Are You Ready for the New Global Internal Audit Standards?

 With the Global Internal Audit Standards set to take effect on January 9, 2025, it is crucial that the audit committee is well-prepared and familiar with these standards. To assist with this, we have created a brief presentation designed to equip audit committee members with essential information.

Reach out to us to schedule an in-person or remote presentation.

Internal Audit Relationship with Regulators

The Chartered Institute of Internal auditors has recently published an Internal Code of Practice which provides guidance on effective internal audit in the private and third sectors. This code builds on the success of its previous of a similar code for the financial services firms.

The code covers a wide range of areas:

•   role and mandate of internal audit,
•   scope and priorities of internal audit 
•   interaction with risk management, compliance, and finance
•   reporting results
•   independence and authority of internal audit
•   resources
•   QIAP
•   relationship with regulators
•  Relationship with external auditors

I will limit the discussion in this post to the relationship with regulators. The code states that:

" The chief internal auditor should consider the impact of the regulatory environment and have an open, constructive and cooperative relationship with relevant regulators."

How do you interpret and apply the above statement in your country? 

Do you think the code should provide more details and guidance on this important issue?

Would your management accept an open and cooperative relationship with regulators?

What should be the nature, objectives, and scope of such a relationship?

Back in 2015, I wrote a post about  the same subject after reading a Thomson Reuters white paper, you may want to take a look at it:

Should Internal Audit Forge Relationships with Regulators & Other Outsiders?

Please provide your thoughts!

Educate your Internal Auditors While you Entertain Them!

Depending on What you Read:"Reading Can Seriously Damage your Ignorance"

I love this quote from "The Mindunleashed"! But, it can not be complete without pointing out that the damage is dependent on what you read!! The wrong readings (and/or correctly understanding what you read) may damage your intelligence, dignity and probably your humanity!!

The Internal Auditor is Now Available on Amazon!

The Internal Auditor (short fiction) is now Available on Amazon for Pre-Order! Below is a link to order:


                           Amazon Canada


You can also order it from other Amazon Country websites depending on your Country.

التدقيق الداخلي والمخاطر الجيوسياسية

 ان المتغيرات السياسية و الاقتصادية المتسارعة في المنطقة و ما ينتج عنها من عدم استقرار و عدم يقين

  تتطلب 

التعامل مع المخاطر الجيوسياسية بجدية اكثر من اي وقت مضى 

في مقالة نشرها معهد المدققين الداخليين في بريطانيا عام 2015,تمت الإشارة الى ان دراسة حديثة بينت بان 70 بالمائة من المدراء التنفيذين المشمولين بالدراسة ينظرون الى التوترات السياسية في العالم على انها تشكل خطرا على النمو الاقتصادي خلال فترة ال 12 شهرا التالية للدراسة وذلك بزيادة مقدارها 27 بالمائة منذ نهاية عام 2013.

ان نظرة واحدة على قائمة اهم مخاطر 2016 التي تصدرها مجموعة يوراسيا المتخصصة بتحليل المخاطر السياسية العالمية كفيلة بطرد النوم من اعين المدققين الداخليين ولجان التدقيق في الشرق الأوسط! كما ان نظرة أخرى على قائمة المخاطر لنفس العام الواردة ادناه والصادرة عن المنتدى الاقتصادي العالمي تبين أهم الاخطار الجيوسياسية على العالم:

بالمقابل فان تقرير معهد المدققين الداخليين الصادر في أذار من عام 2015 تحت مسمى "نبض التدقيق الداخلي" يشير الى ان 6 بالمائة فقط من الذين شملتهم الدراسة اعتبروا ان التطورات الجيوسياسية بما فيها المقاطعة الاقتصادية لها تأثير هام على خطة التدقيق بينما قال 40 بالمئة بأنهم لا يعيرون هذه التطورات اية أهمية! في الحقيقة فان هذه النتيجة مقلقة وقد اعتبرها التقرير ناتجة عن عدم قدرة التدقيق الداخلي على "توصيل النقاط". وانا اضيف الى ذلك عدم قدرة التدقيق الداخلي على استيعاب وفهم “الصورة الكبرى" وعدم فهم مكونات الاخطار الاستراتيجية!  

