Dr. Khalid Al-Faddagh
An experienced business leader and advocate of anti-corruption talks about fraud risk and the role of internal auditing.
In an exclusive interview, Internal Auditor – Middle East spoke to Khalid Al-Faddagh, Ph.D., who is a retired Chief Audit Executive (CAE) and a former CEO and a member of several boards. Dr. Khalid has over 30 years of experience in various roles in the oil & gas industry. Most recently, he served as the Executive Director of Internal Auditing at Saudi Aramco where he led a team of over 150 internal audit professionals.
Dr. Khalid also served as a board member in several joint ventures in Saudi Arabia, the Philippines and Japan. In the Philippines, he served as the President and CEO of one of the largest listed oil refining and marketing companies in the country.
In an exclusive interview, Internal Auditor – Middle East spoke to Khalid Al-Faddagh, Ph.D., who is a retired Chief Audit Executive (CAE) and a former CEO and a member of several boards. Dr. Khalid has over 30 years of experience in various roles in the oil & gas industry. Most recently, he served as the Executive Director of Internal Auditing at Saudi Aramco where he led a team of over 150 internal audit professionals. Dr. Khaled also served as a board member in several joint ventures in Saudi Arabia, the Philippines and Japan. In the Philippines, he served as the President and CEO of one of the largest listed oil refining and marketing companies in the country.
Dr. Khalid is an avid advocate of anti-corruption efforts in the Middle East and recently co-chaired both the 4th and 5th Middle East Anti-Corruption Summits. Furthermore, Dr. Khalid is a supporter of the Institute of Internal Auditors (IIA) and is also a recent recipient of the UAE Internal Audit Association’s regional “Lifetime Achievement Award”.
Internal Auditor – Middle East conducted a telephone interview with Dr. Khalid Al-Faddagh.
In the Middle East, do you think executive management & boards are giving adequate attention to fraud risk, including anti-corruption?
If we take a look at the data published by Transparency International, there is not a single country in the world which can claim to be fraud free. This includes the Middle East which, on average, does not score well on the Corruption Perceptions Index. However the attention given to fraud risk varies from one company to the other depending on the maturity and corporate culture. Forward thinking companies have boards and executive management that actively oversee and manage fraud risk.
It would quite surprising if major corporations in the Middle East didn’t include fraud risk as one of the top 5 risks they are facing. Fraud is a reality that we cannot deny in the Middle East and it needs to be adequately addressed if companies want to create shareholders value and attract capital.
What should be the role of internal auditing in the detection and prevention of fraud?
We need to think about fraud risk management as a process. There are shared responsibilities in this process amongst internal audit, management and second line functions. The role of internal audit and the extent of involvement in the fraud risk management process would depend on how internal audit is positioned in the company. This role can be to solely or jointly carry out investigations or, instead, outsource fraud investigations and focus on providing the overall assurance.
When it comes to detection, I believe internal audit bears a higher portion of responsibility than it has for the prevention of fraud. The IIA Standards require that internal auditors be able to evaluate how fraud risk is being management and to identify fraud red flags. Chief Audit Executives cannot really say they have no responsibility in the detection of fraud even when there is a specialized fraud investigation team not part of the internal audit department.
In terms of prevention, I believe that management has the higher responsibly being the first line of defense and responsible for internal controls, including anti-corruption controls. Internal audit role will be to assess the effectiveness of the process and conduct root causes analysis on how and why fraud occurred. In addition, they may conduct awareness sessions or facilitate fraud risk assessments.
Fraud is a risk like any other business risk. Responding to this risk requires a coordinated effort between management, second line functions and internal audit.
How would you respond to those who say, “Where were the internal auditors?” when fraud occurs?
I would reply “Where was management? Where was the second line of defense?”. In such cases management failed to do its job. When internal auditors carry an audit of a particular area, they focus on the high risks. If fraud is one of those high risks, then the particular controls are audited. This means that internal auditors do not always cover fraud in their audits and it is up to management to ensure that internal controls are functioning adequately. The Chief Audit Executive has an important role to play when it comes to making management aware of internal auditor’s role and responsibility in these areas.
Similarly, when we look into fraud discovery, studies show that the prime source is usually through hotlines. Therefore, management needs to foster a culture of openness and embrace non-retaliation. When an employee gets fired for reporting a red flag, the message is “don’t report fraud”. In such cases, the statement “where were the internal auditors?” is not even relevant.
How important are fraud certifications (E.g. Certified Fraud Examiner) are for internal auditors?
We need to differentiate between general internal auditors and internal auditors who are fraud specialists or investigators. In my opinion, all fraud specialists and not hire one who is not certified! For the general or mainstream internal auditors, I’m not too concerned about fraud certifications. There are a variety of other risks that they need to audit and I would not want to distract them away from these risks to focus on fraud certifications. Mainstream auditors should not play the role of investigators; however, they need to have the skills to identify the red flags related to fraud, and hand over such observations to the investigators.
When internal audit departments are responsible for investigations, they need to have the appropriate skills and certifications. For example, in smaller audit functions or functions which do not have separate investigation teams, it would help to have certain mainstream auditor certified..
So where would internal auditors get the skills to identify fraud red flags?
Fraud is a risk like any other business risk. Specialized training can improve the competencies of internal auditors in order to deal with such risk. However, this alone would not be sufficient for internal auditors to understand fraud red flags and potential schemes. One of the most important things that Chief Audit Executives need to do it to utilize the lessons learned from fraud cases, and use them to improve the effectiveness of internal auditors and the internal audit process. This can be done by creating a smart and searchable database that includes all fraud incidents which have happened over the years. From there, you can analyze trends and gain useful insights into fraud hot spots and the related circumstances. You can zoom into the details of who is committing fraud, what age, what were the circumstances that made the employee become a fraudster. You basically analyze each fraud case based on the elements of the fraud triangle.
Such findings can be sued to sharpen internal auditors skills in identifying red flags and the potential fraud schemes. Chief Audit Executives need to work smart and know where to direct internal audit efforts.
If you have to name the single most important element in an anti-corruption program, what would it be?
It would most certainly be the tone at the top! There has to be a strategic commitment at the highest levels to enact changes in behavior and ensure enforcement across the country or a corporation a whole. Take for example, Singapore, which was one of the bottom five countries in terms of corruption perceptions 40 years ago. Today, it is one of the “cleanest” countries in the world. This was the result of the strategic commitment and the tone set by Singapore’s leadership.
The same concept applies corporations. You need to have a strong policy, proper enforcement and make sure that no one is above such a policy. If those in leadership positions, including a CEOs clearly communicate that fraud will not be tolerated, and enforce the appropriate punishment, then this tone will send a very strong and positive message across the organization.
Any final advice to Chief Audit Executives on responding to fraud risk?
CAEs need to shield the audit team and the investigators from “Corporate Politics”, demonstrate independence and objectivity and ensure that he/she and his team adhere to the highest ethical standards. There are valuable lessons learned that can be gained through smart data mining on fraud cases which CAEs need to initiate and champion.