By: Farah Araj

Mazars UAE leaders share their insights on the value that robust internal audit practices can bring to the public sector

interview photo 1

In an exclusive interview, Internal Auditor Middle East spoke to Mohammed Abu Hijleh, CPA and Ghaleb Al Masri, CPA, CIA, CFE, who are partners with Mazars in the UAE and are supporters of good governance in the public sector.

Mohammed started his career in public accounting after graduating from the United States. He spent time with international consulting companies and was the Chief Financial Officer of a prominent real estate developer before becoming Mazars UAE Managing Partner. Mohamed also serves as an independent audit committee member for an Abu Dhabi based investment company.

Ghaleb leads the Risk Advisory practice for Abu Dhabi and brings a wealth of internal audit and risk experience working with major corporations and public sector entities across the Middle East. In addition to working for international consulting companies, Ghaleb has served as a risk management leader and a Chief Audit Executive within the public sector.

Internal Auditor – Middle East connected with Mohammed Abu Hijleh and Ghaleb Al Masri at the Mazars offices in Abu Dhabi.

Can you introduce Mazars to us?

Mohammed: Mazars is an international, integrated and independent firm specializing in Audit, Risk Advisory, Financial Advisory, Tax, and Legal services. With over 23,000 professionals servicing clients from across 310 offices in more than 85 countries around the world, Mazars has positioned itself as a global player with an annual growth of over 8% and revenue exceeding $ 1.8 Billion in 2018.


Ghaleb: Locally, we have attracted a number of top tier governmental clients who are benefiting from our internal audit services. We’ve also supported local non-governmental organizations that have been established decades ago and are well-known within their respective sectors (manufacturing, construction, retail and food & beverage) in the UAE.


Based on your experience, what are your views on the challenges currently facing the public sector?

Mohammed:  The UAE market & public sector is evolving at an unprecedented rate. Having said this, adopting new technologies is the biggest challenge in a region where in some countries IT infrastructure lacks behind developed countries. Locally, the UAE has done a fantastic job building the necessary infrastructure to implement new technologies however, finding the right talent/expertise is quite challenging and will require attracting the same from abroad.


Are these challenges impacting stakeholder expectations of internal audit?

Ghaleb: Since the vast majority of governmental organizations are becoming more proactive and are focusing more on issues such as strategy, corporate governance, risk management and such, they’re demanding a more customized and added-value approach from internal audit. This emphasizes the dual roles of both assurance and consulting required from internal audit and the fact that increasingly, internal audit has to provide much more than cut and dry audit reports that lean more towards compliance issues only. From my perspective, I think this is an opportunity rather than a challenge as we’ve been able to find a niche for our Risk Advisory Services due to the aforementioned. We’ve adopted a model that revolves upon this concept and is based on the direct involvement and on the field presence of our senior level employees (managers and above) to ensure the right level of experience and know-how is provided to meet our clients’ needs. Our clients expect our support in dealing with complex issues that entail multiple scenarios and may lead to far reaching consequences. We have deliberately structured our Risk Advisory Services Division to be “top-heavy” with a low ratio of senior management to staff in order to handle such high-level relationships with our clients.


“As the public sector evolves and becomes more sophisticated, heads of internal audit will need to be more self-aware in challenging the status quo within their own internal audit functions and be more proactive in finding ways they can optimize their added-value to the organization”

Ghaleb Al Masri, Partner Risk Advisory, Mazars


How can CAEs respond effectively to these changing expectations?

Ghaleb: Primarily, CAEs and internal audit functions need to constantly be self-conscious and assess their own approach towards the execution of their risk assessments, developing their audit plans and such. The risk assessment methodology itself needs to be adapted to suit the client and ensure that the resulting audit plan is aligned to the strategic direction of the organization whilst also considering the organization’s maturity and environment. For example, whilst keeping within internal audit standards and guidelines in implementing a risk based approach, we’ve been able to highlight to our clients (where deemed suitable), the advantages in adopting a process oriented rather than a department oriented audit approach. This inherently forces the internal audit function to view and understand the whole cycle or journey of any given process if you will, which obviously optimizes the value added by internal audit.


CAEs also need to achieve and constantly maintain the balance between being independent and holding their ultimate responsibility towards the organization as a whole; and creating a synergetic relationship with management that is based on transparency and reliability.


Is regulation impacting the assurance internal auditors are providing on technology risks?  

Mohammed:  Technology risks play a key role in today’s tech heavy market as almost all organizations have to deal with application access controls, changes/updates to applications, development of new programs or embedding of new modules in existing applications and lastly data protection and problem management. Internal auditors will have to ensure that such application-based controls exist and provide reasonable assurance that the environment hosting these applications are secure. Internal auditors have increased responsibility towards ensuring that the technology risks are managed as an organization’s risk management framework depends on it.


How can CAEs assure their audit committees that they are maximizing the value of their internal audit resources?

Ghaleb: Quantitative KPIs in the form of number of audits and observations, utilization percentages and such are always informative, however, I think it is equally if not more important to ensure that CAEs are constantly in touch with the audit committee (without of course miring the audit committee members in unnecessary details) and obtaining their input regarding key matters. As an example, at the onset of a full-fledged internal audit engagement, I make sure to meet each audit committee member one to one and obtain their expectations. I also present to them different scenarios with objective pros and cons to each when tackling issues such as the internal audit function’s structure, risk assessment methodology, audit plan etc.


Finally, what would be one thing that a public sector internal audit function should strive to achieve over the next 2 years?

Ghaleb: Even though I alluded to the same subject earlier in the interview, I would stress that it is imperative for a public sector internal audit function to build a regular and open relationship with both management and the Board as represented by the audit committee. The underlying premise for this is the core of an internal audit function, which relies on adding value to the organization based on in-depth understanding of the business and processes and striving to identify root causes and corresponding feasible recommendations. Of course, the introduction of internal audit in any organization is bound to cause some resistance, but with time, management gradually realizes the objective of internal audit in improving and optimizing rather than finding fault.