 ربما لم تكن المخاطر الجيوسياسية أولوية على اجندة وظائف التدقيق الداخلي في الشرق الاوسط في السنوات الماضية على الرغم من تاريخ المنطقة الحافل بالأزمات، وذلك يعود الى ان التدقيق الداخلي في تلك المرحلة كان يمر بعملية ولادة واثبات وجود بالإضافة الى جهوده المستمرة في تطوير نفسه. ولما كان التدقيق الداخلي قد قطع شوطا طويلا في تحقيق هذه الأهداف فهو مهيئ الان لان يقوم بدوره في فهم ومواجهة هذه المخاطر!

قبل القيام بأي دور على التدقيق الداخلي:

1.  ان يكون لديه الاطلاع الكافي على اهم التطورات السياسية والاقتصادية في بلده وفي دول الجوار وان يقوم بمتابعتها عن كثب ومن أكثر من مصدر واحد. على ان تكون هذه المصادر حيادية وذات مصداقية عالية وبعيدة عن الاجندات السياسية والاقتصادية الضيقة والخاصة.

2. ان يكون لديه الفهم العميق لتأثير المخاطر الجيوسياسية على المنشأة بشكل عام، وعلى مستوى العمليات الفردية. 

3. ان يلتزم الحياد التام والموضوعية والاستقلالية في جمع وتحليل المعلومات وتقدير المخاطر بعيدا عن المعتقدات السياسية الخاصة به. ان المدقق الداخلي ليس محللا سياسيا او اقتصاديا ولاحد يتوقع منه القيام بهذا الدور!

دور التدقيق الداخلي

دور المدقق الداخلي بالنسبة للمخاطر الجيوسياسية لا يختلف عن دوره في المخاطر الأخرى والتي يحكمها المعيار 2120,     والتي لا داعي لتكرارها هنا، الا من حيث ان طبيعة الاخطار الجيوسياسية تتطلب لباقة أكثر في عرضها ومناقشتها ومراقبة أعمق لها في الدول المصنفة بانها عالية المخاطر نظرا لان أثارها قد تكون كارثية على المنشأة. بشكل عام فان على التدقيق الداخلي ان يقوم بما يلي:

1.القيام بتقييم شامل ومستقل للمخاطر الجيوسياسية بالتعاون والتشاور مع الإدارة، لجنة التدقيق وإدارة المخاطر بهدف تحديد المخاطر الأكثر أهمية ودمجها في خطة التدقيق. والقيام بتعديل الخطة بناء على نتائج التقييم المستمر والمخاطر المستجدة. وهذا يتطلب ان يكون للتدقيق الداخلي القدرة على القيام بالتنبؤ بالمخاطر التي قد تستجد مستقبلا. 

2.التاكد من ان الادارة ولجنة التدقيق على دراية تامة بهذه المخاطر واثارها وأنها تقوم باتخاذ الإجراءات المناسبة للتعامل معها ومعالجتها في الوقت المناسب.

3.التاكد بان لجنة المخاطر تقوم بعملها بكل كفاءة وفعلية وأنها تقوم بتقديم المعلومات المناسبة والضرورية للإدارة بالوقت المناسب.  

4.التاكد من وجود خطط ملائمة "لاستمرارية العمل" و "التعافي من الكوارث" ومدى مطابقتها لاحتياجات المنشأة. كما يجب التأكد من ان هذه الخطط يتم تحديثها وتجربتها بشكل دوري.

5.التاكد من كفاية التامين لتغطية الاثار الناجمة عن مخاطر الحروب، الاعمال العدائية، الكوارث البيئية والطبيعية، هجرة المدنيين وانقطاع الدخل.

6.التاكد من قيام إدارة الموارد البشرية بأجراء "فحص الخلفية" لكافة الموظفين قبل التوظيف والحصول على الموافقات الأمنية اللازمة ومراقبة اية تصرفات تثير الشكوك والابلاغ عنها مباشرة للإدارة.

7.التاكد من قيام المنشأة بالامتثال للقوانين والتشريعات المتعلقة بغسل الاموال ومكافحة الإرهاب.

