Columns

Increasing the Perceived Value of Risk Management

The true value of risk management can only be realised through an integrate3d approach
By Ehab Saif
Edited by: Dr. Steven Halliday

Increasing the Perceived Value of Risk Management

By: Ehab Saif

Edited by: Dr. Steven Halliday

Increasing the Perceived Value of Risk Management

The integration of enterprise risk management and operational risk management roles is bound to lead to more effective risk management.

 

Based on my experience in the Middle East region, the ERM concept is relatively new and many business owners have difficulties in understanding the role of the ERM function. I recently noted a perceived gap between the “Head of Enterprise Risk Management (ERM)” and the “Operational Risk Manager” roles. In many cases, this leads to a performance expectation gap. In my view, these roles should be integrated to ensure a smooth implementation of ERM.

As part of the implementation of a comprehensive ERM program, a considerable amount of time is required to develop an ERM framework, spread risk awareness, execute entity-wide risk assessments and embed Risk Management in each business unit. This lengthy timeframe can lead to a less responsive and inflexible Risk Management model, given the dynamic nature of businesses and frequent changes in business risks.  Bringing a focus onto operational risk management helps achieve quick wins and keeps the risk profile under management attention.

 

Resilient Risk Management Function

In order to have an effective and resilient Risk Management model, the Risk Management function should work as an operational risk advisor to management by dynamically reviewing business decisions, investments, processes and other risk exposures.  In parallel and simultaneously the Risk Management function should also implement a robust ERM program that ensures high level Risk Management assurance and the creation of a risk-aware culture.

While some organizations recruit industry-specialized technical risk managers for operational levels and/or Enterprise Risk Managers to implement the ERM framework, very few organizations have a Risk Management department that combines both the strategic and operational levels of risk management.

 

Internal Audit vs. ERM

In most cases, an ERM function focuses only on risk identification and prioritization, without being an integral part of the decision making process and actively advising management on dynamic and emerging risks.  This can result in Risk Management being perceived and classified by senior management as part of the internal audit function; which can create unnecessary barriers, decreasing the added value of having a Risk Management function.

 

Independence

Based on my experience, the majority of ERM functions in the Middle East (excluding the financial sector) are still working under the umbrella of internal audit departments, reporting directly to a Chief Audit Executive (CAE) and up through to the Audit Committee. This is also the case in the UAE where by a recent study1 has shown that in 35% of the cases, the Chief Audit Executive took the lead role for ERM compared to 25% for the Chief Risk Officer. This model dilutes the effectiveness of the Risk Management activities and increases the limits on Risk Management involvement in decision making process.

  • The sufficiency of resources to ensure audit coverage of high risk areas and ensuring maximum value from auditing activities;
  • The competency of subject matter experts whom add value through audit recommendations; and
  • The management of outsourced internal audit service providers from a quality and value-adding perspective.

The diagram below illustrates the optimal Risk Management Governance Model in any organization:

 

Assurance over the effectiveness of the Risk Management Model in the organization
Monitoring risks, implementing response strategies and treatment plans, and developing timely reports for review by the Risk Management Function.
Responsibility to roll-out and support the Risk Management process across the organization
Responsibility to proactively advise management on risks and implement a robust ERM program across the organization
Oversight and responsibility to ensure adequate risk management systems are in place

 

Characteristics of Risk Managers

Finding a suitable candidate to lead a Risk Management function that has operational risk and ERM responsibilities is not a simple task.  In order to gain Senior Management confidence and to be perceived as a trusted business advisor, an effective Risk Manager should possess deep industry-specific experience, in addition to having ERM program implementation experience, coupled with outstanding communication, presentation and interviewing skills.

The Risk Manager should also accept part of the responsibility over his business advisory role, which at the same time, should be part of his key performance indicators.

 

Risk Management Standards

International Risk Management Standards (e.g. ISO 31000:2009, COSO ERM Framework) focus on having a function which is responsible for the establishment of a robust Risk Management framework that facilitates and coordinates the risk assessment and ensures the promotion of risk awareness within the organization.

Although Risk Management standards emphasize the importance of frequent communication and consultation with stakeholders throughout the implementation of the ERM program, they do not provide sufficient attention to the dynamic role of the Risk Manager as an operational risk advisor whom adds value to the company through his or her industry knowledge.

 

The Way Forward

The structure and mandate of the Risk Management function is still under global debate with no clear consensus.  On one hand, it is important to emphasize the differentiation between Risk Management and Internal Audit; however, on the other hand, it is also important to focus on merging operational risk and ERM responsibilities under the same umbrella.

