A prominent board and audit committee member shares his views on internal auditing and meeting the expectations of the audit committee
In an exclusive interview, Internal Auditor – Middle East spoke to Salem Sultan Al Dhaheri, CPA, who is the Deputy Director of Internal Audit at the Abu Dhabi Investment Authority (ADIA). Salem has 21 years of experience in auditing investments, leading internal audit departments and serving as a board member for several public and private companies. He is a board member at Abu Dhabi National Energy Company (TAQA) and Al Etihad Credit Bureau, and an audit committee member at General Holding Corporation (SENAAT), Abu Dhabi National Oil Company (ADNOC), Emirates Investment Authority, Abu Dhabi Pension Fund, Etisalat and Emirates Steel Factory. Furthermore, Salem is a member of the Institute of Internal Auditors (IIA) and is also a recent recipient of the UAE Internal Audit Association’s (UAE-IAA) Lifetime Achievement Award.
Internal Auditor – Middle East met with Salem Sultan Al Dhaheri at ADIA’s headquarters in Abu Dhabi.
As an audit committee member, what are your expectations from an internal audit department?
Firstly, I expect the internal audit department to be a trusted advisor to the business and to communicate effectively with all stakeholders. This means sitting down with the audit committee and senior management to understand their expectations on how internal audit can add value. As a result, the Chief Audit Executive (CAE) will need to build robust capabilities and skills within the internal audit department in order to deliver what the stakeholders expect and raise its performance and value. Traditional auditing and compliance auditing is not enough. Secondly, the internal audit department needs to understand the business and industry of the company. This is the way it can provide insight to the business and support management in its identification of current and emerging risks and recommend solutions to address key risks or improve proposed mitigation plans. It is very important for the CAE to make sure that stakeholder expectations are discussed at the audit committee and are clearly reflected in the internal audit strategy and annual plan in order to avoid conflicting expectations.
How do audit committees ensure that internal audit is responding to the “risks that matter”?
This is done through a review of the risks identified in the risk assessment for internal audit planning. Internal audit’s role is to ensure that priority is directed to high risk areas. Further, Audit Committee members should also, when required, dive into the details of the residual risks identified and ensure that there is a plan to address risks which fall outside the company’s risk appetite. This can only be done if the risk assessment carried out by the internal audit department is thorough and leads to the identification of the top 10 risks facing the company. Also, internal audit will need to periodically interview management to identify changes in the company’s risk profile and emerging risks. Only then can the audit committee determine whether internal audit is focusing on the right risks. The traditional risk assessment which involves the annual ranking of the audit universe is not sufficient. CAEs need to transform and move away from their comfort zone.
What kinds of reports/communication do you expect from the CAE?
The internal audit report is, in reality, the only deliverable from the internal audit department and therefore it should be a high quality deliverable. If there is one thing that I like, it is to see how the company changes as a result of internal audit reports. A good audit report is one which is accepted by management and creates positive change in the company. Further, I appreciate seeing a big picture analysis of an entity or process. This would show the overall progress and performance including positive observations. The audit committee should not get into the details of each observation unless it is very significant. It is management’s responsibility to address the individual observations raised in the internal audit report. The audit committee will assess the quality of the recommendations and see what action management is taking to mitigate those risks.
I’m aware of situations where the CAE has copied the audit committee on all reports issued to management! The committee should be copied only if there is a major problem; even then the whole report is too much. Quality and conciseness of the IA reports are more important than quantity.
In terms of quarterly presentations to the audit committee, the same principles mentioned above should apply. We need to see the consolidated view of findings: how many overdue action items are there, how many observations have been raised/closed, what is high/medium/low priority, what activities internal audit is carrying out, etc.
“Providing assurance on its own will not meet the expectations of stakeholders”
A recent survey by the UAE-IAA emphasised the need for internal audit to take the lead in risk management where such a process/function does not exist. What are your thoughts on this?
I support this. Internal audit is best placed to facilitate the establishment of a risk management process (with appropriate safeguards). A good internal audit team has knowledge of both the organization and its risks. This is one way for internal audit to move towards being a trusted advisor.
However, at a later stage, when the risk management process matures, and if the organization has grown sufficiently, internal audit will need to hand over the role to a dedicated risk function; a second line of defense. Internal audit will then elevate itself to auditing the risk management process.
What are your thoughts on internal audit quality assurance reviews or reviews by regulators?
Compliance with the IIA’s Standards and carrying out a quality assurance review by an external assessor are fundamental to assuring the audit committee of the quality of the internal audit department. However, a checklist approach against a set of standards is not enough. The assessor should meet with a variety of stakeholders and determine whether the internal audit department is adding value and meeting expectations. It is also important to see the internal audit department’s processes mapped against a maturity framework to allow the audit committee to better understand the current state of the internal audit department.
Have audit committees in the UAE been pushing for the concept of the 3 lines of defense and combined assurance?
Not many are giving attention to this concept. This is an area which we should be focusing on where multiple assurance providers exist and where there is sufficient maturity in risk management processes. The Audit Committee should make sure that each assurance function is playing its part and that there is no overlap in assurance or missing assurance. Helping build such a framework is a very good way for internal audit to add value to the business.
Are CAEs keeping audit committees up-to-date with developments in the internal audit profession?
(Laughs) I rarely get any professional or industry updates from CAEs! I usually get it from outsourced service providers. When the audit committee is informed and given executive education, it will be in a better position to understand the issues and risks raised by internal audit. I think the CAE should make an effort to summarize new reports or research from the IIA or other sources at the quarterly audit committee meeting. He can take 5-10 minutes to deliver an overview. Also, if planned properly the CAE can deliver a training session on a particular topic to ensure that the audit committee is kept up to date. To do this the CAE must participate in professional associations such as the IIA and regularly attend workshops and conferences.
Any final advice to Chief Audit Executives?
As mentioned earlier, the CAE needs to work to become a trusted advisor. Internal audit by design is an assurance provider. It is when internal audit goes beyond this traditional role that it is able to add value to the business. Internal audit needs to build knowledge & skills and understand the business in order to be a trusted advisor. This includes getting specialized certifications (e.g. CFA if you work in investments), having staff members work in the business, building skills such as IT, cybersecurity, data analytics, forensics, Six Sigma, industry specific skills etc. Leading CAEs have implemented a talent acquisition plan (using internal or external resources) to meet stakeholder expectations. The CAE needs to get to a point where stakeholders are asking him for additional help. Only then will the CAE know that the internal audit department is doing a good job.