الخلاصة بان تقييم المخاطر الجيوسياسية ليس " ترفا فكريا" أو تعاطيا بالسياسة وانما هو جزء أساسي 

من مهمه المدقق الداخلي الناجح الذي يضيف قيمة للمنشـأة التي منحته ثقتها ! ا

Please God, let Him Not be an Internal Auditor!

A visitor to my company’s website (www.bibiconsulting.net) has sent me the following message:  “send to me all publications”

 

He was referring to a section in the website where I offer visitors to send them a PDF copy of my blog posts. My first reaction was “wow”! I do not see “hello”,” please” or “thank you”! My second reaction was a prayer “Please God, let him not be an internal auditor”!

 

Before I proceed with this post, I should show some manners and thank the visitor for inspiring this post!

 

Can you imagine what would be the reaction of a customer if an internal auditor communicates with him/her in this way! This type of manners will not only reflect on the auditor alone, but on the internal audit activity as a whole, on its reputation and on its efforts to market itself as a professional value adding party!

 

Good manners, in general, and good communications manners, in particular, are part of the “must have” soft skills for internal auditors! I call on CAEs to take a hard look at their auditors’ communication manners and offer guidance and training when needed.

 

Bottom line is “Manners still matter”!

These are my thoughts, please share yours!

 

 

 

 

Should Internal Audit Forge Relationships with Regulators & Other Outsiders?

While updating my electronic internal audit library, I realized there are some documents that I have not read yet! One of these was a June 2015 white paper by Thomson Reuters entitled” A new order: The key skillsets necessary to thrive as Head of Internal Audit today”. The document lists skillsets that most of us are familiar with these days such as:

·         A thorough understanding of the (new) basic requirements

·         Critical thinking and the ability to continue learning

·         Deep industry experience and corporate knowledge

·         Leadership and ability to “belong” in the C-suite

·         A firm grasp of the importance of teamwork and partnering

·         And finally: The ability to view the organization with external holism

The last skillset caught my attention as I rarely come across anything similar to it in other literatures! The whitepaper explains this as:

“As regulators move beyond the strict letter of the law to point a finger at companies on issues involving culture, conduct and IT security, the burden on compliance and internal audit to anticipate appropriate standards and tests has become a constantly moving target”

It adds:

“Consulting typically requires more creative thinking than assurance work, and this may involve the acquisition of new expertise, either by the internal auditor or through subcontracting.  It is important not only for compliance and legal, but for internal audit to forge relationships with regulators, subsidiaries, suppliers and major customers and to be able to anticipate changes affecting the business”

Do you agree with this? What type of relationships (objectives, scope and nature) with regulators, customers and suppliers are you willing to forge? How do you balance this with internal audit independence?

Do you agree with the statement that consulting requires more creative thinking?

Please share your thoughts and experience!

What Have You Learned Today?

Internal Auditors are expected to provide advice on best practices, consulting services, and opinions on a wide range of issues. To be able to do so and achieve the status of a "Trusted Adviser", I believe they need to learn new things on daily basis! And "by new things", I am not only referring to necessary technical knowledge, but to any other useful piece of information. Such information may prove to be useful to them in providing their services and/or as a door opener in establishing relationships with their customers. Not to mention, improving their business acumen.

Don't confuse this with continuous professional education (CPE), these are two different things!

I have been literally doing just that (learning a new thing every day) for a long time. I would like to think this approach has helped shape who I am today. Needless to say, modern technology has made it much easier to achieve this goal compared to the past!

What Did I Learn Today?

It is very simple and basic: I have learned the difference between " what did you learn today" and "what have you learned today"! I was debating which sentence is more appropriate to use. I have learned that both sentences are grammatically correct. The former is past simple and the latter is present perfect. This is useful information for someone whose English is a second language like myself and for improving my vocabulary &  communication skills!

Why Learn New Things?

An article published on Lifehack.org lists the following benefits :

• Learning across a wide range of subjects gives us a range of perspectives to call on in our own narrow day-to-day areas of specialization.
• Learning helps us more easily and readily adapt to new situations.
• A broad knowledge of unfamiliar situations feeds innovation by inspiring us to think creatively and providing examples to follow.
• Learning deepens our character and makes us more inspiring to those around us.
• Learning makes us more confident.
• Learning instills an understanding of the historical, social, and natural processes that impact and limit our lives.

