Keeping In Touch - The Institute of Internal Auditors MALAYSIA

2013
ISSUE 03/2013
JUL – SEP 2013
IN TOUCH
www.iiam.com.my
progress through sharing
An exclusive publication for Members of The Institute of Internal Auditors Malaysia
KDN PP 7705/04/2013(032230)
At a Glance
• Pass CIA Part 4 Via Professional Experience Recognition
• Members’ Networking Session Cum Hari Raya Gathering in Johor Bahru
• 2013 International Conference, Orlando
• 2013 National Conference on Internal Auditing – Scaling Greater Heights: Adding Value
• The Evolving Role of Internal Auditors in Risk Management and Internal Control
Editor says
Just like every other year, I attended the recently concluded National Conference
on Internal Auditing organised by the Institute. I find it a spirited way to meet and
network with fellow friends in the internal audit profession. This year I met an old
friend of mine who I had not met for the last three years. We had a lengthy
‘catching-up’ session and I felt good having met him at the conference.
2013/2014 BOARD OF GOVERNORS AND STAFF
President
Ranjit Singh
Vice Presidents
Philip Satish Rao
MBA (UK), CRMA, CMIIA, CA (M), CPA (M)
CMIIA, CPA (AUST), CPA (M), CA (M)
Shabaruddin Ibrahim
MIA, MICPA, FCA, CFIIA
Hon. Secretary
Lucy Wong Kam Yang
Hon. Treasurer
Mohamed Farook Nasar
Governors
Christine Ong May Ee,
MBA (AUST), CIA, CMIIA, CRMA, FCMA, CGMA, CA(M)
MBA(USM), CIA, CRMA, CMIIA, ICSA (UK)
B.ACC (HONS) (SG), CIA, CRMA, CMIIA, FCA (AUST),
CA (M)
Later in the night at the networking dinner, I happened to sit at a table occupied by
some young budding auditors and a few veteran auditors. The young auditors
were asking the veterans about conducting internal audit of a construction
company. Information was flowing across the table between the veterans and the
young budding auditors and I found this very captivating. The Institute has a
sizable number of highly competent and experienced internal auditors who are
ever ready to share their knowledge and experiences.
For those who missed attending the conference, this issue has a report on the
national conference. Also featured in this issue are the results of the 2013
membership drive campaign, the evolving role of internal auditor in risk
management & internal control and the news release on COSO Internal Control.
Pleasant reading.
Nickson Choo Wei Sin
B.ACC (HONS), CMIIA, CISA, CFE, CA (M)
Devanesan Evanson
LLB (HONS) (UK), CFIIA, CA (M), FCCA (UK)
Mohd Khaidzir Shahari
BACC (HONS), CIA, CMIIA, CA (M)
Dr Nurmazilah Dato’ Mahzan
PHD (UK), CIA, CRMA, CMIIA, CA (M), CPA (M)
Zahran Tasliman
B.ACC (HONS), CIA, CCSA, CMIIA
Alan Chang Kong Chong
B.ECONOMICS (AUST), CIA, CFSA, CPA (AUST),
CCP (IBBM)
Nik Hasnan Nik Abd Kadir
BSC (HONS), CIA, CMIIA
CHAIRMAN
Sabah District Society
Sarawak District Society
Auditor
Solicitor
STAFF
Executive Director /
Technical Director
Senior Certification Manager
Senior Technical Manager
Dr Suresh Kannan
Chief Editor
Nur Hayati Baharuddin
MBA, CIA, CCSA, CFSA, CGAP, CRMA, CMIIA,
FCPA, CA(M)
Zaimah Ismail BBA(Hons), AIIA
Sivamalar Thuraisingam
BA(Hons)(UK), CIA, CCSA,CMIIA
VISION
To be the national voice of the internal audit profession: Advocating its value, promoting best practices,
and providing exceptional service to its members.
MISSION
To provide dynamic leadership for the global profession of internal auditing. Activities in support of this
mission will include:
• Advocating and promoting the value that internal audit professionals add to their organisations;
• Providing comprehensive professional educational and development opportunities; standards and
other professional practice guidance; and certification programmes;
• Researching, disseminating, and promoting to practitioners and stakeholders knowledge concerning
internal auditing and its appropriate role in control, risk management, and governance;
• Educating practitioners and other relevant audiences on best practices in internal auditing; and
• Bringing together internal auditors to share information and experiences.
OBJECTIVES
1. To be the recognised voice for the internal audit profession;
2. To develop and sustain the internal audit profession in Malaysia through appropriate infrastructure,
coordination, support and communication; and
3. To provide exceptional service to IIA Malaysia’s members.
Senior Finance Manager
Technical Manager
Assistant Manager
Corporate Services
Assistant Manager
Membership
Assistant Manager
Professional Development
Senior Certification Executive
Accounts Executive
Accounts Executive
Training Executive
Training Executive
Membership Executive
Membership Executive
Administrative Executive
Siti Arafah Abdul Aziz BSc(Hons)
Jessie Liew Siau Yan BA(Hons)
Sally Goh Syed Lee
Veronica Justin B.Comp. Sc
Josie R. Omilda
Nor Shazwani Mohamad Shafiee BMgt(Hons)
Noor Adiha Abu Bakar BBA(Hons)
Raja Nur Aina Raja Mohammad Noordin
Admin Officer
Admin Officer
Admin Officer
Training Officer
Despatch Cum Office Assistant
Nur Zuhairah Zamberi BSc(Hons)
Yusliza Md Yusof
Syazana Dzulkefli BBA(Hons)
Ahmad Farouk Rosman
Hamdani Mohd Sahit Mashud
EDITORIAL BOARD
PSC Chairman
Lucy Wong Kam Yang
Deputy Chairman
Zahran Tasliman
Chief Editor
Dr Suresh Kannan
B.Acc (Hons), CIA, CCSA, CMIIA
PHD, MBA, BA (Hons) Acc, CMIIA
1 KEEPING IN TOUCH • Issue 3 Jul – Sep 2013
P. Shanthi Palaniappan
CIA, CMIIA
Sky Chan Kin Kwan
B.ACC (Hons), CIA, CMIIA
Abdul Azim Abd Jalil
BSc (Hons), AIIA
Production & Circulation
Siti Rohani Umar BA(Hons)
Irwan Noor Hadi Dahili B.Comm(Hons)
MBA (AUST), CIA, CRMA, CMIIA, FCMA, CGMA, CA(M)
MOTTO : “PROGRESS THROUGH SHARING”
The Institute maintains its motto “Progress Through Sharing” and shares with its members information on
new trends, the latest internal audit techniques, regulatory and statutory requirements and the emerging
issues affecting the profession.
contents
Lee Fook Sun MAcc(Aust), CMIIA, CA(M), CRMA
Tengku Idreena Tuan Ismail BA(Hons)
Jess Liu Shiak Peng B.Com(Aust)
B.Econ(Hons)
Committee Members
Academic Relations
Membership
New Releases
Events
Technical
Woo Yoke Meng, CFIIA
Baker Tilly Monteiro Heng
KC Lim & Co
Zaimah Ismail BBA (Hons), AIIA
Siti Rohani Umar BA (Hons)
Nor Shazwani Mohamad Shafiee BMgt (Hons)
Noor Adiha Abu Bakar BBA (Hons)
THE INSTITUTE OF INTERNAL AUDITORS MALAYSIA
160-3-3 Kompleks Maluri, Jalan Jejaka,
Taman Maluri, 55100 Kuala Lumpur, Malaysia.