Although we should emphasize that Risk Management cannot guarantee mistakes will not happen, I do not agree with the idea that Risk Management should be prevented from making decisions for the organization.  The reason for this is due to the fact that it is difficult to justify the existence of another “all cares no responsibility” function that has similar roles to the internal audit department in the perception of senior management.  If both Internal Audit and Risk Management are seen as an independent assurance functions, then it is justifiable for business owners to merge both functions under one department, in an effort to cut costs.

My alternative recommended model for a Risk Management function is to evolve and justify its existence through having direct involvement in operations and focusing on its risk advisory role by having subject matter knowledge, which has true value to the organization, in addition to its role as a coordinator and facilitator of a comprehensive ERM program.

 

References:

  1. Risk Management Practices and the Role of Internal Audit: A UAE Perspective on Non-Financial Institutions. Published by the UAE-Internal Audit Association, 2015.

 


EHAB R. SAIF, CMA, CIA, CFE is an Internal Audit Manager at a private holding company in Abu Dhabi.

Family Business Governance

Family businesses have specific governance systems which need to be in place to ensure their community
By Arif Zaman
Edited by: Meenakshi Rezdan

Family Business Governance

By: Arif Zaman

Edited by: Meenakshi Razdan

Family Business Governance

A family business refers to a company where the voting majority is in the hands of the controlling family. Several studies have shown that family owned companies out perform their non-family counterparts in terms of sales, profits and other growth measures.1  Some of their strengths include commitment from family as business owners, willingness to pass knowledge and experience, willingness to work harder and reinvest in the business, family name and pride associated with the business. 2

 

It is also a fact that most family businesses have a very short life span beyond their founder’s stage and that 95% of the family businesses do not survive the third generation of ownership. 3 Main reason for this being complexity, informality due to absence of articulated practices and procedures and lack of discipline.4

 

The evolution of family business can be projected into three stages; the founder stage, the sibling partnership stage and the cousin confederation stage.5 In the founder stage, the business is entirely owned and managed by the founder. In the sibling partnership stage, management and ownership is transferred to the children of the founder. In the cousin confederation stage, the business governance becomes more complex as more family members are directly or indirectly involved in the business, including children of the siblings, cousins, and in laws.

 

Each stage brings with it unique governance challenges. The following table summarizes the key family governance issues faced by family businesses during their development cycle: 6

 

Stage Issues
The founder stage
  • Leadership transition
  • Succession
  • Estate planning
The sibling partnership
  • Maintaining team work and harmony
  • Sustaining family ownership
  • Succession
The cousin confederation
  • Allocation of corporate capital; dividends, debt and profit levels
  • Shareholder liquidity
  • Family conflict resolution
  • Family participation and role
  • Family vision and mission
  • Family linkage with the business

 

Six steps that can help family businesses to attain business continuity are-

 

Step 1: Establishment of Family Constitution

The family constitution is a statement of the principles that outline its commitment to core values, vision and mission of the business. It’s a living document that evolves as the family and its business continue to grow. A typical family constitution will cover the following elements:

  • Family values, mission statement and vision
  • Family institutions such as family assembly, family council, education committee and family office
  • Authority, responsibility and relationship among the family, the board and the senior management etc.

 

Step 2: Forming Family Governance Institutions

Family governance institutions help strengthen the family harmony and relationship with its business. Deciding what type of institution to establish will depend on the size of the business, the family’s stage of development, the number of existing family members and the degree of involvement of family members in their business.

  • Family Assembly; It is a formal forum, which meets 1 or 2 times in a year, to discuss business and family issues. Family assembly is open to all family members, with some restriction such as minimum age, participation of in-laws and voting rights. Its role is to approve family vision, values, family related policies, election of committee’s member etc.
  • Family Council; It is the governance body for the assembly. Family council comprises of 5 to 9 members elected by the family assembly and meets 2 to 6 times in a year. Its role is to act as bridge between family, the board and senior management, suggest name for board candidate and formulate family polices etc.
  • Family Office; It is an investment and administrative center that is organized and overseen by the family council. It looks after family member’s personal investment, taxes, insurance coverage, estate planning, career counseling and other areas of interest to individual family members. This is managed by professionals.
  • Other Family Institutions; Depending on size, the family business can have education, share redemption, career planning, family reunion and recreation committees.