I can't agree more.

Practical Approach to Everyday Learning!

• First and foremost, you need to have the will and commitment to learn! Where There’s a Will, There’s a Way!
• Chose the right information source. Social media does not necessarily provide correct and accurate information! 
•  Pay attention! You will be surprised how much you can learn by paying attention to people and your surroundings.
• Be curious. Albert Einstein once said, "I have no special talents. I am only passionately curious". 
• Combine entertainment with learning! I often find myself googling a word, a term, or a piece of information I have heard while watching my favorite TV show or reading a fiction book!
• Make reading part of your daily ritual. Joseph Addison said," Reading is to the mind what exercise is to the body ".
• If you are a disciplined person, set aside a specific time of the day for quick learning ( i.e. first thing in the morning, bedtime, during commute, or during breaks).
• Don't be shy or embarrassed to learn from younger people. I still learn a lot from my children!
• Make your smartphone work for you. Set up an alert for your topic of interest to keep you up-to-date.

Do You Have The Time?

Absolutely! There is no excuse for not learning a simple thing a day. It only takes a few minutes, this is equivalent to one social media status update!

So, What have you learned today?

Picture credit:What Have I Learned Today Text Written On Notebook Page, Red Pencil On The Right Stock Photo, Picture And Royalty Free Image. Image 39823048. (123rf.com)

Does Courage Lead to a Career Suicide ?

Like me, you probably have recently read a few articles and blogs about the political pressure on internal auditors including the IIRF report. You may, or may not, have first-hand experience with pressure, but you know that it is a fact of life!                                                                                   

 And you probably agree with me that the CAE* should have the courage to tell things as they are. After all, courage is one of seven traits of top audit executives according to the President and CEO of The IIA. He says :

"Internal auditing is not for the faint of heart; it requires courage — real courage. Doing the right thing is not always easy, especially when pressured by circumstances and those holding the power. And yet having courage is one of the CAE’s highest callings.
The top CAEs have the courage of their convictions, the courage to call it as they see it, and the courage to step out and step up with a proactive approach to both existing and anticipated risks. They are integral to their organization’s decisions, their executive management’s knowledge and their audit committee’s confidence and peace of mind."

I couldn't agree more.

A Harvard business review article entitled "Courage as a Skill" says :

"In business, courageous action is really a special kind of calculated risk-taking. People who become good leaders have a greater than average willingness to make bold moves, but they strengthen their chances of success—and avoid career suicide—through careful deliberation and preparation. Business courage is not so much a visionary leader’s inborn characteristic as a skill acquired through decision-making processes that improve with practice. In other words, most great business leaders teach themselves to make high-risk decisions. They learn to do this well over a period of time, often decades."

The question is how do you balance between being a courageous CAE* and avoiding career suicide! A courageous CAE that does not bow to political pressure may end up being fired, downgraded or forced to resign. Do you think there should be an external mechanism of protection for the CAE? I believe the IIA chapters should take the lead in discussing with the local regulators, insurance companies and other relevant parties the introduction/improvement of suitable legal and financial protection plans if such plans do not exist. 

These are my thoughts, please share yours!

* I use the CAE as a symbol of all internal auditors!

picture credit:theazaragroup.com

How to tarnish your company's reputation in 30 seconds?‎

Yes it’s possible; it only takes an inappropriate tweet or a status update on a social media web-page such as Facebook , LinkedIn  or a short video on  You Tube to cause a major damage to a company’s hard earned reputation or brand .This could happen intentionally or as a result of ignorance or oversight.  While the company may not have control over the intentional acts, it can do something to eliminate, or at least minimize, the actions caused by ignorance or oversight. Here is what I think can be done:

• It starts with recognizing the power & risks of social media .If management does not believe in it, then such management is part of the problem, not part of the solution.
• Raise awareness at all levels in the company about the benefits and risks associated with social media.
• Conduct training to educate all employees on how to deal with social media at work or in their private life.
• Set a clear and concise social media policy and ensure that it is distributed to and understood by all employees.
• Include social media risks in the company’s risk management plan.
• Include social media behavior in the company’s Code of Ethics.
• Perform Social Media audits on continues basis.

Can you suggest more actions or discuss your company's experience with this issue ?