Tel: (603) 9282 1148
Fax: (603) 9282 1241
E-mail: [email protected] Website: www.iiam.com.my
Printed by: PENCETAK WENG FATT SDN BHD (19847-W)
Lot 6, Lorong Kilang A, Off Jalan Kilang,
46050 Petaling Jaya, Selangor Darul Ehsan.
academic relations
Pass CIA Part 4 Via Professional
Experience Recognition
Candidates who have successfully completed Part 3 of the CIA can opt to complete the Part 4
of the old CIA syllabus via the Professional Experience Recognition process.
To be eligible, a candidate must:
1. hold an MBA or a master’s degree (5 to 6 years post-secondary education) with a curriculum encompassing the five
domains of Part 4 from an accredited university;
2. complete a detailed narrative of at least 75 to 100 words per domain describing examples of their experience
within the domains of the current Part 4 exam. Experience in all of the five domains is required, and the candidate
should document a minimum of 60 months’ experience;
3. have successfully completed Part 3 of the four-part exam.
The deadline for Part 4 PER is 31 December 2013. However, to enable IIA Malaysia to vet applications and
communicate with candidates in case of insufficient documentation, Malaysian candidates are required to submit their
applications to IIA Malaysia by 1 December 2013.
Part 4
In order to retain credit for the current Part 3 "passed"
status from the four-part exam version, candidates will
need to clear the Part 4 exam requirement before 31
December 2013.
Candidates who do not complete the Part 4 requirement
before 31 December 2013, will need to sit for Part 3 of the
new three-part exam. The Professional Certification Board
(PCB) has approved a number of options for individuals to
clear the Part 4 requirement.
Registration for the Part 4 exam can be made until 22
November 2013. However candidates must schedule and
sit for the exam before 31 December 2013.
(Note: The 180-day rule does not apply here.)
ALL OF THE RIGHT PIECES FOR
YOUR CAREER DEVELOPMENT PUZZLE
Enhance your professional value with IIA Certifications:
• Distinguish yourself from your peers.
• Communicate your depth of knowledge in internal auditing.
• Demonstrate your ability to provide assurance, insight, and
objectivity.
Apply for the Certified Internal Auditor® (CIA®)
or one of the IIA’s four specialty certifications today.
Call us today at +603 9282 1148 or email us at [email protected]
Visit www.iiam.com.my for more details
Report Your CPE
It is now time for certified members to report their CPE
for the year 2013. Certified Internal Auditors are required
to fulfil 40 CPE hours while holders of other specialty
certifications are required to fulfil 20 CPE hours.
CPE Reporting Form will be emailed to all certified
members by 17 October 2013. Members must return the
CPE Form to IIA Malaysia by 1 December 2013.
membership
Welcome New Members from June – September 2013
Professional Members (name, membership no.)
Peter Liew Yew Keat (209828)
Ong Joo Sze (209829)
Salwa Che Noor (209848)
Voon Woan Jiun (209866)
Lim Yoong Yan (209888)
Chai Yen Yan (209903)
Tee Siew Poh (209904)
Audra Chung Kit Li (209905)
Hew Li Min (209906)
Jeyanthi A/P Vadivilu (209929)
Chua Kah Chun (209930)
Lim Tian Eu (209946)
Mohd Nasir Haji Mohamud (209949)
Tan Chun Keat (209950)
Associate Members (name, membership no.)
Arun Kumar S/O Murugasu (209830)
Khairul Nazir Rashid (209831)
Mohd Hilmi Isa (209832)
Mohd Faisal Mohd Yunus (209833)
Helmy Omar (209834)
Penny Angeline Attenbrough (209835)
Ng Lay Jyn (209836)
Ng Shi Ping (209837)
Nor Aida Omar (209838)
Chwah Chiew Luan (209839)
A S Sinarao A/L Nagayah @ Nagaraju (209840)
Koh Siew Peng (209841)
Chan Ee Meng (209842)
Allias Alwi (209843)
Mohd Nasir Abdul Manaf (209845)
Rosni Razali (209846)
Akhma Adlin Khalid (209847)
Cheow Kit Yee (209849)
Soriyanie Yusoff (209850)
Ng Jin Sheng (209851)
Ridzuan Kunji Koya (209852)
Mohd Sharil Mohd Noor (209853)
Imran Sadiman (209854)
Shahmir Nordin (209855)
Shazedin Shakir Samawi (209856)
Goh Hui Pin (209857)
Dato' Anuarudin Mohd Noor (209859)
Abdul Halim Abdul Latiff (209860)
Muhammad Sufyan Azmi (209861)
Siti Farahiyah Radzali (209862)
Amnah Omar (209864)
Siaw Yen Jak (209865)
Ting Ching Siong (209867)
Abdul Hadi Fa'at (209868)
Jeferi Darhman (209869)
Nurul Ain Zainal Abidin (209870)
Chong Yi Leng (209871)
Sohana Sulaiman (209872)
Zulkifli Kamarolzaman (209873)
Rahayu Ramli (209874)
Mariah Ahmad (209875)
Hamidah Kamarudin (209876)
Saffrizan Yusof (209877)
Mohd Hanif Mohd Hanapiah (209878)
Maziatun Alimon (209879)
Alshima Abdul Aziz (209880)
Muhammad Muzammil Md Haniffa (209881)
Hanizah Abd Hamid (209882)
Noor Qhaireena Mohd Nasron Ooi (209883)
Samsiah Abdullah (209884)
Stephanie Lim Li Chein (209885)
Zaimah Ismail (209886)
Muahad Amin (209887)
Hong Keh Shin (209889)
Reza Faisal (209890)
Badrul Alfian Tajuddin (209891)
Lee Yin Shan (209892)
Lee Han Leng (209893)
Sharifah Fazlinda Shaik Ismail (209894)
Arfiza Anwar (209895)
Ilyana Bustan (209896)
Sharifah Zawani Syed Ahmad Zaidi (209897)
Nurul Atiqah Johar (209898)
Norfazila Abd Hamid (209899)
Siti Nur Atiqah Mihad (209900)
Mohd Fadhir Ismail (209901)
Asok Kumar A/L Muniandy (209902)
Eric Wong Chung Ing (209907)
Mohd Nizam Mat Noor (209908)
Muhd Hafiz Muhtar (209909)
Kamineswary D/O Pakalan (209910)
Yam Hann Yeong (209911)
Rameeswarran A/L Sinniah (209912)
Lim Siak Ching (209913)
Lim Ker Shin (209914)
Tay Soon Yik (209915)
Chee Huey Min (209916)
Aneza Ismail (209917)
Lim Siow Woei (209918)
Siti Noraini Amin (209919)
Wan Suliani Wan Ismail (209920)
Zulkifli Sulaiman (209921)
Hasrul Farid Hasnan (209922)
Rajwinder Singh A/L Sarman Singh (209923)
Norrulhuda Kulop Alang (209924)
Nurul Hafizah Haji Shahari (209925)
Cornie Wong Kim Fuen (209926)
Lai Kim Fong (209927)
Lee Foong Lee (209928)
Pat Yin Lai (209931)
Chan Jee Peng (209932)
Mohammad Khairi Kamaruddin (209933)
Wan Nur Faaizah Wan Ali (209934)
Hew See Yeing (209935)
Shamini A/P Gangadharan (209936)
Puan Poh Seng (209937)
Muhammad Hafizuddin Jimaain (209938)
Yeoh Boon Pin (209939)
Mohd Hafidz Abd Ghani (209940)
Lim Sok Kiang (209941)
Julinus @ Jeffery Jimit (209942)
Khairur Rejal Zakaria (209943)
Yuen Yoon Ee (209944)
Annie Chui Siew Hong (209945)
Nur Hidayah Othman (209947)
Chai Wan Yin (209948)
Woon Wee Lin (209951)
Divinagracia Dominic Fedilos (209952)
Mary Sii Lee Mieng (209953)
Student Member (name, membership no.)