 

Step 3: Establishment of Advisory Board and Board of Directors

As the family business gets more complex, it becomes necessary to establish two boards, the Advisory Board and the Board of Directors. This allows the family business to become more organized and well-focused.

  • Advisory Board; the advisory board is a group of experienced and respected individuals outside the family. The members of the advisory board are usually experts in the family business industry and market or in other areas such as finance, marketing and international markets. Over a period of time and once the family sees the added value of the advisory board, some of its members are often invited to join the Company’s BoDs.
  • Board of Directors; in family business, BoD constitutes of family members and company senior managers. The BoD look in to the matters of strategy, succession planning, finances, internal controls, risk management and reporting to the owners and other interested parties. The presence of independent directors in the Board can play a vital role in the board meetings. Independent directors can bring an outside perspective on strategy and control.

 

Step 4: Developing Family Member Employment Policy

Many family businesses that didn’t set up clear employment policies for their members end up with more employees from the family than the company needs. As the family business reaches the sibling partnership stage of growth, it becomes necessary to formalize the family members’ employment policies. This would require setting up clear rules about the conditions of entry, staying, and exit from the business. The policy should also cover the treatment of family member employees in comparison with non-family employees.

 

Step 5: Succession Planning

Many family businesses put off the succession planning of their senior managers until the last minute, which leads to crisis. This could indeed be one of the reasons most family businesses disappear before they reach their third generation.

Effective succession plan should allow for the selection of the most competent person, whether it is a family member or not. In addition, it is crucial to involve all family members, the board, key senior managers and other important external stakeholders in the selection process and make sure they agree on the next choice.

 

Step 6: Exit Strategy of Family Member

There should be clarity over the mechanisms that allow family members to sell their shares if they prefer to exit from the family business. Preparing an exit strategy well in advance helps avoid many conflicts and increases chances of business continuity.  Some family businesses establish a “Shares Redemption Fund” in order to buy back any shares that family members would like to liquidate. The Fund is usually financed by contributing a small percentage of profits to it every year.

 

Conclusion

These initiatives are not exhaustive but are some of the fundamental factors crucial for business sustainability. Studies suggest that family businesses that demonstrate good corporate governance not only enjoy greater longevity, but improve efficiency, effective risk management and greater rewards for all stakeholders.

 

References:

  1. Denis Leach and John Leahy, “Ownership Structures, Control and the Performance of Large British Companies”, Economic Journal,
  2. Sir Adrian Cadbury, Family Firms and Their Governance: Creating Tomorrow’s Company from Today’s (Egon Zehnder International, 2000); John Ward, “The Family Business Advantage: Unconventional Strategy”, Families in Business,
  3. The Family Business Network, www.fbn-i.org/fbn/main.nsf/doclu/facts.
  4. “IFC Famaily Bsuiness Governance Handbook”, Third Edition, 2011.
  5. John Ward, Creating Effective Boards for Private Enterprises (Family Enterprise Publishers, 1991); Kelin E. Gersick, John A. Davis, Marion McCollom Hampton, Ivan Lansberg, Generation to Generation: Life Cycles of the Family Business (Harvard University Press, 1997).
  6. John Ward, Creating Effective Boards for Private Enterprises (Family Enterprise Publishers, 1991).

 


ARIF ZAMAN ACCA, CIA, CISA, CPA, CFE, CCSA, CRBA, CRMA is a Group Senior Internal Auditor at HSA Group based in Dubai, UAE.

Major Retail Store Risks and How Best to Control Them

How to effectively control retail store risks.
By Mohammed Khalil Al Jallad
Edited by: Ayman Abdelrahim

Conversations with Colleagues: Karl Hendricks

By: Mohammed Khalil Al Jallad

Edited by: Ayman Abdelrahim

Major Retail Store Risks and How Best to Control Them

The 2014 Global Retail Development Index1, issued by A.T. Kearney, indicated that gross domestic product of the Middle East will continue growing, which will bolster consumer confidence. Further, upcoming monumental events, such as Expo2020 in Dubai and Football World Cup 2022 in Qatar, will have a positive impact on the retail sector. There are other factors which will boost the growth of the retail sector, such as the construction boom in the region supported by significant national investments in infrastructure.

The expansion in retail stores operating under international or local trademarks will increase the potential business risks and force companies to draw up policies and action plans to curb such risks. Furthermore, the role of the internal auditor has become pivotal to evaluating the effectiveness of policies and procedures; and informing senior management of any improvements that may assist in achieving the objectives of the company.

