re committing fraud by misrepresenting yourself as someone else.
Corruption is a broad term that can be applied to fraud, as well as other dishonest acts such as bribery, extortion, or embezzlement.
The two can be used in a wide array of instances but can apply specifically to business. Corporate leaders are often prosecuted for various fraudulent and corrupt acts, as well as political leaders.

Have you reached a conclusion yet? One thing we can, for sure, agree on: Fraud and Corruption are very bad practices and should be prevented and detected at an early stage.

Photo credit:Shutterstock

Tuesday, January 22, 2013

How to tarnish your company's reputation in 30 seconds?‎

Yes it’s possible; it only takes an inappropriate tweet or a status update on a social media web-page such as Facebook , LinkedIn  or a short video on  You Tube to cause a major damage to a company’s hard earned reputation or brand .This could happen intentionally or as a result of ignorance or oversight.  While the company may not have control over the intentional acts, it can do something to eliminate, or at least minimize, the actions caused by ignorance or oversight. Here is what I think can be done:
  • It starts with recognizing the power & risks of social media .If management does not believe in it, then such management is part of the problem, not part of the solution.
  • Raise awareness at all levels in the company about the benefits and risks associated with social media.
  • Conduct training to educate all employees on how to deal with social media at work or in their private life.
  • Set a clear and concise social media policy and ensure that it is distributed to and understood by all employees.
  • Include social media risks in the company’s risk management plan.
  • Include social media behavior in the company’s Code of Ethics.
  • Perform Social Media audits on continues basis.
Can you suggest more actions or discuss your company's experience with this issue ?

Tuesday, January 8, 2013

‎ Shall we promote the CAE to CAO?‎

The Head of the Internal Audit department is usually referred to as the Chief Audit Executives (CAE). It seems this is a generally accepted title and is being used worldwide. But, do you think that it undermines the position compared to the other “C” suite positions? For example, we don’t call the top financial person Chief Financial Executive ( CFE), we call him/her Chief Financial Officer ( CFO). The same applies to other executive positions  such as CEO, CIO , CRO...
If we really want a seat at the table, shall we start by having the right title!! Why not start by changing CAE to CAO (Chief Audit Officer).
I am interested in your views and I hope that it goes beyond “ this is a formality “ and “ substance over form” cliche!

Are you getting the most from the ethics mandatory hours?

 Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA cpe  r...