Michelle Chien Ting Ting (209844)
Ewe Yee Phing (209858)
Upgraded Members (name, membership no.)
Eric Wong U-Jin (206988)
Lau Kui Chin, Charlotte (207064)
Murni Rahayu Mohamad Noh (207682)
Kong Yen Nee (207947)
Yap Sei Chuan (207999)
Diyalakshimi A/P E. Supramaniam (208385)
Chang Thai Yau (208386)
Ong Kean Siang (208941)
Lim Ko Wii (208999)
Toh Boon Yan (209102)
Loo Soo Hooi (209502)
Audit Committee Members (name, membership no.)
Soh Chin Teck (AC0055)
Suen Lam Fu (AC0056)
Corporate Members (name, membership no.)
Teknologi Tenaga Perlis Consortium Sdn Bhd (C0399)
Renew Your Membership!
Have you renewed your membership for 2013?
To ensure uninterrupted services and benefits from IIA Malaysia, do not forget to
renew your membership with the Institute.
4 easy ways to renew your membership:
• Cheque or bank draft made payable to: THE INSTITUTE OF INTERNAL AUDITORS MALAYSIA
• Direct bank-in / Online transfer to the Malayan Banking account no: 5144 0450 1825
(please fax the bank-in slip to 603 9282 1241 with your name and telephone number written on it or scan and
email to [email protected])
• Credit card (please download the authorisation form from the website or request from the Secretariat)
• Online banking: http://www.maybank2u.com.my
(please fax a copy of your online transaction with your name and telephone number written on it or scan and
email to [email protected])
For enquiry, kindly contact Cik Adiha or Pn Shazwani or Pn Siti at (603) 9282 1148 Ext 110
or e-mail to [email protected]
Rejoining fee of RM100 will be charged to members
who failed to renew their membership in 2013
membership
2013 Membership Drive Campaign Result
The Membership Drive Campaign ended on 31 July 2013 and IIA Malaysia would like to
thank the following members for participating in the Campaign:
No Name
Membership
No
No. of
Members
Recruited
No Name
Membership
No
No. of
Members
Recruited
208006
1
1
Dr. Badrul Hisham Mohd Yusoff
206335
5
25
Mohd Yusman Jaafar
2
Syaridatul Ain Mohd Saari
207912
4
26
Mohd Amin Mohd Mongin
209231
1
Mohammed Shukor Ismail
206398
1
1
3
Law Lee Na
208048
4
27
4
Yang Fatimah Kamarulzaman
209165
2
28
Mohamad Hafizee Yaacob
208891
2
29
Mah Siew Hoong, Dennis
207624
1
Magit Anak Semong
208288
1
5
Mokhzaine Mohamad
209234
6
Mohd Sazali Mohd Salleh
209824
2
30
7
Kasmawati Kasian
207308
2
31
Lucas Lin Wen Fon
209559
1
Kee Chin Teck
207271
1
8
Chow Hoe Tong
208436
2
32
9
Bobby Anak Mapi
208707
2
33
Kamarudin Samsudin
206823
1
2
34
Jamal Seron
207220
1
Goh Chin Hong
208135
1
10
Anushia A/P Ganason
208699
11
Zuhairi Ismail
206907
1
35
12
Zalyffah Jiman
207325
1
36
Fazillah Md Yusof
209731
1
David Tian Kok Siong
208904
1
1
13
Zalfitri Abd. Mutalip
208737
1
37
14
Suriani Mohd Maideen
208471
1
38
Leong David @ Leong Sze Khiong
206937
1
39
Daniel Khoo Kok Hau
207979
1
Chong Vai Ming
207950
1
15
Suresh Dharamdas
206400
16
Stephen A/L Nelson Anandaraj
208101
1
40
17
Angeline Sim Hui Ngo
209464
1
41
Ch'ng Set Hoon
208700
1
Chin Suan Yong
209338
1
18
Shariffa Isnanie Mohd Idris
209433
1
42
19
Shanthan Sanmugam
208541
1
43
Chew Bee Suan
207088
1
1
44
Catherine A/P Annanda Robert Victor
209416
1
Benny Lee Lye Hock
207501
1
20
Pang Nam Ming
209399
21
Ong Ron Nee
205514
1
45
22
Ong Poh Soon
208439
1
46
Azmir Abdul Aziz
207687
1
47
Ahmad Faizal Hamdan
208802
1
23
Nurulhuda Abdul Kadir
206362
1
24
Norliza Ahmad
208382
1
membership
Members’ Networking Session Cum Hari
Raya Gathering In Johor Bahru
IIA Malaysia, together with the Southern Region Networking Committee organised
a Networking Session cum Hari Raya Gathering on 5 September 2013 in Mutiara
Johor Bahru. The event was planned as one of the activities for members within the
region to get together for a time of sharing. 37 members attended the Session.
The programme began with a moment of silence as a mark of respect to our Past
President, Allahyarham Tuan Haji Abdul Razak Haron, who passed away on 13
August 2013. Then, a briefing was given on the Networking
Committee’s activities, upcoming events of the Institute, and the launching of the
Networking Facebook. The Facebook received twenty hits instantly. The
Networking Committee Facebook was set up as a medium to update the members
on the activities carried out and as an alternative communication medium.
The highlight of the Session was a presentation by Lee Fook Sun, Senior Manager
of Corporate Services, IIA Malaysia, who spoke on Financial Auditing in Internal
Audit Environment. Backed by his past experience and knowledge, Lee was able to
capture the audience’s attention instantly. The participants were exposed to issues
such as the need to assess financial impact when performing an audit, quantification
of monetary impact and fraud. These areas were seen as the current expectations of
the Management and will remain as the challenges for Internal Auditors
in the coming years.
The participants paying attention to the
speaker’s explanation
The secretariat staff led the Ice-breaking session. Participants were actively
engrossed in the event. The session ended with hi-tea and networking.
The Johor Working Committee would like to express its appreciation to all who
supported and assisted in making the event a very meaningful and memorable
one. We would also like to take this opportunity to apologise for any shortcomings.
By Johor Working Committee
Groups working closely to beat the clock during
the ice-breaking session
Industrial Visit To Zara Foodstuff Industries
One of the activities organised by Johor Working Committee was an
industrial visit to one of the leading food product manufacturers in
Malaysia located in Johor Bahru. About 20 members led by S. Subhash
Chandran K. Sekaran Nair, Chairman of Johor Working Committee
together with our Past President, Allahyarham Tuan Hj Abd Razak Haron
joined the visit to the new plant located at Kawasan Perindustrian Larkin,
Johor Bahru.