The proper management of business risks at retail stores boosts competitiveness. The senior management team should view risk management a means to assist in making decisions concerning the company’s investments and its sustainability thereof. Accordingly, we have to review the most critical risks faced by retail stores, the auditor’s role, and the sufficiency of internal controls to address such risks.

 

1.   A Decline in Consumer Spending

The decline in consumer spending is the greatest danger facing retail stores, as it has a material impact on cash flows, which in turn affects the day-to-day operations relating to purchases from suppliers and meeting the daily obligations of the company. Consumer spending is affected by a host of factors that the company cannot easily control, such as local and international economic factors and the price of oil.

The role of the internal auditor should be to ensure that the company:

  • Takes proper procedures to monitor and consider the impact of the changes in economic indicators such as government spending, oil prices, and unemployment;
  • Monitors a consumer confidence index designed to measure consumer optimism on market conditions, and constitutes a tool for predicting consumer behavior;
  • Adopts a proper strategy to increase consumer spending; and
  • Monitors daily sales and considers the consequences of any decrease in these sales.

 

2.   Reputation Risks

The retail sector is characterized by direct contact with consumers and the worse problems for retail stores if when customers stop buying from these stores or view them negatively. Further, reputation risks have increased due to social media and the internet. Accordingly, any shortcomings in consumer satisfaction may quickly impact a store’s reputation and hence its revenue.

The role of the internal auditor should be to ensure that the company:

  • Conducts periodic consumers satisfaction surveys and formulates surveys to predict customer needs and expectations;
  • Adopts a consumer relation management system to deal with any complaints and reply to any inquiries;
  • Analyzes mystery shopper results to measure the quality of the rendered services as well as the quality of the employee-consumer relation;
  • Provides proper training to employees; and
  • Draws up a policy for dealing with social media with swift replies to any negative comments affecting the stores or products.

 

3.   Intense Competition

Retail business is known for intense competition due to limited barriers to entry. An increase in competition may hinder revenue growth. Competition through product price reduction is a major factor in consumer purchasing decisions.

The role of the internal auditor should be to ensure that the company:

  • Determines its competitors and periodically monitors product prices in the market;
  • Uses the concept of loyalty cards which helps in consumer analysis as well as predicting the products that satisfy consumer expectations;
  • Adopts a product pricing strategy by understanding consumer behavior and the manner by which they make purchasing decisions; and
  • Works out a plan for sales increase by taking advantage of sporting events, beginning of the school year, and holidays.

 

4.   Supply Chain Failure

Lack of goods to display is a sensitive issue for day-to-day operations and can result from a failure in the supply chain.

The role of the internal auditor should be to ensure that the company:

  • Qualifies more than one supplier without depending on a specific supplier;
  • Uses proper forecasting of sales;
  • Adopts stock management policy;
  • Controls the stock periodically and maintains reasonable levels. This ensures smooth store operation without facing any product shortage; and
  • Adopts an automated system to review the level of available stock in the stores to meet any increase in the sales of a specific product as well as securing direct supply to the stores.

 

5.   Online Shopping

Online shopping is one of the emerging risks that may increase due technological developments. A recent study issued by PricewaterhouseCoopers2 in early 2015 showed that online shopping is expanding at the expense of traditional retail stores. The study indicated that smart phones play a pivotal role in the online shopping boom, as 17% of the respondents shop weekly online whilst 28% prefer traditional retail stores.

The role of the internal auditor should be to ensure that the company:

  • Adopts creative ways to encourage consumers to visit their stores;
  • Develops a website displaying the its goods and promotions;
  • Allows for shopping via e-mail; and
  • Reviews marketing studies relating to online shopping trends in order for the company to develop proper plans for addressing the same.

 

6.   Failure to Comply with Laws and Legislation

Failure to maintain the validity of agreements and licenses (lease agreements, business license, advertising license, etc.) may cause the retail stores to face closure, incur financial losses or pay penalties. This would also impact the Company’s reputation. Some activities necessitate certain licenses, such as professional practice for employees in pharmacies as well as obtaining health certificates for laborers in restaurants.

The role of the internal auditor should be to ensure that the company:

  • Adopts procedures for identifying and complying with any changes made to laws and legislations;
  • Adopts procedures for following up on the terms of agreements and licenses; and
  • Fixes a time period for initiating the action required for renewing agreements and licenses prior to expiry.

