The Enterprise Risk Services Leader and the Information & Technology Risk Services Leader for Deloitte in the Middle East explain how technology is changing the face of the internal audit profession.
In an exclusive interview, Internal Auditor – Middle East spoke to Fadi Sidani and Tariq Ajmal from Deloitte’s Enterprise Risk Services practice in the Middle East. Fadi is the Partner-In-Charge of Enterprise Risk Services for the Middle East with more than 25 years of experience while Tariq is its Information & Technology Risk Services Leader with more than 15 years of experience. Both gentlemen are active supporters of the UAE Internal Audit Association (UAE-IAA) as Fadi is a member of its Executive Committee and Tariq is the Chairman of its Technology Subgroup.
Internal Auditor – Middle East met with Fadi Sidani (FS) and Tariq Ajmal (TA) at Deloitte’s offices in Abu Dhabi.
Deloitte seems to have built a strong technology risk practice in the region. How did this come about?
FS: This didn’t happen by chance – it was by design. Deloitte saw that technology was the crux of the future of internal audit. This was because technology has become a critical driver for both business growth and operational efficiency.
We started by looking at basic elements of IT by mainly auditing general controls and application controls. It then evolved with the evolution of technology, the introduction of e-business etc., which brought in a new set of business risks that internal auditors had to understand and respond to. The team’s major transformation happened over 10 years ago when Tariq joined us as Technology Risk Services leader for the Middle East. Since then Technology Risk Services has become a dedicated practice with around 150 people in the Middle East with specializations in cybersecurity, business continuity, data analytics, IT governance and IT controls, and more are coming.
Since the start of your practice, what have been the technology developments with the most impact on the work of internal auditors in the Middle East?
TA: When we started, it was the time of the ERP wave in the Middle East. Companies were busy implementing Oracle, SAP and other enterprise applications, hence auditors’ focus was mainly on IT general controls, application controls with rudimentary data analysis using ACL. As the maturity of these companies increased, dependency on IT proportionally increased, especially with the advent of newer technologies, more online connectivity and e-commerce. This resulted in auditors starting to focus on IT Governance, IT processes and security issues. Most recently, major cyber-attacks on prominent organizations in various industries, both public and private, have resulted in significant business interruptions and loss of reputation, among other things, which led to increased focus on cyber security. This is expected to stay a priority area for both the companies and auditors for the near future. Lastly, with ever increasing maturity of systems and data (big data) we will see use of more sophisticated Data Analytics through visualization as a new frontier that can transform how we do audits.
FS: I would like to add that what is also impacting the work of internal audit are the changing expectations of Audit Committees (ACs) and other stakeholders. ACs and stakeholders are now expecting internal audit to anticipate and provide insight on risks which are unique and emerging. This has made using technology a necessity in internal audit’s work both during the risk assessment and the execution.
Which industries have been impacted the most by these technology developments?
FS: Practically all industries, but some more than others, such as financial services, telecommunications and airlines, due to their automated nature and the fact that they process significant amounts of data. And it is not just the listed or private companies which have experienced advances in technology; the region’s governments have also been transformed through various e-government initiatives.
TA: One thing not to forget is the oil & gas and manufacturing sectors. These industries nowadays rely on sophisticated Industrial Control Systems (ICS), which interface with corporate IT systems to control production processes. All of this is making internal audit more challenging due to these technology risks that continue to evolve.
How have Chief Audit Executives (CAE) in the Middle East responded to these technological developments?
FS: Many CAEs have been ahead of the game. They saw technology, with all its opportunities and risks, and embraced it by investing time, money and talent into it. However, some other CAEs have not seen the full potential. These CAEs have been dealing with technology as a tool for a specific task and not as a total solution which can unlock a lot of value for internal audit. This is not something specific to a particular country in the Middle East but it varies by the style of leadership in internal audit and the audit committee.
TA: One of the major constraints in responding to technology risk is that it requires a wide variety of specializations (applications, security, governance, analytics, etc.). It may be very difficult, both economically and administratively, for CAEs to hire all the required competencies to address technology risks, not to mention the knowledge management aspect of making sure auditors remain up-to-date on technology developments.
You mentioned that internal auditors need to use technology to provide insight on emerging risks. How can this be done?
FS: There are different ways for internal auditors to use technology, but one of the more effective ways is through the use of data analytics to analyze and link different areas of the business together in an intelligent way. In the past, data analytics in its basic form was used to carry out 100% sampling using ACL. The focus was on finding exceptions and not on providing insights. Today it’s the new tools such as Tableau, Qlikview and others which are allowing CAEs to provide insights through visualization and dashboards.
TA: The power of data analytics is not just in the world of internal audit. In this year’s World Cup, the German team used data analytics to collect massive amounts of data from the field to provide coaches and players with real-time feedback. In the same way internal auditors need to use technology in order to provide assurance on technology risks.
“Technology is at the core of doing more intelligent audits, which means higher quality audits with better results and at a cheaper cost” – Fadi Sidani, Partner, Deloitte
Is regulation impacting the assurance internal auditors are providing on technology risks?
TA: Definitely. Across the Middle East we are seeing new regulations aimed at countering cyber security and business interruption risks. For example, in the UAE we have guidelines on security in Abu Dhabi from ADSIC (Abu Dhabi Systems & Information Centre) and in Dubai there is the Information Security Regulation from Dubai Smart Government. Similarly, central banks across the region have issued regulations on cybersecurity and business continuity. As internal auditors we have a role to play to ensure that our entities are taking appropriate steps to comply with such regulations. We need to “Protect What Matters”.
FS: Adding to that, there is a business continuity requirement issued by the NCEMA (National Emergency Crisis and Disaster Management Authority) which should be complied with by all government entities in the UAE (Deloitte has been awarded the 2014 Business Continuity Provider Award by the Business Continuity Institute). Though regulation is driving risks relating to technology, this should not be viewed solely as a compliance exercise. Whether regulated or not, organizations should have proper cyber security and business continuity programs as a way of ensuring that they stay ahead of existing and emerging threats to their organization.
Based on your experience within the region, what are your views on the emphasis that is being placed on IT audit?
TA: IT audit has not evolved at the same pace technology has evolved. We still see many internal audit departments focusing only on core audits like IT General Controls. This mainly goes down to basics: how organizations perform their IT risk assessments and identify the IT audit universe. When developing an IT audit plan we recommend covering technology from 3 perspectives: 1) Core audits (IT General Controls, application controls, etc.), 2) Advanced audits (IT governance, security, data analytics, IT project audits, etc.) and finally 3) Emerging area audits (cloud computing, social media, etc.).
Finally, what should be the priorities for CAEs to respond to this changing technology landscape over the next 3 years?
FS: Three years?! That is a long way out technologically speaking! Technology brings significant opportunities but it also brings significant risks. Also with the realization that technology is forever changing, the risks of today and related solutions may not necessarily work tomorrow. With that said, I think, as a start, CAEs, Boards and Audit Committees need to continually invest in people, training and tools specifically as they relate to technology so that they can stay ahead of the game. Secondly, data analytics should be considered seriously to increase the efficiency of the internal audit process at the planning and execution stages, and also to add value and insights as we discussed earlier. Thirdly, cybersecurity is a reality and must not be ignored. Finally, make sure you continue to cover the basics. Covering the evolving technology risks is critical but addressing the basic IT general and application controls continues to be as critical.