Zara Foodstuff Industries manufactures food products such as soy, chili
and tomato sauces, as well as kaya under the brand of Kipas Udang. The
company commenced its operation in 1987. To date its products have
become the preferred choice of not only the Malaysian, but also the ASEAN market.
During the visit, we were briefed on the production by the Plant and
Quality Manager, Encik Nazri Ismail. Then we were brought to walk
around the production plant and the production process was explained to us.
We were amazed by the cleanliness of the production plant. The management of Zara Foodstuff places strong emphasis on
quality in line with its vision ‘Quality Excellence, Our Aspiration’. Zara Foodstuff has obtained ISO 9002 Certification as a recognition of
their vision. Its yearly turnover capacity is RM80-100 million and it creates job opportunities for 300-400 employees.
We took a few photos during the visit. The visit was the most memorable event for the Southern Region members since Allahyarham Tn Hj
Abd Razak bin Haron was together with us on that day. We plan to visit other places and hope this activity will become our annual event
in the future.
By Johor Working Committee
membership
Career
NAZA World Group of Companies, Malaysia’s largest and prestigious importer of
luxury automobiles, was originally founded in 1975. As importer and distributor of
automobile brands such as Ferrari, Brabus and Maserati, Mercedes-Benz,
Chevrolet, Harley-Davidson, Ducati and Vespa, Naza has grown into one of the
conglomerates in Malaysia. Naza has diversified its business into a variety of
prominent industries which include property development, assembling and
distribution of motorbikes, transport & logistics services, finance & insurance and
agriculture.
NAZA is continuously enhancing efforts to grow its business internationally, driving
our competitive strengths to deliver customer needs. We are on the lookout for
passionate, dedicated and innovative talents with the right attitude to support our
aspirations and together push boundaries to achieve success.
ASSISTANT GENERAL MANAGER – INTERNAL AUDIT
MANAGER (TEAM LEADERS) – INTERNAL AUDIT
Main Job Responsibilities:
• Reporting to the Head of Group Internal Audit (“HoGIA”);
• You will be assisting the HoGIA to prepare and recommend annual audit plans and annual
departmental budget to the Internal Audit Committee (IAC) for approval;
• You will be assisting the HoGIA to develop and implement risk assessment methodology,
Internal Control Questionnaires (ICQs) and audit programs, and compliance with internal
audit standards;
• To plan, organize, co-ordinate and manage audit assignments from planning till post audit
follow-up stage as per the approved audit plan, and according to the Standards for the
Professional Practice of Internal Audit;
Main Job Responsibilities:
• Reporting to the Assistant General Manager;
• To lead and manage the respective internal audit team;
• To assist the HoGIA to present completed audit and work in progress reports to the IAC;
• To perform ad hoc audit assignments as and when required;
• To assist the HoGIA to educate and share with the stakeholders namely, auditees and senior
management the importance and benefits of having a sound controls and risk management
framework and practices.
(BASED IN PETALING JAYA)
Key Attributes for the Job Holders :
• A recognized degree holder in Accounting/Business/Finance/Law and/or a recognized
professional qualification such as CIA/CACA/CPA, and a member of IIAM/MIA;
• At least 10 years risk-based audit experience in financial and operational audits with a
recognized audit firm and/or with established companies preferably in the automobile
(4-wheel and/or 2-wheel) industry;
• Knowledge of risk management, SOPs, processes and corporate governance;
• High integrity, strong analytical, inquisitive, communication (both written and oral in English)
and presentation skills, strong interpersonal skill with a pleasant and matured personality,
proactive, results oriented, computer literate;
(BASED IN PETALING JAYA)
Key Attributes for the Job Holders :
• A recognized degree holder in Accounting/Business/Finance/Law and/or a recognized
professional qualification such as CIA/CACA/CPA, and a member of IIAM/MIA;
• At least 5 years risk-based audit experience in financial and operational audits with a
recognized audit firm and/or with established companies preferably in the automobile
(4-wheel and/or 2-wheel) industry;
• Knowledge of risk management, SOPs, processes and corporate governance;
• High integrity, strong analytical, inquisitive, communication (both written and oral in English)
and presentation skills, strong interpersonal skill with a pleasant and matured personality,
proactive, results oriented, computer literate;
• Willing to travel and possess own transport
The successful candidates can expect an outstanding career challenge and a competitive remuneration package commensurate with experience and qualifications. Interested candidates are invited to
forward their job application covering letter with a complete resume/curriculum vitae including personal particulars, academic qualifications, working experiences, contact number, and a recent
passport-sized photograph to [email protected] by 15th November 2013.
Only shortlisted candidates will be notified.
Did You Know…
Upon completing three years of internal auditing
working experience and holding a professional qualification
that is recognised by Global IIA, you may upgrade your
membership category from Associate to Professional
Member. As a Professional Member:
• You are permitted to use the designatory letters of CMIIA
which stands for Chartered Member of The Institute of
Internal Auditors Malaysia after your name.
• You will have voting rights during the IIA Malaysia Annual
General Meeting.
• You are eligible for a leadership position on the main
Board of Governors of IIA Malaysia and may also serve on
any of the sub-committees.
WE NEED YOUR CONTRIBUTIONS!
Members with writing talent, here’s the opportunity
to share your thoughts with your friends in the
internal audit fraternity. The Editorial Board welcomes
contributions from members. We accept articles,
short stories, jokes, tips, etc.
We encourage submission of fraud findings and audit
stories that reflect the new age of internal auditing –
those that emphasise best practices, use of technology
and value-added results. If your article is published, you
will be awarded a token from IIA Malaysia.
new releases
COSO Internal Control – Integrated Framework: Turning
Principles into Positive Action
Larry Rittenberg, COSO’s chair emeritus, provides a high-level overview that will help internal
auditors in all industries to quickly identify the implications for their organisations.
For the internal auditor, there are seven changes in the updated Framework that will affect (1) the
scope of internal audit activities and (2) the nature of internal audit work, including the need for
more judgment by the auditor and the documentation of audit assessments — especially as related
to the evaluation of internal control over external financial reporting. The updated Framework:
1. Replaces the financial reporting objective with the broader objective of reporting, thereby
expanding both the scope of reporting and the media by which reporting may be done.
2. Emphasises the relationship between objectives, risks, and internal control. Internal control exists
to reduce or mitigate risks to an acceptable level.
3. Emphasises the integrated nature of internal control (i.e., an evaluation of the effectiveness of
internal control must consider how all five components operate together to achieve objectives).
4. Introduces a "principles" approach to evaluating each component of the internal control
framework.
5. Makes explicit the need to assess fraud risk (i.e., fraud risk is set out as a part of risk analysis that
is required).
6. Expands discussion of the importance of the compliance and operations objectives, and
reiterates that principles of good internal control are appropriate for operations and compliance
objectives.
7. Updates guidance in emerging areas such as IT, organisational relationships and dependencies,
and monitoring.
This publication is designed to be a companion piece to the 2013 COSO Internal Control – Integrated
Framework and should not be viewed as a replacement for in-depth study of the updated
Framework. It outlines implications for internal auditing and suggests ways in which internal
auditors might also play a leading role in educating key members of management on how the
organisation might address changes suggested in the updated Framework. It also identifies the
need for internal auditors to use informed judgment to assess the design and operation of internal
control, as well as opportunities to make internal control both more effective and efficient.