 

7.   Fraud and Theft

Fraud risk arises when customers pay using counterfeit money or credit cards, and employees manipulate discounts granted to them to sell goods at a cheaper price. Further, direct thefts from retail stores either by customers (stealing goods) or by store employees (stealing goods or money) occurs very often.

The role of the internal auditor should be to ensure that the company:

  • Uses money counting equipment and counterfeit detectors;
  • Controls credit card transactions on a daily basis.
  • Develops a clear policy on employee discounts, including a maximum amount of the discount granted to each employee, and develops a periodic report on the same;
  • Hires security employees at stores containing high value goods, and insures goods against theft; and
  • Carries out a daily inventory of cash registers and compares cash with the total sale movements.

 

8.   Improper Storage of Goods

Goods are sometimes stored in an improper manner. They may be stacked without any consideration of the safety factors inside the stores. Thus, it becomes very difficult to deal with any fire or emergency. It is also necessary to comply with the requirements of goods storage to avoid any damage thereto in the same manner adopted for handling medicine and foodstuffs requiring storage in an environment at a specific temperature.

The role of the internal auditor should be to ensure that the company:

  • Develops procedures for storing goods in compliance with the safety conditions;
  • Periodically reviews storage conditions for each type of good; and
  • Secures goods against fire and maintains a valid insurance policy.

 

Conclusion

The retail store business is vulnerable to several risks that should addressed in order to avoid potential losses. The importance of the internal auditor’s role is to ensure the sufficiency and effectiveness of policies and procedures established to mitigate such risks. The development of a risk based audit plan helps the internal auditor to cover the high risks affecting retail stores, and evaluate the established controls to adequately address such risks.

References:

  1. http://www.atkearney.com/consumer-products-retail/global-retail-development-index
  2. http://www.pwc.com/gx/en/retail-consumer/retail-consumer-publications/global-multi-channel-consumer-survey/assets/pdf/total-retail-2015.pdf

 


 

MOHAMMED JALLAD, CIDA, CFC is an audit and accounting professional who works at a leading institution in Kuwait.

Conversations with Colleagues: Salem Sultan Al Dhaheri

Salem Sultan Al Dhaheri advises internal auditors on ho to meet the expectations of the audit committee.
By Farah Araj

Conversations with Colleagues: Salem Sultan Al Dhaheri

By: Farah Araj

Conversations with Colleagues: Salem Sultan Al Dhaheri

In an exclusive interview, Internal Auditor – Middle East spoke to Salem Sultan Al Dhaheri, CPA, who is the Deputy Director of Internal Audit at the Abu Dhabi Investment Authority (ADIA). Salem has 21 years of experience in auditing investments, leading internal audit departments and serving as a board member for several public and private companies. He is a board member at Abu Dhabi National Energy Company (TAQA) and Al Etihad Credit Bureau, and an audit committee member at General Holding Corporation (SENAAT), Abu Dhabi National Oil Company (ADNOC), Emirates Investment Authority, Abu Dhabi Pension Fund, Etisalat and Emirates Steel Factory. Furthermore, Salem is a member of the Institute of Internal Auditors (IIA) and is also a recent recipient of the UAE Internal Audit Association’s (UAE-IAA) Lifetime Achievement Award.

 

Internal Auditor – Middle East met with Salem Sultan Al Dhaheri at ADIA’s headquarters in Abu Dhabi.

 

As an audit committee member, what are your expectations from an internal audit department?

Firstly, I expect the internal audit department to be a trusted advisor to the business and to communicate effectively with all stakeholders. This means sitting down with the audit committee and senior management to understand their expectations on how internal audit can add value. As a result, the Chief Audit Executive (CAE) will need to build robust capabilities and skills within the internal audit department in order to deliver what the stakeholders expect and raise its performance and value.  Traditional auditing and compliance auditing is not enough. Secondly, the internal audit department needs to understand the business and industry of the company. This is the way it  can provide insight to the business and support management in its identification of current and emerging risks and recommend solutions to address key risks or improve proposed mitigation plans. It is very important for the CAE to make sure that stakeholder expectations are discussed at the audit committee and are clearly reflected in the internal audit strategy and annual plan in order to avoid conflicting expectations.

 

How do audit committees ensure that internal audit is responding to the “risks that matter”?

