Page 21 - Internal Auditor M.E.

Page 21 - Internal Auditor M.E. - June 2019

P. 21

conversations with colleagues

Are these challenges impacting stakeholder to view and understand the whole cycle or journey of any given
expectations of internal audit? process if you will, which obviously optimizes the value added by
internal audit.
Ghaleb: Since the vast majority of governmental organizations are
becoming more proactive and are focusing more on issues such as CAEs also need to achieve and constantly maintain the
strategy, corporate governance, risk management and such, they’re balance between being independent and holding their ultimate
responsibility towards the organization as a whole; and creating
demanding a more customized and added-value approach from a synergetic relationship with management that is based on
internal audit. This emphasizes the dual roles of both assurance transparency and reliability.
and consulting required from internal audit and the fact that
increasingly, internal audit has to provide much more than cut and Is regulation impacting the assurance internal
dry audit reports that lean more towards compliance issues only. auditors are providing on technology risks?
From my perspective, I think this is an opportunity rather than a
challenge as we’ve been able to find a niche for our Risk Advisory Mohammed: Technology risks play a key role in today’s tech
heavy market as almost all organizations have to deal with
Services due to the aforementioned. We’ve adopted a model that application access controls, changes/updates to applications,
revolves upon this concept and is based on the direct involvement development of new programs or embedding of new modules
and on the field presence of our senior level employees (managers in existing applications and lastly data protection and problem
and above) to ensure the right level of experience and know-how is management. Internal auditors will have to ensure that such
provided to meet our clients’ needs. Our clients expect our support application-based controls exist and provide reasonable assurance
in dealing with complex issues that entail multiple scenarios and that the environment hosting these applications are secure.
may lead to far reaching consequences. We have deliberately Internal auditors have increased responsibility towards ensuring
structured our Risk Advisory Services Division to be “top-heavy” that the technology risks are managed as an organization’s risk
with a low ratio of senior management to staff in order to handle management framework depends on it.
such high-level relationships with our clients.
How can CAEs assure their audit committees that
they are maximizing the value of their internal audit
“as the public sector evolves and becomes resources?
more sophisticated, heads of internal Ghaleb: Quantitative KPIs in the form of number of audits
and observations, utilization percentages and such are always
audit will need to be more self-aware in informative, however, I think it is equally if not more important to
ensure that CAEs are constantly in touch with the audit committee
challenging the status quo within their (without of course miring the audit committee members in
own internal audit functions and be more unnecessary details) and obtaining their input regarding key
matters. As an example, at the onset of a full-fledged internal audit
proactive in finding ways they can optimize engagement, I make sure to meet each audit committee member
one to one and obtain their expectations. I also present to them
their added-value to the organization” different scenarios with objective pros and cons to each when
tackling issues such as the internal audit function’s structure, risk
Ghaleb Al Masri, Partner Risk Advisory, Mazars assessment methodology, audit plan etc.

Finally, what would be one thing that a public sector
How can CAEs respond effectively to these changing internal audit function should strive to achieve over
expectations? the next 2 years?
Ghaleb: Primarily, CAEs and internal audit functions need to Ghaleb: Even though I alluded to the same subject earlier in the
constantly be self-conscious and assess their own approach interview, I would stress that it is imperative for a public sector
towards the execution of their risk assessments, developing their internal audit function to build a regular and open relationship
audit plans and such. The risk assessment methodology itself needs with both management and the Board as represented by the
to be adapted to suit the client and ensure that the resulting audit audit committee. The underlying premise for this is the core of
plan is aligned to the strategic direction of the organization whilst an internal audit function, which relies on adding value to the
also considering the organization’s maturity and environment. organization based on in-depth understanding of the business and
For example, whilst keeping within internal audit standards and processes and striving to identify root causes and corresponding
guidelines in implementing a risk based approach, we’ve been able feasible recommendations. Of course, the introduction of internal
to highlight to our clients (where deemed suitable), the advantages audit in any organization is bound to cause some resistance, but
in adopting a process oriented rather than a department oriented with time, management gradually realizes the objective of internal
audit approach. This inherently forces the internal audit function audit in improving and optimizing rather than finding fault.

JUNE 2019 INTERNAL AUDITOR - MIDDLE EAST 21

16 17 18 19 20 21 22 23 24 25 26