Because controls are everybody’s business, this book will help anyone responsible for internal
controls understand:
• The major changes in the Framework.
• How the changes will impact decisions made by internal auditors, audit committees, boards, and
management.
• The increased need for subjective analysis and evidence when auditing controls.
• New approaches for external financial reporting and IT controls.
• The shift toward more attention on operational and compliance objectives.
• How to communicate the changes to internal audit staff, audit committee members, and
management.
• The implications for frameworks outside North America.
This brief, easy-to-read piece is an indispensable companion for the 2013 revision of COSO’s Internal
Control - Integrated Framework.
new releases
Internal Auditing: Assurance & Advisory Services, Third Edition
This book continues to be the premier international textbook that supports the fast-growing global profession
of internal auditing. Written through the collaboration of educators and practitioners, this textbook serves as a
cornerstone for internal audit education. It covers key fundamentals of internal auditing that can be applied in
an ever-changing business world, serving as a reference and training tool for internal audit practitioners.
The textbook is organised in three sections: Fundamental Internal Audit Concepts, Conducting Internal Audit
Engagements, and Case Studies. It is accompanied by a DVD-ROM containing case studies, The IIA’s Code of
Ethics and International Standards for the Professional Practice of Internal Auditing, and the leading generalised
audit software packages, ACL, IDEA, and CCH TeamMate.
The third edition has been updated to reflect:
• The latest release of The IIA’s International Professional Practices Framework (IPPF) and COSO’s updated
Internal Control – Integrated Framework.
• Emerging practices relating to governance, risk management, and control.
• The Three Lines of Defense model and how internal audit is positioned to add value within it.
• Emerging IT-related concepts and references to new Global Technology Audit Guides (GTAGs), the Guide to
the Assessment of IT Risk (GAIT), and COBIT® 5.
• Fraud guidance provided in Managing the Business Risk of Fraud: A Practical Guide (cosponsored by The IIA,
the AICPA, and the ACFE).
• A customised approach to conducting consulting engagements, which aligns with the latest IPPF.
• Internal audit’s use of TeamMate, the most widely used audit management software (included on a DVD-ROM).
The third edition of the textbook includes several significant changes:
• The first and most obvious change is the title of the textbook. The previous two editions were titled Internal
Auditing: Assurance & Consulting Services, but the name was changed for this edition to Internal Auditing:
Assurance & Advisory Services. The authors have noticed a shift around the world in the language used to
refer to non-assurance services provided by internal auditors. Many now refer to such services as "advisory"
services, a term that is widely believed to be descriptive of the non-assurance services provided by internal
auditors and is less likely to be confused with services provided by outside service firms for a fee. However,
while the title of the textbook was changed to reflect this shift, references within the textbook continue to
refer to "consulting" services because, as of the date this edition was published, that is the term used in The
IIA's Definition of Internal Auditing and throughout the International Standards for the Professional Practice
of Internal Auditing (Standards).
• Chapter 1, "Introduction to Internal Auditing," starts off with a discussion of the internal audit value
proposition. The discussion is focused on how internal audit functions can add value to their organisations
through the insight they provide. This concept is reinforced throughout the textbook with exhibits in
applicable chapters that offer ways for internal auditors to provide insight regarding the topics addressed
in the chapters.
• Chapter 2, "The International Professional Practices Framework: Authoritative Guidance for the Internal Audit
Profession," has been updated to include a discussion of the relationship between the value proposition
and the IPPF. It has also been updated to reflect the current process for keeping professional guidance
current, including the committees involved and how updates to the guidance are initiated, developed,
issued, and maintained.
• Chapter 3, "Governance," introduces the Three Lines of Defense Model and provides guidance on how the
model can be used to understand the various areas within the organisation that provide assurance and to
effectively layer those assurance areas to contribute to strong governance.
• Chapter 4, "Risk Management," has been updated to include a discussion of the International Organisation
for Standardisation's (ISO's) International Standard 31000:2009(E), Risk management — Principles and
guidelines (ISO 31000) and the risk management guidance it provides.
• Chapter 6, "Internal Control," has been revised to reflect COSO's updated Internal Control — Integrated
Framework.
• Chapter 7, "Information Technology Risks and Controls," has been revised to cover emerging developments
in technology such as social media, big data, cloud computing, and bring your own device (BYOD). This
chapter also pulls in newly issued Global Technology Audit Guides (GTAGs) included in the IPPF and refers
to ISACA's newly released COBIT® 5.
• Chapter 8, previously titled "Fraud Risks and Controls," has been retitled "Risk of Fraud and Illegal Acts." The
distinction between fraud and illegal acts is discussed as are the risks and appropriate risk responses
associated with each.
• Chapter 9, "Managing the Internal Audit Function," continues the discussion regarding coordination of
assurance activities that begins in chapter 3, but from the perspective of managing the internal audit function.
• Chapter 15, "The Consulting Engagement," discusses the internal audit value proposition in terms of the
insight that the internal audit function can provide through consulting services.
• The end-of-chapter review questions have been expanded to more thoroughly cover the major concepts
addressed in each chapter, including the new material. New multiple-choice and discussion questions have
been added for selected chapters.
• TeamMate audit management software has been integrated in applicable textbook chapters. TeamMate
case studies include demonstration videos that introduce readers to the ways TeamMate can be used to
streamline internal audit processes and exercises that provide opportunities for readers to gain hands-on
experience with the software.
This third edition promises to build on the success of this bestseller, significantly contributing to the internal
audit profession’s body of knowledge and introducing readers to the dynamic world of internal auditing.
Seminar on Governance Risk Management and Effective Internal Control
IIA Malaysia in collaboration with ACCA Malaysia organised a 1 day workshop on “Governance, Risk
Management and Effective Internal Controls” on 2 July 2013. The workshop was conducted by Ramesh Ruben
Louis at Tanahmas The Sibu Hotel and attended by 22 participants. This interactive seminar stirred active
participation in discussions and case studies among participants. It is designed to promote good governance,
apply proper risk management and effective internal controls.
Beginning Auditor Tools and Techniques Workshop
IIA Malaysia organised a four-day workshop on “Beginning Auditor Tools and Techniques” on 19 – 22 August 2013 to 24 participants at Seri Pacific Hotel, Kuala Lumpur. The workshop was conducted by Shanmugam M. Through team exercises, group discussions, and trainers’ presentations, participants gained a foundation of knowledge that allowed them to prepare properly for and conduct a successful audit, using preliminary surveys and evidence-gathering techniques. A basic understanding of how to identify risks and internal controls in auditing was stressed, along with interpersonal and team-building skills.
Workshop on Internal Audit Report Writing: Improving Mindset, Clarity, Focus, and Brevity for Greater Impact to Clients
Brought back by popular demand, a two-day workshop on “Internal Audit Report Writing: Improving Mindset, Clarity, Focus, and Brevity for Greater Impact to Clients” was organised on 17 – 18 July 2013. The session was attended by 20 participants at Concorde Hotel, Kuala Lumpur. The workshop was conducted by Steven Yee and tailored for audit professionals to gain from knowing that it is vital to appreciate the larger picture of the audit findings in relation to the business risk and governance practices before putting their thoughts in systematic writings to convince their client to adopt changes to better the business processes and risk management countermeasures. The workshop also covered the ability to correctly identify root cause for each finding so that proper remedy can be prescribed to strengthen the internal control system.