This is done through a review of the risks identified in the risk assessment for internal audit planning. Internal audit’s role is to ensure that priority is directed to high risk areas. Further, Audit Committee members should also, when required, dive into the details of the residual risks identified and ensure that there is a plan to address risks which fall outside the company’s risk appetite. This can only be done if the risk assessment carried out by the internal audit department is thorough and leads to the identification of the top 10 risks facing the company. Also, internal audit will need to periodically interview management to identify changes in the company’s risk profile and emerging risks. Only then can the audit committee determine whether internal audit is focusing on the right risks. The traditional risk assessment which involves the annual ranking the audit universe is not sufficient. CAEs need to transform and move away from their comfort zone.

 

What kinds of reports/communication do you expect from the CAE?

The internal audit report is, in reality, the only deliverable from the internal audit department and therefore it should be a high quality deliverable. If there is one thing that I like, it is to see how the company changes as a result of internal audit reports. A good audit report is one which is accepted by management and creates positive change in the company. Further, I appreciate seeing a big picture analysis of an entity or process. This would show the overall progress and performance including positive observations. The audit committee should not get in to the details of each observation unless it is very significant. It is management’s responsibility to address the individual observations raised in the internal audit report. The audit committee will assess the quality of the recommendations and see what action management is taking to mitigate those risks.

 

I’m aware of situations where CAE has copied the audit committee on all reports issued to management! The committee should be copied only if there is a major problem; even then the whole report is too much.  Quality and conciseness of the IA reports is more important than quantity.

 

In terms of quarterly presentations to the audit committee, the same principles mentioned above should apply. We need to see the consolidated view of findings: how many overdue action items are there, how many observations have been raised/closed, what is high/medium/low priority, what activities are internal audit carrying out etc.

 

Providing assurance on its own will not meet the expectations of stakeholders

 

A recent survey by the UAE-IAA, emphasised the need for internal audit to take the lead in risk management where such a process/function does not exist.  What are your thoughts on this?

I support this. Internal audit is best placed to facilitate the establishment of a risk management process (with appropriate safeguards). A good internal audit team has knowledge of both the organization and its risks. This is one way for internal audit to move towards being a trusted advisor.

However, at a later stage, when the risk management process matures, and if the organization has grown sufficiently, internal audit will need to hand over the role to a dedicated risk function; a second line of defense. Internal audit will then elevate itself to auditing the risk management process.

 

What are your thoughts on internal audit quality assurance reviews or reviews by regulators?

Compliance with the IIA’s Standards and carrying out a quality assurance review by an external assessor are fundamental to assuring the audit committee of the quality of the internal audit department. However, a checklist approach against a set of standards is not enough. The assessor should meet with a variety of stakeholders and determine whether the internal audit department is adding value and meeting expectations. It is also important to see the internal audit department’s processes mapped against a maturity framework to allow the audit committee to better understand the current state of the internal audit department.

 

Have audit committees in the UAE been pushing for the concept of the 3 lines of defense and combined assurance?

Not many are giving attention to this concept. This is an area which we should be focusing on where multiple assurance providers exist and where there is sufficient maturity in risk management processes. The Audit Committee should make sure that each assurance function is playing its part and that there is no overlap in assurance or missing assurance. Helping build such a framework is a very good way for internal audit to add value to the business.

 

Are CAE’s keeping audit committees up-to-date with developments in the internal audit profession?

(Laughs) I rarely get any professional or industry updates from CAEs! I usually get it from outsourced service providers. When the audit committee is informed and given executive education, it will be in a better position to understand the issues and risks raised by internal audit. I think the CAE should make an effort to summarize new reports or research from the IIA or other sources at the quarterly audit committee meeting. He can take 5-10 minutes to deliver an overview. Also, if planned properly the CAE can deliver a training session on a particular topic to ensure that the audit committee is kept up to date. To do this the CAE must participate in professional associations such as the IIA and regularly attend workshops and conferences.

 

Any final advice to Chief Audit Executives?

As mentioned earlier, the CAE needs to work to become a trusted advisor. Internal audit by design is an assurance provider. It is when internal audit goes beyond this traditional role that it is able to add value to the business. Internal audit needs to build knowledge & skills and understand the business in order to be a trusted advisor. This includes getting specialized certifications (E.g. CFA if you work in investments), having staff members work in the business, building skills such as IT, cybersecurity, data analytics, forensics, Six Sigma, industry specific skills etc. Leading CAEs have implement a talent acquisition plan (using internal or external resources) to meet stakeholder expectations The CAE needs to get to a point where stakeholders are asking him for additional help. Only then will the CAE know that the internal audit department is doing a good job.

 
Back to Top