By: Awad Elkarim Mohamed Ahmed CIA, CFSA, CGAP, CCSA, CRMA, CCEP-I, ASQ CQA, CSAA, IFQ, ACSI, CFE, CACM, CICA, CRBA Group Head of Internal Audit, at Hayel Saeed Anam (HSA) Group

Practical case study

It is my pleasurer to share my practical experience as a Group Head of Internal Audit for Hayel Saeed Anam Group (HSA) Group since Mar 2011, the experience in taking accurate actions to solve the key challenges facing Internal Audit function from scratch to innovation.

  1. Fragmented Internal Audit Function
  2. Lack of Internal Audit Policies and Procedures
  3. Absence of Risk Based Audit Methodology
  4. Threat to Internal Audit Independence
  5. Lack of Awareness of Internal Audit Role
  6. Lack of Audit’s Competence
  7. Lack of Automation and Data Analytics Tool
  8. Fragmented Internal Audit Function:

The Group has internal control function but in the traditional way and not based on modern Internal Audit basics as per the International Professional Practices Framework (IPPF) issued by The Institute of Internal Auditors (IIA).

Action Taken:

  • Set-up Group Internal Audit Function from scratch.
  • Gathered all the auditors under centralized regional audit function.
  • Assigned Regional Head of Internal Audit for each region.
  • Introduce the service-based billing system, based on the actual audit assignment hours conducted at each company under one pool of one centralized audit function.
  • Provided all the resources and assistance to the Regional IA Function.
  • Centralized reporting of Regional IA Function to Group IA Function.
  1. Lack of Internal Audit Policies & Procedures:

There is no one consistent audit practice implemented across the Group. Each independent IA function has its own set of audit practice. There was absence of IA Charter, inconsistent audit working papers, and reporting templates.

Action Taken:

  • Develop IA Charter, approved by the Board Chairman
  • Develop Group IA Manual (Policies & Procedures)
  • Communicated the IA Charter and Group IA Manual across the Group
  • Encourage suggestion proposals for continuous improvement
  1. Absence of Risk Based Audit Methodology:

The internal auditors were carrying out very routine audit, with more emphasis of coverage rather than based on high risks. It was more of a checklist approach by the internal auditors to perform during audit.

Action Taken:

  • Introduced Risk Based Audit methodology in the Group.
  • The Group IA Methodology made based on Risk Based Audit in the IA Manual.
  • Carry out road-show map with extensive training.
  • Introduce the concept of Risk Assessment at the audit planning stage.
  • Encourage developing Internal Risk Register.

 

  1. Threat to Internal Audit Independence:

I observed threat to IA independence, initially the Internal Auditors were reporting to the General Managers of the Companies. Internal audit recruitment, termination, reporting, performance appraisal done by Companies General Managers.

Action Taken:

  • Introduced individual Internal Auditors reporting to the Regional Head of IA.
  • Provide authority to the Regional Head of IA over his audit team.
  • All the Regional Head of IA functional reporting line the Group Head of IA in order to ensure independence.
  • Group Head of IA functional reporting to the audit committee and Chairman of the Board.

 

  1. Lack of Awareness of IA Role:

There was a lack of awareness in the Group about the role of IA. This was due to many factors. The auditor was deploying classic audit techniques and Audit considered as a police catching the auditee for errors and mistakes. The role of internal audit was also confused with internal control. For some of the General Managers (GM’s), it was a new set up function.

Action Taken:

  • Carry out Group wide road show map with the regional General Managers (GM’s).
  • Introduce the vision, mission, role, and benefits of IA.
  • Establish open door policy with the top management.
  • Stress the participation of IA in strategic meetings and projects.
  • Carry out several structural changes by segregating IA from Internal Control.

 

  1. Lack of Audit Competence:

Initially, there were hardly any criteria to hire Internal Auditors. Most of the Auditors were internally transferred from other function. The auditors lack audit experience and with no professional certifications.

Action Taken:

  • Encourage existing Auditors to pursue CIA certification, incentivized them by reimbursing the exam cost for those who passed the exam and become CIA holders.
  • CIA certification preparation training course conducted to selected 25 Auditors based on passing a qualifying exam set especially for course attendees’ selection.
  • All new hire made mandatory to have bachelors (Business/ Finance) and at least CIA. Additional complementing certificates desirable such as CPA, CCSA, CRMA, CFSA, CISA, CFE, etc.
  • Introduce internal training and knowledge sharing initiative within the IA function, power point presentations sent through email to all regional Audit teams.
  • Successfully delivered by myself a training program “Internal Audit Core Skills” to Hayel Saeed Anam (HSA Group) audit team in Yemen, 30 hours training held at “Al Saeed Foundation of Science and Culture” attended by 114 Auditors from Sanaa, Aden, Taiz, and Alhodeidah. Similar trainings held at different regions.

 

  1. Lack of Automation and Data Analytics Tool:

Urgent need to transfer from manual to automation.

Action Taken:

Audit software selection based on the following criteria:

  • SAP Compatibility: The audit software should be compatible with the SAP system which can easily integrate and can extract reports.
  • Audit Management: The audit software should have the following functionality; risk based annual audit plan, scheduling, audit management, performance reporting, electronic working papers, recommendation tracking, comprehensive reporting, and resource allocation
  • Common Platform: The software connected to one platform, enabling multiple teams working at multiple locations and the manager can review offsite.
  • Common Depository: The software should provide access to the regional/group head to locate the audit engagement working papers, audit reports, etc. from one place.
  • Language: Require feature of the software in Arabic especially for Middle East, the software language must be Arabic and English.