ALL SIGNS POINT TO THE TRAINING EXPERT
Call us today at +603 9282 1148 or email us at [email protected]
Visit www.iiam.com.my for our Training Calendar
It was a great experience to be part of the “One
World, One Profession, One Destination”, 2013
IIA International Conference, Orlando. The
conference program was truly beneficial and
the knowledge shared was related to the latest
internal audit practices. The speakers from all
parts of the internal audit diaspora were
experienced and provided current insights on
the profession.
The president of IIA Malaysia, Ranjit Singh,
being the internal audit expert from Asia, was
also a speaker at this conference. He shared
with the internal auditors on his area of expertise titled
Developing and Implementing Fraud Risk Assurance Map.
I was also excited with the networking opportunities, to
mingle with over 2,000 internal auditors from 110
countries who attended the conference. The interaction
with fellow internal auditors and sharing of knowledge
and experiences were priceless.
Contributed by:
Leo Pui Yong
Senior Manager,
Transmission Unit, Internal Audit
Tenaga Nasional Malaysia
Disclaimer
Opinions expressed herein do not necessarily represent those of IIA Malaysia. Neither the IIA Malaysia nor the Editorial Board is responsible for the accuracy
of any statement, opinion or advice contained herein. Readers should rely on their own due diligence in making decisions concerning any matter herein. All
materials in any form contained herein are copyrighted by IIA Malaysia. Reproduction and/or storage and/or retrieval in whole or part in whatsoever
manner is not permitted without the written consent from IIA Malaysia.
Publisher: The Institute of Internal Auditors Malaysia
Typesetting: Bluefish Design
The Institute of Internal Auditors Malaysia was proud to host its annual event, the 2013 National Conference on Internal Auditing, on 23 – 24 September 2013 at the Kuala Lumpur Convention Centre. The conference, themed “Scaling Greater Heights: Adding Value”, saw the participation of over 800 internal audit and risk professionals from organisations throughout Malaysia, ASEAN countries as well as other parts of the world.
OPENING CEREMONY
The conference commenced with the welcome address by Ranjit Singh, President of IIA Malaysia, touching on the continuous challenge for internal auditors to add value and improve the organisation’s operations through recommendations of best practices, in addition to evaluating and improving the effectiveness of risk management, control and governance processes. Such challenges have increased the expectations of corporate stakeholders throughout the world, and through the National Conference on Internal Auditing as a learning platform, IIA Malaysia aims to further enhance knowledge sharing among internal auditors in scaling greater heights and adding value to their organisations.
YB Senator Datuk Paul Low Seng Kuan, Minister in the Prime Minister’s Department, delivered the keynote address and officiated the opening of the conference. He stated that the internal audit profession has changed considerably over time to meet the challenges of modern economy and the complexity of commerce. The skill sets that are required for the profession are more than assessing compliance to internal controls and procedures – it also requires formulating risk based preventive strategies and mitigating measures.
Datuk Paul Low further added that it is imperative that internal auditors embrace modern technology to enhance capability in monitoring and mitigating risks. Therefore, the internal auditor today must be a highly competent person with impeccable character and integrity. As such, he would seek to pursue recommendations to legislate the internal audit profession in Malaysia in the near future, thus making it mandatory for all internal auditors to be registered and comply with professional standards. This would ensure that internal audit functions are staffed by professional and competent internal auditors.
PLENARY SESSIONS, MASTER CLASSES, FORUM AND TRACKS
With a panel of respected speakers from around the world, the 2013 National
Conference saw speakers presenting insights on governance, risk and control with
regards to emerging issues and trends currently challenging the profession on a global
level. Leading the line-up of speakers at the conference was Mr Lawrence Harrington,
Vice Chairman of IIA Global.
There were a total of 16 plenary sessions, master classes, CAE forum and tracks
featuring 22 prominent speakers, panelists and moderators from Malaysia and abroad.
The 4 plenary sessions held on the first day encompassed the following
topics:
• Adding Value: Our Customer’s Perspective
• Too Many Bosses, Too Few Leaders
• Scaling Greater Heights: Adding Value
• Why Auditors Do Not Discover Fraud
The second day of the conference featured 3 concurrent master classes, a CAE
forum and 8 tracks focusing on the following topics:
• Master Class A: Raising the Floor of IT Auditing in the Age of Emerging
Technology
• Master Class B: Aligning Leadership Accountability and Corporate
Performance with GRC
• Master Class C: Strategic Thinking
• CAE Forum: Three Lines of Defence in Effective Risk Management and Control
• Embracing COSO 2013 – A “Value Added” Approach to Strengthen Your
Internal Control System
• The Evolving Role of Internal Auditors in Risk Management and Internal
Control
• The ASEAN Corporate Governance Scorecard: Opportunities for Enhancing
Governance Across the Region
• Business Insights: The 3 Wise Men of Information
• Effecting Change and Adding Value in Partnership with Audit Committees
• Integrated Assurance – Internal Audit and Enterprise Risk Management
Working Together
• Rising Up to the Challenge of Assessing Board Governance by the Internal
Audit Function
• Automation Best Practices: Tips from Leading Experts and Organisations
NETWORKING DINNER - An Evening with Jason Lo
An informal networking dinner was held in the evening of the first day of the conference
to encourage networking among the conference delegates and speakers. The audience
were inspired by the talk entitled ‘From Rock n Roll to CEO’ presented by Jason Lo. Jason
shared his fascinating experience from his early days till how he got to being the CEO of
TuneTalk, and interacted well with the crowd. One lucky delegate won tickets to the Kesha
Warrior Tour Concert courtesy of TuneTalk for having the highest number of followers on
social media such as Facebook, Twitter, YouTube and Instagram amongst those present.
SPONSORSHIP, EXHIBITION AND SUPPORTING BODIES
2013 National Conference – Sponsors
1 TeamMate AsiaPacific (Platinum)
2 KPMG (Gold)
3 EY (Silver)
4 CIMB Group (Silver)
5 Columbus Advisory (Bronze)
6 Telekom Malaysia (Bronze)
7 PricewaterhouseCoopers (Bronze)
8 Salihin Consulting (Bronze)
9 AFTAAS (Bronze)
10 ACL Services Ltd (Bronze)
2013 National Conference – Other Exhibitors
1 BusinessWare Solutions Pte. Ltd.
2 MKinsight
3 ISACA
4 Thomson Reuters Accelus
5 Majlis Kanser Nasional (MAKNA)
In addition to the conference sponsors and exhibitors, IIA Malaysia received support from
Jabatan Audit Negara, Securities Commission Malaysia, Bursa Malaysia, Companies
Commission of Malaysia, Malaysian Institute of Accountants, ACCA, CPA Australia, CPA
Malaysia, CIMA, ISACA and Institute of Bankers Malaysia.
Conference delegates were seen dropping by the respective booths and getting to know
the latest products and offerings from the sponsors/exhibitors. The delegates also visited
the IIA Malaysia booth to view the latest IIA publications and enjoyed discounted prices
for on-site purchases.
The 2013 National Conference was a huge success with the help of fellow sponsors,
exhibitors and supporting bodies, and the wide array of topics led by the distinguished
speakers was well received by the conference delegates.
By: Lim Wei Hong, CIA, CCSA, CFSA, CRMA, CMIIA
Audit Purchasing for Contemporary Business Workshop
A two-day workshop on “Audit Purchasing for Contemporary Business” took place on 28 – 29 August 2013. The session
was attended by 12 participants at Concorde Hotel, Kuala Lumpur. The workshop was conducted by Captain Abdul Manan Mansor.
The session enabled participants to understand the close correlation of audit purchasing and marketing process. In addition,
they managed to understand the direct impact of the correlation to the bottom line in an organisation.
Workshop on Technology Governance for the Auditor
IIA Malaysia in collaboration with ISACA Malaysia Chapter organised a workshop on “Technology Governance for the Auditor” on 17 – 18 September 2013 to 24 participants at Concorde Hotel, Kuala Lumpur. It was one of the topics promoted under The International Speakers Series. The workshop was conducted by Alan Simmonds to share with the participants an introduction to IT governance specifically using the world’s foremost IT Governance Framework, COBIT® 5, and how this can support their activities across IT audit initiatives. It reminded the participants that understanding the challenges information technology poses for nearly every organisation is necessary for all auditors – in particular it is necessary to bring together an understanding of COBIT® 5 in terms of risk, control and audit.
[Photo captions: Processing some thoughts; Alan was sharing some key information on IT Governance; Participants from various industries]
TRAINING CALENDAR 2013
October
28 - 29 | Risk-based Auditing and Reporting | Kuala Lumpur
28 - 31 | Beginning Auditor Tools and Techniques | Kuala Lumpur
29 - 30 | Fundamental Skills in Information Systems Auditing | Kuala Lumpur
November
11 | Governance, Risk Management and Effective Internal Controls* (NEW) | Kuala Terengganu
11 - 14 | Audit Manager Tools and Techniques | Kuala Lumpur
12 - 13 | Financial Auditing for Internal Auditors | Kuala Lumpur
13 - 14 | Value-Added Business Controls : The Right Way to Manage Risks | Kuala Lumpur
18 | Governance, Risk Management and Effective Internal Controls* (NEW) | Kota Bharu
18 - 21 | Leadership Skills for Auditors | Kuala Lumpur
18 - 20 | High-Impact Operational Audit of Human Resource Management | Kuala Lumpur
20 - 21 | Consulting : Activities, Skills & Attitudes | Kuala Lumpur
25 - 26 | Internal Controls for Accountants and Auditors* (NEW) | Kuala Lumpur
27 - 29 | IT Audit and Control - From Theory to Practice (NEW) | Kuala Lumpur
27 - 28 | Internal Audit Report Writing: Improving Mindset, Clarity, Focus, and Brevity for Greater Impact to Clients (Previously known as Effective Audit Report Writing) (NEW) | Kuala Lumpur
December
2 - 3 | Performing an Effective Quality Assessment | Kuala Lumpur
2 - 5 | Beginning Auditor Tools and Techniques | Kota Kinabalu
4 - 5 | COSO 2013: Implementing the Framework (NEW) | Kuala Lumpur
5 | Governance, Risk Management and Effective Internal Controls* (NEW) | Ipoh
4 - 5 | Related Party Transaction Audit : Internal Control, Risk & Disclosure Requirements | Kuala Lumpur
9 - 11 | Setting-Up and Managing an Effective Internal Audit Function | Kuala Lumpur
16 - 17 | Financial Auditing for Internal Auditors | Kuala Lumpur
16 - 19 | Beginning Auditor Tools and Techniques | Kuala Lumpur
* This seminar/workshop is in collaboration with ACCA Malaysia.
For further information on our training programmes, please visit our website: www.iiam.com.my
IIA Members always pay less for
IIA Training and now can save even more
by registering early for public programmes.
technical
The Evolving Role of Internal Auditors in Risk Management and Internal Control
By David SK Leong
The Relationship between Internal Audit and Risk Management
I pose this question to you. Imagine we are on a car rally race
across the wilds of Africa from Cairo, in Egypt to
Johannesburg in South Africa.
We have to travel in a suitable vehicle, be it a rally car or a
four wheel drive vehicle but the objective is to get to
Johannesburg in one piece, without breaking laws and
preferably ahead of other car teams. And we have to do this
without being eaten by lions or crocodiles on the way.
You pretty well get the picture.
Now suppose one of us, the driver, is French, speaks only
French and the other, the navigator or back-up driver is
Chinese and speaks only Chinese. Both also are strong
characters and want to drive the car, have different ideas, use
different maps and differ on the route to Johannesburg. We
do not agree entirely on the type of car, who drives and
when, the exact route and the equipment we need. We can’t
agree fully on the strategy, the risks of the journey and there
is some suspicion between us over the sharing of the prize.
What are our chances of getting to Johannesburg, much less
ahead of others in one piece and in great shape?
You may say the whole idea of the situation is ludicrous. But
then, isn’t that what many organisations notably financial
institutions are doing? Internal audit and risk management
functions are “reading different maps and speaking different
languages.” Most times, so are compliance and operations
functions, with the latter, most times being often totally
confused. And do we get it right in the end? Hardly.
Where are we as a profession?
A Financial Times editorial recently reported that a survey of
the largest global banks revealed that the average
cost-to-income ratio had remained at 60% which is the same
as in 2011, despite that no major bank had dared to present
a strategy to their shareholders without a cost cutting plan.
With all the pressure now to strengthen compliance control
and risk management in general, costs are likely to grow
even if the banks can resist a ramp-up of staff figures and opt
for the use of IT based systems.
I did a simple survey of the Malaysian banks and was
unusually successful to get nine responses. The results give a
revealing glimpse of the situation in Malaysia:
1. All the banks surveyed except one say that risk management has a different risk framework.
2. All the Banks except one have internal audit and risk management still operating at arm’s length.
3. In two, the internal audit and risk management functions have IT-based systems but the systems for risk management and internal audit are not integrated.
4. Only four of the banks’ internal audit functions acknowledge they use The IIA’s International Professional Practices Framework (IPPF).
5. All banks except two still use MS Excel-based systems to do their risk management activities.
6. Two banks are not using the COSO framework with one focusing mainly on complying with the Bank Negara regulations.
7. Only one bank is actively collaborating closely with risk management and actively integrating the same risk methodology across risk management, internal audit and compliance.
8. All the banks’ CAEs agree that integration between risk management and internal audit systems will be good but except for two, they have no plans to integrate risk management and internal audit systems.
The Causes
What are the causes of this situation?
From the survey, the main suspected root cause for this divide between the two functions is internal audit’s thinking that “We are different” or “We are independent.”
This is the “myth” of independence or rather of objectivity. I believe many internal auditors associate thinking along the same lines as risk management with impairment of their independence. But I would like to argue that independence is a matter of the reporting structure. As for objectivity, the late Lawrence Sawyer, the father of modern-internal auditing, once said “Objectivity is a matter of the mind.” (Indeed my research on risk management and internal auditing literature and papers issued basically revealed no differences in the approaches in managing risk.)
In fact the guidelines of Bank Negara Malaysia (BNM) governing the audit function (BNM/RH/GL 013-1, Part 1 Section 7.1) clearly states that internal audit’s objectivity will not be compromised in an assessment even though internal audit’s opinion as a consultant had been sought earlier on.
Moreover, the IIA Research Foundation had issued a paper on “Internal Audit’s Role in Risk Management” in March 2011 which stated effectively internal audit can do the following:
1. Facilitating identification and evaluation of risks;
2. Coaching management in responding to risks;
3. Maintaining and developing the Enterprise-wide Risk Management (ERM) framework;
4. Championing the establishment of ERM;
5. Consolidating the reporting of risks; and
6. Developing the ERM strategy for Board approval.
Figure 1 illustrating “IA’s Role in Risk Management” is reproduced above.
Why then, are so few internal audit functions not talking to
their risk management counterparts and collaborating to
integrate with risk management when we already have
been given the licence? Effectively, I am saying there is
now no independence excuse to prevent internal audit
from working with risk management.
The Leadership Dilemma
Is there a leadership vacuum? The IIA Research Foundation
in 2011 revealed that only 23% of audit committees require
internal audit to give an opinion on the overall risk
management process. And only 45% ask for internal audit’s
recommendations and advice on enhancing the risk
management process. Are our audit committees not aware
of this? Maybe, but it can be argued that a more progressive
Chief Audit Executive (CAE) should demonstrate better
leadership by influencing the audit committee to bring
about this collaboration.
Can the CAE lead this initiative? According to the “IA’s Role
in ERM” paper, yes. This is allowed so long as the internal
audit function does not make the decisions and own the
system.
The “We are different” Excuse
All the banks surveyed except one say that risk management has a different framework.
Of these banks, one is now working with risk management on a common framework and one other bank thinks that collaboration is already in place although its internal audit and risk management systems are not integrated.
Overall, the results show that the trend is still one of the two divisions in question thinking quite separately in silos. The responsibility for this sad affair seems to be shared. This was the same result as the 2013 Grant Thornton’s survey of 330 CAEs in the United States which concluded that “there is plenty of room for better integration.”
I would like to propose the use of a well-known framework such as COSO to bring internal audit and risk management closer and talking to each other. The assessment of risks, audit programmes and audit ratings should follow the COSO framework because they give a “cause-and-effect” framework. The COSO framework helps one see the possible knock-on effect of the failure of each control on the others. I have worked before with the UK Governance Code but it is very difficult to use to arrive at a convincing logical conclusion as to the causes of the deficiencies. If I have to use the UK Code today, I would try to integrate the Code components into the COSO framework, or if other auditors prefer, the ISO 31000 framework.
COSO makes it much easier to understand which risks are important because the components are critical and integrated with other internal control components towards achieving the corporate objectives. When you assess systems, you are really assessing a collection of interconnected parts which together form an integrated whole. By satisfying the five internal control components of COSO; Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring; you would be better able to assess whether the system is working effectively as a whole. That is what I have learned in my Sarbanes-Oxley work which requires organisations to design a system of controls for financial reporting and for which the COSO framework fits the bill.
If any one or more of the components are materially deficient, then it should become obvious to all that internal control cannot be assured and where it should be fixed. There are a lot of COSO Guidance papers since 1994. The latest is the paper on the 17 principles of COSO, released in May 2013. This publication states the seventeen principles which should make up the five internal control components and hence enables a more consistent and more accurate assessment.
The above benefits of using a common framework should be “sold” not only to risk management but to management as a whole. When all stakeholders are on the same playbook, many of the conflicts and friction encountered in the journey towards reasonable assurance will be avoided.
Governance, Risk and Compliance (GRC) Systems
Previously in the early 2000s, it would have been challenging for internal audit functions to collaborate with the risk management functions. Risk management processes were invariably captured on MS Excel spreadsheets while internal audit processes were not much better off.
Today, there are Enterprise-wide Risk Management (ERM)/GRC IT-based systems which come nearly fully intact or “off-the-shelf” which only need minimal configuration. The leaders in this software genre come fully configured or compatible to incorporate the COSO ERM (2004) framework or the ISO 31000 framework.
Integration between internal audit, risk management and compliance functions is the main objective of such systems so that the risks are assessed, controls designed, implemented, reported and audited using a similar terminology and process, based on the same information residing in one database.
The most obvious benefit is that internal audit can better track the process of risk assessment through to control design and implementation, and onwards to reporting. If the risk management steps are embedded and logged in an IT system, internal audit can more effectively and efficiently assess the risk management system and then test the results. Continuous auditing will also be possible without necessarily having to physically visit remote sites or the risk management division.
The ERM or GRC system opens up new audit methodologies and economies. The hitherto “impossible” becomes possible. When internal audit has more than one hundred branches or
entities to audit, knowing you have a system which requires and guides operations staff to perform disciplined but easy-to-do risk assessments to manage their own risks is half the battle won. The benefits to risk management are also enormous. They can do so much more with a GRC or ERM software system. The system is usually web-based and hence much of the hitherto connectivity issues encountered by banks in the past are now history.
Internal audit’s mission after all is to improve operations. Internal audit wants the whole organisation to do the risk assessments easily, correctly and to own the risks. Risk management will supervise that the operations staff do this correctly. As auditors, we will check that the system is working and that no new risks have been left out.
How to Integrate Internal Audit and Risk Management
How do we integrate/collaborate between internal audit and risk management? First of all, realise that no worthwhile project can hope to succeed without a powerful sponsor. Hence:
1. The CAE has to create awareness and influence the top management, audit committee and the board risk committee.
2. There should be only one definition of risk. The ISO 31000 definition of risk is “uncertainty over objectives,” which means, when applied to organisations, “the probability of events that will hamper or stop the organisation from achieving corporate objectives.” I consider this to be the best definition because it allows us to prioritise risks.
3. Make it clear that risk is measured in terms of probability and impact in the organisation. It is the correct formula for organisations and can be understood by all. Conduct ERM training courses for other divisions, if necessary.
4. Make sure that your audit procedures adhere to the attribute and performance standards of the International Professional Practices Framework. This will ensure your methodologies can be easily mapped over to the IT-based ERM/GRC system.
5. Internal audit and risk management (and compliance) have to agree to adopt the same risk methodology or framework, and therefore prevent confusion and duplication of work.
This is the challenge. If internal auditors want to add value, they should be great strategists too. Internal auditors should not be content just to propose incremental change and improvement. Instead we should be bold and go for transformational change and honestly, no great change can come without some effort.
In the past, the internal auditor’s main mission was to finish his audit fieldwork, issue the report and hopefully complete all scheduled audits for the year. This is no longer acceptable. Internal audit’s role is evolving and it should be towards a strategic role. This can be best summarised by the following comment at a Harvard University event:
“…, a temporary data center outage can result in a short-term problem…... Other more significant risk events can be catastrophic, ….. that can not only impair an organisation’s ability to meet its objectives, but may also threaten the organisation’s survival.
The recent credit crisis is an example of this type of risk.”
By ensuring that the operational risks are being managed effectively by a system, internal audit can then attend to strategic risks, these being those “risks that are most consequential to the organisation’s ability to execute its strategies and achieve its business objectives.”
The author is a CA (NZ), CA(M), ACIB (UK), MBA, and CIA with 32 years of banking experience, the last ten years of which were as CAE of three banks. His experience includes senior-management stints in branch management, credit management, risk management and strategic planning. David is currently Chief Internal Auditor of Bank Islam Malaysia Bhd.
Any views or opinions presented in this article are solely those of the author and do not reflect the views or opinions of the Institute.